webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-21 08:22:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
19,327 Commits 2 Branches 1 Tag
92e20091663bbcebf8772bd0c9cc92ed5d81db5c
Commit Graph

48 Commits

Author SHA1 Message Date
Peter Müller
fe803a3f89 Revert "linux: Enable randstruct on ARM as well" 
This reverts commit f38e8a35c2.

(Thank you, Arne!)
 2022-08-09 10:43:05 +00:00
Peter Müller
26a91db187 Revert "Revert "linux: Do not allow slab caches to be merged"" 
This reverts commit 1695af3862.

https://lists.ipfire.org/pipermail/development/2022-August/014112.html
 2022-08-09 09:29:42 +00:00
Peter Müller
4865b7f6b8 Revert "Revert "kernel: update to 5.15.59"" 
This reverts commit f25f1b55af.
 2022-08-08 13:17:30 +00:00
Peter Müller
f25f1b55af Revert "kernel: update to 5.15.59" 
This reverts commit 43df4a0373.
 2022-08-08 10:10:35 +00:00
Peter Müller
1695af3862 Revert "linux: Do not allow slab caches to be merged" 
This reverts commit 06b4164dfe.
 2022-08-08 10:10:17 +00:00
Peter Müller
06b4164dfe linux: Do not allow slab caches to be merged 
From the kernel documentation:

> For reduced kernel memory fragmentation, slab caches can be
> merged when they share the same size and other characteristics.
> This carries a risk of kernel heap overflows being able to
> overwrite objects from merged caches (and more easily control
> cache layout), which makes such heap attacks easier to exploit
> by attackers. By keeping caches unmerged, these kinds of exploits
> can usually only damage objects in the same cache. [...]

Thus, it is more sane to leave slab merging disabled. KSPP and ClipOS
recommend this as well.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-08-06 13:51:02 +00:00
Arne Fitzenreiter
43df4a0373 kernel: update to 5.15.59 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
 2022-08-06 07:45:02 +00:00
Peter Müller
f38e8a35c2 linux: Enable randstruct on ARM as well 
My fault, again. :-/

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-08-04 12:38:01 +00:00
Peter Müller
494d2b4bf3 linux: Update ARM kernel configuration files 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-08-04 12:32:43 +00:00
Peter Müller
38a5d03f59 linux: Enable PCI passthrough for QEMU 
Fixes: #12754
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-08-03 10:57:05 +00:00
Peter Müller
0664b1720d linux: Amend upstream patch to harden mount points of /dev 
This patch, which has been merged into the mainline Linux kernel, but
not yet backported to the 5.15.x tree, precisely addresses our
situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.

The only explanation I have for bug #12889 arising _now_ is that some
component (dracut, maybe) changed its behaviour regarding remounting of
already mounted special file systems. As current dracut won't (re)mount
any file system already found to be mounted, this means that the mount
options decided by the kernel remained untouched for /dev, hence being
weak in terms of options hardening possible.

As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
to kernel configurations have been simulated.

Fixes: #12889
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-06-25 22:20:48 +00:00
Peter Müller
df9ebc6bbe linux: Align kernel configurations on ARM 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-06-23 07:42:27 +00:00
Peter Müller
883e29630c Kernel: Disable support for RPC dprintk debugging 
This is solely needed for debugging of NFS issues. Due to the attack
surface it introduces, grsecurity recommends to disable it; as we do not
have a strict necessity for this feature, it is best to follow that
recommendation for security reasons.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-06-13 15:39:23 +00:00
Peter Müller
9b28e9d02b Kernel: Enable YAMA support 
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
the upstream rationale. Enabling YAMA gives us the benefit of additional
hardening options available, without any obvious downsides.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-06-13 15:39:08 +00:00
Arne Fitzenreiter
9fa01e4276 kernel: update to 5.15.35 
in kernel 5.15.32 the driver for ATH9K wlan cards is unstable.
This is one of the most used cards so we need this update before
releasing core167 final.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-04-22 12:48:32 +00:00
Peter Müller
250f6efc38 kernel: Do not enforce "integrity" mode of LSM 
LSM was found to render firmware flashing unusable, and patching out LSM
functionality for all features needed (such as /dev/io, direct memory
access and probably raw PCI access for older cards), this would
effectively render much of LSM's functionality useless as well.

For the time being, we do ship LSM, but do not enforce any protection
mode. Users hence can run it in "integrity" or even "confidentiality"
mode by custom commands; hopefully, we will be able to revert this
change at a future point.

Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-04-21 19:30:42 +00:00
Arne Fitzenreiter
1d563665ed kernel: run make oldconfig 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-04-08 00:27:47 +02:00
Peter Müller
8e1a464d12 Kernel: Enable LSM support and set security level to "integrity" 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-06 20:04:04 +00:00
Peter Müller
4f4422cc1c Kernel: Do not automatically load TTY line disciplines, only if necessary 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-04-04 19:59:39 +00:00
Peter Müller
bf2d8cb8a0 Kernel: Disable support for tracing block I/O actions 
This is not needed on IPFire systems, and grsecurity recommends to turn
this off.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-04 19:59:15 +00:00
Peter Müller
26ca63592d Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits 
This follows a recommendation by ClipOS, making ASLR bypassing attempts
harder.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-04 19:59:08 +00:00
Arne Fitzenreiter
59ec91c171 kernel: update to 5.15.22 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-02-09 12:17:53 +00:00
Arne Fitzenreiter
70c57ed33e kernel: update to 5.15.21 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-02-06 14:09:43 +00:00
Arne Fitzenreiter
d68f875d61 kernel: enable support for compressed firmwares 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-01-28 14:44:03 +00:00
Arne Fitzenreiter
c18dda556b kernel: update to 5.15.16 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-01-21 10:06:22 +00:00
Arne Fitzenreiter
65067248d1 kernel: update to 5.15.6 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-12-02 11:34:38 +01:00
Arne Fitzenreiter
ef972dcf7a kernel: update arm config and rootfile (oldconfig) 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-29 09:14:33 +00:00
Arne Fitzenreiter
d4a6dc4270 kernel: update to 5.15.3 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-21 10:56:26 +00:00
Arne Fitzenreiter
96c83b21b3 kernel: update to 5.15.2 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-13 15:25:39 +00:00
Arne Fitzenreiter
db8199076d kernel: increase CMA size to 24MB 
mmc ports need this for DMA transfers.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-10 21:58:44 +00:00
Arne Fitzenreiter
9f3286a9c1 kernel: updated armv6 config 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-10 07:02:58 +00:00
Arne Fitzenreiter
832490f063 kernel: update to 5.10.76 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-10-28 00:39:07 +02:00
Michael Tremer
cbbed5bc14 kernel: Enable all cgroups on all architectures 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:04:36 +00:00
Michael Tremer
9df49966d6 kernel: Zero-init all stack variables by default 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:04:23 +00:00
Michael Tremer
b7ed5dc817 kernel: Enable support for TPM hardware 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:04:14 +00:00
Michael Tremer
9012cffdb6 kernel: Enable ExFAT on all architectures 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:01:02 +00:00
Michael Tremer
340f155649 kernel: Enable frontswap 
"Frontswap provides a “transcendent memory” interface for swap pages. In
some environments, dramatic performance savings may be obtained because
swapped pages are saved in RAM (or a RAM-like device) instead of a swap
disk."

https://www.kernel.org/doc/html/latest/vm/frontswap.html

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:52 +00:00
Michael Tremer
15f53912a1 kernel: Disable network security hooks 
This is a feature we do not use and it should therefore be disabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:41 +00:00
Michael Tremer
c913c9862c kernel: Disable OpenvSwitch 
We do not use this and so we should not build it to save space.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:31 +00:00
Michael Tremer
fef9a33846 kernel: Disable any runtime testing 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:21 +00:00
Michael Tremer
828d3d2525 kernel: Disable SLUB debugging 
This is not necessary on our systems and according to the documentation
will reduce code size of the allocator which will result in better
performance.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:10 +00:00
Michael Tremer
034a2402fc kernel: Enable Pressure Stall Information 
This is a new type of metric to find out what resource is currently a
bottleneck for the whole system. We might use this for graphs.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 13:59:51 +00:00
Michael Tremer
c0932f8fbe kernel: Disable suspending systems to RAM 
We do not make any use of this functionality

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 13:59:06 +00:00
Michael Tremer
0e83b0d03c kernel: Change timer tick to 1000Hz 
This change is required to make the system respond faster to any
realtime events (sending or receiving data packets).

It will wake up at least one core 1000 times a second which will result
in finer timer granularity and make scheduling smoother. HTB for
example sends large packet bursts on each timer even to keep up data
rates which is not helpful for most applications.

The change might increase resource consumption and overhead slightly on
some systems, but since we are running in an idle-dyntick configuration,
we should not keep awake any cores that have not been awake before.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 13:58:57 +00:00
Arne Fitzenreiter
52758d52c3 kernel: update to 5.10.55 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-08-01 11:50:25 +02:00
Arne Fitzenreiter
f696f419ad kernel: update to 5.10.46 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-07-05 07:42:40 +02:00
Arne Fitzenreiter
97500acdb8 kernel: update to 5.10.44 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-07-05 07:42:39 +02:00
Arne Fitzenreiter
aafdd71b04 switch arm 32 bit arch from armv5tel to armv6l 
we have no supported armv5tel board left so we can switch to the higher
arch. This now can use the vpu (still in softfp calling convention to
not break existing installations.)
this fix many compile problems, also boost is now working again.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-07-05 07:42:39 +02:00