webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-11 11:35:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
21,222 Commits 2 Branches 1 Tag
da4e2fc635f14d2b0964de8e1e8aeb4a1a34d1ec
Commit Graph

564 Commits

Author SHA1 Message Date
Arne Fitzenreiter
3920ba127f kernel: update to 6.6.9 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-02 09:54:10 +01:00
Arne Fitzenreiter
bf92e55968 kernel: update to 6.6.8 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-21 13:50:59 +01:00
Arne Fitzenreiter
0108697131 kernel: update to 6.6.6 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-12 21:12:37 +01:00
Arne Fitzenreiter
5109f8ee7f kernel: update to 6.6.5 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-08 16:12:17 +01:00
Arne Fitzenreiter
a7c9eca495 kernel: update to 6.6.4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-05 17:17:40 +00:00
Arne Fitzenreiter
941190cb3a kernel: update to 6.6.3 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-12-05 17:17:35 +00:00
Arne Fitzenreiter
95f9d9350d kernel: update to 6.6.2 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-05 17:15:48 +00:00
Arne Fitzenreiter
8a37e7f0e3 kernel: update to 6.1.61 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-11-03 14:27:58 +00:00
Arne Fitzenreiter
cfe911bab5 kernel: update to 6.1.60 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-27 08:43:35 +00:00
Arne Fitzenreiter
cce398bca5 kernel: update to 6.1.59 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-25 11:01:30 +00:00
Arne Fitzenreiter
2b834ef42a kernel: update to 6.1.58 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-25 11:01:30 +00:00
Peter Müller
7f8b75f8ba linux: Set default IOMMU handling to "strict" on 64-bit ARM 
This has been our default setting on x86_64 for quite some time now,
which is why this patch aligns the aarch64 kernel configuration to that
value.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-20 08:44:26 +00:00
Peter Müller
447d0bf51e linux: Disable io_uring 
This subsystem has been a frequent source of security vulnerabilities
affecting the Linux kernel; as a result, Google announced on June 14,
2023, that they would disable it in their environment as widely as
possible.

IPFire does not depend on the availability of io_uring. Therefore,
disable this subsystem as well in order to preemptively cut attack
surface.

See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-20 08:44:26 +00:00
Arne Fitzenreiter
554e339b9e kernel: update to 6.1.57 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-13 08:13:12 +00:00
Arne Fitzenreiter
e275a07b67 kernel: update to 6.1.56 
this also builds the dtb files on riscv64

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-09 08:13:02 +00:00
Arne Fitzenreiter
e5ad33d9ee kernel: update 6.1.53 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-09-28 09:29:29 +00:00
Arne Fitzenreiter
14bd32221e kernel: update to 6.1.52 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-09-28 09:29:23 +00:00
Arne Fitzenreiter
cd78363404 Merge remote-tracking branch 'origin/master' into next 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-08-12 16:48:54 +02:00
Arne Fitzenreiter
162a068448 kernel: update to 6.1.45 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-08-11 23:25:37 +02:00
Arne Fitzenreiter
57ae9ba587 kernel: update config for riscv64 
i had disabled CONFIG_GCC_PLUGIN_LATENT_ENTROPY because this
fails to compile on riscv64.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-08-10 06:35:11 +00:00
Arne Fitzenreiter
6084fa89bf kernel: update to 6.1.42 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-28 16:34:59 +00:00
Arne Fitzenreiter
50c07b4938 kernel: update to 6.1.41 
fix for CVE-2023-20593 (Zenbleed)

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-26 16:01:20 +00:00
Arne Fitzenreiter
719864d37e kernel: update to 6.1.40 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-25 10:39:22 +00:00
Arne Fitzenreiter
f2d5cb7c99 kernel: update to 6.1.39 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-21 09:34:12 +00:00
Peter Müller
e08399ddd3 linux: Trigger a BUG() when corruption of kernel data structures is detected 
Given that this will merely log such an incident, this can be safely
enabled.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-07-13 14:20:48 +00:00
Peter Müller
c084d8f970 linux: Enable Indirect Branch Tracking by default 
This became upstream default (see
https://www.phoronix.com/news/Linux-IBT-By-Default-Tip for IT news media
coverage), and given its security-relevance, we should adopt this
setting as well.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-13 14:20:32 +00:00
Arne Fitzenreiter
f7447b1b8e kernel: update to 6.1.38 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-13 14:20:18 +00:00
Arne Fitzenreiter
1a44c7a638 kernel: update to 6.1.37 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-09 14:57:38 +00:00
Arne Fitzenreiter
25aa552258 kernel: update to 6.1.30 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-05-30 09:21:34 +00:00
Arne Fitzenreiter
c6c78f8e11 kernel: update to 6.1.29 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-05-19 12:05:52 +00:00
Arne Fitzenreiter
6a005bd9aa kernel: update to 6.1.28 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-05-16 18:53:01 +00:00
Peter Müller
e155e2f999 linux: Compile "Intel XHCI USB Role Switch" as a module on x86_64 
From the kernel documentation:

> Driver for the internal USB role switch for switching the USB data
> lines between the xHCI host controller and the dwc3 gadget controller
> found on various Intel SoCs. [...]

This may unblock USB-LAN-adaptor usage on certain boards, as reported
once in #12750. Overall affected devices seem to be scanty;
nevertheless, enabling this as a module only is highly unlikely to cause
any harm, so let's give it a try.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-05-11 20:04:33 +00:00
Arne Fitzenreiter
6a0c5ef65a kernel: update to 6.1.27 
the layer7 patch is rebased to apply without fuzzing.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-05-03 05:07:17 +00:00
Adolf Belka
15041d628c kernel.config.aarch64-ipfire: Fix bug#12856 - Add Armada 38X RTC module to be loadable. 
Fixes: Bug#12856
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
 2023-04-19 09:34:06 +00:00
Peter Müller
6aa0837d24 linux: Update to 6.1.24 
Compiling the kernel has automatically introduced
CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to
be confused with its stackleak counterpart). However, according to
related documentation, this neither introduces a security nor
performance disadvantage.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-04-19 09:33:38 +00:00
Arne Fitzenreiter
54364fac8c kernel: update riscv64 config and rootfiles 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-02-21 10:15:36 +00:00
Michael Tremer
39f94ee8eb Drop support for armv6l (and armv7hl) 
This removes support for building IPFire for 32 bit ARM architectures.

This has been decided in August 2022 with six months notice as there are
not very many users and hardware is generally not available any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-02-10 09:26:37 +00:00
Peter Müller
1296cdc40b linux: Align kernel configurations after merging 6.1 branch 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-01-18 23:09:22 +00:00
Arne Fitzenreiter
3e066f550b kernel: update rootfiles and config 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-01-15 09:19:25 +00:00
Arne Fitzenreiter
6535255270 kernel: update to 6.1.3 
the kernel-6.1.x series should be the next lts series...
 2023-01-08 10:08:33 +00:00
Peter Müller
5f2d660967 linux: Align ARM rootfiles and configurations 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-01-05 10:11:01 +00:00
Peter Müller
f46f939827 linux: Update configuration files and x86_64 rootfile 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-01-04 21:26:43 +00:00
Peter Müller
6647dd5c5c linux: Disable the latent entropy plugin 
It does not generate cryptographically secure entropy.

Backported from IPFire 3.x as 6aea180b26906f001611dcc0c54f494818069d8c.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-01-03 16:11:56 +00:00
Peter Müller
00efe232b7 linux: Disable syscalls that allows processes to r/w other processes' memory 
Backported from IPFire 3.x as 48931178ff83911c5bbc86194dea694845ae1608.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-01-03 16:11:20 +00:00
Peter Müller
a5fbbcf464 linux: Disable some character devices that do not make sense 
Inspired by IPFire 3.x (commit 472fb5fa6b1f77a2166407a8936fda6c8cbdb80b).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-01-03 16:10:53 +00:00
Peter Müller
440e2c2e68 linux: Disable all sorts of useless Device Mapper targets 
This patch also compiles all sorts of device mapper stuff as modules.

Backported from IPFire 3.x as 6fe31a44d07d8705ca7713c449ccbb3dbb9684a0.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-01-03 16:10:28 +00:00
Peter Müller
0186d8d0e1 linux: Disable ACPI configfs support 
This is disabled in IPFire 3.x, and projects such as grsecurity
recommend doing so for security reasons as well. Also, skimming through
our source code, there is no point where this ACPI configfs would have
been explicitly mounted, which leads to the assumption that we never
used it anyway.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-01-03 16:09:25 +00:00
Peter Müller
41d58ef4f3 linux: Enable Landlock support 
From the kernel's documentation:

> Landlock is a sandboxing mechanism that enables processes to restrict
> themselves (and their future children) by gradually enforcing
> tailored access control policies. A Landlock security policy is a
> set of access rights (e.g. open a file in read-only, make a
> directory, etc.) tied to a file hierarchy. Such policy can be
> configured and enforced by any processes for themselves using the
> dedicated system calls: landlock_create_ruleset(),
> landlock_add_rule(), and landlock_restrict_self().

There is no harm in enabling this security feature, so applications
supporting Landlock can benefit from it.

Rolled forward from https://patchwork.ipfire.org/project/ipfire/patch/d7ac0caf-5a7c-bcca-6293-16c773523942@ipfire.org/
to submit all kernel-related changes as a single patchset.

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-01-03 16:09:02 +00:00
Peter Müller
7a39018219 linux: Wipe all memory when rebooting on EFI 
Backported from IPFire 3.x as 49242a5661a550b370fff56f893df0983700ef32.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-01-03 16:08:38 +00:00
Peter Müller
0548bad00a linux: Disable the entire PCMCIA/CardBus subsystem 
Backported from IPFire 3.x as 3d9d44ddaec6b32eaa5c0fc6470ec61d23e61f92.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-01-03 16:08:03 +00:00