webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-21 08:22:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
21,222 Commits 2 Branches 1 Tag
da4e2fc635f14d2b0964de8e1e8aeb4a1a34d1ec
Commit Graph

156 Commits

Author SHA1 Message Date
Arne Fitzenreiter
3920ba127f kernel: update to 6.6.9 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-02 09:54:10 +01:00
Arne Fitzenreiter
bf92e55968 kernel: update to 6.6.8 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-21 13:50:59 +01:00
Arne Fitzenreiter
0108697131 kernel: update to 6.6.6 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-12 21:12:37 +01:00
Arne Fitzenreiter
5109f8ee7f kernel: update to 6.6.5 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-08 16:12:17 +01:00
Arne Fitzenreiter
a7c9eca495 kernel: update to 6.6.4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-05 17:17:40 +00:00
Arne Fitzenreiter
941190cb3a kernel: update to 6.6.3 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-12-05 17:17:35 +00:00
Arne Fitzenreiter
95f9d9350d kernel: update to 6.6.2 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-05 17:15:48 +00:00
Arne Fitzenreiter
8a37e7f0e3 kernel: update to 6.1.61 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-11-03 14:27:58 +00:00
Arne Fitzenreiter
cfe911bab5 kernel: update to 6.1.60 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-27 08:43:35 +00:00
Arne Fitzenreiter
cce398bca5 kernel: update to 6.1.59 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-25 11:01:30 +00:00
Arne Fitzenreiter
2b834ef42a kernel: update to 6.1.58 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-25 11:01:30 +00:00
Peter Müller
7f8b75f8ba linux: Set default IOMMU handling to "strict" on 64-bit ARM 
This has been our default setting on x86_64 for quite some time now,
which is why this patch aligns the aarch64 kernel configuration to that
value.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-20 08:44:26 +00:00
Peter Müller
447d0bf51e linux: Disable io_uring 
This subsystem has been a frequent source of security vulnerabilities
affecting the Linux kernel; as a result, Google announced on June 14,
2023, that they would disable it in their environment as widely as
possible.

IPFire does not depend on the availability of io_uring. Therefore,
disable this subsystem as well in order to preemptively cut attack
surface.

See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-20 08:44:26 +00:00
Arne Fitzenreiter
554e339b9e kernel: update to 6.1.57 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-13 08:13:12 +00:00
Arne Fitzenreiter
e275a07b67 kernel: update to 6.1.56 
this also builds the dtb files on riscv64

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-09 08:13:02 +00:00
Arne Fitzenreiter
e5ad33d9ee kernel: update 6.1.53 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-09-28 09:29:29 +00:00
Arne Fitzenreiter
14bd32221e kernel: update to 6.1.52 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-09-28 09:29:23 +00:00
Arne Fitzenreiter
162a068448 kernel: update to 6.1.45 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-08-11 23:25:37 +02:00
Arne Fitzenreiter
50c07b4938 kernel: update to 6.1.41 
fix for CVE-2023-20593 (Zenbleed)

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-26 16:01:20 +00:00
Arne Fitzenreiter
719864d37e kernel: update to 6.1.40 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-25 10:39:22 +00:00
Arne Fitzenreiter
f2d5cb7c99 kernel: update to 6.1.39 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-21 09:34:12 +00:00
Peter Müller
e08399ddd3 linux: Trigger a BUG() when corruption of kernel data structures is detected 
Given that this will merely log such an incident, this can be safely
enabled.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-07-13 14:20:48 +00:00
Arne Fitzenreiter
f7447b1b8e kernel: update to 6.1.38 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-13 14:20:18 +00:00
Arne Fitzenreiter
1a44c7a638 kernel: update to 6.1.37 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-09 14:57:38 +00:00
Arne Fitzenreiter
25aa552258 kernel: update to 6.1.30 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-05-30 09:21:34 +00:00
Arne Fitzenreiter
c6c78f8e11 kernel: update to 6.1.29 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-05-19 12:05:52 +00:00
Arne Fitzenreiter
6a005bd9aa kernel: update to 6.1.28 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-05-16 18:53:01 +00:00
Arne Fitzenreiter
6a0c5ef65a kernel: update to 6.1.27 
the layer7 patch is rebased to apply without fuzzing.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-05-03 05:07:17 +00:00
Adolf Belka
15041d628c kernel.config.aarch64-ipfire: Fix bug#12856 - Add Armada 38X RTC module to be loadable. 
Fixes: Bug#12856
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
 2023-04-19 09:34:06 +00:00
Peter Müller
6aa0837d24 linux: Update to 6.1.24 
Compiling the kernel has automatically introduced
CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to
be confused with its stackleak counterpart). However, according to
related documentation, this neither introduces a security nor
performance disadvantage.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-04-19 09:33:38 +00:00
Peter Müller
1296cdc40b linux: Align kernel configurations after merging 6.1 branch 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-01-18 23:09:22 +00:00
Arne Fitzenreiter
3e066f550b kernel: update rootfiles and config 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-01-15 09:19:25 +00:00
Arne Fitzenreiter
6535255270 kernel: update to 6.1.3 
the kernel-6.1.x series should be the next lts series...
 2023-01-08 10:08:33 +00:00
Peter Müller
5f2d660967 linux: Align ARM rootfiles and configurations 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-01-05 10:11:01 +00:00
Peter Müller
f46f939827 linux: Update configuration files and x86_64 rootfile 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-01-04 21:26:43 +00:00
Mathew McBride
8399123461 linux: enable options for NXP Layerscape 
This change enables support for NXP's QorIQ/Layerscape platforms,
specifically the Traverse Technologies Ten64 (LS1088A).

Signed-off-by: Mathew McBride <matt@traverse.com.au>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-10-04 14:45:19 +00:00
Peter Müller
16eb2d5379 linux: Enable seccomp filter on ARM 
Since last time we checked, the kernel's security features on ARM have
improved notably (see CONFIG_RANDOMIZE_BASE discussion). This patch
therefore proposes to give the seccomp filter on both 32- and 64-bit ARM
another try, since it provides significant security benefit to
applications using it.

Due to operational constraints, rootfile changes have been omitted, and
will be conducted, should this patch be approved.

Note to future self: Once this patch is approved, applications using
seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.

Fixes: #12366
Fixes: #12370
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-10-03 21:57:47 +00:00
Peter Müller
25a3d87645 linux: Remove user-space probe support 
From the kernels' documentation:

> Uprobes is the user-space counterpart to kprobes: they
> enable instrumentation applications (such as 'perf probe')
> to establish unintrusive probes in user-space binaries and
> libraries, by executing handler functions when the probes
> are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints,
> managed by the kernel and kept transparent to the probed
> application. )

To the best of the authors' understanding, no application on IPFire
needs this functionality, and given its abuse potential, we should
probably not enable it.

As expected, strace functionality is not impaired by this.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-10-03 16:52:09 +00:00
Peter Müller
abb185bf5a linux: Align configurations and rootfiles for ARM 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-09-21 13:36:59 +00:00
Peter Müller
d33651d74f linux: Prepare CONFIG_DEBUG_FS disabling on non-x86_64 architectures 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-09-20 14:30:28 +00:00
Peter Müller
fe803a3f89 Revert "linux: Enable randstruct on ARM as well" 
This reverts commit f38e8a35c2.

(Thank you, Arne!)
 2022-08-09 10:43:05 +00:00
Peter Müller
26a91db187 Revert "Revert "linux: Do not allow slab caches to be merged"" 
This reverts commit 1695af3862.

https://lists.ipfire.org/pipermail/development/2022-August/014112.html
 2022-08-09 09:29:42 +00:00
Peter Müller
4865b7f6b8 Revert "Revert "kernel: update to 5.15.59"" 
This reverts commit f25f1b55af.
 2022-08-08 13:17:30 +00:00
Peter Müller
f25f1b55af Revert "kernel: update to 5.15.59" 
This reverts commit 43df4a0373.
 2022-08-08 10:10:35 +00:00
Peter Müller
1695af3862 Revert "linux: Do not allow slab caches to be merged" 
This reverts commit 06b4164dfe.
 2022-08-08 10:10:17 +00:00
Peter Müller
06b4164dfe linux: Do not allow slab caches to be merged 
From the kernel documentation:

> For reduced kernel memory fragmentation, slab caches can be
> merged when they share the same size and other characteristics.
> This carries a risk of kernel heap overflows being able to
> overwrite objects from merged caches (and more easily control
> cache layout), which makes such heap attacks easier to exploit
> by attackers. By keeping caches unmerged, these kinds of exploits
> can usually only damage objects in the same cache. [...]

Thus, it is more sane to leave slab merging disabled. KSPP and ClipOS
recommend this as well.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-08-06 13:51:02 +00:00
Arne Fitzenreiter
43df4a0373 kernel: update to 5.15.59 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
 2022-08-06 07:45:02 +00:00
Peter Müller
f38e8a35c2 linux: Enable randstruct on ARM as well 
My fault, again. :-/

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-08-04 12:38:01 +00:00
Peter Müller
494d2b4bf3 linux: Update ARM kernel configuration files 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-08-04 12:32:43 +00:00
Peter Müller
38a5d03f59 linux: Enable PCI passthrough for QEMU 
Fixes: #12754
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-08-03 10:57:05 +00:00