bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-21 00:12:58 +02:00

Author	SHA1	Message	Date
Peter Müller	fe803a3f89	Revert "linux: Enable randstruct on ARM as well" This reverts commit `f38e8a35c2`. (Thank you, Arne!)	2022-08-09 10:43:05 +00:00
Peter Müller	26a91db187	Revert "Revert "linux: Do not allow slab caches to be merged"" This reverts commit `1695af3862`. https://lists.ipfire.org/pipermail/development/2022-August/014112.html	2022-08-09 09:29:42 +00:00
Peter Müller	4865b7f6b8	Revert "Revert "kernel: update to 5.15.59"" This reverts commit `f25f1b55af`.	2022-08-08 13:17:30 +00:00
Peter Müller	f25f1b55af	Revert "kernel: update to 5.15.59" This reverts commit `43df4a0373`.	2022-08-08 10:10:35 +00:00
Peter Müller	1695af3862	Revert "linux: Do not allow slab caches to be merged" This reverts commit `06b4164dfe`.	2022-08-08 10:10:17 +00:00
Peter Müller	06b4164dfe	linux: Do not allow slab caches to be merged From the kernel documentation: > For reduced kernel memory fragmentation, slab caches can be > merged when they share the same size and other characteristics. > This carries a risk of kernel heap overflows being able to > overwrite objects from merged caches (and more easily control > cache layout), which makes such heap attacks easier to exploit > by attackers. By keeping caches unmerged, these kinds of exploits > can usually only damage objects in the same cache. [...] Thus, it is more sane to leave slab merging disabled. KSPP and ClipOS recommend this as well. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>	2022-08-06 13:51:02 +00:00
Arne Fitzenreiter	43df4a0373	kernel: update to 5.15.59 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>	2022-08-06 07:45:02 +00:00
Peter Müller	f38e8a35c2	linux: Enable randstruct on ARM as well My fault, again. :-/ Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2022-08-04 12:38:01 +00:00
Peter Müller	494d2b4bf3	linux: Update ARM kernel configuration files Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2022-08-04 12:32:43 +00:00
Peter Müller	38a5d03f59	linux: Enable PCI passthrough for QEMU Fixes: #12754 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2022-08-03 10:57:05 +00:00
Peter Müller	7caecf45fb	linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try Quoted from https://capsule8.com/blog/kernel-configuration-glossary/: > Significance: Critical > > In support of Kernel Address Space Layout Randomization (KASLR) this randomizes > the physical address at which the kernel image is decompressed and the virtual > address where the kernel image is mapped as a security feature that deters > exploit attempts relying on knowledge of the location of kernel code internals. We tried to enable this back in 2020, and failed. Since then, things may have been improved, so let's give this low-hanging fruit another try. Fixes: #12363 Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2022-08-01 10:20:20 +00:00
Peter Müller	0664b1720d	linux: Amend upstream patch to harden mount points of /dev This patch, which has been merged into the mainline Linux kernel, but not yet backported to the 5.15.x tree, precisely addresses our situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT. The only explanation I have for bug #12889 arising _now_ is that some component (dracut, maybe) changed its behaviour regarding remounting of already mounted special file systems. As current dracut won't (re)mount any file system already found to be mounted, this means that the mount options decided by the kernel remained untouched for /dev, hence being weak in terms of options hardening possible. As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes to kernel configurations have been simulated. Fixes: #12889 Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2022-06-25 22:20:48 +00:00
Peter Müller	df9ebc6bbe	linux: Align kernel configurations on ARM Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2022-06-23 07:42:27 +00:00
Peter Müller	883e29630c	Kernel: Disable support for RPC dprintk debugging This is solely needed for debugging of NFS issues. Due to the attack surface it introduces, grsecurity recommends to disable it; as we do not have a strict necessity for this feature, it is best to follow that recommendation for security reasons. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2022-06-13 15:39:23 +00:00
Peter Müller	9b28e9d02b	Kernel: Enable YAMA support See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2022-06-13 15:39:08 +00:00
Arne Fitzenreiter	9fa01e4276	kernel: update to 5.15.35 in kernel 5.15.32 the driver for ATH9K wlan cards is unstable. This is one of the most used cards so we need this update before releasing core167 final. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2022-04-22 12:48:32 +00:00
Peter Müller	250f6efc38	kernel: Do not enforce "integrity" mode of LSM LSM was found to render firmware flashing unusable, and patching out LSM functionality for all features needed (such as /dev/io, direct memory access and probably raw PCI access for older cards), this would effectively render much of LSM's functionality useless as well. For the time being, we do ship LSM, but do not enforce any protection mode. Users hence can run it in "integrity" or even "confidentiality" mode by custom commands; hopefully, we will be able to revert this change at a future point. Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2022-04-21 19:30:42 +00:00
Arne Fitzenreiter	1d563665ed	kernel: run make oldconfig Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2022-04-08 00:27:47 +02:00
Peter Müller	8e1a464d12	Kernel: Enable LSM support and set security level to "integrity" Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2022-04-06 20:04:04 +00:00
Peter Müller	4f4422cc1c	Kernel: Do not automatically load TTY line disciplines, only if necessary Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2022-04-04 19:59:39 +00:00
Peter Müller	bf2d8cb8a0	Kernel: Disable support for tracing block I/O actions This is not needed on IPFire systems, and grsecurity recommends to turn this off. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2022-04-04 19:59:15 +00:00
Peter Müller	26ca63592d	Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits This follows a recommendation by ClipOS, making ASLR bypassing attempts harder. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2022-04-04 19:59:08 +00:00
Arne Fitzenreiter	f978b433e6	kernel: aarch64: enable armv8 optimized crypto Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2022-02-11 17:36:01 +00:00
Arne Fitzenreiter	59ec91c171	kernel: update to 5.15.22 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2022-02-09 12:17:53 +00:00
Arne Fitzenreiter	70c57ed33e	kernel: update to 5.15.21 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2022-02-06 14:09:43 +00:00
Arne Fitzenreiter	d68f875d61	kernel: enable support for compressed firmwares Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2022-01-28 14:44:03 +00:00
Arne Fitzenreiter	e385c965fa	kernel: aarch64 enable KVM support Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2022-01-28 11:24:44 +00:00
Arne Fitzenreiter	c18dda556b	kernel: update to 5.15.16 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2022-01-21 10:06:22 +00:00
Arne Fitzenreiter	65067248d1	kernel: update to 5.15.6 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-12-02 11:34:38 +01:00
Arne Fitzenreiter	ef972dcf7a	kernel: update arm config and rootfile (oldconfig) Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-11-29 09:14:33 +00:00
Arne Fitzenreiter	d4a6dc4270	kernel: update to 5.15.3 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-11-21 10:56:26 +00:00
Arne Fitzenreiter	521e8aa99d	kernel: aarch64 enable ath5k wlan driver Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-11-20 23:38:06 +00:00
Arne Fitzenreiter	96c83b21b3	kernel: update to 5.15.2 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-11-13 15:25:39 +00:00
Arne Fitzenreiter	e196a73096	kernel: update aarch64 config Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-11-11 18:18:23 +00:00
Arne Fitzenreiter	832490f063	kernel: update to 5.10.76 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-10-28 00:39:07 +02:00
Arne Fitzenreiter	58f6264fa4	kernel: update to 5.10.71 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-10-10 06:46:25 +00:00
Arne Fitzenreiter	13e001f5c2	kernel: config for nanopi r2s some drivers does nozt work as module so they are now compiled into main kernel Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-10-08 19:54:29 +00:00
Arne Fitzenreiter	62f705316b	kernel: aarch64 enable drivers for common ROCKCHIP boards thx to Fukan K fixes #12681 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-25 13:19:25 +00:00
Arne Fitzenreiter	a21d6a30ce	kernel: aarch64 oldconfig Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-25 13:07:36 +00:00
Michael Tremer	cbbed5bc14	kernel: Enable all cgroups on all architectures Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:04:36 +00:00
Michael Tremer	9df49966d6	kernel: Zero-init all stack variables by default Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:04:23 +00:00
Michael Tremer	b7ed5dc817	kernel: Enable support for TPM hardware Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:04:14 +00:00
Michael Tremer	9012cffdb6	kernel: Enable ExFAT on all architectures Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:01:02 +00:00
Michael Tremer	340f155649	kernel: Enable frontswap "Frontswap provides a “transcendent memory” interface for swap pages. In some environments, dramatic performance savings may be obtained because swapped pages are saved in RAM (or a RAM-like device) instead of a swap disk." https://www.kernel.org/doc/html/latest/vm/frontswap.html Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:00:52 +00:00
Michael Tremer	15f53912a1	kernel: Disable network security hooks This is a feature we do not use and it should therefore be disabled Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:00:41 +00:00
Michael Tremer	c913c9862c	kernel: Disable OpenvSwitch We do not use this and so we should not build it to save space. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:00:31 +00:00
Michael Tremer	fef9a33846	kernel: Disable any runtime testing Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:00:21 +00:00
Michael Tremer	828d3d2525	kernel: Disable SLUB debugging This is not necessary on our systems and according to the documentation will reduce code size of the allocator which will result in better performance. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 14:00:10 +00:00
Michael Tremer	034a2402fc	kernel: Enable Pressure Stall Information This is a new type of metric to find out what resource is currently a bottleneck for the whole system. We might use this for graphs. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 13:59:51 +00:00
Michael Tremer	c0932f8fbe	kernel: Disable suspending systems to RAM We do not make any use of this functionality Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2021-09-20 13:59:06 +00:00

1 2 3

116 Commits