Commit Graph

389 Commits

Author SHA1 Message Date
Arne Fitzenreiter
73f4e7b4c6 kernel: aarch64: disable SSDT_OVERLAYS
This option was visible by enabling ACPI and is enabled by default, but adds
an attack vector.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-09-18 05:23:18 +00:00
Mathew McBride
e29125d52f kernel: enable ACPI support on ARM64
ACPI (with EFI) is used on ARM systems conforming to the
Server Base Boot Requirements (SBBR) and is optional
on embedded systems (EBBR).

Up to now the ARM64 boards supported by IPFire use U-Boot and
device tree so ACPI was not turned on.

The immediate use case here is to run under virtualization,
using my muvirt project[1] I can run IPFire on our Traverse Ten64
system. For reasons I'll explain separately it is not
currently possible to run stock IPFire on this system.

This change also enables the EFI RTC driver which is presented
by the qemu arm64 virt machine.

Signed-off-by: Mathew McBride <matt@traverse.com.au>

[1] - https://gitlab.com/traversetech/muvirt
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-09-17 18:50:35 +00:00
Arne Fitzenreiter
ce9f979c01 kernel: update to 4.14.195
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-08-31 06:58:32 +02:00
Arne Fitzenreiter
f3a59d63e2 kernel: update to 4.14.184
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-12 16:04:48 +02:00
Peter Müller
92e828b3b0 kernel: disable CONFIG_UPROBES
Quoted from #12433:
> Uprobes is the user-space counterpart to kprobes: they enable instrumentation
> applications (such as 'perf probe') to establish unintrusive probes in
> user-space binaries and libraries, by executing handler functions when the
> probes are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints, managed by the
> kernel and kept transparent to the probed application. )

IMHO this can be safely disabled, as there is little if any need to debug
userspace programs _that_ deeply on an IPFire machine.

Fixes: #12433

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-10 15:18:36 +00:00
Peter Müller
a5e577d083 kernel: enable CONFIG_FORTIFY_SOURCE on armv5tel
Partially fixes: #12369

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-10 15:17:40 +00:00
Peter Müller
3eb393ff2e kernel: enable CONFIG_FORTIFY_SOURCE on aarch64
Partially fixes: #12369

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-10 15:17:24 +00:00
Peter Müller
4ee87ee248 kernel: enable CONFIG_SLUB_DEBUG on aarch64 and armv5tel
Fixes: #12377

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-10 15:16:57 +00:00
Arne Fitzenreiter
325a2680c8 kernel: fix disabling CONFIG_MODIFY_LDT_SYSCALL
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-10 16:21:49 +02:00
Arne Fitzenreiter
2b51e4aeab Revert "kernel: enable CONFIG_RANDOMIZE_BASE on aarch64"
With CONFIG_RANDOMIZE_BASE enabled, the linking of xtables
and maybe other external kernel modules fails on aarch64.

This reverts commit 8379ab44b8.
2020-06-10 16:20:34 +02:00
Peter Müller
e694bbd17f kernel: enable CONFIG_RANDOMIZE_BASE on armv5tel
Partially fixes: #12363

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-09 22:20:26 +00:00
Peter Müller
8379ab44b8 kernel: enable CONFIG_RANDOMIZE_BASE on aarch64
Partially fixes: #12363

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-09 22:19:50 +00:00
Peter Müller
e4d1f96869 kernel: enable CONFIG_HARDENED_USERCOPY on aarch64 and armv5tel
Fixes: #12365

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-09 15:37:33 +00:00
Peter Müller
7617da3bba kernel: enable CONFIG_SECCOMP on aarch64 and armv5tel
Fixes: #12366

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-08 21:22:44 +00:00
Peter Müller
d7174d7c3a kernel: disable CONFIG_ACPI_CUSTOM_METHOD on x86_64 and i586
This is dangerous as it allows replacing the running kernel without
rebooting. Kernel Self Protection Project people recommend keeping it
disabled.

Fixes: #12372

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-08 21:22:32 +00:00
Peter Müller
b1f24c4353 kernel: disable CONFIG_MODIFY_LDT_SYSCALL on i586 and x86_64
Fixes: #12382

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-08 21:22:05 +00:00
Arne Fitzenreiter
a43b370411 kernel: update to 4.14.183
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-04 08:37:00 +02:00
Arne Fitzenreiter
83d5892a86 kernel: drop extra i586-pae kernel
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-02 18:34:44 +02:00
Peter Müller
e6514b3af8 kernel: disable CONFIG_DEBUG_LIST on i586(-pae)
Fixes: #12378

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-02 11:15:51 +00:00
Peter Müller
4264e41a61 kernel: enable CONFIG_SCHED_STACK_END_CHECK on x86_64, armv5tel and aarch64
> This option checks for a stack overrun on calls to schedule(). If the stack
> end location is found to be over written always panic as the content of the
> corrupted region can no longer be trusted. This is to ensure no erroneous
> behaviour occurs which could result in data corruption or a sporadic crash at a
> later stage once the region is examined. The runtime overhead introduced is
> minimal.

Fixes: #12376

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-02 11:15:34 +00:00
Peter Müller
c2749c1bed kernel: disable CONFIG_USELIB on x86_64 and i586(-pae)
> This option enables the uselib syscall a system call used in the dynamic
> linker from libc5 and earlier. glibc does not use this system call. If you
> intend to run programs built on libc5 or earlier you may need to enable this
> syscall. Current systems running glibc can safely disable this.

From my point of view, the last sentence matches our situation.

Fixes: #12379

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-02 11:15:13 +00:00
Peter Müller
b5e1ccaee2 kernel: enable CONFIG_DEBUG_WX on aarch64
Since this is described as 'Generate a warning if any W+X mappings are
found at boot.', it most likely does not break anything and can be
safely enabled.

Fixes: #12373

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-02 11:14:50 +00:00
Peter Müller
efd508e9f6 kernel: enable page poisoning on x86_64
This is already active on i586 and prevents information leaks from freed
data.

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-02 11:14:15 +00:00
Peter Müller
442a7f5ea2 Kernel: drop Memstick support
These are not needed anymore since Sony announced EOL in 2010 and there
is no legitimate use case for such hardware on a firewall system.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-02 11:13:14 +00:00
Peter Müller
90ecad4f66 Kernel: drop bluetooth support
The bluetooth addon was recently removed by commit
592be1d206, which is why we do not need to
carry the corresponding kernel modules around anymore.

The second version of this patch correctly updates kernel configuration
files via "make oldconfig" as requested by Arne.

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-06-02 11:12:58 +00:00
Arne Fitzenreiter
831ff05d89 kernel: enable and enforce signed kernel modules
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-02-06 15:09:52 +01:00
Arne Fitzenreiter
57b17167eb kernel: drop kirkwood kernel
perl 5.30 will not work on the kirkwood platform and fireinfo reports fewer than 10 users, so we will drop support for the platform.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-02-03 17:44:49 +00:00
Arne Fitzenreiter
bf671bb2ae kernel: update to 4.14.154
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-14 21:23:08 +00:00
Michael Tremer
951a9f9ba0 linux+iptables: Drop support for IMQ
This is no longer needed since we are using IFB now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-21 18:58:08 +00:00
Arne Fitzenreiter
c27fdd8697 Revert "linux+iptables: Drop support for IMQ"
This reverts commit 59b9a6bd22.
2019-10-20 20:20:26 +00:00
Arne Fitzenreiter
596c71d07f kernel: update to 4.14.150
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-18 23:07:44 +02:00
Michael Tremer
59b9a6bd22 linux+iptables: Drop support for IMQ
This is no longer needed since we are using IFB now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 18:02:55 +00:00
Arne Fitzenreiter
69cf4f3065 kernel: update to 4.14.146
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-09-21 20:44:52 +02:00
Arne Fitzenreiter
3b415347bb kernel: update to 4.14.137
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-07 20:38:25 +00:00
Arne Fitzenreiter
70590cef48 Kernel: update to 4.14.128
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-06-19 21:01:29 +02:00
Arne Fitzenreiter
716f00b116 kernel: update to 4.14.121
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-05-21 20:42:51 +02:00
Arne Fitzenreiter
16cb73d901 kernel: update to 4.14.120
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-05-17 07:10:52 +02:00
Arne Fitzenreiter
d099196501 kernel: update to 4.14.119
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-05-16 14:26:04 +02:00
Arne Fitzenreiter
5fa063f859 kernel: update to 4.14.112
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-04-17 22:30:19 +02:00
Arne Fitzenreiter
f2afd5e70d kernel: update to 4.14.111
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-04-08 21:47:23 +02:00
Arne Fitzenreiter
aa20f1b277 kernel: update to 4.14.110
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-04-05 07:46:34 +02:00
Michael Tremer
48d3cde9ce kernel: Disable some debugging in expectation to increase performance
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-04-01 21:58:23 +01:00
Michael Tremer
474a6a5978 kernel: Enable strict checks for /dev/mem
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-04-01 21:55:03 +01:00
Michael Tremer
30c33cb318 kernel: Enable debugging for Atheros drivers
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-03-16 12:36:03 +00:00
Michael Tremer
62bf7bd2b2 kernel: Enable DFS support for ath*k drivers
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-03-16 12:36:03 +00:00
Matthias Fischer
256070e92f Added 'CONFIG_X86_MSR=y' for 'powertop' to i586 and x86_64 builds for fixing #11997
Triggered by:
https://forum.ipfire.org/viewtopic.php?f=69&t=22274

This - probably - fixes Bug #11997.

Needs testing on 64bit installations!

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-17 13:03:56 +00:00
Arne Fitzenreiter
2caca41217 kernel: enable PCA953X GPIO extender for ClearFog boards
fixes: #12000

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-02-16 21:44:52 +01:00
Arne Fitzenreiter
329788dee5 kernel: update to 4.14.97
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-02-03 12:45:52 +01:00
Arne Fitzenreiter
ec7d630b62 kernel: x86_64 increase NR_CPUS to 64
fixes #11963

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-01-22 07:46:08 +01:00
Arne Fitzenreiter
503a6f155b kernel: update to 4.14.94
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-01-22 07:41:18 +01:00