bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00

Author	SHA1	Message	Date
Vincent Li	49df562431	ebpf: Enable kernel BPF_EVENTS loxilb or other ebpf program could use bpf_printk for debugging, bpf_printk requires BPF_EVENTS to be enabled, see [0] [0] https://github.com/loxilb-io/loxilb/issues/666#issuecomment-2097850413 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-08 03:26:51 +00:00
Vincent Li	d544247a53	linux: change kernel NR_CPUS to 512 loxilb MAX_CPUS for cpu_map set to 128, BPFire original NR_CPUS 64 result in error: libbpf: map 'cpu_map': failed to create: Argument list too long see https://github.com/loxilb-io/loxilb/issues/661 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-03 16:56:06 +00:00
Vincent Li	d7544e6192	Enable kernel BPF without tracing capability enable kernel BPF XDP/TC capability, no tracing Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-09 01:50:14 +00:00
Vincent Li	d9a8ed29e8	Revert "Enable kernel BPF/BTF" We need to disable BPF trace capability and disallow unprivileged BPF so This reverts commit `d0bd3cc033`. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-08 19:32:11 +00:00
Vincent Li	d0bd3cc033	Enable kernel BPF/BTF enable kernel BPF/BTF build for ebpf/XDP program packet filtering see hack in [1] [1] https://community.ipfire.org/t/how-to-customize-config-kernel-kernel-config-x86-64-ipfire/11100/7 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-01 04:08:01 +00:00
Arne Fitzenreiter	8c43d1481a	kernel: update to 6.6.15 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-02-02 07:52:09 +00:00
Arne Fitzenreiter	0722f42ed2	kernel: update to 6.6.13 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-21 19:10:22 +01:00
Peter Müller	bca096b453	linux: Forbid legacy TIOCSTI usage To quote from the kernel documentation: > Historically the kernel has allowed TIOCSTI, which will push > characters into a controlling TTY. This continues to be used > as a malicious privilege escalation mechanism, and provides no > meaningful real-world utility any more. Its use is considered > a dangerous legacy operation, and can be disabled on most > systems. > > Say Y here only if you have confirmed that your system's > userspace depends on this functionality to continue operating > normally. > > Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can > use TIOCSTI even when this is set to N. > > This functionality can be changed at runtime with the > dev.tty.legacy_tiocsti sysctl. This configuration option sets > the default value of the sysctl. This patch therefore proposes to no longer allow legacy TIOCSTI usage in IPFire, given its security implications and the apparent lack of legitimate usage. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2024-01-16 15:46:37 +00:00
Arne Fitzenreiter	a93525c0ca	kernel: update to 6.6.12 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-16 12:41:08 +01:00
Arne Fitzenreiter	19e66d7e2b	kernel: update to 6.6.11 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-11 10:30:13 +01:00
Arne Fitzenreiter	a2af8c7186	kernel: aarch64: enable CONFIG_SHADOW_CALL_STACK Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-10 06:26:25 +00:00
Arne Fitzenreiter	d303f7c154	kernel: update to 6.6.10 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-07 16:08:31 +01:00
Arne Fitzenreiter	3920ba127f	kernel: update to 6.6.9 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-02 09:54:10 +01:00
Arne Fitzenreiter	bf92e55968	kernel: update to 6.6.8 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-21 13:50:59 +01:00
Arne Fitzenreiter	0108697131	kernel: update to 6.6.6 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-12 21:12:37 +01:00
Arne Fitzenreiter	5109f8ee7f	kernel: update to 6.6.5 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-08 16:12:17 +01:00
Arne Fitzenreiter	a7c9eca495	kernel: update to 6.6.4 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-05 17:17:40 +00:00
Arne Fitzenreiter	941190cb3a	kernel: update to 6.6.3 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-12-05 17:17:35 +00:00
Arne Fitzenreiter	95f9d9350d	kernel: update to 6.6.2 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-05 17:15:48 +00:00
Arne Fitzenreiter	8a37e7f0e3	kernel: update to 6.1.61 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-11-03 14:27:58 +00:00
Arne Fitzenreiter	cfe911bab5	kernel: update to 6.1.60 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-27 08:43:35 +00:00
Arne Fitzenreiter	cce398bca5	kernel: update to 6.1.59 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-25 11:01:30 +00:00
Arne Fitzenreiter	2b834ef42a	kernel: update to 6.1.58 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-25 11:01:30 +00:00
Peter Müller	7f8b75f8ba	linux: Set default IOMMU handling to "strict" on 64-bit ARM This has been our default setting on x86_64 for quite some time now, which is why this patch aligns the aarch64 kernel configuration to that value. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-20 08:44:26 +00:00
Peter Müller	447d0bf51e	linux: Disable io_uring This subsystem has been a frequent source of security vulnerabilities affecting the Linux kernel; as a result, Google announced on June 14, 2023, that they would disable it in their environment as widely as possible. IPFire does not depend on the availability of io_uring. Therefore, disable this subsystem as well in order to preemptively cut attack surface. See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-20 08:44:26 +00:00
Arne Fitzenreiter	554e339b9e	kernel: update to 6.1.57 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-13 08:13:12 +00:00
Arne Fitzenreiter	e275a07b67	kernel: update to 6.1.56 this also builds the dtb files on riscv64 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-09 08:13:02 +00:00
Arne Fitzenreiter	e5ad33d9ee	kernel: update 6.1.53 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-09-28 09:29:29 +00:00
Arne Fitzenreiter	14bd32221e	kernel: update to 6.1.52 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-09-28 09:29:23 +00:00
Arne Fitzenreiter	cd78363404	Merge remote-tracking branch 'origin/master' into next Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-08-12 16:48:54 +02:00
Arne Fitzenreiter	162a068448	kernel: update to 6.1.45 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-08-11 23:25:37 +02:00
Arne Fitzenreiter	57ae9ba587	kernel: update config for riscv64 i had disabled CONFIG_GCC_PLUGIN_LATENT_ENTROPY because this fails to compile on riscv64. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-08-10 06:35:11 +00:00
Arne Fitzenreiter	6084fa89bf	kernel: update to 6.1.42 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-28 16:34:59 +00:00
Arne Fitzenreiter	50c07b4938	kernel: update to 6.1.41 fix for CVE-2023-20593 (Zenbleed) Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-26 16:01:20 +00:00
Arne Fitzenreiter	719864d37e	kernel: update to 6.1.40 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-25 10:39:22 +00:00
Arne Fitzenreiter	f2d5cb7c99	kernel: update to 6.1.39 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-21 09:34:12 +00:00
Peter Müller	e08399ddd3	linux: Trigger a BUG() when corruption of kernel data structures is detected Given that this will merely log such an incident, this can be safely enabled. Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-07-13 14:20:48 +00:00
Peter Müller	c084d8f970	linux: Enable Indirect Branch Tracking by default This became upstream default (see https://www.phoronix.com/news/Linux-IBT-By-Default-Tip for IT news media coverage), and given its security-relevance, we should adopt this setting as well. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-13 14:20:32 +00:00
Arne Fitzenreiter	f7447b1b8e	kernel: update to 6.1.38 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-13 14:20:18 +00:00
Arne Fitzenreiter	1a44c7a638	kernel: update to 6.1.37 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-09 14:57:38 +00:00
Arne Fitzenreiter	25aa552258	kernel: update to 6.1.30 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-30 09:21:34 +00:00
Arne Fitzenreiter	c6c78f8e11	kernel: update to 6.1.29 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-19 12:05:52 +00:00
Arne Fitzenreiter	6a005bd9aa	kernel: update to 6.1.28 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-16 18:53:01 +00:00
Peter Müller	e155e2f999	linux: Compile "Intel XHCI USB Role Switch" as a module on x86_64 From the kernel documentation: > Driver for the internal USB role switch for switching the USB data > lines between the xHCI host controller and the dwc3 gadget controller > found on various Intel SoCs. [...] This may unblock USB-LAN-adaptor usage on certain boards, as reported once in #12750. Overall affected devices seem to be scanty; nevertheless, enabling this as a module only is highly unlikely to cause any harm, so let's give it a try. Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-05-11 20:04:33 +00:00
Arne Fitzenreiter	6a0c5ef65a	kernel: update to 6.1.27 the layer7 patch is rebased to apply without fuzzing. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-03 05:07:17 +00:00
Adolf Belka	15041d628c	kernel.config.aarch64-ipfire: Fix bug#12856 - Add Armada 38X RTC module to be loadable. Fixes: Bug#12856 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>	2023-04-19 09:34:06 +00:00
Peter Müller	6aa0837d24	linux: Update to 6.1.24 Compiling the kernel has automatically introduced CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to be confused with its stackleak counterpart). However, according to related documentation, this neither introduces a security nor performance disadvantage. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-04-19 09:33:38 +00:00
Arne Fitzenreiter	54364fac8c	kernel: update riscv64 config and rootfiles Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-02-21 10:15:36 +00:00
Michael Tremer	39f94ee8eb	Drop support for armv6l (and armv7hl) This removes support for building IPFire for 32 bit ARM architectures. This has been decided in August 2022 with six months notice as there are not very many users and hardware is generally not available any more. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-02-10 09:26:37 +00:00
Peter Müller	1296cdc40b	linux: Align kernel configurations after merging 6.1 branch Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-01-18 23:09:22 +00:00

1 2 3 4 5 ...

576 Commits