bpfire/lfs/linux

###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

###############################################################################
# Definitions
###############################################################################

include Config

VER         = 5.15.23
ARM_PATCHES = 5.15-ipfire5

THISAPP    = linux-$(VER)
DL_FILE    = linux-$(VER).tar.xz
DL_FROM    = $(URL_IPFIRE)
DIR_APP    = $(DIR_SRC)/$(THISAPP)
CFLAGS     =
CXXFLAGS   =

HEADERS_ARCH  = $(BUILD_PLATFORM)
KERNEL_ARCH   = $(BUILD_ARCH)
KERNEL_TARGET = bzImage

ifeq "$(BUILD_ARCH)" "aarch64"
	HEADERS_ARCH = arm64
	KERNEL_ARCH  = arm64
	KERNEL_TARGET = Image
endif

ifeq "$(BUILD_ARCH)" "armv6l"
	KERNEL_ARCH  = arm
	KERNEL_TARGET = zImage
endif

ifeq "$(BUILD_ARCH)" "riscv64"
	KERNEL_ARCH   = riscv
	KERNEL_TARGET = Image.gz
endif

VERSUFIX=ipfire$(KCFG)

ifeq "$(TOOLCHAIN)" "1"
	TARGET = $(DIR_INFO)/linux-$(VER)-$(VERSUFIX)-tools
	HEADERS_PREFIX = $(TOOLS_DIR)
	EXTRAMAKE = CROSS_COMPILE=$(CROSSTARGET)-
else
	TARGET = $(DIR_INFO)/linux-$(VER)-$(VERSUFIX)
	HEADERS_PREFIX = /usr
endif

ifeq "$(KCFG)" ""
LASTKERNEL=1
endif

###############################################################################
# Top-level Rules
###############################################################################
objects =$(DL_FILE) \
	arm-multi-patches-$(ARM_PATCHES).patch.xz

$(DL_FILE)					= $(URL_IPFIRE)/$(DL_FILE)
arm-multi-patches-$(ARM_PATCHES).patch.xz	= $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz

$(DL_FILE)_BLAKE2 = 36be53585e67350496a84438712d35e488b745e85b6981f51448d9b19fe30cce9968ef486defd8a68f556e2518d010bf6f63dbf2bf7a504e25568e71c3aecacc
arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0

install : $(TARGET)

check : $(patsubst %,$(DIR_CHK)/%,$(objects))

download :$(patsubst %,$(DIR_DL)/%,$(objects))

b2 : $(subst %,%_BLAKE2,$(objects))

dist:
	@$(PAK)

###############################################################################
# Downloading, checking, b2sum
###############################################################################

$(patsubst %,$(DIR_CHK)/%,$(objects)) :
	@$(CHECK)

$(patsubst %,$(DIR_DL)/%,$(objects)) :
	@$(LOAD)

$(subst %,%_BLAKE2,$(objects)) :
	@$(B2SUM)

###############################################################################
# Installation Details
###############################################################################

$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
	@$(PREBUILD)
	@rm -rf $(DIR_APP) $(DIR_SRC)/linux && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)

	ln -svf linux-$(VER) $(DIR_SRC)/linux

	# Layer7-patch
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-layer7.patch

	# DVB Patches
	cd $(DIR_APP) && patch -Np2 < $(DIR_SRC)/src/patches/v4l-dvb_fix_tua6034_pll.patch

	# Wlan Patches
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14_ath_user_regd.patch
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9.8-iwlwifi-noibss_only_on_radar_chan.patch

	# Fix igb and e1000e crash
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.1-igb-e1000e_fix_lock_at_update_stats.patch

	# cs5535audio spams syslog if no ac97 was present (geos router)
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9.8_cs5535audio_fix_logspam_on_geos.patch

	# Fix uevent PHYSDEVDRIVER
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-2.6.32.27_mcs7830-fix-driver-name.patch

	# fix Boot with enabled usercopy hardening
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch

	# Patch performance monitoring restrictions to allow further hardening
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch

ifeq "$(BUILD_ARCH)" "armv6l"
	# Apply Arm-multiarch kernel patches.
	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
endif
ifeq "$(BUILD_ARCH)" "aarch64"
	# Apply Arm-multiarch kernel patches.
	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
endif
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-3.14.79-amba-fix.patch

	# Fix for CVE-2022-0847 aka Dirty Pipe
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/kernel-5.15-CVE-2022-0847.patch

ifeq "$(KCFG)" "-headers"
	# Install the header files
	cd $(DIR_APP) && make ARCH=$(HEADERS_ARCH) $(EXTRAMAKE) headers
	-mkdir -pv $(BUILDROOT)/$(HEADERS_PREFIX)/include
	cd $(DIR_APP) && find usr/include -name '.*' -delete
	cd $(DIR_APP) && rm usr/include/Makefile
	cd $(DIR_APP) && cp -rv usr/include/* $(BUILDROOT)/$(HEADERS_PREFIX)/include
else

	# Install ipfire logo
	cd $(DIR_APP) && cp -vf $(DIR_SRC)/config/kernel/ipfire_logo.ppm \
		drivers/video/logo/logo_linux_clut224.ppm

	# Cleanup kernel source
	cp $(DIR_SRC)/config/kernel/kernel.config.$(BUILD_ARCH)-$(VERSUFIX) $(DIR_APP)/.config
	cd $(DIR_APP) && make oldconfig
	cd $(DIR_APP) && make clean
	cd $(DIR_APP) && sed -i -e 's/EXTRAVERSION\ =.*/EXTRAVERSION\ =\ -$(VERSUFIX)/' Makefile

	# Copy Module signing key configuration
	cp -f $(DIR_SRC)/config/kernel/x509.genkey $(DIR_APP)/certs/x509.genkey

	# Remove modules folder if exists
	rm -rf /lib/modules/$(VER)-$(VERSUFIX)

	# Build the kernel
	cd $(DIR_APP) && make $(MAKETUNING) $(KERNEL_TARGET) modules

	# Install the kernel
	cd $(DIR_APP) && cp -v arch/$(KERNEL_ARCH)/boot/$(KERNEL_TARGET) /boot/vmlinuz-$(VER)-$(VERSUFIX)
	cd $(DIR_APP) && cp -v System.map /boot/System.map-$(VER)-$(VERSUFIX)
	cd $(DIR_APP) && cp -v .config /boot/config-$(VER)-$(VERSUFIX)
	cd $(DIR_APP) && make $(MAKETUNING) modules_install

ifeq "$(BUILD_PLATFORM)" "arm"
	cd $(DIR_APP) && make $(MAKETUNING) dtbs
	mkdir -p /boot/dtb-$(VER)-$(VERSUFIX)
	cd $(DIR_APP)/arch/$(KERNEL_ARCH)/boot/dts && for f in $$(find -name "*.dtb"); do \
				cp -v --parents $$f /boot/dtb-$(VER)-$(VERSUFIX)/ ; \
				chmod 644 /boot/dtb-$(VER)-$(VERSUFIX)/$$f ; \
			done
endif

	# Recreate source and build links
	rm -rf /lib/modules/$(VER)-$(VERSUFIX)/{build,source}
	mkdir -p /lib/modules/$(VER)-$(VERSUFIX)/build
	ln -sf build /lib/modules/$(VER)-$(VERSUFIX)/source

	# Create dirs for extra modules
	mkdir -p /lib/modules/$(VER)-$(VERSUFIX)/extra

	cd $(DIR_APP) && cp --parents $$(find -type f -name "Makefile*" -o -name "Kconfig*") \
		/lib/modules/$(VER)-$(VERSUFIX)/build
	cd $(DIR_APP) && cp Module.symvers System.map /lib/modules/$(VER)-$(VERSUFIX)/build
	rm -rf /lib/modules/$(VER)-$(VERSUFIX)/build/{Documentation,scripts,include}

	cd $(DIR_APP) && cp .config /lib/modules/$(VER)-$(VERSUFIX)/build
	cd $(DIR_APP) && cp -a scripts /lib/modules/$(VER)-$(VERSUFIX)/build
	find /lib/modules/$(VER)-$(VERSUFIX)/build/scripts -name "*.o" -exec rm -vf {} \;

	cd $(DIR_APP) && cp -a --parents arch/$(HEADERS_ARCH)/include /lib/modules/$(VER)-$(VERSUFIX)/build
	cd $(DIR_APP) && cp -a include /lib/modules/$(VER)-$(VERSUFIX)/build/include

	# Copy module signing key for off tree modules
	cd $(DIR_APP) && cp -f certs/signing_key.* /lib/modules/$(VER)-$(VERSUFIX)/build/certs/

	# Install objtool
	cd $(DIR_APP) && cp -a tools/objtool/objtool \
		/lib/modules/$(VER)-$(VERSUFIX)/build/tools/objtool/ || :
	cd $(DIR_APP) && cp -a --parents tools/build/{Build,Build.include,fixdep.c} \
		tools/scripts/utilities.mak /lib/modules/$(VER)-$(VERSUFIX)/build

	# Make sure we can build external modules
	touch -r /lib/modules/$(VER)-$(VERSUFIX)/build/Makefile \
		/lib/modules/$(VER)-$(VERSUFIX)/build/include/generated/uapi/linux/version.h
	touch -r /lib/modules/$(VER)-$(VERSUFIX)/build/.config \
		/lib/modules/$(VER)-$(VERSUFIX)/build/autoconf.h
	cp /lib/modules/$(VER)-$(VERSUFIX)/build/.config \
		/lib/modules/$(VER)-$(VERSUFIX)/build/include/config/auto.conf

	# Fix permissions
	find /lib/modules/$(VER)-$(VERSUFIX) -name "modules.order" \
		-exec chmod 644 {} \;

	find /lib/modules/$(VER)-$(VERSUFIX) -name ".*.cmd" -exec rm -f {} \;

ifeq "$(LASTKERNEL)" "1"
	# Only do this once
	cd $(DIR_APP) && install -m 755 usr/gen_init_cpio /sbin/

	# disable drm by install drm to /bin/false because i915 ignore blacklisting
	echo install drm /bin/false > /etc/modprobe.d/framebuffer.conf

	# Blacklist old framebuffer modules
	for f in $$(find /lib/modules/$(VER)-$(VERSUFIX)/kernel/drivers/video/fbdev/ -name *.ko.xz); do \
		echo "blacklist $$(basename $$f)" >> /etc/modprobe.d/framebuffer.conf ; \
	done
	# Blacklist new drm framebuffer modules
	for f in $$(find /lib/modules/$(VER)-$(VERSUFIX)/kernel/drivers/gpu/drm -name *.ko.xz); do \
		echo "blacklist $$(basename $$f)" >> /etc/modprobe.d/framebuffer.conf ; \
	done
	sed -i -e "s|.ko.xz||g" /etc/modprobe.d/framebuffer.conf

	# Disable ipv6 at runtime
	echo "options ipv6 disable_ipv6=1" > /etc/modprobe.d/ipv6.conf
endif
endif

	#force new build of external modules and initrd if the kernel was rebuild
	-rm -f /usr/src/log/*-kmod-$(VER)-$(VERSUFIX)
	-rm -f /usr/src/log/linux-initrd-$(VER)-$(VERSUFIX)

	@rm -rf $(DIR_APP) $(DIR_SRC)/linux
	@$(POSTBUILD)