From d67a07b8f09ff005ce45c3970199796b8888ca6b Mon Sep 17 00:00:00 2001 
From: Adrian Vladu Date: Mon, 9 Sep 2024 15:54:57 +0000 Subject: [PATCH 1/9] kernel: upgrade from 6.6 to 6.12.20 --- ....6.89.ebuild => hv-daemons-6.12.20.ebuild} | 0 ...89.ebuild => coreos-kernel-6.12.20.ebuild} | 0 ...9.ebuild => coreos-modules-6.12.20.ebuild} | 0 ...d64_defconfig-6.6 => amd64_defconfig-6.12} | 0 ...m64_defconfig-6.6 => arm64_defconfig-6.12} | 0 .../{commonconfig-6.6 => commonconfig-6.12} | 0 .../sys-kernel/coreos-sources/Manifest | 4 +-- ...9.ebuild => coreos-sources-6.12.20.ebuild} | 1 + ...elative-path-for-srctree-from-CURDIR.patch | 0 .../z0002-revert-pahole-flags.patch | 0 ...6-boot-Remove-the-bugger-off-message.patch | 0 ...ECURE_BOOT-flag-to-indicate-secure-b.patch | 0 ...e-kernel-if-booted-in-secure-boot-mo.patch | 0 ...Disable-when-the-kernel-is-locked-do.patch | 0 ...-config-option-to-lock-down-when-in-.patch | 0 ...s-hv-fix-cross-compilation-for-ARM64.patch | 35 +++++++++++++++++++ 16 files changed, 38 insertions(+), 2 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.6.89.ebuild => hv-daemons-6.12.20.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.6.89.ebuild => coreos-kernel-6.12.20.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.6.89.ebuild => coreos-modules-6.12.20.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/{amd64_defconfig-6.6 => amd64_defconfig-6.12} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/{arm64_defconfig-6.6 => arm64_defconfig-6.12} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/{commonconfig-6.6 => commonconfig-6.12} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.6.89.ebuild => coreos-sources-6.12.20.ebuild} (95%) rename 
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{6.6 => 6.12}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{6.6 => 6.12}/z0002-revert-pahole-flags.patch (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{6.6 => 6.12}/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{6.6 => 6.12}/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{6.6 => 6.12}/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{6.6 => 6.12}/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{6.6 => 6.12}/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch (100%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.89.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.20.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.89.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.12.20.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.89.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.20.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.89.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.20.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.89.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.20.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.89.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.12.20.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.12 similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6 rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.12 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.12 similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.6 rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.12 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 739af2840e..58fd07c1be 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1,2 @@
-DIST linux-6.6.tar.xz 140064536 BLAKE2B 5f02fd8696d42f7ec8c5fbadec8e7270bdcfcb1f9844a6c4db3e1fd461c93ce1ccda650ca72dceb4890ebcbbf768ba8fba0bce91efc49fbd2c307b04e95665f2 SHA512 458b2c34d46206f9b4ccbac54cc57aeca1eaecaf831bc441e59701bac6eadffc17f6ce24af6eadd0454964e843186539ac0d63295ad2cc32d112b60360c39a35
-DIST patch-6.6.89.xz 4243548 BLAKE2B a4cf3341e453548a9369ed19fbe07deca183bd5786790161e68bb28340925b351d9046bd8db6fe85836ddff5b82facc85c4fc4fab0e73d2e5837c35672b982f7 SHA512 0642eb456df63bd4f3ab501ca93792e80e6807eef5e8b4dae8bd8a75c3e58397104828c8320994244ab03a62b7f46fa3c476ca8ac42ed7d8f6c8290b5ec6c560
+DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
+DIST patch-6.12.20.xz 1432116 BLAKE2B cc42fce6584baa82dcf513e62433a61b8d90562648f64d7795e58ec3de0c5449b3685e05a0cb0f9c46b08faa7edf6d6b7edd3520fbc1fabbbb5b8fba2d528299 SHA512 a1568d4233d900f95fa4394147acdc37498582b050fd6a111506f680636b50b6725bf99d76f4f3613d5af5e50d3e46929d718dae3a59f2174ff53477bef83825
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.89.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild
similarity index 95%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.89.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild
index 68ef261b9d..279da7a93d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.89.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild
@@ -42,4 +42,5 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \ ${PATCH_DIR}/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch \ ${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch \ + ${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0002-revert-pahole-flags.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-revert-pahole-flags.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0002-revert-pahole-flags.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-revert-pahole-flags.patch 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.6/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch new file mode 100644 index 0000000000..b06e656475 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch 
@@ -0,0 +1,35 @@ +From 0890eb69da82aec12518a5c2998afea467a0e9d7 Mon Sep 17 00:00:00 2001 +From: Adrian Vladu +Date: Thu, 19 Sep 2024 07:59:59 +0000 +Subject: [PATCH] tools: hv: fix cross-compilation for ARM64 + +--- + tools/hv/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/hv/Makefile b/tools/hv/Makefile +index 2e60e2c212cd..d72554cedbf6 100644 +--- a/tools/hv/Makefile ++++ b/tools/hv/Makefile +@@ -2,7 +2,9 @@ + # Makefile for Hyper-V tools + include ../scripts/Makefile.include + ++ifeq ($(ARCH),) + ARCH := $(shell uname -m 2>/dev/null) ++endif + sbindir ?= /usr/sbin + libexecdir ?= /usr/libexec + sharedstatedir ?= /var/lib +@@ -20,7 +22,7 @@ override CFLAGS += -O2 -Wall -g -D_GNU_SOURCE -I$(OUTPUT)include + override CFLAGS += -Wno-address-of-packed-member + + ALL_TARGETS := hv_kvp_daemon hv_vss_daemon +-ifneq ($(ARCH), aarch64) ++ifeq ($(filter $(ARCH),aarch64 arm64),) + ALL_TARGETS += hv_fcopy_uio_daemon + endif + ALL_PROGRAMS := $(patsubst %,$(OUTPUT)%,$(ALL_TARGETS)) +-- +2.34.1 + From 38cd59cab3adab672169edcd18b33db388a84ff5 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Wed, 18 Sep 2024 10:12:40 +0000 Subject: [PATCH 2/9] kernel: use new patches for secure boot 
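Review bot: The new patch file has an empty body between `Subject:` and `---` and no Signed-off-by, so nothing records why `hv_fcopy_uio_daemon` has to be skipped on arm64 or that the actual fix is the `ifeq ($(ARCH),)` guard, which stops the Makefile from clobbering an `ARCH=arm64` exported by kbuild with the host's `uname -m`. I would add a description along the lines of `When cross-compiling, kbuild exports ARCH=arm64 while uname -m reports aarch64 (or the host architecture); honour a pre-set ARCH and accept both spellings so hv_fcopy_uio_daemon is excluded on arm64 in native and cross builds alike.` followed by a `Signed-off-by:` trailer. An exported ARCH carries kernel architecture names (for example `x86` rather than `x86_64`), which is harmless here because the only comparison left is the aarch64/arm64 filter, but that assumption is worth stating so the next person does not reintroduce a `uname -m`-style comparison. Whether this was sent to linux-hyperv upstream is not visible here; noting the submission status in the header would help the next kernel bump decide whether the patch can be dropped.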
Source: https://sources.debian.org/data/main/l/linux/6.12~rc6-1~exp1/debian/patches/features/all/lockdown/ --- .../coreos-sources-6.12.20.ebuild | 9 ++-- ...cure_boot-flag-to-indicate-secure-b.patch} | 33 ++++-------- ...-kernel-if-booted-in-secure-boot-mo.patch} | 54 +++++++------------ ...le-slram-and-phram-when-locked-down.patch} | 13 ++--- ...nel-config-option-to-lock-down-when.patch} | 45 ++++++---------- 5 files changed, 54 insertions(+), 100 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/{z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch => z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch} (79%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/{z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch => z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch} (64%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/{z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch => z0006-mtd-disable-slram-and-phram-when-locked-down.patch} (81%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/{z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch => z0007-arm64-add-kernel-config-option-to-lock-down-when.patch} (73%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild index 279da7a93d..536282e371 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild
@@ -38,9 +38,8 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch \ ${PATCH_DIR}/z0002-revert-pahole-flags.patch \ ${PATCH_DIR}/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch \ - ${PATCH_DIR}/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch \ - ${PATCH_DIR}/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \ - ${PATCH_DIR}/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch \ - ${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch \ - ${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch \ + ${PATCH_DIR}/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch \ + ${PATCH_DIR}/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \ + ${PATCH_DIR}/z0006-mtd-disable-slram-and-phram-when-locked-down.patch \ + ${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch index 8876e43904..822beab21c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch 
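Review bot: The rewritten UNIPATCH_LIST drops `${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch` without a replacement, while the patch file itself is not deleted in this commit (the diffstat lists only this ebuild and the four renamed lockdown patches). Unless a later patch in the series restores the line, the arm64 cross-compilation fix introduced in 1/9 silently stops being applied and the file becomes dead weight in files/6.12. If the drop is intentional, say so in the commit message and delete the file in the same commit; otherwise keep `${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch \` at the end of the list.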
@@ -1,8 +1,7 @@ -From 1e2ffbec195c89d887bc088691ebb19c9173ecad Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 18 Feb 2019 12:45:03 +0000 -Subject: [PATCH 1/4] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot - mode +Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28 UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT flag that can be passed to efi_enabled() to find out whether secure boot is @@ -26,15 +25,13 @@ cc: linux-efi@vger.kernel.org arch/x86/kernel/setup.c | 14 +---------- drivers/firmware/efi/Makefile | 1 + drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++ - include/linux/efi.h | 17 ++++++++------ - 4 files changed, 51 insertions(+), 20 deletions(-) + include/linux/efi.h | 16 ++++++++----- + 4 files changed, 51 insertions(+), 19 deletions(-) create mode 100644 drivers/firmware/efi/secureboot.c -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index eb129277dcdd..7c4a6697e39d 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1190,19 +1190,7 @@ void __init setup_arch(char **cmdline_p) +@@ -1193,19 +1193,7 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); @@ -55,11 +52,9 @@ index eb129277dcdd..7c4a6697e39d 100644 reserve_initrd(); -diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile -index e489fefd23da..f2dfae764fb5 100644 --- a/drivers/firmware/efi/Makefile +++ b/drivers/firmware/efi/Makefile -@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB) += libstub +@@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o obj-$(CONFIG_EFI_TEST) += test/ obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o 
@@ -67,9 +62,6 @@ index e489fefd23da..f2dfae764fb5 100644 obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o -diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c -new file mode 100644 -index 000000000000..b6620669e32b --- /dev/null +++ b/drivers/firmware/efi/secureboot.c @@ -0,0 +1,39 @@ @@ -112,11 +104,9 @@ index 000000000000..b6620669e32b + } + } +} -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 80b21d1c6eaf..d267ddba8369 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */ #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */ @@ -131,7 +121,7 @@ index 80b21d1c6eaf..d267ddba8369 100644 #ifdef CONFIG_EFI /* -@@ -895,6 +903,7 @@ static inline bool efi_rt_services_supported(unsigned int mask) +@@ -895,6 +903,7 @@ static inline bool efi_rt_services_suppo return (efi.runtime_supported_mask & mask) == mask; } extern void efi_find_mirror(void); @@ -139,7 +129,7 @@ index 80b21d1c6eaf..d267ddba8369 100644 #else static inline bool efi_enabled(int feature) { -@@ -914,6 +923,7 @@ static inline bool efi_rt_services_supported(unsigned int mask) +@@ -914,6 +923,7 @@ static inline bool efi_rt_services_suppo } static inline void efi_find_mirror(void) {} 
@@ -147,7 +137,7 @@ index 80b21d1c6eaf..d267ddba8369 100644 #endif extern int efi_status_to_err(efi_status_t status); -@@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled(void) { return true; } +@@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled( extern void efi_call_virt_check_flags(unsigned long flags, const void *caller); extern unsigned long efi_call_virt_save_flags(void); @@ -161,6 +151,3 @@ index 80b21d1c6eaf..d267ddba8369 100644 static inline enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var) { --- -2.39.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch similarity index 64% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index 36df399411..6fff3f8967 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -1,7 +1,6 @@ -From fa96a2ef86466da0a43756ee39ce3b1cb555a55a Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 10 Sep 2019 11:54:28 +0100 -Subject: [PATCH 2/4] efi: Lock down the kernel if booted in secure boot mode +Subject: efi: Lock down the kernel if booted in secure boot mode Based on an earlier patch by David Howells, who wrote the following description: 
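Review bot: The replacement patch carries Debian's series position in its Subject (`Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode`), which means nothing in this tree and will change every time Debian reorders its series; the z0005–z0007 headers in this same commit already use a bare `Subject: <title>`, so I would normalise this one to `Subject: efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode`. z0004–z0007 are now quilt-style (no `From <sha>`/`index` lines, `Origin:`/`Forwarded:` headers) while z0001–z0003 and z0008 remain git format-patch output; that is workable, but each quilt-style file should record the Debian revision it was copied from (the commit message names linux 6.12~rc6-1~exp1) so the next refresh can be diffed against its source rather than re-derived. The include/linux/efi.h diffstat goes from 17 to 16 changed lines and the body of that hunk is only partly visible here, so functional equivalence with the previous version of the patch should be confirmed by diffing the two rather than assumed from the rename.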
@@ -18,18 +17,16 @@ help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)] Signed-off-by: Salvatore Bonaccorso --- - arch/x86/kernel/setup.c | 4 ++-- - drivers/firmware/efi/secureboot.c | 5 +++++ - include/linux/security.h | 6 ++++++ - security/lockdown/Kconfig | 15 +++++++++++++++ - security/lockdown/lockdown.c | 2 +- - 5 files changed, 29 insertions(+), 3 deletions(-) + arch/x86/kernel/setup.c | 4 ++-- + drivers/firmware/efi/secureboot.c | 3 +++ + include/linux/security.h | 6 ++++++ + security/lockdown/Kconfig | 15 +++++++++++++++ + security/lockdown/lockdown.c | 2 +- + 5 files changed, 27 insertions(+), 3 deletions(-) -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 7c4a6697e39d..04e73973098e 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1028,6 +1028,8 @@ void __init setup_arch(char **cmdline_p) +@@ -904,6 +904,8 @@ void __init setup_arch(char **cmdline_p) if (efi_enabled(EFI_BOOT)) efi_init(); @@ -38,7 +35,7 @@ index 7c4a6697e39d..04e73973098e 100644 reserve_ibft_region(); x86_init.resources.dmi_setup(); -@@ -1190,8 +1192,6 @@ void __init setup_arch(char **cmdline_p) +@@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); @@ -47,8 +44,6 @@ index 7c4a6697e39d..04e73973098e 100644 reserve_initrd(); acpi_table_upgrade(); -diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c -index b6620669e32b..8f2554291fb1 100644 --- a/drivers/firmware/efi/secureboot.c +++ b/drivers/firmware/efi/secureboot.c @@ -15,6 +15,7 @@ 
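Review bot: The refreshed arch/x86/kernel/setup.c offsets in this patch (`@@ -904,6 +904,8 @@` at the `efi_init()` call and `@@ -1070,8 +1072,6 @@` at `setup_log_buf(1)`) do not agree with the z0004 patch that precedes it in UNIPATCH_LIST, whose new header places the same `setup_log_buf(1)` context at `@@ -1193,19 +1193,7 @@`, so the two Debian files were evidently refreshed against different trees. patch(1) will locate the context with an offset and the build will most likely succeed, but for a patch that decides whether the kernel enters lockdown under Secure Boot I would refresh z0004–z0007 against the 6.12.20 tree this ebuild applies them to, so that a genuinely misplaced or fuzzed hunk cannot hide behind a tolerated offset. The drivers/firmware/efi/secureboot.c diffstat also shrinks from 5 to 3 added lines and those lines fall outside the visible hunk; worth diffing against the previous z0005 to confirm the `lock_kernel_down(...)` call is still made in the `efi_secureboot_mode_enabled` case.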
@@ -59,7 +54,7 @@ index b6620669e32b..8f2554291fb1 100644 /* * Decide what to do when UEFI secure boot mode is enabled. -@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode) +@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi break; case efi_secureboot_mode_enabled: set_bit(EFI_SECURE_BOOT, &efi.flags); @@ -70,19 +65,17 @@ index b6620669e32b..8f2554291fb1 100644 pr_info("Secure boot enabled\n"); break; default: -diff --git a/include/linux/security.h b/include/linux/security.h -index 4bd0f6fc553e..08258ecbb5f9 100644 --- a/include/linux/security.h +++ b/include/linux/security.h -@@ -486,6 +486,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); +@@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what); +int lock_kernel_down(const char *where, enum lockdown_reason level); - #else /* CONFIG_SECURITY */ - - static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) -@@ -1404,6 +1405,11 @@ static inline int security_locked_down(enum lockdown_reason what) + int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len, + void *val, size_t val_len, u64 id, u64 flags); + int security_bdev_alloc(struct block_device *bdev); +@@ -1504,6 +1505,11 @@ static inline int security_locked_down(e { return 0; } @@ -91,14 +84,12 @@ index 4bd0f6fc553e..08258ecbb5f9 100644 +{ + return -EOPNOTSUPP; +} - #endif /* CONFIG_SECURITY */ - - #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) -diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig -index e84ddf484010..4175b50b1e6e 100644 + static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, + u32 *uctx_len, void *val, size_t val_len, + u64 id, u64 flags) --- a/security/lockdown/Kconfig 
+++ b/security/lockdown/Kconfig -@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY +@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI disabled. endchoice @@ -117,11 +108,9 @@ index e84ddf484010..4175b50b1e6e 100644 + + Enabling this option results in kernel lockdown being + triggered in integrity mode if EFI Secure Boot is set. -diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c -index 68d19632aeb7..67cc9839952f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c -@@ -23,7 +23,7 @@ static const enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE, +@@ -24,7 +24,7 @@ static const enum lockdown_reason lockdo /* * Put the kernel into lock-down mode. */ @@ -130,6 +119,3 @@ index 68d19632aeb7..67cc9839952f 100644 { if (kernel_locked_down >= level) return -EPERM; --- -2.39.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-disable-slram-and-phram-when-locked-down.patch similarity index 81% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-disable-slram-and-phram-when-locked-down.patch index 7346036e80..c718e7e2f0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-disable-slram-and-phram-when-locked-down.patch @@ -1,7 +1,7 @@ -From bb8912cf807feab56cf8e924d33229d800ae71a6 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Fri, 30 Aug 2019 15:54:24 +0100 -Subject: [PATCH 3/4] mtd: phram,slram: Disable when the kernel is locked down +Subject: mtd: phram,slram: Disable when the kernel is locked down +Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/ These drivers allow mapping arbitrary memory ranges as MTD devices. This should be disabled to preserve the kernel's integrity when it is @@ -21,11 +21,9 @@ Cc: linux-mtd@lists.infradead.org drivers/mtd/devices/slram.c | 9 ++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) -diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c -index 208bd4d871f4..30f84a91692d 100644 --- a/drivers/mtd/devices/phram.c +++ b/drivers/mtd/devices/phram.c -@@ -364,7 +364,11 @@ static int phram_param_call(const char *val, const struct kernel_param *kp) +@@ -364,7 +364,11 @@ static int phram_param_call(const char * #endif } @@ -38,8 +36,6 @@ index 208bd4d871f4..30f84a91692d 100644 MODULE_PARM_DESC(phram, "Memory region to map. \"phram=,,[,]\""); #ifdef CONFIG_OF -diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c -index 28131a127d06..d92a2461e2ce 100644 --- a/drivers/mtd/devices/slram.c +++ b/drivers/mtd/devices/slram.c @@ -43,6 +43,7 @@ @@ -77,6 +73,3 @@ index 28131a127d06..d92a2461e2ce 100644 while (map) { devname = devstart = devlength = NULL; --- -2.39.2 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch similarity index 73% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch index 7661674404..61b7040971 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch @@ -1,8 +1,8 @@ -From 8598238a38a333fed5ec0c8287f99813578370ab Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Tue, 30 Aug 2016 11:54:38 -0600 -Subject: [PATCH 4/4] arm64: add kernel config option to lock down when in - Secure Boot mode +Subject: arm64: add kernel config option to lock down when in Secure Boot mode +Bug-Debian: https://bugs.debian.org/831827 +Forwarded: no Add a kernel configuration option to lock down the kernel, to restrict userspace's ability to modify the running kernel when UEFI Secure Boot is @@ -32,17 +32,15 @@ 
Signed-off-by: Linn Crosetto [Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c] --- - drivers/firmware/efi/efi-init.c | 5 ++++- - drivers/firmware/efi/fdtparams.c | 12 +++++++++++- - drivers/firmware/efi/libstub/fdt.c | 6 ++++++ - include/linux/efi.h | 3 ++- + drivers/firmware/efi/efi-init.c | 5 ++++- + drivers/firmware/efi/fdtparams.c | 12 +++++++++++- + drivers/firmware/efi/libstub/fdt.c | 6 ++++++ + include/linux/efi.h | 3 ++- 4 files changed, 23 insertions(+), 3 deletions(-) -diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c -index 59b0d7197b68..e63f8a82d9f4 100644 --- a/drivers/firmware/efi/efi-init.c +++ b/drivers/firmware/efi/efi-init.c -@@ -204,9 +204,10 @@ void __init efi_init(void) +@@ -213,9 +213,10 @@ void __init efi_init(void) { struct efi_memory_map_data data; u64 efi_system_table; @@ -54,7 +52,7 @@ index 59b0d7197b68..e63f8a82d9f4 100644 if (!efi_system_table) return; -@@ -228,6 +229,8 @@ void __init efi_init(void) +@@ -237,6 +238,8 @@ void __init efi_init(void) return; } @@ -63,8 +61,6 @@ index 59b0d7197b68..e63f8a82d9f4 100644 reserve_regions(); /* * For memblock manipulation, the cap should come after the memblock_add(). -diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c -index 0ec83ba58097..81a0ac408cf5 100644 --- a/drivers/firmware/efi/fdtparams.c +++ b/drivers/firmware/efi/fdtparams.c @@ -16,6 +16,7 @@ enum { @@ -75,7 +71,7 @@ index 0ec83ba58097..81a0ac408cf5 100644 PARAMCOUNT }; -@@ -26,6 +27,7 @@ static __initconst const char name[][22] = { +@@ -26,6 +27,7 @@ static __initconst const char name[][22] [MMSIZE] = "MemMap Size ", [DCSIZE] = "MemMap Desc. Size ", [DCVERS] = "MemMap Desc. Version ", 
@@ -99,7 +95,7 @@ index 0ec83ba58097..81a0ac408cf5 100644 } } }; -@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname, +@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const int len; u64 val; @@ -111,7 +107,7 @@ index 0ec83ba58097..81a0ac408cf5 100644 prop = fdt_getprop(fdt, node, pname, &len); if (!prop) return 1; -@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname, +@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const return 0; } @@ -120,7 +116,7 @@ index 0ec83ba58097..81a0ac408cf5 100644 { const void *fdt = initial_boot_params; unsigned long systab; -@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm) +@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi [MMSIZE] = { &mm->size, sizeof(mm->size) }, [DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) }, [DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) }, @@ -128,11 +124,9 @@ index 0ec83ba58097..81a0ac408cf5 100644 }; BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name)); -diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c -index 6a337f1f8787..6c679da644dd 100644 --- a/drivers/firmware/efi/libstub/fdt.c +++ b/drivers/firmware/efi/libstub/fdt.c -@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size, +@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *ori } } @@ -145,20 +139,15 @@ index 6a337f1f8787..6c679da644dd 100644 /* Shrink the FDT back to its minimum size: */ fdt_pack(fdt); -diff --git a/include/linux/efi.h b/include/linux/efi.h -index d267ddba8369..fbce526768d3 100644 --- a/include/linux/efi.h 
+++ b/include/linux/efi.h -@@ -756,7 +756,8 @@ extern void efi_mem_reserve(phys_addr_t addr, u64 size); +@@ -764,7 +764,8 @@ extern int efi_mem_desc_lookup(u64 phys_ + extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md); + extern void efi_mem_reserve(phys_addr_t addr, u64 size); extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size); - extern void efi_initialize_iomem_resources(struct resource *code_resource, - struct resource *data_resource, struct resource *bss_resource); -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data); +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data, + u32 *secure_boot); extern struct kobject *efi_kobj; extern int efi_reboot_quirk_mode; --- -2.39.2 - From 1fa0474efab22acae3520302f9d98fd0cbc1297c Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Tue, 10 Sep 2024 07:42:06 +0000 Subject: [PATCH 3/9] linux: pahole flags moved to scripts/Makefile.btf pahole: added a revamped patch to remove the parallel implementation kernel: use pahole 1.27 feature of reproducible builds --- .../coreos-sources-6.12.20.ebuild | 2 +- ...2-pahole-support-reproducible-builds.patch | 26 +++++++++ .../6.12/z0002-revert-pahole-flags.patch | 53 ------------------- 3 files changed, 27 insertions(+), 54 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-pahole-support-reproducible-builds.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-revert-pahole-flags.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild index 536282e371..a5813f4c46 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild
@@ -36,7 +36,7 @@ IUSE=""
 # local patches overlap with the upstream patch.
 UNIPATCH_LIST="
 ${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch \
- ${PATCH_DIR}/z0002-revert-pahole-flags.patch \
+ ${PATCH_DIR}/z0002-pahole-support-reproducible-builds.patch \
 ${PATCH_DIR}/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch \
 ${PATCH_DIR}/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch \
 ${PATCH_DIR}/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-pahole-support-reproducible-builds.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-pahole-support-reproducible-builds.patch
new file mode 100644
index 0000000000..dbce2286a3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-pahole-support-reproducible-builds.patch
@@ -0,0 +1,26 @@ +From 9faff3734e6456e7927c0914829a4764ec9f1b44 Mon Sep 17 00:00:00 2001 +From: Adrian Vladu +Date: Tue, 17 Sep 2024 13:44:14 +0000 +Subject: [PATCH] pahole: support reproducible builds + +--- + scripts/Makefile.btf | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/Makefile.btf b/scripts/Makefile.btf +index 2d6e5ed9081e..b2f88b0fcf37 100644 +--- a/scripts/Makefile.btf ++++ b/scripts/Makefile.btf +@@ -23,6 +23,9 @@ else + # Switch to using --btf_features for v1.26 and later. + pahole-flags-$(call test-ge, $(pahole-ver), 126) = -j --btf_features=encode_force,var,float,enum64,decl_tag,type_tag,optimized_func,consistent_func + ++# Support reproducible builds. ++pahole-flags-$(call test-ge, $(pahole-ver), 127) = -j --btf_features=encode_force,var,float,enum64,decl_tag,type_tag,optimized_func,consistent_func,reproducible_build ++ + endif + + pahole-flags-$(CONFIG_PAHOLE_HAS_LANG_EXCLUDE) += --lang_exclude=rust +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-revert-pahole-flags.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-revert-pahole-flags.patch deleted file mode 100644 index f6648c3401..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0002-revert-pahole-flags.patch +++ /dev/null 
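Review bot: The added `pahole-flags-$(call test-ge, $(pahole-ver), 127)` line keeps `-j` and only reaches `reproducible_build` when pahole is 1.27 or newer, while the upstream `test-ge ... 126` line it sits under still passes `-j` with no determinism feature; the deleted z0002-revert-pahole-flags.patch stripped `-j` for every version, so if the SDK's pahole is older than 1.27 (its version is pinned outside this diff) the BTF encode is now parallel and potentially non-reproducible where it previously was not. Either the pahole dependency should require >= 1.27 or the patch description should state that requirement. The line also uses `=` rather than `+=`, so for pahole >= 1.27 both lines expand to `pahole-flags-y` and this one silently replaces the 1.26 list; that is only correct while it stays a superset, which a comment such as `# Overrides the >= 1.26 list above; keep the two feature lists in sync.` would make explicit.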
@@ -1,53 +0,0 @@ -diff --git a/init/Kconfig b/init/Kconfig -index e173364abd6c..cdc35682e03b 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1899,7 +1899,7 @@ config RUST - depends on !GCC_PLUGINS - depends on !RANDSTRUCT - depends on !SHADOW_CALL_STACK -- depends on !DEBUG_INFO_BTF || (PAHOLE_HAS_LANG_EXCLUDE && !LTO) -+ depends on !DEBUG_INFO_BTF - help - Enables Rust support in the kernel. - -diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug -index da5513cfc125..f2b3aab6d4a1 100644 ---- a/lib/Kconfig.debug -+++ b/lib/Kconfig.debug -@@ -394,15 +394,6 @@ config PAHOLE_HAS_BTF_TAG - btf_decl_tag) or not. Currently only clang compiler implements - these attributes, so make the config depend on CC_IS_CLANG. - --config PAHOLE_HAS_LANG_EXCLUDE -- def_bool PAHOLE_VERSION >= 124 -- help -- Support for the --lang_exclude flag which makes pahole exclude -- compilation units from the supplied language. Used in Kbuild to -- omit Rust CUs which are not supported in version 1.24 of pahole, -- otherwise it would emit malformed kernel and module binaries when -- using DEBUG_INFO_BTF_MODULES. -- - config DEBUG_INFO_BTF_MODULES - bool "Generate BTF type information for kernel modules" - default y -diff --git a/scripts/pahole-flags.sh b/scripts/pahole-flags.sh -index 728d55190d97..c293941612e7 100755 ---- a/scripts/pahole-flags.sh -+++ b/scripts/pahole-flags.sh -@@ -16,15 +16,5 @@ fi - if [ "${pahole_ver}" -ge "121" ]; then - extra_paholeopt="${extra_paholeopt} --btf_gen_floats" - fi --if [ "${pahole_ver}" -ge "122" ]; then -- extra_paholeopt="${extra_paholeopt} -j" --fi --if [ "${pahole_ver}" -ge "124" ]; then -- # see PAHOLE_HAS_LANG_EXCLUDE -- extra_paholeopt="${extra_paholeopt} --lang_exclude=rust" --fi --if [ "${pahole_ver}" -ge "125" ]; then -- extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_inconsistent_proto --btf_gen_optimized" --fi - - echo ${extra_paholeopt} From da743a4b46e9367954620bab9c7b0ce8b32183f2 Mon Sep 17 00:00:00 2001 
From: Jeremi Piotrowski Date: Tue, 25 Mar 2025 12:31:43 +0100 Subject: [PATCH 4/9] coreos-modules: Disable DRM_FBDEV_EMULATION The out-of-tree nvidia driver requires symbols that are behind DRM_TTM_HELPER if DRM_FBDEV_EMULATION is enabled, but DRM_TTM_HELPER can't be selected unless we build more drm drivers (which is undesirable). To get out of this, disable DRM_FBDEV_EMULATION. Signed-off-by: Jeremi Piotrowski --- .../sys-kernel/coreos-modules/files/commonconfig-6.12 | 1 + 1 file changed, 1 insertion(+) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 index f16f1fdd31..31adf3c73f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 @@ -171,6 +171,7 @@ CONFIG_DNS_RESOLVER=y CONFIG_DRM=m CONFIG_DRM_VIRTIO_GPU=m CONFIG_DST_CACHE=y +# CONFIG_DRM_FBDEV_EMULATION is not set CONFIG_DUMMY=m CONFIG_DYNAMIC_DEBUG=y CONFIG_E100=m From e9dcdfb12baf279cdf539a9b43b10f8d37538be4 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Tue, 17 Sep 2024 13:19:22 +0000 Subject: [PATCH 5/9] app-emulation/hv_daemons: update the hv_fcopy to hv_fcopy_uio, add hv_fcopy_uio_daemon See: https://github.com/torvalds/linux/commit/82b0945ce2c2d636d5e893ad50210875c929f257 Also fix hv tools build for arm64. --- .../files/hv_fcopy_uio_daemon.service | 9 ++++++++ .../hv-daemons/hv-daemons-9999.ebuild | 23 +++++++++---------- .../coreos-sources-6.12.20.ebuild | 1 + 3 files changed, 21 insertions(+), 12 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/files/hv_fcopy_uio_daemon.service 
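Review bot: The new `# CONFIG_DRM_FBDEV_EMULATION is not set` line is inserted after `CONFIG_DST_CACHE=y`, which breaks the alphabetical order the surrounding lines follow (CONFIG_DRM, CONFIG_DRM_VIRTIO_GPU, CONFIG_DST_CACHE, CONFIG_DUMMY); placing it between `CONFIG_DRM=m` and `CONFIG_DRM_VIRTIO_GPU=m` keeps the file sorted and future config diffs readable. Since this is a negative setting, it only holds if no other enabled symbol selects DRM_FBDEV_EMULATION during olddefconfig, which cannot be verified from this hunk; worth confirming the generated .config still has it unset.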
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/files/hv_fcopy_uio_daemon.service b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/files/hv_fcopy_uio_daemon.service
new file mode 100644
index 0000000000..f12c7ea1bd
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/files/hv_fcopy_uio_daemon.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Hyper-V FCOPY UIO daemon
+ConditionPathExists=/sys/bus/vmbus/devices/eb765408-105f-49b6-b4aa-c123b64d17d4/uio
+
+[Service]
+ExecStart=/usr/bin/hv_fcopy_uio_daemon --no-daemon
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild
index 9b6b44dba9..30efe5edc9 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-9999.ebuild
@@ -13,20 +13,19 @@ if [[ "${PV}" == 9999 ]]; then
 fi
 
 src_compile() {
- # Build hv_vss_daemon, hv_kvp_daemon, hv_fcopy_daemon
+ # Build hv_vss_daemon, hv_kvp_daemon, hv_fcopy_daemon
 kmake tools/hv
 }
 
 src_install() {
- dobin "${S}/build/tools/hv/hv_fcopy_daemon"
- dobin "${S}/build/tools/hv/hv_kvp_daemon"
- dobin "${S}/build/tools/hv/hv_vss_daemon"
-
- systemd_dounit "${FILESDIR}/hv_fcopy_daemon.service"
- systemd_dounit "${FILESDIR}/hv_kvp_daemon.service"
- systemd_dounit "${FILESDIR}/hv_vss_daemon.service"
-
- systemd_enable_service "multi-user.target" "hv_fcopy_daemon.service"
- systemd_enable_service "multi-user.target" "hv_kvp_daemon.service"
- systemd_enable_service "multi-user.target" "hv_vss_daemon.service"
+ local -a HV_DAEMONS=(hv_vss_daemon hv_kvp_daemon hv_fcopy_daemon hv_fcopy_uio_daemon)
+ local HV_DAEMON
+ for HV_DAEMON in "$HV_DAEMONS[@]"
+ do
+ if [ -f "${S}/build/tools/hv/${HV_DAEMON}" ]; then
+ dobin "${S}/build/tools/hv/${HV_DAEMON}"
+ systemd_dounit "${FILESDIR}/${HV_DAEMON}.service"
+ systemd_enable_service "multi-user.target" "${HV_DAEMON}.service"
+ fi
+ done
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild
index a5813f4c46..5e33b6ee4d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild
@@ -42,4 +42,5 @@ UNIPATCH_LIST="
 ${PATCH_DIR}/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
 ${PATCH_DIR}/z0006-mtd-disable-slram-and-phram-when-locked-down.patch \
 ${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch \
+ ${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch \
 "
From 4da91059482ecb625f4c39248d8f63042d0ea2f0 Mon Sep 17 00:00:00 2001
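Review bot: `for HV_DAEMON in "$HV_DAEMONS[@]"` in the new src_install is missing the braces, so bash expands `$HV_DAEMONS` to its first element and appends the literal text `[@]`; the loop runs exactly once with `hv_vss_daemon[@]`, the `-f` test fails, and none of the four daemons or their units get installed. It should read `for HV_DAEMON in "${HV_DAEMONS[@]}"`. The `-f` guard also turns a daemon that failed to build into a silently missing binary; if tools/hv is expected to produce all four, an `else die "${HV_DAEMON} was not built"` branch (or at least an `ewarn`) would surface that instead of shipping an image without the daemon. The src_compile comment was touched only for whitespace and still lists three daemons; it should name hv_fcopy_uio_daemon as well.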
From: Adrian Vladu
Date: Fri, 11 Apr 2025 11:47:38 +0000
Subject: [PATCH 6/9] linux: config: add and remove required build configs
Remove CONFIG_AMD_IOMMU_V2, CONFIG_FB_ARMCLCD, CONFIG_MD_LINEAR, CONFIG_NET_ACT_IPT. Add CONFIG_MODULE_COMPRESS.
See: https://github.com/torvalds/linux/commit/5a0b11a180a9b82b4437a4be1cf73530053f139b
linux: remove CONFIG_MD_LINEAR
See: https://github.com/torvalds/linux/commit/849d18e27be9a1253f2318cb4549cc857219d991
linux: remove CONFIG_NET_ACT_IPT
See: https://github.com/torvalds/linux/commit/86fe596b588fc9ec23bf93a5c8f86fc16225dd3a
linux: add required CONFIG_MODULE_COMPRESS=y
See: https://github.com/torvalds/linux/commit/c7ff693fa2094ba0a9d0a20feb4ab1658eff9c33
linux: remove CONFIG_FB_ARMCLCD
See: https://github.com/torvalds/linux/commit/dee56ccb468a832074397fdbf22bbd9bf6d710aa
---
 .../sys-kernel/coreos-modules/files/amd64_defconfig-6.12 | 1 -
 .../sys-kernel/coreos-modules/files/arm64_defconfig-6.12 | 1 -
 .../sys-kernel/coreos-modules/files/commonconfig-6.12 | 3 +--
 3 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.12
index af07e1a4fe..c1f0251631 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.12
@@ -12,7 +12,6 @@ CONFIG_ACPI_IPMI=m
 CONFIG_ACPI_PCI_SLOT=y
 CONFIG_ACPI_PROCESSOR_AGGREGATOR=y
 CONFIG_AMD_IOMMU=y
-CONFIG_AMD_IOMMU_V2=m
 CONFIG_AQTION=m
 CONFIG_ARCH_MEMORY_PROBE=y
 CONFIG_AUTOFS_FS=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.12
index 0ca2fb3897..e83ace56d3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-6.12
@@ -32,7 +32,6 @@ CONFIG_CRYPTO_SHA1_ARM64_CE=y
 CONFIG_CRYPTO_SHA2_ARM64_CE=y
 # CONFIG_DEBUG_PREEMPT is not set
 CONFIG_DM_DEBUG=y
-CONFIG_FB_ARMCLCD=y
 CONFIG_GPIO_PL061=y
 CONFIG_GPIO_XGENE=y
 CONFIG_GPIO_XGENE_SB=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
index 31adf3c73f..90ada1fa62 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
@@ -454,7 +454,6 @@ CONFIG_MAGIC_SYSRQ=y
 CONFIG_MARVELL_PHY=m
 CONFIG_MAX_RAW_DEVS=8192
 CONFIG_MD=y
-CONFIG_MD_LINEAR=m
 CONFIG_MD_RAID0=m
 CONFIG_MEGARAID_MAILBOX=m
 CONFIG_MEGARAID_MM=m
@@ -497,6 +496,7 @@ CONFIG_MMC_BLOCK_MINORS=16
 CONFIG_MMC_SDHCI=m
 CONFIG_MMC_SDHCI_PCI=m
 CONFIG_MODULES=y
+CONFIG_MODULE_COMPRESS=y
 CONFIG_MODULE_COMPRESS_XZ=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_KEY="${MODULE_SIGNING_KEY_DIR}/certs/modules.pem"
@@ -601,7 +601,6 @@ CONFIG_NET_ACT_CTINFO=m
 CONFIG_NET_ACT_GACT=m
 CONFIG_NET_ACT_GATE=m
 CONFIG_NET_ACT_IFE=m
-CONFIG_NET_ACT_IPT=m
 CONFIG_NET_ACT_MIRRED=m
 CONFIG_NET_ACT_MPLS=m
 CONFIG_NET_ACT_NAT=m
From 82015b771d889007577db7a639e26353dadd25b4 Mon Sep 17 00:00:00 2001
From: Adrian Vladu
Date: Fri, 25 Apr 2025 10:56:37 +0000
Subject: [PATCH 7/9] linux: add changelog for Linux kernel 6.12 upgrade
---
 changelog/updates/2025-04-25-kernel-6.12.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/updates/2025-04-25-kernel-6.12.md
diff --git a/changelog/updates/2025-04-25-kernel-6.12.md b/changelog/updates/2025-04-25-kernel-6.12.md
new file mode 100644
index 0000000000..a104c045d3
--- /dev/null
+++ b/changelog/updates/2025-04-25-kernel-6.12.md
@@ -0,0 +1 @@
+- Linux ([6.12](https://lore.kernel.org/all/CAHk-=wgtGkHshfvaAe_O2ntnFBH3EprNk1juieLmjcF2HBwBgQ@mail.gmail.com/) (includes [6.12](https://kernelnewbies.org/Linux_6.12)))
From 951883e793e837a1d57d22134124d4858948f83f Mon Sep 17 00:00:00 2001
From: Adrian Vladu
Date: Mon, 12 May 2025 10:26:57 +0000
Subject: [PATCH 8/9] linux: re-add CONFIG_MD_LINEAR=m
See: https://github.com/torvalds/linux/commit/127186cfb184eaccdfe948e6da66940cfa03efc5
---
 .../sys-kernel/coreos-modules/files/commonconfig-6.12 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
index 90ada1fa62..9274b4df7e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
@@ -454,6 +454,7 @@ CONFIG_MAGIC_SYSRQ=y
 CONFIG_MARVELL_PHY=m
 CONFIG_MAX_RAW_DEVS=8192
 CONFIG_MD=y
+CONFIG_MD_LINEAR=m
 CONFIG_MD_RAID0=m
 CONFIG_MEGARAID_MAILBOX=m
 CONFIG_MEGARAID_MM=m
From 87e5a37edf42276fd44247bc42e5eee44c91787a Mon Sep 17 00:00:00 2001
From: Adrian Vladu
Date: Tue, 13 May 2025 08:45:00 +0300
Subject: [PATCH 9/9] Update changelog/updates/2025-04-25-kernel-6.12.md
Co-authored-by: Sayan Chowdhury
---
 changelog/updates/2025-04-25-kernel-6.12.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog/updates/2025-04-25-kernel-6.12.md b/changelog/updates/2025-04-25-kernel-6.12.md
index a104c045d3..0f01c957d9 100644
--- a/changelog/updates/2025-04-25-kernel-6.12.md
+++ b/changelog/updates/2025-04-25-kernel-6.12.md
@@ -1 +1 @@
-- Linux ([6.12](https://lore.kernel.org/all/CAHk-=wgtGkHshfvaAe_O2ntnFBH3EprNk1juieLmjcF2HBwBgQ@mail.gmail.com/) (includes [6.12](https://kernelnewbies.org/Linux_6.12)))
+- Linux [6.12.20](https://lwn.net/Articles/1015185/) (includes [6.12.19](https://lwn.net/Articles/1014045/), [6.12.18](https://lwn.net/Articles/1013397/), [6.12.17](https://lwn.net/Articles/1012191/), [6.12.16](https://lwn.net/Articles/1011265/), [6.12.15](https://lwn.net/Articles/1010623/), [6.12.14](https://lwn.net/Articles/1010356/), [6.12.13](https://lwn.net/Articles/1008643/), [6.12.12](https://lwn.net/Articles/1007440/), [6.12.11](https://lwn.net/Articles/1006009/), [6.12.10](https://lwn.net/Articles/1005382/), [6.12.9](https://lwn.net/Articles/1004549/), [6.12.8](https://lwn.net/Articles/1003985/), [6.12.7](https://lwn.net/Articles/1003608/), [6.12.6](https://lwn.net/Articles/1002918/), [6.12.5](https://lwn.net/Articles/1002176/), [6.12.4](https://lwn.net/Articles/1001437/), [6.12.3](https://lwn.net/Articles/1001203/), [6.12.2](https://lwn.net/Articles/1000872/), [6.12.1](https://lwn.net/Articles/999108/), [6.12](https://lwn.net/Articles/998490/))