Merge pull request #2300 from flatcar/ader1990/linux_kernel_6_10

Upgrade Linux kernel from 6.6 to 6.12
Adrian Vladu 2025-05-13 08:48:10 +03:00 committed by GitHub
commit 482ab8790b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
20 changed files with 142 additions and 170 deletions


@ -0,0 +1 @@
- Linux [6.12.20](https://lwn.net/Articles/1015185/) (includes [6.12.19](https://lwn.net/Articles/1014045/), [6.12.18](https://lwn.net/Articles/1013397/), [6.12.17](https://lwn.net/Articles/1012191/), [6.12.16](https://lwn.net/Articles/1011265/), [6.12.15](https://lwn.net/Articles/1010623/), [6.12.14](https://lwn.net/Articles/1010356/), [6.12.13](https://lwn.net/Articles/1008643/), [6.12.12](https://lwn.net/Articles/1007440/), [6.12.11](https://lwn.net/Articles/1006009/), [6.12.10](https://lwn.net/Articles/1005382/), [6.12.9](https://lwn.net/Articles/1004549/), [6.12.8](https://lwn.net/Articles/1003985/), [6.12.7](https://lwn.net/Articles/1003608/), [6.12.6](https://lwn.net/Articles/1002918/), [6.12.5](https://lwn.net/Articles/1002176/), [6.12.4](https://lwn.net/Articles/1001437/), [6.12.3](https://lwn.net/Articles/1001203/), [6.12.2](https://lwn.net/Articles/1000872/), [6.12.1](https://lwn.net/Articles/999108/), [6.12](https://lwn.net/Articles/998490/))


@ -0,0 +1,9 @@
[Unit]
Description=Hyper-V FCOPY UIO daemon
ConditionPathExists=/sys/bus/vmbus/devices/eb765408-105f-49b6-b4aa-c123b64d17d4/uio
[Service]
ExecStart=/usr/bin/hv_fcopy_uio_daemon --no-daemon
[Install]
WantedBy=multi-user.target
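Review bot: The new unit sets no `User=` or sandboxing directives, so `hv_fcopy_uio_daemon` runs as root with systemd's defaults, and nothing in the file says what the hard-coded vmbus path in `ConditionPathExists=` refers to. A daemon that services file copies initiated from the hypervisor side is worth documenting and constraining: add a comment above the condition such as `# Start only when the Hyper-V file-copy vmbus device exposes a UIO node`, and check whether `NoNewPrivileges=yes` can be set without breaking the copy path (this page cannot confirm that). There is also no `Restart=` policy, so a crash leaves the service down until the next boot; confirm that is intended.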


@ -13,20 +13,19 @@ if [[ "${PV}" == 9999 ]]; then
fi fi
src_compile() { src_compile() {
# Build hv_vss_daemon, hv_kvp_daemon, hv_fcopy_daemon # Build hv_vss_daemon, hv_kvp_daemon, hv_fcopy_daemon
kmake tools/hv kmake tools/hv
} }
src_install() { src_install() {
dobin "${S}/build/tools/hv/hv_fcopy_daemon" local -a HV_DAEMONS=(hv_vss_daemon hv_kvp_daemon hv_fcopy_daemon hv_fcopy_uio_daemon)
dobin "${S}/build/tools/hv/hv_kvp_daemon" local HV_DAEMON
dobin "${S}/build/tools/hv/hv_vss_daemon" for HV_DAEMON in "$HV_DAEMONS[@]"
do
systemd_dounit "${FILESDIR}/hv_fcopy_daemon.service" if [ -f "${S}/build/tools/hv/${HV_DAEMON}" ]; then
systemd_dounit "${FILESDIR}/hv_kvp_daemon.service" dobin "${S}/build/tools/hv/${HV_DAEMON}"
systemd_dounit "${FILESDIR}/hv_vss_daemon.service" systemd_dounit "${FILESDIR}/${HV_DAEMON}.service"
systemd_enable_service "multi-user.target" "${HV_DAEMON}.service"
systemd_enable_service "multi-user.target" "hv_fcopy_daemon.service" fi
systemd_enable_service "multi-user.target" "hv_kvp_daemon.service" done
systemd_enable_service "multi-user.target" "hv_vss_daemon.service"
} }
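Review bot: In the new `src_install`, the loop header `for HV_DAEMON in "$HV_DAEMONS[@]"` as rendered here lacks the braces, so bash expands it to the single word `hv_vss_daemon[@]` instead of the four array elements. The `[ -f … ]` guard then fails for that name and the function installs no binaries and enables no units, without any error, which would produce an image lacking the Hyper-V KVP and VSS daemons. It should read `for HV_DAEMON in "${HV_DAEMONS[@]}"`. Because the `-f` test silently skips anything missing, consider calling `die` when `hv_kvp_daemon` or `hv_vss_daemon` is absent and keeping the soft check only for the fcopy variants, which are not built on every architecture.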


@ -12,7 +12,6 @@ CONFIG_ACPI_IPMI=m
CONFIG_ACPI_PCI_SLOT=y CONFIG_ACPI_PCI_SLOT=y
CONFIG_ACPI_PROCESSOR_AGGREGATOR=y CONFIG_ACPI_PROCESSOR_AGGREGATOR=y
CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=m
CONFIG_AQTION=m CONFIG_AQTION=m
CONFIG_ARCH_MEMORY_PROBE=y CONFIG_ARCH_MEMORY_PROBE=y
CONFIG_AUTOFS_FS=y CONFIG_AUTOFS_FS=y


@ -32,7 +32,6 @@ CONFIG_CRYPTO_SHA1_ARM64_CE=y
CONFIG_CRYPTO_SHA2_ARM64_CE=y CONFIG_CRYPTO_SHA2_ARM64_CE=y
# CONFIG_DEBUG_PREEMPT is not set # CONFIG_DEBUG_PREEMPT is not set
CONFIG_DM_DEBUG=y CONFIG_DM_DEBUG=y
CONFIG_FB_ARMCLCD=y
CONFIG_GPIO_PL061=y CONFIG_GPIO_PL061=y
CONFIG_GPIO_XGENE=y CONFIG_GPIO_XGENE=y
CONFIG_GPIO_XGENE_SB=y CONFIG_GPIO_XGENE_SB=y


@ -171,6 +171,7 @@ CONFIG_DNS_RESOLVER=y
CONFIG_DRM=m CONFIG_DRM=m
CONFIG_DRM_VIRTIO_GPU=m CONFIG_DRM_VIRTIO_GPU=m
CONFIG_DST_CACHE=y CONFIG_DST_CACHE=y
# CONFIG_DRM_FBDEV_EMULATION is not set
CONFIG_DUMMY=m CONFIG_DUMMY=m
CONFIG_DYNAMIC_DEBUG=y CONFIG_DYNAMIC_DEBUG=y
CONFIG_E100=m CONFIG_E100=m
@ -496,6 +497,7 @@ CONFIG_MMC_BLOCK_MINORS=16
CONFIG_MMC_SDHCI=m CONFIG_MMC_SDHCI=m
CONFIG_MMC_SDHCI_PCI=m CONFIG_MMC_SDHCI_PCI=m
CONFIG_MODULES=y CONFIG_MODULES=y
CONFIG_MODULE_COMPRESS=y
CONFIG_MODULE_COMPRESS_XZ=y CONFIG_MODULE_COMPRESS_XZ=y
CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_KEY="${MODULE_SIGNING_KEY_DIR}/certs/modules.pem" CONFIG_MODULE_SIG_KEY="${MODULE_SIGNING_KEY_DIR}/certs/modules.pem"
@ -600,7 +602,6 @@ CONFIG_NET_ACT_CTINFO=m
CONFIG_NET_ACT_GACT=m CONFIG_NET_ACT_GACT=m
CONFIG_NET_ACT_GATE=m CONFIG_NET_ACT_GATE=m
CONFIG_NET_ACT_IFE=m CONFIG_NET_ACT_IFE=m
CONFIG_NET_ACT_IPT=m
CONFIG_NET_ACT_MIRRED=m CONFIG_NET_ACT_MIRRED=m
CONFIG_NET_ACT_MPLS=m CONFIG_NET_ACT_MPLS=m
CONFIG_NET_ACT_NAT=m CONFIG_NET_ACT_NAT=m
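Review bot: In the first hunk the added `# CONFIG_DRM_FBDEV_EMULATION is not set` is placed after `CONFIG_DST_CACHE=y`, which breaks the by-name ordering the rest of this fragment follows; it belongs between `CONFIG_DRM=m` and `CONFIG_DRM_VIRTIO_GPU=m`. The commit description does not say why fbdev emulation is switched off or why `CONFIG_MODULE_COMPRESS=y` is now needed alongside `CONFIG_MODULE_COMPRESS_XZ=y`; a line for each in the commit message would help the next kernel bump, since explicit "is not set" entries tend to be carried forward without anyone remembering the reason.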


@ -1,2 +1,2 @@
DIST linux-6.6.tar.xz 140064536 BLAKE2B 5f02fd8696d42f7ec8c5fbadec8e7270bdcfcb1f9844a6c4db3e1fd461c93ce1ccda650ca72dceb4890ebcbbf768ba8fba0bce91efc49fbd2c307b04e95665f2 SHA512 458b2c34d46206f9b4ccbac54cc57aeca1eaecaf831bc441e59701bac6eadffc17f6ce24af6eadd0454964e843186539ac0d63295ad2cc32d112b60360c39a35 DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
DIST patch-6.6.89.xz 4243548 BLAKE2B a4cf3341e453548a9369ed19fbe07deca183bd5786790161e68bb28340925b351d9046bd8db6fe85836ddff5b82facc85c4fc4fab0e73d2e5837c35672b982f7 SHA512 0642eb456df63bd4f3ab501ca93792e80e6807eef5e8b4dae8bd8a75c3e58397104828c8320994244ab03a62b7f46fa3c476ca8ac42ed7d8f6c8290b5ec6c560 DIST patch-6.12.20.xz 1432116 BLAKE2B cc42fce6584baa82dcf513e62433a61b8d90562648f64d7795e58ec3de0c5449b3685e05a0cb0f9c46b08faa7edf6d6b7edd3520fbc1fabbbb5b8fba2d528299 SHA512 a1568d4233d900f95fa4394147acdc37498582b050fd6a111506f680636b50b6725bf99d76f4f3613d5af5e50d3e46929d718dae3a59f2174ff53477bef83825


@ -36,10 +36,11 @@ IUSE=""
# local patches overlap with the upstream patch. # local patches overlap with the upstream patch.
UNIPATCH_LIST=" UNIPATCH_LIST="
${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch \ ${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch \
${PATCH_DIR}/z0002-revert-pahole-flags.patch \ ${PATCH_DIR}/z0002-pahole-support-reproducible-builds.patch \
${PATCH_DIR}/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch \ ${PATCH_DIR}/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch \
${PATCH_DIR}/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch \ ${PATCH_DIR}/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch \
${PATCH_DIR}/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \ ${PATCH_DIR}/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
${PATCH_DIR}/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch \ ${PATCH_DIR}/z0006-mtd-disable-slram-and-phram-when-locked-down.patch \
${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch \ ${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch \
${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch \
" "


@ -0,0 +1,26 @@
From 9faff3734e6456e7927c0914829a4764ec9f1b44 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Tue, 17 Sep 2024 13:44:14 +0000
Subject: [PATCH] pahole: support reproducible builds
---
scripts/Makefile.btf | 3 +++
1 file changed, 3 insertions(+)
diff --git a/scripts/Makefile.btf b/scripts/Makefile.btf
index 2d6e5ed9081e..b2f88b0fcf37 100644
--- a/scripts/Makefile.btf
+++ b/scripts/Makefile.btf
@@ -23,6 +23,9 @@ else
# Switch to using --btf_features for v1.26 and later.
pahole-flags-$(call test-ge, $(pahole-ver), 126) = -j --btf_features=encode_force,var,float,enum64,decl_tag,type_tag,optimized_func,consistent_func
+# Support reproducible builds.
+pahole-flags-$(call test-ge, $(pahole-ver), 127) = -j --btf_features=encode_force,var,float,enum64,decl_tag,type_tag,optimized_func,consistent_func,reproducible_build
+
endif
pahole-flags-$(CONFIG_PAHOLE_HAS_LANG_EXCLUDE) += --lang_exclude=rust
--
2.34.1
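Review bot: The added `pahole-flags-$(call test-ge, $(pahole-ver), 127) = …` line copies the whole `--btf_features` list from the 1.26 line just above it and assigns with `=`, so any feature a later kernel adds to the 1.26 line is dropped whenever this override takes effect. If pahole accepts the option more than once (to be confirmed against the pahole version in the SDK), an appending form such as `pahole-flags-$(call test-ge, $(pahole-ver), 127) += --btf_features=reproducible_build` avoids the duplicated list. The patch also has no message body; it should state that with pahole older than 1.27 the `-j` encoding stays enabled and BTF output is presumably not reproducible, because the patch it replaces (`z0002-revert-pahole-flags.patch`) handled that case differently. The enclosing `ifeq`/`else` block starts outside the hunk.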


@ -1,8 +1,7 @@
From 1e2ffbec195c89d887bc088691ebb19c9173ecad Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Mon, 18 Feb 2019 12:45:03 +0000 Date: Mon, 18 Feb 2019 12:45:03 +0000
Subject: [PATCH 1/4] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
mode Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is flag that can be passed to efi_enabled() to find out whether secure boot is
@ -26,15 +25,13 @@ cc: linux-efi@vger.kernel.org
arch/x86/kernel/setup.c | 14 +---------- arch/x86/kernel/setup.c | 14 +----------
drivers/firmware/efi/Makefile | 1 + drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++ drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
include/linux/efi.h | 17 ++++++++------ include/linux/efi.h | 16 ++++++++-----
4 files changed, 51 insertions(+), 20 deletions(-) 4 files changed, 51 insertions(+), 19 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c create mode 100644 drivers/firmware/efi/secureboot.c
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index eb129277dcdd..7c4a6697e39d 100644
--- a/arch/x86/kernel/setup.c --- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c
@@ -1190,19 +1190,7 @@ void __init setup_arch(char **cmdline_p) @@ -1193,19 +1193,7 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */ /* Allocate bigger log buffer */
setup_log_buf(1); setup_log_buf(1);
@ -55,11 +52,9 @@ index eb129277dcdd..7c4a6697e39d 100644
reserve_initrd(); reserve_initrd();
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
index e489fefd23da..f2dfae764fb5 100644
--- a/drivers/firmware/efi/Makefile --- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile +++ b/drivers/firmware/efi/Makefile
@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB) += libstub @@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m
obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
obj-$(CONFIG_EFI_TEST) += test/ obj-$(CONFIG_EFI_TEST) += test/
obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
@ -67,9 +62,6 @@ index e489fefd23da..f2dfae764fb5 100644
obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
new file mode 100644
index 000000000000..b6620669e32b
--- /dev/null --- /dev/null
+++ b/drivers/firmware/efi/secureboot.c +++ b/drivers/firmware/efi/secureboot.c
@@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
@ -112,11 +104,9 @@ index 000000000000..b6620669e32b
+ } + }
+ } + }
+} +}
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 80b21d1c6eaf..d267ddba8369 100644
--- a/include/linux/efi.h --- a/include/linux/efi.h
+++ b/include/linux/efi.h +++ b/include/linux/efi.h
@@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console(char *); @@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console
#define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
#define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */ #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */
#define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */ #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */
@ -131,7 +121,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
#ifdef CONFIG_EFI #ifdef CONFIG_EFI
/* /*
@@ -895,6 +903,7 @@ static inline bool efi_rt_services_supported(unsigned int mask) @@ -895,6 +903,7 @@ static inline bool efi_rt_services_suppo
return (efi.runtime_supported_mask & mask) == mask; return (efi.runtime_supported_mask & mask) == mask;
} }
extern void efi_find_mirror(void); extern void efi_find_mirror(void);
@ -139,7 +129,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
#else #else
static inline bool efi_enabled(int feature) static inline bool efi_enabled(int feature)
{ {
@@ -914,6 +923,7 @@ static inline bool efi_rt_services_supported(unsigned int mask) @@ -914,6 +923,7 @@ static inline bool efi_rt_services_suppo
} }
static inline void efi_find_mirror(void) {} static inline void efi_find_mirror(void) {}
@ -147,7 +137,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
#endif #endif
extern int efi_status_to_err(efi_status_t status); extern int efi_status_to_err(efi_status_t status);
@@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled(void) { return true; } @@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled(
extern void efi_call_virt_check_flags(unsigned long flags, const void *caller); extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
extern unsigned long efi_call_virt_save_flags(void); extern unsigned long efi_call_virt_save_flags(void);
@ -161,6 +151,3 @@ index 80b21d1c6eaf..d267ddba8369 100644
static inline static inline
enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var) enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
{ {
--
2.39.2

View File

@ -1,7 +1,6 @@
From fa96a2ef86466da0a43756ee39ce3b1cb555a55a Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk> From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 10 Sep 2019 11:54:28 +0100 Date: Tue, 10 Sep 2019 11:54:28 +0100
Subject: [PATCH 2/4] efi: Lock down the kernel if booted in secure boot mode Subject: efi: Lock down the kernel if booted in secure boot mode
Based on an earlier patch by David Howells, who wrote the following Based on an earlier patch by David Howells, who wrote the following
description: description:
@ -18,18 +17,16 @@ help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)] lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org> Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
--- ---
arch/x86/kernel/setup.c | 4 ++-- arch/x86/kernel/setup.c | 4 ++--
drivers/firmware/efi/secureboot.c | 5 +++++ drivers/firmware/efi/secureboot.c | 3 +++
include/linux/security.h | 6 ++++++ include/linux/security.h | 6 ++++++
security/lockdown/Kconfig | 15 +++++++++++++++ security/lockdown/Kconfig | 15 +++++++++++++++
security/lockdown/lockdown.c | 2 +- security/lockdown/lockdown.c | 2 +-
5 files changed, 29 insertions(+), 3 deletions(-) 5 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 7c4a6697e39d..04e73973098e 100644
--- a/arch/x86/kernel/setup.c --- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c
@@ -1028,6 +1028,8 @@ void __init setup_arch(char **cmdline_p) @@ -904,6 +904,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT)) if (efi_enabled(EFI_BOOT))
efi_init(); efi_init();
@ -38,7 +35,7 @@ index 7c4a6697e39d..04e73973098e 100644
reserve_ibft_region(); reserve_ibft_region();
x86_init.resources.dmi_setup(); x86_init.resources.dmi_setup();
@@ -1190,8 +1192,6 @@ void __init setup_arch(char **cmdline_p) @@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */ /* Allocate bigger log buffer */
setup_log_buf(1); setup_log_buf(1);
@ -47,8 +44,6 @@ index 7c4a6697e39d..04e73973098e 100644
reserve_initrd(); reserve_initrd();
acpi_table_upgrade(); acpi_table_upgrade();
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
index b6620669e32b..8f2554291fb1 100644
--- a/drivers/firmware/efi/secureboot.c --- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c +++ b/drivers/firmware/efi/secureboot.c
@@ -15,6 +15,7 @@ @@ -15,6 +15,7 @@
@ -59,7 +54,7 @@ index b6620669e32b..8f2554291fb1 100644
/* /*
* Decide what to do when UEFI secure boot mode is enabled. * Decide what to do when UEFI secure boot mode is enabled.
@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode) @@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi
break; break;
case efi_secureboot_mode_enabled: case efi_secureboot_mode_enabled:
set_bit(EFI_SECURE_BOOT, &efi.flags); set_bit(EFI_SECURE_BOOT, &efi.flags);
@ -70,19 +65,17 @@ index b6620669e32b..8f2554291fb1 100644
pr_info("Secure boot enabled\n"); pr_info("Secure boot enabled\n");
break; break;
default: default:
diff --git a/include/linux/security.h b/include/linux/security.h
index 4bd0f6fc553e..08258ecbb5f9 100644
--- a/include/linux/security.h --- a/include/linux/security.h
+++ b/include/linux/security.h +++ b/include/linux/security.h
@@ -486,6 +486,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); @@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what); int security_locked_down(enum lockdown_reason what);
+int lock_kernel_down(const char *where, enum lockdown_reason level); +int lock_kernel_down(const char *where, enum lockdown_reason level);
#else /* CONFIG_SECURITY */ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
void *val, size_t val_len, u64 id, u64 flags);
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) int security_bdev_alloc(struct block_device *bdev);
@@ -1404,6 +1405,11 @@ static inline int security_locked_down(enum lockdown_reason what) @@ -1504,6 +1505,11 @@ static inline int security_locked_down(e
{ {
return 0; return 0;
} }
@ -91,14 +84,12 @@ index 4bd0f6fc553e..08258ecbb5f9 100644
+{ +{
+ return -EOPNOTSUPP; + return -EOPNOTSUPP;
+} +}
#endif /* CONFIG_SECURITY */ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
u32 *uctx_len, void *val, size_t val_len,
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) u64 id, u64 flags)
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf484010..4175b50b1e6e 100644
--- a/security/lockdown/Kconfig --- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig
@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY @@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
disabled. disabled.
endchoice endchoice
@ -117,11 +108,9 @@ index e84ddf484010..4175b50b1e6e 100644
+ +
+ Enabling this option results in kernel lockdown being + Enabling this option results in kernel lockdown being
+ triggered in integrity mode if EFI Secure Boot is set. + triggered in integrity mode if EFI Secure Boot is set.
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 68d19632aeb7..67cc9839952f 100644
--- a/security/lockdown/lockdown.c --- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c
@@ -23,7 +23,7 @@ static const enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE, @@ -24,7 +24,7 @@ static const enum lockdown_reason lockdo
/* /*
* Put the kernel into lock-down mode. * Put the kernel into lock-down mode.
*/ */
@ -130,6 +119,3 @@ index 68d19632aeb7..67cc9839952f 100644
{ {
if (kernel_locked_down >= level) if (kernel_locked_down >= level)
return -EPERM; return -EPERM;
--
2.39.2


@ -1,7 +1,7 @@
From bb8912cf807feab56cf8e924d33229d800ae71a6 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk> From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 30 Aug 2019 15:54:24 +0100 Date: Fri, 30 Aug 2019 15:54:24 +0100
Subject: [PATCH 3/4] mtd: phram,slram: Disable when the kernel is locked down Subject: mtd: phram,slram: Disable when the kernel is locked down
Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
These drivers allow mapping arbitrary memory ranges as MTD devices. These drivers allow mapping arbitrary memory ranges as MTD devices.
This should be disabled to preserve the kernel's integrity when it is This should be disabled to preserve the kernel's integrity when it is
@ -21,11 +21,9 @@ Cc: linux-mtd@lists.infradead.org
drivers/mtd/devices/slram.c | 9 ++++++++- drivers/mtd/devices/slram.c | 9 ++++++++-
2 files changed, 13 insertions(+), 2 deletions(-) 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c
index 208bd4d871f4..30f84a91692d 100644
--- a/drivers/mtd/devices/phram.c --- a/drivers/mtd/devices/phram.c
+++ b/drivers/mtd/devices/phram.c +++ b/drivers/mtd/devices/phram.c
@@ -364,7 +364,11 @@ static int phram_param_call(const char *val, const struct kernel_param *kp) @@ -364,7 +364,11 @@ static int phram_param_call(const char *
#endif #endif
} }
@ -38,8 +36,6 @@ index 208bd4d871f4..30f84a91692d 100644
MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\""); MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\"");
#ifdef CONFIG_OF #ifdef CONFIG_OF
diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
index 28131a127d06..d92a2461e2ce 100644
--- a/drivers/mtd/devices/slram.c --- a/drivers/mtd/devices/slram.c
+++ b/drivers/mtd/devices/slram.c +++ b/drivers/mtd/devices/slram.c
@@ -43,6 +43,7 @@ @@ -43,6 +43,7 @@
@ -77,6 +73,3 @@ index 28131a127d06..d92a2461e2ce 100644
while (map) { while (map) {
devname = devstart = devlength = NULL; devname = devstart = devlength = NULL;
--
2.39.2


@ -1,8 +1,8 @@
From 8598238a38a333fed5ec0c8287f99813578370ab Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com> From: Linn Crosetto <linn@hpe.com>
Date: Tue, 30 Aug 2016 11:54:38 -0600 Date: Tue, 30 Aug 2016 11:54:38 -0600
Subject: [PATCH 4/4] arm64: add kernel config option to lock down when in Subject: arm64: add kernel config option to lock down when in Secure Boot mode
Secure Boot mode Bug-Debian: https://bugs.debian.org/831827
Forwarded: no
Add a kernel configuration option to lock down the kernel, to restrict Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is userspace's ability to modify the running kernel when UEFI Secure Boot is
@ -32,17 +32,15 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename [Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename
arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c] arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
--- ---
drivers/firmware/efi/efi-init.c | 5 ++++- drivers/firmware/efi/efi-init.c | 5 ++++-
drivers/firmware/efi/fdtparams.c | 12 +++++++++++- drivers/firmware/efi/fdtparams.c | 12 +++++++++++-
drivers/firmware/efi/libstub/fdt.c | 6 ++++++ drivers/firmware/efi/libstub/fdt.c | 6 ++++++
include/linux/efi.h | 3 ++- include/linux/efi.h | 3 ++-
4 files changed, 23 insertions(+), 3 deletions(-) 4 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
index 59b0d7197b68..e63f8a82d9f4 100644
--- a/drivers/firmware/efi/efi-init.c --- a/drivers/firmware/efi/efi-init.c
+++ b/drivers/firmware/efi/efi-init.c +++ b/drivers/firmware/efi/efi-init.c
@@ -204,9 +204,10 @@ void __init efi_init(void) @@ -213,9 +213,10 @@ void __init efi_init(void)
{ {
struct efi_memory_map_data data; struct efi_memory_map_data data;
u64 efi_system_table; u64 efi_system_table;
@ -54,7 +52,7 @@ index 59b0d7197b68..e63f8a82d9f4 100644
if (!efi_system_table) if (!efi_system_table)
return; return;
@@ -228,6 +229,8 @@ void __init efi_init(void) @@ -237,6 +238,8 @@ void __init efi_init(void)
return; return;
} }
@ -63,8 +61,6 @@ index 59b0d7197b68..e63f8a82d9f4 100644
reserve_regions(); reserve_regions();
/* /*
* For memblock manipulation, the cap should come after the memblock_add(). * For memblock manipulation, the cap should come after the memblock_add().
diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c
index 0ec83ba58097..81a0ac408cf5 100644
--- a/drivers/firmware/efi/fdtparams.c --- a/drivers/firmware/efi/fdtparams.c
+++ b/drivers/firmware/efi/fdtparams.c +++ b/drivers/firmware/efi/fdtparams.c
@@ -16,6 +16,7 @@ enum { @@ -16,6 +16,7 @@ enum {
@ -75,7 +71,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
PARAMCOUNT PARAMCOUNT
}; };
@@ -26,6 +27,7 @@ static __initconst const char name[][22] = { @@ -26,6 +27,7 @@ static __initconst const char name[][22]
[MMSIZE] = "MemMap Size ", [MMSIZE] = "MemMap Size ",
[DCSIZE] = "MemMap Desc. Size ", [DCSIZE] = "MemMap Desc. Size ",
[DCVERS] = "MemMap Desc. Version ", [DCVERS] = "MemMap Desc. Version ",
@ -99,7 +95,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
} }
} }
}; };
@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname, @@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const
int len; int len;
u64 val; u64 val;
@ -111,7 +107,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
prop = fdt_getprop(fdt, node, pname, &len); prop = fdt_getprop(fdt, node, pname, &len);
if (!prop) if (!prop)
return 1; return 1;
@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname, @@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const
return 0; return 0;
} }
@ -120,7 +116,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
{ {
const void *fdt = initial_boot_params; const void *fdt = initial_boot_params;
unsigned long systab; unsigned long systab;
@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm) @@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi
[MMSIZE] = { &mm->size, sizeof(mm->size) }, [MMSIZE] = { &mm->size, sizeof(mm->size) },
[DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) }, [DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) },
[DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) }, [DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) },
@ -128,11 +124,9 @@ index 0ec83ba58097..81a0ac408cf5 100644
}; };
BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name)); BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
index 6a337f1f8787..6c679da644dd 100644
--- a/drivers/firmware/efi/libstub/fdt.c --- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c +++ b/drivers/firmware/efi/libstub/fdt.c
@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size, @@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *ori
} }
} }
@ -145,20 +139,15 @@ index 6a337f1f8787..6c679da644dd 100644
/* Shrink the FDT back to its minimum size: */ /* Shrink the FDT back to its minimum size: */
fdt_pack(fdt); fdt_pack(fdt);
diff --git a/include/linux/efi.h b/include/linux/efi.h
index d267ddba8369..fbce526768d3 100644
--- a/include/linux/efi.h --- a/include/linux/efi.h
+++ b/include/linux/efi.h +++ b/include/linux/efi.h
@@ -756,7 +756,8 @@ extern void efi_mem_reserve(phys_addr_t addr, u64 size); @@ -764,7 +764,8 @@ extern int efi_mem_desc_lookup(u64 phys_
extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
extern void efi_mem_reserve(phys_addr_t addr, u64 size);
extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size); extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
extern void efi_initialize_iomem_resources(struct resource *code_resource,
struct resource *data_resource, struct resource *bss_resource);
-extern u64 efi_get_fdt_params(struct efi_memory_map_data *data); -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
+extern u64 efi_get_fdt_params(struct efi_memory_map_data *data, +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
+ u32 *secure_boot); + u32 *secure_boot);
extern struct kobject *efi_kobj; extern struct kobject *efi_kobj;
extern int efi_reboot_quirk_mode; extern int efi_reboot_quirk_mode;
--
2.39.2

View File

@ -0,0 +1,35 @@
From 0890eb69da82aec12518a5c2998afea467a0e9d7 Mon Sep 17 00:00:00 2001
From: Adrian Vladu <avladu@cloudbasesolutions.com>
Date: Thu, 19 Sep 2024 07:59:59 +0000
Subject: [PATCH] tools: hv: fix cross-compilation for ARM64
---
tools/hv/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/hv/Makefile b/tools/hv/Makefile
index 2e60e2c212cd..d72554cedbf6 100644
--- a/tools/hv/Makefile
+++ b/tools/hv/Makefile
@@ -2,7 +2,9 @@
# Makefile for Hyper-V tools
include ../scripts/Makefile.include
+ifeq ($(ARCH),)
ARCH := $(shell uname -m 2>/dev/null)
+endif
sbindir ?= /usr/sbin
libexecdir ?= /usr/libexec
sharedstatedir ?= /var/lib
@@ -20,7 +22,7 @@ override CFLAGS += -O2 -Wall -g -D_GNU_SOURCE -I$(OUTPUT)include
override CFLAGS += -Wno-address-of-packed-member
ALL_TARGETS := hv_kvp_daemon hv_vss_daemon
-ifneq ($(ARCH), aarch64)
+ifeq ($(filter $(ARCH),aarch64 arm64),)
ALL_TARGETS += hv_fcopy_uio_daemon
endif
ALL_PROGRAMS := $(patsubst %,$(OUTPUT)%,$(ALL_TARGETS))
--
2.34.1
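Review bot: The second hunk's `ifeq ($(filter $(ARCH),aarch64 arm64),)` accepts two spellings of the same architecture, but neither the Makefile nor the patch header explains why, and unlike the other carried patches this one has no message body or `Forwarded:` status. A comment above the test such as `# ARCH is arm64 when passed in by kbuild, aarch64 when derived from uname -m` would stop a later rebase from collapsing it back to a single comparison. With the first hunk, an `ARCH` inherited from the environment now decides whether `hv_fcopy_uio_daemon` is built at all, so the package's install step has to tolerate the binary being absent on arm64.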


@ -1,53 +0,0 @@
diff --git a/init/Kconfig b/init/Kconfig
index e173364abd6c..cdc35682e03b 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1899,7 +1899,7 @@ config RUST
depends on !GCC_PLUGINS
depends on !RANDSTRUCT
depends on !SHADOW_CALL_STACK
- depends on !DEBUG_INFO_BTF || (PAHOLE_HAS_LANG_EXCLUDE && !LTO)
+ depends on !DEBUG_INFO_BTF
help
Enables Rust support in the kernel.
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index da5513cfc125..f2b3aab6d4a1 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -394,15 +394,6 @@ config PAHOLE_HAS_BTF_TAG
btf_decl_tag) or not. Currently only clang compiler implements
these attributes, so make the config depend on CC_IS_CLANG.
-config PAHOLE_HAS_LANG_EXCLUDE
- def_bool PAHOLE_VERSION >= 124
- help
- Support for the --lang_exclude flag which makes pahole exclude
- compilation units from the supplied language. Used in Kbuild to
- omit Rust CUs which are not supported in version 1.24 of pahole,
- otherwise it would emit malformed kernel and module binaries when
- using DEBUG_INFO_BTF_MODULES.
-
config DEBUG_INFO_BTF_MODULES
bool "Generate BTF type information for kernel modules"
default y
diff --git a/scripts/pahole-flags.sh b/scripts/pahole-flags.sh
index 728d55190d97..c293941612e7 100755
--- a/scripts/pahole-flags.sh
+++ b/scripts/pahole-flags.sh
@@ -16,15 +16,5 @@ fi
if [ "${pahole_ver}" -ge "121" ]; then
extra_paholeopt="${extra_paholeopt} --btf_gen_floats"
fi
-if [ "${pahole_ver}" -ge "122" ]; then
- extra_paholeopt="${extra_paholeopt} -j"
-fi
-if [ "${pahole_ver}" -ge "124" ]; then
- # see PAHOLE_HAS_LANG_EXCLUDE
- extra_paholeopt="${extra_paholeopt} --lang_exclude=rust"
-fi
-if [ "${pahole_ver}" -ge "125" ]; then
- extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_inconsistent_proto --btf_gen_optimized"
-fi
echo ${extra_paholeopt}