starlingx/kernel
Code Issues Proposed changes
kernel/kernel-rt/debian/deb_patches/0004-kernel-rt-Adapt-the-debian-folder-for-new-source.patch
Li Zhou 3d19001293 Debian: enable lockdown feature patches 
Please refer to:
[Table 4.2. Kernel module authentication requirements for loading] from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/
8/html/managing_monitoring_and_updating_the_kernel/
signing-kernel-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel

When secure boot is enabled, whether the sig_enforce is set or not
the unsigned / missigned kernel modules' loading should fail.
Debian has patches under debian/patches/features/all/lockdown to
realize this function by the lockdown feature. We have removed
all the debian patches except those about building. Here readd the
lockdown feature patches for the secure boot function mentioned above.
Besides, to enable CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT defined in the
patches, extra configs' setting is needed.

Test plan:
 - PASS: Boot up qemu in the way with secure boot enabled, sig_enforce
         is unset by default. Insmod unsigned / missigned kernel
         modules. It should fail.
 - PASS: Set KERNEL_PARAMS="module.sig_enforce=1" in the lat config file
         to make a test build to pass it as a kernel parameter. Then
         boot up qemu in the way with secure boot enabled. Insmod
         unsigned / missigned kernel modules. It should fail.
 - PASS: Do above tests for both kernel-std and kernel-rt.

Story: 2009221
Task: 45071
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I32d7008941322a019dc9d72033cb0c13fb6cfbb4
2022-04-19 21:32:51 -04:00

422 lines
17 KiB
Diff
Raw Blame History

From 20b774f05db7bdcbe77dc612efb171107bcddfde Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Fri, 26 Nov 2021 20:17:45 +0800
Subject: [PATCH 4/4] kernel-rt: Adapt the debian folder for new source
Below are the changes on DEBIAN's kernel release's "debian" folder
for building linux-yocto kernel-rt source 5.10.74, besides the changes
about kernel configs / changelog file / replacing "linux" with
"linux-rt":
-Update debian/config/amd64/none/defines to disable debian cloud image
build, which isn't in use here;
-Update debian/config/defines to disable docs/installer packages'
build to avoid some build errors caused by docs and installer,
which aren't in use here;
-Update debian/lib/python/debian_linux/debian.py to remove an
unimportant format check for changelog because it conflicts with the
new build system;
-Update debian/patches/series to only keep the patches to support
package build system and the lockdown feature, which are from
DEBIAN release.
-Rebase the patch debian/patches/debian/version.patch for context
changes;
-Update debian/rules to solve the issue that build paused after
gencontrol;
-Update debian/config/defines to disable rt feature. This linux-rt
isn't built using the rt feature, because linux-yocto rt source
is stored in its own branch and not as a set of patches against std.
Take the linux-rt code as a normal kernel with its special config file;
-Update debian/config/defines to disable unnecessary tool packages;
-Update debian/control to avoid the error:
<debrepack - ERROR - dpkg-source: error: source package has two
conflicting values - linux and linux-rt>
This is caused by the temp control file in the debian folder
downloaded.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
debian/config/amd64/none/defines | 7 --
debian/config/defines | 8 +-
debian/control | 2 +-
debian/lib/python/debian_linux/debian.py | 23 +++--
debian/patches/debian/version.patch | 38 +++++---
debian/patches/series | 108 -----------------------
debian/rules | 9 +-
7 files changed, 48 insertions(+), 147 deletions(-)
diff --git a/debian/config/amd64/none/defines b/debian/config/amd64/none/defines
index ada2355..090dc41 100644
--- a/debian/config/amd64/none/defines
+++ b/debian/config/amd64/none/defines
@@ -1,10 +1,3 @@
[base]
flavours:
amd64
- cloud-amd64
-default-flavour: amd64
-
-[cloud-amd64_image]
-configs:
- config.cloud
- amd64/config.cloud-amd64
diff --git a/debian/config/defines b/debian/config/defines
index 7133cd7..ee09bd2 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -141,7 +141,6 @@ arches:
compiler: gcc-10
featuresets:
none
- rt
[build]
debug-info: true
@@ -149,7 +148,7 @@ debug-info: true
signed-code: false
[featureset-rt_base]
-enabled: true
+enabled: false
[description]
part-long-up: This kernel is not suitable for SMP (multi-processor,
@@ -167,3 +166,8 @@ gcc-10: gcc-10 <!stage1 !cross !pkg.linux.nokernel>, gcc-10-@gnu-type-package@ <
# initramfs-generators
initramfs-fallback: linux-initramfs-tool
initramfs-tools: initramfs-tools (>= 0.120+deb8u2)
+
+[packages]
+docs: false
+installer: false
+tools-unversioned: false
diff --git a/debian/control b/debian/control
index 11c2e77..5788ad1 100644
--- a/debian/control
+++ b/debian/control
@@ -1,4 +1,4 @@
-Source: linux
+Source: linux-rt
Section: kernel
Priority: optional
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
diff --git a/debian/lib/python/debian_linux/debian.py b/debian/lib/python/debian_linux/debian.py
index 6fb2618..3200483 100644
--- a/debian/lib/python/debian_linux/debian.py
+++ b/debian/lib/python/debian_linux/debian.py
@@ -85,18 +85,17 @@ class Changelog(list):
v = Version(top_match.group('version'))
else:
bottom_match = self._bottom_re.match(line)
- if not bottom_match:
- raise Exception('invalid bottom line %d in changelog' %
- line_no)
-
- self.append(self.Entry(
- distribution=top_match.group('distribution'),
- source=top_match.group('source'),
- version=v,
- urgency=top_match.group('urgency'),
- maintainer=bottom_match.group('maintainer'),
- date=bottom_match.group('date')))
- top_match = bottom_match = None
+ # Don't raise exception any more if this bottom format
+ # checking fails because we have adpated the changelog format.
+ if bottom_match:
+ self.append(self.Entry(
+ distribution=top_match.group('distribution'),
+ source=top_match.group('source'),
+ version=v,
+ urgency=top_match.group('urgency'),
+ maintainer=bottom_match.group('maintainer'),
+ date=bottom_match.group('date')))
+ top_match = bottom_match = None
class Version(object):
diff --git a/debian/patches/debian/version.patch b/debian/patches/debian/version.patch
index 542dc53..fd2ccae 100644
--- a/debian/patches/debian/version.patch
+++ b/debian/patches/debian/version.patch
@@ -1,11 +1,14 @@
+From 195a07a991926137cd48545acd99cc074f5aedac Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
-Subject: Include package version along with kernel release in stack traces
Date: Tue, 24 Jul 2012 03:13:10 +0100
-Forwarded: not-needed
+Subject: Include package version along with kernel release in stack traces
For distribution binary packages we assume
$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
are set.
+
+[LZ: Rebase the patch for context changes.]
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
Makefile | 15 ++++++++++++++-
arch/ia64/kernel/process.c | 5 +++--
@@ -15,9 +18,11 @@ are set.
lib/dump_stack.c | 6 ++++--
6 files changed, 33 insertions(+), 11 deletions(-)
+diff --git a/Makefile b/Makefile
+index 22500fa35..47e19ccdf 100644
--- a/Makefile
+++ b/Makefile
-@@ -1195,7 +1195,7 @@ PHONY += prepare archprepare
+@@ -1208,7 +1208,7 @@ PHONY += prepare archprepare
archprepare: outputmakefile archheaders archscripts scripts include/config/kernel.release \
asm-generic $(version_h) $(autoksyms_h) include/generated/utsrelease.h \
@@ -26,7 +31,7 @@ are set.
prepare0: archprepare
$(Q)$(MAKE) $(build)=scripts/mod
-@@ -1258,6 +1258,16 @@ define filechk_version.h
+@@ -1271,6 +1271,16 @@ define filechk_version.h
((c) > 255 ? 255 : (c)))'
endef
@@ -43,7 +48,7 @@ are set.
$(version_h): PATCHLEVEL := $(if $(PATCHLEVEL), $(PATCHLEVEL), 0)
$(version_h): SUBLEVEL := $(if $(SUBLEVEL), $(SUBLEVEL), 0)
$(version_h): FORCE
-@@ -1267,6 +1277,9 @@ $(version_h): FORCE
+@@ -1280,6 +1290,9 @@ $(version_h): FORCE
include/generated/utsrelease.h: include/config/kernel.release FORCE
$(call filechk,utsrelease.h)
@@ -53,6 +58,8 @@ are set.
PHONY += headerdep
headerdep:
$(Q)find $(srctree)/include/ -name '*.h' | xargs --max-args 1 \
+diff --git a/arch/ia64/kernel/process.c b/arch/ia64/kernel/process.c
+index c9ff8796b..1b589e2c8 100644
--- a/arch/ia64/kernel/process.c
+++ b/arch/ia64/kernel/process.c
@@ -34,6 +34,7 @@
@@ -75,6 +82,8 @@ are set.
printk("ip is at %pS\n", (void *)ip);
printk("unat: %016lx pfs : %016lx rsc : %016lx\n",
regs->ar_unat, regs->ar_pfs, regs->ar_rsc);
+diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
+index 3064694af..d3e3fac92 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -40,6 +40,7 @@
@@ -85,7 +94,7 @@ are set.
#include <asm/io.h>
#include <asm/processor.h>
-@@ -1474,8 +1475,9 @@ void show_regs(struct pt_regs * regs)
+@@ -1490,8 +1491,9 @@ void show_regs(struct pt_regs * regs)
printk("NIP: "REG" LR: "REG" CTR: "REG"\n",
regs->nip, regs->link, regs->ctr);
@@ -97,6 +106,8 @@ are set.
printk("MSR: "REG" ", regs->msr);
print_msr_bits(regs->msr);
pr_cont(" CR: %08lx XER: %08lx\n", regs->ccr, regs->xer);
+diff --git a/arch/x86/um/sysrq_64.c b/arch/x86/um/sysrq_64.c
+index 903ad91b6..7fdad4fc2 100644
--- a/arch/x86/um/sysrq_64.c
+++ b/arch/x86/um/sysrq_64.c
@@ -9,6 +9,7 @@
@@ -119,6 +130,8 @@ are set.
printk(KERN_INFO "RIP: %04lx:[<%016lx>]\n", PT_REGS_CS(regs) & 0xffff,
PT_REGS_IP(regs));
printk(KERN_INFO "RSP: %016lx EFLAGS: %08lx\n", PT_REGS_SP(regs),
+diff --git a/kernel/hung_task.c b/kernel/hung_task.c
+index 396ebaebe..8a4ad4fc5 100644
--- a/kernel/hung_task.c
+++ b/kernel/hung_task.c
@@ -23,6 +23,7 @@
@@ -129,7 +142,7 @@ are set.
/*
* The number of tasks checked:
-@@ -128,10 +129,11 @@ static void check_hung_task(struct task_
+@@ -128,10 +129,11 @@ static void check_hung_task(struct task_struct *t, unsigned long timeout)
sysctl_hung_task_warnings--;
pr_err("INFO: task %s:%d blocked for more than %ld seconds.\n",
t->comm, t->pid, (jiffies - t->last_switch_time) / HZ);
@@ -143,17 +156,19 @@ are set.
pr_err("\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\""
" disables this message.\n");
sched_show_task(t);
+diff --git a/lib/dump_stack.c b/lib/dump_stack.c
+index f5a33b6f7..0ec8104de 100644
--- a/lib/dump_stack.c
+++ b/lib/dump_stack.c
-@@ -12,6 +12,7 @@
- #include <linux/atomic.h>
+@@ -13,6 +13,7 @@
#include <linux/kexec.h>
#include <linux/utsname.h>
+ #include <linux/stop_machine.h>
+#include <generated/package.h>
static char dump_stack_arch_desc_str[128];
-@@ -44,13 +45,14 @@ void __init dump_stack_set_arch_desc(con
+@@ -45,13 +46,14 @@ void __init dump_stack_set_arch_desc(const char *fmt, ...)
*/
void dump_stack_print_info(const char *log_lvl)
{
@@ -170,3 +185,6 @@ are set.
if (dump_stack_arch_desc_str[0] != '\0')
printk("%sHardware name: %s\n",
+--
+2.17.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 56d1700..163943a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,13 +1,3 @@
-debian/gitignore.patch
-
-# Disable features broken by exclusion of upstream files
-debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
-debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
-debian/dfsg/vs6624-disable.patch
-debian/dfsg/drivers-net-appletalk-cops.patch
-debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
-debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch
-
# Changes to support package build system
debian/version.patch
debian/uname-version-timestamp.patch
@@ -26,68 +16,6 @@ debian/documentation-drop-sphinx-version-check.patch
debian/perf-traceevent-support-asciidoctor-for-documentatio.patch
debian/kbuild-look-for-module.lds-under-arch-directory-too.patch
-# Fixes/improvements to firmware loading
-features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
-debian/iwlwifi-do-not-request-unreleased-firmware.patch
-bugfix/all/firmware_class-log-every-success-and-failure.patch
-bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
-bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
-debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
-
-# Patches from aufs5 repository, imported with debian/bin/genpatch-aufs.
-# These are only the changes needed to allow aufs to be built out-of-tree.
-#features/all/aufs5/aufs5-base.patch
-#features/all/aufs5/aufs5-mmap.patch
-#features/all/aufs5/aufs5-standalone.patch
-
-# Change some defaults for security reasons
-debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
-debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
-debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
-debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
-debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch
-debian/fs-enable-link-security-restrictions-by-default.patch
-
-# Set various features runtime-disabled by default
-debian/sched-autogroup-disabled.patch
-debian/yama-disable-by-default.patch
-debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
-features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
-features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
-features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
-
-# Disable autoloading/probing of various drivers by default
-debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
-debian/snd-pcsp-disable-autoload.patch
-bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
-debian/fjes-disable-autoload.patch
-
-# Taint if dangerous features are used
-debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
-debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
-
-# Arch bug fixes
-bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
-bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch
-bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
-bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
-bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
-bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
-bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
-bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
-
-# Arch features
-features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch
-features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
-features/x86/x86-make-x32-syscall-support-conditional.patch
-
-# Miscellaneous bug fixes
-bugfix/all/disable-some-marvell-phys.patch
-bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
-bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
-debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch
-bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
-
# Miscellaneous features
# Lockdown missing pieces
@@ -95,39 +23,3 @@ features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
-
-# Improve integrity platform keyring for kernel modules verification
-features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
-features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch
-features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
-features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
-features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
-features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
-
-# Security fixes
-debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-debian/ntfs-mark-it-as-broken.patch
-bugfix/x86/0001-bpf-x86-Validate-computation-of-branch-displacements.patch
-bugfix/x86/0002-bpf-x86-Validate-computation-of-branch-displacements.patch
-
-# Fix exported symbol versions
-bugfix/all/module-disable-matching-missing-version-crc.patch
-
-# Tools bug fixes
-bugfix/all/usbip-document-tcp-wrappers.patch
-bugfix/all/kbuild-fix-recordmcount-dependency.patch
-bugfix/all/tools-perf-man-date.patch
-bugfix/all/tools-perf-remove-shebangs.patch
-bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
-bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
-bugfix/all/cpupower-bump-soname-version.patch
-bugfix/all/libcpupower-hide-private-function.patch
-bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
-bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch
-bugfix/all/bpftool-fix-version-string-in-recursive-builds.patch
-bugfix/all/tools-include-uapi-fix-errno.h.patch
-
-# overlay: allow mounting in user namespaces
-debian/overlayfs-permit-mounts-in-userns.patch
-
-# ABI maintenance
diff --git a/debian/rules b/debian/rules
index 3659e5b..f6f4c07 100755
--- a/debian/rules
+++ b/debian/rules
@@ -113,12 +113,7 @@ debian/control-real: debian/bin/gencontrol.py $(CONTROL_FILES)
# Hash randomisation makes the pickled config unreproducible
PYTHONHASHSEED=0 $<
md5sum $^ > debian/control.md5sum
- @echo
- @echo This target is made to fail intentionally, to make sure
- @echo that it is NEVER run during the automated build. Please
- @echo ignore the following error, the debian/control file has
- @echo been generated SUCCESSFULLY.
- @echo
- exit 1
+ @echo The debian/control file has been generated SUCCESSFULLY.
+ @echo Proceed to build!
.PHONY: binary binary-% build build-% clean debian/control-real orig setup source
--
2.17.1
View Git Blame Copy Permalink