commit: 08fdcee6ee1676be74fc36cd4659afa7c2589a13 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
AuthorDate: Sun Oct 3 20:28:20 2021 +0000 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 3 20:28:20 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=08fdcee6 |
|
Name CPU Opt patch properly and add other patches |
|
Patch to enable link security restrictions by default. |
Support for namespace user.pax.* on tmpfs |
Enable link security restrictions by default. |
Bluetooth: Check key sizes only when Secure Simple Pairing |
is enabled. See bug #686758 |
tmp513 requires REGMAP_I2C to build. Select it by default in |
Kconfig. See bug #710790. Thanks to Phil Stracchino |
sign-file: full functionality with modern LibreSSL |
Add Gentoo Linux support config settings and defaults. |
Kernel Self Protection patch CPU Optimization patch |
Patch to print firmware info |
|
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> |
|
0000_README | 32 +++++++++++ |
1500_XATTR_USER_PREFIX.patch | 67 ++++++++++++++++++++++ |
...ble-link-security-restrictions-by-default.patch | 20 +++++++ |
...zes-only-if-Secure-Simple-Pairing-enabled.patch | 37 ++++++++++++ |
...3-Fix-build-issue-by-selecting-CONFIG_REG.patch | 30 ++++++++++ |
2920_sign-file-patch-for-libressl.patch | 16 ++++++ |
3000_Support-printing-firmware-info.patch | 14 +++++ |
4567_distro-Gentoo-Kconfig.patch | 2 +- |
...> 5010_enable-cpu-optimizations-universal.patch | 0 |
9 files changed, 217 insertions(+), 1 deletion(-) |
|
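--- a/0000_README
+++ b/0000_README
@@ -43,6 +43,38 @@ EXPERIMENTAL
 Individual Patch Descriptions:
 --------------------------------------------------------------------------
 
+Patch: 1500_XATTR_USER_PREFIX.patch
+From: https://bugs.gentoo.org/show_bug.cgi?id=470644
+Desc: Support for namespace user.pax.* on tmpfs.
+
+Patch: 1510_fs-enable-link-security-restrictions-by-default.patch
+From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
+Desc: Enable link security restrictions by default.
+
+Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+From: https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-marcel@××××××××.org/raw
+Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758
+
+Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+From: https://bugs.gentoo.org/710790
+Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino
+
+Patch: 2920_sign-file-patch-for-libressl.patch
+From: https://bugs.gentoo.org/717166
+Desc: sign-file: full functionality with modern LibreSSL
+
+Patch: 3000_Support-printing-firmware-info.patch
+From: https://bugs.gentoo.org/732852
+Desc: Print firmware info (Reqs CONFIG_GENTOO_PRINT_FIRMWARE_INFO). Thanks to Georgy Yakovlev
+
 Patch: 4567_distro-Gentoo-Kconfig.patch
 From: Tom Wijsman <TomWij@g.o>
 Desc: Add Gentoo Linux support config settings and defaults.
+
+Patch: 5010_enable-cpu-optimizations-universal.patch
+From: https://github.com/graysky2/kernel_compiler_patch
+Desc: Kernel >= 5.8 patch enables gcc = v9+ optimizations for additional CPUs.
+
+Patch: 5021_BMQ-and-PDS-gentoo-defaults.patch
+From: https://gitweb.gentoo.org/proj/linux-patches.git/
+Desc: Set defaults for BMQ. Add archs as people test, default to N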
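Review bot: The new index entry `Patch: 5021_BMQ-and-PDS-gentoo-defaults.patch` names a file this commit does not add — the diffstat lists nine files and none is 5021 — so unless that patch was already present in the tree before this commit, 0000_README now advertises a patch that does not exist and anything that applies the series from the index will fail on it. Either drop the entry until the file lands or add the file in the same commit. The 2900 entry also carries the typo `requies`; `Desc: tmp513 requires REGMAP_I2C to build.` would match the Subject of the patch it indexes. The 5010 description `enables gcc = v9+ optimizations` reads as though a `>` was lost; `gcc >= v9` is presumably what was meant, worth confirming against the upstream text.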
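--- /dev/null
+++ b/1500_XATTR_USER_PREFIX.patch
@@ -0,0 +1,67 @@
+From: Anthony G. Basile <blueness@g.o>
+
+This patch adds support for a restricted user-controlled namespace on
+tmpfs filesystem used to house PaX flags. The namespace must be of the
+form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index 1590c49..5eab462 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -73,5 +73,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+ 
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+ 
+ #endif /* _UAPI_LINUX_XATTR_H */
+--- a/mm/shmem.c 2020-05-04 15:30:27.042035334 -0400
++++ b/mm/shmem.c 2020-05-04 15:34:57.013881725 -0400
+@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const
+ struct shmem_inode_info *info = SHMEM_I(inode);
+ 
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);
+ }
+ 
+@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_
+ .set = shmem_xattr_handler_set,
+ };
+ 
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
+ 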
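Review bot: The `if (size > 8)` bound added to `shmem_xattr_handler_set` is a bare magic number whose meaning — the PaX flag string is at most 8 bytes, per the cover text of this patch — lives only in the patch description, not in the code; a comment on that line, `/* user.pax.flags carries at most 8 flag characters */`, or a named length constant next to `XATTR_NAME_PAX_FLAGS` in xattr.h would keep the limit reviewable after the next rebase. The same branch returns `-EOPNOTSUPP` for every other `user.*` name, so the new `shmem_user_xattr_handler` with `.prefix = XATTR_USER_PREFIX` advertises a whole namespace that accepts exactly one key; a comment on the handler saying the `user.` namespace on tmpfs is deliberately restricted to `user.pax.flags` would spare the next reader from reading the set path to discover that. Only the value's length is validated, not its content, so any 8 bytes are stored under that key; if the hardened side interprets them as flag characters, rejecting anything else here would fail early rather than at consumption time — hedged, since the consumer is not on this page. The enclosing `shmem_xattr_handler_set` starts before the nested hunk and its signature is truncated in the hunk header.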
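--- /dev/null
+++ b/1510_fs-enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,20 @@
+From: Ben Hutchings <ben@××××××××××××.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+--- a/fs/namei.c 2018-09-28 07:56:07.770005006 -0400
++++ b/fs/namei.c 2018-09-28 07:56:43.370349204 -0400
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+ 
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+ 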
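Review bot: The hunk flips only `sysctl_protected_symlinks` and `sysctl_protected_hardlinks` to 1 while `sysctl_protected_fifos` and `sysctl_protected_regular`, visible as context directly below, keep their implicit 0, and nothing in the patch header says whether leaving those two off is a choice or an oversight; a line in the header such as `Only the symlink and hardlink restrictions are enabled here; protected_fifos and protected_regular keep the upstream default.` would settle that for the next rebase. The header still describes the change as a revert of commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415, but the context lines show sysctls that appear to post-date that commit, so the patch is now a re-based edit rather than a literal revert and the wording could say so. These are file-scope definitions; the `put_link` shown in the hunk header closes on the first context line and is unrelated to the change.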
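--- /dev/null
+++ b/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
@@ -0,0 +1,37 @@
+The encryption is only mandatory to be enforced when both sides are using
+Secure Simple Pairing and this means the key size check makes only sense
+in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@××××××××.org>
+Cc: stable@×××××××××××.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3cf0764d5793..7516cdde3373 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+ 
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+ 
+ /* The minimum encryption key size needs to be enforced by the
+--
+2.20.1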
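Review bot: The new early `return 1` when `hci_conn_ssp_enabled(conn)` is false skips not only the minimum-key-size check that follows the hunk but also the `HCI_CONN_ENCRYPT` test on the very next line, so a non-SSP link is now accepted by `hci_conn_check_link_mode` with no encryption requirement at all; the added comment only says key sizes cannot be enforced, and should state the encryption part too, e.g. `* setup is used: neither encryption nor a minimum key size is` / `* enforced and the link is accepted as-is.` That is the documented trade-off for legacy BT 2.0 devices, but it is a deliberate relaxation of link-mode enforcement and deserves to be visible to anyone auditing this function, ideally with a debug trace on that path so a legacy-accepted link can be told apart from an SSP one in logs. `hci_conn_check_link_mode` begins before this hunk and continues after it.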
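--- /dev/null
+++ b/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
@@ -0,0 +1,30 @@
+From dc328d75a6f37f4ff11a81ae16b1ec88c3197640 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@g.o>
+Date: Mon, 23 Mar 2020 08:20:06 -0400
+Subject: [PATCH 1/1] This driver requires REGMAP_I2C to build. Select it by
+ default in Kconfig. Reported at gentoo bugzilla:
+ https://bugs.gentoo.org/710790
+Cc: mpagano@g.o
+
+Reported-by: Phil Stracchino <phils@××××××××××.net>
+
+Signed-off-by: Mike Pagano <mpagano@g.o>
+---
+ drivers/hwmon/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index 47ac20aee06f..530b4f29ba85 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -1769,6 +1769,7 @@ config SENSORS_TMP421
+ config SENSORS_TMP513
+ tristate "Texas Instruments TMP513 and compatibles"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here you get support for Texas Instruments TMP512,
+ and TMP513 temperature and power supply sensor chips.
+--
+2.24.1
+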
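--- /dev/null
+++ b/2920_sign-file-patch-for-libressl.patch
@@ -0,0 +1,16 @@
+--- a/scripts/sign-file.c 2020-05-20 18:47:21.282820662 -0400
++++ b/scripts/sign-file.c 2020-05-20 18:48:37.991081899 -0400
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7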
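Review bot: The rewritten `#if` encodes the LibreSSL cut-off as the bare literal `0x3010000fL` with no comment, so a reader has to decode LibreSSL's version-number layout to learn which release first ships the CMS API that the non-`USE_PKCS7` path relies on; a comment above the condition such as `/* LibreSSL < <RELEASE encoded by 0x3010000fL> has no CMS API; fall back to PKCS#7 */` would make the fallback reviewable. The old form treated every LibreSSL as CMS-less, whereas the new one also lets the final `OPENSSL_VERSION_NUMBER < 0x10000000L` clause run on LibreSSL; that clause is expected to be false there because of LibreSSL's compatibility value, but stating that assumption in the same comment would help whoever next bumps the threshold. The `/* ... */` block that the hunk's first context lines close opens before the hunk.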
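--- /dev/null
+++ b/3000_Support-printing-firmware-info.patch
@@ -0,0 +1,14 @@
+--- a/drivers/base/firmware_loader/main.c 2021-08-24 15:42:07.025482085 -0400
++++ b/drivers/base/firmware_loader/main.c 2021-08-24 15:44:40.782975313 -0400
+@@ -809,6 +809,11 @@ _request_firmware(const struct firmware
+ 
+ ret = _request_firmware_prepare(&fw, name, device, buf, size,
+ offset, opt_flags);
++
++#ifdef CONFIG_GENTOO_PRINT_FIRMWARE_INFO
++ printk(KERN_NOTICE "Loading firmware: %s\n", name);
++#endif
++
+ if (ret <= 0) /* error or already assigned */
+ goto out;
+ 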
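Review bot: The new `printk(KERN_NOTICE "Loading firmware: %s\n", name);` runs before the `if (ret <= 0)` check, so it also announces requests that `_request_firmware_prepare` rejected or that were already satisfied (the existing comment on that check reads "error or already assigned"), and the log then claims a load that never happened; move the block below the check, or word it as a request, `printk(KERN_NOTICE "Requesting firmware: %s\n", name);`. Since `device` is in scope here (it is passed to `_request_firmware_prepare` two lines above), `dev_notice(device, ...)` would also tag each line with the requesting device, which is what you want when correlating firmware loads with a driver during triage — hedged, because `device` may be NULL for some callers and the call would need to tolerate that. `_request_firmware` begins before and ends after this hunk.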
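--- a/4567_distro-Gentoo-Kconfig.patch
+++ b/4567_distro-Gentoo-Kconfig.patch
@@ -65,6 +65,7 @@
 + select NET_NS
 + select PID_NS
 + select SYSVIPC
++ select USER_NS
 + select UTS_NS
 +
 + help
@@ -145,7 +146,6 @@
 + select TIMERFD
 + select TMPFS_POSIX_ACL
 + select TMPFS_XATTR
-+ select USER_NS
 +
 + select ANON_INODES
 + select BLOCK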
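Review bot: `select USER_NS` moves from the second option group (old line 148) into the first (new line 68), but neither the commit message, the README Desc for this file, nor the nested patch itself gives a reason for the change of group, so the next rebase cannot tell whether the placement is deliberate. A one-line rationale in the commit message, or a comment in the Kconfig fragment next to the moved `select USER_NS`, would record which Gentoo config option is meant to pull in user namespaces and why it moved. Both hunks cut into the middle of the fragment, so the `config` entries that own the two select groups are not visible here.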
diff --git a/more-uarches-for-kernel-5.15+.patch b/5010_enable-cpu-optimizations-universal.patch |
327 |
similarity index 100% |
328 |
rename from more-uarches-for-kernel-5.15+.patch |
329 |
rename to 5010_enable-cpu-optimizations-universal.patch |