1 |
commit: ee98a9e773c46b04534c0ceabce56cfd11866b53 |
2 |
Author: Tomáš Mózes <hydrapolic <AT> gmail <DOT> com> |
3 |
AuthorDate: Wed Jun 9 07:18:09 2021 +0000 |
4 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Jun 11 12:49:01 2021 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee98a9e7 |
7 |
|
8 |
app-emulation/xen: add upstream security patches |
9 |
|
10 |
Fixes XSA-372, XSA-373, XSA-374, XSA-375, XSA-377 |
11 |
|
12 |
Bug: https://bugs.gentoo.org/795054 |
13 |
Signed-off-by: Tomáš Mózes <hydrapolic <AT> gmail.com> |
14 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
15 |
|
16 |
app-emulation/xen/Manifest | 1 + |
17 |
app-emulation/xen/xen-4.15.0-r1.ebuild | 169 +++++++++++++++++++++++++++++++++ |
18 |
2 files changed, 170 insertions(+) |
19 |
|
20 |
diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest |
21 |
index c0dcccef50c..9576a401e2b 100644 |
22 |
--- a/app-emulation/xen/Manifest |
23 |
+++ b/app-emulation/xen/Manifest |
24 |
@@ -2,4 +2,5 @@ DIST xen-4.13.3.tar.gz 39044539 BLAKE2B 5d0e57c76e12e1b86b78bbf561e947d70b9569a2 |
25 |
DIST xen-4.14.2-upstream-patches-0.tar.xz 23304 BLAKE2B 954e0a49e5c3ec122aefe52afe328f440b8a4c8db966e0fa91e0b6d6cb3c0462b75fb99b3e7392811bd2e680cd7945e8a4d68317245fd42fdf0ad6cab33fbc68 SHA512 64d243f0c8acfec87812e4d78e3d8b24a86315824853f4f3b17122b7119425d180650695bc12e1a30f5b30c6ef684be7c08b2bc677ca2f0668d0335d92e2bf78 |
26 |
DIST xen-4.14.2.tar.gz 39973157 BLAKE2B db5d3570f79e0fd97872f5e5dd57a4eb39e005728387bfef3b51fabe1c693cfd8108d09b1026f5a5a7eb79de71be6f4af36d252f7e0b35a65a1567b7949e3e29 SHA512 83c9333b70dbee3e29c6bf08e5ad030676e6c4a32b976f3f5e6a8f8d0dd9e4898bac88dd8e1c9d2ad3509cebb5d212e1745f9392a469d7afeb841d79801ccf39 |
27 |
DIST xen-4.15.0-upstream-patches-0.tar.xz 15744 BLAKE2B e2abb68524a7c190db8d91beb79731aea5290e82f54fb21218739dab666f6f5ea85c203575ec248b46830f1862408d50d3ceea1104fcd9325babfccf3574c515 SHA512 f1a2800d15a61f08eda4d6bafaead95a9d72cc9e4d90a19278d89c696b7e2d5d6353b28dba7ed0eb0c9aeb8604d3697db6a8f4ac38047e2510279d88181752f9 |
28 |
+DIST xen-4.15.0-upstream-patches-1.tar.xz 35180 BLAKE2B eb3b2a44b717a04daa4a2f158040cce78b42cba5a72c437d7b2f8f1237b808f6f13c2140d82e95056818db6c0eb706ebd7dead822a6a4e689e5d5e7c83523fdb SHA512 a7cfe2dbc82b15c48fa781a77b3ca1622fc2feac3874bf17cf56e82be46e9817913f94992e0e1a1cd2be2e719d4abb9a15744c8a1017e30c0d5c01d7db64dbb5 |
29 |
DIST xen-4.15.0.tar.gz 40785399 BLAKE2B 8b0530f5516c39656506f4bb705952da0555a8ab7f47323473b171caeb7692f3107e9d94f13171d40576600064589eed35f4d210af02db4cc4706dd4fc202100 SHA512 93683b8a97387ca5f003c635a11d163e61c87dbdc9a03081f9155fe87b49f1dfa74ce243fcd5e04dc009353a36e2375b786f1ebde828b5951a094cd64197b4c7 |
30 |
|
31 |
diff --git a/app-emulation/xen/xen-4.15.0-r1.ebuild b/app-emulation/xen/xen-4.15.0-r1.ebuild |
32 |
new file mode 100644 |
33 |
index 00000000000..7b6e9f60c2a |
34 |
--- /dev/null |
35 |
+++ b/app-emulation/xen/xen-4.15.0-r1.ebuild |
36 |
@@ -0,0 +1,169 @@ |
37 |
+# Copyright 1999-2021 Gentoo Authors |
38 |
+# Distributed under the terms of the GNU General Public License v2 |
39 |
+ |
40 |
+EAPI=7 |
41 |
+ |
42 |
+PYTHON_COMPAT=( python3_{7..9} ) |
43 |
+ |
44 |
+inherit flag-o-matic mount-boot multilib python-any-r1 toolchain-funcs |
45 |
+ |
46 |
+MY_PV=${PV/_/-} |
47 |
+MY_P=${PN}-${MY_PV} |
48 |
+ |
49 |
+if [[ ${PV} == *9999 ]]; then |
50 |
+ inherit git-r3 |
51 |
+ EGIT_REPO_URI="git://xenbits.xen.org/xen.git" |
52 |
+ SRC_URI="" |
53 |
+else |
54 |
+ KEYWORDS="~amd64 ~arm -x86" |
55 |
+ UPSTREAM_VER=1 |
56 |
+ SECURITY_VER= |
57 |
+ GENTOO_VER= |
58 |
+ |
59 |
+ [[ -n ${UPSTREAM_VER} ]] && \ |
60 |
+ UPSTREAM_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz |
61 |
+ https://github.com/hydrapolic/gentoo-dist/raw/master/xen/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz" |
62 |
+ [[ -n ${SECURITY_VER} ]] && \ |
63 |
+ SECURITY_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-security-patches-${SECURITY_VER}.tar.xz" |
64 |
+ [[ -n ${GENTOO_VER} ]] && \ |
65 |
+ GENTOO_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-gentoo-patches-${GENTOO_VER}.tar.xz" |
66 |
+ SRC_URI="https://downloads.xenproject.org/release/xen/${MY_PV}/${MY_P}.tar.gz |
67 |
+ ${UPSTREAM_PATCHSET_URI} |
68 |
+ ${SECURITY_PATCHSET_URI} |
69 |
+ ${GENTOO_PATCHSET_URI}" |
70 |
+fi |
71 |
+ |
72 |
+DESCRIPTION="The Xen virtual machine monitor" |
73 |
+HOMEPAGE="https://www.xenproject.org" |
74 |
+LICENSE="GPL-2" |
75 |
+SLOT="0" |
76 |
+IUSE="debug efi flask" |
77 |
+ |
78 |
+DEPEND="${PYTHON_DEPS} |
79 |
+ efi? ( >=sys-devel/binutils-2.22[multitarget] ) |
80 |
+ !efi? ( >=sys-devel/binutils-2.22 )" |
81 |
+RDEPEND="" |
82 |
+PDEPEND="~app-emulation/xen-tools-${PV}" |
83 |
+ |
84 |
+# no tests are available for the hypervisor |
85 |
+# prevent the silliness of /usr/lib/debug/usr/lib/debug files |
86 |
+# prevent stripping of the debug info from the /usr/lib/debug/xen-syms |
87 |
+RESTRICT="test splitdebug strip" |
88 |
+ |
89 |
+# Approved by QA team in bug #144032 |
90 |
+QA_WX_LOAD="boot/xen-syms-${PV}" |
91 |
+ |
92 |
+REQUIRED_USE="arm? ( debug )" |
93 |
+ |
94 |
+S="${WORKDIR}/${MY_P}" |
95 |
+ |
96 |
+pkg_setup() { |
97 |
+ python-any-r1_pkg_setup |
98 |
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then |
99 |
+ if use amd64; then |
100 |
+ export XEN_TARGET_ARCH="x86_64" |
101 |
+ elif use arm; then |
102 |
+ export XEN_TARGET_ARCH="arm32" |
103 |
+ elif use arm64; then |
104 |
+ export XEN_TARGET_ARCH="arm64" |
105 |
+ else |
106 |
+ die "Unsupported architecture!" |
107 |
+ fi |
108 |
+ fi |
109 |
+ |
110 |
+ if use flask ; then |
111 |
+ export "XSM_ENABLE=y" |
112 |
+ export "FLASK_ENABLE=y" |
113 |
+ fi |
114 |
+} |
115 |
+ |
116 |
+src_prepare() { |
117 |
+ # Upstream's patchset |
118 |
+ [[ -n ${UPSTREAM_VER} ]] && eapply "${WORKDIR}"/patches-upstream |
119 |
+ |
120 |
+ # Security patchset |
121 |
+ if [[ -n ${SECURITY_VER} ]]; then |
122 |
+ einfo "Try to apply Xen Security patch set" |
123 |
+ # apply main xen patches |
124 |
+ # Two parallel systems, both work side by side |
125 |
+ # Over time they may concdense into one. This will suffice for now |
126 |
+ source "${WORKDIR}"/patches-security/${PV}.conf |
127 |
+ |
128 |
+ local i |
129 |
+ for i in ${XEN_SECURITY_MAIN}; do |
130 |
+ eapply "${WORKDIR}"/patches-security/xen/$i |
131 |
+ done |
132 |
+ fi |
133 |
+ |
134 |
+ # Gentoo's patchset |
135 |
+ [[ -n ${GENTOO_VER} ]] && eapply "${WORKDIR}"/patches-gentoo |
136 |
+ |
137 |
+ # Symlinks do not work on fat32 volumes |
138 |
+ eapply "${FILESDIR}"/${PN}-4.15-efi.patch |
139 |
+ |
140 |
+ # Workaround new gcc-11 options |
141 |
+ sed -e '/^CFLAGS/s/-Werror//g' -i xen/Makefile || die |
142 |
+ |
143 |
+ # Drop .config |
144 |
+ sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't drop" |
145 |
+ |
146 |
+ if use efi; then |
147 |
+ export EFI_VENDOR="gentoo" |
148 |
+ export EFI_MOUNTPOINT="/boot" |
149 |
+ fi |
150 |
+ |
151 |
+ default |
152 |
+} |
153 |
+ |
154 |
+src_configure() { |
155 |
+ use arm && myopt="${myopt} CONFIG_EARLY_PRINTK=sun7i" |
156 |
+ |
157 |
+ use debug && myopt="${myopt} debug=y" |
158 |
+ |
159 |
+ # remove flags |
160 |
+ unset CFLAGS |
161 |
+ unset LDFLAGS |
162 |
+ unset ASFLAGS |
163 |
+ |
164 |
+ tc-ld-disable-gold # Bug 700374 |
165 |
+} |
166 |
+ |
167 |
+src_compile() { |
168 |
+ # Send raw LDFLAGS so that --as-needed works |
169 |
+ emake V=1 CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt} |
170 |
+} |
171 |
+ |
172 |
+src_install() { |
173 |
+ local myopt |
174 |
+ use debug && myopt="${myopt} debug=y" |
175 |
+ |
176 |
+ # The 'make install' doesn't 'mkdir -p' the subdirs |
177 |
+ if use efi; then |
178 |
+ mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die |
179 |
+ fi |
180 |
+ |
181 |
+ emake LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" DESTDIR="${D}" -C xen ${myopt} install |
182 |
+ |
183 |
+ # make install likes to throw in some extra EFI bits if it built |
184 |
+ use efi || rm -rf "${D}/usr/$(get_libdir)/efi" |
185 |
+} |
186 |
+ |
187 |
+pkg_postinst() { |
188 |
+ elog "Official Xen Guide:" |
189 |
+ elog " https://wiki.gentoo.org/wiki/Xen" |
190 |
+ |
191 |
+ use efi && einfo "The efi executable is installed in /boot/efi/gentoo" |
192 |
+ |
193 |
+ elog "You can optionally block the installation of /boot/xen-syms by an entry" |
194 |
+ elog "in folder /etc/portage/env using the portage's feature INSTALL_MASK" |
195 |
+ elog "e.g. echo ${msg} > /etc/portage/env/xen.conf" |
196 |
+ |
197 |
+ ewarn |
198 |
+ ewarn "Xen 4.12+ changed the default scheduler to credit2 which can cause" |
199 |
+ ewarn "domU lockups on multi-cpu systems. The legacy credit scheduler seems" |
200 |
+ ewarn "to work fine." |
201 |
+ ewarn |
202 |
+ ewarn "Add sched=credit to xen command line options to use the legacy scheduler." |
203 |
+ ewarn |
204 |
+ ewarn "https://wiki.gentoo.org/wiki/Xen#Xen_domU_hanging_with_Xen_4.12.2B" |
205 |
+} |