From: Mark H Weaver
Subject: Selected Debian patches for linux-libre@4.9
Date: Wed, 09 Aug 2017 15:57:21 -0400
Message-ID: <874ltgecpq.fsf@netris.org>
To: guix-devel@gnu.org

Hello Guix,

I'm not necessarily proposing that we apply this patch to 'master', but since I mentioned in another thread that I'm using this patch on my own GuixSD system, I thought I would make it available to you all.

      Mark

Content-Disposition: inline; filename=0001-DRAFT-gnu-linux-libre-4.9-Add-selected-patches-from-.patch
Content-Description: [PATCH] DRAFT: gnu: linux-libre@4.9: Add selected patches from Debian

From 7ddcef480cc3f2cfa8428af9a98bab144ceae925 Mon Sep 17 00:00:00 2001
From: Mark H Weaver Date: Fri, 21 Jul 2017 06:13:02 -0400 Subject: [PATCH] DRAFT: gnu: linux-libre@4.9: Add selected patches from Debian. * gnu/packages/linux.scm (debian-patches-for-linux-libre-4.9): New variable. (linux-libre@4.9): Add debian-patches-for-linux-libre-4.9 to #:patches. --- gnu/packages/aux-files/linux-libre/4.9-i686.conf | 11 +- gnu/packages/aux-files/linux-libre/4.9-x86_64.conf | 14 ++- gnu/packages/linux.scm | 116 ++++++++++++++++++++- 3 files changed, 132 insertions(+), 9 deletions(-) diff --git a/gnu/packages/aux-files/linux-libre/4.9-i686.conf b/gnu/packages/aux-files/linux-libre/4.9-i686.conf index 4f3a9f927..529cfcef2 100644 --- a/gnu/packages/aux-files/linux-libre/4.9-i686.conf +++ b/gnu/packages/aux-files/linux-libre/4.9-i686.conf @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.0-gnu Kernel Configuration +# Linux/x86 4.9.38-gnu Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -593,6 +593,7 @@ CONFIG_X86_SMAP=y CONFIG_X86_INTEL_MPX=y CONFIG_EFI=y CONFIG_EFI_STUB=y +CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y CONFIG_SECCOMP=y # CONFIG_HZ_100 is not set CONFIG_HZ_250=y @@ -5775,6 +5776,7 @@ CONFIG_LOGO=y # CONFIG_LOGO_LINUX_MONO is not set # CONFIG_LOGO_LINUX_VGA16 is not set # CONFIG_LOGO_LINUX_CLUT224 is not set +CONFIG_LOGO_LIBRE_CLUT224=y CONFIG_SOUND=m CONFIG_SOUND_OSS_CORE=y # CONFIG_SOUND_OSS_CORE_PRECLAIM is not set @@ -6038,6 +6040,7 @@ CONFIG_SND_SOC_INTEL_HASWELL=m CONFIG_SND_SOC_INTEL_HASWELL_MACH=m CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m +CONFIG_SND_SOC_INTEL_BDW_RT5677_MACH=m CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH=m CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m 
@@ -6112,7 +6115,8 @@ CONFIG_SND_SOC_RT5645=m CONFIG_SND_SOC_RT5651=m CONFIG_SND_SOC_RT5663=m CONFIG_SND_SOC_RT5670=m -# CONFIG_SND_SOC_RT5677_SPI is not set +CONFIG_SND_SOC_RT5677=m +CONFIG_SND_SOC_RT5677_SPI=m CONFIG_SND_SOC_SGTL5000=m CONFIG_SND_SOC_SI476X=m CONFIG_SND_SOC_SIGMADSP=m @@ -8493,7 +8497,6 @@ CONFIG_SCHED_INFO=y CONFIG_SCHEDSTATS=y CONFIG_SCHED_STACK_END_CHECK=y # CONFIG_DEBUG_TIMEKEEPING is not set -CONFIG_TIMER_STATS=y # # Lock Debugging (spinlocks, mutexes, etc...) @@ -8675,11 +8678,13 @@ CONFIG_TRUSTED_KEYS=y CONFIG_ENCRYPTED_KEYS=y CONFIG_KEY_DH_OPERATIONS=y # CONFIG_SECURITY_DMESG_RESTRICT is not set +CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y +CONFIG_SECURITY_SECURELEVEL=y CONFIG_INTEL_TXT=y CONFIG_LSM_MMAP_MIN_ADDR=0 CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y diff --git a/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf b/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf index ca0fcded6..a2ac30e4a 100644 --- a/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf +++ b/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.0-gnu Kernel Configuration +# Linux/x86 4.9.38-gnu Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -596,6 +596,7 @@ CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_EFI=y CONFIG_EFI_STUB=y CONFIG_EFI_MIXED=y +CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y CONFIG_SECCOMP=y # CONFIG_HZ_100 is not set CONFIG_HZ_250=y @@ -868,6 +869,7 @@ CONFIG_COREDUMP=y CONFIG_IA32_EMULATION=y # CONFIG_IA32_AOUT is not set CONFIG_X86_X32=y +CONFIG_X86_X32_DISABLED=y CONFIG_COMPAT=y CONFIG_COMPAT_FOR_U64_ALIGNMENT=y CONFIG_SYSVIPC_COMPAT=y 
@@ -4473,8 +4475,6 @@ CONFIG_USBPCWATCHDOG=m # Watchdog Pretimeout Governors # # CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set -# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP is not set -# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC is not set CONFIG_SSB_POSSIBLE=y # @@ -5642,6 +5642,7 @@ CONFIG_LOGO=y # CONFIG_LOGO_LINUX_MONO is not set # CONFIG_LOGO_LINUX_VGA16 is not set # CONFIG_LOGO_LINUX_CLUT224 is not set +CONFIG_LOGO_LIBRE_CLUT224=y CONFIG_SOUND=m CONFIG_SOUND_OSS_CORE=y # CONFIG_SOUND_OSS_CORE_PRECLAIM is not set @@ -5848,6 +5849,7 @@ CONFIG_SND_SOC_INTEL_HASWELL=m CONFIG_SND_SOC_INTEL_HASWELL_MACH=m CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m +CONFIG_SND_SOC_INTEL_BDW_RT5677_MACH=m CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH=m CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m @@ -5922,7 +5924,8 @@ CONFIG_SND_SOC_RT5645=m CONFIG_SND_SOC_RT5651=m CONFIG_SND_SOC_RT5663=m CONFIG_SND_SOC_RT5670=m -# CONFIG_SND_SOC_RT5677_SPI is not set +CONFIG_SND_SOC_RT5677=m +CONFIG_SND_SOC_RT5677_SPI=m CONFIG_SND_SOC_SGTL5000=m CONFIG_SND_SOC_SI476X=m CONFIG_SND_SOC_SIGMADSP=m @@ -8317,7 +8320,6 @@ CONFIG_SCHED_INFO=y CONFIG_SCHEDSTATS=y CONFIG_SCHED_STACK_END_CHECK=y # CONFIG_DEBUG_TIMEKEEPING is not set -CONFIG_TIMER_STATS=y # # Lock Debugging (spinlocks, mutexes, etc...) @@ -8501,11 +8503,13 @@ CONFIG_TRUSTED_KEYS=y CONFIG_ENCRYPTED_KEYS=y CONFIG_KEY_DH_OPERATIONS=y # CONFIG_SECURITY_DMESG_RESTRICT is not set +CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y +CONFIG_SECURITY_SECURELEVEL=y CONFIG_INTEL_TXT=y CONFIG_LSM_MMAP_MIN_ADDR=0 CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 0cb925e31..add56628e 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -375,11 +375,125 @@ It has been modified to remove all non-free binary blobs.") %intel-compatible-systems #:configuration-file kernel-config)) +(define debian-patches-for-linux-libre-4.9 + (let () + (define (debian-patch file-name hash) + (origin + (method url-fetch) + (uri (string-append "https://anonscm.debian.org/cgit/kernel/linux.git/" + "plain/debian/patches/" + file-name + "?h=debian/4.9.30-2%2bdeb9u2")) + (sha256 (base32 hash)) + (file-name (basename file-name)))) + (list + ;; Change some defaults for security reasons + (debian-patch "debian/af_802154-Disable-auto-loading-as-mitigation-against.patch" + "1vxi81m5rvvnkgr7nnqs45vb7i8p2cm9vyh0cwg1zvqn3ijxi9ld") + (debian-patch "debian/rds-Disable-auto-loading-as-mitigation-against-local.patch" + "0qn4dri48wn9mrwxra3n23yn3ihjzc4h87igb8r80ahbla0fnwfi") + (debian-patch "debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch" + "10n43hi5j1h1yk2khlhrdbkfbvy1cj70z6mj9xsji5z3klb35lbq") + (debian-patch "debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch" + "18xmy9dkip3sfy9iwhmcaa4k1gy72s1aq94xw4l68ki5w191h6kw") + (debian-patch "debian/fs-enable-link-security-restrictions-by-default.patch" + "12p3h33k25bl6ny8xm3gchfijb7d9463xwyn9y9lyap6kv4grzqj") + + ;; Set various features runtime-disabled by default + (debian-patch "debian/sched-autogroup-disabled.patch" + "0yn8zva4kp4lnzdsrwywcpsw60bdlh053ap65lcr81l38jmfyihx") + (debian-patch "debian/yama-disable-by-default.patch" + "0xqd14yckirjagd3z91gcv11g9zb1p9x4lvgxsa1zgcpdyv5j70z") + (debian-patch "debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch" + "1kjl4vp8v4xs9r94g048j9w3s59g0g86mdrj54dnaazp5wi7cxy5") + (debian-patch "features/all/security-perf-allow-further-restriction-of-perf_event_open.patch" + "0wz2jm6rnchzy4qbm7bi5qdp1vk3y377lj5b4dkix0bif0rqdzdf") + + ;; Disable autoloading/probing of various drivers by default + (debian-patch "debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch" + 
"1zp39dzd7hh0vxpihvr326ndg2vaicrdllwj3ba45vznfg06a74h") + (debian-patch "debian/snd-pcsp-disable-autoload.patch" + "136b978v92v82z3dcyrjwib4v830gc8nmi19763phfnw3gvglbpr") + (debian-patch "debian/fjes-disable-autoload.patch" + "14cxxgjis07587g1q01gsp66rzrlnldpxg1078z2hkx51hgyzggm") + + ;; Taint if dangerous features are used + (debian-patch "debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch" + "1l8399ma3nlgd5sj8nhyqlcyfqhw2q2kdys59rs78jbawyh66q25") + (debian-patch "debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch" + "0xa108vzyrh3ij64aagj17ji4gp1mrjnmdby269vn2q2f5rcficc") + + ;; Arch features + (debian-patch "features/x86/x86-memtest-WARN-if-bad-RAM-found.patch" + "0xwl7bjrdzh96pmhjc1g1kk8693fbccgn19pdb4rdpng8nv9gzsn") + (debian-patch "features/x86/x86-make-x32-syscall-support-conditional.patch" + "1j23x5xvagwf6r591z9p9ac80mjpvhhzh6jnxjjcjcqiqxwf9m3p") + + ;; Securelevel patchset from mjg59 + (debian-patch "features/all/securelevel/add-bsd-style-securelevel-support.patch" + "15s7m7rakq9v8b6wizc3zngcalfmx68h9vi35g8bnpyjqjdk2xq3") + (debian-patch "features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch" + "1v2ad3hjly5k9kg3l53nk6ssxc3danz6ynh9l22wlwhxlw1fq4gf") + (debian-patch "features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch" + "1rqawcv1bykcxklab9iz942xrvpyhxf673xzqzv7lkzdza8j4nzw") + (debian-patch "features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch" + "1padscg703iww4znhqqazh5lxrlr55a1i05kyg906hkhv4vm5yfb") + (debian-patch "features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch" + "10il8z5cxcdrryihskfm1qwdy1i71bnf2smzy4xq3hcyy7bv484x") + (debian-patch "features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch" + "0pdaghyisvwym5b5i0vvcfm0ihwki5207ca27qly7dy76pzajb2i") + (debian-patch "features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch" + 
"0dks5bihlag0yylg7qkv8vmhyspjqlh6i6jnkf54b0gx14fs54h9") + (debian-patch "features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch" + "18406qv89pf1riishqsv7yhgg2wbm4mq4x1hgan87m6jk6wh4hkd") + (debian-patch "features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch" + "1hy8l18ppn0zi652656nr5mcz46mq7xi89b5zmc852cm0lvqxazq") + (debian-patch "features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch" + "1s6nvwglb0hyrp64kwk1rxpzc6gfd5926mvmk3b8rq04g7a615pk") + (debian-patch "features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch" + "0fm8hn62d2ik3739x9mi56xrywpmqpyzwp3jfpfp8ha0izaqrm6y") + (debian-patch "features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch" + "040862b35nfw5qb4xnz53wrm9kvwim8wijh033ysr490xn6grlvp") + (debian-patch "features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch" + "1rc7m5aj92ny3adzm2852x2x4bpd61zamp0sc1na5mhcd96qs724") + (debian-patch "features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch" + "0fw42j1g505qmx910cwqynpvs43rb2vkwwx4n8d2vy27272f534b") + (debian-patch "features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch" + "16p53qsmywcl7p97gx40lc0i8ki9b5m22az2p9g4yzhg75z37w9c") + (debian-patch "features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch" + "1yj9k8lxpm2xjhi3hrgl30777ldcjlfabl8ihaiyq54mzncxc3jl") + (debian-patch "features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch" + "0cssqxx8brn0pq8i9brjv014f9j98msq37p7y64aahchhfvkc6xv") + (debian-patch "features/all/securelevel/enable-cold-boot-attack-mitigation.patch" + "005ghbfxznybhzcslwf3pl2mxmklm659xfq4i3afaybnf6gs7xjs") + (debian-patch "features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch" + "1jy9f2lbw6lzq4241fc22dham4pry95j5kk2m3yg7kjw6ciz4bik") + ;; same for arm64 + (debian-patch 
"features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch" + "0vnc0yy4ksqfv22xziy8alycv0173n0y3ldgqbpccmgcxqwlgrsw") + (debian-patch "features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch" + "15a2y4zy9jifv3d4pwkhzdyz2ki5iqjkx2z0hp6bg02d5m6khps2") + + ;; Security fixes + (debian-patch "debian/i386-686-pae-pci-set-pci-nobios-by-default.patch" + "0d4gxrqj41vmgf2i5jx79za8rbvr3w5xkwjizz60dbfgjaq58zhr") + (debian-patch "debian/time-mark-timer_stats-as-broken.patch" + "0m0na1ihxj71h96c128g8pnks85125jlx5pbr6w5585ak4zbnp3y") + (debian-patch "bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch" + "0qf8a3ggvvdhph9gvbfbh1645d60xclxwlnhhxpgakih6c60h6dn") + (debian-patch "bugfix/all/sunrpc-refactor-svc_set_num_threads.patch" + "1fgcpf1cqi4j4br29snlzl48cz62dyg0fyrxihn2v3zapfpf9yhv") + (debian-patch "bugfix/all/nfsv4-fix-callback-server-shutdown.patch" + "00cwa4kkjjffh813n9j2m3541fg08hrvcnr5d2bz68bc2rijvpn3")))) + (define-public linux-libre-4.9 (make-linux-libre "4.9.41" "1mkx7rvcny8b0yjkzd8zc53d15h1w8y75m0x6jx0dz3r9y3k0nql" %intel-compatible-systems - #:configuration-file kernel-config)) + #:configuration-file kernel-config + #:patches + (cons %boot-logo-patch + debian-patches-for-linux-libre-4.9))) (define-public linux-libre-4.4 (make-linux-libre "4.4.80" -- 2.14.0 --=-=-=--
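Review bot: the '@@ -1,6 +1,6 @@' hunks in both 4.9-i686.conf and 4.9-x86_64.conf set the generated-file header to '4.9.38-gnu', while the linux.scm hunk builds linux-libre-4.9 from 4.9.41, and the ChangeLog entry in the commit message lists only gnu/packages/linux.scm. Either regenerate both configs against 4.9.41 (so the header and any options that appeared between .38 and .41 match the source actually built) or state in the commit message which kernel they were regenerated from, and add both gnu/packages/aux-files/linux-libre/4.9-*.conf to the ChangeLog entry.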
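Review bot: the '+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y' lines (i686 '@@ -593,6 +593,7 @@', x86_64 '@@ -596,6 +596,7 @@') make the kernel raise securelevel on its own when booted under UEFI Secure Boot, and the securelevel patch list in linux.scm includes 'enforce-module-signatures-when-securelevel-is-greate.patch', so on such a boot unsigned modules would be refused. Nothing in this diff shows module signing being set up for the Guix build, so a user booting this kernel through shim could end up with no loadable modules at all; either document that Secure Boot boots need a signed-module setup, or leave this option off until the build signs its modules. The /dev/mem, MSR, I/O port, kexec and hibernate restrictions in the same patch set are all gated on the same state, which this configuration now enters automatically, so the behavioural change under Secure Boot deserves a sentence in the commit message.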
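Review bot: '+CONFIG_X86_X32_DISABLED=y' in the x86_64 '@@ -868,6 +869,7 @@' hunk keeps CONFIG_X86_X32=y but, with 'features/x86/x86-make-x32-syscall-support-conditional.patch' applied, turns the x32 syscall ABI off by default; that is a user-visible change for anyone running x32 binaries and should be stated in the commit message together with whatever switch that patch provides to turn it back on.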
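Review bot: '+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y' and '+CONFIG_SECURITY_SECURELEVEL=y' (i686 '@@ -8675,11 +8678,13 @@', x86_64 '@@ -8501,11 +8503,13 @@'), like CONFIG_EFI_SECURE_BOOT_SECURELEVEL, CONFIG_X86_X32_DISABLED and CONFIG_LOGO_LIBRE_CLUT224 elsewhere in these files, are Kconfig symbols that only exist once the corresponding patches are applied; Kconfig silently drops symbols it does not know, so if the list in linux.scm is later trimmed these lines disappear from the effective configuration without any error. A comment next to each group in debian-patches-for-linux-libre-4.9 naming the config options that group introduces would make the coupling visible. PERF_EVENTS_RESTRICT also changes what unprivileged users can do with perf_event_open by default, which is worth a line in the commit message.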
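Review bot: 'debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch' in the new debian-patches-for-linux-libre-4.9 list turns off unprivileged user namespaces by default, and Guix's own 'guix environment --container' (and any other unprivileged container use) relies on exactly that; on a GuixSD system built with this kernel those commands will fail for non-root users unless the sysctl the patch adds is flipped, so this entry needs either a matching sysctl default in the system configuration or to be left out of the list, and in any case belongs in the commit message. Two further points on this hunk: the patches are fetched at tag 'debian/4.9.30-2%2bdeb9u2' but applied to 4.9.41, so the 'bugfix/all/*' entries under ';; Security fixes' (tracing strlcpy, sunrpc svc_set_num_threads, nfsv4 callback server shutdown) may already be in the 4.9.31 to 4.9.41 stable releases and would then fail to apply; please confirm each against 4.9.41 before this leaves DRAFT. And '#:patches (cons %boot-logo-patch debian-patches-for-linux-libre-4.9)' replaces make-linux-libre's default patch list, which is why %boot-logo-patch has to be re-added by hand here (matching the new '+CONFIG_LOGO_LIBRE_CLUT224=y' lines); a short comment at that spot would stop the next person from dropping it. The two arm64 securelevel patches are also fetched for a package limited to %intel-compatible-systems; harmless, but they could be omitted.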