commit: 08fdcee6ee1676be74fc36cd4659afa7c2589a13 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Sun Oct 3 20:28:20 2021 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Sun Oct 3 20:28:20 2021 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=08fdcee6
Name CPU Opt patch properly and add other patches Patch to enable link security restrictions by default. Support for namespace user.pax.* on tmpfs Enable link security restrictions by default. Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino sign-file: full functionality with modern LibreSSL Add Gentoo Linux support config settings and defaults. Kernel Self Protection patch CPU Optimization patch Patch to print firmware info Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 32 +++++++++++ 1500_XATTR_USER_PREFIX.patch | 67 ++++++++++++++++++++++ ...ble-link-security-restrictions-by-default.patch | 20 +++++++ ...zes-only-if-Secure-Simple-Pairing-enabled.patch | 37 ++++++++++++ ...3-Fix-build-issue-by-selecting-CONFIG_REG.patch | 30 ++++++++++ 2920_sign-file-patch-for-libressl.patch | 16 ++++++ 3000_Support-printing-firmware-info.patch | 14 +++++ 4567_distro-Gentoo-Kconfig.patch | 2 +- ...> 5010_enable-cpu-optimizations-universal.patch | 0 9 files changed, 217 insertions(+), 1 deletion(-) diff --git a/0000_README b/0000_README index 9018993..0995b74 100644 --- a/0000_README +++ b/0000_README @@ -43,6 +43,38 @@ EXPERIMENTAL Individual Patch Descriptions: -------------------------------------------------------------------------- +Patch: 1500_XATTR_USER_PREFIX.patch +From: https://bugs.gentoo.org/show_bug.cgi?id=470644 +Desc: Support for namespace user.pax.* on tmpfs. + +Patch: 1510_fs-enable-link-security-restrictions-by-default.patch +From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/ +Desc: Enable link security restrictions by default. + +Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch +From: https://lore.kernel.org/linux-bluetooth/[email protected]/raw +Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 + +Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch +From: https://bugs.gentoo.org/710790 +Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino + +Patch: 2920_sign-file-patch-for-libressl.patch +From: https://bugs.gentoo.org/717166 +Desc: sign-file: full functionality with modern LibreSSL + +Patch: 3000_Support-printing-firmware-info.patch +From: https://bugs.gentoo.org/732852 +Desc: Print firmware info (Reqs CONFIG_GENTOO_PRINT_FIRMWARE_INFO). Thanks to Georgy Yakovlev + Patch: 4567_distro-Gentoo-Kconfig.patch From: Tom Wijsman <[email protected]> Desc: Add Gentoo Linux support config settings and defaults. + +Patch: 5010_enable-cpu-optimizations-universal.patch +From: https://github.com/graysky2/kernel_compiler_patch +Desc: Kernel >= 5.8 patch enables gcc = v9+ optimizations for additional CPUs. + +Patch: 5021_BMQ-and-PDS-gentoo-defaults.patch +From: https://gitweb.gentoo.org/proj/linux-patches.git/ +Desc: Set defaults for BMQ. Add archs as people test, default to N diff --git a/1500_XATTR_USER_PREFIX.patch b/1500_XATTR_USER_PREFIX.patch new file mode 100644 index 0000000..245dcc2 --- /dev/null +++ b/1500_XATTR_USER_PREFIX.patch @@ -0,0 +1,67 @@ +From: Anthony G. Basile <[email protected]> + +This patch adds support for a restricted user-controlled namespace on +tmpfs filesystem used to house PaX flags. The namespace must be of the +form user.pax.* and its value cannot exceed a size of 8 bytes. + +This is needed even on all Gentoo systems so that XATTR_PAX flags +are preserved for users who might build packages using portage on +a tmpfs system with a non-hardened kernel and then switch to a +hardened kernel with XATTR_PAX enabled. + +The namespace is added to any user with Extended Attribute support +enabled for tmpfs. Users who do not enable xattrs will not have +the XATTR_PAX flags preserved. + +diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h +index 1590c49..5eab462 100644 +--- a/include/uapi/linux/xattr.h ++++ b/include/uapi/linux/xattr.h +@@ -73,5 +73,9 @@ + #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default" + #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT + ++/* User namespace */ ++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax." ++#define XATTR_PAX_FLAGS_SUFFIX "flags" ++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX + + #endif /* _UAPI_LINUX_XATTR_H */ +--- a/mm/shmem.c 2020-05-04 15:30:27.042035334 -0400 ++++ b/mm/shmem.c 2020-05-04 15:34:57.013881725 -0400 +@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const + struct shmem_inode_info *info = SHMEM_I(inode); + + name = xattr_full_name(handler, name); ++ ++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { ++ if (strcmp(name, XATTR_NAME_PAX_FLAGS)) ++ return -EOPNOTSUPP; ++ if (size > 8) ++ return -EINVAL; ++ } ++ + return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL); + } + +@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_ + .set = shmem_xattr_handler_set, + }; + ++static const struct xattr_handler shmem_user_xattr_handler = { ++ .prefix = XATTR_USER_PREFIX, ++ .get = shmem_xattr_handler_get, ++ .set = shmem_xattr_handler_set, ++}; ++ + static const struct xattr_handler *shmem_xattr_handlers[] = { + #ifdef CONFIG_TMPFS_POSIX_ACL + &posix_acl_access_xattr_handler, +@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem + #endif + &shmem_security_xattr_handler, + &shmem_trusted_xattr_handler, ++ &shmem_user_xattr_handler, + NULL + }; + diff --git a/1510_fs-enable-link-security-restrictions-by-default.patch b/1510_fs-enable-link-security-restrictions-by-default.patch new file mode 100644 index 0000000..f0ed144 --- /dev/null +++ b/1510_fs-enable-link-security-restrictions-by-default.patch @@ -0,0 +1,20 @@ +From: Ben Hutchings <[email protected]> +Subject: fs: Enable link security restrictions by default +Date: Fri, 02 Nov 2012 05:32:06 +0000 +Bug-Debian: https://bugs.debian.org/609455 +Forwarded: not-needed +This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415 +('VFS: don't do protected {sym,hard}links by default'). +--- a/fs/namei.c 2018-09-28 07:56:07.770005006 -0400 ++++ b/fs/namei.c 2018-09-28 07:56:43.370349204 -0400 +@@ -885,8 +885,8 @@ static inline void put_link(struct namei + path_put(&last->link); + } + +-int sysctl_protected_symlinks __read_mostly = 0; +-int sysctl_protected_hardlinks __read_mostly = 0; ++int sysctl_protected_symlinks __read_mostly = 1; ++int sysctl_protected_hardlinks __read_mostly = 1; + int sysctl_protected_fifos __read_mostly; + int sysctl_protected_regular __read_mostly; + diff --git a/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch b/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch new file mode 100644 index 0000000..394ad48 --- /dev/null +++ b/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch @@ -0,0 +1,37 @@ +The encryption is only mandatory to be enforced when both sides are using +Secure Simple Pairing and this means the key size check makes only sense +in that case. + +On legacy Bluetooth 2.0 and earlier devices like mice the encryption was +optional and thus causing an issue if the key size check is not bound to +using Secure Simple Pairing. + +Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections") +Signed-off-by: Marcel Holtmann <[email protected]> +Cc: [email protected] +--- + net/bluetooth/hci_conn.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 3cf0764d5793..7516cdde3373 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn) + return 0; + } + +- if (hci_conn_ssp_enabled(conn) && +- !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) ++ /* If Secure Simple Pairing is not enabled, then legacy connection ++ * setup is used and no encryption or key sizes can be enforced. ++ */ ++ if (!hci_conn_ssp_enabled(conn)) ++ return 1; ++ ++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) + return 0; + + /* The minimum encryption key size needs to be enforced by the +-- +2.20.1 diff --git a/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch b/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch new file mode 100644 index 0000000..4335685 --- /dev/null +++ b/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch @@ -0,0 +1,30 @@ +From dc328d75a6f37f4ff11a81ae16b1ec88c3197640 Mon Sep 17 00:00:00 2001 +From: Mike Pagano <[email protected]> +Date: Mon, 23 Mar 2020 08:20:06 -0400 +Subject: [PATCH 1/1] This driver requires REGMAP_I2C to build. Select it by + default in Kconfig. Reported at gentoo bugzilla: + https://bugs.gentoo.org/710790 +Cc: [email protected] + +Reported-by: Phil Stracchino <[email protected]> + +Signed-off-by: Mike Pagano <[email protected]> +--- + drivers/hwmon/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig +index 47ac20aee06f..530b4f29ba85 100644 +--- a/drivers/hwmon/Kconfig ++++ b/drivers/hwmon/Kconfig +@@ -1769,6 +1769,7 @@ config SENSORS_TMP421 + config SENSORS_TMP513 + tristate "Texas Instruments TMP513 and compatibles" + depends on I2C ++ select REGMAP_I2C + help + If you say yes here you get support for Texas Instruments TMP512, + and TMP513 temperature and power supply sensor chips. +-- +2.24.1 + diff --git a/2920_sign-file-patch-for-libressl.patch b/2920_sign-file-patch-for-libressl.patch new file mode 100644 index 0000000..e6ec017 --- /dev/null +++ b/2920_sign-file-patch-for-libressl.patch @@ -0,0 +1,16 @@ +--- a/scripts/sign-file.c 2020-05-20 18:47:21.282820662 -0400 ++++ b/scripts/sign-file.c 2020-05-20 18:48:37.991081899 -0400 +@@ -41,9 +41,10 @@ + * signing with anything other than SHA1 - so we're stuck with that if such is + * the case. + */ +-#if defined(LIBRESSL_VERSION_NUMBER) || \ +- OPENSSL_VERSION_NUMBER < 0x10000000L || \ +- defined(OPENSSL_NO_CMS) ++#if defined(OPENSSL_NO_CMS) || \ ++ ( defined(LIBRESSL_VERSION_NUMBER) \ ++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \ ++ OPENSSL_VERSION_NUMBER < 0x10000000L + #define USE_PKCS7 + #endif + #ifndef USE_PKCS7 diff --git a/3000_Support-printing-firmware-info.patch b/3000_Support-printing-firmware-info.patch new file mode 100644 index 0000000..a630cfb --- /dev/null +++ b/3000_Support-printing-firmware-info.patch @@ -0,0 +1,14 @@ +--- a/drivers/base/firmware_loader/main.c 2021-08-24 15:42:07.025482085 -0400 ++++ b/drivers/base/firmware_loader/main.c 2021-08-24 15:44:40.782975313 -0400 +@@ -809,6 +809,11 @@ _request_firmware(const struct firmware + + ret = _request_firmware_prepare(&fw, name, device, buf, size, + offset, opt_flags); ++ ++#ifdef CONFIG_GENTOO_PRINT_FIRMWARE_INFO ++ printk(KERN_NOTICE "Loading firmware: %s\n", name); ++#endif ++ + if (ret <= 0) /* error or already assigned */ + goto out; + diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch index d2175f0..74e80d3 100644 --- a/4567_distro-Gentoo-Kconfig.patch +++ b/4567_distro-Gentoo-Kconfig.patch @@ -65,6 +65,7 @@ + select NET_NS + select PID_NS + select SYSVIPC ++ select USER_NS + select UTS_NS + + help @@ -145,7 +146,6 @@ + select TIMERFD + select TMPFS_POSIX_ACL + select TMPFS_XATTR -+ select USER_NS + + select ANON_INODES + select BLOCK diff --git a/more-uarches-for-kernel-5.15+.patch b/5010_enable-cpu-optimizations-universal.patch similarity index 100% rename from more-uarches-for-kernel-5.15+.patch rename to 5010_enable-cpu-optimizations-universal.patch
