[00/21] linux: Update to 5.15.85 and backport many IPFire 3.x changes

Message ID 0e60a1de-6210-835e-54a4-ec5e3128e42e@ipfire.org
Series: linux: Update to 5.15.85 and backport many IPFire 3.x changes

Message

Peter Müller Dec. 26, 2022, 7:24 p.m. UTC
This patchset aims at updating the Linux kernel to 5.15.85, given that
the last release we shipped dates back a while ago. However, its primary
purpose is to backport some kernel changes recently made by Michael in
IPFire 3.x, whenever bringing these to the IPFire 2.x userbase is sensible
and/or feasible.

Patch descriptions are copy & pasted from their IPFire 3.x counterparts,
which are referred to by their commit IDs in ipfire-3.x. Due to the different
hardware situation as well as architecture maturity (this particularly
affects ARM), not all changes could be backported 1:1 or to a near-complete
extent.

Feedback is particularly appreciated regarding the last commit, which aims
at aligning the ARM kernel configuration files to the x86_64 one. Since
no real ARM hardware is at the author's disposal, this alignment has to be
taken with a pinch of salt.

As far as benchmarks are concerned, a 5.15.85 x86_64 kernel booted in an
IPFire 2.x VM on the basis of Core Update 172 introduced the following changes
in file size:

Location        Before    After
-------------------------------------------
/boot           48M       53M   (+ 5)
/lib/modules    58M       71M   (+13)
ISO             373M      394M  (+21)

Contrary to its documentation, enabling the GCC stackleak plugin (which
is the current setting in IPFire 3.x as well) neither brought a notable
compile time increase, nor does it seem to slow down runtime operations
significantly. More thorough tests, especially on physical machines, are,
however, yet to come.

Peter Müller (21):
  linux: Update to 5.15.85
  linux: Disable the entire PCMCIA/CardBus subsystem
  linux: Enable parallel crypto by default
  linux: Disable syscalls that allow processes to r/w other processes'
    memory
  linux: Disable the latent entropy plugin
  linux: Build all library routines as modules and disable self-tests
  linux: Build all HWRNGs as modules
  linux: Compile binfmt_misc as a module
  linux: Wipe all memory when rebooting on EFI
  linux: Disable the Distributed Lock Manager
  linux: Disable some character devices that do not make sense
  linux: Make graphics configuration sane
  linux: Disable all sorts of useless Device Mapper targets
  linux: Enable various modern ciphers/hashes/etc. and acceleration
  linux: Compress the kernel, modules and firmware using Zstandard
  linux: Disable ACPI configfs support
  linux: Enable support for more USB host controllers as modules
  linux: Poison kernel stack before returning from syscalls
  linux: Enable Landlock support
  linux: Update x86_64 rootfile
  linux: Align ARM kernel configurations as much as possible

 config/kernel/kernel.config.aarch64-ipfire    |  194 +-
 config/kernel/kernel.config.armv6l-ipfire     |  101 +-
 config/kernel/kernel.config.x86_64-ipfire     |  216 +-
 config/rootfiles/common/x86_64/linux          | 5954 ++++++++---------
 lfs/linux                                     |    9 +-
 .../linux-5.15-wifi-security-patches-1.patch  |   50 -
 .../linux-5.15-wifi-security-patches-10.patch |   98 -
 .../linux-5.15-wifi-security-patches-11.patch |   96 -
 .../linux-5.15-wifi-security-patches-12.patch | 1179 ----
 .../linux-5.15-wifi-security-patches-13.patch |  130 -
 .../linux-5.15-wifi-security-patches-14.patch |  107 -
 .../linux-5.15-wifi-security-patches-2.patch  |   59 -
 .../linux-5.15-wifi-security-patches-3.patch  |   49 -
 .../linux-5.15-wifi-security-patches-4.patch  |   96 -
 .../linux-5.15-wifi-security-patches-5.patch  |   56 -
 .../linux-5.15-wifi-security-patches-6.patch  |   39 -
 .../linux-5.15-wifi-security-patches-7.patch  |   60 -
 .../linux-5.15-wifi-security-patches-8.patch  |   94 -
 .../linux-5.15-wifi-security-patches-9.patch  |  126 -
 19 files changed, 3183 insertions(+), 5530 deletions(-)
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch

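One way to review the last commit in the series (aligning the ARM configurations with x86_64) and to confirm that the hardening options the series enables are set the same way for every architecture is to diff the parsed .config files rather than eyeball 200-line config changes. The Python below is an added example and is not part of this patchset or of the IPFire build system. The two config fragments are constructed for illustration, and the mapping of commit subjects to CONFIG_ symbols (for instance CONFIG_RESET_ATTACK_MITIGATION for the EFI memory wipe, CONFIG_CROSS_MEMORY_ATTACH for the process-memory syscalls, CONFIG_GCC_PLUGIN_STACKLEAK for stack poisoning) is my assumption; the cover letter does not name the symbols.

```python
"""Compare two Linux .config files and check a hardening baseline.

Added example, not part of the patchset or IPFire's build system. The two
config fragments below are constructed; which CONFIG_ symbol corresponds to
which commit subject in the series is an assumption, not taken from the
patches themselves.
"""
import re

# "CONFIG_FOO=y", "CONFIG_FOO=m", "CONFIG_FOO="str"" and the
# "# CONFIG_FOO is not set" form that Kconfig writes for disabled options.
_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# Constructed fragment standing in for config/kernel/kernel.config.x86_64-ipfire.
X86_64 = """
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
CONFIG_SECURITY_LANDLOCK=y
CONFIG_RESET_ATTACK_MITIGATION=y
# CONFIG_CROSS_MEMORY_ATTACH is not set
# CONFIG_PCMCIA is not set
CONFIG_BINFMT_MISC=m
CONFIG_KERNEL_ZSTD=y
CONFIG_MODULE_COMPRESS_ZSTD=y
CONFIG_DEFAULT_HOSTNAME="ipfire"
"""

# Constructed fragment standing in for an ARM config that is not yet aligned.
AARCH64 = """
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_CROSS_MEMORY_ATTACH=y
# CONFIG_PCMCIA is not set
CONFIG_BINFMT_MISC=y
CONFIG_KERNEL_ZSTD=y
CONFIG_MODULE_COMPRESS_ZSTD=y
CONFIG_DEFAULT_HOSTNAME="ipfire"
"""

# Assumed mapping of the series' hardening intent to CONFIG_ symbols.
HARDENING_BASELINE = {
    "CONFIG_GCC_PLUGIN_STACKLEAK": "y",       # poison stack on syscall return
    "CONFIG_GCC_PLUGIN_LATENT_ENTROPY": "n",  # latent entropy plugin disabled
    "CONFIG_SECURITY_LANDLOCK": "y",          # Landlock LSM enabled
    "CONFIG_CROSS_MEMORY_ATTACH": "n",        # process_vm_readv/writev disabled
    "CONFIG_PCMCIA": "n",                     # PCMCIA/CardBus subsystem disabled
}


def parse_config(text):
    """Return {symbol: value}; disabled options map to 'n', strings lose quotes."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def diff_configs(reference, other):
    """Symbols whose value differs, as {symbol: (reference_value, other_value)}.

    A symbol present in only one file is reported with None on the other side,
    so options that exist on a single architecture stay visible in the report."""
    result = {}
    for sym in sorted(set(reference) | set(other)):
        a, b = reference.get(sym), other.get(sym)
        if a != b:
            result[sym] = (a, b)
    return result


def check_baseline(options, baseline):
    """Return {symbol: actual_value} for every option deviating from the baseline."""
    return {sym: options.get(sym) for sym, want in baseline.items()
            if options.get(sym) != want}


def compare_sample():
    """Diff the two constructed fragments, x86_64 as the reference."""
    return diff_configs(parse_config(X86_64), parse_config(AARCH64))


if __name__ == "__main__":
    for sym, (x86, arm) in compare_sample().items():
        print(f"{sym:40s} x86_64={x86!s:6s} aarch64={arm!s}")
    for arch, text in (("x86_64", X86_64), ("aarch64", AARCH64)):
        missing = check_baseline(parse_config(text), HARDENING_BASELINE)
        print(f"{arch}: {'baseline OK' if not missing else missing}")
```

Run against the real files, the same two functions would take the contents of kernel.config.x86_64-ipfire and kernel.config.aarch64-ipfire instead of the constructed fragments; the baseline dictionary is the place to record which options a reviewer expects to be identical across architectures and which are legitimately hardware-specific.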
Comments

Michael Tremer Dec. 27, 2022, 10:36 a.m. UTC | #1
Hello Peter,

> On 26 Dec 2022, at 20:24, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> This patchset aims at updating the Linux kernel to 5.15.85, given that
> the last release we shipped dates back a while ago. However, its primary
> purpose is to backport some kernel changes recently made by Michael in
> IPFire 3.x, whenever bringing these to the IPFire 2.x userbase is sensible
> and/or feasible.

I am happy with updating the kernel.

> Patch descriptions are copy & pasted from their IPFire 3.x counterparts,
> which are referred to by their commit IDs in ipfire-3.x. Due to the different
> hardware situation as well as architecture maturity (this particularly
> affects ARM), not all changes could be backported 1:1 or to a near-complete
> extent.

As I said in our previous conversation about this, I am not too happy to see this patchset here, yet.

The current kernel in IPFire 3 is highly experimental. In order to try things out, I enabled lots of (let’s call them) risky features that are either not commonly enabled on off-the-shelf distributions, or are not tested by us.

That results in a kernel that currently does not even boot.

“Backporting” from a broken kernel that is so untested will only result in carrying over any problems from the testing environment into the production environment where they are so much more harmful.

We should test first, and then move on to the next step and figure out how we can roll out the successfully tested changes and how we can roll back those that don’t work well for us.

> Feedback is particularly appreciated regarding the last commit, which aims
> at aligning the ARM kernel configuration files to the x86_64 one. Since
> no real ARM hardware is at the author's disposal, this alignment has to be
> taken with a pinch of salt.

How is that supposed to be tested?

> As far as benchmarks are concerned, a 5.15.85 x86_64 kernel booted in an
> IPFire 2.x VM on the basis of Core Update 172 introduced the following changes
> in file size:
> 
> Location        Before    After
> -------------------------------------------
> /boot           48M       53M   (+ 5)
> /lib/modules    58M       71M   (+13)
> ISO             373M      394M  (+21)

We cannot afford at all to make the kernel larger, since we still have plenty of installations out there with a small /boot partition and a / partition that is limited to 2GB. Not that another 13 MiB will break the camel’s back, but we should try to save space to keep those users up and running.

> Contrary to its documentation, enabling the GCC stackleak plugin (which
> is the current setting in IPFire 3.x as well) neither brought a notable
> compile time increase, nor does it seem to slow down runtime operations
> significantly. More thorough tests, especially on physical machines, are,
> however, yet to come.

How many times did you rebuild the kernel with exactly the same configuration?

In IPFire 3 there is something that seems to limit the performance of ccache, which we cannot carry over into IPFire 2 under any circumstances. IPFire 2 is very sensitive towards compile time.

-Michael

> Peter Müller (21):
>  linux: Update to 5.15.85
>  linux: Disable the entire PCMCIA/CardBus subsystem
>  linux: Enable parallel crypto by default
>  linux: Disable syscalls that allow processes to r/w other processes'
>    memory
>  linux: Disable the latent entropy plugin
>  linux: Build all library routines as modules and disable self-tests
>  linux: Build all HWRNGs as modules
>  linux: Compile binfmt_misc as a module
>  linux: Wipe all memory when rebooting on EFI
>  linux: Disable the Distributed Lock Manager
>  linux: Disable some character devices that do not make sense
>  linux: Make graphics configuration sane
>  linux: Disable all sorts of useless Device Mapper targets
>  linux: Enable various modern ciphers/hashes/etc. and acceleration
>  linux: Compress the kernel, modules and firmware using Zstandard
>  linux: Disable ACPI configfs support
>  linux: Enable support for more USB host controllers as modules
>  linux: Poison kernel stack before returning from syscalls
>  linux: Enable Landlock support
>  linux: Update x86_64 rootfile
>  linux: Align ARM kernel configurations as much as possible
> 
> config/kernel/kernel.config.aarch64-ipfire    |  194 +-
> config/kernel/kernel.config.armv6l-ipfire     |  101 +-
> config/kernel/kernel.config.x86_64-ipfire     |  216 +-
> config/rootfiles/common/x86_64/linux          | 5954 ++++++++---------
> lfs/linux                                     |    9 +-
> .../linux-5.15-wifi-security-patches-1.patch  |   50 -
> .../linux-5.15-wifi-security-patches-10.patch |   98 -
> .../linux-5.15-wifi-security-patches-11.patch |   96 -
> .../linux-5.15-wifi-security-patches-12.patch | 1179 ----
> .../linux-5.15-wifi-security-patches-13.patch |  130 -
> .../linux-5.15-wifi-security-patches-14.patch |  107 -
> .../linux-5.15-wifi-security-patches-2.patch  |   59 -
> .../linux-5.15-wifi-security-patches-3.patch  |   49 -
> .../linux-5.15-wifi-security-patches-4.patch  |   96 -
> .../linux-5.15-wifi-security-patches-5.patch  |   56 -
> .../linux-5.15-wifi-security-patches-6.patch  |   39 -
> .../linux-5.15-wifi-security-patches-7.patch  |   60 -
> .../linux-5.15-wifi-security-patches-8.patch  |   94 -
> .../linux-5.15-wifi-security-patches-9.patch  |  126 -
> 19 files changed, 3183 insertions(+), 5530 deletions(-)
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
> 
> -- 
> 2.35.3