Message ID: <0e60a1de-6210-835e-54a4-ec5e3128e42e@ipfire.org>
Series
linux: Update to 5.15.85 and backport many IPFire 3.x changes
Message
Peter Müller
Dec. 26, 2022, 7:24 p.m. UTC
This patchset aims at updating the Linux kernel to 5.15.85, given that the last release we shipped dates back a while ago. However, its primary purpose is to backport some kernel changes recently made by Michael in IPFire 3.x, whenever bringing these to the IPFire 2.x userbase is sensible and/or feasible.

Patch descriptions are copy & pasted from their IPFire 3.x counterparts, which are referred to by their commit IDs in ipfire-3.x. Due to a different hardware situation as well as architecture maturity (this particularly affects ARM), not all changes could be backported 1:1 or to a near-complete extent.

Feedback is particularly appreciated regarding the last commit, which aims at aligning the ARM kernel configuration files to the x86_64 one. Since no real ARM hardware is at the author's disposal, this alignment has to be taken with a pinch of salt.

As far as benchmarks are concerned, a 5.15.85 x86_64 kernel booted in an IPFire 2.x VM on the basis of Core Update 172 introduced the following changes in file size:

Location        Before   After
-------------------------------------------
/boot           48M      53M  (+ 5)
/lib/modules    58M      71M  (+13)
ISO             373M     394M (+21)

Contrary to its documentation, enabling the GCC stackleak plugin (which is the current setting in IPFire 3.x as well) neither brought a notable compile time increase, nor does it seem to slow down runtime operations significantly. More thorough tests, especially on physical machines, are, however, yet to come.
Peter Müller (21):
  linux: Update to 5.15.85
  linux: Disable the entire PCMCIA/CardBus subsystem
  linux: Enable parallel crypto by default
  linux: Disable syscalls that allows processes to r/w other processes' memory
  linux: Disable the latent entropy plugin
  linux: Build all library routines as modules and disable self-tests
  linux: Build all HWRNGs as modules
  linux: Compile binfmt_misc as a module
  linux: Wipe all memory when rebooting on EFI
  linux: Disable the Distributed Lock Manager
  linux: Disable some character devices that do not make sense
  linux: Make graphics configruation sane
  linux: Disable all sorts of useless Device Mapper targets
  linux: Enable various modern ciphers/hashes/etc. and acceleration
  linux: Compress the kernel, modules and firmware using Zstandard
  linux: Disable ACPI configfs support
  linux: Enable support for more USB host controllers as modules
  linux: Poison kernel stack before returning from syscalls
  linux: Enable Landlock support
  linux: Update x86_64 rootfile
  linux: Align ARM kernel configurations as much as possible

 config/kernel/kernel.config.aarch64-ipfire         |  194 +-
 config/kernel/kernel.config.armv6l-ipfire          |  101 +-
 config/kernel/kernel.config.x86_64-ipfire          |  216 +-
 config/rootfiles/common/x86_64/linux               | 5954 ++++++++---------
 lfs/linux                                          |    9 +-
 .../linux-5.15-wifi-security-patches-1.patch       |   50 -
 .../linux-5.15-wifi-security-patches-10.patch      |   98 -
 .../linux-5.15-wifi-security-patches-11.patch      |   96 -
 .../linux-5.15-wifi-security-patches-12.patch      | 1179 ----
 .../linux-5.15-wifi-security-patches-13.patch      |  130 -
 .../linux-5.15-wifi-security-patches-14.patch      |  107 -
 .../linux-5.15-wifi-security-patches-2.patch       |   59 -
 .../linux-5.15-wifi-security-patches-3.patch       |   49 -
 .../linux-5.15-wifi-security-patches-4.patch       |   96 -
 .../linux-5.15-wifi-security-patches-5.patch       |   56 -
 .../linux-5.15-wifi-security-patches-6.patch       |   39 -
 .../linux-5.15-wifi-security-patches-7.patch       |   60 -
 .../linux-5.15-wifi-security-patches-8.patch       |   94 -
 .../linux-5.15-wifi-security-patches-9.patch       |  126 -
 19 files changed, 3183 insertions(+), 5530 deletions(-)
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
 delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
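The last commit of the series aligns the ARM kernel configurations with the x86_64 one, which without hardware can at least be checked offline by diffing the .config files symbol by symbol. The script below is an added example written for this page, not code from the patchset or from IPFire; the two config fragments are constructed samples that borrow a few of the CONFIG_ symbols the series touches (Landlock, stackleak, PCMCIA, Zstandard) plus one arch-only symbol per side, and their values are made up.

```python
"""Diff two Linux kernel .config files symbol by symbol.
Added example for this page, not code from the patchset or IPFire."""
import re

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Map each CONFIG_ symbol to 'y', 'm', 'n' or its string/number value."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)  # "# CONFIG_FOO is not set" means n
        if m:
            opts[m.group(1)] = "n"
    return opts


def diff_configs(reference, target):
    """{symbol: (reference_value, target_value)} for every differing symbol;
    a symbol absent from one file shows as None there (usually an
    arch-specific option that cannot be aligned at all)."""
    ref, tgt = parse_config(reference), parse_config(target)
    return {sym: (ref.get(sym), tgt.get(sym))
            for sym in sorted(set(ref) | set(tgt))
            if ref.get(sym) != tgt.get(sym)}


# Constructed samples: real Kconfig symbol names, made-up values.
X86_64 = """\
CONFIG_LANDLOCK=y
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_PCCARD is not set
CONFIG_KERNEL_ZSTD=y
CONFIG_X86_INTEL_LPSS=y
"""
AARCH64 = """\
# CONFIG_LANDLOCK is not set
CONFIG_GCC_PLUGIN_STACKLEAK=y
CONFIG_PCCARD=m
CONFIG_KERNEL_ZSTD=y
CONFIG_ARM64_PTR_AUTH=y
"""

if __name__ == "__main__":
    for sym, (ref, tgt) in diff_configs(X86_64, AARCH64).items():
        print(f"{sym}: x86_64={ref} aarch64={tgt}")
```

Running it against the real config/kernel/kernel.config.x86_64-ipfire and kernel.config.aarch64-ipfire files lists exactly the symbols the alignment commit left different, with None marking options that only exist on one architecture.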
Comments
Hello Peter,

> On 26 Dec 2022, at 20:24, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> This patchset aims at updating the Linux kernel to 5.15.85, given that
> the last release we shipped dates back a while ago. However, its primary
> purpose is to backport some kernel changes recently made by Michael in
> IPFire 3.x, whenever bringing these to the IPFire 2.x userbase is sensible
> and/or feasible.

I am happy with updating the kernel.

> Patch descriptions are copy & past'ed from their IPFire 3.x counterparts,
> which are referred to by their commit IDs in ipfire-3.x. Due to different
> hardware situation as well as architecture maturity (this particularly
> affects ARM), not all changes could be backported 1:1 or to a near-complete
> extend.

As I said in our previous conversation about this, I am not too happy to see this patchset here, yet.

The current kernel in IPFire 3 is highly experimental. In order to try things out, I enabled lots of (let's call them) risky features that are either not commonly enabled on off-the-shelf distributions, or are not tested by us. That results in a kernel that currently does not even boot.

"Backporting" from a broken kernel that is so untested will only result in carrying over any problems from the testing environment into the production environment where they are so much more harmful.

We should test first, and then move on to the next step and figure out how we can roll out the successfully tested changes and how we can roll back those that don't work well for us.

> Feedback is particularly appreciated regarding the last commit, which aims
> at aligning the ARM kernel configuration files to the x86_64 one. Since
> no real ARM hardware is at the author's disposal, this alignment has to be
> taken with a pinch of salt.

How is that supposed to be tested?

> As far as benchmarks are concerned, a 5.15.85 x86_64 kernel booted in an
> IPFire 2.x VM on the basis of Core Update 172 introduced the following changes
> in file size:
>
> Location        Before   After
> -------------------------------------------
> /boot           48M      53M  (+ 5)
> /lib/modules    58M      71M  (+13)
> ISO             373M     394M (+21)

We cannot afford at all to make the kernel larger, since we still have plenty of installations out there with a small /boot partition and a / partition that is limited to 2GB. Not that another 13 MiB will break the camel's back, but we should try to save space to keep those users up and running.

> Contrary to its documentation, enabling the GCC stackleak plugin (which
> is the current setting in IPFire 3.x as well) neither brought a notable
> compile time increase, nor does it seem to slow down runtime operations
> significantly. More thorough tests, especially on physical machines, are
> however, yet to come.

How many times did you rebuild the kernel with exactly the same configuration? In IPFire 3 there is something that seems to limit the performance of ccache, which we cannot carry over into IPFire 2 under any circumstances. IPFire 2 is very sensitive towards compile time.

-Michael

> Peter Müller (21):
>   linux: Update to 5.15.85
>   linux: Disable the entire PCMCIA/CardBus subsystem
>   linux: Enable parallel crypto by default
>   linux: Disable syscalls that allows processes to r/w other processes'
>     memory
>   linux: Disable the latent entropy plugin
>   linux: Build all library routines as modules and disable self-tests
>   linux: Build all HWRNGs as modules
>   linux: Compile binfmt_misc as a module
>   linux: Wipe all memory when rebooting on EFI
>   linux: Disable the Distributed Lock Manager
>   linux: Disable some character devices that do not make sense
>   linux: Make graphics configruation sane
>   linux: Disable all sorts of useless Device Mapper targets
>   linux: Enable various modern ciphers/hashes/etc. and acceleration
>   linux: Compress the kernel, modules and firmware using Zstandard
>   linux: Disable ACPI configfs support
>   linux: Enable support for more USB host controllers as modules
>   linux: Poison kernel stack before returning from syscalls
>   linux: Enable Landlock support
>   linux: Update x86_64 rootfile
>   linux: Align ARM kernel configurations as much as possible
>
>  config/kernel/kernel.config.aarch64-ipfire         |  194 +-
>  config/kernel/kernel.config.armv6l-ipfire          |  101 +-
>  config/kernel/kernel.config.x86_64-ipfire          |  216 +-
>  config/rootfiles/common/x86_64/linux               | 5954 ++++++++---------
>  lfs/linux                                          |    9 +-
>  .../linux-5.15-wifi-security-patches-1.patch       |   50 -
>  .../linux-5.15-wifi-security-patches-10.patch      |   98 -
>  .../linux-5.15-wifi-security-patches-11.patch      |   96 -
>  .../linux-5.15-wifi-security-patches-12.patch      | 1179 ----
>  .../linux-5.15-wifi-security-patches-13.patch      |  130 -
>  .../linux-5.15-wifi-security-patches-14.patch      |  107 -
>  .../linux-5.15-wifi-security-patches-2.patch       |   59 -
>  .../linux-5.15-wifi-security-patches-3.patch       |   49 -
>  .../linux-5.15-wifi-security-patches-4.patch       |   96 -
>  .../linux-5.15-wifi-security-patches-5.patch       |   56 -
>  .../linux-5.15-wifi-security-patches-6.patch       |   39 -
>  .../linux-5.15-wifi-security-patches-7.patch       |   60 -
>  .../linux-5.15-wifi-security-patches-8.patch       |   94 -
>  .../linux-5.15-wifi-security-patches-9.patch       |  126 -
>  19 files changed, 3183 insertions(+), 5530 deletions(-)
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
>
> --
> 2.35.3