From patchwork Sat Mar 19 21:08:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 5355
Date: Sat, 19 Mar 2022 21:08:32 +0000
Subject: [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
From: Peter Müller
To: development@lists.ipfire.org
References: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
List-Id: IPFire development talk

This follows a recommendation by ClipOS, making ASLR bypassing attempts harder.
Signed-off-by: Peter Müller Reviewed-by: Michael Tremer --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6728fa7f3..4205aa5bc 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -702,7 +702,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y CONFIG_MODULES_USE_ELF_RELA=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y -CONFIG_ARCH_MMAP_RND_BITS=18 +CONFIG_ARCH_MMAP_RND_BITS=32 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index d8482de92..ef36b8e22 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -778,7 +778,7 @@ CONFIG_MODULES_USE_ELF_REL=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y -CONFIG_ARCH_MMAP_RND_BITS=8 +CONFIG_ARCH_MMAP_RND_BITS=32 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y CONFIG_CLONE_BACKWARDS=y CONFIG_OLD_SIGSUSPEND3=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 73911b2ab..d8045c15c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -388,7 +388,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y CONFIG_MODULES_USE_ELF_RELA=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y -CONFIG_ARCH_MMAP_RND_BITS=18 +CONFIG_ARCH_MMAP_RND_BITS=32 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y CONFIG_CLONE_BACKWARDS=y CONFIG_COMPAT_32BIT_TIME=y 
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 0f322826e..b14815545 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -742,7 +742,7 @@ CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y -CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_ARCH_MMAP_RND_BITS=32 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
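Review bot: the armv6l hunk sets CONFIG_ARCH_MMAP_RND_BITS=32 (previously 8), the same value as the three 64-bit targets, but this option is bounded per architecture by ARCH_MMAP_RND_BITS_MIN/ARCH_MMAP_RND_BITS_MAX, and 32 bits of page-granular randomisation cannot fit into a 32-bit address space. Kconfig does not keep an out-of-range value, so the built kernels may end up with something other than what these files state; please set each architecture to its own maximum and check the generated .config on aarch64 and riscv64 as well. The hunks also leave CONFIG_ARCH_MMAP_RND_COMPAT_BITS at 11 (aarch64) and 8 (x86_64); the commit message should say whether that is intentional and link the ClipOS recommendation it refers to.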
From patchwork Sat Mar 19 21:08:56 2022
X-Patchwork-Id: 5356
Date: Sat, 19 Mar 2022 21:08:56 +0000
Subject: [PATCH 02/11] Kernel: Disable support for tracing block I/O actions
From: Peter Müller

This is not needed on IPFire systems, and grsecurity recommends to turn this off.
Signed-off-by: Peter Müller Reviewed-by: Michael Tremer --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 4205aa5bc..35c249253 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8166,7 +8166,7 @@ CONFIG_TRACER_SNAPSHOT=y # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index ef36b8e22..5b4ff8e20 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -8133,7 +8133,7 @@ CONFIG_TRACER_SNAPSHOT=y CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_PROFILE_ALL_BRANCHES is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index d8045c15c..d4c0e0451 100644 --- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6754,7 +6754,7 @@ CONFIG_TRACER_SNAPSHOT=y # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b14815545..8b525ef89 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -7605,7 +7605,7 @@ CONFIG_TRACER_SNAPSHOT=y # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y
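Review bot: the commit message gives no reference for the grsecurity recommendation and does not say what is lost, and the context lines of all four hunks show the neighbouring tracing options (CONFIG_TRACER_SNAPSHOT, CONFIG_UPROBE_EVENTS, CONFIG_DYNAMIC_EVENTS, CONFIG_PROBE_EVENTS) staying enabled. Please add the reference, state that blktrace-style block I/O tracing will no longer be available on IPFire kernels, and say whether the remaining tracers are handled elsewhere in the series or deliberately kept.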
From patchwork Sat Mar 19 21:09:13 2022
X-Patchwork-Id: 5357
Message-ID: <867bc7ac-1f22-4f70-5a8c-867f0d020e78@ipfire.org>
Date: Sat, 19 Mar 2022 21:09:13 +0000
Subject: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
From: Peter Müller

This can be safely enabled on IPFire, as we never swap filesystems during runtime.
Fixes: #12432 Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 3 ++- config/kernel/kernel.config.armv6l-ipfire | 3 ++- config/kernel/kernel.config.riscv64-ipfire | 3 ++- config/kernel/kernel.config.x86_64-ipfire | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 35c249253..d9179c061 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 5b4ff8e20..522278160 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index d4c0e0451..ebb830eb7 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 8b525ef89..675c3ce1e 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set
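Review bot: CONFIG_SECURITY_LOADPIN_ENFORCE=y is switched on in the same change as CONFIG_SECURITY_LOADPIN=y on all four architectures, so there is no build in which LoadPin only reports what it would refuse. LoadPin pins to the filesystem of the first file the kernel loads (module, firmware, kexec image), so "we never swap filesystems during runtime" only holds if that first load comes from the final root filesystem and not from an initramfs; the commit message should state how this was tested on each architecture, including firmware loading. Also confirm that loadpin is listed in CONFIG_LSM, which these hunks do not touch, since an LSM missing from that list is built but never initialised.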
From patchwork Sat Mar 19 21:09:26 2022
X-Patchwork-Id: 5358
Message-ID: <2f4432a0-6b08-9f0e-780c-e86aedfa4969@ipfire.org>
Date: Sat, 19 Mar 2022 21:09:26 +0000
Subject: [PATCH 04/11] Kernel: Enable undefined behaviour sanity checker
From: Peter Müller

Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 13 ++++++++++++- config/kernel/kernel.config.armv6l-ipfire | 13 ++++++++++++- config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++- config/kernel/kernel.config.x86_64-ipfire | 13 ++++++++++++- 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index d9179c061..b2ef43e51 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8008,7 +8008,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 522278160..13326a29c 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7989,7 +7989,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y # CONFIG_DEBUG_FS_ALLOW_NONE is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index ebb830eb7..fa4ee46fa 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6597,7 +6597,18 @@ CONFIG_HAVE_ARCH_KGDB=y CONFIG_HAVE_ARCH_KGDB_QXFER_PKT=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 675c3ce1e..e6a03a9e5 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -7430,7 +7430,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_ARCH_KCSAN=y CONFIG_HAVE_KCSAN_COMPILER=y # CONFIG_KCSAN is not set
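Review bot: this patch has no commit message body, so nothing records why CONFIG_UBSAN_SHIFT, CONFIG_UBSAN_BOOL and CONFIG_UBSAN_ENUM are enabled next to CONFIG_UBSAN_BOUNDS while CONFIG_UBSAN_DIV_ZERO and CONFIG_UBSAN_ALIGNMENT stay off. With "# CONFIG_UBSAN_TRAP is not set" a detected violation is only reported and execution continues, so please state whether the goal is diagnostics or hardening, and give the size and performance cost of CONFIG_UBSAN_SANITIZE_ALL=y, in particular for armv6l.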
"R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KLYRZ0ZBHz2yXw for ; Sat, 19 Mar 2022 21:09:46 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KLYRY2SMhzTm for ; Sat, 19 Mar 2022 21:09:45 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1647724185; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AHUSd+PxmsYNvXdnegZYAh0dfOWT4w2CCzzeb2qKUiY=; b=M+CafvsLg55aQvZuKOA6fa6FPBZgKUUXm+LuLcCHX4DSc24j2MIHt9UtnHrd5IedHyJSp7 U0LojDp2E2oyB1CQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1647724185; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AHUSd+PxmsYNvXdnegZYAh0dfOWT4w2CCzzeb2qKUiY=; b=IzvGOMYMFfaeG7Xo4+XFeS8vbqx4ER3ohfYNY//s9pbf0lGmhkDfc5OdGocQDZZNqBluNs wPncTb0P6ZeWkvxlYhU6udIE+6Rs1SVfTK1QKf/uIVoc48/QTtMuCbYo+MA1Ji2G6IF2PN tA1409QthlwKLIwwuCxeL4OOkeEU6+yUHy77IMOCgMggp697GZN/btw5U5Q9C3QyB0aRLs vloU5tACs2qBPTw9oP406DRVqjkjgT4N//hMD7e2AXNggXMXkeyvaZ/r/HNZXn4IOkrT7c v/h44RkUe4SBjjEhE4ogACWYUD4ZWUetWnMKEsyZnmf1Qt6CpBgW5PsZAxy6+w== Message-ID: <1e8ebe39-63a5-6c76-764b-b8293fb5cfa2@ipfire.org> Date: Sat, 19 Mar 2022 21:09:44 +0000 MIME-Version: 1.0 Subject: [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities Content-Language: en-US To: development@lists.ipfire.org References: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org> 
From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b2ef43e51..b485c2fb6 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7558,7 +7558,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 13326a29c..98b554d91 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7562,7 +7562,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index fa4ee46fa..b595ae8cd 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire 
@@ -6195,7 +6195,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index e6a03a9e5..b325feb1d 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y From patchwork Sat Mar 19 21:10:00 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 5360 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KLYRw59Gkz3xK1 for ; Sat, 19 Mar 2022 21:10:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KLYRv5fpBz4Cx; Sat, 19 Mar 2022 21:10:03 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KLYRv5jVcz301g; Sat, 19 Mar 2022 21:10:03 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KLYRs6ffVz2yTY for ; Sat, 19 Mar 2022 21:10:01 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KLYRs1cpCz3Ny for ; Sat, 19 Mar 2022 21:10:01 +0000 (UTC) Message-ID: <3cdff493-ce39-353e-3c24-7b4ab93bc3ff@ipfire.org> Date: Sat, 19 Mar 2022 21:10:00 +0000 MIME-Version: 1.0 Subject: [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity" Content-Language: en-US To: development@lists.ipfire.org References: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Peter Müller Reviewed-by: Michael Tremer --- config/kernel/kernel.config.aarch64-ipfire | 6 +++++- config/kernel/kernel.config.armv6l-ipfire | 6 +++++- config/kernel/kernel.config.riscv64-ipfire | 6 +++++- config/kernel/kernel.config.x86_64-ipfire | 6 +++++- 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b485c2fb6..356d9051d 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7559,7 +7559,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 98b554d91..9dab473d4 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire 
@@ -7563,7 +7563,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index b595ae8cd..adef88dc9 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6196,7 +6196,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b325feb1d..222b2dc53 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -6972,7 +6972,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set From patchwork Sat Mar 19 21:10:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 5361 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KLYS71Rpqz3xK1 for ; Sat, 19 Mar 2022 21:10:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KLYS66YChz4Cx; Sat, 19 Mar 2022 21:10:14 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KLYS66fcRz301d; Sat, 19 Mar 2022 21:10:14 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS 
id 4KLYS54BTqz301d for ; Sat, 19 Mar 2022 21:10:13 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KLYS46pVHz1tH for ; Sat, 19 Mar 2022 21:10:12 +0000 (UTC) Message-ID: <0588411b-01e1-cb02-0d2f-7e40831b3338@ipfire.org> Date: Sat, 19 Mar 2022 21:10:11 +0000 MIME-Version: 1.0 Subject: [PATCH 07/11] Kernel: Trigger BUG if data corruption is detected Content-Language: en-US To: development@lists.ipfire.org References: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Since we cannot trust the kernel to do the right thing (tm) in such a situation anymore, triggering a BUG is less bad than running on a kernel in an undefined state. Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 4 ++-- config/kernel/kernel.config.armv6l-ipfire | 4 ++-- config/kernel/kernel.config.riscv64-ipfire | 4 ++-- config/kernel/kernel.config.x86_64-ipfire | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 356d9051d..06379d544 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8125,11 +8125,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures # CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 9dab473d4..68e37304a 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire 
@@ -8091,11 +8091,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures # CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index adef88dc9..8cec9a200 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6714,11 +6714,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures # CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 222b2dc53..0c6731bd1 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -7556,11 +7556,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures # CONFIG_DEBUG_CREDENTIALS is not set From patchwork Sat Mar 19 21:10:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 5362 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KLYSb3C45z3xK1 for ; Sat, 19 Mar 2022 21:10:39 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KLYSb0YkTz5R3; Sat, 19 Mar 2022 21:10:39 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KLYSb0d3bz301g; Sat, 19 Mar 2022 21:10:39 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KLYSY1C2bz2yXw for ; Sat, 19 Mar 2022 21:10:37 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using 
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KLYSX1zhrz3Ny for ; Sat, 19 Mar 2022 21:10:36 +0000 (UTC) Message-ID: <3b95f139-aa2d-93ba-f80b-d63c3091e6d7@ipfire.org> Date: Sat, 19 Mar 2022 21:10:34 +0000 MIME-Version: 1.0 Subject: [PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary Content-Language: en-US To: development@lists.ipfire.org References: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 06379d544..0fcbed4a2 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -3410,7 +3410,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set # # Serial drivers diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 68e37304a..468c74112 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -3397,7 +3397,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set # # Serial drivers diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 8cec9a200..de975e3f0 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -2915,7 +2915,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set # # Serial drivers 
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 0c6731bd1..0b9c79209 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -3382,7 +3382,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set # # Serial drivers From patchwork Sat Mar 19 21:10:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 5363 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KLYSt4mMzz3wt4 for ; Sat, 19 Mar 2022 21:10:54 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KLYSt1Z4Sz4Cx; Sat, 19 Mar 2022 21:10:54 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KLYSt1dtvz301d; Sat, 19 Mar 2022 21:10:54 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KLYSr3WtRz2yXw for ; Sat, 19 Mar 2022 21:10:52 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with 
ESMTPSA id 4KLYSq4Zqwz3Ny for ; Sat, 19 Mar 2022 21:10:51 +0000 (UTC) Message-ID: <4e8085be-1959-60f6-eec5-0c30826a70ae@ipfire.org> Date: Sat, 19 Mar 2022 21:10:50 +0000 MIME-Version: 1.0 Subject: [PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs Content-Language: en-US To: development@lists.ipfire.org References: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Since running virtual machines is one of our legitimate use cases, it makes sense to provide Qemu with the ability of taking advantage of IOMMU support for safer virtual memory allocation, if available. Signed-off-by: Peter Müller Acked-by: Michael Tremer --- config/kernel/kernel.config.x86_64-ipfire | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 0b9c79209..42275d26f 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6179,6 +6179,7 @@ CONFIG_INTEL_IDMA64=m CONFIG_INTEL_IDXD_BUS=m CONFIG_INTEL_IDXD=m # CONFIG_INTEL_IDXD_COMPAT is not set +# CONFIG_INTEL_IDXD_SVM is not set # CONFIG_INTEL_IDXD_PERFMON is not set CONFIG_INTEL_IOATDMA=m CONFIG_PLX_DMA=m 
@@ -6476,11 +6477,12 @@ CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set CONFIG_IOMMU_DMA=y +CONFIG_IOMMU_SVA_LIB=y CONFIG_AMD_IOMMU=y -# CONFIG_AMD_IOMMU_V2 is not set +CONFIG_AMD_IOMMU_V2=y CONFIG_DMAR_TABLE=y CONFIG_INTEL_IOMMU=y -# CONFIG_INTEL_IOMMU_SVM is not set +CONFIG_INTEL_IOMMU_SVM=y # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set CONFIG_INTEL_IOMMU_FLOPPY_WA=y # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set From patchwork Sat Mar 19 21:11:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 5364 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KLYT96HJ9z3wt4 for ; Sat, 19 Mar 2022 21:11:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KLYT92dgzz4Cx; Sat, 19 Mar 2022 21:11:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KLYT92flQz3020; Sat, 19 Mar 2022 21:11:09 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 
4KLYT82BjLz2yXw for ; Sat, 19 Mar 2022 21:11:08 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KLYT74HK0z3Ny for ; Sat, 19 Mar 2022 21:11:07 +0000 (UTC) Message-ID: <6400eeaa-f3c2-e423-e0f1-c58431f89228@ipfire.org> Date: Sat, 19 Mar 2022 21:11:06 +0000 MIME-Version: 1.0 Subject: [PATCH 10/11] Kernel: Disable function and stack tracers Content-Language: en-US To: development@lists.ipfire.org References: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" grsecurity recommends to disable this on non-development systems for reducing attack surface. Since we never debug the kernel that deeply on a productive system, it makes sense to follow this recommendation. Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 13 ++----------- config/kernel/kernel.config.armv6l-ipfire | 13 ++----------- config/kernel/kernel.config.riscv64-ipfire | 13 ++----------- config/kernel/kernel.config.x86_64-ipfire | 17 ++--------------- 4 files changed, 8 insertions(+), 48 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 0fcbed4a2..5bd15cc48 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -126,8 +126,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -7410,7 +7408,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set 
@@ -8166,12 +8163,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -8186,7 +8179,6 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set @@ -8194,7 +8186,6 @@ CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 468c74112..06010f893 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -133,8 +133,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -7414,7 +7412,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set 
@@ -8132,12 +8129,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -8153,7 +8146,6 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set @@ -8161,7 +8153,6 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index de975e3f0..6b0aa466f 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -119,8 +119,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -6047,7 +6045,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set 
@@ -6754,12 +6751,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -6774,14 +6767,12 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_TRACE_EVENT_INJECT is not set # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 42275d26f..eee5e4a55 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -146,8 +146,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -476,7 +474,6 @@ CONFIG_LEGACY_VSYSCALL_NONE=y # CONFIG_CMDLINE_BOOL is not set # CONFIG_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y -# CONFIG_LIVEPATCH is not set # end of Processor type and features CONFIG_ARCH_HAS_ADD_PAGES=y 
@@ -6823,7 +6820,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -7604,14 +7600,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y -CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set 
@@ -7627,15 +7617,12 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y -CONFIG_FTRACE_MCOUNT_USE_CC=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set # CONFIG_TRACE_EVENT_INJECT is not set # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set 
From patchwork Sat Mar 19 21:11:21 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 5365
Message-ID: <1b36a9fd-18a3-ffd2-4c95-34bbe75ca754@ipfire.org>
Date: Sat, 19 Mar 2022 21:11:21 +0000
Subject: [PATCH 11/11] Kernel: Update rootfile for x86_64
To: development@lists.ipfire.org
References: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
From: Peter Müller
In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
List-Id: IPFire development talk
Signed-off-by: Peter Müller --- config/rootfiles/common/x86_64/linux | 33 ++++++++++++++++------------ 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index a01af1fc4..85d8ffc66 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -6408,6 +6408,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/ALX #lib/modules/KVER-ipfire/build/include/config/AMD8111_ETH #lib/modules/KVER-ipfire/build/include/config/AMD_IOMMU +#lib/modules/KVER-ipfire/build/include/config/AMD_IOMMU_V2 #lib/modules/KVER-ipfire/build/include/config/AMD_NB #lib/modules/KVER-ipfire/build/include/config/AMD_PHY #lib/modules/KVER-ipfire/build/include/config/AMD_PMC @@ -6680,7 +6681,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INITRD #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INTEGRITY #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INTEGRITY_T10 -#lib/modules/KVER-ipfire/build/include/config/BLK_DEV_IO_TRACE #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_LOOP #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_LOOP_MIN_COUNT #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_MD 
@@ -6763,6 +6763,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS_POSIX_ACL #lib/modules/KVER-ipfire/build/include/config/BTT #lib/modules/KVER-ipfire/build/include/config/BUG +#lib/modules/KVER-ipfire/build/include/config/BUG_ON_DATA_CORRUPTION #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_TABLE_SORT #lib/modules/KVER-ipfire/build/include/config/BUILD_SALT #lib/modules/KVER-ipfire/build/include/config/CACHEFILES @@ -6786,6 +6787,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CC_HAS_NO_PROFILE_FN_ATTR #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANCOV_TRACE_PC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANE_STACKPROTECTOR +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_UBSAN_BOUNDS #lib/modules/KVER-ipfire/build/include/config/CC_HAS_WORKING_NOSANITIZE_ADDRESS #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ZERO_CALL_USED_REGS #lib/modules/KVER-ipfire/build/include/config/CC_IS_GCC @@ -7086,6 +7088,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/DEBUG_FS #lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL +#lib/modules/KVER-ipfire/build/include/config/DEBUG_LIST #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX #lib/modules/KVER-ipfire/build/include/config/DECOMPRESS_BZIP2 
@@ -7417,10 +7420,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_CALLS -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_REGS #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_MEMORY_LAYOUT #lib/modules/KVER-ipfire/build/include/config/E100 #lib/modules/KVER-ipfire/build/include/config/E1000 @@ -7589,14 +7588,9 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/FS_MBCACHE #lib/modules/KVER-ipfire/build/include/config/FS_POSIX_ACL #lib/modules/KVER-ipfire/build/include/config/FTRACE -#lib/modules/KVER-ipfire/build/include/config/FTRACE_MCOUNT_RECORD -#lib/modules/KVER-ipfire/build/include/config/FTRACE_MCOUNT_USE_CC #lib/modules/KVER-ipfire/build/include/config/FTRACE_SYSCALLS #lib/modules/KVER-ipfire/build/include/config/FUJITSU_ES #lib/modules/KVER-ipfire/build/include/config/FUJITSU_LAPTOP -#lib/modules/KVER-ipfire/build/include/config/FUNCTION_GRAPH_TRACER -#lib/modules/KVER-ipfire/build/include/config/FUNCTION_PROFILER -#lib/modules/KVER-ipfire/build/include/config/FUNCTION_TRACER #lib/modules/KVER-ipfire/build/include/config/FUSE_FS #lib/modules/KVER-ipfire/build/include/config/FUSION #lib/modules/KVER-ipfire/build/include/config/FUSION_CTL 
@@ -8070,6 +8064,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/INTEL_IOATDMA #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_FLOPPY_WA +#lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_SVM #lib/modules/KVER-ipfire/build/include/config/INTEL_IPS #lib/modules/KVER-ipfire/build/include/config/INTEL_ISH_HID #lib/modules/KVER-ipfire/build/include/config/INTEL_LDMA @@ -8090,6 +8085,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/IOMMU_IOVA #lib/modules/KVER-ipfire/build/include/config/IOMMU_IO_PGTABLE #lib/modules/KVER-ipfire/build/include/config/IOMMU_SUPPORT +#lib/modules/KVER-ipfire/build/include/config/IOMMU_SVA_LIB #lib/modules/KVER-ipfire/build/include/config/IONIC #lib/modules/KVER-ipfire/build/include/config/IOSCHED_BFQ #lib/modules/KVER-ipfire/build/include/config/IOSF_MBI @@ -8345,7 +8341,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/LAN743X #lib/modules/KVER-ipfire/build/include/config/LCD_CLASS_DEVICE #lib/modules/KVER-ipfire/build/include/config/LCD_PLATFORM -#lib/modules/KVER-ipfire/build/include/config/LDISC_AUTOLOAD #lib/modules/KVER-ipfire/build/include/config/LDM_PARTITION #lib/modules/KVER-ipfire/build/include/config/LD_IS_BFD #lib/modules/KVER-ipfire/build/include/config/LD_ORPHAN_WARN @@ -8414,6 +8409,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/LOCKD_V4 #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT +#lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_INTEGRITY #lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER #lib/modules/KVER-ipfire/build/include/config/LOGO 
@@ -9867,6 +9863,11 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/SECURITY #lib/modules/KVER-ipfire/build/include/config/SECURITYFS #lib/modules/KVER-ipfire/build/include/config/SECURITY_DMESG_RESTRICT +#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOADPIN +#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOADPIN_ENFORCE +#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOCKDOWN_LSM +#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOCKDOWN_LSM_EARLY +#lib/modules/KVER-ipfire/build/include/config/SECURITY_SAFESETID #lib/modules/KVER-ipfire/build/include/config/SELECT_MEMORY_MODEL #lib/modules/KVER-ipfire/build/include/config/SENSORS_ABITUGURU #lib/modules/KVER-ipfire/build/include/config/SENSORS_ABITUGURU3 @@ -10345,7 +10346,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/STACKPROTECTOR_STRONG #lib/modules/KVER-ipfire/build/include/config/STACKTRACE #lib/modules/KVER-ipfire/build/include/config/STACKTRACE_SUPPORT -#lib/modules/KVER-ipfire/build/include/config/STACK_TRACER #lib/modules/KVER-ipfire/build/include/config/STACK_VALIDATION #lib/modules/KVER-ipfire/build/include/config/STAGING #lib/modules/KVER-ipfire/build/include/config/STANDALONE @@ -10395,8 +10395,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/SYS_HYPERVISOR #lib/modules/KVER-ipfire/build/include/config/TAP #lib/modules/KVER-ipfire/build/include/config/TASKSTATS -#lib/modules/KVER-ipfire/build/include/config/TASKS_RCU_GENERIC -#lib/modules/KVER-ipfire/build/include/config/TASKS_RUDE_RCU #lib/modules/KVER-ipfire/build/include/config/TASK_DELAY_ACCT #lib/modules/KVER-ipfire/build/include/config/TASK_IO_ACCOUNTING #lib/modules/KVER-ipfire/build/include/config/TASK_XACCT 
@@ -10502,6 +10500,13 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/TYPEC_TCPM #lib/modules/KVER-ipfire/build/include/config/TYPEC_UCSI #lib/modules/KVER-ipfire/build/include/config/TYPHOON +#lib/modules/KVER-ipfire/build/include/config/UBSAN +#lib/modules/KVER-ipfire/build/include/config/UBSAN_BOOL +#lib/modules/KVER-ipfire/build/include/config/UBSAN_BOUNDS +#lib/modules/KVER-ipfire/build/include/config/UBSAN_ENUM +#lib/modules/KVER-ipfire/build/include/config/UBSAN_ONLY_BOUNDS +#lib/modules/KVER-ipfire/build/include/config/UBSAN_SANITIZE_ALL +#lib/modules/KVER-ipfire/build/include/config/UBSAN_SHIFT #lib/modules/KVER-ipfire/build/include/config/UCS2_STRING #lib/modules/KVER-ipfire/build/include/config/UCSI_ACPI #lib/modules/KVER-ipfire/build/include/config/UDF_FS
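Review bot: in the kernel.config patch that precedes this one, the non-x86 hunks leave an FTRACE_MCOUNT_USE_* symbol behind after CONFIG_FTRACE_MCOUNT_RECORD=y is removed. The armv6l hunk at -8153,7 and the riscv64 hunk at -6774,14 keep CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y, and the hunk at -8186,7 keeps CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y, whereas the x86_64 file drops CONFIG_FTRACE_MCOUNT_USE_CC=y in the same place. Please regenerate those three files with the same oldconfig step that produced the x86_64 one, so the stored configuration matches what the build will actually resolve to.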
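Review bot: the x86_64 kernel.config hunk at -7627,15 in the preceding patch still carries CONFIG_RING_BUFFER_BENCHMARK=m, and the same line survives as context in the other architecture files. If the function and stack tracers are being dropped because a production firewall has no use for them, the ring buffer benchmark module is a candidate for the same change; if the remaining tracing options (CONFIG_SCHED_TRACER=y, CONFIG_UPROBE_EVENTS=y, CONFIG_PROBE_EVENTS=y) are kept on purpose, a sentence in the commit message saying so would settle the question.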
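Review bot: the removals at -7417,10 and -7589,14 of the rootfile (DYNAMIC_FTRACE*, FTRACE_MCOUNT_*, FUNCTION_TRACER and friends) mirror kernel.config changes that the preceding patch also makes for armv6l and riscv64, yet only config/rootfiles/common/x86_64/linux is updated here. If the other architectures have their own linux rootfile, they need the matching update in this series. The message also consists of the Signed-off-by line alone; one line naming the config patches this rootfile follows would make it reviewable on its own.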
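Review bot: the rootfile hunk at -9867,6 records SECURITY_LOADPIN_ENFORCE and SECURITY_LOCKDOWN_LSM_EARLY, and the hunk at -8414,6 records LOCK_DOWN_KERNEL_FORCE_INTEGRITY; these change runtime behaviour rather than only adding checks, and nothing in this patch says how they were tested. With LoadPin enforcing, modules and firmware are accepted only from the filesystem the first load came from, so please confirm a boot that loads modules first from the initramfs and later from the root filesystem. Lockdown in integrity mode refuses unsigned modules, so please also state whether the modules shipped by this rootfile are signed.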
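Review bot: the rootfile hunk at -10502,6 adds UBSAN_BOOL, UBSAN_ENUM and UBSAN_SHIFT alongside UBSAN_BOUNDS, and no UBSAN_TRAP entry follows UBSAN_SHIFT in the sorted list. Without the trap option a detected bounds violation is reported in the log and execution continues, which limits the hardening value, while the bool, enum and shift checks add instrumentation that is mostly of debugging interest. Consider restricting the sanitizer to bounds checking and deciding explicitly whether a hit should stop the kernel, and note the choice in the config patch that enables UBSAN.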