From patchwork Fri Oct 13 09:03:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 7280 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4S6LCk4bLsz3wfc for ; Fri, 13 Oct 2023 09:04:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4S6LCg3CWjzCj; Fri, 13 Oct 2023 09:03:59 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4S6LCg1vHsz2xn3; Fri, 13 Oct 2023 09:03:59 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4S6LCd2NfXz2xn3 for ; Fri, 13 Oct 2023 09:03:57 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4S6LCb5qW6zCj for ; Fri, 13 Oct 2023 09:03:55 +0000 (UTC) 
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1697187836; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=j2axJ07GZ+k/bxlM2JcnLAm8exAoszJa0QWbDg8wFpo=; b=xfU/S2KVUMvaVGH38HfQdiDDvPycfXK2rJznfMUI+kubSkAeJvulfjE1ZXvMJ0o5kXYMWh GLMXd47Jt9i5mfDg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1697187836; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=j2axJ07GZ+k/bxlM2JcnLAm8exAoszJa0QWbDg8wFpo=; b=rD3R56SqKCrbeBVl5AMPkli8RoitIHWFX/VTODkuc1xg9Ypf4erkg9aotaRzLF/Ovy3HlK N5dxZceF33gl6cKmBGwM361HYZdy+YwQ8pYwCvuQpfN27m+1s3tZ6ZIjlo13bZfeiAKYG5 DZP1M7s+TbfxktBdjVKqCiVhGkQJfuifX67YGJBYWT+aT/MERRx8rliFBDivk+gom8MgTT eQ4JbWhoXZlr/uX8NKo+92ZdOwR8AMd9Vr9B+9WtuOd15U6b7BojDAf7PWzGywMGpxpYBZ 7XRgk23QbEO2NfegJBY8CWGwOIP+vIgr8GbiE6Tv2Y18OxLRKq67YjMI05637A== Message-ID: Date: Fri, 13 Oct 2023 09:03:00 +0000 MIME-Version: 1.0 To: "IPFire: Development" 
From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH 1/2] linux: Disable io_uring Message-ID-Hash: 5YW2V7NG6QRKVL2GMOFY5YFSO7NYEUB7 X-Message-ID-Hash: 5YW2V7NG6QRKVL2GMOFY5YFSO7NYEUB7 X-MailFrom: peter.mueller@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This subsystem has been a frequent source of security vulnerabilities affecting the Linux kernel; as a result, Google announced on June 14, 2023, that they would disable it in their environment as widely as possible. IPFire does not depend on the availability of io_uring. Therefore, disable this subsystem as well in order to preemptively cut attack surface. See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 3 +-- config/kernel/kernel.config.x86_64-ipfire | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 96944c3d5..0d7c1ba8a 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -229,7 +229,7 @@ CONFIG_TIMERFD=y CONFIG_EVENTFD=y CONFIG_SHMEM=y CONFIG_AIO=y -CONFIG_IO_URING=y +# CONFIG_IO_URING is not set CONFIG_ADVISE_SYSCALLS=y CONFIG_MEMBARRIER=y CONFIG_KALLSYMS=y @@ -7824,7 +7824,6 @@ CONFIG_NLS_MAC_TURKISH=m CONFIG_NLS_UTF8=m # CONFIG_DLM is not set # CONFIG_UNICODE is not set -CONFIG_IO_WQ=y # end of File systems # diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 129e0d209..48fdbd8ff 100644 
--- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -249,7 +249,7 @@ CONFIG_TIMERFD=y CONFIG_EVENTFD=y CONFIG_SHMEM=y CONFIG_AIO=y -CONFIG_IO_URING=y +# CONFIG_IO_URING is not set CONFIG_ADVISE_SYSCALLS=y CONFIG_MEMBARRIER=y CONFIG_KALLSYMS=y 
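Review bot: the commit message should say how "IPFire does not depend on the availability of io_uring" was established, since both the aarch64 and the x86_64 hunks turn `CONFIG_IO_URING=y` into `# CONFIG_IO_URING is not set` and a userspace consumer would only surface as a failing `io_uring_setup` call at runtime; a sentence naming what was checked (shipped daemons, build-time feature detection) makes the claim reviewable. It would also help to state that the `-CONFIG_IO_WQ=y` line in the later "File systems" hunks of both files is a consequence of this change rather than a separate one: `IO_WQ` is a promptless symbol that `IO_URING` selects, which is why it is dropped from the config outright instead of being rewritten as "is not set".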
@@ -7047,7 +7047,6 @@ CONFIG_DLM=m # CONFIG_DLM_DEPRECATED_API is not set # CONFIG_DLM_DEBUG is not set # CONFIG_UNICODE is not set -CONFIG_IO_WQ=y # end of File systems # From patchwork Fri Oct 13 09:04:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 7281 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4S6LD46QpTz3wfc for ; Fri, 13 Oct 2023 09:04:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4S6LD43bhrz84; Fri, 13 Oct 2023 09:04:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4S6LD432bXz2xn3; Fri, 13 Oct 2023 09:04:20 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4S6LD22ZTWz2xn3 for ; Fri, 13 Oct 2023 09:04:18 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org 
(Postfix) with ESMTPSA id 4S6LD11t1sz84 for ; Fri, 13 Oct 2023 09:04:16 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1697187857; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xftCU6TAe34AIBkU7N4jaNEC5JkmqtMPuV4DvOC0/NI=; b=0suC66fNHwZMoloFzFzb4knlZ3p8WrqpX+PJ115De3AdL/Y6O9Bed9S88bKVBIBMSiRM7W S13dBvDIke7vm3BA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1697187857; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xftCU6TAe34AIBkU7N4jaNEC5JkmqtMPuV4DvOC0/NI=; b=JplrWNAsIaPjYC6pEgBY6kN+VlyqO/AU3S2vBq1jlYJQ8ss9n/Hh5dAQSoMlmS2VMJF/cQ PnVN9uVsQYz/7qEzQWros5PyQHACKeX0jOa3/a3Farqm6GkuuT9UA4LcEr1dj7w2UArvaP 5GoBASYNGyuNX9ZhSCwCtYCVpRW2YbCpaCKdgiEOuajYg3uqg8bpavPbftnvE41r4jWohX jhQ+9IguqCUUv8PYbPPmhdhZs8fRdh3EC75vVtJEE0HF58ALtILmIlLZVvyhqepgZQxgua h94vxuGnG9yapNT3V6WiZG0X6J6hbhKmAF5qvaUQOWXmcZ1oO4b8vemgaOW+GA== Message-ID: <0a0c2405-2e76-4c47-9959-6b511733d968@ipfire.org> Date: Fri, 13 Oct 2023 09:04:00 +0000 MIME-Version: 1.0 Subject: [PATCH 2/2] linux: Set default IOMMU handling to "strict" on 64-bit ARM To: development@lists.ipfire.org References: 
From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: Message-ID-Hash: I55CPPXNCTC4UYM4S3GZJRICIRQX4ZVS X-Message-ID-Hash: I55CPPXNCTC4UYM4S3GZJRICIRQX4ZVS X-MailFrom: peter.mueller@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This has been our default setting on x86_64 for quite some time now, which is why this patch aligns the aarch64 kernel configuration to that value. Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 0d7c1ba8a..46bfb1bb3 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7190,9 +7190,9 @@ CONFIG_IOMMU_IO_PGTABLE_LPAE=y # CONFIG_IOMMU_IO_PGTABLE_DART is not set # end of Generic IOMMU Pagetable Support -# CONFIG_IOMMU_DEFAULT_DMA_STRICT is not set +CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set -CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y +# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set CONFIG_OF_IOMMU=y CONFIG_IOMMU_DMA=y CONFIG_ROCKCHIP_IOMMU=y
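Review bot: "align with x86_64" is the only rationale given, but the hunk chooses `CONFIG_IOMMU_DEFAULT_DMA_STRICT=y` over the `CONFIG_IOMMU_DEFAULT_DMA_LAZY` option that sits between the two changed lines, and that choice deserves one sentence in the commit message: strict mode invalidates the IOTLB on every unmap, so a device cannot keep using a mapping after the kernel has released it, whereas lazy mode defers that flush for throughput. Since this board config has `CONFIG_ROCKCHIP_IOMMU=y`, the message should also mention the expected DMA performance cost on those SoCs and that the default can be overridden per boot with `iommu.strict=` / `iommu.passthrough=` on the kernel command line if a regression needs to be bisected without rebuilding.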