Djam/kernel-5.15
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/kernel-5.15.git synced 2025-02-23 18:42:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
575 commits 5 branches 9 tags 15 MiB
Commit graph

575 commits

This branch
This branch
All branches
Author SHA1 Message Date
Mikhail Novosyolov
104da23e60 minor: delete some odd empty lines 2020-03-19 00:48:01 +03:00
Mikhail Novosyolov
4e695cf30c Replace patch for sign-file.c with the one sent to upstream. CONFIG_MODULE_SIG_STREEBOG* does not make sense now as there is no tool to properly sign with a GOST algo 2020-03-19 00:42:46 +03:00
Mikhail Novosyolov
784b256f80 Always generate a random GOST key for the kernel keyring (later add preinstalled trusted GOST keys) 2020-03-18 23:53:18 +03:00
Mikhail Novosyolov
3148180250 Prepare to have the same kernel in Fresh/RED and certified distros: 
- rename nrj-desktop to generic because nowadays there are no nrjQL patches
- keep nickel flavour for certified distros
- add uml and uml-modules subpackages
- fix description of uml package - it is stripped
- always enable enhanced_security
- disable CONFIG_INIT_ON_FREE_DEFAULT_ON on non-certified distros for best performance
- in scriptlets, check that dkms is installed and make actions if it is installed
- do not depend from the dkms package to avoid pulling it even if someone wants to completely remove it
 2020-03-18 22:26:13 +03:00
Mikhail Novosyolov
0313188174 delete incorrect patch 
AltHa/RestrScript: file /bin/dmesg is allowed to run by f_path \xc0l2r\xe3\xa0\xff\xff
 2020-03-17 11:51:43 +03:00
Mikhail Novosyolov
2854a5a0a7 AltHa: add logging of allowed interpreters 
kernel.altha.rstrscript.debug_log=1 now allows to log interpreters
which were allowed to run and log the path to them which was seen by the kernel.

It should easify debugging issues like https://bugzilla.altlinux.org/show_bug.cgi?id=38225
where it is not clear why a binary was allowed to run.
 2020-03-17 00:31:54 +03:00
Mikhail Novosyolov
5f08ed1263 Add AltHa LSM Module 
TODO: https://bugzilla.altlinux.org/show_bug.cgi?id=38225 has to be resolved
 2020-03-16 23:58:42 +03:00
Mikhail Novosyolov
88e63d63e7 Fix building UML on 32 bit (copy hack from non-UML) 2020-03-16 19:38:59 +03:00
Mikhail Novosyolov
6b48b8dafb Disable GOST signing for now due to impossibility to make a correct signature untill libressl or openssl-gost-engine support GOST CMS 2020-03-15 20:26:01 +03:00
Mikhail Novosyolov
c98134ffc6 Revert "Mix non-GOST RSA keys with GOST buildtime key in the kernel keyring" 
The 1st certificate from PEM - GOST - is loaded correctly, others (RSA) are not

Loaded X.509 cert 'ROSA rpmbuild: Build time autogenerated kernel key: bb12e555ee1aa3718c7cbff4033d6f08ddc514af'
Loaded X.509 cert 'ROSA rpmbuild: Build time autogenerated kernel key: bb12e555ee1aa3718c7cbff4033d6f08ddc514af'

Thread 1 "linux-uml-5.4.2" hit Breakpoint 1, pkcs1pad_verify (req=0x6197a600) at crypto/rsa-pkcs1pad.c:538
538		if (WARN_ON(req->dst) ||
(gdb) n
539		    WARN_ON(!req->dst_len) ||
(gdb) n
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:539 pkcs1pad_verify+0x4e/0x146
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0 #1
Stack:
 6182b9e0 602e6a39 00000009 00000000
 00000000 61969580 6182b9f0 602e6a7e
 6182ba30 60037f79 00000200 61981409
Call Trace:
 [<600677ed>] ? printk+0x0/0x94
 [<601e1d29>] ? sg_set_buf+0x0/0x92
 [<6001d383>] show_stack+0x13b/0x155
 [<602e6a39>] ? dump_stack_print_info+0xe2/0xeb
 [<602e6a7e>] dump_stack+0x2a/0x2c
 [<60037f79>] __warn+0xed/0x116
 [<60038431>] warn_slowpath_fmt+0xd1/0xdf
 [<601dab29>] ? rsa_free_mpi_key+0x0/0x44
 [<601dab29>] ? rsa_free_mpi_key+0x0/0x44
 [<60211d2c>] ? mpi_read_raw_data+0x0/0x105
 [<601dad3e>] ? rsa_set_pub_key+0xb9/0xe7
 [<60038360>] ? warn_slowpath_fmt+0x0/0xdf
 [<601db6d3>] pkcs1pad_verify+0x4e/0x146
 [<601e2667>] public_key_verify_signature+0x2ae/0x366
 [<601d3a45>] ? crypto_find_alg+0x0/0x2a
 [<6002eebe>] ? set_signals+0x30/0x36
 [<6002eebe>] ? set_signals+0x30/0x36
 [<600d082f>] ? __kmalloc+0xa6/0xd0
 [<600d10ee>] ? kfree+0x0/0x65
 [<601e37ea>] x509_check_for_self_signed+0xd9/0xff
 [<600d10ee>] ? kfree+0x0/0x65
 [<601e2e48>] x509_cert_parse+0x1ed/0x22d
 [<601e33de>] x509_key_preparse+0x28/0x20a
 [<601e0e66>] asymmetric_key_preparse+0x4a/0x87
 [<601ca333>] ? key_type_lookup+0x5a/0x97
 [<601ca509>] key_create_or_update+0x199/0x43a
 [<600677ed>] ? printk+0x0/0x94
 [<6000a549>] load_system_certificate_list+0xc2/0x134
 [<6000a487>] ? load_system_certificate_list+0x0/0x134
 [<6001aa19>] do_one_initcall+0x8e/0x1d0
 [<6001a98b>] ? do_one_initcall+0x0/0x1d0
 [<6001a98b>] ? do_one_initcall+0x0/0x1d0
 [<60001e26>] kernel_init_freeable+0x18c/0x254
 [<600677ed>] ? printk+0x0/0x94
 [<602f55bd>] kernel_init+0x27/0x136
 [<6001c1b5>] new_thread_handler+0x81/0xb2

---[ end trace 9cd4d0bf1a354d26 ]---
public_key_verify_signature (pkey=0x61969580, sig=<optimized out>) at crypto/asymmetric_keys/public_key.c:309
309		ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
(gdb) p req
$1 = (struct akcipher_request *) 0x6197a600
(gdb) p &req
Address requested for identifier "req" which is in register $rbx
(gdb) p $req
$2 = void
(gdb) p req->src_len
$3 = 512
(gdb) p ctx->key_size
No symbol "ctx" in current context.
(gdb)

Problems happen here:

static int pkcs1pad_verify(struct akcipher_request *req)
{
	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
	int err;

	if (WARN_ON(req->dst) ||
	    WARN_ON(!req->dst_len) ||
	    !ctx->key_size || req->src_len < ctx->key_size)
		return -EINVAL;

For now let's just disable this and debug this later if I have wish and time.

This reverts commit 89974eea5f.
 2020-03-15 17:08:18 +03:00
Mikhail Novosyolov
89974eea5f Mix non-GOST RSA keys with GOST buildtime key in the kernel keyring 2020-03-15 14:55:26 +03:00
Mikhail Novosyolov
582758eb22 CRYPTO_ECRDSA must be built in to load kernel keyring and modules 2020-03-15 13:16:34 +03:00
Mikhail Novosyolov
663de86aea decode future CONFIG_SYSTEM_TRUSTED_KEYS 2020-03-14 22:02:48 +03:00
Evgenii Shatokhin
ad889a101f Do not package include/Kbuild 
Starting from fcbb8461fd23 "kbuild: remove header compile test",
include/Kbuild is no longer provided. Do not expect it to be present.
 2020-03-14 20:51:32 +03:00
Evgenii Shatokhin
caad8bc737 Fix objtool-related errors in 'make prepare' for devel packages 
Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 2020-03-14 20:51:15 +03:00
Mikhail Novosyolov
974fbb224c More verbosity 2020-03-14 15:06:19 +03:00
Mikhail Novosyolov
7dd0d4da5b upd: 5.4.6 -> 5.4.25 2020-03-13 23:26:47 +03:00
Mikhail Novosyolov
de78db5b2c Better regulation of CONFIG_DEBUGINFO*, make UML binary really not stripped 2020-03-13 20:51:12 +03:00
Mikhail Novosyolov
b320b958ee Build UML (User Mode Linux) 2020-03-13 20:35:12 +03:00
Mikhail Novosyolov
2e4f6dd1fc python-devel was renamed to python2-devel in rosa2019.1 2020-03-13 20:33:55 +03:00
Mikhail Novosyolov
2887e766e7 enable AutoProv 2020-03-13 20:33:46 +03:00
Mikhail Novosyolov
227ff5c08b adapt for rpm4 2020-03-13 20:33:36 +03:00
Mikhail Novosyolov
64d2bf03ae Print debug messages to console/log 2019-12-23 14:29:21 +03:00
Mikhail Novosyolov
833fec59c1 upd: 5.4.3 -> 5.4.6 2019-12-22 02:35:08 +03:00
Evgenii Shatokhin
6d5c9b98f5 aufs: do not export flush_delayed_fput() twice 2019-12-16 16:53:30 +03:00
Mikhail Novosyolov
14ab754fe2 upd: 5.4.2 -> 5.4.3 2019-12-16 16:14:30 +03:00
Mikhail Novosyolov
06412a73ba Reenable AUFS 
(I am still thinking of dropping AUFS)
 2019-12-16 16:12:07 +03:00
Evgenii Shatokhin
34e76862b9 Updated configs and AUFS patch for kernel 5.4.3 
AUFS patch was rediffed manually due to missing upstream version for kernel 5.4
 2019-12-16 16:09:18 +03:00
Mikhail Novosyolov
f439835bb0 Upd to 5.4 series (v5.4.2), rediffed patches, disabled AUFS for now 2019-12-12 15:30:51 +03:00
Mikhail Novosyolov
eb0db6c1dd allow unsigned modules 2019-12-09 19:50:34 +03:00
Mikhail Novosyolov
12362ac8e3 Use GOST for signing kernel modules 2019-12-09 19:50:15 +03:00
Mikhail Novosyolov
efe34d83a7 upd: 5.3.11 -> 5.3.15 2019-12-07 20:39:47 +03:00
Mikhail Novosyolov
cd6077c83d test libressl, step 1 2019-12-01 02:03:15 +03:00
Mikhail Novosyolov
c9df52aa4c Allow to rebuild allowing unsigned modules (needed for testing custom modules from rosa-test-suite e.g.) 2019-11-21 21:17:42 +03:00
Mikhail Novosyolov
a71dd0a80d Use relative path to certs directory, use "" 
Fixes reading PEM with trusted keys (for some reason...)
 2019-11-19 22:30:42 +03:00
Mikhail Novosyolov
32ae7451b8 debug: print public certificates to log 2019-11-19 00:24:49 +03:00
Mikhail Novosyolov
a7f7bf8598 Explicitly enable CONFIG_SYSTEM_EXTRA_CERTIFICATE (is enabled in Kconfig by default) 2019-11-18 21:25:13 +03:00
Mikhail Novosyolov
aa3a5337f4 Use CONFIG_SYSTEM_TRUSTED_KEYS for propper configuration of trusted keys (currently no keys were trusted) 2019-11-18 18:57:48 +03:00
Evgenii Shatokhin
81f0f6a4db Updated to version 5.3.11 2019-11-18 00:16:32 +03:00
Mikhail Novosyolov
722ec1fea5 Reenable CONFIG_MODULE_SIG_ALL=y 2019-11-18 00:12:28 +03:00
Mikhail Novosyolov
e185c46feb Fix key valid till date, it was valid only for 30 days 
$ openssl x509 -enddate -noout -in full_key0.pem
notAfter=Sep  6 16:04:17 2319 GMT
 2019-11-17 19:12:14 +03:00
Mikhail Novosyolov
1d8979272b Add additional public keys to the list of trusted keys for kernel modules 2019-11-17 17:21:25 +03:00
Mikhail Novosyolov
3d57d87ee7 Improve x509 config based on kernel's certs/Makefile 2019-11-17 16:09:47 +03:00
Mikhail Novosyolov
179d4d367c Provide kernel-hardended if with enhanced_security 
This may be useful e.g. if we attach an additional sysctl by a hardening patch like ebcecf9f12 and then enable that sysctl from another package. That package should require kernel-hardened.
 2019-11-17 15:18:28 +03:00
Mikhail Novosyolov
eea783a594 Fix more copy-paste junk from desktop flavour 
Extends commit 95c7ee5355
 2019-11-17 15:12:03 +03:00
Mikhail Novosyolov
236b8ce3a6 Avoid tricky shell construction 
It sometimes failed:

environment: line 4: 1
7+1: syntax error in expression (error token is "7+1")
 2019-11-14 08:52:35 +03:00
Mikhail Novosyolov
3eca49b16a Enable wiping objects in RAM with enhanced_security 2019-11-14 08:52:35 +03:00
Mikhail Novosyolov
95c7ee5355 Fix copy-paste typo (fix filelist of debuginfo package) 2019-11-14 00:20:41 +03:00
Mikhail Novosyolov
b46067ee17 Manually sign modules after stripping 2019-11-13 18:18:59 +03:00
Evgenii Shatokhin
2076e438cd Added more filters to kernel.rpmlintrc 
* "E: unstripped-binary-or-object" - debuginfo package has such files
* "W: non-executable-script", "W: script-without-shebang" - kernel
packages have many special scripts which are not expected to be called
directly.
 2019-11-12 16:40:21 +03:00