Mikhail Novosyolov
eb0db6c1dd
allow unsigned modules
2019-12-09 19:50:34 +03:00
Mikhail Novosyolov
12362ac8e3
Use GOST for signing kernel modules
2019-12-09 19:50:15 +03:00
Mikhail Novosyolov
efe34d83a7
upd: 5.3.11 -> 5.3.15
2019-12-07 20:39:47 +03:00
Mikhail Novosyolov
cd6077c83d
test libressl, step 1
2019-12-01 02:03:15 +03:00
Mikhail Novosyolov
c9df52aa4c
Allow to rebuild allowing unsigned modules (needed for testing custom modules from rosa-test-suite e.g.)
2019-11-21 21:17:42 +03:00
Mikhail Novosyolov
a71dd0a80d
Use relative path to certs directory, use ""
...
Fixes reading PEM with trusted keys (for some reason...)
2019-11-19 22:30:42 +03:00
Mikhail Novosyolov
32ae7451b8
debug: print public certificates to log
2019-11-19 00:24:49 +03:00
Mikhail Novosyolov
a7f7bf8598
Explicitly enable CONFIG_SYSTEM_EXTRA_CERTIFICATE (is enabled in Kconfig by default)
2019-11-18 21:25:13 +03:00
Mikhail Novosyolov
aa3a5337f4
Use CONFIG_SYSTEM_TRUSTED_KEYS for proper configuration of trusted keys (currently no keys were trusted)
2019-11-18 18:57:48 +03:00
Evgenii Shatokhin
81f0f6a4db
Updated to version 5.3.11
2019-11-18 00:16:32 +03:00
Mikhail Novosyolov
722ec1fea5
Reenable CONFIG_MODULE_SIG_ALL=y
2019-11-18 00:12:28 +03:00
Mikhail Novosyolov
e185c46feb
Fix key valid till date, it was valid only for 30 days
...
$ openssl x509 -enddate -noout -in full_key0.pem
notAfter=Sep 6 16:04:17 2319 GMT
2019-11-17 19:12:14 +03:00
Mikhail Novosyolov
1d8979272b
Add additional public keys to the list of trusted keys for kernel modules
2019-11-17 17:21:25 +03:00
Mikhail Novosyolov
3d57d87ee7
Improve x509 config based on kernel's certs/Makefile
2019-11-17 16:09:47 +03:00
Mikhail Novosyolov
179d4d367c
Provide kernel-hardened if with enhanced_security
...
This may be useful e.g. if we attach an additional sysctl by a hardening patch like ebcecf9f12
and then enable that sysctl from another package. That package should require kernel-hardened.
2019-11-17 15:18:28 +03:00
Mikhail Novosyolov
eea783a594
Fix more copy-paste junk from desktop flavour
...
Extends commit 95c7ee5355
2019-11-17 15:12:03 +03:00
Mikhail Novosyolov
236b8ce3a6
Avoid tricky shell construction
...
It sometimes failed:
environment: line 4: 1
7+1: syntax error in expression (error token is "7+1")
2019-11-14 08:52:35 +03:00
Mikhail Novosyolov
3eca49b16a
Enable wiping objects in RAM with enhanced_security
2019-11-14 08:52:35 +03:00
Mikhail Novosyolov
95c7ee5355
Fix copy-paste typo (fix filelist of debuginfo package)
2019-11-14 00:20:41 +03:00
Mikhail Novosyolov
b46067ee17
Manually sign modules after stripping
2019-11-13 18:18:59 +03:00
Evgenii Shatokhin
2076e438cd
Added more filters to kernel.rpmlintrc
...
* "E: unstripped-binary-or-object" - debuginfo package has such files
* "W: non-executable-script", "W: script-without-shebang" - kernel
packages have many special scripts which are not expected to be called
directly.
2019-11-12 16:40:21 +03:00
Mikhail Novosyolov
6e1e792676
enhanced_security logically conflicts with dkms
2019-11-12 16:16:27 +03:00
Mikhail Novosyolov
9674247130
Enable debug, which will also strip kernel modules
2019-11-12 16:07:05 +03:00
Alexander Stefanov
26660b3500
strip kernel modules
2019-11-12 15:41:56 +03:00
Mikhail Novosyolov
300bd5e2db
Improve regexp for email
...
Previous regexp assumed that first level domain is <=4 symbols,
but modern domain zones are longer, e.g. email foo@foo.forex
was incorrectly considered invalid by the old regexp
Move this stuff from macro expansion to the script itself:
the new regexp does not work inside RPM-invoked shell due to
further subshells being invoked by '()' in the regexp
(I don't know how to deal with it, `shopt -u expand_aliases` does not help)
[ Regexp is from logist/wl.cgi ]
2019-11-12 04:10:17 +03:00
Mikhail Novosyolov
cc3afd8669
Fix parsing hexdump output
...
hexdump output on i586 contained odd symbol '|' in the line where the word 'Modules' began,
it broke previously used awk command.
2019-11-12 01:32:36 +03:00
Mikhail Novosyolov
4dc2157aaa
upd: 5.3.7 -> 5.3.10
2019-11-12 01:07:30 +03:00
Mikhail Novosyolov
f76f4d007e
Turn off unneeded logging to decrease build log size
2019-11-11 23:48:27 +03:00
Mikhail Novosyolov
9a76adb348
Better removal of private keys
2019-11-11 23:04:21 +03:00
Mikhail Novosyolov
f8e79286b3
Rename from nrj-desktop to nickel if built with hardening
...
Nickel may be not the best name but I don't have better ideas.
2019-11-11 22:56:06 +03:00
Mikhail Novosyolov
f05348d4fa
Verify that modules are signed (multithreaded)
2019-11-11 22:55:51 +03:00
Mikhail Novosyolov
3a8564ce81
Implement signing kernel modules
2019-11-11 20:40:40 +03:00
Mikhail Novosyolov
95836da65c
Merge branch 'master' of abf.io:kernels_stable/kernel-5.3
...
eshatokhin@: CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE is not used since
mainline commit be6ec88f41ba "selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE",
so it is not set here.
2019-11-11 15:27:16 +03:00
Evgenii Shatokhin
5b69a49e46
Updated to version 5.3.7
2019-10-18 13:57:15 +03:00
Mikhail Novosyolov
d43e01981e
Fix kernel opts for booting in enforcing selinux mode
...
1f5dcdbf22
eshatokhin@: CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE is not used since
mainline commit be6ec88f41ba "selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE",
so it is not set here.
2019-10-07 11:18:31 +03:00
Mikhail Novosyolov
1f5dcdbf22
Fix kernel opts for booting in enforcing selinux mode
2019-10-07 01:35:53 +03:00
Evgenii Shatokhin
7a64052e96
Updated to version 5.3.4
2019-10-06 17:17:55 +03:00
Evgenii Shatokhin
6e76e58193
Revisited the list of files for the devel package
2019-09-24 18:37:26 +03:00
Evgenii Shatokhin
a89c2e9bda
Removed sanitize-memory.patch
...
Starting from the mainline kernel 5.3, it is no longer needed. See
commit 6471384af2a6530696fc0203bafe4de41a23c9ef
Author: Alexander Potapenko <glider@google.com>
Date: Thu Jul 11 20:59:19 2019 -0700
mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options
2019-09-24 18:36:02 +03:00
Evgenii Shatokhin
4ca3b2aeb5
Updated to version 5.3.1
2019-09-24 18:31:28 +03:00
Evgenii Shatokhin
17e88f1815
Updated to version 5.2.14
2019-09-11 15:49:01 +03:00
Evgenii Shatokhin
ea6f6b95f9
Updated to version 5.2.7
2019-08-07 15:59:12 +03:00
Evgenii Shatokhin
55fa1145d5
Re-diffed fs-aufs.patch for the kernel 5.2.5+
2019-08-05 11:48:36 +03:00
Evgenii Shatokhin
bbfcc7091f
Updated to version 5.2.6
2019-08-05 11:35:18 +03:00
Evgenii Shatokhin
9d21195523
Updated to version 5.2.5
2019-07-31 16:56:44 +03:00
Evgenii Shatokhin
d0260ef581
Updated to version 5.2.2
2019-07-22 13:30:14 +03:00
Evgenii Shatokhin
7b533a4517
Stable-based kernels have no Ubuntu-specific files
2019-07-22 10:55:21 +03:00
Evgenii Shatokhin
668c472445
Fixed the name of the list file
2019-07-21 23:50:25 +03:00
Evgenii Shatokhin
326a5ab596
Updated to version 5.1.19
2019-07-21 21:46:26 +03:00
Evgenii Shatokhin
2dee2c0e88
Revisited configs to support kernel 5.1.x
2019-07-21 21:44:03 +03:00