5.14.13-xanmod1

2025-02-23 09:02:47 +00:00 · 2021-10-21 22:47:53 +03:00 · 2021-10-21 22:47:53 +03:00 · 9477ab1a9a
commit 9477ab1a9a
parent 1fbfa2238a
13 changed files with 1061 additions and 564 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -1,5 +1,4 @@
 sources:
  linux-5.14.tar.xz: 82c1b2888febfe12510a8e83e09b7652c606ffda
  patch-5.14.13-xanmod1.xz: ce79c3af8a2f3bdfdecdb1c690753a7e9aa53ea6
-
-
+  
--- a/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
+++ b/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
@ -0,0 +1,37 @@
+From 36dc5cf3039c0751fe95370a247ca1c23c06571c Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Mon, 10 Aug 2020 10:38:20 +0300
+Subject: [PATCH] ROSA: ima: allow to off modules signature check dynamically
+
+Allow module.sig_enforce=0 kernel cmdline, not only module.sig_enforce=1
+It allows to keep CONFIG_MODULE_SIG_FORCE=y, but disable it when really needed
+without recompiling the kernel (it may be impossible, e.g. in certified systems).
+
+GRUB or another bootloader is password-protected when needed,
+so I am not afraid much that someone will be able to turn it off when not needed.
+
+ROSA-specific patch.
+This violates requirements of "secure boot", but currently we do not have secure boot in ROSA.
+
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ kernel/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 6baa1080c..118d8ee60 100644
+--- a/kernel/module.c
+++ b/kernel/module.c
+@@ -274,7 +274,7 @@
+ 
+ #ifdef CONFIG_MODULE_SIG
+ static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+-module_param(sig_enforce, bool_enable_only, 0644);
+module_param(sig_enforce, bool, 0644);
+ 
+ void set_module_sig_enforced(void)
+ {
+
+-- 
+2.17.1
+
--- a/0001-audit-make-it-less-verbose.patch
+++ b/0001-audit-make-it-less-verbose.patch
@ -0,0 +1,34 @@
+From edce12c92c0d1e02a6f41344290ee7adee745ef4 Mon Sep 17 00:00:00 2001
+From: Evgenii Shatokhin <eugene.shatokhin@rosalab.ru>
+Date: Wed, 11 Dec 2019 21:10:42 +0300
+Subject: [PATCH] audit: make it less verbose
+
+It seems, if audit itself is not installed and therefore nothing listens
+to the messages from the kernel's audit subsystem, the latter spams the
+kernel log with such messages.
+
+Let us make them debug-level and thus invisible by default.
+
+http://bugs.rosalinux.ru/show_bug.cgi?id=6235
+http://bugs.rosalinux.ru/show_bug.cgi?id=6459
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ kernel/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 68cee3bc8cfe..805633090ea5 100644
+--- a/kernel/audit.c
+++ b/kernel/audit.c
+@@ -535,7 +535,7 @@ static void kauditd_printk_skb(struct sk_buff *skb)
+ 	char *data = nlmsg_data(nlh);
+ 
+ 	if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
+-		pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
+		pr_debug("type=%d %s\n", nlh->nlmsg_type, data);
+ }
+ 
+ /**
+-- 
+2.25.1
+
--- a/0001-crypto-support-loading-GOST-signed-kernel-modules.patch
+++ b/0001-crypto-support-loading-GOST-signed-kernel-modules.patch
@ -0,0 +1,46 @@
+From 59bf6ed4709ea82d63be300814af2c4c94503e14 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Thu, 6 Aug 2020 14:17:31 +0300
+Subject: [PATCH] crypto: support loading GOST-signed kernel modules
+
+Support loading kernel modules signed with:
+* 1.2.643.7.1.1.1.1 id-tc26-gost3410-12-256
+* 1.2.643.7.1.1.1.2 id-tc26-gost3410-12-512
+
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ crypto/asymmetric_keys/pkcs7_parser.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
+index 967329e0a07b..39c260a04167 100644
+--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
+@@ -248,6 +248,12 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
+ 	case OID_sha224:
+ 		ctx->sinfo->sig->hash_algo = "sha224";
+ 		break;
+	case OID_gost2012Digest256:
+		ctx->sinfo->sig->hash_algo = "streebog256";
+		break;
+	case OID_gost2012Digest512:
+		ctx->sinfo->sig->hash_algo = "streebog512";
+		break;
+ 	default:
+ 		printk("Unsupported digest algo: %u\n", ctx->last_oid);
+ 		return -ENOPKG;
+@@ -269,6 +275,11 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
+ 		ctx->sinfo->sig->pkey_algo = "rsa";
+ 		ctx->sinfo->sig->encoding = "pkcs1";
+ 		break;
+	case OID_gost2012PKey256:
+	case OID_gost2012PKey512:
+		ctx->sinfo->sig->pkey_algo = "ecrdsa";
+		ctx->sinfo->sig->encoding = "raw";
+		break;
+ 	default:
+ 		printk("Unsupported pkey algo: %u\n", ctx->last_oid);
+ 		return -ENOPKG;
+-- 
+2.17.1
+
--- a/0001-perf-skip-xmlto-validation.patch
+++ b/0001-perf-skip-xmlto-validation.patch
@ -0,0 +1,30 @@
+From 8d376cb0241182ae4859db3aa7f790996054ae75 Mon Sep 17 00:00:00 2001
+From: Evgenii Shatokhin <eugene.shatokhin@rosalab.ru>
+Date: Wed, 11 Dec 2019 21:12:06 +0300
+Subject: [PATCH] perf: skip xmlto validation
+
+Perf docs are built after all the kernels. To validate the xml files
+generated during that process, xmlto tries to get DTD files from the Net.
+If it fails, the whole build fails, which is unfortunate. Let us avoid this.
+
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ tools/perf/Documentation/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
+index 6e54979c2124..ccbc7a68769d 100644
+--- a/tools/perf/Documentation/Makefile
+++ b/tools/perf/Documentation/Makefile
+@@ -51,7 +51,7 @@ ASCIIDOC=asciidoc
+ ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf
+ ASCIIDOC_HTML = xhtml11
+ MANPAGE_XSL = manpage-normal.xsl
+-XMLTO_EXTRA =
+XMLTO_EXTRA = --skip-validation
+ INSTALL?=install
+ RM ?= rm -f
+ DOC_REF = origin/man
+-- 
+2.25.1
+
--- a/0001-sign-file-full-functionality-with-modern-LibreSSL.patch
+++ b/0001-sign-file-full-functionality-with-modern-LibreSSL.patch
@ -0,0 +1,47 @@
+From 7fac9b5a88bf45574b92cc3ad74fac32f3bacbcc Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Thu, 19 Mar 2020 00:15:41 +0300
+Subject: [PATCH] sign-file: full functionality with modern LibreSSL
+
+Current pre-release version of LibreSSL has enabled CMS support,
+and now sign-file is fully functional with it.
+
+See https://github.com/libressl-portable/openbsd/commits/master
+
+To test buildability with LibreSSL:
+~$ git clone https://github.com/libressl-portable/portable.git
+~$ cd portable && ./autogen.sh
+~$ ./configure --prefix=/opt/libressl
+~$ make
+~# make install
+Go to the kernel source tree and:
+~$ gcc -I/opt/libressl/include -L /opt/libressl/lib -lcrypto -Wl,-rpath,/opt/libressl/lib scripts/sign-file.c -o scripts/sign-file
+
+Fixes: f8688017 ("sign-file: fix build error in sign-file.c with libressl")
+
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ scripts/sign-file.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/sign-file.c b/scripts/sign-file.c
+index fbd34b8e8f57..fd4d7c31d1bf 100644
+--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
+@@ -41,9 +41,10 @@
+  * signing with anything other than SHA1 - so we're stuck with that if such is
+  * the case.
+  */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+-	OPENSSL_VERSION_NUMBER < 0x10000000L || \
+-	defined(OPENSSL_NO_CMS)
+#if defined(OPENSSL_NO_CMS) || \
+	( defined(LIBRESSL_VERSION_NUMBER) \
+	&& (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
+	OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
+-- 
+2.20.1
+
--- a/audit-make-it-less-verbose.patch
+++ b/audit-make-it-less-verbose.patch
@ -1,21 +0,0 @@
-It seems, if audit itself is not installed and therefore nothing listens
-to the messages from the kernel's audit subsystem, the latter spams the
-kernel log with such messages.
-
-Let us make them debug-level and thus invisible by default.
-
-http://bugs.rosalinux.ru/show_bug.cgi?id=6235
-http://bugs.rosalinux.ru/show_bug.cgi?id=6459
-
-diff -Naur linux-5.9.orig/kernel/audit.c linux-5.9/kernel/audit.c
--- linux-5.9.orig/kernel/audit.c	2020-10-17 12:03:17.445125041 +0300
-+++ linux-5.9/kernel/audit.c	2020-10-17 12:03:17.455125041 +0300
-@@ -535,7 +535,7 @@
- 	char *data = nlmsg_data(nlh);
- 
- 	if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
-		pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
-+		pr_debug("type=%d %s\n", nlh->nlmsg_type, data);
- }
- 
- /**
--- a/kernel-xanmod.spec
+++ b/kernel-xanmod.spec
--- a/kernel.rpmlintrc
+++ b/kernel.rpmlintrc
@ -2,36 +2,9 @@
 addFilter("E: zero-length")
 addFilter("E: incoherent-version-in-name")
 addFilter("E: unstripped-binary-or-object")
-
-addFilter("E: executable-sourced-script")
-addFilter("E: executable-in-library-package")
-addFilter("E: devel-dependency")
-addFilter("E: hardcoded-library-path")
-addFilter("E: useless-provides")
-
 addFilter("W: devel-file-in-non-devel-package")
 addFilter("W: dangling-relative-symlink")
 addFilter("W: non-executable-script")
 addFilter("W: script-without-shebang")
-
-addFilter("W: no-documentation")
-addFilter("W: spurious-executable-perm")
-addFilter("W: summary-not-capitalized")
-addFilter("W: obsolete-not-provided")
-
-addFilter("W: non-standard-dir-in-usr")
-addFilter("W: no-major-in-name")
-addFilter("W: no-dependency-on")
-addFilter("W: name-repeated-in-summary")
-addFilter("W: unversioned-explicit-provides")
-
-addFilter("W: hidden-file-or-dir")
-addFilter("W: filename-too-long-for-joliet")
-addFilter("W: dangerous-command-in-%preun")
-addFilter("W: dangerous-command-in-%postun")
-addFilter("W: dangerous-command-in-%post")
-
-
-
-
-
+# longer descriptions are allowed in rpm4 platforms
+addFilter("E: description-line-too-long")
--- a/linux-5.13-attribute-error.patch
+++ b/linux-5.13-attribute-error.patch
@ -1,15 +0,0 @@
-diff -up linux-5.13/tools/include/linux/compiler-gcc.h.2~ linux-5.13/tools/include/linux/compiler-gcc.h
--- linux-5.13/tools/include/linux/compiler-gcc.h.2~	2021-06-28 00:21:11.000000000 +0200
-+++ linux-5.13/tools/include/linux/compiler-gcc.h	2021-07-09 01:09:40.704907665 +0200
-@@ -16,9 +16,9 @@
- # define __fallthrough __attribute__ ((fallthrough))
- #endif
- 
-#if GCC_VERSION >= 40300
-+#if __has_attribute(error)
- # define __compiletime_error(message) __attribute__((error(message)))
-#endif /* GCC_VERSION >= 40300 */
-+#endif /* __has_attribute(error) */
- 
- /* &a[0] degrades to a pointer: a different type from an array */
- #define __must_be_array(a)	BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
--- a/macros.ksobirator
+++ b/macros.ksobirator
@ -0,0 +1,40 @@
+# ksobirator RPM macros
+# For now they are bundled in the kernel package,
+# in the future, after testing, ksobirator will become a separate package
+# which will be BuildRequired from kernel packages
+
+# TODO: define it somewhere else...
+# TODO: avoid depending from %%flavour, %%buildrel etc ?!
+# TODO: fail if needed macros are not defined
+%ksob_kernel %{kernelversion}.%{patchlevel}-%{flavour}
+
+# %%ksob_mk_module_pkg -n module name -s module section [ -r additional requires for this package ]
+# Examples:
+# %%ksob_mk_module_pkg -n shredder -s extra -r /usr/bin/wipe
+# %%ksob_mk_module_pkg -n shredder -s extra
+%ksob_mk_module_pkg(n:s:r:) \
+\
+%define module_name        %{-n:%{-n*}}%{!-n:%{error:Module name not defined!}} \
+%define pkg_main kernel-module-%{module_name}-%{ksob_kernel} \
+%define module_section     %{-s:%{-s*}}%{!-s:%{error:Module section (e.g. extra) not defined!}} \
+\
+%{expand: \
+%package -n %{pkg_main} \
+# TODO: convert long kernel name to one macro \
+Summary: Binary module %{module_name} for kernel-%{ksob_kernel} \
+Group: System/Kernel and hardware \
+\
+%{-r:Requires: %{-r*}} \
+Requires: %{name}%{_isa} = %{EVRD} \
+Provides: installonlypkg(kernel-module) = %{EVRD}.module.%{module_name} \
+Obsoletes: kernel-module-%{module_name}-%{flavour}-%{kernelversion}.%{patchlevel}-latest < 5.10.34-2 \
+\
+%description -n %{pkg_main} \
+Binary module %{module_name} for kernel-%{ksob_kernel} \
+\
+%files -n %{pkg_main} \
+# XXX TODO: how to %%exclude these files from the main package automatically? \
+%{_modulesdir}/%{kver_full}/kernel/%{module_section}/%{module_name}.ko%{kmod_suffix} \
+\
+%{nil} \
+}
--- a/perf-xmlto-skip-validation.patch
+++ b/perf-xmlto-skip-validation.patch
@ -1,12 +0,0 @@
-diff -Naur linux-5.9.orig/tools/perf/Documentation/Makefile linux-5.9/tools/perf/Documentation/Makefile
--- linux-5.9.orig/tools/perf/Documentation/Makefile	2020-10-17 12:00:45.497122395 +0300
-+++ linux-5.9/tools/perf/Documentation/Makefile	2020-10-17 12:00:47.205122425 +0300
-@@ -51,7 +51,7 @@
- ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf
- ASCIIDOC_HTML = xhtml11
- MANPAGE_XSL = manpage-normal.xsl
-XMLTO_EXTRA =
-+XMLTO_EXTRA = --skip-validation
- INSTALL?=install
- RM ?= rm -f
- DOC_REF = origin/man
--- a/xanmod-futex2-error-avoid.patch
+++ b/xanmod-futex2-error-avoid.patch
@ -1,13 +0,0 @@
-diff --git a/tools/perf/bench/futex.h b/tools/perf/bench/futex.h
-index 915bf3da7ce2..6e62e7708fde 100644
--- a/tools/perf/bench/futex.h
-+++ b/tools/perf/bench/futex.h
-@@ -11,7 +11,7 @@
- #include <unistd.h>
- #include <sys/syscall.h>
- #include <sys/types.h>
-#include <linux/futex.h>
-+#include "../../include/uapi/linux/futex.h"
- 
- /**
-  * futex() - SYS_futex syscall wrapper