6 files changed, 99 insertions, 38 deletions
diff --git a/libre/linux-libre/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/libre/linux-libre/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch index a1c62dc7f..ba0d75381 100644 --- a/libre/linux-libre/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch +++ b/libre/linux-libre/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch @@ -1,7 +1,7 @@ -From 9baf57b4c2d9348bd5adecbb893870d1d79fade1 Mon Sep 17 00:00:00 2001 +From 63cec1d1efdb31caeef17411c7560e8b0f941073 Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> Date: Mon, 16 Sep 2019 04:53:20 +0200 -Subject: [PATCH 1/2] ZEN: Add sysctl and CONFIG to disallow unprivileged +Subject: [PATCH 1/3] ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER Our default behavior continues to match the vanilla kernel. @@ -36,10 +36,10 @@ index 33a4240e6a6f..82213f9c4c17 100644 { return &init_user_ns; diff --git a/init/Kconfig b/init/Kconfig -index b19e2eeaae80..2c2e01d76076 100644 +index fa63cc019ebf..5aa29feccae3 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1240,6 +1240,22 @@ config USER_NS +@@ -1249,6 +1249,22 @@ config USER_NS If unsure, say N. @@ -102,7 +102,7 @@ index 0d8abfb9e0f4..bd7c215e315f 100644 if (err) goto bad_unshare_out; diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 830aaf8ca08e..af4c0806bd8e 100644 +index c42ba2d669dc..a6ddbf02a809 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -91,6 +91,9 @@ @@ -115,7 +115,7 @@ index 830aaf8ca08e..af4c0806bd8e 100644 #if defined(CONFIG_SYSCTL) -@@ -1803,6 +1806,15 @@ static struct ctl_table kern_table[] = { +@@ -1806,6 +1809,15 @@ static struct ctl_table kern_table[] = { .mode = 0644, .proc_handler = proc_dointvec, }, @@ -150,5 +150,5 @@ index 5481ba44a8d6..423ab2563ad7 100644 static DEFINE_MUTEX(userns_state_mutex); -- -2.36.1 +2.37.1 
diff --git a/libre/linux-libre/0002-HID-apple-Properly-handle-function-keys-on-Keychron-.patch b/libre/linux-libre/0002-HID-apple-Properly-handle-function-keys-on-Keychron-.patch index 4d36e40fb..7212fe4a7 100644 --- a/libre/linux-libre/0002-HID-apple-Properly-handle-function-keys-on-Keychron-.patch +++ b/libre/linux-libre/0002-HID-apple-Properly-handle-function-keys-on-Keychron-.patch @@ -1,7 +1,7 @@ -From e410435c977a01e386fda83b5215540365a0086f Mon Sep 17 00:00:00 2001 +From 4b81eecd4c636d953aaf4ebafd8171716f4c61fe Mon Sep 17 00:00:00 2001 From: Bryan Cain <bryancain3@gmail.com> Date: Thu, 5 May 2022 13:12:21 -0600 -Subject: [PATCH 2/2] HID: apple: Properly handle function keys on Keychron +Subject: [PATCH 2/3] HID: apple: Properly handle function keys on Keychron keyboards MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -103,5 +103,5 @@ index 0cf35caee9fa..42a568902f49 100644 } -- -2.36.1 +2.37.1 diff --git a/libre/linux-libre/0003-soundwire-Raise-DEFAULT_PROBE_TIMEOUT-to-10000-ms.patch b/libre/linux-libre/0003-soundwire-Raise-DEFAULT_PROBE_TIMEOUT-to-10000-ms.patch new file mode 100644 index 000000000..606afbdaf --- /dev/null +++ b/libre/linux-libre/0003-soundwire-Raise-DEFAULT_PROBE_TIMEOUT-to-10000-ms.patch 
@@ -0,0 +1,26 @@ +From 2da21cf28e573b84e5a5baecc1eda7372322375d Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org> +Date: Sat, 23 Jul 2022 11:14:46 +0200 +Subject: [PATCH 3/3] soundwire: Raise DEFAULT_PROBE_TIMEOUT to 10000 ms + +See: https://github.com/thesofproject/linux/issues/3777#issuecomment-1192655300 +--- + drivers/soundwire/bus.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soundwire/bus.h b/drivers/soundwire/bus.h +index 7631ef5e71fb..d3ed828daac0 100644 +--- a/drivers/soundwire/bus.h ++++ b/drivers/soundwire/bus.h +@@ -5,7 +5,7 @@ + #define __SDW_BUS_H + + #define DEFAULT_BANK_SWITCH_TIMEOUT 3000 +-#define DEFAULT_PROBE_TIMEOUT 2000 ++#define DEFAULT_PROBE_TIMEOUT 10000 + + u64 sdw_dmi_override_adr(struct sdw_bus *bus, u64 addr); + +-- +2.37.1 + diff --git a/libre/linux-libre/PKGBUILD b/libre/linux-libre/PKGBUILD index 06574adaf..42939874a 100644 --- a/libre/linux-libre/PKGBUILD +++ b/libre/linux-libre/PKGBUILD @@ -14,11 +14,11 @@ _replacesoldkernels=() # '%' gets replaced with kernel suffix _replacesoldmodules=() # '%' gets replaced with kernel suffix pkgbase=linux-libre -pkgver=5.18.5 +pkgver=5.18.14 pkgrel=1 pkgdesc='Linux-libre' -rcnver=5.18.2 -rcnrel=armv7-x6 +rcnver=5.18.12 +rcnrel=armv7-x8 url='https://linux-libre.fsfla.org/' arch=(i686 x86_64 armv7h) license=(GPL2) @@ -47,6 +47,7 @@ source=( # Arch Linux patches 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 0002-HID-apple-Properly-handle-function-keys-on-Keychron-.patch + 0003-soundwire-Raise-DEFAULT_PROBE_TIMEOUT-to-10000-ms.patch ) source_i686=( # avoid using zstd compression in ultra mode (exhausts virtual memory) 
@@ -72,7 +73,7 @@ validpgpkeys=( ) sha512sums=('13be3762fffd74c63eeb23b0d34b994a3e5198bfdbda4f013b38f8d3edd24b9bbebe5a4bfde0f5191aa1cf2678e4517f3b5540a40b30ebc05da1f6708cbb98bb' 'SKIP' - '9355c0f22606c0401e8a01d6e22f0fa6e97b69a9fce6d991235da6430907fb6a788fca30bd48e5cbb743cc4a211a40806c896f660db7432e7bc85ba7634b5d06' + '9016e87060d3ddbf4bad5adee54f07cba3930a23a5c2a7ca32338a98d0c51676228f3d97405c624f2f48a67849f9b40a5dc670e10fbc02bc75cc4d47deab4c34' 'SKIP' '13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3' 'SKIP' @@ -80,8 +81,8 @@ sha512sums=('13be3762fffd74c63eeb23b0d34b994a3e5198bfdbda4f013b38f8d3edd24b9bbeb 'SKIP' '267295aa0cea65684968420c68b32f1a66a22d018b9d2b2c1ef14267bcf4cb68aaf7099d073cbfefe6c25c8608bdcbbd45f7ac8893fdcecbf1e621abdfe9ecc1' 'SKIP' - 'bcec71d3bd1daaa27bdf4c9a10f0b302b915e8236ef47b5e6d6eaf65bfd0b34644d8d3ff6c25d894ae21dedbece3c1f1ff152fbf8525b77100bc790d0541f3f1' - 'e141c387e8045030278d683a1294bfd3d13197bf3466a9c89c4f72a53aafed606acc8e42e528479527c638af895bce2303944b5d8b8a29040f5aae8a9581dd5a' + '9833a9caf788aa928b7c4fab85205259459cc65ccf2b1ef1af8f9dfecf8804829aa4c1f0571a1a0819c6e838ab3f32a5322df9ddb07a201bc43c66ad6c3b2f3b' + '9112373138102b14ca900156afc6292334fc2b9ee542f1f5264ff2b6dc82073f761e9caf35aff56fb47cb285fbc2c4421f6d89c1d417f823f38b1e3f287d9294' '47d16ffc94510d4a8773146a46cfb35aca8cfdae38d17283334cd62d92de36250fbec90e9892357033398ecc7d970127b1a41b703a8372972422ca4af7c90c70' '53103bf55b957b657039510527df0df01279dec59cda115a4d6454e4135025d4546167fa30bdc99107f232561c1e096d8328609ab5a876cf7017176f92ad3e0b' 'f10af02f0cb2d31259d9633e1ba845f555f525789f750fc2ddc51bd18c5ff64fcdd242dae801623887f5ce5cdb5528bce890459f0fab9fd31a28868bb7f6bba5' 
@@ -89,10 +90,11 @@ sha512sums=('13be3762fffd74c63eeb23b0d34b994a3e5198bfdbda4f013b38f8d3edd24b9bbeb '143dea30c6da00e504c99984a98a0eb2411f558fcdd9dfa7f607d6c14e9e7dffff9cb00121d9317044b07e3e210808286598c785ee854084b993ec9cb14d8232' '02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af' 'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168' - '1b6c3108d5628ca6db20c2bc3431e560ab2a274aaf863e7a796f1931a35982d175247f47cbfbb7d643ffc6b742442806755bb10339e5b0577c3f232b38288891' - 'bf6d9a66be49c2cc67b0a0f3cfb61734adf7a3b032b5ed133e1e0afbf4a6ddbd3e8231e4b85fef2e3aeb7274a60f7572a4469c057ff13d81134613f01767d3b2') + '671ab29fb1858c3898792164ac49d57103ecdeff220d7b262efb0c74ee270a670cf40f746a76f400513019989d858326fb3da507a0159418215e0b645011c406' + '2fecb2fb31981af21e17ce08c8352236f8817e6000f7e542f7479eaa7300238c4581f992b4da4d49dd2657d3e3c038eb0369954559f233b2913c382ef25b5753' + '816ad9cb93a473376487234d4bf255f7d081c37186b1715e914c2c30dcdcfaee7b6db4eeb427969190d0cffa7499bc99c95ef58fb8c632d27e51d0350990f0ce') sha512sums_i686=('bca15cc96f64c38adcd13a46752866b5b30555ac21e19b3f7afcd20fcb7ec585c9d990fe8f842f44d5f69d477d72867fe6a9102729f26f93f5a80b372e41ce85') -sha512sums_armv7h=('5a75b12dd386940a0bf1be630d45a514ef3c32289ec5976988764baa8483b254e5dcc879337556bfa041b6dbf9ac16debbe4b57bf86db30089661e9536ffaa0a' +sha512sums_armv7h=('94c6243d23bc995dec3edcb1dd5cc7d5e7d30fec70fc32b9be5f3e7d934da7035e9152fea3cce58a53b0f35f29060bdef2a3a2dac3c46f520adf1088897362f9' 'SKIP' '8da996a42249672893fa532ccbd096347580a0dc1698c45e9c865646e2765789553b1bb42793e721de30aea70340fdc116d2e4a50580fef999ca5fc627aaf4c3' '0e6ddc24011d77a2e422b642c4507317fc2d26b20f5649818a2f11acac165ccab2cf2e64ab50d44ce7affcfe12c2ef5158790e499058831e7995400b2087df78' @@ -175,8 +177,7 @@ prepare() { build() { cd $_srcname - make all - make htmldocs + make htmldocs all } _package() { 
@@ -236,7 +237,7 @@ _package-headers() { localversion.* version vmlinux install -Dt "$builddir/kernel" -m644 kernel/Makefile install -Dt "$builddir/arch/$KARCH" -m644 arch/$KARCH/Makefile - if [[ $CARCH = i686 ]]; then + if [ "$CARCH" = i686 ]; then install -Dt "$builddir/arch/$KARCH" -m644 arch/$KARCH/Makefile_32.cpu fi cp -t "$builddir" -a scripts @@ -379,7 +380,7 @@ _package-chromebook() { } pkgname=("$pkgbase" "$pkgbase-headers" "$pkgbase-docs") -[[ $CARCH = armv7h ]] && pkgname+=("$pkgbase-chromebook") +[ "$CARCH" = armv7h ] && pkgname+=("$pkgbase-chromebook") for _p in "${pkgname[@]}"; do eval "package_$_p() { $(declare -f "_package${_p#$pkgbase}") diff --git a/libre/linux-libre/config.i686 b/libre/linux-libre/config.i686 index 825810459..a23c25e10 100644 --- a/libre/linux-libre/config.i686 +++ b/libre/linux-libre/config.i686 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.18.5-gnu Kernel Configuration +# Linux/x86 5.18.14-gnu Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y @@ -18,7 +18,7 @@ CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y CONFIG_CC_HAS_ASM_INLINE=y CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y -CONFIG_PAHOLE_VERSION=0 +CONFIG_PAHOLE_VERSION=123 CONFIG_IRQ_WORK=y CONFIG_BUILDTIME_TABLE_SORT=y CONFIG_THREAD_INFO_IN_TASK=y @@ -187,6 +187,8 @@ CONFIG_UCLAMP_BUCKETS_COUNT=5 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" +CONFIG_GCC12_NO_ARRAY_BOUNDS=y +CONFIG_CC_NO_ARRAY_BOUNDS=y CONFIG_CGROUPS=y CONFIG_PAGE_COUNTER=y CONFIG_MEMCG=y @@ -332,8 +334,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y -CONFIG_CC_HAS_SLS=y CONFIG_X86_CPU_RESCTRL=y CONFIG_X86_BIGSMP=y # CONFIG_X86_EXTENDED_PLATFORM is not set 
@@ -493,6 +493,14 @@ CONFIG_MODIFY_LDT_SYSCALL=y # CONFIG_STRICT_SIGALTSTACK_SIZE is not set # end of Processor type and features +CONFIG_CC_HAS_SLS=y +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y # @@ -10478,14 +10486,24 @@ CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set CONFIG_SECURITY_LANDLOCK=y -# CONFIG_INTEGRITY is not set +CONFIG_INTEGRITY=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y +CONFIG_INTEGRITY_PLATFORM_KEYRING=y +CONFIG_INTEGRITY_MACHINE_KEYRING=y +CONFIG_LOAD_UEFI_KEYS=y +CONFIG_INTEGRITY_AUDIT=y +# CONFIG_IMA is not set +# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set +# CONFIG_EVM is not set # CONFIG_DEFAULT_SECURITY_SELINUX is not set # CONFIG_DEFAULT_SECURITY_SMACK is not set # CONFIG_DEFAULT_SECURITY_TOMOYO is not set # CONFIG_DEFAULT_SECURITY_APPARMOR is not set CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="landlock,lockdown,yama,bpf" +CONFIG_LSM="landlock,lockdown,yama,integrity,bpf" # # Kernel hardening options @@ -10496,9 +10514,9 @@ CONFIG_LSM="landlock,lockdown,yama,bpf" # CONFIG_CC_HAS_AUTO_VAR_INIT_PATTERN=y CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y -# CONFIG_INIT_STACK_NONE is not set +CONFIG_INIT_STACK_NONE=y # CONFIG_INIT_STACK_ALL_PATTERN is not set -CONFIG_INIT_STACK_ALL_ZERO=y +# CONFIG_INIT_STACK_ALL_ZERO is not set # CONFIG_GCC_PLUGIN_STACKLEAK is not set CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set @@ -10769,6 +10787,7 @@ CONFIG_CRYPTO_LIB_SM3=m CONFIG_CRYPTO_LIB_SM4=m # end of Crypto library routines +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=y CONFIG_CRC16=m CONFIG_CRC_T10DIF=y 
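Review bot: The kernel-hardening hunk of config.i686 (`@@ -10496,9 +10514,9 @@`) flips `CONFIG_INIT_STACK_ALL_ZERO=y` to `CONFIG_INIT_STACK_NONE=y`, which turns off automatic zero-initialisation of stack variables and removes that mitigation for uninitialised-stack reads and information leaks. `CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y` is still present in the context lines, so compiler support appears to be available. The config.x86_64 section shows no matching change, so this looks like a side effect of regenerating the config rather than a deliberate choice. I would restore `# CONFIG_INIT_STACK_NONE is not set` and `CONFIG_INIT_STACK_ALL_ZERO=y`, or record in the commit message why i686 has to build without it.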
@@ -10861,6 +10880,7 @@ CONFIG_LRU_CACHE=m CONFIG_CLZ_TAB=y CONFIG_IRQ_POLL=y CONFIG_MPILIB=y +CONFIG_SIGNATURE=y CONFIG_DIMLIB=y CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y @@ -10928,6 +10948,9 @@ CONFIG_DEBUG_INFO_DWARF4=y # CONFIG_DEBUG_INFO_COMPRESSED is not set # CONFIG_DEBUG_INFO_SPLIT is not set CONFIG_DEBUG_INFO_BTF=y +CONFIG_PAHOLE_HAS_SPLIT_BTF=y +CONFIG_DEBUG_INFO_BTF_MODULES=y +# CONFIG_MODULE_ALLOW_BTF_MISMATCH is not set # CONFIG_GDB_SCRIPTS is not set CONFIG_FRAME_WARN=1024 CONFIG_STRIP_ASM_SYMS=y diff --git a/libre/linux-libre/config.x86_64 b/libre/linux-libre/config.x86_64 index 77f7e30ec..c9190a5bb 100644 --- a/libre/linux-libre/config.x86_64 +++ b/libre/linux-libre/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.18.5-gnu Kernel Configuration +# Linux/x86 5.18.14-gnu Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y @@ -197,6 +197,8 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y CONFIG_CC_HAS_INT128=y CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" +CONFIG_GCC12_NO_ARRAY_BOUNDS=y +CONFIG_CC_NO_ARRAY_BOUNDS=y CONFIG_ARCH_SUPPORTS_INT128=y CONFIG_NUMA_BALANCING=y CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y @@ -351,9 +353,6 @@ CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y -CONFIG_CC_HAS_SLS=y -CONFIG_SLS=y CONFIG_X86_CPU_RESCTRL=y # CONFIG_X86_EXTENDED_PLATFORM is not set CONFIG_X86_INTEL_LPSS=y @@ -497,7 +496,9 @@ CONFIG_SCHED_HRTICK=y CONFIG_KEXEC=y CONFIG_KEXEC_FILE=y CONFIG_ARCH_HAS_KEXEC_PURGATORY=y -# CONFIG_KEXEC_SIG is not set +CONFIG_KEXEC_SIG=y +# CONFIG_KEXEC_SIG_FORCE is not set +CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y CONFIG_CRASH_DUMP=y CONFIG_KEXEC_JUMP=y CONFIG_PHYSICAL_START=0x1000000 
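Review bot: In the config.x86_64 hunk `@@ -497,7 +496,9 @@`, `CONFIG_KEXEC_SIG=y` is enabled together with `# CONFIG_KEXEC_SIG_FORCE is not set`. In that mode a signature on a kexec_file_load() image is checked when present, but an unsigned image is still accepted unless kernel lockdown is active. The legacy kexec_load() path enabled by `CONFIG_KEXEC=y` is not covered by this option at all. If the intent is that only signed kernels can be kexec'd, this needs `CONFIG_KEXEC_SIG_FORCE=y` or an enforced lockdown mode. The only lockdown default visible on this page is `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y` in the i686 context, and the x86_64 value is not shown, so please confirm it. If opportunistic verification is what is wanted, a sentence in the commit message saying so would keep the option from being read as an enforcement boundary.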
@@ -522,6 +523,16 @@ CONFIG_HAVE_LIVEPATCH=y # CONFIG_LIVEPATCH is not set # end of Processor type and features +CONFIG_CC_HAS_SLS=y +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y +CONFIG_SLS=y CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y @@ -10159,7 +10170,6 @@ CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y -CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_SECURITY_INFINIBAND=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y @@ -10219,7 +10229,7 @@ CONFIG_INTEGRITY_AUDIT=y # CONFIG_DEFAULT_SECURITY_TOMOYO is not set # CONFIG_DEFAULT_SECURITY_APPARMOR is not set CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="landlock,lockdown,yama,bpf" +CONFIG_LSM="landlock,lockdown,yama,integrity,bpf" # # Kernel hardening options @@ -10533,6 +10543,7 @@ CONFIG_CRYPTO_LIB_SM3=m CONFIG_CRYPTO_LIB_SM4=m # end of Crypto library routines +CONFIG_LIB_MEMNEQ=y CONFIG_CRC_CCITT=y CONFIG_CRC16=m CONFIG_CRC_T10DIF=y |