openSUSE Kernel January 2013

kernel@lists.opensuse.org

20 participants
15 discussions

[opensuse-kernel] CONFIG_CC_STACKPROTECTOR

by richard -rw- weinberger

Hi! I'm wondering why CONFIG_CC_STACKPROTECTOR is disabled on openSUSE. Debian and Fedora seem to enabled it per default. What's the deal? -- Thanks, //richard -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

8 years, 5 months

[opensuse-kernel] build space ran out on one build, and can Kernel:stable be updated with kernel 3.7.5 patch

by doiggl＠velocitynet.com.au

Hello, - I noticed this in the build log of [1] the x86_86 version build run out of space -resubmit ?? , the i586 succeeded. - Also v 3.7.5 patch is listed http://www.kernel.org/pub/linux/kernel/v3.0/patch-3.7.5.bz2. Thanks Glenn [1]https://build.opensuse.org/package/live_build_log?arch=x86_64&package=ker… .. [ 7181s] Unable to write payload to /home/abuild/rpmbuild/RPMS/x86_64/kernel-vanilla-debuginfo-3.7.4-1.1.x86_64.rpm: [ 7184s] [ 7153.679247] SysRq : Power Off -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

9 years, 3 months

[opensuse-kernel] Make kernel-default obsolete kernel-ppc64

by Dinar Valeev

Hi, ppc64 flavor was replaced by kernel-default. I think now kernel-default on ppc64 should obsolete kernel-ppc64, to make upgrade from 12.2 -> Factory/12.3 smoother. Is such kind of report is enough or I should come up with a patch or file a bug? Have fun, Dinar -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

9 years, 3 months

[opensuse-kernel] openSUSE kernel of UEFI secure boot for testing

by joeyli

Hi all, In the past of 2 weeks, I backported 5 patches for support UEFI secure boot and also sent to opensuse-kernel for every experts review: [PATCH 0/11] Backported patches to lock down functions in secure boot [1] [PATCH 0/2] Backported patches for prepare KMP kernel module sign [2] [PATCH 0/4] Backported patches for support driver firmware sign [3] [PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN) [4] [PATCH 0/19] Backported patches for support UEFI variable filesystem [5] Now, I clone a kernel-source of openSUSE 12.3 and pushed those backported patches to this branch: https://gitorious.org/~joeyli/opensuse/joeylis-kernel-source/commits/openSU… And, I also push kernel source to OBS for build out kernel RPMs: https://build.opensuse.org/project/show?project=home%3Ajoeyli%3Abranches%3A… Those kernel RPMs are for anyone want to try the backported patches on openSUSE. e.g. We can set 'secureboot_enable=1' kernel parameter to lock down some functions on non-UEFI machine, then monitor the openSUSE behavior. or We want test the kernel module sign. Thanks a lot! Joey Lee [1] [PATCH 0/11] Backported patches to lock down functions in secure boot Patch-mainline: Not yet, reviewing References: none Target: openSUSE 12.3 Test steps: + build; make modules_install; make install + add 'secureboot_enable=1' kernel parameter Known issues on SLE (fixed): + xorg-x11-server need d01921ec18c21f21d377b606 patch for avoid 'xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)' Backported 11 patches to lock down functions in secure boot: 0001_Secure_boot:_Add_new_capability_v2.patch 0002_PCI:_Lock_down_BAR_access_in_secure_boot_environments_v2.patch 0003_x86:_Lock_down_IO_port_access_in_secure_boot_environments_v2.patch 0004_ACPI:_Limit_access_to_custom_method_v2.patch 0005_asus-wmi:_Restrict_debugfs_interface_v2.patch 0006_Restrict__dev_mem_and__dev_kmem_in_secure_boot_setups_v2.patch 0007_Secure_boot:_Add_a_dummy_kernel_parameter_that_will_switch_on_Secure_Boot_mode_v2.patch 0008_efi:_Enable_secure_boot_lockdown_automatically_when_enabled_in_firmware_v2.patch 0009_acpi:_Ignore_acpi_rsdp_kernel_parameter_in_a_secure_boot_environment_v2.patch 0010_SELinux:_define_mapping_for_new_Secure_Boot_capability_v2.patch 0011-hibernate-Disable-in-a-Secure-Boot-environment.patch [2] [PATCH 0/2] Backported patches for prepare KMP kernel module sign Patch-mainline: v3.8-rc? References: none Target: openSUSE 12.3 Backported 2 patches for for prepare KMP kernel module sign: 0001-MODSIGN-Avoid-using-.incbin-in-C-source.patch 0002-MODSIGN-Drop-ccache-hack.patch [3] [PATCH 0/4] Backported patches for support driver firmware sign Patch-mainline: Not yet, reviewing (contributed by Takashi) Target: openSUSE 12.3 Test steps: + select the following kernel config: Enable loadable module support -> Module signature verification Require modules to be validly signed Which hash algorithm should modules be signed with? ---> Device Drivers ---> Generic Driver Options ---> Firmware signature verification (NEW) + mkinitrd need this patch [1] + build; make modules_install; make firmware_install; make install + check the /lib/modules/3.0.51-default/, should have *.sig file + We can also test manually sign a firmware file: # ./scripts/sign-file -f -v signing_key.priv signing_key.x509 /lib/firmware/rtl_nic/rtl8105e-1.fw Takashi's patch set of driver firmware sign is reviewing on upstream, I backported it to openSUSE 12.3 for more testing. Backported 4 patches for support driver firmware sign Driver firmware sign (from Takashi, reviewing on upstream): Not yet: 0001-firmware:_Add_the_firmware_signing_support_to_scripts_sign-file.patch 0002-firmware:_Add_-a_option_to_scripts_sign-file.patch 0003-firmware:_Add_support_for_signature_checks.patch 0004-firmware:_Install_firmware_signature_files_automatically.patch [1] Index: mkinitrd-2.4.2/scripts/setup-modules.sh =================================================================== --- mkinitrd-2.4.2.orig/scripts/setup-modules.sh +++ mkinitrd-2.4.2/scripts/setup-modules.sh @@ -375,6 +375,10 @@ for module in $resolved_modules; do has_firmware=true fi echo -n "$fw " + if test -e "$dir/$subdir/$fw.sig"; then + cp -p --parents "$_" "$tmp_mnt" + echo -n "$fw.sig " + fi fi done done [4] [PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN) Patch-mainline: Not yet, from Fedora 18 kernel References: fate#314574 Target: SLE-11 SP3 Tested-on: qemu-kvm with OVMF UEFI BIOS Test steps: + enable the following kernel configs: CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_BLACKLIST=y CONFIG_MODULE_SIG_UEFI=y + build + make modules_install; make install When we do make modules_install, script will do the kernel modules sign. + copy vmlinuz binary to efi folder: # mv /boot/vmlinuz-3.0.53-default /boot/efi/vmlinuz-3.0.53-default.efi + boot kvm image with UEFI BIOS, enroll key to db, dbx + boot kvm image to SUSE, enroll key to MokList by mokutil + reboot system, go to UEFI shell + run vmlinuz-3.0.53-default.efi STUB kernel, the boot message should show: [ 0.157219] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.module_sign' [ 0.159674] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.modsign_blacklist' Backported 7 patches for load key of module sign from db, dbx and MokList (MODSIGN): 0001-modsign-Always-enforce-module-signing-in-a-Secure-Boot.patch 0002-Add-EFI-signature-data-types.patch 0003-Add-an-EFI-signature-blob-parser-and-key-loader.patch 0004-EFI-Add-in-kernel-variable-to-determine-if-Secure-Boot-is-enabled.patch 0005-MODSIGN-Add-module-certificate-blacklist-keyring.patch 0006-MODSIGN-Import-certificates-from-UEFI-Secure-Boot-v3.patch 0007-Dont-soft-lockup-on-bad-EFI-signature-lists.patch [5] Patch-mainline: v3.8-rc1..v3.8-rc3 Target: openSUSE 12.3 Test steps: + build; make modules_install; make install + mount -t efivarfs none /sys/firmware/efi/efivars/ or create file /lib/systemd/system/sys-firmware-efi-efivars.mount [1] + ls /sys/firmware/efi/efivars will show up all EFI variables + Try the small create[2]/delete[3] programs from Gary Lin The create program will create a EFI variable is TestVar, then we can see it show up in /sys/firmware/efi/efivars. And, delete program can remove it. Backported 19 patches: 0001-efi-Add-support-for-a-UEFI-variable-filesystem.patch 0002-efi-Handle-deletions-and-size-changes-in-efivarfs_w.patch 0003-efi-add-efivars-kobject-to-efi-sysfs-folder.patch 0004-efivarfs-Add-documentation-for-the-EFI-variable-fil.patch 0005-efivarfs-efivarfs_file_read-ensure-we-free-data-in.patch 0006-efivarfs-efivarfs_create-ensure-we-drop-our-refer.patch 0007-efivarfs-efivarfs_fill_super-fix-inode-reference.patch 0008-efivarfs-efivarfs_fill_super-ensure-we-free-our-t.patch 0009-efivarfs-efivarfs_fill_super-ensure-we-clean-up-c.patch 0010-efivarfs-Implement-exclusive-access-for-get-set-_v.patch 0011-efivarfs-Return-an-error-if-we-fail-to-read-a-variab.patch 0012-efi-Clarify-GUID-length-calculations.patch 0013-efivarfs-Replace-magic-number-with-sizeof-attributes.patch 0014-efivarfs-Add-unique-magic-number.patch 0015-efivarfs-Make-datasize-unsigned-long.patch 0016-efivarfs-Return-a-consistent-error-when-efivarfs_get.patch 0017-efivarfs-Fix-return-value-of-efivarfs_file_write.patch 0018-efivarfs-Use-query_variable_info-to-limit-kmalloc.patch 0019-efivarfs-Make-efivarfs_fill_super-static.patch [1] /lib/systemd/system/sys-firmware-efi-efivars.mount (already sent to systemd mailing list for review) [Unit] Description=EFI Variables File System Documentation=https://www.kernel.org/doc/Documentation/filesystems/efivarfs… DefaultDependencies=no ConditionPathExists=/sys/firmware/efi/efivars Before=sysinit.target [Mount] What=efivarfs Where=/sys/firmware/efi/efivars Type=efivarfs [2] create.c #include <stdio.h> #include <string.h> #include <stdint.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <linux/limits.h> #include "def.h" int main () { const char *variable_name = "TestVar"; char file_path[PATH_MAX]; int fd, flags; mode_t mode; uint32_t attribute; char buffer[1024 + 4]; int i; snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID); flags = O_CREAT | O_WRONLY; mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; fd = open (file_path, flags, mode); if (fd < 0) { fprintf (stderr, "Failed to open %s\n", file_path); return -1; } attribute = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS; memcpy (buffer, &attribute, sizeof(uint32_t)); for (i = 0; i < 1024; i++) buffer[i+4] = 'a'; if (write (fd, buffer, 1024 + 4) != (1024 + 4)) { fprintf (stderr, "Failed to write\n"); } close (fd); return 0; } [3] delete.c #include <stdio.h> #include <unistd.h> #include <linux/limits.h> #include "def.h" int main () { const char *variable_name = "TestVar"; char file_path[PATH_MAX]; snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID); unlink (file_path); return 0; } -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

9 years, 3 months

[opensuse-kernel] wrong sysctl entries in desktop kernel

by Cristian Rodríguez

Heya ! # cat /boot/sysctl.conf-3.8.0-rc4-1-desktop # The desktop workload is sensitive to latency, so start writeout earlier # (bnc#552883) sys.vm.dirty_ratio=20 but sys.vm.dirty_ratio is not a valid sysctl option .. should be vm.dirty_ratio=20 instead. JYI ;) -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

9 years, 3 months

[opensuse-kernel] [PATCH] kernel-binary.spec.in: Force kernel options required by systemd

by Cristian Rodríguez

Without this options, any system that boots with systemd will either not work or be functionally crippled. --- rpm/kernel-binary.spec.in | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index c6794a2..ae1204f 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -260,13 +260,21 @@ fi %build_src_dir/scripts/config \ --set-str CONFIG_LOCALVERSION %release_num-%build_flavor \ --enable CONFIG_SUSE_KERNEL \ +%if 0%{?suse_version} > 1210 + --enable CONFIG_IPV6 \ + --enable CONFIG_AUTOFS4_FS \ + --enable CONFIG_CGROUPS \ + --enable CONFIG_FANOTIFY \ + --enable CONFIG_DEVTMPFS \ + --enable CONFIG_DEVTMPFS_MOUNT \ + --enable CONFIG_NAMESPACES \ +%endif %if 0%{?__debug_package:1} --enable CONFIG_DEBUG_INFO \ --disable CONFIG_DEBUG_INFO_REDUCED %else --disable CONFIG_DEBUG_INFO %endif - MAKE_ARGS="$MAKE_ARGS -C %build_src_dir O=$PWD" if test -e %_sourcedir/TOLERATE-UNKNOWN-NEW-CONFIG-OPTIONS; then yes '' | make oldconfig $MAKE_ARGS -- 1.8.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

9 years, 4 months

[opensuse-kernel] openSUSE 12.3 kernel

by Stephan Kulow

Hi, Are you aiming for 3.8 or will we stick with 3.7.X? Next week I want to release Beta1 and it should have the correct code line for the kernel. If your choice is 3.8, then we should go to RC2 IMO. Greetings, Stephan -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

9 years, 4 months

[opensuse-kernel] [PATCH 0/4] Backported patches for support driver firmware sign

by Lee, Chun-Yi

Patch-mainline: Not yet, reviewing (contributed by Takashi) Target: openSUSE 12.3 Test steps: + select the following kernel config: Enable loadable module support -> Module signature verification Require modules to be validly signed Which hash algorithm should modules be signed with? ---> Device Drivers ---> Generic Driver Options ---> Firmware signature verification (NEW) + mkinitrd need this patch [1] + build; make modules_install; make firmware_install; make install + check the /lib/modules/3.0.51-default/, should have *.sig file + We can also test manually sign a firmware file: # ./scripts/sign-file -f -v signing_key.priv signing_key.x509 /lib/firmware/rtl_nic/rtl8105e-1.fw Takashi's patch set of driver firmware sign is reviewing on upstream, I backported it to openSUSE 12.3 for more testing. Backported 4 patches for support driver firmware sign Driver firmware sign (from Takashi, reviewing on upstream): Not yet: 0001-firmware:_Add_the_firmware_signing_support_to_scripts_sign-file.patch 0002-firmware:_Add_-a_option_to_scripts_sign-file.patch 0003-firmware:_Add_support_for_signature_checks.patch 0004-firmware:_Install_firmware_signature_files_automatically.patch [1] Index: mkinitrd-2.4.2/scripts/setup-modules.sh =================================================================== --- mkinitrd-2.4.2.orig/scripts/setup-modules.sh +++ mkinitrd-2.4.2/scripts/setup-modules.sh @@ -375,6 +375,10 @@ for module in $resolved_modules; do has_firmware=true fi echo -n "$fw " + if test -e "$dir/$subdir/$fw.sig"; then + cp -p --parents "$_" "$tmp_mnt" + echo -n "$fw.sig " + fi fi done done -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

9 years, 4 months

[opensuse-kernel] [PATCH] backport patch from commit b9ed9f0ecf1b5675c64d069e9b53effe276b6f01 to fix include error for drm_mode.h

by Guillaume Gardet

Hi, This patch backport patch from commit b9ed9f0ecf1b5675c64d069e9b53effe276b6f01 to fix include error for drm_mode.h This is needed to fix kernel-omap2plus build. Signed-off-by: Guillaume GARDET <guillaume.gardet(a)opensuse.org> Regards, Guillaume

9 years, 4 months

[opensuse-kernel] [PATCH 0/19] Backported patches for support UEFI variable filesystem

by Lee, Chun-Yi

Patch-mainline: v3.8-rc1..v3.8-rc3 Target: openSUSE 12.3 Test steps: + build; make modules_install; make install + mount -t efivarfs none /sys/firmware/efi/efivars/ or create file /lib/systemd/system/sys-firmware-efi-efivars.mount [1] + ls /sys/firmware/efi/efivars will show up all EFI variables + Try the small create[2]/delete[3] programs from Gary Lin The create program will create a EFI variable is TestVar, then we can see it show up in /sys/firmware/efi/efivars. And, delete program can remove it. Backported 19 patches: 0001-efi-Add-support-for-a-UEFI-variable-filesystem.patch 0002-efi-Handle-deletions-and-size-changes-in-efivarfs_w.patch 0003-efi-add-efivars-kobject-to-efi-sysfs-folder.patch 0004-efivarfs-Add-documentation-for-the-EFI-variable-fil.patch 0005-efivarfs-efivarfs_file_read-ensure-we-free-data-in.patch 0006-efivarfs-efivarfs_create-ensure-we-drop-our-refer.patch 0007-efivarfs-efivarfs_fill_super-fix-inode-reference.patch 0008-efivarfs-efivarfs_fill_super-ensure-we-free-our-t.patch 0009-efivarfs-efivarfs_fill_super-ensure-we-clean-up-c.patch 0010-efivarfs-Implement-exclusive-access-for-get-set-_v.patch 0011-efivarfs-Return-an-error-if-we-fail-to-read-a-variab.patch 0012-efi-Clarify-GUID-length-calculations.patch 0013-efivarfs-Replace-magic-number-with-sizeof-attributes.patch 0014-efivarfs-Add-unique-magic-number.patch 0015-efivarfs-Make-datasize-unsigned-long.patch 0016-efivarfs-Return-a-consistent-error-when-efivarfs_get.patch 0017-efivarfs-Fix-return-value-of-efivarfs_file_write.patch 0018-efivarfs-Use-query_variable_info-to-limit-kmalloc.patch 0019-efivarfs-Make-efivarfs_fill_super-static.patch [1] /lib/systemd/system/sys-firmware-efi-efivars.mount (already sent to systemd mailing list for review) [Unit] Description=EFI Variables File System Documentation=https://www.kernel.org/doc/Documentation/filesystems/efivarfs… DefaultDependencies=no ConditionPathExists=/sys/firmware/efi/efivars Before=sysinit.target [Mount] What=efivarfs Where=/sys/firmware/efi/efivars Type=efivarfs [2] create.c #include <stdio.h> #include <string.h> #include <stdint.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <linux/limits.h> #include "def.h" int main () { const char *variable_name = "TestVar"; char file_path[PATH_MAX]; int fd, flags; mode_t mode; uint32_t attribute; char buffer[1024 + 4]; int i; snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID); flags = O_CREAT | O_WRONLY; mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; fd = open (file_path, flags, mode); if (fd < 0) { fprintf (stderr, "Failed to open %s\n", file_path); return -1; } attribute = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS; memcpy (buffer, &attribute, sizeof(uint32_t)); for (i = 0; i < 1024; i++) buffer[i+4] = 'a'; if (write (fd, buffer, 1024 + 4) != (1024 + 4)) { fprintf (stderr, "Failed to write\n"); } close (fd); return 0; } [3] delete.c #include <stdio.h> #include <unistd.h> #include <linux/limits.h> #include "def.h" int main () { const char *variable_name = "TestVar"; char file_path[PATH_MAX]; snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID); unlink (file_path); return 0; } -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

9 years, 4 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openSUSE Kernel January 2013