Hi!
I'm wondering why CONFIG_CC_STACKPROTECTOR is disabled on openSUSE.
Debian and Fedora seem to enable it by default.
What's the deal?
--
Thanks,
//richard
--
To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org
Hello,
- I noticed in the build log [1] that the x86_64 version build ran out
of space (resubmit?); the i586 one succeeded.
- Also v 3.7.5 patch is listed
http://www.kernel.org/pub/linux/kernel/v3.0/patch-3.7.5.bz2.
Thanks Glenn
[1]https://build.opensuse.org/package/live_build_log?arch=x86_64&package=ker…
..
[ 7181s] Unable to write payload to
/home/abuild/rpmbuild/RPMS/x86_64/kernel-vanilla-debuginfo-3.7.4-1.1.x86_64.rpm:
[ 7184s] [ 7153.679247] SysRq : Power Off
--
Hi,
ppc64 flavor was replaced by kernel-default.
I think now kernel-default on ppc64 should obsolete kernel-ppc64, to
make upgrade from 12.2 -> Factory/12.3 smoother.
Is this kind of report enough, or should I come up with a patch or file a bug?
Have fun,
Dinar
--
Hi all,
In the past 2 weeks, I backported 5 patches to support UEFI secure boot and also sent them to
opensuse-kernel for every expert's review:
[PATCH 0/11] Backported patches to lock down functions in secure boot [1]
[PATCH 0/2] Backported patches for prepare KMP kernel module sign [2]
[PATCH 0/4] Backported patches for support driver firmware sign [3]
[PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN) [4]
[PATCH 0/19] Backported patches for support UEFI variable filesystem [5]
Now I have cloned the kernel-source of openSUSE 12.3 and pushed those backported patches to this branch:
https://gitorious.org/~joeyli/opensuse/joeylis-kernel-source/commits/openSU…
I also pushed the kernel source to OBS to build kernel RPMs:
https://build.opensuse.org/project/show?project=home%3Ajoeyli%3Abranches%3A…
Those kernel RPMs are for anyone who wants to try the backported patches on openSUSE.
e.g.
We can set the 'secureboot_enable=1' kernel parameter to lock down some functions on a non-UEFI machine, then
monitor the openSUSE behavior.
or
We want to test the kernel module signing.
Thanks a lot!
Joey Lee
[1]
[PATCH 0/11] Backported patches to lock down functions in secure boot
Patch-mainline: Not yet, reviewing
References: none
Target: openSUSE 12.3
Test steps:
+ build; make modules_install; make install
+ add 'secureboot_enable=1' kernel parameter
Known issues on SLE (fixed):
+ xorg-x11-server needs the d01921ec18c21f21d377b606 patch to avoid
  'xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)'
Backported 11 patches to lock down functions in secure boot:
0001_Secure_boot:_Add_new_capability_v2.patch
0002_PCI:_Lock_down_BAR_access_in_secure_boot_environments_v2.patch
0003_x86:_Lock_down_IO_port_access_in_secure_boot_environments_v2.patch
0004_ACPI:_Limit_access_to_custom_method_v2.patch
0005_asus-wmi:_Restrict_debugfs_interface_v2.patch
0006_Restrict__dev_mem_and__dev_kmem_in_secure_boot_setups_v2.patch
0007_Secure_boot:_Add_a_dummy_kernel_parameter_that_will_switch_on_Secure_Boot_mode_v2.patch
0008_efi:_Enable_secure_boot_lockdown_automatically_when_enabled_in_firmware_v2.patch
0009_acpi:_Ignore_acpi_rsdp_kernel_parameter_in_a_secure_boot_environment_v2.patch
0010_SELinux:_define_mapping_for_new_Secure_Boot_capability_v2.patch
0011-hibernate-Disable-in-a-Secure-Boot-environment.patch
[2]
[PATCH 0/2] Backported patches for prepare KMP kernel module sign
Patch-mainline: v3.8-rc?
References: none
Target: openSUSE 12.3
Backported 2 patches to prepare KMP kernel module signing:
0001-MODSIGN-Avoid-using-.incbin-in-C-source.patch
0002-MODSIGN-Drop-ccache-hack.patch
[3]
[PATCH 0/4] Backported patches for support driver firmware sign
Patch-mainline: Not yet, reviewing (contributed by Takashi)
Target: openSUSE 12.3
Test steps:
+ select the following kernel config:
    Enable loadable module support ->
        Module signature verification
        Require modules to be validly signed
        Which hash algorithm should modules be signed with? --->
    Device Drivers --->
        Generic Driver Options --->
            Firmware signature verification (NEW)
+ mkinitrd needs this patch [1]
+ build; make modules_install; make firmware_install; make install
+ check /lib/modules/3.0.51-default/; it should have *.sig files
+ We can also test manually signing a firmware file:
    # ./scripts/sign-file -f -v signing_key.priv signing_key.x509 /lib/firmware/rtl_nic/rtl8105e-1.fw
Takashi's driver firmware signing patch set is under review upstream; I backported it to openSUSE 12.3 for
more testing.
Backported 4 patches for support driver firmware sign
Driver firmware sign (from Takashi, reviewing on upstream):
Not yet:
0001-firmware:_Add_the_firmware_signing_support_to_scripts_sign-file.patch
0002-firmware:_Add_-a_option_to_scripts_sign-file.patch
0003-firmware:_Add_support_for_signature_checks.patch
0004-firmware:_Install_firmware_signature_files_automatically.patch
[1]
Index: mkinitrd-2.4.2/scripts/setup-modules.sh
===================================================================
--- mkinitrd-2.4.2.orig/scripts/setup-modules.sh
+++ mkinitrd-2.4.2/scripts/setup-modules.sh
@@ -375,6 +375,10 @@ for module in $resolved_modules; do
has_firmware=true
fi
echo -n "$fw "
+ if test -e "$dir/$subdir/$fw.sig"; then
+ cp -p --parents "$_" "$tmp_mnt"
+ echo -n "$fw.sig "
+ fi
fi
done
done
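Review bot: In the added `cp -p --parents "$_" "$tmp_mnt"` line, `$_` only holds the signature path because the preceding `test -e` happened to take it as its last argument; it is a shell-specific parameter, and any command later inserted between the two lines silently changes what gets copied into the initrd. Spell the path out as `"$dir/$subdir/$fw.sig"` so the copy does not depend on statement order.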
[4]
[PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN)
Patch-mainline: Not yet, from Fedora 18 kernel
References: fate#314574
Target: SLE-11 SP3
Tested-on: qemu-kvm with OVMF UEFI BIOS
Test steps:
+ enable the following kernel configs:
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_BLACKLIST=y
CONFIG_MODULE_SIG_UEFI=y
+ build
+ make modules_install; make install
  When we run make modules_install, the script signs the kernel modules.
+ copy vmlinuz binary to efi folder:
# mv /boot/vmlinuz-3.0.53-default /boot/efi/vmlinuz-3.0.53-default.efi
+ boot kvm image with UEFI BIOS, enroll key to db, dbx
+ boot kvm image to SUSE, enroll key to MokList by mokutil
+ reboot system, go to UEFI shell
+ run vmlinuz-3.0.53-default.efi STUB kernel, the boot message should show:
[ 0.157219] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.module_sign'
[ 0.159674] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.modsign_blacklist'
Backported 7 patches for load key of module sign from db, dbx and MokList (MODSIGN):
0001-modsign-Always-enforce-module-signing-in-a-Secure-Boot.patch
0002-Add-EFI-signature-data-types.patch
0003-Add-an-EFI-signature-blob-parser-and-key-loader.patch
0004-EFI-Add-in-kernel-variable-to-determine-if-Secure-Boot-is-enabled.patch
0005-MODSIGN-Add-module-certificate-blacklist-keyring.patch
0006-MODSIGN-Import-certificates-from-UEFI-Secure-Boot-v3.patch
0007-Dont-soft-lockup-on-bad-EFI-signature-lists.patch
[5]
Patch-mainline: v3.8-rc1..v3.8-rc3
Target: openSUSE 12.3
Test steps:
+ build; make modules_install; make install
+ mount -t efivarfs none /sys/firmware/efi/efivars/
or create file
/lib/systemd/system/sys-firmware-efi-efivars.mount [1]
+ ls /sys/firmware/efi/efivars will show all EFI variables
+ Try the small create[2]/delete[3] programs from Gary Lin
  The create program creates an EFI variable named TestVar, which we can
  then see show up in /sys/firmware/efi/efivars. The delete program can
  remove it.
Backported 19 patches:
0001-efi-Add-support-for-a-UEFI-variable-filesystem.patch
0002-efi-Handle-deletions-and-size-changes-in-efivarfs_w.patch
0003-efi-add-efivars-kobject-to-efi-sysfs-folder.patch
0004-efivarfs-Add-documentation-for-the-EFI-variable-fil.patch
0005-efivarfs-efivarfs_file_read-ensure-we-free-data-in.patch
0006-efivarfs-efivarfs_create-ensure-we-drop-our-refer.patch
0007-efivarfs-efivarfs_fill_super-fix-inode-reference.patch
0008-efivarfs-efivarfs_fill_super-ensure-we-free-our-t.patch
0009-efivarfs-efivarfs_fill_super-ensure-we-clean-up-c.patch
0010-efivarfs-Implement-exclusive-access-for-get-set-_v.patch
0011-efivarfs-Return-an-error-if-we-fail-to-read-a-variab.patch
0012-efi-Clarify-GUID-length-calculations.patch
0013-efivarfs-Replace-magic-number-with-sizeof-attributes.patch
0014-efivarfs-Add-unique-magic-number.patch
0015-efivarfs-Make-datasize-unsigned-long.patch
0016-efivarfs-Return-a-consistent-error-when-efivarfs_get.patch
0017-efivarfs-Fix-return-value-of-efivarfs_file_write.patch
0018-efivarfs-Use-query_variable_info-to-limit-kmalloc.patch
0019-efivarfs-Make-efivarfs_fill_super-static.patch
[1]
/lib/systemd/system/sys-firmware-efi-efivars.mount (already sent to
systemd mailing list for review)
[Unit]
Description=EFI Variables File System
Documentation=https://www.kernel.org/doc/Documentation/filesystems/efivarfs…
DefaultDependencies=no
ConditionPathExists=/sys/firmware/efi/efivars
Before=sysinit.target
[Mount]
What=efivarfs
Where=/sys/firmware/efi/efivars
Type=efivarfs
[2]
create.c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/limits.h>
/* def.h is not included in this mail; it has to provide EFIVARS_FS,
 * MY_GUID and the EFI_VARIABLE_* attribute flags used below. */
#include "def.h"

int
main ()
{
  const char *variable_name = "TestVar";
  char file_path[PATH_MAX];
  int fd, flags;
  mode_t mode;
  uint32_t attribute;
  char buffer[1024 + 4];
  int i;

  /* efivarfs file names have the form <name>-<guid>. */
  snprintf (file_path, PATH_MAX, "%s%s-%s",
            EFIVARS_FS, variable_name, MY_GUID);

  flags = O_CREAT | O_WRONLY;
  mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
  fd = open (file_path, flags, mode);
  if (fd < 0) {
    fprintf (stderr, "Failed to open %s\n", file_path);
    return -1;
  }

  /* The file content is the 32-bit attribute word followed by the data. */
  attribute = EFI_VARIABLE_NON_VOLATILE |
              EFI_VARIABLE_BOOTSERVICE_ACCESS |
              EFI_VARIABLE_RUNTIME_ACCESS;
  memcpy (buffer, &attribute, sizeof(uint32_t));
  for (i = 0; i < 1024; i++)
    buffer[i+4] = 'a';

  /* Attributes and data have to go out in a single write. */
  if (write (fd, buffer, 1024 + 4) != (1024 + 4)) {
    fprintf (stderr, "Failed to write\n");
    close (fd);
    return -1;
  }

  close (fd);
  return 0;
}
[3]
delete.c
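#include <stdio.h>
#include <unistd.h>
#include <linux/limits.h>
/* def.h is not included in this mail; it has to provide EFIVARS_FS and MY_GUID. */
#include "def.h"

int
main ()
{
  const char *variable_name = "TestVar";
  char file_path[PATH_MAX];

  snprintf (file_path, PATH_MAX, "%s%s-%s",
            EFIVARS_FS, variable_name, MY_GUID);

  /* Removing the efivarfs file deletes the EFI variable. */
  if (unlink (file_path) < 0) {
    fprintf (stderr, "Failed to delete %s\n", file_path);
    return -1;
  }
  return 0;
}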
--
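Added example (not part of the original mail and not Gary Lin's code): the efivarfs layout that create.c writes, a 32-bit attribute word followed by the data, parsed from the reading side to report the firmware's SecureBoot variable. The helper names efivar_split and secure_boot_state are made up for this example, and the path assumes efivarfs is mounted at /sys/firmware/efi/efivars as in the test steps.

```c
#include <stdint.h>
#include <stdio.h>

/* Attribute bit from the UEFI specification (create.c takes it from def.h). */
#define EFI_VARIABLE_NON_VOLATILE 0x00000001u

/* SecureBoot under the EFI global variable GUID, as efivarfs names it. */
#define SECUREBOOT_PATH "/sys/firmware/efi/efivars/" \
    "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

/* Split an efivarfs file image; -1 if shorter than the 4-byte header. */
int efivar_split(const uint8_t *buf, size_t len, uint32_t *attr,
                 const uint8_t **data, size_t *data_len)
{
    if (buf == NULL || len < 4)
        return -1;
    /* The attribute word sits in front of the data (little-endian on x86). */
    *attr = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
            (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    *data = buf + 4;
    *data_len = len - 4;
    return 0;
}

/* 1 = Secure Boot enabled, 0 = disabled, -1 = not a valid SecureBoot image. */
int secure_boot_state(const uint8_t *buf, size_t len)
{
    uint32_t attr;
    const uint8_t *data;
    size_t data_len;

    if (efivar_split(buf, len, &attr, &data, &data_len) != 0 || data_len != 1)
        return -1;
    /* The spec defines SecureBoot as volatile (BS|RT); reject an NV copy. */
    if (attr & EFI_VARIABLE_NON_VOLATILE)
        return -1;
    return data[0] == 1;
}

int main(void)
{
    uint8_t buf[16] = {0};
    FILE *f = fopen(SECUREBOOT_PATH, "rb");
    size_t n = f ? fread(buf, 1, sizeof buf, f) : 0;
    if (f)
        fclose(f);
    printf("SecureBoot state: %d\n", secure_boot_state(buf, n));
    return 0;
}
```

On a machine without efivarfs mounted the file cannot be opened and the program prints -1.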
Heya !
# cat /boot/sysctl.conf-3.8.0-rc4-1-desktop
# The desktop workload is sensitive to latency, so start writeout earlier
# (bnc#552883)
sys.vm.dirty_ratio=20
but sys.vm.dirty_ratio is not a valid sysctl option .. should be
vm.dirty_ratio=20 instead.
JYI ;)
--
Hi,
Are you aiming for 3.8 or will we stick with 3.7.X? Next week
I want to release Beta1 and it should have the correct code line
for the kernel. If your choice is 3.8, then we should go to RC2
IMO.
Greetings, Stephan
--
Patch-mainline: Not yet, reviewing (contributed by Takashi)
Target: openSUSE 12.3
Test steps:
+ select the following kernel config:
    Enable loadable module support ->
        Module signature verification
        Require modules to be validly signed
        Which hash algorithm should modules be signed with? --->
    Device Drivers --->
        Generic Driver Options --->
            Firmware signature verification (NEW)
+ mkinitrd needs this patch [1]
+ build; make modules_install; make firmware_install; make install
+ check /lib/modules/3.0.51-default/; it should have *.sig files
+ We can also test manually signing a firmware file:
    # ./scripts/sign-file -f -v signing_key.priv signing_key.x509 /lib/firmware/rtl_nic/rtl8105e-1.fw
Takashi's driver firmware signing patch set is under review upstream; I backported it to openSUSE 12.3 for
more testing.
Backported 4 patches for support driver firmware sign
Driver firmware sign (from Takashi, reviewing on upstream):
Not yet:
0001-firmware:_Add_the_firmware_signing_support_to_scripts_sign-file.patch
0002-firmware:_Add_-a_option_to_scripts_sign-file.patch
0003-firmware:_Add_support_for_signature_checks.patch
0004-firmware:_Install_firmware_signature_files_automatically.patch
[1]
Index: mkinitrd-2.4.2/scripts/setup-modules.sh
===================================================================
--- mkinitrd-2.4.2.orig/scripts/setup-modules.sh
+++ mkinitrd-2.4.2/scripts/setup-modules.sh
@@ -375,6 +375,10 @@ for module in $resolved_modules; do
has_firmware=true
fi
echo -n "$fw "
+ if test -e "$dir/$subdir/$fw.sig"; then
+ cp -p --parents "$_" "$tmp_mnt"
+ echo -n "$fw.sig "
+ fi
fi
done
done
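Review bot: The added `echo -n "$fw.sig "` runs whether or not the `cp -p --parents` before it succeeded, and the block stays silent when no `.sig` file exists next to the firmware. Chain the echo on the copy's success and add an `else` branch that warns when a firmware file goes into the initrd without its signature, so a missing or uncopied signature is visible in the mkinitrd output.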
--
Hi,
This patch backports the patch from commit b9ed9f0ecf1b5675c64d069e9b53effe276b6f01 to fix an include error for drm_mode.h.
This is needed to fix kernel-omap2plus build.
Signed-off-by: Guillaume GARDET <guillaume.gardet(a)opensuse.org>
Regards,
Guillaume