January 2013 - openSUSE Kernel - openSUSE Mailing Lists

[opensuse-kernel] CONFIG_CC_STACKPROTECTOR
by richard -rw- weinberger 14 Dec '13

14 Dec '13

Hi! I'm wondering why CONFIG_CC_STACKPROTECTOR is disabled on openSUSE. Debian and Fedora seem to enabled it per default. What's the deal? -- Thanks, //richard -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

7 17

[opensuse-kernel] build space ran out on one build, and can Kernel:stable be updated with kernel 3.7.5 patch
by doiggl＠velocitynet.com.au 20 Feb '13

20 Feb '13

Hello, - I noticed this in the build log of [1] the x86_86 version build run out of space -resubmit ?? , the i586 succeeded. - Also v 3.7.5 patch is listed http://www.kernel.org/pub/linux/kernel/v3.0/patch-3.7.5.bz2. Thanks Glenn [1]https://build.opensuse.org/package/live_build_log?arch=x86_64&package=ker… .. [ 7181s] Unable to write payload to /home/abuild/rpmbuild/RPMS/x86_64/kernel-vanilla-debuginfo-3.7.4-1.1.x86_64.rpm: [ 7184s] [ 7153.679247] SysRq : Power Off -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

5 7

[opensuse-kernel] Make kernel-default obsolete kernel-ppc64
by Dinar Valeev 04 Feb '13

04 Feb '13

Hi, ppc64 flavor was replaced by kernel-default. I think now kernel-default on ppc64 should obsolete kernel-ppc64, to make upgrade from 12.2 -> Factory/12.3 smoother. Is such kind of report is enough or I should come up with a patch or file a bug? Have fun, Dinar -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

2 1

[opensuse-kernel] openSUSE kernel of UEFI secure boot for testing
by joeyli 31 Jan '13

31 Jan '13

Hi all, In the past of 2 weeks, I backported 5 patches for support UEFI secure boot and also sent to opensuse-kernel for every experts review: [PATCH 0/11] Backported patches to lock down functions in secure boot [1] [PATCH 0/2] Backported patches for prepare KMP kernel module sign [2] [PATCH 0/4] Backported patches for support driver firmware sign [3] [PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN) [4] [PATCH 0/19] Backported patches for support UEFI variable filesystem [5] Now, I clone a kernel-source of openSUSE 12.3 and pushed those backported patches to this branch: https://gitorious.org/~joeyli/opensuse/joeylis-kernel-source/commits/openSU… And, I also push kernel source to OBS for build out kernel RPMs: https://build.opensuse.org/project/show?project=home%3Ajoeyli%3Abranches%3A… Those kernel RPMs are for anyone want to try the backported patches on openSUSE. e.g. We can set 'secureboot_enable=1' kernel parameter to lock down some functions on non-UEFI machine, then monitor the openSUSE behavior. or We want test the kernel module sign. Thanks a lot! Joey Lee [1] [PATCH 0/11] Backported patches to lock down functions in secure boot Patch-mainline: Not yet, reviewing References: none Target: openSUSE 12.3 Test steps: + build; make modules_install; make install + add 'secureboot_enable=1' kernel parameter Known issues on SLE (fixed): + xorg-x11-server need d01921ec18c21f21d377b606 patch for avoid 'xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)' Backported 11 patches to lock down functions in secure boot: 0001_Secure_boot:_Add_new_capability_v2.patch 0002_PCI:_Lock_down_BAR_access_in_secure_boot_environments_v2.patch 0003_x86:_Lock_down_IO_port_access_in_secure_boot_environments_v2.patch 0004_ACPI:_Limit_access_to_custom_method_v2.patch 0005_asus-wmi:_Restrict_debugfs_interface_v2.patch 0006_Restrict__dev_mem_and__dev_kmem_in_secure_boot_setups_v2.patch 0007_Secure_boot:_Add_a_dummy_kernel_parameter_that_will_switch_on_Secure_Boot_mode_v2.patch 0008_efi:_Enable_secure_boot_lockdown_automatically_when_enabled_in_firmware_v2.patch 0009_acpi:_Ignore_acpi_rsdp_kernel_parameter_in_a_secure_boot_environment_v2.patch 0010_SELinux:_define_mapping_for_new_Secure_Boot_capability_v2.patch 0011-hibernate-Disable-in-a-Secure-Boot-environment.patch [2] [PATCH 0/2] Backported patches for prepare KMP kernel module sign Patch-mainline: v3.8-rc? References: none Target: openSUSE 12.3 Backported 2 patches for for prepare KMP kernel module sign: 0001-MODSIGN-Avoid-using-.incbin-in-C-source.patch 0002-MODSIGN-Drop-ccache-hack.patch [3] [PATCH 0/4] Backported patches for support driver firmware sign Patch-mainline: Not yet, reviewing (contributed by Takashi) Target: openSUSE 12.3 Test steps: + select the following kernel config: Enable loadable module support -> Module signature verification Require modules to be validly signed Which hash algorithm should modules be signed with? ---> Device Drivers ---> Generic Driver Options ---> Firmware signature verification (NEW) + mkinitrd need this patch [1] + build; make modules_install; make firmware_install; make install + check the /lib/modules/3.0.51-default/, should have *.sig file + We can also test manually sign a firmware file: # ./scripts/sign-file -f -v signing_key.priv signing_key.x509 /lib/firmware/rtl_nic/rtl8105e-1.fw Takashi's patch set of driver firmware sign is reviewing on upstream, I backported it to openSUSE 12.3 for more testing. Backported 4 patches for support driver firmware sign Driver firmware sign (from Takashi, reviewing on upstream): Not yet: 0001-firmware:_Add_the_firmware_signing_support_to_scripts_sign-file.patch 0002-firmware:_Add_-a_option_to_scripts_sign-file.patch 0003-firmware:_Add_support_for_signature_checks.patch 0004-firmware:_Install_firmware_signature_files_automatically.patch [1] Index: mkinitrd-2.4.2/scripts/setup-modules.sh =================================================================== --- mkinitrd-2.4.2.orig/scripts/setup-modules.sh +++ mkinitrd-2.4.2/scripts/setup-modules.sh @@ -375,6 +375,10 @@ for module in $resolved_modules; do has_firmware=true fi echo -n "$fw " + if test -e "$dir/$subdir/$fw.sig"; then + cp -p --parents "$_" "$tmp_mnt" + echo -n "$fw.sig " + fi fi done done [4] [PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN) Patch-mainline: Not yet, from Fedora 18 kernel References: fate#314574 Target: SLE-11 SP3 Tested-on: qemu-kvm with OVMF UEFI BIOS Test steps: + enable the following kernel configs: CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_BLACKLIST=y CONFIG_MODULE_SIG_UEFI=y + build + make modules_install; make install When we do make modules_install, script will do the kernel modules sign. + copy vmlinuz binary to efi folder: # mv /boot/vmlinuz-3.0.53-default /boot/efi/vmlinuz-3.0.53-default.efi + boot kvm image with UEFI BIOS, enroll key to db, dbx + boot kvm image to SUSE, enroll key to MokList by mokutil + reboot system, go to UEFI shell + run vmlinuz-3.0.53-default.efi STUB kernel, the boot message should show: [ 0.157219] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.module_sign' [ 0.159674] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.modsign_blacklist' Backported 7 patches for load key of module sign from db, dbx and MokList (MODSIGN): 0001-modsign-Always-enforce-module-signing-in-a-Secure-Boot.patch 0002-Add-EFI-signature-data-types.patch 0003-Add-an-EFI-signature-blob-parser-and-key-loader.patch 0004-EFI-Add-in-kernel-variable-to-determine-if-Secure-Boot-is-enabled.patch 0005-MODSIGN-Add-module-certificate-blacklist-keyring.patch 0006-MODSIGN-Import-certificates-from-UEFI-Secure-Boot-v3.patch 0007-Dont-soft-lockup-on-bad-EFI-signature-lists.patch [5] Patch-mainline: v3.8-rc1..v3.8-rc3 Target: openSUSE 12.3 Test steps: + build; make modules_install; make install + mount -t efivarfs none /sys/firmware/efi/efivars/ or create file /lib/systemd/system/sys-firmware-efi-efivars.mount [1] + ls /sys/firmware/efi/efivars will show up all EFI variables + Try the small create[2]/delete[3] programs from Gary Lin The create program will create a EFI variable is TestVar, then we can see it show up in /sys/firmware/efi/efivars. And, delete program can remove it. Backported 19 patches: 0001-efi-Add-support-for-a-UEFI-variable-filesystem.patch 0002-efi-Handle-deletions-and-size-changes-in-efivarfs_w.patch 0003-efi-add-efivars-kobject-to-efi-sysfs-folder.patch 0004-efivarfs-Add-documentation-for-the-EFI-variable-fil.patch 0005-efivarfs-efivarfs_file_read-ensure-we-free-data-in.patch 0006-efivarfs-efivarfs_create-ensure-we-drop-our-refer.patch 0007-efivarfs-efivarfs_fill_super-fix-inode-reference.patch 0008-efivarfs-efivarfs_fill_super-ensure-we-free-our-t.patch 0009-efivarfs-efivarfs_fill_super-ensure-we-clean-up-c.patch 0010-efivarfs-Implement-exclusive-access-for-get-set-_v.patch 0011-efivarfs-Return-an-error-if-we-fail-to-read-a-variab.patch 0012-efi-Clarify-GUID-length-calculations.patch 0013-efivarfs-Replace-magic-number-with-sizeof-attributes.patch 0014-efivarfs-Add-unique-magic-number.patch 0015-efivarfs-Make-datasize-unsigned-long.patch 0016-efivarfs-Return-a-consistent-error-when-efivarfs_get.patch 0017-efivarfs-Fix-return-value-of-efivarfs_file_write.patch 0018-efivarfs-Use-query_variable_info-to-limit-kmalloc.patch 0019-efivarfs-Make-efivarfs_fill_super-static.patch [1] /lib/systemd/system/sys-firmware-efi-efivars.mount (already sent to systemd mailing list for review) [Unit] Description=EFI Variables File System Documentation=https://www.kernel.org/doc/Documentation/filesystems/efivarfs… DefaultDependencies=no ConditionPathExists=/sys/firmware/efi/efivars Before=sysinit.target [Mount] What=efivarfs Where=/sys/firmware/efi/efivars Type=efivarfs [2] create.c #include <stdio.h> #include <string.h> #include <stdint.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <linux/limits.h> #include "def.h" int main () { const char *variable_name = "TestVar"; char file_path[PATH_MAX]; int fd, flags; mode_t mode; uint32_t attribute; char buffer[1024 + 4]; int i; snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID); flags = O_CREAT | O_WRONLY; mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; fd = open (file_path, flags, mode); if (fd < 0) { fprintf (stderr, "Failed to open %s\n", file_path); return -1; } attribute = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS; memcpy (buffer, &attribute, sizeof(uint32_t)); for (i = 0; i < 1024; i++) buffer[i+4] = 'a'; if (write (fd, buffer, 1024 + 4) != (1024 + 4)) { fprintf (stderr, "Failed to write\n"); } close (fd); return 0; } [3] delete.c #include <stdio.h> #include <unistd.h> #include <linux/limits.h> #include "def.h" int main () { const char *variable_name = "TestVar"; char file_path[PATH_MAX]; snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID); unlink (file_path); return 0; } -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

1 0

[opensuse-kernel] wrong sysctl entries in desktop kernel
by Cristian Rodríguez 29 Jan '13

29 Jan '13

Heya ! # cat /boot/sysctl.conf-3.8.0-rc4-1-desktop # The desktop workload is sensitive to latency, so start writeout earlier # (bnc#552883) sys.vm.dirty_ratio=20 but sys.vm.dirty_ratio is not a valid sysctl option .. should be vm.dirty_ratio=20 instead. JYI ;) -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

3 5

[opensuse-kernel] [PATCH] kernel-binary.spec.in: Force kernel options required by systemd
by Cristian Rodríguez 23 Jan '13

23 Jan '13

Without this options, any system that boots with systemd will either not work or be functionally crippled. --- rpm/kernel-binary.spec.in | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index c6794a2..ae1204f 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -260,13 +260,21 @@ fi %build_src_dir/scripts/config \ --set-str CONFIG_LOCALVERSION %release_num-%build_flavor \ --enable CONFIG_SUSE_KERNEL \ +%if 0%{?suse_version} > 1210 + --enable CONFIG_IPV6 \ + --enable CONFIG_AUTOFS4_FS \ + --enable CONFIG_CGROUPS \ + --enable CONFIG_FANOTIFY \ + --enable CONFIG_DEVTMPFS \ + --enable CONFIG_DEVTMPFS_MOUNT \ + --enable CONFIG_NAMESPACES \ +%endif %if 0%{?__debug_package:1} --enable CONFIG_DEBUG_INFO \ --disable CONFIG_DEBUG_INFO_REDUCED %else --disable CONFIG_DEBUG_INFO %endif - MAKE_ARGS="$MAKE_ARGS -C %build_src_dir O=$PWD" if test -e %_sourcedir/TOLERATE-UNKNOWN-NEW-CONFIG-OPTIONS; then yes '' | make oldconfig $MAKE_ARGS -- 1.8.0.2 -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

3 7

[opensuse-kernel] openSUSE 12.3 kernel
by Stephan Kulow 21 Jan '13

21 Jan '13

Hi, Are you aiming for 3.8 or will we stick with 3.7.X? Next week I want to release Beta1 and it should have the correct code line for the kernel. If your choice is 3.8, then we should go to RC2 IMO. Greetings, Stephan -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

5 22

[opensuse-kernel] [PATCH 0/4] Backported patches for support driver firmware sign
by Lee, Chun-Yi 18 Jan '13

18 Jan '13

Patch-mainline: Not yet, reviewing (contributed by Takashi) Target: openSUSE 12.3 Test steps: + select the following kernel config: Enable loadable module support -> Module signature verification Require modules to be validly signed Which hash algorithm should modules be signed with? ---> Device Drivers ---> Generic Driver Options ---> Firmware signature verification (NEW) + mkinitrd need this patch [1] + build; make modules_install; make firmware_install; make install + check the /lib/modules/3.0.51-default/, should have *.sig file + We can also test manually sign a firmware file: # ./scripts/sign-file -f -v signing_key.priv signing_key.x509 /lib/firmware/rtl_nic/rtl8105e-1.fw Takashi's patch set of driver firmware sign is reviewing on upstream, I backported it to openSUSE 12.3 for more testing. Backported 4 patches for support driver firmware sign Driver firmware sign (from Takashi, reviewing on upstream): Not yet: 0001-firmware:_Add_the_firmware_signing_support_to_scripts_sign-file.patch 0002-firmware:_Add_-a_option_to_scripts_sign-file.patch 0003-firmware:_Add_support_for_signature_checks.patch 0004-firmware:_Install_firmware_signature_files_automatically.patch [1] Index: mkinitrd-2.4.2/scripts/setup-modules.sh =================================================================== --- mkinitrd-2.4.2.orig/scripts/setup-modules.sh +++ mkinitrd-2.4.2/scripts/setup-modules.sh @@ -375,6 +375,10 @@ for module in $resolved_modules; do has_firmware=true fi echo -n "$fw " + if test -e "$dir/$subdir/$fw.sig"; then + cp -p --parents "$_" "$tmp_mnt" + echo -n "$fw.sig " + fi fi done done -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

6 17

[opensuse-kernel] [PATCH] backport patch from commit b9ed9f0ecf1b5675c64d069e9b53effe276b6f01 to fix include error for drm_mode.h
by Guillaume Gardet 17 Jan '13

17 Jan '13

Hi, This patch backport patch from commit b9ed9f0ecf1b5675c64d069e9b53effe276b6f01 to fix include error for drm_mode.h This is needed to fix kernel-omap2plus build. Signed-off-by: Guillaume GARDET <guillaume.gardet(a)opensuse.org> Regards, Guillaume

3 4

[opensuse-kernel] [PATCH 0/19] Backported patches for support UEFI variable filesystem
by Lee, Chun-Yi 17 Jan '13

17 Jan '13

Patch-mainline: v3.8-rc1..v3.8-rc3 Target: openSUSE 12.3 Test steps: + build; make modules_install; make install + mount -t efivarfs none /sys/firmware/efi/efivars/ or create file /lib/systemd/system/sys-firmware-efi-efivars.mount [1] + ls /sys/firmware/efi/efivars will show up all EFI variables + Try the small create[2]/delete[3] programs from Gary Lin The create program will create a EFI variable is TestVar, then we can see it show up in /sys/firmware/efi/efivars. And, delete program can remove it. Backported 19 patches: 0001-efi-Add-support-for-a-UEFI-variable-filesystem.patch 0002-efi-Handle-deletions-and-size-changes-in-efivarfs_w.patch 0003-efi-add-efivars-kobject-to-efi-sysfs-folder.patch 0004-efivarfs-Add-documentation-for-the-EFI-variable-fil.patch 0005-efivarfs-efivarfs_file_read-ensure-we-free-data-in.patch 0006-efivarfs-efivarfs_create-ensure-we-drop-our-refer.patch 0007-efivarfs-efivarfs_fill_super-fix-inode-reference.patch 0008-efivarfs-efivarfs_fill_super-ensure-we-free-our-t.patch 0009-efivarfs-efivarfs_fill_super-ensure-we-clean-up-c.patch 0010-efivarfs-Implement-exclusive-access-for-get-set-_v.patch 0011-efivarfs-Return-an-error-if-we-fail-to-read-a-variab.patch 0012-efi-Clarify-GUID-length-calculations.patch 0013-efivarfs-Replace-magic-number-with-sizeof-attributes.patch 0014-efivarfs-Add-unique-magic-number.patch 0015-efivarfs-Make-datasize-unsigned-long.patch 0016-efivarfs-Return-a-consistent-error-when-efivarfs_get.patch 0017-efivarfs-Fix-return-value-of-efivarfs_file_write.patch 0018-efivarfs-Use-query_variable_info-to-limit-kmalloc.patch 0019-efivarfs-Make-efivarfs_fill_super-static.patch [1] /lib/systemd/system/sys-firmware-efi-efivars.mount (already sent to systemd mailing list for review) [Unit] Description=EFI Variables File System Documentation=https://www.kernel.org/doc/Documentation/filesystems/efivarfs… DefaultDependencies=no ConditionPathExists=/sys/firmware/efi/efivars Before=sysinit.target [Mount] What=efivarfs Where=/sys/firmware/efi/efivars Type=efivarfs [2] create.c #include <stdio.h> #include <string.h> #include <stdint.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <linux/limits.h> #include "def.h" int main () { const char *variable_name = "TestVar"; char file_path[PATH_MAX]; int fd, flags; mode_t mode; uint32_t attribute; char buffer[1024 + 4]; int i; snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID); flags = O_CREAT | O_WRONLY; mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; fd = open (file_path, flags, mode); if (fd < 0) { fprintf (stderr, "Failed to open %s\n", file_path); return -1; } attribute = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS; memcpy (buffer, &attribute, sizeof(uint32_t)); for (i = 0; i < 1024; i++) buffer[i+4] = 'a'; if (write (fd, buffer, 1024 + 4) != (1024 + 4)) { fprintf (stderr, "Failed to write\n"); } close (fd); return 0; } [3] delete.c #include <stdio.h> #include <unistd.h> #include <linux/limits.h> #include "def.h" int main () { const char *variable_name = "TestVar"; char file_path[PATH_MAX]; snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID); unlink (file_path); return 0; } -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org

1 19