From abb4ea464fc4934a04f2caf902467f6f67e03091 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 16 Aug 2024 15:08:45 -0400 Subject: [PATCH 01/13] Bump 5.10.5 kernel to 5.10.214 Cloudflare patches to speed up LUKS encryption were upstreamed into the linux kernel and backported to 5.10.9: https://github.com/cloudflare/linux/issues/1#issuecomment-763085915 Therefore, we bump to the latest 5.10.x (bump from 5.10.5 which doesn't contain the fixes) Trace: sed -i 's/5.10.5/5.10.214/g' boards/*/*.config find ./boards/*/*.config | awk -F "/" {'print $3'}| while read board; do echo "make BOARD=$board linux"; make BOARD=$board linux; echo make BOARD=$board linux.save_in_oldconfig_format_in_place || make BOARD=$board linux.modify_and_save_oldconfig_in_place; done git status | grep modified | awk -F ":" {'print $2'}| xargs git add git commit --signoff - Move patches from 5.10.5 -> 5.10.214 - Add linux kernel hash and version under modules/linux - Change board configs accordingly 
Signed-off-by: Thierry Laurion --- ...MAINTAINED_kgpe-d16_server-whiptail.config | 2 +- .../UNMAINTAINED_kgpe-d16_server.config | 2 +- ...D_kgpe-d16_workstation-usb_keyboard.config | 2 +- .../UNMAINTAINED_kgpe-d16_workstation.config | 2 +- boards/librem_l1um/librem_l1um.config | 2 +- .../qemu-coreboot-fbwhiptail-tpm1-hotp.config | 2 +- .../qemu-coreboot-fbwhiptail-tpm1.config | 2 +- .../qemu-coreboot-fbwhiptail-tpm2-hotp.config | 2 +- .../qemu-coreboot-fbwhiptail-tpm2.config | 2 +- .../qemu-coreboot-whiptail-tpm1-hotp.config | 2 +- .../qemu-coreboot-whiptail-tpm1.config | 2 +- .../qemu-coreboot-whiptail-tpm2-hotp.config | 2 +- .../qemu-coreboot-whiptail-tpm2.config | 2 +- .../t420-hotp-maximized.config | 2 +- boards/t420-maximized/t420-maximized.config | 2 +- .../t430-hotp-maximized.config | 2 +- boards/t430-maximized/t430-maximized.config | 2 +- boards/t440p-maximized/t440p-maximized.config | 2 +- .../t530-hotp-maximized.config | 2 +- boards/t530-maximized/t530-maximized.config | 2 +- .../w530-hotp-maximized.config | 2 +- boards/w530-maximized/w530-maximized.config | 2 +- boards/w541-maximized/w541-maximized.config | 2 +- .../x220-hotp-maximized.config | 2 +- boards/x220-maximized/x220-maximized.config | 2 +- .../x230-hotp-maximized-fhd_edp.config | 2 +- .../x230-hotp-maximized.config | 2 +- .../x230-hotp-maximized_usb-kb.config | 2 +- .../x230-maximized-fhd_edp.config | 2 +- boards/x230-maximized/x230-maximized.config | 2 +- .../z220-cmt-maximized.config | 2 +- config/linux-c216.config | 62 ++-- config/linux-kgpe-d16_server-whiptail.config | 274 +++++++++++++++-- config/linux-kgpe-d16_server.config | 277 ++++++++++++++++-- config/linux-kgpe-d16_workstation.config | 62 ++-- config/linux-librem_common.config | 60 ++-- config/linux-qemu.config | 67 +++-- config/linux-t440p.config | 62 ++-- config/linux-talos-2.config | 2 +- config/linux-w541.config | 62 ++-- config/linux-x230-flash.config | 45 ++- config/linux-x230-legacy.config | 60 ++-- 
config/linux-x230-maximized.config | 63 ++-- modules/linux | 6 +- .../0001-fake-acpi.patch | 0 .../0002-nmi-squelch.patch | 0 .../0003-fake-trampoline.patch | 0 .../0010-winterfell-ahci.patch | 0 patches/linux-5.10.214/shebangs.patch | 40 +++ ...ubcmd_Fix_use-after-free-for-realloc.patch | 64 ---- patches/linux-5.10.5/shebangs.patch | 100 ------- 51 files changed, 940 insertions(+), 428 deletions(-) rename patches/{linux-5.10.5 => linux-5.10.214}/0001-fake-acpi.patch (100%) rename patches/{linux-5.10.5 => linux-5.10.214}/0002-nmi-squelch.patch (100%) rename patches/{linux-5.10.5 => linux-5.10.214}/0003-fake-trampoline.patch (100%) rename patches/{linux-5.10.5 => linux-5.10.214}/0010-winterfell-ahci.patch (100%) create mode 100644 patches/linux-5.10.214/shebangs.patch delete mode 100644 patches/linux-5.10.5/0004-libsubcmd_Fix_use-after-free-for-realloc.patch delete mode 100644 patches/linux-5.10.5/shebangs.patch diff --git a/boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config b/boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config index 3a847c260..8fc8b55d1 100644 --- a/boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config +++ b/boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config @@ -19,7 +19,7 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.11 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server-whiptail.config CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server-whiptail.config diff --git a/boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config b/boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config index 5f363add8..7b905ecde 100644 --- a/boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config +++ b/boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config 
@@ -17,7 +17,7 @@ # - Please support https://github.com/osresearch/heads/issues/719 export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.11 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server.config CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server.config diff --git a/boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config b/boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config index 235d579ab..dbe8b3855 100644 --- a/boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config +++ b/boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config @@ -13,7 +13,7 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.11 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation-usb_keyboard.config CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_workstation.config diff --git a/boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config b/boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config index e927edabc..77eae6877 100644 --- a/boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config +++ b/boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config @@ -17,7 +17,7 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.11 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation.config CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_workstation.config diff --git a/boards/librem_l1um/librem_l1um.config b/boards/librem_l1um/librem_l1um.config index ed8dc1765..1b0af69c8 100644 --- a/boards/librem_l1um/librem_l1um.config 
+++ b/boards/librem_l1um/librem_l1um.config @@ -4,7 +4,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-librem_l1um.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.11 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 export CONFIG_PURISM_BLOBS=y CONFIG_CRYPTSETUP2=y diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config index 665cb0e45..6e406aa03 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config @@ -6,7 +6,7 @@ # the VM. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config index 81558e823..0482e20dd 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config @@ -4,7 +4,7 @@ # TPM can be used with a qemu software TPM (TIS, 1.2). export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config index 21750ddcf..498b2df8a 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config 
+++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config @@ -5,7 +5,7 @@ # TPM can be used with a qemu software TPM (TIS, 2.0). export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config index 94881db3b..f9275f313 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config @@ -4,7 +4,7 @@ # TPM can be used with a qemu software TPM (TIS, 2.0). export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config b/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config index 68f0acf09..f34c8b894 100644 --- a/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config +++ b/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config @@ -6,7 +6,7 @@ # the VM. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config index c700478cb..ec1f6cde6 100644 --- a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config 
+++ b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config @@ -4,7 +4,7 @@ # TPM can be used with a qemu software TPM (TIS, 1.2). export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config index 6574dc3ec..3fc6fa9f2 100644 --- a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config +++ b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config @@ -5,7 +5,7 @@ # TPM can be used with a qemu software TPM (TIS, 2.0). export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config index 019521225..2b4b3caa9 100644 --- a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config +++ b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config @@ -4,7 +4,7 @@ # TPM can be used with a qemu software TPM (TIS, 2.0). export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config index dbdeda6a0..f3019d2c4 100644 --- a/boards/t420-hotp-maximized/t420-hotp-maximized.config 
+++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config @@ -10,7 +10,7 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-t420-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config index 2bd5aaaa6..e44175e51 100644 --- a/boards/t420-maximized/t420-maximized.config +++ b/boards/t420-maximized/t420-maximized.config @@ -9,7 +9,7 @@ # - dropbear export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-t420-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config index 1861c64cb..c1efccd9c 100644 --- a/boards/t430-hotp-maximized/t430-hotp-maximized.config +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config @@ -8,7 +8,7 @@ # - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-t430-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config index 0a804940a..acc7b54fe 100644 --- a/boards/t430-maximized/t430-maximized.config +++ b/boards/t430-maximized/t430-maximized.config 
@@ -8,7 +8,7 @@ # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-t430-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config index 22aeb9c6a..b6ad3c897 100644 --- a/boards/t440p-maximized/t440p-maximized.config +++ b/boards/t440p-maximized/t440p-maximized.config @@ -5,7 +5,7 @@ CONFIG_LINUX_CONFIG=config/linux-t440p.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_CRYPTSETUP2=y CONFIG_FLASHPROG=y diff --git a/boards/t530-hotp-maximized/t530-hotp-maximized.config b/boards/t530-hotp-maximized/t530-hotp-maximized.config index f237b3dbd..234259db1 100644 --- a/boards/t530-hotp-maximized/t530-hotp-maximized.config +++ b/boards/t530-hotp-maximized/t530-hotp-maximized.config @@ -9,7 +9,7 @@ # This board is designed for a t530 without a dGPU. It will work just fine for a board with a dGPU, except you will not be able to use an external monitor via the mini-displayport or the dock's displayport, though external monitors will work via VGA ports. To initialize the dGPU please use one of the dgpu boards. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-t530-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/t530-maximized/t530-maximized.config b/boards/t530-maximized/t530-maximized.config index 84acd68ca..62cda1ab9 100644 --- a/boards/t530-maximized/t530-maximized.config +++ b/boards/t530-maximized/t530-maximized.config 
@@ -9,7 +9,7 @@ # This board is designed for a t530 without a dGPU. It will work just fine for a board with a dGPU, except you will not be able to use an external monitor via the mini-displayport or the dock's displayport, though external monitors will work via VGA ports. To initialize the dGPU please use one of the dgpu boards. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-t530-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/w530-hotp-maximized/w530-hotp-maximized.config b/boards/w530-hotp-maximized/w530-hotp-maximized.config index 425989a95..02f9f2de8 100644 --- a/boards/w530-hotp-maximized/w530-hotp-maximized.config +++ b/boards/w530-hotp-maximized/w530-hotp-maximized.config @@ -9,7 +9,7 @@ # This board ignores the in-built dGPU that comes with all w530's. In doing so the dGPU will not be initialized. This has some benefits in terms of reduced complexity in working with OS's with poor support for NVIDIA, better battery life and lower heat (making use of the thicker heatsink from a dGPU). Conversely, if you do not initialize the dGPU you will be unable to use an external monitor. To initialize the dGPU please use the dGPU boards that corresponds with the model of dGPU included with your device. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-w530-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/w530-maximized/w530-maximized.config b/boards/w530-maximized/w530-maximized.config index 26c88bb63..952d5dd13 100644 --- a/boards/w530-maximized/w530-maximized.config +++ b/boards/w530-maximized/w530-maximized.config 
@@ -9,7 +9,7 @@ # This board ignores the in-built dGPU that comes with all w530's. In doing so the dGPU will not be initialized. This has some benefits in terms of reduced complexity in working with OS's with poor support for NVIDIA, better battery life and lower heat (making use of the thicker heatsink from a dGPU). Conversely, if you do not initialize the dGPU you will be unable to use an external monitor. To initialize the dGPU please use the dGPU boards that corresponds with the model of dGPU included with your device. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-w530-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/w541-maximized/w541-maximized.config b/boards/w541-maximized/w541-maximized.config index 881beae0f..d031350b7 100644 --- a/boards/w541-maximized/w541-maximized.config +++ b/boards/w541-maximized/w541-maximized.config @@ -5,7 +5,7 @@ CONFIG_LINUX_CONFIG=config/linux-w541.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_CRYPTSETUP2=y CONFIG_FLASHPROG=y diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config index 33637c7d5..1090bab83 100644 --- a/boards/x220-hotp-maximized/x220-hotp-maximized.config +++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config @@ -10,7 +10,7 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-x220-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config index c752635c7..66bf251b6 100644 --- a/boards/x220-maximized/x220-maximized.config 
+++ b/boards/x220-maximized/x220-maximized.config @@ -10,7 +10,7 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-x220-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config index 853118fbd..ad48e56a5 100644 --- a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config +++ b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config @@ -20,7 +20,7 @@ # - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized-fhd_edp.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config index 50042591c..d29cb62ba 100644 --- a/boards/x230-hotp-maximized/x230-hotp-maximized.config +++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config @@ -8,7 +8,7 @@ # - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config index 74171f221..082b5c974 100644 
--- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config +++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config @@ -10,7 +10,7 @@ # USB Keyboard support export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config index ce7a66e1b..d1b8c6282 100644 --- a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config +++ b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config @@ -20,7 +20,7 @@ # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized-fhd_edp.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config index 6c2706898..5ca4e1e54 100644 --- a/boards/x230-maximized/x230-maximized.config +++ b/boards/x230-maximized/x230-maximized.config @@ -8,7 +8,7 @@ # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/z220-cmt-maximized/z220-cmt-maximized.config b/boards/z220-cmt-maximized/z220-cmt-maximized.config index 35f389015..736b512b3 100644 
--- a/boards/z220-cmt-maximized/z220-cmt-maximized.config +++ b/boards/z220-cmt-maximized/z220-cmt-maximized.config @@ -26,7 +26,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-z220-cmt.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_CRYPTSETUP2=y CONFIG_FLASHPROG=y diff --git a/config/linux-c216.config b/config/linux-c216.config index dbd963eac..8a5b76381 100644 --- a/config/linux-c216.config +++ b/config/linux-c216.config @@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -188,6 +190,7 @@ CONFIG_MEMBARRIER=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +# CONFIG_KCMP is not set # CONFIG_RSEQ is not set CONFIG_EMBEDDED=y CONFIG_HAVE_PERF_EVENTS=y @@ -258,7 +261,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set @@ -320,7 +322,6 @@ CONFIG_X86_THERMAL_VECTOR=y # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_X86_IOPL_IOPERM=y -# CONFIG_I8K is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set 
@@ -369,6 +370,13 @@ CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +# CONFIG_PAGE_TABLE_ISOLATION is not set +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -560,6 +568,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y @@ -612,6 +621,7 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y CONFIG_STRICT_MODULE_RWX=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y +CONFIG_ARCH_USE_MEMREMAP_PROT=y CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_HAVE_STATIC_CALL=y CONFIG_HAVE_STATIC_CALL_INLINE=y @@ -624,6 +634,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -758,6 +772,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -779,7 +794,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set 
@@ -962,7 +976,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 @@ -1316,7 +1329,6 @@ CONFIG_USB_NET_CDC_SUBSET=m # CONFIG_FUJITSU_ES is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -1500,10 +1512,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1628,6 +1639,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y @@ -1718,7 +1730,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1849,6 +1860,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -2583,7 +2595,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set # CONFIG_SECURITYFS is not set -# CONFIG_PAGE_TABLE_ISOLATION is not set CONFIG_INTEL_TXT=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y 
@@ -2603,6 +2614,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -2779,18 +2794,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # @@ -2815,6 +2818,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-kgpe-d16_server-whiptail.config b/config/linux-kgpe-d16_server-whiptail.config index eccb00b31..d79a5aa8c 100644 --- a/config/linux-kgpe-d16_server-whiptail.config +++ b/config/linux-kgpe-d16_server-whiptail.config 
@@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -194,6 +196,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_KCMP=y CONFIG_RSEQ=y # CONFIG_DEBUG_RSEQ is not set CONFIG_EMBEDDED=y @@ -264,7 +267,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set @@ -369,6 +371,8 @@ CONFIG_LEGACY_VSYSCALL_XONLY=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +# CONFIG_SPECULATION_MITIGATIONS is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -539,6 +543,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y @@ -605,6 +610,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y 
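Review bot: The kgpe-d16_server-whiptail kernel loses its speculative-execution mitigations in this bump: hunk `@@ -264,7 +267,6 @@` drops `CONFIG_RETPOLINE=y` and hunk `@@ -369,6 +371,8 @@` adds only `# CONFIG_SPECULATION_MITIGATIONS is not set` in its place, whereas the corresponding linux-c216.config hunk `@@ -369,6 +370,13 @@` ends up with `CONFIG_SPECULATION_MITIGATIONS=y`, `CONFIG_RETPOLINE=y`, `CONFIG_RETHUNK=y` and `CONFIG_CPU_IBRS_ENTRY=y`. This looks like an artefact of the scripted oldconfig run described in the commit message rather than a deliberate per-board choice, since the 5.10.214 menu that now appears to gate RETPOLINE was answered differently for the two boards. Unless this board is meant to run with mitigations off, the new side should carry `CONFIG_SPECULATION_MITIGATIONS=y` followed by `CONFIG_RETPOLINE=y` (plus the RETHUNK/IBRS entries as in c216), or the commit message should state that retpoline was intentionally dropped here; the same check is worth running on linux-kgpe-d16_server.config and linux-kgpe-d16_workstation.config from the diffstat, whose hunks are outside this chunk.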
@@ -617,7 +626,8 @@ CONFIG_MODULES=y # CONFIG_MODULE_SIG is not set # CONFIG_MODULE_COMPRESS is not set # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set -CONFIG_UNUSED_SYMBOLS=y +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_TRIM_UNUSED_KSYMS is not set CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLOCK=y CONFIG_BLK_SCSI_REQUEST=y @@ -738,6 +748,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -759,7 +770,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set @@ -948,7 +958,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 @@ -1333,7 +1342,6 @@ CONFIG_NET_VENDOR_XILINX=y # CONFIG_NETDEVSIM is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -1495,10 +1503,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1616,6 +1623,7 @@ CONFIG_I2C_SLAVE=y # CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y # CONFIG_POWER_SUPPLY_DEBUG is not set +CONFIG_POWER_SUPPLY_HWMON=y # CONFIG_PDA_POWER is not set # CONFIG_TEST_POWER is not set # CONFIG_CHARGER_ADP5061 is not set 
@@ -1633,12 +1641,162 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set -# CONFIG_HWMON is not set +CONFIG_HWMON=y +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_AD7414 is not set +# CONFIG_SENSORS_AD7418 is not set +# CONFIG_SENSORS_ADM1021 is not set +# CONFIG_SENSORS_ADM1025 is not set +# CONFIG_SENSORS_ADM1026 is not set +# CONFIG_SENSORS_ADM1029 is not set +# CONFIG_SENSORS_ADM1031 is not set +# CONFIG_SENSORS_ADM1177 is not set +# CONFIG_SENSORS_ADM9240 is not set +# CONFIG_SENSORS_ADT7410 is not set +# CONFIG_SENSORS_ADT7411 is not set +# CONFIG_SENSORS_ADT7462 is not set +# CONFIG_SENSORS_ADT7470 is not set +# CONFIG_SENSORS_ADT7475 is not set +# CONFIG_SENSORS_AS370 is not set +# CONFIG_SENSORS_ASC7621 is not set +# CONFIG_SENSORS_AXI_FAN_CONTROL is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_AMD_ENERGY is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASB100 is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_ATXP1 is not set +# CONFIG_SENSORS_CORSAIR_CPRO is not set +# CONFIG_SENSORS_DRIVETEMP is not set +# CONFIG_SENSORS_DS620 is not set +# CONFIG_SENSORS_DS1621 is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_F75375S is not set +# CONFIG_SENSORS_FSCHMD is not set +# CONFIG_SENSORS_GL518SM is not set +# CONFIG_SENSORS_GL520SM is not set +# CONFIG_SENSORS_G760A is not set +# CONFIG_SENSORS_G762 is not set +# CONFIG_SENSORS_HIH6130 is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# 
CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_JC42 is not set +# CONFIG_SENSORS_POWR1220 is not set +# CONFIG_SENSORS_LINEAGE is not set +# CONFIG_SENSORS_LTC2945 is not set +# CONFIG_SENSORS_LTC2947_I2C is not set +# CONFIG_SENSORS_LTC2990 is not set +# CONFIG_SENSORS_LTC4151 is not set +# CONFIG_SENSORS_LTC4215 is not set +# CONFIG_SENSORS_LTC4222 is not set +# CONFIG_SENSORS_LTC4245 is not set +# CONFIG_SENSORS_LTC4260 is not set +# CONFIG_SENSORS_LTC4261 is not set +# CONFIG_SENSORS_MAX16065 is not set +# CONFIG_SENSORS_MAX1619 is not set +# CONFIG_SENSORS_MAX1668 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_MAX31730 is not set +# CONFIG_SENSORS_MAX6621 is not set +# CONFIG_SENSORS_MAX6639 is not set +# CONFIG_SENSORS_MAX6642 is not set +# CONFIG_SENSORS_MAX6650 is not set +# CONFIG_SENSORS_MAX6697 is not set +# CONFIG_SENSORS_MAX31790 is not set +# CONFIG_SENSORS_MCP3021 is not set +# CONFIG_SENSORS_TC654 is not set +# CONFIG_SENSORS_MR75203 is not set +# CONFIG_SENSORS_LM63 is not set +# CONFIG_SENSORS_LM73 is not set +# CONFIG_SENSORS_LM75 is not set +# CONFIG_SENSORS_LM77 is not set +# CONFIG_SENSORS_LM78 is not set +# CONFIG_SENSORS_LM80 is not set +# CONFIG_SENSORS_LM83 is not set +# CONFIG_SENSORS_LM85 is not set +# CONFIG_SENSORS_LM87 is not set +# CONFIG_SENSORS_LM90 is not set +# CONFIG_SENSORS_LM92 is not set +# CONFIG_SENSORS_LM93 is not set +# CONFIG_SENSORS_LM95234 is not set +# CONFIG_SENSORS_LM95241 is not set +# CONFIG_SENSORS_LM95245 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NCT7802 is not set +# CONFIG_SENSORS_NPCM7XX is not set +# CONFIG_SENSORS_PCF8591 is not set +# CONFIG_PMBUS is not set +# CONFIG_SENSORS_SHT21 is not set +# CONFIG_SENSORS_SHT3x is not set +# CONFIG_SENSORS_SHTC1 is not set +# CONFIG_SENSORS_SIS5595 is not set +# 
CONFIG_SENSORS_DME1737 is not set +# CONFIG_SENSORS_EMC1403 is not set +# CONFIG_SENSORS_EMC2103 is not set +# CONFIG_SENSORS_EMC6W201 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47M192 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_STTS751 is not set +# CONFIG_SENSORS_SMM665 is not set +# CONFIG_SENSORS_ADC128D818 is not set +# CONFIG_SENSORS_ADS7828 is not set +# CONFIG_SENSORS_AMC6821 is not set +# CONFIG_SENSORS_INA209 is not set +# CONFIG_SENSORS_INA2XX is not set +# CONFIG_SENSORS_INA3221 is not set +# CONFIG_SENSORS_TC74 is not set +# CONFIG_SENSORS_THMC50 is not set +# CONFIG_SENSORS_TMP102 is not set +# CONFIG_SENSORS_TMP103 is not set +# CONFIG_SENSORS_TMP108 is not set +# CONFIG_SENSORS_TMP401 is not set +# CONFIG_SENSORS_TMP421 is not set +# CONFIG_SENSORS_TMP513 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83773G is not set +# CONFIG_SENSORS_W83781D is not set +# CONFIG_SENSORS_W83791D is not set +# CONFIG_SENSORS_W83792D is not set +# CONFIG_SENSORS_W83793 is not set +# CONFIG_SENSORS_W83795 is not set +# CONFIG_SENSORS_W83L785TS is not set +# CONFIG_SENSORS_W83L786NG is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set +# CONFIG_SENSORS_XGENE is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set CONFIG_THERMAL=y # CONFIG_THERMAL_NETLINK is not set # CONFIG_THERMAL_STATISTICS is not set CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y # CONFIG_THERMAL_WRITABLE_TRIPS is not set CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y # CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set 
@@ -1693,6 +1851,7 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_LPC_SCH is not set # CONFIG_MFD_INTEL_LPSS_ACPI is not set # CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_INTEL_PMC_BXT is not set # CONFIG_MFD_IQS62X is not set # CONFIG_MFD_JANZ_CMODIO is not set # CONFIG_MFD_KEMPLD is not set @@ -1721,7 +1880,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1917,6 +2075,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set 
@@ -2307,7 +2466,68 @@ CONFIG_VHOST_MENU=y # CONFIG_GREYBUS is not set # CONFIG_STAGING is not set -# CONFIG_X86_PLATFORM_DEVICES is not set +CONFIG_X86_PLATFORM_DEVICES=y +CONFIG_ACPI_WMI=y +CONFIG_WMI_BMOF=y +# CONFIG_HUAWEI_WMI is not set +# CONFIG_INTEL_WMI_SBL_FW_UPDATE is not set +# CONFIG_INTEL_WMI_THUNDERBOLT is not set +CONFIG_MXM_WMI=y +# CONFIG_PEAQ_WMI is not set +# CONFIG_XIAOMI_WMI is not set +# CONFIG_ACERHDF is not set +# CONFIG_ACER_WIRELESS is not set +# CONFIG_ACER_WMI is not set +# CONFIG_APPLE_GMUX is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_DCDBAS is not set +# CONFIG_DELL_SMBIOS is not set +# CONFIG_DELL_RBU is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_DELL_WMI_AIO is not set +# CONFIG_FUJITSU_LAPTOP is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_GPD_POCKET_FAN is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_HP_WMI is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_THINKPAD_ACPI is not set +# CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_INTEL_VBTN is not set +# CONFIG_SURFACE_3_POWER_OPREGION is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# CONFIG_MSI_WMI is not set +# CONFIG_SAMSUNG_LAPTOP is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_TOSHIBA_WMI is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_LG_LAPTOP is not set +# CONFIG_PANASONIC_LAPTOP is not set +# CONFIG_SYSTEM76_ACPI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_I2C_MULTI_INSTANTIATE is not set +# CONFIG_MLX_PLATFORM is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set + +# +# Intel Speed Select Technology interface support +# +# CONFIG_INTEL_SPEED_SELECT_INTERFACE is not set +# end of Intel Speed Select Technology interface support + +# 
CONFIG_INTEL_UNCORE_FREQ_CONTROL is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_INTEL_SCU_PCI is not set +# CONFIG_INTEL_SCU_PLATFORM is not set CONFIG_PMC_ATOM=y # CONFIG_CHROME_PLATFORMS is not set # CONFIG_MELLANOX_PLATFORM is not set @@ -2628,7 +2848,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y -CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_FALLBACK=y @@ -2646,6 +2865,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -2820,18 +3043,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # 
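Review bot: `+CONFIG_X86_PLATFORM_DEVICES=y` together with `+CONFIG_ACPI_WMI=y`, `+CONFIG_WMI_BMOF=y` and `+CONFIG_MXM_WMI=y` replaces an explicit `# CONFIG_X86_PLATFORM_DEVICES is not set`, and the commit message does not mention the change. ACPI WMI exposes vendor ACPI methods to the kernel and MXM_WMI targets MXM graphics modules in laptops; a coreboot-booted KGPE-D16 server board is unlikely to benefit from either, so this is added ACPI parsing surface in the boot kernel for no stated reason. If these arrived as Kconfig defaults during the olddefconfig pass, restoring `# CONFIG_X86_PLATFORM_DEVICES is not set` keeps the footprint where it was; if one driver is actually needed, enable only that one and say why.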
@@ -2856,6 +3067,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-kgpe-d16_server.config b/config/linux-kgpe-d16_server.config index eccb00b31..2ca92f0c3 100644 --- a/config/linux-kgpe-d16_server.config +++ b/config/linux-kgpe-d16_server.config @@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -194,6 +196,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_KCMP=y CONFIG_RSEQ=y # CONFIG_DEBUG_RSEQ is not set CONFIG_EMBEDDED=y @@ -264,7 +267,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set 
@@ -369,6 +371,14 @@ CONFIG_LEGACY_VSYSCALL_XONLY=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_SRSO=y CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -539,6 +549,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y @@ -605,6 +616,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -738,6 +753,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -759,7 +775,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set @@ -948,7 +963,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 
@@ -1333,7 +1347,6 @@ CONFIG_NET_VENDOR_XILINX=y # CONFIG_NETDEVSIM is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -1495,10 +1508,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1616,6 +1628,7 @@ CONFIG_I2C_SLAVE=y # CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y # CONFIG_POWER_SUPPLY_DEBUG is not set +CONFIG_POWER_SUPPLY_HWMON=y # CONFIG_PDA_POWER is not set # CONFIG_TEST_POWER is not set # CONFIG_CHARGER_ADP5061 is not set 
@@ -1633,12 +1646,162 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set -# CONFIG_HWMON is not set +CONFIG_HWMON=y +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_AD7414 is not set +# CONFIG_SENSORS_AD7418 is not set +# CONFIG_SENSORS_ADM1021 is not set +# CONFIG_SENSORS_ADM1025 is not set +# CONFIG_SENSORS_ADM1026 is not set +# CONFIG_SENSORS_ADM1029 is not set +# CONFIG_SENSORS_ADM1031 is not set +# CONFIG_SENSORS_ADM1177 is not set +# CONFIG_SENSORS_ADM9240 is not set +# CONFIG_SENSORS_ADT7410 is not set +# CONFIG_SENSORS_ADT7411 is not set +# CONFIG_SENSORS_ADT7462 is not set +# CONFIG_SENSORS_ADT7470 is not set +# CONFIG_SENSORS_ADT7475 is not set +# CONFIG_SENSORS_AS370 is not set +# CONFIG_SENSORS_ASC7621 is not set +# CONFIG_SENSORS_AXI_FAN_CONTROL is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_AMD_ENERGY is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASB100 is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_ATXP1 is not set +# CONFIG_SENSORS_CORSAIR_CPRO is not set +# CONFIG_SENSORS_DRIVETEMP is not set +# CONFIG_SENSORS_DS620 is not set +# CONFIG_SENSORS_DS1621 is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_F75375S is not set +# CONFIG_SENSORS_FSCHMD is not set +# CONFIG_SENSORS_GL518SM is not set +# CONFIG_SENSORS_GL520SM is not set +# CONFIG_SENSORS_G760A is not set +# CONFIG_SENSORS_G762 is not set +# CONFIG_SENSORS_HIH6130 is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# 
CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_JC42 is not set +# CONFIG_SENSORS_POWR1220 is not set +# CONFIG_SENSORS_LINEAGE is not set +# CONFIG_SENSORS_LTC2945 is not set +# CONFIG_SENSORS_LTC2947_I2C is not set +# CONFIG_SENSORS_LTC2990 is not set +# CONFIG_SENSORS_LTC4151 is not set +# CONFIG_SENSORS_LTC4215 is not set +# CONFIG_SENSORS_LTC4222 is not set +# CONFIG_SENSORS_LTC4245 is not set +# CONFIG_SENSORS_LTC4260 is not set +# CONFIG_SENSORS_LTC4261 is not set +# CONFIG_SENSORS_MAX16065 is not set +# CONFIG_SENSORS_MAX1619 is not set +# CONFIG_SENSORS_MAX1668 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_MAX31730 is not set +# CONFIG_SENSORS_MAX6621 is not set +# CONFIG_SENSORS_MAX6639 is not set +# CONFIG_SENSORS_MAX6642 is not set +# CONFIG_SENSORS_MAX6650 is not set +# CONFIG_SENSORS_MAX6697 is not set +# CONFIG_SENSORS_MAX31790 is not set +# CONFIG_SENSORS_MCP3021 is not set +# CONFIG_SENSORS_TC654 is not set +# CONFIG_SENSORS_MR75203 is not set +# CONFIG_SENSORS_LM63 is not set +# CONFIG_SENSORS_LM73 is not set +# CONFIG_SENSORS_LM75 is not set +# CONFIG_SENSORS_LM77 is not set +# CONFIG_SENSORS_LM78 is not set +# CONFIG_SENSORS_LM80 is not set +# CONFIG_SENSORS_LM83 is not set +# CONFIG_SENSORS_LM85 is not set +# CONFIG_SENSORS_LM87 is not set +# CONFIG_SENSORS_LM90 is not set +# CONFIG_SENSORS_LM92 is not set +# CONFIG_SENSORS_LM93 is not set +# CONFIG_SENSORS_LM95234 is not set +# CONFIG_SENSORS_LM95241 is not set +# CONFIG_SENSORS_LM95245 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NCT7802 is not set +# CONFIG_SENSORS_NPCM7XX is not set +# CONFIG_SENSORS_PCF8591 is not set +# CONFIG_PMBUS is not set +# CONFIG_SENSORS_SHT21 is not set +# CONFIG_SENSORS_SHT3x is not set +# CONFIG_SENSORS_SHTC1 is not set +# CONFIG_SENSORS_SIS5595 is not set +# 
CONFIG_SENSORS_DME1737 is not set +# CONFIG_SENSORS_EMC1403 is not set +# CONFIG_SENSORS_EMC2103 is not set +# CONFIG_SENSORS_EMC6W201 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47M192 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_STTS751 is not set +# CONFIG_SENSORS_SMM665 is not set +# CONFIG_SENSORS_ADC128D818 is not set +# CONFIG_SENSORS_ADS7828 is not set +# CONFIG_SENSORS_AMC6821 is not set +# CONFIG_SENSORS_INA209 is not set +# CONFIG_SENSORS_INA2XX is not set +# CONFIG_SENSORS_INA3221 is not set +# CONFIG_SENSORS_TC74 is not set +# CONFIG_SENSORS_THMC50 is not set +# CONFIG_SENSORS_TMP102 is not set +# CONFIG_SENSORS_TMP103 is not set +# CONFIG_SENSORS_TMP108 is not set +# CONFIG_SENSORS_TMP401 is not set +# CONFIG_SENSORS_TMP421 is not set +# CONFIG_SENSORS_TMP513 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83773G is not set +# CONFIG_SENSORS_W83781D is not set +# CONFIG_SENSORS_W83791D is not set +# CONFIG_SENSORS_W83792D is not set +# CONFIG_SENSORS_W83793 is not set +# CONFIG_SENSORS_W83795 is not set +# CONFIG_SENSORS_W83L785TS is not set +# CONFIG_SENSORS_W83L786NG is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set +# CONFIG_SENSORS_XGENE is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set CONFIG_THERMAL=y # CONFIG_THERMAL_NETLINK is not set # CONFIG_THERMAL_STATISTICS is not set CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y # CONFIG_THERMAL_WRITABLE_TRIPS is not set CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y # CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set 
@@ -1693,6 +1856,7 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_LPC_SCH is not set # CONFIG_MFD_INTEL_LPSS_ACPI is not set # CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_INTEL_PMC_BXT is not set # CONFIG_MFD_IQS62X is not set # CONFIG_MFD_JANZ_CMODIO is not set # CONFIG_MFD_KEMPLD is not set @@ -1721,7 +1885,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1917,6 +2080,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set 
@@ -2307,7 +2471,68 @@ CONFIG_VHOST_MENU=y # CONFIG_GREYBUS is not set # CONFIG_STAGING is not set -# CONFIG_X86_PLATFORM_DEVICES is not set +CONFIG_X86_PLATFORM_DEVICES=y +CONFIG_ACPI_WMI=y +CONFIG_WMI_BMOF=y +# CONFIG_HUAWEI_WMI is not set +# CONFIG_INTEL_WMI_SBL_FW_UPDATE is not set +# CONFIG_INTEL_WMI_THUNDERBOLT is not set +CONFIG_MXM_WMI=y +# CONFIG_PEAQ_WMI is not set +# CONFIG_XIAOMI_WMI is not set +# CONFIG_ACERHDF is not set +# CONFIG_ACER_WIRELESS is not set +# CONFIG_ACER_WMI is not set +# CONFIG_APPLE_GMUX is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_DCDBAS is not set +# CONFIG_DELL_SMBIOS is not set +# CONFIG_DELL_RBU is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_DELL_WMI_AIO is not set +# CONFIG_FUJITSU_LAPTOP is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_GPD_POCKET_FAN is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_HP_WMI is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_THINKPAD_ACPI is not set +# CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_INTEL_VBTN is not set +# CONFIG_SURFACE_3_POWER_OPREGION is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# CONFIG_MSI_WMI is not set +# CONFIG_SAMSUNG_LAPTOP is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_TOSHIBA_WMI is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_LG_LAPTOP is not set +# CONFIG_PANASONIC_LAPTOP is not set +# CONFIG_SYSTEM76_ACPI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_I2C_MULTI_INSTANTIATE is not set +# CONFIG_MLX_PLATFORM is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set + +# +# Intel Speed Select Technology interface support +# +# CONFIG_INTEL_SPEED_SELECT_INTERFACE is not set +# end of Intel Speed Select Technology interface support + +# 
CONFIG_INTEL_UNCORE_FREQ_CONTROL is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_INTEL_SCU_PCI is not set +# CONFIG_INTEL_SCU_PLATFORM is not set CONFIG_PMC_ATOM=y # CONFIG_CHROME_PLATFORMS is not set # CONFIG_MELLANOX_PLATFORM is not set @@ -2628,7 +2853,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y -CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_FALLBACK=y @@ -2646,6 +2870,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -2820,18 +3048,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # 
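Review bot: `CONFIG_X86_PLATFORM_DEVICES=y` with `CONFIG_ACPI_WMI=y`, `CONFIG_WMI_BMOF=y` and `CONFIG_MXM_WMI=y` replaces the explicit `# CONFIG_X86_PLATFORM_DEVICES is not set` in linux-kgpe-d16_server.config without any justification in the commit message. The KGPE-D16 runs coreboot and is unlikely to expose vendor WMI methods, and MXM_WMI is a laptop graphics-module driver, so this only widens the ACPI surface of the boot kernel. Either document which driver is wanted or revert to `# CONFIG_X86_PLATFORM_DEVICES is not set`.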
@@ -2856,6 +3072,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-kgpe-d16_workstation.config b/config/linux-kgpe-d16_workstation.config index fe9d92f27..53bf4c2e8 100644 --- a/config/linux-kgpe-d16_workstation.config +++ b/config/linux-kgpe-d16_workstation.config @@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -194,6 +196,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_KCMP=y CONFIG_RSEQ=y # CONFIG_DEBUG_RSEQ is not set CONFIG_EMBEDDED=y @@ -264,7 +267,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set 
@@ -369,6 +371,14 @@ CONFIG_LEGACY_VSYSCALL_XONLY=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_SRSO=y CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -539,6 +549,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y @@ -605,6 +616,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -738,6 +753,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -759,7 +775,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set @@ -948,7 +963,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 
@@ -1333,7 +1347,6 @@ CONFIG_NET_VENDOR_XILINX=y # CONFIG_NETDEVSIM is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -1495,10 +1508,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1634,6 +1646,7 @@ CONFIG_POWER_SUPPLY_HWMON=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set CONFIG_HWMON=y # CONFIG_HWMON_DEBUG_CHIP is not set @@ -1872,7 +1885,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1964,7 +1976,6 @@ CONFIG_DRM_AMD_DC=y CONFIG_DRM_AMD_DC_DCN=y # CONFIG_DRM_AMD_DC_DCN3_0 is not set # CONFIG_DRM_AMD_DC_HDCP is not set -# CONFIG_DRM_AMD_DC_SI is not set # end of Display Engine Configuration # CONFIG_HSA_AMD is not set @@ -2104,6 +2115,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -2876,7 +2888,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y -CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_FALLBACK=y 
@@ -2894,6 +2905,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -3068,18 +3083,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # @@ -3104,6 +3107,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-librem_common.config b/config/linux-librem_common.config index e65f907d1..65311e1f5 100644 --- a/config/linux-librem_common.config +++ b/config/linux-librem_common.config 
@@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -188,6 +190,7 @@ CONFIG_MEMBARRIER=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_KCMP=y # CONFIG_RSEQ is not set CONFIG_EMBEDDED=y CONFIG_HAVE_PERF_EVENTS=y @@ -258,7 +261,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -# CONFIG_RETPOLINE is not set # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set @@ -320,7 +322,6 @@ CONFIG_X86_THERMAL_VECTOR=y # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_X86_IOPL_IOPERM=y -# CONFIG_I8K is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set @@ -368,6 +369,12 @@ CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +# CONFIG_RETPOLINE is not set +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -536,6 +543,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y 
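Review bot: The new mitigation block added after `# end of Processor type and features` in linux-librem_common.config keeps `# CONFIG_RETPOLINE is not set`, and the same block in linux-t440p.config and linux-w541.config does the same, while linux-qemu.config and both x230 configs in this patch enable `CONFIG_RETPOLINE=y` together with `CONFIG_RETHUNK=y`. As I read the 5.10.y Kconfig, `CONFIG_RETHUNK` (the return-thunk mitigation) is only selectable when retpoline is on, so these three boards pick up only `CONFIG_CPU_IBRS_ENTRY=y` from the newly exposed options; oldconfig presumably just carried the 5.10.5 choice forward. If that is deliberate, a short comment in the board configs or the commit message explaining why these boards skip retpoline would save the next reviewer the cross-file comparison; otherwise set `CONFIG_RETPOLINE=y` in the three configs and regenerate them with the same oldconfig step.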
@@ -600,6 +608,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -735,6 +747,7 @@ CONFIG_INET=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -756,7 +769,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set @@ -943,7 +955,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 @@ -1350,7 +1361,6 @@ CONFIG_USB_NET_CDC_SUBSET=m # CONFIG_FUJITSU_ES is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -1510,10 +1520,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1648,6 +1657,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y 
@@ -1738,7 +1748,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1970,6 +1979,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -2682,7 +2692,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y -CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y @@ -2701,6 +2710,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -2877,18 +2890,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # 
@@ -2913,6 +2914,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-qemu.config b/config/linux-qemu.config index 113e0ae0a..e16a59171 100644 --- a/config/linux-qemu.config +++ b/config/linux-qemu.config @@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -211,6 +213,7 @@ CONFIG_KALLSYMS_BASE_RELATIVE=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +# CONFIG_KCMP is not set CONFIG_RSEQ=y # CONFIG_DEBUG_RSEQ is not set CONFIG_EMBEDDED=y @@ -284,7 +287,6 @@ CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_X2APIC is not set # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set 
@@ -348,11 +350,10 @@ CONFIG_PERF_EVENTS_INTEL_CSTATE=y # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_X86_IOPL_IOPERM=y -# CONFIG_I8K is not set CONFIG_MICROCODE=y CONFIG_MICROCODE_INTEL=y CONFIG_MICROCODE_AMD=y -# CONFIG_MICROCODE_OLD_INTERFACE is not set +# CONFIG_MICROCODE_LATE_LOADING is not set CONFIG_X86_MSR=y CONFIG_X86_CPUID=y # CONFIG_X86_5LEVEL is not set @@ -407,6 +408,16 @@ CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y +CONFIG_CPU_SRSO=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -601,6 +612,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y @@ -668,6 +680,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -808,6 +824,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -829,7 +846,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set 
@@ -1020,7 +1036,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 @@ -1035,6 +1050,7 @@ CONFIG_VIRTIO_BLK=y # # CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_FC is not set +# CONFIG_NVME_TCP is not set # CONFIG_NVME_TARGET is not set # end of NVME Support @@ -1394,7 +1410,6 @@ CONFIG_IGB=m # CONFIG_NETDEVSIM is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -1563,10 +1578,9 @@ CONFIG_TCG_TIS_ST33ZP24=y CONFIG_TCG_TIS_ST33ZP24_I2C=y # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1691,6 +1705,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y @@ -1783,7 +1798,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1904,6 +1918,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set 
@@ -2636,7 +2651,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y -CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y @@ -2656,6 +2670,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization @@ -2832,18 +2850,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # @@ -2868,6 +2874,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-t440p.config b/config/linux-t440p.config index 2ba0a56af..ab90c3126 100644 --- a/config/linux-t440p.config 
+++ b/config/linux-t440p.config @@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -188,6 +190,7 @@ CONFIG_MEMBARRIER=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +# CONFIG_KCMP is not set # CONFIG_RSEQ is not set CONFIG_EMBEDDED=y CONFIG_HAVE_PERF_EVENTS=y @@ -258,7 +261,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -# CONFIG_RETPOLINE is not set # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set @@ -320,7 +322,6 @@ CONFIG_X86_THERMAL_VECTOR=y # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_X86_IOPL_IOPERM=y -# CONFIG_I8K is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set @@ -369,6 +370,12 @@ CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +# CONFIG_RETPOLINE is not set +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -561,6 +568,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y 
@@ -613,6 +621,7 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y CONFIG_STRICT_MODULE_RWX=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y +CONFIG_ARCH_USE_MEMREMAP_PROT=y CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_HAVE_STATIC_CALL=y CONFIG_HAVE_STATIC_CALL_INLINE=y @@ -625,6 +634,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -759,6 +772,7 @@ CONFIG_INET=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -780,7 +794,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set @@ -967,7 +980,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 @@ -981,6 +993,7 @@ CONFIG_BLK_DEV_RAM_SIZE=65536 # # CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_FC is not set +# CONFIG_NVME_TCP is not set # end of NVME Support # @@ -1370,7 +1383,6 @@ CONFIG_USB_NET_CDC_SUBSET=m # CONFIG_FUJITSU_ES is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support 
@@ -1530,10 +1542,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1668,6 +1679,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y @@ -1758,7 +1770,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1889,6 +1900,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -2597,7 +2609,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y -CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y @@ -2617,6 +2628,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization 
@@ -2793,18 +2808,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # @@ -2829,6 +2832,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-talos-2.config b/config/linux-talos-2.config index 0aa3ac5b1..cee4cb742 100644 --- a/config/linux-talos-2.config +++ b/config/linux-talos-2.config @@ -162,7 +162,7 @@ CONFIG_SIGNALFD=y CONFIG_TIMERFD=y CONFIG_EVENTFD=y CONFIG_SHMEM=y -CONFIG_AIO=y +CONFIG_AIO is not set CONFIG_IO_URING=y CONFIG_ADVISE_SYSCALLS=y CONFIG_MEMBARRIER=y diff --git a/config/linux-w541.config b/config/linux-w541.config index 2ba0a56af..ab90c3126 100644 --- a/config/linux-w541.config +++ b/config/linux-w541.config 
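Review bot: `+CONFIG_AIO is not set` in linux-talos-2.config is missing the `# ` prefix that the .config format uses for a disabled symbol; a `CONFIG_` line with no `=` is not a valid entry, and as far as I recall conf_read reports it as unexpected data and falls back to the symbol's default, so AIO would most likely remain enabled rather than be turned off. The line should read `# CONFIG_AIO is not set`. This is also the only change in that file, so unlike the other configs it was not regenerated by the `make BOARD=... oldconfig` steps described in the commit message, and disabling AIO on talos-2 is not mentioned in the title or body; it probably belongs in its own commit with a regenerated file.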
@@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -188,6 +190,7 @@ CONFIG_MEMBARRIER=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +# CONFIG_KCMP is not set # CONFIG_RSEQ is not set CONFIG_EMBEDDED=y CONFIG_HAVE_PERF_EVENTS=y @@ -258,7 +261,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -# CONFIG_RETPOLINE is not set # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set @@ -320,7 +322,6 @@ CONFIG_X86_THERMAL_VECTOR=y # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_X86_IOPL_IOPERM=y -# CONFIG_I8K is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set @@ -369,6 +370,12 @@ CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +# CONFIG_RETPOLINE is not set +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -561,6 +568,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y 
@@ -613,6 +621,7 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y CONFIG_STRICT_MODULE_RWX=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y +CONFIG_ARCH_USE_MEMREMAP_PROT=y CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_HAVE_STATIC_CALL=y CONFIG_HAVE_STATIC_CALL_INLINE=y @@ -625,6 +634,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -759,6 +772,7 @@ CONFIG_INET=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -780,7 +794,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set @@ -967,7 +980,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 @@ -981,6 +993,7 @@ CONFIG_BLK_DEV_RAM_SIZE=65536 # # CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_FC is not set +# CONFIG_NVME_TCP is not set # end of NVME Support # @@ -1370,7 +1383,6 @@ CONFIG_USB_NET_CDC_SUBSET=m # CONFIG_FUJITSU_ES is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support 
@@ -1530,10 +1542,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1668,6 +1679,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y @@ -1758,7 +1770,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1889,6 +1900,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -2597,7 +2609,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y -CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y @@ -2617,6 +2628,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization 
@@ -2793,18 +2808,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # @@ -2829,6 +2832,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-x230-flash.config b/config/linux-x230-flash.config index e5030ebc3..94aa7145e 100644 --- a/config/linux-x230-flash.config +++ b/config/linux-x230-flash.config @@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -184,6 +186,7 @@ CONFIG_MEMBARRIER=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +# CONFIG_KCMP is not set # CONFIG_RSEQ is not set CONFIG_EMBEDDED=y CONFIG_HAVE_PERF_EVENTS=y 
@@ -313,7 +316,6 @@ CONFIG_X86_THERMAL_VECTOR=y # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_X86_IOPL_IOPERM=y -# CONFIG_I8K is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set @@ -360,6 +362,13 @@ CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +# CONFIG_PAGE_TABLE_ISOLATION is not set +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -549,6 +558,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y @@ -601,6 +611,7 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y CONFIG_STRICT_MODULE_RWX=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y +CONFIG_ARCH_USE_MEMREMAP_PROT=y CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_HAVE_STATIC_CALL=y CONFIG_HAVE_STATIC_CALL_INLINE=y @@ -613,6 +624,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -855,7 +870,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # DRBD disabled because PROC_FS or INET not selected # # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 
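Review bot: The regenerated mitigation block in linux-x230-flash.config carries `# CONFIG_PAGE_TABLE_ISOLATION is not set` next to `CONFIG_RETPOLINE=y` and `CONFIG_RETHUNK=y`; linux-x230-legacy.config gets the same in a later hunk, and there the removed line shows PTI was already off before the bump, whereas the librem, t440p, w541 and qemu configs in this patch all end up with `CONFIG_PAGE_TABLE_ISOLATION=y`. PTI is the kernel's Meltdown mitigation and the x230 is an Intel machine in scope for it, so if the flash and legacy kernels deliberately trade it for boot time or size, that deserves a comment in the board configs; if not, both should get `CONFIG_PAGE_TABLE_ISOLATION=y`. I cannot see from this hunk what the x230-flash value was before the bump.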
@@ -1153,10 +1167,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1280,6 +1293,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y @@ -1369,7 +1383,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1500,6 +1513,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -2221,6 +2235,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization 
@@ -2420,6 +2438,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-x230-legacy.config b/config/linux-x230-legacy.config index 792edc792..f7e55ad71 100644 --- a/config/linux-x230-legacy.config +++ b/config/linux-x230-legacy.config @@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -188,6 +190,7 @@ CONFIG_MEMBARRIER=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +# CONFIG_KCMP is not set # CONFIG_RSEQ is not set CONFIG_EMBEDDED=y CONFIG_HAVE_PERF_EVENTS=y @@ -258,7 +261,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set @@ -320,7 +322,6 @@ CONFIG_X86_THERMAL_VECTOR=y # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_X86_IOPL_IOPERM=y -# CONFIG_I8K is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set 
@@ -369,6 +370,13 @@ CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +# CONFIG_PAGE_TABLE_ISOLATION is not set +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -560,6 +568,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y @@ -612,6 +621,7 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y CONFIG_STRICT_MODULE_RWX=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y +CONFIG_ARCH_USE_MEMREMAP_PROT=y CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_HAVE_STATIC_CALL=y CONFIG_HAVE_STATIC_CALL_INLINE=y @@ -624,6 +634,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -750,7 +764,6 @@ CONFIG_UNIX_SCM=y # CONFIG_ATM is not set # CONFIG_BRIDGE is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set @@ -928,7 +941,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 
@@ -1264,10 +1276,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support @@ -1392,6 +1403,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y @@ -1482,7 +1494,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1613,6 +1624,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -2318,7 +2330,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set # CONFIG_SECURITYFS is not set -# CONFIG_PAGE_TABLE_ISOLATION is not set CONFIG_INTEL_TXT=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y @@ -2338,6 +2349,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization 
@@ -2514,18 +2529,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # @@ -2550,6 +2553,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/config/linux-x230-maximized.config b/config/linux-x230-maximized.config index 2ebbc1781..1b5534089 100644 --- a/config/linux-x230-maximized.config +++ b/config/linux-x230-maximized.config @@ -1,12 +1,14 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.10.5 Kernel Configuration +# Linux/x86 5.10.214 Kernel Configuration # CONFIG_CC_VERSION_TEXT="x86_64-linux-musl-gcc (GCC) 8.3.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=80300 CONFIG_LD_VERSION=232000000 CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23200 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y 
@@ -188,6 +190,7 @@ CONFIG_MEMBARRIER=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +# CONFIG_KCMP is not set # CONFIG_RSEQ is not set CONFIG_EMBEDDED=y CONFIG_HAVE_PERF_EVENTS=y @@ -258,7 +261,6 @@ CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y # CONFIG_X86_MPPARSE is not set # CONFIG_GOLDFISH is not set -CONFIG_RETPOLINE=y # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_X86_INTEL_LPSS is not set @@ -320,7 +322,6 @@ CONFIG_X86_THERMAL_VECTOR=y # CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_X86_IOPL_IOPERM=y -# CONFIG_I8K is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set @@ -369,6 +370,13 @@ CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_HAVE_LIVEPATCH=y # end of Processor type and features +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +# CONFIG_PAGE_TABLE_ISOLATION is not set +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y @@ -560,6 +568,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_HAVE_ASM_MODVERSIONS=y @@ -612,6 +621,7 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y CONFIG_STRICT_MODULE_RWX=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y +CONFIG_ARCH_USE_MEMREMAP_PROT=y CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_HAVE_STATIC_CALL=y CONFIG_HAVE_STATIC_CALL_INLINE=y 
@@ -624,6 +634,10 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_GCC_PLUGINS=y +# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set +# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set +# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set # end of General architecture-dependent options CONFIG_RT_MUTEXES=y @@ -758,6 +772,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_CUBIC=y @@ -779,7 +794,6 @@ CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_HAVE_NET_DSA=y # CONFIG_NET_DSA is not set # CONFIG_VLAN_8021Q is not set -# CONFIG_DECNET is not set # CONFIG_LLC2 is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set @@ -962,7 +976,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=65536 @@ -976,6 +989,7 @@ CONFIG_BLK_DEV_RAM_SIZE=65536 # # CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_FC is not set +# CONFIG_NVME_TCP is not set # end of NVME Support # @@ -1313,7 +1327,6 @@ CONFIG_USB_NET_CDC_SUBSET=m # CONFIG_FUJITSU_ES is not set # CONFIG_NET_FAILOVER is not set # CONFIG_ISDN is not set -# CONFIG_NVM is not set # # Input device support @@ -1497,10 +1510,9 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set -# end of Character devices - CONFIG_RANDOM_TRUST_CPU=y # CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices # # I2C support 
@@ -1625,6 +1637,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y @@ -1715,7 +1728,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_SKY81452 is not set # CONFIG_ABX500_CORE is not set CONFIG_MFD_SYSCON=y -# CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_TI_LMU is not set @@ -1846,6 +1858,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y # CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -2580,7 +2593,6 @@ CONFIG_IO_WQ=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set # CONFIG_SECURITYFS is not set -# CONFIG_PAGE_TABLE_ISOLATION is not set CONFIG_INTEL_TXT=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y @@ -2600,6 +2612,10 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" # Memory initialization # CONFIG_INIT_STACK_NONE=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set +# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set +# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # end of Memory initialization 
@@ -2776,18 +2792,6 @@ CONFIG_CRYPTO_USER_API_AEAD=y # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set # CONFIG_CRYPTO_STATS is not set CONFIG_CRYPTO_HASH_INFO=y - -# -# Crypto library routines -# -CONFIG_CRYPTO_LIB_AES=y -# CONFIG_CRYPTO_LIB_BLAKE2S is not set -# CONFIG_CRYPTO_LIB_CHACHA is not set -# CONFIG_CRYPTO_LIB_CURVE25519 is not set -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -# CONFIG_CRYPTO_LIB_POLY1305 is not set -# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -CONFIG_CRYPTO_LIB_SHA256=y # CONFIG_CRYPTO_HW is not set # @@ -2812,6 +2816,21 @@ CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y # CONFIG_CRC_CCITT is not set CONFIG_CRC16=y # CONFIG_CRC_T10DIF is not set diff --git a/modules/linux b/modules/linux index ea08916d9..23ddcec85 100644 --- a/modules/linux +++ b/modules/linux @@ -28,9 +28,9 @@ linux_hash := a6fbd4ee903c128367892c2393ee0d9657b6ed3ea90016d4dc6f1f6da20b2330 # been done. This is because `0000-efi_bds.patch` did not cleanly port # from 5.4.69 to 5.10.5 which directly affects linuxboot systems. # -else ifeq "$(CONFIG_LINUX_VERSION)" "5.10.5" -linux_version := 5.10.5 -linux_hash := 3991a9e16a187d78d5f414d89236ae5d7f404a69e60c4c42a9d262ee19612ef4 +else ifeq "$(CONFIG_LINUX_VERSION)" "5.10.214" +linux_version := 5.10.214 +linux_hash := 40f014d53e81f204f6d2a364aae4201ae07970dd1b70dc602d7c66c1a140f558 else ifeq "$(CONFIG_LINUX_VERSION)" "6.1.8" linux_version := 6.1.8 linux_hash := b60bb53ab8ba370a270454b11e93d41af29126fc72bd6ede517673e2e57b816d 
diff --git a/patches/linux-5.10.5/0001-fake-acpi.patch b/patches/linux-5.10.214/0001-fake-acpi.patch similarity index 100% rename from patches/linux-5.10.5/0001-fake-acpi.patch rename to patches/linux-5.10.214/0001-fake-acpi.patch diff --git a/patches/linux-5.10.5/0002-nmi-squelch.patch b/patches/linux-5.10.214/0002-nmi-squelch.patch similarity index 100% rename from patches/linux-5.10.5/0002-nmi-squelch.patch rename to patches/linux-5.10.214/0002-nmi-squelch.patch diff --git a/patches/linux-5.10.5/0003-fake-trampoline.patch b/patches/linux-5.10.214/0003-fake-trampoline.patch similarity index 100% rename from patches/linux-5.10.5/0003-fake-trampoline.patch rename to patches/linux-5.10.214/0003-fake-trampoline.patch diff --git a/patches/linux-5.10.5/0010-winterfell-ahci.patch b/patches/linux-5.10.214/0010-winterfell-ahci.patch similarity index 100% rename from patches/linux-5.10.5/0010-winterfell-ahci.patch rename to patches/linux-5.10.214/0010-winterfell-ahci.patch diff --git a/patches/linux-5.10.214/shebangs.patch b/patches/linux-5.10.214/shebangs.patch new file mode 100644 index 000000000..34164d291 --- /dev/null +++ b/patches/linux-5.10.214/shebangs.patch 
@@ -0,0 +1,40 @@ +diff --git a/scripts/check-sysctl-docs b/scripts/check-sysctl-docs +index 8bcb9e26c7bc..90137319c50a 100755 +--- a/scripts/check-sysctl-docs ++++ b/scripts/check-sysctl-docs +@@ -1,4 +1,4 @@ +-#!/usr/bin/gawk -f ++#!/usr/bin/env -S gawk -f + # SPDX-License-Identifier: GPL-2.0 + + # Script to check sysctl documentation against source files +diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh +index f2be0ff9a738..7a5b546ece16 100755 +--- a/scripts/ld-version.sh ++++ b/scripts/ld-version.sh +@@ -1,4 +1,4 @@ +-#!/usr/bin/awk -f ++#!/usr/bin/env -S awk -f + # SPDX-License-Identifier: GPL-2.0 + # extract linker version number from stdin and turn into single number + { +diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl +index 2ca4eb3f190d..9515765158fa 100755 +--- a/scripts/parse-maintainers.pl ++++ b/scripts/parse-maintainers.pl +@@ -1,4 +1,4 @@ +-#!/usr/bin/perl -w ++#!/usr/bin/env -S perl -w + # SPDX-License-Identifier: GPL-2.0 + + use strict; +diff --git a/scripts/ver_linux b/scripts/ver_linux +index 0968a3070eff..345b92f71d2d 100755 +--- a/scripts/ver_linux ++++ b/scripts/ver_linux +@@ -1,4 +1,4 @@ +-#!/usr/bin/awk -f ++#!/usr/bin/env -S awk -f + # SPDX-License-Identifier: GPL-2.0 + # Before running this script please ensure that your PATH is + # typical as you use for compilation/installation. I use diff --git a/patches/linux-5.10.5/0004-libsubcmd_Fix_use-after-free-for-realloc.patch b/patches/linux-5.10.5/0004-libsubcmd_Fix_use-after-free-for-realloc.patch deleted file mode 100644 index 57d0d5038..000000000 --- a/patches/linux-5.10.5/0004-libsubcmd_Fix_use-after-free-for-realloc.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Sun, 13 Feb 2022 10:24:43 -0800 -Subject: [PATCH] libsubcmd: Fix use-after-free for realloc(..., 0) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -GCC 12 correctly reports a potential use-after-free condition in the -xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)" -when size == 0: - -In file included from help.c:12: -In function 'xrealloc', - inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free] - 56 | ret = realloc(ptr, size); - | ^~~~~~~~~~~~~~~~~~ -subcmd-util.h:52:21: note: call to 'realloc' here - 52 | void *ret = realloc(ptr, size); - | ^~~~~~~~~~~~~~~~~~ -subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free] - 58 | ret = realloc(ptr, 1); - | ^~~~~~~~~~~~~~~ -subcmd-util.h:52:21: note: call to 'realloc' here - 52 | void *ret = realloc(ptr, size); - | ^~~~~~~~~~~~~~~~~~ - -Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence") -Reported-by: Valdis Klētnieks -Signed-off-by: Kees Kook -Tested-by: Valdis Klētnieks -Tested-by: Justin M. Forbes -Acked-by: Josh Poimboeuf -Cc: linux-hardening@vger.kernel.org -Cc: Valdis Klētnieks -Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org -Signed-off-by: Arnaldo Carvalho de Melo ---- - tools/lib/subcmd/subcmd-util.h | 11 ++--------- - 1 file changed, 2 insertions(+), 9 deletions(-) - -diff --git a/tools/lib/subcmd/subcmd-util.h b/tools/lib/subcmd/subcmd-util.h -index 794a375dad3601..b2aec04fce8f67 100644 ---- a/tools/lib/subcmd/subcmd-util.h -+++ b/tools/lib/subcmd/subcmd-util.h -@@ -50,15 +50,8 @@ static NORETURN inline void die(const char *err, ...) 
- static inline void *xrealloc(void *ptr, size_t size) - { - void *ret = realloc(ptr, size); -- if (!ret && !size) -- ret = realloc(ptr, 1); -- if (!ret) { -- ret = realloc(ptr, size); -- if (!ret && !size) -- ret = realloc(ptr, 1); -- if (!ret) -- die("Out of memory, realloc failed"); -- } -+ if (!ret) -+ die("Out of memory, realloc failed"); - return ret; - } - - diff --git a/patches/linux-5.10.5/shebangs.patch b/patches/linux-5.10.5/shebangs.patch deleted file mode 100644 index 76a73b5d8..000000000 --- a/patches/linux-5.10.5/shebangs.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter -index d7ca46c612b3..652e9542043f 100755 ---- a/scripts/bloat-o-meter -+++ b/scripts/bloat-o-meter -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/env python - # - # Copyright 2004 Matt Mackall - # -diff --git a/scripts/check-sysctl-docs b/scripts/check-sysctl-docs -index 8bcb9e26c7bc..90137319c50a 100755 ---- a/scripts/check-sysctl-docs -+++ b/scripts/check-sysctl-docs -@@ -1,4 +1,4 @@ --#!/usr/bin/gawk -f -+#!/usr/bin/env -S gawk -f - # SPDX-License-Identifier: GPL-2.0 - - # Script to check sysctl documentation against source files -diff --git a/scripts/diffconfig b/scripts/diffconfig -index 89abf777f197..627eba5849b5 100755 ---- a/scripts/diffconfig -+++ b/scripts/diffconfig -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/env python - # SPDX-License-Identifier: GPL-2.0 - # - # diffconfig - a tool to compare .config files. -diff --git a/scripts/get_abi.pl b/scripts/get_abi.pl -index 68dab828a722..92d9aa6cc4f5 100755 ---- a/scripts/get_abi.pl -+++ b/scripts/get_abi.pl -@@ -1,4 +1,4 @@ --#!/usr/bin/perl -+#!/usr/bin/env perl - # SPDX-License-Identifier: GPL-2.0 - - use strict; -diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh -index f2be0ff9a738..7a5b546ece16 100755 ---- a/scripts/ld-version.sh -+++ b/scripts/ld-version.sh -@@ -1,4 +1,4 @@ --#!/usr/bin/awk -f -+#!/usr/bin/env -S awk -f - # SPDX-License-Identifier: GPL-2.0 - # extract linker version number from stdin and turn into single number - { -diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl -index 2ca4eb3f190d..9515765158fa 100755 ---- a/scripts/parse-maintainers.pl -+++ b/scripts/parse-maintainers.pl -@@ -1,4 +1,4 @@ --#!/usr/bin/perl -w -+#!/usr/bin/env -S perl -w - # SPDX-License-Identifier: GPL-2.0 - - use strict; -diff --git a/scripts/show_delta b/scripts/show_delta -index 264399307c4f..28e67e178194 100755 ---- a/scripts/show_delta -+++ b/scripts/show_delta -@@ -1,4 +1,4 @@ 
--#!/usr/bin/python -+#!/usr/bin/env python - # SPDX-License-Identifier: GPL-2.0-only - # - # show_deltas: Read list of printk messages instrumented with -diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install -index 40fa6923e80a..828a8615a918 100755 ---- a/scripts/sphinx-pre-install -+++ b/scripts/sphinx-pre-install -@@ -1,4 +1,4 @@ --#!/usr/bin/perl -+#!/usr/bin/env perl - # SPDX-License-Identifier: GPL-2.0-or-later - use strict; - -diff --git a/scripts/split-man.pl b/scripts/split-man.pl -index c3db607ee9ec..96bd99dc977a 100755 ---- a/scripts/split-man.pl -+++ b/scripts/split-man.pl -@@ -1,4 +1,4 @@ --#!/usr/bin/perl -+#!/usr/bin/env perl - # SPDX-License-Identifier: GPL-2.0 - # - # Author: Mauro Carvalho Chehab -diff --git a/scripts/ver_linux b/scripts/ver_linux -index 0968a3070eff..345b92f71d2d 100755 ---- a/scripts/ver_linux -+++ b/scripts/ver_linux -@@ -1,4 +1,4 @@ --#!/usr/bin/awk -f -+#!/usr/bin/env -S awk -f - # SPDX-License-Identifier: GPL-2.0 - # Before running this script please ensure that your PATH is - # typical as you use for compilation/installation. I use From e2e5e788012f17d8dfcf6436488c838da106b410 Mon Sep 17 00:00:00 2001 
From: Thierry Laurion Date: Fri, 16 Aug 2024 15:20:11 -0400 Subject: [PATCH 02/13] cryptsetup2 toolstack version bump and script fixes to support multi-LUKS containers (BTRFS QubesOS 4.2) cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation. This is a critical feature for the Qubes OS 4.2 release for added data at rest protection Cryptsetup 2.6.x internal changes: - Argon2 used externally and internally: requires a lot of RAM and CPU to derive the passphrase into the key validated in key slots. - This is used to efficiently rate limit bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt - Of course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, RAM and CPU even to bruteforce low entropy passphrases/PINs. - passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consumed per op, then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted) - reencryption doesn't permit old call arguments. No more direct-io; inadmissibly slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with Cloudflare fixes in tree) cryptsetup 2.6.1 requires: - lvm2 2.03.23, which is also included in this PR. - requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in) - requires util-linux 2.39 - patches for reproducible builds are included for above 3 packages. 
luks-functions was updated to support the new cryptsetup2 version calls/changes - reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues - from tests, this is best for performance and reliability in single-user mode - LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early. - Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically. - If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK - Reencryption: requires to know which key slot to reencrypt. - Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call - Passphrase change: no slot can be passed, but key slot of DRK rotates. kexec-seal-key - TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31) - If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically - This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots. - If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys. - It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used? - Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31) - But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic. - LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions. TODO: - async (AIO) calls are not used. direct-io is used instead. 
libaio could be hacked out - this could be subject to future work Notes: - time to deprecated legacy boards the do not enough space for the new space requirements - x230-legacy, x230-legacy-flash, x230-hotp-legacy - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated Unrelated: - typos fixes found along the way Signed-off-by: Thierry Laurion --- initrd/bin/kexec-save-default | 7 +- initrd/bin/kexec-seal-key | 229 +++++++---- initrd/bin/oem-factory-reset | 25 +- initrd/etc/gui_functions | 3 + initrd/etc/luks-functions | 372 ++++++++++++------ initrd/init | 2 + modules/cryptsetup2 | 17 +- modules/libaio | 19 + modules/lvm2 | 40 +- modules/util-linux | 6 +- ...p2-2.3.3.patch => cryptsetup2-2.6.1.patch} | 360 ++++++++++++----- patches/lvm2-2.03.23.patch | 150 +++++++ patches/util-linux-2.29.2.patch | 139 ------- patches/util-linux-2.39.patch | 276 +++++++++++++ .../x230-hotp-legacy/x230-hotp-legacy.config | 73 ++++ .../x230-legacy-flash.config | 36 ++ .../x230-legacy/x230-legacy.config | 66 ++++ 17 files changed, 1357 insertions(+), 463 deletions(-) create mode 100644 modules/libaio rename patches/{cryptsetup2-2.3.3.patch => cryptsetup2-2.6.1.patch} (72%) create mode 100644 patches/lvm2-2.03.23.patch delete mode 100644 patches/util-linux-2.29.2.patch create mode 100644 patches/util-linux-2.39.patch create mode 100644 unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config create mode 100644 unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config create mode 100644 unmaintained_boards/x230-legacy/x230-legacy.config diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default index c7a4f04fa..828e7d984 100755 --- a/initrd/bin/kexec-save-default +++ b/initrd/bin/kexec-save-default 
@@ -218,16 +218,17 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ save_key="y" fi else - DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Encryption Key to the TPM" + DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Unlock Key (DUK) to the TPM" read \ -n 1 \ - -p "Do you wish to add a disk encryption to the TPM [y/N]: " \ + -p "Do you wish to add a disk encryption key to the TPM [y/N]: " \ add_key_confirm + #TODO: still not convinced: disk encryption key? decryption key? everywhere TPM Disk Unlock Key. Confusing even more? echo if [ "$add_key_confirm" = "y" \ -o "$add_key_confirm" = "Y" ]; then - DEBUG "User confirmed desire to add a Disk Encryption Key to the TPM" + DEBUG "User confirmed desire to add a Disk Unlock Key (DUK) to the TPM" save_key="y" fi fi diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 0481ebb2a..0765d8b9e 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key 
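Review bot: The new `-p` prompt still says "disk encryption key" while both new DEBUG lines on either side of it call the same thing a "Disk Unlock Key (DUK)", and the added `#TODO: still not convinced…` comment ships that open question into the initrd. Settle on one term before merging and drop the TODO, e.g. `-p "Do you wish to add a TPM Disk Unlock Key (DUK) [y/N]: " \`. The comment is also placed directly after the multi-line `read` command, where a reader scanning for the end of the backslash continuation can mistake it for part of the argument list; putting it above `read \` (or removing it) is clearer. The enclosing if/else starts before this hunk.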
@@ -1,15 +1,33 @@ #!/bin/bash -# This will generate a disk encryption key and seal / ecncrypt +# This will generate a disk encryption key and seal / encrypt # with the current PCRs and then store it in the TPM NVRAM. # It will then need to be bundled into initrd that is booted. set -e -o pipefail . /etc/functions +find_drk_key_slot() { + local temp_drk_key_slot="" + local keyslot + + for keyslot in "${luks_used_keyslots[@]}"; do + if [ -z "$temp_drk_key_slot" ]; then + DEBUG "Testing LUKS key slot $keyslot against $DISK_RECOVERY_KEY_FILE for Disk Recovery Key slot..." + if DO_WITH_DEBUG cryptsetup open --test-passphrase --key-slot "$keyslot" --key-file "$DISK_RECOVERY_KEY_FILE" "$dev"; then + temp_drk_key_slot="$keyslot" + DEBUG "Disk Recovery key slot is $temp_drk_key_slot" + break + fi + fi + done + + echo "$temp_drk_key_slot" +} + TPM_INDEX=3 TPM_SIZE=312 -KEY_FILE="/tmp/secret/secret.key" +DUK_KEY_FILE="/tmp/secret/secret.key" TPM_SEALED="/tmp/secret/secret.sealed" -RECOVERY_KEY="/tmp/secret/recovery.key" +DISK_RECOVERY_KEY_FILE="/tmp/secret/recovery.key" . /etc/functions . /tmp/config @@ -23,11 +41,12 @@ fi KEY_DEVICES="$paramsdir/kexec_key_devices.txt" KEY_LVM="$paramsdir/kexec_key_lvm.txt" +key_devices=$(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ') if [ ! -r "$KEY_DEVICES" ]; then die "No devices defined for disk encryption" else - DEBUG "Devices defined for disk encryption: $(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ')" + DEBUG "Devices defined for disk encryption: $key_devices" fi if [ -r "$KEY_LVM" ]; then 
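Review bot: `find_drk_key_slot` reads `luks_used_keyslots`, `dev` and `DISK_RECOVERY_KEY_FILE` from the caller's scope and returns its result on stdout, but nothing documents that, and `DISK_RECOVERY_KEY_FILE` is only assigned further down the file, so the ordering constraint is invisible at the definition. Suggested header: `# Print the LUKS key slot of $dev that opens with $DISK_RECOVERY_KEY_FILE (empty if none).` followed by `# Expects the caller to have set dev and filled luks_used_keyslots[].`. The inner `if [ -z "$temp_drk_key_slot" ]` is redundant because the loop `break`s as soon as a slot matches. Each `cryptsetup open --test-passphrase` run also pays the slot's KDF, which with the Argon2 cost the commit message describes means seconds per populated slot; acceptable for a one-off sealing step, but worth a one-line comment so the function is not later reused on a hot path.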
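Review bot: `key_devices=$(cat "$KEY_DEVICES" | cut -d' ' -f1 | tr '\n' ' ')` now runs before the `[ ! -r "$KEY_DEVICES" ]` test; under this script's `set -e -o pipefail` a missing or unreadable file fails the pipeline, bash gives the assignment that status and exits, so `die "No devices defined for disk encryption"` is unreachable and the user gets a bare cat error instead. Move the assignment into the `else` branch after the test: `else` / `key_devices=$(cut -d' ' -f1 -- "$KEY_DEVICES" | tr '\n' ' ')` / `DEBUG "Devices defined for disk encryption: $key_devices"`. The `for dev in $key_devices` loop in the following hunk still sees the variable, since the failing branch exits via `die`.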
@@ -44,92 +63,160 @@ fi DEBUG "$(pcrs)" -# LUKS Key slot 0 is the manual recovery pass phrase -# that they user entered when they installed OS, -# key slot 1 is the one that we've generated. -read -s -p "Enter LUKS Disk Recovery Key/passphrase: " disk_password -echo -n "$disk_password" >"$RECOVERY_KEY" -echo -read -s -p "New LUKS TPM Disk Unlock Key passphrase for booting: " key_password -echo -read -s -p "Repeat LUKS TPM Disk Unlock Key passphrase for booting: " key_password2 -echo +luks_drk_passphrase_valid=0 +for dev in $key_devices ; do + attempts=0 + while [ $attempts -lt 3 ]; do + if [ "$luks_drk_passphrase_valid" == "0" ]; then + # Ask for the passphrase only once + read -s -p "Enter LUKS Disk Recovery Key (DRK) passphrase that can unlock: $key_devices: " disk_recovery_key_passphrase + #Using he provided passphrase as the DRK "keyfile" for unattended operations + echo -n "$disk_recovery_key_passphrase" >"$DISK_RECOVERY_KEY_FILE" + echo + fi -if [ "$key_password" != "$key_password2" ]; then - die "Key passphrases do not match" -fi + DEBUG "Testing $DISK_RECOVERY_KEY_FILE keyfile created from provided passphrase against $dev individual key slots" + if cryptsetup open $dev --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then + DEBUG "LUKS device $dev unlocked successfully with the DRK passphrase" + luks_drk_passphrase_valid=1 + break + else + attempts=$((attempts + 1)) + if [ "$attempts" == "3" ] && [ "$luks_drk_passphrase_valid" == "0" ]; then + die "Failed to unlock LUKS device $dev with the provided passphrase. Exiting..." + elif [ "$attempts" != "3" ] && [ "$luks_drk_passphrase_valid" == "1" ]; then + #We failed unlocking with DRK passphrase another LUKS container + die "LUKS device $key_devices cannot all be unlocked with same passphrase. Please make $key_devices devices unlockable with the same passphrase. Exiting" + else + warn "Failed to unlock LUKS device $dev with the provided passphrase. Please try again." 
+ fi + fi + done +done + +attempts=0 +while [ $attempts -lt 3 ]; do + read -s -p "New LUKS TPM Disk Unlock Key passphrase (DUK) for booting: " key_password + echo + read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2 + echo + if [ "$key_password" != "$key_password2" ]; then + attempts=$((attempts + 1)) + if [ "$attempts" == "3" ]; then + die "Disk Unlock Key passphrases do not match. Exiting..." + else + warn "Disk Unlock Key passphrases do not match. Please try again." + fi + else + break + fi +done # Generate key file echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase" dd \ if=/dev/urandom \ - of="$KEY_FILE" \ + of="$DUK_KEY_FILE" \ bs=1 \ count=128 \ 2>/dev/null || die "Unable to generate 128 random bytes" -# Count the number of slots used on each device -for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do - DEBUG "Checking number of slots used on $dev LUKS header" - #check if the device is a LUKS device with luks[1,2] - # Get the number of key slots used on the LUKS header. - # LUKS1 Format is : - # Slot 0: ENABLED - # Slot 1: ENABLED - # Slot 2: DISABLED - # Slot 3: DISABLED - #... - # Slot 7: DISABLED - # Luks2 only reports on enabled slots. - # luks2 Format is : - # 0: luks2 - # 1: luks2 - # Meaning that the number of slots used is the number of lines returned by a grep on the LUKS2 above format. 
- # We need to count the number of ENABLED slots for both LUKS1 and LUKS2 - # create regex pattern for both LUKS1 and LUKS2 - regex="Slot [0-9]*: ENABLED" - regex+="\|" - regex+="[0-9]*: luks2" - slots_used=$(cryptsetup luksDump "$dev" | grep -c "$regex" || die "Unable to get number of slots used on $dev") - - DEBUG "Number of slots used on $dev LUKS header: $slots_used" - # If slot1 is the only one used, warn and die with proper messages - if [ "$slots_used" -eq 1 ]; then - # Check if slot 1 is the only one existing - if [ "$(cryptsetup luksDump "$dev" | grep -c "Slot 1: ENABLED")" -eq 1 ] || [ "$(cryptsetup luksDump "$dev" | grep -c "1: luks2")" -eq 1 ]; then - warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key" - warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store LUKS Disk Recovery Key/passphrase" - die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev" - fi +previous_luks_header_version=0 +for dev in $key_devices; do + # Check and store LUKS version of the devices to be used later + luks_version=$(cryptsetup luksDump "$dev" | grep "Version" | cut -d: -f2 | tr -d '[:space:]') + if [ "$luks_version" == "2" ] && [ "$previous_luks_header_version" == "1" ]; then + die "$dev: LUKSv2 device detected while LUKSv1 device was detected previously. Exiting..." + fi + + if [ "$luks_version" == "1" ] && [ "$previous_luks_header_version" == "2" ]; then + die "$dev: LUKSv1 device detected while LUKSv2 device was detected previously. Exiting..." 
+ fi + + if [ "$luks_version" == "2" ]; then + # LUKSv2 last key slot is 31 + duk_keyslot=31 + regex="^\s+([0-9]+):\s*luks2" + sed_command="s/^\s\+\([0-9]\+\):\s*luks2/\1/g" + previous_luks_header_version=2 + DEBUG "$dev: LUKSv2 device detected" + elif [ "$luks_version" == "1" ]; then + # LUKSv1 last key slot is 7 + duk_keyslot=7 + regex="Key Slot ([0-9]+): ENABLED" + sed_command='s/Key Slot \([0-9]\+\): ENABLED/\1/' + previous_luks_header_version=1 + DEBUG "$dev: LUKSv1 device detected" else - DEBUG "Slot 1 is not the only existing slot on $dev LUKS header." - DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase" + die "$dev: Unsupported LUKS version $luks_version" fi -done -# Remove all the old keys from slot 1 -for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do - echo "++++++ $dev: Removing old LUKS TPM Disk Unlock Key in LUKS slot 1" - cryptsetup luksKillSlot \ - --key-file "$RECOVERY_KEY" \ - $dev 1 || - warn "$dev: removal of LUKS TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing" - - echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS slot 1" - cryptsetup luksAddKey \ - --key-file "$RECOVERY_KEY" \ - --key-slot 1 \ - $dev "$KEY_FILE" || - die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS slot 1" + # drk_key_slot will be the slot number where the passphrase was tested against as valid. We will keep that slot + drk_key_slot="-1" + + # Get all the key slots that are used on $dev + luks_used_keyslots=($(cryptsetup luksDump "$dev" | grep -E "$regex" | sed "$sed_command")) + DEBUG "$dev LUKS key slots: ${luks_used_keyslots[*]}" + + #Find the key slot that can be unlocked with the provided passphrase + drk_key_slot=$(find_drk_key_slot) + + # If we didn't find the DRK key slot, we exit (this should never happen) + if [ "$drk_key_slot" == "-1" ]; then + die "$dev: Unable to find a key slot that can be unlocked with provided passphrase. Exiting..." 
+ fi + + # If the key slot is not the expected DUK o FRK key slot, we will ask the user to confirm the wipe + for keyslot in "${luks_used_keyslots[@]}"; do + if [ "$keyslot" != "$drk_key_slot" ]; then + #set wipe_desired to no by default + wipe_desired="no" + + if [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" == "1" ]; then + wipe_desired="yes" + DEBUG "LUKS key slot $keyslot not DRK. Will wipe this DUK key slot silently" + elif [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" != "$duk_keyslot" ]; then + # Heads expects key slot LUKSv1:7 or LUKSv2:31 to be used for TPM DUK setup. + # Ask user to confirm otherwise + warn "LUKS key slot $keyslot is not typical ($duk_keyslot expected) for TPM Disk Unlock Key setup" + read -p "Are you sure you want to wipe it? [y/N] " -n 1 -r + echo + # If user does not confirm, skip this slot + if [[ $REPLY =~ ^[Yy]$ ]]; then + wipe_desired="yes" + fi + elif [ "$keyslot" == "$duk_keyslot" ]; then + # If key slot is the expected DUK keyslot, we wipe it silently + DEBUG "LUKS key slot $keyslot is the expected DUK key slot. Will wipe this DUK key slot silently" + wipe_desired="yes" + fi + + if [ "$wipe_desired" == "yes" ] && [ "$keyslot" != "$drk_key_slot" ]; then + echo "++++++ $dev: Wiping LUKS key slot $keyslot" + DO_WITH_DEBUG cryptsetup luksKillSlot \ + --key-file "$DISK_RECOVERY_KEY_FILE" \ + $dev $keyslot || + warn "$dev: removal of LUKS slot $keyslot failed: Continuing" + fi + fi + done + + + echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot" + DO_WITH_DEBUG cryptsetup luksAddKey \ + --key-file "$DISK_RECOVERY_KEY_FILE" \ + --new-key-slot $duk_keyslot \ + $dev "$DUK_KEY_FILE" || + die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot" done # Now that we have setup the new keys, measure the PCRs # We don't care what ends up in PCR 6; we just want # to get the /tmp/luksDump.txt file. 
We use PCR16 # since it should still be zero -cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks || +echo "$key_devices" | xargs /bin/qubes-measure-luks || die "Unable to measure the LUKS headers" pcrf="/tmp/secret/pcrf.bin" @@ -155,13 +242,13 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf" tpmr pcrread -a 7 "$pcrf" DO_WITH_DEBUG --mask-position 7 \ - tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \ + tpmr seal "$DUK_KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \ "$TPM_SIZE" "$key_password" || die "Unable to write LUKS TPM Disk Unlock Key to NVRAM" # should be okay if this fails shred -n 10 -z -u "$pcrf" 2>/dev/null || warn "Failed to delete pcrf file - continuing" -shred -n 10 -z -u "$KEY_FILE" 2>/dev/null || +shred -n 10 -z -u "$DUK_KEY_FILE" 2>/dev/null || warn "Failed to delete key file - continuing" mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing" diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 35e41ac3a..ca000e50d 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -44,6 +44,12 @@ GPG_ALGO="RSA" # Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard RSA_KEY_LENGTH=3072 +#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes +if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then + DEBUG "Overriding RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards" + RSA_KEY_LENGTH=2048 +fi + GPG_USER_NAME="OEM Key" GPG_KEY_NAME=$(date +%Y%m%d%H%M%S) GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com" 
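Review bot: In the slot-wiping loop, `[ "$keyslot" == "1" ]` makes key slot 1 be killed silently on every device, while any other slot that is neither the DRK slot nor the expected DUK slot (7 or 31) gets the `Are you sure you want to wipe it? [y/N]` prompt; slot 1 being the old Heads DUK is only a convention, so on a disk where the installer or the user put a second passphrase there this destroys a user key with no confirmation. Dropping that first branch lets slot 1 fall through to the existing prompt, which costs one keypress in the legacy case and is safe in the other. The three inner `[ "$keyslot" != "$drk_key_slot" ]` tests repeat the enclosing `if` and can go. The DRK passphrase written to `$DISK_RECOVERY_KEY_FILE` is used as a key file throughout this script, but the cleanup in the `-155,13` hunk only shreds `$pcrf` and `$DUK_KEY_FILE`; unless that is done past the end of that hunk, add `shred -n 10 -z -u "$DISK_RECOVERY_KEY_FILE" 2>/dev/null || warn "Failed to delete recovery key file - continuing"` next to them.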
@@ -266,20 +272,20 @@ keytocard_subkeys_to_smartcard() { { echo "key 1" #Toggle on Signature key in --edit-key mode on local keyring echo "keytocard" #Move Signature key to smartcard - echo "1" #Select Signature key keyslot on smartcard + echo "1" #Select Signature key key slot on smartcard echo "${ADMIN_PIN}" #Local keyring Subkey PIN echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN echo "0" #No expiration date echo "key 1" #Toggle off Signature key echo "key 2" #Toggle on Encryption key echo "keytocard" #Move Encryption key to smartcard - echo "2" #Select Encryption key keyslot on smartcard + echo "2" #Select Encryption key key slot on smartcard echo "${ADMIN_PIN}" #Local keyring Subkey PIN echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN echo "key 2" #Toggle off Encryption key echo "key 3" #Toggle on Authentication key echo "keytocard" #Move Authentication key to smartcard - echo "3" #Select Authentication key keyslot on smartcard + echo "3" #Select Authentication key slot on smartcard echo "${ADMIN_PIN}" #Local keyring Subkey PIN echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN echo "key 3" #Toggle off Authentication key @@ -383,6 +389,7 @@ export_public_key_to_thumbdrive_public_partition() { #pass non-empty arguments to --pass, --mountpoint, --device, --mode mount-usb --device "$device" --mode "$mode" --mountpoint "$mountpoint" || die "Error mounting thumb drive's public partition" + #TODO: reuse "Obtain GPG key ID" so that pubkey on public thumb drive partition is named after key ID gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition" umount "$mountpoint" || die "Error unmounting thumb drive's public partition" @@ -879,6 +886,7 @@ report_integrity_measurements clear #Prompt user for use of default configuration options +TRACE_FUNC echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: " read -n 1 use_defaults 
@@ -907,6 +915,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo if [ "$prompt_output" == "y" \ -o "$prompt_output" == "Y" ]; then + TRACE_FUNC test_luks_current_disk_recovery_key_passphrase luks_new_Disk_Recovery_Key_desired=1 echo -e "\n" @@ -970,8 +979,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo if [ "$prompt_output" == "y" \ -o "$prompt_output" == "Y" ]; then - echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" - echo + echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length." while [[ ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do echo -e -n "Enter the custom password: " read CUSTOM_SINGLE_PASS @@ -999,8 +1007,8 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then read TPM_PASS done fi - while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do - echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" + while [[ ${#ADMIN_PIN} -lt 6 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do + echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG Admin PIN: " read ADMIN_PIN done @@ -1028,6 +1036,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then } done #We test that current LUKS Disk Recovery Key passphrase is known prior of going further + TRACE_FUNC test_luks_current_disk_recovery_key_passphrase echo -e "\n" fi 
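Review bot: The GPG Admin PIN floor is lowered from 8 to 6 characters in the `while [[ ${#ADMIN_PIN} -lt 6 ]]` loop with no rationale in the commit message; the OpenPGP card specification sets the minimum Admin PIN (PW3) length at 8 characters (6 is the User PIN minimum), so a 6- or 7-character value accepted here can be rejected by the card later in the flow, and it weakens the PIN that gates key import. If the relaxation is needed for one token type (the `qemu-*`/Canokey override earlier in this file suggests so), gate it on that condition, keep 8 as the default, and add a comment naming the reason. This hunk sits inside the `if [ "$use_defaults" == "n" … ]` block whose start and end are outside the hunk.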
@@ -1147,8 +1156,8 @@ fi if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then #Reencryption of disk, LUKS Disk Recovery Key and LUKS Disk Recovery Key passphrase change is requested - luks_change_passphrase luks_reencrypt + luks_change_passphrase elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then #Reencryption of disk was requested but not passphrase change luks_reencrypt diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions index 38958b1ab..e4b7ed4d5 100755 --- a/initrd/etc/gui_functions +++ b/initrd/etc/gui_functions @@ -37,6 +37,7 @@ mount_usb() # -- Display related functions -- # Produce a whiptail prompt with 'warning' background, works for fbwhiptail and newt whiptail_warning() { + #TODO: Cannot be called as is under luks_functions with string expension in title: why? if [ -x /bin/fbwhiptail ]; then whiptail $BG_COLOR_WARNING "$@" else @@ -46,6 +47,7 @@ whiptail_warning() { # Produce a whiptail prompt with 'error' background, works for fbwhiptail and newt whiptail_error() { + #TODO: Cannot be called as is under luks_functions with string expension in title: why? if [ -x /bin/fbwhiptail ]; then whiptail $BG_COLOR_ERROR "$@" else @@ -55,6 +57,7 @@ whiptail_error() { # Produce a whiptail prompt of the given type - 'error', 'warning', or 'normal' whiptail_type() { + TRACE_FUNC local TYPE="$1" shift case "$TYPE" in diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index 30e0c4ab9..b7765a7b0 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions @@ -7,6 +7,7 @@ #List all LUKS devices on the system list_luks_devices() { + TRACE_FUNC #generate a list of devices to choose from that contain a LUKS header lvm vgscan || true blkid | cut -d ':' -f 1 | while read device; do 
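Review bot: The swap that now runs `luks_reencrypt` before `luks_change_passphrase` in the "both requested" branch is recorded neither in a comment nor in the commit message, and the order is load-bearing because the reencrypt path picks the key slot that the current passphrase unlocks. A one-line comment above the pair stating why reencryption must come first (with the actual reason) would keep the next maintainer from swapping it back.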
@@ -267,12 +268,15 @@ prepare_thumb_drive() select_luks_container() { + #TODO: extend logic to prompt for block devices with model if multiple LUKS are found on block device instead of partitions + # Then feed luks with those partitions so that reencrypt and passphrase change can use passphrase to test all selected TRACE_FUNC if [ -s /boot/kexec_key_devices.txt ]; then DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt" - DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)" - LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) - else + LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) + DEBUG "LUKS container device: $(echo $LUKS)" + # LUKS variable not exported yet, prompt for LUKS device + elif [ -z "$LUKS" ]; then list_luks_devices > /tmp/luks_devices.txt #if /tmp/luks_devices.txt exists and is not empty if [ -s /tmp/luks_devices.txt ]; then 
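Review bot: `select_luks_container` now has three entry paths — the persisted list in `/boot/kexec_key_devices.txt`, a pre-set `$LUKS`, and the interactive prompt — but the only hint is the `# LUKS variable not exported yet` comment, and the persisted file still takes precedence over a `$LUKS` value a caller appears to have already validated. A header comment stating the precedence and that a pre-set `$LUKS` is taken as-is would document the contract; if the file should not override a validated selection, test `[ -z "$LUKS" ]` first. `DEBUG "LUKS container device: $(echo $LUKS)"` relies on unquoted expansion to flatten newlines and is also subject to globbing; `DEBUG "LUKS container device: ${LUKS//$'\n'/ }"` says what it means.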
@@ -280,11 +284,21 @@ select_luks_container() if [ "$FILE" == "" ]; then return 1 else - LUKS=$FILE - detect_boot_device - mount -o remount,rw /boot - echo "$LUKS $(cryptsetup luksUUID $LUKS)" >/boot/kexec_key_devices.txt - mount -o remount,ro /boot + #TODO: What about BRTFS multi LUKS setup of QubesOS? + # if multiple LUKS containers are found on same block device + # select all of the luks containers on same block device instead of just one + # note that block devices for example under /dev/sda will be /dev/sda1, /dev/sda2, etc + # so we need to select all of the partitions on the same block device from /tmp/luks_devices.txt + # and then export them to LUKS variable + # then reencrypt and passphrase change functions will loop on all of the LUKS containers + # and test passphrase on all of them + if grep -q "$(echo $FILE | sed 's/[0-9]*$//')" /tmp/luks_devices.txt; then + DEBUG "Multiple LUKS containers found on same block device, selecting them all" + LUKS=$(grep $(echo $FILE | sed 's/[0-9]*$//') /tmp/luks_devices.txt) + else + DEBUG "Single LUKS container found on block device, assigning to LUKS variable" + LUKS=$FILE + fi fi else warn "No encrypted device found" 
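Review bot: The `grep -q "$(echo $FILE | sed 's/[0-9]*$//')" /tmp/luks_devices.txt` test is always true, because `$FILE` was chosen from that same list and the stripped prefix matches its own line, so the `else` branch (`LUKS=$FILE`) is dead code and the single-container case is only right by accident. The prefix is also matched unanchored and, in the second `grep`, unquoted, so `/dev/sda` would match `/dev/sdaa1` or any longer path containing it. Compute it once and anchor it: `luks_prefix=$(printf '%s' "$FILE" | sed 's/[0-9]*$//')` then `LUKS=$(grep -- "^${luks_prefix}[0-9]*$" /tmp/luks_devices.txt)`, and let the DEBUG report how many containers were grouped. Grouping every LUKS partition on the disk also forces one shared passphrase on setups with independent installs on the same device; the TODO above acknowledges this, but the grouping is worth stating in the user-facing text.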
@@ -295,41 +309,79 @@ select_luks_container() test_luks_current_disk_recovery_key_passphrase() { + #TODO: reuse/generalize usage of this function. Tests for LUKS are still done 4 times independently of this helper TRACE_FUNC while :; do select_luks_container || return 1 + + # LUKS contains multiline string of LUKS containers on same block device + # transform it into words of a same string separated by space + PRINTABLE_LUKS=$(echo $LUKS) + + TRACE_FUNC if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - #if no external provisioning provides current LUKS Disk Recovery Key passphrase + # if no external provisioning provides current LUKS Disk Recovery Key passphrase echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..." - cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..." - cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi - #Validate past cryptsetup-reencrypt attempts - if [ $? -eq 0 ]; then - whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 
30 60 - shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null - #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round - unset luks_current_Disk_Recovery_Key_passphrase - #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - #maybe the container was not the right one - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - else - #LuksOpen test was successful. Cleanup should be called only when done - #Exporting successfully used passphrase possibly reused by oem-factory-reset - #We close the volume - cryptsetup close test - export luks_current_Disk_Recovery_Key_passphrase + # test all LUKS containers on same block device as returned by select_luks_container + echo -e "\n$PRINTABLE_LUKS: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + + # Loop on all LUKS containers on same block device + for luks_container in $LUKS; do + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase + # Validate past cryptsetup reencrypt attempts + if [ $? -ne 0 ]; then + # if we have more than one LUKS container and passphrase test unsuccessful, tell user how to change passphrase + if [ $(echo $LUKS | wc -w) -gt 1 ]; then + #TODO remove this once whiptail_error whiptail_warning can take titles with double quotes + #whiptail_warning --title 'tes' --msgbox 'test' 0 80 + #whiptail_error --title 'error' --msgbox 'error' 0 80 + #Neither work today. Not related to this PR... Using whiptail without coloring. 
+ + msg=$(echo -e "All $PRINTABLE_LUKS must unlock with the same Disk Recovery Key passphrase for the current operation to succeed.\n\nTo change individual LUKS container passphrase, do so from 'Options-> Change LUKS Disk Recovery Key passphrase'\n\nThen retry this operation." | fold -w 70 -s) + whiptail --title "$luks_container"': Wrong current LUKS Disk Recovery Key passphrase?' \ + --msgbox "$msg" 0 80 + + TRACE_FUNC + luks_secrets_cleanup + die "$PRINTABLE_LUKS individual containers NEED to share the same Disk Recovery Key passphrase" + # We exited to caller, LUKS still set. TODO: problem? Should we call all cleaning functions on die? + fi + + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + TRACE_FUNC + + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + # remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. + # maybe the container was not the right one + unset LUKS + else + # LuksOpen test was successful. Cleanup should be called only when done + # Exporting successfully used passphrase possibly reused by oem-factory-reset + echo "$luks_container: unlocking LUKS container with current Disk Recovery Key passphrase successful" + + # Exporting successfully used passphrase possibly reused by oem-factory-reset + export luks_current_Disk_Recovery_Key_passphrase + fi + done + + # exit while loop if LUKS variable is not empty + if [ -n "$LUKS" ]; then + # We export the LUKS volume(s) that was/were validated via passphrase test + export LUKS + TRACE_FUNC + DEBUG "$LUKS exported to be reused" break; fi done 
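Review bot: The failure branch in the container loop tests `[ $? -ne 0 ]` on the line after `DO_WITH_DEBUG cryptsetup open --test-passphrase …`, which depends on `DO_WITH_DEBUG` returning cryptsetup's status unchanged and breaks as soon as anything lands between the two lines; the `luks_reencrypt` hunk of this file already uses `if ! DO_WITH_DEBUG cryptsetup open --test-passphrase … > /dev/null 2>&1; then`, so use the same form here. `unset LUKS` inside `for luks_container in $LUKS` does not stop the iteration (the list was expanded on entry); harmless for a single container, but the remaining items would still be tested against a cleaned-up passphrase file if the multi-container `die` above ever becomes a non-fatal path. The trailing `# We exited to caller, LUKS still set. TODO: problem?` comment leaves the reader unsure whether `die` terminates the process; if it does, state that there and drop the question.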
@@ -337,12 +389,16 @@ test_luks_current_disk_recovery_key_passphrase() luks_reencrypt() { TRACE_FUNC - while :; do - select_luks_container || return 1 - #If the user just set a new LUKS Disk Recovery Key passphrase - if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then - luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase" - fi + #TODO: REFACTOR This and luks passphrase change function needs to loop on same drive discovered luks containers so that reencrypt/passwd change is done on all luks containers of same drive + # Ideal would be to list luks devices and then try keep and append LUKS devices to a list of devices to reencrypt or change passphrase + # then loop on that list of devices that could be opened and reencrypt/change passphrase for all the devices that could be tested opened with that passphrase + select_luks_container || return 1 + + # Count the number of containers to be reencrypted + num_containers=$(echo "$LUKS" | wc -w) + reencrypted_containers=0 + + while [ $reencrypted_containers -lt $num_containers ]; do if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then #if no external provisioning provides current LUKS Disk Recovery Key passphrase msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s) 
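Review bot: `select_luks_container` is called once before the `while [ $reencrypted_containers -lt $num_containers ]` loop, but the failure branches later in the function (visible in the following hunk) do `unset LUKS` and `continue`, so after a wrong passphrase the next iteration rebuilds `luks_containers=($LUKS)` from an empty variable, never touches a container, never increments `reencrypted_containers`, and either re-prompts for the passphrase forever or spins, depending on what `luks_secrets_cleanup` clears; that `continue` also only advances the inner `for`, not the `while`. Re-select when the selection was dropped, e.g. right after the `do`: `[ -n "$LUKS" ] || select_luks_container || return 1` followed by recomputing `num_containers`. The help text in this hunk still says the operation works `by setting a default boot LUKS key slot (1)`, while `kexec-seal-key` in this commit now uses slot 7 (LUKSv1) or 31 (LUKSv2); update the wording. `luks_reencrypt`'s body continues past the end of this hunk.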
@@ -351,97 +407,185 @@ luks_reencrypt() { echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!" - cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!" - cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi - #Validate past cryptsetup-reencrypt attempts - if [ $(echo $?) -ne 0 ]; then - whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 - shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null - #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round - unset luks_current_Disk_Recovery_Key_passphrase - #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - #maybe the container was not the right one - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - else - #Reencryption was successful. 
Cleanup should be called only when done - #Exporting successfully used passphrase possibly reused by oem-factory-reset - export luks_current_Disk_Recovery_Key_passphrase - break; - fi - done -} -luks_change_passphrase() -{ - TRACE_FUNC - while :; do - select_luks_container || return 1 - #if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file - if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then - whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ - "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60 - if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" - while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do - { - read -r luks_new_Disk_Recovery_Key_passphrase - };done + # Split the $LUKS variable into an array of LUKS containers + luks_containers=($LUKS) + TRACE_FUNC + DEBUG "luks_containers: $luks_containers" + + # Loop through each LUKS container + for luks_container in "${luks_containers[@]}"; do + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 
0 80 + # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. + # Maybe the container was not the right one + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue fi - if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" - read -r luks_current_Disk_Recovery_Key_passphrase + done + + DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key" + for luks_container in "${luks_containers[@]}"; do + # First obtain which luks1/luks2 key-slot can be unlocked with the key-file + DRK_KEYSLOT=-1 + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + for i in $(seq 0 31); do + if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + DRK_KEYSLOT=$i + DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop" + break + fi + done + + # Validate if a key slot was found + if [ $DRK_KEYSLOT -eq -1 ]; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. 
+ # Maybe the container was not the right one + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue fi - export luks_current_Disk_Recovery_Key_passphrase - export luks_new_Disk_Recovery_Key_passphrase - echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." - cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase - else - #If current and new LUKS Disk Recovery Key were exported - echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." - cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase - fi - #Validate past cryptsetup attempts - if [ $(echo $?) -ne 0 ]; then - #Cryptsetup luksChangeKey was unsuccessful - whiptail --title 'Invalid LUKS passphrase?' --msgbox \ - "The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 
30 60 - unset luks_current_Disk_Recovery_Key_passphrase - unset luks_new_Disk_Recovery_Key_passphrase - #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - #maybe the container was not the right one - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - else - #Cryptsetup was successful. - #Cleanup should be called seperately. - #Exporting successfully used passphrase possibly reused by oem-factory-reset - export luks_new_Disk_Recovery_Key_passphrase - break; - fi + # Now reencrypt the LUKS container with the same key slot + # Warn and launch actual reencryption + echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..." + warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS" + + # --perf-no_read_workqueue and/or --perf-no_write_workqueue improve encryption/reencrypton performance on kernel 5.10.9+ + # bypassing dm-crypt queues. + # Ref https://github.com/cloudflare/linux/issues/1#issuecomment-729695518 + # --resilience=none disables the resilience feature of cryptsetup, which is enabled by default + # --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device) + # --disable-locks disables the lock feature of cryptsetup, which is enabled by default + + if ! DO_WITH_DEBUG cryptsetup reencrypt \ + --perf-no_read_workqueue --perf-no_write_workqueue \ + --resilience=none --force-offline-reencrypt --disable-locks \ + "$luks_container" --key-slot "$DRK_KEYSLOT" \ + --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" 
--msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + + TRACE_FUNC + + #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. + #maybe the container was not the right one + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + else + #Reencryption was successful. Cleanup should be called only when done + #Exporting successfully used passphrase possibly reused by oem-factory-reset + export luks_current_Disk_Recovery_Key_passphrase + export LUKS + + # Increment the count of reencrypted containers + reencrypted_containers=$((reencrypted_containers + 1)) + fi + done done } +luks_change_passphrase() { + TRACE_FUNC + + select_luks_container || return 1 + + # Count the number of containers to be processed + num_containers=$(echo "$LUKS" | wc -w) + changed_containers=0 + + # Split the $LUKS variable into an array of LUKS containers + IFS=' ' read -ra luks_containers <<< "$LUKS" + + for luks_container in "${luks_containers[@]}"; do + if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then + whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ + "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80 + + if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then + echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" + while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do + read -r 
luks_new_Disk_Recovery_Key_passphrase + done + fi + + if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" + read -r luks_current_Disk_Recovery_Key_passphrase + fi + fi + + echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase + + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue + fi + + echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase; then + whiptail --title 'Failed to change LUKS passphrase' --msgbox \ + "Failed to change the passphrase for $luks_container.\nPlease try again." 0 80 + continue + fi + + echo "Success changing passphrase for $luks_container." 
+ changed_containers=$((changed_containers + 1)) + done + + if [ $changed_containers -eq $num_containers ]; then + # All containers processed successfully + luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase + export luks_current_Disk_Recovery_Key_passphrase + export luks_new_Disk_Recovery_Key_passphrase + export LUKS + fi +} + luks_secrets_cleanup() { + TRACE_FUNC + #Cleanup shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true + + #Unset variables (when in same boot) unset luks_current_Disk_Recovery_Key_passphrase unset luks_new_Disk_Recovery_Key_passphrase + + #TODO: refactor logic of selec_luks_conatainer, where to put + #unset LUKS } diff --git a/initrd/init b/initrd/init index 55a894a79..847f9e2a9 100755 --- a/initrd/init +++ b/initrd/init @@ -103,10 +103,12 @@ fi #Specify whiptail background colors cues under FBWhiptail only if [ -x /bin/fbwhiptail ]; then + DEBUG "fbwhiptail BG_COLOR_* exported" export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}" export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}" export BG_COLOR_MAIN_MENU="normal" else + DEBUG "whiptail TEXT_BG_COLOR_* exported" export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}" export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}" export BG_COLOR_MAIN_MENU="normal" diff --git a/modules/cryptsetup2 b/modules/cryptsetup2 index 6becf6db8..ff98639b6 100644 --- a/modules/cryptsetup2 +++ b/modules/cryptsetup2 
@@ -2,11 +2,11 @@ modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2 cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep) -cryptsetup2_version := 2.3.3 +cryptsetup2_version := 2.6.1 cryptsetup2_dir := cryptsetup-$(cryptsetup2_version) cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz -cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-$(cryptsetup2_version).tar.xz -cryptsetup2_hash := 3bca4ffe39e2f94cef50f6ea65acb873a6dbce5db34fc6bcefe38b6d095e82df +cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz +cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693 # Use an empty prefix so that the executables will not include the # build path. @@ -16,9 +16,15 @@ cryptsetup2_configure := \ ./configure \ --host $(MUSL_ARCH)-elf-linux \ --prefix "/" \ - --disable-gcrypt-pbkdf2 \ + --enable-internal-sse-argon2 \ --disable-rpath \ - --enable-cryptsetup-reencrypt \ + --disable-gcrypt-pbkdf2 \ + --disable-ssh-token \ + --disable-asciidoc \ + --disable-nls \ + --disable-selinux \ + --disable-udev \ + --disable-external-tokens \ --with-crypto_backend=kernel \ --with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d @@ -33,7 +39,6 @@ cryptsetup2_target := \ cryptsetup2_output := \ .libs/cryptsetup \ - .libs/cryptsetup-reencrypt \ .libs/veritysetup \ cryptsetup2_libraries := \ diff --git a/modules/libaio b/modules/libaio new file mode 100644 index 000000000..bf83fb90a --- /dev/null +++ b/modules/libaio 
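Review bot: `--enable-internal-sse-argon2` in the new cryptsetup2_configure selects the SSE-specific build of the bundled Argon2, which presumably only compiles on x86 targets; since this series also touches config/linux-talos-2.config, confirm the flag is harmless for non-x86 boards or gate it on `$(MUSL_ARCH)`. Because `--with-crypto_backend=kernel` is kept, the LUKS2 key-derivation code path now depends on that bundled implementation, so a one-line comment above the flag naming that dependency would help the next bump. The new `cryptsetup2_hash` is the only thing pinning the 2.6.1 tarball; record how it was obtained, e.g. `# sha256 checked against the upstream cryptsetup-2.6.1.tar.sign` (only if that was actually done). Dropping `.libs/cryptsetup-reencrypt` from cryptsetup2_output is consistent with the removed `--enable-cryptsetup-reencrypt`, but a comment that reencryption is now the `cryptsetup reencrypt` subcommand would explain why nothing replaces it.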
@@ -0,0 +1,19 @@ +modules-$(CONFIG_LVM2) += libaio + +libaio_version := 0.3.113 +libaio_dir := libaio-$(libaio_version) +libaio_tar := libaio_$(libaio_version).orig.tar.gz +libaio_url := https://deb.debian.org/debian/pool/main/liba/libaio/$(libaio_tar) +libaio_hash := 2c44d1c5fd0d43752287c9ae1eb9c023f04ef848ea8d4aafa46e9aedb678200b + +libaio_target := \ + DESTDIR="$(INSTALL)" \ + prefix="/" \ + $(CROSS_TOOLS) \ + install \ + && mv $(build)/$(libaio_dir)/src/libaio.so.1.0.2 $(build)/$(libaio_dir)/src/libaio.so.1 \ + +libaio_libraries:= src/libaio.so.1 + +libaio_depends := $(musl_dep) + diff --git a/modules/lvm2 b/modules/lvm2 index e51292d6d..6df76284e 100644 --- a/modules/lvm2 +++ b/modules/lvm2 
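Review bot: The libaio_target recipe ends with `&& mv ... libaio.so.1 \` followed by an empty line, so the trailing backslash continues the recipe into nothing; drop the final `\`. The `mv` also hardcodes `libaio.so.1.0.2` independently of `libaio_version`, so the next version bump will fail at that step unless the minor version is derived from the build output (a `libaio.so.1.*` glob) or a comment records that it must be updated together with the version. `libaio_libraries:=` lacks the spacing used by the sibling modules; write it as `libaio_libraries := src/libaio.so.1`. Presumably the rename exists so that `libaio_libraries` points at a regular file rather than the installed symlink — a one-line comment above the `mv` saying so would save the next reader the guess.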
@@ -1,37 +1,39 @@ modules-$(CONFIG_LVM2) += lvm2 -lvm2_version := 2.02.168 +lvm2_version := 2.03.23 lvm2_dir := lvm2.$(lvm2_version) lvm2_tar := LVM2.$(lvm2_version).tgz lvm2_url := https://mirrors.kernel.org/sourceware/lvm2/$(lvm2_tar) -lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d +lvm2_hash := 74e794a9e9dee1bcf8a2065f65b9196c44fdf321e22d63b98ed7de8c9aa17a5d # cross compiling test assumes malloc/realloc aren't glibc compat # so we force it via the configure cache. lvm2_configure := \ $(CROSS_TOOLS) \ - CFLAGS="-Os" \ - PKG_CONFIG=/bin/false \ - MODPROBE_CMD=/bin/false \ ac_cv_func_malloc_0_nonnull=yes \ ac_cv_func_realloc_0_nonnull=yes \ ./configure \ --host $(MUSL_ARCH)-elf-linux \ - --prefix "/" \ - --disable-blkid_wiping \ - --disable-cache_check_needs_check \ - --disable-cmirrord \ + --prefix "" \ + --libexecdir "/bin" \ + --with-optimisation=-Os \ + --enable-devmapper \ + --disable-selinux \ + --without-systemd \ + --disable-lvmimportvdo \ + --disable-realtime \ + --disable-dmfilemapd \ --disable-dmeventd \ - --disable-lvmetad \ --disable-lvmpolld \ - --disable-realtime \ - --disable-selinux \ - --disable-thin_check_needs_check \ - --disable-udev-systemd-background-jobs \ - --disable-use-lvmetad \ + --disable-readline \ + --disable-udev_sync \ + --enable-static_link \ --disable-use-lvmlockd \ --disable-use-lvmpolld \ - --enable-devmapper \ + --disable-dmfilemapd \ + --disable-cmirrord \ + --disable-cache_check_needs_check \ + --disable-thin_check_needs_check \ --with-cluster=none \ --with-thin-check= \ @@ -49,10 +51,10 @@ lvm2_target := \ DESTDIR="$(INSTALL)" \ install_device-mapper \ -lvm2_libraries := libdm/libdevmapper.so.1.02 +lvm2_libraries := libdm/ioctl/libdevmapper.so.1.02 lvm2_output := \ - tools/dmsetup \ + ./libdm/dm-tools/dmsetup \ tools/lvm \ -lvm2_depends := util-linux $(musl_dep) +lvm2_depends := util-linux libaio $(musl_dep) diff --git a/modules/util-linux b/modules/util-linux index 9ab8dae55..bb359d74d 100644 
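Review bot: `--disable-dmfilemapd` is passed twice in the new lvm2_configure (once after `--disable-realtime`, again before `--disable-cmirrord`); drop one. The same hunk removes `PKG_CONFIG=/bin/false` and `MODPROBE_CMD=/bin/false`, which previously stopped configure from consulting the host's pkg-config and, presumably, from baking a host modprobe path into the cross-built tools; confirm 2.03.23 still honours those overrides and keep them, or add a comment stating why they are no longer needed. The new `lvm2_hash` and `libaio` dependency are fine, but as with the other version bumps a comment on how the hash was checked against upstream would make the pin auditable.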
--- a/modules/util-linux +++ b/modules/util-linux @@ -1,10 +1,10 @@ modules-$(CONFIG_UTIL_LINUX) += util-linux -util-linux_version := 2.29.2 +util-linux_version := 2.39 util-linux_dir := util-linux-$(util-linux_version) util-linux_tar := util-linux-$(util-linux_version).tar.xz -util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.29/$(util-linux_tar) -util-linux_hash := accea4d678209f97f634f40a93b7e9fcad5915d1f4749f6c47bee6bf110fe8e3 +util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.39/$(util-linux_tar) +util-linux_hash := 32b30a336cda903182ed61feb3e9b908b762a5e66fe14e43efb88d37162075cb util-linux_configure := \ $(CROSS_TOOLS) \ diff --git a/patches/cryptsetup2-2.3.3.patch b/patches/cryptsetup2-2.6.1.patch similarity index 72% rename from patches/cryptsetup2-2.3.3.patch rename to patches/cryptsetup2-2.6.1.patch index 8a673ef86..036aa007a 100644 --- a/patches/cryptsetup2-2.3.3.patch +++ b/patches/cryptsetup2-2.6.1.patch @@ -1,7 +1,7 @@ -diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ---- cryptsetup-2.3.3-clean/configure 2020-06-10 14:05:45.784925972 +0200 -+++ cryptsetup-2.3.3/configure 2020-06-10 14:12:03.811651237 +0200 -@@ -10206,7 +10206,7 @@ +diff -u -r cryptsetup-2.4.3-clean/configure cryptsetup-2.4.3/configure +--- cryptsetup-2.4.3-clean/configure 2022-01-13 17:24:34.000000000 +0800 ++++ cryptsetup-2.4.3/configure 2022-01-16 14:08:37.088258763 +0800 +@@ -11056,7 +11056,7 @@ hardcode_automatic=no hardcode_direct=no hardcode_direct_absolute=no @@ -10,7 +10,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator= hardcode_minus_L=no hardcode_shlibpath_var=unsupported -@@ -10290,7 +10290,7 @@ +@@ -11140,7 +11140,7 @@ # are reset later if shared libraries are not supported. Putting them # here allows them to be overridden if necessary. runpath_var=LD_RUN_PATH 
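Review bot: The renamed patches/cryptsetup2-2.6.1.patch now opens with `diff -u -r cryptsetup-2.4.3-clean/configure cryptsetup-2.4.3/configure` headers dated 2022, so the file name says 2.6.1 while its contents say 2.4.3; with the leading directory stripped at apply time this presumably still applies, but the header and hunk offsets should be regenerated against the 2.6.1 tree so they verifiably match the pinned tarball. A short leading comment in the patch describing what it changes in the generated configure script would also help whoever does the next bump.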
@@ -19,7 +19,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure export_dynamic_flag_spec='$wl--export-dynamic' # ancient GNU ld didn't support --whole-archive et. al. if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then -@@ -10336,7 +10336,7 @@ +@@ -11186,7 +11186,7 @@ ;; m68k) archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' @@ -28,7 +28,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_minus_L=yes ;; esac -@@ -10356,7 +10356,7 @@ +@@ -11206,7 +11206,7 @@ cygwin* | mingw* | pw32* | cegcc*) # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, # as there is no search path for DLLs. @@ -37,7 +37,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure export_dynamic_flag_spec='$wl--export-all-symbols' allow_undefined_flag=unsupported always_export_symbols=no -@@ -10386,7 +10386,7 @@ +@@ -11236,7 +11236,7 @@ ;; os2*) @@ -46,7 +46,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_minus_L=yes allow_undefined_flag=unsupported shrext_cmds=.dll -@@ -10416,7 +10416,7 @@ +@@ -11266,7 +11266,7 @@ interix[3-9]*) hardcode_direct=no hardcode_shlibpath_var=no 
@@ -55,7 +55,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure export_dynamic_flag_spec='$wl-E' # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. # Instead, shared libraries are loaded at an image base (0x10000000 by -@@ -10492,7 +10492,7 @@ +@@ -11342,7 +11342,7 @@ xlf* | bgf* | bgxlf* | mpixlf*) # IBM XL Fortran 10.1 on PPC cannot create shared libs itself whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' @@ -64,7 +64,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' if test yes = "$supports_anon_versioning"; then archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ -@@ -10559,7 +10559,7 @@ +@@ -11409,7 +11409,7 @@ # DT_RUNPATH tag from executables and libraries. But doing so # requires that you compile everything twice, which is a pain. if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then @@ -73,7 +73,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' else -@@ -10588,7 +10588,7 @@ +@@ -11438,7 +11438,7 @@ if test no = "$ld_shlibs"; then runpath_var= @@ -82,7 +82,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure export_dynamic_flag_spec= whole_archive_flag_spec= fi -@@ -10706,7 +10706,7 @@ +@@ -11556,7 +11556,7 @@ # path is not listed in the libpath. Setting hardcode_minus_L # to unsupported forces relinking hardcode_minus_L=yes @@ -91,7 +91,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator= fi ;; -@@ -10790,11 +10790,11 @@ +@@ -11642,11 +11642,11 @@ aix_libpath=$lt_cv_aix_libpath_ fi 
@@ -105,7 +105,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure allow_undefined_flag="-z nodefs" archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols" else -@@ -10843,7 +10843,7 @@ +@@ -11697,7 +11697,7 @@ aix_libpath=$lt_cv_aix_libpath_ fi @@ -114,7 +114,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # Warning - without using the other run time loading flags, # -berok will link without error, but may produce a broken library. no_undefined_flag=' $wl-bernotok' -@@ -10883,7 +10883,7 @@ +@@ -11737,7 +11737,7 @@ ;; m68k) archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' @@ -123,25 +123,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_minus_L=yes ;; esac -@@ -10901,7 +10901,7 @@ - case $cc_basename in - cl*) - # Native MSVC -- hardcode_libdir_flag_spec=' ' -+ hardcode_libdir_flag_spec=" " - allow_undefined_flag=unsupported - always_export_symbols=yes - file_list_spec='@' -@@ -10942,7 +10942,7 @@ - ;; - *) - # Assume MSVC wrapper -- hardcode_libdir_flag_spec=' ' -+ hardcode_libdir_flag_spec=" " - allow_undefined_flag=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib -@@ -10993,7 +10993,7 @@ +@@ -11847,7 +11847,7 @@ dgux*) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' 
@@ -150,7 +132,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_shlibpath_var=no ;; -@@ -11003,7 +11003,7 @@ +@@ -11857,7 +11857,7 @@ # extra space). freebsd2.2*) archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' @@ -159,16 +141,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_direct=yes hardcode_shlibpath_var=no ;; -@@ -11019,7 +11019,7 @@ - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. - freebsd* | dragonfly*) - archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' -- hardcode_libdir_flag_spec='-R$libdir' -+ hardcode_libdir_flag_spec=" " - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; -@@ -11030,7 +11030,7 @@ +@@ -11884,7 +11884,7 @@ else archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' fi @@ -177,7 +150,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: hardcode_direct=yes -@@ -11047,7 +11047,7 @@ +@@ -11901,7 +11901,7 @@ archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' fi if test no = "$with_gnu_ld"; then @@ -186,7 +159,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: hardcode_direct=yes hardcode_direct_absolute=yes -@@ -11124,7 +11124,7 @@ +@@ -11979,7 +11979,7 @@ esac fi if test no = "$with_gnu_ld"; then 
@@ -195,7 +168,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: case $host_cpu in -@@ -11183,7 +11183,7 @@ +@@ -12040,7 +12040,7 @@ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' fi archive_cmds_need_lc='no' @@ -204,7 +177,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: inherit_rpath=yes link_all_deplibs=yes -@@ -11205,7 +11205,7 @@ +@@ -12062,7 +12062,7 @@ else archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF fi @@ -213,7 +186,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_direct=yes hardcode_shlibpath_var=no ;; -@@ -11213,7 +11213,7 @@ +@@ -12070,7 +12070,7 @@ newsos6) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_direct=yes @@ -222,7 +195,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: hardcode_shlibpath_var=no ;; -@@ -11229,11 +11229,11 @@ +@@ -12086,11 +12086,11 @@ if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols' @@ -236,7 +209,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure fi else ld_shlibs=no -@@ -11241,7 +11241,7 @@ +@@ -12098,7 +12098,7 @@ ;; os2*) 
@@ -245,7 +218,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_minus_L=yes allow_undefined_flag=unsupported shrext_cmds=.dll -@@ -11277,7 +11277,7 @@ +@@ -12134,7 +12134,7 @@ archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' fi archive_cmds_need_lc='no' @@ -254,7 +227,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: ;; -@@ -11285,7 +11285,7 @@ +@@ -12142,7 +12142,7 @@ if test yes = "$GCC"; then allow_undefined_flag=' $wl-expect_unresolved $wl\*' archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' @@ -263,7 +236,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure else allow_undefined_flag=' -expect_unresolved \*' archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' -@@ -11293,7 +11293,7 @@ +@@ -12150,7 +12150,7 @@ $CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp' # Both c and cxx compiler support -rpath directly @@ -272,7 +245,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure fi archive_cmds_need_lc='no' hardcode_libdir_separator=: -@@ -11322,7 +11322,7 @@ +@@ -12179,7 +12179,7 @@ ;; esac fi 
@@ -281,7 +254,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_shlibpath_var=no case $host_os in solaris2.[0-5] | solaris2.[0-5].*) ;; -@@ -11349,7 +11349,7 @@ +@@ -12206,7 +12206,7 @@ else archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' fi @@ -290,7 +263,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_direct=yes hardcode_minus_L=yes hardcode_shlibpath_var=no -@@ -11419,7 +11419,7 @@ +@@ -12276,7 +12276,7 @@ allow_undefined_flag='$wl-z,nodefs' archive_cmds_need_lc=no hardcode_shlibpath_var=no @@ -299,7 +272,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=':' link_all_deplibs=yes export_dynamic_flag_spec='$wl-Bexport' -@@ -11436,7 +11436,7 @@ +@@ -12293,7 +12293,7 @@ uts4*) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' @@ -308,7 +281,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_shlibpath_var=no ;; -@@ -11804,7 +11804,7 @@ +@@ -12662,7 +12662,7 @@ version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -317,7 +290,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure if test ia64 = "$host_cpu"; then # AIX 5 supports IA64 library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' -@@ -12094,16 +12094,16 @@ +@@ -12952,16 +12952,16 @@ ;; freebsd3.[01]* | freebsdelf3.[01]*) shlibpath_overrides_runpath=yes @@ -337,7 +310,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; esac ;; -@@ -12118,7 +12118,7 @@ +@@ -12976,7 +12976,7 @@ shlibpath_var=LIBRARY_PATH shlibpath_overrides_runpath=no sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' 
@@ -346,7 +319,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; hpux9* | hpux10* | hpux11*) -@@ -12130,7 +12130,7 @@ +@@ -12988,7 +12988,7 @@ case $host_cpu in ia64*) shrext_cmds='.so' @@ -355,7 +328,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure dynamic_linker="$host_os dld.so" shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. -@@ -12146,7 +12146,7 @@ +@@ -13004,7 +13004,7 @@ ;; hppa*64*) shrext_cmds='.sl' @@ -364,7 +337,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure dynamic_linker="$host_os dld.sl" shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. -@@ -12179,7 +12179,7 @@ +@@ -13037,7 +13037,7 @@ dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -373,7 +346,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; irix5* | irix6* | nonstopux*) -@@ -12216,7 +12216,7 @@ +@@ -13074,7 +13074,7 @@ shlibpath_overrides_runpath=no sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" @@ -382,7 +355,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; # No shared lib support for Linux oldld, aout, or coff. -@@ -12237,11 +12237,11 @@ +@@ -13095,11 +13095,11 @@ # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install # before this can be enabled. @@ -396,7 +369,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; # This must be glibc/ELF. -@@ -12292,7 +12292,7 @@ +@@ -13153,7 +13153,7 @@ # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install # before this can be enabled. 
@@ -405,7 +378,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # Ideally, we could use ldconfig to report *all* directores which are # searched for libraries, however this is still not possible. Aside from not -@@ -12322,7 +12322,7 @@ +@@ -13183,7 +13183,7 @@ soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -414,7 +387,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure dynamic_linker='NetBSD ld.elf_so' ;; -@@ -12341,7 +12341,7 @@ +@@ -13202,7 +13202,7 @@ fi shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -423,7 +396,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; newsos6) -@@ -12359,7 +12359,7 @@ +@@ -13220,7 +13220,7 @@ soname_spec='$libname$release$shared_ext$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -432,7 +405,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure dynamic_linker='ldqnx.so' ;; -@@ -12431,7 +12431,7 @@ +@@ -13292,7 +13292,7 @@ soname_spec='$libname$release$shared_ext$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -441,7 +414,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # ldd complains unless libraries are executable postinstall_cmds='chmod +x $lib' ;; -@@ -12488,7 +12488,7 @@ +@@ -13349,7 +13349,7 @@ soname_spec='$libname$release$shared_ext$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -450,7 +423,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure if test yes = "$with_gnu_ld"; then sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' else -@@ -12510,7 +12510,7 @@ +@@ -13371,7 +13371,7 @@ library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no 
@@ -459,7 +432,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; uts4*) -@@ -13610,7 +13610,7 @@ +@@ -14490,7 +14490,7 @@ acl_shlibext="$acl_cv_shlibext" acl_libname_spec="$acl_cv_libname_spec" acl_library_names_spec="$acl_cv_library_names_spec" @@ -468,7 +441,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure acl_hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator" acl_hardcode_direct="$acl_cv_hardcode_direct" acl_hardcode_minus_L="$acl_cv_hardcode_minus_L" -@@ -21296,7 +21296,7 @@ +@@ -22538,7 +22538,7 @@ with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`' allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`' no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`' @@ -477,7 +450,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`' hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`' hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`' -@@ -21327,7 +21327,7 @@ +@@ -22569,7 +22569,7 @@ postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' 
@@ -486,7 +459,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`' configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`' -@@ -22485,7 +22485,7 @@ +@@ -23727,7 +23727,7 @@ finish_eval=$lt_finish_eval # Whether we should hardcode library paths into libraries. @@ -495,7 +468,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # Compile-time system search path for libraries. sys_lib_search_path_spec=$lt_sys_lib_search_path_spec -@@ -22582,7 +22582,7 @@ +@@ -23824,7 +23824,7 @@ # Flag to hardcode \$libdir into a binary during linking. # This must work even if \$libdir does not exist @@ -504,10 +477,10 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # Whether we need a single "-rpath" flag with a separated argument. hardcode_libdir_separator=$lt_hardcode_libdir_separator -diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in ---- cryptsetup-2.3.3-clean/Makefile.in 2020-06-10 14:05:45.781594282 +0200 -+++ cryptsetup-2.3.3/Makefile.in 2020-06-10 14:30:09.512375745 +0200 -@@ -1032,6 +1032,8 @@ +diff -u -r cryptsetup-2.4.3-clean/Makefile.in cryptsetup-2.4.3/Makefile.in +--- cryptsetup-2.4.3-clean/Makefile.in 2022-01-13 17:24:33.000000000 +0800 ++++ cryptsetup-2.4.3/Makefile.in 2022-01-16 14:08:37.096258854 +0800 +@@ -1115,6 +1115,8 @@ @CRYPTSETUP_TRUE@cryptsetup_LDADD = $(LDADD) \ @CRYPTSETUP_TRUE@ libcryptsetup.la \ @CRYPTSETUP_TRUE@ @POPT_LIBS@ \ 
@@ -516,31 +489,218 @@ diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in @CRYPTSETUP_TRUE@ @PWQUALITY_LIBS@ \ @CRYPTSETUP_TRUE@ @PASSWDQC_LIBS@ \ @CRYPTSETUP_TRUE@ @UUID_LIBS@ \ -@@ -1060,6 +1062,9 @@ +@@ -1147,6 +1149,9 @@ @VERITYSETUP_TRUE@veritysetup_LDADD = $(LDADD) \ @VERITYSETUP_TRUE@ libcryptsetup.la \ @VERITYSETUP_TRUE@ @POPT_LIBS@ \ -+@VERITYSETUP_TRUE@ @UUID_LIBS@ \ -+@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \ -+@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \ - @VERITYSETUP_TRUE@ @PWQUALITY_LIBS@ \ - @VERITYSETUP_TRUE@ @PASSWDQC_LIBS@ \ ++@VERITYSETUP_TRUE@ @UUID_LIBS@ \ ++@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \ ++@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \ @VERITYSETUP_TRUE@ @BLKID_LIBS@ -@@ -1093,6 +1093,8 @@ + + @STATIC_TOOLS_TRUE@@VERITYSETUP_TRUE@veritysetup_static_SOURCES = $(veritysetup_SOURCES) +@@ -1177,6 +1182,8 @@ @INTEGRITYSETUP_TRUE@ libcryptsetup.la \ @INTEGRITYSETUP_TRUE@ @POPT_LIBS@ \ @INTEGRITYSETUP_TRUE@ @UUID_LIBS@ \ +@INTEGRITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \ +@INTEGRITYSETUP_TRUE@ @JSON_C_LIBS@ \ @INTEGRITYSETUP_TRUE@ @BLKID_LIBS@ - + @INTEGRITYSETUP_TRUE@@STATIC_TOOLS_TRUE@integritysetup_static_SOURCES = $(integritysetup_SOURCES) -@@ -1122,6 +1122,8 @@ - @REENCRYPT_TRUE@ @POPT_LIBS@ \ - @REENCRYPT_TRUE@ @PWQUALITY_LIBS@ \ - @REENCRYPT_TRUE@ @PASSWDQC_LIBS@ \ -+@REENCRYPT_TRUE@ @DEVMAPPER_LIBS@ \ -+@REENCRYPT_TRUE@ @JSON_C_LIBS@ \ - @REENCRYPT_TRUE@ @UUID_LIBS@ \ - @REENCRYPT_TRUE@ @BLKID_LIBS@ +--- ./configure.orig 2023-11-26 14:22:30.912000000 -0500 ++++ ./configure 2023-11-26 14:26:21.714000000 -0500 +@@ -12336,7 +12336,7 @@ + + case $cc_basename in + tcc*) +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='-rdynamic' + ;; + xlf* | bgf* | bgxlf* | mpixlf*) +@@ -12755,7 +12755,7 @@ + case $cc_basename in + cl* | icl*) + # Native MSVC or ICC +- hardcode_libdir_flag_spec=' ' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag=unsupported + always_export_symbols=yes + 
file_list_spec='@' +@@ -12796,7 +12796,7 @@ + ;; + *) + # Assume MSVC and ICC wrapper +- hardcode_libdir_flag_spec=' ' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib +@@ -12873,7 +12873,7 @@ + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. + freebsd* | dragonfly* | midnightbsd*) + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; +@@ -13052,7 +13052,7 @@ + # Fabrice Bellard et al's Tiny C Compiler + ld_shlibs=yes + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + ;; + esac + ;; +--- ./configure.mod 2023-11-26 14:46:49.779000000 -0500 ++++ ./configure 2023-11-26 14:47:56.962000000 -0500 +@@ -17670,7 +17670,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' +@@ -17958,16 +17958,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -17982,7 +17982,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib 
/boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -17994,7 +17994,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -18010,7 +18010,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -18043,7 +18043,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -18080,7 +18080,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -18101,7 +18101,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -18159,7 +18159,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Ideally, we could use ldconfig to report *all* directores which are + # searched for libraries, however this is still not possible. 
Aside from not +@@ -18189,7 +18189,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -18208,7 +18208,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -18226,7 +18226,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -18298,7 +18298,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -18355,7 +18355,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -18377,7 +18377,7 @@ + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) diff --git a/patches/lvm2-2.03.23.patch b/patches/lvm2-2.03.23.patch new file mode 100644 index 000000000..587e1bb69 --- /dev/null +++ b/patches/lvm2-2.03.23.patch 
@@ -0,0 +1,150 @@ +--- ./lib/mm/memlock.c.orig 2023-11-27 13:52:46.281000000 -0500 ++++ ./lib/mm/memlock.c 2023-11-27 13:56:35.656000000 -0500 +@@ -160,6 +160,7 @@ + + static void _allocate_memory(void) + { ++#if 0 + #if defined(__GLIBC__) && !defined(VALGRIND_POOL) + /* Memory allocation is currently only tested with glibc + * for different C libraries, some other mechanisms might be needed +@@ -233,11 +234,14 @@ + for (i = 0; i < area; ++i) + free(areas[i]); + #endif ++#endif + } + + static void _release_memory(void) + { ++#if 0 + free(_malloc_mem); ++#endif + } + + /* +@@ -313,7 +317,7 @@ + + if (lock == LVM_MLOCK) { + if (mlock((const void*)from, sz) < 0) { +- log_sys_error("mlock", line); ++ //log_sys_error("mlock", line); + return 0; + } + } else { +--- ./libdm/libdm-stats.c.orig 2023-11-27 13:59:40.677000000 -0500 ++++ ./libdm/libdm-stats.c 2023-11-27 14:07:28.655000000 -0500 +@@ -18,7 +18,23 @@ + #include "libdm/misc/dmlib.h" + #include "libdm/misc/kdev_t.h" + ++#if 0 + #include "math.h" /* log10() */ ++#else ++static int ilog10(double x) ++{ ++ int e = 0; ++ ++ while(x > 10) ++ { ++ e++; ++ x = x / 10; ++ } ++ ++ return e; ++} ++#endif ++ + + #include + #include +@@ -556,7 +572,12 @@ + while(entry >= bins) { + value = (double) (entry--)->upper; + /* Use lround to avoid size_t -> double cast warning. */ ++#if 0 + hist_len += 1 + (size_t) lround(log10(value / scale)); ++#else ++ hist_len += 1 + ilog10(value / scale); ++#endif ++ + if (entry != bins) + hist_len++; /* ',' */ + } +@@ -1863,7 +1884,12 @@ + i = dm_bit_get_first(regions); + for (; i >= 0; i = dm_bit_get_next(regions, i)) { + /* length of region_id or range start in characters */ ++#if 0 + id_len = (i) ? 1 + (size_t) log10(i) : 1; ++#else ++ id_len = (i) ? 
1 + ilog10(i) : 1; ++#endif ++ + buflen += id_len; + j = i; + do +@@ -1878,7 +1904,11 @@ + /* handle range */ + if (i != j) { + /* j is always > i, which is always >= 0 */ ++#if 0 + id_len = 1 + (size_t) log10(j); ++#else ++ id_len = 1 + ilog10(j); ++#endif + buflen += id_len + 1; /* range end plus "-" */ + } + buflen++; + +--- ./tools/lvmcmdline.c.orig 2023-11-27 14:12:46.649000000 -0500 ++++ ./tools/lvmcmdline.c 2023-11-27 14:15:47.563000000 -0500 +@@ -3438,7 +3438,7 @@ + static int _check_standard_fds(void) + { + int err = is_valid_fd(STDERR_FILENO); +- ++#if 0 + if (!is_valid_fd(STDIN_FILENO) && + !(stdin = fopen(_PATH_DEVNULL, "r"))) { + if (err) +@@ -3463,7 +3463,7 @@ + strerror(errno)); + return 0; + } +- ++#endif + return 1; + } + +@@ -3644,7 +3644,7 @@ + */ + dm_set_name_mangling_mode(DM_STRING_MANGLING_NONE); + +- if (!(cmd = create_toolcontext(0, NULL, 1, threaded, set_connections, set_filters))) { ++ if (!(cmd = create_toolcontext(0, NULL, 0, threaded, set_connections, set_filters))) { + return_NULL; + } + +--- ./make.tmpl.orig 2023-11-28 13:29:11.744000000 -0500 ++++ ./make.tmpl.in 2023-11-28 13:29:36.716000000 -0500 +@@ -210,7 +210,7 @@ + M_INSTALL_PROGRAM = -m 555 + M_INSTALL_DATA = -m 444 + endif +-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP) ++INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) + INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA) + INSTALL_WDATA = $(INSTALL) -p -m 644 + +--- ./libdm/make.tmpl.orig 2023-11-28 13:29:52.760000000 -0500 ++++ ./libdm/make.tmpl.in 2023-11-28 13:30:22.336000000 -0500 +@@ -173,7 +173,7 @@ + M_INSTALL_PROGRAM = -m 555 + M_INSTALL_DATA = -m 444 + endif +-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP) ++INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) + INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA) + INSTALL_WDATA = $(INSTALL) -p -m 644 + diff --git a/patches/util-linux-2.29.2.patch b/patches/util-linux-2.29.2.patch deleted file mode 100644 index 5a54b26ff..000000000 
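Review bot: The `ilog10()` helper added to libdm-stats.c undercounts exact powers of ten because its loop condition is `x > 10`: ilog10(10) is 0 and ilog10(100) is 1, whereas the `(size_t) log10(i)` it replaces gives 1 and 2, so `id_len` for a region id of 10, 100, 1000 … comes out one character short and `buflen`/`hist_len` shrink with it; if those totals size the output buffer (not visible in this hunk) that is a truncation or overflow on exactly those ids. Changing the condition to `while (x >= 10)` gives floor(log10(x)) for every x ≥ 1 and keeps the two `id_len` sites byte-for-byte equivalent to the original (the `lround` site rounded up above ~3.16×10^k, so the new code is merely tighter there, not shorter). The `#if 0` blocks in memlock.c and lvmcmdline.c and the commented-out `log_sys_error("mlock", line)` carry no explanation; a one-line comment at each, e.g. `/* disabled for this build: glibc-specific malloc preallocation is not available here (confirm) */`, would tell whoever bumps lvm2 next why the hunks exist. With the log call removed an mlock failure is still signalled by the `return 0` but no longer written anywhere, so a caller that ignores that status now fails silently — worth stating in the same comment.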
--- a/patches/util-linux-2.29.2.patch +++ /dev/null 
@@ -1,139 +0,0 @@ ---- ./configure 2017-02-22 07:07:46.595740152 -0500 -+++ ./configure 2023-02-27 13:34:27.068000000 -0500 -@@ -13408,7 +13408,7 @@ - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - if test ia64 = "$host_cpu"; then - # AIX 5 supports IA64 - library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' -@@ -13698,16 +13698,16 @@ - ;; - freebsd3.[01]* | freebsdelf3.[01]*) - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ - freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) - shlibpath_overrides_runpath=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - *) # from 4.6 on, and DragonFly - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - esac - ;; -@@ -13722,7 +13722,7 @@ - shlibpath_var=LIBRARY_PATH - shlibpath_overrides_runpath=no - sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - hpux9* | hpux10* | hpux11*) -@@ -13734,7 +13734,7 @@ - case $host_cpu in - ia64*) - shrext_cmds='.so' -- hardcode_into_libs=yes -+ hardcode_into_libs=no - dynamic_linker="$host_os dld.so" - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. -@@ -13750,7 +13750,7 @@ - ;; - hppa*64*) - shrext_cmds='.sl' -- hardcode_into_libs=yes -+ hardcode_into_libs=no - dynamic_linker="$host_os dld.sl" - shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
-@@ -13783,7 +13783,7 @@ - dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - irix5* | irix6* | nonstopux*) -@@ -13820,7 +13820,7 @@ - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" - sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - # No shared lib support for Linux oldld, aout, or coff. -@@ -13841,7 +13841,7 @@ - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. -- hardcode_into_libs=yes -+ hardcode_into_libs=no - - dynamic_linker='Android linker' - # Don't embed -rpath directories since the linker doesn't support them. -@@ -13896,7 +13896,7 @@ - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. -- hardcode_into_libs=yes -+ hardcode_into_libs=no - - # Add ABI-specific directories to the system library path. 
- sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" -@@ -13936,7 +13936,7 @@ - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - newsos6) -@@ -13954,7 +13954,7 @@ - soname_spec='$libname$release$shared_ext$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - dynamic_linker='ldqnx.so' - ;; - -@@ -14026,7 +14026,7 @@ - soname_spec='$libname$release$shared_ext$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; -@@ -14083,7 +14083,7 @@ - soname_spec='$libname$release$shared_ext$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - if test yes = "$with_gnu_ld"; then - sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' - else -@@ -14105,7 +14105,7 @@ - library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - uts4*) diff --git a/patches/util-linux-2.39.patch b/patches/util-linux-2.39.patch new file mode 100644 index 000000000..e39fcfc58 --- /dev/null +++ b/patches/util-linux-2.39.patch 
@@ -0,0 +1,276 @@ +--- ./configure.orig 2023-05-17 06:53:16.721284360 -0400 ++++ ./configure 2023-11-28 13:57:50.012000000 -0500 +@@ -16580,7 +16580,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' +@@ -16870,16 +16870,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -16894,7 +16894,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -16906,7 +16906,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -16922,7 +16922,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
+@@ -16955,7 +16955,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -16992,7 +16992,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -17013,7 +17013,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -17071,7 +17071,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Add ABI-specific directories to the system library path. 
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" +@@ -17111,7 +17111,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -17129,7 +17129,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -17201,7 +17201,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -17258,7 +17258,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -17280,7 +17280,7 @@ + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -20574,7 +20574,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' +@@ -20862,16 +20862,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- 
hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -20886,7 +20886,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -20898,7 +20898,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -20914,7 +20914,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -20947,7 +20947,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -20984,7 +20984,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -21005,7 +21005,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -21063,7 +21063,7 @@ + # This implies no fast_install, which is unacceptable. 
+ # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Add ABI-specific directories to the system library path. + sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" +@@ -21103,7 +21103,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -21121,7 +21121,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -21193,7 +21193,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -21250,7 +21250,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -21272,7 +21272,7 @@ + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) diff --git a/unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config b/unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config new file mode 100644 index 000000000..1d6233d72 --- /dev/null +++ b/unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config 
@@ -0,0 +1,73 @@
+# Configuration for a x230 with HOTP (Nitrokey/Purism USB Security dongle enabled HOTP support)
+# running Qubes 4.1 and other OSes.
+#
+# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
+# dropbear support(ssh client/server)
+# e1000e (ethernet driver)
+#
+# Addition vs standard x230 board config:
+# HOTP_KEY: HOTP challenge for currently supported USB Security dongles
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.02.01
+export CONFIG_LINUX_VERSION=5.10.5
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-legacy.config
+CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=n
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+CONFIG_SLANG=y
+CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+#CONFIG_CAIRO=y
+#CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=n
+#Ethernet driver (Heads only)
+CONFIG_LINUX_E1000E=n
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad X230-hotp-legacy"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and x230-flash
+# is installed first.
diff --git a/unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config b/unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config
new file mode 100644
index 000000000..ed0e79908
--- /dev/null
+++ b/unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config
@@ -0,0 +1,36 @@
+# Minimal configuration for a x230 to support flashrom and USB
+# This top SPI flash image needed to flash legacy board counterpart internally
+# This image can be flashed through 1vyrain and skulls
+# IDEALLY you should flash maximized top and bottom rom images exteranlly once instead.
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.02.01
+export CONFIG_LINUX_VERSION=5.10.5
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy-flash.config
+CONFIG_LINUX_CONFIG=config/linux-x230-flash.config
+
+#Add bare minimal tools for flashing boards
+CONFIG_BASH=n
+CONFIG_FLASHPROG=y
+CONFIG_ZSTD=n
+#CONFIG_GPG=y
+#CONFIG_FLASHTOOLS=y
+CONFIG_PCIUTILS=y
+#CONFIG_MBEDTLS=y
+#CONFIG_QRENCODE=y
+#CONFIG_TPMTOTP=y
+#CONFIG_DROPBEAR=y
+
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+#CONFIG_LINUX_E1000E=y
+
+export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init
+export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
+
+CONFIG_LEGACY_FLASH=y
+
+BOARD_TARGETS := legacy_flash
diff --git a/unmaintained_boards/x230-legacy/x230-legacy.config b/unmaintained_boards/x230-legacy/x230-legacy.config
new file mode 100644
index 000000000..bdd821218
--- /dev/null
+++ b/unmaintained_boards/x230-legacy/x230-legacy.config
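Review bot: The three new board configs disagree on which coreboot/linux config files they include: x230-hotp-legacy sets `CONFIG_COREBOOT_CONFIG=config/coreboot-x230-legacy.config` and `CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config`, x230-legacy uses the `config/coreboot-UNMAINTAINED_x230-legacy.config` / `config/linux-UNMAINTAINED_x230-legacy.config` pair, and x230-legacy-flash mixes `config/coreboot-UNMAINTAINED_x230-legacy-flash.config` with `config/linux-x230-flash.config`; whichever naming actually exists under `config/` (not visible here), at least one of these boards will fail at build time, so the three should be made to agree. x230-hotp-legacy also sets `CONFIG_LINUX_E1000E=n` twice (under "Additional hardware support" and again under "Ethernet driver (Heads only)"); dropping the second copy keeps the file single-sourced. All three pin `CONFIG_LINUX_VERSION=5.10.5` while the rest of the series moves boards and, per its own description, the kernel patches to 5.10.214; if the 5.10.5 patch directory was moved rather than copied these builds would quietly lose those patches, so either bump them too or add a comment stating that 5.10.5 is intentional for the unmaintained boards. The x230-legacy-flash hunk ends on this same line and the x230-legacy hunk continues onto the next one.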
@@ -0,0 +1,66 @@
+# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
+# dropbear support(ssh client/server)
+# e1000e (ethernet driver)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.02.01
+export CONFIG_LINUX_VERSION=5.10.5
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy.config
+CONFIG_LINUX_CONFIG=config/linux-UNMAINTAINED_x230-legacy.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=n
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=n
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+CONFIG_SLANG=y
+CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+#CONFIG_CAIRO=y
+#CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=n
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad X230-legacy"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and x230-flash
+# is installed first.
From 8caa8cab2ec79af4f70fb9ae2744ce3f85809867 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 17 Aug 2024 10:59:31 -0400 Subject: [PATCH 03/13] WiP: fake cryptsetup reencrypt call for testing local one last time: seems like luks passphrase change only happens on one of the containers; not all Signed-off-by: Thierry Laurion
--- initrd/etc/luks-functions | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions
index b7765a7b0..169c335c5 100644
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@@ -476,11 +476,12 @@ luks_reencrypt() {
 # --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device)
 # --disable-locks disables the lock feature of cryptsetup, which is enabled by default
- if ! DO_WITH_DEBUG cryptsetup reencrypt \
- --perf-no_read_workqueue --perf-no_write_workqueue \
- --resilience=none --force-offline-reencrypt --disable-locks \
- "$luks_container" --key-slot "$DRK_KEYSLOT" \
- --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then
+ #if ! DO_WITH_DEBUG cryptsetup reencrypt \
+ #--perf-no_read_workqueue --perf-no_write_workqueue \
+ #--resilience=none --force-offline-reencrypt --disable-locks \
+ #"$luks_container" --key-slot "$DRK_KEYSLOT" \
+ #--key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then
+ if ! DO_WITH_DEBUG echo "fake cryptsetup reencrypt call"; then
 whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
 "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
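Review bot: The real `cryptsetup reencrypt` invocation is commented out and replaced by `if ! DO_WITH_DEBUG echo "fake cryptsetup reencrypt call"; then`, so luks_reencrypt now always takes the success branch: the container keeps its existing master key and Disk Recovery Key passphrase while the rest of the function (which continues outside this hunk) proceeds as if re-encryption had completed. That silently removes the security property the user asked for, and since every patch in a series is a standalone commit it stays reachable by bisect or cherry-pick even if a later patch restores the call. If a dry-run path is needed for testing, gate it behind an explicit opt-in variable that defaults to off rather than editing the call site, or squash the revert into this commit before it is merged.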
From 664a2210fbf6a2a8e90baf16c7f7d3256ef6251e Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 17 Aug 2024 12:00:43 -0400 Subject: [PATCH 04/13] seal-totp: add missing PCR7 DEBUG call for CBFS measured content, add DEBUG for TOTP secret/qrcode output to console Signed-off-by: Thierry Laurion
--- initrd/bin/seal-totp | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
index 0ef5bcfbe..1fa24fbc0 100755
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@@ -46,6 +46,7 @@ DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modul
 # pcr 6 (drive LUKS header) is not measured at sealing/unsealing of totp
 DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
 # pcr 7 is containing measurements of user injected stuff in cbfs
+DEBUG "Sealing TOTP with actual state of PCR7 (User injected stuff in cbfs)"
 tpmr pcrread -a 7 "$pcrf"
 #Make sure we clear the TPM Owner Password from memory in case it failed to be used to seal TOTP
 tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" ||
@@ -56,5 +57,6 @@ shred -n 10 -z -u "$TOTP_SEALED" 2>/dev/null url="otpauth://totp/$HOST?secret=$secret" secret="" +DEBUG "TOTP secret output on screen (both URL and QR code)" qrenc "$url" echo "$url"
From 33cfca576249ad452edfbbd209932d6c715fbe85 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 17 Aug 2024 12:01:42 -0400 Subject: [PATCH 05/13] luks-functions: fix luks_change_passphrase which was only occuring on first LUKS volume, not all Remove unneeded loop under luks_reencrypt Signed-off-by: Thierry Laurion
--- initrd/etc/luks-functions | 98 ++++++++++++++++----------------- 1 file changed, 41 insertions(+), 57 deletions(-)
diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions
index 169c335c5..0011e0f4f 100644
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@@ -381,7 +381,7 @@ test_luks_current_disk_recovery_key_passphrase() # We export the LUKS volume(s) that was/were validated via passphrase test export LUKS TRACE_FUNC - DEBUG "$LUKS exported to be reused" + DEBUG "LUKS container(s) $PRINTABLE_LUKS exported to be reused" break; fi done @@ -394,11 +394,12 @@ luks_reencrypt() { # then loop on that list of devices that could be opened and reencrypt/change passphrase for all the devices that could be tested opened with that passphrase select_luks_container || return 1 - # Count the number of containers to be reencrypted - num_containers=$(echo "$LUKS" | wc -w) - reencrypted_containers=0 + # Split the $LUKS variable into an array of LUKS containers + luks_containers=($LUKS) + TRACE_FUNC + DEBUG "luks_containers: ${luks_containers[@]}" - while [ $reencrypted_containers -lt $num_containers ]; do + for luks_container in "${luks_containers[@]}"; do if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then #if no external provisioning provides current LUKS Disk Recovery Key passphrase msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s) 
@@ -411,29 +412,22 @@ luks_reencrypt() { echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase fi - # Split the $LUKS variable into an array of LUKS containers - luks_containers=($LUKS) - TRACE_FUNC - DEBUG "luks_containers: $luks_containers" - - # Loop through each LUKS container - for luks_container in "${luks_containers[@]}"; do - DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then - whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 - # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - # Maybe the container was not the right one - TRACE_FUNC - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - luks_secrets_cleanup - unset LUKS - continue - fi - done + + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" 
--msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. + # Maybe the container was not the right one + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue + fi DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key" for luks_container in "${luks_containers[@]}"; do 
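Review bot: The loop variable is shadowed immediately after this hunk: the outer `for luks_container in "${luks_containers[@]}"` introduced in the previous hunk now wraps the inner `for luks_container in "${luks_containers[@]}"; do` that ends this one, so with N containers the key-slot search and the offline `cryptsetup reencrypt` that follow run N×N times and `luks_container` no longer names the outer iteration's device once the inner loop finishes. The commit message says the unneeded loop was removed, but only the `while` counter loop went; either drop the inner `for` (and its `done`, which is in the next hunk) or keep the inner loop and turn the outer one back into a single pass, so each device is reencrypted exactly once. The failure path also reaches `continue` after `luks_secrets_cleanup` and `unset LUKS`, which keeps iterating the stale `luks_containers` array and re-prompts per device; `return 1` is what the cleanup implies. luks_reencrypt's body continues past both ends of this hunk.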
@@ -500,42 +494,35 @@ luks_reencrypt() { #Exporting successfully used passphrase possibly reused by oem-factory-reset export luks_current_Disk_Recovery_Key_passphrase export LUKS - - # Increment the count of reencrypted containers - reencrypted_containers=$((reencrypted_containers + 1)) fi done done } -luks_change_passphrase() { +luks_change_passphrase() +{ TRACE_FUNC select_luks_container || return 1 - # Count the number of containers to be processed - num_containers=$(echo "$LUKS" | wc -w) - changed_containers=0 - # Split the $LUKS variable into an array of LUKS containers - IFS=' ' read -ra luks_containers <<< "$LUKS" + luks_containers=($LUKS) + TRACE_FUNC + DEBUG "luks_containers: ${luks_containers[@]}" + # Loop through each LUKS container for luks_container in "${luks_containers[@]}"; do if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80 - if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" - while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do - read -r luks_new_Disk_Recovery_Key_passphrase - done - fi - - if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" - read -r luks_current_Disk_Recovery_Key_passphrase - fi + echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" + while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do + read -r luks_new_Disk_Recovery_Key_passphrase + done + + echo -e 
"\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" + read -r luks_current_Disk_Recovery_Key_passphrase fi echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase @@ -551,7 +538,7 @@ luks_change_passphrase() { rm -f /boot/kexec_key_devices.txt mount -o remount,ro /boot luks_secrets_cleanup - unset LUKS + unset LUKS continue fi @@ -563,16 +550,13 @@ luks_change_passphrase() { fi echo "Success changing passphrase for $luks_container." - changed_containers=$((changed_containers + 1)) done - if [ $changed_containers -eq $num_containers ]; then - # All containers processed successfully - luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase - export luks_current_Disk_Recovery_Key_passphrase - export luks_new_Disk_Recovery_Key_passphrase - export LUKS - fi + # Export the new passphrase if all containers were processed successfully + luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase + export luks_current_Disk_Recovery_Key_passphrase + export luks_new_Disk_Recovery_Key_passphrase + export LUKS } luks_secrets_cleanup() From d8edb51e630c619411ce813f382163426a8ad7d3 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 17 Aug 2024 12:29:59 -0400 Subject: [PATCH 06/13] luks-functions: move secret placement from /tmp to /tmp/secret to be wiped when going to recovery shell and upon automatic cleanup as all other secret Signed-off-by: Thierry Laurion --- initrd/etc/luks-functions | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index 0011e0f4f..dd1cd432b 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions 
@@ -323,9 +323,9 @@ test_luks_current_disk_recovery_key_passphrase() # if no external provisioning provides current LUKS Disk Recovery Key passphrase echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase else - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase fi # test all LUKS containers on same block device as returned by select_luks_container @@ -334,7 +334,7 @@ test_luks_current_disk_recovery_key_passphrase() # Loop on all LUKS containers on same block device for luks_container in $LUKS; do DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase + DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase # Validate past cryptsetup reencrypt attempts if [ $? -ne 0 ]; then # if we have more than one LUKS container and passphrase test unsuccessful, tell user how to change passphrase 
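Review bot: The redirects now target `/tmp/secret/`, but nothing in the hunk ensures the directory exists; if it is missing at this point the `echo -n ... >` fails quietly, the later `--key-file /tmp/secret/...` reads nothing, and the user is told the passphrase is wrong. If init does not guarantee the directory, add `mkdir -p /tmp/secret` (or `[ -d /tmp/secret ] || die "..."`) before the first write. Separately, bash's `echo -n "$luks_current_Disk_Recovery_Key_passphrase"` mangles a passphrase that is exactly `-e`, `-E` or `-n`; `printf '%s' "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/...` writes the bytes as typed. test_luks_current_disk_recovery_key_passphrase starts before this hunk.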
@@ -407,14 +407,14 @@ luks_reencrypt() { --msgbox "$msg" 0 80 echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" read -r luks_current_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase else - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase fi DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. 
@@ -435,7 +435,7 @@ luks_reencrypt() { DRK_KEYSLOT=-1 DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." for i in $(seq 0 31); do - if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then DRK_KEYSLOT=$i DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop" break @@ -474,7 +474,7 @@ luks_reencrypt() { #--perf-no_read_workqueue --perf-no_write_workqueue \ #--resilience=none --force-offline-reencrypt --disable-locks \ #"$luks_container" --key-slot "$DRK_KEYSLOT" \ - #--key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then + #--key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then if ! DO_WITH_DEBUG echo "fake cryptsetup reencrypt call"; then whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 
@@ -525,11 +525,11 @@ luks_change_passphrase() read -r luks_current_Disk_Recovery_Key_passphrase fi - echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase - echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase + echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_new_Disk_Recovery_Key_passphrase DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 TRACE_FUNC @@ -543,7 +543,7 @@ luks_change_passphrase() fi echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." - if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase; then + if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/secret/luks_current_Disk_Recovery_Key_passphrase /tmp/secret/luks_new_Disk_Recovery_Key_passphrase; then whiptail --title 'Failed to change LUKS passphrase' --msgbox \ "Failed to change the passphrase for $luks_container.\nPlease try again." 0 80 continue 
@@ -564,8 +564,8 @@ luks_secrets_cleanup() TRACE_FUNC #Cleanup - shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true - shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true + shred -n 10 -z -u /tmp/secret/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true + shred -n 10 -z -u /tmp/secret/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true #Unset variables (when in same boot) unset luks_current_Disk_Recovery_Key_passphrase From 05d4d87426c796992b4ea3c47e1cc8a3b3f926fc Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 17 Aug 2024 12:36:56 -0400 Subject: [PATCH 07/13] luks-functions: wording fixes Signed-off-by: Thierry Laurion Signed-off-by: Thierry Laurion --- initrd/etc/luks-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index dd1cd432b..0510071d9 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions @@ -344,7 +344,7 @@ test_luks_current_disk_recovery_key_passphrase() #whiptail_error --title 'error' --msgbox 'error' 0 80 #Neither work today. Not related to this PR... Using whiptail without coloring. - msg=$(echo -e "All $PRINTABLE_LUKS must unlock with the same Disk Recovery Key passphrase for the current operation to succeed.\n\nTo change individual LUKS container passphrase, do so from 'Options-> Change LUKS Disk Recovery Key passphrase'\n\nThen retry this operation." | fold -w 70 -s) + msg=$(echo -e "All $PRINTABLE_LUKS LUKS containers must be unlockable by a shared Disk Recovery Key (DRK) passphrase for the current operation to succeed.\n\nTo change individual LUKS container DRK passphrase, do so from 'Options-> Change LUKS Disk Recovery Key passphrase'\n\nThen retry this operation." | fold -w 70 -s) whiptail --title "$luks_container"': Wrong current LUKS Disk Recovery Key passphrase?' \ --msgbox "$msg" 0 80 From b3d6c906892e4b4e32166ebf9b89dafd936a374e Mon Sep 17 00:00:00 2001 
From: Thierry Laurion Date: Sat, 17 Aug 2024 13:06:11 -0400 Subject: [PATCH 08/13] Revert+adapt "WiP: fake cryptsetup reencrypt call for testing local one last time: seems like luks passphrase change only happens on one of the containers; not all" This reverts commit 20e9392b97c9ed42b85ae930a163131997640a44. To test this PR without reencryption, just 'git revert' this commit Signed-off-by: Thierry Laurion --- initrd/etc/luks-functions | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index 0510071d9..6f95a1c23 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions @@ -470,12 +470,11 @@ luks_reencrypt() { # --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device) # --disable-locks disables the lock feature of cryptsetup, which is enabled by default - #if ! DO_WITH_DEBUG cryptsetup reencrypt \ - #--perf-no_read_workqueue --perf-no_write_workqueue \ - #--resilience=none --force-offline-reencrypt --disable-locks \ - #"$luks_container" --key-slot "$DRK_KEYSLOT" \ - #--key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then - if ! DO_WITH_DEBUG echo "fake cryptsetup reencrypt call"; then + if ! DO_WITH_DEBUG cryptsetup reencrypt \ + --perf-no_read_workqueue --perf-no_write_workqueue \ + --resilience=none --force-offline-reencrypt --disable-locks \ + "$luks_container" --key-slot "$DRK_KEYSLOT" \ + --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 From 2336e81da4a7edd813dd1302a4e85ad09ab8c6cd Mon Sep 17 00:00:00 2001 
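Review bot: The restored `--key-file /tmp/luks_current_Disk_Recovery_Key_passphrase` points at the pre-patch-06 location; after patch 06 the passphrase is only ever written under `/tmp/secret/`, so at this commit `cryptsetup reencrypt` fails on a missing key file and the user is shown the misleading "Wrong current LUKS Disk Recovery Key passphrase?" dialog. Patch 11 corrects the path later, but the series is not bisectable in between; fold that fix into this revert as `--key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then`. The option comments above the hunk explain `--force-offline-reencrypt` and `--disable-locks` but not `--resilience=none`; if that flag drops cryptsetup's crash-recovery data as its manual suggests, a sentence on what a power loss mid-reencryption means for the container would be worth adding there. luks_reencrypt's body continues past both ends of this hunk.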
From: Thierry Laurion Date: Tue, 22 Oct 2024 14:45:20 -0400 Subject: [PATCH 09/13] optiplex boards: bumper kernel from 5.10.5 to 5.10.214. No config file changes Signed-off-by: Thierry Laurion --- .../optiplex-7010_9010-hotp-maximized.config | 2 +- .../optiplex-7010_9010-maximized.config | 2 +- .../optiplex-7010_9010_TXT-hotp-maximized.config | 2 +- .../optiplex-7010_9010_TXT-maximized.config | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config b/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config index 19f83c076..d837daa26 100644 --- a/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config +++ b/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config @@ -8,7 +8,7 @@ # - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config b/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config index 7b5e6e71f..0b286522b 100644 --- a/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config +++ b/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config 
@@ -8,7 +8,7 @@ # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config b/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config index 194475e04..a5597efdb 100644 --- a/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config +++ b/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config @@ -8,7 +8,7 @@ # - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config diff --git a/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config b/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config index 2e62094e2..1880e0e09 100644 --- a/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config +++ b/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config 
@@ -8,7 +8,7 @@ # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 +export CONFIG_LINUX_VERSION=5.10.214 CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config From 1d5137fc129f8f53e62211c215e233973889dc9b Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 22 Oct 2024 15:29:26 -0400 Subject: [PATCH 10/13] GUI scripts: add whiptail_error and whiptail_warning since https://github.com/linuxboot/heads/pull/1787 fixed the issue Signed-off-by: Thierry Laurion --- initrd/etc/gui_functions | 3 --- initrd/etc/luks-functions | 20 +++++++------------- initrd/init | 2 -- 3 files changed, 7 insertions(+), 18 deletions(-) diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions index e4b7ed4d5..38958b1ab 100755 --- a/initrd/etc/gui_functions +++ b/initrd/etc/gui_functions @@ -37,7 +37,6 @@ mount_usb() # -- Display related functions -- # Produce a whiptail prompt with 'warning' background, works for fbwhiptail and newt whiptail_warning() { - #TODO: Cannot be called as is under luks_functions with string expension in title: why? if [ -x /bin/fbwhiptail ]; then whiptail $BG_COLOR_WARNING "$@" else @@ -47,7 +46,6 @@ whiptail_warning() { # Produce a whiptail prompt with 'error' background, works for fbwhiptail and newt whiptail_error() { - #TODO: Cannot be called as is under luks_functions with string expension in title: why? if [ -x /bin/fbwhiptail ]; then whiptail $BG_COLOR_ERROR "$@" else @@ -57,7 +55,6 @@ whiptail_error() { # Produce a whiptail prompt of the given type - 'error', 'warning', or 'normal' whiptail_type() { - TRACE_FUNC local TYPE="$1" shift case "$TYPE" in diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index 6f95a1c23..94789a950 100644 --- a/initrd/etc/luks-functions 
+++ b/initrd/etc/luks-functions @@ -339,13 +339,8 @@ test_luks_current_disk_recovery_key_passphrase() if [ $? -ne 0 ]; then # if we have more than one LUKS container and passphrase test unsuccessful, tell user how to change passphrase if [ $(echo $LUKS | wc -w) -gt 1 ]; then - #TODO remove this once whiptail_error whiptail_warning can take titles with double quotes - #whiptail_warning --title 'tes' --msgbox 'test' 0 80 - #whiptail_error --title 'error' --msgbox 'error' 0 80 - #Neither work today. Not related to this PR... Using whiptail without coloring. - msg=$(echo -e "All $PRINTABLE_LUKS LUKS containers must be unlockable by a shared Disk Recovery Key (DRK) passphrase for the current operation to succeed.\n\nTo change individual LUKS container DRK passphrase, do so from 'Options-> Change LUKS Disk Recovery Key passphrase'\n\nThen retry this operation." | fold -w 70 -s) - whiptail --title "$luks_container"': Wrong current LUKS Disk Recovery Key passphrase?' \ + whiptail_error --title "$luks_container"': Wrong current LUKS Disk Recovery Key passphrase?' \ --msgbox "$msg" 0 80 TRACE_FUNC @@ -354,7 +349,7 @@ test_luks_current_disk_recovery_key_passphrase() # We exited to caller, LUKS still set. TODO: problem? Should we call all cleaning functions on die? fi - whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 TRACE_FUNC 
@@ -411,11 +406,10 @@ luks_reencrypt() { else echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase fi - DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then - whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. # Maybe the container was not the right one @@ -444,7 +438,7 @@ luks_reencrypt() { # Validate if a key slot was found if [ $DRK_KEYSLOT -eq -1 ]; then - whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. # Maybe the container was not the right one 
@@ -475,7 +469,7 @@ luks_reencrypt() { --resilience=none --force-offline-reencrypt --disable-locks \ "$luks_container" --key-slot "$DRK_KEYSLOT" \ --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then - whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 TRACE_FUNC @@ -529,7 +523,7 @@ luks_change_passphrase() DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then - whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 TRACE_FUNC detect_boot_device 
@@ -543,7 +537,7 @@ luks_change_passphrase() echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/secret/luks_current_Disk_Recovery_Key_passphrase /tmp/secret/luks_new_Disk_Recovery_Key_passphrase; then - whiptail --title 'Failed to change LUKS passphrase' --msgbox \ + whiptail_error --title 'Failed to change LUKS passphrase' --msgbox \ "Failed to change the passphrase for $luks_container.\nPlease try again." 0 80 continue fi diff --git a/initrd/init b/initrd/init index 847f9e2a9..55a894a79 100755 --- a/initrd/init +++ b/initrd/init @@ -103,12 +103,10 @@ fi #Specify whiptail background colors cues under FBWhiptail only if [ -x /bin/fbwhiptail ]; then - DEBUG "fbwhiptail BG_COLOR_* exported" export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}" export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}" export BG_COLOR_MAIN_MENU="normal" else - DEBUG "whiptail TEXT_BG_COLOR_* exported" export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}" export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}" export BG_COLOR_MAIN_MENU="normal" From e430e9546a2f2563182fedb326f972a0abd031ba Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 22 Oct 2024 17:02:18 -0400 Subject: [PATCH 11/13] initrd/etc/luks-functions: fix path to wrong luks key for reencrypt call Signed-off-by: Thierry Laurion --- initrd/etc/luks-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index 94789a950..de5f41c5a 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions 
@@ -468,7 +468,7 @@ luks_reencrypt() { --perf-no_read_workqueue --perf-no_write_workqueue \ --resilience=none --force-offline-reencrypt --disable-locks \ "$luks_container" --key-slot "$DRK_KEYSLOT" \ - --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then + --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 From 2992ec231c1196b1526344256dadea5858248cce Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 22 Oct 2024 17:42:47 -0400 Subject: [PATCH 12/13] luks-functions: detect non-usb LUKS partitions that can be unlocked with prompted DRK then ask user to confirm that those are all ok to reencryt/change passphrase onto (oem factory reset/manual, whatever) - cache/reuse that passphrase, used afterward to find which LUKS keyslot contains the DRK, which is used to direct reencryption, also reused for passphrase change. - refactoring detection + testing of prompted LUKS passphrase for discovered LUKS containers that can be unlocked with same passphrase to prompt user for selection TODO: remove duplicate luks passphrase unlocking volumes functions for the moment Signed-off-by: Thierry Laurion --- initrd/etc/luks-functions | 428 ++++++++++++++++++++------------------ 1 file changed, 226 insertions(+), 202 deletions(-) diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index de5f41c5a..a69023302 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions 
@@ -1,20 +1,110 @@ #!/bin/bash -# LUKS related functions +# This script contains various functions related to LUKS (Linux Unified Key Setup) encryption management. . /etc/functions . /etc/gui_functions . /tmp/config -#List all LUKS devices on the system -list_luks_devices() { +# List all LUKS devices on the system that are not USB +list_local_luks_devices() { TRACE_FUNC - #generate a list of devices to choose from that contain a LUKS header lvm vgscan || true - blkid | cut -d ':' -f 1 | while read device; do - if cryptsetup isLuks $device; then echo $device; fi + blkid | cut -d ':' -f 1 | while read -r device; do + DEBUG "Checking device: $device" + if cryptsetup isLuks "$device"; then + DEBUG "Device $device is a LUKS device" + dev_name=$(basename "$device") + parent_dev_name=$(echo "$dev_name" | sed 's/[0-9]*$//') + if [ -e "/sys/block/$parent_dev_name" ]; then + DEBUG "Device $device exists in /sys/block" + if ! stat -c %N "/sys/block/$parent_dev_name" 2>/dev/null | grep -q "usb"; then + DEBUG "Device $device is not a USB device" + echo "$device" + else + DEBUG "Device $device is a USB device, skipping" + fi + else + DEBUG "Device $device does not exist in /sys/block, skipping" + fi + else + DEBUG "Device $device is not a LUKS device" + fi done | sort } +# Prompt for LUKS Disk Recovery Key passphrase +prompt_luks_passphrase() { + TRACE_FUNC + while [[ ${#luks_current_Disk_Recovery_Key_passphrase} -lt 8 ]]; do + echo -e "\nEnter the LUKS Disk Recovery Key passphrase (At least 8 characters long):" + read -r luks_current_Disk_Recovery_Key_passphrase + if [[ ${#luks_current_Disk_Recovery_Key_passphrase} -lt 8 ]]; then + echo -e "\nPassphrase must be at least 8 characters long. Please try again." 
+ unset luks_current_Disk_Recovery_Key_passphrase + continue + fi + done + echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase +} + +# Test LUKS passphrase against all found LUKS containers that are not USB +test_luks_passphrase() { + TRACE_FUNC + + list_local_luks_devices >/tmp/luks_devices.txt + if [ ! -s /tmp/luks_devices.txt ]; then + warn "No LUKS devices found" + return 1 + fi + + valid_luks_devices=() + while read -r luks_device; do + DEBUG "Testing passphrase on $luks_device" + if cryptsetup open --test-passphrase "$luks_device" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then + DEBUG "Passphrase valid for $luks_device" + valid_luks_devices+=("$luks_device") + else + DEBUG "Passphrase test failed on $luks_device" + fi + done /tmp/luks_container_size_percent + echo "10" >/tmp/luks_container_size_percent elif [ "$option_index" = "2" ]; then - echo "25" > /tmp/luks_container_size_percent + echo "25" >/tmp/luks_container_size_percent elif [ "$option_index" = "3" ]; then - echo "50" > /tmp/luks_container_size_percent + echo "50" >/tmp/luks_container_size_percent elif [ "$option_index" = "4" ]; then - echo "75" > /tmp/luks_container_size_percent + echo "75" >/tmp/luks_container_size_percent else die "Error selecting LUKS container size percentage of device" fi 
@@ -55,20 +145,19 @@ select_luks_container_size_percent() { # Partition a device interactively with two partitions: a LUKS container # containing private ext4 partition and second public exFAT partition # Size provisioning is done by percentage of the device -interactive_prepare_thumb_drive() -{ +interactive_prepare_thumb_drive() { TRACE_FUNC #Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning #If no passphrase was provided, ask user to select passphrase for LUKS container # if no device provided as parameter, we will ask user to select device to partition # if no percentage provided as parameter, we will default to 10% of device to use for LUKS container # we will validate parameters and not make them positional and print a usage function first - + #Set defaults - DEVICE="" #Will list all usb storage devices if not provided as parameter + DEVICE="" #Will list all usb storage devices if not provided as parameter PERCENTAGE="10" #default to 10% of device to use for LUKS container (requires a LUKS partition bigger then 32mb!) - PASSPHRASE="" #Will prompt user for passphrase if not provided as parameter - + PASSPHRASE="" #Will prompt user for passphrase if not provided as parameter + #Parse parameters while [ $# -gt 0 ]; do case "$1" in 
@@ -101,29 +190,30 @@ interactive_prepare_thumb_drive() #If no passphrase was provided, ask user to select passphrase for LUKS container #console based no whiptail while [[ ${#PASSPHRASE} -lt 8 ]]; do - { - echo -e "\nEnter passphrase for LUKS container (At least 8 characters long):" - #hide passphrase input from read command - read -r -s PASSPHRASE - #skip confirmation if passphrase is less then 8 characters long (continue) - if [[ ${#PASSPHRASE} -lt 8 ]]; then - echo -e "\nPassphrase must be at least 8 characters long. Please try again." - unset PASSPHRASE - continue - fi - #validate passphrase and ask user to re-enter if not at least 8 characters long - #confirm passphrase - echo -e "\nConfirm passphrase for LUKS container:" - #hide passphrase input from read command - read -r -s PASSPHRASE_CONFIRM - #compare passphrase and passphrase confirmation - if [ "$PASSPHRASE" != "$PASSPHRASE_CONFIRM" ]; then - echo -e "\nPassphrases do not match. Please try again." - unset PASSPHRASE - unset PASSPHRASE_CONFIRM - fi + { + echo -e "\nEnter passphrase for LUKS container (At least 8 characters long):" + #hide passphrase input from read command + read -r -s PASSPHRASE + #skip confirmation if passphrase is less then 8 characters long (continue) + if [[ ${#PASSPHRASE} -lt 8 ]]; then + echo -e "\nPassphrase must be at least 8 characters long. Please try again." + unset PASSPHRASE + continue + fi + #validate passphrase and ask user to re-enter if not at least 8 characters long + #confirm passphrase + echo -e "\nConfirm passphrase for LUKS container:" + #hide passphrase input from read command + read -r -s PASSPHRASE_CONFIRM + #compare passphrase and passphrase confirmation + if [ "$PASSPHRASE" != "$PASSPHRASE_CONFIRM" ]; then + echo -e "\nPassphrases do not match. Please try again." + unset PASSPHRASE + unset PASSPHRASE_CONFIRM + fi - };done + } + done fi #If no device was provided, ask user to select device to partition 
@@ -131,8 +221,8 @@ interactive_prepare_thumb_drive() #warn user to disconnect all external drives if [ -x /bin/whiptail ]; then whiptail_warning --title "WARNING: Disconnect all external drives" --msgbox \ - "WARNING: Please disconnect all external drives before proceeding.\n\nHit Enter to continue." 0 80 \ - || die "User cancelled wiping and repartitioning of $DEVICE" + "WARNING: Please disconnect all external drives before proceeding.\n\nHit Enter to continue." 0 80 || + die "User cancelled wiping and repartitioning of $DEVICE" else echo -e -n "Warning: Please disconnect all external drives before proceeding.\n\nHit Enter to continue?" read -r -p " [Y/n] " response @@ -150,7 +240,7 @@ interactive_prepare_thumb_drive() enable_usb_storage #list all usb storage devices - list_usb_storage disks > /tmp/devices.txt + list_usb_storage disks >/tmp/devices.txt if [ $(cat /tmp/devices.txt | wc -l) -gt 0 ]; then file_selector "/tmp/devices.txt" "Select device to partition" if [ "$FILE" == "" ]; then @@ -187,8 +277,7 @@ interactive_prepare_thumb_drive() # parameters: # $1 - block device of flash drive # $2 - percent of device allocated to LUKS [1-99] -confirm_thumb_drive_format() -{ +confirm_thumb_drive_format() { TRACE_FUNC local DEVICE LUKS_PERCENTAGE DISK_SIZE_BYTES DISK_SIZE_DISPLAY LUKS_PERCENTAGE LUKS_SIZE_MB MSG @@ -229,8 +318,7 @@ confirm_thumb_drive_format() # $1 - block device of flash drive # $2 - percentage of flash drive to allocate to LUKS [1-99] # $3 - passphrase for LUKS container -prepare_thumb_drive() -{ +prepare_thumb_drive() { TRACE_FUNC local DEVICE PERCENTAGE PASSPHRASE DISK_SIZE_BYTES PERCENTAGE_MB 
@@ -266,61 +354,28 @@ prepare_thumb_drive() echo "Done." } -select_luks_container() -{ - #TODO: extend logic to prompt for block devices with model if multiple LUKS are found on block device instead of partitions - # Then feed luks with those partitions so that reencrypt and passphrase change can use passphrase to test all selected +# Select LUKS container +select_luks_container() { TRACE_FUNC if [ -s /boot/kexec_key_devices.txt ]; then DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt" - LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) + LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) DEBUG "LUKS container device: $(echo $LUKS)" - # LUKS variable not exported yet, prompt for LUKS device elif [ -z "$LUKS" ]; then - list_luks_devices > /tmp/luks_devices.txt - #if /tmp/luks_devices.txt exists and is not empty - if [ -s /tmp/luks_devices.txt ]; then - file_selector "/tmp/luks_devices.txt" "Select LUKS container device" - if [ "$FILE" == "" ]; then - return 1 - else - #TODO: What about BRTFS multi LUKS setup of QubesOS? 
- # if multiple LUKS containers are found on same block device - # select all of the luks containers on same block device instead of just one - # note that block devices for example under /dev/sda will be /dev/sda1, /dev/sda2, etc - # so we need to select all of the partitions on the same block device from /tmp/luks_devices.txt - # and then export them to LUKS variable - # then reencrypt and passphrase change functions will loop on all of the LUKS containers - # and test passphrase on all of them - if grep -q "$(echo $FILE | sed 's/[0-9]*$//')" /tmp/luks_devices.txt; then - DEBUG "Multiple LUKS containers found on same block device, selecting them all" - LUKS=$(grep $(echo $FILE | sed 's/[0-9]*$//') /tmp/luks_devices.txt) - else - DEBUG "Single LUKS container found on block device, assigning to LUKS variable" - LUKS=$FILE - fi - fi - else - warn "No encrypted device found" - return 1 + main_luks_selection fi fi } -test_luks_current_disk_recovery_key_passphrase() -{ - #TODO: reuse/generalize usage of this function. Tests for LUKS are still done 4 times independently of this helper +# Test LUKS current disk recovery key passphrase +test_luks_current_disk_recovery_key_passphrase() { TRACE_FUNC while :; do select_luks_container || return 1 - # LUKS contains multiline string of LUKS containers on same block device - # transform it into words of a same string separated by space PRINTABLE_LUKS=$(echo $LUKS) - TRACE_FUNC if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - # if no external provisioning provides current LUKS Disk Recovery Key passphrase echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase 
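Review bot: The new body of select_luks_container closes with two `fi` for a single `if`/`elif` (`main_luks_selection`, `fi`, `fi`, `}`), which is a bash syntax error, so /etc/luks-functions cannot be sourced at all once this commit is applied; the final commit on this page removes the stray `fi`, but it should not land broken here. In test_luks_current_disk_recovery_key_passphrase the Disk Recovery Key is still read with `read -r luks_current_Disk_Recovery_Key_passphrase`, which echoes the passphrase to the console (and to any serial log capturing it), whereas the reencrypt prompt added in this same commit uses `read -r -s`; make it `read -r -s luks_current_Disk_Recovery_Key_passphrase`. The same unsilenced `read -r` is used in prompt_luks_passphrase in this commit's first hunk and in both prompts of the rewritten luks_change_passphrase. test_luks_current_disk_recovery_key_passphrase continues outside the hunk.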
@@ -328,91 +383,62 @@ test_luks_current_disk_recovery_key_passphrase() echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase fi - # test all LUKS containers on same block device as returned by select_luks_container echo -e "\n$PRINTABLE_LUKS: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - # Loop on all LUKS containers on same block device for luks_container in $LUKS; do DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase - # Validate past cryptsetup reencrypt attempts - if [ $? -ne 0 ]; then - # if we have more than one LUKS container and passphrase test unsuccessful, tell user how to change passphrase - if [ $(echo $LUKS | wc -w) -gt 1 ]; then - msg=$(echo -e "All $PRINTABLE_LUKS LUKS containers must be unlockable by a shared Disk Recovery Key (DRK) passphrase for the current operation to succeed.\n\nTo change individual LUKS container DRK passphrase, do so from 'Options-> Change LUKS Disk Recovery Key passphrase'\n\nThen retry this operation." | fold -w 70 -s) - whiptail_error --title "$luks_container"': Wrong current LUKS Disk Recovery Key passphrase?' \ - --msgbox "$msg" 0 80 - - TRACE_FUNC - luks_secrets_cleanup - die "$PRINTABLE_LUKS individual containers NEED to share the same Disk Recovery Key passphrase" - # We exited to caller, LUKS still set. TODO: problem? Should we call all cleaning functions on die? - fi - + if ! cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" 
--msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 - TRACE_FUNC - + "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 detect_boot_device mount -o remount,rw /boot rm -f /boot/kexec_key_devices.txt mount -o remount,ro /boot luks_secrets_cleanup - # remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - # maybe the container was not the right one unset LUKS else - # LuksOpen test was successful. Cleanup should be called only when done - # Exporting successfully used passphrase possibly reused by oem-factory-reset echo "$luks_container: unlocking LUKS container with current Disk Recovery Key passphrase successful" - - # Exporting successfully used passphrase possibly reused by oem-factory-reset export luks_current_Disk_Recovery_Key_passphrase fi done - # exit while loop if LUKS variable is not empty if [ -n "$LUKS" ]; then - # We export the LUKS volume(s) that was/were validated via passphrase test export LUKS TRACE_FUNC DEBUG "LUKS container(s) $PRINTABLE_LUKS exported to be reused" - break; + break fi done } +# Function to re-encrypt LUKS partitions luks_reencrypt() { TRACE_FUNC - #TODO: REFACTOR This and luks passphrase change function needs to loop on same drive discovered luks containers so that reencrypt/passwd change is done on all luks containers of same drive - # Ideal would be to list luks devices and then try keep and append LUKS devices to a list of devices to reencrypt or change passphrase - # then loop on that list of devices that could be opened and reencrypt/change 
passphrase for all the devices that could be tested opened with that passphrase - select_luks_container || return 1 + test_luks_current_disk_recovery_key_passphrase || return 1 - # Split the $LUKS variable into an array of LUKS containers luks_containers=($LUKS) TRACE_FUNC DEBUG "luks_containers: ${luks_containers[@]}" for luks_container in "${luks_containers[@]}"; do if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - #if no external provisioning provides current LUKS Disk Recovery Key passphrase - msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s) - whiptail --title 'Reencrypt LUKS encrypted container ?' 
\ - --msgbox "$msg" 0 80 - echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" - read -r luks_current_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase + if [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then + luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase) + else + msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s) + whiptail --title 'Reencrypt LUKS encrypted container ?' --msgbox "$msg" 0 80 + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" + read -r -s luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase + fi else - echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase fi - + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + if ! 
DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 - # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - # Maybe the container was not the right one + "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 TRACE_FUNC detect_boot_device mount -o remount,rw /boot 
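Review bot: In the rewritten test loop of test_luks_current_disk_recovery_key_passphrase, a failed `cryptsetup open --test-passphrase` runs luks_secrets_cleanup and `unset LUKS` but does not leave the `for luks_container in $LUKS` loop, so the remaining containers of the already-expanded list are still tested against a passphrase that cleanup has just cleared (and, presumably, whose key file it removed), producing one extra "Wrong current LUKS Disk Recovery Key passphrase?" dialog per remaining container before the outer `while` re-prompts. Add `break` after `unset LUKS` in that branch; since luks_secrets_cleanup as amended at the end of this commit now unsets LUKS itself, the explicit `unset LUKS` here becomes redundant. This call also drops the `DO_WITH_DEBUG` wrapper that the equivalent test in luks_reencrypt keeps, so the two paths no longer log the same way. The function's body begins before this hunk.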
@@ -422,26 +448,25 @@ luks_reencrypt() { unset LUKS continue fi - + DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key" for luks_container in "${luks_containers[@]}"; do - # First obtain which luks1/luks2 key-slot can be unlocked with the key-file DRK_KEYSLOT=-1 DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." for i in $(seq 0 31); do - if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + DEBUG "Testing key slot $i on $luks_container" + if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then DRK_KEYSLOT=$i DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop" break + else + DEBUG "Key slot $i on $luks_container cannot be unlocked with the current passphrase" fi done - # Validate if a key slot was found if [ $DRK_KEYSLOT -eq -1 ]; then whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 - # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - # Maybe the container was not the right one + "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 
0 80 TRACE_FUNC detect_boot_device mount -o remount,rw /boot @@ -465,13 +490,12 @@ luks_reencrypt() { # --disable-locks disables the lock feature of cryptsetup, which is enabled by default if ! DO_WITH_DEBUG cryptsetup reencrypt \ - --perf-no_read_workqueue --perf-no_write_workqueue \ - --resilience=none --force-offline-reencrypt --disable-locks \ - "$luks_container" --key-slot "$DRK_KEYSLOT" \ - --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then + --perf-no_read_workqueue --perf-no_write_workqueue \ + --resilience=none --force-offline-reencrypt --disable-locks \ + "$luks_container" --key-slot "$DRK_KEYSLOT" \ + --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 - + "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 TRACE_FUNC #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. 
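Review bot: The rewritten key-slot probe still passes `$luks_container` and `$i` unquoted to cryptsetup while every other cryptsetup call in luks_reencrypt quotes `"$luks_container"`; for consistency (and ShellCheck SC2086) use `if DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-slot "$i" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then`. The new `else` DEBUG line fires for every slot preceding the matching one (up to 31 times per container) and adds nothing over the existing "Found key-slot" DEBUG after the match, so it could be dropped. luks_reencrypt continues outside the hunk.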
@@ -492,68 +516,70 @@ luks_reencrypt() { done } -luks_change_passphrase() -{ - TRACE_FUNC - - select_luks_container || return 1 +# Function to change LUKS passphrase +luks_change_passphrase() { + TRACE_FUNC + test_luks_current_disk_recovery_key_passphrase || return 1 - # Split the $LUKS variable into an array of LUKS containers luks_containers=($LUKS) TRACE_FUNC DEBUG "luks_containers: ${luks_containers[@]}" - # Loop through each LUKS container - for luks_container in "${luks_containers[@]}"; do - if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then - whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ - "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80 - - echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" - while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do - read -r luks_new_Disk_Recovery_Key_passphrase - done - - echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" - read -r luks_current_Disk_Recovery_Key_passphrase - fi - - echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase - echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_new_Disk_Recovery_Key_passphrase - - DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then - whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" 
--msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 - TRACE_FUNC - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - luks_secrets_cleanup - unset LUKS - continue - fi - - echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." - if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/secret/luks_current_Disk_Recovery_Key_passphrase /tmp/secret/luks_new_Disk_Recovery_Key_passphrase; then - whiptail_error --title 'Failed to change LUKS passphrase' --msgbox \ - "Failed to change the passphrase for $luks_container.\nPlease try again." 0 80 - continue - fi - - echo "Success changing passphrase for $luks_container." - done - - # Export the new passphrase if all containers were processed successfully - luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase - export luks_current_Disk_Recovery_Key_passphrase - export luks_new_Disk_Recovery_Key_passphrase - export LUKS + for luks_container in "${luks_containers[@]}"; do + if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then + if [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then + luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase) + else + whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ + "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80 + + echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase 
(At least 8 characters long):" + while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do + read -r luks_new_Disk_Recovery_Key_passphrase + done + + TRACE_FUNC + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" + read -r luks_current_Disk_Recovery_Key_passphrase + fi + fi + + echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_new_Disk_Recovery_Key_passphrase + + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then + whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue + fi + + echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/secret/luks_current_Disk_Recovery_Key_passphrase /tmp/secret/luks_new_Disk_Recovery_Key_passphrase; then + whiptail_error --title 'Failed to change LUKS passphrase' --msgbox \ + "Failed to change the passphrase for $luks_container.\nPlease try again." 0 80 + continue + fi + + echo "Success changing passphrase for $luks_container." 
+ done + + # Export the new passphrase if all containers were processed successfully + luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase + export luks_current_Disk_Recovery_Key_passphrase + export luks_new_Disk_Recovery_Key_passphrase + export LUKS } -luks_secrets_cleanup() -{ +# Cleanup LUKS secrets +luks_secrets_cleanup() { TRACE_FUNC #Cleanup @@ -563,7 +589,5 @@ luks_secrets_cleanup() #Unset variables (when in same boot) unset luks_current_Disk_Recovery_Key_passphrase unset luks_new_Disk_Recovery_Key_passphrase - - #TODO: refactor logic of selec_luks_conatainer, where to put - #unset LUKS + unset LUKS } From c29ce203516abd770dd260b7137f8c306ace41c4 Mon Sep 17 00:00:00 2001 
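Review bot: In luks_change_passphrase the new cache branch skips the new-passphrase prompt: when `luks_new_Disk_Recovery_Key_passphrase` is empty but /tmp/secret/luks_current_Disk_Recovery_Key_passphrase exists — the normal case, because test_luks_current_disk_recovery_key_passphrase, called on the first line of this function, has just written that file — the `if [ -f ... ]` branch only loads the current passphrase and the `else` branch holding the whiptail notice and both prompts never runs, so an empty /tmp/secret/luks_new_Disk_Recovery_Key_passphrase is handed to `cryptsetup luksChangeKey` (whether that fails or sets an empty passphrase I have not verified, and neither outcome is acceptable). The cached file should only replace the current-passphrase prompt; the new passphrase must be prompted for whenever it is empty, with both reads silenced by `-s` as luks_reencrypt in this commit already does. A reworked start of the loop body is below; the key-file writes, test-open and luksChangeKey that follow are unchanged.
```shell
	for luks_container in "${luks_containers[@]}"; do
		# The cached DRK passphrase (written by test_luks_current_disk_recovery_key_passphrase)
		# only stands in for the current-passphrase prompt, never for the new one.
		if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] && [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then
			luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase)
		fi
		if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
			whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
				"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80
		fi
		while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
			echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
			read -r -s luks_new_Disk_Recovery_Key_passphrase
		done
		if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
			echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
			read -r -s luks_current_Disk_Recovery_Key_passphrase
		fi
		# … unchanged: write both key files, test-open, luksChangeKey, success message …
	done
```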
From: Thierry Laurion Date: Tue, 29 Oct 2024 09:28:59 -0400 Subject: [PATCH 13/13] initrd/bin/kexec-seal-key initrd/etc/luks-functions: last fixups - fi misplaced - rework reencryption loop - added verbose output on TPM DUK key addition when LUKS container can be unlocked with DRK Current state, left todo for future work: TPM DUK: - TPM DUK setup on defautl boot reuses /boot/kexec_key_devices.txt if present - If not, list all LUKS partitions, asks user for selection and makes sure LUKS passphrase can unlock all - Works on both LUKSv1 and LUKSv2 containers, reusing OS installer settings (Heads doesn't enforce better then OS installer LUKS parameters) LUKS passphrase change/LUKS reencryption: - Reuses /boot/kexec_key_devices.txt if existing - If not, prompts for LUKS passphase, list all LUKS containers not being USB based and attempt to unlock all those, listing only the ones successfully unlocked - Prompts user to reuse found unlockable LUKS partitions with LUKS passphrase, caches and reuse in other LUKS operations (passphrase change as well from oem factory reset/re-ownership) - Deals properly with LUKSv1/LUKSv2/multiple LUKS containers and reencrypt/passphrase changes them all if accepted, otherwise asks user to select individual LUKS container Tested on luksv1,luksv2, btrfs under luks (2x containers) and TPM DUK setup up to booting OS. All good TODO: - LUKS passphrase check is done multiple times across TPM DUK, reencryption and luks passphrase. Could refactor to change this, but since this op is done only one reencrypt+passphrase change) upon hardare reception from OEM, I stopped caring here. Signed-off-by: Thierry Laurion --- initrd/bin/kexec-seal-key | 2 +- initrd/etc/luks-functions | 136 ++++++++++++++++++-------------------- 2 files changed, 64 insertions(+), 74 deletions(-) diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 0765d8b9e..bd35fe354 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key 
@@ -78,7 +78,7 @@ for dev in $key_devices ; do
 DEBUG "Testing $DISK_RECOVERY_KEY_FILE keyfile created from provided passphrase against $dev individual key slots"
 if cryptsetup open $dev --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then
- DEBUG "LUKS device $dev unlocked successfully with the DRK passphrase"
+ echo "++++++ $dev: LUKS device unlocked successfully with the DRK passphrase"
 luks_drk_passphrase_valid=1
 break
 else
diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions
index a69023302..eb2d1fb66 100644
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@@ -363,7 +363,6 @@ select_luks_container() {
 DEBUG "LUKS container device: $(echo $LUKS)"
 elif [ -z "$LUKS" ]; then
 main_luks_selection
- fi
 fi
 }
@@ -420,21 +419,21 @@ luks_reencrypt() { TRACE_FUNC DEBUG "luks_containers: ${luks_containers[@]}" - for luks_container in "${luks_containers[@]}"; do - if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - if [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then - luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase) - else - msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s) - whiptail --title 'Reencrypt LUKS encrypted container ?' 
--msgbox "$msg" 0 80 - echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" - read -r -s luks_current_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase - fi + if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then + if [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then + luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase) else + msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s) + whiptail --title 'Reencrypt LUKS encrypted container ?' --msgbox "$msg" 0 80 + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" + read -r -s luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase fi + else + echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase + fi + for luks_container in "${luks_containers[@]}"; do DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." if ! 
DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ 
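Review bot: The passphrase is still cached with `echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase` in both the prompt branch and the new `else` branch, so a passphrase that begins with `-n`/`-e` or contains backslashes can be altered by the shell's echo before it is used as `--key-file`, and every later unlock then fails as a "wrong passphrase". Replace both writes with `printf '%s' "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase`, which is also what the `cat` in the file-exists branch expects (no trailing newline). The new `else` branch writes the cache file unconditionally; if /tmp/secret is not created with a restrictive mode elsewhere (not visible in this hunk), a `umask 077` before these writes would keep the file private. luks_reencrypt begins before this hunk and its loop body continues past it.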
@@ -449,70 +448,61 @@ luks_reencrypt() { continue fi - DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key" - for luks_container in "${luks_containers[@]}"; do - DRK_KEYSLOT=-1 - DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." - for i in $(seq 0 31); do - DEBUG "Testing key slot $i on $luks_container" - if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then - DRK_KEYSLOT=$i - DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop" - break - else - DEBUG "Key slot $i on $luks_container cannot be unlocked with the current passphrase" - fi - done - - if [ $DRK_KEYSLOT -eq -1 ]; then - whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ - "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 - TRACE_FUNC - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - luks_secrets_cleanup - unset LUKS - continue - fi - - # Now reencrypt the LUKS container with the same key slot - # Warn and launch actual reencryption - echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..." - warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS" - - # --perf-no_read_workqueue and/or --perf-no_write_workqueue improve encryption/reencrypton performance on kernel 5.10.9+ - # bypassing dm-crypt queues. 
- # Ref https://github.com/cloudflare/linux/issues/1#issuecomment-729695518 - # --resilience=none disables the resilience feature of cryptsetup, which is enabled by default - # --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device) - # --disable-locks disables the lock feature of cryptsetup, which is enabled by default - - if ! DO_WITH_DEBUG cryptsetup reencrypt \ - --perf-no_read_workqueue --perf-no_write_workqueue \ - --resilience=none --force-offline-reencrypt --disable-locks \ - "$luks_container" --key-slot "$DRK_KEYSLOT" \ - --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then - whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ - "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 - TRACE_FUNC - - #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - #maybe the container was not the right one - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - luks_secrets_cleanup - unset LUKS + DEBUG "Test opening ${luks_container} successful. Now testing key slots to determine which holds master key" + DRK_KEYSLOT=-1 + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + for i in $(seq 0 31); do + DEBUG "Testing key slot $i on $luks_container" + if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then + DRK_KEYSLOT=$i + DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. 
breaking loop" + break else - #Reencryption was successful. Cleanup should be called only when done - #Exporting successfully used passphrase possibly reused by oem-factory-reset - export luks_current_Disk_Recovery_Key_passphrase - export LUKS + DEBUG "Key slot $i on $luks_container cannot be unlocked with the current passphrase" fi done + + if [ $DRK_KEYSLOT -eq -1 ]; then + whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue + fi + + # --perf-no_read_workqueue and/or --perf-no_write_workqueue improve encryption/reencrypton performance on kernel 5.10.9+ + # bypassing dm-crypt queues. + # Ref https://github.com/cloudflare/linux/issues/1#issuecomment-729695518 + # --resilience=none disables the resilience feature of cryptsetup, which is enabled by default + # --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device) + # --disable-locks disables the lock feature of cryptsetup, which is enabled by default + + echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..." + warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS" + + if ! 
DO_WITH_DEBUG cryptsetup reencrypt \ + --perf-no_read_workqueue --perf-no_write_workqueue \ + --resilience=none --force-offline-reencrypt --disable-locks \ + "$luks_container" --key-slot "$DRK_KEYSLOT" \ + --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then + whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + else + export luks_current_Disk_Recovery_Key_passphrase + export LUKS + fi done }
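Review bot: Both failure branches inside the `for luks_container` loop (the `DRK_KEYSLOT -eq -1` branch and the failed `cryptsetup reencrypt` branch) call `luks_secrets_cleanup` and then move on to the next container, which is tested with `--key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase`; if `luks_secrets_cleanup` removes that file (its definition is not in this hunk), one bad container makes every remaining container report a wrong passphrase. The whiptail_error/TRACE_FUNC/remount/rm/remount sequence is now repeated three times in luks_reencrypt, and the function's exit status is that of the last `export`/`unset`, so a caller cannot tell that a container was skipped. I would record the failure in a flag, factor the repeated block into a helper, and run `luks_secrets_cleanup` once after the loop; the `return 1` below should be checked against callers that may run under `set -e`. Separately, `$luks_container` and `$i` in the key-slot `cryptsetup open --test-passphrase $luks_container --key-slot $i` call are unquoted while the same variable is quoted in the reencrypt call.
```shell
	local reencrypt_failed=0
	for luks_container in "${luks_containers[@]}"; do
		# … unchanged: test-passphrase check and key-slot search setting DRK_KEYSLOT …
		if [ "$DRK_KEYSLOT" -eq -1 ]; then
			luks_reencrypt_forget_container "$luks_container"
			reencrypt_failed=1
			continue
		fi
		# … unchanged: option comments, warn and the cryptsetup reencrypt invocation …
			luks_reencrypt_forget_container "$luks_container"
			reencrypt_failed=1
		else
			export luks_current_Disk_Recovery_Key_passphrase
			export LUKS
		fi
	done
	# Drop the cached passphrase only once no container still needs it.
	if [ "$reencrypt_failed" -ne 0 ]; then
		luks_secrets_cleanup
		unset LUKS
		return 1
	fi
}

# Forget a LUKS container that could not be unlocked or reencrypted so that
# the next pass asks the user to select the container again.
# Arguments: $1 - LUKS container device
luks_reencrypt_forget_container() {
	whiptail_error --title "$1: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
		"If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
	TRACE_FUNC
	detect_boot_device
	mount -o remount,rw /boot
	rm -f /boot/kexec_key_devices.txt
	mount -o remount,ro /boot
}
```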