Update to 4.14.6 and auto generate config

The config is now generated based on Fedora's config. This way we need to only track qubes specific changes and can quickly update to never Fedora configs.
6 years ago · 537e0d17a8
parent a00512fb97
commit 537e0d17a8
6 changed files with 1475 additions and 1020 deletions
--- a/2255
+++ b/2255
--- a/119
+++ b/119
@ -0,0 +1,119 @@
+## Qubes specific config settings.
+##
+## Lines starting with ## are comments.
+
+
+################################################################################
+## Enable expert options
+
+CONFIG_EXPERT=y
+
+
+################################################################################
+## Use xz to save space on /boot
+
+# CONFIG_KERNEL_GZIP is not set
+CONFIG_KERNEL_XZ=y
+
+
+################################################################################
+## Enable /proc/config.gz to help debugging etc.
+
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+
+
+################################################################################
+## Enable some more hardening options
+
+CONFIG_GCC_PLUGINS=y
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
+CONFIG_GCC_PLUGIN_STRUCTLEAK=y
+## XXX: What's about RANDSTRUCT?
+
+## Those depend on CONFIG_EXPERT
+CONFIG_ARCH_MMAP_RND_BITS=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16
+
+CONFIG_REFCOUNT_FULL=y
+
+# CONFIG_KEXEC is not set
+
+# CONFIG_LEGACY_VSYSCALL_EMULATE is not set
+CONFIG_LEGACY_VSYSCALL_NONE=y
+
+# CONFIG_ACPI_CUSTOM_METHOD is not set
+
+CONFIG_SECURITY_DMESG_RESTRICT=y
+
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+
+# CONFIG_PROC_KCORE is not set
+
+CONFIG_PAGE_POISONING=y
+# CONFIG_PAGE_POISONING_NO_SANITY is not set
+CONFIG_PAGE_POISONING_ZERO=y
+
+CONFIG_PANIC_ON_OOPS=y
+CONFIG_PANIC_ON_OOPS_VALUE=1
+CONFIG_PANIC_TIMEOUT=-1
+
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_TIMEKEEPING=y
+
+CONFIG_IO_STRICT_DEVMEM=y
+
+CONFIG_SECURITY_YAMA=y
+
+# CONFIG_HIBERNATION is not set
+
+
+################################################################################
+## Disable PCI hotplug to prevent DMA attacks via ExpressCard or Thunderbolt
+## ports. QubesOS/qubes-issues#1673
+
+# CONFIG_HOTPLUG_PCI is not set
+
+
+################################################################################
+## We don't use singed modules
+
+# CONFIG_MODULE_SIG is not set
+
+
+################################################################################
+## Deactivate selinux by default
+
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+
+CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
+
+
+################################################################################
+## Enable paravirt spinlocks. This should be more performant.
+
+CONFIG_PARAVIRT_SPINLOCKS=y
+
+
+################################################################################
+## Disable atomisp support. It's broken.
+## https://lists.xen.org/archives/html/xen-devel/2017-09/msg00793.html
+
+# CONFIG_INTEL_ATOMISP is not set
+
+
+################################################################################
+## TODO: from diff to old config
+
+## CONFIG_X86_AMD_PLATFORM_DEVICE=y
+##
+## # CONFIG_X86_MCELOG_LEGACY is not set
+## # CONFIG_X86_MCE_INJECT is not set
+##
+## CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
+##
+## CONFIG_SECURITY_APPARMOR=y
+## sensors from 0f976d972a1671a303fad30a5e690304b0b82ee0
+##
+## Intel ME driver e0f8e9ca81b80d897b190f48a4af80eff3198cb1
--- a/61
+++ b/61
@ -0,0 +1,61 @@
+#!/bin/bash
+
+# The Qubes OS Project, https://www.qubes-os.org
+#
+# Copyright (C) 2017 Simon Gaiser <simon@invisiblethingslab.com>
+# Copyright (c) 2009-2010 Wind River Systems, Inc.
+# Copyright 2011 Linaro
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU General Public License for more details.
+
+set -eu -o pipefail
+
+linux_merge_config="./scripts/kconfig/merge_config.sh"
+make_opts=""
+
+if [ -n "${RPM_PACKAGE_VERSION:-}" ]; then
+    linux_merge_config="../linux-$RPM_PACKAGE_VERSION/scripts/kconfig/merge_config.sh"
+    make_opts="-C ../linux-$RPM_PACKAGE_VERSION O=$PWD"
+fi
+
+if [ -z "$linux_merge_config" ]; then
+    printf 'Error: Could not find merge_config.sh from the linux source tree!\n'
+    exit 1
+fi
+
+sed_config_exp='s/^\(# \)\{0,1\}\(CONFIG_[a-zA-Z0-9_]*\)[= ].*/\2/p'
+
+if [ $# -ne 2 ]; then
+    printf 'Usage: gen-config base.config local.config\n'
+    exit 1
+fi
+
+base_config="$1"
+local_config="$2"
+
+grep -v '^##' "$local_config" > "$local_config.gen"
+
+$linux_merge_config -m "$base_config" "$local_config.gen"
+
+make $make_opts KCONFIG_ALLCONFIG=.config alldefconfig
+
+rc=0
+for cfg in $(sed -n "$sed_config_exp" "$local_config.gen"); do
+    requested="$(grep -w "$cfg" "$local_config.gen" || true)"
+    actual="$(grep -w "$cfg" .config || true)"
+    if [ "$requested" != "$actual" ]; then
+        printf 'Local config setting for %s didn'\''t make it into the final config\n' "$cfg"
+        rc=1
+    fi
+done
+
+rm "$local_config.gen"
+
+exit $rc
--- a/kernel.spec
+++ b/kernel.spec
@ -79,7 +79,9 @@ Source14:       series.conf
 Source16:       guards
 Source17:       apply-patches
 Source33:       check-for-config-changes
-Source100:      config
+Source34:       gen-config
+Source100:      config-base
+Source101:      config-qubes
 # FIXME: Including dirs this way does NOT produce proper src.rpms
 Source204:      patches.rpmify
 Source205:      patches.xen
@ -114,11 +116,7 @@ fi

 cd %kernel_build_dir

-if [ -f %_sourcedir/config-%{version} ]; then
-    cp %_sourcedir/config-%{version} .config
-else
-    cp %_sourcedir/config .config
-fi
+%_sourcedir/gen-config %_sourcedir/config-base %_sourcedir/config-qubes

 %build_src_dir/scripts/config \
        --set-str CONFIG_LOCALVERSION -%release.%cpu_arch \
@ -128,14 +126,6 @@ fi
 # Enabling CONFIG_DEBUG_INFO produces *huge* packages!

 MAKE_ARGS="$MAKE_ARGS -C %build_src_dir O=$PWD"
-if test -e %_sourcedir/TOLERATE-UNKNOWN-NEW-CONFIG-OPTIONS; then
-    yes '' | make oldconfig $MAKE_ARGS
-else
-    cp .config .config.orig
-    make silentoldconfig $MAKE_ARGS < /dev/null
-    %_sourcedir/check-for-config-changes .config.orig .config
-    rm .config.orig
-fi

 make prepare $MAKE_ARGS
 make scripts $MAKE_ARGS
--- a/patches.xen/xen-pciback-add-attribute-to-allow-MSI-enable-flag-w.patch
+++ b/patches.xen/xen-pciback-add-attribute-to-allow-MSI-enable-flag-w.patch
@ -19,11 +19,9 @@ guest (or stubdom) can already generate MSIs through other ways, see
 drivers/xen/xen-pciback/pciback.h               |  1 +
 3 files changed, 105 insertions(+)

-diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c
-index 7f83e9083e9d..793635238267 100644
 --- a/drivers/xen/xen-pciback/conf_space_capability.c
 +++ b/drivers/xen/xen-pciback/conf_space_capability.c
-@@ -189,6 +189,40 @@ static const struct config_field caplist_pm[] = {
+@@ -190,6 +190,40 @@ static const struct config_field caplist
 	{}
 };
 
@ -64,7 +62,7 @@ index 7f83e9083e9d..793635238267 100644
 static struct xen_pcibk_config_capability xen_pcibk_config_capability_pm = {
 	.capability = PCI_CAP_ID_PM,
 	.fields = caplist_pm,
-@@ -197,11 +231,16 @@ static struct xen_pcibk_config_capability xen_pcibk_config_capability_vpd = {
+@@ -198,11 +232,16 @@ static struct xen_pcibk_config_capabilit
 	.capability = PCI_CAP_ID_VPD,
 	.fields = caplist_vpd,
 };
@ -81,11 +79,9 @@ index 7f83e9083e9d..793635238267 100644
 
 	return 0;
 }
-diff --git a/drivers/xen/xen-pciback/pci_stub.c b/drivers/xen/xen-pciback/pci_stub.c
-index 6331a95691a4..953866285ac1 100644
 --- a/drivers/xen/xen-pciback/pci_stub.c
 +++ b/drivers/xen/xen-pciback/pci_stub.c
-@@ -303,6 +303,8 @@ void pcistub_put_pci_dev(struct pci_dev *dev)
+@@ -303,6 +303,8 @@ void pcistub_put_pci_dev(struct pci_dev
 	xen_pcibk_config_reset_dev(dev);
 	xen_pcibk_config_free_dyn_fields(dev);
 
@ -94,12 +90,12 @@ index 6331a95691a4..953866285ac1 100644
 	xen_unregister_device_domain_owner(dev);
 
 	spin_lock_irqsave(&found_psdev->lock, flags);
-@@ -1434,6 +1436,64 @@ static ssize_t permissive_show(struct device_driver *drv, char *buf)
- static DRIVER_ATTR(permissive, S_IRUSR | S_IWUSR, permissive_show,
- 		   permissive_add);
+@@ -1430,6 +1432,63 @@ static ssize_t permissive_show(struct de
+ }
+ static DRIVER_ATTR_RW(permissive);
 
-+static ssize_t allow_msi_enable_add(struct device_driver *drv, const char *buf,
-+				    size_t count)
+static ssize_t allow_msi_enable_store(struct device_driver *drv, const char *buf,
+				      size_t count)
 +{
 +	int domain, bus, slot, func;
 +	int err;
@ -153,22 +149,21 @@ index 6331a95691a4..953866285ac1 100644
 +	spin_unlock_irqrestore(&pcistub_devices_lock, flags);
 +	return count;
 +}
-+static DRIVER_ATTR(allow_msi_enable, S_IRUSR | S_IWUSR, allow_msi_enable_show,
-+		   allow_msi_enable_add);
+static DRIVER_ATTR_RW(allow_msi_enable);
 +
 static void pcistub_exit(void)
 {
 	driver_remove_file(&xen_pcibk_pci_driver.driver, &driver_attr_new_slot);
-@@ -1443,6 +1503,8 @@ static void pcistub_exit(void)
- 	driver_remove_file(&xen_pcibk_pci_driver.driver, &driver_attr_quirks);
+@@ -1440,6 +1499,8 @@ static void pcistub_exit(void)
 	driver_remove_file(&xen_pcibk_pci_driver.driver,
 			   &driver_attr_permissive);
-+	driver_remove_file(&xen_pcibk_pci_driver.driver,
-+			   &driver_attr_allow_msi_enable);
 	driver_remove_file(&xen_pcibk_pci_driver.driver,
+			   &driver_attr_allow_msi_enable);
+	driver_remove_file(&xen_pcibk_pci_driver.driver,
 			   &driver_attr_irq_handlers);
 	driver_remove_file(&xen_pcibk_pci_driver.driver,
-@@ -1533,6 +1595,9 @@ static int __init pcistub_init(void)
+ 			   &driver_attr_irq_handler_state);
+@@ -1529,6 +1590,9 @@ static int __init pcistub_init(void)
 	if (!err)
 		err = driver_create_file(&xen_pcibk_pci_driver.driver,
 					 &driver_attr_permissive);
@ -178,11 +173,9 @@ index 6331a95691a4..953866285ac1 100644
 
 	if (!err)
 		err = driver_create_file(&xen_pcibk_pci_driver.driver,
-diff --git a/drivers/xen/xen-pciback/pciback.h b/drivers/xen/xen-pciback/pciback.h
-index 7af369b6aaa2..32006bb4dad1 100644
 --- a/drivers/xen/xen-pciback/pciback.h
 +++ b/drivers/xen/xen-pciback/pciback.h
-@@ -44,6 +44,7 @@ struct xen_pcibk_dev_data {
+@@ -45,6 +45,7 @@ struct xen_pcibk_dev_data {
 	struct list_head config_fields;
 	struct pci_saved_state *pci_saved_state;
 	unsigned int permissive:1;
@ -190,6 +183,3 @@ index 7af369b6aaa2..32006bb4dad1 100644
 	unsigned int warned_on_write:1;
 	unsigned int enable_intx:1;
 	unsigned int isr_on:1; /* Whether the IRQ handler is installed. */
-- 
-2.14.1
-
--- a/2
+++ b/2
@ -1 +1 @@
-4.13.12
+4.14.6
 @ -1 +1 @@
 .13.12
 .14.6