From 4130746c31606aebaccef58997b650beda9049f7 Mon Sep 17 00:00:00 2001
From: Maximilian Luz
Date: Sun, 1 Aug 2021 16:59:58 +0200
Subject: [PATCH] pkd/debian: Update extra patches for LTS kernel
---
...secureboot-pre-signing-to-the-kernel.patch | 88 +++++++++++-
...t-symbols-needed-by-Android-drivers.patch} | 120 +++++++++--------
...ilding-ashmem-and-binder-as-modules.patch} | 126 ++++++++++--------
3 files changed, 221 insertions(+), 113 deletions(-)
mode change 120000 => 100644 pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch
rename pkg/debian/kernel-lts/{export-symbols-needed-by-android-drivers.patch => 0001-Export-symbols-needed-by-Android-drivers.patch} (54%)
rename pkg/debian/kernel-lts/{android-enable-building-ashmem-and-binder-as-modules.patch => 0002-android-Enable-building-ashmem-and-binder-as-modules.patch} (54%)
diff --git a/pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch
deleted file mode 120000
index 26c95bad7..000000000
--- a/pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch
+++ /dev/null
@@ -1 +0,0 @@
-../../fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
\ No newline at end of file
diff --git a/pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch
new file mode 100644
index 000000000..3af51215c
--- /dev/null
+++ b/pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch
@@ -0,0 +1,87 @@ +From c1384dfce8f7a364a73b69c18238db635454ec6a Mon Sep 17 00:00:00 2001 +From: Dorian Stoll +Date: Sun, 22 Sep 2019 22:44:16 +0200 +Subject: [PATCH] Add secureboot pre-signing to the kernel + +If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`, +the kernel Makefile will automatically sign the vmlinux / bzImage file that +gets generated, and that is then used in packaging. + +By integrating it into the kernel build system directly, it is fully integrated +with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`) +and it gets added to every tree by the same mechanism that is used to apply the +other surface patches anyways. + +Signed-off-by: Dorian Stoll +--- + .gitignore | 3 +++ + arch/x86/Makefile | 1 + + scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++ + 3 files changed, 34 insertions(+) + create mode 100755 scripts/sign_kernel.sh + +diff --git a/.gitignore b/.gitignore +index 97ba6b79834c..490f0526ed66 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -127,6 +127,9 @@ signing_key.priv + signing_key.x509 + x509.genkey + ++# Secureboot certificate ++/keys/ ++ + # Kconfig presets + all.config + +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 65a8722e784c..68ddcd308384 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -296,6 +296,7 @@ endif + $(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE) + $(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot + $(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@ ++ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@ + + $(BOOT_TARGETS): vmlinux + $(Q)$(MAKE) $(build)=$(boot) $@ +diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh +new file mode 100755 +index 000000000000..d2526a279254 +--- /dev/null ++++ b/scripts/sign_kernel.sh +@@ -0,0 +1,30 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0 ++ ++# The path to the compiled kernel image is passed as the first argument ++BUILDDIR=$(dirname 
$(dirname $0)) ++VMLINUX=$1 ++ ++# Keys are stored in a toplevel directory called keys ++# The following files need to be there: ++# * MOK.priv (private key) ++# * MOK.pem (public key) ++# ++# If the files don't exist, this script will do nothing. ++if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then ++ exit 0 ++fi ++if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then ++ exit 0 ++fi ++ ++# Both required certificates were found. Check if sbsign is installed. ++echo "Keys for automatic secureboot signing found." ++if [ ! -x "$(command -v sbsign)" ]; then ++ echo "ERROR: sbsign not found!" ++ exit -2 ++fi ++ ++# Sign the kernel ++sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \ ++ --output $VMLINUX $VMLINUX +-- +2.32.0 + diff --git a/pkg/debian/kernel-lts/export-symbols-needed-by-android-drivers.patch b/pkg/debian/kernel-lts/0001-Export-symbols-needed-by-Android-drivers.patch similarity index 54% rename from pkg/debian/kernel-lts/export-symbols-needed-by-android-drivers.patch rename to pkg/debian/kernel-lts/0001-Export-symbols-needed-by-Android-drivers.patch index 94a00d452..bbe871d97 100644 --- a/pkg/debian/kernel-lts/export-symbols-needed-by-android-drivers.patch +++ b/pkg/debian/kernel-lts/0001-Export-symbols-needed-by-Android-drivers.patch @@ -1,7 +1,7 @@ +From 816b7fe4a492f9f49978e39a779a89992d8d4d32 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 26 Jun 2018 16:59:01 +0100 -Subject: Export symbols needed by Android drivers -Bug-Debian: https://bugs.debian.org/901492 +Subject: [PATCH 1/2] Export symbols needed by Android drivers We want to enable use of the Android ashmem and binder drivers to support Anbox, but they should not be built-in as that would waste 
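Review bot: The key file names in the new scripts/sign_kernel.sh disagree with their own documentation: the inner commit message names `keys/MOK.key` and `keys/MOK.cer`, the comment above the checks lists `MOK.priv` and `MOK.pem`, but the `[ -f ]` tests and the sbsign call use `MOK.key` and `MOK.crt`, and because a missing file is an `exit 0` a user following either description silently gets an unsigned image. I would make the comment match the code, `# * MOK.key (private key)` and `# * MOK.crt (certificate)`, and correct the inner commit text the same way. `exit -2` is outside the 0–255 range POSIX defines for an exit status, so its result is shell-dependent; `exit 2` is what was meant. The sbsign invocation leaves `$BUILDDIR` and `$VMLINUX` unquoted although the `[ -f "$BUILDDIR/..." ]` tests above quote them, so a build path containing spaces breaks the signing step rather than the detection. This file is now a copy of the Fedora patch rather than the symlink the previous section deletes, so the two copies can drift without anyone noticing.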
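Review bot: The rewritten header of 0001-Export-symbols-needed-by-Android-drivers.patch drops the `Bug-Debian: https://bugs.debian.org/901492` line without a replacement, so the provenance of this non-upstream patch is lost; the first hunk of 0002-android-Enable-building-ashmem-and-binder-as-modules.patch drops the same line. git am keeps everything before the `---` separator as the commit message, so the reference can stay as a trailer after the body, e.g. `Bug-Debian: https://bugs.debian.org/901492` on the line after the last body paragraph, or the origin (Debian's kernel packaging) could at least be named in the outer commit message. The remaining hunks of both files appear to only re-base the inner hunk headers and offsets (e.g. `@@ -1048,6 +1048,7 @@` becomes `@@ -1053,6 +1053,7 @@` for kernel/fork.c), which is consistent with an LTS version bump, but the kernel version the patches were regenerated against is not stated anywhere in the commit and would help the next re-base.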
@@ -9,13 +9,22 @@ resources and increase security attack surface on systems that don't need them. Export the currently un-exported symbols they depend on. - --- -Index: linux/fs/file.c -=================================================================== ---- linux.orig/fs/file.c -+++ linux/fs/file.c -@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(st + fs/file.c | 4 ++++ + kernel/fork.c | 1 + + kernel/sched/core.c | 1 + + kernel/signal.c | 1 + + mm/memory.c | 1 + + mm/shmem.c | 1 + + mm/vmalloc.c | 2 ++ + security/security.c | 4 ++++ + 8 files changed, 15 insertions(+) + +diff --git a/fs/file.c b/fs/file.c +index 3762a3f136fd..3e10be834458 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(struct task_struct *task) return files; } @@ -23,7 +32,7 @@ Index: linux/fs/file.c void put_files_struct(struct files_struct *files) { -@@ -421,6 +422,7 @@ void put_files_struct(struct files_struc +@@ -421,6 +422,7 @@ void put_files_struct(struct files_struct *files) kmem_cache_free(files_cachep, files); } } @@ -31,7 +40,7 @@ Index: linux/fs/file.c void reset_files_struct(struct files_struct *files) { -@@ -534,6 +536,7 @@ out: +@@ -534,6 +536,7 @@ int __alloc_fd(struct files_struct *files, spin_unlock(&files->file_lock); return error; } @@ -39,7 +48,7 @@ Index: linux/fs/file.c static int alloc_fd(unsigned start, unsigned flags) { -@@ -607,6 +610,7 @@ void __fd_install(struct files_struct *f +@@ -607,6 +610,7 @@ void __fd_install(struct files_struct *files, unsigned int fd, rcu_assign_pointer(fdt->fd[fd], file); rcu_read_unlock_sched(); } 
@@ -47,11 +56,11 @@ Index: linux/fs/file.c void fd_install(unsigned int fd, struct file *file) { -Index: linux/kernel/fork.c -=================================================================== ---- linux.orig/kernel/fork.c -+++ linux/kernel/fork.c -@@ -1048,6 +1048,7 @@ void mmput_async(struct mm_struct *mm) +diff --git a/kernel/fork.c b/kernel/fork.c +index cf535b9d5db7..08f3ff948b2d 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1053,6 +1053,7 @@ void mmput_async(struct mm_struct *mm) schedule_work(&mm->async_put_work); } } @@ -59,11 +68,23 @@ Index: linux/kernel/fork.c #endif /** -Index: linux/kernel/signal.c -=================================================================== ---- linux.orig/kernel/signal.c -+++ linux/kernel/signal.c -@@ -1353,6 +1353,7 @@ struct sighand_struct *__lock_task_sigha +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 013b1c6cb4ed..962eef6a146c 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -3976,6 +3976,7 @@ int can_nice(const struct task_struct *p, const int nice) + return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || + capable(CAP_SYS_NICE)); + } ++EXPORT_SYMBOL_GPL(can_nice); + + #ifdef __ARCH_WANT_SYS_NICE + +diff --git a/kernel/signal.c b/kernel/signal.c +index a02a25acf205..ab8c2d4d0e6d 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1368,6 +1368,7 @@ struct sighand_struct *__lock_task_sighand(struct task_struct *tsk, return sighand; } 
@@ -71,11 +92,11 @@ Index: linux/kernel/signal.c /* * send signal info to all the members of a group -Index: linux/mm/memory.c -=================================================================== ---- linux.orig/mm/memory.c -+++ linux/mm/memory.c -@@ -1611,6 +1611,7 @@ void zap_page_range(struct vm_area_struc +diff --git a/mm/memory.c b/mm/memory.c +index 49b546cdce0d..753bb3a3df81 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1634,6 +1634,7 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long start, mmu_notifier_invalidate_range_end(mm, start, end); tlb_finish_mmu(&tlb, start, end); } @@ -83,11 +104,11 @@ Index: linux/mm/memory.c /** * zap_page_range_single - remove user pages in a given range -Index: linux/mm/shmem.c -=================================================================== ---- linux.orig/mm/shmem.c -+++ linux/mm/shmem.c -@@ -4039,6 +4039,7 @@ int shmem_zero_setup(struct vm_area_stru +diff --git a/mm/shmem.c b/mm/shmem.c +index 9fd0e72757cf..4440c837318d 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -4053,6 +4053,7 @@ int shmem_zero_setup(struct vm_area_struct *vma) return 0; } @@ -95,11 +116,11 @@ Index: linux/mm/shmem.c /** * shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags. -Index: linux/mm/vmalloc.c -=================================================================== ---- linux.orig/mm/vmalloc.c -+++ linux/mm/vmalloc.c -@@ -1299,6 +1299,7 @@ int map_kernel_range_noflush(unsigned lo +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index 1817871b0239..809d14e0b06e 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -1300,6 +1300,7 @@ int map_kernel_range_noflush(unsigned long addr, unsigned long size, { return vmap_page_range_noflush(addr, addr + size, prot, pages); } 
@@ -107,7 +128,7 @@ Index: linux/mm/vmalloc.c /** * unmap_kernel_range_noflush - unmap kernel VM area -@@ -1439,6 +1440,7 @@ struct vm_struct *get_vm_area(unsigned l +@@ -1440,6 +1441,7 @@ struct vm_struct *get_vm_area(unsigned long size, unsigned long flags) NUMA_NO_NODE, GFP_KERNEL, __builtin_return_address(0)); } @@ -115,11 +136,11 @@ Index: linux/mm/vmalloc.c struct vm_struct *get_vm_area_caller(unsigned long size, unsigned long flags, const void *caller) -Index: linux/security/security.c -=================================================================== ---- linux.orig/security/security.c -+++ linux/security/security.c -@@ -236,24 +236,28 @@ int security_binder_set_context_mgr(stru +diff --git a/security/security.c b/security/security.c +index 9478444bf93f..9b06982fa2d4 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -236,24 +236,28 @@ int security_binder_set_context_mgr(struct task_struct *mgr) { return call_int_hook(binder_set_context_mgr, 0, mgr); } @@ -148,15 +169,6 @@ Index: linux/security/security.c int security_ptrace_access_check(struct task_struct *child, unsigned int mode) { -Index: linux/kernel/sched/core.c -=================================================================== ---- linux.orig/kernel/sched/core.c -+++ linux/kernel/sched/core.c -@@ -3973,6 +3973,7 @@ int can_nice(const struct task_struct *p - return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || - capable(CAP_SYS_NICE)); - } -+EXPORT_SYMBOL_GPL(can_nice); - - #ifdef __ARCH_WANT_SYS_NICE - +-- +2.32.0 + diff --git a/pkg/debian/kernel-lts/android-enable-building-ashmem-and-binder-as-modules.patch b/pkg/debian/kernel-lts/0002-android-Enable-building-ashmem-and-binder-as-modules.patch similarity index 54% rename from pkg/debian/kernel-lts/android-enable-building-ashmem-and-binder-as-modules.patch rename to pkg/debian/kernel-lts/0002-android-Enable-building-ashmem-and-binder-as-modules.patch index da02e00e0..9aee6517d 100644 
--- a/pkg/debian/kernel-lts/android-enable-building-ashmem-and-binder-as-modules.patch +++ b/pkg/debian/kernel-lts/0002-android-Enable-building-ashmem-and-binder-as-modules.patch @@ -1,7 +1,7 @@ +From ea5f38dafdd4a0c5482e4b4dbce0aef647411c13 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 22 Jun 2018 17:27:00 +0100 -Subject: android: Enable building ashmem and binder as modules -Bug-Debian: https://bugs.debian.org/901492 +Subject: [PATCH 2/2] android: Enable building ashmem and binder as modules We want to enable use of the Android ashmem and binder drivers to support Anbox, but they should not be built-in as that would waste @@ -12,12 +12,19 @@ need them. - Change the Makefiles to build each driver as an object with the "_linux" suffix (which is what Anbox expects) - Change config symbol types to tristate - --- -Index: linux/drivers/android/Kconfig -=================================================================== ---- linux.orig/drivers/android/Kconfig -+++ linux/drivers/android/Kconfig + drivers/android/Kconfig | 2 +- + drivers/android/Makefile | 5 +++-- + drivers/android/binder_alloc.c | 2 +- + drivers/staging/android/Kconfig | 2 +- + drivers/staging/android/Makefile | 3 ++- + drivers/staging/android/ashmem.c | 3 +++ + 6 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig +index 432e9ad77070..5f054abd6a10 100644 +--- a/drivers/android/Kconfig ++++ b/drivers/android/Kconfig @@ -9,7 +9,7 @@ config ANDROID if ANDROID @@ -27,10 +34,10 @@ Index: linux/drivers/android/Kconfig depends on MMU default n ---help--- -Index: linux/drivers/android/Makefile -=================================================================== ---- linux.orig/drivers/android/Makefile -+++ linux/drivers/android/Makefile +diff --git a/drivers/android/Makefile b/drivers/android/Makefile +index a01254c43ee3..e42257997ba8 100644 +--- a/drivers/android/Makefile ++++ b/drivers/android/Makefile 
@@ -1,4 +1,5 @@ ccflags-y += -I$(src) # needed for trace events @@ -39,53 +46,10 @@ Index: linux/drivers/android/Makefile +obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o +binder_linux-y := binder.o binder_alloc.o +binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o -Index: linux/drivers/staging/android/Kconfig -=================================================================== ---- linux.orig/drivers/staging/android/Kconfig -+++ linux/drivers/staging/android/Kconfig -@@ -3,7 +3,7 @@ menu "Android" - if ANDROID - - config ASHMEM -- bool "Enable the Anonymous Shared Memory Subsystem" -+ tristate "Enable the Anonymous Shared Memory Subsystem" - default n - depends on SHMEM - help -Index: linux/drivers/staging/android/Makefile -=================================================================== ---- linux.orig/drivers/staging/android/Makefile -+++ linux/drivers/staging/android/Makefile -@@ -2,5 +2,6 @@ ccflags-y += -I$(src) # needed for tra - - obj-y += ion/ - --obj-$(CONFIG_ASHMEM) += ashmem.o -+obj-$(CONFIG_ASHMEM) += ashmem_linux.o -+ashmem_linux-y += ashmem.o - obj-$(CONFIG_ANDROID_VSOC) += vsoc.o -Index: linux/drivers/staging/android/ashmem.c -=================================================================== ---- linux.orig/drivers/staging/android/ashmem.c -+++ linux/drivers/staging/android/ashmem.c -@@ -24,6 +24,7 @@ - #include - #include - #include -+#include - #include "ashmem.h" - - #define ASHMEM_NAME_PREFIX "dev/ashmem/" -@@ -924,3 +925,5 @@ out: - return ret; - } - device_initcall(ashmem_init); -+ -+MODULE_LICENSE("GPL v2"); -Index: linux/drivers/android/binder_alloc.c -=================================================================== ---- linux.orig/drivers/android/binder_alloc.c -+++ linux/drivers/android/binder_alloc.c +diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c +index 3371b986e3b4..b51dd2aaba90 100644 +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c 
@@ -44,7 +44,7 @@ enum { }; static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR; @@ -95,3 +59,49 @@ Index: linux/drivers/android/binder_alloc.c uint, 0644); #define binder_alloc_debug(mask, x...) \ +diff --git a/drivers/staging/android/Kconfig b/drivers/staging/android/Kconfig +index 17c5587805f5..c46669f32bfa 100644 +--- a/drivers/staging/android/Kconfig ++++ b/drivers/staging/android/Kconfig +@@ -3,7 +3,7 @@ menu "Android" + if ANDROID + + config ASHMEM +- bool "Enable the Anonymous Shared Memory Subsystem" ++ tristate "Enable the Anonymous Shared Memory Subsystem" + default n + depends on SHMEM + help +diff --git a/drivers/staging/android/Makefile b/drivers/staging/android/Makefile +index 90e6154f11a4..8202002bd72c 100644 +--- a/drivers/staging/android/Makefile ++++ b/drivers/staging/android/Makefile +@@ -2,5 +2,6 @@ ccflags-y += -I$(src) # needed for trace events + + obj-y += ion/ + +-obj-$(CONFIG_ASHMEM) += ashmem.o ++obj-$(CONFIG_ASHMEM) += ashmem_linux.o ++ashmem_linux-y += ashmem.o + obj-$(CONFIG_ANDROID_VSOC) += vsoc.o +diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c +index a97bbd89fae2..1f1f16c39b58 100644 +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include "ashmem.h" + + #define ASHMEM_NAME_PREFIX "dev/ashmem/" +@@ -964,3 +965,5 @@ static int __init ashmem_init(void) + return ret; + } + device_initcall(ashmem_init); ++ ++MODULE_LICENSE("GPL v2"); +-- +2.32.0 +