pkd/debian: Update extra patches for LTS kernel

This commit is contained in:
Maximilian Luz 2021-08-01 16:59:58 +02:00
parent 780af34a1f
commit 4130746c31
No known key found for this signature in database
GPG key ID: 70EC0937F6C26F02
3 changed files with 221 additions and 113 deletions


@ -1 +0,0 @@
../../fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch


@ -0,0 +1,87 @@
From c1384dfce8f7a364a73b69c18238db635454ec6a Mon Sep 17 00:00:00 2001
From: Dorian Stoll <dorian.stoll@tmsp.io>
Date: Sun, 22 Sep 2019 22:44:16 +0200
Subject: [PATCH] Add secureboot pre-signing to the kernel
If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
the kernel Makefile will automatically sign the vmlinux / bzImage file that
gets generated, and that is then used in packaging.
By integrating it into the kernel build system directly, it is fully integrated
with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
and it gets added to every tree by the same mechanism that is used to apply the
other surface patches anyways.
Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
---
.gitignore | 3 +++
arch/x86/Makefile | 1 +
scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
3 files changed, 34 insertions(+)
create mode 100755 scripts/sign_kernel.sh
diff --git a/.gitignore b/.gitignore
index 97ba6b79834c..490f0526ed66 100644
--- a/.gitignore
+++ b/.gitignore
@@ -127,6 +127,9 @@ signing_key.priv
signing_key.x509
x509.genkey
+# Secureboot certificate
+/keys/
+
# Kconfig presets
all.config
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 65a8722e784c..68ddcd308384 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -296,6 +296,7 @@ endif
$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
$(BOOT_TARGETS): vmlinux
$(Q)$(MAKE) $(build)=$(boot) $@
diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
new file mode 100755
index 000000000000..d2526a279254
--- /dev/null
+++ b/scripts/sign_kernel.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+# The path to the compiled kernel image is passed as the first argument
+BUILDDIR=$(dirname $(dirname $0))
+VMLINUX=$1
+
+# Keys are stored in a toplevel directory called keys
+# The following files need to be there:
+# * MOK.priv (private key)
+# * MOK.pem (public key)
+#
+# If the files don't exist, this script will do nothing.
+if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
+ exit 0
+fi
+if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
+ exit 0
+fi
+
+# Both required certificates were found. Check if sbsign is installed.
+echo "Keys for automatic secureboot signing found."
+if [ ! -x "$(command -v sbsign)" ]; then
+ echo "ERROR: sbsign not found!"
+ exit -2
+fi
+
+# Sign the kernel
+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
+ --output $VMLINUX $VMLINUX
--
2.32.0
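Review bot: `exit -2` in the sbsign-missing branch of scripts/sign_kernel.sh is not valid POSIX sh (dash, Debian's /bin/sh, rejects it with "Illegal number" and the non-zero status is only reached by accident), and the header comment documents `MOK.priv`/`MOK.pem` while the checks and the sbsign call use `MOK.key`/`MOK.crt` and the commit message says `MOK.cer` — the comment should read `# * MOK.key (private key)` / `# * MOK.crt (certificate)`. `$0`, `$BUILDDIR` and `$VMLINUX` are also expanded unquoted into dirname and sbsign, so a source tree with a space in its path breaks the signing step. Since a kernel whose signature does not verify is refused by shim under Secure Boot, it is worth checking the result with sbverify (shipped alongside sbsign) and failing the build if it does not verify against the certificate, rather than relying on sbsign's exit status alone. Note that $VMLINUX is the arch/$(UTS_MACHINE)/boot symlink the Makefile creates on the line before the hook, so the signed image only reaches arch/x86/boot/bzImage as long as sbsign writes through that symlink rather than replacing it — resolving the argument with `readlink -f` first makes this explicit.
```shell
BUILDDIR=$(dirname "$(dirname "$0")")
VMLINUX=$(readlink -f "$1")
KEY="$BUILDDIR/keys/MOK.key"
CERT="$BUILDDIR/keys/MOK.crt"

# … unchanged: exit 0 silently when the key or certificate file is absent (checks use $KEY/$CERT) …

if ! command -v sbsign >/dev/null 2>&1; then
	echo "ERROR: sbsign not found!" >&2
	exit 2
fi

# Sign, then refuse to hand the image to packaging unless it verifies against the certificate
sbsign --key "$KEY" --cert "$CERT" --output "$VMLINUX" "$VMLINUX" || exit 1
sbverify --cert "$CERT" "$VMLINUX" || exit 1
```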


@ -1,7 +1,7 @@
From 816b7fe4a492f9f49978e39a779a89992d8d4d32 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk> From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 26 Jun 2018 16:59:01 +0100 Date: Tue, 26 Jun 2018 16:59:01 +0100
Subject: Export symbols needed by Android drivers Subject: [PATCH 1/2] Export symbols needed by Android drivers
Bug-Debian: https://bugs.debian.org/901492
We want to enable use of the Android ashmem and binder drivers to We want to enable use of the Android ashmem and binder drivers to
support Anbox, but they should not be built-in as that would waste support Anbox, but they should not be built-in as that would waste
@ -9,13 +9,22 @@ resources and increase security attack surface on systems that don't
need them. need them.
Export the currently un-exported symbols they depend on. Export the currently un-exported symbols they depend on.
--- ---
Index: linux/fs/file.c fs/file.c | 4 ++++
=================================================================== kernel/fork.c | 1 +
--- linux.orig/fs/file.c kernel/sched/core.c | 1 +
+++ linux/fs/file.c kernel/signal.c | 1 +
@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(st mm/memory.c | 1 +
mm/shmem.c | 1 +
mm/vmalloc.c | 2 ++
security/security.c | 4 ++++
8 files changed, 15 insertions(+)
diff --git a/fs/file.c b/fs/file.c
index 3762a3f136fd..3e10be834458 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(struct task_struct *task)
return files; return files;
} }
@ -23,7 +32,7 @@ Index: linux/fs/file.c
void put_files_struct(struct files_struct *files) void put_files_struct(struct files_struct *files)
{ {
@@ -421,6 +422,7 @@ void put_files_struct(struct files_struc @@ -421,6 +422,7 @@ void put_files_struct(struct files_struct *files)
kmem_cache_free(files_cachep, files); kmem_cache_free(files_cachep, files);
} }
} }
@ -31,7 +40,7 @@ Index: linux/fs/file.c
void reset_files_struct(struct files_struct *files) void reset_files_struct(struct files_struct *files)
{ {
@@ -534,6 +536,7 @@ out: @@ -534,6 +536,7 @@ int __alloc_fd(struct files_struct *files,
spin_unlock(&files->file_lock); spin_unlock(&files->file_lock);
return error; return error;
} }
@ -39,7 +48,7 @@ Index: linux/fs/file.c
static int alloc_fd(unsigned start, unsigned flags) static int alloc_fd(unsigned start, unsigned flags)
{ {
@@ -607,6 +610,7 @@ void __fd_install(struct files_struct *f @@ -607,6 +610,7 @@ void __fd_install(struct files_struct *files, unsigned int fd,
rcu_assign_pointer(fdt->fd[fd], file); rcu_assign_pointer(fdt->fd[fd], file);
rcu_read_unlock_sched(); rcu_read_unlock_sched();
} }
@ -47,11 +56,11 @@ Index: linux/fs/file.c
void fd_install(unsigned int fd, struct file *file) void fd_install(unsigned int fd, struct file *file)
{ {
Index: linux/kernel/fork.c diff --git a/kernel/fork.c b/kernel/fork.c
=================================================================== index cf535b9d5db7..08f3ff948b2d 100644
--- linux.orig/kernel/fork.c --- a/kernel/fork.c
+++ linux/kernel/fork.c +++ b/kernel/fork.c
@@ -1048,6 +1048,7 @@ void mmput_async(struct mm_struct *mm) @@ -1053,6 +1053,7 @@ void mmput_async(struct mm_struct *mm)
schedule_work(&mm->async_put_work); schedule_work(&mm->async_put_work);
} }
} }
@ -59,11 +68,23 @@ Index: linux/kernel/fork.c
#endif #endif
/** /**
Index: linux/kernel/signal.c diff --git a/kernel/sched/core.c b/kernel/sched/core.c
=================================================================== index 013b1c6cb4ed..962eef6a146c 100644
--- linux.orig/kernel/signal.c --- a/kernel/sched/core.c
+++ linux/kernel/signal.c +++ b/kernel/sched/core.c
@@ -1353,6 +1353,7 @@ struct sighand_struct *__lock_task_sigha @@ -3976,6 +3976,7 @@ int can_nice(const struct task_struct *p, const int nice)
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
capable(CAP_SYS_NICE));
}
+EXPORT_SYMBOL_GPL(can_nice);
#ifdef __ARCH_WANT_SYS_NICE
diff --git a/kernel/signal.c b/kernel/signal.c
index a02a25acf205..ab8c2d4d0e6d 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1368,6 +1368,7 @@ struct sighand_struct *__lock_task_sighand(struct task_struct *tsk,
return sighand; return sighand;
} }
@ -71,11 +92,11 @@ Index: linux/kernel/signal.c
/* /*
* send signal info to all the members of a group * send signal info to all the members of a group
Index: linux/mm/memory.c diff --git a/mm/memory.c b/mm/memory.c
=================================================================== index 49b546cdce0d..753bb3a3df81 100644
--- linux.orig/mm/memory.c --- a/mm/memory.c
+++ linux/mm/memory.c +++ b/mm/memory.c
@@ -1611,6 +1611,7 @@ void zap_page_range(struct vm_area_struc @@ -1634,6 +1634,7 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long start,
mmu_notifier_invalidate_range_end(mm, start, end); mmu_notifier_invalidate_range_end(mm, start, end);
tlb_finish_mmu(&tlb, start, end); tlb_finish_mmu(&tlb, start, end);
} }
@ -83,11 +104,11 @@ Index: linux/mm/memory.c
/** /**
* zap_page_range_single - remove user pages in a given range * zap_page_range_single - remove user pages in a given range
Index: linux/mm/shmem.c diff --git a/mm/shmem.c b/mm/shmem.c
=================================================================== index 9fd0e72757cf..4440c837318d 100644
--- linux.orig/mm/shmem.c --- a/mm/shmem.c
+++ linux/mm/shmem.c +++ b/mm/shmem.c
@@ -4039,6 +4039,7 @@ int shmem_zero_setup(struct vm_area_stru @@ -4053,6 +4053,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
return 0; return 0;
} }
@ -95,11 +116,11 @@ Index: linux/mm/shmem.c
/** /**
* shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags. * shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags.
Index: linux/mm/vmalloc.c diff --git a/mm/vmalloc.c b/mm/vmalloc.c
=================================================================== index 1817871b0239..809d14e0b06e 100644
--- linux.orig/mm/vmalloc.c --- a/mm/vmalloc.c
+++ linux/mm/vmalloc.c +++ b/mm/vmalloc.c
@@ -1299,6 +1299,7 @@ int map_kernel_range_noflush(unsigned lo @@ -1300,6 +1300,7 @@ int map_kernel_range_noflush(unsigned long addr, unsigned long size,
{ {
return vmap_page_range_noflush(addr, addr + size, prot, pages); return vmap_page_range_noflush(addr, addr + size, prot, pages);
} }
@ -107,7 +128,7 @@ Index: linux/mm/vmalloc.c
/** /**
* unmap_kernel_range_noflush - unmap kernel VM area * unmap_kernel_range_noflush - unmap kernel VM area
@@ -1439,6 +1440,7 @@ struct vm_struct *get_vm_area(unsigned l @@ -1440,6 +1441,7 @@ struct vm_struct *get_vm_area(unsigned long size, unsigned long flags)
NUMA_NO_NODE, GFP_KERNEL, NUMA_NO_NODE, GFP_KERNEL,
__builtin_return_address(0)); __builtin_return_address(0));
} }
@ -115,11 +136,11 @@ Index: linux/mm/vmalloc.c
struct vm_struct *get_vm_area_caller(unsigned long size, unsigned long flags, struct vm_struct *get_vm_area_caller(unsigned long size, unsigned long flags,
const void *caller) const void *caller)
Index: linux/security/security.c diff --git a/security/security.c b/security/security.c
=================================================================== index 9478444bf93f..9b06982fa2d4 100644
--- linux.orig/security/security.c --- a/security/security.c
+++ linux/security/security.c +++ b/security/security.c
@@ -236,24 +236,28 @@ int security_binder_set_context_mgr(stru @@ -236,24 +236,28 @@ int security_binder_set_context_mgr(struct task_struct *mgr)
{ {
return call_int_hook(binder_set_context_mgr, 0, mgr); return call_int_hook(binder_set_context_mgr, 0, mgr);
} }
@ -148,15 +169,6 @@ Index: linux/security/security.c
int security_ptrace_access_check(struct task_struct *child, unsigned int mode) int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{ {
Index: linux/kernel/sched/core.c --
=================================================================== 2.32.0
--- linux.orig/kernel/sched/core.c
+++ linux/kernel/sched/core.c
@@ -3973,6 +3973,7 @@ int can_nice(const struct task_struct *p
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
capable(CAP_SYS_NICE));
}
+EXPORT_SYMBOL_GPL(can_nice);
#ifdef __ARCH_WANT_SYS_NICE


@ -1,7 +1,7 @@
From ea5f38dafdd4a0c5482e4b4dbce0aef647411c13 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk> From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 22 Jun 2018 17:27:00 +0100 Date: Fri, 22 Jun 2018 17:27:00 +0100
Subject: android: Enable building ashmem and binder as modules Subject: [PATCH 2/2] android: Enable building ashmem and binder as modules
Bug-Debian: https://bugs.debian.org/901492
We want to enable use of the Android ashmem and binder drivers to We want to enable use of the Android ashmem and binder drivers to
support Anbox, but they should not be built-in as that would waste support Anbox, but they should not be built-in as that would waste
@ -12,12 +12,19 @@ need them.
- Change the Makefiles to build each driver as an object with the - Change the Makefiles to build each driver as an object with the
"_linux" suffix (which is what Anbox expects) "_linux" suffix (which is what Anbox expects)
- Change config symbol types to tristate - Change config symbol types to tristate
--- ---
Index: linux/drivers/android/Kconfig drivers/android/Kconfig | 2 +-
=================================================================== drivers/android/Makefile | 5 +++--
--- linux.orig/drivers/android/Kconfig drivers/android/binder_alloc.c | 2 +-
+++ linux/drivers/android/Kconfig drivers/staging/android/Kconfig | 2 +-
drivers/staging/android/Makefile | 3 ++-
drivers/staging/android/ashmem.c | 3 +++
6 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig
index 432e9ad77070..5f054abd6a10 100644
--- a/drivers/android/Kconfig
+++ b/drivers/android/Kconfig
@@ -9,7 +9,7 @@ config ANDROID @@ -9,7 +9,7 @@ config ANDROID
if ANDROID if ANDROID
@ -27,10 +34,10 @@ Index: linux/drivers/android/Kconfig
depends on MMU depends on MMU
default n default n
---help--- ---help---
Index: linux/drivers/android/Makefile diff --git a/drivers/android/Makefile b/drivers/android/Makefile
=================================================================== index a01254c43ee3..e42257997ba8 100644
--- linux.orig/drivers/android/Makefile --- a/drivers/android/Makefile
+++ linux/drivers/android/Makefile +++ b/drivers/android/Makefile
@@ -1,4 +1,5 @@ @@ -1,4 +1,5 @@
ccflags-y += -I$(src) # needed for trace events ccflags-y += -I$(src) # needed for trace events
@ -39,53 +46,10 @@ Index: linux/drivers/android/Makefile
+obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o +obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o
+binder_linux-y := binder.o binder_alloc.o +binder_linux-y := binder.o binder_alloc.o
+binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o +binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
Index: linux/drivers/staging/android/Kconfig diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
=================================================================== index 3371b986e3b4..b51dd2aaba90 100644
--- linux.orig/drivers/staging/android/Kconfig --- a/drivers/android/binder_alloc.c
+++ linux/drivers/staging/android/Kconfig +++ b/drivers/android/binder_alloc.c
@@ -3,7 +3,7 @@ menu "Android"
if ANDROID
config ASHMEM
- bool "Enable the Anonymous Shared Memory Subsystem"
+ tristate "Enable the Anonymous Shared Memory Subsystem"
default n
depends on SHMEM
help
Index: linux/drivers/staging/android/Makefile
===================================================================
--- linux.orig/drivers/staging/android/Makefile
+++ linux/drivers/staging/android/Makefile
@@ -2,5 +2,6 @@ ccflags-y += -I$(src) # needed for tra
obj-y += ion/
-obj-$(CONFIG_ASHMEM) += ashmem.o
+obj-$(CONFIG_ASHMEM) += ashmem_linux.o
+ashmem_linux-y += ashmem.o
obj-$(CONFIG_ANDROID_VSOC) += vsoc.o
Index: linux/drivers/staging/android/ashmem.c
===================================================================
--- linux.orig/drivers/staging/android/ashmem.c
+++ linux/drivers/staging/android/ashmem.c
@@ -24,6 +24,7 @@
#include <linux/bitops.h>
#include <linux/mutex.h>
#include <linux/shmem_fs.h>
+#include <linux/module.h>
#include "ashmem.h"
#define ASHMEM_NAME_PREFIX "dev/ashmem/"
@@ -924,3 +925,5 @@ out:
return ret;
}
device_initcall(ashmem_init);
+
+MODULE_LICENSE("GPL v2");
Index: linux/drivers/android/binder_alloc.c
===================================================================
--- linux.orig/drivers/android/binder_alloc.c
+++ linux/drivers/android/binder_alloc.c
@@ -44,7 +44,7 @@ enum { @@ -44,7 +44,7 @@ enum {
}; };
static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR; static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
@ -95,3 +59,49 @@ Index: linux/drivers/android/binder_alloc.c
uint, 0644); uint, 0644);
#define binder_alloc_debug(mask, x...) \ #define binder_alloc_debug(mask, x...) \
diff --git a/drivers/staging/android/Kconfig b/drivers/staging/android/Kconfig
index 17c5587805f5..c46669f32bfa 100644
--- a/drivers/staging/android/Kconfig
+++ b/drivers/staging/android/Kconfig
@@ -3,7 +3,7 @@ menu "Android"
if ANDROID
config ASHMEM
- bool "Enable the Anonymous Shared Memory Subsystem"
+ tristate "Enable the Anonymous Shared Memory Subsystem"
default n
depends on SHMEM
help
diff --git a/drivers/staging/android/Makefile b/drivers/staging/android/Makefile
index 90e6154f11a4..8202002bd72c 100644
--- a/drivers/staging/android/Makefile
+++ b/drivers/staging/android/Makefile
@@ -2,5 +2,6 @@ ccflags-y += -I$(src) # needed for trace events
obj-y += ion/
-obj-$(CONFIG_ASHMEM) += ashmem.o
+obj-$(CONFIG_ASHMEM) += ashmem_linux.o
+ashmem_linux-y += ashmem.o
obj-$(CONFIG_ANDROID_VSOC) += vsoc.o
diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index a97bbd89fae2..1f1f16c39b58 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -24,6 +24,7 @@
#include <linux/bitops.h>
#include <linux/mutex.h>
#include <linux/shmem_fs.h>
+#include <linux/module.h>
#include "ashmem.h"
#define ASHMEM_NAME_PREFIX "dev/ashmem/"
@@ -964,3 +965,5 @@ static int __init ashmem_init(void)
return ret;
}
device_initcall(ashmem_init);
+
+MODULE_LICENSE("GPL v2");
--
2.32.0