pkd/debian: Update extra patches for LTS kernel
This commit is contained in:
parent
780af34a1f
commit
4130746c31
|
@ -1 +0,0 @@
|
|||
../../fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
|
|
@ -0,0 +1,87 @@
|
|||
From c1384dfce8f7a364a73b69c18238db635454ec6a Mon Sep 17 00:00:00 2001
|
||||
From: Dorian Stoll <dorian.stoll@tmsp.io>
|
||||
Date: Sun, 22 Sep 2019 22:44:16 +0200
|
||||
Subject: [PATCH] Add secureboot pre-signing to the kernel
|
||||
|
||||
If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
|
||||
the kernel Makefile will automatically sign the vmlinux / bzImage file that
|
||||
gets generated, and that is then used in packaging.
|
||||
|
||||
By integrating it into the kernel build system directly, it is fully integrated
|
||||
with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
|
||||
and it gets added to every tree by the same mechanism that is used to apply the
|
||||
other surface patches anyways.
|
||||
|
||||
Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
|
||||
---
|
||||
.gitignore | 3 +++
|
||||
arch/x86/Makefile | 1 +
|
||||
scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
|
||||
3 files changed, 34 insertions(+)
|
||||
create mode 100755 scripts/sign_kernel.sh
|
||||
|
||||
diff --git a/.gitignore b/.gitignore
|
||||
index 97ba6b79834c..490f0526ed66 100644
|
||||
--- a/.gitignore
|
||||
+++ b/.gitignore
|
||||
@@ -127,6 +127,9 @@ signing_key.priv
|
||||
signing_key.x509
|
||||
x509.genkey
|
||||
|
||||
+# Secureboot certificate
|
||||
+/keys/
|
||||
+
|
||||
# Kconfig presets
|
||||
all.config
|
||||
|
||||
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
|
||||
index 65a8722e784c..68ddcd308384 100644
|
||||
--- a/arch/x86/Makefile
|
||||
+++ b/arch/x86/Makefile
|
||||
@@ -296,6 +296,7 @@ endif
|
||||
$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
|
||||
$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
|
||||
$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
||||
+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
||||
|
||||
$(BOOT_TARGETS): vmlinux
|
||||
$(Q)$(MAKE) $(build)=$(boot) $@
|
||||
diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
|
||||
new file mode 100755
|
||||
index 000000000000..d2526a279254
|
||||
--- /dev/null
|
||||
+++ b/scripts/sign_kernel.sh
|
||||
@@ -0,0 +1,30 @@
|
||||
+#!/bin/sh
|
||||
+# SPDX-License-Identifier: GPL-2.0
|
||||
+
|
||||
+# The path to the compiled kernel image is passed as the first argument
|
||||
+BUILDDIR=$(dirname $(dirname $0))
|
||||
+VMLINUX=$1
|
||||
+
|
||||
+# Keys are stored in a toplevel directory called keys
|
||||
+# The following files need to be there:
|
||||
+# * MOK.priv (private key)
|
||||
+# * MOK.pem (public key)
|
||||
+#
|
||||
+# If the files don't exist, this script will do nothing.
|
||||
+if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
+# Both required certificates were found. Check if sbsign is installed.
|
||||
+echo "Keys for automatic secureboot signing found."
|
||||
+if [ ! -x "$(command -v sbsign)" ]; then
|
||||
+ echo "ERROR: sbsign not found!"
|
||||
+ exit -2
|
||||
+fi
|
||||
+
|
||||
+# Sign the kernel
|
||||
+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
|
||||
+ --output $VMLINUX $VMLINUX
|
||||
--
|
||||
2.32.0
|
||||
|
|
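Review bot: The key-file comment in the new scripts/sign_kernel.sh (`# * MOK.priv (private key)` / `# * MOK.pem (public key)`) disagrees with the checks directly below it, which test `keys/MOK.key` and `keys/MOK.crt`, and the patch description names a third pair, `keys/MOK.key` and `keys/MOK.cer`; anyone placing keys by the comment gets a silent unsigned build, because the missing-file branches `exit 0` without printing anything. `exit -2` is also not a valid POSIX exit status (dash rejects it as an illegal number), and `$0`, `$VMLINUX` and the key paths are unquoted, so a tree path containing whitespace breaks both the dirname call and the sbsign invocation. BUILDDIR is derived from `$0`, i.e. `$(srctree)/scripts/..`, while the Makefile hunk passes an `$(objtree)` path, so for an O= build the keys are presumably expected in the source tree rather than the build tree; the comment should say which. A rewrite of the script body is below; the .gitignore and arch/x86/Makefile hunks are unchanged.
```shell
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0

# The path to the compiled kernel image is passed as the first argument.
# Keys are looked up relative to the source tree (the directory that holds
# scripts/), not the object tree, so for O= builds place them in $(srctree)/keys.
SRCDIR=$(dirname "$(dirname "$0")")
VMLINUX=$1

# Keys are stored in a toplevel directory called keys.
# The following files need to be there:
# * MOK.key (private key)
# * MOK.crt (certificate)
#
# If the files don't exist, this script will do nothing.
if [ ! -f "$SRCDIR/keys/MOK.key" ] || [ ! -f "$SRCDIR/keys/MOK.crt" ]; then
    exit 0
fi

# … unchanged: "Keys for automatic secureboot signing found." message …
if [ ! -x "$(command -v sbsign)" ]; then
    echo "ERROR: sbsign not found!" >&2
    exit 1
fi

# Sign the kernel
sbsign --key "$SRCDIR/keys/MOK.key" --cert "$SRCDIR/keys/MOK.crt" \
    --output "$VMLINUX" "$VMLINUX"
```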
@ -1,7 +1,7 @@
|
|||
From 816b7fe4a492f9f49978e39a779a89992d8d4d32 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Tue, 26 Jun 2018 16:59:01 +0100
|
||||
Subject: Export symbols needed by Android drivers
|
||||
Bug-Debian: https://bugs.debian.org/901492
|
||||
Subject: [PATCH 1/2] Export symbols needed by Android drivers
|
||||
|
||||
We want to enable use of the Android ashmem and binder drivers to
|
||||
support Anbox, but they should not be built-in as that would waste
|
||||
|
@ -9,13 +9,22 @@ resources and increase security attack surface on systems that don't
|
|||
need them.
|
||||
|
||||
Export the currently un-exported symbols they depend on.
|
||||
|
||||
---
|
||||
Index: linux/fs/file.c
|
||||
===================================================================
|
||||
--- linux.orig/fs/file.c
|
||||
+++ linux/fs/file.c
|
||||
@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(st
|
||||
fs/file.c | 4 ++++
|
||||
kernel/fork.c | 1 +
|
||||
kernel/sched/core.c | 1 +
|
||||
kernel/signal.c | 1 +
|
||||
mm/memory.c | 1 +
|
||||
mm/shmem.c | 1 +
|
||||
mm/vmalloc.c | 2 ++
|
||||
security/security.c | 4 ++++
|
||||
8 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/fs/file.c b/fs/file.c
|
||||
index 3762a3f136fd..3e10be834458 100644
|
||||
--- a/fs/file.c
|
||||
+++ b/fs/file.c
|
||||
@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(struct task_struct *task)
|
||||
|
||||
return files;
|
||||
}
|
||||
|
@ -23,7 +32,7 @@ Index: linux/fs/file.c
|
|||
|
||||
void put_files_struct(struct files_struct *files)
|
||||
{
|
||||
@@ -421,6 +422,7 @@ void put_files_struct(struct files_struc
|
||||
@@ -421,6 +422,7 @@ void put_files_struct(struct files_struct *files)
|
||||
kmem_cache_free(files_cachep, files);
|
||||
}
|
||||
}
|
||||
|
@ -31,7 +40,7 @@ Index: linux/fs/file.c
|
|||
|
||||
void reset_files_struct(struct files_struct *files)
|
||||
{
|
||||
@@ -534,6 +536,7 @@ out:
|
||||
@@ -534,6 +536,7 @@ int __alloc_fd(struct files_struct *files,
|
||||
spin_unlock(&files->file_lock);
|
||||
return error;
|
||||
}
|
||||
|
@ -39,7 +48,7 @@ Index: linux/fs/file.c
|
|||
|
||||
static int alloc_fd(unsigned start, unsigned flags)
|
||||
{
|
||||
@@ -607,6 +610,7 @@ void __fd_install(struct files_struct *f
|
||||
@@ -607,6 +610,7 @@ void __fd_install(struct files_struct *files, unsigned int fd,
|
||||
rcu_assign_pointer(fdt->fd[fd], file);
|
||||
rcu_read_unlock_sched();
|
||||
}
|
||||
|
@ -47,11 +56,11 @@ Index: linux/fs/file.c
|
|||
|
||||
void fd_install(unsigned int fd, struct file *file)
|
||||
{
|
||||
Index: linux/kernel/fork.c
|
||||
===================================================================
|
||||
--- linux.orig/kernel/fork.c
|
||||
+++ linux/kernel/fork.c
|
||||
@@ -1048,6 +1048,7 @@ void mmput_async(struct mm_struct *mm)
|
||||
diff --git a/kernel/fork.c b/kernel/fork.c
|
||||
index cf535b9d5db7..08f3ff948b2d 100644
|
||||
--- a/kernel/fork.c
|
||||
+++ b/kernel/fork.c
|
||||
@@ -1053,6 +1053,7 @@ void mmput_async(struct mm_struct *mm)
|
||||
schedule_work(&mm->async_put_work);
|
||||
}
|
||||
}
|
||||
|
@ -59,11 +68,23 @@ Index: linux/kernel/fork.c
|
|||
#endif
|
||||
|
||||
/**
|
||||
Index: linux/kernel/signal.c
|
||||
===================================================================
|
||||
--- linux.orig/kernel/signal.c
|
||||
+++ linux/kernel/signal.c
|
||||
@@ -1353,6 +1353,7 @@ struct sighand_struct *__lock_task_sigha
|
||||
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
|
||||
index 013b1c6cb4ed..962eef6a146c 100644
|
||||
--- a/kernel/sched/core.c
|
||||
+++ b/kernel/sched/core.c
|
||||
@@ -3976,6 +3976,7 @@ int can_nice(const struct task_struct *p, const int nice)
|
||||
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
|
||||
capable(CAP_SYS_NICE));
|
||||
}
|
||||
+EXPORT_SYMBOL_GPL(can_nice);
|
||||
|
||||
#ifdef __ARCH_WANT_SYS_NICE
|
||||
|
||||
diff --git a/kernel/signal.c b/kernel/signal.c
|
||||
index a02a25acf205..ab8c2d4d0e6d 100644
|
||||
--- a/kernel/signal.c
|
||||
+++ b/kernel/signal.c
|
||||
@@ -1368,6 +1368,7 @@ struct sighand_struct *__lock_task_sighand(struct task_struct *tsk,
|
||||
|
||||
return sighand;
|
||||
}
|
||||
|
@ -71,11 +92,11 @@ Index: linux/kernel/signal.c
|
|||
|
||||
/*
|
||||
* send signal info to all the members of a group
|
||||
Index: linux/mm/memory.c
|
||||
===================================================================
|
||||
--- linux.orig/mm/memory.c
|
||||
+++ linux/mm/memory.c
|
||||
@@ -1611,6 +1611,7 @@ void zap_page_range(struct vm_area_struc
|
||||
diff --git a/mm/memory.c b/mm/memory.c
|
||||
index 49b546cdce0d..753bb3a3df81 100644
|
||||
--- a/mm/memory.c
|
||||
+++ b/mm/memory.c
|
||||
@@ -1634,6 +1634,7 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long start,
|
||||
mmu_notifier_invalidate_range_end(mm, start, end);
|
||||
tlb_finish_mmu(&tlb, start, end);
|
||||
}
|
||||
|
@ -83,11 +104,11 @@ Index: linux/mm/memory.c
|
|||
|
||||
/**
|
||||
* zap_page_range_single - remove user pages in a given range
|
||||
Index: linux/mm/shmem.c
|
||||
===================================================================
|
||||
--- linux.orig/mm/shmem.c
|
||||
+++ linux/mm/shmem.c
|
||||
@@ -4039,6 +4039,7 @@ int shmem_zero_setup(struct vm_area_stru
|
||||
diff --git a/mm/shmem.c b/mm/shmem.c
|
||||
index 9fd0e72757cf..4440c837318d 100644
|
||||
--- a/mm/shmem.c
|
||||
+++ b/mm/shmem.c
|
||||
@@ -4053,6 +4053,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -95,11 +116,11 @@ Index: linux/mm/shmem.c
|
|||
|
||||
/**
|
||||
* shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags.
|
||||
Index: linux/mm/vmalloc.c
|
||||
===================================================================
|
||||
--- linux.orig/mm/vmalloc.c
|
||||
+++ linux/mm/vmalloc.c
|
||||
@@ -1299,6 +1299,7 @@ int map_kernel_range_noflush(unsigned lo
|
||||
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
|
||||
index 1817871b0239..809d14e0b06e 100644
|
||||
--- a/mm/vmalloc.c
|
||||
+++ b/mm/vmalloc.c
|
||||
@@ -1300,6 +1300,7 @@ int map_kernel_range_noflush(unsigned long addr, unsigned long size,
|
||||
{
|
||||
return vmap_page_range_noflush(addr, addr + size, prot, pages);
|
||||
}
|
||||
|
@ -107,7 +128,7 @@ Index: linux/mm/vmalloc.c
|
|||
|
||||
/**
|
||||
* unmap_kernel_range_noflush - unmap kernel VM area
|
||||
@@ -1439,6 +1440,7 @@ struct vm_struct *get_vm_area(unsigned l
|
||||
@@ -1440,6 +1441,7 @@ struct vm_struct *get_vm_area(unsigned long size, unsigned long flags)
|
||||
NUMA_NO_NODE, GFP_KERNEL,
|
||||
__builtin_return_address(0));
|
||||
}
|
||||
|
@ -115,11 +136,11 @@ Index: linux/mm/vmalloc.c
|
|||
|
||||
struct vm_struct *get_vm_area_caller(unsigned long size, unsigned long flags,
|
||||
const void *caller)
|
||||
Index: linux/security/security.c
|
||||
===================================================================
|
||||
--- linux.orig/security/security.c
|
||||
+++ linux/security/security.c
|
||||
@@ -236,24 +236,28 @@ int security_binder_set_context_mgr(stru
|
||||
diff --git a/security/security.c b/security/security.c
|
||||
index 9478444bf93f..9b06982fa2d4 100644
|
||||
--- a/security/security.c
|
||||
+++ b/security/security.c
|
||||
@@ -236,24 +236,28 @@ int security_binder_set_context_mgr(struct task_struct *mgr)
|
||||
{
|
||||
return call_int_hook(binder_set_context_mgr, 0, mgr);
|
||||
}
|
||||
|
@ -148,15 +169,6 @@ Index: linux/security/security.c
|
|||
|
||||
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
|
||||
{
|
||||
Index: linux/kernel/sched/core.c
|
||||
===================================================================
|
||||
--- linux.orig/kernel/sched/core.c
|
||||
+++ linux/kernel/sched/core.c
|
||||
@@ -3973,6 +3973,7 @@ int can_nice(const struct task_struct *p
|
||||
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
|
||||
capable(CAP_SYS_NICE));
|
||||
}
|
||||
+EXPORT_SYMBOL_GPL(can_nice);
|
||||
|
||||
#ifdef __ARCH_WANT_SYS_NICE
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
From ea5f38dafdd4a0c5482e4b4dbce0aef647411c13 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Fri, 22 Jun 2018 17:27:00 +0100
|
||||
Subject: android: Enable building ashmem and binder as modules
|
||||
Bug-Debian: https://bugs.debian.org/901492
|
||||
Subject: [PATCH 2/2] android: Enable building ashmem and binder as modules
|
||||
|
||||
We want to enable use of the Android ashmem and binder drivers to
|
||||
support Anbox, but they should not be built-in as that would waste
|
||||
|
@ -12,12 +12,19 @@ need them.
|
|||
- Change the Makefiles to build each driver as an object with the
|
||||
"_linux" suffix (which is what Anbox expects)
|
||||
- Change config symbol types to tristate
|
||||
|
||||
---
|
||||
Index: linux/drivers/android/Kconfig
|
||||
===================================================================
|
||||
--- linux.orig/drivers/android/Kconfig
|
||||
+++ linux/drivers/android/Kconfig
|
||||
drivers/android/Kconfig | 2 +-
|
||||
drivers/android/Makefile | 5 +++--
|
||||
drivers/android/binder_alloc.c | 2 +-
|
||||
drivers/staging/android/Kconfig | 2 +-
|
||||
drivers/staging/android/Makefile | 3 ++-
|
||||
drivers/staging/android/ashmem.c | 3 +++
|
||||
6 files changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig
|
||||
index 432e9ad77070..5f054abd6a10 100644
|
||||
--- a/drivers/android/Kconfig
|
||||
+++ b/drivers/android/Kconfig
|
||||
@@ -9,7 +9,7 @@ config ANDROID
|
||||
if ANDROID
|
||||
|
||||
|
@ -27,10 +34,10 @@ Index: linux/drivers/android/Kconfig
|
|||
depends on MMU
|
||||
default n
|
||||
---help---
|
||||
Index: linux/drivers/android/Makefile
|
||||
===================================================================
|
||||
--- linux.orig/drivers/android/Makefile
|
||||
+++ linux/drivers/android/Makefile
|
||||
diff --git a/drivers/android/Makefile b/drivers/android/Makefile
|
||||
index a01254c43ee3..e42257997ba8 100644
|
||||
--- a/drivers/android/Makefile
|
||||
+++ b/drivers/android/Makefile
|
||||
@@ -1,4 +1,5 @@
|
||||
ccflags-y += -I$(src) # needed for trace events
|
||||
|
||||
|
@ -39,53 +46,10 @@ Index: linux/drivers/android/Makefile
|
|||
+obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o
|
||||
+binder_linux-y := binder.o binder_alloc.o
|
||||
+binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
|
||||
Index: linux/drivers/staging/android/Kconfig
|
||||
===================================================================
|
||||
--- linux.orig/drivers/staging/android/Kconfig
|
||||
+++ linux/drivers/staging/android/Kconfig
|
||||
@@ -3,7 +3,7 @@ menu "Android"
|
||||
if ANDROID
|
||||
|
||||
config ASHMEM
|
||||
- bool "Enable the Anonymous Shared Memory Subsystem"
|
||||
+ tristate "Enable the Anonymous Shared Memory Subsystem"
|
||||
default n
|
||||
depends on SHMEM
|
||||
help
|
||||
Index: linux/drivers/staging/android/Makefile
|
||||
===================================================================
|
||||
--- linux.orig/drivers/staging/android/Makefile
|
||||
+++ linux/drivers/staging/android/Makefile
|
||||
@@ -2,5 +2,6 @@ ccflags-y += -I$(src) # needed for tra
|
||||
|
||||
obj-y += ion/
|
||||
|
||||
-obj-$(CONFIG_ASHMEM) += ashmem.o
|
||||
+obj-$(CONFIG_ASHMEM) += ashmem_linux.o
|
||||
+ashmem_linux-y += ashmem.o
|
||||
obj-$(CONFIG_ANDROID_VSOC) += vsoc.o
|
||||
Index: linux/drivers/staging/android/ashmem.c
|
||||
===================================================================
|
||||
--- linux.orig/drivers/staging/android/ashmem.c
|
||||
+++ linux/drivers/staging/android/ashmem.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <linux/bitops.h>
|
||||
#include <linux/mutex.h>
|
||||
#include <linux/shmem_fs.h>
|
||||
+#include <linux/module.h>
|
||||
#include "ashmem.h"
|
||||
|
||||
#define ASHMEM_NAME_PREFIX "dev/ashmem/"
|
||||
@@ -924,3 +925,5 @@ out:
|
||||
return ret;
|
||||
}
|
||||
device_initcall(ashmem_init);
|
||||
+
|
||||
+MODULE_LICENSE("GPL v2");
|
||||
Index: linux/drivers/android/binder_alloc.c
|
||||
===================================================================
|
||||
--- linux.orig/drivers/android/binder_alloc.c
|
||||
+++ linux/drivers/android/binder_alloc.c
|
||||
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
|
||||
index 3371b986e3b4..b51dd2aaba90 100644
|
||||
--- a/drivers/android/binder_alloc.c
|
||||
+++ b/drivers/android/binder_alloc.c
|
||||
@@ -44,7 +44,7 @@ enum {
|
||||
};
|
||||
static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
|
||||
|
@ -95,3 +59,49 @@ Index: linux/drivers/android/binder_alloc.c
|
|||
uint, 0644);
|
||||
|
||||
#define binder_alloc_debug(mask, x...) \
|
||||
diff --git a/drivers/staging/android/Kconfig b/drivers/staging/android/Kconfig
|
||||
index 17c5587805f5..c46669f32bfa 100644
|
||||
--- a/drivers/staging/android/Kconfig
|
||||
+++ b/drivers/staging/android/Kconfig
|
||||
@@ -3,7 +3,7 @@ menu "Android"
|
||||
if ANDROID
|
||||
|
||||
config ASHMEM
|
||||
- bool "Enable the Anonymous Shared Memory Subsystem"
|
||||
+ tristate "Enable the Anonymous Shared Memory Subsystem"
|
||||
default n
|
||||
depends on SHMEM
|
||||
help
|
||||
diff --git a/drivers/staging/android/Makefile b/drivers/staging/android/Makefile
|
||||
index 90e6154f11a4..8202002bd72c 100644
|
||||
--- a/drivers/staging/android/Makefile
|
||||
+++ b/drivers/staging/android/Makefile
|
||||
@@ -2,5 +2,6 @@ ccflags-y += -I$(src) # needed for trace events
|
||||
|
||||
obj-y += ion/
|
||||
|
||||
-obj-$(CONFIG_ASHMEM) += ashmem.o
|
||||
+obj-$(CONFIG_ASHMEM) += ashmem_linux.o
|
||||
+ashmem_linux-y += ashmem.o
|
||||
obj-$(CONFIG_ANDROID_VSOC) += vsoc.o
|
||||
diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
|
||||
index a97bbd89fae2..1f1f16c39b58 100644
|
||||
--- a/drivers/staging/android/ashmem.c
|
||||
+++ b/drivers/staging/android/ashmem.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <linux/bitops.h>
|
||||
#include <linux/mutex.h>
|
||||
#include <linux/shmem_fs.h>
|
||||
+#include <linux/module.h>
|
||||
#include "ashmem.h"
|
||||
|
||||
#define ASHMEM_NAME_PREFIX "dev/ashmem/"
|
||||
@@ -964,3 +965,5 @@ static int __init ashmem_init(void)
|
||||
return ret;
|
||||
}
|
||||
device_initcall(ashmem_init);
|
||||
+
|
||||
+MODULE_LICENSE("GPL v2");
|
||||
--
|
||||
2.32.0
|
||||
|