Add Arch Linux 4.19 LTS build

.github/workflows/arch_lts.yml

@@ -0,0 +1,154 @@
+on:
+  push:
+    tags:
+      - 'arch_lts-*'
+
+name: Arch LTS
+
+env:
+  GPG_KEY_ID: 56C464BAAC421453
+
+jobs:
+  build:
+    name: Build Kernel
+    runs-on: ubuntu-latest
+    container: archlinux
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Install build dependencies
+      run: |
+        # Install makepkg deps
+        pacman -Sy --noconfirm sudo binutils fakeroot grep base-devel git sbsigntools
+
+    - name: Setup secureboot certificate
+      env:
+        SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+      run: |
+        cd pkg
+
+        # Install the surface secureboot certificate
+        echo "$SB_KEY" | base64 -d > arch/kernel-lts/MOK.key
+        cp keys/surface.crt arch/kernel-lts/MOK.crt
+
+    - name: Build
+      run: |
+        cd pkg/arch/kernel-lts
+
+        # Fix permissions (can't makepkg as root)
+        echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
+        chown -R nobody .
+
+        # Package compression settings (Matches latest Arch)
+        export PKGEXT='.pkg.tar.zst'
+        export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
+        export MAKEFLAGS="-j2"
+
+        # Build
+        su nobody --pty -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
+
+    - name: Prepare release
+      run: |
+        mkdir release
+        mv pkg/arch/kernel-lts/*.pkg.tar.zst release
+
+    - name: Sign packages
+      env:
+        GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
+      run: |
+        cd release
+
+        # import GPG key
+        echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
+        export GPG_TTY=$(tty)
+
+        # sign packages
+        ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v1
+      with:
+        name: arch-latest
+        path: release
+
+  repo:
+    name: Update package repository
+    needs: [build]
+    runs-on: ubuntu-latest
+    container: archlinux
+    steps:
+    - name: Install dependencies
+      run: |
+        pacman -Sy --noconfirm base-devel git
+
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        repository: linux-surface/repo
+        token: ${{ secrets.GITHUB_BOT_TOKEN }}
+        fetch-depth: 0
+        ref: master
+
+    - name: Download artifacts
+      uses: actions/download-artifact@v1
+      with:
+        name: arch-latest
+
+    - name: Update repository
+      env:
+        GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
+        GIT_REF: ${{ github.ref }}
+      run: |
+        cp arch-latest/* arch/
+        rm -r arch-latest
+
+        cd arch
+        repo-add -n linux-surface.db.tar.gz *.pkg.tar.zst
+
+        # Sign the updated repository
+        echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
+        gpg --detach-sign --batch --no-tty --no-armor -u $GPG_KEY_ID linux-surface.db
+        gpg --detach-sign --batch --no-tty --no-armor -u $GPG_KEY_ID linux-surface.db.tar.gz
+        gpg --detach-sign --batch --no-tty --no-armor -u $GPG_KEY_ID linux-surface.files
+        gpg --detach-sign --batch --no-tty --no-armor -u $GPG_KEY_ID linux-surface.files.tar.gz
+
+        # Parse git tag from ref
+        GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g')
+
+        # Convert packages into references
+        for pkg in $(find . -name '*.pkg.tar.zst'); do
+          echo "$GIT_TAG/$(basename $pkg)" > $pkg.blob
+          rm $pkg
+        done
+
+    - name: Commit and push
+      uses: github-actions-x/commit@v2.3
+      with:
+        github-token: ${{ secrets.GITHUB_BOT_TOKEN }}
+        push-branch: master
+        commit-message: Update arch lts kernel
+        force-add: false
+        rebase: true
+        files: arch/*
+        name: surfacebot
+        email: surfacebot@users.noreply.github.com
+
+  release:
+    name: Publish release
+    needs: [repo]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Download artifacts
+      uses: actions/download-artifact@v1
+      with:
+        name: arch-latest
+
+    - name: Upload assets
+      uses: svenstaro/upload-release-action@v1-release
+      with:
+        repo_token: ${{ secrets.GITHUB_BOT_TOKEN }}
+        file: ./*-latest/*
+        tag: ${{ github.ref }}
+        overwrite: true
+        file_glob: true

pkg/arch/kernel-lts/.gitignore

@@ -0,0 +1,4 @@
+pkg
+src
+linux-*.tar.xz
+linux-*.tar.sign

pkg/arch/kernel-lts/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch

@@ -0,0 +1,132 @@
+From 6136ffb3d88e9f044260f8288d2d0a1edd64379e Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Mon, 16 Sep 2019 04:53:20 +0200
+Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged
+ CLONE_NEWUSER
+
+Our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig            | 16 ++++++++++++++++
+ kernel/fork.c           | 15 +++++++++++++++
+ kernel/sysctl.c         | 12 ++++++++++++
+ kernel/user_namespace.c |  7 +++++++
+ 4 files changed, 50 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index bd7d650d4a99..658f9c052151 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1091,6 +1091,22 @@ config USER_NS
+ 
+ 	  If unsure, say N.
+ 
++config USER_NS_UNPRIVILEGED
++	bool "Allow unprivileged users to create namespaces"
++	default y
++	depends on USER_NS
++	help
++	  When disabled, unprivileged users will not be able to create
++	  new namespaces. Allowing users to create their own namespaces
++	  has been part of several recent local privilege escalation
++	  exploits, so if you need user namespaces but are
++	  paranoid^Wsecurity-conscious you want to disable this.
++
++	  This setting can be overridden at runtime via the
++	  kernel.unprivileged_userns_clone sysctl.
++
++	  If unsure, say Y.
++
+ config PID_NS
+ 	bool "PID Namespaces"
+ 	default y
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 541fd805fb88..ffd57c812153 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -106,6 +106,11 @@
+ 
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+ 
+ /*
+  * Minimum number of threads to boot the kernel
+@@ -1788,6 +1793,10 @@ static __latent_entropy struct task_struct *copy_process(
+ 	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ 		return ERR_PTR(-EINVAL);
+ 
++	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++		if (!capable(CAP_SYS_ADMIN))
++			return ERR_PTR(-EPERM);
++
+ 	/*
+ 	 * Thread groups must share signals as well, and detached threads
+ 	 * can only be started up within the thread group.
+@@ -2819,6 +2828,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ 	if (unshare_flags & CLONE_NEWNS)
+ 		unshare_flags |= CLONE_FS;
+ 
++	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++		err = -EPERM;
++		if (!capable(CAP_SYS_ADMIN))
++			goto bad_unshare_out;
++	}
++
+ 	err = check_unshare_flags(unshare_flags);
+ 	if (err)
+ 		goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 078950d9605b..baead3605bbe 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -110,6 +110,9 @@ extern int core_uses_pid;
+ extern char core_pattern[];
+ extern unsigned int core_pipe_limit;
+ #endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+ extern int pid_max;
+ extern int pid_max_min, pid_max_max;
+ extern int percpu_pagelist_fraction;
+@@ -545,6 +548,15 @@ static struct ctl_table kern_table[] = {
+ 		.proc_handler	= proc_dointvec,
+ 	},
+ #endif
++#ifdef CONFIG_USER_NS
++	{
++		.procname	= "unprivileged_userns_clone",
++		.data		= &unprivileged_userns_clone,
++		.maxlen		= sizeof(int),
++		.mode		= 0644,
++		.proc_handler	= proc_dointvec,
++	},
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ 	{
+ 		.procname	= "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 8eadadc478f9..c36ecd19562c 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,13 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+ 
++/* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
++int unprivileged_userns_clone;
++#endif
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+ 
+-- 
+2.23.0
+

pkg/arch/kernel-lts/0002-surface-acpi.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0001-surface-acpi.patch

pkg/arch/kernel-lts/0003-suspend.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0002-suspend.patch

pkg/arch/kernel-lts/0004-buttons.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0003-buttons.patch

pkg/arch/kernel-lts/0005-cameras.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0004-cameras.patch

pkg/arch/kernel-lts/0006-ipts.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0005-ipts.patch

pkg/arch/kernel-lts/0007-hid.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0006-hid.patch

pkg/arch/kernel-lts/0008-sdcard-reader.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0007-sdcard-reader.patch

pkg/arch/kernel-lts/0009-wifi.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0008-wifi.patch

pkg/arch/kernel-lts/0010-surface3-power.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0009-surface3-power.patch

pkg/arch/kernel-lts/0011-mwlwifi.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0010-mwlwifi.patch

pkg/arch/kernel-lts/0012-surface-lte.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0011-surface-lte.patch

pkg/arch/kernel-lts/0013-ioremap_uc.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0012-ioremap_uc.patch

pkg/arch/kernel-lts/0014-surface3-spi-dma.patch

@@ -0,0 +1 @@
+../../../patches/4.19/0013-surface3-spi-dma.patch

pkg/arch/kernel-lts/PKGBUILD

@@ -0,0 +1,224 @@
+# Maintainer: Maximilian Luz <luzmaximilian@gmail.com>
+
+pkgbase=linux-surface-lts
+pkgver=4.19.91
+pkgrel=1
+pkgdesc='LTS Linux'
+url="https://www.kernel.org/"
+arch=(x86_64)
+license=(GPL2)
+makedepends=(
+  bc kmod libelf
+  xmlto python-sphinx python-sphinx_rtd_theme graphviz imagemagick
+)
+options=('!strip')
+_srcname=linux-$pkgver
+source=(
+  https://www.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign}
+  config         # the main kernel config file
+  0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+
+  surface.config
+  0002-surface-acpi.patch
+  0003-suspend.patch
+  0004-buttons.patch
+  0005-cameras.patch
+  0006-ipts.patch
+  0007-hid.patch
+  0008-sdcard-reader.patch
+  0009-wifi.patch
+  0010-surface3-power.patch
+  0011-mwlwifi.patch
+  0012-surface-lte.patch
+  0013-ioremap_uc.patch
+  0014-surface3-spi-dma.patch
+)
+validpgpkeys=(
+  'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
+  '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
+)
+# https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
+sha256sums=('f403c3dee12ded0af1889c78871abf7a531a978ba423f1ca772de702a92c3447'
+            'SKIP'
+            '4e68572e7cc4c5368f0236e0792660ae8498373988625dca46e509399a7eaea6'
+            'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2'
+            '75080f2961b8745fc7c4f4563a8c93e7f2f47446ce736f1ad89c3de99f9ef2c1'
+            '7d7d7298d54fe768ddf4fd0e54ef23b363fafd630e3bbe60577b846175f04964'
+            '435e719d2e64c70170a6e0968cbfd5c3ed9e6fe6411e7673d5cfa364c5b68134'
+            '4791d6076f50d8b5d26e48c510d078baa8092bcea2e6108377a70f225bb7485c'
+            'fa01e1f791b1eb57780418092aaa3237619a23fcb8dc600a74d2fd3c840d67c7'
+            '147916a311af7885b245b0843aaeb65a4ab5f6e97dd501d9295cb00ec563d048'
+            'dec54176d9115cfa59f708244f76cfd39294c3455be343e262ec3f77e37f2664'
+            'f0b4652353146389a0e55f4b84c0f91658eb4425fd65904b3436070626275032'
+            '799ed876448fc37cf44042c3af79382ff898f15829888fabb48d43814da2001e'
+            'a69f0daa2fe0e2a54c0c69b8785f1345962132295f341d42abcc2ae9b4e4abc7'
+            '55758eb12bc2ef3d03bca409fc43773353c01d48920b61a10ddbaf5992fe1b64'
+            '0cc652b397a544efa47bef6f60d0ecfb9f7eeb03a70476479cc365b8adcf4e4d'
+            'ba76566bfe59e38a825e8633c23941ce314ee7e822bb167d970a3bd1a767a5ac'
+            'db52ea142e92b3dcd58c7f89ef27553df4b49ee2bde99da1fe0abb3b4dd68fc4')
+
+export KBUILD_BUILD_HOST=archlinux
+export KBUILD_BUILD_USER=$pkgbase
+export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"
+
+# optional certificate and key for secure boot signing
+_mok_crt="$PWD/MOK.crt"
+_mok_key="$PWD/MOK.key"
+
+prepare() {
+  cd $_srcname
+
+  msg2 "Setting version..."
+  scripts/setlocalversion --save-scmversion
+  echo "-$pkgrel" > localversion.10-pkgrel
+  echo "${pkgbase#linux}" > localversion.20-pkgname
+
+  local src
+  for src in "${source[@]}"; do
+    src="${src%%::*}"
+    src="${src##*/}"
+    [[ $src = *.patch ]] || continue
+    msg2 "Applying patch $src..."
+    patch -Np1 < "../$src"
+  done
+
+  msg2 "Setting config..."
+  # cp ../config .config
+  # merge the two configs together
+  ./scripts/kconfig/merge_config.sh -m ../config ../surface.config
+  make olddefconfig
+
+  make -s kernelrelease > version
+  msg2 "Prepared %s version %s" "$pkgbase" "$(<version)"
+}
+
+build() {
+  cd $_srcname
+  make bzImage modules
+}
+
+_package() {
+  pkgdesc="The $pkgdesc kernel and modules"
+  depends=(coreutils kmod initramfs)
+  optdepends=('crda: to set the correct wireless channels of your country'
+              'linux-firmware: firmware images needed for some devices')
+
+  cd $_srcname
+  local kernver="$(<version)"
+  local modulesdir="$pkgdir/usr/lib/modules/$kernver"
+  local image_name="$(make -s image_name)"
+
+  # sign boot image if the prequisites are available
+  if [[ -f "$_mok_crt" ]] && [[ -f "$_mok_key" ]] && [[ -x "$(command -v sbsign)" ]]; then
+    msg2 "Signing boot image..."
+    sbsign --key "$_mok_key" --cert "$_mok_crt" --output "$image_name" "$image_name"
+  fi
+
+  msg2 "Installing boot image..."
+  # systemd expects to find the kernel here to allow hibernation
+  # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
+  install -Dm644 "$image_name" "$modulesdir/vmlinuz"
+
+  # Used by mkinitcpio to name the kernel
+  echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"
+
+  msg2 "Installing modules..."
+  make INSTALL_MOD_PATH="$pkgdir/usr" modules_install
+
+  # remove build and source links
+  rm "$modulesdir"/{source,build}
+
+  msg2 "Fixing permissions..."
+  chmod -Rc u=rwX,go=rX "$pkgdir"
+}
+
+_package-headers() {
+  pkgdesc="Headers and scripts for building modules for the $pkgdesc kernel"
+
+  cd $_srcname
+  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
+
+  msg2 "Installing build files..."
+  install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
+    localversion.* version vmlinux
+  install -Dt "$builddir/kernel" -m644 kernel/Makefile
+  install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
+  cp -t "$builddir" -a scripts
+
+  # add objtool for external module building and enabled VALIDATION_STACK option
+  install -Dt "$builddir/tools/objtool" tools/objtool/objtool
+
+  # add xfs and shmem for aufs building
+  mkdir -p "$builddir"/{fs/xfs,mm}
+
+  # this is gone in v5.3
+  mkdir "$builddir/.tmp_versions"
+
+  msg2 "Installing headers..."
+  cp -t "$builddir" -a include
+  cp -t "$builddir/arch/x86" -a arch/x86/include
+  install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s
+
+  install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
+  install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h
+
+  # http://bugs.archlinux.org/task/13146
+  install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h
+
+  # http://bugs.archlinux.org/task/20402
+  install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
+  install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
+  install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h
+
+  msg2 "Installing KConfig files..."
+  find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;
+
+  msg2 "Removing unneeded architectures..."
+  local arch
+  for arch in "$builddir"/arch/*/; do
+    [[ $arch = */x86/ ]] && continue
+    echo "Removing $(basename "$arch")"
+    rm -r "$arch"
+  done
+
+  msg2 "Removing documentation..."
+  rm -r "$builddir/Documentation"
+
+  msg2 "Removing broken symlinks..."
+  find -L "$builddir" -type l -printf 'Removing %P\n' -delete
+
+  msg2 "Removing loose objects..."
+  find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete
+
+  msg2 "Stripping build tools..."
+  local file
+  while read -rd '' file; do
+    case "$(file -bi "$file")" in
+      application/x-sharedlib\;*)      # Libraries (.so)
+        strip -v $STRIP_SHARED "$file" ;;
+      application/x-archive\;*)        # Libraries (.a)
+        strip -v $STRIP_STATIC "$file" ;;
+      application/x-executable\;*)     # Binaries
+        strip -v $STRIP_BINARIES "$file" ;;
+      application/x-pie-executable\;*) # Relocatable binaries
+        strip -v $STRIP_SHARED "$file" ;;
+    esac
+  done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)
+
+  msg2 "Adding symlink..."
+  mkdir -p "$pkgdir/usr/src"
+  ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase"
+
+  msg2 "Fixing permissions..."
+  chmod -Rc u=rwX,go=rX "$pkgdir"
+}
+
+pkgname=("$pkgbase" "$pkgbase-headers")
+for _p in "${pkgname[@]}"; do
+  eval "package_$_p() {
+    $(declare -f "_package${_p#$pkgbase}")
+    _package${_p#$pkgbase}
+  }"
+done
+
+# vim:set ts=8 sts=2 sw=2 et:

pkg/arch/kernel-lts/surface.config

@@ -0,0 +1,30 @@
+#
+# Intel IPTS Touchscreen
+#
+CONFIG_INTEL_IPTS=m
+CONFIG_INTEL_IPTS_SURFACE=m
+
+#
+# Surface Aggregator Module
+#
+CONFIG_SURFACE_SAM=m
+CONFIG_SURFACE_SAM_SSH=m
+CONFIG_SURFACE_SAM_SSH_DEBUG_DEVICE=y
+CONFIG_SURFACE_SAM_SAN=m
+CONFIG_SURFACE_SAM_VHF=m
+CONFIG_SURFACE_SAM_DTX=m
+CONFIG_SURFACE_SAM_HPS=m
+CONFIG_SURFACE_SAM_SID=m
+CONFIG_SURFACE_SAM_SID_GPELID=m
+CONFIG_SURFACE_SAM_SID_PERFMODE=m
+CONFIG_SURFACE_SAM_SID_VHF=m
+CONFIG_SURFACE_SAM_SID_POWER=m
+
+#
+# Other Drivers
+#
+CONFIG_INPUT_SOC_BUTTON_ARRAY=m
+CONFIG_SURFACE_3_POWER_OPREGION=m
+CONFIG_SURFACE_3_BUTTON=m
+CONFIG_SURFACE_3_POWER_OPREGION=m
+CONFIG_SURFACE_PRO3_BUTTON=m