Diffstat (limited to 'libre')
-rw-r--r--libre/linux-libre-grsec/0013-efistub-fix.patch177
-rw-r--r--libre/linux-libre-grsec/PKGBUILD33
-rw-r--r--libre/linux-libre-grsec/config.i68611
-rw-r--r--libre/linux-libre-grsec/config.x86_649
-rw-r--r--libre/linux-libre-grsec/linux-libre-grsec.install25
5 files changed, 207 insertions, 48 deletions
diff --git a/libre/linux-libre-grsec/0013-efistub-fix.patch b/libre/linux-libre-grsec/0013-efistub-fix.patch
new file mode 100644
index 000000000..a2da3b63a
--- /dev/null
+++ b/libre/linux-libre-grsec/0013-efistub-fix.patch
@@ -0,0 +1,177 @@
+From c7fb93ec51d462ec3540a729ba446663c26a0505 Mon Sep 17 00:00:00 2001
+From: Michael Brown <mbrown@fensystems.co.uk>
+Date: Thu, 10 Jul 2014 12:26:20 +0100
+Subject: x86/efi: Include a .bss section within the PE/COFF headers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The PE/COFF headers currently describe only the initialised-data
+portions of the image, and result in no space being allocated for the
+uninitialised-data portions. Consequently, the EFI boot stub will end
+up overwriting unexpected areas of memory, with unpredictable results.
+
+Fix by including a .bss section in the PE/COFF headers (functionally
+equivalent to the init_size field in the bzImage header).
+
+Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
+Cc: Thomas Bächler <thomas@archlinux.org>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+
+diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
+index 84c2234..7a6d43a 100644
+--- a/arch/x86/boot/header.S
++++ b/arch/x86/boot/header.S
+@@ -91,10 +91,9 @@ bs_die:
+
+ .section ".bsdata", "a"
+ bugger_off_msg:
+- .ascii "Direct floppy boot is not supported. "
+- .ascii "Use a boot loader program instead.\r\n"
++ .ascii "Use a boot loader.\r\n"
+ .ascii "\n"
+- .ascii "Remove disk and press any key to reboot ...\r\n"
++ .ascii "Remove disk and press any key to reboot...\r\n"
+ .byte 0
+
+ #ifdef CONFIG_EFI_STUB
+@@ -108,7 +107,7 @@ coff_header:
+ #else
+ .word 0x8664 # x86-64
+ #endif
+- .word 3 # nr_sections
++ .word 4 # nr_sections
+ .long 0 # TimeDateStamp
+ .long 0 # PointerToSymbolTable
+ .long 1 # NumberOfSymbols
+@@ -250,6 +249,25 @@ section_table:
+ .word 0 # NumberOfLineNumbers
+ .long 0x60500020 # Characteristics (section flags)
+
++ #
++ # The offset & size fields are filled in by build.c.
++ #
++ .ascii ".bss"
++ .byte 0
++ .byte 0
++ .byte 0
++ .byte 0
++ .long 0
++ .long 0x0
++ .long 0 # Size of initialized data
++ # on disk
++ .long 0x0
++ .long 0 # PointerToRelocations
++ .long 0 # PointerToLineNumbers
++ .word 0 # NumberOfRelocations
++ .word 0 # NumberOfLineNumbers
++ .long 0xc8000080 # Characteristics (section flags)
++
+ #endif /* CONFIG_EFI_STUB */
+
+ # Kernel attributes; used by setup. This is part 1 of the
+diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c
+index 1a2f212..a7661c4 100644
+--- a/arch/x86/boot/tools/build.c
++++ b/arch/x86/boot/tools/build.c
+@@ -143,7 +143,7 @@ static void usage(void)
+
+ #ifdef CONFIG_EFI_STUB
+
+-static void update_pecoff_section_header(char *section_name, u32 offset, u32 size)
++static void update_pecoff_section_header_fields(char *section_name, u32 vma, u32 size, u32 datasz, u32 offset)
+ {
+ unsigned int pe_header;
+ unsigned short num_sections;
+@@ -164,10 +164,10 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz
+ put_unaligned_le32(size, section + 0x8);
+
+ /* section header vma field */
+- put_unaligned_le32(offset, section + 0xc);
++ put_unaligned_le32(vma, section + 0xc);
+
+ /* section header 'size of initialised data' field */
+- put_unaligned_le32(size, section + 0x10);
++ put_unaligned_le32(datasz, section + 0x10);
+
+ /* section header 'file offset' field */
+ put_unaligned_le32(offset, section + 0x14);
+@@ -179,6 +179,11 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz
+ }
+ }
+
++static void update_pecoff_section_header(char *section_name, u32 offset, u32 size)
++{
++ update_pecoff_section_header_fields(section_name, offset, size, size, offset);
++}
++
+ static void update_pecoff_setup_and_reloc(unsigned int size)
+ {
+ u32 setup_offset = 0x200;
+@@ -203,9 +208,6 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz)
+
+ pe_header = get_unaligned_le32(&buf[0x3c]);
+
+- /* Size of image */
+- put_unaligned_le32(file_sz, &buf[pe_header + 0x50]);
+-
+ /*
+ * Size of code: Subtract the size of the first sector (512 bytes)
+ * which includes the header.
+@@ -220,6 +222,22 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz)
+ update_pecoff_section_header(".text", text_start, text_sz);
+ }
+
++static void update_pecoff_bss(unsigned int file_sz, unsigned int init_sz)
++{
++ unsigned int pe_header;
++ unsigned int bss_sz = init_sz - file_sz;
++
++ pe_header = get_unaligned_le32(&buf[0x3c]);
++
++ /* Size of uninitialized data */
++ put_unaligned_le32(bss_sz, &buf[pe_header + 0x24]);
++
++ /* Size of image */
++ put_unaligned_le32(init_sz, &buf[pe_header + 0x50]);
++
++ update_pecoff_section_header_fields(".bss", file_sz, bss_sz, 0, 0);
++}
++
+ static int reserve_pecoff_reloc_section(int c)
+ {
+ /* Reserve 0x20 bytes for .reloc section */
+@@ -259,6 +277,8 @@ static void efi_stub_entry_update(void)
+ static inline void update_pecoff_setup_and_reloc(unsigned int size) {}
+ static inline void update_pecoff_text(unsigned int text_start,
+ unsigned int file_sz) {}
++static inline void update_pecoff_bss(unsigned int file_sz,
++ unsigned int init_sz) {}
+ static inline void efi_stub_defaults(void) {}
+ static inline void efi_stub_entry_update(void) {}
+
+@@ -310,7 +330,7 @@ static void parse_zoffset(char *fname)
+
+ int main(int argc, char ** argv)
+ {
+- unsigned int i, sz, setup_sectors;
++ unsigned int i, sz, setup_sectors, init_sz;
+ int c;
+ u32 sys_size;
+ struct stat sb;
+@@ -376,7 +396,9 @@ int main(int argc, char ** argv)
+ buf[0x1f1] = setup_sectors-1;
+ put_unaligned_le32(sys_size, &buf[0x1f4]);
+
+- update_pecoff_text(setup_sectors * 512, sz + i + ((sys_size * 16) - sz));
++ update_pecoff_text(setup_sectors * 512, i + (sys_size * 16));
++ init_sz = get_unaligned_le32(&buf[0x260]);
++ update_pecoff_bss(i + (sys_size * 16), init_sz);
+
+ efi_stub_entry_update();
+
+--
+cgit v0.10.1
+
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index 3531e60d9..91c02221c 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -8,17 +8,18 @@
# Contributor: Sorin-Mihai Vârgolici <smv@yobicore.org>
# Contributor: Michał Masłowski <mtjm@mtjm.eu>
# Contributor: Márcio Silva <coadde@parabola.nu>
+# Contributor: Luke Shumaker <lukeshu@sbcglobal.net>
-pkgbase=linux-libre-grsec # Build stock -LIBRE-GRSEC kernel
+pkgbase=linux-libre-grsec # Build stock -libre-grsec kernel
#pkgbase=linux-libre-custom # Build kernel with a different name
_basekernel=3.15
-_sublevel=3
+_sublevel=5
_grsecver=3.0
-_timestamp=201407012153
+_timestamp=201407131211
_pkgver=${_basekernel}.${_sublevel}
pkgver=${_basekernel}.${_sublevel}.${_timestamp}
pkgrel=1
-_lxopkgver=${_basekernel}.2 # nearly always the same as pkgver
+_lxopkgver=${_basekernel}.5 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="https://grsecurity.net/"
license=('GPL2')
@@ -36,21 +37,23 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
'Kbuild.platforms'
'boot-logo.patch'
'change-default-console-loglevel.patch'
+ '0013-efistub-fix.patch'
'sysctl.conf'
"http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
- 'dfd23e705edfc0f6fcf0df1a98e58ec7ae835ec780d7092810b664093d91cd5f'
- '753d4983413740ca7d901724e11885462f2876caae6706463987e53b95578c2d'
+ '17ee14d488733298eef21d4a82986376199d92150ed9de00c25f5d9997eb02ae'
+ 'b7b65ff2ab0ff7f4d7f91e7b26060c1832de50eb35eeac1b835e5190ffaf2645'
'SKIP'
- '20d7aa7723620bcdefc0828c2ba0c5b17049e7ecb8475703ddccd9f3e84c30d7'
- 'e686e05416e6060d1345f58c0b77eff9d554c412d97df086bbcf2a97a39564ae'
+ '63e0b77252fb881ec0d1ee97ec78fd243a56bf79bf35e7e650d59631dfe9096d'
+ '434816aaaa635115b7f44b06dcd6f4037431378b4b0e9282803263c9288ab663'
'9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486'
'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b'
'55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9'
'f913384dd6dbafca476fcf4ccd35f0f497dda5f3074866022facdb92647771f6'
'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
+ '937dc895b4f5948381775a75bd198ed2f157a9f356da0ab5a5006f9f1dacde5c'
'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31'
- '09210211de26e59dcc20e48b355233fdaa572aea8e80e17acc915defc7aa7166')
+ 'ca0399ad601efd926a3d6e328d6457a7e945fe982e4f13ed39fff31982082f28')
if [ "$CARCH" != "mips64el" ]; then
# don't use the Loongson-specific patches on non-mips64el arches.
unset source[${#source[@]}-1]
@@ -58,7 +61,7 @@ if [ "$CARCH" != "mips64el" ]; then
fi
_kernelname=${pkgbase#linux-libre}
-_localversionname=-LIBRE-GRSEC
+_localversionname=-libre-grsec
prepare() {
cd "${srcdir}/linux-${_basekernel}"
@@ -82,6 +85,10 @@ prepare() {
# (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227)
patch -p1 -i "${srcdir}/change-default-console-loglevel.patch"
+ # fix efistub hang #33745
+ # https://git.kernel.org/cgit/linux/kernel/git/mfleming/efi.git/patch/?id=c7fb93ec51d462ec3540a729ba446663c26a0505
+ patch -Np1 -i "${srcdir}/0013-efistub-fix.patch"
+
if [ "$CARCH" == "mips64el" ]; then
sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile
sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \
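Review bot: The new `patch -Np1 -i "${srcdir}/0013-efistub-fix.patch"` call is written differently from the `patch -p1 -i` invocation two lines above it; `-N` makes GNU patch skip hunks that look reversed or already applied, so the two forms fail differently on a partially patched tree. Either drop the flag for consistency, `patch -p1 -i "${srcdir}/0013-efistub-fix.patch"`, or apply `-N` to every patch call so prepare() behaves uniformly. prepare() begins before this hunk, so the other patch calls in it are not visible here and I am assuming they follow the `-p1 -i` form shown.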
@@ -214,10 +221,10 @@ _package() {
# gzip -9 all modules to save 100MB of space
find "${pkgdir}" -name '*.ko' -exec gzip -9 {} \;
# make room for external modules
- ln -s "../extramodules-${_basekernel}${_localversionname:--LIBRE-GRSEC}" "${pkgdir}/lib/modules/${_kernver}/extramodules"
+ ln -s "../extramodules-${_basekernel}${_localversionname:--libre-grsec}" "${pkgdir}/lib/modules/${_kernver}/extramodules"
# add real version for building modules and running depmod from post_install/upgrade
- mkdir -p "${pkgdir}/lib/modules/extramodules-${_basekernel}${_localversionname:--LIBRE-GRSEC}"
- echo "${_kernver}" > "${pkgdir}/lib/modules/extramodules-${_basekernel}${_localversionname:--LIBRE-GRSEC}/version"
+ mkdir -p "${pkgdir}/lib/modules/extramodules-${_basekernel}${_localversionname:--libre-grsec}"
+ echo "${_kernver}" > "${pkgdir}/lib/modules/extramodules-${_basekernel}${_localversionname:--libre-grsec}/version"
# Now we call depmod...
depmod -b "${pkgdir}" -F System.map "${_kernver}"
diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686
index 0723b0a06..462fb89d7 100644
--- a/libre/linux-libre-grsec/config.i686
+++ b/libre/linux-libre-grsec/config.i686
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.1.201406222112-1 Kernel Configuration
+# Linux/x86 3.15.3.201407012153-2 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
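Review bot: The regenerated header now reads `# Linux/x86 3.15.3.201407012153-2 Kernel Configuration` while the PKGBUILD in the same commit builds 3.15.5.201407131211-1, so this config was last saved against an older source tree; config.x86_64 carries the same header in its first hunk. Any Kconfig symbols introduced between those revisions would presumably be filled in with defaults at build time rather than being reviewed here, which is easy to miss in a hardened kernel. Regenerating both files against the 3.15.5 tree (or at least updating the header so it matches pkgver) would keep the config and the package version in step.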
@@ -48,7 +48,7 @@ CONFIG_BUILDTIME_EXTABLE_SORT=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
# CONFIG_COMPILE_TEST is not set
-CONFIG_LOCALVERSION="-LIBRE-GRSEC"
+CONFIG_LOCALVERSION="-libre-grsec"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -493,7 +493,8 @@ CONFIG_SCHED_HRTICK=y
# CONFIG_CRASH_DUMP is not set
CONFIG_PHYSICAL_START=0x1000000
CONFIG_RELOCATABLE=y
-# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x20000000
CONFIG_X86_NEED_RELOCS=y
CONFIG_PHYSICAL_ALIGN=0x1000000
CONFIG_HOTPLUG_CPU=y
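Review bot: `CONFIG_RANDOMIZE_BASE=y` turns on upstream KASLR, and in this kernel series arch/x86/Kconfig declares the option with `depends on !HIBERNATION`, so hibernation must be disabled elsewhere in this file for the generated line to be valid; that is worth confirming explicitly, and the same change appears in config.x86_64 with `CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000`. The grsecurity 3.0 patch's own changes to this Kconfig block are not visible here, so please also confirm it leaves RANDOMIZE_BASE selectable alongside the PaX/grsecurity options already enabled rather than trusting the saved config. Since the commit record does not say why KASLR was enabled, a short comment in the PKGBUILD (the config files are marked DO NOT EDIT) explaining the decision would help future readers.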
@@ -6330,10 +6331,6 @@ CONFIG_TIMER_STATS=y
# CONFIG_RT_MUTEX_TESTER is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
-# CONFIG_DEBUG_LOCK_ALLOC is not set
-# CONFIG_PROVE_LOCKING is not set
-# CONFIG_LOCK_STAT is not set
# CONFIG_DEBUG_ATOMIC_SLEEP is not set
# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
# CONFIG_LOCK_TORTURE_TEST is not set
diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64
index 8b5501a57..6d2def186 100644
--- a/libre/linux-libre-grsec/config.x86_64
+++ b/libre/linux-libre-grsec/config.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.1.201406222112-1 Kernel Configuration
+# Linux/x86 3.15.3.201407012153-2 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -49,7 +49,7 @@ CONFIG_BUILDTIME_EXTABLE_SORT=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
# CONFIG_COMPILE_TEST is not set
-CONFIG_LOCALVERSION="-LIBRE-GRSEC"
+CONFIG_LOCALVERSION="-libre-grsec"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -456,6 +456,7 @@ CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
CONFIG_BALLOON_COMPACTION=y
CONFIG_COMPACTION=y
CONFIG_MIGRATION=y
+CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
CONFIG_PHYS_ADDR_T_64BIT=y
CONFIG_ZONE_DMA_FLAG=1
CONFIG_BOUNCE=y
@@ -501,7 +502,9 @@ CONFIG_SCHED_HRTICK=y
# CONFIG_CRASH_DUMP is not set
CONFIG_PHYSICAL_START=0x1000000
CONFIG_RELOCATABLE=y
-# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000
+CONFIG_X86_NEED_RELOCS=y
CONFIG_PHYSICAL_ALIGN=0x1000000
CONFIG_HOTPLUG_CPU=y
# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install
index cff18d020..637577244 100644
--- a/libre/linux-libre-grsec/linux-libre-grsec.install
+++ b/libre/linux-libre-grsec/linux-libre-grsec.install
@@ -44,29 +44,6 @@ _remove_groups() {
done
}
-_help() {
-cat <<EOF
-
-Configuration of grsecurity features via sysctl is possible in
-"/etc/sysctl.d/05-grsecurity.conf".
-
-Trusted Path Execution is disabled by default and can be enabled via the
-kernel.grsecurity.tpe sysctl option. The tpe group can be used either to build
-a whitelist for users free from the restrictions (tpe_invert = 1) or a
-blacklist of users with the restrictions (tpe_invert = 0).
-
-To prevent certain socket access to users, there are three groups:
-socket-deny-server, socket-deny-client and socket-deny-all.
-
-There is an extensive wikibook on grsecurity and some documentation in the
-Parabola GNU/Linux-libre Wiki:
-
-https://en.wikibooks.org/wiki/Grsecurity
-https://wiki.parabolagnulinux.org/Grsecurity
-
-EOF
-}
-
post_install () {
# updating module dependencies
echo ">>> Updating module dependencies. Please wait ..."
@@ -77,7 +54,6 @@ post_install () {
fi
_add_groups
- _help
}
post_upgrade() {
@@ -104,7 +80,6 @@ post_upgrade() {
fi
_add_groups
- _help
}
post_remove() {