BugLink: https://bugs.launchpad.net/bugs/1980061
This sets CONFIG_COMPAT=n for riscv64 kernels. Enabling it allows 32bit
binaries to be run on 64bit kernels, but requires hardware support. So
far no chips have been released that support it and neither does
upstream Qemu. Also Ubuntu doesn't ship 32bit RISC-V binaries, so
disable this feature for now.
Signed-off-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
Acked-By: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: [Config] Merge riscv64 config and annotations
BugLink: https://bugs.launchpad.net/bugs/1979647
This adds the debian.master/config/riscv64 directory and merges
annotations and configuration from kinetic:linux-riscv.
Merging the riscv64 configuration reveals a lot of differences from the
other architectures, but this commit tries to keep the configuration as
close as possible to kinetic:linux-riscv.
Signed-off-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Paolo Pisati <paolo.pisati@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Juerg Haefliger [Fri, 24 Jun 2022 12:41:53 +0000 (14:41 +0200)]
UBUNTU: [Packaging] final-checks: Remove useless sourcing of kernelconfig
kernelconfig only defines 'archs' but 'archs' is overwritten after the
fact so remove the useless sourcing. While at it, remove a stray leading
space in the following line.
Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Juerg Haefliger [Mon, 9 May 2022 09:12:06 +0000 (11:12 +0200)]
UBUNTU: [Packaging] kernelconfig: Bubble up warnings and errors
Config annotation check failures and warnings due to incomplete config
operations are really bad, so exit the script with a non-zero status if
such errors or warnings are detected.
Ignore: yes
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Juerg Haefliger [Tue, 21 Jun 2022 13:18:22 +0000 (15:18 +0200)]
UBUNTU: SAUCE: Add selective signing of staging modules
BugLink: https://bugs.launchpad.net/bugs/1642368
'Untrusted' staging modules shouldn't be loadable in a secure boot
environment so only sign modules listed in debian/signature-inclusion.
Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Juerg Haefliger [Mon, 9 May 2022 14:25:02 +0000 (16:25 +0200)]
UBUNTU: [Packaging] Move and update signature inclusion list
BugLink: https://bugs.launchpad.net/bugs/1642368
Move the signature inclusion list from the source tree to the debian/
directory to keep the upstream source clean. While at it, remove modules
that are no longer in the staging area.
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Tue, 31 May 2022 06:15:38 +0000 (08:15 +0200)]
UBUNTU: [Config] enable CONFIG_X86_KERNEL_IBT
The rest of userspace in kinetic is built to support CET (shadow stack
and IBT), so we want to enable IBT also in the kernel to provide an
extra level of security against indirect call based attacks for Tiger
Lake CPUs and newer.
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Fri, 20 May 2022 12:55:39 +0000 (14:55 +0200)]
UBUNTU: [Config] enable CONFIG_DEVTMPFS_SAFE
BugLink: https://bugs.launchpad.net/bugs/1974442
Mount devtmpfs with nosuid,noexec to prevent mmapping special files in
/dev with PROT_EXEC or having executables setuid files.
This allows to provide a little bit of extra security in the system.
This change may potentially break some drivers that require to execute
code by mmapping /dev/mem (e.g., non-KSM video drivers).
Theoretically we shouldn't break any of the officially supported
drivers, because kernel lockdown is already preventing access to
/dev/mem.
This is just a little more relaxed constraint than kernel lockdown, but
it can still provide a reasonable level of extra security in the system
also when the kernel is not completely locked down.
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
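A check for the effect of the CONFIG_DEVTMPFS_SAFE commit above, as an added example that is not part of the Ubuntu kernel tree: it reads a mounts table in /proc/mounts format and reports whether each devtmpfs mount carries both nosuid and noexec. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Ubuntu kernel tree).
# check_devtmpfs_safe [FILE]: FILE is in /proc/mounts format
# (device mountpoint fstype options dump pass); stdin if omitted.
# Returns 0 if every devtmpfs mount has nosuid and noexec,
# 1 if any devtmpfs mount lacks one, 2 if no devtmpfs mount is listed.
check_devtmpfs_safe() {
    awk '
        $3 == "devtmpfs" {
            found = 1
            nosuid = 0; noexec = 0
            # Compare whole option names so "suid" never matches "nosuid".
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") nosuid = 1
                if (opts[i] == "noexec") noexec = 1
            }
            if (nosuid && noexec) {
                printf "OK   %s: options=%s\n", $2, $4
            } else {
                printf "WEAK %s: options=%s\n", $2, $4
                weak = 1
            }
        }
        END {
            if (!found) { print "no devtmpfs mount found"; exit 2 }
            exit (weak ? 1 : 0)
        }
    ' "${1:--}"
}

# Constructed sample lines in /proc/mounts format.
sample_hardened() {
    printf '%s\n' \
        'devtmpfs /dev devtmpfs rw,nosuid,noexec,relatime,size=4096k,mode=755 0 0' \
        'tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
}
sample_default() {
    printf '%s\n' \
        'devtmpfs /dev devtmpfs rw,relatime,size=4096k,mode=755 0 0' \
        'tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
}

# Demo on the constructed samples.
# On a live system run: check_devtmpfs_safe /proc/mounts
sample_hardened | check_devtmpfs_safe || true
sample_default | check_devtmpfs_safe || true
```

The mounts table shows the effective options, which userspace may also set when it mounts /dev, so the result describes the running system's state rather than proving how the kernel was configured.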
Even if upstream decided to enable these options by default, it is
probably safer for now to keep IOMMU disabled, to prevent potential
issues like those mentioned above.
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Audit: Fix incorrect static inline function declaration.
The LSM attributes SAUCE patches have incorrect syntax for the case
when AUDIT framework is turned off, such as zfcpdump_defconfig. This
in turn breaks building zfcpdump-kernel from Ubuntu patched sources.
Reproducer:
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- zfcpdump_defconfig
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- bzImage
BugLink: https://bugs.launchpad.net/bugs/1965766
Fixes: 558fd844dd ("UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM attributes")
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
zouxiaoh [Wed, 23 Feb 2022 02:21:25 +0000 (10:21 +0800)]
UBUNTU: SAUCE: iommu: intel-ipu: use IOMMU passthrough mode for Intel IPUs
BugLink: https://bugs.launchpad.net/bugs/1958004
Intel IPU (Image Processing Unit) has its own (IO)MMU hardware.
The IPU driver allocates its own page table that is not mapped
via the DMA, and thus the Intel IOMMU driver blocks access giving
this error:
  DMAR: DRHD: handling fault status reg 3
  DMAR: [DMA Read] Request device [00:05.0] PASID ffffffff
  fault addr 76406000 [fault reason 06] PTE Read access is not set
As IPU is not an external facing device which is not risky, so use
IOMMU passthrough mode for Intel IPUs.
Change-Id: I6dcccdadac308cf42e20a18e1b593381391e3e6b
Depends-On: Iacd67578e8c6a9b9ac73285f52b4081b72fb68a6
Tracked-On: #JIITL8-411
Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: zouxiaoh <xiaohong.zou@intel.com>
Signed-off-by: Xu Chongyang <chongyang.xu@intel.com>
(cherry picked from https://github.com/intel/ipu6-drivers/blob/5d5526d2b2811aa52590c2fa513ba989e7e594ab/patch/IOMMU-passthrough-for-intel-ipu.diff)
Signed-off-by: You-Sheng Yang <vicamo.yang@canonical.com>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
It should be better to reverse the check on codec_dai
and return early in order to be easier to understand.
Fixes: de2c6f98817f ("ASoC: soc-compress: prevent the potentially use of null pointer")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20220310030041.1556323-1-jiasheng@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
The fan curve control patches introduced a regression for at least the
TUF FX506 and possibly other TUF series laptops that do not have support
for fan curve control.
As part of the probing process, asus_wmi_evaluate_method_buf is called
to get the factory default fan curve. The WMI management function
returns 0 on certain laptops to indicate lack of fan curve control
instead of ASUS_WMI_UNSUPPORTED_METHOD. This 0 is transformed to
-ENODATA which results in failure when probing.
Fixes: 0f0ac158d28f ("platform/x86: asus-wmi: Add support for custom fan curves")
Reported-and-tested-by: Abhijeet V <abhijeetviswa@gmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20220205112840.33095-1-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>