Building dell_rbu module
by Major Hayden
Hey folks,
I've rebuilt quite a few Fedora kernels to enable the dell_rbu module for firmware updates on various Dell servers, workstations, and laptops that are running Fedora 21 and 22. Would it be possible to have it enabled in the normal kernel builds?
I found a bugzilla ticket[1] referenced in the kernel config[2] that points to some installation issues in Fedora 20. I can't tell if the bug was within dell_rbu or perhaps in systemd-udevd from the ticket. However, I've had success loading the module on various Dell equipment over the last 18 months or so.
If we enable it, could we ensure that it's not enabled by default? I wondered if a kernel subpackage would be helpful but that seems a bit like overkill.
Thanks!
[1] https://bugzilla.redhat.com/show_bug.cgi?id=997149
[2] http://pkgs.fedoraproject.org/cgit/kernel.git/tree/config-x86-generic?h=f22
--
Major Hayden
7 years, 9 months
initramfs vs installer initrd
by Prarit Bhargava
[This may not be the place to ask this question. If I'm not in the right place
could someone point me to the correct list? TIA]
I'm wondering about why the rpm kernel install (via dracut) method results in an
initramfs but the install targets have an initrd. Is there any technical reason
for the difference?
Thanks,
P.
8 years, 1 month
[PATCH] kexec/uefi: copy secure boot flag in boot params across kexec reboot
by Dave Young
Kexec reboot in case secure boot is enabled does not keep the secure boot mode
in the new kernel, so later one can load an unsigned kernel via legacy kexec_load.
Adding a patch to fix this by retaining the secure_boot flag of the original kernel.
Signed-off-by: Dave Young <dyoung(a)redhat.com>
---
kernel.spec | 2 ++
...uefi-copy-secure_boot-flag-in-boot-params.patch | 30 ++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
diff --git a/kernel.spec b/kernel.spec
index e91ef9d..469a2a2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -587,6 +587,8 @@ Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
#rhbz 1244511
Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
+Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
+
Patch904: kdbus.patch
# END OF PATCH DEFINITIONS
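Review bot: Patch508 is defined without the kind of comment line its neighbour carries (`#rhbz 1244511` above Patch507), so nothing in the spec says what the patch is for or which bug it tracks. Add a one-line comment above it. This is also the only kernel.spec hunk in the patch (2 insertions), so confirm that the spec actually applies Patch508 during %prep, since no apply step is visible in this diff.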
diff --git a/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
new file mode 100644
index 0000000..e239ea9
--- /dev/null
+++ b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
@@ -0,0 +1,30 @@
+From: Dave Young <dyoung(a)redhat.com>
+
+[PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot
+
+Kexec reboot in case secure boot being enabled does not keep the secure boot
+mode in new kernel, so later one can load unsigned kernel via legacy kexec_load.
+In this state, the system is missing the protections provided by secure boot.
+
+Adding a patch to fix this by retain the secure_boot flag in original kernel.
+
+secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub.
+Fixing this issue by copying secure_boot flag across kexec reboot.
+
+Signed-off-by: Dave Young <dyoung(a)redhat.com>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index 9642b9b..0539ec7 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
+ if (efi_enabled(EFI_OLD_MEMMAP))
+ return 0;
+
++ params->secure_boot = boot_params.secure_boot;
+ ei->efi_loader_signature = current_ei->efi_loader_signature;
+ ei->efi_systab = current_ei->efi_systab;
+ ei->efi_systab_hi = current_ei->efi_systab_hi;
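Review bot: The new assignment `params->secure_boot = boot_params.secure_boot;` sits after the `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` early return, so when the old EFI memory map is in use the function returns before the flag is copied and the kexec'ed kernel still starts without it. The flag lives in `params`, not in the `ei` fields copied below it, so it does not depend on that check: move the assignment above the early return (or into the caller) so it is propagated on every path, and say in the commit message which paths are covered.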
--
1.8.3.1
8 years, 1 month
[Patch] kernel-tests master: Fix path to ignore-files.sh in sysfs-perms test
by Donavan Lance
Without this change the sysfs-perms test was failing and printing
"ignore-files.sh: command not found" into the kernel-tests log.
This patch fixes that error and allows the sysfs-perms test to run.
Signed-off-by: Donavan Lance <tusklahoma(a)gmail.com>
---
default/sysfs-perms/runtest.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default/sysfs-perms/runtest.sh b/default/sysfs-perms/runtest.sh
index 351af76..54c4c28 100755
--- a/default/sysfs-perms/runtest.sh
+++ b/default/sysfs-perms/runtest.sh
@@ -6,7 +6,7 @@ COUNT=$(find /sys -type f -perm 666 | ./ignore-files.sh | wc -l)
if [ "$COUNT" != "0" ]; then
echo Found world-writable files in sysfs.
- find /sys -type f -perm 666 | ignore-files.sh
+ find /sys -type f -perm 666 | ./ignore-files.sh
exit -1
fi
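Review bot: `./ignore-files.sh` on the changed line resolves against the current working directory, so the test only works when runtest.sh is started from default/sysfs-perms/. Resolving the helper relative to the script's own location would make both this call and the one in the `COUNT=` line independent of where the harness runs it. Two smaller points in the context lines: `exit -1` is outside the 0-255 range of exit statuses (use `exit 1`), and `-perm 666` matches only files whose mode is exactly 666, so world-writable files with any other mode are not reported even though the message says "world-writable".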
--
2.4.3
8 years, 2 months
[PATCH] Always enable mmiotrace when building x86 kernels
by Hans de Goede
mmiotrace uses the ftrace framework for dynamic patching, so enabling it
does not cause any performance impact.
Having mmiotrace enabled is very useful for debugging nvidia / nouveau
driver problems, as we often use mmiotraces for nouveau development /
debugging.
Signed-off-by: Hans de Goede <hdegoede(a)redhat.com>
---
config-x86-generic | 1 +
kernel.spec | 3 +++
2 files changed, 4 insertions(+)
diff --git a/config-x86-generic b/config-x86-generic
index 9ba3354..eb78690 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -66,6 +66,7 @@ CONFIG_CAPI_EICON=y
#
CONFIG_X86_MPPARSE=y
# CONFIG_X86_VERBOSE_BOOTUP is not set
+CONFIG_MMIOTRACE=y
# CONFIG_MMIOTRACE_TEST is not set
# CONFIG_DEBUG_PER_CPU_MAPS is not set
CONFIG_DEBUG_RODATA=y
diff --git a/kernel.spec b/kernel.spec
index 4ccceec..cdb59d4 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -2025,6 +2025,9 @@ fi
#
%changelog
* Tue Aug 04 2015 Hans de Goede <hdegoede(a)redhat.com>
+- Always enable mmiotrace when building x86 kernels
+
+* Tue Aug 04 2015 Hans de Goede <hdegoede(a)redhat.com>
- Move joydev.ko from kernel-modules-extra to kernel-modules
* Mon Aug 03 2015 Josh Boyer <jwboyer(a)fedoraproject.org>
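Review bot: The added lines leave two consecutive `* Tue Aug 04 2015 Hans de Goede` headers in %changelog, one for the mmiotrace entry and one for the joydev entry. Entries with the same date and author can share one header: add `- Always enable mmiotrace when building x86 kernels` as a second item under the existing header instead of inserting a new one.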
--
2.4.3
8 years, 2 months
[PATCH] Move joydev.ko from kernel-modules-extra to kernel-modules
by Hans de Goede
Unlike the other joystick modules joydev is not just needed for old analog
joysticks, but also to provide /dev/js? devices with new usb connected
joysticks.
Many games still use the (old) /dev/js interface, and will not work ootb
unless kernel-modules-extra is installed. Moving joydev.ko to the main
kernel package fixes this.
Signed-off-by: Hans de Goede <hdegoede(a)redhat.com>
---
kernel.spec | 3 +++
mod-extra.list | 1 -
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel.spec b/kernel.spec
index 32d084f..4ccceec 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -2024,6 +2024,9 @@ fi
#
#
%changelog
+* Tue Aug 04 2015 Hans de Goede <hdegoede(a)redhat.com>
+- Move joydev.ko from kernel-modules-extra to kernel-modules
+
* Mon Aug 03 2015 Josh Boyer <jwboyer(a)fedoraproject.org>
- Fix i386 boot bug correctly (rhbz 1247382)
- CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)
diff --git a/mod-extra.list b/mod-extra.list
index 9794fef..cf957d4 100644
--- a/mod-extra.list
+++ b/mod-extra.list
@@ -105,7 +105,6 @@ w6692.ko
avma1_cs.ko
elsa_cs.ko
hfc4s8s_l1.ko
-joydev.ko
a3d.ko
adi.ko
analog.ko
--
2.4.3
8 years, 2 months
[PATCH] Add 10-yama-ptrace.conf (rhbz 1209492)
by Mark Wielaard
This fixes the yama bug #1209492 but lets administrators still add
extra restrictions if desired. This patch should apply as is against
both f22 and master.
---
10-yama-ptrace.conf | 30 ++++++++++++++++++++++++++++++
kernel.spec | 11 +++++++++++
2 files changed, 41 insertions(+)
create mode 100644 10-yama-ptrace.conf
diff --git a/10-yama-ptrace.conf b/10-yama-ptrace.conf
new file mode 100644
index 0000000..bcf0e69
--- /dev/null
+++ b/10-yama-ptrace.conf
@@ -0,0 +1,30 @@
+# The ptrace system call is used for interprocess services, communication
+# and introspection (like synchronisation, signaling, debugging, tracing
+# and profiling) of processes.
+#
+# Usage of ptrace is restricted by normal user permissions. Normal
+# unprivileged processes cannot interact through ptrace with processes
+# that they cannot send signals to or processes that are running set-uid
+# or set-gid.
+#
+# yama ptrace scope can be used to reduce these permissions even more.
+# This should normally not be done because it will break various programs
+# relying on the default ptrace security restrictions. But can be used
+# if you don't have any other way to separate processes in their own
+# domains. A different way to restrict ptrace is to set the selinux
+# deny_ptrace boolean. Both mechanisms will break some programs relying
+# on the ptrace system call and might force users to elevate their
+# priviliges to root to do their work.
+#
+# For more information see Documentation/security/Yama.txt in the kernel
+# sources.
+#
+# This runtime kernel parameter can be set to the following options:
+# (Note that setting this to anything except zero will break programs!)
+#
+# 0 - Normal ptrace security permissions.
+# 1 - Restricted ptrace. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+kernel.yama.ptrace_scope = 0
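Review bot: The comment block has a typo and an overstatement: `priviliges` should be `privileges`, and the line `(Note that setting this to anything except zero will break programs!)` is absolute where the paragraph above it says only that some programs break. Reword the note to name what is affected (attaching a debugger or tracer to an already running process that is not a child of the tracer). The mode descriptions could also be tightened: mode 1 additionally allows a tracer that the target has declared with prctl(PR_SET_PTRACER), and mode 2 applies to processes holding CAP_SYS_PTRACE rather than to "executables".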
diff --git a/kernel.spec b/kernel.spec
index dfc4500..87efd85 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -460,6 +460,9 @@ Source1000: config-local
Source2000: cpupower.service
Source2001: cpupower.config
+# Default sysctl files
+Source3000: 10-yama-ptrace.conf
+
# Here should be only the patches up to the upstream canonical Linus tree.
# For a stable release kernel
@@ -1711,6 +1714,10 @@ BuildKernel() {
rm -rf $RPM_BUILD_ROOT/lib/modules/$KernelVer/vdso/.build-id
%endif
+ # Install default sysctl settings.
+ %{__install} -D -m 444 %{SOURCE3000} \
+ $RPM_BUILD_ROOT%{_sysctldir}/10-yama-ptrace-$KernelVer.conf
+
# And save the headers/makefiles etc for building modules against
#
# This all looks scary, but the end result is supposed to be:
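Review bot: The file is installed as `10-yama-ptrace-$KernelVer.conf`, one copy per kernel build, but sysctl.d files are applied at boot regardless of which kernel is running. With several kernels installed, every copy sets `kernel.yama.ptrace_scope`, and the value that takes effect depends on file name ordering rather than on the booted kernel, so an administrator who changes one copy can be silently overridden by another. Install a single unversioned file, or add a comment here explaining why the per-version name is needed.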
@@ -2342,6 +2349,7 @@ fi
/lib/modules/%{KVERREL}%{?2:+%{2}}/vdso\
/etc/ld.so.conf.d/kernel-%{KVERREL}%{?2:+%{2}}.conf\
%endif\
+%config(noreplace) %{_sysctldir}/10-yama-ptrace-%{KVERREL}%{?2:+%{2}}.conf\
/lib/modules/%{KVERREL}%{?2:+%{2}}/modules.*\
%{expand:%%files -f kernel-%{?2:%{2}-}modules.list %{?2:%{2}-}modules}\
%defattr(-,root,root)\
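Review bot: `%config(noreplace)` is applied to a file under `%{_sysctldir}`, which is the vendor directory (/usr/lib/sysctl.d with the systemd macros). Files there are meant to be overridden by a file of the same name in /etc/sysctl.d, not edited in place, and because the file name carries `%{KVERREL}`, an edited copy would not carry over to the next kernel's file anyway. Consider dropping `%config(noreplace)` and pointing administrators to /etc/sysctl.d in the comment header of 10-yama-ptrace.conf.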
@@ -2375,6 +2383,9 @@ fi
#
#
%changelog
+* Thu Jun 23 2015 Mark Wielaard <mjw(a)redhat.com>
+- Add 10-yama-ptrace.conf (rhbz 1209492)
+
* Thu Jun 18 2015 Josh Boyer <jwboyer(a)fedoraproject.org>
- Add patch to fix touchpad issues on Razer machines (rhbz 1227891)
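Review bot: The new changelog header reads `Thu Jun 23 2015`, but the entry directly below it is `Thu Jun 18 2015`, which makes June 23 a Tuesday; rpm reports a weekday mismatch like this as a bogus date. Change the header to `Tue Jun 23 2015`. The commit message also has no Signed-off-by line, unlike the other patches posted here.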
--
2.4.3
8 years, 2 months