This activates CONFIG_SLAB_FREELIST_RANDOM.
This option make the free list less predictable. This makes it harder to
exploit heap based security vulnerabilities.
This adds a little bit more code to the kernel and a small additional
compute overhead.
This option is activated in Debian by default.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This activates the CONFIG_SCHED_STACK_END_CHECK option.
The kernel will check if the kernel stack overflowed in the schedule()
function. This just adds a very small computational overhead.
This option is activated in Debian by default.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This activates some extra checks in SLAB or SLUB to make it harder to
execute kernel heap exploits. This adds a minor performance
degradation which I haven't measured-.
Many mainstream Linux distributions also activate this option.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This activates the following kernel options by default:
* CONFIG_RANDOM_TRUST_CPU
* CONFIG_RANDOM_TRUST_BOOTLOADER
With these option Linux will also use data from the CPU RNG e.g. RDRAND
and the bootloader to initialize the Linux RNG if such sources are
available.
These random bits are used in addition to the other sources, no other
sources are getting deactivated. I read that the Chacha mixer isn't
vulnerable to injected entropy, so this should not be a problem even if
these sources might inject bad random data.
The Linux kernel suggests to activate both options, Debian also
activates them. This does not increase kernel code size.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
They add NVMEM layouts support. It allows handling NVMEM content
independently of NVMEM device access.
Skip U-Boot env data patch for now as it break our downstream MAC hacks.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
In the build of the ramips/mt76x8 target the user gets asked about these
two configuration options, add them to the generic kernel configuration.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Kernel 5.10.158 added a prompt for the FUNCTION_ERROR_INJECTION symbol.
This is exposed in builds with CONFIG_KERNEL_KPROBES enabled, causing
those builds to fail due to a missing symbol. Add the symbol to fix
this.
Fixes: 6801c460b6 ("kernel: bump 5.10 to 5.10.158")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Removed a20 in description, since it
only works for a10, a13 and a31.
Also refreshed kernel config.
Fixes: #10466
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(moved fixes, refreshed, added CONFIG_DVB_USB=n)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Found during work on qoriq target.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
[improve commit message, remove from target configs]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
In my commit da5c45f4d8 ("kernel: remove handling of xfrm[4|6]_mode_*
modules") I missed a few default config options and description entries.
Those should be gone as well.
Fixes: da5c45f4d8 ("kernel: remove handling of xfrm[4|6]_mode_* modules")
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
For kernel versions before 5.2, the required IPsec modes have to be
enabled explicitly (they are built-in for newer kernels).
Commit 1556ed155a ("kernel: mode_beet mode_transport mode_tunnel xfram
modules") tried to handle this, but it does not really work.
Since we don't support these kernel versions anymore and the code is
also broken, let's remove it.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[Remove old generic config options too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The kernel config option 'CONFIG_GPIO_MCP23S08' no longer exists.
Therefore, it is removed from the generic kernel configuration for
linux-5.10 and linux-5.15.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Endianness depends on CPU architecture. CONFIG_CPU_(BIG/LITTLE)_ENDIAN should
be enabled on target or subtarget based on SoC architecture.
Fixes warning:
$ make kernel_oldconfig CONFIG_TARGET=subtarget
...
.config:1008:warning: override: CPU_LITTLE_ENDIAN changes choice state
....
Summary:
- ARC - only the CONFIG_CPU_BIG_ENDIAN symbol is defined for this architeture.
If it is disabled then the processor operates in LITTLE_ENDIAN mode (default),
- ARM32 - CONFIG_CPU_LITTLE_ENDIAN symbol available since kernel 5.19. This
option should be enabled after OpenWRT moves to kernel 6.x. After refreshing
the kernel, the symbol disappears,
- ARM64 - enabled CONFIG_CPU_LITTLE_ENDIAN,
- MIPS - enabled relevant symbols,
- POWERPC - enabled CONFIG_CPU_BIG_ENDIAN,
- UML - Symbols are not defined for this architecture,
- X86 - always little endian. Symbols are not defined for this architecture.
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
This adds some missing IOMMU related options for x86/64 and moves some
of them to generic for all targets.
On x86 IOMMU_DEFAULT_DMA_LAZY is used by default, on all other platforms
IOMMU_DEFAULT_DMA_STRICT is the default. we just follow the default
kernel configuration here.
Fixes: 8fea4a102c ("x86/64: enable IOMMU support")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
When building OpenWrt with CONFIG_ALL_KMODS the kernel build will ask
for CONFIG_DEFAULT_FQ_PIE option. This deactivates it by default.
Fixes: c3e4a0d99b ("kernel: netsupport: Add FQ-PIE as an optional sched kmod and extract PIE")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
These patches support the tps23861 PoE controller found on a number of
managed switches. The TPS23861 is an I2C-based quad IEEE 802.3at (PoE+)
Power-over-Ethernet PSE controller. It's also found on some Realtek
based switches, where we expect the bulk of the users to reside.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[Disable driver in generic/config-5.10]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
The nft NAT packages for IPv4 and IPv6 were merged into the common
packages with kernel 5.1. The kmod-nft-nat6 package was empty in our
build, remove it.
Multiple kernel configuration options were also removed, remove them
from our generic kernel configuration too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
All targets expect the malta target already activate the CONFIG_GPIOLIB
option. Move it to generic kernel configuration and also activate it for
malta.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The bootloader on some H3C devices (for example HPE 1920 switches) only
supports booting from flash by reading an image from an "VFS" filesystem
which spans most of the available flash. The filesystem size is hard-
coded in the bootloader. However, as long as no write operations are
performed in the bootloader menu, it is sufficient if the start of the
partition contains a valid filesystem with the kernel image.
This mtdsplit parser reads the size and location of the kernel image and
finds the location of the rootfs stored after it. It assumes that the
filesystem image matches the layout of one generated by mkh3cvfs, with
a filename of "openwrt-kernel.bin" for the kernel image.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
When building the mediatek/mt7629 target in OpenWrt 22.03 the kernel
does not have a configuration option for CONFIG_CRYPTO_DEV_MEDIATEK. Add
this option to the generic kernel configuration and also add two other
configuration options which are removed when we refresh the mt7629
kernel configuration.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Since 4e0c54bc5b ("kernel: add support for kernel 5.4"),
the spi-nor limit 4k erasesize to spi-nor chips below a configured size
patch has not functioned as intended.
For uniform erasesize SPI-NOR devices, both
nor->erase_opcode & mtd->erasesize are used in erase operations.
These are set before, and not modified by, this
CONFIG_MTD_SPI_NOR_USE_4K_SECTORS_LIMIT patch.
Thus, an SPI-NOR device with CONFIG_MTD_SPI_NOR_USE_4K_SECTORS will
always use 4k erasesize (where the device supports it).
If this patch was fixed to function as intended, there would be
cases where devices change from a 4K to a 64K erasesize.
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
Kernel 5.10.124 introduced a new symbol 'LIB_MEMNEQ'. Add it to the
generic 5.10 config.
Fixes: 9e5d743422 ("kernel: bump 5.10 to 5.10.124")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This is now built-in, enable so it won't propagate on target configs.
Link: https://lkml.org/lkml/2022/1/3/168
Fixes: 79e7a2552e ("kernel: bump 5.15 to 5.15.44")
Fixes: 0ca9367069 ("kernel: bump 5.10 to 5.10.119")
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(Link to Kernel's commit taht made it built-in,
CRYPTO_LIB_BLAKE2S[_ARM|_X86] as it's selectable, 5.10 backport)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Delete the crypto-lib-blake2s kmod package, as BLAKE2s is now built-in.
Patches automatically rebased.
Build system: x86_64
Build-tested: ipq806x/R7800, x86/64
Signed-off-by: John Audia <therealgraysky@proton.me>
Add DEBUG_INFO_REDUCED as a kernel config option and remove it from the
kernel configs. This is in preparation of the upcoming option to enable
BTF typeinfo, which is incompatible with DEBUG_INFO_REDUCED.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
MPLS feature symbols are normally only set when kmod-mpls is enabled, but the
CONFIG_MPLS symbol they depend on could also have been selected by openvswitch
instead
Signed-off-by: Felix Fietkau <nbd@nbd.name>
# CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
this can lead to confusion. Thankfully, in the KConfig
world this setting is still interpreted as disabled.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
at91/sama7 fails to build due to:
| Asymmetric (public-key cryptographic) key type (ASYMMETRIC_KEY_TYPE) [Y/?] y
| Asymmetric public-key crypto algorithm subtype (ASYMMETRIC_PUBLIC_KEY_SUBTYPE) [Y/?] y
| Asymmetric TPM backed private key subtype (ASYMMETRIC_TPM_KEY_SUBTYPE) [N/m/?] (NEW)
|Error in reading or end of file.
please note that asym_tpm (module) has been removed in 5.17:
<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d3cff4a9>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
ARM Builds like sunxi/cortexa53 or the rpi family failed
to build due to a new symbols showing up:
|Google Firmware Drivers (GOOGLE_FIRMWARE) [Y/n/?] y
| Coreboot Table Access (GOOGLE_COREBOOT_TABLE) [M/n/y/?] m
| Coreboot Framebuffer (GOOGLE_FRAMEBUFFER_COREBOOT) [N/m/?] (NEW)
|Error in reading or end of file.
Fixes: e5b009e532 ("kernel: Package GOOGLE_FIRMWARE drivers")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Kernel 5.6 introduced a new config symbol SERIAL_8250_16550A_VARIANTS.
In kernel 5.8, this symbol was changed to default to on on !x86, as some
embedded devices still use 16650A variants. Let's play safe here and
enable this symbol in the generic config, to avoid others from running
into this problem and having to spend several hours trying to bisect
this problem. While we could disable the symbol in the x86 target
configs, a 20ms boot time reduction really isn't worth the time wasted
on bisecting this issue.
Matt discovered this problem while working on adding support for the
WatchGuard Firebox M200 to the qoriq target, where it caused some
characters to be missing on the console output.
Reported-by: Matt Fawcett <mattytap@icloud.com>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Rui Salvaterra <rsalvaterra@gmail.com>
Seeing failure to build because of missing symbols related to provisioning
CONFIG_KEXEC and signed images. Without this, if you set
CONFIG_KERNEL_KEXEC=y and try to build, target/linux will hang at:
scripts/kconfig/conf --syncconfig Kconfig
...
kexec system call (KEXEC) [Y/n/?] y
kexec file based system call (KEXEC_FILE) [Y/n/?] y
Verify kernel signature during kexec_file_load() syscall (KEXEC_SIG) [N/y/?] (NEW)
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This patch moves the patches of parser_trx in mediatek target to
generic/backport-5.10 to use the changes from ramips target and
backport the additional patch of the parser.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Add the following kconfig symbols (disabled):
CONFIG_DEFAULT_FQ
CONFIG_DEFAULT_CODEL
CONFIG_DEFAULT_SFQ
Also resort the config with the kconfig.pl script.
Fixes: f39872d966 ("kernel: generic: select the fq_codel qdisc by default")
Tested-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>