KASAN has supported more architectures, such as ARM, PPC32 and RISC-V 64.
Enable KASAN option for those architectures.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
The GCC option -fstack-protector-all is a security feature used to protect against stack-smashing attacks.
This option enhances the stack-smashing protection provided by -fstack-protector-strong.
-fstack-protector-all option applies stack protection to all functions, regardless of their characteristics.
While this offers the most comprehensive protection against stack-smashing attacks, it can significantly impact
the performance of the program because every function call includes additional checks for stack integrity.
This option can incur a performance penalty because of the extra checks added to every function call,
but it significantly enhances security, making it harder for attackers to exploit buffer overflows to execute arbitrary code.
It's particularly useful in scenarios where security is paramount and performance trade-offs are acceptable.
Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>
GRUB_SERIAL is also used for the default serial on the target and not
only in grub. When no grub was build it was not available and the build
fails.
Rename GRUB_SERIAL to TARGET_SERIAL and make it always available on x86
and armsr targets.
Fixes: #14063
Fixes: b10768476f ("x86,armsr: interpolate GRUB_SERIAL into /etc/inittab")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Allow selecting KERNEL_SLUB_DEBUG and KERNEL_SLUB_DEBUG_ON manually and
provide detailed help for both.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
CycloneDX is an open source standard developed by the OWASP foundation.
It supports a wide range of development ecosystems, a comprehensive set
of use cases, and focuses on automation, ease of adoption, and
progressive enhancement of SBOMs (Software Bill Of Materials) throughout
build pipelines.
So lets add support for CycloneDX SBOM for packages and images
manifests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
CONFIG_ARM_PMU (Arm Performance Monitor Unit) is a requirement
to use KVM (virtualization) from Linux 5.11+, as the virtualised
guest has virtualized PMU access.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Currently KASAN is supported but only the generic one. SW-tag and HW-tag
based KASAN have less impact on memory footprint or performance, and are
worth supporting.
Add choice menu for software and hardware Tag-Based KASAN, in addition
to the generic one.
Signed-off-by: Zhen XIN <zhen.xin@nokia-sbell.com>
[Restructure commit message]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Building it requires gcc >= 10.2 or clang >= 12.
Using sstrip with its -z argument can produce non-working binaries, like
a segfaulting `getrandom`, so don't allow that combination.
Signed-off-by: Andre Heider <a.heider@gmail.com>
sstrip only has one functional arg. Make that a bool option, which can
easily depend on other knobs then.
This is required to be disabled for the mold linker.
Signed-off-by: Andre Heider <a.heider@gmail.com>
In commit b2d1eb717b ("generic: 5.15: enable Werror by default for
kernel compile") CONFIG_WERROR=y was enabled and all warnings/errors
reported with GCC 12 were fixed.
Keeping this in sync with past/future GCC versions is going to be uphill
battle, so lets introduce new KERNEL_WERROR config option, enable it by
default only for tested/known working combinations and on buildbots.
References: #12687
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, ipq807x only covers Qualcomm IPQ807x SoC-s.
However, Qualcomm also has IPQ60xx and IPQ50xx SoC-s under the AX WiSoC-s
and they share a lot of stuff with IPQ807x, especially IPQ60xx so to avoid
duplicating kernel patches and everything lets make a common target with
per SoC subtargets.
Start doing that by renaming ipq807x to qualcommax so that dependencies
on ipq807x target can be updated.
Signed-off-by: Robert Marko <robimarko@gmail.com>
armvirt target has been renamed to armsr (Arm SystemReady),
so the config defaults need to be changed as well.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
The nominal partition type for EFI boot partitions is FAT32,
which has a minimum size of 32MiB on a 512-byte-sector block device.
To ensure that the boot partition is created as FAT32 set a size
well above this minimum.
A useful discussion about EFI partition sizes can be found here:
https://superuser.com/questions/1310927/what-is-the-absolute-minimum-size-a-uefi-system-partition-can-be
I have found 128MiB works pretty consistently across both
tools (mkfs.fat) and firmwares (EDKII)
Signed-off-by: Mathew McBride <matt@traverse.com.au>
This adds a separate package for EFI on Arm SystemReady
compatible machines. 32-bit Arm UEFI is supported as well.
It is very similar to x86-64 EFI setup, without the
need for BIOS backward compatibility and slightly
different default modules.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
This set the CONFIG_FRAME_WARN option depending on some target settings.
It will use the default from the upstream kernel and not the hard coded
value of 1024 now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
BTF mismatch can occur for a separately-built module even when the ABI
is otherwise compatible and nothing else would prevent successfully
loading. Add a new config to control how mismatches are handled. By
default, preserve the current behavior of refusing to load the
module. If MODULE_ALLOW_BTF_MISMATCH is enabled, load the module but
ignore its BTF information.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
We only use 5.15 kernel. So remove all those unnecessary symbols
referencing 5.10 or 5.15 kernel.
Can be found with:
git grep -E 'LINUX_5_1(0|5)'
Note that we remove the dependency from "sound-soc-chipdip-dac" instead
of removing the complete kernel package. The 5.15 version bump forgot to
delete the "@LINUX_5_10" dependency. The kernel package is still needed
in 5.15 kernel.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Kernel setting CONFIG_IO_URING supports high-performance I/O for file
access and servers, generally for more performant platforms, and adds
~45 KB to kernel sizes. The need for this on less "beefy" devices is
questionable, as is the size cost considering many platforms have kernel
size limits which require tricky repartitioning if outgrown. The size
cost is also large relative to the ~180 KB bump expected between major
OpenWRT kernel releases.
No OpenWrt packages have hard dependencies on this; samba4 and mariadb
can take advantage if available (+KERNEL_IO_URING:liburing) but
otherwise build and work fine.
Since CONFIG_IO_URING is already managed via the KERNEL_IO_URING setting
in Config-kernel.in (default Y), remove it from those target configs
which unconditionally enable it, and update the defaults to enable it
conditionally only on more powerful 64-bit x86 and arm devices. It may
still be manually enabled as needed for high-performance custom builds.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Make it possible to change the kernel configuration option
CONFIG_HARDLOCKUP_DETECTOR from OpenWrt.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
Without the default value this still causes a missing symbol. Disable by
default as it depends on FUNCTION_ERROR_INJECTION, which is disabled in
the generic config and we don't have a build symbol to enable that.
Fixes: 500c37c56f ("kernel: add missing symbol")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Sourcing of image/Config.in will not happen
When a target is installed from target/linux/feeds/
Signed-off-by: Prasun Maiti <prasunmaiti87@gmail.com>
Acked-by: Petr Štetiar <ynezz@true.cz>
Set default values for KERNEL_DEBUG_LL and KERNEL_DEBUG_LL_UART_NONE again
as both of these symbols are non visible if KERNEL_EARLY_PRINTK is not
selected and KConfig wont write their value to .config.
This usually is the intended behaviour, but in OpenWrt we are relying on
the KConfig to set these and disable the debug console settings that
multiple targets like mvebu have set in their kernel config.
This was the behaviour before removing all of the "default n" settings
as KConfig by default considers symbols disabled but they are not visible
anymore and thus their value is not set in .config and build system then
later does not override the values from target kernel config.
So, to restore the behaviour to the previous one lets a default value for
KERNEL_DEBUG_LL and KERNEL_DEBUG_LL_UART_NONE.
Fixes: 8bc72ea7be ("treewide: strip useless default n Kconfig lines")
Tested-by: Georgi Valkov <gvalkov@gmail.com>
Signed-off-by: Robert Marko <robimarko@gmail.com>
Kconfig docs say:
> The default value deliberately defaults to 'n' in order to avoid
> bloating the build.
Apply this rule everywhere, to avoid more cloning of bad examples
Signed-off-by: Tony Butler <spudz76@gmail.com>
Requires: tools/lz4, tools/lzop
complete the wiring so that these options work:
* `CONFIG_KERNEL_INITRAMFS_COMPRESSION_LZO`
* `CONFIG_KERNEL_INITRAMFS_COMPRESSION_LZ4`
Signed-off-by: Tony Butler <spudz76@gmail.com>
[remove blocking dependencies for separate ramdisk, fix lzop options]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Qualcomm Atheros IPQ807x is a modern WiSoC featuring:
* Quad Core ARMv8 Cortex A-53
* @ 2.2 GHz (IPQ8072A/4A/6A/8A) Codename Hawkeye
* @ 1.4 GHz (IPQ8070A/1A) Codename Acorn
* Dual Band simultaneaous IEEE 802.11ax
* 5G: 8x8/80 or 4x4/160MHz (IPQ8074A/8A)
* 5G: 4x4/80 or 2x2/160MHz (IPQ8071A/2A/6A)
* 5G: 2x2/80MHz (IPQ8070A)
* 2G: 4x4/40MHz (IPQ8072A/4A/6A/8A)
* 2G: 2x2/40MHz (IPQ8070A/1A)
* 1x PSGMII via QCA8072/5 (Max 5x 1GbE ports)
* 2x SGMII/USXGMII (1/2.5/5/10 GbE) on Hawkeye
* 2x SGMII/USXGMII (1/2.5/5 GbE) on Acorn
* DDR3L/4 32/16 bit up to 2400MT/s
* SDIO 3.0/SD card 3.0/eMMC 5.1
* Dual USB 3.0
* One PCIe Gen2.1 and one PCIe Gen3.0 port (Single lane)
* Parallel NAND (ONFI)/LCD
* 6x QUP BLSP SPI/I2C/UART
* I2S, PCM, and TDMA
* HW PWM
* 1.8V configurable GPIO
* Companion PMP8074 PMIC via SPMI (GPIOS, RTC etc)
Note that only v2 SOC models aka the ones ending with A suffix are
supported, v1 models do not comply to the final 802.11ax and have
lower clocks, lack the Gen3 PCIe etc.
SoC itself has two UBI32 cores for the NSS offloading system, however
currently no offloading is supported.
Signed-off-by: Robert Marko <robimarko@gmail.com>
add help text for `TARGET_SQUASHFS_BLOCK_SIZE` to match the only valid
settings accepted by `mksquashfs4` ("block size not power of two or not
between 4096 and 1Mbyte") thus for this setting in "KB", the set:
`4, 8, 16, 32, 64, 128, 256, 512, 1024`
replace `squashfs-lzma` with `squashfs` in the description for
`TARGET_ROOTFS_SQUASHFS` because it has various compressions, and not
just lzma as it did in the past
cosmetic change with no functional effect
Signed-off-by: Tony Butler <spudz76@gmail.com>
some config `depends on` lines contained outdated kernel version checks
that can no longer happen and had become non-operational; clean them up
cosmetic change with no functional effect
Signed-off-by: Tony Butler <spudz76@gmail.com>
This reverts commit ce1346a8fc.
Seems to cause buildbot compilation to fail and require more testing.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Introduce a new option in the "Advanced configuration options" to
configure a custom download tool.
By declaring a string in "Use custom download tool" an user can force
what command to use to download package. With the string empty the
default tool used is curl, with wget as a fallback if not available.
download.pl supports 3 tools officially aria2c, curl and wget.
If one of the tool is used in this config, download.pl will use the
default args to make use of them.
If the provided string is different than aria2c, curl or wget, the command
is used as is and the download url will be appended at the end of such command.
While at it also tweak the tool selection logic and chose the tool only
once when the script is called and move aria2c specific variables in the
relevant section.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add option to compile all host tools even if not needed.
This can be useful to prepare a universal precompiled host tools
archive to use in another buildroot and speedup compilation.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
When we use the internal toolchain USE_SSTRIP will be selected by
default for musl libc and USE_STRIP when glibc is used. Do the same when
an external toolchain is used. USE_GLIBC will also be set for external
toolchain builds based on the EXTERNAL_TOOLCHAIN_LIBC_USE_GLIBC setting.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Remove flags from wget and curl instructing them to ignore bad server
certificates. Although other mechanisms can protect against malicious
modifications of downloads, other vectors of attack may be available
to an adversary.
TLS certificate verification can be disabled by turning oof the
"Enable TLS certificate verification during package download" option
enabled by default in the "Global build settings" in "make menuconfig"
Signed-off-by: Josh Roys <roysjosh@gmail.com>
[ add additional info on how to disable this option ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Disabling this build tunable breaks build and seems unrealistically
likely to be fixed.
This patch sets the related CONFIG to always true and removes the
config prompt, keeping the change minimal, and, should !CONFIG_IPV6 ever
be fixed, easy to revert.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Paul Spooren <mail@aparcar.org>
Acked-by: Josef.Schlehofer <pepe.schlehofer@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
This option allows turning on CONFIG_DEBUG_VIRTUAL which is useful to
debug incorrect uses of the virtual to physical and physical to virtual
translations functions.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This is required to use BPF maps of type BPF_MAP_TYPE_PERF_EVENT_ARRAY
for sending data from BPF programs to user-space for post-processing
or logging.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Generate BTF (BPF Type Format) information from DWARF debug info. This is
embedded in the kernel and exported via sysfs as /sys/kernel/btf/vmlinux.
BTF data enhances kernel portability and introspection for BPF programs.
Selecting this also enables the dwarves host package which provides the
pahole tool used for BTF encoding.
Test using: "bpftool btf dump file /sys/kernel/btf/vmlinux format c"
This needs to depend on KERNEL_DEBUG_INFO_REDUCED not being set,
otherwise we can enable both KERNEL_DEBUG_INFO_BTF and
KERNEL_DEBUG_INFO_REDUCED, which will result in undefined behaviour.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
[split DEBUG_INFO_REDUCED into separate commit, add dependency]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Add DEBUG_INFO_REDUCED as a kernel config option and remove it from the
kernel configs. This is in preparation of the upcoming option to enable
BTF typeinfo, which is incompatible with DEBUG_INFO_REDUCED.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This symbol is added by the bcm27xx target patches so it should depend
on that target.
Fixes: efd9463dcf ("kernel: add missing symbol for bcm27xx")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
When KERNEL_PERF_EVENTS is enabled in OpenWrt, the RPI_AXIPERF symbol is
exposed. Add a build option for it to fix build failures with
KERNEL_PERF_EVENTS enabled.
Fixes: 20ea6adbf1 ("bcm27xx: add support for linux v5.15")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>