Enable the CONFIG_ARM64_PAN kernel security option, which leverages the
ARMv8.1 Privileged Access Never (PAN) extension to prevent the kernel
from directly accessing user space memory.
Instead, copy_to_user and similar functions must be used for data
transfer between kernel and user space. This feature is automatically
disabled at runtime on CPUs without PAN support, making it a no-op in
those cases.
Link: https://github.com/openwrt/openwrt/pull/16189
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add the KERNEL_BTRFS_FS config option so that targets can select
whether BTRFS support must be built-in.
Select this option (alongside KERNEL_BTRFS_FS_POSIX_ACL) from the
layerscape/armv8_64b subtarget instead of enabling it in
target/linux/layerscape/armv8_64b/config-* files.
Move disabling of CONFIG_BTRFS_FS_CHECK_INTEGRITY into generic configs.
This makes it possible for OpenWRT to be built with built-in BTRFS
support on specific boards, instead of whole targets.
Signed-off-by: Marek Behún <kabel@kernel.org>
Link: https://github.com/openwrt/openwrt/pull/15990
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Commit ec885796c0 switched the crc32 implementation from default to
byte-at-a-time algorithm, which runs slower but consumes less memory.
A decade has passed, and we have already abandoned targets that had
small memory, so switch it back to default for faster speed.
Signed-off-by: Qingfang Deng <qingfang.deng@siflower.com.cn>
CDNS3 is a SuperSpeed (SS) USB 3.0 Dual-Role-Device (DRD) controller from
Cadence. Add support for this device, and add the required symbols into
the generic configs.
Compile-tested: apm821xx, bcm4908, imx, mpc85xx, pistachio, starfive
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
The partition parser approach has been rejected upstream, it will be
replaced by a small block driver which is the solution suggestion by
upstream maintainers.
As the partition parser has only been used by the mediatek target, as
a first step, move it there.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This mtdsplit parser driver parses firmware partition on Internet
Initiative Japan Inc. (IIJ) SEIL series devices.
Structure of header:
0x0 - 0x7 : Identifier (hex)
0x8 - 0x57: Copyright (ascii)
0x58 - 0x5b: Data CRC (hex)
0x5c - 0x5f: Image Format Version (hex)
0x60 - 0x63: Image Major Version (hex)
0x64 - 0x67: Image Minor Version (hex)
0x68 - 0x87: Image Release Version (ascii)
0x88 - 0x8b: Xor value for Data? (hex)
0x8c - 0x8f: Data Length (hex)
Properties:
- compatible : "iij,seil-firmware"
- iij,seil-id : ID of SEIL firmware for the device (8 bytes)
- examples:
- SA-W2 : <0x5345494c 0x32303135> ("SEIL2015")
- SEIL/X1 : <0x5345494c 0x2F582020> ("SEIL/X ")
- iij,bootdev-name: boot device name assigned to the partition
(optional)
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This option was removed from upstream kernel back in 2022.
See commits:
2d16803c562ecc644803d42ba98a8e0aef9c014e (>=6.0)
3dd33a09f5dc12ccb0902923c4c784eb0f8c7554 (>=5.15.61 backport)
Signed-off-by: Christian Svensson <blue@cmd.nu>
In commit b2d1eb717b ("generic: 5.15: enable Werror by default for
kernel compile") CONFIG_WERROR=y was enabled and all warnings/errors
reported with GCC 12 were fixed.
Keeping this in sync with past/future GCC versions is going to be uphill
battle, so lets introduce new KERNEL_WERROR config option, enable it by
default only for tested/known working combinations and on buildbots.
References: #12687
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Backport initial LEDs hw control support. Currently this is limited to
only rx/tx and link events for the netdev trigger but the API got
accepted and the additional modes are working on and will be backported
later.
Refresh every patch and add the additional config flag for QCA8K new
LEDs support.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This set the CONFIG_FRAME_WARN option depending on some target settings.
It will use the default from the upstream kernel and not the hard coded
value of 1024 now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In order to cut down on the Netgear WNDR4700, the ata
driver can be outsourced. This helps other apm821xx
devices too to save up on kernel size (~200 kb).
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This allows loading modules with large memory requirements, recently needed
while testing on armvirt/32. Past forum discussions [1] and bug reports [2]
also raised this and the ipq806x target already set it in response [3].
Given this increases kernel image size by only ~1KB, is generally useful on
multi-platform kernels, and enabled by default on upstream arm32 Linux, add
it to the generic config.
The setting has similar utility on arm64, is a requirement for KASLR, and
already enabled on most OpenWrt aarch64 targets, so pull this into the
top-level generic config.
[1]: https://forum.openwrt.org/t/vmap-allocation-for-size-442368-failed-use-vmalloc-size-to-increase-size/34545/7
[2]: https://github.com/openwrt/openwrt/issues/8282
[3]: f81e148eb6 ("ipq806x: update 4.19 kernel config").
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
From 5.15 and up linux kernel introduced CONFIG_WERROR to flag any
warning as error. To improve code quality, enable this by default to
catch any warning and fix it.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Since CONFIG_DYNAMIC_DEBUG is already managed via the KERNEL_DYNAMIC_DEBUG
setting in Config-kernel.in (default N), remove or disable it in target
configs which unconditionally enable it, along with the related setting
CONFIG_DYNAMIC_DEBUG_CORE. This saves several KB in the kernels for
ipq40xx, ipq806x, filogic, mt7622, qoriq, and sunxi.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This activates CONFIG_SLAB_FREELIST_RANDOM.
This option make the free list less predictable. This makes it harder to
exploit heap based security vulnerabilities.
This adds a little bit more code to the kernel and a small additional
compute overhead.
This option is activated in Debian by default.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This activates the CONFIG_SCHED_STACK_END_CHECK option.
The kernel will check if the kernel stack overflowed in the schedule()
function. This just adds a very small computational overhead.
This option is activated in Debian by default.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This activates some extra checks in SLAB or SLUB to make it harder to
execute kernel heap exploits. This adds a minor performance
degradation which I haven't measured-.
Many mainstream Linux distributions also activate this option.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This activates the following kernel options by default:
* CONFIG_RANDOM_TRUST_CPU
* CONFIG_RANDOM_TRUST_BOOTLOADER
With these option Linux will also use data from the CPU RNG e.g. RDRAND
and the bootloader to initialize the Linux RNG if such sources are
available.
These random bits are used in addition to the other sources, no other
sources are getting deactivated. I read that the Chacha mixer isn't
vulnerable to injected entropy, so this should not be a problem even if
these sources might inject bad random data.
The Linux kernel suggests to activate both options, Debian also
activates them. This does not increase kernel code size.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
They add NVMEM layouts support. It allows handling NVMEM content
independently of NVMEM device access.
Skip U-Boot env data patch for now as it break our downstream MAC hacks.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
The current patches are old, update them from mainline.
Backports taken from https://github.com/yuzhaogoogle/linux/commits/mglru-5.15
Tested-by: Kazuki H <kazukih0205@gmail.com> #mt7622/Linksys E8450 UBI
Signed-off-by: Kazuki H <kazukih0205@gmail.com>
Make it possible to change the kernel configuration option
CONFIG_HARDLOCKUP_DETECTOR from OpenWrt.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
This sets the CONFIG_KCOV_IRQ_AREA_SIZE kernel configuration option to its default value.
This is shown when I set CONFIG_KERNEL_KCOV=y in the OpenWrt configuration on x86/64.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
This deactivates some kernel configuration options I see when
CONFIG_KERNEL_KASAN=y is set in the OpenWrt configuration on x86/64.
Set CONFIG_STACK_HASH_ORDER to its default value.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
This sets some kernel configuration options to their default values. I saw
these as warnings when I set CONFIG_KERNEL_UBSAN=y is set in the OpenWrt
configuration on x86/64.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
This deactivates some kernel configuration options I see when
CONFIG_KERNEL_DYNAMIC_FTRACE=y is set in the OpenWrt configuration on x86/64.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
This deactivates some kernel configuration options I see when
CONFIG_KERNEL_HIST_TRIGGERS=y is set in the OpenWrt configuration on x86/64.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
This deactivates some kernel configuration options I see when
CONFIG_KERNEL_DEBUG_VIRTUAL=y is set in the OpenWrt configuration on x86/64.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
This deactivates some kernel configuratoion options I see when
CONFIG_KERNEL_DEBUG_VM=y is set in the OpenWrt configuration on x86/64.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
The CONFIG_PPC_QUEUED_SPINLOCKS configuration option is not defined for
kernel 5.15, it is defined for kernel 5.10.
This fixes the compilation of mpc85xx/p2020 with kernel 5.15.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
"842" is a compression scheme and this is the software implementation
which is too slow to really use beyond a proof of concept. It can be
selected in ZRAM, ZSWAP, or `fs/pstore`, and is here for completeness.
In general you need a Power8 or better with 842-in-hardware for it to
be fast, but other 842-accelerators are emerging.
Signed-off-by: Tony Butler <spudz76@gmail.com>
In the build of the ramips/mt76x8 target the user gets asked about these
two configuration options, add them to the generic kernel configuration.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The CONFIG_DRM_XEN_FRONTEND configuration symbol is also used by the
layerscape target, move it to the generic kernel configuration.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>