# Copyright 2020-2023 Liguros Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8

inherit check-reqs mount-boot toolchain-funcs

DESCRIPTION="Linux kernel sources with Debian patches."
HOMEPAGE="https://packages.debian.org/unstable/kernel/"
LICENSE="GPL-2"
KEYWORDS="x86 amd64 arm arm64"
# One slot per upstream major.minor so several kernel series can be installed side by side.
SLOT=$(ver_cut 1-2)
RESTRICT="binchecks strip mirror"
IUSE="binary btrfs clang custom-cflags debug dmraid dtrace ec2 firmware hardened iscsi libressl luks lvm mcelog mdadm microcode multipath nbd nfs plymouth selinux sign-modules symlink systemd wireguard zfs"

BDEPEND="
	sys-devel/bc
	debug? ( dev-util/dwarves )
	virtual/libelf
"
DEPEND="
	net-misc/dhcp[client]
	binary? (
		sys-kernel/dracut
		dev-util/pahole
	)
	btrfs? ( sys-fs/btrfs-progs )
	dtrace? (
		dev-util/dtrace-utils
		dev-libs/libdtrace-ctf
	)
	firmware? (
		sys-kernel/linux-firmware
	)
	luks? ( sys-fs/cryptsetup )
	lvm? ( sys-fs/lvm2 )
	mdadm? ( sys-fs/mdadm )
	mcelog? ( app-admin/mcelog )
	plymouth? (
		x11-libs/libdrm
		sys-boot/plymouth[udev]
	)
	sign-modules? (
		|| ( dev-libs/openssl
			dev-libs/libressl
		)
		sys-apps/kmod
	)
	systemd? ( sys-apps/systemd )
	!systemd? ( sys-fs/eudev )
	wireguard? ( virtual/wireguard )
	zfs? ( sys-fs/zfs )
"

# Version components, derived from PV (e.g. PV=5.8.7_p1):
DEB_PV_BASE=${PV/_*/}          # upstream kernel version, e.g. 5.8.7
DEB_EXTRAVERSION=${PV/*_p/-}   # debian revision with a leading dash, e.g. -1
EXTRAVERSION=${PV/*_/_}        # gentoo-style suffix, e.g. _p1
TEMP_EXTRA_VERSION="debian"

# MODULE_EXT is appended to the kernel's EXTRAVERSION and names the
# /lib/modules/<ver> and /usr/src/linux-<ver> directories.
# It is EXTRAVERSION (debian patch set revision) + TEMP_EXTRA_VERSION (debian name),
# with the ebuild revision inserted between them when there is one:
#   PR=r0 -> _p1-debian
#   PR=r5 -> _p1-debian-r5
if [[ ${PR} != "r0" ]]; then
	MODULE_EXT="${EXTRAVERSION}-${TEMP_EXTRA_VERSION}-${PR}"
else
	MODULE_EXT="${EXTRAVERSION}-${TEMP_EXTRA_VERSION}"
fi

DEB_PV="${DEB_PV_BASE}${DEB_EXTRAVERSION}"

# Distfiles: upstream tarball, the debian patch set, and the liguros patch collection
# (hardened / gentoo / dtrace patch directories keyed by ${SLOT}).
KERNEL_ARCHIVE="linux_${DEB_PV_BASE}.orig.tar.xz"
DEB_PATCH_ARCHIVE="linux_${DEB_PV}.debian.tar.xz"
LIG_PATCH_ARCHIVE="linux_patches.tar.xz"
LIG_UPSTREAM="https://gitlab.com/liguros/distfiles/-/raw/main"
SRC_URI="
	${LIG_UPSTREAM}/${KERNEL_ARCHIVE}
	${LIG_UPSTREAM}/${DEB_PATCH_ARCHIVE}
	${LIG_UPSTREAM}/${LIG_PATCH_ARCHIVE}
"

S="${WORKDIR}/linux-${DEB_PV_BASE}"
# TODO: manage HARDENED_PATCHES and GENTOO_PATCHES can be managed in a git repository and packed into tar balls per version.
# Patches live in the liguros patch archive (LIG_PATCH_ARCHIVE), keyed by ${SLOT}.
HARDENED_PATCHES_DIR="${WORKDIR}/${SLOT}/hardened-patches/"
# 'linux-hardened' minimal patch set to compliment existing Kernel-Self-Protection-Project
# Applied in array order by src_prepare, only when USE=hardened.
# The following entries are commented out in the list below:
# 0033-enable-protected_-symlinks-hardlinks-by-default.patch
# 0058-security-perf-Allow-further-restriction-of-perf_even.patch
# 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
# All of the above already provided by Debian patches.
HARDENED_PATCHES=(
0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
0002-enable-HARDENED_USERCOPY-by-default.patch
0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
0005-set-kptr_restrict-2-by-default.patch
0006-enable-DEBUG_LIST-by-default.patch
0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
0013-enable-FORTIFY_SOURCE-by-default.patch
0014-enable-PANIC_ON_OOPS-by-default.patch
0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
0017-disable-X86_16BIT-by-default.patch
0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
0021-stop-hiding-AIO-behind-EXPERT.patch
0022-disable-AIO-by-default.patch
0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
0024-disable-DEVPORT-by-default.patch
0025-disable-PROC_VMCORE-by-default.patch
0026-disable-NFS_DEBUG-by-default.patch
0027-enable-DEBUG_WX-by-default.patch
0028-disable-LEGACY_PTYS-by-default.patch
0029-disable-DEVMEM-by-default.patch
0030-enable-IO_STRICT_DEVMEM-by-default.patch
0031-disable-COMPAT_BRK-by-default.patch
0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
# 0033-enable-protected_-symlinks-hardlinks-by-default.patch  (already in Debian patches)
0034-enable-SECURITY-by-default.patch
0035-enable-SECURITY_YAMA-by-default.patch
0036-enable-SECURITY_NETWORK-by-default.patch
0037-enable-AUDIT-by-default.patch
0038-enable-SECURITY_SELINUX-by-default.patch
0039-enable-SYN_COOKIES-by-default.patch
0040-add-__read_only-for-non-init-related-usage.patch
0041-make-sysctl-constants-read-only.patch
0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
0045-mark-kmem_cache-as-__ro_after_init.patch
0046-mark-__supported_pte_mask-as-__ro_after_init.patch
0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
0048-mark-open_softirq-as-only-used-for-init.patch
0049-remove-unused-softirq_action-callback-parameter.patch
0050-mark-softirq_vec-as-__ro_after_init.patch
0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
0053-bug-on-PageSlab-PageCompound-in-ksize.patch
0054-mm-add-support-for-verifying-page-sanitization.patch
0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
0056-slub-Add-support-for-verifying-slab-sanitization.patch
0057-slub-add-multi-purpose-random-canaries.patch
# 0058-security-perf-Allow-further-restriction-of-perf_even.patch  (already in Debian patches)
0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
# 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch  (already in Debian patches)
0061-add-kmalloc-krealloc-alloc_size-attributes.patch
0062-add-vmalloc-alloc_size-attributes.patch
0063-add-kvmalloc-alloc_size-attribute.patch
0064-add-percpu-alloc_size-attributes.patch
0065-add-alloc_pages_exact-alloc_size-attributes.patch
0066-Add-the-extra_latent_entropy-kernel-parameter.patch
0067-ata-avoid-null-pointer-dereference-on-bug.patch
0068-sanity-check-for-negative-length-in-nla_memcpy.patch
0069-add-page-destructor-sanity-check.patch
0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
0071-add-writable-function-pointer-detection.patch
0072-support-overriding-early-audit-kernel-cmdline.patch
0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
0078-randomize-lower-bits-of-the-argument-block.patch
0079-x86_64-match-arm64-brk-randomization-entropy.patch
0080-support-randomizing-the-lower-bits-of-brk.patch
0081-mm-randomize-lower-bits-of-brk.patch
0082-x86-randomize-lower-bits-of-brk.patch
0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
0086-restrict-device-timing-side-channels.patch
0087-add-toggle-for-disabling-newly-added-USB-devices.patch
0088-hard-wire-legacy-checkreqprot-option-to-0.patch
0089-security-tty-Add-owner-user-namespace-to-tty_struct.patch
0090-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
0091-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
0092-disable-unprivileged-eBPF-access-by-default.patch
0093-enable-BPF-JIT-hardening-by-default-if-available.patch
0094-enable-protected_-fifos-regular-by-default.patch
0095-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
0096-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
0097-mm-Fix-extra_latent_entropy.patch
0098-add-CONFIG-for-unprivileged_userns_clone.patch
0099-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
0100-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
0101-add-CONFIG-for-unprivileged_userfaultfd.patch
0102-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
0103-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
# 0104-backport-net-packet-fix-overflow-in-tpacket_rcv.patch  (disabled; no reason recorded here)
)
GENTOO_PATCHES_DIR="${WORKDIR}/${SLOT}/gentoo-patches/"
# Gentoo Linux 'genpatches' patch set, applied unconditionally in array order by src_prepare.
# 1510_fs-enable-link-security-restrctions-by-default.patch is already provided in debian patches
# 4567_distro-Gentoo-Kconfig TODO?
GENTOO_PATCHES=(
1500_XATTR_USER_PREFIX.patch
#1510_fs-enable-link-security-restrictions-by-default.patch  (already in Debian patches)
1700_sparc-address-warray-bound-warnings.patch
2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
2910_bfp-mark-get-entry-ip-as--maybe-unused.patch
2920_sign-file-patch-for-libressl.patch
2930_gcc-plugins-Reorg-gimple-incs-for-gcc-13.patch
3000_Support-printing-firmware-info.patch
4567_distro-Gentoo-Kconfig.patch
5000_shiftfs-6.1.patch
5010_enable-cpu-optimizations-universal.patch
5020_BMQ-and-PDS-io-scheduler-v6.1-r4-linux-tkg.patch
5021_BMQ-and-PDS-gentoo-defaults.patch
5022_BMQ-and-PDS-remove-psi-support.patch
)
DTRACE_PATCHES_DIR="${WORKDIR}/${SLOT}/dtrace-patches"
# CTF / waitfd support needed by dtrace-utils; applied in array order by src_prepare
# only when USE=dtrace (which also sets CONFIG_WAITFD=y).
DTRACE_PATCHES=(
0001-kallsyms-new-proc-kallmodsyms-with-builtin-modules-a.patch
0002-ctf-generate-CTF-information-for-the-kernel.patch
0003-waitfd-new-syscall-implementing-waitpid-over-fds.patch
0004-ctf-kernel-build-with-gt-for-CTF-generation-using-GC.patch
0005-ctf-toolchain-based-CTF-support.patch
0006-kbuild-arm64-Set-objects.builtin-dependency-to-Image.patch
0007-ctf-adapt-to-the-new-CTF-linker-API.patch
0008-ctf-discard-CTF-sections-for-arches-not-using-DISCAR.patch
0009-ctf-discard-CTF-from-the-vDSO.patch
0010-ctf-fix-memory-leak-in-ctfarchive.patch
0011-ctf-adjust-to-upcoming-binutils-ctf_link_add_ctf-API.patch
0012-ctf-support-ld-ctf-variables-if-available.patch
0013-ctf-add-.ctf-to-.gitignore.patch
0014-waitfd-enable-by-default.patch
)
# Apply one patch from the linux-hardened set.
# $1 - patch file name relative to ${HARDENED_PATCHES_DIR}
eapply_hardened() {
	local patch_name="${1}"
	eapply "${HARDENED_PATCHES_DIR}/${patch_name}"
}
# Apply one patch from the Gentoo genpatches set.
# $1 - patch file name relative to ${GENTOO_PATCHES_DIR}
eapply_gentoo() {
	local patch_name="${1}"
	eapply "${GENTOO_PATCHES_DIR}/${patch_name}"
}
# Apply one patch from the dtrace (CTF/waitfd) set.
# $1 - patch file name relative to ${DTRACE_PATCHES_DIR}
eapply_dtrace() {
	local patch_name="${1}"
	eapply "${DTRACE_PATCHES_DIR}/${patch_name}"
}
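# Print the patch names listed in a quilt-style series file, one per line.
# $1 - path to the series file (src_prepare passes debian/patches/series)
# Comment lines (first character '#') and empty lines are skipped. The caller
# consumes the output through an unquoted $(...), so each name must be one word.
# Dies when no file is given or the file cannot be opened.
get_patch_list() {
	[[ -z ${1} ]] && die "No patch series file specified"
	local patch_series="${1}"
	local line
	# read -r keeps backslashes literal; the '|| [[ -n ... ]]' clause still
	# yields a final line that lacks a trailing newline.
	while read -r line || [[ -n ${line} ]]; do
		# skip comments and blank lines
		[[ -z ${line} || ${line:0:1} == "#" ]] && continue
		echo "${line}"
	done < "${patch_series}" || die "failed to read patch series ${patch_series}"
}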
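# Locate the module-signing certificate directory under /etc/kernel/certs/.
# Candidates are tried most-specific first: ${PF}, ${P}, then "linux".
# Prints the first candidate that exists and returns. A candidate that exists but
# has no signing_key.pem is a configuration error and dies (rather than being
# skipped), so a half-populated certs dir is never silently passed over.
# Prints nothing when no candidate directory exists; the caller treats that as
# "no certs dir found".
get_certs_dir() {
	local subdir certdir
	for subdir in "${PF}" "${P}" linux; do
		certdir="/etc/kernel/certs/${subdir}"
		[[ -d ${certdir} ]] || continue
		# die, not 'exit 1': this function runs inside $(...), where a plain
		# exit only ends the subshell and the caller would see an empty
		# result with a misleading "no certs dir" message.
		[[ -e ${certdir}/signing_key.pem ]] \
			|| die "${certdir} exists but is missing signing_key.pem"
		echo "${certdir}"
		return 0
	done
	return 0
}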
# Only USE=binary compiles the kernel, so the disk-space check is limited to it.
pkg_pretend() {
	use binary || return 0
	CHECKREQS_DISK_BUILD="5G"
	check-reqs_pkg_setup
}
# Preserve portage's ARCH (x86/amd64/arm/arm64) as REAL_ARCH for the later
# phases, then drop ARCH and LDFLAGS: kbuild reads both as its own variables.
pkg_setup() {
	export REAL_ARCH="${ARCH}"
	unset ARCH LDFLAGS
}
# Unpack the three distfiles into ${WORKDIR}: kernel sources, the Debian patch
# set (debian/), and the Liguros patch collection (${SLOT}/...-patches/).
src_unpack() {
	unpack "${KERNEL_ARCHIVE}" || die "failed to unpack kernel sources"
	unpack "${DEB_PATCH_ARCHIVE}" || die "failed to unpack debian patches"
	unpack "${LIG_PATCH_ARCHIVE}" || die "failed to unpack liguros patches"
}
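# Patch the sources and produce the kernel .config in ${T}/.config.
# Steps: Debian patches -> hardened (USE=hardened) -> Gentoo -> dtrace (USE=dtrace),
# set EXTRAVERSION, extract the Debian config for the target arch, then append
# USE-driven overrides and normalise with 'make oldconfig'.
# Leaves the tree mrproper'd; the resulting config is kept in ${T}/.config.
# Sets the global certs_dir (USE=sign-modules) which src_install reads.
src_prepare() {
	debug-print-function "${FUNCNAME}" "${@}"

	# punt the debian devs certificates: their config embeds debian/certs/*.pem
	# into the kernel keyring, which we override below
	rm -rf "${S}"/debian/certs

	### PATCHES ###
	# apply debian patches in series-file order
	local debpatch
	for debpatch in $( get_patch_list "${WORKDIR}/debian/patches/series" ); do
		eapply -p1 "${WORKDIR}/debian/patches/${debpatch}"
	done

	# only apply these if USE=hardened as the patches will break proprietary userspace and some others.
	local my_patch
	if use hardened; then
		einfo "Applying hardening patches ..."
		for my_patch in "${HARDENED_PATCHES[@]}" ; do
			eapply_hardened "${my_patch}"
		done
	fi

	einfo "Applying Gentoo Linux patches ..."
	for my_patch in "${GENTOO_PATCHES[@]}" ; do
		eapply_gentoo "${my_patch}"
	done

	# optionally apply dtrace patches
	if use dtrace; then
		for my_patch in "${DTRACE_PATCHES[@]}" ; do
			eapply_dtrace "${my_patch}"
		done
	fi

	# append MODULE_EXT (e.g. _p1-debian) to EXTRAVERSION so the built kernel
	# version matches the /lib/modules and /usr/src directory names
	sed -i -e "s:^\(EXTRAVERSION =\).*:\1 ${MODULE_EXT}:" Makefile || die "failed to append EXTRAVERSION to kernel Makefile"
	# todo: look at this, haven't seen it used in many cases.
	sed -i -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' Makefile || die "failed to fix-up INSTALL_PATH in kernel Makefile"

	# copy the debian patches into the kernel sources work directory (config-extract requires this).
	cp -a "${WORKDIR}"/debian "${S}"/debian || die "failed to copy debian directory into sources"

	### GENERATE CONFIG ###
	# Map portage's arch (saved as REAL_ARCH in pkg_setup) onto Debian's
	# arch/featureset/flavour naming used by config-extract.
	local arch featureset subarch
	featureset="standard"
	case "${REAL_ARCH}" in
		x86)
			arch="i386"
			subarch="686-pae"
			;;
		amd64)
			arch="amd64"
			subarch="amd64"
			;;
		arm)
			arch="armhf"
			subarch="armmp"
			;;
		arm64)
			arch="arm64"
			subarch="arm64"
			;;
		*)
			die "Architecture not handled in ebuild"
			;;
	esac

	# Copy 'config-extract' tool to the work directory, make it executable and
	# extract the kernel config file from the debian/ tree
	cp "${FILESDIR}"/config-extract-6.1 ./config-extract || die
	chmod +x config-extract || die
	./config-extract "${arch}" "${featureset}" "${subarch}" || die

	### TWEAK CONFIG ###
	# Everything below is appended; 'make oldconfig' at the end lets the last
	# setting of each symbol win.

	# Do not configure Debian devs certificates (debian/certs was removed above)
	echo 'CONFIG_SYSTEM_TRUSTED_KEYS=""' >> .config

	# enable IKCONFIG so that /proc/config.gz can be used for various checks
	# TODO: Maybe not a good idea for USE=hardened, look into this...
	echo "CONFIG_IKCONFIG=y" >> .config
	echo "CONFIG_IKCONFIG_PROC=y" >> .config

	if use custom-cflags; then
		# Take the -march= word from the user's CFLAGS (as portage resolves them)
		# and substitute it for kbuild's -mtune=generic. Only arch/x86/Makefile
		# is touched, so this is a no-op on arm/arm64.
		local march
		march="$(python -c "import portage; print(portage.settings[\"CFLAGS\"])" | sed 's/ /\n/g' | grep "march" | head -n1)"
		if [[ -n ${march} ]]; then
			# double quotes: with single quotes the Makefile ended up containing
			# the literal text '$MARCH' instead of the flag
			sed -i -e "s/-mtune=generic/${march}/g" arch/x86/Makefile || die "Canna optimize this kernel anymore, captain!"
		fi
	fi

	# only enable debugging symbols etc if USE=debug...
	if use debug; then
		echo "CONFIG_DEBUG_INFO=y" >> .config
	else
		echo "CONFIG_DEBUG_INFO=n" >> .config
		# turn off every CONFIG_DEBUG_* symbol Debian enabled
		sed -i -e "s/^CONFIG_DEBUG\(.*\)=.*/CONFIG_DEBUG\1=n/g" .config || die "failed to disable CONFIG_DEBUG_* options"
	fi

	if use dtrace; then
		echo "CONFIG_WAITFD=y" >> .config
	fi

	# these options should already be set, but are a hard dependency for ec2, so we ensure they are set if USE=ec2
	if use ec2; then
		echo "CONFIG_BLK_DEV_NVME=y" >> .config
		echo "CONFIG_XEN_BLKDEV_FRONTEND=m" >> .config
		echo "CONFIG_XEN_BLKDEV_BACKEND=m" >> .config
		echo "CONFIG_IXGBEVF=m" >> .config
	fi

	# hardening opts
	# TODO: document these
	if use hardened; then
		echo "CONFIG_AUDIT=y" >> .config
		echo "CONFIG_EXPERT=y" >> .config
		echo "CONFIG_SLUB_DEBUG=y" >> .config
		echo "CONFIG_SLAB_MERGE_DEFAULT=n" >> .config
		echo "CONFIG_SLAB_FREELIST_RANDOM=y" >> .config
		echo "CONFIG_SLAB_FREELIST_HARDENED=y" >> .config
		echo "CONFIG_SLAB_CANARY=y" >> .config
		echo "CONFIG_SHUFFLE_PAGE_ALLOCATOR=y" >> .config
		echo "CONFIG_RANDOMIZE_BASE=y" >> .config
		echo "CONFIG_RANDOMIZE_MEMORY=y" >> .config
		echo "CONFIG_HIBERNATION=n" >> .config
		echo "CONFIG_HARDENED_USERCOPY=y" >> .config
		echo "CONFIG_HARDENED_USERCOPY_FALLBACK=n" >> .config
		echo "CONFIG_FORTIFY_SOURCE=y" >> .config
		echo "CONFIG_STACKPROTECTOR=y" >> .config
		echo "CONFIG_STACKPROTECTOR_STRONG=y" >> .config
		echo "CONFIG_ARCH_MMAP_RND_BITS=32" >> .config
		echo "CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16" >> .config
		echo "CONFIG_INIT_ON_FREE_DEFAULT_ON=y" >> .config
		echo "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y" >> .config
		echo "CONFIG_SLAB_SANITIZE_VERIFY=y" >> .config
		echo "CONFIG_PAGE_SANITIZE_VERIFY=y" >> .config

		# gcc plugins (not available when building with clang)
		if ! use clang; then
			echo "CONFIG_GCC_PLUGINS=y" >> .config
			echo "CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y" >> .config
			echo "CONFIG_GCC_PLUGIN_STRUCTLEAK=y" >> .config
			echo "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y" >> .config
			echo "CONFIG_GCC_PLUGIN_STACKLEAK=y" >> .config
			echo "CONFIG_STACKLEAK_TRACK_MIN_SIZE=100" >> .config
			echo "CONFIG_STACKLEAK_METRICS=n" >> .config
			echo "CONFIG_STACKLEAK_RUNTIME_DISABLE=n" >> .config
			echo "CONFIG_GCC_PLUGIN_RANDSTRUCT=y" >> .config
			echo "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n" >> .config
		fi

		# main hardening options complete... anything after this point is a focus on disabling potential attack vectors
		# i.e legacy drivers, new complex code that isn't yet proven, or code that we really don't want in a hardened kernel.
		echo 'CONFIG_KEXEC=n' >> .config
		echo "CONFIG_KEXEC_FILE=n" >> .config
		echo 'CONFIG_KEXEC_SIG=n' >> .config
	fi

	# mcelog is deprecated, but there are still some valid use cases and requirements for it... so stick it behind a USE flag for optional kernel support.
	if use mcelog; then
		echo "CONFIG_X86_MCELOG_LEGACY=y" >> .config
	fi

	# sign kernel modules with the key from /etc/kernel/certs/
	if use sign-modules; then
		# Deliberately global (no 'local'): src_install reads certs_dir when it
		# signs the installed modules.
		certs_dir=$(get_certs_dir)
		echo
		if [[ -z ${certs_dir} ]]; then
			eerror "No certs dir found in /etc/kernel/certs; aborting."
			die
		else
			einfo "Using certificate directory of ${certs_dir} for kernel module signing."
		fi
		echo

		# turn on options for signing modules.
		echo 'CONFIG_MODULE_SIG=y' >> .config
		# FORCE=n: unsigned modules still load (with a taint warning) unless
		# module.sig_enforce=1 is passed at boot -- see the ewarn below.
		echo 'CONFIG_MODULE_SIG_FORCE=n' >> .config
		# ALL=n: kbuild does not sign at modules_install; src_install signs
		# each .ko itself with scripts/sign-file.
		echo 'CONFIG_MODULE_SIG_ALL=n' >> .config

		# LibreSSL currently (2.9.0) does not have CMS support, so is limited to SHA1.
		# https://bugs.gentoo.org/706086
		# https://bugzilla.kernel.org/show_bug.cgi?id=202159
		if use libressl; then
			echo 'CONFIG_MODULE_SIG_HASH="sha1"' >> .config
		else
			echo 'CONFIG_MODULE_SIG_HASH="sha512"' >> .config
		fi
		# double quotes: the previous single-quoted form wrote the literal
		# text ${certs_dir} into .config, so the key path never resolved
		echo "CONFIG_MODULE_SIG_KEY=\"${certs_dir}/signing_key.pem\"" >> .config
		echo 'CONFIG_SYSTEM_TRUSTED_KEYRING=y' >> .config
		echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' >> .config
		echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE="4096"' >> .config

		# See above comment re: LibreSSL
		if use libressl; then
			echo "CONFIG_MODULE_SIG_SHA1=y" >> .config
		else
			echo "CONFIG_MODULE_SIG_SHA512=y" >> .config
		fi

		ewarn "This kernel will ALLOW non-signed modules to be loaded with a WARNING."
		ewarn "To enable strict enforcement, YOU MUST add module.sig_enforce=1 as a kernel boot"
		ewarn "parameter (to params in /etc/boot.conf, and re-run boot-update.)"
		echo
	fi

	# enable wireguard support within kernel
	if use wireguard; then
		echo 'CONFIG_WIREGUARD=m' >> .config
		# there are some other options, but I need to verify them first, so I'll start with this
	fi

	# get config into good state: resolve the appended overrides and take
	# defaults for anything new, then stash the result and clean the tree
	yes "" | make oldconfig >/dev/null 2>&1 || die
	cp .config "${T}"/.config || die
	make -s mrproper || die "make mrproper failed"

	# Apply any user patches
	eapply_user
}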
# USE=binary only: set up the make arguments for the cross-aware build and
# prepare an out-of-tree build directory (${WORKDIR}/build) from ${T}/.config.
src_configure() {
	use binary || return 0

	debug-print-function "${FUNCNAME}" "${@}"
	tc-export_build_env

	# Deliberately global: src_compile and src_install reuse the same arguments.
	MAKEARGS=(
		V=1
		HOSTCC="$(tc-getBUILD_CC)"
		HOSTCXX="$(tc-getBUILD_CXX)"
		HOSTCFLAGS="${BUILD_CFLAGS}"
		HOSTLDFLAGS="${BUILD_LDFLAGS}"
		CROSS_COMPILE=${CHOST}-
		AS="$(tc-getAS)"
		CC="$(tc-getCC)"
		LD="$(tc-getLD)"
		AR="$(tc-getAR)"
		NM="$(tc-getNM)"
		STRIP=":"
		OBJCOPY="$(tc-getOBJCOPY)"
		OBJDUMP="$(tc-getOBJDUMP)"
		# kbuild's ARCH (x86/arm/arm64) differs from portage's; pass it
		# explicitly to override the colliding Gentoo envvar
		ARCH=$(tc-arch-kernel)
	)

	local modprep="${WORKDIR}/modprep"
	mkdir -p "${modprep}" || die
	cp "${T}"/.config "${modprep}"/ || die
	emake O="${modprep}" "${MAKEARGS[@]}" olddefconfig || die "kernel configure failed"
	emake O="${modprep}" "${MAKEARGS[@]}" modules_prepare || die "modules_prepare failed"
	# the prepared tree becomes the real build directory
	cp -pR "${modprep}" "${WORKDIR}"/build || die
}
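# USE=binary only: build kernel and modules in ${WORKDIR}/build using the
# MAKEARGS populated by src_configure.
src_compile() {
	use binary || return 0
	debug-print-function "${FUNCNAME}" "${@}"
	# '|| die' -- the original '|| "kernel build failed"' tried to run the
	# message as a command instead of aborting the build
	emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || die "kernel build failed"
}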
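# Install the patched sources to /usr/src/linux-<kver> and, for USE=binary,
# the kernel image, modules (and dtbs on arm/arm64), then fix up the module
# tree's build/source symlinks and sign every .ko with the certs_dir key.
# <kver> is ${DEB_PV_BASE}${MODULE_EXT}, the same string kbuild produces.
src_install() {
	debug-print-function "${FUNCNAME}" "${@}"

	# TODO: Change to SANDBOX_WRITE=".." for installkernel writes
	# Disable sandbox: installkernel below writes straight into ${EROOT}/boot,
	# which is outside ${D}.
	export SANDBOX_ON=0

	local kver="${DEB_PV_BASE}${MODULE_EXT}"
	local src_dest="${D}/usr/src/linux-${kver}"

	# copy sources into place:
	dodir /usr/src
	cp -a "${S}" "${src_dest}" || die "failed to install kernel sources"
	cd "${src_dest}" || die "failed to enter ${src_dest}"

	# prepare for real-world use and 3rd-party module building:
	make mrproper || die
	cp "${T}"/.config .config || die
	cp -a "${WORKDIR}"/debian debian || die

	# if we didn't use genkernel, we're done. The kernel source tree is left in
	# an unconfigured state - you can't compile 3rd-party modules against it yet.
	use binary || return 0

	make prepare || die
	make scripts || die

	local targets=( modules_install )
	# ARM / ARM64 requires dtb
	if use arm || use arm64; then
		targets+=( dtbs_install )
	fi
	emake O="${WORKDIR}"/build "${MAKEARGS[@]}" INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"

	# The built image lives under the kbuild arch directory; the old hard-coded
	# arch/x86_64 path only existed as a symlink on 64-bit x86 builds.
	# REAL_ARCH is portage's ARCH saved in pkg_setup.
	local kernel_image
	case "${REAL_ARCH}" in
		x86|amd64) kernel_image="arch/x86/boot/bzImage" ;;
		arm)       kernel_image="arch/arm/boot/zImage" ;;
		arm64)     kernel_image="arch/arm64/boot/Image" ;;
		*)         die "Architecture ${REAL_ARCH} not handled in ebuild" ;;
	esac
	[[ -e ${WORKDIR}/build/${kernel_image} ]] || die "kernel image ${kernel_image} not found in build directory"
	installkernel "${kver}" "${WORKDIR}/build/${kernel_image}" "${WORKDIR}/build/System.map" "${EROOT}/boot"

	# module symlink fix-up: modules_install points build/source at ${WORKDIR};
	# replace them with the installed /usr/src/linux-<kver> (same name MODULE_EXT
	# gives the directory above, including any -rN revision)
	local moddir="${D}/lib/modules/${kver}"
	rm -rf "${moddir}"/source || die "failed to remove old kernel source symlink"
	rm -rf "${moddir}"/build || die "failed to remove old kernel build symlink"
	ln -s "/usr/src/linux-${kver}" "${moddir}"/source || die "failed to create kernel source symlink"
	ln -s "/usr/src/linux-${kver}" "${moddir}"/build || die "failed to create kernel build symlink"

	# Fixes FL-14
	cp "${WORKDIR}/build/System.map" "${src_dest}"/ || die "failed to install System.map"
	cp "${WORKDIR}/build/Module.symvers" "${src_dest}"/ || die "failed to install Module.symvers"

	if use sign-modules; then
		# certs_dir is the global set by src_prepare via get_certs_dir.
		[[ -n ${certs_dir} ]] || die "sign-modules enabled but certs_dir is unset"
		# Use the same digest src_prepare wrote into CONFIG_MODULE_SIG_HASH.
		local sig_hash
		sig_hash="$(usex libressl sha1 sha512)"
		# NUL-delimited walk so module paths with spaces cannot split; the
		# loop runs in this shell (process substitution), so 'die' works.
		local module
		while IFS= read -r -d '' module; do
			"${WORKDIR}"/build/scripts/sign-file "${sig_hash}" "${certs_dir}/signing_key.pem" "${certs_dir}/signing_key.x509" "${module}" \
				|| die "failed to sign ${module}"
		done < <(find "${D}"/lib/modules -iname '*.ko' -print0)

		# install the sign-file executable for future use, next to the sources
		# it belongs to (the old path mixed in ${PV} and ${P} and never matched
		# the installed tree)
		exeinto "/usr/src/linux-${kver}/scripts"
		doexe "${WORKDIR}"/build/scripts/sign-file
	fi
}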
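# Post-install: optional /usr/src/linux symlink (USE=symlink), depmod for the
# new module tree, a dracut initramfs plus boot-loader update (USE=binary), and
# the user-facing warnings about hardened kernels and out-of-tree modules.
pkg_postinst() {
	# TODO: Change to SANDBOX_WRITE=".." for Dracut writes
	export SANDBOX_ON=0

	local kver="${DEB_PV_BASE}${MODULE_EXT}"

	# if USE=symlink...
	if use symlink; then
		local src_link="${EROOT}/usr/src/linux"
		# delete the existing symlink if one exists (never a real directory)
		if [[ -h ${src_link} ]]; then
			rm "${src_link}" || die "failed to remove existing ${src_link}"
		fi
		# and now symlink the newly installed sources
		ewarn ""
		ewarn "WARNING... WARNING... WARNING"
		ewarn ""
		ewarn "/usr/src/linux symlink automatically set to linux-${kver}"
		ewarn ""
		# relative target: an absolute "${EROOT}/usr/src/..." target is wrong from
		# inside the target root whenever EROOT != /. -n stops ln from creating
		# the link inside ${src_link} should it be a directory.
		ln -sfn "linux-${kver}" "${src_link}" || die "failed to create ${src_link} symlink"
	fi

	# if there's a modules folder for these sources, generate modules.dep and map files
	if [[ -d ${EROOT}/lib/modules/${kver} ]]; then
		depmod -a -b "${EROOT}" "${kver}" || ewarn "depmod failed for ${kver}"
	fi

	# NOTE: WIP and not well tested yet.
	#
	# Dracut will build an initramfs when USE=binary.
	#
	# The initramfs will be configurable via USE, i.e.
	# USE=zfs will pass '--zfs' to Dracut
	# USE=-systemd will pass '--omit dracut-systemd systemd systemd-networkd systemd-initrd' to exclude these (Dracut) modules from the initramfs.
	#
	# NOTE 2: this will create a fairly.... minimal, and modular initramfs. It has been tested with things with ZFS and LUKS, and 'works'.
	# Things like network support have not been tested (I am currently unsure how well this works with Gentoo Linux based systems),
	# and may end up requiring network-manager for decent support (this really needs further research).
	if use binary; then
		einfo ""
		einfo ">>> Dracut: building initramfs"
		dracut \
			--stdlog=5 \
			--force \
			--no-hostonly \
			--add "base fs-lib i18n kernel-modules network qemu qemu-net rootfs-block shutdown terminfo udev-rules usrmount" \
			--omit "biosdevname bootchart busybox caps convertfs dash debug dmsquash-live dmsquash-live-ntfs fcoe fcoe-uefi fstab-sys gensplash ifcfg img-lib livenet mksh network-manager rpmversion securityfs ssh-client stratis syslog url-lib" \
			$(usex btrfs "-a btrfs" "-o btrfs") \
			$(usex dmraid "-a dmraid -a dm" "-o dmraid") \
			$(usex hardened "-o resume" "-a resume") \
			$(usex iscsi "-a iscsi" "-o iscsi") \
			$(usex lvm "-a lvm -a dm" "-o lvm") \
			$(usex lvm "--lvmconf" "--nolvmconf") \
			$(usex luks "-a crypt" "-o crypt") \
			$(usex mdadm "--mdadmconf" "--nomdadmconf") \
			$(usex mdadm "-a mdraid" "-o mdraid") \
			$(usex microcode "--early-microcode" "--no-early-microcode") \
			$(usex multipath "-a multipath -a dm" "-o multipath") \
			$(usex nbd "-a nbd" "-o nbd") \
			$(usex nfs "-a nfs" "-o nfs") \
			$(usex plymouth "-a plymouth" "-o plymouth") \
			$(usex selinux "-a selinux" "-o selinux") \
			$(usex systemd "-a systemd -a systemd-initrd -a systemd-networkd" "-o systemd -o systemd-initrd -o systemd-networkd") \
			$(usex zfs "-a zfs" "-o zfs") \
			--kmoddir "${EROOT}/lib/modules/${kver}" \
			--fwdir "${EROOT}/lib/firmware" \
			"${EROOT}/boot/initrd-${kver}" "${kver}" || die ">>>Dracut: Building initramfs failed"
		einfo ""
		einfo ">>> Dracut: Finished building initramfs"
		ewarn ""
		ewarn "WARNING... WARNING... WARNING..."
		ewarn ""
		ewarn "Dracut initramfs has been generated!"
		ewarn ""
		ewarn "Required kernel arguments:"
		ewarn ""
		ewarn " root=/dev/ROOT"
		ewarn ""
		ewarn " Where ROOT is the device node for your root partition as the"
		ewarn " one specified in /etc/fstab"
		ewarn ""
		ewarn "Additional kernel cmdline arguments that *may* be required to boot properly..."
		ewarn ""
		ewarn "If you use hibernation:"
		ewarn ""
		ewarn " resume=/dev/SWAP"
		ewarn ""
		# "SWAP" is a placeholder; the previous "$SWAP" expanded to nothing
		ewarn " Where SWAP is the swap device used by hibernate software of your choice."
		ewarn ""
		ewarn ' Please consult "man 7 dracut.kernel" for additional kernel arguments.'
	fi

	# warn about the issues with running a hardened kernel
	if use hardened; then
		ewarn ""
		ewarn "WARNING... WARNING... WARNING..."
		ewarn ""
		ewarn "Hardened patches have been applied to the kernel and KCONFIG options have been set."
		ewarn "These KCONFIG options and patches change kernel behavior."
		ewarn "Changes include:"
		ewarn "Increased entropy for Address Space Layout Randomization"
		ewarn "GCC plugins (if using GCC)"
		ewarn "Memory allocation"
		ewarn "... and more"
		ewarn ""
		ewarn "These changes will stop certain programs from functioning"
		ewarn "e.g. VirtualBox, Skype"
		# NOTE(review): DOCUMENTATION is not set anywhere in this ebuild, so this
		# line currently prints an empty reference -- confirm the intended target.
		ewarn "Full information available in ${DOCUMENTATION}"
		ewarn ""
	fi

	# if there are out-of-tree kernel modules detected, warn warn warn
	# TODO: tidy up below
	if use binary && [[ -e ${EROOT}/var/lib/module-rebuild/moduledb ]]; then
		ewarn ""
		ewarn "WARNING... WARNING... WARNING..."
		ewarn ""
		ewarn "External kernel modules are not yet automatically built"
		ewarn "by USE=binary - emerge @modules-rebuild to do this"
		ewarn "and regenerate your initramfs if you are using ZFS root filesystem"
		ewarn ""
	fi

	# refresh the boot-loader configuration so the new kernel/initramfs are listed
	if use binary && [[ -e /etc/boot.conf ]]; then
		ego boot update
	fi
}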