* receive: treat packet checking as irrelevant for timers
Small simplification to the state machine, as discussed with Mathias
Hall-Andersen.
* socket: check for null socket before fishing out sport
* wg-quick: ifnames have max len of 15
* tools: plug memleak in config error path
Important bug fixes.
* external-tests: add python implementation
Piotr Lizonczyk has contributed a test vector written in Python.
* poly1305: remove indirect calls
From Samuel Neves, we now are in a better position to mitigate speculative
execution attacks.
* curve25519: modularize implementation
* curve25519: import 32-bit fiat-crypto implementation
* curve25519: import 64-bit hacl-star implementation
* curve25519: resolve symbol clash between fe types
* curve25519: wire up new impls and remove donna
* tools: import new curve25519 implementations
* contrib: keygen-html: update curve25519 implementation
Two of our Curve25519 implementations now use formally verified C. Read this
mailing list post for more information:
https://lists.zx2c4.com/pipermail/wireguard/2018-January/002304.html
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
- Enable RETPOLINE by default. Note, however, this will
only be used if the compiler supports it.
- Enable sysfs interface for vulnerabilities
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.4.14 has a number of important fixes/additions:
- New support for retpolines (enabled but requires newer gcc
to take advantage of). This provides mitigation for Spectre
style attacks.
- Various KPTI fixes including fixes for EFI booting
- More eBPF fixes around out-of-bounds and overflow of
maps. These were used for variant 1 of CVE-2017-5753.
- Several KVM related to CVE-2017-5753, CVE-2017-5715,
CVE-2017-17741.
- New sysfs interface listing vulnerabilities:
/sys/devices/system/cpu/vulnerabilities
The 4.9.77 kernel also has seems to have most/all of the above
back-ported.
See https://lwn.net/SubscriberLink/744287/1fc3c18173f732e7/
for more details on the Spectre mitigation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
If the flag is set on push, then the image will have the license
set to enabled the currently experimental netsted virtualisation
feature. The flag currently also needs to be set on run to make
sure the right CPU model (at least Haswell) is selected.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This package is primarily for users of custom or foreign
kernels which may have drivers enabled for which the
'firmware' package does not contain the firmware blobs.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This new 'firmware' package contains the firmware blobs required
by the device drivers in a LinuxKit kernel. The list of required
blobs is determined by calling 'modinfo' on each module.
We also unconditionally include the AMD CPU microcode and the
licence files.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
go_vet (via https://goreportcard.com/report/github.com/linuxkit/linuxkit)
reported:
error: missing argument for Printf("%v"): format reads arg 2, have only 1 args (vet)
error: wrong number of args for format in Printf call: 2 needed but 3 args (vet)
Signed-off-by: Ian Campbell <ijc@docker.com>
DOwnload and verify the Intel microcode package and convert it
to a cpio archive which can be prepended to the initrd.
It also adds the license file to the kernel package.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The iucode_tool is used to convert the Intel CPU microcode
binaries into a cpio archive. There is no alpine package
for it, so compile it from source.
This is for x86_64 only and on other archs we create a empty
file.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
