The 4.4.14 has a number of important fixes/additions:
- New support for retpolines (enabled but requires newer gcc
to take advantage of). This provides mitigation for Spectre
style attacks.
- Various KPTI fixes including fixes for EFI booting
- More eBPF fixes around out-of-bounds and overflow of
maps. These were used for variant 1 of CVE-2017-5753.
- Several KVM related to CVE-2017-5753, CVE-2017-5715,
CVE-2017-17741.
- New sysfs interface listing vulnerabilities:
/sys/devices/system/cpu/vulnerabilities
The 4.9.77 kernel also has seems to have most/all of the above
back-ported.
See https://lwn.net/SubscriberLink/744287/1fc3c18173f732e7/
for more details on the Spectre mitigation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This looks like there are a couple of minor fixes to the
recent KPTI changes but nothing major...
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This contains the fixes to the eBPF verifier which allowed
privilege escalation in 4.9 and 4.14 kernels.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
For 'build_perf_' and 'build_zfs_' targets in the Makefile,
since both of them are dependends on the build_$(2)$(3) target,
So, we pull the image with DCT as part of the dependency on build_$(2)$(3)
and then build with DOCKER_CONTENT_TRUST explicitly set to 0.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
The kernel config files are a copy of the 4.13 kernel configs,
which will be refined in subsequent commits.
This does not yet include any patches which may
be required for LCOW.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Note: There were more conflicts in applying the
vmbus patches to 4.13. For now I've just skipped the
conflicting patches so the end-result may be that
Hyper-V sockets on 4.13 may break (if they were not
already broken by the update to 4.13.6).
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
It's kinda obvious that these are kernel configuration files
and, looking at various other distros it seems more common
to call the files 'config-<foo>'.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
NOTE: Some of the 4.13.x VMBus patches did not apply cleanly and they
were dropped for now. This may break LCOW and other Windows support.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The patches from 4.12 applied cleanly, except for 81304747d9
("Drivers: hv: vmbus: Fix rescind handling"), which was already
in upstream so has been dropped from the patch series.
The kernel config is from 4.12 run through defconfig/oldconfig to
pick up any new defaults.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This adds building the zfs-kmod package to the kernel build.
The zfs-kmod packages contains the matching ZFS kernel modules
for a given kernel in /lib/modules/$(uname -r)/extra.
The zfs-kmod package also contains the standard kernel modules
and depmod is run over them so that modprobe works
The zfs-kmod package is not build by default due to unclarity
about licenses. Users will have to build it themselves.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Note, on x86_64 for 4.12.9 a new kernel option,
HARDLOCKUP_CHECK_TIMESTAMP was added which defaults to enabled. It enables
a low pass filter to compensate for perf based hard lockup detection.
Added this option to the x86_64 4.12.x kernel confog file.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Due to https://github.com/moby/moby/issues/34199 we can't supply
the FROM image via --build-arg and use DOCKER_CONTENT_TRUST=1 for build.
So we pull the image with DCT and then explicitly build it without.
This regression was introduced with 8b84baf2 ("kernel: Allow disabling content trust")
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
For some use cases, we may want to add additional kernel
configuration options (e.g. when adding AUFS). This commit
enables it by:
- renaming DEBUG to EXTRA
- append kernel_config${EXTRA} to the kernel config
- allowing passing in an EXTRA argument to the make file
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
specifying NOTRUST=1 on the make command line disables
content trust just like with packages.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
