The 4.14.38 kernel backported the Spectre mitigation requiring
a change of the kernel config.
Might as well enable the mitigations by default.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This is useful for some baremetal configs, such as using
USB sticks on a RPi3. I enabled it for x86_64 as well
to keep the differences smaller.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@gmail.com>
Note, the depending SERIAL_DEV_CTRL_TTYPORT defaults to
'N' with the 4.14.x kernel and 'Y' for the 4.16.x kernel.
I chose to stick with the defaults.
This may fix the serial console issue I've seen on the RPi3
with 4.14.x kernels.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@gmail.com>
The s390x build VM we have access to is quite slow. Dropping
the 4.15.x kernel, which soon will be EOLed anyway, to
save some time.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
For example kernel module signatures if you do not provide a key. So add
to the dependencies for kernel builds.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
The kernel config is based on the 4.15.x kernel config
run through 'make defconfig && make oldconfig' and then
tweaked a little by hand.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
There are too many kernels to compile and arm64 takes a bit
too long to compile even on a beefy arm64 server.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@gmail.com>
These fix some issues around hot-unplugging devices which may be the cause
of some LCOW issues we are seeing.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@gmail.com>
Enable the Integrity Measurement Architecture (IMA) for 4.14.x
and 4.15.x kernels. This pretty much uses the defaults except we
also enable INTEGRITY_ASYMMETRIC_KEYS and IMA_READ_POLICY. The
latter may be useful for debugging.
For s390x we also needed to enable TPM support.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Disable all network device drivers apart from Mellanox, which
is the only supported NIC on s390x
- Disable Fusion MPT
- Disable DAX/NVMEM/NVME
- Disable USB
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
While this now has some duplication, it is clearer as to which
kernels are compiled for each architecture.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Update building process to add s390 support.
The patch serial-forbid-8250-on-s390.patch has been added to disable
8250 serial for s390.
The patch is available upstream https://patchwork.kernel.org/patch/10106437/
but it is not backported.
Signed-off-by: Alice Frosi <alice@linux.vnet.ibm.com>
Also remove the 4.4 patch which should have been removed by
231cead2cc ("kernel: Update to 4.15.4/4.14.20/4.9.82/4.4.116")
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
We may soon get another arch, so wanted to set the template
for having per arch list of kernels to compile.
While at it also drop the 4.4.x kernel for arm64. We never really
tested it and folks should be on 4.9 or 4.14 anyway. I'll leave
4.4.x for x86 for now as it might be useful to test for regressions.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
In order to cut the number of kernels we build, remove the debug
kernel for the now non-default 4.9.x series.
Also remove the -rt debug kernel. Users who need it can build
it themselves with 'make EXTRA=-rt DEBUG=-dbg build_4.14.x'
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
These are part of the Meltdown/Spectre mitigations for arm64
now available for 4.14 and 4.15
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.14.20 update has Meltdown/Spectre fixes for arm64
The 4.4.116 update incorporates the proper fix for the
div by zero crash in the firmware loader, so the patch
with the hackish workaround was dropped.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
In order to get such a preempt-rt Linux kernel, we grab the -rt patch via
https://www.kernel.org/pub/linux/kernel/projects/rt/. So far we just enable it
over 4.14.x.
Signed-off-by: Tiejun Chen <tiejun.china@gmail.com>
This should make debugging a lot easier. Note, 991f8f1c6eb6
("hyper-v: trace channel events"), patch 18, required some
minor modifications from upstream as another patch was not easy
to cherry-pick.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Drop the hack for the microcode division by 0 on GCP as
a proper fix is in upstream as:
2760f452a718 ("x86/microcode: Do the family check first")
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
These kernels have significant changes/additions for Spectre
mitigation as well as the usual other set of fixes.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The CONFIG_BPF_JIT_ALWAYS_ON option has now been back-ported
to 4.4.115 as well. Enable it.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This adds a patch to avoid a division by zero panic for 4.4.x
and 4.9.x kernels on single vCPU machine types on Google Cloud.
4.14.x and 4.15.x kernels seem to work fine.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This option is not enabled by default, but disables the
BPF interpreter which can be used to inject speculative
execution into the kernel. Enabled it as it seems
like a good security measure.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.14 and 4.9 kernels have a significant number of
fixes to eBPF and also a fix for kernel level sockets
and namespace removals, i.e. fixes some aspects of
https://github.com/moby/moby/issues/5618
"unregister_netdevice: waiting for lo to become free"
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
* receive: treat packet checking as irrelevant for timers
Small simplification to the state machine, as discussed with Mathias
Hall-Andersen.
* socket: check for null socket before fishing out sport
* wg-quick: ifnames have max len of 15
* tools: plug memleak in config error path
Important bug fixes.
* external-tests: add python implementation
Piotr Lizonczyk has contributed a test vector written in Python.
* poly1305: remove indirect calls
From Samuel Neves, we now are in a better position to mitigate speculative
execution attacks.
* curve25519: modularize implementation
* curve25519: import 32-bit fiat-crypto implementation
* curve25519: import 64-bit hacl-star implementation
* curve25519: resolve symbol clash between fe types
* curve25519: wire up new impls and remove donna
* tools: import new curve25519 implementations
* contrib: keygen-html: update curve25519 implementation
Two of our Curve25519 implementations now use formally verified C. Read this
mailing list post for more information:
https://lists.zx2c4.com/pipermail/wireguard/2018-January/002304.html
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
- Enable RETPOLINE by default. Note, however, this will
only be used if the compiler supports it.
- Enable sysfs interface for vulnerabilities
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.4.14 has a number of important fixes/additions:
- New support for retpolines (enabled but requires newer gcc
to take advantage of). This provides mitigation for Spectre
style attacks.
- Various KPTI fixes including fixes for EFI booting
- More eBPF fixes around out-of-bounds and overflow of
maps. These were used for variant 1 of CVE-2017-5753.
- Several KVM related to CVE-2017-5753, CVE-2017-5715,
CVE-2017-17741.
- New sysfs interface listing vulnerabilities:
/sys/devices/system/cpu/vulnerabilities
The 4.9.77 kernel also seems to have most/all of the above
back-ported.
See https://lwn.net/SubscriberLink/744287/1fc3c18173f732e7/
for more details on the Spectre mitigation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Download and verify the Intel microcode package and convert it
to a cpio archive which can be prepended to the initrd.
It also adds the license file to the kernel package.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This looks like there are a couple of minor fixes to the
recent KPTI changes but nothing major...
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This is the new Kernel Page Table Isolation (KPTI,
formerly KAISER) introduced with 4.14.11 (and in
4.15.rcX).
KPTI runs the kernel and userspace off separate
pagetables (and uses PCID on more recent processors
to minimise the TLB flush penalty). It comes with
a performance hit but is enabled by default as a
workaround around some serious, not yet disclosed,
bug in Intel processors.
When enabled in the kernel config, KPTI will be
dynamically enabled at boot time depending on the
CPU it is executing (currently all Intel x86 CPUs).
Depending on the environment, you may choose to
disable it using 'pti=off' on the kernel commandline.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
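Added example, not part of the commit messages on this page: shell functions that check a kernel config for the mitigation options these commits enable (KPTI, RETPOLINE, CONFIG_BPF_JIT_ALWAYS_ON, the sysfs vulnerabilities interface), list the entries of a vulnerabilities directory that still report "Vulnerable", and detect 'pti=off' on a kernel command line. The symbol names CONFIG_PAGE_TABLE_ISOLATION and CONFIG_GENERIC_CPU_VULNERABILITIES and the 'nopti' alias are the 4.14-era x86 names and do not appear on the page; the function names and all sample data are constructed.

```shell
#!/bin/sh
# x86 symbol names as used by 4.14-era kernels (assumption for other trees).
REQUIRED_OPTS="CONFIG_PAGE_TABLE_ISOLATION CONFIG_RETPOLINE
CONFIG_BPF_JIT_ALWAYS_ON CONFIG_GENERIC_CPU_VULNERABILITIES"

# missing_opts FILE: print every required option that is not '=y' in FILE.
missing_opts() {
    for opt in $REQUIRED_OPTS; do
        grep -q "^${opt}=y\$" "$1" || printf '%s\n' "$opt"
    done
}

# vulnerable_entries DIR: print each entry whose status starts with "Vulnerable".
vulnerable_entries() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) printf '%s\n' "${f##*/}" ;;
        esac
    done
}

# pti_disabled FILE: succeed if the command line in FILE turns KPTI off.
pti_disabled() {
    tr ' ' '\n' < "$1" | grep -qx -e 'pti=off' -e 'nopti'
}

# Constructed sample input (not taken from a real host).
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/vulnerabilities"
cat > "$SAMPLE/config" <<'EOF'
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_GENERIC_CPU_VULNERABILITIES=y
EOF
echo 'Mitigation: PTI' > "$SAMPLE/vulnerabilities/meltdown"
echo 'Vulnerable' > "$SAMPLE/vulnerabilities/spectre_v1"
echo 'Vulnerable: Minimal generic ASM retpoline' > "$SAMPLE/vulnerabilities/spectre_v2"
echo 'console=ttyS0 pti=off' > "$SAMPLE/cmdline"

echo "missing options:  $(missing_opts "$SAMPLE/config")"
echo "still vulnerable: $(vulnerable_entries "$SAMPLE/vulnerabilities" | tr '\n' ' ')"
pti_disabled "$SAMPLE/cmdline" && echo "KPTI disabled on the command line"
```

On a real host the three inputs would be the running kernel's config file, /sys/devices/system/cpu/vulnerabilities and /proc/cmdline.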
This contains the fixes to the eBPF verifier which allowed
privilege escalation in 4.9 and 4.14 kernels.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Commit 340d45d70850 ("locking/refcounts, x86/asm: Enable
CONFIG_ARCH_HAS_REFCOUNT") re-enabled the ARCH_HAS_REFCOUNT
again as default. Pick it up in our kernel config.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>