From 103d5672106c3f40aa5780eb5a01d0e9151fb30e Mon Sep 17 00:00:00 2001
From: Ali Polatel
Date: Wed, 24 Jul 2024 09:00:32 +0200
Subject: [PATCH 1/2] debian-sources: Version bump to 6.11.99
---
sys-kernel/debian-sources/Manifest | 4 ++--
...urces-6.1.55_p1.ebuild => debian-sources-6.1.99_p1.ebuild} | 0
2 files changed, 2 insertions(+), 2 deletions(-)
rename sys-kernel/debian-sources/{debian-sources-6.1.55_p1.ebuild => debian-sources-6.1.99_p1.ebuild} (100%)
diff --git a/sys-kernel/debian-sources/Manifest b/sys-kernel/debian-sources/Manifest
index adaddfdf..44643b86 100644
--- a/sys-kernel/debian-sources/Manifest
+++ b/sys-kernel/debian-sources/Manifest
@@ -4,5 +4,5 @@ DIST linux_5.17.6-1.debian.tar.xz 1311940 BLAKE2B 3f31f07248f578f28872ba2180cac7
 DIST linux_5.17.6.orig.tar.xz 130114880 BLAKE2B 8cce2deff2fc10806e0675b2318cde76c42da04177ce40e207902a5a2d85feafa51e820547eb284106f78b96581ad034c940135130a6a3d8c4079e408f7c2f2e SHA512 85e55a3d6bfe2e4eadcca88143ab6c06f4552edf2c270295333373bc835468f4283183b9761f9d9c38044edfd2fd6cd4a1a0547dae4358950a33de1fc728ef82
 DIST linux_5.18.5-1.debian.tar.xz 1325916 BLAKE2B c65ee75adce82f4c2b9e0b24f879f768c7096639486a8a5c1e8c94f50584d0cd3eb07339d07ee21e7ee9a16405fb233979376261e1ab580ddcc526782a890108 SHA512 23652040cb8992a7ebba4ad8965648ef37d69bbb2930afa133b7015e2f69df7f9d4b15f0dcf4c17511209f247781dd1a2557cb90003f979200a8e8cabbbc0143
 DIST linux_5.18.5.orig.tar.xz 131684092 BLAKE2B ea0ac781186824468e2b2601a668ce1ef648a91a4bfcd18b81fcae52311f4f9875843accde140f49f23f1116fd84a10509afc58d3c9325a04a199e7a955811aa SHA512 78be456080d88d90ac053137054f488120b05fc3e183a6ef2c8fec166f0d2fedfbec8135be3c5fb8199f8e23d3c7a9a0d64307bb50e00358a59b943bf469839d
-DIST linux_6.1.55-1.debian.tar.xz 1576156 BLAKE2B 8c978f9cbc50e0fc16703980e971d861a833a56b6d10bf37956571077e0814690cf916ebb45d41ce633fe880963cb84146619de54d341a4080110dafb470704a SHA512 4a7500d84138d804dd3a8fd59d3b48851bdd3a25cf3a5890a80c7de24edebf5358682e02d51be4440c39f78275a606362b73eaa074a309d96f71b717602f3d98
-DIST linux_6.1.55.orig.tar.xz 137442320 BLAKE2B 8229b5a1ed601ab92ee3fcb1fa98ccbe6d8da19f577265a6b46b6c96e342a885774918a0654da65b477901c8e4edb69d2ea4657ff3a428343c2429572a06a26e SHA512 d8a9a917f84a7059d3aa28d385319de47c5ff7213ac6a84292adb40f82c6777318d491eaf12b1caa43d0f2a86d67bdff4fd0960d08c36bb161113958667f9017
+DIST linux_6.1.99-1.debian.tar.xz 1650024 BLAKE2B 7c1a7def7e744813cfbf877b8a598ccff7d646606f90e3c354cddee9ae3447cf3fb0a63423c1ea12439bb7e242f7de4d7c2aa5464883baa4c3bc3e7847c7bef9 SHA512 0532b39b7454e6c9e4c67f35e946b355b00edf524d6d8f365ec6d49e7ae818f52438ff4254b5f372f1a4c6bef707aa7318318b3c7c2ecb4461f6e8b3d7e572dc
+DIST linux_6.1.99.orig.tar.xz 137645468 BLAKE2B 5a49e63de158ffc44247417c084688dfa40d264da485cc37b4b546c51b86114d7d372653332a667514e108eea6cdf5ae67d51af60eb1a65fd94a718dbcecba3d SHA512 69cec51ab5aedbf28044dd07480617c689edde132cf58770ec79e7f44ef4b11b3d45f95dffcb828547df440e47440ee4e577cc0b9096bb305ec23715b713f1ad
diff --git a/sys-kernel/debian-sources/debian-sources-6.1.55_p1.ebuild b/sys-kernel/debian-sources/debian-sources-6.1.99_p1.ebuild
similarity index 100%
rename from sys-kernel/debian-sources/debian-sources-6.1.55_p1.ebuild
rename to sys-kernel/debian-sources/debian-sources-6.1.99_p1.ebuild
From 32e2e1c98d0e5f7790ea09388a81c56b19969856 Mon Sep 17 00:00:00 2001
From: Ali Polatel
Date: Wed, 24 Jul 2024 09:03:37 +0200
Subject: [PATCH 2/2] debian-sources: Add latest stable 6.9.10
---
sys-kernel/debian-sources/Manifest | 2 +
.../debian-sources-6.1.99_p1.ebuild | 2 +-
.../debian-sources-6.9.10_p1.ebuild | 535 ++++++++++++++++++
.../debian-sources/files/config-extract-6.6 | 229 ++++++++
4 files changed, 767 insertions(+), 1 deletion(-)
create mode 100644 sys-kernel/debian-sources/debian-sources-6.9.10_p1.ebuild
create mode 100644 sys-kernel/debian-sources/files/config-extract-6.6
diff --git a/sys-kernel/debian-sources/Manifest b/sys-kernel/debian-sources/Manifest
index 44643b86..f75f66e8 100644
--- a/sys-kernel/debian-sources/Manifest
+++ b/sys-kernel/debian-sources/Manifest
@@ -6,3 +6,5 @@ DIST linux_5.18.5-1.debian.tar.xz 1325916 BLAKE2B c65ee75adce82f4c2b9e0b24f879f7
 DIST linux_5.18.5.orig.tar.xz 131684092 BLAKE2B ea0ac781186824468e2b2601a668ce1ef648a91a4bfcd18b81fcae52311f4f9875843accde140f49f23f1116fd84a10509afc58d3c9325a04a199e7a955811aa SHA512 78be456080d88d90ac053137054f488120b05fc3e183a6ef2c8fec166f0d2fedfbec8135be3c5fb8199f8e23d3c7a9a0d64307bb50e00358a59b943bf469839d
 DIST linux_6.1.99-1.debian.tar.xz 1650024 BLAKE2B 7c1a7def7e744813cfbf877b8a598ccff7d646606f90e3c354cddee9ae3447cf3fb0a63423c1ea12439bb7e242f7de4d7c2aa5464883baa4c3bc3e7847c7bef9 SHA512 0532b39b7454e6c9e4c67f35e946b355b00edf524d6d8f365ec6d49e7ae818f52438ff4254b5f372f1a4c6bef707aa7318318b3c7c2ecb4461f6e8b3d7e572dc
 DIST linux_6.1.99.orig.tar.xz 137645468 BLAKE2B 5a49e63de158ffc44247417c084688dfa40d264da485cc37b4b546c51b86114d7d372653332a667514e108eea6cdf5ae67d51af60eb1a65fd94a718dbcecba3d SHA512 69cec51ab5aedbf28044dd07480617c689edde132cf58770ec79e7f44ef4b11b3d45f95dffcb828547df440e47440ee4e577cc0b9096bb305ec23715b713f1ad
+DIST linux_6.9.10-1.debian.tar.xz 1550368 BLAKE2B bf4509aca52c2d587e4ae0b9fc3b471d55bc597775c250bb7245f78344b455c2f225af1a1d1baae1009316c511d0831d50ec9924aada7afbf00cb55de9e4182f SHA512 cfb23eea1951274d9542d1de59d45ed0b0115d26f6ae1094be7b69f72e366a56c90c1f06adcd90303ca748e1bd8e58946f095a7017a11d33993ab6d9cd73e6ea
+DIST linux_6.9.10.orig.tar.xz 146876388 BLAKE2B 52dc30a91df8fe95ae59b6f3d2fd1f7a314e3a4ca07bcdc0f7f5dfc257c44bf32e060c6707b351de7fd48f38b4a2903fcbb3aaa692f99e82a64e596316608e1b SHA512 8e7668ab32da5892734f24e20090b86e600fb2c10e550ff95232adc97214ccf80df69f76729f8658a05f403bae77b72d1f88bb8b143c538d7543d5d0f7d45945
diff --git a/sys-kernel/debian-sources/debian-sources-6.1.99_p1.ebuild b/sys-kernel/debian-sources/debian-sources-6.1.99_p1.ebuild
index b30f6573..9bfeebbb 100644
--- a/sys-kernel/debian-sources/debian-sources-6.1.99_p1.ebuild
+++ b/sys-kernel/debian-sources/debian-sources-6.1.99_p1.ebuild
@@ -170,7 +170,7 @@ src_prepare() { fi # Copy 'config-extract' tool to the work directory - cp "${FILESDIR}"/config-extract-6.1 config-extrac || die "failed to install config-extract to sources directory" + cp "${FILESDIR}"/config-extract-6.1 config-extract || die "failed to install config-extract to sources directory" # ... and make it executable chmod +x config-extract || die "failed to set +x on config-extract" diff --git a/sys-kernel/debian-sources/debian-sources-6.9.10_p1.ebuild b/sys-kernel/debian-sources/debian-sources-6.9.10_p1.ebuild new file mode 100644 index 00000000..0c3077bc --- /dev/null +++ b/sys-kernel/debian-sources/debian-sources-6.9.10_p1.ebuild 
@@ -0,0 +1,535 @@ +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit toolchain-funcs + +DESCRIPTION="Linux kernel sources with some additional patches." +HOMEPAGE="https://kernel.org" + +LICENSE="GPL-2" +KEYWORDS="~amd64" + +SLOT="${PV%%_p*}" + +RESTRICT="binchecks mirror strip" + +# general kernel USE flags +IUSE="build-kernel clang compress debug symlink" +# security +IUSE="${IUSE} hardened +kpti +retpoline selinux sign-modules" +# initramfs +IUSE="${IUSE} btrfs firmware luks lvm mdadm microcode plymouth systemd udev zfs" +# misc kconfig tweaks +IUSE="${IUSE} +mcelog +memcg +numa" + +BDEPEND=" + sys-devel/bc + debug? ( dev-util/pahole ) + sys-devel/flex + virtual/libelf + app-alternatives/yacc +" + +RDEPEND=" + build-kernel? ( sys-kernel/genkernel ) + btrfs? ( sys-fs/btrfs-progs ) + compress? ( sys-apps/kmod[lzma] ) + firmware? ( + sys-kernel/linux-firmware + ) + luks? ( sys-fs/cryptsetup ) + lvm? ( sys-fs/lvm2 ) + mdadm? ( sys-fs/mdadm ) + mcelog? ( app-admin/mcelog ) + plymouth? ( + x11-libs/libdrm[libkms] + sys-boot/plymouth[libkms,udev] + ) + sign-modules? ( + dev-libs/openssl + sys-apps/kmod + ) + zfs? ( sys-fs/zfs ) +" + +REQUIRED_USE=" + sign-modules? 
( build-kernel ) +" + + +KERNEL_VERSION="${PV%%_*}" +KERNEL_EXTRAVERSION="-debian" +KERNEL_FULL_VERSION="${KERNEL_VERSION}${KERNEL_EXTRAVERSION}" + +DEBIAN_UPSTREAM="https://ftp.debian.org/debian/pool/main/l/linux" +KERNEL_ARCHIVE="linux_${KERNEL_VERSION}.orig.tar.xz" +PATCH_ARCHIVE="linux_${PV/_p/-}.debian.tar.xz" + +SRC_URI=" + ${DEBIAN_UPSTREAM}/${KERNEL_ARCHIVE} + ${DEBIAN_UPSTREAM}/${PATCH_ARCHIVE} +" + +S="$WORKDIR/linux-${KERNEL_VERSION}" + +tweak_config() { + echo "$1" >> .config || die "failed to tweak \"$1\" in the kernel config" +} + +get_patch_list() { + [[ -z "${1}" ]] && die "No patch series file specified" + local patch_series="${1}" + while read line ; do + if [[ "${line:0:1}" != "#" ]] ; then + echo "${line}" + fi + done < "${patch_series}" +} + +get_certs_dir() { + # find a certificate dir in /etc/kernel/certs/ that contains signing cert for modules. + for subdir in ${PF} ${P} linux; do + certdir=/etc/kernel/certs/${subdir} + if [[ -d ${certdir} ]]; then + if [[ ! -e ${certdir}/signing_key.pem ]]; then + die "${certdir} exists but missing signing key; exiting." + exit 1 + fi + echo ${certdir} + return + fi + done +} + +pkg_pretend() { + + # a lot of hardware requires firmware + if ! use firmware; then + ewarn "sys-kernel/linux-firmware not found installed on your system." + ewarn "This package provides firmware that may be needed for your hardware to work." + fi +} + +pkg_setup() { + + export REAL_ARCH="${ARCH}" + + # will interfere with Makefile if set + unset ARCH + unset LDFLAGS +} + +src_unpack() { + + # unpack the kernel sources to ${WORKDIR} + unpack ${KERNEL_ARCHIVE} + + # unpack the kernel patches to ${WORKDIR} + unpack ${PATCH_ARCHIVE} +} + +src_prepare() { + + # punt Debian dev certs + rm -rf ${S}/debian/certs || die "failed to remove Debian certs" + +# PATCH: + + # todo + einfo "Applying Debian patches ..." 
+ for deb_patch in $( get_patch_list "${WORKDIR}/debian/patches/series" ); do + eapply "${WORKDIR}"/debian/patches/${deb_patch} + done + + # apply any user patches + eapply_user + + # append EXTRAVERSION to the kernel sources Makefile + sed -i -e "s:^\(EXTRAVERSION =\).*:\1 ${KERNEL_EXTRAVERSION}:" Makefile || die "failed to append EXTRAVERSION to kernel Makefile" + + # todo: look at this, haven't seen it used in many cases. + sed -i -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' Makefile || die "failed to fix-up INSTALL_PATH in kernel Makefile" + + # copy the debian patches into the kernel sources work directory (config-extract requires this). + cp -a "${WORKDIR}"/debian "${S}"/debian || die "failed to copy Debian archive to kernel source tree" + + local arch featureset subarch + featureset="standard" + if [[ ${REAL_ARCH} == x86 ]]; then + arch="i386" + subarch="686-pae" + elif [[ ${REAL_ARCH} == amd64 ]]; then + arch="amd64" + subarch="amd64" + elif [[ ${REAL_ARCH} == arm64 ]]; then + arch="arm64" + subarch="arm64" + else + die "Architecture not handled in ebuild" + fi + + # Copy 'config-extract' tool to the work directory + cp "${FILESDIR}"/config-extract-6.6 config-extract || die "failed to install config-extract to sources directory" + + # ... and make it executable + chmod +x config-extract || die "failed to set +x on config-extract" + + # ... and now extract the kernel config file! + ./config-extract ${arch} ${featureset} ${subarch} || die "failed to generate kernel config" + +# CONFIG: + + # Do not configure Debian trusted certificates + tweak_config 'CONFIG_SYSTEM_TRUSTED_KEYS=""' + + # enable IKCONFIG so that /proc/config.gz can be used for various checks + # TODO: Maybe not a good idea for USE=hardened, look into this... + tweak_config "CONFIG_IKCONFIG=y" + tweak_config "CONFIG_IKCONFIG_PROC=y" + + # enable kernel module compression ... + # ... 
defaulting to xz compression + if use compress; then + tweak_config "CONFIG_MODULE_COMPRESS_NONE=n" + tweak_config "CONFIG_MODULE_COMPRESS_GZIP=n" + tweak_config "CONFIG_MODULE_COMPRESS_ZSTD=n" + tweak_config "CONFIG_MODULE_COMPRESS_XZ=y" + else + tweak_config "CONFIG_MODULE_COMPRESS_NONE=y" + fi + + # only enable debugging symbols etc if USE=debug... + if use debug; then + tweak_config "CONFIG_DEBUG_INFO=y" + tweak_config "CONFIG_DEBUG_INFO_BTF=y" + else + tweak_config "CONFIG_DEBUG_INFO=n" + tweak_config "CONFIG_DEBUG_INFO_BTF=n" + fi + + if use hardened; then + + # TODO: HARDENING + + # disable gcc plugins on clang + if use clang; then + tweak_config "CONFIG_GCC_PLUGINS=n" + fi + + # main hardening options complete... anything after this point is a focus on disabling potential attack vectors + # i.e legacy drivers, new complex code that isn't yet proven, or code that we really don't want in a hardened kernel. + + # Kexec is a syscall that enables loading/booting into a new kernel from the currently running kernel. + # This has been used in numerous exploits of various systems over the years, so we disable it. + tweak_config 'CONFIG_KEXEC=n' + tweak_config "CONFIG_KEXEC_FILE=n" + tweak_config 'CONFIG_KEXEC_SIG=n' + fi + + # mcelog is deprecated, but there are still some valid use cases and requirements for it... so stick it behind a USE flag for optional kernel support. 
+ if use mcelog; then + tweak_config "CONFIG_X86_MCELOG_LEGACY=y" + fi + + if use memcg; then + tweak_config "CONFIG_MEMCG=y" + else + tweak_config "CONFIG_MEMCG=n" + fi + + if use numa; then + tweak_config "CONFIG_NUMA_BALANCING=y" + else + tweak_config "CONFIG_NUMA_BALANCING=n" + fi + + if use kpti; then + tweak_config "CONFIG_PAGE_TABLE_ISOLATION=y" + if use arm64; then + tweak_config "CONFIG_UNMAP_KERNEL_AT_EL0=y" + fi + else + tweak_config "CONFIG_PAGE_TABLE_ISOLATION=n" + if use arm64; then + tweak_config "CONFIG_UNMAP_KERNEL_AT_EL0=n" + fi + fi + + if use retpoline; then + if use amd64 || use arm64 || use ppc64 || use x86; then + tweak_config "CONFIG_RETPOLINE=y" + elif use arm; then + tweak_config "CONFIG_CPU_SPECTRE=y" + tweak_config "CONFIG_HARDEN_BRANCH_PREDICTOR=y" + fi + else + if use amd64 || use arm64 || use ppc64 || use x86; then + tweak_config "CONFIG_RETPOLINE=n" + elif use arm; then + tweak_config "CONFIG_CPU_SPECTRE=n" + tweak_config "CONFIG_HARDEN_BRANCH_PREDICTOR=n" + fi + + fi + + # sign kernel modules via + if use sign-modules; then + certs_dir=$(get_certs_dir) + if [[ -z "${certs_dir}" ]]; then + die "No certs dir found in /etc/kernel/certs; aborting." + else + einfo "Using certificate directory of ${certs_dir} for kernel module signing." + fi + # turn on options for signing modules. 
+ # first, remove existing configs and comments: + tweak_config 'CONFIG_MODULE_SIG=""' + + # now add our settings: + tweak_config 'CONFIG_MODULE_SIG=y' + tweak_config 'CONFIG_MODULE_SIG_FORCE=n' + tweak_config 'CONFIG_MODULE_SIG_ALL=n' + tweak_config 'CONFIG_MODULE_SIG_HASH="sha512"' + tweak_config 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' + tweak_config 'CONFIG_SYSTEM_TRUSTED_KEYRING=y' + tweak_config 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' + tweak_config 'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE="4096"' + tweak_config "CONFIG_MODULE_SIG_SHA512=y" + fi + + # get config into good state: + yes "" | make oldconfig >/dev/null 2>&1 || die + cp .config "${T}"/.config || die + make -s mrproper || die "make mrproper failed" +} + +src_configure() { + + if use build-kernel; then + tc-export_build_env + MAKEARGS=( + V=1 + + HOSTCC="$(tc-getBUILD_CC)" + HOSTCXX="$(tc-getBUILD_CXX)" + HOSTCFLAGS="${BUILD_CFLAGS}" + HOSTLDFLAGS="${BUILD_LDFLAGS}" + + CROSS_COMPILE=${CHOST}- + AS="$(tc-getAS)" + CC="$(tc-getCC)" + LD="$(tc-getLD)" + AR="$(tc-getAR)" + NM="$(tc-getNM)" + STRIP=":" + OBJCOPY="$(tc-getOBJCOPY)" + OBJDUMP="$(tc-getOBJDUMP)" + + # we need to pass it to override colliding Gentoo envvar + ARCH=$(tc-arch-kernel) + ) + + mkdir -p "${WORKDIR}"/build || die "failed to create build dir" + cp "${T}"/.config "${WORKDIR}"/build/.config || die "failed to copy .config into build dir" + + local targets=( olddefconfig prepare modules_prepare scripts ) + + emake O="${WORKDIR}"/build "${MAKEARGS[@]}" "${targets[@]}" || die "kernel configure failed" + + cp -a "${WORKDIR}"/build "${WORKDIR}"/mod_prep || die "failed to copy modprep" + fi +} + +src_compile() { + + if use build-kernel; then + emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || "kernel build failed" + fi +} + +# this can likely be done a bit better +# TODO: create backups of kernel + initramfs if same ver exists? 
+install_kernel_and_friends() { + + install -d "${D}"/boot + local kern_arch=$(tc-arch-kernel) + + cp "${WORKDIR}"/build/arch/${kern_arch}/boot/bzImage "${D}"/boot/vmlinuz-${KERNEL_FULL_VERSION} || die "failed to install kernel to /boot" + cp "${T}"/.config "${D}"/boot/config-${KERNEL_FULL_VERSION} || die "failed to install kernel config to /boot" + cp "${WORKDIR}"/build/System.map "${D}"/boot/System.map-${KERNEL_FULL_VERSION} || die "failed to install System.map to /boot" +} + +src_install() { + + # 'standard' install of kernel sources that most consumers are used to ... + # i.e. install sources to /usr/src/linux-${KERNEL_FULL_VERSION} and manually compile the kernel. + if ! use build-kernel; then + + # create kernel sources directory + dodir /usr/src + + # copy kernel sources into place + cp -a "${S}" "${D}"/usr/src/linux-${KERNEL_FULL_VERSION} || die "failed to install kernel sources" + + # clean-up kernel source tree + make mrproper || die "failed to prepare kernel sources" + + # copy kconfig into place + cp "${T}"/.config "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/.config || die "failed to install kernel config" + + # let Portage handle the compilation, testing and installing of the kernel + initramfs, + # and optionally installing kernel headers + signing the kernel modules. + elif use build-kernel; then + + # ... maybe incoporate some [[ ${MERGE_TYPE} != foobar ]] so that headers can + # be installed on a build server for emerging out-of-tree modules but the end consumer + # e.g. container doesn't get the headers ... 
+ + # standard target for installing modules to /lib/modules/${KERNEL_FULL_VERSION} + local targets=( modules_install ) + + # ARM / ARM64 requires dtb + if (use arm || use arm64); then + targets+=( dtbs_install ) + fi + + emake O="${WORKDIR}"/build "${MAKEARGS[@]}" INSTALL_MOD_PATH="${D}" INSTALL_PATH="${D}"/boot "${targets[@]}" + install_kernel_and_friends + + local kern_arch=$(tc-arch-kernel) + dodir /usr/src/linux-${KERNEL_FULL_VERSION} + mv include scripts "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/ || die + + dodir /usr/src/linux-${KERNEL_FULL_VERSION}/arch/${kern_arch} + mv arch/${kern_arch}/include "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/arch/${kern_arch}/ || die + + # some arches need module.lds linker script to build external modules + if [[ -f arch/${kern_arch}/kernel/module.lds ]]; then + mv arch/${kern_arch}/kernel/module.lds "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/arch/${kern_arch}/kernel/ + fi + + # remove everything but Makefile* and Kconfig* + find -type f '!' '(' -name 'Makefile*' -o -name 'Kconfig*' ')' -delete || die + find -type l -delete || die + cp -p -R * "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/ || die + + # todo mod_prep + find "${WORKDIR}"/mod_prep -type f '(' -name Makefile -o -name '*.[ao]' -o '(' -name '.*' -a -not -name '.config' ')' ')' -delete || die + rm -rf "${WORKDIR}"/mod_prep/source + cp -p -R "${WORKDIR}"/mod_prep/* "${D}"/usr/src/linux-${KERNEL_FULL_VERSION} + + # copy kconfig into place + cp "${T}"/.config "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/.config || die "failed to install kconfig" + + # module symlink fix-up: + rm -rf "${D}"/lib/modules/${KERNEL_FULL_VERSION}/source || die "failed to remove old kernel source symlink" + rm -rf "${D}"/lib/modules/${KERNEL_FULL_VERSION}/build || die "failed to remove old kernel build symlink" + + # Set-up module symlinks: + ln -s /usr/src/linux-${KERNEL_FULL_VERSION} "${D}"/lib/modules/${KERNEL_FULL_VERSION}/source || die "failed to create kernel source symlink" + ln -s 
/usr/src/linux-${KERNEL_FULL_VERSION} "${D}"/lib/modules/${KERNEL_FULL_VERSION}/build || die "failed to create kernel build symlink" + + # Install System.map, Module.symvers and bzImage - required for building out-of-tree kernel modules: + cp "${WORKDIR}"/build/System.map "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/ || die "failed to install System.map" + cp "${WORKDIR}"/build/Module.symvers "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/ || die "failed to install Module.symvers" + cp "${WORKDIR}"/build/arch/x86/boot/bzImage "${D}"/usr/src/linux-${KERNEL_FULL_VERSION}/arch/x86/boot/bzImage || die "failed to install bzImage" + + # USE=sign-modules depends on the scripts directory being available + if use sign-modules; then + for kmod in $(find "${D}"/lib/modules -iname *.ko); do + # $certs_dir defined previously in this function. + "${WORKDIR}"/build/scripts/sign-file sha512 ${certs_dir}/signing_key.pem ${certs_dir}/signing_key.x509 ${kmod} || die "failed to sign kernel modules" + done + # install the sign-file executable for future use. + exeinto /usr/src/linux-${KERNEL_FULL_VERSION}/scripts + doexe "${WORKDIR}"/build/scripts/sign-file + fi + fi +} + +pkg_postinst() { + + # if USE=symlink... + if use symlink; then + # delete the existing symlink if one exists + if [[ -h "${ROOT}"/usr/src/linux ]]; then + rm "${ROOT}"/usr/src/linux || die "failed to delete existing /usr/src/linux symlink" + fi + # and now symlink the newly installed sources + ewarn "" + ewarn "WARNING... WARNING... 
WARNING" + ewarn "" + ewarn "/usr/src/linux symlink automatically set to linux-${KERNEL_FULL_VERSION}" + ewarn "" + ln -sf "${ROOT}"/usr/src/linux-${KERNEL_FULL_VERSION} "${ROOT}"/usr/src/linux || die "failed to create /usr/src/linux symlink" + fi + + # rebuild the initramfs on post_install + if use build-kernel; then + + # setup dirs for genkernel + mkdir -p "${WORKDIR}"/genkernel/{tmp,cache,log} || die "failed to create setup directories for genkernel" + + genkernel \ + --color \ + --makeopts="${MAKEOPTS}" \ + --logfile="${WORKDIR}/genkernel/log/genkernel.log" \ + --cachedir="${WORKDIR}/genkernel/cache" \ + --tmpdir="${WORKDIR}/genkernel/tmp" \ + --kernel-config="/boot/config-${KERNEL_FULL_VERSION}" \ + --kerneldir="/usr/src/linux-${KERNEL_FULL_VERSION}" \ + --kernel-outputdir="/usr/src/linux-${KERNEL_FULL_VERSION}" \ + --all-ramdisk-modules \ + --busybox \ + --compress-initramfs \ + --compress-initramfs-type="xz" \ + $(usex btrfs "--btrfs" "--no-btrfs") \ + $(usex debug "--loglevel=5" "--loglevel=1") \ + $(usex firmware "--firmware" "--no-firmware") \ + $(usex luks "--luks" "--no-luks") \ + $(usex lvm "--lvm" "--no-lvm") \ + $(usex mdadm "--mdadm" "--no-mdadm") \ + $(usex mdadm "--mdadm-config=/etc/mdadm.conf" "") \ + $(usex microcode "--microcode-initramfs" "--no-microcode-initramfs") \ + $(usex udev "--udev-rules" "--no-udev-rules") \ + $(usex zfs "--zfs" "--no-zfs") \ + initramfs || die "failed to build initramfs" + fi + + # warn about the issues with running a hardened kernel + if use hardened; then + ewarn "" + ewarn "Hardened patches have been applied to the kernel and kconfig options have been set." + ewarn "These kconfig options and patches change kernel behavior." + ewarn "" + ewarn "Changes include:" + ewarn " Increased entropy for Address Space Layout Randomization" + if ! use clang; then + ewarn " GCC plugins" + fi + ewarn " Memory allocation" + ewarn " ... 
and more" + ewarn "" + ewarn "These changes will stop certain programs from functioning" + ewarn "e.g. VirtualBox, Skype" + ewarn "Full information available in $DOCUMENTATION" + ewarn "" + fi + + if use sign-modules; then + ewarn "This kernel will ALLOW non-signed modules to be loaded with a WARNING." + ewarn "To enable strict enforcement, YOU MUST add module.sig_enforce=1 as a kernel boot parameter" + fi +} + +pkg_postrm() { + + # these clean-ups only apply if USE=build-kernel + if use build-kernel; then + + # clean-up the generated initramfs for this kernel ... + if [[ -f "${ROOT}"/boot/initramfs-${KERNEL_FULL_VERSION}.img ]]; then + rm -f "${ROOT}"/boot/initramfs-${KERNEL_FULL_VERSION}.img || die "failed to remove initramfs-${KERNEL_FULL_VERSION}.img" + fi + fi +} diff --git a/sys-kernel/debian-sources/files/config-extract-6.6 b/sys-kernel/debian-sources/files/config-extract-6.6 new file mode 100644 index 00000000..d0841dee --- /dev/null +++ b/sys-kernel/debian-sources/files/config-extract-6.6 
@@ -0,0 +1,229 @@ +#!/usr/bin/env python3 + +import os, sys, re +import getopt + +re_head = re.compile("^binary-arch_(.*)_headers") +re_flav = re.compile("binary_headers") +re_item = re.compile("[A-Z_]*='[^']*'") + +try: + f = open("debian/rules.gen", "r") +except: + print("Unable to open debian/rules.gen; can't continue.") + sys.exit(1) +lines = f.readlines() +f.close() + +line = 0 + +configlist = [] +configdict = {} + +# scan Debian rules.gen file and gather all variable data into a more useable format: + +while line < len(lines): + head_match = re_head.match(lines[line]) + if not head_match: + line += 1 + continue + config_name = head_match.group(1) + line += 1 + if not re_flav.findall(lines[line]): + continue + lsplit = re_item.findall(lines[line]) + groovydict = {} + for item in lsplit: + kv = item.split("=", 1) + if len(kv) < 2: + continue + groovydict[kv[0]] = kv[1][1:-1] + configlist.append(config_name) + configdict[config_name] = groovydict + line += 1 + +# We will organize the arch, featureset and flavors into cascading lists so +# that we can present a nice clean chart of what's available to the user: + +archdict = {} +for config in configlist: + cs = config.split("_") + if not cs[0] in archdict: + archdict[cs[0]] = {} + if cs[1] == "none": + cs[1] = None + if cs[1] not in archdict[cs[0]]: + archdict[cs[0]][cs[1]] = [] + archdict[cs[0]][cs[1]].append(cs[2]) + +arches = list(archdict.keys()) +arches.sort() + +features = [None] +for arch in arches: + for flav in archdict[arch]: + if flav not in features: + features.append(flav) + +PROG = "config-extract" + + +def usage(): + print( + """This work is free software. + +Copyright 2011-2024 Funtoo Solutions. You can redistribute and/or modify it under +the terms of the GNU General Public License version 3 as published by the Free +Software Foundation. 
Alternatively you may (at your option) use any other +license that has been publicly approved for use with this program by Funtoo +Technologies (or its successors, if any.) + +usage: %s [options] arch [featureset] [subarch] + + -h --help print this usage and exit + -l --list list all available kernel configurations + -o --outfile specify kernel config outfile -- + defaults to .config in current directory + [featureset] defaults to "standard" if not specified + [subarch] defaults to the only one available; otherwise required + +This program was written by Daniel Robbins for Funtoo Linux, for the purpose of +easily and conveniently extracting Debian kernel configurations. To see a nice +list of all available kernel configurations, use the --list option. + +Debian's kernel configs are specified internally in arch_featureset_flavor +format, such as: "amd64_openvz_amd64". The featureset typically describes an +optional kernel configuration such as "xen" or "openvz", while the flavor in +Debian terminology typically refers to the sub-architecture of the CPU. + +When using this command, you must specify an arch. A featureset of "standard" is +assumed unless you specify one, and by default this program will pick the only +available subarch if there is only one to choose from. If not, you will need to +pick one (and the program will remind you to do this.) + +The kernel configuration will be written to ".config" in the current directory, +or the location you specified using the -o/--outfile option. 
+""" + % PROG + ) + sys.exit(2) + + +try: + opts, args = getopt.getopt(sys.argv[1:], "o:hl", ["help", "list", "outfile="]) +except getopt.GetoptError as err: + print(str(err)) + usage() + +mode = "run" +outfile = None +for o, a in opts: + if o in ("-h", "--help"): + usage() + elif o in ("-l", "--list"): + mode = "list" + elif o in ("-o", "--outfile"): + outfile = a + else: + assert False, "Unhandled option" +if mode == "run": + if len(args) < 1 or len(args) > 3: + if len(args) == 0: + print("Please specify an arch - one of: " + ", ".join(arches)) + sys.exit(2) + else: + print("Too many arguments.") + usage() + arch = args[0] + if outfile == None: + outfile = os.path.join(os.getcwd(), ".config") + featureset = None + subarch = None + if len(args) == 3: + featureset = args[1] + subarch = args[2] + elif len(args) == 2: + featureset = args[1] + if featureset == "standard": + featureset = None + +# print out optimized list of available kernel configurations: + +if mode == "list": + print() + for flav in features: + label = flav + if label is None: + label = "standard" + print("====== %s featureset ======" % label) + print() + for arch in arches: + if flav in archdict[arch]: + if len(archdict[arch][flav]) == 1: + print(arch.rjust(12)) + else: + flavlist = archdict[arch][flav] + flavlist.sort() + variants = ", ".join(flavlist) + print(arch.rjust(12) + ":", variants) + print() + sys.exit(0) + +if arch not in archdict: + raise KeyError(f"{arch} not found by config-extract. Regexes may need updating.") + +# featureset defaults to None. + +if featureset not in archdict[arch]: + print("Error: There is no '%s' featureset kernel config for arch '%s'. Exiting." % (featureset, arch)) + print(archdict[arch]) + sys.exit(2) + +# If a subarch is not specified (None), then we will auto-pick the subarch if only one is available. 
+# Debian often has an "amd64" subarch for the "amd64" arch, rather than "none" as I might expect: + +if subarch is None: + if len(archdict[arch][featureset]) == 1: + subarch = archdict[arch][featureset][0] + else: + print("Error: there is more than one 'sub-architecture' for this arch.") + print("Please specify [arch] [featureset] [subarch], with one of these subarches:") + print(", ".join(archdict[arch][featureset])) + sys.exit(2) +else: + if subarch not in archdict[arch][featureset]: + print("Error: specified sub-architecture '%s' is not available for this arch. Exiting." % subarch) + sys.exit(2) + +# We've done all our arg processing, now let's construct the master_key that we will use to look up the +# proper settings to pass to Debian's debian/bin/kconfig.py command: + +master_key = arch +if featureset is None: + master_key += "_none" +else: + master_key += "_%s" % featureset +if subarch is None: + master_key += "_none" +else: + master_key += "_%s" % subarch + +if master_key not in configdict: + print(f"config-extract: Master key lookup for {master_key} failed; can't continue. Missing from {configdict.keys()}. Please report this bug.") + sys.exit(1) +else: + print(f"config-extract: found master key {master_key} from {configdict.keys()}") +if "KCONFIG" not in configdict[master_key]: + print("config-extract: Unable to find KCONFIG option; can't continue. Please report this bug.") + sys.exit(1) +cmd = "python3 debian/bin/kconfig.py '%s' %s" % (outfile, configdict[master_key]["KCONFIG"]) +if "KCONFIG_OPTIONS" in configdict[master_key]: + cmd += " %s" % configdict[master_key]["KCONFIG_OPTIONS"] +os.environ["PYTHONPATH"] = "debian/lib/python" +retval = os.system(cmd) +if retval == 0: + print("Wrote %s kernel configuration to %s." % (master_key, outfile)) + sys.exit(0) +else: + print("There was an error extracting the Debian kernel config.") + sys.exit(1)
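Review bot: The last step builds `cmd` by string interpolation and hands it to `os.system`, so the `-o/--outfile` value and the KCONFIG / KCONFIG_OPTIONS strings parsed out of debian/rules.gen are all re-interpreted by a shell; an outfile path containing a single quote already breaks the `'%s'` quoting. Passing an argument list to `subprocess.run` takes the shell out of the path and keeps the outfile a single argument, at the cost of adding `shlex` and `subprocess` to the imports at the top of the file. Separately, the bare `except:` around `open("debian/rules.gen", "r")` also catches KeyboardInterrupt and SystemExit; `except OSError:` matches what the error message describes.

```python
# … unchanged: master_key lookup and the KCONFIG presence check …
entry = configdict[master_key]
argv = ["python3", "debian/bin/kconfig.py", outfile]
argv += shlex.split(entry["KCONFIG"])
if "KCONFIG_OPTIONS" in entry:
    argv += shlex.split(entry["KCONFIG_OPTIONS"])
# hand the module path to the child only, without a shell in between
child_env = dict(os.environ, PYTHONPATH="debian/lib/python")
retval = subprocess.run(argv, env=child_env).returncode
# … unchanged: success / failure reporting based on retval …
```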