feat: backport kernel 6.10 from yocto 5.1 #15

Open
wants to merge 1 commit into
base: main

Collaborator

@fnerdman fnerdman commented Sep 4, 2024

No description provided.

PREFERRED_VERSION_linux-yocto-tiny ?= "6.6%"
PREFERRED_VERSION_linux-yocto-tiny ?= "6.10%"
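Review bot: ?= on the PREFERRED_VERSION_linux-yocto-tiny line only sets a default, so an assignment made earlier by another layer, the distro configuration or local.conf keeps its own version and the move to 6.10% does not take effect in that build. Check the resolved value with bitbake -e for each image that consumes this layer, or add a comment saying that being overridden is intended.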
Collaborator

Small nit: the title refers to the current Yocto as 5.1, but we are actually running version 6.6.35.

Collaborator Author

With Yocto version 5.1 I'm referring to the Yocto version. Scarthgap is 5.0.3; the next non-LTS release is 5.1. Of course, the kernel version is different here.

Comment on lines +8 to +9
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.10.inc
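Review bot: include on the second line carries on without an error when recipes-kernel/linux/cve-exclusion_6.10.inc cannot be found, so a missing or mis-pathed file would leave the build with no exclusions applied and nothing in the log to say why. Since this file arrives with the backport, require would make that case fail at parse time. The "# CVE exclusions" comment above it is also the place to record where the list was generated from and for which kernel version.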
Collaborator

The CVE exclusion list seems quite big.
Could you refer me to where you got it, and are all the listed vulnerabilities in it false positives or accepted risks?


CONFIG_CPU_MITIGATIONS=y
CONFIG_MITIGATION_RETHUNK=y
CONFIG_MITIGATION_RETPOLINE=y
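Review bot: nothing on these three lines says they are the 6.9+ names for options the fragment already sets under their older names, so they read as duplicates. Put a comment on its own line above CONFIG_CPU_MITIGATIONS=y stating the kernel version from which these names apply and which earlier entries they stand in for.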
Collaborator

This seems to be a duplicate of the one from line 7.

Collaborator Author

Mitigation config parameters have been renamed in kernel 6.9: https://www.phoronix.com/news/Linux-6.9-CONFIG-MITIGATIONS

@MoeMahhouk
Collaborator

It looks good to me, but have you tested it by building the whole image with some evm layers or the searcher layer to see if nothing breaks them?
Especially the meta-custom-podman layer adds some necessary kernel configurations for it to work. I wonder if that would break or is still backward compatible. It is probably important for the other projects.

@fnerdman
Collaborator Author

fnerdman commented Sep 5, 2024

Haven't tested this yet, no.

These are the warnings I get when compiling linux-tiny with 6.10:

WARNING: linux-yocto-tiny-6.10+git-r0 do_kernel_configcheck: [kernel config]: This BSP contains fragments with warnings:


[INFO]: Fragments with badly formatted configuration options:
    - fragment configs/v6.10/standard/tiny/./security-mitigations.cfg has the following issues: # CONFIG_FINEIBT should consider enabling this at some point - above are 6.8 and lower, below are 6.9 and higher configurations

[INFO]: the following symbols were not found in the active configuration:
     - CONFIG_EMBEDDED
     - CONFIG_SPECULATION_MITIGATIONS
     - CONFIG_PAGE_TABLE_ISOLATION
     - CONFIG_RETPOLINE
     - CONFIG_RETHUNK
     - CONFIG_CPU_UNRET_ENTRY
     - CONFIG_CALL_DEPTH_TRACKING
     - CONFIG_CPU_IBPB_ENTRY
     - CONFIG_CPU_IBRS_ENTRY
     - CONFIG_CPU_SRSO
     - CONFIG_SLS
     - CONFIG_GDS_FORCE_MITIGATION

These are all vars that have been replaced in 6.9 (except for the embedded one, but that has been there before).
So, we can try to at least build the bob vm and see what the output of kernel compilation will be.
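
The rename discussed in this thread means a fragment line that still uses a pre-6.9 name is skipped with only a warning. The following is an added example, not code from the PR or the project: it reads the "symbols were not found" section of a do_kernel_configcheck warning and reports, for each such symbol a fragment still enables, whether the fragment also requests the replacement. The sample log and fragment are constructed, and the old-to-new pairing in RENAMED is this example's assumption, limited to the three new names shown in the PR.

```python
import re

# Constructed input: part of the do_kernel_configcheck warning quoted above.
SAMPLE_LOG = """\
[INFO]: the following symbols were not found in the active configuration:
     - CONFIG_EMBEDDED
     - CONFIG_SPECULATION_MITIGATIONS
     - CONFIG_RETPOLINE
     - CONFIG_RETHUNK
     - CONFIG_SLS
"""

# Constructed fragment; the PR's security-mitigations.cfg is not shown in full.
SAMPLE_FRAGMENT = """\
CONFIG_SPECULATION_MITIGATIONS=y
CONFIG_RETPOLINE=y
CONFIG_RETHUNK=y
CONFIG_SLS=y
CONFIG_CPU_MITIGATIONS=y
CONFIG_MITIGATION_RETPOLINE=y
"""

# Assumed old -> new pairing for the three 6.9+ names visible in this PR.
RENAMED = {
    "CONFIG_SPECULATION_MITIGATIONS": "CONFIG_CPU_MITIGATIONS",
    "CONFIG_RETPOLINE": "CONFIG_MITIGATION_RETPOLINE",
    "CONFIG_RETHUNK": "CONFIG_MITIGATION_RETHUNK",
}

def missing_symbols(log):
    """Symbols listed under 'not found in the active configuration'."""
    _, found, tail = log.partition("symbols were not found")
    # Stop at the next [INFO] section so only this list is read.
    block = re.split(r"^\[INFO\]", tail, flags=re.M)[0] if found else ""
    return re.findall(r"^\s*-\s+(CONFIG_\w+)\s*$", block, re.M)

def audit(log, fragment):
    """Map each unknown symbol the fragment enables to covered/dropped/unmapped."""
    on = set(re.findall(r"^(CONFIG_\w+)=[ym]\s*$", fragment, re.M))
    report = {}
    for sym in missing_symbols(log):
        if sym in on:  # the fragment asks for a symbol this kernel lacks
            new = RENAMED.get(sym)
            report[sym] = ("unmapped" if new is None
                           else "covered" if new in on else "dropped")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_FRAGMENT))
```

A "dropped" entry is a mitigation the fragment asks for that this kernel no longer recognises under that name and that is not requested under its new name either; "unmapped" entries need their replacement looked up in the kernel's Kconfig.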
