public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 00/21] linux: Update to 5.15.85 and backport many IPFire 3.x changes
Date: Tue, 27 Dec 2022 11:36:12 +0100	[thread overview]
Message-ID: <00B6AF81-499B-42F2-B9D0-49DA35DF7FE4@ipfire.org> (raw)
In-Reply-To: <0e60a1de-6210-835e-54a4-ec5e3128e42e@ipfire.org>


Hello Peter,

> On 26 Dec 2022, at 20:24, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> This patchset aims at updating the Linux kernel to 5.15.85, given that
> the last release we shipped dates back a while ago. However, its primary
> purpose is to backport some kernel changes recently made by Michael in
> IPFire 3.x, whenever bringing these to the IPFire 2.x userbase is sensible
> and/or feasible.

I am happy with updating the kernel.

> Patch descriptions are copy & pasted from their IPFire 3.x counterparts,
> which are referred to by their commit IDs in ipfire-3.x. Due to the different
> hardware situation as well as architecture maturity (this particularly
> affects ARM), not all changes could be backported 1:1 or to a near-complete
> extent.

As I said in our previous conversation about this, I am not too happy to see this patchset here, yet.

The current kernel in IPFire 3 is highly experimental. In order to try things out, I enabled lots of (let’s call them) risky features that are either not commonly enabled on off-the-shelf distributions, or are not tested by us.

That results in a kernel that currently does not even boot.

“Backporting” from a broken kernel that is so untested will only result in carrying over any problems from the testing environment into the production environment where they are so much more harmful.

We should test first, and then move on to the next step and figure out how we can roll out the successfully tested changes and how we can roll back those that don’t work well for us.

> Feedback is particularly appreciated regarding the last commit, which aims
> at aligning the ARM kernel configuration files to the x86_64 one. Since
> no real ARM hardware is at the author's disposal, this alignment has to be
> taken with a pinch of salt.

How is that supposed to be tested?

> As far as benchmarks are concerned, a 5.15.85 x86_64 kernel booted in an
> IPFire 2.x VM on the basis of Core Update 172 introduced the following changes
> in file size:
> 
> Location      Before   After
> -------------------------------------------
> /boot            48M     53M  (+ 5)
> /lib/modules     58M     71M  (+13)
> ISO             373M    394M  (+21)

We cannot afford at all to make the kernel larger, since we still have plenty of installations out there with a small /boot partition and a / partition that is limited to 2GB. Not that another 13 MiB will break the camel’s back, but we should try to save space to keep those users up and running.

> Contrary to its documentation, enabling the GCC stackleak plugin (which
> is the current setting in IPFire 3.x as well) neither brought a notable
> compile time increase, nor does it seem to slow down runtime operations
> significantly. More thorough tests, especially on physical machines, are,
> however, yet to come.

How many times did you rebuild the kernel with exactly the same configuration?

In IPFire 3 there is something that seems to limit the performance of ccache, which we cannot carry over into IPFire 2 under any circumstances. IPFire 2 is very sensitive towards compile time.

-Michael

> Peter Müller (21):
>  linux: Update to 5.15.85
>  linux: Disable the entire PCMCIA/CardBus subsystem
>  linux: Enable parallel crypto by default
>  linux: Disable syscalls that allows processes to r/w other processes'
>    memory
>  linux: Disable the latent entropy plugin
>  linux: Build all library routines as modules and disable self-tests
>  linux: Build all HWRNGs as modules
>  linux: Compile binfmt_misc as a module
>  linux: Wipe all memory when rebooting on EFI
>  linux: Disable the Distributed Lock Manager
>  linux: Disable some character devices that do not make sense
>  linux: Make graphics configruation sane
>  linux: Disable all sorts of useless Device Mapper targets
>  linux: Enable various modern ciphers/hashes/etc. and acceleration
>  linux: Compress the kernel, modules and firmware using Zstandard
>  linux: Disable ACPI configfs support
>  linux: Enable support for more USB host controllers as modules
>  linux: Poison kernel stack before returning from syscalls
>  linux: Enable Landlock support
>  linux: Update x86_64 rootfile
>  linux: Align ARM kernel configurations as much as possible
> 
> config/kernel/kernel.config.aarch64-ipfire    |  194 +-
> config/kernel/kernel.config.armv6l-ipfire     |  101 +-
> config/kernel/kernel.config.x86_64-ipfire     |  216 +-
> config/rootfiles/common/x86_64/linux          | 5954 ++++++++---------
> lfs/linux                                     |    9 +-
> .../linux-5.15-wifi-security-patches-1.patch  |   50 -
> .../linux-5.15-wifi-security-patches-10.patch |   98 -
> .../linux-5.15-wifi-security-patches-11.patch |   96 -
> .../linux-5.15-wifi-security-patches-12.patch | 1179 ----
> .../linux-5.15-wifi-security-patches-13.patch |  130 -
> .../linux-5.15-wifi-security-patches-14.patch |  107 -
> .../linux-5.15-wifi-security-patches-2.patch  |   59 -
> .../linux-5.15-wifi-security-patches-3.patch  |   49 -
> .../linux-5.15-wifi-security-patches-4.patch  |   96 -
> .../linux-5.15-wifi-security-patches-5.patch  |   56 -
> .../linux-5.15-wifi-security-patches-6.patch  |   39 -
> .../linux-5.15-wifi-security-patches-7.patch  |   60 -
> .../linux-5.15-wifi-security-patches-8.patch  |   94 -
> .../linux-5.15-wifi-security-patches-9.patch  |  126 -
> 19 files changed, 3183 insertions(+), 5530 deletions(-)
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
> delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
> 
> -- 
> 2.35.3
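One way to check the kind of cross-architecture alignment the last patch attempts, as an added example that is not part of this thread or of IPFire's build tooling: parse two kernel .config files and report the hardening options where the aarch64 configuration still diverges from x86_64. The CONFIG names I map to the patch titles, the function names and the config fragments are my assumptions; the fragments are constructed, not the files from the repository.

```python
import re
# Matches both Kconfig line shapes: 'CONFIG_FOO=y|m|"str"' and '# CONFIG_FOO is not set'.
_LINE = re.compile(r'^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$')

def parse_kconfig(text):
    """Map option name -> value for one kernel .config; unset options become 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group(1):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m:
            opts[m.group(3)] = "n"
    return opts

def config_drift(reference, candidate, watch):
    """{option: (reference_value, candidate_value)} for watched options that differ; absent counts as 'n'."""
    return {o: (reference.get(o, "n"), candidate.get(o, "n"))
            for o in watch if reference.get(o, "n") != candidate.get(o, "n")}

# Hardening options I assume the patch titles refer to (the cover letter only gives
# titles, so these CONFIG names are my mapping, not the patchset's own text).
WATCHED = (
    "CONFIG_GCC_PLUGIN_STACKLEAK",       # "Poison kernel stack before returning from syscalls"
    "CONFIG_GCC_PLUGIN_LATENT_ENTROPY",  # "Disable the latent entropy plugin"
    "CONFIG_SECURITY_LANDLOCK",          # "Enable Landlock support"
    "CONFIG_CROSS_MEMORY_ATTACH",        # "Disable syscalls that ... r/w other processes' memory"
    "CONFIG_RESET_ATTACK_MITIGATION",    # "Wipe all memory when rebooting on EFI"
)

# Constructed fragments standing in for kernel.config.x86_64-ipfire and
# kernel.config.aarch64-ipfire; they are not the real files.
X86_64_CFG = """\
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
CONFIG_SECURITY_LANDLOCK=y
# CONFIG_CROSS_MEMORY_ATTACH is not set
CONFIG_RESET_ATTACK_MITIGATION=y
"""
AARCH64_CFG = """\
CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_CROSS_MEMORY_ATTACH=y
"""

def arm_drift():
    """Watched options where the aarch64 config still differs from the x86_64 one."""
    return config_drift(parse_kconfig(X86_64_CFG), parse_kconfig(AARCH64_CFG), WATCHED)
```

Running `arm_drift()` on the constructed fragments reports Landlock and the EFI reset mitigation as missing on aarch64 and cross-memory attach as still enabled there, which is exactly the list a reviewer without ARM hardware can still verify by reading the config files.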


Thread overview: 45+ messages
2022-12-26 19:24 Peter Müller
2022-12-26 19:24 ` [PATCH 01/21] linux: Update to 5.15.85 Peter Müller
2022-12-27 10:37   ` Michael Tremer
2022-12-29 11:14     ` Peter Müller
2022-12-29 11:16       ` Michael Tremer
2022-12-26 19:24 ` [PATCH 02/21] linux: Disable the entire PCMCIA/CardBus subsystem Peter Müller
2022-12-27 10:39   ` Michael Tremer
2022-12-26 19:25 ` [PATCH 03/21] linux: Enable parallel crypto by default Peter Müller
2022-12-27 10:39   ` Michael Tremer
2022-12-26 19:25 ` [PATCH 04/21] linux: Disable syscalls that allows processes to r/w other processes' memory Peter Müller
2022-12-27 11:22   ` Michael Tremer
2022-12-26 19:26 ` [PATCH 05/21] linux: Disable the latent entropy plugin Peter Müller
2022-12-27 11:22   ` Michael Tremer
2022-12-26 19:26 ` [PATCH 06/21] linux: Build all library routines as modules and disable self-tests Peter Müller
2022-12-27 11:22   ` Michael Tremer
2022-12-26 19:26 ` [PATCH 07/21] linux: Build all HWRNGs as modules Peter Müller
2022-12-27 11:23   ` Michael Tremer
2022-12-26 19:27 ` [PATCH 08/21] linux: Compile binfmt_misc as a module Peter Müller
2022-12-27 11:23   ` Michael Tremer
2022-12-26 19:27 ` [PATCH 09/21] linux: Wipe all memory when rebooting on EFI Peter Müller
2022-12-27 11:23   ` Michael Tremer
2022-12-26 19:27 ` [PATCH 10/21] linux: Disable the Distributed Lock Manager Peter Müller
2022-12-27 11:24   ` Michael Tremer
2022-12-26 19:28 ` [PATCH 11/21] linux: Disable some character devices that do not make sense Peter Müller
2022-12-27 11:24   ` Michael Tremer
2022-12-26 19:28 ` [PATCH 12/21] linux: Make graphics configruation sane Peter Müller
2022-12-27 11:24   ` Michael Tremer
2022-12-26 19:28 ` [PATCH 13/21] linux: Disable all sorts of useless Device Mapper targets Peter Müller
2022-12-27 11:25   ` Michael Tremer
2022-12-26 19:29 ` [PATCH 14/21] linux: Enable various modern ciphers/hashes/etc. and acceleration Peter Müller
2022-12-27 11:25   ` Michael Tremer
2022-12-26 19:29 ` [PATCH 15/21] linux: Compress the kernel, modules and firmware using Zstandard Peter Müller
2022-12-27 11:26   ` Michael Tremer
2022-12-26 19:29 ` [PATCH 16/21] linux: Disable ACPI configfs support Peter Müller
2022-12-27 11:29   ` Michael Tremer
2022-12-26 19:30 ` [PATCH 17/21] linux: Enable support for more USB host controllers as modules Peter Müller
2022-12-27 11:33   ` Michael Tremer
2022-12-26 19:30 ` [PATCH 18/21] linux: Poison kernel stack before returning from syscalls Peter Müller
2022-12-27 11:35   ` Michael Tremer
2022-12-26 19:30 ` [PATCH 19/21] linux: Enable Landlock support Peter Müller
2022-12-27 11:36   ` Michael Tremer
2022-12-26 19:31 ` [PATCH 20/21] linux: Update x86_64 rootfile Peter Müller
2022-12-27 11:36   ` Michael Tremer
2022-12-26 19:31 ` [PATCH 21/21] linux: Align ARM kernel configurations as much as possible Peter Müller
2022-12-27 10:36 ` Michael Tremer [this message]
