* [PATCH 01/13] kernel: Change timer tick to 1000Hz
@ 2021-09-17 11:42 Michael Tremer
2021-09-17 11:42 ` [PATCH 02/13] kernel: Disable suspending systems to RAM Michael Tremer
` (12 more replies)
0 siblings, 13 replies; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
This change is required to make the system respond faster to any
realtime events (sending or receiving data packets).
It will wake up at least one core 1000 times a second which will result
in finer timer granularity and make scheduling smoother. HTB for
example sends large packet bursts on each timer event to keep up data
rates which is not helpful for most applications.
The change might increase resource consumption and overhead slightly on
some systems, but since we are running in an idle-dyntick configuration,
we should not keep awake any cores that have not been awake before.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 6 +++---
config/kernel/kernel.config.armv6l-ipfire | 6 +++---
config/kernel/kernel.config.i586-ipfire | 6 +++---
config/kernel/kernel.config.x86_64-ipfire | 6 +++---
4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 450835d8b..54cd7c084 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -370,11 +370,11 @@ CONFIG_NR_CPUS=8
CONFIG_HOTPLUG_CPU=y
# CONFIG_NUMA is not set
CONFIG_HOLES_IN_ZONE=y
-CONFIG_HZ_100=y
+# CONFIG_HZ_100 is not set
# CONFIG_HZ_250 is not set
# CONFIG_HZ_300 is not set
-# CONFIG_HZ_1000 is not set
-CONFIG_HZ=100
+CONFIG_HZ_1000=y
+CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y
CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
CONFIG_ARCH_SPARSEMEM_ENABLE=y
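Review bot: The commit message's claim that no additional cores are kept awake rests on the idle-dyntick setting, which is not part of this hunk or its context (only CONFIG_SCHED_HRTICK=y is visible next to the HZ lines). Please confirm CONFIG_NO_HZ_IDLE=y in all four configs, ideally by naming the symbol in the message, since without it every core takes 1000 ticks per second.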
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index b1af6555c..6fe17954d 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -588,13 +588,13 @@ CONFIG_HOTPLUG_CPU=y
CONFIG_ARM_PSCI=y
CONFIG_ARCH_NR_GPIO=512
CONFIG_HZ_FIXED=0
-CONFIG_HZ_100=y
+# CONFIG_HZ_100 is not set
# CONFIG_HZ_200 is not set
# CONFIG_HZ_250 is not set
# CONFIG_HZ_300 is not set
# CONFIG_HZ_500 is not set
-# CONFIG_HZ_1000 is not set
-CONFIG_HZ=100
+CONFIG_HZ_1000=y
+CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y
CONFIG_ARM_PATCH_IDIV=y
CONFIG_AEABI=y
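Review bot: For armv6l the change goes straight from CONFIG_HZ_100 to CONFIG_HZ_1000 although this hunk shows the architecture also offers CONFIG_HZ_200, CONFIG_HZ_250, CONFIG_HZ_300 and CONFIG_HZ_500. The commit message concedes more overhead "on some systems", and low-end ARM hardware is where a tenfold tick rate costs the most, so the message should say why an intermediate value was not chosen for this file, or carry a measurement.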
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 5f5a496a8..a915682e4 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -438,11 +438,11 @@ CONFIG_X86_INTEL_TSX_MODE_OFF=y
# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
CONFIG_EFI=y
CONFIG_EFI_STUB=y
-CONFIG_HZ_100=y
+# CONFIG_HZ_100 is not set
# CONFIG_HZ_250 is not set
# CONFIG_HZ_300 is not set
-# CONFIG_HZ_1000 is not set
-CONFIG_HZ=100
+CONFIG_HZ_1000=y
+CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y
# CONFIG_KEXEC is not set
CONFIG_CRASH_DUMP=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index f8289aeb8..730e0791e 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -430,11 +430,11 @@ CONFIG_X86_INTEL_TSX_MODE_OFF=y
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_MIXED=y
-CONFIG_HZ_100=y
+# CONFIG_HZ_100 is not set
# CONFIG_HZ_250 is not set
# CONFIG_HZ_300 is not set
-# CONFIG_HZ_1000 is not set
-CONFIG_HZ=100
+CONFIG_HZ_1000=y
+CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y
# CONFIG_KEXEC is not set
# CONFIG_KEXEC_FILE is not set
--
2.20.1
* [PATCH 02/13] kernel: Disable suspending systems to RAM
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:09 ` Peter Müller
2021-09-17 11:42 ` [PATCH 03/13] kernel: Disable IRQ time accounting Michael Tremer
` (11 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
We do not make any use of this functionality.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 4 +---
config/kernel/kernel.config.armv6l-ipfire | 4 +---
config/kernel/kernel.config.i586-ipfire | 5 +----
config/kernel/kernel.config.x86_64-ipfire | 5 +----
4 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 54cd7c084..589e0440d 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -480,9 +480,7 @@ CONFIG_SYSVIPC_COMPAT=y
#
# Power management options
#
-CONFIG_SUSPEND=y
-CONFIG_SUSPEND_FREEZER=y
-# CONFIG_SUSPEND_SKIP_SYNC is not set
+# CONFIG_SUSPEND is not set
# CONFIG_HIBERNATION is not set
CONFIG_PM_SLEEP=y
CONFIG_PM_SLEEP_SMP=y
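Review bot: CONFIG_PM_SLEEP=y and CONFIG_PM_SLEEP_SMP=y remain in the context right after the new "# CONFIG_SUSPEND is not set" line, but PM_SLEEP depends on SUSPEND or HIBERNATE_CALLBACKS, and no CONFIG_HIBERNATE_CALLBACKS line appears in this hunk (the x86_64 hunk has one). That suggests the file was edited by hand; please regenerate it with oldconfig and commit that output so the config in the tree matches what Kconfig will actually produce.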
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 6fe17954d..1dc5b1c58 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -702,9 +702,7 @@ CONFIG_NEON=y
#
# Power management options
#
-CONFIG_SUSPEND=y
-CONFIG_SUSPEND_FREEZER=y
-# CONFIG_SUSPEND_SKIP_SYNC is not set
+# CONFIG_SUSPEND is not set
# CONFIG_HIBERNATION is not set
CONFIG_PM_SLEEP=y
CONFIG_PM_SLEEP_SMP=y
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index a915682e4..b159db581 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -464,9 +464,7 @@ CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
#
# Power management and ACPI options
#
-CONFIG_SUSPEND=y
-CONFIG_SUSPEND_FREEZER=y
-# CONFIG_SUSPEND_SKIP_SYNC is not set
+# CONFIG_SUSPEND is not set
# CONFIG_HIBERNATION is not set
CONFIG_PM_SLEEP=y
CONFIG_PM_SLEEP_SMP=y
@@ -484,7 +482,6 @@ CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
# CONFIG_ACPI_DEBUGGER is not set
CONFIG_ACPI_SPCR_TABLE=y
-CONFIG_ACPI_SLEEP=y
CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
CONFIG_ACPI_EC_DEBUGFS=m
CONFIG_ACPI_AC=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 730e0791e..bf738bda5 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -468,9 +468,7 @@ CONFIG_ARCH_ENABLE_THP_MIGRATION=y
#
# Power management and ACPI options
#
-CONFIG_SUSPEND=y
-CONFIG_SUSPEND_FREEZER=y
-# CONFIG_SUSPEND_SKIP_SYNC is not set
+# CONFIG_SUSPEND is not set
CONFIG_HIBERNATE_CALLBACKS=y
# CONFIG_HIBERNATION is not set
CONFIG_PM_SLEEP=y
@@ -490,7 +488,6 @@ CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
# CONFIG_ACPI_DEBUGGER is not set
CONFIG_ACPI_SPCR_TABLE=y
CONFIG_ACPI_LPIT=y
-CONFIG_ACPI_SLEEP=y
CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
CONFIG_ACPI_EC_DEBUGFS=m
CONFIG_ACPI_AC=y
--
2.20.1
* [PATCH 03/13] kernel: Disable IRQ time accounting
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
2021-09-17 11:42 ` [PATCH 02/13] kernel: Disable suspending systems to RAM Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:10 ` Peter Müller
2021-09-17 11:42 ` [PATCH 04/13] kernel: Enable Pressure Stall Information Michael Tremer
` (10 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
This feature is now disabled (was disabled on ARM before) as we do not
need it:
"Select this option to enable fine granularity task irq time accounting.
This is done by reading a timestamp on each transitions between softirq
and hardirq state, so there can be a small performance impact."
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.i586-ipfire | 2 +-
config/kernel/kernel.config.x86_64-ipfire | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index b159db581..ff94e949e 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -103,7 +103,7 @@ CONFIG_PREEMPT_VOLUNTARY=y
# CPU/Task time and stats accounting
#
CONFIG_TICK_CPU_ACCOUNTING=y
-CONFIG_IRQ_TIME_ACCOUNTING=y
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
CONFIG_HAVE_SCHED_AVG_IRQ=y
CONFIG_BSD_PROCESS_ACCT=y
# CONFIG_BSD_PROCESS_ACCT_V3 is not set
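Review bot: CONFIG_HAVE_SCHED_AVG_IRQ=y is left in the context directly below the changed line, but that symbol depends on IRQ_TIME_ACCOUNTING or PARAVIRT_TIME_ACCOUNTING. Unless PARAVIRT_TIME_ACCOUNTING is set elsewhere in this file, the line will disappear the next time the config is regenerated, so it is worth checking and committing the regenerated file.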
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index bf738bda5..43c483f00 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -107,7 +107,7 @@ CONFIG_PREEMPT_VOLUNTARY=y
#
CONFIG_TICK_CPU_ACCOUNTING=y
# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
-CONFIG_IRQ_TIME_ACCOUNTING=y
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
CONFIG_HAVE_SCHED_AVG_IRQ=y
CONFIG_BSD_PROCESS_ACCT=y
# CONFIG_BSD_PROCESS_ACCT_V3 is not set
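Review bot: With CONFIG_TICK_CPU_ACCOUNTING=y kept and IRQ_TIME_ACCOUNTING switched off here, time spent in hard and soft interrupts is only sampled at the tick and is charged to whichever task was interrupted. On a packet-forwarding system much of the CPU time is softirq work, so the commit message should state that per-task CPU figures and the interrupt share in the graphs become less precise, rather than only "we do not need it".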
--
2.20.1
* [PATCH 04/13] kernel: Enable Pressure Stall Information
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
2021-09-17 11:42 ` [PATCH 02/13] kernel: Disable suspending systems to RAM Michael Tremer
2021-09-17 11:42 ` [PATCH 03/13] kernel: Disable IRQ time accounting Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:16 ` Peter Müller
2021-09-17 11:42 ` [PATCH 05/13] kernel: Disable SLUB debugging Michael Tremer
` (9 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
This is a new type of metric to find out what resource is currently a
bottleneck for the whole system. We might use this for graphs.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 3 ++-
config/kernel/kernel.config.armv6l-ipfire | 3 ++-
config/kernel/kernel.config.i586-ipfire | 3 ++-
config/kernel/kernel.config.x86_64-ipfire | 3 ++-
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 589e0440d..d0ec69ba9 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -95,7 +95,8 @@ CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
CONFIG_TASK_XACCT=y
CONFIG_TASK_IO_ACCOUNTING=y
-# CONFIG_PSI is not set
+CONFIG_PSI=y
+# CONFIG_PSI_DEFAULT_DISABLED is not set
# end of CPU/Task time and stats accounting
CONFIG_CPU_ISOLATION=y
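Review bot: With "# CONFIG_PSI_DEFAULT_DISABLED is not set", PSI accounting runs from boot on every system, although the commit message only says it "might" be used for graphs. Since 03/13 in this series removes accounting overhead, consider CONFIG_PSI_DEFAULT_DISABLED=y and enabling it with psi=1 on the kernel command line until something actually reads /proc/pressure.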
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 1dc5b1c58..a23906796 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -103,7 +103,8 @@ CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
CONFIG_TASK_XACCT=y
CONFIG_TASK_IO_ACCOUNTING=y
-# CONFIG_PSI is not set
+CONFIG_PSI=y
+# CONFIG_PSI_DEFAULT_DISABLED is not set
# end of CPU/Task time and stats accounting
CONFIG_CPU_ISOLATION=y
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index ff94e949e..9c49a90d8 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -111,7 +111,8 @@ CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
CONFIG_TASK_XACCT=y
CONFIG_TASK_IO_ACCOUNTING=y
-# CONFIG_PSI is not set
+CONFIG_PSI=y
+# CONFIG_PSI_DEFAULT_DISABLED is not set
# end of CPU/Task time and stats accounting
CONFIG_CPU_ISOLATION=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 43c483f00..0a1f67074 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -115,7 +115,8 @@ CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
CONFIG_TASK_XACCT=y
CONFIG_TASK_IO_ACCOUNTING=y
-# CONFIG_PSI is not set
+CONFIG_PSI=y
+# CONFIG_PSI_DEFAULT_DISABLED is not set
# end of CPU/Task time and stats accounting
CONFIG_CPU_ISOLATION=y
--
2.20.1
* [PATCH 05/13] kernel: Disable SLUB debugging
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (2 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 04/13] kernel: Enable Pressure Stall Information Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:27 ` Peter Müller
2021-09-17 11:42 ` [PATCH 06/13] kernel: Disable any runtime testing Michael Tremer
` (8 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
This is not necessary on our systems and according to the documentation
will reduce code size of the allocator which will result in better
performance.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 3 +--
config/kernel/kernel.config.armv6l-ipfire | 3 +--
config/kernel/kernel.config.i586-ipfire | 3 +--
config/kernel/kernel.config.x86_64-ipfire | 3 +--
4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index d0ec69ba9..b277a17b5 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -226,7 +226,7 @@ CONFIG_PERF_EVENTS=y
# end of Kernel Performance Events And Counters
CONFIG_VM_EVENT_COUNTERS=y
-CONFIG_SLUB_DEBUG=y
+# CONFIG_SLUB_DEBUG is not set
# CONFIG_SLUB_MEMCG_SYSFS_ON is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_SLAB is not set
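Review bot: Compiling out CONFIG_SLUB_DEBUG in this hunk also removes the slub_debug= boot option and the /sys/kernel/slab interface, so red-zoning, poisoning and consistency checks can no longer be switched on for an installed system that shows signs of heap corruption. The previous setting (SLUB_DEBUG=y with SLUB_DEBUG_ON not set, as the second hunk of this file shows) already kept the checks off by default; the commit message should weigh the code-size gain against losing that diagnostic path.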
@@ -7751,7 +7751,6 @@ CONFIG_GENERIC_PTDUMP=y
CONFIG_PTDUMP_CORE=y
# CONFIG_PTDUMP_DEBUGFS is not set
# CONFIG_DEBUG_OBJECTS is not set
-# CONFIG_SLUB_DEBUG_ON is not set
# CONFIG_SLUB_STATS is not set
CONFIG_HAVE_DEBUG_KMEMLEAK=y
# CONFIG_DEBUG_KMEMLEAK is not set
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index a23906796..9d63b36ac 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -227,7 +227,7 @@ CONFIG_PERF_EVENTS=y
# end of Kernel Performance Events And Counters
CONFIG_VM_EVENT_COUNTERS=y
-CONFIG_SLUB_DEBUG=y
+# CONFIG_SLUB_DEBUG is not set
# CONFIG_SLUB_MEMCG_SYSFS_ON is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_SLAB is not set
@@ -7826,7 +7826,6 @@ CONFIG_DEBUG_MISC=y
# CONFIG_DEBUG_RODATA_TEST is not set
# CONFIG_DEBUG_WX is not set
# CONFIG_DEBUG_OBJECTS is not set
-# CONFIG_SLUB_DEBUG_ON is not set
# CONFIG_SLUB_STATS is not set
CONFIG_HAVE_DEBUG_KMEMLEAK=y
# CONFIG_DEBUG_KMEMLEAK is not set
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 9c49a90d8..56b40eac7 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -235,7 +235,7 @@ CONFIG_PERF_EVENTS=y
# end of Kernel Performance Events And Counters
CONFIG_VM_EVENT_COUNTERS=y
-CONFIG_SLUB_DEBUG=y
+# CONFIG_SLUB_DEBUG is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_SLAB is not set
CONFIG_SLUB=y
@@ -7383,7 +7383,6 @@ CONFIG_GENERIC_PTDUMP=y
CONFIG_PTDUMP_CORE=y
# CONFIG_PTDUMP_DEBUGFS is not set
# CONFIG_DEBUG_OBJECTS is not set
-# CONFIG_SLUB_DEBUG_ON is not set
# CONFIG_SLUB_STATS is not set
CONFIG_HAVE_DEBUG_KMEMLEAK=y
# CONFIG_DEBUG_KMEMLEAK is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 0a1f67074..8247e9b48 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -245,7 +245,7 @@ CONFIG_PERF_EVENTS=y
# end of Kernel Performance Events And Counters
CONFIG_VM_EVENT_COUNTERS=y
-CONFIG_SLUB_DEBUG=y
+# CONFIG_SLUB_DEBUG is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_SLAB is not set
CONFIG_SLUB=y
@@ -7249,7 +7249,6 @@ CONFIG_GENERIC_PTDUMP=y
CONFIG_PTDUMP_CORE=y
# CONFIG_PTDUMP_DEBUGFS is not set
# CONFIG_DEBUG_OBJECTS is not set
-# CONFIG_SLUB_DEBUG_ON is not set
# CONFIG_SLUB_STATS is not set
CONFIG_HAVE_DEBUG_KMEMLEAK=y
# CONFIG_DEBUG_KMEMLEAK is not set
--
2.20.1
* [PATCH 06/13] kernel: Disable any runtime testing
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (3 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 05/13] kernel: Disable SLUB debugging Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:24 ` Peter Müller
2021-09-17 11:42 ` [PATCH 07/13] kernel: Disable OpenvSwitch Michael Tremer
` (7 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 43 +--------------------
config/kernel/kernel.config.armv6l-ipfire | 43 +--------------------
config/kernel/kernel.config.i586-ipfire | 44 +---------------------
config/kernel/kernel.config.x86_64-ipfire | 44 +---------------------
4 files changed, 4 insertions(+), 170 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index b277a17b5..1a50e10de 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7915,48 +7915,7 @@ CONFIG_IO_STRICT_DEVMEM=y
CONFIG_ARCH_HAS_KCOV=y
CONFIG_CC_HAS_SANCOV_TRACE_PC=y
# CONFIG_KCOV is not set
-CONFIG_RUNTIME_TESTING_MENU=y
-# CONFIG_LKDTM is not set
-# CONFIG_TEST_LIST_SORT is not set
-# CONFIG_TEST_MIN_HEAP is not set
-# CONFIG_TEST_SORT is not set
-# CONFIG_BACKTRACE_SELF_TEST is not set
-CONFIG_RBTREE_TEST=m
-# CONFIG_REED_SOLOMON_TEST is not set
-# CONFIG_INTERVAL_TREE_TEST is not set
-# CONFIG_PERCPU_TEST is not set
-# CONFIG_ATOMIC64_SELFTEST is not set
-CONFIG_ASYNC_RAID6_TEST=m
-# CONFIG_TEST_HEXDUMP is not set
-# CONFIG_TEST_STRING_HELPERS is not set
-# CONFIG_TEST_STRSCPY is not set
-# CONFIG_TEST_KSTRTOX is not set
-# CONFIG_TEST_PRINTF is not set
-# CONFIG_TEST_BITMAP is not set
-# CONFIG_TEST_UUID is not set
-# CONFIG_TEST_XARRAY is not set
-# CONFIG_TEST_OVERFLOW is not set
-# CONFIG_TEST_RHASHTABLE is not set
-# CONFIG_TEST_HASH is not set
-# CONFIG_TEST_IDA is not set
-# CONFIG_TEST_PARMAN is not set
-# CONFIG_TEST_LKM is not set
-# CONFIG_TEST_BITOPS is not set
-# CONFIG_TEST_VMALLOC is not set
-# CONFIG_TEST_USER_COPY is not set
-# CONFIG_TEST_BPF is not set
-# CONFIG_TEST_BLACKHOLE_DEV is not set
-# CONFIG_FIND_BIT_BENCHMARK is not set
-# CONFIG_TEST_FIRMWARE is not set
-# CONFIG_TEST_SYSCTL is not set
-# CONFIG_TEST_UDELAY is not set
-# CONFIG_TEST_STATIC_KEYS is not set
-# CONFIG_TEST_KMOD is not set
-# CONFIG_TEST_MEMCAT_P is not set
-# CONFIG_TEST_OBJAGG is not set
-# CONFIG_TEST_STACKINIT is not set
-# CONFIG_TEST_MEMINIT is not set
-# CONFIG_TEST_FREE_PAGES is not set
+# CONFIG_RUNTIME_TESTING_MENU is not set
# CONFIG_MEMTEST is not set
# end of Kernel Testing and Coverage
# end of Kernel hacking
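Review bot: The commit has no description, and two of the lines removed in this hunk were not "is not set" entries: CONFIG_RBTREE_TEST=m and CONFIG_ASYNC_RAID6_TEST=m were being built as modules. Please add a message saying that these two test modules are dropped from the image on this architecture (the i586 config had neither enabled), so the functional part of the change is visible in the log.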
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 9d63b36ac..29c7791e1 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7988,48 +7988,7 @@ CONFIG_UNCOMPRESS_INCLUDE="debug/uncompress.h"
CONFIG_ARCH_HAS_KCOV=y
CONFIG_CC_HAS_SANCOV_TRACE_PC=y
# CONFIG_KCOV is not set
-CONFIG_RUNTIME_TESTING_MENU=y
-# CONFIG_LKDTM is not set
-# CONFIG_TEST_LIST_SORT is not set
-# CONFIG_TEST_MIN_HEAP is not set
-# CONFIG_TEST_SORT is not set
-# CONFIG_BACKTRACE_SELF_TEST is not set
-CONFIG_RBTREE_TEST=m
-# CONFIG_REED_SOLOMON_TEST is not set
-# CONFIG_INTERVAL_TREE_TEST is not set
-# CONFIG_PERCPU_TEST is not set
-# CONFIG_ATOMIC64_SELFTEST is not set
-CONFIG_ASYNC_RAID6_TEST=m
-# CONFIG_TEST_HEXDUMP is not set
-# CONFIG_TEST_STRING_HELPERS is not set
-# CONFIG_TEST_STRSCPY is not set
-# CONFIG_TEST_KSTRTOX is not set
-# CONFIG_TEST_PRINTF is not set
-# CONFIG_TEST_BITMAP is not set
-# CONFIG_TEST_UUID is not set
-# CONFIG_TEST_XARRAY is not set
-# CONFIG_TEST_OVERFLOW is not set
-# CONFIG_TEST_RHASHTABLE is not set
-# CONFIG_TEST_HASH is not set
-# CONFIG_TEST_IDA is not set
-# CONFIG_TEST_PARMAN is not set
-# CONFIG_TEST_LKM is not set
-# CONFIG_TEST_BITOPS is not set
-# CONFIG_TEST_VMALLOC is not set
-# CONFIG_TEST_USER_COPY is not set
-# CONFIG_TEST_BPF is not set
-# CONFIG_TEST_BLACKHOLE_DEV is not set
-# CONFIG_FIND_BIT_BENCHMARK is not set
-# CONFIG_TEST_FIRMWARE is not set
-# CONFIG_TEST_SYSCTL is not set
-# CONFIG_TEST_UDELAY is not set
-# CONFIG_TEST_STATIC_KEYS is not set
-# CONFIG_TEST_KMOD is not set
-# CONFIG_TEST_MEMCAT_P is not set
-# CONFIG_TEST_OBJAGG is not set
-# CONFIG_TEST_STACKINIT is not set
-# CONFIG_TEST_MEMINIT is not set
-# CONFIG_TEST_FREE_PAGES is not set
+# CONFIG_RUNTIME_TESTING_MENU is not set
# CONFIG_MEMTEST is not set
# end of Kernel Testing and Coverage
# end of Kernel hacking
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 56b40eac7..bee53286c 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -7575,49 +7575,7 @@ CONFIG_UNWINDER_FRAME_POINTER=y
# CONFIG_NOTIFIER_ERROR_INJECTION is not set
# CONFIG_FAULT_INJECTION is not set
CONFIG_CC_HAS_SANCOV_TRACE_PC=y
-CONFIG_RUNTIME_TESTING_MENU=y
-# CONFIG_LKDTM is not set
-# CONFIG_TEST_LIST_SORT is not set
-# CONFIG_TEST_MIN_HEAP is not set
-# CONFIG_TEST_SORT is not set
-# CONFIG_BACKTRACE_SELF_TEST is not set
-# CONFIG_RBTREE_TEST is not set
-# CONFIG_REED_SOLOMON_TEST is not set
-# CONFIG_INTERVAL_TREE_TEST is not set
-# CONFIG_PERCPU_TEST is not set
-# CONFIG_ATOMIC64_SELFTEST is not set
-# CONFIG_ASYNC_RAID6_TEST is not set
-# CONFIG_TEST_HEXDUMP is not set
-# CONFIG_TEST_STRING_HELPERS is not set
-# CONFIG_TEST_STRSCPY is not set
-# CONFIG_TEST_KSTRTOX is not set
-# CONFIG_TEST_PRINTF is not set
-# CONFIG_TEST_BITMAP is not set
-# CONFIG_TEST_UUID is not set
-# CONFIG_TEST_XARRAY is not set
-# CONFIG_TEST_OVERFLOW is not set
-# CONFIG_TEST_RHASHTABLE is not set
-# CONFIG_TEST_HASH is not set
-# CONFIG_TEST_IDA is not set
-# CONFIG_TEST_PARMAN is not set
-# CONFIG_TEST_LKM is not set
-# CONFIG_TEST_BITOPS is not set
-# CONFIG_TEST_VMALLOC is not set
-# CONFIG_TEST_USER_COPY is not set
-# CONFIG_TEST_BPF is not set
-# CONFIG_TEST_BLACKHOLE_DEV is not set
-# CONFIG_FIND_BIT_BENCHMARK is not set
-# CONFIG_TEST_FIRMWARE is not set
-# CONFIG_TEST_SYSCTL is not set
-# CONFIG_TEST_UDELAY is not set
-# CONFIG_TEST_STATIC_KEYS is not set
-# CONFIG_TEST_KMOD is not set
-# CONFIG_TEST_MEMCAT_P is not set
-# CONFIG_TEST_OBJAGG is not set
-# CONFIG_TEST_STACKINIT is not set
-# CONFIG_TEST_MEMINIT is not set
-# CONFIG_TEST_FREE_PAGES is not set
-# CONFIG_TEST_FPU is not set
+# CONFIG_RUNTIME_TESTING_MENU is not set
# CONFIG_MEMTEST is not set
# CONFIG_HYPERV_TESTING is not set
# end of Kernel Testing and Coverage
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 8247e9b48..bcea8575c 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7445,49 +7445,7 @@ CONFIG_UNWINDER_ORC=y
CONFIG_ARCH_HAS_KCOV=y
CONFIG_CC_HAS_SANCOV_TRACE_PC=y
# CONFIG_KCOV is not set
-CONFIG_RUNTIME_TESTING_MENU=y
-# CONFIG_LKDTM is not set
-# CONFIG_TEST_LIST_SORT is not set
-# CONFIG_TEST_MIN_HEAP is not set
-# CONFIG_TEST_SORT is not set
-# CONFIG_BACKTRACE_SELF_TEST is not set
-CONFIG_RBTREE_TEST=m
-# CONFIG_REED_SOLOMON_TEST is not set
-# CONFIG_INTERVAL_TREE_TEST is not set
-# CONFIG_PERCPU_TEST is not set
-# CONFIG_ATOMIC64_SELFTEST is not set
-CONFIG_ASYNC_RAID6_TEST=m
-# CONFIG_TEST_HEXDUMP is not set
-# CONFIG_TEST_STRING_HELPERS is not set
-# CONFIG_TEST_STRSCPY is not set
-# CONFIG_TEST_KSTRTOX is not set
-# CONFIG_TEST_PRINTF is not set
-# CONFIG_TEST_BITMAP is not set
-# CONFIG_TEST_UUID is not set
-# CONFIG_TEST_XARRAY is not set
-# CONFIG_TEST_OVERFLOW is not set
-# CONFIG_TEST_RHASHTABLE is not set
-# CONFIG_TEST_HASH is not set
-# CONFIG_TEST_IDA is not set
-# CONFIG_TEST_PARMAN is not set
-# CONFIG_TEST_LKM is not set
-# CONFIG_TEST_BITOPS is not set
-# CONFIG_TEST_VMALLOC is not set
-# CONFIG_TEST_USER_COPY is not set
-# CONFIG_TEST_BPF is not set
-# CONFIG_TEST_BLACKHOLE_DEV is not set
-# CONFIG_FIND_BIT_BENCHMARK is not set
-# CONFIG_TEST_FIRMWARE is not set
-# CONFIG_TEST_SYSCTL is not set
-# CONFIG_TEST_UDELAY is not set
-# CONFIG_TEST_STATIC_KEYS is not set
-# CONFIG_TEST_KMOD is not set
-# CONFIG_TEST_MEMCAT_P is not set
-# CONFIG_TEST_OBJAGG is not set
-# CONFIG_TEST_STACKINIT is not set
-# CONFIG_TEST_MEMINIT is not set
-# CONFIG_TEST_FREE_PAGES is not set
-# CONFIG_TEST_FPU is not set
+# CONFIG_RUNTIME_TESTING_MENU is not set
# CONFIG_MEMTEST is not set
# CONFIG_HYPERV_TESTING is not set
# end of Kernel Testing and Coverage
--
2.20.1
* [PATCH 07/13] kernel: Disable OpenvSwitch
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (4 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 06/13] kernel: Disable any runtime testing Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:10 ` Peter Müller
2021-09-17 11:42 ` [PATCH 08/13] kernel: Disable network security hooks Michael Tremer
` (6 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
We do not use this and so we should not build it to save space.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 5 +----
config/kernel/kernel.config.armv6l-ipfire | 5 +----
config/kernel/kernel.config.i586-ipfire | 5 +----
config/kernel/kernel.config.x86_64-ipfire | 5 +----
4 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 1a50e10de..dbd730e80 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1595,10 +1595,7 @@ CONFIG_NET_SCH_FIFO=y
# CONFIG_DCB is not set
CONFIG_DNS_RESOLVER=y
# CONFIG_BATMAN_ADV is not set
-CONFIG_OPENVSWITCH=m
-CONFIG_OPENVSWITCH_GRE=m
-CONFIG_OPENVSWITCH_VXLAN=m
-CONFIG_OPENVSWITCH_GENEVE=m
+# CONFIG_OPENVSWITCH is not set
CONFIG_VSOCKETS=m
CONFIG_VSOCKETS_DIAG=m
CONFIG_VSOCKETS_LOOPBACK=m
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 29c7791e1..93856d185 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -1607,10 +1607,7 @@ CONFIG_NET_SCH_FIFO=y
# CONFIG_DCB is not set
CONFIG_DNS_RESOLVER=y
# CONFIG_BATMAN_ADV is not set
-CONFIG_OPENVSWITCH=m
-CONFIG_OPENVSWITCH_GRE=m
-CONFIG_OPENVSWITCH_VXLAN=m
-CONFIG_OPENVSWITCH_GENEVE=m
+# CONFIG_OPENVSWITCH is not set
CONFIG_VSOCKETS=m
CONFIG_VSOCKETS_DIAG=m
CONFIG_VSOCKETS_LOOPBACK=m
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index bee53286c..8c99e3a60 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -1585,10 +1585,7 @@ CONFIG_NET_SCH_FIFO=y
# CONFIG_DCB is not set
CONFIG_DNS_RESOLVER=y
# CONFIG_BATMAN_ADV is not set
-CONFIG_OPENVSWITCH=m
-CONFIG_OPENVSWITCH_GRE=m
-CONFIG_OPENVSWITCH_VXLAN=m
-CONFIG_OPENVSWITCH_GENEVE=m
+# CONFIG_OPENVSWITCH is not set
CONFIG_VSOCKETS=m
CONFIG_VSOCKETS_DIAG=m
CONFIG_VSOCKETS_LOOPBACK=m
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index bcea8575c..f5c1fce9f 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1591,10 +1591,7 @@ CONFIG_NET_SCH_FIFO=y
# CONFIG_DCB is not set
CONFIG_DNS_RESOLVER=y
# CONFIG_BATMAN_ADV is not set
-CONFIG_OPENVSWITCH=m
-CONFIG_OPENVSWITCH_GRE=m
-CONFIG_OPENVSWITCH_VXLAN=m
-CONFIG_OPENVSWITCH_GENEVE=m
+# CONFIG_OPENVSWITCH is not set
CONFIG_VSOCKETS=m
CONFIG_VSOCKETS_DIAG=m
CONFIG_VSOCKETS_LOOPBACK=m
--
2.20.1
* [PATCH 08/13] kernel: Disable network security hooks
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (5 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 07/13] kernel: Disable OpenvSwitch Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:23 ` Peter Müller
2021-09-17 11:42 ` [PATCH 09/13] kernel: Enable frontswap Michael Tremer
` (5 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
This is a feature we do not use and it should therefore be disabled.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 3 +--
config/kernel/kernel.config.armv6l-ipfire | 3 +--
config/kernel/kernel.config.i586-ipfire | 3 +--
config/kernel/kernel.config.x86_64-ipfire | 3 +--
4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index dbd730e80..15f8cfc6b 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7274,8 +7274,7 @@ CONFIG_KEYS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
-CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_NETWORK_XFRM=y
+# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
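Review bot: CONFIG_SECURITY=y stays enabled directly above the changed lines, so the commit message should name which LSMs this kernel builds and confirm that none of them needs the socket and network hooks; "a feature we do not use" does not show that. This hunk also drops CONFIG_SECURITY_NETWORK_XFRM=y, which was set here and on armv6l but not on i586 and x86_64, so the LSM hooks for XFRM (IPsec) policy go away on the ARM builds as well; that deserves a sentence in the message.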
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 93856d185..fc309c9b3 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7369,8 +7369,7 @@ CONFIG_KEYS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
-CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_NETWORK_XFRM=y
+# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 8c99e3a60..08df3d656 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -6912,8 +6912,7 @@ CONFIG_ENCRYPTED_KEYS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
-CONFIG_SECURITY_NETWORK=y
-# CONFIG_SECURITY_NETWORK_XFRM is not set
+# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_INTEL_TXT is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index f5c1fce9f..5f8711ac4 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6749,9 +6749,8 @@ CONFIG_KEYS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
-CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK is not set
CONFIG_PAGE_TABLE_ISOLATION=y
-# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_INTEL_TXT is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
--
2.20.1
* [PATCH 09/13] kernel: Enable frontswap
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (6 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 08/13] kernel: Disable network security hooks Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:20 ` Peter Müller
2021-09-17 11:42 ` [PATCH 10/13] kernel: Enable ExFAT on all architectures Michael Tremer
` (4 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3062 bytes --]
"Frontswap provides a “transcendent memory” interface for swap pages. In
some environments, dramatic performance savings may be obtained because
swapped pages are saved in RAM (or a RAM-like device) instead of a swap
disk."
https://www.kernel.org/doc/html/latest/vm/frontswap.html
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 3 ++-
config/kernel/kernel.config.armv6l-ipfire | 3 ++-
config/kernel/kernel.config.i586-ipfire | 3 ++-
config/kernel/kernel.config.x86_64-ipfire | 3 ++-
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 15f8cfc6b..a59fecaea 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -956,11 +956,12 @@ CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
# CONFIG_MEMORY_FAILURE is not set
# CONFIG_TRANSPARENT_HUGEPAGE is not set
CONFIG_CLEANCACHE=y
-# CONFIG_FRONTSWAP is not set
+CONFIG_FRONTSWAP=y
CONFIG_CMA=y
# CONFIG_CMA_DEBUG is not set
# CONFIG_CMA_DEBUGFS is not set
CONFIG_CMA_AREAS=7
+# CONFIG_ZSWAP is not set
# CONFIG_ZPOOL is not set
# CONFIG_ZBUD is not set
# CONFIG_ZSMALLOC is not set
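Review bot: CONFIG_FRONTSWAP=y is set here while the newly listed CONFIG_ZSWAP stays unset, as do CONFIG_ZPOOL, CONFIG_ZBUD and CONFIG_ZSMALLOC in the context below it, so this hunk builds the frontswap interface with no backend visible to store pages in. Either enable a backend in the same patch or state in the commit message which one is expected to provide the RAM-backed store that the quoted documentation describes.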
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index fc309c9b3..dc8d3a6b9 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -964,11 +964,12 @@ CONFIG_BOUNCE=y
CONFIG_KSM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_CLEANCACHE=y
-# CONFIG_FRONTSWAP is not set
+CONFIG_FRONTSWAP=y
CONFIG_CMA=y
# CONFIG_CMA_DEBUG is not set
# CONFIG_CMA_DEBUGFS is not set
CONFIG_CMA_AREAS=7
+# CONFIG_ZSWAP is not set
# CONFIG_ZPOOL is not set
# CONFIG_ZBUD is not set
# CONFIG_ZSMALLOC is not set
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 08df3d656..90d4ac856 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -950,8 +950,9 @@ CONFIG_TRANSPARENT_HUGEPAGE=y
CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
CONFIG_CLEANCACHE=y
-# CONFIG_FRONTSWAP is not set
+CONFIG_FRONTSWAP=y
# CONFIG_CMA is not set
+# CONFIG_ZSWAP is not set
# CONFIG_ZPOOL is not set
# CONFIG_ZBUD is not set
# CONFIG_ZSMALLOC is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 5f8711ac4..29fc30274 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -950,8 +950,9 @@ CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
CONFIG_ARCH_WANTS_THP_SWAP=y
CONFIG_THP_SWAP=y
CONFIG_CLEANCACHE=y
-# CONFIG_FRONTSWAP is not set
+CONFIG_FRONTSWAP=y
# CONFIG_CMA is not set
+# CONFIG_ZSWAP is not set
# CONFIG_ZPOOL is not set
# CONFIG_ZBUD is not set
# CONFIG_ZSMALLOC is not set
--
2.20.1
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH 10/13] kernel: Enable ExFAT on all architectures
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (7 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 09/13] kernel: Enable frontswap Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:10 ` Peter Müller
2021-09-20 13:48 ` Adolf Belka
2021-09-17 11:42 ` [PATCH 11/13] kernel: Enable support for TPM hardware Michael Tremer
` (3 subsequent siblings)
12 siblings, 2 replies; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1944 bytes --]
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 3 ++-
config/kernel/kernel.config.armv6l-ipfire | 3 ++-
config/kernel/kernel.config.x86_64-ipfire | 3 ++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index a59fecaea..aa34b64db 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7089,7 +7089,8 @@ CONFIG_VFAT_FS=m
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
# CONFIG_FAT_DEFAULT_UTF8 is not set
-# CONFIG_EXFAT_FS is not set
+CONFIG_EXFAT_FS=m
+CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
# CONFIG_NTFS_FS is not set
# end of DOS/FAT/EXFAT/NT Filesystems
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index dc8d3a6b9..7b82e87df 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7189,7 +7189,8 @@ CONFIG_VFAT_FS=m
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
# CONFIG_FAT_DEFAULT_UTF8 is not set
-# CONFIG_EXFAT_FS is not set
+CONFIG_EXFAT_FS=m
+CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
# CONFIG_NTFS_FS is not set
# end of DOS/FAT/EXFAT/NT Filesystems
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 29fc30274..fe93d731c 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6566,7 +6566,8 @@ CONFIG_VFAT_FS=m
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
# CONFIG_FAT_DEFAULT_UTF8 is not set
-# CONFIG_EXFAT_FS is not set
+CONFIG_EXFAT_FS=m
+CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
# CONFIG_NTFS_FS is not set
# end of DOS/FAT/EXFAT/NT Filesystems
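Review bot: the subject says "all architectures", but the diffstat and hunks cover only aarch64, armv6l and x86_64, with no change to kernel.config.i586-ipfire. If i586 already has CONFIG_EXFAT_FS=m, say so in the commit message; otherwise add the hunk. A line on why CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8" differs from CONFIG_FAT_DEFAULT_IOCHARSET="ascii" in the context just above would also help.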
--
2.20.1
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH 11/13] kernel: Enable support for TPM hardware
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (8 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 10/13] kernel: Enable ExFAT on all architectures Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:15 ` Peter Müller
2021-09-17 11:42 ` [PATCH 12/13] kernel: Zero-init all stack variables by default Michael Tremer
` (2 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 4383 bytes --]
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
4 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index aa34b64db..49ee85970 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
CONFIG_RAW_DRIVER=y
CONFIG_MAX_RAW_DEVS=8192
CONFIG_DEVPORT=y
-# CONFIG_TCG_TPM is not set
+CONFIG_TCG_TPM=m
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_CRB=m
+CONFIG_TCG_VTPM_PROXY=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
# CONFIG_XILLYBUS is not set
# end of Character devices
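Review bot: the commit message is empty, and this hunk switches on the whole TPM driver set at once (TIS, three I2C variants, Atmel, Infineon, CRB, vTPM proxy, ST33ZP24) together with CONFIG_HW_RANDOM_TPM=y, which exposes the TPM's random number generator through the hw_random framework. Please state what the TPM is meant to be used for and whether the RNG hookup is intended, so the size of the driver list can be judged against a use case.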
@@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
CONFIG_KEYS=y
# CONFIG_KEYS_REQUEST_CACHE is not set
# CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_TRUSTED_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_KEY_DH_OPERATIONS is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
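Review bot: the line this hunk adds leaves CONFIG_TRUSTED_KEYS unset, and CONFIG_ENCRYPTED_KEYS stays unset directly below it, so the kernel keyring cannot use the TPM enabled earlier in this patch to seal keys. If that is deliberate, note it in the commit message; if TPM-sealed keys are the goal, this is the option to turn on.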
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 7b82e87df..b11a179e3 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
CONFIG_RAW_DRIVER=y
CONFIG_MAX_RAW_DEVS=8192
CONFIG_DEVPORT=y
-# CONFIG_TCG_TPM is not set
+CONFIG_TCG_TPM=m
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_VTPM_PROXY=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
# CONFIG_XILLYBUS is not set
# end of Character devices
@@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
CONFIG_KEYS=y
# CONFIG_KEYS_REQUEST_CACHE is not set
# CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_TRUSTED_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_KEY_DH_OPERATIONS is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 90d4ac856..2d7158c96 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
CONFIG_HPET=y
# CONFIG_HPET_MMAP is not set
CONFIG_HANGCHECK_TIMER=m
-# CONFIG_TCG_TPM is not set
+CONFIG_TCG_TPM=m
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_XEN=m
+CONFIG_TCG_CRB=m
+CONFIG_TCG_VTPM_PROXY=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
# CONFIG_TELCLOCK is not set
# CONFIG_XILLYBUS is not set
# end of Character devices
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index fe93d731c..65014f41a 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
CONFIG_HPET=y
# CONFIG_HPET_MMAP is not set
CONFIG_HANGCHECK_TIMER=m
-# CONFIG_TCG_TPM is not set
+CONFIG_TCG_TPM=m
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_XEN=m
+CONFIG_TCG_CRB=m
+CONFIG_TCG_VTPM_PROXY=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
# CONFIG_TELCLOCK is not set
# CONFIG_XILLYBUS is not set
# end of Character devices
@@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
CONFIG_KEYS=y
# CONFIG_KEYS_REQUEST_CACHE is not set
# CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_TRUSTED_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_KEY_DH_OPERATIONS is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
--
2.20.1
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH 12/13] kernel: Zero-init all stack variables by default
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (9 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 11/13] kernel: Enable support for TPM hardware Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:11 ` Peter Müller
2021-09-17 11:42 ` [PATCH 13/13] kernel: Enable all cgroups on all architectures Michael Tremer
2021-09-18 16:09 ` [PATCH 01/13] kernel: Change timer tick to 1000Hz Peter Müller
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2170 bytes --]
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 2 +-
config/kernel/kernel.config.armv6l-ipfire | 2 +-
config/kernel/kernel.config.x86_64-ipfire | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 49ee85970..7ae9f9738 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7325,7 +7325,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
# CONFIG_GCC_PLUGIN_STACKLEAK is not set
-# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
# end of Kernel hardening options
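Review bot: the subject promises zero-initialised stack variables, but the only line changed is CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, which zeroes page and slab allocator memory at allocation time, that is heap rather than stack. Stack coverage in this block comes from the CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y context line, which the patch does not touch. Retitle the patch to match the option, or change a stack-initialisation setting if that was the intent.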
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index b11a179e3..33117b0b4 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7416,7 +7416,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
-# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
# end of Kernel hardening options
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 65014f41a..aab0cfb25 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6805,7 +6805,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
# CONFIG_GCC_PLUGIN_STACKLEAK is not set
-# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization
# end of Kernel hardening options
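Review bot: kernel.config.i586-ipfire is not in the diffstat, so after this last hunk i586 is the only architecture whose CONFIG_INIT_ON_ALLOC_DEFAULT_ON state is not shown. Say in the commit message whether it is already enabled there or left out on purpose.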
--
2.20.1
^ permalink raw reply [flat|nested] 33+ messages in thread
* [PATCH 13/13] kernel: Enable all cgroups on all architectures
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (10 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 12/13] kernel: Zero-init all stack variables by default Michael Tremer
@ 2021-09-17 11:42 ` Michael Tremer
2021-09-18 16:15 ` Peter Müller
2021-09-18 16:09 ` [PATCH 01/13] kernel: Change timer tick to 1000Hz Peter Müller
12 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-17 11:42 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3382 bytes --]
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 2 +-
config/kernel/kernel.config.armv6l-ipfire | 2 +-
config/kernel/kernel.config.i586-ipfire | 9 +++++++--
config/kernel/kernel.config.x86_64-ipfire | 9 +++++++--
4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 7ae9f9738..4449227e9 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -142,7 +142,7 @@ CONFIG_FAIR_GROUP_SCHED=y
# CONFIG_CFS_BANDWIDTH is not set
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
-# CONFIG_CGROUP_RDMA is not set
+CONFIG_CGROUP_RDMA=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
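Review bot: under the subject "Enable all cgroups", "# CONFIG_CFS_BANDWIDTH is not set" remains in the context a few lines above the changed CONFIG_CGROUP_RDMA=y, so not every cgroup feature in this block ends up enabled. Either include it or narrow the subject, and give a reason for turning on the RDMA controller, since the commit message has none.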
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 33117b0b4..77a4b8661 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -147,7 +147,7 @@ CONFIG_FAIR_GROUP_SCHED=y
# CONFIG_CFS_BANDWIDTH is not set
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
-# CONFIG_CGROUP_RDMA is not set
+CONFIG_CGROUP_RDMA=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 2d7158c96..f426bf0b0 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -145,14 +145,18 @@ CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
CONFIG_CGROUPS=y
-# CONFIG_MEMCG is not set
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_KMEM=y
CONFIG_BLK_CGROUP=y
+CONFIG_CGROUP_WRITEBACK=y
CONFIG_CGROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
# CONFIG_CFS_BANDWIDTH is not set
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
-# CONFIG_CGROUP_RDMA is not set
+CONFIG_CGROUP_RDMA=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
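Review bot: CONFIG_MEMCG=y arrives here together with CONFIG_MEMCG_SWAP=y, CONFIG_MEMCG_KMEM=y and CONFIG_CGROUP_WRITEBACK=y, which is a much larger change on i586 than the single CONFIG_CGROUP_RDMA line on the ARM configs, yet the commit message is empty. Name what will consume the memory controller and note any measured overhead, so the new accounting can be weighed against its use.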
@@ -236,6 +240,7 @@ CONFIG_PERF_EVENTS=y
CONFIG_VM_EVENT_COUNTERS=y
# CONFIG_SLUB_DEBUG is not set
+# CONFIG_SLUB_MEMCG_SYSFS_ON is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_SLAB is not set
CONFIG_SLUB=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index aab0cfb25..9cd6756cd 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -152,14 +152,18 @@ CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
CONFIG_CC_HAS_INT128=y
CONFIG_ARCH_SUPPORTS_INT128=y
CONFIG_CGROUPS=y
-# CONFIG_MEMCG is not set
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_KMEM=y
CONFIG_BLK_CGROUP=y
+CONFIG_CGROUP_WRITEBACK=y
CONFIG_CGROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
# CONFIG_CFS_BANDWIDTH is not set
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
-# CONFIG_CGROUP_RDMA is not set
+CONFIG_CGROUP_RDMA=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
@@ -246,6 +250,7 @@ CONFIG_PERF_EVENTS=y
CONFIG_VM_EVENT_COUNTERS=y
# CONFIG_SLUB_DEBUG is not set
+# CONFIG_SLUB_MEMCG_SYSFS_ON is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_SLAB is not set
CONFIG_SLUB=y
--
2.20.1
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH 01/13] kernel: Change timer tick to 1000Hz
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
` (11 preceding siblings ...)
2021-09-17 11:42 ` [PATCH 13/13] kernel: Enable all cgroups on all architectures Michael Tremer
@ 2021-09-18 16:09 ` Peter Müller
12 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:09 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3774 bytes --]
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> This change is required to make the system respond faster to any
> realtime events (sending or receiving data packets).
>
> It will wake up at least one core 1000 times a second which will result
> in finer timer granularity and make scheduling smoother. HTB for
> example sends large packet bursts on each timer event to keep up data
> rates which is not helpful for most applications.
>
> The change might increase resource consumption and overhead slightly on
> some systems, but since we are running in an idle-dyntick configuration,
> we should not keep awake any cores that have not been awake before.
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 6 +++---
> config/kernel/kernel.config.armv6l-ipfire | 6 +++---
> config/kernel/kernel.config.i586-ipfire | 6 +++---
> config/kernel/kernel.config.x86_64-ipfire | 6 +++---
> 4 files changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 450835d8b..54cd7c084 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -370,11 +370,11 @@ CONFIG_NR_CPUS=8
> CONFIG_HOTPLUG_CPU=y
> # CONFIG_NUMA is not set
> CONFIG_HOLES_IN_ZONE=y
> -CONFIG_HZ_100=y
> +# CONFIG_HZ_100 is not set
> # CONFIG_HZ_250 is not set
> # CONFIG_HZ_300 is not set
> -# CONFIG_HZ_1000 is not set
> -CONFIG_HZ=100
> +CONFIG_HZ_1000=y
> +CONFIG_HZ=1000
> CONFIG_SCHED_HRTICK=y
> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
> CONFIG_ARCH_SPARSEMEM_ENABLE=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index b1af6555c..6fe17954d 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -588,13 +588,13 @@ CONFIG_HOTPLUG_CPU=y
> CONFIG_ARM_PSCI=y
> CONFIG_ARCH_NR_GPIO=512
> CONFIG_HZ_FIXED=0
> -CONFIG_HZ_100=y
> +# CONFIG_HZ_100 is not set
> # CONFIG_HZ_200 is not set
> # CONFIG_HZ_250 is not set
> # CONFIG_HZ_300 is not set
> # CONFIG_HZ_500 is not set
> -# CONFIG_HZ_1000 is not set
> -CONFIG_HZ=100
> +CONFIG_HZ_1000=y
> +CONFIG_HZ=1000
> CONFIG_SCHED_HRTICK=y
> CONFIG_ARM_PATCH_IDIV=y
> CONFIG_AEABI=y
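Review bot: the commit message says the change "might increase resource consumption and overhead slightly on some systems" but gives no measurement, and this hunk applies the same tenfold step (CONFIG_HZ=100 to CONFIG_HZ=1000) to the armv6l config. A before and after figure for idle wakeups or CPU load on one of the ARM targets would back up the claim that the idle-dyntick configuration keeps the cost small.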
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 5f5a496a8..a915682e4 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -438,11 +438,11 @@ CONFIG_X86_INTEL_TSX_MODE_OFF=y
> # CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
> CONFIG_EFI=y
> CONFIG_EFI_STUB=y
> -CONFIG_HZ_100=y
> +# CONFIG_HZ_100 is not set
> # CONFIG_HZ_250 is not set
> # CONFIG_HZ_300 is not set
> -# CONFIG_HZ_1000 is not set
> -CONFIG_HZ=100
> +CONFIG_HZ_1000=y
> +CONFIG_HZ=1000
> CONFIG_SCHED_HRTICK=y
> # CONFIG_KEXEC is not set
> CONFIG_CRASH_DUMP=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index f8289aeb8..730e0791e 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -430,11 +430,11 @@ CONFIG_X86_INTEL_TSX_MODE_OFF=y
> CONFIG_EFI=y
> CONFIG_EFI_STUB=y
> CONFIG_EFI_MIXED=y
> -CONFIG_HZ_100=y
> +# CONFIG_HZ_100 is not set
> # CONFIG_HZ_250 is not set
> # CONFIG_HZ_300 is not set
> -# CONFIG_HZ_1000 is not set
> -CONFIG_HZ=100
> +CONFIG_HZ_1000=y
> +CONFIG_HZ=1000
> CONFIG_SCHED_HRTICK=y
> # CONFIG_KEXEC is not set
> # CONFIG_KEXEC_FILE is not set
>
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH 02/13] kernel: Disable suspending systems to RAM
2021-09-17 11:42 ` [PATCH 02/13] kernel: Disable suspending systems to RAM Michael Tremer
@ 2021-09-18 16:09 ` Peter Müller
0 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:09 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3252 bytes --]
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> We do not make any use of this functionality
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 4 +---
> config/kernel/kernel.config.armv6l-ipfire | 4 +---
> config/kernel/kernel.config.i586-ipfire | 5 +----
> config/kernel/kernel.config.x86_64-ipfire | 5 +----
> 4 files changed, 4 insertions(+), 14 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 54cd7c084..589e0440d 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -480,9 +480,7 @@ CONFIG_SYSVIPC_COMPAT=y
> #
> # Power management options
> #
> -CONFIG_SUSPEND=y
> -CONFIG_SUSPEND_FREEZER=y
> -# CONFIG_SUSPEND_SKIP_SYNC is not set
> +# CONFIG_SUSPEND is not set
> # CONFIG_HIBERNATION is not set
> CONFIG_PM_SLEEP=y
> CONFIG_PM_SLEEP_SMP=y
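Review bot: after CONFIG_SUSPEND is unset here, CONFIG_PM_SLEEP=y and CONFIG_PM_SLEEP_SMP=y remain in the context even though "# CONFIG_HIBERNATION is not set" sits right above them. If the aim is to drop unused sleep functionality, say in the commit message what still selects PM_SLEEP on this architecture, or confirm that the config was regenerated and these lines are expected to stay.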
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 6fe17954d..1dc5b1c58 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -702,9 +702,7 @@ CONFIG_NEON=y
> #
> # Power management options
> #
> -CONFIG_SUSPEND=y
> -CONFIG_SUSPEND_FREEZER=y
> -# CONFIG_SUSPEND_SKIP_SYNC is not set
> +# CONFIG_SUSPEND is not set
> # CONFIG_HIBERNATION is not set
> CONFIG_PM_SLEEP=y
> CONFIG_PM_SLEEP_SMP=y
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index a915682e4..b159db581 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -464,9 +464,7 @@ CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
> #
> # Power management and ACPI options
> #
> -CONFIG_SUSPEND=y
> -CONFIG_SUSPEND_FREEZER=y
> -# CONFIG_SUSPEND_SKIP_SYNC is not set
> +# CONFIG_SUSPEND is not set
> # CONFIG_HIBERNATION is not set
> CONFIG_PM_SLEEP=y
> CONFIG_PM_SLEEP_SMP=y
> @@ -484,7 +482,6 @@ CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
> CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
> # CONFIG_ACPI_DEBUGGER is not set
> CONFIG_ACPI_SPCR_TABLE=y
> -CONFIG_ACPI_SLEEP=y
> CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
> CONFIG_ACPI_EC_DEBUGFS=m
> CONFIG_ACPI_AC=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 730e0791e..bf738bda5 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -468,9 +468,7 @@ CONFIG_ARCH_ENABLE_THP_MIGRATION=y
> #
> # Power management and ACPI options
> #
> -CONFIG_SUSPEND=y
> -CONFIG_SUSPEND_FREEZER=y
> -# CONFIG_SUSPEND_SKIP_SYNC is not set
> +# CONFIG_SUSPEND is not set
> CONFIG_HIBERNATE_CALLBACKS=y
> # CONFIG_HIBERNATION is not set
> CONFIG_PM_SLEEP=y
> @@ -490,7 +488,6 @@ CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
> # CONFIG_ACPI_DEBUGGER is not set
> CONFIG_ACPI_SPCR_TABLE=y
> CONFIG_ACPI_LPIT=y
> -CONFIG_ACPI_SLEEP=y
> CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
> CONFIG_ACPI_EC_DEBUGFS=m
> CONFIG_ACPI_AC=y
>
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH 03/13] kernel: Disable IRQ time accounting
2021-09-17 11:42 ` [PATCH 03/13] kernel: Disable IRQ time accounting Michael Tremer
@ 2021-09-18 16:10 ` Peter Müller
0 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:10 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1765 bytes --]
Thanks for cleaning this up. :-)
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> This feature is now disabled (was disabled on ARM before) as we do not
> need it:
>
> "Select this option to enable fine granularity task irq time accounting.
> This is done by reading a timestamp on each transitions between softirq
> and hardirq state, so there can be a small performance impact."
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.i586-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index b159db581..ff94e949e 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -103,7 +103,7 @@ CONFIG_PREEMPT_VOLUNTARY=y
> # CPU/Task time and stats accounting
> #
> CONFIG_TICK_CPU_ACCOUNTING=y
> -CONFIG_IRQ_TIME_ACCOUNTING=y
> +# CONFIG_IRQ_TIME_ACCOUNTING is not set
> CONFIG_HAVE_SCHED_AVG_IRQ=y
> CONFIG_BSD_PROCESS_ACCT=y
> # CONFIG_BSD_PROCESS_ACCT_V3 is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index bf738bda5..43c483f00 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -107,7 +107,7 @@ CONFIG_PREEMPT_VOLUNTARY=y
> #
> CONFIG_TICK_CPU_ACCOUNTING=y
> # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
> -CONFIG_IRQ_TIME_ACCOUNTING=y
> +# CONFIG_IRQ_TIME_ACCOUNTING is not set
> CONFIG_HAVE_SCHED_AVG_IRQ=y
> CONFIG_BSD_PROCESS_ACCT=y
> # CONFIG_BSD_PROCESS_ACCT_V3 is not set
>
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH 07/13] kernel: Disable OpenvSwitch
2021-09-17 11:42 ` [PATCH 07/13] kernel: Disable OpenvSwitch Michael Tremer
@ 2021-09-18 16:10 ` Peter Müller
0 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:10 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2958 bytes --]
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> We do not use this and so we should not build it to save space.
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 5 +----
> config/kernel/kernel.config.armv6l-ipfire | 5 +----
> config/kernel/kernel.config.i586-ipfire | 5 +----
> config/kernel/kernel.config.x86_64-ipfire | 5 +----
> 4 files changed, 4 insertions(+), 16 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 1a50e10de..dbd730e80 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -1595,10 +1595,7 @@ CONFIG_NET_SCH_FIFO=y
> # CONFIG_DCB is not set
> CONFIG_DNS_RESOLVER=y
> # CONFIG_BATMAN_ADV is not set
> -CONFIG_OPENVSWITCH=m
> -CONFIG_OPENVSWITCH_GRE=m
> -CONFIG_OPENVSWITCH_VXLAN=m
> -CONFIG_OPENVSWITCH_GENEVE=m
> +# CONFIG_OPENVSWITCH is not set
> CONFIG_VSOCKETS=m
> CONFIG_VSOCKETS_DIAG=m
> CONFIG_VSOCKETS_LOOPBACK=m
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 29c7791e1..93856d185 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -1607,10 +1607,7 @@ CONFIG_NET_SCH_FIFO=y
> # CONFIG_DCB is not set
> CONFIG_DNS_RESOLVER=y
> # CONFIG_BATMAN_ADV is not set
> -CONFIG_OPENVSWITCH=m
> -CONFIG_OPENVSWITCH_GRE=m
> -CONFIG_OPENVSWITCH_VXLAN=m
> -CONFIG_OPENVSWITCH_GENEVE=m
> +# CONFIG_OPENVSWITCH is not set
> CONFIG_VSOCKETS=m
> CONFIG_VSOCKETS_DIAG=m
> CONFIG_VSOCKETS_LOOPBACK=m
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index bee53286c..8c99e3a60 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -1585,10 +1585,7 @@ CONFIG_NET_SCH_FIFO=y
> # CONFIG_DCB is not set
> CONFIG_DNS_RESOLVER=y
> # CONFIG_BATMAN_ADV is not set
> -CONFIG_OPENVSWITCH=m
> -CONFIG_OPENVSWITCH_GRE=m
> -CONFIG_OPENVSWITCH_VXLAN=m
> -CONFIG_OPENVSWITCH_GENEVE=m
> +# CONFIG_OPENVSWITCH is not set
> CONFIG_VSOCKETS=m
> CONFIG_VSOCKETS_DIAG=m
> CONFIG_VSOCKETS_LOOPBACK=m
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index bcea8575c..f5c1fce9f 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -1591,10 +1591,7 @@ CONFIG_NET_SCH_FIFO=y
> # CONFIG_DCB is not set
> CONFIG_DNS_RESOLVER=y
> # CONFIG_BATMAN_ADV is not set
> -CONFIG_OPENVSWITCH=m
> -CONFIG_OPENVSWITCH_GRE=m
> -CONFIG_OPENVSWITCH_VXLAN=m
> -CONFIG_OPENVSWITCH_GENEVE=m
> +# CONFIG_OPENVSWITCH is not set
> CONFIG_VSOCKETS=m
> CONFIG_VSOCKETS_DIAG=m
> CONFIG_VSOCKETS_LOOPBACK=m
>
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [PATCH 10/13] kernel: Enable ExFAT on all architectures
2021-09-17 11:42 ` [PATCH 10/13] kernel: Enable ExFAT on all architectures Michael Tremer
@ 2021-09-18 16:10 ` Peter Müller
2021-09-20 13:48 ` Adolf Belka
1 sibling, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:10 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2111 bytes --]
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
> config/kernel/kernel.config.armv6l-ipfire | 3 ++-
> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
> 3 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index a59fecaea..aa34b64db 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7089,7 +7089,8 @@ CONFIG_VFAT_FS=m
> CONFIG_FAT_DEFAULT_CODEPAGE=437
> CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
> # CONFIG_FAT_DEFAULT_UTF8 is not set
> -# CONFIG_EXFAT_FS is not set
> +CONFIG_EXFAT_FS=m
> +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
> # CONFIG_NTFS_FS is not set
> # end of DOS/FAT/EXFAT/NT Filesystems
>
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index dc8d3a6b9..7b82e87df 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7189,7 +7189,8 @@ CONFIG_VFAT_FS=m
> CONFIG_FAT_DEFAULT_CODEPAGE=437
> CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
> # CONFIG_FAT_DEFAULT_UTF8 is not set
> -# CONFIG_EXFAT_FS is not set
> +CONFIG_EXFAT_FS=m
> +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
> # CONFIG_NTFS_FS is not set
> # end of DOS/FAT/EXFAT/NT Filesystems
>
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 29fc30274..fe93d731c 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6566,7 +6566,8 @@ CONFIG_VFAT_FS=m
> CONFIG_FAT_DEFAULT_CODEPAGE=437
> CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
> # CONFIG_FAT_DEFAULT_UTF8 is not set
> -# CONFIG_EXFAT_FS is not set
> +CONFIG_EXFAT_FS=m
> +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
> # CONFIG_NTFS_FS is not set
> # end of DOS/FAT/EXFAT/NT Filesystems
>
>
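Review bot: The subject says all architectures, but the diffstat and the three hunks cover aarch64, armv6l and x86_64 only, with no change to kernel.config.i586-ipfire. If i586 already has `CONFIG_EXFAT_FS` set, say so in the commit message; otherwise the i586 hunk is missing. The added `CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"` also differs from `CONFIG_FAT_DEFAULT_IOCHARSET="ascii"` three lines above it, which deserves a sentence of rationale since the commit has no body.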
* Re: [PATCH 12/13] kernel: Zero-init all stack variables by default
2021-09-17 11:42 ` [PATCH 12/13] kernel: Zero-init all stack variables by default Michael Tremer
@ 2021-09-18 16:11 ` Peter Müller
2021-09-21 9:50 ` Michael Tremer
0 siblings, 1 reply; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:11 UTC (permalink / raw)
To: development
Peter likes this one. :-)
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 49ee85970..7ae9f9738 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7325,7 +7325,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
> -# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
> +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
> # end of Memory initialization
> # end of Kernel hardening options
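Review bot: The subject says stack variables, but the only line changed in this hunk is `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y`, which zero-fills page and slab allocations when they are handed out and does nothing for locals on the stack. Stack coverage in this config comes from the unchanged context line `CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y`. Retitle the commit to heap zero-on-allocation, or name the stack option that was meant, and add a line on the expected allocation overhead since the commit has no body.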
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index b11a179e3..33117b0b4 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7416,7 +7416,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
> -# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
> +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
> # end of Memory initialization
> # end of Kernel hardening options
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 65014f41a..aab0cfb25 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6805,7 +6805,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
> -# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
> +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
> # end of Memory initialization
> # end of Kernel hardening options
>
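Review bot: This is the last hunk and the diffstat lists three files, so kernel.config.i586-ipfire is left without the `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y` change. If i586 is excluded on purpose, state the reason in the commit message; otherwise add the matching hunk.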
* Re: [PATCH 11/13] kernel: Enable support for TPM hardware
2021-09-17 11:42 ` [PATCH 11/13] kernel: Enable support for TPM hardware Michael Tremer
@ 2021-09-18 16:15 ` Peter Müller
2021-09-21 9:50 ` Michael Tremer
0 siblings, 1 reply; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:15 UTC (permalink / raw)
To: development
Hello Michael,
hello *,
just a small comment for the records: As discussed in the last monthly telephone
conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
left to be locked down in IPFire thanks to enforced kernel module signing.
So no user needs to worry about introducing TPM support coming with a lack of
digital sovereignty - that is, if something like this even exists on today's hardware. :-)
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
Thanks, and best regards,
Peter Müller
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
> 4 files changed, 56 insertions(+), 4 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index aa34b64db..49ee85970 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
> CONFIG_RAW_DRIVER=y
> CONFIG_MAX_RAW_DEVS=8192
> CONFIG_DEVPORT=y
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
> # CONFIG_XILLYBUS is not set
> # end of Character devices
>
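Review bot: `CONFIG_TCG_VTPM_PROXY=m` in this hunk is the proxy interface for exposing emulated TPMs to containers, not a driver for TPM hardware, so it goes beyond the subject line. The commit has no description; record there that the TPM is wanted as a hardware RNG source, as the reply above says and `CONFIG_HW_RANDOM_TPM=y` implements, and either drop the options that scope does not need or justify them.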
> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
> CONFIG_KEYS=y
> # CONFIG_KEYS_REQUEST_CACHE is not set
> # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
> # CONFIG_ENCRYPTED_KEYS is not set
> # CONFIG_KEY_DH_OPERATIONS is not set
> CONFIG_SECURITY_DMESG_RESTRICT=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 7b82e87df..b11a179e3 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
> CONFIG_RAW_DRIVER=y
> CONFIG_MAX_RAW_DEVS=8192
> CONFIG_DEVPORT=y
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
> # CONFIG_XILLYBUS is not set
> # end of Character devices
>
> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
> CONFIG_KEYS=y
> # CONFIG_KEYS_REQUEST_CACHE is not set
> # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
> # CONFIG_ENCRYPTED_KEYS is not set
> # CONFIG_KEY_DH_OPERATIONS is not set
> CONFIG_SECURITY_DMESG_RESTRICT=y
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 90d4ac856..2d7158c96 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
> CONFIG_HPET=y
> # CONFIG_HPET_MMAP is not set
> CONFIG_HANGCHECK_TIMER=m
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_NSC=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_XEN=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
> # CONFIG_TELCLOCK is not set
> # CONFIG_XILLYBUS is not set
> # end of Character devices
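Review bot: The i586 part ends with this hunk and adds no `# CONFIG_TRUSTED_KEYS is not set` line, while aarch64, armv6l and x86_64 each get one in a second hunk. Confirm that the i586 config was regenerated after enabling `CONFIG_TCG_TPM` and that trusted keys end up disabled there as on the other architectures.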
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index fe93d731c..65014f41a 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
> CONFIG_HPET=y
> # CONFIG_HPET_MMAP is not set
> CONFIG_HANGCHECK_TIMER=m
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_NSC=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_XEN=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
> # CONFIG_TELCLOCK is not set
> # CONFIG_XILLYBUS is not set
> # end of Character devices
> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
> CONFIG_KEYS=y
> # CONFIG_KEYS_REQUEST_CACHE is not set
> # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
> # CONFIG_ENCRYPTED_KEYS is not set
> # CONFIG_KEY_DH_OPERATIONS is not set
> CONFIG_SECURITY_DMESG_RESTRICT=y
>
* Re: [PATCH 13/13] kernel: Enable all cgroups on all architectures
2021-09-17 11:42 ` [PATCH 13/13] kernel: Enable all cgroups on all architectures Michael Tremer
@ 2021-09-18 16:15 ` Peter Müller
0 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:15 UTC (permalink / raw)
To: development
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire | 2 +-
> config/kernel/kernel.config.i586-ipfire | 9 +++++++--
> config/kernel/kernel.config.x86_64-ipfire | 9 +++++++--
> 4 files changed, 16 insertions(+), 6 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 7ae9f9738..4449227e9 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -142,7 +142,7 @@ CONFIG_FAIR_GROUP_SCHED=y
> # CONFIG_CFS_BANDWIDTH is not set
> CONFIG_RT_GROUP_SCHED=y
> CONFIG_CGROUP_PIDS=y
> -# CONFIG_CGROUP_RDMA is not set
> +CONFIG_CGROUP_RDMA=y
> CONFIG_CGROUP_FREEZER=y
> CONFIG_CPUSETS=y
> CONFIG_PROC_PID_CPUSET=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 33117b0b4..77a4b8661 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -147,7 +147,7 @@ CONFIG_FAIR_GROUP_SCHED=y
> # CONFIG_CFS_BANDWIDTH is not set
> CONFIG_RT_GROUP_SCHED=y
> CONFIG_CGROUP_PIDS=y
> -# CONFIG_CGROUP_RDMA is not set
> +CONFIG_CGROUP_RDMA=y
> CONFIG_CGROUP_FREEZER=y
> CONFIG_CPUSETS=y
> CONFIG_PROC_PID_CPUSET=y
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 2d7158c96..f426bf0b0 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -145,14 +145,18 @@ CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
>
> CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
> CONFIG_CGROUPS=y
> -# CONFIG_MEMCG is not set
> +CONFIG_PAGE_COUNTER=y
> +CONFIG_MEMCG=y
> +CONFIG_MEMCG_SWAP=y
> +CONFIG_MEMCG_KMEM=y
> CONFIG_BLK_CGROUP=y
> +CONFIG_CGROUP_WRITEBACK=y
> CONFIG_CGROUP_SCHED=y
> CONFIG_FAIR_GROUP_SCHED=y
> # CONFIG_CFS_BANDWIDTH is not set
> CONFIG_RT_GROUP_SCHED=y
> CONFIG_CGROUP_PIDS=y
> -# CONFIG_CGROUP_RDMA is not set
> +CONFIG_CGROUP_RDMA=y
> CONFIG_CGROUP_FREEZER=y
> CONFIG_CPUSETS=y
> CONFIG_PROC_PID_CPUSET=y
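Review bot: The subject says all cgroups, yet `# CONFIG_CFS_BANDWIDTH is not set` stays as unchanged context in this hunk, so CPU bandwidth limits for the cpu controller remain unavailable. The hunk also turns on the memory controller (`CONFIG_MEMCG`, `CONFIG_MEMCG_SWAP`, `CONFIG_MEMCG_KMEM`), which adds memory accounting on every i586 system. The commit has no body, so add a sentence on what will use these controllers and whether CFS bandwidth is left out on purpose.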
> @@ -236,6 +240,7 @@ CONFIG_PERF_EVENTS=y
>
> CONFIG_VM_EVENT_COUNTERS=y
> # CONFIG_SLUB_DEBUG is not set
> +# CONFIG_SLUB_MEMCG_SYSFS_ON is not set
> # CONFIG_COMPAT_BRK is not set
> # CONFIG_SLAB is not set
> CONFIG_SLUB=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index aab0cfb25..9cd6756cd 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -152,14 +152,18 @@ CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
> CONFIG_CC_HAS_INT128=y
> CONFIG_ARCH_SUPPORTS_INT128=y
> CONFIG_CGROUPS=y
> -# CONFIG_MEMCG is not set
> +CONFIG_PAGE_COUNTER=y
> +CONFIG_MEMCG=y
> +CONFIG_MEMCG_SWAP=y
> +CONFIG_MEMCG_KMEM=y
> CONFIG_BLK_CGROUP=y
> +CONFIG_CGROUP_WRITEBACK=y
> CONFIG_CGROUP_SCHED=y
> CONFIG_FAIR_GROUP_SCHED=y
> # CONFIG_CFS_BANDWIDTH is not set
> CONFIG_RT_GROUP_SCHED=y
> CONFIG_CGROUP_PIDS=y
> -# CONFIG_CGROUP_RDMA is not set
> +CONFIG_CGROUP_RDMA=y
> CONFIG_CGROUP_FREEZER=y
> CONFIG_CPUSETS=y
> CONFIG_PROC_PID_CPUSET=y
> @@ -246,6 +250,7 @@ CONFIG_PERF_EVENTS=y
>
> CONFIG_VM_EVENT_COUNTERS=y
> # CONFIG_SLUB_DEBUG is not set
> +# CONFIG_SLUB_MEMCG_SYSFS_ON is not set
> # CONFIG_COMPAT_BRK is not set
> # CONFIG_SLAB is not set
> CONFIG_SLUB=y
>
* Re: [PATCH 04/13] kernel: Enable Pressure Stall Information
2021-09-17 11:42 ` [PATCH 04/13] kernel: Enable Pressure Stall Information Michael Tremer
@ 2021-09-18 16:16 ` Peter Müller
0 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:16 UTC (permalink / raw)
To: development
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> This is a new type of metric to find out what resource is currently a
> bottleneck for the whole system. We might use this for graphs.
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
> config/kernel/kernel.config.armv6l-ipfire | 3 ++-
> config/kernel/kernel.config.i586-ipfire | 3 ++-
> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
> 4 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 589e0440d..d0ec69ba9 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -95,7 +95,8 @@ CONFIG_TASKSTATS=y
> CONFIG_TASK_DELAY_ACCT=y
> CONFIG_TASK_XACCT=y
> CONFIG_TASK_IO_ACCOUNTING=y
> -# CONFIG_PSI is not set
> +CONFIG_PSI=y
> +# CONFIG_PSI_DEFAULT_DISABLED is not set
> # end of CPU/Task time and stats accounting
>
> CONFIG_CPU_ISOLATION=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 1dc5b1c58..a23906796 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -103,7 +103,8 @@ CONFIG_TASKSTATS=y
> CONFIG_TASK_DELAY_ACCT=y
> CONFIG_TASK_XACCT=y
> CONFIG_TASK_IO_ACCOUNTING=y
> -# CONFIG_PSI is not set
> +CONFIG_PSI=y
> +# CONFIG_PSI_DEFAULT_DISABLED is not set
> # end of CPU/Task time and stats accounting
>
> CONFIG_CPU_ISOLATION=y
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index ff94e949e..9c49a90d8 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -111,7 +111,8 @@ CONFIG_TASKSTATS=y
> CONFIG_TASK_DELAY_ACCT=y
> CONFIG_TASK_XACCT=y
> CONFIG_TASK_IO_ACCOUNTING=y
> -# CONFIG_PSI is not set
> +CONFIG_PSI=y
> +# CONFIG_PSI_DEFAULT_DISABLED is not set
> # end of CPU/Task time and stats accounting
>
> CONFIG_CPU_ISOLATION=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 43c483f00..0a1f67074 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -115,7 +115,8 @@ CONFIG_TASKSTATS=y
> CONFIG_TASK_DELAY_ACCT=y
> CONFIG_TASK_XACCT=y
> CONFIG_TASK_IO_ACCOUNTING=y
> -# CONFIG_PSI is not set
> +CONFIG_PSI=y
> +# CONFIG_PSI_DEFAULT_DISABLED is not set
> # end of CPU/Task time and stats accounting
>
> CONFIG_CPU_ISOLATION=y
>
* Re: [PATCH 09/13] kernel: Enable frontswap
2021-09-17 11:42 ` [PATCH 09/13] kernel: Enable frontswap Michael Tremer
@ 2021-09-18 16:20 ` Peter Müller
0 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:20 UTC (permalink / raw)
To: development
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> "Frontswap provides a “transcendent memory” interface for swap pages. In
> some environments, dramatic performance savings may be obtained because
> swapped pages are saved in RAM (or a RAM-like device) instead of a swap
> disk."
>
> https://www.kernel.org/doc/html/latest/vm/frontswap.html
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
> config/kernel/kernel.config.armv6l-ipfire | 3 ++-
> config/kernel/kernel.config.i586-ipfire | 3 ++-
> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
> 4 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 15f8cfc6b..a59fecaea 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -956,11 +956,12 @@ CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
> # CONFIG_MEMORY_FAILURE is not set
> # CONFIG_TRANSPARENT_HUGEPAGE is not set
> CONFIG_CLEANCACHE=y
> -# CONFIG_FRONTSWAP is not set
> +CONFIG_FRONTSWAP=y
> CONFIG_CMA=y
> # CONFIG_CMA_DEBUG is not set
> # CONFIG_CMA_DEBUGFS is not set
> CONFIG_CMA_AREAS=7
> +# CONFIG_ZSWAP is not set
> # CONFIG_ZPOOL is not set
> # CONFIG_ZBUD is not set
> # CONFIG_ZSMALLOC is not set
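Review bot: `CONFIG_FRONTSWAP=y` is switched on while the line added further down reads `# CONFIG_ZSWAP is not set`, and `CONFIG_ZPOOL`, `CONFIG_ZBUD` and `CONFIG_ZSMALLOC` stay off in the context, so this hunk enables the frontswap hooks without a backend to hold the pages. The performance gain quoted in the commit message depends on a backend; enable one in this patch or say which later change will provide it.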
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index fc309c9b3..dc8d3a6b9 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -964,11 +964,12 @@ CONFIG_BOUNCE=y
> CONFIG_KSM=y
> CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
> CONFIG_CLEANCACHE=y
> -# CONFIG_FRONTSWAP is not set
> +CONFIG_FRONTSWAP=y
> CONFIG_CMA=y
> # CONFIG_CMA_DEBUG is not set
> # CONFIG_CMA_DEBUGFS is not set
> CONFIG_CMA_AREAS=7
> +# CONFIG_ZSWAP is not set
> # CONFIG_ZPOOL is not set
> # CONFIG_ZBUD is not set
> # CONFIG_ZSMALLOC is not set
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 08df3d656..90d4ac856 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -950,8 +950,9 @@ CONFIG_TRANSPARENT_HUGEPAGE=y
> CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
> # CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
> CONFIG_CLEANCACHE=y
> -# CONFIG_FRONTSWAP is not set
> +CONFIG_FRONTSWAP=y
> # CONFIG_CMA is not set
> +# CONFIG_ZSWAP is not set
> # CONFIG_ZPOOL is not set
> # CONFIG_ZBUD is not set
> # CONFIG_ZSMALLOC is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 5f8711ac4..29fc30274 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -950,8 +950,9 @@ CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
> CONFIG_ARCH_WANTS_THP_SWAP=y
> CONFIG_THP_SWAP=y
> CONFIG_CLEANCACHE=y
> -# CONFIG_FRONTSWAP is not set
> +CONFIG_FRONTSWAP=y
> # CONFIG_CMA is not set
> +# CONFIG_ZSWAP is not set
> # CONFIG_ZPOOL is not set
> # CONFIG_ZBUD is not set
> # CONFIG_ZSMALLOC is not set
>
* Re: [PATCH 08/13] kernel: Disable network security hooks
2021-09-17 11:42 ` [PATCH 08/13] kernel: Disable network security hooks Michael Tremer
@ 2021-09-18 16:23 ` Peter Müller
0 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:23 UTC (permalink / raw)
To: development
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> This is a feature we do not use and it should therefore be disabled
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 3 +--
> config/kernel/kernel.config.armv6l-ipfire | 3 +--
> config/kernel/kernel.config.i586-ipfire | 3 +--
> config/kernel/kernel.config.x86_64-ipfire | 3 +--
> 4 files changed, 4 insertions(+), 8 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index dbd730e80..15f8cfc6b 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7274,8 +7274,7 @@ CONFIG_KEYS=y
> CONFIG_SECURITY_DMESG_RESTRICT=y
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> -CONFIG_SECURITY_NETWORK=y
> -CONFIG_SECURITY_NETWORK_XFRM=y
> +# CONFIG_SECURITY_NETWORK is not set
> # CONFIG_SECURITY_PATH is not set
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
> CONFIG_HARDENED_USERCOPY=y
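Review bot: The removal of `CONFIG_SECURITY_NETWORK=y` and `CONFIG_SECURITY_NETWORK_XFRM=y` in this hunk should be backed by the list of security modules this kernel builds, because `CONFIG_SECURITY=y` stays set in the context and any module that mediates socket or IPsec access relies on these hooks. "A feature we do not use" in the commit message is not checkable without that list.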
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 93856d185..fc309c9b3 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7369,8 +7369,7 @@ CONFIG_KEYS=y
> CONFIG_SECURITY_DMESG_RESTRICT=y
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> -CONFIG_SECURITY_NETWORK=y
> -CONFIG_SECURITY_NETWORK_XFRM=y
> +# CONFIG_SECURITY_NETWORK is not set
> # CONFIG_SECURITY_PATH is not set
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
> CONFIG_HARDENED_USERCOPY=y
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 8c99e3a60..08df3d656 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -6912,8 +6912,7 @@ CONFIG_ENCRYPTED_KEYS=y
> CONFIG_SECURITY_DMESG_RESTRICT=y
> CONFIG_SECURITY=y
> # CONFIG_SECURITYFS is not set
> -CONFIG_SECURITY_NETWORK=y
> -# CONFIG_SECURITY_NETWORK_XFRM is not set
> +# CONFIG_SECURITY_NETWORK is not set
> # CONFIG_SECURITY_PATH is not set
> # CONFIG_INTEL_TXT is not set
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index f5c1fce9f..5f8711ac4 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6749,9 +6749,8 @@ CONFIG_KEYS=y
> CONFIG_SECURITY_DMESG_RESTRICT=y
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> -CONFIG_SECURITY_NETWORK=y
> +# CONFIG_SECURITY_NETWORK is not set
> CONFIG_PAGE_TABLE_ISOLATION=y
> -# CONFIG_SECURITY_NETWORK_XFRM is not set
> # CONFIG_SECURITY_PATH is not set
> # CONFIG_INTEL_TXT is not set
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
>
* Re: [PATCH 06/13] kernel: Disable any runtime testing
2021-09-17 11:42 ` [PATCH 06/13] kernel: Disable any runtime testing Michael Tremer
@ 2021-09-18 16:24 ` Peter Müller
0 siblings, 0 replies; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:24 UTC (permalink / raw)
To: development
Well, this might be useful for QA purposes, but let's hope the kernel maintainers won't
release anything that breaks those...
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 43 +--------------------
> config/kernel/kernel.config.armv6l-ipfire | 43 +--------------------
> config/kernel/kernel.config.i586-ipfire | 44 +---------------------
> config/kernel/kernel.config.x86_64-ipfire | 44 +---------------------
> 4 files changed, 4 insertions(+), 170 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index b277a17b5..1a50e10de 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7915,48 +7915,7 @@ CONFIG_IO_STRICT_DEVMEM=y
> CONFIG_ARCH_HAS_KCOV=y
> CONFIG_CC_HAS_SANCOV_TRACE_PC=y
> # CONFIG_KCOV is not set
> -CONFIG_RUNTIME_TESTING_MENU=y
> -# CONFIG_LKDTM is not set
> -# CONFIG_TEST_LIST_SORT is not set
> -# CONFIG_TEST_MIN_HEAP is not set
> -# CONFIG_TEST_SORT is not set
> -# CONFIG_BACKTRACE_SELF_TEST is not set
> -CONFIG_RBTREE_TEST=m
> -# CONFIG_REED_SOLOMON_TEST is not set
> -# CONFIG_INTERVAL_TREE_TEST is not set
> -# CONFIG_PERCPU_TEST is not set
> -# CONFIG_ATOMIC64_SELFTEST is not set
> -CONFIG_ASYNC_RAID6_TEST=m
> -# CONFIG_TEST_HEXDUMP is not set
> -# CONFIG_TEST_STRING_HELPERS is not set
> -# CONFIG_TEST_STRSCPY is not set
> -# CONFIG_TEST_KSTRTOX is not set
> -# CONFIG_TEST_PRINTF is not set
> -# CONFIG_TEST_BITMAP is not set
> -# CONFIG_TEST_UUID is not set
> -# CONFIG_TEST_XARRAY is not set
> -# CONFIG_TEST_OVERFLOW is not set
> -# CONFIG_TEST_RHASHTABLE is not set
> -# CONFIG_TEST_HASH is not set
> -# CONFIG_TEST_IDA is not set
> -# CONFIG_TEST_PARMAN is not set
> -# CONFIG_TEST_LKM is not set
> -# CONFIG_TEST_BITOPS is not set
> -# CONFIG_TEST_VMALLOC is not set
> -# CONFIG_TEST_USER_COPY is not set
> -# CONFIG_TEST_BPF is not set
> -# CONFIG_TEST_BLACKHOLE_DEV is not set
> -# CONFIG_FIND_BIT_BENCHMARK is not set
> -# CONFIG_TEST_FIRMWARE is not set
> -# CONFIG_TEST_SYSCTL is not set
> -# CONFIG_TEST_UDELAY is not set
> -# CONFIG_TEST_STATIC_KEYS is not set
> -# CONFIG_TEST_KMOD is not set
> -# CONFIG_TEST_MEMCAT_P is not set
> -# CONFIG_TEST_OBJAGG is not set
> -# CONFIG_TEST_STACKINIT is not set
> -# CONFIG_TEST_MEMINIT is not set
> -# CONFIG_TEST_FREE_PAGES is not set
> +# CONFIG_RUNTIME_TESTING_MENU is not set
> # CONFIG_MEMTEST is not set
> # end of Kernel Testing and Coverage
> # end of Kernel hacking
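Review bot: The only entries in the removed block that were actually built are `CONFIG_RBTREE_TEST=m` and `CONFIG_ASYNC_RAID6_TEST=m`; every other line was already "is not set". The commit has no body, so state there that the practical effect is dropping these two test modules from the shipped image, which is the part a reader of the log will care about.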
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 9d63b36ac..29c7791e1 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7988,48 +7988,7 @@ CONFIG_UNCOMPRESS_INCLUDE="debug/uncompress.h"
> CONFIG_ARCH_HAS_KCOV=y
> CONFIG_CC_HAS_SANCOV_TRACE_PC=y
> # CONFIG_KCOV is not set
> -CONFIG_RUNTIME_TESTING_MENU=y
> -# CONFIG_LKDTM is not set
> -# CONFIG_TEST_LIST_SORT is not set
> -# CONFIG_TEST_MIN_HEAP is not set
> -# CONFIG_TEST_SORT is not set
> -# CONFIG_BACKTRACE_SELF_TEST is not set
> -CONFIG_RBTREE_TEST=m
> -# CONFIG_REED_SOLOMON_TEST is not set
> -# CONFIG_INTERVAL_TREE_TEST is not set
> -# CONFIG_PERCPU_TEST is not set
> -# CONFIG_ATOMIC64_SELFTEST is not set
> -CONFIG_ASYNC_RAID6_TEST=m
> -# CONFIG_TEST_HEXDUMP is not set
> -# CONFIG_TEST_STRING_HELPERS is not set
> -# CONFIG_TEST_STRSCPY is not set
> -# CONFIG_TEST_KSTRTOX is not set
> -# CONFIG_TEST_PRINTF is not set
> -# CONFIG_TEST_BITMAP is not set
> -# CONFIG_TEST_UUID is not set
> -# CONFIG_TEST_XARRAY is not set
> -# CONFIG_TEST_OVERFLOW is not set
> -# CONFIG_TEST_RHASHTABLE is not set
> -# CONFIG_TEST_HASH is not set
> -# CONFIG_TEST_IDA is not set
> -# CONFIG_TEST_PARMAN is not set
> -# CONFIG_TEST_LKM is not set
> -# CONFIG_TEST_BITOPS is not set
> -# CONFIG_TEST_VMALLOC is not set
> -# CONFIG_TEST_USER_COPY is not set
> -# CONFIG_TEST_BPF is not set
> -# CONFIG_TEST_BLACKHOLE_DEV is not set
> -# CONFIG_FIND_BIT_BENCHMARK is not set
> -# CONFIG_TEST_FIRMWARE is not set
> -# CONFIG_TEST_SYSCTL is not set
> -# CONFIG_TEST_UDELAY is not set
> -# CONFIG_TEST_STATIC_KEYS is not set
> -# CONFIG_TEST_KMOD is not set
> -# CONFIG_TEST_MEMCAT_P is not set
> -# CONFIG_TEST_OBJAGG is not set
> -# CONFIG_TEST_STACKINIT is not set
> -# CONFIG_TEST_MEMINIT is not set
> -# CONFIG_TEST_FREE_PAGES is not set
> +# CONFIG_RUNTIME_TESTING_MENU is not set
> # CONFIG_MEMTEST is not set
> # end of Kernel Testing and Coverage
> # end of Kernel hacking
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 56b40eac7..bee53286c 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -7575,49 +7575,7 @@ CONFIG_UNWINDER_FRAME_POINTER=y
> # CONFIG_NOTIFIER_ERROR_INJECTION is not set
> # CONFIG_FAULT_INJECTION is not set
> CONFIG_CC_HAS_SANCOV_TRACE_PC=y
> -CONFIG_RUNTIME_TESTING_MENU=y
> -# CONFIG_LKDTM is not set
> -# CONFIG_TEST_LIST_SORT is not set
> -# CONFIG_TEST_MIN_HEAP is not set
> -# CONFIG_TEST_SORT is not set
> -# CONFIG_BACKTRACE_SELF_TEST is not set
> -# CONFIG_RBTREE_TEST is not set
> -# CONFIG_REED_SOLOMON_TEST is not set
> -# CONFIG_INTERVAL_TREE_TEST is not set
> -# CONFIG_PERCPU_TEST is not set
> -# CONFIG_ATOMIC64_SELFTEST is not set
> -# CONFIG_ASYNC_RAID6_TEST is not set
> -# CONFIG_TEST_HEXDUMP is not set
> -# CONFIG_TEST_STRING_HELPERS is not set
> -# CONFIG_TEST_STRSCPY is not set
> -# CONFIG_TEST_KSTRTOX is not set
> -# CONFIG_TEST_PRINTF is not set
> -# CONFIG_TEST_BITMAP is not set
> -# CONFIG_TEST_UUID is not set
> -# CONFIG_TEST_XARRAY is not set
> -# CONFIG_TEST_OVERFLOW is not set
> -# CONFIG_TEST_RHASHTABLE is not set
> -# CONFIG_TEST_HASH is not set
> -# CONFIG_TEST_IDA is not set
> -# CONFIG_TEST_PARMAN is not set
> -# CONFIG_TEST_LKM is not set
> -# CONFIG_TEST_BITOPS is not set
> -# CONFIG_TEST_VMALLOC is not set
> -# CONFIG_TEST_USER_COPY is not set
> -# CONFIG_TEST_BPF is not set
> -# CONFIG_TEST_BLACKHOLE_DEV is not set
> -# CONFIG_FIND_BIT_BENCHMARK is not set
> -# CONFIG_TEST_FIRMWARE is not set
> -# CONFIG_TEST_SYSCTL is not set
> -# CONFIG_TEST_UDELAY is not set
> -# CONFIG_TEST_STATIC_KEYS is not set
> -# CONFIG_TEST_KMOD is not set
> -# CONFIG_TEST_MEMCAT_P is not set
> -# CONFIG_TEST_OBJAGG is not set
> -# CONFIG_TEST_STACKINIT is not set
> -# CONFIG_TEST_MEMINIT is not set
> -# CONFIG_TEST_FREE_PAGES is not set
> -# CONFIG_TEST_FPU is not set
> +# CONFIG_RUNTIME_TESTING_MENU is not set
> # CONFIG_MEMTEST is not set
> # CONFIG_HYPERV_TESTING is not set
> # end of Kernel Testing and Coverage
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 8247e9b48..bcea8575c 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -7445,49 +7445,7 @@ CONFIG_UNWINDER_ORC=y
> CONFIG_ARCH_HAS_KCOV=y
> CONFIG_CC_HAS_SANCOV_TRACE_PC=y
> # CONFIG_KCOV is not set
> -CONFIG_RUNTIME_TESTING_MENU=y
> -# CONFIG_LKDTM is not set
> -# CONFIG_TEST_LIST_SORT is not set
> -# CONFIG_TEST_MIN_HEAP is not set
> -# CONFIG_TEST_SORT is not set
> -# CONFIG_BACKTRACE_SELF_TEST is not set
> -CONFIG_RBTREE_TEST=m
> -# CONFIG_REED_SOLOMON_TEST is not set
> -# CONFIG_INTERVAL_TREE_TEST is not set
> -# CONFIG_PERCPU_TEST is not set
> -# CONFIG_ATOMIC64_SELFTEST is not set
> -CONFIG_ASYNC_RAID6_TEST=m
> -# CONFIG_TEST_HEXDUMP is not set
> -# CONFIG_TEST_STRING_HELPERS is not set
> -# CONFIG_TEST_STRSCPY is not set
> -# CONFIG_TEST_KSTRTOX is not set
> -# CONFIG_TEST_PRINTF is not set
> -# CONFIG_TEST_BITMAP is not set
> -# CONFIG_TEST_UUID is not set
> -# CONFIG_TEST_XARRAY is not set
> -# CONFIG_TEST_OVERFLOW is not set
> -# CONFIG_TEST_RHASHTABLE is not set
> -# CONFIG_TEST_HASH is not set
> -# CONFIG_TEST_IDA is not set
> -# CONFIG_TEST_PARMAN is not set
> -# CONFIG_TEST_LKM is not set
> -# CONFIG_TEST_BITOPS is not set
> -# CONFIG_TEST_VMALLOC is not set
> -# CONFIG_TEST_USER_COPY is not set
> -# CONFIG_TEST_BPF is not set
> -# CONFIG_TEST_BLACKHOLE_DEV is not set
> -# CONFIG_FIND_BIT_BENCHMARK is not set
> -# CONFIG_TEST_FIRMWARE is not set
> -# CONFIG_TEST_SYSCTL is not set
> -# CONFIG_TEST_UDELAY is not set
> -# CONFIG_TEST_STATIC_KEYS is not set
> -# CONFIG_TEST_KMOD is not set
> -# CONFIG_TEST_MEMCAT_P is not set
> -# CONFIG_TEST_OBJAGG is not set
> -# CONFIG_TEST_STACKINIT is not set
> -# CONFIG_TEST_MEMINIT is not set
> -# CONFIG_TEST_FREE_PAGES is not set
> -# CONFIG_TEST_FPU is not set
> +# CONFIG_RUNTIME_TESTING_MENU is not set
> # CONFIG_MEMTEST is not set
> # CONFIG_HYPERV_TESTING is not set
> # end of Kernel Testing and Coverage
>
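Review bot: The two options that were actually built in this block, `-CONFIG_RBTREE_TEST=m` and `-CONFIG_ASYNC_RAID6_TEST=m`, disappear together with the menu, so this hunk removes two modules and is not only a menu cleanup. Please say so in the commit message and confirm that nothing in the image still references those two modules.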
* Re: [PATCH 05/13] kernel: Disable SLUB debugging
2021-09-17 11:42 ` [PATCH 05/13] kernel: Disable SLUB debugging Michael Tremer
@ 2021-09-18 16:27 ` Peter Müller
2021-09-21 9:42 ` Michael Tremer
0 siblings, 1 reply; 33+ messages in thread
From: Peter Müller @ 2021-09-18 16:27 UTC (permalink / raw)
To: development
Hello Michael,
hello *,
at the time of writing, I agree.
Cross-check hardening features of kernel 5.10.x is an item still open on my todo list, and
I will hopefully have some spare time for this next month. I will reevaluate SLUB debugging
then as well, since kernsec mentions this to be necessary for some page poisoning options
(whyever that is...).
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
Thanks, and best regards,
Peter Müller
> This is not necessary on our systems and according to the documentation
> will reduce code size of the allocator which will result in better
> performance.
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 3 +--
> config/kernel/kernel.config.armv6l-ipfire | 3 +--
> config/kernel/kernel.config.i586-ipfire | 3 +--
> config/kernel/kernel.config.x86_64-ipfire | 3 +--
> 4 files changed, 4 insertions(+), 8 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index d0ec69ba9..b277a17b5 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -226,7 +226,7 @@ CONFIG_PERF_EVENTS=y
> # end of Kernel Performance Events And Counters
>
> CONFIG_VM_EVENT_COUNTERS=y
> -CONFIG_SLUB_DEBUG=y
> +# CONFIG_SLUB_DEBUG is not set
> # CONFIG_SLUB_MEMCG_SYSFS_ON is not set
> # CONFIG_COMPAT_BRK is not set
> # CONFIG_SLAB is not set
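Review bot: Unsetting the option at `-CONFIG_SLUB_DEBUG=y` compiles the allocator's debug support out, so as far as I know the slub_debug= boot parameter (red zoning, poisoning, consistency checks) can no longer be switched on later, neither for diagnosing a field problem nor as a hardening measure. The commit message argues code size and performance only; please add a sentence stating that this trade-off is accepted, since the reply in this thread already raises the page poisoning question.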
> @@ -7751,7 +7751,6 @@ CONFIG_GENERIC_PTDUMP=y
> CONFIG_PTDUMP_CORE=y
> # CONFIG_PTDUMP_DEBUGFS is not set
> # CONFIG_DEBUG_OBJECTS is not set
> -# CONFIG_SLUB_DEBUG_ON is not set
> # CONFIG_SLUB_STATS is not set
> CONFIG_HAVE_DEBUG_KMEMLEAK=y
> # CONFIG_DEBUG_KMEMLEAK is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index a23906796..9d63b36ac 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -227,7 +227,7 @@ CONFIG_PERF_EVENTS=y
> # end of Kernel Performance Events And Counters
>
> CONFIG_VM_EVENT_COUNTERS=y
> -CONFIG_SLUB_DEBUG=y
> +# CONFIG_SLUB_DEBUG is not set
> # CONFIG_SLUB_MEMCG_SYSFS_ON is not set
> # CONFIG_COMPAT_BRK is not set
> # CONFIG_SLAB is not set
> @@ -7826,7 +7826,6 @@ CONFIG_DEBUG_MISC=y
> # CONFIG_DEBUG_RODATA_TEST is not set
> # CONFIG_DEBUG_WX is not set
> # CONFIG_DEBUG_OBJECTS is not set
> -# CONFIG_SLUB_DEBUG_ON is not set
> # CONFIG_SLUB_STATS is not set
> CONFIG_HAVE_DEBUG_KMEMLEAK=y
> # CONFIG_DEBUG_KMEMLEAK is not set
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 9c49a90d8..56b40eac7 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -235,7 +235,7 @@ CONFIG_PERF_EVENTS=y
> # end of Kernel Performance Events And Counters
>
> CONFIG_VM_EVENT_COUNTERS=y
> -CONFIG_SLUB_DEBUG=y
> +# CONFIG_SLUB_DEBUG is not set
> # CONFIG_COMPAT_BRK is not set
> # CONFIG_SLAB is not set
> CONFIG_SLUB=y
> @@ -7383,7 +7383,6 @@ CONFIG_GENERIC_PTDUMP=y
> CONFIG_PTDUMP_CORE=y
> # CONFIG_PTDUMP_DEBUGFS is not set
> # CONFIG_DEBUG_OBJECTS is not set
> -# CONFIG_SLUB_DEBUG_ON is not set
> # CONFIG_SLUB_STATS is not set
> CONFIG_HAVE_DEBUG_KMEMLEAK=y
> # CONFIG_DEBUG_KMEMLEAK is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 0a1f67074..8247e9b48 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -245,7 +245,7 @@ CONFIG_PERF_EVENTS=y
> # end of Kernel Performance Events And Counters
>
> CONFIG_VM_EVENT_COUNTERS=y
> -CONFIG_SLUB_DEBUG=y
> +# CONFIG_SLUB_DEBUG is not set
> # CONFIG_COMPAT_BRK is not set
> # CONFIG_SLAB is not set
> CONFIG_SLUB=y
> @@ -7249,7 +7249,6 @@ CONFIG_GENERIC_PTDUMP=y
> CONFIG_PTDUMP_CORE=y
> # CONFIG_PTDUMP_DEBUGFS is not set
> # CONFIG_DEBUG_OBJECTS is not set
> -# CONFIG_SLUB_DEBUG_ON is not set
> # CONFIG_SLUB_STATS is not set
> CONFIG_HAVE_DEBUG_KMEMLEAK=y
> # CONFIG_DEBUG_KMEMLEAK is not set
>
* Re: [PATCH 10/13] kernel: Enable ExFAT on all architectures
2021-09-17 11:42 ` [PATCH 10/13] kernel: Enable ExFAT on all architectures Michael Tremer
2021-09-18 16:10 ` Peter Müller
@ 2021-09-20 13:48 ` Adolf Belka
1 sibling, 0 replies; 33+ messages in thread
From: Adolf Belka @ 2021-09-20 13:48 UTC (permalink / raw)
To: development
Reviewed-by: Adolf Belka <adolf.belka(a)ipfire.org>
On 17/09/2021 13:42, Michael Tremer wrote:
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
> config/kernel/kernel.config.armv6l-ipfire | 3 ++-
> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
> 3 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index a59fecaea..aa34b64db 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7089,7 +7089,8 @@ CONFIG_VFAT_FS=m
> CONFIG_FAT_DEFAULT_CODEPAGE=437
> CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
> # CONFIG_FAT_DEFAULT_UTF8 is not set
> -# CONFIG_EXFAT_FS is not set
> +CONFIG_EXFAT_FS=m
> +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
> # CONFIG_NTFS_FS is not set
> # end of DOS/FAT/EXFAT/NT Filesystems
>
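Review bot: The commit message has no body, and the context line CONFIG_FAT_DEFAULT_IOCHARSET="ascii" sits directly above the new CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8", so the two FAT-family drivers end up with different default charsets without a stated reason. Please add a short rationale, and say why i586 is absent from the diffstat although the subject reads "all architectures".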
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index dc8d3a6b9..7b82e87df 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7189,7 +7189,8 @@ CONFIG_VFAT_FS=m
> CONFIG_FAT_DEFAULT_CODEPAGE=437
> CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
> # CONFIG_FAT_DEFAULT_UTF8 is not set
> -# CONFIG_EXFAT_FS is not set
> +CONFIG_EXFAT_FS=m
> +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
> # CONFIG_NTFS_FS is not set
> # end of DOS/FAT/EXFAT/NT Filesystems
>
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 29fc30274..fe93d731c 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6566,7 +6566,8 @@ CONFIG_VFAT_FS=m
> CONFIG_FAT_DEFAULT_CODEPAGE=437
> CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
> # CONFIG_FAT_DEFAULT_UTF8 is not set
> -# CONFIG_EXFAT_FS is not set
> +CONFIG_EXFAT_FS=m
> +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
> # CONFIG_NTFS_FS is not set
> # end of DOS/FAT/EXFAT/NT Filesystems
>
* Re: [PATCH 05/13] kernel: Disable SLUB debugging
2021-09-18 16:27 ` Peter Müller
@ 2021-09-21 9:42 ` Michael Tremer
0 siblings, 0 replies; 33+ messages in thread
From: Michael Tremer @ 2021-09-21 9:42 UTC (permalink / raw)
To: development
Hello,
> On 18 Sep 2021, at 17:27, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Michael,
> hello *,
>
> at the time of writing, I agree.
>
> Cross-check hardening features of kernel 5.10.x is an item still open on my todo list, and
> I will hopefully have some spare time for this next month. I will reevaluate SLUB debugging
> then as well, since kernsec mentions this to be necessary for some page poisoning options
> (whyever that is...).
Err. No. Why?
We want the distribution to be stable. And that means that we want to make consistent and long-standing changes.
Changing something back and forth for no reason apart from not having enough time to look into things properly right now is not what I would consider “stable”.
We can either drop this patch (i.e. NACK by you), or we can accept it and leave it.
As far as I can see this debugging option didn’t add any other configuration options that would be otherwise unavailable; and it significantly decreases the size of the memory allocator which should result in performance gains on smaller hardware with smaller CPU caches:
https://cateee.net/lkddb/web-lkddb/SLUB_DEBUG.html
-Michael
>
> Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
>
> Thanks, and best regards,
> Peter Müller
>
>
>> This is not necessary on our systems and according to the documentation
>> will reduce code size of the allocator which will result in better
>> performance.
>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 3 +--
>> config/kernel/kernel.config.armv6l-ipfire | 3 +--
>> config/kernel/kernel.config.i586-ipfire | 3 +--
>> config/kernel/kernel.config.x86_64-ipfire | 3 +--
>> 4 files changed, 4 insertions(+), 8 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>> index d0ec69ba9..b277a17b5 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -226,7 +226,7 @@ CONFIG_PERF_EVENTS=y
>> # end of Kernel Performance Events And Counters
>> CONFIG_VM_EVENT_COUNTERS=y
>> -CONFIG_SLUB_DEBUG=y
>> +# CONFIG_SLUB_DEBUG is not set
>> # CONFIG_SLUB_MEMCG_SYSFS_ON is not set
>> # CONFIG_COMPAT_BRK is not set
>> # CONFIG_SLAB is not set
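Review bot: The justification for `-CONFIG_SLUB_DEBUG=y` is "according to the documentation", but the commit message does not name that documentation. The reply above links https://cateee.net/lkddb/web-lkddb/SLUB_DEBUG.html; please put that reference into the commit message so the reasoning survives outside this thread.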
>> @@ -7751,7 +7751,6 @@ CONFIG_GENERIC_PTDUMP=y
>> CONFIG_PTDUMP_CORE=y
>> # CONFIG_PTDUMP_DEBUGFS is not set
>> # CONFIG_DEBUG_OBJECTS is not set
>> -# CONFIG_SLUB_DEBUG_ON is not set
>> # CONFIG_SLUB_STATS is not set
>> CONFIG_HAVE_DEBUG_KMEMLEAK=y
>> # CONFIG_DEBUG_KMEMLEAK is not set
>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>> index a23906796..9d63b36ac 100644
>> --- a/config/kernel/kernel.config.armv6l-ipfire
>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>> @@ -227,7 +227,7 @@ CONFIG_PERF_EVENTS=y
>> # end of Kernel Performance Events And Counters
>> CONFIG_VM_EVENT_COUNTERS=y
>> -CONFIG_SLUB_DEBUG=y
>> +# CONFIG_SLUB_DEBUG is not set
>> # CONFIG_SLUB_MEMCG_SYSFS_ON is not set
>> # CONFIG_COMPAT_BRK is not set
>> # CONFIG_SLAB is not set
>> @@ -7826,7 +7826,6 @@ CONFIG_DEBUG_MISC=y
>> # CONFIG_DEBUG_RODATA_TEST is not set
>> # CONFIG_DEBUG_WX is not set
>> # CONFIG_DEBUG_OBJECTS is not set
>> -# CONFIG_SLUB_DEBUG_ON is not set
>> # CONFIG_SLUB_STATS is not set
>> CONFIG_HAVE_DEBUG_KMEMLEAK=y
>> # CONFIG_DEBUG_KMEMLEAK is not set
>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>> index 9c49a90d8..56b40eac7 100644
>> --- a/config/kernel/kernel.config.i586-ipfire
>> +++ b/config/kernel/kernel.config.i586-ipfire
>> @@ -235,7 +235,7 @@ CONFIG_PERF_EVENTS=y
>> # end of Kernel Performance Events And Counters
>> CONFIG_VM_EVENT_COUNTERS=y
>> -CONFIG_SLUB_DEBUG=y
>> +# CONFIG_SLUB_DEBUG is not set
>> # CONFIG_COMPAT_BRK is not set
>> # CONFIG_SLAB is not set
>> CONFIG_SLUB=y
>> @@ -7383,7 +7383,6 @@ CONFIG_GENERIC_PTDUMP=y
>> CONFIG_PTDUMP_CORE=y
>> # CONFIG_PTDUMP_DEBUGFS is not set
>> # CONFIG_DEBUG_OBJECTS is not set
>> -# CONFIG_SLUB_DEBUG_ON is not set
>> # CONFIG_SLUB_STATS is not set
>> CONFIG_HAVE_DEBUG_KMEMLEAK=y
>> # CONFIG_DEBUG_KMEMLEAK is not set
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index 0a1f67074..8247e9b48 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -245,7 +245,7 @@ CONFIG_PERF_EVENTS=y
>> # end of Kernel Performance Events And Counters
>> CONFIG_VM_EVENT_COUNTERS=y
>> -CONFIG_SLUB_DEBUG=y
>> +# CONFIG_SLUB_DEBUG is not set
>> # CONFIG_COMPAT_BRK is not set
>> # CONFIG_SLAB is not set
>> CONFIG_SLUB=y
>> @@ -7249,7 +7249,6 @@ CONFIG_GENERIC_PTDUMP=y
>> CONFIG_PTDUMP_CORE=y
>> # CONFIG_PTDUMP_DEBUGFS is not set
>> # CONFIG_DEBUG_OBJECTS is not set
>> -# CONFIG_SLUB_DEBUG_ON is not set
>> # CONFIG_SLUB_STATS is not set
>> CONFIG_HAVE_DEBUG_KMEMLEAK=y
>> # CONFIG_DEBUG_KMEMLEAK is not set
* Re: [PATCH 11/13] kernel: Enable support for TPM hardware
2021-09-18 16:15 ` Peter Müller
@ 2021-09-21 9:50 ` Michael Tremer
2021-09-21 11:40 ` Adolf Belka
0 siblings, 1 reply; 33+ messages in thread
From: Michael Tremer @ 2021-09-21 9:50 UTC (permalink / raw)
To: development
Hello,
> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Michael,
> hello *,
>
> just a small comment for the records: As discussed in the last monthly telephone
> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
> left to be locked down in IPFire thanks to enforced kernel module signing.
Does anyone have any hardware at grabs to verify that this works?
rngd --list should list the TPM device as a potential source.
> So no user needs to worry about introducing TPM support coming with a lack of
> digital sovereignty - that is, if something like this even exists on today's hardware. :-)
>
> Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
>> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
>> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
>> 4 files changed, 56 insertions(+), 4 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>> index aa34b64db..49ee85970 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>> CONFIG_RAW_DRIVER=y
>> CONFIG_MAX_RAW_DEVS=8192
>> CONFIG_DEVPORT=y
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
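Review bot: `+CONFIG_TCG_VTPM_PROXY=m` goes beyond the scope stated in this thread, which is to use a TPM for HWRNG purposes only: a proxy for an emulated TPM running in userspace is not a hardware entropy source. Either drop it or justify it in the commit message, which currently has no body; the same line appears in the other three configs.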
>> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>> index 7b82e87df..b11a179e3 100644
>> --- a/config/kernel/kernel.config.armv6l-ipfire
>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>> CONFIG_RAW_DRIVER=y
>> CONFIG_MAX_RAW_DEVS=8192
>> CONFIG_DEVPORT=y
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
>> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>> index 90d4ac856..2d7158c96 100644
>> --- a/config/kernel/kernel.config.i586-ipfire
>> +++ b/config/kernel/kernel.config.i586-ipfire
>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>> CONFIG_HPET=y
>> # CONFIG_HPET_MMAP is not set
>> CONFIG_HANGCHECK_TIMER=m
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_NSC=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_XEN=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_TELCLOCK is not set
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
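Review bot: This file gets no `+# CONFIG_TRUSTED_KEYS is not set` hunk, while aarch64, armv6l and x86_64 each add that line in the same patch; the diffstat agrees (16 changed lines here against 17 for x86_64, with an identical list of TCG options). Please check whether the i586 config was regenerated the same way as the others, so that TRUSTED_KEYS does not end up with a different default on that architecture.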
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index fe93d731c..65014f41a 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>> CONFIG_HPET=y
>> # CONFIG_HPET_MMAP is not set
>> CONFIG_HANGCHECK_TIMER=m
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_NSC=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_XEN=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_TELCLOCK is not set
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
* Re: [PATCH 12/13] kernel: Zero-init all stack variables by default
2021-09-18 16:11 ` Peter Müller
@ 2021-09-21 9:50 ` Michael Tremer
0 siblings, 0 replies; 33+ messages in thread
From: Michael Tremer @ 2021-09-21 9:50 UTC (permalink / raw)
To: development
I thought you would :)
> On 18 Sep 2021, at 17:11, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Peter likes this one. :-)
>
> Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
>
>
>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 2 +-
>> config/kernel/kernel.config.armv6l-ipfire | 2 +-
>> config/kernel/kernel.config.x86_64-ipfire | 2 +-
>> 3 files changed, 3 insertions(+), 3 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>> index 49ee85970..7ae9f9738 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -7325,7 +7325,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
>> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
>> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
>> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
>> -# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
>> +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
>> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
>> # end of Memory initialization
>> # end of Kernel hardening options
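Review bot: The subject says "Zero-init all stack variables by default", but the line changed is `+CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y`, which zeroes page and slab allocations when they are handed out, that is heap memory. Stack variable initialisation is what the unchanged context line CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y already covers. Please retitle the commit to match the option, and add a body that mentions the allocation-time cost, since other patches in this series are argued on performance.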
>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>> index b11a179e3..33117b0b4 100644
>> --- a/config/kernel/kernel.config.armv6l-ipfire
>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>> @@ -7416,7 +7416,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
>> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
>> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
>> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
>> -# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
>> +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
>> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
>> # end of Memory initialization
>> # end of Kernel hardening options
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index 65014f41a..aab0cfb25 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -6805,7 +6805,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
>> CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
>> # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
>> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
>> -# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
>> +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
>> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
>> # end of Memory initialization
>> # end of Kernel hardening options
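Review bot: With this x86_64 hunk the patch covers three configurations, and i586 is the only one missing from the diffstat. If i586 is left out on purpose, say so in the commit message; otherwise the same one-line change to CONFIG_INIT_ON_ALLOC_DEFAULT_ON is needed there so that the hardening default does not differ by architecture.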
* Re: [PATCH 11/13] kernel: Enable support for TPM hardware
2021-09-21 9:50 ` Michael Tremer
@ 2021-09-21 11:40 ` Adolf Belka
2021-09-21 12:31 ` Adolf Belka
0 siblings, 1 reply; 33+ messages in thread
From: Adolf Belka @ 2021-09-21 11:40 UTC (permalink / raw)
To: development
Hi Michael,
On 21/09/2021 11:50, Michael Tremer wrote:
> Hello,
>
>> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Hello Michael,
>> hello *,
>>
>> just a small comment for the records: As discussed in the last monthly telephone
>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>> left to be locked down in IPFire thanks to enforced kernel module signing.
> Does anyone have any hardware at grabs to verify that this works?
>
> rngd --list should list the TPM device as a potential source.
On my running system I got the following response to the command:-
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)
and on my VM testbed system I got the same message:-
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)
I suspect that available but disabled means that I would need to turn it on in the BIOS. Is that a correct assumption?
To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.
Once I have the changes in place how do I tell if it is working?
Regards,
Adolf.
>> So no user needs to worry about introducing TPM support coming with a lack of
>> digital sovereignty - that is, if something like this even exists on today's hardware. :-)
>>
>> Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
>>> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
>>> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
>>> 4 files changed, 56 insertions(+), 4 deletions(-)
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>> index aa34b64db..49ee85970 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>>> CONFIG_RAW_DRIVER=y
>>> CONFIG_MAX_RAW_DEVS=8192
>>> CONFIG_DEVPORT=y
>>> -# CONFIG_TCG_TPM is not set
>>> +CONFIG_TCG_TPM=m
>>> +CONFIG_HW_RANDOM_TPM=y
>>> +CONFIG_TCG_TIS_CORE=m
>>> +CONFIG_TCG_TIS=m
>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>> +CONFIG_TCG_ATMEL=m
>>> +CONFIG_TCG_INFINEON=m
>>> +CONFIG_TCG_CRB=m
>>> +CONFIG_TCG_VTPM_PROXY=m
>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>> # CONFIG_XILLYBUS is not set
>>> # end of Character devices
>>> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>>> CONFIG_KEYS=y
>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>> +# CONFIG_TRUSTED_KEYS is not set
>>> # CONFIG_ENCRYPTED_KEYS is not set
>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>> CONFIG_SECURITY_DMESG_RESTRICT=y
>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>> index 7b82e87df..b11a179e3 100644
>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>>> CONFIG_RAW_DRIVER=y
>>> CONFIG_MAX_RAW_DEVS=8192
>>> CONFIG_DEVPORT=y
>>> -# CONFIG_TCG_TPM is not set
>>> +CONFIG_TCG_TPM=m
>>> +CONFIG_HW_RANDOM_TPM=y
>>> +CONFIG_TCG_TIS_CORE=m
>>> +CONFIG_TCG_TIS=m
>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>> +CONFIG_TCG_VTPM_PROXY=m
>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>> # CONFIG_XILLYBUS is not set
>>> # end of Character devices
>>> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>>> CONFIG_KEYS=y
>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>> +# CONFIG_TRUSTED_KEYS is not set
>>> # CONFIG_ENCRYPTED_KEYS is not set
>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>> CONFIG_SECURITY_DMESG_RESTRICT=y
>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>>> index 90d4ac856..2d7158c96 100644
>>> --- a/config/kernel/kernel.config.i586-ipfire
>>> +++ b/config/kernel/kernel.config.i586-ipfire
>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>>> CONFIG_HPET=y
>>> # CONFIG_HPET_MMAP is not set
>>> CONFIG_HANGCHECK_TIMER=m
>>> -# CONFIG_TCG_TPM is not set
>>> +CONFIG_TCG_TPM=m
>>> +CONFIG_HW_RANDOM_TPM=y
>>> +CONFIG_TCG_TIS_CORE=m
>>> +CONFIG_TCG_TIS=m
>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>> +CONFIG_TCG_NSC=m
>>> +CONFIG_TCG_ATMEL=m
>>> +CONFIG_TCG_INFINEON=m
>>> +CONFIG_TCG_XEN=m
>>> +CONFIG_TCG_CRB=m
>>> +CONFIG_TCG_VTPM_PROXY=m
>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>> # CONFIG_TELCLOCK is not set
>>> # CONFIG_XILLYBUS is not set
>>> # end of Character devices
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>> index fe93d731c..65014f41a 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>>> CONFIG_HPET=y
>>> # CONFIG_HPET_MMAP is not set
>>> CONFIG_HANGCHECK_TIMER=m
>>> -# CONFIG_TCG_TPM is not set
>>> +CONFIG_TCG_TPM=m
>>> +CONFIG_HW_RANDOM_TPM=y
>>> +CONFIG_TCG_TIS_CORE=m
>>> +CONFIG_TCG_TIS=m
>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>> +CONFIG_TCG_NSC=m
>>> +CONFIG_TCG_ATMEL=m
>>> +CONFIG_TCG_INFINEON=m
>>> +CONFIG_TCG_XEN=m
>>> +CONFIG_TCG_CRB=m
>>> +CONFIG_TCG_VTPM_PROXY=m
>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>> # CONFIG_TELCLOCK is not set
>>> # CONFIG_XILLYBUS is not set
>>> # end of Character devices
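Review bot: `+CONFIG_HW_RANDOM_TPM=y` is the one line in this hunk that delivers the purpose given in the thread, but the commit message has no body, so neither the HWRNG-only scope nor a way to verify it is recorded with the change. Please add both. The rngd --list output posted in this message shows the tpm source as "available but disabled", so the commit message should also say what result counts as working.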
>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>>> CONFIG_KEYS=y
>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>> +# CONFIG_TRUSTED_KEYS is not set
>>> # CONFIG_ENCRYPTED_KEYS is not set
>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>> CONFIG_SECURITY_DMESG_RESTRICT=y
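The question raised in the message above (how to tell whether the TPM entropy source works) can be checked from two sides: what rngd reports and what the kernel has registered. The following is an added example, not code from this thread or from IPFire. The function names are hypothetical, and the sysfs locations (/sys/class/tpm, /sys/class/misc/hw_random/rng_available) and the tpm-rng-N device name are assumptions about the running kernel.

```shell
#!/bin/sh
# Added example: decide whether a TPM is usable as an entropy source.

# Constructed sample: the rngd listing as quoted in the message above.
SAMPLE_LISTING='Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)'

# rngd_source_state NAME < listing
# Prints enabled | disabled | failed | absent for the source whose short
# name (the word in parentheses at the end of its line) is NAME.
rngd_source_state() {
    awk -v want="($1)" '
        /available but disabled/ { state = "disabled"; next }
        /Available and enabled/  { state = "enabled";  next }
        /failed init/            { state = "failed";   next }
        $NF == want              { print state; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# kernel_tpm_rng [SYSFS_ROOT]
# Prints the name of the TPM-backed hwrng the kernel registered.
# Returns 0 if one is registered, 1 if a TPM device exists but no hwrng
# was registered for it, 2 if there is no TPM device at all.
kernel_tpm_rng() {
    root=${1:-/sys}
    # Assumption: TPM character devices show up as class/tpm/tpmN.
    ls "$root"/class/tpm/tpm[0-9]* >/dev/null 2>&1 || return 2
    avail="$root/class/misc/hw_random/rng_available"
    [ -r "$avail" ] || return 1
    # rng_available is a space-separated list of registered hwrng names.
    name=$(tr ' ' '\n' < "$avail" | grep '^tpm-rng-' | head -n 1)
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# tpm_entropy_verdict LISTING [SYSFS_ROOT]
# Combines both views into one line. A source that rngd lists is not proof
# that a chip is present, so the kernel side is checked first.
tpm_entropy_verdict() {
    state=$(printf '%s\n' "$1" | rngd_source_state tpm)
    rc=0
    hw=$(kernel_tpm_rng "${2:-/sys}") || rc=$?
    case "$rc:$state" in
        2:*)       echo "no TPM device: driver not loaded or no chip" ;;
        1:*)       echo "TPM present but no hwrng registered: check CONFIG_HW_RANDOM_TPM" ;;
        0:enabled) echo "ok: rngd reads $hw" ;;
        0:*)       echo "kernel exposes $hw but rngd source is $state" ;;
    esac
}

# On a live system (needs rngd installed):
#   tpm_entropy_verdict "$(rngd --list 2>&1)"
```

On a machine without a TPM the verdict is "no TPM device" even though the listing names a tpm source, which matches the conclusion reached later in this thread.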
* Re: [PATCH 11/13] kernel: Enable support for TPM hardware
2021-09-21 11:40 ` Adolf Belka
@ 2021-09-21 12:31 ` Adolf Belka
2021-10-01 17:25 ` Michael Tremer
0 siblings, 1 reply; 33+ messages in thread
From: Adolf Belka @ 2021-09-21 12:31 UTC (permalink / raw)
To: development
Hi Michael,
After a bit more searching around I don't think I have TPM capability on my systems.
Regards,
Adolf.
On 21/09/2021 13:40, Adolf Belka wrote:
> Hi Michael,
>
> On 21/09/2021 11:50, Michael Tremer wrote:
>> Hello,
>>
>>> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> Hello Michael,
>>> hello *,
>>>
>>> just a small comment for the records: As discussed in the last monthly telephone
>>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>>> left to be locked down in IPFire thanks to enforced kernel module signing.
>> Does anyone have any hardware at grabs to verify that this works?
>>
>> rngd --list should list the TPM device as a potential source.
>
> On my running system I got the following response to the command:-
>
> Entropy sources that are available but disabled
> 1: TPM RNG Device (tpm)
> 4: NIST Network Entropy Beacon (nist)
> Available and enabled entropy sources:
> 2: Intel RDRAND Instruction RNG (rdrand)
> Available entropy sources that failed initalization:
> 0: Hardware RNG Device (hwrng)
>
>
> and on my VM testbed system I got the same message:-
>
> Entropy sources that are available but disabled
> 1: TPM RNG Device (tpm)
> 4: NIST Network Entropy Beacon (nist)
> Available and enabled entropy sources:
> 2: Intel RDRAND Instruction RNG (rdrand)
> Available entropy sources that failed initalization:
> 0: Hardware RNG Device (hwrng)
>
> I suspect that available but disabled means that I would need to turn it on in the BIOS. Is that a correct assumption?
>
> To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.
>
> Once I have the changes in place how do I tell if it is working?
>
> Regards,
>
> Adolf.
>
>>> So no user needs to worry about introducing TPM support coming with a lack of
>>> digital sovereignty - that is, if something like this even exists on today's hardware. :-)
>>>
>>> Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>> ---
>>>> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>>> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
>>>> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
>>>> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
>>>> 4 files changed, 56 insertions(+), 4 deletions(-)
>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>>> index aa34b64db..49ee85970 100644
>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>>>> CONFIG_RAW_DRIVER=y
>>>> CONFIG_MAX_RAW_DEVS=8192
>>>> CONFIG_DEVPORT=y
>>>> -# CONFIG_TCG_TPM is not set
>>>> +CONFIG_TCG_TPM=m
>>>> +CONFIG_HW_RANDOM_TPM=y
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_TIS=m
>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>> +CONFIG_TCG_ATMEL=m
>>>> +CONFIG_TCG_INFINEON=m
>>>> +CONFIG_TCG_CRB=m
>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>> # CONFIG_XILLYBUS is not set
>>>> # end of Character devices
>>>> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>>>> CONFIG_KEYS=y
>>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>> # CONFIG_ENCRYPTED_KEYS is not set
>>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>>> CONFIG_SECURITY_DMESG_RESTRICT=y
>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>>> index 7b82e87df..b11a179e3 100644
>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>>>> CONFIG_RAW_DRIVER=y
>>>> CONFIG_MAX_RAW_DEVS=8192
>>>> CONFIG_DEVPORT=y
>>>> -# CONFIG_TCG_TPM is not set
>>>> +CONFIG_TCG_TPM=m
>>>> +CONFIG_HW_RANDOM_TPM=y
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_TIS=m
>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>> # CONFIG_XILLYBUS is not set
>>>> # end of Character devices
>>>> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>>>> CONFIG_KEYS=y
>>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>> # CONFIG_ENCRYPTED_KEYS is not set
>>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>>> CONFIG_SECURITY_DMESG_RESTRICT=y
>>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>>>> index 90d4ac856..2d7158c96 100644
>>>> --- a/config/kernel/kernel.config.i586-ipfire
>>>> +++ b/config/kernel/kernel.config.i586-ipfire
>>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>>>> CONFIG_HPET=y
>>>> # CONFIG_HPET_MMAP is not set
>>>> CONFIG_HANGCHECK_TIMER=m
>>>> -# CONFIG_TCG_TPM is not set
>>>> +CONFIG_TCG_TPM=m
>>>> +CONFIG_HW_RANDOM_TPM=y
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_TIS=m
>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>> +CONFIG_TCG_NSC=m
>>>> +CONFIG_TCG_ATMEL=m
>>>> +CONFIG_TCG_INFINEON=m
>>>> +CONFIG_TCG_XEN=m
>>>> +CONFIG_TCG_CRB=m
>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>> # CONFIG_TELCLOCK is not set
>>>> # CONFIG_XILLYBUS is not set
>>>> # end of Character devices
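Review bot: the i586 config gets only this Character devices hunk, while aarch64, armv6l and x86_64 each also add "# CONFIG_TRUSTED_KEYS is not set" after CONFIG_PERSISTENT_KEYRINGS; the diffstat (16 changed lines for i586 against 17 for x86_64) agrees. If the option is reachable on i586, add the same line there so that all four configs state explicitly that trusted keys stay off; if it is not, a sentence in the commit message would explain the difference.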
>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>>> index fe93d731c..65014f41a 100644
>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>>>> CONFIG_HPET=y
>>>> # CONFIG_HPET_MMAP is not set
>>>> CONFIG_HANGCHECK_TIMER=m
>>>> -# CONFIG_TCG_TPM is not set
>>>> +CONFIG_TCG_TPM=m
>>>> +CONFIG_HW_RANDOM_TPM=y
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_TIS=m
>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>> +CONFIG_TCG_NSC=m
>>>> +CONFIG_TCG_ATMEL=m
>>>> +CONFIG_TCG_INFINEON=m
>>>> +CONFIG_TCG_XEN=m
>>>> +CONFIG_TCG_CRB=m
>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>> # CONFIG_TELCLOCK is not set
>>>> # CONFIG_XILLYBUS is not set
>>>> # end of Character devices
>>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>>>> CONFIG_KEYS=y
>>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>> # CONFIG_ENCRYPTED_KEYS is not set
>>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>>> CONFIG_SECURITY_DMESG_RESTRICT=y
* Re: [PATCH 11/13] kernel: Enable support for TPM hardware
From: Michael Tremer @ 2021-10-01 17:25 UTC (permalink / raw)
To: development
Hello,

I gave this a go on an IPFire Business Appliance:

[root@fw01 ~]# rngd -x 2 -x 0 -n 1 --test
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Disabling 0: Hardware RNG Device (hwrng)
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Enabling 1: TPM RNG Device (tpm)
Initializing available sources
[tpm ]: The TPM entropy source only supports TPM1.2 hardware and is deprecated. TPM2.0 and later hardware exports entropy via /dev/hwrng, which can be collected via the hwrng entropy source in rngd
[tpm ]: Initialization Failed
can't open any entropy sourceMaybe RNG device modules are not loaded

So if the kernel is exporting this correctly, the default configuration of rngd will use the TPM:

[root@fw01 ~]# rngd --list
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)

This one is running the production kernel, but as soon as the kernel makes /dev/hwrng available, we should be fine.

Best,
-Michael

> On 21 Sep 2021, at 13:31, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> Hi Michael,
>
> After a bit more searching around I don't think I have TPM capability on my systems.
>
> Regards,
>
> Adolf.
>
> On 21/09/2021 13:40, Adolf Belka wrote:
>> Hi Michael,
>>
>> On 21/09/2021 11:50, Michael Tremer wrote:
>>> Hello,
>>>
>>>> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> Hello Michael,
>>>> hello *,
>>>>
>>>> just a small comment for the records: As discussed in the last monthly telephone
>>>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>>>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>>>> left to be locked down in IPFire thanks to enforced kernel module signing.
>>> Does anyone have any hardware at grabs to verify that this works?
>>>
>>> rngd --list should list the TPM device as a potential source.
>>
>> On my running system I got the following response to the command:-
>>
>> Entropy sources that are available but disabled
>> 1: TPM RNG Device (tpm)
>> 4: NIST Network Entropy Beacon (nist)
>> Available and enabled entropy sources:
>> 2: Intel RDRAND Instruction RNG (rdrand)
>> Available entropy sources that failed initalization:
>> 0: Hardware RNG Device (hwrng)
>>
>>
>> and on my VM testbed system I got the same message:-
>>
>> Entropy sources that are available but disabled
>> 1: TPM RNG Device (tpm)
>> 4: NIST Network Entropy Beacon (nist)
>> Available and enabled entropy sources:
>> 2: Intel RDRAND Instruction RNG (rdrand)
>> Available entropy sources that failed initalization:
>> 0: Hardware RNG Device (hwrng)
>>
>> I suspect that available but disabled means that I would need to turn it on in the BIOS. Is that a correct assumption?
>>
>> To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.
>>
>> Once I have the changes in place how do I tell if it is working?
>>
>> Regards,
>>
>> Adolf.
>>
>>>> So no user needs to worry about introducing TPM support coming with a lack of
>>>> digital sovereignty - that is, if something like this even exists on today's hardware. :-)
>>>>
>>>> Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>>
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>>
>>>>
>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>> ---
>>>>> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>>>> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
>>>>> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
>>>>> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
>>>>> 4 files changed, 56 insertions(+), 4 deletions(-)
>>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>>>> index aa34b64db..49ee85970 100644
>>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>>>>> CONFIG_RAW_DRIVER=y
>>>>> CONFIG_MAX_RAW_DEVS=8192
>>>>> CONFIG_DEVPORT=y
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>> # CONFIG_XILLYBUS is not set
>>>>> # end of Character devices
>>>>> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>>>>> CONFIG_KEYS=y
>>>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>> # CONFIG_ENCRYPTED_KEYS is not set
>>>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>>>> CONFIG_SECURITY_DMESG_RESTRICT=y
>>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>>>> index 7b82e87df..b11a179e3 100644
>>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>>>>> CONFIG_RAW_DRIVER=y
>>>>> CONFIG_MAX_RAW_DEVS=8192
>>>>> CONFIG_DEVPORT=y
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>> # CONFIG_XILLYBUS is not set
>>>>> # end of Character devices
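Review bot: the armv6l list omits CONFIG_TCG_ATMEL, CONFIG_TCG_INFINEON and CONFIG_TCG_CRB, all of which the aarch64 hunk above sets to m. If Kconfig drops them on this architecture because their dependencies are missing, note that in the commit message; otherwise add them so that the two ARM configs match.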
>>>>> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>>>>> CONFIG_KEYS=y
>>>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>> # CONFIG_ENCRYPTED_KEYS is not set
>>>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>>>> CONFIG_SECURITY_DMESG_RESTRICT=y
>>>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>>>>> index 90d4ac856..2d7158c96 100644
>>>>> --- a/config/kernel/kernel.config.i586-ipfire
>>>>> +++ b/config/kernel/kernel.config.i586-ipfire
>>>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>>>>> CONFIG_HPET=y
>>>>> # CONFIG_HPET_MMAP is not set
>>>>> CONFIG_HANGCHECK_TIMER=m
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_NSC=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_XEN=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>> # CONFIG_TELCLOCK is not set
>>>>> # CONFIG_XILLYBUS is not set
>>>>> # end of Character devices
>>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>>>> index fe93d731c..65014f41a 100644
>>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>>>>> CONFIG_HPET=y
>>>>> # CONFIG_HPET_MMAP is not set
>>>>> CONFIG_HANGCHECK_TIMER=m
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_NSC=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_XEN=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>> # CONFIG_TELCLOCK is not set
>>>>> # CONFIG_XILLYBUS is not set
>>>>> # end of Character devices
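Review bot: CONFIG_TCG_VTPM_PROXY=m and CONFIG_TCG_XEN=m in this list are virtual TPM front ends rather than drivers for a physical chip, which goes beyond the HWRNG-only use agreed earlier in the thread. Consider leaving CONFIG_TCG_VTPM_PROXY unset, since a firewall has no need to create userspace-backed TPM devices, and keep CONFIG_TCG_XEN only if Xen guests are expected to get a vTPM from the host; either way, a line of rationale in the commit message would help.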
>>>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>>>>> CONFIG_KEYS=y
>>>>> # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>> # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>> # CONFIG_ENCRYPTED_KEYS is not set
>>>>> # CONFIG_KEY_DH_OPERATIONS is not set
>>>>> CONFIG_SECURITY_DMESG_RESTRICT=y
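The question raised in this thread, how to tell whether the TPM is working as an entropy source, comes down to comparing what rngd reports with what the kernel exposes behind /dev/hwrng. The script below is an added example, not part of any message in this thread; the function names are hypothetical, and it assumes the kernel's hw_random sysfs directory /sys/class/misc/hw_random and that a TPM-backed generator is listed there under a name starting with "tpm".

```shell
#!/bin/sh
# Added example (not from the thread): is the TPM feeding rngd via /dev/hwrng?

# `rngd --list` output quoted in the thread (taken on the production kernel).
PAGE_LIST='Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)'

# rngd_source_state NAME: reads `rngd --list` text on stdin and prints
# enabled | disabled | failed | absent for the source with that short name.
rngd_source_state() {
    awk -v want="$1" '
        /available but disabled/ { state = "disabled"; next }
        /Available and enabled/  { state = "enabled";  next }
        /failed init/            { state = "failed";   next }
        /^[ \t]*[0-9]+:/ {       # source line, e.g. "1: TPM RNG Device (tpm)"
            name = $NF; gsub(/[()]/, "", name)
            if (name == want) { print state; found = 1; exit }
        }
        END { if (!found) print "absent" }'
}

# hwrng_backend [DIR]: name of the driver behind /dev/hwrng, or "none".
hwrng_backend() {
    dir="${1:-/sys/class/misc/hw_random}"
    cur=$(cat "$dir/rng_current" 2>/dev/null) || cur=""
    [ -n "$cur" ] || cur=none
    printf '%s\n' "$cur"
}

# tpm_rng_verdict LIST_TEXT [DIR]: combine rngd's view with the kernel's.
# Assumption: a TPM-backed hwrng shows up under a name starting with "tpm".
tpm_rng_verdict() {
    state=$(printf '%s\n' "$1" | rngd_source_state hwrng)
    backend=$(hwrng_backend "${2:-}")
    case "$backend" in
        none) echo "kernel: no hwrng backend (TPM driver not loaded?)" ;;
        tpm*) if [ "$state" = enabled ]; then echo "ok: rngd reads $backend via hwrng"
              else echo "rngd: hwrng source is $state"; fi ;;
        *)    echo "kernel: hwrng is backed by $backend, not the TPM" ;;
    esac
}

tpm_rng_verdict "$PAGE_LIST"
```

On a live system, pass "$(rngd --list 2>&1)" as the first argument and omit the directory so that the real sysfs entry is read.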