Reviewed-by: Michael Tremer
> On 18 Apr 2023, at 21:51, Peter Müller wrote:
>
> Compiling the kernel has automatically introduced
> CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to
> be confused with its stackleak counterpart). However, according to
> related documentation, this neither introduces a security nor
> performance disadvantage.
>
> Signed-off-by: Peter Müller
> ---
> config/kernel/kernel.config.aarch64-ipfire | 24 ++++++++++------------
> config/kernel/kernel.config.x86_64-ipfire | 24 ++++++++++------------
> config/rootfiles/common/x86_64/linux | 4 ----
> lfs/linux | 4 ++--
> 4 files changed, 24 insertions(+), 32 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 9fbe4b7a2..7e3918d84 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -1,15 +1,15 @@
> #
> # Automatically generated file; DO NOT EDIT.
> -# Linux/arm64 6.1.6-ipfire Kernel Configuration
> +# Linux/arm64 6.1.24-ipfire Kernel Configuration
> #
> -CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.3.0"
> +CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.2.0"
> CONFIG_CC_IS_GCC=y
> -CONFIG_GCC_VERSION=110300
> +CONFIG_GCC_VERSION=120200
> CONFIG_CLANG_VERSION=0
> CONFIG_AS_IS_GNU=y
> -CONFIG_AS_VERSION=23900
> +CONFIG_AS_VERSION=24000
> CONFIG_LD_IS_BFD=y
> -CONFIG_LD_VERSION=23900
> +CONFIG_LD_VERSION=24000
> CONFIG_LLD_VERSION=0
> CONFIG_CC_CAN_LINK=y
> CONFIG_CC_CAN_LINK_STATIC=y
> @@ -1536,7 +1536,6 @@ CONFIG_DEFAULT_NET_SCH="fq_codel"
> #
> CONFIG_NET_CLS=y
> CONFIG_NET_CLS_BASIC=m
> -CONFIG_NET_CLS_TCINDEX=m
> CONFIG_NET_CLS_ROUTE4=m
> CONFIG_NET_CLS_FW=m
> CONFIG_NET_CLS_U32=m
> @@ -3544,7 +3543,6 @@ CONFIG_SERIAL_ARC=m
> CONFIG_SERIAL_ARC_NR_PORTS=1
> # CONFIG_SERIAL_RP2 is not set
> CONFIG_SERIAL_FSL_LPUART=m
> -CONFIG_SERIAL_FSL_LPUART_CONSOLE=y
> CONFIG_SERIAL_FSL_LINFLEXUART=y
> CONFIG_SERIAL_FSL_LINFLEXUART_CONSOLE=y
> # CONFIG_SERIAL_CONEXANT_DIGICOLOR is not set
> @@ -5463,7 +5461,6 @@ CONFIG_DVB_SP2=m
> CONFIG_APERTURE_HELPERS=y
> CONFIG_DRM=m
> CONFIG_DRM_MIPI_DSI=y
> -CONFIG_DRM_USE_DYNAMIC_DEBUG=y
> CONFIG_DRM_KMS_HELPER=m
> # CONFIG_DRM_DEBUG_DP_MST_TOPOLOGY_REFS is not set
> CONFIG_DRM_DEBUG_MODESET_LOCK=y
> @@ -5943,6 +5940,7 @@ CONFIG_SND_HDA_CODEC_SI3054=m
> CONFIG_SND_HDA_GENERIC=m
> CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
> # CONFIG_SND_HDA_INTEL_HDMI_SILENT_STREAM is not set
> +# CONFIG_SND_HDA_CTL_DEV_ID is not set
> # end of HD-Audio
>
> CONFIG_SND_HDA_CORE=m
> @@ -7937,16 +7935,16 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
> #
> # Kernel hardening options
> #
> -CONFIG_GCC_PLUGIN_STRUCTLEAK=y
>
> #
> # Memory initialization
> #
> +CONFIG_CC_HAS_AUTO_VAR_INIT_PATTERN=y
> +CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_BARE=y
> +CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y
> # CONFIG_INIT_STACK_NONE is not set
> -# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
> -# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
> -CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
> -# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
> +# CONFIG_INIT_STACK_ALL_PATTERN is not set
> +CONFIG_INIT_STACK_ALL_ZERO=y
> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
> CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 988ec980b..867e99e9f 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -1,15 +1,15 @@
> #
> # Automatically generated file; DO NOT EDIT.
> -# Linux/x86 6.1.6 Kernel Configuration
> +# Linux/x86 6.1.24-ipfire Kernel Configuration
> #
> -CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.3.0"
> +CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.2.0"
> CONFIG_CC_IS_GCC=y
> -CONFIG_GCC_VERSION=110300
> +CONFIG_GCC_VERSION=120200
> CONFIG_CLANG_VERSION=0
> CONFIG_AS_IS_GNU=y
> -CONFIG_AS_VERSION=23900
> +CONFIG_AS_VERSION=24000
> CONFIG_LD_IS_BFD=y
> -CONFIG_LD_VERSION=23900
> +CONFIG_LD_VERSION=24000
> CONFIG_LLD_VERSION=0
> CONFIG_CC_CAN_LINK=y
> CONFIG_CC_CAN_LINK_STATIC=y
> @@ -1579,7 +1579,6 @@ CONFIG_DEFAULT_NET_SCH="fq_codel"
> #
> CONFIG_NET_CLS=y
> CONFIG_NET_CLS_BASIC=m
> -CONFIG_NET_CLS_TCINDEX=m
> CONFIG_NET_CLS_ROUTE4=m
> CONFIG_NET_CLS_FW=m
> CONFIG_NET_CLS_U32=m
> @@ -3444,7 +3443,6 @@ CONFIG_SERIAL_ARC_NR_PORTS=1
> CONFIG_SERIAL_RP2=m
> CONFIG_SERIAL_RP2_NR_UARTS=32
> CONFIG_SERIAL_FSL_LPUART=m
> -CONFIG_SERIAL_FSL_LPUART_CONSOLE=y
> CONFIG_SERIAL_FSL_LINFLEXUART=m
> CONFIG_SERIAL_SPRD=m
> # end of Serial drivers
> @@ -5171,7 +5169,6 @@ CONFIG_INTEL_GTT=y
> CONFIG_VGA_SWITCHEROO=y
> CONFIG_DRM=m
> CONFIG_DRM_MIPI_DSI=y
> -CONFIG_DRM_USE_DYNAMIC_DEBUG=y
> CONFIG_DRM_KMS_HELPER=m
> # CONFIG_DRM_DEBUG_DP_MST_TOPOLOGY_REFS is not set
> # CONFIG_DRM_DEBUG_MODESET_LOCK is not set
> @@ -5614,6 +5611,7 @@ CONFIG_SND_HDA_CODEC_SI3054=m
> CONFIG_SND_HDA_GENERIC=m
> CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
> # CONFIG_SND_HDA_INTEL_HDMI_SILENT_STREAM is not set
> +# CONFIG_SND_HDA_CTL_DEV_ID is not set
> # end of HD-Audio
>
> CONFIG_SND_HDA_CORE=m
> @@ -7153,16 +7151,16 @@ CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
> #
> # Kernel hardening options
> #
> -CONFIG_GCC_PLUGIN_STRUCTLEAK=y
>
> #
> # Memory initialization
> #
> +CONFIG_CC_HAS_AUTO_VAR_INIT_PATTERN=y
> +CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_BARE=y
> +CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y
> # CONFIG_INIT_STACK_NONE is not set
> -# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
> -# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
> -CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
> -# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
> +# CONFIG_INIT_STACK_ALL_PATTERN is not set
> +CONFIG_INIT_STACK_ALL_ZERO=y
> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
> CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
> # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
> diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
> index fab1e5064..58ca6d1cd 100644
> --- a/config/rootfiles/common/x86_64/linux
> +++ b/config/rootfiles/common/x86_64/linux
> @@ -7460,7 +7460,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/DRM_TTM
> #lib/modules/KVER-ipfire/build/include/config/DRM_TTM_HELPER
> #lib/modules/KVER-ipfire/build/include/config/DRM_UDL
> -#lib/modules/KVER-ipfire/build/include/config/DRM_USE_DYNAMIC_DEBUG
> #lib/modules/KVER-ipfire/build/include/config/DRM_VBOXVIDEO
> #lib/modules/KVER-ipfire/build/include/config/DRM_VIRTIO_GPU
> #lib/modules/KVER-ipfire/build/include/config/DRM_VMWGFX
> @@ -9133,7 +9132,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/NET_CLS_ROUTE4
> #lib/modules/KVER-ipfire/build/include/config/NET_CLS_RSVP
> #lib/modules/KVER-ipfire/build/include/config/NET_CLS_RSVP6
> -#lib/modules/KVER-ipfire/build/include/config/NET_CLS_TCINDEX
> #lib/modules/KVER-ipfire/build/include/config/NET_CLS_U32
> #lib/modules/KVER-ipfire/build/include/config/NET_CORE
> #lib/modules/KVER-ipfire/build/include/config/NET_DEVLINK
> @@ -10358,7 +10356,6 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/SERIAL_EARLYCON
> #lib/modules/KVER-ipfire/build/include/config/SERIAL_FSL_LINFLEXUART
> #lib/modules/KVER-ipfire/build/include/config/SERIAL_FSL_LPUART
> -#lib/modules/KVER-ipfire/build/include/config/SERIAL_FSL_LPUART_CONSOLE
> #lib/modules/KVER-ipfire/build/include/config/SERIAL_JSM
> #lib/modules/KVER-ipfire/build/include/config/SERIAL_LANTIQ
> #lib/modules/KVER-ipfire/build/include/config/SERIAL_MCTRL_GPIO
> @@ -22762,7 +22759,6 @@ lib/modules/KVER-ipfire/kernel
> #lib/modules/KVER-ipfire/kernel/net/sched/cls_route.ko.xz
> #lib/modules/KVER-ipfire/kernel/net/sched/cls_rsvp.ko.xz
> #lib/modules/KVER-ipfire/kernel/net/sched/cls_rsvp6.ko.xz
> -#lib/modules/KVER-ipfire/kernel/net/sched/cls_tcindex.ko.xz
> #lib/modules/KVER-ipfire/kernel/net/sched/cls_u32.ko.xz
> #lib/modules/KVER-ipfire/kernel/net/sched/em_cmp.ko.xz
> #lib/modules/KVER-ipfire/kernel/net/sched/em_ipset.ko.xz
> diff --git a/lfs/linux b/lfs/linux
> index b790a4fe3..d9f7bdd71 100644
> --- a/lfs/linux
> +++ b/lfs/linux
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 6.1.11
> +VER = 6.1.24
> ARM_PATCHES = 6.1.y-ipfire0
>
> THISAPP = linux-$(VER)
> @@ -75,7 +75,7 @@ objects = \
> $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
> arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
>
> -$(DL_FILE)_BLAKE2 = 2a1dc1acd63308d72a927f39bc5a9be0bc220673655422c90113300598e754d16021cec85751044114d161a82e476473896bd778180d889d54917ce19d176b4c
> +$(DL_FILE)_BLAKE2 = 2f20ad999655226bc79caca109bde0f940420d87a293cf000f2d8304122bdfcc388c1a558ff26f2f551c9b6133b8fb120dbd537f914e1b88d0fbbd5408e648b0
> arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 3ef9a778c5c41ee8bf2942a48f63b21228a632a2910d2123f01155bbf571592898cffffa61c387a5a6c817b62e458947b4c406c6591b23b5401faa47b020337f
>
> install : $(TARGET)
> --
> 2.35.3