Hello Peter,
On 26 Dec 2022, at 20:24, Peter Müller peter.mueller@ipfire.org wrote:
> This patchset aims at updating the Linux kernel to 5.15.85, given that the last release we shipped dates back a while ago. However, its primary purpose is to backport some kernel changes recently made by Michael in IPFire 3.x, whenever bringing these to the IPFire 2.x userbase is sensible and/or feasible.
I am happy with updating the kernel.
> Patch descriptions are copy & pasted from their IPFire 3.x counterparts, which are referred to by their commit IDs in ipfire-3.x. Due to the different hardware situation as well as architecture maturity (this particularly affects ARM), not all changes could be backported 1:1 or to a near-complete extent.
As I said in our previous conversation about this, I am not too happy to see this patchset here, yet.
The current kernel in IPFire 3 is highly experimental. In order to try things out, I enabled lots of (let’s call them) risky features that are either not commonly enabled on off-the-shelf distributions, or are not tested by us.
That results in a kernel that currently does not even boot.
“Backporting” from a broken kernel that is so untested will only result in carrying over any problems from the testing environment into the production environment where they are so much more harmful.
We should test first, and then move on to the next step and figure out how we can roll out the successfully tested changes and how we can roll back those that don’t work well for us.
> Feedback is particularly appreciated regarding the last commit, which aims at aligning the ARM kernel configuration files to the x86_64 one. Since no real ARM hardware is at the author's disposal, this alignment has to be taken with a pinch of salt.
How is that supposed to be tested?
> As far as benchmarks are concerned, a 5.15.85 x86_64 kernel booted in an IPFire 2.x VM on the basis of Core Update 172 introduced the following changes in file size:
>
> Location        Before   After
> /boot             48M     53M (+ 5)
> /lib/modules      58M     71M (+13)
> ISO              373M    394M (+21)
We cannot afford at all to make the kernel larger, since we still have plenty of installations out there with a small /boot partition and a / partition that is limited to 2GB. Not that another 13 MiB will break the camel’s back, but we should try to save space to keep those users up and running.
> Contrary to its documentation, enabling the GCC stackleak plugin (which is the current setting in IPFire 3.x as well) neither brought a notable compile time increase, nor does it seem to slow down runtime operations significantly. More thorough tests, especially on physical machines, are, however, yet to come.
How many times did you rebuild the kernel with exactly the same configuration?
In IPFire 3 there is something that seems to limit the performance of ccache, which we cannot carry over into IPFire 2 under any circumstances. IPFire 2 is very sensitive towards compile time.
-Michael
> Peter Müller (21):
>   linux: Update to 5.15.85
>   linux: Disable the entire PCMCIA/CardBus subsystem
>   linux: Enable parallel crypto by default
>   linux: Disable syscalls that allow processes to r/w other processes' memory
>   linux: Disable the latent entropy plugin
>   linux: Build all library routines as modules and disable self-tests
>   linux: Build all HWRNGs as modules
>   linux: Compile binfmt_misc as a module
>   linux: Wipe all memory when rebooting on EFI
>   linux: Disable the Distributed Lock Manager
>   linux: Disable some character devices that do not make sense
>   linux: Make graphics configuration sane
>   linux: Disable all sorts of useless Device Mapper targets
>   linux: Enable various modern ciphers/hashes/etc. and acceleration
>   linux: Compress the kernel, modules and firmware using Zstandard
>   linux: Disable ACPI configfs support
>   linux: Enable support for more USB host controllers as modules
>   linux: Poison kernel stack before returning from syscalls
>   linux: Enable Landlock support
>   linux: Update x86_64 rootfile
>   linux: Align ARM kernel configurations as much as possible
>  config/kernel/kernel.config.aarch64-ipfire    |  194 +-
>  config/kernel/kernel.config.armv6l-ipfire     |  101 +-
>  config/kernel/kernel.config.x86_64-ipfire     |  216 +-
>  config/rootfiles/common/x86_64/linux          | 5954 ++++++++---------
>  lfs/linux                                     |    9 +-
>  .../linux-5.15-wifi-security-patches-1.patch  |   50 -
>  .../linux-5.15-wifi-security-patches-10.patch |   98 -
>  .../linux-5.15-wifi-security-patches-11.patch |   96 -
>  .../linux-5.15-wifi-security-patches-12.patch | 1179 ----
>  .../linux-5.15-wifi-security-patches-13.patch |  130 -
>  .../linux-5.15-wifi-security-patches-14.patch |  107 -
>  .../linux-5.15-wifi-security-patches-2.patch  |   59 -
>  .../linux-5.15-wifi-security-patches-3.patch  |   49 -
>  .../linux-5.15-wifi-security-patches-4.patch  |   96 -
>  .../linux-5.15-wifi-security-patches-5.patch  |   56 -
>  .../linux-5.15-wifi-security-patches-6.patch  |   39 -
>  .../linux-5.15-wifi-security-patches-7.patch  |   60 -
>  .../linux-5.15-wifi-security-patches-8.patch  |   94 -
>  .../linux-5.15-wifi-security-patches-9.patch  |  126 -
>  19 files changed, 3183 insertions(+), 5530 deletions(-)
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-1.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-10.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-11.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-12.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-13.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-14.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-2.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-3.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-4.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-5.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-6.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-7.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-8.patch
>  delete mode 100644 src/patches/linux/linux-5.15-wifi-security-patches-9.patch
> --
> 2.35.3