This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 831ff05d898cbf3484922d33573ee067782eb663 (commit) via 198c956bb74be7eeaa919c7de3fc3ada4ca52856 (commit) from 57b17167eb6cdbc35bdcf7f6614f00d8ac50fdd1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 831ff05d898cbf3484922d33573ee067782eb663 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Feb 6 15:09:52 2020 +0100
kernel: enable and enforce signed kernel modules
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 198c956bb74be7eeaa919c7de3fc3ada4ca52856 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Feb 5 18:25:54 2020 +0100
kernel: update to 4.14.170
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/kernel/kernel.config.aarch64-ipfire | 37 ++++++++++++++++---- config/kernel/kernel.config.armv5tel-ipfire-multi | 38 +++++++++++++++++---- config/kernel/kernel.config.i586-ipfire | 41 +++++++++++++++++------ config/kernel/kernel.config.i586-ipfire-pae | 41 +++++++++++++++++------ config/kernel/kernel.config.x86_64-ipfire | 41 +++++++++++++++++------ config/kernel/x509.genkey | 17 ++++++++++ config/rootfiles/common/i586/linux | 41 +++++++++++++++++++---- config/rootfiles/packages/linux-pae | 41 +++++++++++++++++++---- lfs/linux | 18 ++++++---- lfs/xtables-addons | 11 ++++-- 10 files changed, 262 insertions(+), 64 deletions(-) create mode 100644 config/kernel/x509.genkey
Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index e79403bc7..32ad2df07 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 4.14.154-ipfire Kernel Configuration +# Linux/arm64 4.14.166-ipfire Kernel Configuration # CONFIG_ARM64=y CONFIG_64BIT=y @@ -221,7 +221,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y # CONFIG_KPROBES is not set @@ -306,7 +306,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y @@ -369,6 +377,7 @@ CONFIG_MQ_IOSCHED_KYBER=y CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PADATA=y +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y @@ -2065,6 +2074,7 @@ CONFIG_ACENIC=m # CONFIG_ACENIC_OMIT_TIGON_I is not set CONFIG_ALTERA_TSE=m CONFIG_NET_VENDOR_AMAZON=y +CONFIG_ENA_ETHERNET=m CONFIG_NET_VENDOR_AMD=y CONFIG_AMD8111_ETH=m CONFIG_PCNET32=m @@ -6609,6 +6619,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y 
@@ -6621,10 +6632,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -# CONFIG_CRYPTO_RSA is not set +CONFIG_CRYPTO_RSA=y # CONFIG_CRYPTO_DH is not set CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -6741,6 +6753,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y # CONFIG_CRYPTO_USER_API_RNG is not set # CONFIG_CRYPTO_USER_API_AEAD is not set +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_MARVELL_CESA is not set # CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC is not set @@ -6751,11 +6764,21 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=y # CONFIG_CRYPTO_DEV_CHELSIO is not set CONFIG_CRYPTO_DEV_VIRTIO=m # CONFIG_CRYPTO_DEV_SAFEXCEL is not set -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PKCS7_TEST_KEY=m +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
# # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set # CONFIG_ARM64_CRYPTO is not set CONFIG_BINARY_PRINTF=y @@ -6831,11 +6854,13 @@ CONFIG_DQL=y CONFIG_GLOB=y # CONFIG_GLOB_SELFTEST is not set CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y CONFIG_CORDIC=m CONFIG_DDR=y CONFIG_IRQ_POLL=y +CONFIG_MPILIB=y CONFIG_LIBFDT=y -CONFIG_OID_REGISTRY=m +CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi index 7e9de39ea..cfa766005 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-multi +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.14.154-ipfire-multi Kernel Configuration +# Linux/arm 4.14.166-ipfire-multi Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y @@ -218,7 +218,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y CONFIG_HAVE_OPROFILE=y @@ -301,7 +301,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y 
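Review bot: `CONFIG_PKCS7_TEST_KEY=m` in the `@@ -6751,11 +6764,21 @@` hunk of kernel.config.aarch64-ipfire builds the PKCS#7 test key type, which is a testing aid and is not needed to verify module signatures. The x86_64 config in this same commit has `# CONFIG_PKCS7_TEST_KEY is not set`, and the i586 rootfile lists the resulting `pkcs7_test_key.ko.xz` only as a commented-out entry, so the module appears to be built just to be left out. I would use `# CONFIG_PKCS7_TEST_KEY is not set` here and in the matching hunks of the armv5tel-ipfire-multi, i586-ipfire and i586-ipfire-pae configs. That keeps the five configs consistent and avoids carrying test-only key handling code in a production kernel.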
@@ -363,6 +371,7 @@ CONFIG_MQ_IOSCHED_KYBER=y CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PADATA=y +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y @@ -2333,6 +2342,7 @@ CONFIG_ACENIC=m # CONFIG_ACENIC_OMIT_TIGON_I is not set CONFIG_ALTERA_TSE=m CONFIG_NET_VENDOR_AMAZON=y +CONFIG_ENA_ETHERNET=m CONFIG_NET_VENDOR_AMD=y CONFIG_AMD8111_ETH=m CONFIG_PCNET32=m @@ -7045,7 +7055,6 @@ CONFIG_ARM_UNWIND=y CONFIG_OLD_MCOUNT=y # CONFIG_DEBUG_USER is not set # CONFIG_DEBUG_LL is not set -CONFIG_DEBUG_IMX_UART_PORT=1 CONFIG_DEBUG_LL_INCLUDE="mach/debug-macro.S" # CONFIG_DEBUG_UART_8250 is not set CONFIG_UNCOMPRESS_INCLUDE="debug/uncompress.h" @@ -7092,6 +7101,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -7104,10 +7114,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -# CONFIG_CRYPTO_RSA is not set +CONFIG_CRYPTO_RSA=y # CONFIG_CRYPTO_DH is not set CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -7224,6 +7235,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y # CONFIG_CRYPTO_USER_API_RNG is not set # CONFIG_CRYPTO_USER_API_AEAD is not set +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_MV_CESA=m # CONFIG_CRYPTO_DEV_MARVELL_CESA is not set @@ -7242,11 +7254,21 @@ CONFIG_CRYPTO_DEV_SUN4I_SS=y CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y CONFIG_CRYPTO_DEV_ROCKCHIP=y # CONFIG_CRYPTO_DEV_CHELSIO is not set -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PKCS7_TEST_KEY=m +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
# # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set CONFIG_ARM_CRYPTO=y CONFIG_CRYPTO_SHA1_ARM=m @@ -7327,11 +7349,13 @@ CONFIG_GLOB=y # CONFIG_GLOB_SELFTEST is not set CONFIG_NLATTR=y CONFIG_GENERIC_ATOMIC64=y +CONFIG_CLZ_TAB=y CONFIG_CORDIC=m CONFIG_DDR=y CONFIG_IRQ_POLL=y +CONFIG_MPILIB=y CONFIG_LIBFDT=y -CONFIG_OID_REGISTRY=m +CONFIG_OID_REGISTRY=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set CONFIG_FONT_8x8=y diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire index 2732bba42..4bb39fc20 100644 --- a/config/kernel/kernel.config.i586-ipfire +++ b/config/kernel/kernel.config.i586-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.154-ipfire-pae Kernel Configuration +# Linux/x86 4.14.170-ipfire Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -233,7 +233,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y CONFIG_HOTPLUG_SMT=y @@ -334,7 +334,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y 
@@ -398,7 +406,7 @@ CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y -CONFIG_ASN1=m +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y @@ -6703,6 +6711,7 @@ CONFIG_DOUBLEFAULT=y # CONFIG_DEBUG_TLBFLUSH is not set # CONFIG_IOMMU_STRESS is not set CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set CONFIG_IO_DELAY_TYPE_0X80=0 CONFIG_IO_DELAY_TYPE_0XED=1 CONFIG_IO_DELAY_TYPE_UDELAY=2 @@ -6766,6 +6775,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -6778,11 +6788,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y -CONFIG_CRYPTO_AKCIPHER=m +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -CONFIG_CRYPTO_RSA=m +CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_DH=m CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -6851,7 +6861,7 @@ CONFIG_CRYPTO_RMD256=m CONFIG_CRYPTO_RMD320=m CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA512=m +CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m @@ -6908,6 +6918,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y CONFIG_CRYPTO_USER_API_RNG=m CONFIG_CRYPTO_USER_API_AEAD=m +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -6928,11 +6939,21 @@ CONFIG_CRYPTO_DEV_QAT_C3XXXVF=m CONFIG_CRYPTO_DEV_QAT_C62XVF=m CONFIG_CRYPTO_DEV_CHELSIO=m CONFIG_CRYPTO_DEV_VIRTIO=m -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PKCS7_TEST_KEY=m +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
# # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set CONFIG_HAVE_KVM=y CONFIG_HAVE_KVM_IRQCHIP=y @@ -7040,8 +7061,8 @@ CONFIG_CLZ_TAB=y CONFIG_CORDIC=m # CONFIG_DDR is not set CONFIG_IRQ_POLL=y -CONFIG_MPILIB=m -CONFIG_OID_REGISTRY=m +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set diff --git a/config/kernel/kernel.config.i586-ipfire-pae b/config/kernel/kernel.config.i586-ipfire-pae index 9b53ab35c..318384613 100644 --- a/config/kernel/kernel.config.i586-ipfire-pae +++ b/config/kernel/kernel.config.i586-ipfire-pae @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.154-ipfire-pae Kernel Configuration +# Linux/x86 4.14.170-ipfire-pae Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -233,7 +233,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y CONFIG_HOTPLUG_SMT=y @@ -335,7 +335,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y 
@@ -399,7 +407,7 @@ CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y -CONFIG_ASN1=m +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y @@ -6709,6 +6717,7 @@ CONFIG_DOUBLEFAULT=y # CONFIG_DEBUG_TLBFLUSH is not set # CONFIG_IOMMU_STRESS is not set CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set CONFIG_IO_DELAY_TYPE_0X80=0 CONFIG_IO_DELAY_TYPE_0XED=1 CONFIG_IO_DELAY_TYPE_UDELAY=2 @@ -6772,6 +6781,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -6784,11 +6794,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y -CONFIG_CRYPTO_AKCIPHER=m +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -CONFIG_CRYPTO_RSA=m +CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_DH=m CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -6857,7 +6867,7 @@ CONFIG_CRYPTO_RMD256=m CONFIG_CRYPTO_RMD320=m CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA512=m +CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m @@ -6914,6 +6924,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y CONFIG_CRYPTO_USER_API_RNG=m CONFIG_CRYPTO_USER_API_AEAD=m +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -6933,11 +6944,21 @@ CONFIG_CRYPTO_DEV_QAT_C3XXXVF=m CONFIG_CRYPTO_DEV_QAT_C62XVF=m CONFIG_CRYPTO_DEV_CHELSIO=m CONFIG_CRYPTO_DEV_VIRTIO=m -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PKCS7_TEST_KEY=m +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
# # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set CONFIG_HAVE_KVM=y CONFIG_HAVE_KVM_IRQCHIP=y @@ -7045,8 +7066,8 @@ CONFIG_CLZ_TAB=y CONFIG_CORDIC=m # CONFIG_DDR is not set CONFIG_IRQ_POLL=y -CONFIG_MPILIB=m -CONFIG_OID_REGISTRY=m +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 2fcf1e589..b16d13504 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.154-ipfire Kernel Configuration +# Linux/x86 4.14.170-ipfire Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -242,7 +242,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y CONFIG_HOTPLUG_SMT=y @@ -354,7 +354,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y 
@@ -418,7 +426,7 @@ CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y -CONFIG_ASN1=m +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y @@ -6565,6 +6573,7 @@ CONFIG_DOUBLEFAULT=y # CONFIG_DEBUG_TLBFLUSH is not set # CONFIG_IOMMU_STRESS is not set CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set CONFIG_IO_DELAY_TYPE_0X80=0 CONFIG_IO_DELAY_TYPE_0XED=1 CONFIG_IO_DELAY_TYPE_UDELAY=2 @@ -6630,6 +6639,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -6642,11 +6652,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y -CONFIG_CRYPTO_AKCIPHER=m +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -CONFIG_CRYPTO_RSA=m +CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_DH=m CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -6723,7 +6733,7 @@ CONFIG_CRYPTO_SHA1_MB=m CONFIG_CRYPTO_SHA256_MB=m CONFIG_CRYPTO_SHA512_MB=m CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA512=m +CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m @@ -6793,6 +6803,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y CONFIG_CRYPTO_USER_API_RNG=m CONFIG_CRYPTO_USER_API_AEAD=m +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -6813,11 +6824,21 @@ CONFIG_CRYPTO_DEV_NITROX=m CONFIG_CRYPTO_DEV_NITROX_CNN55XX=m CONFIG_CRYPTO_DEV_CHELSIO=m CONFIG_CRYPTO_DEV_VIRTIO=m -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_PKCS7_TEST_KEY is not set +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
# # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set CONFIG_HAVE_KVM=y CONFIG_HAVE_KVM_IRQCHIP=y @@ -6925,8 +6946,8 @@ CONFIG_CLZ_TAB=y CONFIG_CORDIC=m # CONFIG_DDR is not set CONFIG_IRQ_POLL=y -CONFIG_MPILIB=m -CONFIG_OID_REGISTRY=m +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set
diff --git a/config/kernel/x509.genkey b/config/kernel/x509.genkey
new file mode 100644
index 000000000..9640ec6d0
--- /dev/null
+++ b/config/kernel/x509.genkey
@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = IPFire.org
+CN = Build time autogenerated kernel key
+emailAddress = development@lists.ipfire.org
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
diff --git a/config/rootfiles/common/i586/linux b/config/rootfiles/common/i586/linux
index 684dbe07b..e65260974 100644
--- a/config/rootfiles/common/i586/linux
+++ b/config/rootfiles/common/i586/linux
@@ -2092,6 +2092,8 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/certs
 #lib/modules/KVER-ipfire/build/certs/Kconfig
 #lib/modules/KVER-ipfire/build/certs/Makefile
+#lib/modules/KVER-ipfire/build/certs/signing_key.pem
+#lib/modules/KVER-ipfire/build/certs/signing_key.x509
 #lib/modules/KVER-ipfire/build/crypto
 #lib/modules/KVER-ipfire/build/crypto/Kconfig
 #lib/modules/KVER-ipfire/build/crypto/Makefile
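Review bot: The new config/kernel/x509.genkey has no comment saying what consumes it, and it sets neither a digest nor a validity period. Both therefore depend on the openssl invocation that uses this template, which is not visible in this file. A one-line header would make that explicit, for example `# openssl req template for the module signing key generated at build time; digest and lifetime are set by the caller`.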
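Review bot: The entry `#lib/modules/KVER-ipfire/build/certs/signing_key.pem` added in the `@@ -2092,6 +2092,8 @@` hunk of config/rootfiles/common/i586/linux shows that the module signing private key is left in the installed build tree. With `CONFIG_MODULE_SIG_FORCE=y`, the guarantee depends on that key staying private, since a module signed with it is accepted by this kernel. The leading `#` presumably keeps the file out of the image, but that leaves a single comment character in a very long list as the only safeguard; the same entry is added to config/rootfiles/packages/linux-pae. I would remove the key in lfs/linux once all modules, including the xtables-addons ones, have been signed, so that `signing_key.pem` never needs a rootfile entry. The lfs/linux part of this commit is not visible here, so it may already do this.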
@@ -6198,6 +6200,12 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/asus/nb/wmi.h #lib/modules/KVER-ipfire/build/include/config/asus/wireless.h #lib/modules/KVER-ipfire/build/include/config/asus/wmi.h +#lib/modules/KVER-ipfire/build/include/config/asymmetric +#lib/modules/KVER-ipfire/build/include/config/asymmetric/key +#lib/modules/KVER-ipfire/build/include/config/asymmetric/key/type.h +#lib/modules/KVER-ipfire/build/include/config/asymmetric/public +#lib/modules/KVER-ipfire/build/include/config/asymmetric/public/key +#lib/modules/KVER-ipfire/build/include/config/asymmetric/public/key/subtype.h #lib/modules/KVER-ipfire/build/include/config/async #lib/modules/KVER-ipfire/build/include/config/async/core.h #lib/modules/KVER-ipfire/build/include/config/async/memcpy.h @@ -6853,7 +6861,9 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/crypto/glue #lib/modules/KVER-ipfire/build/include/config/crypto/glue/helper #lib/modules/KVER-ipfire/build/include/config/crypto/glue/helper/x86.h +#lib/modules/KVER-ipfire/build/include/config/crypto/hash #lib/modules/KVER-ipfire/build/include/config/crypto/hash.h +#lib/modules/KVER-ipfire/build/include/config/crypto/hash/info.h #lib/modules/KVER-ipfire/build/include/config/crypto/hash2.h #lib/modules/KVER-ipfire/build/include/config/crypto/hmac.h #lib/modules/KVER-ipfire/build/include/config/crypto/hw.h 
@@ -9077,6 +9087,13 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/module/compress #lib/modules/KVER-ipfire/build/include/config/module/compress.h #lib/modules/KVER-ipfire/build/include/config/module/compress/xz.h +#lib/modules/KVER-ipfire/build/include/config/module/sig +#lib/modules/KVER-ipfire/build/include/config/module/sig.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/all.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/force.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/hash.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/key.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/sha512.h #lib/modules/KVER-ipfire/build/include/config/module/srcversion #lib/modules/KVER-ipfire/build/include/config/module/srcversion/all.h #lib/modules/KVER-ipfire/build/include/config/module/unload.h @@ -10008,6 +10025,11 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/pinctrl/lewisburg.h #lib/modules/KVER-ipfire/build/include/config/pinctrl/mcp23s08.h #lib/modules/KVER-ipfire/build/include/config/pinmux.h +#lib/modules/KVER-ipfire/build/include/config/pkcs7 +#lib/modules/KVER-ipfire/build/include/config/pkcs7/message +#lib/modules/KVER-ipfire/build/include/config/pkcs7/message/parser.h +#lib/modules/KVER-ipfire/build/include/config/pkcs7/test +#lib/modules/KVER-ipfire/build/include/config/pkcs7/test/key.h #lib/modules/KVER-ipfire/build/include/config/plx #lib/modules/KVER-ipfire/build/include/config/plx/hermes.h #lib/modules/KVER-ipfire/build/include/config/pm 
@@ -11265,6 +11287,12 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/sysfs #lib/modules/KVER-ipfire/build/include/config/sysfs.h #lib/modules/KVER-ipfire/build/include/config/sysfs/syscall.h +#lib/modules/KVER-ipfire/build/include/config/system +#lib/modules/KVER-ipfire/build/include/config/system/data +#lib/modules/KVER-ipfire/build/include/config/system/data/verification.h +#lib/modules/KVER-ipfire/build/include/config/system/trusted +#lib/modules/KVER-ipfire/build/include/config/system/trusted/keyring.h +#lib/modules/KVER-ipfire/build/include/config/system/trusted/keys.h #lib/modules/KVER-ipfire/build/include/config/sysvipc #lib/modules/KVER-ipfire/build/include/config/sysvipc.h #lib/modules/KVER-ipfire/build/include/config/sysvipc/sysctl.h @@ -12118,6 +12146,9 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/wlcore/sdio.h #lib/modules/KVER-ipfire/build/include/config/wmi #lib/modules/KVER-ipfire/build/include/config/wmi/bmof.h +#lib/modules/KVER-ipfire/build/include/config/x509 +#lib/modules/KVER-ipfire/build/include/config/x509/certificate +#lib/modules/KVER-ipfire/build/include/config/x509/certificate/parser.h #lib/modules/KVER-ipfire/build/include/config/x86 #lib/modules/KVER-ipfire/build/include/config/x86.h #lib/modules/KVER-ipfire/build/include/config/x86/32 @@ -17577,6 +17608,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/scripts/dtc/util.h #lib/modules/KVER-ipfire/build/scripts/dtc/version_gen.h #lib/modules/KVER-ipfire/build/scripts/export_report.pl +#lib/modules/KVER-ipfire/build/scripts/extract-cert #lib/modules/KVER-ipfire/build/scripts/extract-cert.c #lib/modules/KVER-ipfire/build/scripts/extract-ikconfig #lib/modules/KVER-ipfire/build/scripts/extract-module-sig.pl 
@@ -17758,6 +17790,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/scripts/selinux/mdp/mdp.c #lib/modules/KVER-ipfire/build/scripts/setlocalversion #lib/modules/KVER-ipfire/build/scripts/show_delta +#lib/modules/KVER-ipfire/build/scripts/sign-file #lib/modules/KVER-ipfire/build/scripts/sign-file.c #lib/modules/KVER-ipfire/build/scripts/sortextable #lib/modules/KVER-ipfire/build/scripts/sortextable.c @@ -18485,6 +18518,8 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/crypto/ansi_cprng.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/anubis.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/arc4.ko.xz +#lib/modules/KVER-ipfire/kernel/crypto/asymmetric_keys +#lib/modules/KVER-ipfire/kernel/crypto/asymmetric_keys/pkcs7_test_key.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/async_tx #lib/modules/KVER-ipfire/kernel/crypto/async_tx/async_memcpy.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/async_tx/async_pq.ko.xz @@ -18527,12 +18562,10 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/crypto/rmd160.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/rmd256.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/rmd320.ko.xz -#lib/modules/KVER-ipfire/kernel/crypto/rsa_generic.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/salsa20_generic.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/seed.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/serpent_generic.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/sha3_generic.ko.xz -#lib/modules/KVER-ipfire/kernel/crypto/sha512_generic.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/tcrypt.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/tea.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/tgr192.ko.xz 
@@ -21202,7 +21235,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/842 #lib/modules/KVER-ipfire/kernel/lib/842/842_compress.ko.xz #lib/modules/KVER-ipfire/kernel/lib/842/842_decompress.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/asn1_decoder.ko.xz #lib/modules/KVER-ipfire/kernel/lib/cordic.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crc-itu-t.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crc7.ko.xz @@ -21212,9 +21244,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/lz4/lz4hc_compress.ko.xz #lib/modules/KVER-ipfire/kernel/lib/lzo #lib/modules/KVER-ipfire/kernel/lib/lzo/lzo_compress.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/mpi -#lib/modules/KVER-ipfire/kernel/lib/mpi/mpi.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/oid_registry.ko.xz #lib/modules/KVER-ipfire/kernel/lib/parman.ko.xz #lib/modules/KVER-ipfire/kernel/lib/raid6 #lib/modules/KVER-ipfire/kernel/lib/raid6/raid6_pq.ko.xz diff --git a/config/rootfiles/packages/linux-pae b/config/rootfiles/packages/linux-pae index c0894cd1f..8c7b1f66b 100644 --- a/config/rootfiles/packages/linux-pae +++ b/config/rootfiles/packages/linux-pae @@ -2092,6 +2092,8 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/certs #lib/modules/KVER-ipfire-pae/build/certs/Kconfig #lib/modules/KVER-ipfire-pae/build/certs/Makefile +#lib/modules/KVER-ipfire-pae/build/certs/signing_key.pem +#lib/modules/KVER-ipfire-pae/build/certs/signing_key.x509 #lib/modules/KVER-ipfire-pae/build/crypto #lib/modules/KVER-ipfire-pae/build/crypto/Kconfig #lib/modules/KVER-ipfire-pae/build/crypto/Makefile 
@@ -6204,6 +6206,12 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/asus/nb/wmi.h #lib/modules/KVER-ipfire-pae/build/include/config/asus/wireless.h #lib/modules/KVER-ipfire-pae/build/include/config/asus/wmi.h +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/key +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/key/type.h +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/public +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/public/key +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/public/key/subtype.h #lib/modules/KVER-ipfire-pae/build/include/config/async #lib/modules/KVER-ipfire-pae/build/include/config/async/core.h #lib/modules/KVER-ipfire-pae/build/include/config/async/memcpy.h @@ -6862,7 +6870,9 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/crypto/glue #lib/modules/KVER-ipfire-pae/build/include/config/crypto/glue/helper #lib/modules/KVER-ipfire-pae/build/include/config/crypto/glue/helper/x86.h +#lib/modules/KVER-ipfire-pae/build/include/config/crypto/hash #lib/modules/KVER-ipfire-pae/build/include/config/crypto/hash.h +#lib/modules/KVER-ipfire-pae/build/include/config/crypto/hash/info.h #lib/modules/KVER-ipfire-pae/build/include/config/crypto/hash2.h #lib/modules/KVER-ipfire-pae/build/include/config/crypto/hmac.h #lib/modules/KVER-ipfire-pae/build/include/config/crypto/hw.h 
@@ -9076,6 +9086,13 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/module/compress #lib/modules/KVER-ipfire-pae/build/include/config/module/compress.h #lib/modules/KVER-ipfire-pae/build/include/config/module/compress/xz.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/all.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/force.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/hash.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/key.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/sha512.h #lib/modules/KVER-ipfire-pae/build/include/config/module/srcversion #lib/modules/KVER-ipfire-pae/build/include/config/module/srcversion/all.h #lib/modules/KVER-ipfire-pae/build/include/config/module/unload.h @@ -10012,6 +10029,11 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/pinctrl/lewisburg.h #lib/modules/KVER-ipfire-pae/build/include/config/pinctrl/mcp23s08.h #lib/modules/KVER-ipfire-pae/build/include/config/pinmux.h +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7 +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7/message +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7/message/parser.h +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7/test +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7/test/key.h #lib/modules/KVER-ipfire-pae/build/include/config/plx #lib/modules/KVER-ipfire-pae/build/include/config/plx/hermes.h #lib/modules/KVER-ipfire-pae/build/include/config/pm 
@@ -11268,6 +11290,12 @@ boot/vmlinuz-KVER-ipfire-pae
 #lib/modules/KVER-ipfire-pae/build/include/config/sysfs
 #lib/modules/KVER-ipfire-pae/build/include/config/sysfs.h
 #lib/modules/KVER-ipfire-pae/build/include/config/sysfs/syscall.h
+#lib/modules/KVER-ipfire-pae/build/include/config/system
+#lib/modules/KVER-ipfire-pae/build/include/config/system/data
+#lib/modules/KVER-ipfire-pae/build/include/config/system/data/verification.h
+#lib/modules/KVER-ipfire-pae/build/include/config/system/trusted
+#lib/modules/KVER-ipfire-pae/build/include/config/system/trusted/keyring.h
+#lib/modules/KVER-ipfire-pae/build/include/config/system/trusted/keys.h
 #lib/modules/KVER-ipfire-pae/build/include/config/sysvipc
 #lib/modules/KVER-ipfire-pae/build/include/config/sysvipc.h
 #lib/modules/KVER-ipfire-pae/build/include/config/sysvipc/sysctl.h
@@ -12121,6 +12149,9 @@ boot/vmlinuz-KVER-ipfire-pae
 #lib/modules/KVER-ipfire-pae/build/include/config/wlcore/sdio.h
 #lib/modules/KVER-ipfire-pae/build/include/config/wmi
 #lib/modules/KVER-ipfire-pae/build/include/config/wmi/bmof.h
+#lib/modules/KVER-ipfire-pae/build/include/config/x509
+#lib/modules/KVER-ipfire-pae/build/include/config/x509/certificate
+#lib/modules/KVER-ipfire-pae/build/include/config/x509/certificate/parser.h
 #lib/modules/KVER-ipfire-pae/build/include/config/x86
 #lib/modules/KVER-ipfire-pae/build/include/config/x86.h
 #lib/modules/KVER-ipfire-pae/build/include/config/x86/32
@@ -17647,6 +17678,7 @@ boot/vmlinuz-KVER-ipfire-pae
 #lib/modules/KVER-ipfire-pae/build/scripts/dtc/util.h
 #lib/modules/KVER-ipfire-pae/build/scripts/dtc/version_gen.h
 #lib/modules/KVER-ipfire-pae/build/scripts/export_report.pl
+#lib/modules/KVER-ipfire-pae/build/scripts/extract-cert
 #lib/modules/KVER-ipfire-pae/build/scripts/extract-cert.c
 #lib/modules/KVER-ipfire-pae/build/scripts/extract-ikconfig
 #lib/modules/KVER-ipfire-pae/build/scripts/extract-module-sig.pl
@@ -17828,6 +17860,7 @@ boot/vmlinuz-KVER-ipfire-pae
 #lib/modules/KVER-ipfire-pae/build/scripts/selinux/mdp/mdp.c
 #lib/modules/KVER-ipfire-pae/build/scripts/setlocalversion
 #lib/modules/KVER-ipfire-pae/build/scripts/show_delta
+#lib/modules/KVER-ipfire-pae/build/scripts/sign-file
 #lib/modules/KVER-ipfire-pae/build/scripts/sign-file.c
 #lib/modules/KVER-ipfire-pae/build/scripts/sortextable
 #lib/modules/KVER-ipfire-pae/build/scripts/sortextable.c
@@ -18555,6 +18588,8 @@ lib/modules/KVER-ipfire-pae/kernel
 #lib/modules/KVER-ipfire-pae/kernel/crypto/ansi_cprng.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/anubis.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/arc4.ko.xz
+#lib/modules/KVER-ipfire-pae/kernel/crypto/asymmetric_keys
+#lib/modules/KVER-ipfire-pae/kernel/crypto/asymmetric_keys/pkcs7_test_key.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/async_tx
 #lib/modules/KVER-ipfire-pae/kernel/crypto/async_tx/async_memcpy.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/async_tx/async_pq.ko.xz
@@ -18597,12 +18632,10 @@ lib/modules/KVER-ipfire-pae/kernel
 #lib/modules/KVER-ipfire-pae/kernel/crypto/rmd160.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/rmd256.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/rmd320.ko.xz
-#lib/modules/KVER-ipfire-pae/kernel/crypto/rsa_generic.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/salsa20_generic.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/seed.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/serpent_generic.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/sha3_generic.ko.xz
-#lib/modules/KVER-ipfire-pae/kernel/crypto/sha512_generic.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/tcrypt.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/tea.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/tgr192.ko.xz
@@ -21288,7 +21321,6 @@ lib/modules/KVER-ipfire-pae/kernel #lib/modules/KVER-ipfire-pae/kernel/lib/842 #lib/modules/KVER-ipfire-pae/kernel/lib/842/842_compress.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/842/842_decompress.ko.xz -#lib/modules/KVER-ipfire-pae/kernel/lib/asn1_decoder.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/cordic.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/crc-itu-t.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/crc4.ko.xz @@ -21299,9 +21331,6 @@ lib/modules/KVER-ipfire-pae/kernel #lib/modules/KVER-ipfire-pae/kernel/lib/lz4/lz4hc_compress.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/lzo #lib/modules/KVER-ipfire-pae/kernel/lib/lzo/lzo_compress.ko.xz -#lib/modules/KVER-ipfire-pae/kernel/lib/mpi -#lib/modules/KVER-ipfire-pae/kernel/lib/mpi/mpi.ko.xz -#lib/modules/KVER-ipfire-pae/kernel/lib/oid_registry.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/parman.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/raid6 #lib/modules/KVER-ipfire-pae/kernel/lib/raid6/raid6_pq.ko.xz diff --git a/lfs/linux b/lfs/linux index aac2c4868..9bfa49fb8 100644 --- a/lfs/linux +++ b/lfs/linux @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,8 +24,8 @@
include Config
-VER = 4.14.154
-ARM_PATCHES = 4.14.154-ipfire0
+VER = 4.14.170
+ARM_PATCHES = 4.14.170-ipfire0
THISAPP = linux-$(VER) DL_FILE = linux-$(VER).tar.xz @@ -34,7 +34,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) CFLAGS = CXXFLAGS =
-PAK_VER = 89
+PAK_VER = 90
 DEPS = ""
HEADERS_ARCH = $(BUILD_PLATFORM) @@ -82,8 +82,8 @@ objects =$(DL_FILE) \ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
-$(DL_FILE)_MD5 = d6cf4b51c1cd10bc48bac50f4557a0d9
-arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 539737e07e5634565b3f4f1b932c269b
+$(DL_FILE)_MD5 = 2e3d6daa02e422f2387e7d2352e6aca8
+arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 2bf7ce33777ca17fd0cc8ab6c137c656
install : $(TARGET)
@@ -178,6 +178,9 @@ else cd $(DIR_APP) && make clean cd $(DIR_APP) && sed -i -e 's/EXTRAVERSION\ =.*/EXTRAVERSION\ =\ -$(VERSUFIX)/' Makefile
+ # Copy Module signing key configuration + cp -f $(DIR_SRC)/config/kernel/x509.genkey $(DIR_APP)/certs/x509.genkey + # Remove modules folder if exists rm -rf /lib/modules/$(VER)-$(VERSUFIX)
@@ -219,6 +222,9 @@ endif cd $(DIR_APP) && cp -a --parents arch/$(HEADERS_ARCH)/include /lib/modules/$(VER)-$(VERSUFIX)/build cd $(DIR_APP) && cp -a include /lib/modules/$(VER)-$(VERSUFIX)/build/include
+ # Copy module signing key for off tree modules + cd $(DIR_APP) && cp -f certs/signing_key.* /lib/modules/$(VER)-$(VERSUFIX)/build/certs/ + # Install objtool cd $(DIR_APP) && cp -a tools/objtool/objtool \ /lib/modules/$(VER)-$(VERSUFIX)/build/tools/objtool/ || : diff --git a/lfs/xtables-addons b/lfs/xtables-addons index 2152fa5fd..651a13f9c 100644 --- a/lfs/xtables-addons +++ b/lfs/xtables-addons @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -106,9 +106,14 @@ else cd $(DIR_APP) && make $(MAKETUNING)
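Review bot: The added `cp -f certs/signing_key.* /lib/modules/$(VER)-$(VERSUFIX)/build/certs/` places the private signing key (`signing_key.pem`) in the installed kernel build tree, and nothing in this hunk removes it again or documents that it must stay out of the shipped image. With `CONFIG_MODULE_SIG_FORCE=y` enabled by this commit, anyone who obtains that file can sign modules the kernel will accept, so the copy should be treated as build-time only. I would add a comment above the line such as `# signing_key.pem is the PRIVATE key: needed only to sign off-tree modules, must never be listed in a rootfile`, and remove the copy once the last external module has been signed. The rootfile hunks visible here add `build/scripts/sign-file` but no `build/certs` entries; whether the key is excluded from packaging cannot be confirmed from this diff. The install recipe starts and ends outside the hunk, so it is also not visible whether `build/certs/` exists before the `cp` runs.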
# Install the built kernel modules.
+ mkdir -p $(MODPATH)
 cd $(DIR_APP) && for f in $$(ls extensions/*.ko); do \
- mkdir -p $(MODPATH); \
- install -m 644 $$f $(MODPATH); \
+ /lib/modules/$$(uname -r)$(KCFG)/build/scripts/sign-file sha512 \
+ /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.pem \
+ /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.x509 \
+ $$f; \
+ xz $$f; \
+ install -m 644 $$f.xz $(MODPATH); \
 done
 endif
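Review bot: A failed `sign-file` does not stop this loop, because the added commands are joined with `;` and make only sees the exit status of the `install` in the last iteration. An unsigned `.ko.xz` would then be installed and the build would still pass, while a kernel built with `CONFIG_MODULE_SIG_FORCE=y` rejects that module at load time. Chain the steps instead: end the `$$f` line with `&& \`, write `xz $$f && \`, and finish with `install -m 644 $$f.xz $(MODPATH) || exit 1; \`. Separately, the `sign-file` and key paths are built from `$$(uname -r)`, which is the kernel the build host is running; if that can differ from the kernel just built, those paths will not exist, so deriving them from the same version variable that `$(MODPATH)` uses (defined outside this hunk) looks safer. The recipe begins outside the hunk.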
hooks/post-receive -- IPFire 2.x development tree