From 040b4fafcd00b17b016b106bde68ee9593280bca Mon Sep 17 00:00:00 2001 From: Luis Ferreira Date: Mon, 22 Apr 2024 02:48:09 +0100 Subject: [PATCH 1/3] drivers/gpio: make GPIO_FSM module depend on CONFIG_OF --- drivers/gpio/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig index a8ae6add2b3b..7ac20c42dad6 100644 --- a/drivers/gpio/Kconfig +++ b/drivers/gpio/Kconfig @@ -1329,6 +1329,7 @@ config GPIO_ELKHARTLAKE config GPIO_FSM tristate "GPIO FSM support" + depends on OF help The GPIO FSM driver allows the creation of state machines for manipulating GPIOs (both real and virtual), with state transitions From e220a10cf49875534df4842fd1b55b033c5f255e Mon Sep 17 00:00:00 2001 From: Luis Ferreira Date: Mon, 29 Apr 2024 04:58:17 +0100 Subject: [PATCH 2/3] nix: add flake with linux package --- flake.lock | 27 +++++++++ flake.nix | 165 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 192 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 000000000000..1cb431a905f4 --- /dev/null +++ b/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1714253743, + "narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 000000000000..4b6239e37e52 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,165 @@
+{
+ description = "acjl's linux fork";
+
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ outputs = { self, ... }@inputs:
+ let
+ lib = inputs.nixpkgs.lib;
+
+ # =======================================================================
+
+ mkPackage = system: pkgs:
+ pkgs.linux_6_8.override {
+ argsOverride = rec {
+ src = ./.;
+
+ version = "6.8.8";
+ modDirVersion = "6.8.8-acjl1";
+
+ structuredExtraConfig =
+ with lib;
+ with lib.kernel;
+ with (lib.kernel.whenHelpers version);
+ {
+ # Report BUG() conditions and kill the offending process.
+ BUG = yes;
+
+ # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
+ # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+ # implicitly marks LSM hooks read-only after init.
+ #
+ # SELinux can only be disabled at boot via selinux=0
+ #
+ # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+ # config builder fails to detect that it has indeed been unset.
+ SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
+ SECURITY_WRITABLE_HOOKS = option no;
+
+ STRICT_KERNEL_RWX = yes;
+
+ # Perform additional validation of commonly targeted structures.
+ DEBUG_CREDENTIALS = whenOlder "6.6" yes;
+ DEBUG_NOTIFIERS = yes;
+ DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()
+ DEBUG_PLIST = whenAtLeast "5.2" yes;
+ DEBUG_SG = yes;
+ DEBUG_VIRTUAL = yes;
+ SCHED_STACK_END_CHECK = yes;
+
+ REFCOUNT_FULL = whenOlder "5.4.208" yes;
+
+ # tell EFI to wipe memory during reset
+ # https://lwn.net/Articles/730006/
+ RESET_ATTACK_MITIGATION = yes;
+
+ # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
+ CONFIG_LDISC_AUTOLOAD = option no;
+
+ # Randomize page allocator when page_alloc.shuffle=1
+ SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
+
+ # Wipe higher-level memory allocations on free() with page_poison=1
+ PAGE_POISONING = yes;
+ PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
+ PAGE_POISONING_ZERO = whenOlder "5.11" yes;
+
+ # Enable init_on_alloc and init_on_free by default
+ INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
+ INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
+
+ # Wipe all caller-used registers on exit from a function
+ ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes;
+
+ # Enable the SafeSetId LSM
+ SECURITY_SAFESETID = whenAtLeast "5.1" yes;
+
+ # Reboot devices immediately if kernel experiences an Oops.
+ PANIC_TIMEOUT = freeform "-1";
+
+ GCC_PLUGINS = yes; # Enable gcc plugin options
+ # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+ GCC_PLUGIN_LATENT_ENTROPY = yes;
+
+ GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin
+ GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address
+ GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
+ GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
+ GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
+
+ # Runtime undefined behaviour checks
+ # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
+ # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
+ UBSAN = yes;
+ UBSAN_TRAP = whenAtLeast "5.7" yes;
+ UBSAN_BOUNDS = whenAtLeast "5.7" yes;
+ UBSAN_SANITIZE_ALL = yes;
+ UBSAN_LOCAL_BOUNDS = option yes; # clang only
+ CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
+
+ # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
+ RANDSTRUCT = whenAtLeast "5.19" yes;
+ RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;
+
+ # Disable various dangerous settings
+ ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
+ PROC_KCORE = no; # Exposes kernel text image layout
+ INET_DIAG = no; # Has been used for heap based attacks in the past
+
+ # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+ # make them optional
+ INET_DIAG_DESTROY = option no;
+ INET_RAW_DIAG = option no;
+ INET_TCP_DIAG = option no;
+ INET_UDP_DIAG = option no;
+ INET_MPTCP_DIAG = option no;
+
+ # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+ CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
+ CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
+
+ # Detect out-of-bound reads/writes and use-after-free
+ KFENCE = whenAtLeast "5.12" yes;
+
+ # CONFIG_DEVMEM=n causes these to not exist anymore.
+ STRICT_DEVMEM = option no;
+ IO_STRICT_DEVMEM = option no;
+
+ # stricter IOMMU TLB invalidation
+ IOMMU_DEFAULT_DMA_STRICT = option yes;
+ IOMMU_DEFAULT_DMA_LAZY = option no;
+
+ # not needed for less than a decade old glibc versions
+ LEGACY_VSYSCALL_NONE = yes;
+
+ # Straight-Line-Speculation
+ # https://lwn.net/Articles/877845/
+ SLS = option yes;
+
+ # Linux RT
+ # PREEMPT_RT = yes;
+ # Fix error: unused option: PREEMPT_RT.
+ # EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+ # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+ # PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+ # Fix error: unused option: RT_GROUP_SCHED.
+ # RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+ };
+ };
+ };
+
+ in {
+ packages = builtins.listToAttrs (
+ map (system: {
+ name = "${system}";
+ value = {
+ default = mkPackage "${system}" (import inputs.nixpkgs { inherit system; });
+ };
+ }) [
+ "x86_64-linux"
+ "aarch64-linux"
+ ]
+ );
+ };
+}
+
From 3d1c42835aca9cec740b473e34b07d41217849f5 Mon Sep 17 00:00:00 2001
From: Luis Ferreira
Date: Mon, 29 Apr 2024 05:05:19 +0100
Subject: [PATCH 3/3] ci(github): add nix workflow
---
 .github/workflows/nix.yml | 44 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/nix.yml
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
new file mode 100644
index 000000000000..0afcf6aa6184
--- /dev/null
+++ b/.github/workflows/nix.yml
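Review bot: `CONFIG_LDISC_AUTOLOAD = option no;` is the only structuredExtraConfig key written with the `CONFIG_` prefix; every other key in this hunk (`BUG`, `STRICT_KERNEL_RWX`, `PAGE_POISONING`, …) omits it, and because the entry is marked `option` a name that matches nothing is presumably ignored rather than rejected, so the TIOCSETD restriction the comment describes is never applied — it should read `LDISC_AUTOLOAD = option no;`. The `STRICT_DEVMEM = option no;` / `IO_STRICT_DEVMEM = option no;` pair rests on the comment's assumption that DEVMEM is already disabled, but nothing in this file sets `DEVMEM = no`; if the base nixpkgs config leaves /dev/mem enabled, these two lines remove its access filtering instead of being no-ops, so either add `DEVMEM = no;` beside them or drop them. `version = "6.8.8"` is hard-coded next to `src = ./.;`, so a kernel bump in the tree's Makefile will silently produce a mismatched modDirVersion; a comment such as `# keep in sync with VERSION/PATCHLEVEL/SUBLEVEL in ./Makefile` would at least flag it.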
@@ -0,0 +1,44 @@
+name: nix
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/checkout@v4
+ - uses: nixbuild/nix-quick-install-action@v26
+ with:
+ nix_conf: |
+ experimental-features = nix-command flakes
+ substituters = https://cache.nixos.org/ https://nix-community.cachix.org
+ trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
+ keep-outputs = true
+
+ - name: Restore and cache Nix store
+ uses: nix-community/cache-nix-action@v4
+ with:
+ key: nixcache-${{ hashFiles('**/*.nix') }}
+ restore-keys: |
+ nixcache-
+
+ gc-linux: true
+ gc-max-store-size-linux: 1000000000
+
+ purge-caches: true
+ purge-key: nixcache-
+ purge-created: true
+ purge-created-max-age: 42
+
+ - uses: cachix/install-nix-action@v24
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ - run: nix build -v -L .
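Review bot: Nix is installed twice in the `build` job — `nixbuild/nix-quick-install-action@v26` at the top and `cachix/install-nix-action@v24` immediately before the `nix build` step — and the second installer writes its own nix.conf, which can discard the `substituters`, `trusted-public-keys` and `keep-outputs` settings the first step configured, so the restored store and binary caches may not be used by the actual build; drop the second step, since its `nix_path` is not consulted by a flake-based `nix build .`. Every action is referenced by a mutable tag (`@v4`, `@v26`, `@v24`); pinning each to a full commit SHA with the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, prevents a moved tag from silently changing the code that runs with the repository token. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope; a top-level `permissions: contents: read` is sufficient for checkout and build.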