Commit Graph

473 Commits

Author SHA1 Message Date
Jan Alexander Steffens fb8eb1c560 Enable RANDOMIZE_KSTACK_OFFSET_DEFAULT
Additional hardening at a minimal cost, as requested by Levente.
2021-08-18 21:30:17 +00:00
Jan Alexander Steffens 5e6049790e 5.13.9.arch1-1 2021-08-08 12:14:43 +00:00
David Runge 2589876818 Upgrade to 5.13.4.arch1.
PKGBUILD:
Add C7E7849466FE2358343588377258734B41C31549 as additional recognized valid PGP
key, as heftig might not be able to prepare releases and package for a while.

config:
Consolidate with defaults for 5.13.4 based on previous config.
Update CONFIG_LSM to order landlock before lockdown and re-add bpf, as the
issue discussed in https://bugs.archlinux.org/task/71270 seems to have been a
user-error (using obsolete kernel parameters).
2021-07-20 17:34:49 +00:00
Jan Alexander Steffens fd38ec001c 5.13.1.arch1-1 2021-07-10 00:23:52 +00:00
Jan Alexander Steffens 4aa90295a0 5.12.14.arch1-1 2021-07-01 07:57:45 +00:00
Jan Alexander Steffens 65eddc1dfd FS#71325: Enable SPI_INTEL_SPI again 2021-06-25 23:47:16 +00:00
Jan Alexander Steffens 9bff7b52e3 5.12.13.arch1-1 2021-06-23 17:14:01 +00:00
Jan Alexander Steffens 38bd62e40b FS#71296: Enable DEBUG_LIST 2021-06-20 19:20:20 +00:00
Jan Alexander Steffens e7d5c4d89c 5.12.11.arch1-1 2021-06-16 22:13:35 +00:00
Jan Alexander Steffens d7bf404c33 FS#71270: Don't enable "bpf" LSM by default
It provides all possible hooks, which makes it harder to properly use
major LSMs. Using security= to enable a major LSM puts it at the end of
the list. Some functions (like security_getprocattr) only use the first
matching hook, thus prefer bpf.
2021-06-16 22:13:34 +00:00
Jan Alexander Steffens b7f14e1a69 5.12.8.arch1-1 2021-05-28 21:05:54 +00:00
Jan Alexander Steffens 99703861e1 FS#69505: Enable MTD_ROM 2021-05-27 19:39:55 +00:00
Jan Alexander Steffens 2a8704f5e1 Set KFENCE_SAMPLE_INTERVAL to 0
Turns off KFENCE by default, as requested by Levente. There are power
use issues, see
https://lore.kernel.org/linux-mm/20210421105132.3965998-1-elver@google.com/
2021-05-15 21:38:29 +00:00
Jan Alexander Steffens 1646eced3b Enable DEBUG_INFO_DWARF4
Required for BTF to work with GCC 11.
2021-05-15 21:38:27 +00:00
Jan Alexander Steffens cc87e6b052 5.12.2.arch1-1 2021-05-07 16:08:11 +00:00
Jan Alexander Steffens db81b3eea9 FS#70742: Enable MTD_NAND_ECC_* 2021-05-07 16:08:09 +00:00
Jan Alexander Steffens 621ea2d08c 5.12.1.arch1-1 2021-05-02 13:41:41 +00:00
Jan Alexander Steffens 7f6df05917 Turn on KFENCE by default
As requested by Levente.
2021-05-02 13:41:40 +00:00
Jan Alexander Steffens b03b4f7e6f 5.12.arch1-1 2021-04-26 21:33:26 +00:00
Jan Alexander Steffens d71e920034 5.11.16.arch1-1 2021-04-21 20:39:28 +00:00
Jan Alexander Steffens 62782a577d FS#69181: Enable FB_UVESA 2021-04-21 20:39:27 +00:00
Jan Alexander Steffens 0d66f76ec1 FS#68698: Enable HID_SENSOR_CUSTOM_SENSOR 2021-04-21 20:39:26 +00:00
Jan Alexander Steffens 6f3f90e76b FS#69505: Enable MTD_RAM 2021-04-21 20:39:22 +00:00
Jan Alexander Steffens 85750f85be Revert "Enable LOAD_UEFI_KEYS"
It didn't help secure dkms modules like we thought it would.
2021-04-17 00:56:34 +00:00
Jan Alexander Steffens 4e15a9f945 5.11.15.arch1-1 2021-04-16 12:28:14 +00:00
Jan Alexander Steffens 9a383dc10f Enable LOAD_UEFI_KEYS
https://bbs.archlinux.org/viewtopic.php?pid=1861193#p1861193

Requested by Foxboron.
2021-04-16 12:28:12 +00:00
Jan Alexander Steffens 46d00c9794 5.11.13.arch1-1 2021-04-10 21:25:36 +00:00
Jan Alexander Steffens 44305ad48b FS#70375: Disable BT_HS 2021-04-09 18:49:50 +00:00
Jan Alexander Steffens 3272234053 FS#70384: Return atkbd to a module 2021-04-09 14:49:24 +00:00
Jan Alexander Steffens eac563f39e 5.11.12.arch1-1 2021-04-07 22:37:33 +00:00
Jan Alexander Steffens 56380b3e43 FS#70299: Enable IDLE_PAGE_TRACKING 2021-04-05 12:50:09 +00:00
Jan Alexander Steffens e74e4210d3 5.11.11.arch1-1 2021-03-30 14:47:29 +00:00
Jan Alexander Steffens f99611e296 FS#69441: Revert "Disable USB gadget support" 2021-03-30 14:47:28 +00:00
Jan Alexander Steffens ca32941726 5.11.9.arch1-1 2021-03-24 19:28:05 +00:00
Jan Alexander Steffens d014a88b5b FS#70140: Enable EFI_VARS_PSTORE_DEFAULT_DISABLE 2021-03-24 19:28:03 +00:00
Jan Alexander Steffens 364d5e5432 5.11.8.arch1-1 2021-03-21 02:30:21 +00:00
Jan Alexander Steffens 1cf3662d97 FS#70064: Set SND_HDA_PREALLOC_SIZE to 0
This is also the default in Fedora.
2021-03-21 02:30:20 +00:00
Jan Alexander Steffens 1c099ca397 5.11.7.arch1-1 2021-03-17 17:35:35 +00:00
Jan Alexander Steffens b4a2e977d4 FS#69992: Enable SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC 2021-03-15 16:28:21 +00:00
Jan Alexander Steffens 7e6eb07df5 FS#69479: Disable BCM63XX drivers 2021-03-14 14:40:19 +00:00
Jan Alexander Steffens fc7f97fc30 FS#33958, FS#35753: Fix tomoyo settings 2021-03-14 14:40:17 +00:00
Jan Alexander Steffens e280f34fb3 5.11.4.arch1-1 2021-03-07 18:34:36 +00:00
Jan Alexander Steffens 62f6c03f2c 5.11.3.arch1-1 2021-03-04 22:24:21 +00:00
Jan Alexander Steffens cc8cce72b9 5.11.arch1-1 2021-02-15 23:56:35 +00:00
Jan Alexander Steffens 71c2279684 FS#69158: Return psmouse to a module 2021-02-04 19:32:19 +00:00
Jan Alexander Steffens 2630980304 5.10.13.arch1-1 2021-02-04 00:25:58 +00:00
Jan Alexander Steffens 7874717d9d FS#69479: Disable Lantiq and Rockchip drivers 2021-02-04 00:25:57 +00:00
Jan Alexander Steffens 861c5dfd04 Update security config
- Build in loadpin, but keep it disabled by default
- Enable bpf by default
2021-02-04 00:25:55 +00:00
Jan Alexander Steffens d04972b60c FS#69212: Reenable multimedia test drivers 2021-01-31 01:33:42 +00:00
Jan Alexander Steffens c19564ecfa 5.10.6.arch1-1 2021-01-09 19:17:04 +00:00
Jan Alexander Steffens 87cfb1a823 Reenable MTD_PHRAM
Can be used with syslinux's memdiskfind to mount a filesystem image.
2021-01-01 06:17:41 +00:00
Jan Alexander Steffens 45857ed86c Enable SECURITY_DMESG_RESTRICT
Default on Debian, and seems to be reasonable for us since we also don't
allow access to the system journal by default.
2020-12-31 01:18:17 +00:00
Jan Alexander Steffens b54786ee1f 5.10.4.arch1-1 2020-12-31 01:18:16 +00:00
Jan Alexander Steffens ddeb06b257 Revert two config changes
As requested by Levente.
2020-12-22 01:33:12 +00:00
Jan Alexander Steffens 5ee180e682 5.10.2.arch1-1 2020-12-21 20:50:34 +00:00
Jan Alexander Steffens 2f63adc58f Disable most of MTD
Besides some support for directly flashing BIOS chips which is marked as
DANGEROUS, these seem only useful on embedded devices.

Only leave the simulator and the MTD-on-block emulator.
2020-12-18 23:32:10 +00:00
Jan Alexander Steffens a10b2065c8 Disable SFI
Only used on some exotic Intel smartphone platforms without ACPI.
2020-12-18 23:32:09 +00:00
Jan Alexander Steffens 994cbff510 Disable autosleep and wakelocks
Not useful without appropriate userspace, like Android.
2020-12-18 23:32:08 +00:00
Jan Alexander Steffens d522f29651 Disable PCI endpoint support
We're only running on host devices.
2020-12-18 23:32:08 +00:00
Jan Alexander Steffens 554f6e5ad8 Disable CAIF
Seems to be for ST-Ericsson embedded modems.
2020-12-18 23:32:07 +00:00
Jan Alexander Steffens 4d3936f486 Disable VME and RapidIO
Seems to be exotic, industrial hardware.
2020-12-18 23:32:06 +00:00
Jan Alexander Steffens 09b5d73900 Disable USB gadget support
We're only running on host devices.
2020-12-18 23:32:05 +00:00
Jan Alexander Steffens a661403002 Disable CONFIG_EXPERT
I'm not.
2020-12-18 23:32:05 +00:00
Jan Alexander Steffens bd50d947c3 Disable SDR and test media drivers
Using the device type filter menu.
2020-12-18 23:32:04 +00:00
Jan Alexander Steffens bf6633be3e Disable Comedi
Big driver set in staging of little use.
2020-12-18 23:32:03 +00:00
Jan Alexander Steffens 0c99750850 Disable I3C, SPMI and HSI
Seems to be restricted to embedded stuff with integrated modems.
2020-12-18 23:32:02 +00:00
Jan Alexander Steffens 5a395d000c Disable OpenFirmware support
This is a big chunk of drivers that doesn't seem to be useful to us.
2020-12-18 23:32:01 +00:00
Jan Alexander Steffens 56811c1973 Pick some configuration options from Fedora's default kernel
Mostly choices about which modules to build in, some more debugfs
entries and boot self-tests.

  - Unset GART_IOMMU: Old IOMMU code, should be unused.
  - Unset MICROCODE_OLD_INTERFACE: Option help emphatically asks not to
    set this.
  - Unset ARCH_MEMORY_PROBE: Manual memory hot-plug should be unused.
  - Unset USB_DYNAMIC_MINORS: We had this set forever, but it doesn't
    actually seem to be needed.
  - Unset NTFS_FS: Please use ntfs-3g.
2020-12-18 23:32:00 +00:00
Jan Alexander Steffens 056e1229cd Disable DCCP (still affected by CVE-2020-16119) 2020-12-18 17:58:35 +00:00
Jan Alexander Steffens 8c2a9a8da9 FS#68978 Enable SoundWire machine driver 2020-12-16 14:37:37 +00:00
Jan Alexander Steffens e32e0ba50d 5.10.1.arch1-1 2020-12-15 21:22:15 +00:00
Jan Alexander Steffens d0179d6259 5.9.14.arch1-1 2020-12-12 22:02:25 +00:00
Jan Alexander Steffens fe6596ab57 5.9.11.arch2-1 2020-11-28 02:51:37 +00:00
Jan Alexander Steffens 87febd662a 5.9.4.arch1-1 2020-11-04 22:42:21 +00:00
Jan Alexander Steffens 2c8951be72 5.9.arch1-1 2020-10-12 21:06:00 +00:00
Jan Alexander Steffens dc92454675 5.8.14.arch1-1: FS#68092 Restore HDA prealloc 2020-10-07 23:59:36 +00:00
Jan Alexander Steffens ea62179998 5.8.6.arch1-1 2020-09-03 18:54:38 +00:00
Jan Alexander Steffens 09a3f454bd 5.8.5.arch1-1 2020-08-27 20:01:26 +00:00
Jan Alexander Steffens 04d29ded1f 5.8.arch1-2: Enable MEM_SOFT_DIRTY (FS#67509) and USERFAULTFD (FS#62780) 2020-08-09 01:43:59 +00:00
Jan Alexander Steffens 3b798b5973 5.8.arch1-1 2020-08-03 20:08:49 +00:00
Jan Alexander Steffens ad5bfbb468 5.7.11.arch1-1 2020-07-29 22:37:08 +00:00
Jan Alexander Steffens 44c212c848 FS#67421 Enable APPLETALK again by request 2020-07-29 22:37:07 +00:00
Jan Alexander Steffens 86fcfba038 5.7.6.arch1-1 2020-06-25 01:09:41 +00:00
Jan Alexander Steffens 2db27e8ef8 5.7.1.arch1-1 2020-06-07 13:06:32 +00:00
Jan Alexander Steffens 56cd81178e 5.7.arch1-1 2020-06-02 00:16:56 +00:00
Jan Alexander Steffens 331cab0a7d 5.6.15.arch1-1 2020-05-28 00:29:18 +00:00
Jan Alexander Steffens 6f75f24bf0 5.6.8.arch1-1 2020-04-29 17:50:10 +00:00
Jan Alexander Steffens db2f694f61 5.6.5.arch2-1 2020-04-18 23:13:32 +00:00
Jan Alexander Steffens 135210db75 5.6.3.arch1-1 2020-04-08 08:45:18 +00:00
Jan Alexander Steffens f4bf2c8d61 Put lockdown LSM into default initialization list 2020-04-06 22:36:28 +00:00
Jan Alexander Steffens d917c0fbc9 5.6.2.arch1-2: FS#66076 disable EFI_DISABLE_PCI_DMA 2020-04-05 05:38:14 +00:00
Jan Alexander Steffens 7d58778a3e 5.6.arch1-1 2020-03-31 23:22:10 +00:00
Jan Alexander Steffens 1f9adc3a7c 5.5.13.arch2-1 2020-03-30 21:18:44 +00:00
Anatol Pomozov eb56d25042 Compile-in ATA/SATA drivers
ATA/SATA are one of the widely used perepherials. It makes sense to compile it as a part
of the kernel binary.
2020-03-28 00:12:04 +00:00
Jan Alexander Steffens 810a79881a FS#63260: Enable PAGE_POISONING 2020-02-22 21:30:47 +00:00
Jan Alexander Steffens 9a8a8558b5 FS#64861: Enable FONT_TER16x32 2020-02-21 21:34:57 +00:00
Jan Alexander Steffens 56d402493b FS#65518: Enable SND_SOC_INTEL_SKYLAKE 2020-02-17 00:55:11 +00:00
Jan Alexander Steffens 90b69f3da5 Disable INTEL_IOMMU_DEFAULT_ON
Intel IOMMU support is still in a shitty state. What a shame.
2020-02-04 18:04:39 +00:00
Jan Alexander Steffens 5c532afbaa 5.5.1.arch1-1: Enable INTEL_IOMMU_DEFAULT_ON
IOMMU is important for security in systems using PCI bridges (e.g.
Thunderbolt, USB4) or other means of DMA from potentially untrusted
devices (e.g. FireWire). It's also used to safely pass devices into VMs.

Enable it by default. It can still be disabled at boot using
intel_iommu=off. intel_iommu=igfx_off is also available to exclude just
the iGPU.
2020-02-01 17:53:24 +00:00
Jan Alexander Steffens 727d1e1d47 5.5.arch1-1 2020-01-27 22:28:27 +00:00
Jan Alexander Steffens 9b0026f12a 5.4.15.arch1-1 2020-01-26 10:12:29 +00:00
Jan Alexander Steffens 2231922647 5.4.13.arch1-1 2020-01-17 23:41:56 +00:00
Jan Alexander Steffens 91d5b604de FS#62384: Enable BPF_KPROBE_OVERRIDE
https://bugs.archlinux.org/task/62384
2020-01-17 23:41:55 +00:00
Jan Alexander Steffens 5ac0903843 5.4.7.arch1-1 2019-12-31 17:50:17 +00:00
Jan Alexander Steffens f3603dadd9 Disable SND_HDA_INTEL_DETECT_DMIC
It's not ready; the drivers that are supposed to step in when
snd-hda-intel aborts probing aren't working yet. v5.5 will have a better
solution for driver selection, anyway.
2019-12-13 11:34:25 +00:00
Jan Alexander Steffens 3ead601c9d 5.4.1.arch1-1 2019-11-29 14:56:15 +00:00
Jan Alexander Steffens 196a2934c5 Disable RMI4_F54
Doesn't crash now, but still pretty useless.
  - V4L device still confuses applications.
  - Reading a sensor image makes the touchpad unusable as an input
    device until it is power-cycled.
2019-11-27 20:28:02 +00:00
Jan Alexander Steffens 97381f5f19 Enable SND_HDA_INTEL_DETECT_DMIC
Now that we have SOF, let it handle systems with DMICs.
2019-11-27 20:28:01 +00:00
Jan Alexander Steffens 426a33d8ae FS#63464: Disable misbehaving SOF drivers
Reading the changes made at
https://github.com/thesofproject/linux/pull/1382/files
2019-11-27 20:27:58 +00:00
Jan Alexander Steffens d27c858681 5.4.arch1-1 2019-11-25 23:56:20 +00:00
Jan Alexander Steffens c189ce4263 Enable INIT_ON_ALLOC_DEFAULT_ON
https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/
2019-11-18 21:33:26 +00:00
Jan Alexander Steffens cad3b7156f 5.3.11.1-1 2019-11-12 23:21:40 +00:00
Jan Alexander Steffens 44420b8b15 Disable full dynticks 2019-11-03 14:24:59 +00:00
Jan Alexander Steffens aa190d3c60 Disable some stray Freescale audio modules 2019-11-03 14:24:58 +00:00
Jan Alexander Steffens 35f8455e06 FS#64302: Disable Google SMI
Crashes on various non-Google Chromebooks and Coreboot-using laptops
like Librem and reflashed ThinkPads.
2019-11-03 10:45:25 +00:00
Jan Alexander Steffens a53987ae76 FS#63464: Disable Sound Open Firmware
We don't ship any firmware files (yet) and the drivers can be loaded
in preference to the SST drivers, which we do have firmware for.
2019-11-02 08:23:45 +00:00
Jan Alexander Steffens b204fb2896 Disable CONFIG_RMI4_F54
The V4L touch device created is buggy, causing userspace applications
(PipeWire) to behave badly and even kernel panics when running

    v4l2-compliance -t 0 -s 1
2019-10-31 15:11:37 +00:00
Jan Alexander Steffens 3f306c2e10 FS#55784 enable google modules 2019-10-19 14:01:12 +00:00
Jan Alexander Steffens 964e000a29 5.3.2.arch2-1 2019-10-04 00:16:59 +00:00
Jan Alexander Steffens be16067dd6 Enable SUNRPC_DISABLE_INSECURE_ENCTYPES 2019-10-03 14:51:04 +00:00
Jan Alexander Steffens bd82bdc99a 5.3.arch1-1 2019-09-16 04:19:09 +00:00
Jan Alexander Steffens 92f97e2c06 5.2.10.arch1-1 2019-08-25 18:27:22 +00:00
Jan Alexander Steffens ec7e9200bb 5.2.5.arch1-1 2019-07-31 09:05:53 +00:00
Jan Alexander Steffens c75fb07643 FS#62432: Disable FW_LOADER_USER_HELPER 2019-07-30 21:04:09 +00:00
Jan Alexander Steffens 439e5a0af4 5.2.2.arch1-1: Disable stackleak; shows up in perf as 6-7% overhead 2019-07-21 19:43:40 +00:00
Jan Alexander Steffens 53d0c2511a 5.2.1.arch1-1 2019-07-14 21:46:06 +00:00
Jan Alexander Steffens e77150c276 Enable stackleak 2019-07-10 15:18:09 +00:00
Jan Alexander Steffens 0471ab33d5 5.2.arch2-1 2019-07-09 04:10:19 +00:00
Jan Alexander Steffens c8269e7394 Update config 2019-06-24 07:28:51 +00:00
Jan Alexander Steffens 6621446c2d 5.1.8.arch1-1 2019-06-09 21:32:47 +00:00
Jan Alexander Steffens 10505f2f9b Disable integrity, enable safesetid, only load yama by default 2019-05-07 20:04:22 +00:00
Jan Alexander Steffens 78a111327b 5.1.arch1-1 2019-05-06 23:33:26 +00:00
Jan Alexander Steffens f84d330b5f 5.0.10.arch1-1 2019-04-27 22:09:22 +00:00
Jan Alexander Steffens b16b08b24a FS#42910: Enable TOMOYO and SMACK 2019-04-09 21:53:11 +00:00
Jan Alexander Steffens bcf602c7ae 5.0.arch1-1 2019-03-04 15:36:14 +00:00
Jan Alexander Steffens 6d64c139ef 4.20.3.arch1-1 2019-01-17 00:31:30 +00:00
Jan Alexander Steffens fdbdebf5f1 4.20.1.arch1-1 2019-01-10 04:59:02 +00:00
Jan Alexander Steffens 4810e21851 4.20.arch1-1 2018-12-24 04:08:00 +00:00
Jan Alexander Steffens 03525e64df FS#60879: Enable CONFIG_IEEE802154_HWSIM 2018-12-09 23:10:36 +00:00
Jan Alexander Steffens bb9d85deef 4.19.7.arch1-1 2018-12-05 21:55:32 +00:00
Jan Alexander Steffens 21df49f85d 4.19.3.arch1-1 2018-11-22 07:41:48 +00:00
Jan Alexander Steffens 9036d47c87 FS#53288: Add GVRP 2018-11-20 22:04:33 +00:00
Jan Alexander Steffens d00e2383fc 4.19.2.arch1-1 2018-11-13 22:29:23 +00:00
Jan Alexander Steffens b1f5dbdf27 4.19.1.arch1-1 2018-11-04 17:56:31 +00:00
Jan Alexander Steffens b966f6d713 FS#60614: Enable Block-MQ by default 2018-11-04 16:36:58 +00:00
Jan Alexander Steffens 757573dfbc FS#57408: Reenable 16-bit support 2018-11-03 08:52:15 +00:00
Jan Alexander Steffens cf354551c2 Disable RANDOM_TRUST_CPU and IOMMU_DEBUGFS 2018-10-29 21:35:18 +00:00
Jan Alexander Steffens 19c2451141 FS#60520 Enable LEDS_SYSCON 2018-10-26 19:04:33 +00:00
Jan Alexander Steffens 4ce5aa26d4 4.19.arch1-1 2018-10-26 18:46:07 +00:00
Jan Alexander Steffens aac6d414e3 FS#46505 Minimal config for USB serial console support 2018-10-26 12:06:56 +00:00