Jan Alexander Steffens
d7bf404c33
FS#71270: Don't enable "bpf" LSM by default
It provides all possible hooks, which makes it harder to properly use
major LSMs. Using security= to enable a major LSM puts it at the end of
the list. Some functions (like security_getprocattr) only use the first
matching hook, thus prefer bpf.
2021-06-16 22:13:34 +00:00
Jan Alexander Steffens
b7f14e1a69
5.12.8.arch1-1
2021-05-28 21:05:54 +00:00
Jan Alexander Steffens
99703861e1
FS#69505: Enable MTD_ROM
2021-05-27 19:39:55 +00:00
Jan Alexander Steffens
2a8704f5e1
Set KFENCE_SAMPLE_INTERVAL to 0
Turns off KFENCE by default, as requested by Levente. There are power
use issues, see
https://lore.kernel.org/linux-mm/20210421105132.3965998-1-elver@google.com/
2021-05-15 21:38:29 +00:00
Jan Alexander Steffens
1646eced3b
Enable DEBUG_INFO_DWARF4
Required for BTF to work with GCC 11.
2021-05-15 21:38:27 +00:00
Jan Alexander Steffens
cc87e6b052
5.12.2.arch1-1
2021-05-07 16:08:11 +00:00
Jan Alexander Steffens
db81b3eea9
FS#70742: Enable MTD_NAND_ECC_*
2021-05-07 16:08:09 +00:00
Jan Alexander Steffens
621ea2d08c
5.12.1.arch1-1
2021-05-02 13:41:41 +00:00
Jan Alexander Steffens
7f6df05917
Turn on KFENCE by default
As requested by Levente.
2021-05-02 13:41:40 +00:00
Jan Alexander Steffens
b03b4f7e6f
5.12.arch1-1
2021-04-26 21:33:26 +00:00
Jan Alexander Steffens
d71e920034
5.11.16.arch1-1
2021-04-21 20:39:28 +00:00
Jan Alexander Steffens
62782a577d
FS#69181: Enable FB_UVESA
2021-04-21 20:39:27 +00:00
Jan Alexander Steffens
0d66f76ec1
FS#68698: Enable HID_SENSOR_CUSTOM_SENSOR
2021-04-21 20:39:26 +00:00
Jan Alexander Steffens
6f3f90e76b
FS#69505: Enable MTD_RAM
2021-04-21 20:39:22 +00:00
Jan Alexander Steffens
85750f85be
Revert "Enable LOAD_UEFI_KEYS"
It didn't help secure dkms modules like we thought it would.
2021-04-17 00:56:34 +00:00
Jan Alexander Steffens
4e15a9f945
5.11.15.arch1-1
2021-04-16 12:28:14 +00:00
Jan Alexander Steffens
9a383dc10f
Enable LOAD_UEFI_KEYS
https://bbs.archlinux.org/viewtopic.php?pid=1861193#p1861193
Requested by Foxboron.
2021-04-16 12:28:12 +00:00
Jan Alexander Steffens
46d00c9794
5.11.13.arch1-1
2021-04-10 21:25:36 +00:00
Jan Alexander Steffens
44305ad48b
FS#70375: Disable BT_HS
2021-04-09 18:49:50 +00:00
Jan Alexander Steffens
3272234053
FS#70384: Return atkbd to a module
2021-04-09 14:49:24 +00:00
Jan Alexander Steffens
eac563f39e
5.11.12.arch1-1
2021-04-07 22:37:33 +00:00
Jan Alexander Steffens
56380b3e43
FS#70299: Enable IDLE_PAGE_TRACKING
2021-04-05 12:50:09 +00:00
Jan Alexander Steffens
e74e4210d3
5.11.11.arch1-1
2021-03-30 14:47:29 +00:00
Jan Alexander Steffens
f99611e296
FS#69441: Revert "Disable USB gadget support"
2021-03-30 14:47:28 +00:00
Jan Alexander Steffens
ca32941726
5.11.9.arch1-1
2021-03-24 19:28:05 +00:00
Jan Alexander Steffens
d014a88b5b
FS#70140: Enable EFI_VARS_PSTORE_DEFAULT_DISABLE
2021-03-24 19:28:03 +00:00
Jan Alexander Steffens
364d5e5432
5.11.8.arch1-1
2021-03-21 02:30:21 +00:00
Jan Alexander Steffens
1cf3662d97
FS#70064: Set SND_HDA_PREALLOC_SIZE to 0
This is also the default in Fedora.
2021-03-21 02:30:20 +00:00
Jan Alexander Steffens
1c099ca397
5.11.7.arch1-1
2021-03-17 17:35:35 +00:00
Jan Alexander Steffens
b4a2e977d4
FS#69992: Enable SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC
2021-03-15 16:28:21 +00:00
Jan Alexander Steffens
7e6eb07df5
FS#69479: Disable BCM63XX drivers
2021-03-14 14:40:19 +00:00
Jan Alexander Steffens
fc7f97fc30
FS#33958, FS#35753: Fix tomoyo settings
2021-03-14 14:40:17 +00:00
Jan Alexander Steffens
e280f34fb3
5.11.4.arch1-1
2021-03-07 18:34:36 +00:00
Jan Alexander Steffens
62f6c03f2c
5.11.3.arch1-1
2021-03-04 22:24:21 +00:00
Jan Alexander Steffens
cc8cce72b9
5.11.arch1-1
2021-02-15 23:56:35 +00:00
Jan Alexander Steffens
71c2279684
FS#69158: Return psmouse to a module
2021-02-04 19:32:19 +00:00
Jan Alexander Steffens
2630980304
5.10.13.arch1-1
2021-02-04 00:25:58 +00:00
Jan Alexander Steffens
7874717d9d
FS#69479: Disable Lantiq and Rockchip drivers
2021-02-04 00:25:57 +00:00
Jan Alexander Steffens
861c5dfd04
Update security config
- Build in loadpin, but keep it disabled by default
- Enable bpf by default
2021-02-04 00:25:55 +00:00
Jan Alexander Steffens
d04972b60c
FS#69212: Reenable multimedia test drivers
2021-01-31 01:33:42 +00:00
Jan Alexander Steffens
c19564ecfa
5.10.6.arch1-1
2021-01-09 19:17:04 +00:00
Jan Alexander Steffens
87cfb1a823
Reenable MTD_PHRAM
Can be used with syslinux's memdiskfind to mount a filesystem image.
2021-01-01 06:17:41 +00:00
Jan Alexander Steffens
45857ed86c
Enable SECURITY_DMESG_RESTRICT
Default on Debian, and seems to be reasonable for us since we also don't
allow access to the system journal by default.
2020-12-31 01:18:17 +00:00
Jan Alexander Steffens
b54786ee1f
5.10.4.arch1-1
2020-12-31 01:18:16 +00:00
Jan Alexander Steffens
ddeb06b257
Revert two config changes
As requested by Levente.
2020-12-22 01:33:12 +00:00
Jan Alexander Steffens
5ee180e682
5.10.2.arch1-1
2020-12-21 20:50:34 +00:00
Jan Alexander Steffens
2f63adc58f
Disable most of MTD
Besides some support for directly flashing BIOS chips which is marked as
DANGEROUS, these seem only useful on embedded devices.
Only leave the simulator and the MTD-on-block emulator.
2020-12-18 23:32:10 +00:00
Jan Alexander Steffens
a10b2065c8
Disable SFI
Only used on some exotic Intel smartphone platforms without ACPI.
2020-12-18 23:32:09 +00:00
Jan Alexander Steffens
994cbff510
Disable autosleep and wakelocks
Not useful without appropriate userspace, like Android.
2020-12-18 23:32:08 +00:00
Jan Alexander Steffens
d522f29651
Disable PCI endpoint support
We're only running on host devices.
2020-12-18 23:32:08 +00:00
Jan Alexander Steffens
554f6e5ad8
Disable CAIF
Seems to be for ST-Ericsson embedded modems.
2020-12-18 23:32:07 +00:00
Jan Alexander Steffens
4d3936f486
Disable VME and RapidIO
Seems to be exotic, industrial hardware.
2020-12-18 23:32:06 +00:00
Jan Alexander Steffens
09b5d73900
Disable USB gadget support
We're only running on host devices.
2020-12-18 23:32:05 +00:00
Jan Alexander Steffens
a661403002
Disable CONFIG_EXPERT
I'm not.
2020-12-18 23:32:05 +00:00
Jan Alexander Steffens
bd50d947c3
Disable SDR and test media drivers
Using the device type filter menu.
2020-12-18 23:32:04 +00:00
Jan Alexander Steffens
bf6633be3e
Disable Comedi
Big driver set in staging of little use.
2020-12-18 23:32:03 +00:00
Jan Alexander Steffens
0c99750850
Disable I3C, SPMI and HSI
Seems to be restricted to embedded stuff with integrated modems.
2020-12-18 23:32:02 +00:00
Jan Alexander Steffens
5a395d000c
Disable OpenFirmware support
This is a big chunk of drivers that doesn't seem to be useful to us.
2020-12-18 23:32:01 +00:00
Jan Alexander Steffens
56811c1973
Pick some configuration options from Fedora's default kernel
Mostly choices about which modules to build in, some more debugfs
entries and boot self-tests.
- Unset GART_IOMMU: Old IOMMU code, should be unused.
- Unset MICROCODE_OLD_INTERFACE: Option help emphatically asks not to
set this.
- Unset ARCH_MEMORY_PROBE: Manual memory hot-plug should be unused.
- Unset USB_DYNAMIC_MINORS: We had this set forever, but it doesn't
actually seem to be needed.
- Unset NTFS_FS: Please use ntfs-3g.
2020-12-18 23:32:00 +00:00
Jan Alexander Steffens
056e1229cd
Disable DCCP (still affected by CVE-2020-16119)
2020-12-18 17:58:35 +00:00
Jan Alexander Steffens
8c2a9a8da9
FS#68978 Enable SoundWire machine driver
2020-12-16 14:37:37 +00:00
Jan Alexander Steffens
e32e0ba50d
5.10.1.arch1-1
2020-12-15 21:22:15 +00:00
Jan Alexander Steffens
d0179d6259
5.9.14.arch1-1
2020-12-12 22:02:25 +00:00
Jan Alexander Steffens
fe6596ab57
5.9.11.arch2-1
2020-11-28 02:51:37 +00:00
Jan Alexander Steffens
87febd662a
5.9.4.arch1-1
2020-11-04 22:42:21 +00:00
Jan Alexander Steffens
2c8951be72
5.9.arch1-1
2020-10-12 21:06:00 +00:00
Jan Alexander Steffens
dc92454675
5.8.14.arch1-1: FS#68092 Restore HDA prealloc
2020-10-07 23:59:36 +00:00
Jan Alexander Steffens
ea62179998
5.8.6.arch1-1
2020-09-03 18:54:38 +00:00
Jan Alexander Steffens
09a3f454bd
5.8.5.arch1-1
2020-08-27 20:01:26 +00:00
Jan Alexander Steffens
04d29ded1f
5.8.arch1-2: Enable MEM_SOFT_DIRTY (FS#67509) and USERFAULTFD (FS#62780)
2020-08-09 01:43:59 +00:00
Jan Alexander Steffens
3b798b5973
5.8.arch1-1
2020-08-03 20:08:49 +00:00
Jan Alexander Steffens
ad5bfbb468
5.7.11.arch1-1
2020-07-29 22:37:08 +00:00
Jan Alexander Steffens
44c212c848
FS#67421 Enable APPLETALK again by request
2020-07-29 22:37:07 +00:00
Jan Alexander Steffens
86fcfba038
5.7.6.arch1-1
2020-06-25 01:09:41 +00:00
Jan Alexander Steffens
2db27e8ef8
5.7.1.arch1-1
2020-06-07 13:06:32 +00:00
Jan Alexander Steffens
56cd81178e
5.7.arch1-1
2020-06-02 00:16:56 +00:00
Jan Alexander Steffens
331cab0a7d
5.6.15.arch1-1
2020-05-28 00:29:18 +00:00
Jan Alexander Steffens
6f75f24bf0
5.6.8.arch1-1
2020-04-29 17:50:10 +00:00
Jan Alexander Steffens
db2f694f61
5.6.5.arch2-1
2020-04-18 23:13:32 +00:00
Jan Alexander Steffens
135210db75
5.6.3.arch1-1
2020-04-08 08:45:18 +00:00
Jan Alexander Steffens
f4bf2c8d61
Put lockdown LSM into default initialization list
2020-04-06 22:36:28 +00:00
Jan Alexander Steffens
d917c0fbc9
5.6.2.arch1-2: FS#66076 disable EFI_DISABLE_PCI_DMA
2020-04-05 05:38:14 +00:00
Jan Alexander Steffens
7d58778a3e
5.6.arch1-1
2020-03-31 23:22:10 +00:00
Jan Alexander Steffens
1f9adc3a7c
5.5.13.arch2-1
2020-03-30 21:18:44 +00:00
Anatol Pomozov
eb56d25042
Compile-in ATA/SATA drivers
ATA/SATA are one of the widely used peripherals. It makes sense to compile it as a part
of the kernel binary.
2020-03-28 00:12:04 +00:00
Jan Alexander Steffens
810a79881a
FS#63260: Enable PAGE_POISONING
2020-02-22 21:30:47 +00:00
Jan Alexander Steffens
9a8a8558b5
FS#64861: Enable FONT_TER16x32
2020-02-21 21:34:57 +00:00
Jan Alexander Steffens
56d402493b
FS#65518: Enable SND_SOC_INTEL_SKYLAKE
2020-02-17 00:55:11 +00:00
Jan Alexander Steffens
90b69f3da5
Disable INTEL_IOMMU_DEFAULT_ON
Intel IOMMU support is still in a shitty state. What a shame.
2020-02-04 18:04:39 +00:00
Jan Alexander Steffens
5c532afbaa
5.5.1.arch1-1: Enable INTEL_IOMMU_DEFAULT_ON
IOMMU is important for security in systems using PCI bridges (e.g.
Thunderbolt, USB4) or other means of DMA from potentially untrusted
devices (e.g. FireWire). It's also used to safely pass devices into VMs.
Enable it by default. It can still be disabled at boot using
intel_iommu=off. intel_iommu=igfx_off is also available to exclude just
the iGPU.
2020-02-01 17:53:24 +00:00
Jan Alexander Steffens
727d1e1d47
5.5.arch1-1
2020-01-27 22:28:27 +00:00
Jan Alexander Steffens
9b0026f12a
5.4.15.arch1-1
2020-01-26 10:12:29 +00:00
Jan Alexander Steffens
2231922647
5.4.13.arch1-1
2020-01-17 23:41:56 +00:00
Jan Alexander Steffens
91d5b604de
FS#62384: Enable BPF_KPROBE_OVERRIDE
https://bugs.archlinux.org/task/62384
2020-01-17 23:41:55 +00:00
Jan Alexander Steffens
5ac0903843
5.4.7.arch1-1
2019-12-31 17:50:17 +00:00
Jan Alexander Steffens
f3603dadd9
Disable SND_HDA_INTEL_DETECT_DMIC
It's not ready; the drivers that are supposed to step in when
snd-hda-intel aborts probing aren't working yet. v5.5 will have a better
solution for driver selection, anyway.
2019-12-13 11:34:25 +00:00
Jan Alexander Steffens
3ead601c9d
5.4.1.arch1-1
2019-11-29 14:56:15 +00:00
Jan Alexander Steffens
196a2934c5
Disable RMI4_F54
Doesn't crash now, but still pretty useless.
- V4L device still confuses applications.
- Reading a sensor image makes the touchpad unusable as an input
device until it is power-cycled.
2019-11-27 20:28:02 +00:00
Jan Alexander Steffens
97381f5f19
Enable SND_HDA_INTEL_DETECT_DMIC
Now that we have SOF, let it handle systems with DMICs.
2019-11-27 20:28:01 +00:00
Jan Alexander Steffens
426a33d8ae
FS#63464: Disable misbehaving SOF drivers
Reading the changes made at
https://github.com/thesofproject/linux/pull/1382/files
2019-11-27 20:27:58 +00:00
Jan Alexander Steffens
d27c858681
5.4.arch1-1
2019-11-25 23:56:20 +00:00
Jan Alexander Steffens
c189ce4263
Enable INIT_ON_ALLOC_DEFAULT_ON
https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/
2019-11-18 21:33:26 +00:00
Jan Alexander Steffens
cad3b7156f
5.3.11.1-1
2019-11-12 23:21:40 +00:00
Jan Alexander Steffens
44420b8b15
Disable full dynticks
2019-11-03 14:24:59 +00:00
Jan Alexander Steffens
aa190d3c60
Disable some stray Freescale audio modules
2019-11-03 14:24:58 +00:00
Jan Alexander Steffens
35f8455e06
FS#64302: Disable Google SMI
Crashes on various non-Google Chromebooks and Coreboot-using laptops
like Librem and reflashed ThinkPads.
2019-11-03 10:45:25 +00:00
Jan Alexander Steffens
a53987ae76
FS#63464: Disable Sound Open Firmware
We don't ship any firmware files (yet) and the drivers can be loaded
in preference to the SST drivers, which we do have firmware for.
2019-11-02 08:23:45 +00:00
Jan Alexander Steffens
b204fb2896
Disable CONFIG_RMI4_F54
The V4L touch device created is buggy, causing userspace applications
(PipeWire) to behave badly and even kernel panics when running
v4l2-compliance -t 0 -s 1
2019-10-31 15:11:37 +00:00
Jan Alexander Steffens
3f306c2e10
FS#55784 enable google modules
2019-10-19 14:01:12 +00:00
Jan Alexander Steffens
964e000a29
5.3.2.arch2-1
2019-10-04 00:16:59 +00:00
Jan Alexander Steffens
be16067dd6
Enable SUNRPC_DISABLE_INSECURE_ENCTYPES
2019-10-03 14:51:04 +00:00
Jan Alexander Steffens
bd82bdc99a
5.3.arch1-1
2019-09-16 04:19:09 +00:00
Jan Alexander Steffens
92f97e2c06
5.2.10.arch1-1
2019-08-25 18:27:22 +00:00
Jan Alexander Steffens
ec7e9200bb
5.2.5.arch1-1
2019-07-31 09:05:53 +00:00
Jan Alexander Steffens
c75fb07643
FS#62432: Disable FW_LOADER_USER_HELPER
2019-07-30 21:04:09 +00:00
Jan Alexander Steffens
439e5a0af4
5.2.2.arch1-1: Disable stackleak; shows up in perf as 6-7% overhead
2019-07-21 19:43:40 +00:00
Jan Alexander Steffens
53d0c2511a
5.2.1.arch1-1
2019-07-14 21:46:06 +00:00
Jan Alexander Steffens
e77150c276
Enable stackleak
2019-07-10 15:18:09 +00:00
Jan Alexander Steffens
0471ab33d5
5.2.arch2-1
2019-07-09 04:10:19 +00:00
Jan Alexander Steffens
c8269e7394
Update config
2019-06-24 07:28:51 +00:00
Jan Alexander Steffens
6621446c2d
5.1.8.arch1-1
2019-06-09 21:32:47 +00:00
Jan Alexander Steffens
10505f2f9b
Disable integrity, enable safesetid, only load yama by default
2019-05-07 20:04:22 +00:00
Jan Alexander Steffens
78a111327b
5.1.arch1-1
2019-05-06 23:33:26 +00:00
Jan Alexander Steffens
f84d330b5f
5.0.10.arch1-1
2019-04-27 22:09:22 +00:00
Jan Alexander Steffens
b16b08b24a
FS#42910: Enable TOMOYO and SMACK
2019-04-09 21:53:11 +00:00
Jan Alexander Steffens
bcf602c7ae
5.0.arch1-1
2019-03-04 15:36:14 +00:00
Jan Alexander Steffens
6d64c139ef
4.20.3.arch1-1
2019-01-17 00:31:30 +00:00
Jan Alexander Steffens
fdbdebf5f1
4.20.1.arch1-1
2019-01-10 04:59:02 +00:00
Jan Alexander Steffens
4810e21851
4.20.arch1-1
2018-12-24 04:08:00 +00:00
Jan Alexander Steffens
03525e64df
FS#60879: Enable CONFIG_IEEE802154_HWSIM
2018-12-09 23:10:36 +00:00
Jan Alexander Steffens
bb9d85deef
4.19.7.arch1-1
2018-12-05 21:55:32 +00:00
Jan Alexander Steffens
21df49f85d
4.19.3.arch1-1
2018-11-22 07:41:48 +00:00
Jan Alexander Steffens
9036d47c87
FS#53288: Add GVRP
2018-11-20 22:04:33 +00:00
Jan Alexander Steffens
d00e2383fc
4.19.2.arch1-1
2018-11-13 22:29:23 +00:00
Jan Alexander Steffens
b1f5dbdf27
4.19.1.arch1-1
2018-11-04 17:56:31 +00:00
Jan Alexander Steffens
b966f6d713
FS#60614: Enable Block-MQ by default
2018-11-04 16:36:58 +00:00
Jan Alexander Steffens
757573dfbc
FS#57408: Reenable 16-bit support
2018-11-03 08:52:15 +00:00
Jan Alexander Steffens
cf354551c2
Disable RANDOM_TRUST_CPU and IOMMU_DEBUGFS
2018-10-29 21:35:18 +00:00
Jan Alexander Steffens
19c2451141
FS#60520 Enable LEDS_SYSCON
2018-10-26 19:04:33 +00:00
Jan Alexander Steffens
4ce5aa26d4
4.19.arch1-1
2018-10-26 18:46:07 +00:00
Jan Alexander Steffens
aac6d414e3
FS#46505 Minimal config for USB serial console support
2018-10-26 12:06:56 +00:00
Jan Alexander Steffens
6e7f717f02
4.18.16.arch1-1: Build in VFIO for FS#46505
2018-10-20 22:05:36 +00:00
Jan Alexander Steffens
c11f879fad
FS#46505: USB Serial console support; build in USB keyboard support
2018-09-27 00:45:46 +00:00
Jan Alexander Steffens
3a29867f82
4.18.8.arch1-1
2018-09-15 22:53:00 +00:00
Jan Alexander Steffens
81fa94f9fc
Add module signatures (but don't require)
2018-09-12 17:25:54 +00:00
Jan Alexander Steffens
6b918f8941
FS#59833: Disable BPFILTER
2018-09-03 19:15:29 +00:00
Jan Alexander Steffens
2e347a387f
Revert "Enable TXT, SELinux and AppArmor"
All of these require significant userspace support. SELinux in
particular requires linking against its library in numerous places,
including coreutils. This makes making them available in the kernel of
dubious value. Still, AppArmor and SELinux are available in
linux-hardened for those who want it.
This reverts commit 8215d0422d37317bd154497a2240ebbdd14c131d.
2018-09-03 19:15:26 +00:00
Jan Alexander Steffens
304ce7dbcb
FS#59824: build in PC RTC driver
2018-08-31 07:05:30 +00:00
Jan Alexander Steffens
8ff0dbd8eb
Enable TXT, SELinux and AppArmor
2018-08-26 09:25:52 +00:00
Jan Alexander Steffens
30e994930b
4.18.1.arch1-1
2018-08-16 06:57:20 +00:00