diff --git a/04_build_linux.sh b/04_build_linux.sh
index ceb40c3..35292a1 100755
--- a/04_build_linux.sh
+++ b/04_build_linux.sh
@@ -22,6 +22,15 @@ cp -v ../patches/linux/Makefile arch/riscv/boot/dts/microchip/
 make ARCH=riscv CROSS_COMPILE=${CC} clean
 make ARCH=riscv CROSS_COMPILE=${CC} mpfs_defconfig
+#
+# Scheduler features
+#
+# end of Scheduler features
+
+./scripts/config --enable CONFIG_MEMCG
+./scripts/config --enable CONFIG_MEMCG_KMEM
+./scripts/config --enable CONFIG_CGROUP_HUGETLB
+
 ./scripts/config --set-str CONFIG_CMDLINE ""
 ./scripts/config --disable CONFIG_CMDLINE_FALLBACK
 ./scripts/config --enable CONFIG_EEPROM_AT24
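Review bot: The `# Scheduler features` / `# end of Scheduler features` banner added at the top of this hunk encloses nothing, and the three options after it (MEMCG, MEMCG_KMEM, CGROUP_HUGETLB) are cgroup controllers rather than scheduler settings, so the comment misleads. I would replace it with one line that names the group and its consumer, e.g. `# cgroup controllers: memory + hugetlb accounting (TODO: name the workload that needs them)`. Separately, `scripts/config` only rewrites `.config` text and does not check dependencies, and CONFIG_CGROUP_HUGETLB needs hugetlb page support, which is switched on only by the HUGETLBFS line in the later hunk. Running `make ARCH=riscv CROSS_COMPILE=${CC} olddefconfig` after the last `scripts/config` call and grepping `.config` for the requested symbols would catch any option that kconfig silently drops.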
@@ -30,6 +39,57 @@ make ARCH=riscv CROSS_COMPILE=${CC} mpfs_defconfig
 ./scripts/config --enable CONFIG_MCP356X
 ./scripts/config --enable CONFIG_POLARFIRE_SOC_GENERIC_SERVICE
+#
+# Networking options
+#
+./scripts/config --disable CONFIG_NETLABEL
+
+#
+# File systems
+#
+./scripts/config --enable CONFIG_EXT4_FS_SECURITY
+./scripts/config --disable CONFIG_FANOTIFY
+./scripts/config --enable CONFIG_AUTOFS_FS
+
+#
+# DOS/FAT/EXFAT/NT Filesystems
+#
+./scripts/config --enable CONFIG_FAT_FS
+./scripts/config --enable CONFIG_MSDOS_FS
+./scripts/config --enable CONFIG_VFAT_FS
+
+#
+# Pseudo filesystems
+#
+./scripts/config --enable CONFIG_PROC_CHILDREN
+./scripts/config --enable CONFIG_HUGETLBFS
+./scripts/config --enable CONFIG_NLS_CODEPAGE_437
+
+#
+# Security options
+#
+./scripts/config --enable CONFIG_SECURITY
+./scripts/config --enable CONFIG_SECURITYFS
+./scripts/config --enable CONFIG_SECURITY_NETWORK
+./scripts/config --enable CONFIG_SECURITY_PATH
+./scripts/config --set-val CONFIG_LSM_MMAP_MIN_ADDR 65536
+
+./scripts/config --disable CONFIG_SECURITY_SELINUX
+./scripts/config --disable CONFIG_SECURITY_SMACK
+./scripts/config --disable CONFIG_SECURITY_TOMOYO
+./scripts/config --disable CONFIG_SECURITY_APPARMOR
+./scripts/config --disable CONFIG_SECURITY_LOADPIN
+./scripts/config --disable CONFIG_SECURITY_YAMA
+./scripts/config --disable CONFIG_SECURITY_SAFESETID
+./scripts/config --disable CONFIG_SECURITY_LOCKDOWN_LSM
+./scripts/config --disable CONFIG_SECURITY_LANDLOCK
+
+./scripts/config --enable CONFIG_INTEGRITY
+./scripts/config --disable CONFIG_INTEGRITY_SIGNATURE
+
+./scripts/config --disable CONFIG_IMA
+./scripts/config --disable CONFIG_EVM
+
 echo "make -j${CORES} ARCH=riscv CROSS_COMPILE=${CC} Image modules dtbs"
 make -j${CORES} ARCH=riscv CROSS_COMPILE=${CC} Image modules dtbs
@@ -61,3 +121,4 @@ cp -v ./arch/riscv/boot/dts/microchip/mpfs-beaglev-fire.dtb ../deploy/input/
 cd ../
+#
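Review bot: `--set-val CONFIG_LSM_MMAP_MIN_ADDR 65536` in the Security options block is unlikely to take effect: as far as I know upstream Kconfig makes that symbol depend on SECURITY_SELINUX, which the next line disables, and the patched mpfs_defconfig in this same commit gains no LSM_MMAP_MIN_ADDR entry. If the intent is a higher floor for low-address mappings, the setting that applies with no LSM loaded is `./scripts/config --set-val CONFIG_DEFAULT_MMAP_MIN_ADDR 65536` (the defconfig context still shows 4096); confirm the value suits this board's userspace before changing it. The block also turns CONFIG_SECURITY and CONFIG_INTEGRITY on while disabling every LSM it names, including Yama, Landlock and Lockdown, plus IMA and EVM, so the hook layer appears to be built with nothing to enforce. A comment such as `# LSM framework only: needed by <consumer>; Yama/Landlock/Lockdown off because <reason>` would record the intent and make a later hardening review easier.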
diff --git a/06_generate_debian_console_root.sh b/06_generate_debian_console_root.sh
index 8a9e18a..c39781e 100755
--- a/06_generate_debian_console_root.sh
+++ b/06_generate_debian_console_root.sh
@@ -32,6 +32,7 @@ if [ -d ./ignore/.root ] ; then
 fi
 mkdir -p ./ignore/.root
+echo "Extracting: debian-sid-console-riscv64-${datestamp}/riscv64-rootfs-*.tar"
 tar xfp ./deploy/debian-sid-console-riscv64-${datestamp}/riscv64-rootfs-*.tar -C ./ignore/.root
 sync
diff --git a/patches/linux/mpfs_defconfig b/patches/linux/mpfs_defconfig
index a0fda5a..72f47d9 100644
--- a/patches/linux/mpfs_defconfig
+++ b/patches/linux/mpfs_defconfig
@@ -144,8 +144,10 @@ CONFIG_GCC11_NO_ARRAY_BOUNDS=y
 CONFIG_CC_NO_ARRAY_BOUNDS=y
 CONFIG_ARCH_SUPPORTS_INT128=y
 CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
 # CONFIG_CGROUP_FAVOR_DYNMODS is not set
-# CONFIG_MEMCG is not set
+CONFIG_MEMCG=y
+CONFIG_MEMCG_KMEM=y
 # CONFIG_BLK_CGROUP is not set
 CONFIG_CGROUP_SCHED=y
 CONFIG_FAIR_GROUP_SCHED=y
@@ -154,6 +156,7 @@ CONFIG_CFS_BANDWIDTH=y
 # CONFIG_CGROUP_PIDS is not set
 # CONFIG_CGROUP_RDMA is not set
 # CONFIG_CGROUP_FREEZER is not set
+CONFIG_CGROUP_HUGETLB=y
 # CONFIG_CPUSETS is not set
 # CONFIG_CGROUP_DEVICE is not set
 # CONFIG_CGROUP_CPUACCT is not set
@@ -526,6 +529,7 @@ CONFIG_COMPACTION=y
 CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1
 # CONFIG_PAGE_REPORTING is not set
 CONFIG_MIGRATION=y
+CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
 CONFIG_PHYS_ADDR_T_64BIT=y
 # CONFIG_KSM is not set
 CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
@@ -612,6 +616,7 @@ CONFIG_IPV6_NDISC_NODETYPE=y
 # CONFIG_IPV6_SEG6_HMAC is not set
 # CONFIG_IPV6_RPL_LWTUNNEL is not set
 # CONFIG_IPV6_IOAM6_LWTUNNEL is not set
+# CONFIG_NETLABEL is not set
 # CONFIG_MPTCP is not set
 # CONFIG_NETWORK_SECMARK is not set
 CONFIG_NET_PTP_CLASSIFY=y
@@ -3990,7 +3995,7 @@ CONFIG_FS_IOMAP=y
 CONFIG_EXT4_FS=y
 CONFIG_EXT4_USE_FOR_EXT2=y
 CONFIG_EXT4_FS_POSIX_ACL=y
-# CONFIG_EXT4_FS_SECURITY is not set
+CONFIG_EXT4_FS_SECURITY=y
 # CONFIG_EXT4_DEBUG is not set
 CONFIG_JBD2=y
 # CONFIG_JBD2_DEBUG is not set
@@ -4013,10 +4018,10 @@ CONFIG_FILE_LOCKING=y
 CONFIG_FSNOTIFY=y
 CONFIG_DNOTIFY=y
 CONFIG_INOTIFY_USER=y
-CONFIG_FANOTIFY=y
+# CONFIG_FANOTIFY is not set
 # CONFIG_QUOTA is not set
 # CONFIG_AUTOFS4_FS is not set
-# CONFIG_AUTOFS_FS is not set
+CONFIG_AUTOFS_FS=y
 # CONFIG_FUSE_FS is not set
 # CONFIG_OVERLAY_FS is not set
@@ -4036,9 +4041,9 @@ CONFIG_FANOTIFY=y
 #
 # DOS/FAT/EXFAT/NT Filesystems
 #
-CONFIG_FAT_FS=m
-CONFIG_MSDOS_FS=m
-CONFIG_VFAT_FS=m
+CONFIG_FAT_FS=y
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
 CONFIG_FAT_DEFAULT_CODEPAGE=437
 CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
 # CONFIG_FAT_DEFAULT_UTF8 is not set
@@ -4055,7 +4060,7 @@ CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
 CONFIG_PROC_SYSCTL=y
 CONFIG_PROC_PAGE_MONITOR=y
-# CONFIG_PROC_CHILDREN is not set
+CONFIG_PROC_CHILDREN=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
 CONFIG_TMPFS=y
@@ -4063,7 +4068,8 @@ CONFIG_TMPFS_POSIX_ACL=y
 CONFIG_TMPFS_XATTR=y
 # CONFIG_TMPFS_INODE64 is not set
 CONFIG_ARCH_SUPPORTS_HUGETLBFS=y
-# CONFIG_HUGETLBFS is not set
+CONFIG_HUGETLBFS=y
+CONFIG_HUGETLB_PAGE=y
 CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 CONFIG_CONFIGFS_FS=y
@@ -4107,6 +4113,7 @@ CONFIG_PNFS_FILE_LAYOUT=m
 CONFIG_PNFS_FLEXFILE_LAYOUT=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
+CONFIG_NFS_V4_SECURITY_LABEL=y
 # CONFIG_NFS_USE_LEGACY_DNS is not set
 CONFIG_NFS_USE_KERNEL_DNS=y
 CONFIG_NFS_DISABLE_UDP_SUPPORT=y
@@ -4128,7 +4135,7 @@ CONFIG_SUNRPC_BACKCHANNEL=y
 # CONFIG_AFS_FS is not set
 CONFIG_NLS=y
 CONFIG_NLS_DEFAULT="iso8859-1"
-CONFIG_NLS_CODEPAGE_437=m
+CONFIG_NLS_CODEPAGE_437=y
 # CONFIG_NLS_CODEPAGE_737 is not set
 # CONFIG_NLS_CODEPAGE_775 is not set
 CONFIG_NLS_CODEPAGE_850=m
@@ -4192,12 +4199,26 @@ CONFIG_KEYS=y
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
-# CONFIG_SECURITY is not set
-# CONFIG_SECURITYFS is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_PATH=y
 CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
 # CONFIG_HARDENED_USERCOPY is not set
 # CONFIG_FORTIFY_SOURCE is not set
 # CONFIG_STATIC_USERMODEHELPER is not set
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_SECURITY_SAFESETID is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_INTEGRITY=y
+# CONFIG_INTEGRITY_SIGNATURE is not set
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"