V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 22:14:22 +01:00
parent be0a6c7c6a
commit 353568eb69
60 changed files with 2267 additions and 1163 deletions
--- a/upgrades/linux-image/linux_image_clang_options.sh
+++ b/upgrades/linux-image/linux_image_clang_options.sh
@@ -11,7 +11,6 @@
 # SPDX-Security-Contact: security@coresecret.eu

 set   -o errexit
-set   -o ignoreeof
 set   -o noclobber
 set   -o nounset
 set   -o pipefail
@@ -23,20 +22,219 @@ shopt -u dotglob
 shopt -u extglob
 shopt -u nullglob

-declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+umask 0077
+
+declare      VAR_BRANCH="${1-}"
+declare -grx VAR_BRANCH="${VAR_BRANCH,,}"
+
 declare -gx IFS=$' \t\n'
-declare -gx PATH="/usr/lib/llvm-18/bin:${PATH}"
-declare -gx LLVM="1"
+declare -gx PATH="/usr/lib/llvm-18/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+declare -gx AR="llvm-ar-18"
 declare -gx CC="clang-18 -target x86_64-linux-gnu"
-declare -gx LD="ld.lld-18"
 declare -gx HOSTCC="clang-18"
 declare -gx HOSTCXX="clang++-18"
-declare -gx AR="llvm-ar-18" NM="llvm-nm-18" OBJCOPY="llvm-objcopy-18" STRIP="llvm-strip-18"
-umask 0022
+declare -gx LD="ld.lld-18"
+declare -gx LLVM="1"
+declare -gx LLVM_IAS="1"
+declare -gx NM="llvm-nm-18"
+declare -gx OBJCOPY="llvm-objcopy-18"
+# shellcheck disable=SC2155
+declare -gx SOURCE_DATE_EPOCH=$(date -ud '2025-10-11 00:00:00Z' +%s)
+declare -gx STRIP="llvm-strip-18"
+unset LOCALVERSION || true
+
+cd "${HOME}"
+if [[ -d "${HOME}/src/kernel" ]]; then
+  rm -rf --one-file-system -- "${HOME}/src/kernel"
+fi
+
+declare -gx DEBIAN_FRONTEND="noninteractive"
+apt-get update -qq
+apt-get install -y \
+  bc \
+  bison \
+  build-essential \
+  clang-18 \
+  dpkg-dev \
+  fakeroot \
+  flex \
+  git \
+  libelf-dev \
+  libncurses-dev \
+  libssl-dev \
+  lld-18 \
+  llvm-18-dev \
+  rsync
+
+#######################################
+# Extract the kernel version from a freshly unpacked 'apt-get source linux' tree.
+# Exports (declare -g):
+#   var_kver_debian = e.g., "6.16.3-1~deb13u1"
+#   var_kver        = e.g., "6.16.3"
+#   var_srcdir      = e.g., "linux-6.16.3"
+# Globals:
+#   var_kver
+#   var_kver_debian
+#   var_srcdir
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   1: on failure
+#######################################
+extract_kver_from_apt_source_linux() {
+  ### Prefer debian/changelog in linux-* (more canonical), then fall back to .dsc.
+  shopt -s nullglob
+
+  ### Try A: from debian/changelog in linux-*/
+  declare -a _srcdirs=(linux-*/)
+
+  if [[ ${#_srcdirs[@]} -ge 1 ]]; then
+
+    ### Pick the first match; in a clean workdir there should be exactly one.
+    declare _dir="${_srcdirs[0]%/}"
+    declare _chg="${_dir}/debian/changelog"
+
+    if [[ -f "${_chg}" ]]; then
+
+      ### Read the first line: "linux (6.x.y-... ) suite; urgency=...".
+      declare _line
+      IFS= read -r _line < "${_chg}" || _line=
+      ### Extract between '(' and ')'
+      ### 1) strip prefix up to '('
+      declare _ver="${_line#*\(}"
+      ### 2) strip suffix after ')'
+      _ver="${_ver%%\)*}"
+
+      ### Debian full version (may include epoch and Debian revision).
+      declare -gx var_kver_debian="${_ver}"
+
+      ### Upstream version (strip optional epoch "N:" and Debian revision "-...").
+      declare _noepoch="${_ver#*:}"           # Drop "1:" if present, else no change.
+      declare -gx var_kver="${_noepoch%%-*}"  # Drop the "-deb" part.
+      declare -gx var_srcdir="${_dir}"
+      shopt -u nullglob
+      return 0
+
+    fi
+
+  fi
+
+  ### Try B: from the .dsc file (fallback).
+  declare -a _dscs=(linux_*.dsc)
+
+  if [[ ${#_dscs[@]} -ge 1 ]]; then
+
+    ### Pick the first .dsc (in a clean workdir there should be exactly one).
+    declare _dsc="${_dscs[0]}"
+    declare _verline _ver
+
+    ### Read the 'Version: ...' line without grep/sed.
+    while IFS= read -r _verline; do
+
+      # shellcheck disable=SC2249
+      case "${_verline}" in
+
+        Version:*)
+          _ver="${_verline#Version: }"
+          break
+          ;;
+
+      esac
+
+    done < "${_dsc}"
+
+    [[ -n "${_ver:-}" ]] || return 1
+
+    declare -gx var_kver_debian="${_ver}"
+    declare _noepoch="${_ver#*:}"
+    declare -gx var_kver="${_noepoch%%-*}"
+
+    ### Best-effort srcdir guess from the upstream part (common unpacking layout).
+    declare _up="${var_kver}"
+
+    if [[ -d "linux-${_up}" ]]; then
+
+      declare -gx var_srcdir="linux-${_up}"
+
+    else
+
+      declare -gx var_srcdir=""
+
+    fi
+
+    shopt -u nullglob
+    return 0
+
+  fi
+
+  ### Nothing found.
+  shopt -u nullglob
+
+  return 1
+}
+# --- Prevents accidental 'unset -f' ------------------------------------------
+# shellcheck disable=SC2034
+readonly -f extract_kver_from_apt_source_linux
+
+# --- Generate skeleton and download sources ----------------------------------
+case "${VAR_BRANCH}" in
+
+  bpo)
+    mkdir -p ~/src/kernel/bpo && cd ~/src/kernel/bpo
+    apt-get source -t trixie-backports linux
+    apt-get -y build-dep -t trixie-backports linux
+    ;;
+
+  security)
+    mkdir -p ~/src/kernel/security && cd ~/src/kernel/security
+    apt-get source -t trixie-security linux
+    apt-get -y build-dep -t trixie-security linux
+    ;;
+
+  *)
+    printf "No valid branch selected.\n"
+    exit 1
+    ;;
+
+esac
+
+extract_kver_from_apt_source_linux
+printf '%b  var_srcdir=%s\n  var_kver_debian=%s\n  var_kver=%s%b\n' '\e[92m' "${var_srcdir:-<none>}" "${var_kver_debian:-<none>}" "${var_kver:-<none>}" '\e[0m'
+
+case "${VAR_BRANCH}" in
+
+  bpo)
+    cd "${HOME}/src/kernel/bpo/${var_srcdir}"
+    ;;
+
+  security)
+    cd "${HOME}/src/kernel/security/${var_srcdir}"
+    ;;
+
+  *)
+    printf "No valid branch selected.\n"
+    exit 1
+    ;;
+
+esac
+
+# --- Identify yourself for Maintainer and Changed-By -------------------------
+declare -gx DEBFULLNAME="Marc S. Weidner"
+declare -gx DEBEMAIL="msw@coresecret.dev"
+
+# --- Embed build user/host in 'uname -v' string of the kernel ----------------
+declare -gx KBUILD_BUILD_USER="msw"
+declare -gx KBUILD_BUILD_HOST="coresecret.dev"
+
+# --- Package/version labelling for Debian packages ---------------------------
+declare -gx KDEB_PKGVERSION="${var_kver}-1ciss0"
+declare -gx KDEB_CHANGELOG_DIST="trixie"

 # --- Identity / naming -------------------------------------------------------
 # Ensure unique artifact names in /boot to avoid collisions with Production.
 scripts/config --set-str CONFIG_LOCALVERSION "-rescue"
+scripts/config --disable CONFIG_LOCALVERSION_AUTO

 # --- Control-Flow Integrity (Clang kCFI as strict default) -------------------
 # Enable Clang CFI; keep strict (no permissive), keep kCFI as default,
@@ -97,21 +295,21 @@ scripts/config --enable  CONFIG_SATA_AHCI
 scripts/config --enable  CONFIG_BLK_DEV_NVME
 scripts/config --enable  CONFIG_SCSI
 scripts/config --enable  CONFIG_BLK_DEV_SD
+scripts/config --enable  CONFIG_USB_EHCI_HCD
 scripts/config --enable  CONFIG_USB_XHCI_HCD
 scripts/config --enable  CONFIG_USB_STORAGE
 scripts/config --disable CONFIG_ATA_SFF
 scripts/config --disable CONFIG_CHR_DEV_SG
-scripts/config --disable CONFIG_USB_EHCI_HCD

 # --- Device-mapper and software RAID (rescue on unknown hosts) ---------------
 scripts/config --enable  CONFIG_BLK_DEV_DM
 scripts/config --enable  CONFIG_DM_CRYPT
 scripts/config --enable  CONFIG_DM_MOD
-scripts/config --disable CONFIG_MD_RAID1
-scripts/config --disable CONFIG_MD_RAID10
-scripts/config --disable CONFIG_MD_RAID456
-scripts/config --disable CONFIG_BLK_DEV_MD
-scripts/config --disable CONFIG_MD
+scripts/config --enable  CONFIG_MD_RAID1
+scripts/config --enable  CONFIG_MD_RAID10
+scripts/config --enable  CONFIG_MD_RAID456
+scripts/config --enable  CONFIG_BLK_DEV_MD
+scripts/config --enable  CONFIG_MD
 scripts/config --disable CONFIG_MD_AUTODETECT

 # --- Do not allow device-mapper table creation from the kernel command line --
@@ -142,8 +340,8 @@ scripts/config --enable  CONFIG_VLAN_8021Q
 scripts/config --disable CONFIG_BRIDGE
 scripts/config --disable CONFIG_BONDING
 scripts/config --disable CONFIG_BNX2X
-scripts/config --disable CONFIG_IGC
-scripts/config --disable CONFIG_R8169
+scripts/config --enable  CONFIG_IGC
+scripts/config --enable  CONFIG_R8169

 # --- Virtualization ----------------------------------------------------------
 scripts/config --enable  CONFIG_HW_RANDOM_VIRTIO
@@ -158,7 +356,6 @@ scripts/config --enable  CONFIG_VIRTIO_PCI
 scripts/config --enable  CONFIG_VIRTIO_SCSI
 scripts/config --disable CONFIG_HYPERV
 scripts/config --disable CONFIG_VIRTIO_GPU
-scripts/config --disable CONFIG_VMXNET3
 scripts/config --disable CONFIG_XEN

 # --- Media, Sound, Wireless --------------------------------------------------
@@ -169,7 +366,8 @@ scripts/config --disable CONFIG_NFC
 scripts/config --disable CONFIG_SND

 # --- Disable entire DRM/GPU graphics stack -----------------------------------
-scripts/config --disable CONFIG_DRM
+scripts/config --enable  CONFIG_DRM
+scripts/config --enable  CONFIG_DRM_SIMPLEDRM
 scripts/config --disable CONFIG_DRM_AMDGPU
 scripts/config --disable CONFIG_DRM_BRIDGE
 scripts/config --disable CONFIG_DRM_FBDEV_EMULATION
@@ -179,7 +377,6 @@ scripts/config --disable CONFIG_DRM_NOUVEAU
 scripts/config --disable CONFIG_DRM_PANEL
 scripts/config --disable CONFIG_DRM_QXL
 scripts/config --disable CONFIG_DRM_RADEON
-scripts/config --disable CONFIG_DRM_SIMPLEDRM
 scripts/config --disable CONFIG_DRM_VIRTIO_GPU
 scripts/config --disable CONFIG_DRM_VMWGFX

@@ -298,6 +495,83 @@ scripts/config --disable CONFIG_PINCTRL
 # --- Disable any other features ----------------------------------------------
 scripts/config --disable CONFIG_TEGRA_HOST1X

+# --- Harden memory permissions and control-flow ------------------------------
+scripts/config --enable  CONFIG_STRICT_KERNEL_RWX
+scripts/config --enable  CONFIG_DEBUG_WX
+scripts/config --enable  CONFIG_VMAP_STACK
+scripts/config --enable  CONFIG_FORTIFY_SOURCE
+scripts/config --enable  CONFIG_REFCOUNT_FULL
+scripts/config --enable  CONFIG_STACKPROTECTOR
+scripts/config --enable  CONFIG_STACKPROTECTOR_STRONG
+scripts/config --enable  CONFIG_INIT_STACK_ALL_ZERO
+scripts/config --enable  CONFIG_RANDOMIZE_BASE
+scripts/config --enable  CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT
+
+# --- Allocator hardening -----------------------------------------------------
+scripts/config --enable  CONFIG_SLAB_FREELIST_RANDOM
+scripts/config --enable  CONFIG_SLAB_FREELIST_HARDENED
+scripts/config --disable CONFIG_SLAB_MERGE_DEFAULT
+scripts/config --enable  CONFIG_SHUFFLE_PAGE_ALLOCATOR
+
+# --- LSM / Lockdown ----------------------------------------------------------
+scripts/config --enable  CONFIG_SECURITY_LOCKDOWN_LSM
+scripts/config --enable  CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
+scripts/config --enable  CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+scripts/config --enable  CONFIG_SECURITY_YAMA
+scripts/config --enable  CONFIG_SECURITY_LANDLOCK
+
+# --- IOMMU / DMA -------------------------------------------------------------
+scripts/config --enable  CONFIG_EFI_DISABLE_PCI_DMA
+scripts/config --enable  CONFIG_IOMMU_SUPPORT
+scripts/config --enable  CONFIG_IOMMU_DEFAULT_DMA_STRICT
+scripts/config --enable  CONFIG_INTEL_IOMMU
+scripts/config --enable  CONFIG_INTEL_IOMMU_DEFAULT_ON
+scripts/config --enable  CONFIG_AMD_IOMMU
+scripts/config --enable  CONFIG_AMD_IOMMU_V2
+
+# --- Page table isolation and checks -----------------------------------------
+scripts/config --enable  CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
+scripts/config --enable  CONFIG_PAGE_TABLE_CHECK
+scripts/config --enable  CONFIG_PAGE_TABLE_CHECK_ENFORCED
+
+# --- UBSAN / KFENCE (low overhead) -------------------------------------------
+scripts/config --enable  CONFIG_UBSAN
+scripts/config --enable  CONFIG_UBSAN_TRAP
+scripts/config --enable  CONFIG_UBSAN_BOUNDS
+scripts/config --enable  CONFIG_UBSAN_LOCAL_BOUNDS
+scripts/config --enable  CONFIG_KFENCE
+
+# --- x86 specifics -----------------------------------------------------------
+scripts/config --enable  CONFIG_X86_KERNEL_IBT
+scripts/config --enable  CONFIG_CFI_CLANG
+scripts/config --disable CONFIG_X86_VSYSCALL_EMULATION
+scripts/config --enable  CONFIG_LEGACY_VSYSCALL_NONE
+
+# --- Remove legacy debug / attack surfaces -----------------------------------
+scripts/config --disable CONFIG_DEVMEM
+scripts/config --enable  CONFIG_STRICT_DEVMEM
+scripts/config --enable  CONFIG_IO_STRICT_DEVMEM
+scripts/config --disable CONFIG_DEVKMEM
+scripts/config --disable CONFIG_DEBUG_FS
+scripts/config --disable CONFIG_PROC_KCORE
+
+# --- Optional, stricter ------------------------------------------------------
+scripts/config --enable  CONFIG_PANIC_ON_OOPS
+scripts/config --set-val CONFIG_PANIC_TIMEOUT -1
+
+make olddefconfig
+
+make -s kernelrelease
+grep -E '^(CONFIG_LOCALVERSION|CONFIG_LOCALVERSION_AUTO)=' .config || true
+env | grep -E '^LOCALVERSION=' || true
+
+touch build.log
+
+# shellcheck disable=SC2312
+if make -j"$(nproc)" bindeb-pkg 2>&1 | tee build.log; then
+  printf '%bBuild successful%b\n' '\e[92m' '\e[0m'
+fi
+
 exit 0

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh