Not having a journal by default is a major "gotcha".
Because openwrt does not fsck on boot, a power loss without journaling
can result in a dirty filesystem that openwrt will mount as read-only
which requires intervention to restore the router to working order.
Signed-off-by: Jordan Woyak <jordan.woyak@gmail.com>
KASAN has supported more architectures, such as ARM, PPC32 and RISC-V 64.
Enable KASAN option for those architectures.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
The GCC option -fstack-protector-all is a security feature used to protect against stack-smashing attacks.
This option enhances the stack-smashing protection provided by -fstack-protector-strong.
-fstack-protector-all option applies stack protection to all functions, regardless of their characteristics.
While this offers the most comprehensive protection against stack-smashing attacks, it can significantly impact
the performance of the program because every function call includes additional checks for stack integrity.
This option can incur a performance penalty because of the extra checks added to every function call,
but it significantly enhances security, making it harder for attackers to exploit buffer overflows to execute arbitrary code.
It's particularly useful in scenarios where security is paramount and performance trade-offs are acceptable.
Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>
The newly added device Linksys MX4200, however, has limited kernel
partition and it's too small to place BTF kernel there.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
GRUB_SERIAL is also used for the default serial on the target and not
only in grub. When no grub was build it was not available and the build
fails.
Rename GRUB_SERIAL to TARGET_SERIAL and make it always available on x86
and armsr targets.
Fixes: #14063
Fixes: b10768476f ("x86,armsr: interpolate GRUB_SERIAL into /etc/inittab")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Allow selecting KERNEL_SLUB_DEBUG and KERNEL_SLUB_DEBUG_ON manually and
provide detailed help for both.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
CycloneDX is an open source standard developed by the OWASP foundation.
It supports a wide range of development ecosystems, a comprehensive set
of use cases, and focuses on automation, ease of adoption, and
progressive enhancement of SBOMs (Software Bill Of Materials) throughout
build pipelines.
So lets add support for CycloneDX SBOM for packages and images
manifests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
CONFIG_ARM_PMU (Arm Performance Monitor Unit) is a requirement
to use KVM (virtualization) from Linux 5.11+, as the virtualised
guest has virtualized PMU access.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Currently KASAN is supported but only the generic one. SW-tag and HW-tag
based KASAN have less impact on memory footprint or performance, and are
worth supporting.
Add choice menu for software and hardware Tag-Based KASAN, in addition
to the generic one.
Signed-off-by: Zhen XIN <zhen.xin@nokia-sbell.com>
[Restructure commit message]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Building it requires gcc >= 10.2 or clang >= 12.
Using sstrip with its -z argument can produce non-working binaries, like
a segfaulting `getrandom`, so don't allow that combination.
Signed-off-by: Andre Heider <a.heider@gmail.com>
sstrip only has one functional arg. Make that a bool option, which can
easily depend on other knobs then.
This is required to be disabled for the mold linker.
Signed-off-by: Andre Heider <a.heider@gmail.com>
In commit b2d1eb717b ("generic: 5.15: enable Werror by default for
kernel compile") CONFIG_WERROR=y was enabled and all warnings/errors
reported with GCC 12 were fixed.
Keeping this in sync with past/future GCC versions is going to be uphill
battle, so lets introduce new KERNEL_WERROR config option, enable it by
default only for tested/known working combinations and on buildbots.
References: #12687
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, ipq807x only covers Qualcomm IPQ807x SoC-s.
However, Qualcomm also has IPQ60xx and IPQ50xx SoC-s under the AX WiSoC-s
and they share a lot of stuff with IPQ807x, especially IPQ60xx so to avoid
duplicating kernel patches and everything lets make a common target with
per SoC subtargets.
Start doing that by renaming ipq807x to qualcommax so that dependencies
on ipq807x target can be updated.
Signed-off-by: Robert Marko <robimarko@gmail.com>
armvirt target has been renamed to armsr (Arm SystemReady),
so the config defaults need to be changed as well.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
The nominal partition type for EFI boot partitions is FAT32,
which has a minimum size of 32MiB on a 512-byte-sector block device.
To ensure that the boot partition is created as FAT32 set a size
well above this minimum.
A useful discussion about EFI partition sizes can be found here:
https://superuser.com/questions/1310927/what-is-the-absolute-minimum-size-a-uefi-system-partition-can-be
I have found 128MiB works pretty consistently across both
tools (mkfs.fat) and firmwares (EDKII)
Signed-off-by: Mathew McBride <matt@traverse.com.au>
This adds a separate package for EFI on Arm SystemReady
compatible machines. 32-bit Arm UEFI is supported as well.
It is very similar to x86-64 EFI setup, without the
need for BIOS backward compatibility and slightly
different default modules.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
This set the CONFIG_FRAME_WARN option depending on some target settings.
It will use the default from the upstream kernel and not the hard coded
value of 1024 now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
BTF mismatch can occur for a separately-built module even when the ABI
is otherwise compatible and nothing else would prevent successfully
loading. Add a new config to control how mismatches are handled. By
default, preserve the current behavior of refusing to load the
module. If MODULE_ALLOW_BTF_MISMATCH is enabled, load the module but
ignore its BTF information.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
We only use 5.15 kernel. So remove all those unnecessary symbols
referencing 5.10 or 5.15 kernel.
Can be found with:
git grep -E 'LINUX_5_1(0|5)'
Note that we remove the dependency from "sound-soc-chipdip-dac" instead
of removing the complete kernel package. The 5.15 version bump forgot to
delete the "@LINUX_5_10" dependency. The kernel package is still needed
in 5.15 kernel.
Signed-off-by: Nick Hainke <vincent@systemli.org>