
[ANNOUNCE] Release v4.19.177-cip44

Nobuhiro Iwamatsu
 

Hi,

CIP kernel team has released Linux kernel v4.19.177-cip44.
This tree's base version has been updated from v4.19.175 to v4.19.177.

You can get this release via the git tree at:

v4.19.177-cip44:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.19.y-cip
commit hash:
e48c182113555669a03ec13050eed01d1dc66e9f
added commits:
CIP: Bump version suffix to -cip44 after merge from stable

Best regards,
Nobuhiro


Re: hitachi_omap defconfigs

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi, Kawai-san,

Thanks for your response.
Then, for now, we will disable nouveau driver.
If we need to re-enable this, please feel free to let us know.

Best regards,
--
M. Kudo

-----Original Message-----
From: 河合英宏 / KAWAI,HIDEHIRO <hidehiro.kawai.ez@hitachi.com>
Sent: Friday, February 26, 2021 9:40 PM
To: 工藤 雅司(CTJ OSS事業推進室) <masashi.kudo@cybertrust.co.jp>;
wens@csie.org
Cc: cip-dev@lists.cip-project.org; cip-members@lists.cip-project.org
Subject: RE: hitachi_omap defconfigs

Kudo-san,

I'm sorry about this.

I think we can disable some DRM drivers, but I haven't received response from
related persons yet.
So, please simply disable nouveau driver.

Best regards,

Hidehiro Kawai
Hitachi, Ltd. Research & Development Group

From: masashi.kudo@cybertrust.co.jp <masashi.kudo@cybertrust.co.jp>

Hi, Kawai-san,

It's been a while since we last chatted about this issue.
If it takes more time, shall we disable nouveau driver as you suggested?

Best regards,
--
M. Kudo

-----Original Message-----
From: 工藤 雅司(CTJ OSS事業推進室)
Sent: Friday, December 25, 2020 6:28 PM
To: 河合英宏 / KAWAI,HIDEHIRO <hidehiro.kawai.ez@hitachi.com>;
'wens@csie.org' <wens@csie.org>
Cc: cip-dev@lists.cip-project.org; cip-members@lists.cip-project.org
Subject: RE: hitachi_omap defconfigs

Hi, Kawai-san,

Thanks very much for letting us know the current status.
We will wait for your response, so I would appreciate it if you can keep us
updated.

Best regards,
--
M. Kudo

-----Original Message-----
From: 河合英宏 / KAWAI,HIDEHIRO <hidehiro.kawai.ez@hitachi.com>
Sent: Friday, December 25, 2020 3:34 PM
To: 工藤 雅司(CTJ OSS事業推進室) <masashi.kudo@cybertrust.co.jp>;
'wens@csie.org' <wens@csie.org>
Cc: cip-dev@lists.cip-project.org;
cip-members@lists.cip-project.org
Subject: RE: hitachi_omap defconfigs

Kudo-san and ChenYu-san,

We are sorry for the inconvenience. The confirmation will take some time.
If you'd like to solve this issue quickly, please disable nouveau driver now.
After the confirmation, we'll send an updated defconfig.

Best regards,

Hidehiro Kawai
Hitachi, Ltd. Research & Development Group

From: cip-members@lists.cip-project.org
<cip-members@lists.cip-project.org> On Behalf Of Hidehiro Kawai

Hello Kudo-san and ChenYu-san,

Thanks for reporting the issue.
Including nouveau driver, it seems that our defconfigs have some
unneeded drivers. I'm confirming this with our development team,
please wait a moment.

Best regards,

Hidehiro Kawai
Hitachi, Ltd. Research & Development Group

From: cip-dev@lists.cip-project.org
<cip-dev@lists.cip-project.org> On Behalf Of masashi.kudo@cybertrust.co.jp

Hi, Hitachi-team,

Last week, CVE-2020-27820 [drm/nouveau UAF] was reported by the
following email.
https://lore.kernel.org/cip-dev/CAGb2v641=SrfdDh9CS4fwWVrfuCG2O2oni9V_QsVJEza+g5mRg@mail.gmail.com/T/#u

According to the kernel team analysis, it seems that the nouveau
driver is enabled in hitachi_omap defconfigs for both 4.4 and 4.19.
However, the configs are for OMAP platforms which, according to our
understanding, don't have PCI for a graphics card.
So we think that the hitachi_omap defconfigs should be corrected to
disable the nouveau driver.

We could be wrong, so please advise us. Once you confirm it to be
corrected, we will go ahead to change it.
Best regards,
--
M. Kudo
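The check described in the thread above (a PCI-only graphics driver enabled in a defconfig for a board that has no PCI bus, which leaves a CVE-affected driver reachable for no benefit) can be automated over a kernel configuration file. The following is an added example written for this page; it is not code from the cip-dev thread or from the cip-kernel-config repository. The prerequisite table `PREREQS` is an assumption chosen for illustration and is not derived from Kconfig, the sample configuration is constructed, and the check goes beyond the nouveau case by also covering the Xen frontend drivers that the Siemens patches later in this digest remove. Because a minimal defconfig only records values that differ from the Kconfig defaults, run the audit against the full `.config` produced by `make olddefconfig`, not against the defconfig itself.

```python
"""Audit a kernel .config for drivers that are enabled although a platform
prerequisite they cannot work without is absent.

Added example for this page; not code from the cip-dev thread or from
cip-kernel-config. PREREQS is an illustrative assumption, not Kconfig data.
"""
import re
import sys

# Matches "CONFIG_FOO=y", "CONFIG_FOO=m", 'CONFIG_FOO="str"' and
# "# CONFIG_FOO is not set". Anything else (comments, headers) is ignored.
_LINE_RE = re.compile(r"^(?:(CONFIG_\w+)=(.+)|# (CONFIG_\w+) is not set)$")

# Assumed prerequisite table: driver -> options that must be enabled for the
# driver to be usable at all. Chosen for illustration, not taken from Kconfig.
PREREQS = {
    "CONFIG_DRM_NOUVEAU": ("CONFIG_PCI",),   # nouveau only drives PCI GPUs
    "CONFIG_DRM_RADEON": ("CONFIG_PCI",),
    "CONFIG_XEN_PCIDEV_FRONTEND": ("CONFIG_XEN", "CONFIG_PCI"),
    "CONFIG_XEN_BLKDEV_FRONTEND": ("CONFIG_XEN",),
    "CONFIG_XEN_NETDEV_FRONTEND": ("CONFIG_XEN",),
}


def parse_config(text):
    """Map CONFIG_* symbols to their value: 'y', 'm', a quoted or numeric
    string, or 'n' for '# ... is not set' lines."""
    cfg = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m is None:
            continue
        if m.group(3):
            cfg[m.group(3)] = "n"
        else:
            cfg[m.group(1)] = m.group(2)
    return cfg


def is_enabled(cfg, symbol):
    """Built-in (y) and module (m) both count as enabled. An absent symbol
    is treated as 'n', which is only correct for a complete .config; that is
    why the audit belongs on the output of `make olddefconfig`."""
    return cfg.get(symbol, "n") in ("y", "m")


def audit(cfg, prereqs=PREREQS):
    """Return [(driver, value, [missing prerequisites])] for every driver in
    `prereqs` that is enabled while at least one prerequisite is not."""
    findings = []
    for driver, required in prereqs.items():
        if not is_enabled(cfg, driver):
            continue
        missing = [r for r in required if not is_enabled(cfg, r)]
        if missing:
            findings.append((driver, cfg[driver], missing))
    return findings


# Constructed sample resembling an OMAP board config; it is NOT the real
# hitachi_omap defconfig and deliberately carries two stale driver lines.
SAMPLE_OMAP_CONFIG = """\
# constructed sample config (not the real hitachi_omap defconfig)
CONFIG_ARCH_OMAP2PLUS=y
# CONFIG_PCI is not set
CONFIG_DRM=y
CONFIG_DRM_OMAP=y
CONFIG_DRM_NOUVEAU=m
# CONFIG_XEN is not set
CONFIG_XEN_NETDEV_FRONTEND=y
CONFIG_NLS_DEFAULT="utf8"
"""


def main(argv):
    """Audit the file named on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_OMAP_CONFIG
    findings = audit(parse_config(text))
    for driver, value, missing in findings:
        print(f"{driver}={value} is enabled but requires: {', '.join(missing)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no argument to see the two findings from the constructed sample, or pass a path such as `.config` after `make olddefconfig`. The non-zero exit status on findings lets the script sit in a CI job that gates defconfig changes.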


Re: hitachi_omap defconfigs

Hidehiro Kawai
 

Kudo-san,

I'm sorry about this.

I think we can disable some DRM drivers, but I haven't received
response from related persons yet.
So, please simply disable nouveau driver.

Best regards,

Hidehiro Kawai
Hitachi, Ltd. Research & Development Group

From: masashi.kudo@cybertrust.co.jp <masashi.kudo@cybertrust.co.jp>

Hi, Kawai-san,

It's been a while since we last chatted about this issue.
If it takes more time, shall we disable nouveau driver as you suggested?

Best regards,
--
M. Kudo

-----Original Message-----
From: 工藤 雅司(CTJ OSS事業推進室)
Sent: Friday, December 25, 2020 6:28 PM
To: 河合英宏 / KAWAI,HIDEHIRO <hidehiro.kawai.ez@hitachi.com>;
'wens@csie.org' <wens@csie.org>
Cc: cip-dev@lists.cip-project.org; cip-members@lists.cip-project.org
Subject: RE: hitachi_omap defconfigs

Hi, Kawai-san,

Thanks very much for letting us know the current status.
We will wait for your response, so I would appreciate it if you can keep us updated.

Best regards,
--
M. Kudo

-----Original Message-----
From: 河合英宏 / KAWAI,HIDEHIRO <hidehiro.kawai.ez@hitachi.com>
Sent: Friday, December 25, 2020 3:34 PM
To: 工藤 雅司(CTJ OSS事業推進室) <masashi.kudo@cybertrust.co.jp>;
'wens@csie.org' <wens@csie.org>
Cc: cip-dev@lists.cip-project.org; cip-members@lists.cip-project.org
Subject: RE: hitachi_omap defconfigs

Kudo-san and ChenYu-san,

We are sorry for the inconvenience. The confirmation will take some time.
If you'd like to solve this issue quickly, please disable nouveau driver now.
After the confirmation, we'll send an updated defconfig.

Best regards,

Hidehiro Kawai
Hitachi, Ltd. Research & Development Group

From: cip-members@lists.cip-project.org
<cip-members@lists.cip-project.org> On Behalf Of Hidehiro Kawai

Hello Kudo-san and ChenYu-san,

Thanks for reporting the issue.
Including nouveau driver, it seems that our defconfigs have some
unneeded drivers. I'm confirming this with our development team,
please wait a moment.

Best regards,

Hidehiro Kawai
Hitachi, Ltd. Research & Development Group

From: cip-dev@lists.cip-project.org
<cip-dev@lists.cip-project.org> On Behalf Of masashi.kudo@cybertrust.co.jp

Hi, Hitachi-team,

Last week, CVE-2020-27820 [drm/nouveau UAF] was reported by the
following email.
https://lore.kernel.org/cip-dev/CAGb2v641=SrfdDh9CS4fwWVrfuCG2O2oni9V_QsVJEza+g5mRg@mail.gmail.com/T/#u

According to the kernel team analysis, it seems that the nouveau
driver is enabled in hitachi_omap defconfigs for both 4.4 and 4.19.
However, the configs are for OMAP platforms which, according to our
understanding, don't have PCI for a graphics card.
So we think that the hitachi_omap defconfigs should be corrected to
disable the nouveau driver.

We could be wrong, so please advise us. Once you confirm it to be
corrected, we will go ahead to change it.
Best regards,
--
M. Kudo


i915 -- c784e5249e -- backporting

Pavel Machek
 

Hi!

I took a look at c784e5249e and it does not seem to be easy to
backport. Files are at different locations, defines it wants to change
have different values, ... I did not get anywhere.

Best regards,

Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: [cip-kernel-config][PATCH v2 1/2] 4.19.y-cip: Remove XEN guest support for siemens_ipc227e

Nobuhiro Iwamatsu
 

Hi Florian,

Thanks for your patch.
I applied this patch series.

Best regards,
Nobuhiro

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of florian.bezdeka@siemens.com
Sent: Wednesday, February 24, 2021 9:50 PM
To: cip-dev@lists.cip-project.org; pavel@denx.de
Cc: jan.kiszka@siemens.com; henning.schild@siemens.com; florian.bezdeka@siemens.com
Subject: [cip-dev][cip-kernel-config][PATCH v2 1/2] 4.19.y-cip: Remove XEN guest support for siemens_ipc227e

From: Florian Bezdeka <florian.bezdeka@siemens.com>

Remove XEN guest support which is not needed and helps to keep
maintenance simple.

Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
---

Changes in v2:
- resend due to local tooling problem


4.19.y-cip/x86/siemens_ipc227e_defconfig | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/4.19.y-cip/x86/siemens_ipc227e_defconfig b/4.19.y-cip/x86/siemens_ipc227e_defconfig
index 273d20e..5d069f0 100644
--- a/4.19.y-cip/x86/siemens_ipc227e_defconfig
+++ b/4.19.y-cip/x86/siemens_ipc227e_defconfig
@@ -43,8 +43,6 @@ CONFIG_X86_AMD_PLATFORM_DEVICE=y
CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_SPINLOCKS=y
-CONFIG_XEN=y
-CONFIG_XEN_PVH=y
CONFIG_GART_IOMMU=y
CONFIG_CALGARY_IOMMU=y
CONFIG_NR_CPUS=512
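Review bot: with CONFIG_XEN=y and CONFIG_XEN_PVH=y dropped, the context lines CONFIG_HYPERVISOR_GUEST=y, CONFIG_PARAVIRT=y and CONFIG_PARAVIRT_SPINLOCKS=y stay in place; if the IPC227E is never run as a guest of any hypervisor, those could be removed in the same change, and if KVM guest support is still wanted, one sentence in the commit message saying that only Xen is being removed would make the intent clear to future readers.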
@@ -86,7 +84,6 @@ CONFIG_INTEL_IDLE=y
CONFIG_PCIEPORTBUS=y
CONFIG_HOTPLUG_PCI_PCIE=y
CONFIG_PCI_REALLOC_ENABLE_AUTO=y
-# CONFIG_XEN_PCIDEV_FRONTEND is not set
CONFIG_PCI_IOV=y
CONFIG_HOTPLUG_PCI=y
CONFIG_HOTPLUG_PCI_ACPI=y
@@ -218,7 +215,6 @@ CONFIG_DEVTMPFS=y
CONFIG_CONNECTOR=y
# CONFIG_PNP_DEBUG_MESSAGES is not set
CONFIG_BLK_DEV_LOOP=m
-# CONFIG_XEN_BLKDEV_FRONTEND is not set
# CONFIG_SCSI_MQ_DEFAULT is not set
# CONFIG_SCSI_PROC_FS is not set
CONFIG_BLK_DEV_SD=m
@@ -255,7 +251,6 @@ CONFIG_FDDI=y
CONFIG_HIPPI=y
# CONFIG_USB_NET_DRIVERS is not set
CONFIG_WAN=y
-# CONFIG_XEN_NETDEV_FRONTEND is not set
CONFIG_FUJITSU_ES=m
CONFIG_ISDN=y
CONFIG_INPUT_MOUSEDEV=y
@@ -358,14 +353,6 @@ CONFIG_DMADEVICES=y
CONFIG_INTEL_IOATDMA=m
CONFIG_ASYNC_TX_DMA=y
CONFIG_VIRT_DRIVERS=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-# CONFIG_XEN_DEV_EVTCHN is not set
-# CONFIG_XENFS is not set
-# CONFIG_XEN_GNTDEV is not set
-# CONFIG_XEN_GRANT_DEV_ALLOC is not set
-# CONFIG_XEN_PCIDEV_BACKEND is not set
-# CONFIG_XEN_ACPI_PROCESSOR is not set
-CONFIG_XEN_MCE_LOG=y
CONFIG_STAGING=y
CONFIG_STAGING_MEDIA=y
CONFIG_CHROME_PLATFORMS=y
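Review bot: all eight removed CONFIG_XEN_* lines in this hunk (XEN_BALLOON_MEMORY_HOTPLUG, XEN_DEV_EVTCHN, XENFS, XEN_GNTDEV, XEN_GRANT_DEV_ALLOC, XEN_PCIDEV_BACKEND, XEN_ACPI_PROCESSOR, XEN_MCE_LOG) depend on CONFIG_XEN, so they become unreachable once the first hunk lands; stating in the commit message that the file was regenerated with `make savedefconfig` after turning CONFIG_XEN off would let a reviewer reproduce the whole diff instead of checking each line by hand.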
@@ -404,8 +391,8 @@ CONFIG_NFSD=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NLS_DEFAULT="utf8"
-CONFIG_NLS_ASCII=y
CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=y
CONFIG_NLS_UTF8=y
CONFIG_PERSISTENT_KEYRINGS=y
--
2.29.2


Re: hitachi_omap defconfigs

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi, Kawai-san,

It's been a while since we last chatted about this issue.
If it takes more time, shall we disable nouveau driver as you suggested?

Best regards,
--
M. Kudo

-----Original Message-----
From: 工藤 雅司(CTJ OSS事業推進室)
Sent: Friday, December 25, 2020 6:28 PM
To: 河合英宏 / KAWAI,HIDEHIRO <hidehiro.kawai.ez@hitachi.com>;
'wens@csie.org' <wens@csie.org>
Cc: cip-dev@lists.cip-project.org; cip-members@lists.cip-project.org
Subject: RE: hitachi_omap defconfigs

Hi, Kawai-san,

Thanks very much for letting us know the current status.
We will wait for your response, so I would appreciate it if you can keep us updated.

Best regards,
--
M. Kudo

-----Original Message-----
From: 河合英宏 / KAWAI,HIDEHIRO <hidehiro.kawai.ez@hitachi.com>
Sent: Friday, December 25, 2020 3:34 PM
To: 工藤 雅司(CTJ OSS事業推進室) <masashi.kudo@cybertrust.co.jp>;
'wens@csie.org' <wens@csie.org>
Cc: cip-dev@lists.cip-project.org; cip-members@lists.cip-project.org
Subject: RE: hitachi_omap defconfigs

Kudo-san and ChenYu-san,

We are sorry for the inconvenience. The confirmation will take some time.
If you'd like to solve this issue quickly, please disable nouveau driver now.
After the confirmation, we'll send an updated defconfig.

Best regards,

Hidehiro Kawai
Hitachi, Ltd. Research & Development Group

From: cip-members@lists.cip-project.org
<cip-members@lists.cip-project.org> On Behalf Of Hidehiro Kawai

Hello Kudo-san and ChenYu-san,

Thanks for reporting the issue.
Including nouveau driver, it seems that our defconfigs have some
unneeded drivers. I'm confirming this with our development team,
please wait a moment.

Best regards,

Hidehiro Kawai
Hitachi, Ltd. Research & Development Group

From: cip-dev@lists.cip-project.org
<cip-dev@lists.cip-project.org> On Behalf Of masashi.kudo@cybertrust.co.jp

Hi, Hitachi-team,

Last week, CVE-2020-27820 [drm/nouveau UAF] was reported by the
following email.
https://lore.kernel.org/cip-dev/CAGb2v641=SrfdDh9CS4fwWVrfuCG2O2oni9V_QsVJEza+g5mRg@mail.gmail.com/T/#u

According to the kernel team analysis, it seems that the nouveau
driver is enabled in hitachi_omap defconfigs for both 4.4 and 4.19.
However, the configs are for OMAP platforms which, according to our
understanding, don't have PCI for a graphics card.
So we think that the hitachi_omap defconfigs should be corrected to
disable the nouveau driver.

We could be wrong, so please advise us. Once you confirm it to be
corrected, we will go ahead to change it.
Best regards,
--
M. Kudo


Re: CIP IRC weekly meeting today

Kento Yoshida
 

Hello Kudo-san,

I cannot attend the IRC weekly meeting today due to a schedule conflict. Sorry for my absence, and there is no major update from SWG.

Best regards,
Kent

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
masashi.kudo@cybertrust.co.jp via lists.cip-project.org
Sent: Thursday, February 25, 2021 10:37 AM
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] CIP IRC weekly meeting today

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical
topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting
from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2021&month=2&day=25&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
01:00 04:00 9:00 10:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2021/02/cip.2021-02-18-09.00.log.html

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Do some experiment to lower burdens on CI - patersonc
3. Check hitachi_omap defconfigs wrt CVE-2020-27820 [drm/nouveau UAF] -
Hitachi-team

* Kernel maintenance updates
* Kernel testing
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes
sense and those involved in the topics can stay. Otherwise, the topic will be taken
offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


CIP IRC weekly meeting today

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2021&month=2&day=25&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
01:00 04:00 9:00 10:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2021/02/cip.2021-02-18-09.00.log.html

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Do some experiment to lower burdens on CI - patersonc
3. Check hitachi_omap defconfigs wrt CVE-2020-27820 [drm/nouveau UAF] - Hitachi-team

* Kernel maintenance updates
* Kernel testing
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


Cip-kernel-sec Updates for Week of 2021-02-25

Chen-Yu Tsai (Moxa) <wens@...>
 

Hi everyone,

Five new issues this week:
- CVE-2020-24502 [e810: local DoS] - out-of-tree?
- CVE-2020-24503 [e810: local information leak] - out-of-tree?
- CVE-2020-24504 [e810: local DoS] - out-of-tree?
- CVE-2020-35501 [auditd: open_by_handle_at not covered by file watch] - no fix
- CVE-2021-3411 [broken KRETPROBES on x86] - fixed

Regarding e810, the Intel advisory [1] seems to be referring to the
out-of-tree driver, of which version 1.0.4 was released on 7/14/2020.

Also, a bug was found in the Debian import script. The script was not
picking up fixes which spanned multiple stable kernel releases. This
has now been fixed and a re-import was attempted, though it may be
insufficient to fix all the data already in the repository.

Last, CVE-2020-12362, CVE-2020-12363, and CVE-2020-12364 are now known
to be fixed by a firmware update. However, to use the new firmware, a
kernel patch [2] is required.


Regards
ChenYu

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00462.html
[2] https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26


Re: Cip-kernel-sec Updates for Week of 2021-02-11

Chen-Yu Tsai (Moxa) <wens@...>
 

Hi,

On Thu, Feb 11, 2021 at 4:50 PM Chen-Yu Tsai <wens@csie.org> wrote:
>
> Hi everyone,
>
> Six new issues this week:
> - CVE-2020-12362, CVE-2020-12363, CVE-2020-12364:
> CVEs from Intel Advisory affecting Intel Graphics Driver. Details unknown

So the fix for these three is a firmware update. However, to use the newer
firmware, a kernel patch [1] is required.

Not sure how we should mark this in our repository... ignore or fixed by
said patch?


Thanks
ChenYu

[1] https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26

> - CVE-2021-20194 [bpf heap overflow] - fixed for relevant kernels
> - CVE-2021-20226 [io_uring UAF] - likely a duplicate of
> CVE-2020-29534, already fixed
> - CVE-2021-26708 [AF_VSOCK: local priv. escalation] - fixed for relevant kernels
>
> Additionally, CVE-2021-3347 is fixed for 4.4 and 4.9.
> I still need to match patches for 4.4 against 4.9, but it looks like
> the fixes are there.
>
>
> Regards
> ChenYu


Re: Cip-kernel-sec Updates for Week of 2021-02-11

Chen-Yu Tsai (Moxa) <wens@...>
 

Hi,

On Thu, Feb 11, 2021 at 7:39 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > Six new issues this week:
> > - CVE-2020-12362, CVE-2020-12363, CVE-2020-12364:
> > CVEs from Intel Advisory affecting Intel Graphics Driver. Details
> > unknown
>
> It seems there's more for the intel graphics, but it is not mentioned
> in our repository. OTOH trailer there that these are rather old
> issues, fixed in 5.5...

Looks like CVE-2020-0544 and CVE-2020-0521 are for Windows. Debian lists
them as such [1][2]. Seems the Intel advisory directly refers to Linux
drivers by kernel version. Any other version string likely refers to
the Windows drivers.


ChenYu

[1] https://security-tracker.debian.org/tracker/CVE-2020-0521
[2] https://security-tracker.debian.org/tracker/CVE-2020-0544

> Best regards,
> Pavel
>
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
>
> CVEID: CVE-2020-0544
>
> Description: Insufficient control flow management in the kernel mode
> driver for some Intel(R) Graphics Drivers before version 15.36.39.5145
> may allow an authenticated user to potentially enable escalation of
> privilege via local access.
>
> CVSS Base Score: 8.8 High
>
> CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
>
>
>
> CVEID: CVE-2020-0521
>
> Description: Insufficient control flow management in some Intel(R)
> Graphics Drivers before version 15.45.32.5145 may allow an
> authenticated user to potentially enable escalation of privilege via
> local access.
>
> CVSS Base Score: 7.7 High
>
> CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
>
> ...
>
> Affected Products:
> Intel® Graphics Drivers for 3rd, 4th, 5th, 6th, 7th, 8th, 9th and 10th
> Generation Intel® Processors for Windows* 7, 8.1 and 10 before
> versions 15.33.51.5146, 15.36.39.5145, 15.40.46.5144, 15.45.32.5164,
> 26.20.100.8141, 27.20.100.8587 and Intel® Graphics Drivers for Linux
> before Linux kernel version 5.5.
>
> Best regards,
> Pavel
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


[cip-kernel-config][PATCH v2 2/2] 5.10.y-cip: Removing XEN guest support for siemens_ipc227e

florian.bezdeka@siemens.com
 

From: Florian Bezdeka <florian.bezdeka@siemens.com>

Remove XEN guest support which is not needed and helps to keep
maintenance simple.

There are some relocations because this file was based on a 4.19
defconfig before.

Notable changes:
- CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND
Depends on: <choice> && (!X86_INTEL_PSTATE [=y] || !SMP [=y])
Dependencies are no longer fulfilled, so no longer enabled

- CONFIG_IA32_AOUT
Depends on: IA32_EMULATION [=y] && BROKEN [=n]
Dependencies are no longer fulfilled, so no longer enabled

- CONFIG_PCIEAER is now set to "y", CONFIG_ACPI_APEI_PCIEAER needs it
and was already part of the defconfig

Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
---

Changes in v2:
- resend due to local tooling problem

5.10.y-cip/x86/siemens_ipc227e_defconfig | 69 ++++++------------------
1 file changed, 17 insertions(+), 52 deletions(-)

diff --git a/5.10.y-cip/x86/siemens_ipc227e_defconfig b/5.10.y-cip/x86/siemens_ipc227e_defconfig
index 83cc71c..6a0b67e 100644
--- a/5.10.y-cip/x86/siemens_ipc227e_defconfig
+++ b/5.10.y-cip/x86/siemens_ipc227e_defconfig
@@ -14,7 +14,6 @@ CONFIG_IKCONFIG_PROC=y
CONFIG_NUMA_BALANCING=y
# CONFIG_NUMA_BALANCING_DEFAULT_ENABLED is not set
CONFIG_MEMCG=y
-CONFIG_MEMCG_SWAP=y
CONFIG_BLK_CGROUP=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_CGROUP_PIDS=y
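Review bot: the drop of CONFIG_MEMCG_SWAP=y is neither Xen-related nor one of the relocations the message describes, and it is not in the "Notable changes" list; if the line disappears because the option became the default in 5.10 once CONFIG_MEMCG and swap are enabled, please say so in the message, since otherwise a reader cannot tell an intended removal from a savedefconfig artifact.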
@@ -43,22 +42,17 @@ CONFIG_X86_AMD_PLATFORM_DEVICE=y
CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_SPINLOCKS=y
-CONFIG_XEN=y
-CONFIG_XEN_PVH=y
CONFIG_GART_IOMMU=y
-CONFIG_CALGARY_IOMMU=y
CONFIG_NR_CPUS=512
CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
CONFIG_MICROCODE_AMD=y
CONFIG_NUMA=y
CONFIG_NUMA_EMU=y
-CONFIG_X86_INTEL_MPX=y
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_MIXED=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
-CONFIG_KEXEC_VERIFY_SIG=y
CONFIG_CRASH_DUMP=y
CONFIG_LIVEPATCH=y
CONFIG_HIBERNATION=y
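Review bot: CONFIG_KEXEC_VERIFY_SIG=y is removed in this hunk without a replacement. In 5.10 that option is called CONFIG_KEXEC_SIG (the rename landed in the 5.4 cycle), so dropping the old line silently loses kernel-image signature verification for kexec_file_load on a defconfig that previously asked for it; this needs either `CONFIG_KEXEC_SIG=y` (plus `CONFIG_KEXEC_SIG_FORCE=y` if unsigned images must never be accepted) or an explicit "Notable changes" entry explaining why the verification is no longer wanted. CONFIG_CALGARY_IOMMU and CONFIG_X86_INTEL_MPX in the same hunk appear to be symbols that no longer exist in 5.10, which is fine but also deserves a line in the message.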
@@ -80,19 +74,9 @@ CONFIG_ACPI_APEI_MEMORY_FAILURE=y
CONFIG_ACPI_EXTLOG=y
CONFIG_SFI=y
CONFIG_CPU_FREQ_STAT=y
-CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
CONFIG_CPU_IDLE_GOV_LADDER=y
CONFIG_INTEL_IDLE=y
-CONFIG_PCIEPORTBUS=y
-CONFIG_HOTPLUG_PCI_PCIE=y
-CONFIG_PCI_REALLOC_ENABLE_AUTO=y
-# CONFIG_XEN_PCIDEV_FRONTEND is not set
-CONFIG_PCI_IOV=y
-CONFIG_HOTPLUG_PCI=y
-CONFIG_HOTPLUG_PCI_ACPI=y
-CONFIG_HOTPLUG_PCI_CPCI=y
CONFIG_IA32_EMULATION=y
-CONFIG_IA32_AOUT=y
CONFIG_X86_X32=y
CONFIG_DMI_SYSFS=y
CONFIG_EFI_VARS=m
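Review bot: the removals of CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND and CONFIG_IA32_AOUT match the "Notable changes" entries and the PCI block only moves, so nothing is missing here; one point worth adding to the message is that dropping IA32_AOUT also removes a legacy binary loader from the 32-bit compat path, which is a small attack-surface reduction in its own right and not merely a dependency fallout.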
@@ -105,6 +89,7 @@ CONFIG_MODULE_FORCE_LOAD=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODVERSIONS=y
+# CONFIG_UNUSED_SYMBOLS is not set
CONFIG_BLK_DEV_BSGLIB=y
CONFIG_BLK_DEV_INTEGRITY=y
CONFIG_BLK_DEV_THROTTLING=y
@@ -125,7 +110,6 @@ CONFIG_SGI_PARTITION=y
CONFIG_ULTRIX_PARTITION=y
CONFIG_SUN_PARTITION=y
CONFIG_KARMA_PARTITION=y
-CONFIG_CFQ_GROUP_IOSCHED=y
CONFIG_MEMORY_HOTPLUG=y
CONFIG_MEMORY_HOTREMOVE=y
CONFIG_KSM=y
@@ -136,7 +120,6 @@ CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
CONFIG_FRONTSWAP=y
CONFIG_MEM_SOFT_DIRTY=y
CONFIG_ZSWAP=y
-CONFIG_ZBUD=y
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_UNIX=y
@@ -159,9 +142,6 @@ CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_SYN_COOKIES=y
-# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
-# CONFIG_INET_XFRM_MODE_TUNNEL is not set
-# CONFIG_INET_XFRM_MODE_BEET is not set
# CONFIG_INET_DIAG is not set
CONFIG_TCP_CONG_ADVANCED=y
# CONFIG_TCP_CONG_BIC is not set
@@ -172,9 +152,6 @@ CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=y
-# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
-# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
-# CONFIG_INET6_XFRM_MODE_BEET is not set
# CONFIG_IPV6_SIT is not set
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
@@ -213,13 +190,19 @@ CONFIG_CGROUP_NET_PRIO=y
CONFIG_BPF_JIT=y
CONFIG_HAMRADIO=y
CONFIG_LWTUNNEL=y
-# CONFIG_UEVENT_HELPER is not set
+CONFIG_PCI=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_HOTPLUG_PCI_PCIE=y
+CONFIG_PCIEAER=y
+CONFIG_PCI_REALLOC_ENABLE_AUTO=y
+CONFIG_PCI_IOV=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HOTPLUG_PCI_ACPI=y
+CONFIG_HOTPLUG_PCI_CPCI=y
CONFIG_DEVTMPFS=y
CONFIG_CONNECTOR=y
# CONFIG_PNP_DEBUG_MESSAGES is not set
CONFIG_BLK_DEV_LOOP=m
-# CONFIG_XEN_BLKDEV_FRONTEND is not set
-# CONFIG_SCSI_MQ_DEFAULT is not set
# CONFIG_SCSI_PROC_FS is not set
CONFIG_BLK_DEV_SD=m
CONFIG_CHR_DEV_SG=m
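Review bot: `# CONFIG_UEVENT_HELPER is not set` is dropped in this hunk while the CONFIG_PCI/PCIe lines are relocated; the CONFIG_PCIEAER=y addition is covered by the message, but the UEVENT_HELPER drop is not. If the option defaults to off in 5.10 the line was redundant and this is harmless; if it does not, the change re-enables the legacy /sbin/hotplug helper, which a hardening-minded reviewer would want stated explicitly, so please confirm with `make olddefconfig` and note the outcome.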
@@ -249,14 +232,12 @@ CONFIG_VETH=m
# CONFIG_NET_VENDOR_ARC is not set
# CONFIG_NET_VENDOR_AURORA is not set
CONFIG_NET_TULIP=y
-CONFIG_PCI=y
CONFIG_IGB=y
# CONFIG_NET_VENDOR_SEEQ is not set
CONFIG_FDDI=y
CONFIG_HIPPI=y
# CONFIG_USB_NET_DRIVERS is not set
CONFIG_WAN=y
-# CONFIG_XEN_NETDEV_FRONTEND is not set
CONFIG_FUJITSU_ES=m
CONFIG_ISDN=y
CONFIG_INPUT_MOUSEDEV=y
@@ -274,7 +255,6 @@ CONFIG_INPUT_PCSPKR=m
# CONFIG_SERIO_SERPORT is not set
CONFIG_SERIO_RAW=m
# CONFIG_LEGACY_PTYS is not set
-CONFIG_SERIAL_NONSTANDARD=y
CONFIG_SERIAL_8250=y
# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set
CONFIG_SERIAL_8250_FINTEK=y
@@ -285,6 +265,7 @@ CONFIG_SERIAL_8250_MANY_PORTS=y
CONFIG_SERIAL_8250_SHARE_IRQ=y
CONFIG_SERIAL_8250_RSA=y
CONFIG_SERIAL_8250_DW=y
+CONFIG_SERIAL_NONSTANDARD=y
# CONFIG_HW_RANDOM is not set
CONFIG_HPET=y
CONFIG_I2C_I801=m
@@ -321,9 +302,7 @@ CONFIG_FB_MODE_HELPERS=y
CONFIG_FB_TILEBLITTING=y
CONFIG_FB_VESA=y
CONFIG_FB_EFI=y
-# CONFIG_LCD_CLASS_DEVICE is not set
CONFIG_BACKLIGHT_CLASS_DEVICE=y
-# CONFIG_BACKLIGHT_GENERIC is not set
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
CONFIG_SOUND=m
@@ -333,9 +312,9 @@ CONFIG_SND_HDA_HWDEP=y
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_PATCH_LOADER=y
CONFIG_SND_HDA_CODEC_HDMI=m
-CONFIG_SND_HDA_PREALLOC_SIZE=2048
CONFIG_HID=m
CONFIG_HID_PID=y
+CONFIG_USB_LED_TRIG=y
CONFIG_USB=m
CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
CONFIG_USB_DYNAMIC_MINORS=y
@@ -345,7 +324,6 @@ CONFIG_USB_EHCI_ROOT_HUB_TT=y
CONFIG_USB_STORAGE=m
CONFIG_USB_UAS=m
CONFIG_USB_GADGET=m
-CONFIG_USB_LED_TRIG=y
CONFIG_NEW_LEDS=y
CONFIG_LEDS_CLASS=y
CONFIG_LEDS_TRIGGERS=y
@@ -359,14 +337,6 @@ CONFIG_DMADEVICES=y
CONFIG_INTEL_IOATDMA=m
CONFIG_ASYNC_TX_DMA=y
CONFIG_VIRT_DRIVERS=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-# CONFIG_XEN_DEV_EVTCHN is not set
-# CONFIG_XENFS is not set
-# CONFIG_XEN_GNTDEV is not set
-# CONFIG_XEN_GRANT_DEV_ALLOC is not set
-# CONFIG_XEN_PCIDEV_BACKEND is not set
-# CONFIG_XEN_ACPI_PROCESSOR is not set
-CONFIG_XEN_MCE_LOG=y
CONFIG_STAGING=y
CONFIG_STAGING_MEDIA=y
CONFIG_CHROME_PLATFORMS=y
@@ -405,8 +375,8 @@ CONFIG_NFSD=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NLS_DEFAULT="utf8"
-CONFIG_NLS_ASCII=y
CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=y
CONFIG_NLS_UTF8=y
CONFIG_PERSISTENT_KEYRINGS=y
@@ -423,11 +393,9 @@ CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_APPRAISE=y
CONFIG_DEFAULT_SECURITY_DAC=y
# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
-# CONFIG_CRYPTO_ECHAINIV is not set
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_CRC32_PCLMUL=m
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
-CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
CONFIG_CRYPTO_DEV_CCP=y
# CONFIG_CRYPTO_DEV_CCP_DD is not set
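Review bot: CONFIG_CRYPTO_SHA256=y is dropped while CONFIG_IMA_DEFAULT_HASH_SHA256=y stays in the context lines, and IMA's SHA256 default depends on CRYPTO_SHA256 being built in. If the line vanished only because another enabled option now pulls it in (on x86 in 5.10 CONFIG_KEXEC_FILE selects CRYPTO_SHA256), the result is equivalent, but please confirm that the regenerated .config still contains CONFIG_CRYPTO_SHA256=y, since losing the IMA default hash would weaken appraisal without any visible error.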
@@ -441,23 +409,20 @@ CONFIG_BOOT_PRINTK_DELAY=y
CONFIG_DYNAMIC_DEBUG=y
CONFIG_DEBUG_INFO=y
CONFIG_STRIP_ASM_SYMS=y
-# CONFIG_UNUSED_SYMBOLS is not set
CONFIG_MAGIC_SYSRQ=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6
CONFIG_PAGE_EXTENSION=y
CONFIG_PAGE_POISONING=y
+CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_MEMORY_INIT=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_SCHEDSTATS=y
-CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_LIST=y
# CONFIG_RCU_TRACE is not set
+CONFIG_STACK_TRACER=y
+CONFIG_MMIOTRACE=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_TRACER_SNAPSHOT=y
-CONFIG_STACK_TRACER=y
CONFIG_BLK_DEV_IO_TRACE=y
-CONFIG_MMIOTRACE=y
-CONFIG_MEMTEST=y
# CONFIG_X86_VERBOSE_BOOTUP is not set
-CONFIG_EARLY_PRINTK_EFI=y
-CONFIG_OPTIMIZE_INLINING=y
+CONFIG_MEMTEST=y
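Review bot: CONFIG_EARLY_PRINTK_EFI=y and CONFIG_OPTIMIZE_INLINING=y disappear in this hunk. OPTIMIZE_INLINING was removed as a Kconfig symbol before 5.10 (the behaviour is now always on), so that drop is expected, but EARLY_PRINTK_EFI still exists in 5.10; its removal should be explained in the message (for example, because its CONFIG_EARLY_PRINTK dependency is not satisfied in this file) or reverted. The CONFIG_MEMTEST, CONFIG_STACK_TRACER, CONFIG_MMIOTRACE and CONFIG_SCHED_STACK_END_CHECK movements are pure reordering and need no comment.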
--
2.29.2


[cip-kernel-config][PATCH v2 1/2] 4.19.y-cip: Remove XEN guest support for siemens_ipc227e

florian.bezdeka@siemens.com
 

From: Florian Bezdeka <florian.bezdeka@siemens.com>

Remove XEN guest support which is not needed and helps to keep
maintenance simple.

Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
---

Changes in v2:
- resend due to local tooling problem


4.19.y-cip/x86/siemens_ipc227e_defconfig | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/4.19.y-cip/x86/siemens_ipc227e_defconfig b/4.19.y-cip/x86/siemens_ipc227e_defconfig
index 273d20e..5d069f0 100644
--- a/4.19.y-cip/x86/siemens_ipc227e_defconfig
+++ b/4.19.y-cip/x86/siemens_ipc227e_defconfig
@@ -43,8 +43,6 @@ CONFIG_X86_AMD_PLATFORM_DEVICE=y
CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_SPINLOCKS=y
-CONFIG_XEN=y
-CONFIG_XEN_PVH=y
CONFIG_GART_IOMMU=y
CONFIG_CALGARY_IOMMU=y
CONFIG_NR_CPUS=512
@@ -86,7 +84,6 @@ CONFIG_INTEL_IDLE=y
CONFIG_PCIEPORTBUS=y
CONFIG_HOTPLUG_PCI_PCIE=y
CONFIG_PCI_REALLOC_ENABLE_AUTO=y
-# CONFIG_XEN_PCIDEV_FRONTEND is not set
CONFIG_PCI_IOV=y
CONFIG_HOTPLUG_PCI=y
CONFIG_HOTPLUG_PCI_ACPI=y
@@ -218,7 +215,6 @@ CONFIG_DEVTMPFS=y
CONFIG_CONNECTOR=y
# CONFIG_PNP_DEBUG_MESSAGES is not set
CONFIG_BLK_DEV_LOOP=m
-# CONFIG_XEN_BLKDEV_FRONTEND is not set
# CONFIG_SCSI_MQ_DEFAULT is not set
# CONFIG_SCSI_PROC_FS is not set
CONFIG_BLK_DEV_SD=m
@@ -255,7 +251,6 @@ CONFIG_FDDI=y
CONFIG_HIPPI=y
# CONFIG_USB_NET_DRIVERS is not set
CONFIG_WAN=y
-# CONFIG_XEN_NETDEV_FRONTEND is not set
CONFIG_FUJITSU_ES=m
CONFIG_ISDN=y
CONFIG_INPUT_MOUSEDEV=y
@@ -358,14 +353,6 @@ CONFIG_DMADEVICES=y
CONFIG_INTEL_IOATDMA=m
CONFIG_ASYNC_TX_DMA=y
CONFIG_VIRT_DRIVERS=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-# CONFIG_XEN_DEV_EVTCHN is not set
-# CONFIG_XENFS is not set
-# CONFIG_XEN_GNTDEV is not set
-# CONFIG_XEN_GRANT_DEV_ALLOC is not set
-# CONFIG_XEN_PCIDEV_BACKEND is not set
-# CONFIG_XEN_ACPI_PROCESSOR is not set
-CONFIG_XEN_MCE_LOG=y
CONFIG_STAGING=y
CONFIG_STAGING_MEDIA=y
CONFIG_CHROME_PLATFORMS=y
@@ -404,8 +391,8 @@ CONFIG_NFSD=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NLS_DEFAULT="utf8"
-CONFIG_NLS_ASCII=y
CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=y
CONFIG_NLS_UTF8=y
CONFIG_PERSISTENT_KEYRINGS=y
--
2.29.2


[cip-kernel-config] 2/2] 5.10.y-cip: Removing XEN guest support for siemens_ipc227e

florian.bezdeka@siemens.com
 

From: Florian Bezdeka <florian.bezdeka@siemens.com>

Remove XEN guest support which is not needed and helps to keep
maintenance simple.

There are some relocations because this file was based on a 4.19
defconfig before.

Notable changes:
- CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND
Depends on: <choice> && (!X86_INTEL_PSTATE [=y] || !SMP [=y])
Dependencies are no longer fulfilled, so no longer enabled

- CONFIG_IA32_AOUT
Depends on: IA32_EMULATION [=y] && BROKEN [=n]
Dependencies are no longer fulfilled, so no longer enabled

- CONFIG_PCIEAER is now set to "y", CONFIG_ACPI_APEI_PCIEAER needs it
and was already part of the defconfig

Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
---
5.10.y-cip/x86/siemens_ipc227e_defconfig | 69 ++++++------------------
1 file changed, 17 insertions(+), 52 deletions(-)

diff --git a/5.10.y-cip/x86/siemens_ipc227e_defconfig b/5.10.y-cip/x86/siemens_ipc227e_defconfig
index 83cc71c..6a0b67e 100644
--- a/5.10.y-cip/x86/siemens_ipc227e_defconfig
+++ b/5.10.y-cip/x86/siemens_ipc227e_defconfig
@@ -14,7 +14,6 @@ CONFIG_IKCONFIG_PROC=y
CONFIG_NUMA_BALANCING=y
# CONFIG_NUMA_BALANCING_DEFAULT_ENABLED is not set
CONFIG_MEMCG=y
-CONFIG_MEMCG_SWAP=y
CONFIG_BLK_CGROUP=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_CGROUP_PIDS=y
@@ -43,22 +42,17 @@ CONFIG_X86_AMD_PLATFORM_DEVICE=y
CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_SPINLOCKS=y
-CONFIG_XEN=y
-CONFIG_XEN_PVH=y
CONFIG_GART_IOMMU=y
-CONFIG_CALGARY_IOMMU=y
CONFIG_NR_CPUS=512
CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
CONFIG_MICROCODE_AMD=y
CONFIG_NUMA=y
CONFIG_NUMA_EMU=y
-CONFIG_X86_INTEL_MPX=y
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_MIXED=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
-CONFIG_KEXEC_VERIFY_SIG=y
CONFIG_CRASH_DUMP=y
CONFIG_LIVEPATCH=y
CONFIG_HIBERNATION=y
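Review bot: the removal of CONFIG_KEXEC_VERIFY_SIG=y in this hunk is not listed under "Notable changes" and is security-relevant on its own: in 5.x kernels that symbol was renamed to CONFIG_KEXEC_SIG (with CONFIG_KEXEC_SIG_FORCE for enforcement), so dropping the old line leaves kexec_file loads without signature verification unless CONFIG_KEXEC_SIG=y is set elsewhere. Since CONFIG_KEXEC_FILE=y and CONFIG_CRASH_DUMP=y remain in the context lines, suggest adding CONFIG_KEXEC_SIG=y and stating the decision in the commit message so the 4.19 behaviour of verifying kexec images is preserved.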
@@ -80,19 +74,9 @@ CONFIG_ACPI_APEI_MEMORY_FAILURE=y
CONFIG_ACPI_EXTLOG=y
CONFIG_SFI=y
CONFIG_CPU_FREQ_STAT=y
-CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
CONFIG_CPU_IDLE_GOV_LADDER=y
CONFIG_INTEL_IDLE=y
-CONFIG_PCIEPORTBUS=y
-CONFIG_HOTPLUG_PCI_PCIE=y
-CONFIG_PCI_REALLOC_ENABLE_AUTO=y
-# CONFIG_XEN_PCIDEV_FRONTEND is not set
-CONFIG_PCI_IOV=y
-CONFIG_HOTPLUG_PCI=y
-CONFIG_HOTPLUG_PCI_ACPI=y
-CONFIG_HOTPLUG_PCI_CPCI=y
CONFIG_IA32_EMULATION=y
-CONFIG_IA32_AOUT=y
CONFIG_X86_X32=y
CONFIG_DMI_SYSFS=y
CONFIG_EFI_VARS=m
@@ -105,6 +89,7 @@ CONFIG_MODULE_FORCE_LOAD=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODVERSIONS=y
+# CONFIG_UNUSED_SYMBOLS is not set
CONFIG_BLK_DEV_BSGLIB=y
CONFIG_BLK_DEV_INTEGRITY=y
CONFIG_BLK_DEV_THROTTLING=y
@@ -125,7 +110,6 @@ CONFIG_SGI_PARTITION=y
CONFIG_ULTRIX_PARTITION=y
CONFIG_SUN_PARTITION=y
CONFIG_KARMA_PARTITION=y
-CONFIG_CFQ_GROUP_IOSCHED=y
CONFIG_MEMORY_HOTPLUG=y
CONFIG_MEMORY_HOTREMOVE=y
CONFIG_KSM=y
@@ -136,7 +120,6 @@ CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
CONFIG_FRONTSWAP=y
CONFIG_MEM_SOFT_DIRTY=y
CONFIG_ZSWAP=y
-CONFIG_ZBUD=y
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_UNIX=y
@@ -159,9 +142,6 @@ CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_SYN_COOKIES=y
-# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
-# CONFIG_INET_XFRM_MODE_TUNNEL is not set
-# CONFIG_INET_XFRM_MODE_BEET is not set
# CONFIG_INET_DIAG is not set
CONFIG_TCP_CONG_ADVANCED=y
# CONFIG_TCP_CONG_BIC is not set
@@ -172,9 +152,6 @@ CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=y
-# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
-# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
-# CONFIG_INET6_XFRM_MODE_BEET is not set
# CONFIG_IPV6_SIT is not set
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
@@ -213,13 +190,19 @@ CONFIG_CGROUP_NET_PRIO=y
CONFIG_BPF_JIT=y
CONFIG_HAMRADIO=y
CONFIG_LWTUNNEL=y
-# CONFIG_UEVENT_HELPER is not set
+CONFIG_PCI=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_HOTPLUG_PCI_PCIE=y
+CONFIG_PCIEAER=y
+CONFIG_PCI_REALLOC_ENABLE_AUTO=y
+CONFIG_PCI_IOV=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HOTPLUG_PCI_ACPI=y
+CONFIG_HOTPLUG_PCI_CPCI=y
CONFIG_DEVTMPFS=y
CONFIG_CONNECTOR=y
# CONFIG_PNP_DEBUG_MESSAGES is not set
CONFIG_BLK_DEV_LOOP=m
-# CONFIG_XEN_BLKDEV_FRONTEND is not set
-# CONFIG_SCSI_MQ_DEFAULT is not set
# CONFIG_SCSI_PROC_FS is not set
CONFIG_BLK_DEV_SD=m
CONFIG_CHR_DEV_SG=m
@@ -249,14 +232,12 @@ CONFIG_VETH=m
# CONFIG_NET_VENDOR_ARC is not set
# CONFIG_NET_VENDOR_AURORA is not set
CONFIG_NET_TULIP=y
-CONFIG_PCI=y
CONFIG_IGB=y
# CONFIG_NET_VENDOR_SEEQ is not set
CONFIG_FDDI=y
CONFIG_HIPPI=y
# CONFIG_USB_NET_DRIVERS is not set
CONFIG_WAN=y
-# CONFIG_XEN_NETDEV_FRONTEND is not set
CONFIG_FUJITSU_ES=m
CONFIG_ISDN=y
CONFIG_INPUT_MOUSEDEV=y
@@ -274,7 +255,6 @@ CONFIG_INPUT_PCSPKR=m
# CONFIG_SERIO_SERPORT is not set
CONFIG_SERIO_RAW=m
# CONFIG_LEGACY_PTYS is not set
-CONFIG_SERIAL_NONSTANDARD=y
CONFIG_SERIAL_8250=y
# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set
CONFIG_SERIAL_8250_FINTEK=y
@@ -285,6 +265,7 @@ CONFIG_SERIAL_8250_MANY_PORTS=y
CONFIG_SERIAL_8250_SHARE_IRQ=y
CONFIG_SERIAL_8250_RSA=y
CONFIG_SERIAL_8250_DW=y
+CONFIG_SERIAL_NONSTANDARD=y
# CONFIG_HW_RANDOM is not set
CONFIG_HPET=y
CONFIG_I2C_I801=m
@@ -321,9 +302,7 @@ CONFIG_FB_MODE_HELPERS=y
CONFIG_FB_TILEBLITTING=y
CONFIG_FB_VESA=y
CONFIG_FB_EFI=y
-# CONFIG_LCD_CLASS_DEVICE is not set
CONFIG_BACKLIGHT_CLASS_DEVICE=y
-# CONFIG_BACKLIGHT_GENERIC is not set
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
CONFIG_SOUND=m
@@ -333,9 +312,9 @@ CONFIG_SND_HDA_HWDEP=y
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_PATCH_LOADER=y
CONFIG_SND_HDA_CODEC_HDMI=m
-CONFIG_SND_HDA_PREALLOC_SIZE=2048
CONFIG_HID=m
CONFIG_HID_PID=y
+CONFIG_USB_LED_TRIG=y
CONFIG_USB=m
CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
CONFIG_USB_DYNAMIC_MINORS=y
@@ -345,7 +324,6 @@ CONFIG_USB_EHCI_ROOT_HUB_TT=y
CONFIG_USB_STORAGE=m
CONFIG_USB_UAS=m
CONFIG_USB_GADGET=m
-CONFIG_USB_LED_TRIG=y
CONFIG_NEW_LEDS=y
CONFIG_LEDS_CLASS=y
CONFIG_LEDS_TRIGGERS=y
@@ -359,14 +337,6 @@ CONFIG_DMADEVICES=y
CONFIG_INTEL_IOATDMA=m
CONFIG_ASYNC_TX_DMA=y
CONFIG_VIRT_DRIVERS=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-# CONFIG_XEN_DEV_EVTCHN is not set
-# CONFIG_XENFS is not set
-# CONFIG_XEN_GNTDEV is not set
-# CONFIG_XEN_GRANT_DEV_ALLOC is not set
-# CONFIG_XEN_PCIDEV_BACKEND is not set
-# CONFIG_XEN_ACPI_PROCESSOR is not set
-CONFIG_XEN_MCE_LOG=y
CONFIG_STAGING=y
CONFIG_STAGING_MEDIA=y
CONFIG_CHROME_PLATFORMS=y
@@ -405,8 +375,8 @@ CONFIG_NFSD=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NLS_DEFAULT="utf8"
-CONFIG_NLS_ASCII=y
CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=y
CONFIG_NLS_UTF8=y
CONFIG_PERSISTENT_KEYRINGS=y
@@ -423,11 +393,9 @@ CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_APPRAISE=y
CONFIG_DEFAULT_SECURITY_DAC=y
# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
-# CONFIG_CRYPTO_ECHAINIV is not set
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_CRC32_PCLMUL=m
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
-CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
CONFIG_CRYPTO_DEV_CCP=y
# CONFIG_CRYPTO_DEV_CCP_DD is not set
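Review bot: CONFIG_CRYPTO_SHA256=y is dropped here without mention in the commit message, while the context line CONFIG_IMA_DEFAULT_HASH_SHA256=y depends on CRYPTO_SHA256 being built in. Please confirm in the commit message that the generated .config still contains CONFIG_CRYPTO_SHA256=y through a select (i.e. that this is a savedefconfig cleanup and not a change of the IMA hash), and likewise note why "# CONFIG_CRYPTO_ECHAINIV is not set" can go.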
@@ -441,23 +409,20 @@ CONFIG_BOOT_PRINTK_DELAY=y
CONFIG_DYNAMIC_DEBUG=y
CONFIG_DEBUG_INFO=y
CONFIG_STRIP_ASM_SYMS=y
-# CONFIG_UNUSED_SYMBOLS is not set
CONFIG_MAGIC_SYSRQ=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6
CONFIG_PAGE_EXTENSION=y
CONFIG_PAGE_POISONING=y
+CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_MEMORY_INIT=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_SCHEDSTATS=y
-CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_LIST=y
# CONFIG_RCU_TRACE is not set
+CONFIG_STACK_TRACER=y
+CONFIG_MMIOTRACE=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_TRACER_SNAPSHOT=y
-CONFIG_STACK_TRACER=y
CONFIG_BLK_DEV_IO_TRACE=y
-CONFIG_MMIOTRACE=y
-CONFIG_MEMTEST=y
# CONFIG_X86_VERBOSE_BOOTUP is not set
-CONFIG_EARLY_PRINTK_EFI=y
-CONFIG_OPTIMIZE_INLINING=y
+CONFIG_MEMTEST=y
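Review bot: besides reordering, this hunk drops CONFIG_EARLY_PRINTK_EFI=y and CONFIG_OPTIMIZE_INLINING=y, neither of which appears under "Notable changes". CONFIG_OPTIMIZE_INLINING no longer exists as a Kconfig symbol in 5.10, so that drop is expected, but CONFIG_EARLY_PRINTK_EFI still does; please state in the commit message whether it was dropped because its dependencies are no longer met (as done for the other two options) or deliberately disabled, since it affects early console output on the EFI-booted target.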
--
2.29.2


[cip-kernel-config] 1/2] 4.19.y-cip: Remove XEN guest support for siemens_ipc227e

florian.bezdeka@siemens.com
 

From: Florian Bezdeka <florian.bezdeka@siemens.com>

Remove XEN guest support which is not needed and helps to keep
maintenance simple.

Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
---
4.19.y-cip/x86/siemens_ipc227e_defconfig | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/4.19.y-cip/x86/siemens_ipc227e_defconfig b/4.19.y-cip/x86/siemens_ipc227e_defconfig
index 273d20e..5d069f0 100644
--- a/4.19.y-cip/x86/siemens_ipc227e_defconfig
+++ b/4.19.y-cip/x86/siemens_ipc227e_defconfig
@@ -43,8 +43,6 @@ CONFIG_X86_AMD_PLATFORM_DEVICE=y
CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_SPINLOCKS=y
-CONFIG_XEN=y
-CONFIG_XEN_PVH=y
CONFIG_GART_IOMMU=y
CONFIG_CALGARY_IOMMU=y
CONFIG_NR_CPUS=512
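Review bot: after dropping CONFIG_XEN=y and CONFIG_XEN_PVH=y this hunk keeps CONFIG_HYPERVISOR_GUEST=y, CONFIG_PARAVIRT=y and CONFIG_PARAVIRT_SPINLOCKS=y. The commit message says only that Xen guest support is not needed; please state whether other guest support (e.g. KVM paravirt) is still wanted on the IPC227E, otherwise these three could be dropped as well so that no guest-only code is built into a bare-metal kernel.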
@@ -86,7 +84,6 @@ CONFIG_INTEL_IDLE=y
CONFIG_PCIEPORTBUS=y
CONFIG_HOTPLUG_PCI_PCIE=y
CONFIG_PCI_REALLOC_ENABLE_AUTO=y
-# CONFIG_XEN_PCIDEV_FRONTEND is not set
CONFIG_PCI_IOV=y
CONFIG_HOTPLUG_PCI=y
CONFIG_HOTPLUG_PCI_ACPI=y
@@ -218,7 +215,6 @@ CONFIG_DEVTMPFS=y
CONFIG_CONNECTOR=y
# CONFIG_PNP_DEBUG_MESSAGES is not set
CONFIG_BLK_DEV_LOOP=m
-# CONFIG_XEN_BLKDEV_FRONTEND is not set
# CONFIG_SCSI_MQ_DEFAULT is not set
# CONFIG_SCSI_PROC_FS is not set
CONFIG_BLK_DEV_SD=m
@@ -255,7 +251,6 @@ CONFIG_FDDI=y
CONFIG_HIPPI=y
# CONFIG_USB_NET_DRIVERS is not set
CONFIG_WAN=y
-# CONFIG_XEN_NETDEV_FRONTEND is not set
CONFIG_FUJITSU_ES=m
CONFIG_ISDN=y
CONFIG_INPUT_MOUSEDEV=y
@@ -358,14 +353,6 @@ CONFIG_DMADEVICES=y
CONFIG_INTEL_IOATDMA=m
CONFIG_ASYNC_TX_DMA=y
CONFIG_VIRT_DRIVERS=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-# CONFIG_XEN_DEV_EVTCHN is not set
-# CONFIG_XENFS is not set
-# CONFIG_XEN_GNTDEV is not set
-# CONFIG_XEN_GRANT_DEV_ALLOC is not set
-# CONFIG_XEN_PCIDEV_BACKEND is not set
-# CONFIG_XEN_ACPI_PROCESSOR is not set
-CONFIG_XEN_MCE_LOG=y
CONFIG_STAGING=y
CONFIG_STAGING_MEDIA=y
CONFIG_CHROME_PLATFORMS=y
@@ -404,8 +391,8 @@ CONFIG_NFSD=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NLS_DEFAULT="utf8"
-CONFIG_NLS_ASCII=y
CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=y
CONFIG_NLS_UTF8=y
CONFIG_PERSISTENT_KEYRINGS=y
--
2.29.2


Security from kernel's point of view

Pavel Machek
 

Hi!

I put this together... it may be useful for someone to understand what
the issues are. I guess I'd like to know from security team if they
find it useful, and from kernel people if I'm missing something or if
there are errors...

Best regards,
Pavel

Good and bad ideas w.r.t. kernel and security

The kernel tries to provide many security guarantees at different
levels. Still, some things are easier to guarantee than others, and
some security barriers are really important, while others... not so
much.

Kernel should be secure against remote attackers.

And it reasonably is; when not, we get it fixed with high priority.

Kernel should protect itself and other users against local, non-privileged users.

Tries, but the attack surface is big.
People don't care about DoS attacks much.
=> Running untrusted code is a bad idea. A forkbomb is a few characters in sh.

Fast, out-of-order CPUs leak user data via timing side-channels. Those
CPUs should not process sensitive data. JITs can be used to extract the data.

We can try to work around the problems and apply vendor-provided
workarounds, but there are likely more problems in future. Similar
bugs are hidden in CPU microarchitectures, and in particular
Spectre workarounds are whack-a-mole and thus incomplete.

Hyperthreading makes those attacks easier.
=> Use suitable CPUs to process sensitive data.

Filesystems are complex, robustness against malformed filesystems is hard.

Some filesystems try to be robust against filesystem corruption,
and some don't even do that. Some perform checks during mount, but
that means that a malicious device can work around them.

=> Don't mount untrusted filesystems. If you have to, use a simple and
common filesystem. VFAT might be a good choice.

Kernel should protect itself against local users with CAP_XX.

Yes, there's a capability system, and in theory capabilities should be separated.
=> Don't rely on that. No one else does.

Some systems try to protect themselves against people with physical access.

Laws of physics say it is impossible, but people can still try to
make it more costly for the "attacker".
=> Please don't rely on that.

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
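As a defender's check for two of the points above (vendor side-channel workarounds may be incomplete, and hyperthreading makes the attacks easier), here is an added example that is not part of Pavel's post: it reads the kernel's own reported status from sysfs. The sysfs paths are the real ones; the sample tree the script builds is constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. On a live system point the
# function at /sys/devices/system/cpu; here a constructed sample tree is used.

# audit_cpu_sidechannels SYSFS_CPU_DIR
# Prints one line per vulnerabilities/* file plus the SMT state and returns 0
# only if nothing reports "Vulnerable" and SMT (hyperthreading) is not active.
audit_cpu_sidechannels() {
    cpu_dir="$1"
    rc=0
    for f in "$cpu_dir"/vulnerabilities/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)   printf 'VULNERABLE  %-24s %s\n' "$name" "$status"; rc=1 ;;
            "Not affected") printf 'ok          %-24s %s\n' "$name" "$status" ;;
            Mitigation*)   printf 'mitigated   %-24s %s\n' "$name" "$status" ;;
            *)             printf 'unknown     %-24s %s\n' "$name" "$status"; rc=1 ;;
        esac
    done
    # smt/active is absent when the kernel lacks SMT control; assume the worst.
    smt=$(cat "$cpu_dir/smt/active" 2>/dev/null || echo 1)
    if [ "$smt" = "1" ]; then
        echo 'SMT active: sibling threads share core resources'
        rc=1
    else
        echo 'SMT off'
    fi
    return $rc
}

# Constructed sample mimicking /sys/devices/system/cpu on a host with one
# unmitigated issue and hyperthreading enabled.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/vulnerabilities" "$SAMPLE_DIR/smt"
echo 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$SAMPLE_DIR/vulnerabilities/spectre_v1"
echo 'Mitigation: Full generic retpoline, STIBP: disabled, RSB filling' > "$SAMPLE_DIR/vulnerabilities/spectre_v2"
echo 'Vulnerable' > "$SAMPLE_DIR/vulnerabilities/tsx_async_abort"
echo 'Not affected' > "$SAMPLE_DIR/vulnerabilities/meltdown"
echo 1 > "$SAMPLE_DIR/smt/active"

audit_cpu_sidechannels "$SAMPLE_DIR" \
    || echo '=> not suitable for sensitive data without further measures'
```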


Re: Cip-kernel-sec Updates for Week of 2021-02-18

Pavel Machek
 

Hi!

Linus doesn't seem to be processing PRs for the new merge window yet,
so we might have to wait a while before the Xen ones are fixed and
backported.
Well, Xen is not a typical thing to run on embedded hardware, but I
did not check the configs.
I see Renesas and Siemens have it enabled. Is Xen still relevant?
Or has everyone switched over to KVM + QEMU?
Where is the mentioned kernel config located? I wasn't able to find the
correct git tree.

We already had a short internal discussion and are quite sure that we
don't need it. Just point me to the configuration. We will review again
and come up with the necessary patch to disable it.
It should be in

https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/tree/master/

One example is:

https://gitlab.com/cip-project/cip-kernel/cip-kernel-config/-/blob/master/4.19.y-cip/x86/siemens_iot2000.config

If there are other options that can be disabled (maybe you don't need
CONFIG_UNIXWARE_DISKLABEL=y), that would be good to know, too.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: Cip-kernel-sec Updates for Week of 2021-02-18

florian.bezdeka@siemens.com
 

On Thu, 2021-02-18 at 17:52 +0800, Chen-Yu Tsai (Moxa) wrote:
On Thu, Feb 18, 2021 at 5:49 PM Pavel Machek <pavel@denx.de> wrote:

On Thu 2021-02-18 17:21:57, Chen-Yu Tsai wrote:
Hi everyone,

Five new issues this week:

CVE-2021-20239 [setsockopt copy_from_user error] - fixed in 5.4 and
removed from 5.10
CVE-2021-26930 [xen-blkback error handling] - PR sent
CVE-2021-26931 [xen backends: BUG_ON in error handling] - PR sent
CVE-2021-26932 [xen grant mapping error handling] - PR sent
CVE-2021-26934 [xen unsupported driver] - Xen documentation change
stating be-alloc display driver is unsupported

Linus doesn't seem to be processing PRs for the new merge window yet,
so we might have to wait a while before the Xen ones are fixed and
backported.
Well, Xen is not a typical thing to run on embedded hardware, but I
did not check the configs.
I see Renesas and Siemens have it enabled. Is Xen still relevant?
Or has everyone switched over to KVM + QEMU?
Where is the mentioned kernel config located? I wasn't able to find the
correct git tree.

We already had a short internal discussion and are quite sure that we
don't need it. Just point me to the configuration. We will review again
and come up with the necessary patch to disable it.


It seems Linus is having power problems:
I read the headline on Phoronix, but didn't know it was this bad.
That also explains why lkml.org was completely empty yesterday.


ChenYu

Best regards,
Pavel

Date: Tue, 16 Feb 2021 12:25:06 -0800
From: Linus Torvalds <torvalds@linuxfoundation.org>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: users@linux.kernel.org
Subject: Re: [kernel.org users] Partial power outage in the PDX datacentre


Sadly, the power at my house is still entirely out, although cell service
has now been fixed so at least I can read some email without walking outside.

But with no power for my laptop or workstation, I won't be starting the
merge window until power is back more widely in the Portland area.

My neighborhood is likely not a priority, so it very possibly will be a few
more days (so far without power since Sunday evening).

Even the local highway 43 (ok, not a big highway, but still) is still
closed down two days later due to downed trees.

Linus


--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: Cip-kernel-sec Updates for Week of 2021-02-18

Chen-Yu Tsai (Moxa) <wens@...>
 

On Thu, Feb 18, 2021 at 5:49 PM Pavel Machek <pavel@denx.de> wrote:

On Thu 2021-02-18 17:21:57, Chen-Yu Tsai wrote:
Hi everyone,

Five new issues this week:

CVE-2021-20239 [setsockopt copy_from_user error] - fixed in 5.4 and
removed from 5.10
CVE-2021-26930 [xen-blkback error handling] - PR sent
CVE-2021-26931 [xen backends: BUG_ON in error handling] - PR sent
CVE-2021-26932 [xen grant mapping error handling] - PR sent
CVE-2021-26934 [xen unsupported driver] - Xen documentation change
stating be-alloc display driver is unsupported

Linus doesn't seem to be processing PRs for the new merge window yet,
so we might have to wait a while before the Xen ones are fixed and
backported.
Well, Xen is not a typical thing to run on embedded hardware, but I
did not check the configs.
I see Renesas and Siemens have it enabled. Is Xen still relevant?
Or has everyone switched over to KVM + QEMU?

It seems Linus is having power problems:
I read the headline on Phoronix, but didn't know it was this bad.
That also explains why lkml.org was completely empty yesterday.


ChenYu

Best regards,
Pavel

Date: Tue, 16 Feb 2021 12:25:06 -0800
From: Linus Torvalds <torvalds@linuxfoundation.org>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: users@linux.kernel.org
Subject: Re: [kernel.org users] Partial power outage in the PDX datacentre


Sadly, the power at my house is still entirely out, although cell service
has now been fixed so at least I can read some email without walking outside.

But with no power for my laptop or workstation, I won't be starting the
merge window until power is back more widely in the Portland area.

My neighborhood is likely not a priority, so it very possibly will be a few
more days (so far without power since Sunday evening).

Even the local highway 43 (ok, not a big highway, but still) is still
closed down two days later due to downed trees.

Linus


--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: Cip-kernel-sec Updates for Week of 2021-02-18

Pavel Machek
 

On Thu 2021-02-18 17:21:57, Chen-Yu Tsai wrote:
Hi everyone,

Five new issues this week:

CVE-2021-20239 [setsockopt copy_from_user error] - fixed in 5.4 and
removed from 5.10
CVE-2021-26930 [xen-blkback error handling] - PR sent
CVE-2021-26931 [xen backends: BUG_ON in error handling] - PR sent
CVE-2021-26932 [xen grant mapping error handling] - PR sent
CVE-2021-26934 [xen unsupported driver] - Xen documentation change
stating be-alloc display driver is unsupported

Linus doesn't seem to be processing PRs for the new merge window yet,
so we might have to wait a while before the Xen ones are fixed and
backported.
Well, Xen is not a typical thing to run on embedded hardware, but I
did not check the configs.

It seems Linus is having power problems:

Best regards,
Pavel

Date: Tue, 16 Feb 2021 12:25:06 -0800
From: Linus Torvalds <torvalds@linuxfoundation.org>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: users@linux.kernel.org
Subject: Re: [kernel.org users] Partial power outage in the PDX datacentre


Sadly, the power at my house is still entirely out, although cell service
has now been fixed so at least I can read some email without walking outside.

But with no power for my laptop or workstation, I won't be starting the
merge window until power is back more widely in the Portland area.

My neighborhood is likely not a priority, so it very possibly will be a few
more days (so far without power since Sunday evening).

Even the local highway 43 (ok, not a big highway, but still) is still
closed down two days later due to downed trees.

Linus


--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
