# Maintainer: Minoplhy <c@3qx.nl>
_flavor=hardened
pkgname=linux-$_flavor
pkgver=6.11.9
_relver=hardened1
#_kernver=${pkgver%.*}
_kernver=$pkgver
pkgrel=0
pkgdesc="Linux Hardened kernel"
url="https://github.com/anthraxx/linux-hardened"
depends="initramfs-generator"
_depends_dev="perl gmp-dev mpc1-dev mpfr-dev elfutils-dev bash flex bison zstd"
makedepends="$_depends_dev sed installkernel bc linux-headers linux-firmware-any openssl-dev>3 mawk
	diffutils findutils zstd pahole python3 gcc>=13.1.1_git20230624"
options="!strip !check"
# NOTE(review): this global is never read by the functions below (they all
# declare their own local _config); it looks like a leftover from linux-lts.
_config=${config:-config-lts.${CARCH}}
source="https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver.tar.xz
	hardened.x86_64.config
	hardened.aarch64.config
	"
subpackages="$pkgname-dev:_dev:$CBUILD_ARCH $pkgname-doc"

# Every "<flavor>.<arch>.config" in $source defines one kernel flavor for
# the arch being built. Any flavor other than the main one ($pkgname) gets
# its own linux-<flavor> and linux-<flavor>-dev subpackage.
for _src in $source; do
	case $_src in
	*."$CARCH".config)
		_name=${_src%."$CARCH".config}
		_flavors="$_flavors $_name"
		[ "linux-$_name" = "$pkgname" ] && continue
		subpackages="$subpackages linux-$_name::$CBUILD_ARCH linux-$_name-dev:_dev:$CBUILD_ARCH"
		;;
	esac
done

builddir="$srcdir"/linux-$_kernver

# The hardened patch is only added when pkgver does not end in ".0"
# (presumably because the patch series starts after the x.y.0 release).
# It is put first in $source so it is applied before anything else.
case $pkgver in
*.0) ;;
*) source="patch-$pkgver.patch::https://github.com/anthraxx/linux-hardened/releases/download/v$pkgver-$_relver/linux-hardened-v$pkgver-$_relver.patch $source" ;;
esac
#arch="all !armhf !riscv64"

# Linux Hardened official support arch:
arch="x86_64 aarch64"
license="GPL-2.0-only"
# Apply patches (abuild's default_prepare) and make sure no localversion*
# file from the patch survives, so only the localversion-alpine written by
# _prepareconfig ends up in the kernel release string.
prepare() {
	default_prepare

	# runs in $builddir; a missing match is not an error
	rm -f -- localversion*
}
# Map an Alpine CARCH to the kernel's ARCH= value, printed on stdout.
# Names without a mapping (x86_64, ...) are passed through unchanged.
# Arguments: $1 - Alpine CARCH
_kernelarch() {
	local carch=$1 karch
	# aarch64 must be tested before the arm* catch-all
	case "$carch" in
	aarch64*)    karch=arm64 ;;
	arm*)        karch=arm ;;
	ppc*)        karch=powerpc ;;
	s390*)       karch=s390 ;;
	riscv*)      karch=riscv ;;
	loongarch64) karch=loongarch ;;
	*)           karch=$carch ;;
	esac
	printf '%s\n' "$karch"
}
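# Create the out-of-tree build dir for one flavor/arch, seed it with the
# shipped config and let kconfig fill in new symbols with their defaults.
#
# Arguments: $1 - flavor (e.g. "hardened"), $2 - Alpine CARCH
# Globals:   reads $srcdir, $builddir, $pkgrel, $KERNEL_SIGNING_KEY
# Returns:   1 (failing the build) when KERNEL_SIGNING_KEY is set but does
#            not name a regular file; 0 otherwise
_prepareconfig() {
	local _flavor="$1"
	local _arch="$2"
	local _config=$_flavor.$_arch.config
	local _builddir="$srcdir"/build-$_flavor.$_arch
	mkdir -p "$_builddir"
	# becomes the "-<pkgrel>-<flavor>" suffix of the kernel release
	echo "-$pkgrel-$_flavor" > "$_builddir"/localversion-alpine

	cp "$srcdir"/$_config "$_builddir"/.config
	msg "Configuring $_flavor kernel ($_arch)"
	make -C "$builddir" \
		O="$_builddir" \
		ARCH="$(_kernelarch $_arch)" \
		olddefconfig

	# Module signing only matters when the config enables it.
	if grep -q '^CONFIG_MODULE_SIG=y' "$_builddir"/.config; then
		if [ -z "$KERNEL_SIGNING_KEY" ]; then
			# kbuild will generate a throw-away key during the build.
			# Only its public certificate is packaged (see _dev), so
			# nobody can sign out-of-tree modules for this kernel later.
			warning "KERNEL_SIGNING_KEY was not set. A signing key will be generated, but 3rd"
			warning "party modules can not be signed"
		elif ! [ -f "$KERNEL_SIGNING_KEY" ]; then
			# Fail closed: a key was explicitly configured, so silently
			# falling back to a generated key would ship modules signed
			# by the wrong key without anyone noticing.
			error "KERNEL_SIGNING_KEY=$KERNEL_SIGNING_KEY is not a regular file"
			return 1
		else
			# NOTE: ':' is the sed delimiter and the path is inserted
			# unescaped, so a key path containing ':', '&' or '\' would
			# corrupt the config line. Keep the key under a plain path.
			sed -i -e "s:^CONFIG_MODULE_SIG_KEY=.*:CONFIG_MODULE_SIG_KEY=\"$KERNEL_SIGNING_KEY\":" \
				"$_builddir"/.config
			msg "Using $KERNEL_SIGNING_KEY to sign $_flavor kernel ($_arch) modules"
		fi
	fi
}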
# Print every "*.config" entry of $source, one per line.
listconfigs() {
	local entry
	for entry in $source; do
		case "$entry" in
		*.config) printf '%s\n' "$entry" ;;
		esac
	done
}
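# Run _prepareconfig for every "<flavor>.<arch>.config" listed in $source.
# (The per-iteration _builddir local computed here before was never used;
# _prepareconfig derives the directory itself.)
prepareconfigs() {
	local _flavor _arch
	for _config in $(listconfigs); do
		_flavor=${_config%%.*}
		# "<flavor>.<arch>.config" -> "<arch>"
		_arch=${_config%.config}
		_arch=${_arch#*.}
		_prepareconfig "$_flavor" "$_arch"
	done
}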
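# Maintainer helper, not part of the package build: meant to run *before*
# pkgver is bumped so that a following `updateconfigs` shows which kconfig
# knobs the new kernel introduces.
prepareupdate() {
	# A failing command inside an `a && b` list is not caught by `set -e`,
	# so a failed fetch/unpack has to be turned into an explicit failure
	# instead of letting prepareconfigs run against a broken tree.
	clean && fetch && unpack && prepare && deps || return 1
	prepareconfigs
	# ":?" guards against an unset $builddir turning this into "rm -r /".
	rm -r "${builddir:?}"
}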
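# Maintainer helper: refresh every shipped config (or just those named in
# $CONFIGS) against the current kernel sources and write the minimised
# defconfig back into the aports checkout ($startdir).
updateconfigs() {
	if ! [ -d "$builddir" ]; then
		# `&&` lists are not covered by `set -e`; fail explicitly
		deps && fetch && unpack && prepare || return 1
	fi
	local _flavor _arch _builddir actions
	for _config in ${CONFIGS:-$(listconfigs)}; do
		msg "updating $_config"
		_flavor=${_config%%.*}
		_arch=${_config%.config}
		_arch=${_arch#*.}
		_builddir="$srcdir"/build-$_flavor.$_arch
		mkdir -p "$_builddir"
		echo "-$pkgrel-$_flavor" > "$_builddir"/localversion-alpine
		# existing build dir: list new symbols and prompt for them;
		# fresh build dir: seed from the shipped config, take defaults
		actions="listnewconfig oldconfig"
		if ! [ -f "$_builddir"/.config ]; then
			cp "$srcdir"/$_config "$_builddir"/.config
			actions="olddefconfig"
		fi
		# Every CONFIG_* variable in the caller's environment is appended
		# verbatim (presumably so that a later line overrides the shipped
		# value). Handy for "CONFIG_FOO=y abuild updateconfigs", but note
		# the result depends on whatever the invoking shell exports.
		env | grep '^CONFIG_' >> "$_builddir"/.config || true
		make -j1 -C "$builddir" \
			O="$_builddir" \
			ARCH="$(_kernelarch $_arch)" \
			$actions savedefconfig

		cp "$_builddir"/defconfig "$startdir"/$_config
	done
}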
# Export a fixed KBUILD_BUILD_TIMESTAMP so the kernel build is reproducible.
# SOURCE_DATE_EPOCH is honoured when set; the format has to stay parsable
# by busybox date.
set_kbuild_timestamp() {
	local fmt='+%Y-%m-%d %H:%M:%S' stamp
	if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
		stamp=$(date -u -d "@$SOURCE_DATE_EPOCH" "$fmt")
	else
		stamp=$(date -u "$fmt")
	fi
	export KBUILD_BUILD_TIMESTAMP="$stamp"
}
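# Configure and compile every flavor for $CARCH, each in its own
# $srcdir/build-<flavor>.<arch> directory.
build() {
	unset LDFLAGS
	# for some reason these sometimes leak into the kernel build,
	# -Werror=format-security breaks some stuff
	unset CFLAGS CPPFLAGS CXXFLAGS
	set_kbuild_timestamp

	local _fl
	for _fl in $_flavors; do
		_prepareconfig "$_fl" "$CARCH"
	done

	for _fl in $_flavors; do
		msg "Building $_fl kernel"
		# explicit check: a bad cd must not let make run in the wrong dir
		cd "$srcdir"/build-$_fl.$CARCH || return 1

		# Template for the module-signing certificate (sets the O= field).
		# When no KERNEL_SIGNING_KEY is given the kernel generates its own
		# key from this template during the build; only the public
		# certificate (certs/signing_key.x509) is packaged, by _dev.
		# https://www.kernel.org/doc/html/v6.1/admin-guide/module-signing.html#generating-signing-keys
		mkdir -p certs
		sed -e 's/#O = Unspecified company/O = alpinelinux.org/' \
			"$builddir"/certs/default_x509.genkey \
			> certs/x509.genkey

		make ARCH="$(_kernelarch $CARCH)" \
			CC="${CC:-gcc}" \
			AWK="${AWK:-mawk}" \
			KBUILD_BUILD_VERSION="$((pkgrel + 1 ))-Alpine"
	done
}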
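# Install the kernel image, modules and (where applicable) dtbs of one
# flavor into a package root.
# Arguments: $1 - flavor, $2 - destination root ($pkgdir or $subpkgdir)
_package() {
	local _buildflavor="$1" _outdir="$2"
	set_kbuild_timestamp

	cd "$srcdir"/build-$_buildflavor.$CARCH || return 1
	# declaration and assignment split so a failing make is not masked by
	# `local` returning 0
	local _abi_release
	_abi_release="$(make -s kernelrelease)" || return 1
	# modules_install seems to regenerate a defect Modules.symvers on s390x. Work
	# around it by backing it up and restore it after modules_install
	cp Module.symvers Module.symvers.backup

	mkdir -p "$_outdir"/boot "$_outdir"/lib/modules

	local _install
	case "$CARCH" in
	arm*|aarch64|riscv*) _install="zinstall dtbs_install";;
	*) _install=install;;
	esac

	# $_install is intentionally unquoted: it may hold two make targets
	make modules_install $_install \
		ARCH="$(_kernelarch $CARCH)" \
		INSTALL_MOD_PATH="$_outdir" \
		INSTALL_MOD_STRIP=1 \
		INSTALL_PATH="$_outdir"/boot \
		INSTALL_DTBS_PATH="$_outdir/boot/dtbs-$_buildflavor"

	cp Module.symvers.backup Module.symvers

	# these symlinks would point into $srcdir; the -dev subpackage
	# provides its own "build" link
	rm -f "$_outdir"/lib/modules/"$_abi_release"/build \
		"$_outdir"/lib/modules/"$_abi_release"/source
	# firmware is provided by linux-firmware-*; ":?" makes sure an empty
	# $_outdir can never turn this into "rm -rf /lib/firmware"
	rm -rf "${_outdir:?}"/lib/firmware

	install -D -m644 include/config/kernel.release \
		"$_outdir"/usr/share/kernel/$_buildflavor/kernel.release

	case "$CARCH" in
	loongarch64)
		# the install step leaves release-suffixed names here; rename
		# them to the flavor-suffixed names used elsewhere
		mv "$_outdir"/boot/vmlinuz-$_abi_release \
			"$_outdir"/boot/vmlinuz-$_buildflavor

		mv "$_outdir"/boot/config-$_abi_release \
			"$_outdir"/boot/config-$_buildflavor

		mv "$_outdir"/boot/System.map-$_abi_release \
			"$_outdir"/boot/System.map-$_buildflavor
		;;
	esac
}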
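# main flavor installs in $pkgdir
package() {
	depends="$depends linux-firmware-any"

	_package "$_flavor" "$pkgdir"

	# copy files for the $pkgname-doc sub package
	local docdir="$pkgdir"/usr/share/doc/linux-doc-"$pkgver"
	mkdir -p "$pkgdir"/usr/share/doc
	cp -r "$builddir"/Documentation "$docdir"/
	# remove files that aren't part of the documentation itself
	# (no -f on purpose: a missing file means the list needs updating)
	local nondoc
	for nondoc in \
		.gitignore conf.py docutils.conf \
		dontdiff Kconfig Makefile
	do
		rm "$docdir"/"$nondoc"
	done
	# create the /usr/share/doc/linux-doc symlink with a relative target;
	# giving ln the full link path avoids the `cd dir; ln -s ...` pattern
	# that would silently create the link in the wrong directory if the
	# cd failed
	ln -s linux-doc-"$pkgver" "$pkgdir"/usr/share/doc/linux-doc
}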
# subflavors install in $subpkgdir
# Only reached if a "virt" flavor is in $subpackages, i.e. a
# virt.<arch>.config is listed in $source; with the current source list
# (hardened only) this is never called.
virt() {
	_package 'virt' "$subpkgdir"
}
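# Build the linux-<flavor>-dev subpackage: the subset of the kernel tree
# needed to build out-of-tree modules, installed as
# /usr/src/linux-headers-<release> (similar to what Ubuntu does), so that
# a tiny module does not need the full 300-400 MB of sources.
#
# Globals: reads $subpkgname, $srcdir, $builddir, $CARCH, $subpkgdir,
#          $_depends_dev; sets pkgdesc and depends for the subpackage
_dev() {
	# "linux-<flavor>-dev" -> "<flavor>"
	local _flavor=${subpkgname#linux-}
	_flavor=${_flavor%-dev}
	local _builddir="$srcdir"/build-$_flavor.$CARCH
	local _abi_release
	_abi_release="$(make -C "$_builddir" -s kernelrelease)" || return 1
	# The kernel's arch directory name (arch/x86 for x86_64). Defined up
	# front because it is needed both to select which arch/*/include
	# trees to copy and, later, to prune the other arches; previously it
	# was only assigned after the copy, so the copy ran with an empty
	# value and pulled in every arch's include tree.
	local _karch
	_karch="$(_kernelarch $CARCH | sed 's/x86_64/x86/')"

	pkgdesc="Headers and script for third party modules for $_flavor kernel"
	depends="$_depends_dev"
	local dir="$subpkgdir"/usr/src/linux-headers-"$_abi_release"
	set_kbuild_timestamp

	# first we import config, run prepare to set up for building
	# external modules, and create the scripts
	mkdir -p "$dir"
	cp -a "$_builddir"/.config "$_builddir"/localversion-alpine \
		"$dir"/

	# Only the public certificate of the module-signing key goes into
	# -dev; the private key stays in the build directory and must never
	# be packaged. "|| :" because the cert presumably only exists when
	# CONFIG_MODULE_SIG is enabled.
	install -D -t "$dir"/certs "$_builddir"/certs/signing_key.x509 || :

	make -C "$builddir" \
		O="$dir" \
		ARCH="$(_kernelarch $CARCH)" \
		AWK="${AWK:-mawk}" \
		prepare modules_prepare scripts

	# remove the stuff that points to real sources. we want 3rd party
	# modules to believe this is the sources
	rm "$dir"/Makefile "$dir"/source

	# copy the needed stuff from real sources
	#
	# this is taken from ubuntu kernel build script
	# http://kernel.ubuntu.com/git/ubuntu/ubuntu-zesty.git/tree/debian/rules.d/3-binary-indep.mk
	cd "$builddir" || return 1
	find . -path './include/*' -prune \
		-o -path './scripts/*' -prune -o -type f \
		\( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
		-name '*.sh' -o -name '*.pl' -o -name '*.lds' -o -name 'Platform' \) \
		-print | cpio -pdm "$dir"

	cp -a scripts include "$dir"

	# all files below any "include" directory of our arch only
	find "arch/$_karch" -name include -type d -print | while IFS='' read -r folder; do
		find "$folder" -type f
	done | sort -u | cpio -pdm "$dir"

	install -Dm644 "$srcdir"/build-$_flavor.$CARCH/Module.symvers \
		"$dir"/Module.symvers

	# remove unneeded things
	msg "Removing documentation..."
	rm -r "$dir"/Documentation
	find "$dir" -type f -name '*.o' -printf 'Removing %P\n' -delete
	# the generic find above still copied Makefiles/Kconfig of every
	# other arch; drop those directories
	msg "Removing unneeded arch headers..."
	local i
	for i in "$dir"/arch/*; do
		if [ "${i##*/}" != "$_karch" ]; then
			echo "  ${i##*/}"
			rm -r "$i"
		fi
	done

	mkdir -p "$subpkgdir"/lib/modules/"$_abi_release"
	ln -sf /usr/src/linux-headers-"$_abi_release" \
		"$subpkgdir"/lib/modules/"$_abi_release"/build
}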
# Pinned digests for every $source entry; fetched files are verified
# against these. Both the upstream tarball and the linux-hardened patch
# are checked by hash only (no PGP signature verification here), so when
# bumping, take the new digests from a download you trust.
sha512sums="
2b6e206c954199789010bbd87e1219495d3d4b4f26e6ca3b138f81ce9cea8817a0a87e949e661d96113854c3a539f4dd70f1db745188b90bda47d1a68a0d488d  patch-6.11.9.patch
4b4e986150e09404a529828aaca59d42c9553d5159863bb88a215d9e7dc208e2fceff33a01019ef4e9c474db8d988779d89a64e04c961c9db16db8948022d123  linux-6.11.9.tar.xz
ff49e4218bb73e8ab6a49b2c7045b1db90d1d777eccdc2a9aafdef64a9537ee18fe3f6233d3e8143a45d25b681981e43354f98e8ea8cb0a23539a4d36f14256a  hardened.x86_64.config
fe36a7aa4684128fc40bf7310875cf161f7990f16b5deb45ba880f630406f5a8a04c0a6dfed5fcbd38715b1d47d23f7560ba1d4aaafcec7ffa4bd15649038e99  hardened.aarch64.config
"