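# Maintainer: Minoplhy
#
# APKBUILD for the linux-hardened kernel (mainline tarball plus the
# anthraxx/linux-hardened patch set).
#
# Supply-chain note: every entry in $source is pinned by sha512sums at the
# bottom of this file. `abuild checksum` records whatever was downloaded, so
# when bumping pkgver/_relver confirm the tarball and the patch against
# upstream's published signatures before regenerating the checksums.
_flavor=hardened
pkgname=linux-$_flavor
pkgver=6.11.9
_relver=hardened1
#_kernver=${pkgver%.*}
_kernver=$pkgver
pkgrel=0
pkgdesc="Linux Hardened kernel"
url="https://github.com/anthraxx/linux-hardened"
depends="initramfs-generator"
_depends_dev="perl gmp-dev mpc1-dev mpfr-dev elfutils-dev bash flex bison zstd"
makedepends="$_depends_dev sed installkernel bc linux-headers linux-firmware-any openssl-dev>3 mawk
	diffutils findutils zstd pahole python3 gcc>=13.1.1_git20230624"
# !strip: modules are stripped by INSTALL_MOD_STRIP=1 in _package().
# !check: no check() function is defined in this file.
options="!strip !check"
_config=${config:-config-lts.${CARCH}}
source="https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver.tar.xz
	hardened.x86_64.config
	hardened.aarch64.config
	"
subpackages="$pkgname-dev:_dev:$CBUILD_ARCH $pkgname-doc"

# Every <flavor>.$CARCH.config in $source becomes a flavor to build. Flavors
# other than the main one get their own kernel and -dev subpackages.
for _i in $source; do
	case $_i in
	*.$CARCH.config)
		_f=${_i%."$CARCH".config}
		_flavors="$_flavors $_f"
		if [ "linux-$_f" != "$pkgname" ]; then
			subpackages="$subpackages linux-$_f::$CBUILD_ARCH linux-$_f-dev:_dev:$CBUILD_ARCH"
		fi
		;;
	esac
done
builddir="$srcdir"/linux-$_kernver

if [ "${pkgver%.0}" = "$pkgver" ]; then
	# Prepend to apply first
	source="patch-$pkgver.patch::https://github.com/anthraxx/linux-hardened/releases/download/v$pkgver-$_relver/linux-hardened-v$pkgver-$_relver.patch
	$source"
fi

#arch="all !armhf !riscv64"
# Linux Hardened official support arch:
arch="x86_64 aarch64"
license="GPL-2.0-only"

# Apply the patches from $source, then drop any localversion file a patch
# left behind so only localversion-alpine (written later) names the build.
prepare() {
	default_prepare

	# remove localversion from patch if any
	rm -f localversion*
}

# Map an Alpine CARCH value ($1) to the kernel's ARCH= name, printed on
# stdout. Values without a mapping are printed unchanged.
_kernelarch() {
	local arch="$1"
	case "$arch" in
		aarch64*) arch="arm64" ;;
		arm*) arch="arm" ;;
		ppc*) arch="powerpc" ;;
		s390*) arch="s390" ;;
		riscv*) arch="riscv" ;;
		loongarch64) arch="loongarch" ;;
	esac
	echo "$arch"
}

# Create the out-of-tree build directory for flavor $1 on arch $2, seed it
# with the shipped config and run olddefconfig. When module signing is
# enabled and KERNEL_SIGNING_KEY names an existing file, point
# CONFIG_MODULE_SIG_KEY at it.
_prepareconfig() {
	local _flavor="$1"
	local _arch="$2"
	local _config=$_flavor.$_arch.config
	local _builddir="$srcdir"/build-$_flavor.$_arch
	mkdir -p "$_builddir"
	echo "-$pkgrel-$_flavor" > "$_builddir"/localversion-alpine

	cp "$srcdir"/"$_config" "$_builddir"/.config
	msg "Configuring $_flavor kernel ($_arch)"
	make -C "$builddir" \
		O="$_builddir" \
		ARCH="$(_kernelarch "$_arch")" \
		olddefconfig

	if grep -q "^CONFIG_MODULE_SIG=y" "$_builddir"/.config; then
		if [ -f "$KERNEL_SIGNING_KEY" ]; then
			# The path is spliced into a sed expression delimited by ':' and
			# into a double-quoted Kconfig string. Refuse characters that
			# would alter either one instead of writing a corrupted .config.
			case "$KERNEL_SIGNING_KEY" in
			*:*|*\&*|*\\*|*\"*)
				warning "KERNEL_SIGNING_KEY contains characters that are unsafe here"
				return 1
				;;
			esac
			sed -i -e "s:^CONFIG_MODULE_SIG_KEY=.*:CONFIG_MODULE_SIG_KEY=\"$KERNEL_SIGNING_KEY\":" \
				"$_builddir"/.config
			msg "Using $KERNEL_SIGNING_KEY to sign $_flavor kernel ($_arch) modules"
		else
			# The kernel build then creates a key pair of its own in the
			# build tree; its private half is not available afterwards to
			# sign out-of-tree modules.
			warning "KERNEL_SIGNING_KEY was not set. A signing key will be generated, but 3rd"
			warning "party modules can not be signed"
		fi
	fi
}

# Print every *.config entry of $source, one per line.
listconfigs() {
	local i
	for i in $source; do
		case "$i" in
			*.config) echo "$i";;
		esac
	done
}

# Run _prepareconfig for every config in $source. File names have the form
# <flavor>.<arch>.config.
prepareconfigs() {
	for _config in $(listconfigs); do
		local _flavor=${_config%%.*}
		local _arch=${_config%.config}
		_arch=${_arch#*.}
		local _builddir="$srcdir"/build-$_flavor.$_arch
		_prepareconfig "$_flavor" "$_arch"
	done
}

# this is supposed to be run before version is bumped so we can compare
# what new kernel config knobs are introduced
prepareupdate() {
	clean && fetch && unpack && prepare && deps
	prepareconfigs
	rm -r "$builddir"
}

# Refresh the shipped configs against the current sources and write the
# resulting defconfig back to $startdir. CONFIGS may narrow the set of
# files to update.
updateconfigs() {
	if ! [ -d "$builddir" ]; then
		deps && fetch && unpack && prepare
	fi
	for _config in ${CONFIGS:-$(listconfigs)}; do
		msg "updating $_config"
		local _flavor=${_config%%.*}
		local _arch=${_config%.config}
		_arch=${_arch#*.}
		local _builddir="$srcdir"/build-$_flavor.$_arch
		mkdir -p "$_builddir"
		echo "-$pkgrel-$_flavor" > "$_builddir"/localversion-alpine
		local actions="listnewconfig oldconfig"
		if ! [ -f "$_builddir"/.config ]; then
			cp "$srcdir"/"$_config" "$_builddir"/.config
			actions="olddefconfig"
		fi
		# Every CONFIG_* variable in the caller's environment is appended to
		# .config and ends up in the committed defconfig. Run this from a
		# clean environment so a stray variable cannot silently change a
		# hardening option.
		env | grep ^CONFIG_ >> "$_builddir"/.config || true
		# $actions is left unquoted on purpose: it holds a list of targets.
		make -j1 -C "$builddir" \
			O="$_builddir" \
			ARCH="$(_kernelarch "$_arch")" \
			$actions savedefconfig

		cp "$_builddir"/defconfig "$startdir"/"$_config"
	done
}

# Export KBUILD_BUILD_TIMESTAMP, derived from SOURCE_DATE_EPOCH when that
# is set so that rebuilds produce the same timestamp.
set_kbuild_timestamp() {
	# KBUILD_BUILD_TIMESTAMP needs to be parsable by busybox date
	# The unquoted expansion is deliberate: it turns "-u" into "-ud @<epoch>".
	export KBUILD_BUILD_TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S' -u${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"
}

# Configure and compile every flavor selected for $CARCH.
build() {
	local i
	unset LDFLAGS
	# for some reason these sometimes leak into the kernel build,
	# -Werror=format-security breaks some stuff
	unset CFLAGS CPPFLAGS CXXFLAGS
	set_kbuild_timestamp
	for i in $_flavors; do
		_prepareconfig "$i" "$CARCH"
	done
	for i in $_flavors; do
		msg "Building $i kernel"
		cd "$srcdir"/build-$i.$CARCH

		# set org in cert for modules signing
		# https://www.kernel.org/doc/html/v6.1/admin-guide/module-signing.html#generating-signing-keys
		mkdir -p certs
		sed -e 's/#O = Unspecified company/O = alpinelinux.org/' \
			"$builddir"/certs/default_x509.genkey \
			> certs/x509.genkey

		make ARCH="$(_kernelarch "$CARCH")" \
			CC="${CC:-gcc}" \
			AWK="${AWK:-mawk}" \
			KBUILD_BUILD_VERSION="$((pkgrel + 1 ))-Alpine"
	done
}

# Install the kernel, modules and (on ARM/RISC-V) device trees of flavor $1
# into the package root $2.
_package() {
	local _buildflavor="$1" _outdir="$2"
	set_kbuild_timestamp

	cd "$srcdir"/build-$_buildflavor.$CARCH
	# Declared separately so a failing make is not hidden behind the exit
	# status of 'local'; an empty release would misplace the rm paths below.
	local _abi_release
	_abi_release="$(make -s kernelrelease)" || return 1
	# modules_install seems to regenerate a defective Module.symvers on s390x.
	# Work around it by backing it up and restoring it after modules_install
	cp Module.symvers Module.symvers.backup

	mkdir -p "$_outdir"/boot "$_outdir"/lib/modules

	local _install
	case "$CARCH" in
		arm*|aarch64|riscv*) _install="zinstall dtbs_install";;
		*) _install=install;;
	esac

	# $_install is left unquoted on purpose: it may hold two targets.
	make modules_install $_install \
		ARCH="$(_kernelarch "$CARCH")" \
		INSTALL_MOD_PATH="$_outdir" \
		INSTALL_MOD_STRIP=1 \
		INSTALL_PATH="$_outdir"/boot \
		INSTALL_DTBS_PATH="$_outdir/boot/dtbs-$_buildflavor"

	cp Module.symvers.backup Module.symvers

	# These links point into the build tree; _dev() creates the packaged
	# 'build' link instead.
	rm -f "$_outdir"/lib/modules/"$_abi_release"/build \
		"$_outdir"/lib/modules/"$_abi_release"/source
	rm -rf "$_outdir"/lib/firmware

	install -D -m644 include/config/kernel.release \
		"$_outdir"/usr/share/kernel/$_buildflavor/kernel.release

	case "$CARCH" in
	loongarch64)
		mv "$_outdir"/boot/vmlinuz-$_abi_release \
			"$_outdir"/boot/vmlinuz-$_buildflavor

		mv "$_outdir"/boot/config-$_abi_release \
			"$_outdir"/boot/config-$_buildflavor

		mv "$_outdir"/boot/System.map-$_abi_release \
			"$_outdir"/boot/System.map-$_buildflavor
		;;
	esac
}

# main flavor installs in $pkgdir
package() {
	local nondoc
	depends="$depends linux-firmware-any"

	_package "$_flavor" "$pkgdir"

	# copy files for the $pkgname-doc sub package
	mkdir -p "$pkgdir"/usr/share/doc
	cp -r "$builddir"/Documentation \
		"$pkgdir"/usr/share/doc/linux-doc-"$pkgver"/
	# remove files that aren't part of the documentation itself
	for nondoc in \
		.gitignore conf.py docutils.conf \
		dontdiff Kconfig Makefile
	do
		rm "$pkgdir"/usr/share/doc/linux-doc-"$pkgver"/"$nondoc"
	done
	# create /usr/share/doc/linux-doc symlink
	cd "$pkgdir"/usr/share/doc; ln -s linux-doc-"$pkgver" linux-doc
}

# subflavors install in $subpkgdir
# NOTE(review): no virt.<arch>.config is listed in $source, so this looks
# unused in this package; confirm before relying on it.
virt() {
	_package virt "$subpkgdir"
}

# Build the -dev subpackage: a trimmed header and script tree that is enough
# to compile third-party modules against the packaged kernel.
_dev() {
	local _flavor
	_flavor=$(echo "$subpkgname" | sed -E 's/(^linux-|-dev$)//g')
	local _builddir="$srcdir"/build-$_flavor.$CARCH
	local _abi_release
	_abi_release="$(make -C "$_builddir" -s kernelrelease)" || return 1
	# Resolved up front: the header copy and the arch pruning below both
	# depend on it. It used to be assigned only after the find over
	# "arch/$_karch", which therefore walked every architecture.
	local _karch
	_karch="$(_kernelarch "$CARCH" | sed 's/x86_64/x86/')"
	# copy only the parts that we really need to build 3rd party
	# kernel modules and install those as /usr/src/linux-headers,
	# similar to what ubuntu does
	#
	# this way you dont need to install the 300-400 kernel sources to
	# build a tiny kernel module
	#
	pkgdesc="Headers and script for third party modules for $_flavor kernel"
	depends="$_depends_dev"
	local dir="$subpkgdir"/usr/src/linux-headers-"$_abi_release"
	set_kbuild_timestamp

	# first we import config, run prepare to set up for building
	# external modules, and create the scripts
	mkdir -p "$dir"
	cp -a "$_builddir"/.config "$_builddir"/localversion-alpine \
		"$dir"/

	# Only the public certificate (signing_key.x509) is shipped. Nothing
	# in this function copies private key material, and it must stay that
	# way: whoever holds the private key can sign modules this kernel loads.
	install -D -t "$dir"/certs "$_builddir"/certs/signing_key.x509 || :

	make -C "$builddir" \
		O="$dir" \
		ARCH="$(_kernelarch "$CARCH")" \
		AWK="${AWK:-mawk}" \
		prepare modules_prepare scripts

	# remove the stuff that points to real sources. we want 3rd party
	# modules to believe this is the sources
	rm "$dir"/Makefile "$dir"/source

	# copy the needed stuff from real sources
	#
	# this is taken from ubuntu kernel build script
	# http://kernel.ubuntu.com/git/ubuntu/ubuntu-zesty.git/tree/debian/rules.d/3-binary-indep.mk
	cd "$builddir"
	find . -path './include/*' -prune \
		-o -path './scripts/*' -prune -o -type f \
		\( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
		-name '*.sh' -o -name '*.pl' -o -name '*.lds' -o -name 'Platform' \) \
		-print | cpio -pdm "$dir"

	cp -a scripts include "$dir"

	find "arch/$_karch" -name include -type d -print | while IFS='' read -r folder; do
		find "$folder" -type f
	done | sort -u | cpio -pdm "$dir"

	install -Dm644 "$srcdir"/build-$_flavor.$CARCH/Module.symvers \
		"$dir"/Module.symvers

	# remove unneeded things
	msg "Removing documentation..."
	rm -r "$dir"/Documentation
	find "$dir" -type f -name '*.o' -printf 'Removing %P\n' -delete
	msg "Removing unneeded arch headers..."
	for i in "$dir"/arch/*; do
		if [ "${i##*/}" != "$_karch" ]; then
			echo "  ${i##*/}"
			rm -r "$i"
		fi
	done

	mkdir -p "$subpkgdir"/lib/modules/"$_abi_release"
	ln -sf /usr/src/linux-headers-"$_abi_release" \
		"$subpkgdir"/lib/modules/"$_abi_release"/build
}

sha512sums="
2b6e206c954199789010bbd87e1219495d3d4b4f26e6ca3b138f81ce9cea8817a0a87e949e661d96113854c3a539f4dd70f1db745188b90bda47d1a68a0d488d  patch-6.11.9.patch
4b4e986150e09404a529828aaca59d42c9553d5159863bb88a215d9e7dc208e2fceff33a01019ef4e9c474db8d988779d89a64e04c961c9db16db8948022d123  linux-6.11.9.tar.xz
ff49e4218bb73e8ab6a49b2c7045b1db90d1d777eccdc2a9aafdef64a9537ee18fe3f6233d3e8143a45d25b681981e43354f98e8ea8cb0a23539a4d36f14256a  hardened.x86_64.config
fe36a7aa4684128fc40bf7310875cf161f7990f16b5deb45ba880f630406f5a8a04c0a6dfed5fcbd38715b1d47d23f7560ba1d4aaafcec7ffa4bd15649038e99  hardened.aarch64.config
"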