From 5319920383e7be4f597f629a7c821c1c8d33cce0 Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Tue, 1 Aug 2023 12:28:54 +0200
Subject: [PATCH 1/4] overlay coreos-firmware: update to 20230625_p20230724
Update coreos-firmware to 20230625_p20230724, syncing with linux-firmware of Gentoo, mainly to address CVE-2023-20593.
Gentoo ref: 6390ce05738eac80fc06663a73ca6b22fdaee8d1
---
 .../sys-kernel/coreos-firmware/Manifest | 2 +-
 ...coreos-firmware-20230625_p20230724.ebuild} | 0
 .../coreos-firmware-99999999.ebuild | 472 +++++++++++++-----
 3 files changed, 340 insertions(+), 134 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/{coreos-firmware-20230625.ebuild => coreos-firmware-20230625_p20230724.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
index ff46bac4dae..fa71770299b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
@@ -1 +1 @@
-DIST linux-firmware-20230625.tar.xz 280854212 BLAKE2B 8ad8ce864e2a7b7d542569f5171ae0a7d9b05a1d55a04c507dbfb1939a60507ac8275eef24a165814aca8fdf93e6dbf3f7fbeaf25a8f46f022ca47b7b512401d SHA512 0e48aa7f63495485426d37491c7cb61843165625bd47f912c5d83628c6de871759f1a78be3af3d651f7c396bd87dff07e21ba7afc47896c1c143106d5f16d351
+DIST linux-firmware-20230625_p20230724.tar.gz 441906566 BLAKE2B 5bed31d9ad78440bb12feeacb1ba27a07ad30b0eb8c7bfd03a4e7a7590012af1f9535a49fbf031abf79dd05ca90be79566f06db6f955910edfdca61281831c67 SHA512 daaf07422eb6f3e1b50f8a5dba5bfff747fe6750c0210ab798745f61d774eef7642ab45b9b404c668cf017d6b7fcf89c34bce9e6c77053b1b81f1a3498c5be18
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20230625.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20230625_p20230724.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20230625.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20230625_p20230724.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
index 49f3564d48a..706b523565c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
@@ -1,197 +1,403 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 - -# Tell linux-info where to find the kernel source/build -KERNEL_DIR="${SYSROOT%/}/usr/src/linux" -KBUILD_OUTPUT="${SYSROOT%/}/var/cache/portage/sys-kernel/coreos-kernel" -inherit linux-info savedconfig +inherit linux-info mount-boot savedconfig multiprocessing # In case this is a real snapshot, fill in commit below. # For normal, tagged releases, leave blank -MY_COMMIT= +MY_COMMIT="59fbffa9ec8e4b0b31d2d13e715cf6580ad0e99c" if [[ ${PV} == 99999999* ]]; then inherit git-r3 - EGIT_REPO_URI="https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" + EGIT_REPO_URI="https://git.kernel.org/pub/scm/linux/kernel/git/firmware/${PN}.git" else if [[ -n "${MY_COMMIT}" ]]; then - SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/${MY_COMMIT}.tar.gz -> linux-firmware-${PV}.tar.gz" + SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/${MY_COMMIT}.tar.gz -> ${P}.tar.gz" + S="${WORKDIR}/${MY_COMMIT}" else - SRC_URI="https://mirrors.edge.kernel.org/pub/linux/kernel/firmware/linux-firmware-${PV}.tar.xz -> linux-firmware-${PV}.tar.xz" + SRC_URI="https://mirrors.edge.kernel.org/pub/linux/kernel/firmware/${P}.tar.xz" fi - KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 s390 sparc x86" + + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" fi DESCRIPTION="Linux firmware files" HOMEPAGE="https://git.kernel.org/?p=linux/kernel/git/firmware/linux-firmware.git" LICENSE="GPL-2 GPL-2+ GPL-3 BSD MIT || ( MPL-1.1 GPL-2 ) - BSD-2 BSD BSD-4 ISC MIT no-source-code" + redistributable? ( linux-fw-redistributable BSD-2 BSD BSD-4 ISC MIT ) + unknown-license? 
( all-rights-reserved )" SLOT="0" -IUSE="savedconfig" +IUSE="compress-xz compress-zstd initramfs +redistributable savedconfig unknown-license" +REQUIRED_USE="initramfs? ( redistributable ) + ?? ( compress-xz compress-zstd )" + +RESTRICT="binchecks strip test + unknown-license? ( bindist )" + +BDEPEND="initramfs? ( app-arch/cpio ) + compress-xz? ( app-arch/xz-utils ) + compress-zstd? ( app-arch/zstd )" -CDEPEND=">=sys-kernel/coreos-modules-4.6.3-r1:=" -DEPEND="${CDEPEND} - sys-kernel/coreos-sources" #add anything else that collides to this RDEPEND="!savedconfig? ( - !sys-firmware/alsa-firmware[alsa_cards_ca0132] - !sys-firmware/alsa-firmware[alsa_cards_korg1212] - !sys-firmware/alsa-firmware[alsa_cards_maestro3] - !sys-firmware/alsa-firmware[alsa_cards_sb16] - !sys-firmware/alsa-firmware[alsa_cards_ymfpci] - !net-dialup/ueagle-atm - !net-dialup/ueagle4-atm - !sys-block/qla-fc-firmware - !sys-firmware/iwl1000-ucode - !sys-firmware/iwl6005-ucode - !sys-firmware/iwl6030-ucode - !sys-firmware/iwl6050-ucode - !sys-firmware/iwl3160-ucode - !sys-firmware/iwl7260-ucode - !sys-firmware/iwl3160-7260-bt-ucode + redistributable? ( + !sys-firmware/alsa-firmware[alsa_cards_ca0132] + !sys-block/qla-fc-firmware + !sys-firmware/iwl1000-ucode + !sys-firmware/iwl6005-ucode + !sys-firmware/iwl6030-ucode + !sys-firmware/iwl3160-ucode + !sys-firmware/iwl7260-ucode + !sys-firmware/iwl3160-7260-bt-ucode + !sys-firmware/raspberrypi-wifi-ucode + ) + unknown-license? 
( + !sys-firmware/alsa-firmware[alsa_cards_korg1212] + !sys-firmware/alsa-firmware[alsa_cards_maestro3] + !sys-firmware/alsa-firmware[alsa_cards_sb16] + !sys-firmware/alsa-firmware[alsa_cards_ymfpci] + ) )" -RESTRICT="binchecks strip" +QA_PREBUILT="*" -# source name is linux-firmware, not coreos-firmware -S="${WORKDIR}/linux-firmware-${PV}" +pkg_setup() { + if use compress-xz || use compress-zstd ; then + local CONFIG_CHECK + + if kernel_is -ge 5 19; then + use compress-xz && CONFIG_CHECK="~FW_LOADER_COMPRESS_XZ" + use compress-zstd && CONFIG_CHECK="~FW_LOADER_COMPRESS_ZSTD" + else + use compress-xz && CONFIG_CHECK="~FW_LOADER_COMPRESS" + if use compress-zstd; then + eerror "Kernels <5.19 do not support ZSTD-compressed firmware files" + fi + fi + linux-info_pkg_setup + fi +} -CXGB_VERSION="1.27.3.0" -ICE_DDP_VERSION="1.3.30.0" +pkg_pretend() { + use initramfs && mount-boot_pkg_pretend +} src_unpack() { if [[ ${PV} == 99999999* ]]; then git-r3_src_unpack else default - # Upstream linux-firmware tarball does not contain - # symlinks for cxgb4 firmware files, but "modinfo - # cxgb4.ko" shows it requires t?fw.bin files. These - # normally are installed by the copy-firmware.sh - # script, which refers to the WHENCE file. Both the - # script and the file are in the tarball. The WHENCE - # file actually mentions that these symlinks should be - # created, but apparently our ebuild is not using this - # way of installing the firmware files, so we need to - # create the symlinks to avoid failures at the - # firmware scanning stage. - ln -sfn t4fw-${CXGB_VERSION}.bin linux-firmware-${PV}/cxgb4/t4fw.bin - ln -sfn t5fw-${CXGB_VERSION}.bin linux-firmware-${PV}/cxgb4/t5fw.bin - ln -sfn t6fw-${CXGB_VERSION}.bin linux-firmware-${PV}/cxgb4/t6fw.bin - - # Upstream linux-firmware tarball does not contain - # a correct symlink to intel/ice/ddp/ice-1.3.28.0.pkg, - # but "modinfo ice.ko" shows it requires ice.pkg. 
- # So we need to create the symlink to avoid failures at the - # firmware scanning stage. - ln -sfn ice-${ICE_DDP_VERSION}.pkg linux-firmware-${PV}/intel/ice/ddp/ice.pkg - - # The xhci-pci.ko kernel module started requiring a - # renesas_usb_fw.mem firmware file, but this file is - # nowhere to be found in the tarball. So we just fake - # the existence of the firmware, so the firmware - # scanning stage won't fail. Obviously, this means - # that if someone is going to use this specific - # renesas controller that requires the firmware, it - # won't work. Hopefully that file appears at some - # point in the tarball. - touch "linux-firmware-${PV}/renesas_usb_fw.mem" + # rename directory from git snapshot tarball + if [[ ${#GIT_COMMIT} -gt 8 ]]; then + mv ${PN}-*/ ${P} || die + fi fi } src_prepare() { - local kernel_mods="${SYSROOT%/}/lib/modules/${KV_FULL}" - - # Fail if any firmware is missing. - einfo "Scanning for files required by ${KV_FULL}" - echo -n > "${T}/firmware-scan" - local kofile fwfile failed - for kofile in $(find "${kernel_mods}" -name '*.ko' -o -name '*.ko.xz'); do - for fwfile in $(modinfo --field firmware "${kofile}"); do - if [[ ! -e "${fwfile}" ]]; then - eerror "Missing firmware: ${fwfile} (${kofile##*/})" - failed=1 - elif [[ -L "${fwfile}" ]]; then - echo "${fwfile}" >> "${T}/firmware-scan" - realpath --relative-to=. "${fwfile}" >> "${T}/firmware-scan" - else - echo "${fwfile}" >> "${T}/firmware-scan" + default + + find . -type f -not -perm 0644 -print0 \ + | xargs --null --no-run-if-empty chmod 0644 \ + || die + + chmod +x copy-firmware.sh || die + + if use initramfs; then + if [[ -d "${S}/amd-ucode" ]]; then + local UCODETMP="${T}/ucode_tmp" + local UCODEDIR="${UCODETMP}/kernel/x86/microcode" + mkdir -p "${UCODEDIR}" || die + echo 1 > "${UCODETMP}/early_cpio" + + local amd_ucode_file="${UCODEDIR}/AuthenticAMD.bin" + cat "${S}"/amd-ucode/*.bin > "${amd_ucode_file}" || die "Failed to concat amd cpu ucode" + + if [[ ! 
-s "${amd_ucode_file}" ]]; then + die "Sanity check failed: '${amd_ucode_file}' is empty!" fi - done - done - if [[ -n "${failed}" ]]; then - die "Missing firmware" + + pushd "${UCODETMP}" &>/dev/null || die + find . -print0 | cpio --quiet --null -o -H newc -R 0:0 > "${S}"/amd-uc.img + popd &>/dev/null || die + if [[ ! -s "${S}/amd-uc.img" ]]; then + die "Failed to create '${S}/amd-uc.img'!" + fi + else + # If this will ever happen something has changed which + # must be reviewed + die "'${S}/amd-ucode' not found!" + fi fi - # AMD's microcode is shipped as part of coreos-firmware, but not a dependency to - # any module, so add it manually - use amd64 && find amd-ucode/ -type f -not -name "*.asc" >> "${T}/firmware-scan" + # whitelist of misc files + local misc_files=( + copy-firmware.sh + WHENCE + README + ) - einfo "Pruning all unneeded firmware files..." - sort -u "${T}/firmware-scan" > "${T}/firmware" - find * -not -type d \ - | sort "${T}/firmware" "${T}/firmware" - \ - | uniq -u | xargs -r rm - find * -type f -name "* *" -exec rm -f {} \; + # whitelist of images with a free software license + local free_software=( + # keyspan_pda (GPL-2+) + keyspan_pda/keyspan_pda.fw + keyspan_pda/xircom_pgs.fw + # dsp56k (GPL-2+) + dsp56k/bootstrap.bin + # ath9k_htc (BSD GPL-2+ MIT) + ath9k_htc/htc_7010-1.4.0.fw + ath9k_htc/htc_9271-1.4.0.fw + # pcnet_cs, 3c589_cs, 3c574_cs, serial_cs (dual GPL-2/MPL-1.1) + cis/LA-PCM.cis + cis/PCMLM28.cis + cis/DP83903.cis + cis/NE2K.cis + cis/tamarack.cis + cis/PE-200.cis + cis/PE520.cis + cis/3CXEM556.cis + cis/3CCFEM556.cis + cis/MT5634ZLX.cis + cis/RS-COM-2P.cis + cis/COMpad2.cis + cis/COMpad4.cis + # serial_cs (GPL-3) + cis/SW_555_SER.cis + cis/SW_7xx_SER.cis + cis/SW_8xx_SER.cis + # dvb-ttpci (GPL-2+) + av7110/bootcode.bin + # usbdux, usbduxfast, usbduxsigma (GPL-2+) + usbdux_firmware.bin + usbduxfast_firmware.bin + usbduxsigma_firmware.bin + # brcmfmac (GPL-2+) + brcm/brcmfmac4330-sdio.Prowise-PT301.txt + 
brcm/brcmfmac43340-sdio.meegopad-t08.txt + brcm/brcmfmac43362-sdio.cubietech,cubietruck.txt + brcm/brcmfmac43362-sdio.lemaker,bananapro.txt + brcm/brcmfmac43430a0-sdio.jumper-ezpad-mini3.txt + "brcm/brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt" + brcm/brcmfmac43430-sdio.AP6212.txt + brcm/brcmfmac43430-sdio.Hampoo-D2D3_Vi8A1.txt + brcm/brcmfmac43430-sdio.MUR1DX.txt + brcm/brcmfmac43430-sdio.raspberrypi,3-model-b.txt + brcm/brcmfmac43455-sdio.raspberrypi,3-model-b-plus.txt + brcm/brcmfmac4356-pcie.gpd-win-pocket.txt + # isci (GPL-2) + isci/isci_firmware.bin + # carl9170 (GPL-2+) + carl9170-1.fw + # atusb (GPL-2+) + atusb/atusb-0.2.dfu + atusb/atusb-0.3.dfu + atusb/rzusb-0.3.bin + # mlxsw_spectrum (dual BSD/GPL-2) + mellanox/mlxsw_spectrum-13.1420.122.mfa2 + mellanox/mlxsw_spectrum-13.1530.152.mfa2 + mellanox/mlxsw_spectrum-13.1620.192.mfa2 + mellanox/mlxsw_spectrum-13.1702.6.mfa2 + mellanox/mlxsw_spectrum-13.1703.4.mfa2 + mellanox/mlxsw_spectrum-13.1910.622.mfa2 + mellanox/mlxsw_spectrum-13.2000.1122.mfa2 + ) - default + # blacklist of images with unknown license + local unknown_license=( + korg/k1212.dsp + ess/maestro3_assp_kernel.fw + ess/maestro3_assp_minisrc.fw + yamaha/ds1_ctrl.fw + yamaha/ds1_dsp.fw + yamaha/ds1e_ctrl.fw + ttusb-budget/dspbootcode.bin + emi62/bitstream.fw + emi62/loader.fw + emi62/midi.fw + emi62/spdif.fw + ti_3410.fw + ti_5052.fw + mts_mt9234mu.fw + mts_mt9234zba.fw + whiteheat.fw + whiteheat_loader.fw + cpia2/stv0672_vp4.bin + vicam/firmware.fw + edgeport/boot.fw + edgeport/boot2.fw + edgeport/down.fw + edgeport/down2.fw + edgeport/down3.bin + sb16/mulaw_main.csp + sb16/alaw_main.csp + sb16/ima_adpcm_init.csp + sb16/ima_adpcm_playback.csp + sb16/ima_adpcm_capture.csp + sun/cassini.bin + acenic/tg1.bin + acenic/tg2.bin + adaptec/starfire_rx.bin + adaptec/starfire_tx.bin + yam/1200.bin + yam/9600.bin + ositech/Xilinx7OD.bin + qlogic/isp1000.bin + myricom/lanai.bin + yamaha/yss225_registers.bin + lgs8g75.fw + ) + + if use !unknown-license; then + 
einfo "Removing files with unknown license ..." + rm -v "${unknown_license[@]}" || die + fi + + if use !redistributable; then + # remove files _not_ in the free_software or unknown_license lists + # everything else is confirmed (or assumed) to be redistributable + # based on upstream acceptance policy + einfo "Removing non-redistributable files ..." + local OLDIFS="${IFS}" + local IFS=$'\n' + set -o pipefail + find ! -type d -printf "%P\n" \ + | grep -Fvx -e "${misc_files[*]}" -e "${free_software[*]}" -e "${unknown_license[*]}" \ + | xargs -d '\n' --no-run-if-empty rm -v + + [[ ${?} -ne 0 ]] && die "Failed to remove non-redistributable files" + + IFS="${OLDIFS}" + fi + + restore_config ${PN}.conf +} - echo "# Remove files that shall not be installed from this list." > ${PN}.conf - find * \( \! -type d -and \! -name ${PN}.conf \) >> ${PN}.conf +src_install() { + ./copy-firmware.sh -v "${ED}/lib/firmware" || die + + pushd "${ED}/lib/firmware" &>/dev/null || die + + # especially use !redistributable will cause some broken symlinks + einfo "Removing broken symlinks ..." + find * -xtype l -print -delete || die if use savedconfig; then - restore_config ${PN}.conf - ebegin "Removing all files not listed in config" + if [[ -s "${S}/${PN}.conf" ]]; then + local files_to_keep="${T}/files_to_keep.lst" + grep -v '^#' "${S}/${PN}.conf" 2>/dev/null > "${files_to_keep}" || die + [[ -s "${files_to_keep}" ]] || die "grep failed, empty config file?" - local file delete_file preserved_file preserved_files=() + einfo "Applying USE=savedconfig; Removing all files not listed in config ..." + find ! -type d -printf "%P\n" \ + | grep -Fvx -f "${files_to_keep}" \ + | xargs -d '\n' --no-run-if-empty rm -v - while IFS= read -r file; do - # Ignore comments. 
- if [[ ${file} != "#"* ]]; then - preserved_files+=("${file}") - fi - done < ${PN}.conf || die - - while IFS= read -d "" -r file; do - delete_file=true - for preserved_file in "${preserved_files[@]}"; do - if [[ "${file}" == "${preserved_file}" ]]; then - delete_file=false - fi - done - - if ${delete_file}; then - rm "${file}" || die + if [[ ${PIPESTATUS[0]} -ne 0 ]]; then + die "Find failed to print installed files" + elif [[ ${PIPESTATUS[1]} -eq 2 ]]; then + # grep returns exit status 1 if no lines were selected + # which is the case when we want to keep all files + die "Grep failed to select files to keep" + elif [[ ${PIPESTATUS[2]} -ne 0 ]]; then + die "Failed to remove files not listed in config" fi - done < <(find * \( \! -type d -and \! -name ${PN}.conf \) -print0 || die) + fi + fi - eend || die + # remove empty directories, bug #396073 + find -type d -empty -delete || die - # remove empty directories, bug #396073 - find -type d -empty -delete || die + # sanity check + if ! ( shopt -s failglob; : * ) 2>/dev/null; then + eerror "No files to install. Check your USE flag settings" + eerror "and the list of files in your saved configuration." + die "Refusing to install an empty package" fi -} -src_install() { - # Flatcar: Don't save the firmware config to /etc/portage/savedconfig/ - # if use !savedconfig; then - # save_config ${PN}.conf - # fi - rm ${PN}.conf || die - insinto /lib/firmware/ - doins -r * + # create config file + echo "# Remove files that shall not be installed from this list." > "${S}"/${PN}.conf || die + find * ! -type d >> "${S}"/${PN}.conf || die + save_config "${S}"/${PN}.conf + + if use compress-xz || use compress-zstd; then + einfo "Compressing firmware ..." 
+ local target + local ext + local compressor + + if use compress-xz; then + ext=xz + compressor="xz -T1 -C crc32" + elif use compress-zstd; then + ext=zst + compressor="zstd -15 -T1 -C -q --rm" + fi + + # rename symlinks + while IFS= read -r -d '' f; do + # skip symlinks pointing to directories + [[ -d ${f} ]] && continue + + target=$(readlink "${f}") + [[ $? -eq 0 ]] || die + ln -sf "${target}".${ext} "${f}" || die + mv -T "${f}" "${f}".${ext} || die + done < <(find . -type l -print0) || die + + find . -type f ! -path "./amd-ucode/*" -print0 | \ + xargs -0 -P $(makeopts_jobs) -I'{}' ${compressor} '{}' || die + + fi + + popd &>/dev/null || die + + if use initramfs ; then + insinto /boot + doins "${S}"/amd-uc.img + fi } pkg_preinst() { if use savedconfig; then ewarn "USE=savedconfig is active. You must handle file collisions manually." fi + + # Fix 'symlink is blocked by a directory' Bug #871315 + if has_version "<${CATEGORY}/${PN}-20220913-r2" ; then + rm -rf "${EROOT}"/lib/firmware/qcom/LENOVO/21BX + fi + + # Make sure /boot is available if needed. + use initramfs && mount-boot_pkg_preinst } pkg_postinst() { elog "If you are only interested in particular firmware files, edit the saved" elog "configfile and remove those that you do not want." + + local ver + for ver in ${REPLACING_VERSIONS}; do + if ver_test ${ver} -lt 20190514; then + elog + elog 'Starting with version 20190514, installation of many firmware' + elog 'files is controlled by USE flags. Please review your USE flag' + elog 'and package.license settings if you are missing some files.' + break + fi + done + + # Don't forget to umount /boot if it was previously mounted by us. + use initramfs && mount-boot_pkg_postinst +} + +pkg_prerm() { + # Make sure /boot is mounted so that we can remove /boot/amd-uc.img! + use initramfs && mount-boot_pkg_prerm +} + +pkg_postrm() { + # Don't forget to umount /boot if it was previously mounted by us. + use initramfs && mount-boot_pkg_postrm } 
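Review bot: In the new pkg_setup, a kernel older than 5.19 built with USE=compress-zstd only gets an `eerror` and the ebuild carries on, so src_install will still zstd-compress every firmware file and the kernel's firmware loader will then be unable to read any of them at runtime. That combination should be a hard failure: `die "Kernels <5.19 do not support ZSTD-compressed firmware files"`. Note that the `~` prefix in `CONFIG_CHECK="~FW_LOADER_COMPRESS_XZ"` likewise only warns when the kernel option is absent, which is fine if intentional but worth a one-line comment. This mirrors the Gentoo ebuild being synced, so the fix would belong in the Flatcar follow-up patch rather than here.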
From ac5c5e6d156c6e6eecb16fccef39f3d00cad2301 Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Tue, 1 Aug 2023 12:30:12 +0200
Subject: [PATCH 2/4] overlay coreos-firmware: Apply Flatcar modifications
Apply Flatcar modifications on top of Gentoo ebuilds.
* Specify coreos-* directories for Kernel builds.
* Use hard-coded linux-firmware directory instead of ${PN} as well as ${S} to avoid naming conflicts.
* Depend on packages of Kernel source and modules.
* Create symlinks for CXGB and ICE DDP firmware files.
* Rewrite src_prepare and src_install.
* Remove acenic/tg?.bin from unknown_license to force to install.
---
 .../coreos-firmware-99999999.ebuild | 240 +++++++++---------
 1 file changed, 122 insertions(+), 118 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
index 706b523565c..a14b76a9a3d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
@@ -2,23 +2,27 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=7 -inherit linux-info mount-boot savedconfig multiprocessing + +# Flatcar: Tell linux-info where to find the kernel source/build +KERNEL_DIR="${SYSROOT%/}/usr/src/linux" +KBUILD_OUTPUT="${SYSROOT%/}/var/cache/portage/sys-kernel/coreos-kernel" +inherit linux-info savedconfig # In case this is a real snapshot, fill in commit below. # For normal, tagged releases, leave blank MY_COMMIT="59fbffa9ec8e4b0b31d2d13e715cf6580ad0e99c" +# Flatcar: use linux-firmware instead of ${PN}, coreos-firmware to avoid naming conflicts. if [[ ${PV} == 99999999* ]]; then inherit git-r3 - EGIT_REPO_URI="https://git.kernel.org/pub/scm/linux/kernel/git/firmware/${PN}.git" + EGIT_REPO_URI="https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" else if [[ -n "${MY_COMMIT}" ]]; then - SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/${MY_COMMIT}.tar.gz -> ${P}.tar.gz" + SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/${MY_COMMIT}.tar.gz -> linux-firmware-${PV}.tar.gz" S="${WORKDIR}/${MY_COMMIT}" else - SRC_URI="https://mirrors.edge.kernel.org/pub/linux/kernel/firmware/${P}.tar.xz" + SRC_URI="https://mirrors.edge.kernel.org/pub/linux/kernel/firmware/linux-firmware-${PV}.tar.xz -> linux-firmware-${PV}.tar.xz" fi - KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" fi @@ -40,6 +44,9 @@ BDEPEND="initramfs? ( app-arch/cpio ) compress-xz? ( app-arch/xz-utils ) compress-zstd? ( app-arch/zstd )" +# Flatcar: depend on Kernel source and modules +DEPEND=">=sys-kernel/coreos-modules-6.1:= + sys-kernel/coreos-sources" #add anything else that collides to this RDEPEND="!savedconfig? ( redistributable? ( 
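Review bot: The new inherit line drops `mount-boot` (and `multiprocessing`), but `initramfs` stays in IUSE, REQUIRED_USE and BDEPEND, and the pkg_pretend/pkg_preinst/pkg_postinst/pkg_prerm/pkg_postrm phases outside this hunk still call `mount-boot_pkg_*` under `use initramfs`, so enabling that flag would now fail with "command not found" mid-merge instead of being rejected up front. Either keep `inherit linux-info mount-boot savedconfig`, or remove `initramfs` from IUSE/REQUIRED_USE/BDEPEND together with those phase calls so the flag cannot be set. `makeopts_jobs` was the only user of multiprocessing and its call site is deleted later in this patch, so that removal is safe.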
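Review bot: The DEPEND added here covers the kernel source and module trees that src_prepare reads, but the scan loop introduced later in this patch also shells out to `modinfo`, which ships in sys-apps/kmod and is not declared anywhere in this ebuild. It is presumably always present in the SDK, but the build-time requirement should be explicit so a slimmed-down SDK fails at resolution rather than with an empty scan: add `sys-apps/kmod` to the BDEPEND block whose start lies above this hunk.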
@@ -63,6 +70,9 @@ RDEPEND="!savedconfig? ( QA_PREBUILT="*" +# Flatcar: source name is linux-firmware, not coreos-firmware +S="${WORKDIR}/linux-firmware-${PV}" + pkg_setup() { if use compress-xz || use compress-zstd ; then local CONFIG_CHECK 
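Review bot: This unconditional `S=` silently overrides the `S="${WORKDIR}/${MY_COMMIT}"` that the snapshot branch near the top of the file still sets, leaving that earlier assignment dead and misleading; only the `mv ${MY_COMMIT}/ linux-firmware-${PV}` in src_unpack keeps the two consistent. Either delete the earlier assignment or say so here: `# Flatcar: overrides the snapshot S= above; src_unpack renames ${MY_COMMIT}/ to match.`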
@@ -84,52 +94,117 @@ pkg_pretend() { use initramfs && mount-boot_pkg_pretend } +# Flatcar: create symlinks for cxgb and ice firmwares +CXGB_VERSION="1.27.3.0" +ICE_DDP_VERSION="1.3.30.0" + src_unpack() { if [[ ${PV} == 99999999* ]]; then git-r3_src_unpack else default # rename directory from git snapshot tarball - if [[ ${#GIT_COMMIT} -gt 8 ]]; then - mv ${PN}-*/ ${P} || die + # Flatcar: move a correct directory ${MY_COMMIT}, as defined + # above in ${S}. + if [[ ${#MY_COMMIT} -gt 8 ]]; then + mv ${MY_COMMIT}/ linux-firmware-${PV} || die fi + + # Flatcar: Upstream linux-firmware tarball does not contain + # symlinks for cxgb4 firmware files, but "modinfo + # cxgb4.ko" shows it requires t?fw.bin files. These + # normally are installed by the copy-firmware.sh + # script, which refers to the WHENCE file. Both the + # script and the file are in the tarball. The WHENCE + # file actually mentions that these symlinks should be + # created, but apparently our ebuild is not using this + # way of installing the firmware files, so we need to + # create the symlinks to avoid failures at the + # firmware scanning stage. + ln -sfn t4fw-${CXGB_VERSION}.bin linux-firmware-${PV}/cxgb4/t4fw.bin + ln -sfn t5fw-${CXGB_VERSION}.bin linux-firmware-${PV}/cxgb4/t5fw.bin + ln -sfn t6fw-${CXGB_VERSION}.bin linux-firmware-${PV}/cxgb4/t6fw.bin + + # Flatcar: Upstream linux-firmware tarball does not contain + # a correct symlink to intel/ice/ddp/ice-1.3.28.0.pkg, + # but "modinfo ice.ko" shows it requires ice.pkg. + # So we need to create the symlink to avoid failures at the + # firmware scanning stage. + ln -sfn ice-${ICE_DDP_VERSION}.pkg linux-firmware-${PV}/intel/ice/ddp/ice.pkg fi } src_prepare() { - default + # Flatcar: generate a list of firmware + local kernel_mods="${SYSROOT%/}/lib/modules/${KV_FULL}" + + # Fail if any firmware is missing. 
+ einfo "Scanning for files required by ${KV_FULL}" + echo -n > "${T}/firmware-scan" + local kofile fwfile failed + for kofile in $(find "${kernel_mods}" -name '*.ko' -o -name '*.ko.xz'); do + for fwfile in $(modinfo --field firmware "${kofile}"); do + if [[ ! -e "${fwfile}" ]]; then + eerror "Missing firmware: ${fwfile} (${kofile##*/})" + failed=1 + elif [[ -L "${fwfile}" ]]; then + echo "${fwfile}" >> "${T}/firmware-scan" + realpath --relative-to=. "${fwfile}" >> "${T}/firmware-scan" + else + echo "${fwfile}" >> "${T}/firmware-scan" + fi + done + done + if [[ -n "${failed}" ]]; then + die "Missing firmware" + fi - find . -type f -not -perm 0644 -print0 \ - | xargs --null --no-run-if-empty chmod 0644 \ - || die + # AMD's microcode is shipped as part of coreos-firmware, but not a dependency to + # any module, so add it manually + use amd64 && find amd-ucode/ -type f -not -name "*.asc" >> "${T}/firmware-scan" - chmod +x copy-firmware.sh || die + einfo "Pruning all unneeded firmware files..." + sort -u "${T}/firmware-scan" > "${T}/firmware" + find * -not -type d \ + | sort "${T}/firmware" "${T}/firmware" - \ + | uniq -u | xargs -r rm + find * -type f -name "* *" -exec rm -f {} \; - if use initramfs; then - if [[ -d "${S}/amd-ucode" ]]; then - local UCODETMP="${T}/ucode_tmp" - local UCODEDIR="${UCODETMP}/kernel/x86/microcode" - mkdir -p "${UCODEDIR}" || die - echo 1 > "${UCODETMP}/early_cpio" + default - local amd_ucode_file="${UCODEDIR}/AuthenticAMD.bin" - cat "${S}"/amd-ucode/*.bin > "${amd_ucode_file}" || die "Failed to concat amd cpu ucode" + echo "# Remove files that shall not be installed from this list." > ${PN}.conf + find * \( \! -type d -and \! -name ${PN}.conf \) >> ${PN}.conf - if [[ ! -s "${amd_ucode_file}" ]]; then - die "Sanity check failed: '${amd_ucode_file}' is empty!" 
- fi + if use savedconfig; then + restore_config ${PN}.conf + ebegin "Removing all files not listed in config" + + local file delete_file preserved_file preserved_files=() - pushd "${UCODETMP}" &>/dev/null || die - find . -print0 | cpio --quiet --null -o -H newc -R 0:0 > "${S}"/amd-uc.img - popd &>/dev/null || die - if [[ ! -s "${S}/amd-uc.img" ]]; then - die "Failed to create '${S}/amd-uc.img'!" + while IFS= read -r file; do + # Ignore comments. + if [[ ${file} != "#"* ]]; then + preserved_files+=("${file}") fi - else - # If this will ever happen something has changed which - # must be reviewed - die "'${S}/amd-ucode' not found!" - fi + done < ${PN}.conf || die + + while IFS= read -d "" -r file; do + delete_file=true + for preserved_file in "${preserved_files[@]}"; do + if [[ "${file}" == "${preserved_file}" ]]; then + delete_file=false + fi + done + + if ${delete_file}; then + rm "${file}" || die + fi + done < <(find * \( \! -type d -and \! -name ${PN}.conf \) -print0 || die) + + eend || die + + # remove empty directories, bug #396073 + find -type d -empty -delete || die fi # whitelist of misc files @@ -205,6 +280,8 @@ src_prepare() { ) # blacklist of images with unknown license + # Flatcar: remove Alteon AceNIC drivers from unknown_license to install + # the firmware files: acenic/tg?.bin. local unknown_license=( korg/k1212.dsp ess/maestro3_assp_kernel.fw @@ -236,8 +313,6 @@ src_prepare() { sb16/ima_adpcm_playback.csp sb16/ima_adpcm_capture.csp sun/cassini.bin - acenic/tg1.bin - acenic/tg2.bin adaptec/starfire_rx.bin adaptec/starfire_tx.bin yam/1200.bin @@ -251,7 +326,8 @@ src_prepare() { if use !unknown-license; then einfo "Removing files with unknown license ..." - rm -v "${unknown_license[@]}" || die + # Flatcar: do not die even if no such license file is there. + rm -v "${unknown_license[@]}" fi if use !redistributable; then 
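Review bot: The module scan at the top of src_prepare never checks that `${kernel_mods}` exists or that it produced anything: `find` runs inside `$(...)`, so if the path is wrong (KV_FULL taken from a host kernel, coreos-modules not yet merged) the loop body never executes, `failed` stays empty, and the prune step then deletes every firmware file except amd-ucode, yielding a near-empty package that merges without error. Add `[[ -d "${kernel_mods}" ]] || die "No module tree for ${KV_FULL} in ${kernel_mods}"` before the loop and `[[ -s "${T}/firmware-scan" ]] || die "No firmware references found in ${kernel_mods}"` after it. The prune pipeline `... | uniq -u | xargs -r rm` also has no `|| die`, so a failing sort or rm would silently leave unreferenced firmware in the image. Since this series is motivated by CVE-2023-20593 and the amd-ucode files are only added to the keep-list by the `use amd64 && find amd-ucode/ ...` line, it is worth confirming in a build log that the fam17h microcode blob survives the prune. src_prepare continues past the end of this hunk.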
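Review bot: Dropping `|| die` from `rm -v "${unknown_license[@]}"` swallows every rm failure, not only the expected "No such file" for entries the earlier prune already removed; `rm -f` is the precise tool for that case, so keep the error check: `rm -fv "${unknown_license[@]}" || die`. With `-f`, GNU rm treats missing operands as success, which is exactly the behaviour the Flatcar comment asks for without hiding permission or I/O errors.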
@@ -275,88 +351,16 @@ src_prepare() { } src_install() { - ./copy-firmware.sh -v "${ED}/lib/firmware" || die - - pushd "${ED}/lib/firmware" &>/dev/null || die - - # especially use !redistributable will cause some broken symlinks - einfo "Removing broken symlinks ..." - find * -xtype l -print -delete || die - - if use savedconfig; then - if [[ -s "${S}/${PN}.conf" ]]; then - local files_to_keep="${T}/files_to_keep.lst" - grep -v '^#' "${S}/${PN}.conf" 2>/dev/null > "${files_to_keep}" || die - [[ -s "${files_to_keep}" ]] || die "grep failed, empty config file?" - - einfo "Applying USE=savedconfig; Removing all files not listed in config ..." - find ! -type d -printf "%P\n" \ - | grep -Fvx -f "${files_to_keep}" \ - | xargs -d '\n' --no-run-if-empty rm -v - - if [[ ${PIPESTATUS[0]} -ne 0 ]]; then - die "Find failed to print installed files" - elif [[ ${PIPESTATUS[1]} -eq 2 ]]; then - # grep returns exit status 1 if no lines were selected - # which is the case when we want to keep all files - die "Grep failed to select files to keep" - elif [[ ${PIPESTATUS[2]} -ne 0 ]]; then - die "Failed to remove files not listed in config" - fi - fi - fi - - # remove empty directories, bug #396073 - find -type d -empty -delete || die - - # sanity check - if ! ( shopt -s failglob; : * ) 2>/dev/null; then - eerror "No files to install. Check your USE flag settings" - eerror "and the list of files in your saved configuration." - die "Refusing to install an empty package" - fi - - # create config file - echo "# Remove files that shall not be installed from this list." > "${S}"/${PN}.conf || die - find * ! -type d >> "${S}"/${PN}.conf || die - save_config "${S}"/${PN}.conf - - if use compress-xz || use compress-zstd; then - einfo "Compressing firmware ..." 
- local target - local ext - local compressor - - if use compress-xz; then - ext=xz - compressor="xz -T1 -C crc32" - elif use compress-zstd; then - ext=zst - compressor="zstd -15 -T1 -C -q --rm" - fi - - # rename symlinks - while IFS= read -r -d '' f; do - # skip symlinks pointing to directories - [[ -d ${f} ]] && continue - - target=$(readlink "${f}") - [[ $? -eq 0 ]] || die - ln -sf "${target}".${ext} "${f}" || die - mv -T "${f}" "${f}".${ext} || die - done < <(find . -type l -print0) || die - - find . -type f ! -path "./amd-ucode/*" -print0 | \ - xargs -0 -P $(makeopts_jobs) -I'{}' ${compressor} '{}' || die - - fi - - popd &>/dev/null || die - - if use initramfs ; then - insinto /boot - doins "${S}"/amd-uc.img - fi + # Flatcar: take a simplified approach instead of cumbersome installation + # like done in Gentoo. + # + # Don't save the firmware config to /etc/portage/savedconfig/ + # if we use !savedconfig; then + # save_config ${PN}.conf + # fi + rm ${PN}.conf || die + insinto /lib/firmware/ + doins -r * } pkg_preinst() {
From f34f840d4d7c54eacaa08dbd2eb5d2dbc802498f Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Wed, 2 Aug 2023 13:14:30 +0200
Subject: [PATCH 3/4] overlay profiles: accept license linux-fw-redistributable
Add a license linux-fw-redistributable to ACCEPT_LICENSE, to be able to build coreos-firmware as needed by linux-firmware of Gentoo.
---
 .../coreos-overlay/profiles/coreos/base/make.defaults | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 64dce521c71..1b49142ee60 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
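Review bot: The simplified src_install in patch 2 drops two safety checks present in the Gentoo code it replaces: the `find * -xtype l -print -delete` sweep of dangling symlinks and the refusal to install an empty tree. The prune in src_prepare records a required symlink together with its realpath target, so dangling links should not normally survive, but a cheap guard in front of `doins -r *` catches a broken scan instead of shipping it: `find * -xtype l -print -delete || die` and `[[ -n "$(find . -type f -print -quit)" ]] || die "Refusing to install an empty firmware tree"`. Quote the config removal as well, `rm -- "${PN}.conf" || die`. pkg_preinst begins at the end of that hunk and continues outside it.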
@@ -62,10 +62,12 @@ USE="${USE} bindist"
 #
 # netperf - license for net-analyzer/netperf
 # no-source-code - license for sys-kernel/coreos-firmware
+# linux-fw-redistributable - license for sys-kernel/coreos-firmware
 # freedist - license for sys-kernel/coreos-kernel
 # BSD-2-Clause-Patent - license for sys-firmware/edk2-aarch64
 # intel-ucode - license for sys-firmware/intel-microcode
-ACCEPT_LICENSE="${ACCEPT_LICENSE} netperf no-source-code freedist BSD-2-Clause-Patent intel-ucode"
+ACCEPT_LICENSE="${ACCEPT_LICENSE} netperf no-source-code
+ linux-fw-redistributable freedist BSD-2-Clause-Patent intel-ucode"
 
 # Favor our own mirrors over Gentoo's
 GENTOO_MIRRORS="
From 388896fa4fc835412e91906e76356868a2ac7c00 Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Tue, 1 Aug 2023 15:19:23 +0200
Subject: [PATCH 4/4] changelog: add security changelog for linux-firmware 20230625_p20230724
---
 .../security/2023-08-01-linux-firmware-20230625_p20230724.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/security/2023-08-01-linux-firmware-20230625_p20230724.md
diff --git a/changelog/security/2023-08-01-linux-firmware-20230625_p20230724.md b/changelog/security/2023-08-01-linux-firmware-20230625_p20230724.md
new file mode 100644
index 00000000000..64d37e1302e
--- /dev/null
+++ b/changelog/security/2023-08-01-linux-firmware-20230625_p20230724.md
@@ -0,0 +1 @@
+- linux-firmware ([CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593))
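Review bot: In the make.defaults hunk the comment block now attributes both `no-source-code` and `linux-fw-redistributable` to sys-kernel/coreos-firmware, but the ebuild updated earlier in this series no longer declares `no-source-code` (its LICENSE became `redistributable? ( linux-fw-redistributable ... )`), so that comment is stale and ACCEPT_LICENSE keeps accepting a label that, as far as this series shows, nothing uses. Unless another overlay package still carries it, drop `no-source-code` from both the comment and the list, or annotate it: `# no-source-code - no longer needed by coreos-firmware since 20230625_p20230724`. Leaving `all-rights-reserved` out of ACCEPT_LICENSE is the right call, since it keeps the `unknown-license` flag (and its RESTRICT=bindist) from being enabled by accident.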