Enable the required config options to run docker in the default defconfig for Morello Transitional PureCap User ABI (PCuABI) (morello_transitional_pcuabi_defconfig).
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
A rebased version of the patches on morello/next, to be used for testing purposes, can be found at: https://git.morello-project.org/vincenzo/linux morello/docker/v1
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
Vincenzo Frascino (5):
  bpf: Use proper typecast for capability type
  net: Use proper typecast for capability type
  security/keys: Use proper typecast for capability type
  arm64: compat64: Use correct keyctl system call handler
  morello: Enable docker in defconfig

 .../morello_transitional_pcuabi_defconfig | 25 +++++++++++++++++++
 arch/arm64/kernel/sys_compat64.c          |  1 +
 kernel/bpf/helpers.c                      |  2 +-
 net/bridge/br_ioctl.c                     |  4 +++
 security/keys/keyring.c                   |  2 +-
 5 files changed, 32 insertions(+), 2 deletions(-)
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation warning below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/kernel/bpf/helpers.c: warning: the following conversion will result in a CToPtr operation; the behaviour of CToPtr can be confusing since using CToPtr on an untagged capability will give 0 instead of the integer value and should therefore be explicitly annotated [-Wcheri-pointer-conversion] ret = access_process_vm(tsk, (unsigned long)user_ptr, dst,size, 0);
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
 kernel/bpf/helpers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 315053ef6a75..33058bc56243 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -680,7 +680,7 @@ BPF_CALL_5(bpf_copy_from_user_task, void *, dst, u32, size, if (unlikely(!size)) return 0;
- ret = access_process_vm(tsk, (unsigned long)user_ptr, dst, size, 0); + ret = access_process_vm(tsk, (user_uintptr_t)user_ptr, dst, size, 0); if (ret == size) return 0;
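Review bot: the `(user_uintptr_t)` cast on the `ret = access_process_vm(...)` line silences -Wcheri-pointer-conversion by requesting the CToPtr conversion explicitly, yet the quoted warning states that CToPtr of an untagged capability yields 0 rather than the integer address, so an untagged `user_ptr` would hand address 0 to `access_process_vm()` instead of the address the caller supplied; since the only thing needed here is the address, extract it with the tree's address helper (user_ptr_addr(), as suggested later in this thread) and add a `TODO [PCuABI]` comment recording that the access is not yet checked against the capability's bounds.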
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
I failed to parse the sentence, I think the subject of "does" is missing :)
Address the compilation warning below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/kernel/bpf/helpers.c: warning: the following conversion will result in a CToPtr operation; the behaviour of CToPtr can be confusing since using CToPtr on an untagged capability will give 0 instead of the integer value and should therefore be explicitly annotated [-Wcheri-pointer-conversion] ret = access_process_vm(tsk, (unsigned long)user_ptr, dst,size, 0);
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 kernel/bpf/helpers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 315053ef6a75..33058bc56243 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -680,7 +680,7 @@ BPF_CALL_5(bpf_copy_from_user_task, void *, dst, u32, size, if (unlikely(!size)) return 0;
- ret = access_process_vm(tsk, (unsigned long)user_ptr, dst, size, 0);
- ret = access_process_vm(tsk, (user_uintptr_t)user_ptr, dst, size, 0);
This works, but since the desired operation here is to obtain the address of the user pointer, using user_ptr_addr() is preferred, see [1].
Adding a "TODO [PCuABI]" comment, like in 6914d33e4bcc ("fs/io_uring: Fix user pointer downcast") for instance, would also be good as it looks like we might be able to check the uaccess against the capability.
Kevin
[1] https://git.morello-project.org/morello/kernel/linux/-/blob/morello/master/D...
if (ret == size) return 0;
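A plain-C model of the two conversions contrasted above (CToPtr versus plain address extraction) together with the bounds check a "TODO [PCuABI]" comment would point at, added here as an illustration; it is not code from the Morello kernel, and `struct cap`, `make_cap()`, `cap_ctoptr()`, `cap_addr()`, `cap_uaccess_ok()` and `model_copy_from_user_task()` are hypothetical stand-ins for the compiler's CToPtr conversion and the kernel's `user_ptr_addr()`, not those functions themselves.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of a CHERI capability: a validity tag, the
 * bounds and the address it currently points at. Real capabilities also carry
 * permissions and an object type; they are omitted here. */
struct cap {
    bool     tag;     /* set: valid capability; clear: untagged (invalid) */
    uint64_t base;    /* lower bound of the accessible range */
    uint64_t length;  /* accessible range is [base, base + length) */
    uint64_t addr;    /* address the capability points at */
};

struct cap make_cap(bool tag, uint64_t base, uint64_t length, uint64_t addr)
{
    struct cap c = { tag, base, length, addr };
    return c;
}

/* Model of the CToPtr conversion described by the compiler warning: the
 * explicit (user_uintptr_t) cast in the patch asks for exactly this, and an
 * untagged capability converts to 0 instead of its integer address. */
uint64_t cap_ctoptr(const struct cap *c)
{
    return c->tag ? c->addr : 0;
}

/* Model of plain address extraction, the operation user_ptr_addr() exists
 * for: the integer address is returned whatever the tag says, so the caller
 * sees the real address rather than a silently substituted 0. */
uint64_t cap_addr(const struct cap *c)
{
    return c->addr;
}

/* The check a "TODO [PCuABI]" comment would point at: before a uaccess of
 * `size` bytes through `c`, require a tagged capability whose bounds cover
 * [addr, addr + size). The subtractions are ordered so nothing wraps at 2^64. */
bool cap_uaccess_ok(const struct cap *c, size_t size)
{
    if (!c->tag)
        return false;                     /* untagged: never dereferenceable */
    if (c->addr < c->base)
        return false;                     /* below the lower bound */
    uint64_t offset = c->addr - c->base;  /* cannot underflow: addr >= base */
    if (offset > c->length)
        return false;                     /* already past the upper bound */
    return size <= c->length - offset;    /* room left up to base + length */
}

/* Model of the bpf_copy_from_user_task() path in the hunk: the address is
 * taken from the capability and the access validated against it first.
 * Returning -EFAULT on a failed check is an assumption of this model. */
int model_copy_from_user_task(const struct cap *user_ptr, size_t size)
{
    if (size == 0)
        return 0;                         /* mirrors the `if (unlikely(!size)) return 0;` context */
    if (!cap_uaccess_ok(user_ptr, size))
        return -EFAULT;
    uint64_t src = cap_addr(user_ptr);    /* what would be passed to access_process_vm() */
    (void)src;                            /* no real copy in this model */
    return 0;
}

int main(void)
{
    /* Constructed sample capabilities: same bounds and address, tag set vs clear. */
    struct cap good  = make_cap(true,  0x1000, 0x100, 0x1010);
    struct cap stale = make_cap(false, 0x1000, 0x100, 0x1010);

    printf("tagged:   ctoptr=0x%llx addr=0x%llx copy(16)=%d copy(0x100)=%d\n",
           (unsigned long long)cap_ctoptr(&good), (unsigned long long)cap_addr(&good),
           model_copy_from_user_task(&good, 16), model_copy_from_user_task(&good, 0x100));
    printf("untagged: ctoptr=0x%llx addr=0x%llx copy(16)=%d\n",
           (unsigned long long)cap_ctoptr(&stale), (unsigned long long)cap_addr(&stale),
           model_copy_from_user_task(&stale, 16));
    return 0;
}
```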
On 9/1/22 09:12, Kevin Brodsky wrote:
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
I failed to parse the sentence, I think the subject of "does" is missing :)
Yes, it is missing an "it". I will rephrase it to make it clearer.
Address the compilation warning below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/kernel/bpf/helpers.c: warning: the following conversion will result in a CToPtr operation; the behaviour of CToPtr can be confusing since using CToPtr on an untagged capability will give 0 instead of the integer value and should therefore be explicitly annotated [-Wcheri-pointer-conversion] ret = access_process_vm(tsk, (unsigned long)user_ptr, dst,size, 0);
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 kernel/bpf/helpers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 315053ef6a75..33058bc56243 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -680,7 +680,7 @@ BPF_CALL_5(bpf_copy_from_user_task, void *, dst, u32, size, if (unlikely(!size)) return 0; - ret = access_process_vm(tsk, (unsigned long)user_ptr, dst, size, 0); + ret = access_process_vm(tsk, (user_uintptr_t)user_ptr, dst, size, 0);
This works, but since the desired operation here is to obtain the address of the user pointer, using user_ptr_addr() is preferred, see [1].
Adding a "TODO [PCuABI]" comment, like in 6914d33e4bcc ("fs/io_uring: Fix user pointer downcast") for instance, would also be good as it looks like we might be able to check the uaccess against the capability.
Kevin
Good point, I will address this in v2.
[1] https://git.morello-project.org/morello/kernel/linux/-/blob/morello/master/D...
if (ret == size) return 0;
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/net/bridge/br_ioctl.c: error: use of __capability is ambiguous void __user **argp, void __user *data)
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
 net/bridge/br_ioctl.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c index f213ed108361..6c11d6e15102 100644 --- a/net/bridge/br_ioctl.c +++ b/net/bridge/br_ioctl.c @@ -105,7 +105,11 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
#define BR_UARGS_MAX 4 static int br_dev_read_uargs(unsigned long *args, size_t nr_args, +#if defined(CONFIG_CHERI_PURECAP_UABI) + void * __capability * __capability argp, void __user *data) +#else void __user **argp, void __user *data) +#endif { int ret;
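Review bot: the two branches of the new `#if defined(CONFIG_CHERI_PURECAP_UABI)` block differ in more than where `__capability` sits: the purecap branch declares `void * __capability * __capability argp` and drops the `__user` annotation on the inner pointer, while the `#else` branch keeps `void __user **argp`, so the commit message should say why the inner pointer loses `__user` under purecap and confirm that the definition and its callers agree with both prototypes; also, the existing purecap fixups in this tree use `#ifdef CONFIG_CHERI_PURECAP_UABI`, so that form would keep the file consistent with them.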
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/net/bridge/br_ioctl.c: error: use of __capability is ambiguous void __user **argp, void __user *data)
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 net/bridge/br_ioctl.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c index f213ed108361..6c11d6e15102 100644 --- a/net/bridge/br_ioctl.c +++ b/net/bridge/br_ioctl.c @@ -105,7 +105,11 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd) #define BR_UARGS_MAX 4 static int br_dev_read_uargs(unsigned long *args, size_t nr_args, +#if defined(CONFIG_CHERI_PURECAP_UABI)
Nit: we've always used #ifdef CONFIG_... for such fixups so far, see for instance 54b8a7a3d2d4 ("linux/regset.h: Fix the position of __capability in double pointers"), it would be good to stay consistent with that.
Kevin
void * __capability * __capability argp, void __user *data)
+#else void __user **argp, void __user *data) +#endif { int ret;
On 9/1/22 09:16, Kevin Brodsky wrote:
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/net/bridge/br_ioctl.c: error: use of __capability is ambiguous void __user **argp, void __user *data)
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 net/bridge/br_ioctl.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c index f213ed108361..6c11d6e15102 100644 --- a/net/bridge/br_ioctl.c +++ b/net/bridge/br_ioctl.c @@ -105,7 +105,11 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd) #define BR_UARGS_MAX 4 static int br_dev_read_uargs(unsigned long *args, size_t nr_args, +#if defined(CONFIG_CHERI_PURECAP_UABI)
Nit: we've always used #ifdef CONFIG_... for such fixups so far, see for instance 54b8a7a3d2d4 ("linux/regset.h: Fix the position of __capability in double pointers"), it would be good to stay consistent with that.
Sure, will do in v2, even if grepping the kernel shows an equal distribution of both cases.
Kevin
+ void * __capability * __capability argp, void __user *data) +#else void __user **argp, void __user *data) +#endif { int ret;
linux-morello mailing list -- linux-morello@op-lists.linaro.org To unsubscribe send an email to linux-morello-leave@op-lists.linaro.org
On 01/09/2022 10:39, Vincenzo Frascino wrote:
On 9/1/22 09:16, Kevin Brodsky wrote:
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/net/bridge/br_ioctl.c: error: use of __capability is ambiguous void __user **argp, void __user *data)
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 net/bridge/br_ioctl.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c index f213ed108361..6c11d6e15102 100644 --- a/net/bridge/br_ioctl.c +++ b/net/bridge/br_ioctl.c @@ -105,7 +105,11 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd) #define BR_UARGS_MAX 4 static int br_dev_read_uargs(unsigned long *args, size_t nr_args, +#if defined(CONFIG_CHERI_PURECAP_UABI)
Nit: we've always used #ifdef CONFIG_... for such fixups so far, see for instance 54b8a7a3d2d4 ("linux/regset.h: Fix the position of __capability in double pointers"), it would be good to stay consistent with that.
Sure, will do in v2, even if grepping the kernel shows an equal distribution of both cases.
Oh sure I meant the #ifdef CONFIG_CHERI_PURECAP_UABI fixups specifically, not #if/#ifdef in general :)
Kevin
Kevin
+ void * __capability * __capability argp, void __user *data) +#else void __user **argp, void __user *data) +#endif { int ret;
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring, - char __user *buffer, size_t buflen); + char *buffer, size_t buflen);
struct key_type key_type_keyring = { .name = "keyring",
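Review bot: the hunk only changes the forward declaration of `keyring_read()`, and the error quoted in the commit message shows the `__user`-annotated declaration type (`char * __capability` under purecap) being assigned where `struct key_type::read` expects a plain `char *`, so what is being fixed is a declaration that never matched its definition rather than a typecast; the commit title and message should say so ("Remove inconsistent __user annotation" or similar), and the "User defined interface is in separate compilation unit" note does not explain the change and should be reworded or dropped.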
I don't think the commit title has much to do with what the commit actually does, maybe something along the lines of "Remove inconsistent __user annotation"?
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Not sure I understand what this last sentence refers to. I think the most useful thing to say in the commit message is that the declaration doesn't match the definition, and the definition is correct (it matches what struct key_type::read expects).
Anyway it's a good finding, can't believe no one has noticed since essentially forever!
Kevin
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring,
char __user *buffer, size_t buflen);
char *buffer, size_t buflen);
struct key_type key_type_keyring = { .name = "keyring",
On 9/1/22 09:24, Kevin Brodsky wrote:
I don't think the commit title has much to do with what the commit actually does, maybe something along the lines of "Remove inconsistent __user annotation"?
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Not sure I understand what this last sentence refers to. I think the most useful thing to say in the commit message is that the declaration doesn't match the definition, and the definition is correct (it matches what struct key_type::read expects).
I missed an underscore here ("user_defined").
Anyway it's a good finding, can't believe no one has noticed since essentially forever!
Yes, once this is merged, I am going to post it upstream.
Kevin
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring, - char __user *buffer, size_t buflen); + char *buffer, size_t buflen); struct key_type key_type_keyring = { .name = "keyring",
Shouldn't this be a separate patch set as it's not to do with docker?
On 9/1/22 09:24, Kevin Brodsky wrote:
I don't think the commit title has much to do with what the commit actually does, maybe something along the lines of "Remove inconsistent __user annotation"?
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Not sure I understand what this last sentence refers to. I think the most useful thing to say in the commit message is that the declaration doesn't match the definition, and the definition is correct (it matches what struct key_type::read expects).
Anyway it's a good finding, can't believe no one has noticed since essentially forever!
Kevin
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring, - char __user *buffer, size_t buflen); + char *buffer, size_t buflen); struct key_type key_type_keyring = { .name = "keyring",
Hi Carsten,
On 9/1/22 21:03, Carsten Haitzler wrote:
Shouldn't this be a separate patch set as it's not to do with docker?
Without this patch you cannot enable docker successfully, hence I would keep it as part of the same series (for testability of the use case).
Thanks, Vincenzo
On 9/1/22 09:24, Kevin Brodsky wrote:
I don't think the commit title has much to do with what the commit actually does, maybe something along the lines of "Remove inconsistent __user annotation"?
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Not sure I understand what this last sentence refers to. I think the most useful thing to say in the commit message is that the declaration doesn't match the definition, and the definition is correct (it matches what struct key_type::read expects).
Anyway it's a good finding, can't believe no one has noticed since essentially forever!
Kevin
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring, - char __user *buffer, size_t buflen); + char *buffer, size_t buflen); struct key_type key_type_keyring = { .name = "keyring",
Oh docker is using the key infra? I didn't know it did.
On 9/2/22 08:08, Vincenzo Frascino wrote:
Hi Carsten,
On 9/1/22 21:03, Carsten Haitzler wrote:
Shouldn't this be a separate patch set as it's not to do with docker?
Without this patch you cannot enable docker successfully, hence I would keep it as part of the same series (for testability of the use case).
Thanks, Vincenzo
On 9/1/22 09:24, Kevin Brodsky wrote:
I don't think the commit title has much to do with what the commit actually does, maybe something along the lines of "Remove inconsistent __user annotation"?
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Not sure I understand what this last sentence refers to. I think the most useful thing to say in the commit message is that the declaration doesn't match the definition, and the definition is correct (it matches what struct key_type::read expects).
Anyway it's a good finding, can't believe no one has noticed since essentially forever!
Kevin
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring, - char __user *buffer, size_t buflen); + char *buffer, size_t buflen); struct key_type key_type_keyring = { .name = "keyring",
On 9/2/22 08:39, Carsten Haitzler wrote:
Oh docker is using the key infra? I didn't know it did.
And a really difficult one to catch if there is an issue, because docker fails silently...
On 9/2/22 08:08, Vincenzo Frascino wrote:
Hi Carsten,
On 9/1/22 21:03, Carsten Haitzler wrote:
Shouldn't this be a separate patch set as it's not to do with docker?
Without this patch you cannot enable docker successfully, hence I would keep it as part of the same series (for testability of the use case).
Thanks, Vincenzo
On 9/1/22 09:24, Kevin Brodsky wrote:
I don't think the commit title has much to do with what the commit actually does, maybe something along the lines of "Remove inconsistent __user annotation"?
On 31/08/2022 16:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Not sure I understand what this last sentence refers to. I think the most useful thing to say in the commit message is that the declaration doesn't match the definition, and the definition is correct (it matches what struct key_type::read expects).
Anyway it's a good finding, can't believe no one has noticed since essentially forever!
Kevin
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring, - char __user *buffer, size_t buflen); + char *buffer, size_t buflen); struct key_type key_type_keyring = { .name = "keyring",
While I'm at it, this is missing part of the fix. I had the other bits but it was failing in compat. Missing this:
-SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, - unsigned long, arg4, unsigned long, arg5) +SYSCALL_DEFINE5(keyctl, int, option, uintptr_t, arg2, uintptr_t, arg3, + uintptr_t, arg4, uintptr_t, arg5)
in keyctl.c, and then LTP passes the tests. So, a merge of my (as yet unsubmitted) patch and yours; I've verified it with LTP.
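Review bot: widening `arg2`..`arg5` of `SYSCALL_DEFINE5(keyctl, ...)` from `unsigned long` to `uintptr_t` applies to every keyctl option uniformly, whatever each option actually passes in those arguments, so the commit message for this change should list which options carry user pointers in which argument and why a uniform `uintptr_t` is preferred over per-option handling; it should also point out that these lines cover only the native definition and that the compat handler (the "compat define" mentioned in this thread, and the compat64 keyctl patch in the cover letter) needs the matching change for the compat failure to go away.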
On 8/31/22 15:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring,
char __user *buffer, size_t buflen);
char *buffer, size_t buflen);
struct key_type key_type_keyring = { .name = "keyring",
Given this is going to stay here - shall I do the below as a purecap enablement patch on top of yours below? I already had these fixes in my tree except the compat define which is what i was hunting for/missing. I've also fixed LTP to match too - but I thought I'd polish off kernel first.
On 9/1/22 21:12, Carsten Haitzler wrote:
While I'm at it, this is missing part of the fix. I had the other bits but it was failing in compat. Missing this:
-SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, - unsigned long, arg4, unsigned long, arg5) +SYSCALL_DEFINE5(keyctl, int, option, uintptr_t, arg2, uintptr_t, arg3, + uintptr_t, arg4, uintptr_t, arg5)
in keyctl.c, and then LTP passes the tests. So, a merge of my (as yet unsubmitted) patch and yours; I've verified it with LTP.
On 8/31/22 15:37, Vincenzo Frascino wrote:
With the introduction of capabilities and PCuABI being enabled when dealing with the user pointers does expect a capability.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: User defined interface is in separate compilation unit.
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring, - char __user *buffer, size_t buflen); + char *buffer, size_t buflen); struct key_type key_type_keyring = { .name = "keyring",
linux-morello mailing list -- linux-morello@op-lists.linaro.org To unsubscribe send an email to linux-morello-leave@op-lists.linaro.org
On 9/2/22 08:42, Carsten Haitzler wrote:
Given this is going to stay here - shall I do the below as a purecap enablement patch on top of yours below? I already had these fixes in my tree except the compat define, which is what I was hunting for/missing. I've also fixed LTP to match too - but I thought I'd polish off the kernel first.
Yes please, you can post it separately and give the maintainers an indication (cover?) that there is a direct dependency on my series.
Thank you for that.
Vincenzo
Since native AArch64 uses the keyctl handler, let's do that for 64-bit compat as well.
Note: This fixes a silent error that prevents running docker correctly in compat64 mode.
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
arch/arm64/kernel/sys_compat64.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/kernel/sys_compat64.c b/arch/arm64/kernel/sys_compat64.c index 819b895ec21d..6cbf58d4a6e7 100644 --- a/arch/arm64/kernel/sys_compat64.c +++ b/arch/arm64/kernel/sys_compat64.c @@ -82,6 +82,7 @@ #define __arm64_compatentry_compat_sys_getitimer __arm64_compatentry_sys_getitimer #define __arm64_compatentry_compat_sys_setitimer __arm64_compatentry_sys_setitimer #define __arm64_compatentry_compat_sys_getrusage __arm64_compatentry_sys_getrusage +#define __arm64_compatentry_compat_sys_keyctl __arm64_compatentry_sys_keyctl
asmlinkage long sys_ni_syscall(void);
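Review bot: the "silent error" in the message should name the actual failure: the 32-bit compat keyctl handler declares its arguments as u32, so for a compat64 task any arg2..arg5 carrying a pointer or other 64-bit value is truncated with no error returned, and routing the compat entry to the native handler is what sidesteps that. Put that reasoning in a comment next to the new #define, because the alias list at @@ -82 gives no hint why keyctl belongs alongside getitimer/setitimer/getrusage; and consider the alternative of widening the compat handler's parameter types to a compat-register-width type, which keeps the compat path meaningful instead of leaving a handler that is compiled but never reached.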
On 31/08/2022 16:37, Vincenzo Frascino wrote:
Since native AArch64 uses the keyctl handler, let's do that for 64-bit compat as well.
Note: This fixes a silent error that prevents running docker correctly in compat64 mode.
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
arch/arm64/kernel/sys_compat64.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/arch/arm64/kernel/sys_compat64.c b/arch/arm64/kernel/sys_compat64.c index 819b895ec21d..6cbf58d4a6e7 100644 --- a/arch/arm64/kernel/sys_compat64.c +++ b/arch/arm64/kernel/sys_compat64.c @@ -82,6 +82,7 @@ #define __arm64_compatentry_compat_sys_getitimer __arm64_compatentry_sys_getitimer #define __arm64_compatentry_compat_sys_setitimer __arm64_compatentry_sys_setitimer #define __arm64_compatentry_compat_sys_getrusage __arm64_compatentry_sys_getrusage +#define __arm64_compatentry_compat_sys_keyctl __arm64_compatentry_sys_keyctl
This works, but overall we have tried to avoid this approach as it can be rather confusing to have a compat handler that is simply unused, and it is also rather ad-hoc. It's a trade-off, sometimes making the compat handler work for compat64 is just not worth it. However it seems that in that case it would be just a two-line change in security/keys/compat.c, replacing the u32's in the signature with compat_ulong_t. What do you think?
Kevin
asmlinkage long sys_ni_syscall(void);
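To make the "silent error" and the two proposed remedies concrete, here is an added C model of compat64 dispatch; it is my own illustration, not kernel code. Every argument arrives in a 64-bit register; a handler whose parameters are declared u32, the shape the review comment above attributes to the compat keyctl handler in security/keys/compat.c, keeps only the low 32 bits of a pointer-sized argument and reports nothing, while routing the same register to a handler with register-width parameters, which is what aliasing the compat table entry to the native one achieves, preserves it. The function names, the `entry_fn` type, the slot variables and the use of `uint64_t` in place of the kernel's `unsigned long` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of compat64 syscall dispatch (illustration only, not
 * kernel code): for a 64-bit task every argument arrives in a 64-bit
 * register. */
typedef uint64_t reg_t;

/* An entry point receives raw registers and converts them to the handler's
 * declared parameter types; that conversion is where truncation can hide. */
typedef uint64_t (*entry_fn)(reg_t option, reg_t arg2);

/* Native handler with a register-width argument: nothing is lost.
 * (uint64_t stands in for the kernel's unsigned long on LP64.) */
static uint64_t native_keyctl(int option, uint64_t arg2)
{
	(void)option;
	return arg2;
}

/* 32-bit compat handler with its arguments declared u32, the shape the
 * review attributes to security/keys/compat.c. */
static uint64_t compat32_keyctl(uint32_t option, uint32_t arg2)
{
	(void)option;
	return arg2;
}

static uint64_t entry_native(reg_t option, reg_t arg2)
{
	return native_keyctl((int)option, arg2);
}

/* In the kernel the narrowing is implicit in the wrapper macros; it is
 * written out here so the truncation point is visible. */
static uint64_t entry_compat32(reg_t option, reg_t arg2)
{
	return compat32_keyctl((uint32_t)option, (uint32_t)arg2);
}

/* Two possible syscall-table slots for a compat64 task. The aliased slot is
 * what the sys_compat64.c #define in the patch produces: the compat entry
 * simply is the native one. */
static const entry_fn compat64_slot_via_compat32 = entry_compat32;
static const entry_fn compat64_slot_aliased = entry_native;

/* Value the handler actually sees when arg2 goes through each slot. */
uint64_t seen_via_compat32(reg_t arg2)
{
	return compat64_slot_via_compat32(0, arg2);
}

uint64_t seen_via_aliased(reg_t arg2)
{
	return compat64_slot_aliased(0, arg2);
}

/* The defensive alternative to silent truncation: reject what does not fit.
 * Returns 1 when arg2 survives a u32 round-trip unchanged, 0 otherwise. */
int compat_arg_fits_u32(reg_t arg2)
{
	return (arg2 >> 32) == 0;
}

int main(void)
{
	/* Constructed user-space-looking address for a 64-bit task: bits
	 * above 32 are set, so a u32 parameter cannot hold it. */
	reg_t ptr_like = 0x0000ffff80001234ULL;

	printf("register        : 0x%016llx\n", (unsigned long long)ptr_like);
	printf("via u32 handler : 0x%016llx (truncated, no error)\n",
	       (unsigned long long)seen_via_compat32(ptr_like));
	printf("via native alias: 0x%016llx\n",
	       (unsigned long long)seen_via_aliased(ptr_like));
	printf("fits u32?       : %d\n", compat_arg_fits_u32(ptr_like));
	return 0;
}
```

The model shows why the bug is silent: the u32 path returns a plausible-looking value rather than an error, so a keyctl call that receives a truncated buffer pointer fails later, or not visibly at all. Either remedy on the page (aliasing the entry, or widening the compat handler's parameters) removes the narrowing; `compat_arg_fits_u32()` is the third option, turning the condition into a detectable failure.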
On 9/1/22 09:58, Kevin Brodsky wrote:
This works, but overall we have tried to avoid this approach as it can be rather confusing to have a compat handler that is simply unused, and it is also rather ad-hoc. It's a trade-off, sometimes making the compat handler work for compat64 is just not worth it. However it seems that in that case it would be just a two-line change in security/keys/compat.c, replacing the u32's in the signature with compat_ulong_t. What do you think?
I think that both the approaches are acceptable. I can try to have a look and see if changing the signature is sufficient.
Kevin
Enable the required config options to run docker in the default defconfig for Morello Transitional PCUABI (morello_transitional_pcuabi_defconfig).
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
.../morello_transitional_pcuabi_defconfig | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig index 20f14545d27e..693e1604b58d 100644 --- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig +++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig @@ -3,6 +3,7 @@ CONFIG_POSIX_MQUEUE=y CONFIG_AUDIT=y CONFIG_NO_HZ_IDLE=y CONFIG_HIGH_RES_TIMERS=y +CONFIG_BPF_SYSCALL=y CONFIG_PREEMPT=y CONFIG_IRQ_TIME_ACCOUNTING=y CONFIG_BSD_PROCESS_ACCT=y @@ -19,11 +20,13 @@ CONFIG_MEMCG=y CONFIG_BLK_CGROUP=y CONFIG_UCLAMP_TASK_GROUP=y CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_FREEZER=y CONFIG_CGROUP_HUGETLB=y CONFIG_CPUSETS=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y CONFIG_USER_NS=y CONFIG_SCHED_AUTOGROUP=y CONFIG_BLK_DEV_INITRD=y @@ -64,7 +67,21 @@ CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y +CONFIG_NETFILTER=y +CONFIG_BRIDGE_NETFILTER=y +CONFIG_NF_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_IP_VS=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_BRIDGE=y CONFIG_PCI=y +CONFIG_PCI_MSI=y CONFIG_PCI_HOST_GENERIC=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y @@ -77,6 +94,7 @@ CONFIG_SATA_AHCI=y CONFIG_MD=y CONFIG_BLK_DEV_DM=y CONFIG_NETDEVICES=y +CONFIG_VETH=y CONFIG_VIRTIO_NET=y CONFIG_R8169=y CONFIG_SMC91X=y @@ -86,6 +104,11 @@ CONFIG_SERIAL_AMBA_PL011=y CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_VIRTIO=y +CONFIG_GPIOLIB=y +CONFIG_GPIO_GENERIC_PLATFORM=y +CONFIG_POWER_RESET=y +CONFIG_POWER_SUPPLY=y +CONFIG_MFD_SYSCON=y CONFIG_REGULATOR=y CONFIG_REGULATOR_FIXED_VOLTAGE=y CONFIG_USB=y 
@@ -113,8 +136,10 @@ CONFIG_CONFIGFS_FS=y # CONFIG_EFIVAR_FS is not set CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_ISO8859_1=y +CONFIG_KEYS=y CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y +CONFIG_LSM_MMAP_MIN_ADDR=32768 CONFIG_SECURITY_SELINUX=y CONFIG_PRINTK_TIME=y CONFIG_DEBUG_KERNEL=y
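Review bot: CONFIG_LSM_MMAP_MIN_ADDR=32768, CONFIG_PCI_MSI, CONFIG_GPIOLIB, CONFIG_GPIO_GENERIC_PLATFORM, CONFIG_POWER_RESET, CONFIG_POWER_SUPPLY and CONFIG_MFD_SYSCON are not in the "Generally Necessary" list the message quotes from check-config.sh, so each needs its own justification or should be dropped from a docker enablement patch. CONFIG_LSM_MMAP_MIN_ADDR in the last hunk deserves a sentence of its own: it is a hardening setting (the lowest address the LSM lets an unprivileged process map, which keeps the zero page out of reach of NULL-dereference bugs), and in mainline security/Kconfig 32768 is already the default for ARM64 with CONFIG_COMPAT=y, so savedefconfig will drop the line; if a different value was intended, state it. CONFIG_KEYS=y is on the required list, but it turns on the key-retention service wholesale and is worth one explicit sentence in the message rather than being implied by "required for docker".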
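A minimal version of the kind of check that check-config.sh performs, written as an added C example (it is neither the moby script nor anything from the Morello tree) against a constructed .config fragment: it resolves each required option to built-in, module or absent using whole-name matching, reads the integer-valued CONFIG_LSM_MMAP_MIN_ADDR discussed in this thread, and reports what is missing. The required list is only a subset of the "Generally Necessary" entries quoted above, and the sample config, the function names and `docker_required` are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample .config fragment for the demo; it is not the Morello
 * defconfig from the thread. It deliberately mixes =y, =m, an unset
 * option and a longer name sharing a prefix with a required one. */
static const char sample_config[] =
	"CONFIG_NAMESPACES=y\n"
	"CONFIG_NET_NS=y\n"
	"# CONFIG_CGROUP_FREEZER is not set\n"
	"CONFIG_KEYS_REQUEST_CACHE=y\n"
	"CONFIG_BRIDGE=m\n"
	"CONFIG_LSM_MMAP_MIN_ADDR=32768\n";

/* Subset of check-config.sh's "Generally Necessary" list as quoted in the
 * commit message; a real check would carry the full list. */
static const char *const docker_required[] = {
	"CONFIG_NAMESPACES", "CONFIG_NET_NS", "CONFIG_CGROUP_FREEZER",
	"CONFIG_KEYS", "CONFIG_BRIDGE", "CONFIG_VETH",
};
#define NREQ ((int)(sizeof docker_required / sizeof docker_required[0]))

/* Locate the line "opt=..." and return a pointer to its value, or NULL.
 * Whole-name matching matters: CONFIG_KEYS must not be satisfied by
 * CONFIG_KEYS_REQUEST_CACHE=y, and "# CONFIG_X is not set" never matches. */
static const char *kconfig_lookup(const char *config, const char *opt)
{
	size_t optlen = strlen(opt);
	const char *p = config;

	while (*p) {
		if (strncmp(p, opt, optlen) == 0 && p[optlen] == '=')
			return p + optlen + 1;
		p = strchr(p, '\n');
		if (!p)
			break;
		p++;
	}
	return NULL;
}

/* 1 if built in (=y), 2 if a module (=m), 0 if absent or not set.
 * check-config.sh accepts either y or m for its "enabled" verdict. */
int kconfig_state(const char *config, const char *opt)
{
	const char *v = kconfig_lookup(config, opt);

	if (!v)
		return 0;
	if (v[0] == 'y' && (v[1] == '\n' || v[1] == '\0'))
		return 1;
	if (v[0] == 'm' && (v[1] == '\n' || v[1] == '\0'))
		return 2;
	return 0;
}

/* Integer-valued option such as CONFIG_LSM_MMAP_MIN_ADDR; def when absent. */
long kconfig_int(const char *config, const char *opt, long def)
{
	const char *v = kconfig_lookup(config, opt);

	return v ? strtol(v, NULL, 10) : def;
}

/* Count required options that are neither =y nor =m. When `missing` is
 * non-NULL, up to `max` of their names are stored there. */
int kconfig_missing(const char *config, const char **missing, int max)
{
	int n = 0;

	for (int i = 0; i < NREQ; i++) {
		if (kconfig_state(config, docker_required[i]) != 0)
			continue;
		if (missing && n < max)
			missing[n] = docker_required[i];
		n++;
	}
	return n;
}

/* Name of the first missing required option, or NULL if the config passes. */
const char *first_missing(const char *config)
{
	const char *name = NULL;

	return kconfig_missing(config, &name, 1) ? name : NULL;
}

int main(void)
{
	const char *missing[NREQ];
	int n = kconfig_missing(sample_config, missing, NREQ);

	for (int i = 0; i < n; i++)
		printf("%s: missing\n", missing[i]);
	printf("CONFIG_LSM_MMAP_MIN_ADDR=%ld\n",
	       kconfig_int(sample_config, "CONFIG_LSM_MMAP_MIN_ADDR", 0));
	return n ? 1 : 0;
}
```

On the sample the check reports CONFIG_CGROUP_FREEZER (explicitly not set), CONFIG_KEYS (only the longer CONFIG_KEYS_REQUEST_CACHE is present) and CONFIG_VETH (absent); CONFIG_BRIDGE=m passes, as it does in check-config.sh. The same whole-line matching is what stops a `grep CONFIG_KEYS` style check from giving a false pass.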
On 31/08/2022 16:37, Vincenzo Frascino wrote:
Enable the required config options to run docker in the default defconfig for Morello Transitional PCUABI (morello_transitional_pcuabi_defconfig).
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
.../morello_transitional_pcuabi_defconfig | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+)
diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig index 20f14545d27e..693e1604b58d 100644 --- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig +++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig @@ -3,6 +3,7 @@ CONFIG_POSIX_MQUEUE=y CONFIG_AUDIT=y CONFIG_NO_HZ_IDLE=y CONFIG_HIGH_RES_TIMERS=y +CONFIG_BPF_SYSCALL=y CONFIG_PREEMPT=y CONFIG_IRQ_TIME_ACCOUNTING=y CONFIG_BSD_PROCESS_ACCT=y @@ -19,11 +20,13 @@ CONFIG_MEMCG=y CONFIG_BLK_CGROUP=y CONFIG_UCLAMP_TASK_GROUP=y CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_FREEZER=y CONFIG_CGROUP_HUGETLB=y CONFIG_CPUSETS=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y CONFIG_USER_NS=y CONFIG_SCHED_AUTOGROUP=y CONFIG_BLK_DEV_INITRD=y @@ -64,7 +67,21 @@ CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y +CONFIG_NETFILTER=y +CONFIG_BRIDGE_NETFILTER=y +CONFIG_NF_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_IP_VS=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_BRIDGE=y CONFIG_PCI=y +CONFIG_PCI_MSI=y
If I use make savedefconfig, this option does not appear in the generated defconfig, presumably because it is implied by another. We try to amend this defconfig in line with the output of savedefconfig to keep it minimal and stable.
CONFIG_PCI_HOST_GENERIC=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y @@ -77,6 +94,7 @@ CONFIG_SATA_AHCI=y CONFIG_MD=y CONFIG_BLK_DEV_DM=y CONFIG_NETDEVICES=y +CONFIG_VETH=y CONFIG_VIRTIO_NET=y CONFIG_R8169=y CONFIG_SMC91X=y @@ -86,6 +104,11 @@ CONFIG_SERIAL_AMBA_PL011=y CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_VIRTIO=y +CONFIG_GPIOLIB=y +CONFIG_GPIO_GENERIC_PLATFORM=y +CONFIG_POWER_RESET=y +CONFIG_POWER_SUPPLY=y +CONFIG_MFD_SYSCON=y
Same observation for these 5 options...
CONFIG_REGULATOR=y CONFIG_REGULATOR_FIXED_VOLTAGE=y CONFIG_USB=y @@ -113,8 +136,10 @@ CONFIG_CONFIGFS_FS=y # CONFIG_EFIVAR_FS is not set CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_ISO8859_1=y +CONFIG_KEYS=y CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y +CONFIG_LSM_MMAP_MIN_ADDR=32768
... and this one.
Kevin
CONFIG_SECURITY_SELINUX=y CONFIG_PRINTK_TIME=y CONFIG_DEBUG_KERNEL=y
On 9/1/22 09:34, Kevin Brodsky wrote:
If I use make savedefconfig, this option does not appear in the generated defconfig, presumably because it is implied by another. We try to amend this defconfig in line with the output of savedefconfig to keep it minimal and stable.
This .config is generated using savedefconfig. I would prefer to not have to amend it manually because it can have unwanted effects. Though it is interesting that we have different results.
The sequence I used is "make morello_transitional_pcuabi_defconfig && make menuconfig && make Image && make O=. savedefconfig".
On 9/1/22 09:48, Vincenzo Frascino wrote:
On 9/1/22 09:34, Kevin Brodsky wrote:
If I use make savedefconfig, this option does not appear in the generated defconfig, presumably because it is implied by another. We try to amend this defconfig in line with the output of savedefconfig to keep it minimal and stable.
This .config is generated using savedefconfig. I would prefer to not have to
What I meant is that the defconfig is generated by .config using savedefconfig. I suppose I summarized it too much :)
amend it manually because it can have unwanted effects. Though it is interesting that we have different results.
The sequence I used is "make morello_transitional_pcuabi_defconfig && make menuconfig && make Image && make O=. savedefconfig".
On 01/09/2022 10:48, Vincenzo Frascino wrote:
On 9/1/22 09:34, Kevin Brodsky wrote:
If I use make savedefconfig, this option does not appear in the generated defconfig, presumably because it is implied by another. We try to amend this defconfig in line with the output of savedefconfig to keep it minimal and stable.
This .config is generated using savedefconfig. I would prefer to not have to amend it manually because it can have unwanted effects. Though it is interesting that we have different results.
The sequence I used is "make morello_transitional_pcuabi_defconfig && make menuconfig && make Image && make O=. savedefconfig".
I have just tried this from a clean tree and environment:
export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
export PATH=<path/to/clang>:$PATH
export LLVM=1
make morello_transitional_pcuabi_defconfig && make menuconfig && make Image && make O=. savedefconfig
I get the same result as before, that is without the 7 options I mentioned. Some environment problem maybe?
Kevin
On 9/1/22 13:09, Kevin Brodsky wrote:
On 01/09/2022 10:48, Vincenzo Frascino wrote:
On 9/1/22 09:34, Kevin Brodsky wrote:
If I use make savedefconfig, this option does not appear in the generated defconfig, presumably because it is implied by another. We try to amend this defconfig in line with the output of savedefconfig to keep it minimal and stable.
This .config is generated using savedefconfig. I would prefer to not have to amend it manually because it can have unwanted effects. Though it is interesting that we have different results.
The sequence I used is "make morello_transitional_pcuabi_defconfig && make menuconfig && make Image && make O=. savedefconfig".
I have just tried this from a clean tree and environment:
export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
export PATH=<path/to/clang>:$PATH
export LLVM=1
make morello_transitional_pcuabi_defconfig && make menuconfig && make Image && make O=. savedefconfig
I get the same result as before, that is without the 7 options I mentioned. Some environment problem maybe?
Fresh tree just downloaded. Attach your defconfig and I will try it.
Kevin
On 01/09/2022 14:40, Vincenzo Frascino wrote:
On 9/1/22 13:09, Kevin Brodsky wrote:
On 01/09/2022 10:48, Vincenzo Frascino wrote:
On 9/1/22 09:34, Kevin Brodsky wrote:
If I use make savedefconfig, this option does not appear in the generated defconfig, presumably because it is implied by another. We try to amend this defconfig in line with the output of savedefconfig to keep it minimal and stable.
This .config is generated using savedefconfig. I would prefer to not have to amend it manually because it can have unwanted effects. Though it is interesting that we have different results.
The sequence I used is "make morello_transitional_pcuabi_defconfig && make menuconfig && make Image && make O=. savedefconfig".
I have just tried this from a clean tree and environment:
export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
export PATH=<path/to/clang>:$PATH
export LLVM=1
make morello_transitional_pcuabi_defconfig && make menuconfig && make Image && make O=. savedefconfig
I get the same result as before, that is without the 7 options I mentioned. Some environment problem maybe?
Fresh tree just downloaded. Attach your defconfig I will try it.
Sure, inline below.
Kevin
------8<------
CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
CONFIG_AUDIT=y
CONFIG_NO_HZ_IDLE=y
CONFIG_HIGH_RES_TIMERS=y
CONFIG_BPF_SYSCALL=y
CONFIG_PREEMPT=y
CONFIG_IRQ_TIME_ACCOUNTING=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y
CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
CONFIG_TASK_XACCT=y
CONFIG_TASK_IO_ACCOUNTING=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_UCLAMP_TASK=y
CONFIG_NUMA_BALANCING=y
CONFIG_MEMCG=y
CONFIG_BLK_CGROUP=y
CONFIG_UCLAMP_TASK_GROUP=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CPUSETS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_BPF=y
CONFIG_USER_NS=y
CONFIG_SCHED_AUTOGROUP=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_KALLSYMS_ALL=y
# CONFIG_COMPAT_BRK is not set
CONFIG_PROFILING=y
CONFIG_ARCH_VEXPRESS=y
CONFIG_ARM64_VA_BITS_48=y
CONFIG_SCHED_MC=y
CONFIG_NUMA=y
CONFIG_KEXEC=y
CONFIG_CRASH_DUMP=y
CONFIG_COMPAT=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y
CONFIG_ENERGY_MODEL=y
CONFIG_ARM_CPUIDLE=y
CONFIG_ARM_PSCI_CPUIDLE=y
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_STAT=y
CONFIG_ACPI=y
CONFIG_ACPI_APEI=y
CONFIG_ACPI_APEI_GHES=y
CONFIG_ACPI_APEI_MEMORY_FAILURE=y
CONFIG_ACPI_APEI_EINJ=y
CONFIG_JUMP_LABEL=y
CONFIG_CHERI_PURECAP_UABI=y
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
CONFIG_KSM=y
CONFIG_MEMORY_FAILURE=y
CONFIG_TRANSPARENT_HUGEPAGE=y
CONFIG_CMA=y
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_NETFILTER=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_IPVS=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_IP_VS=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_BRIDGE=y
CONFIG_PCI=y
CONFIG_PCI_HOST_GENERIC=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_EFI_CAPSULE_LOADER=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_VIRTIO_BLK=y
CONFIG_BLK_DEV_SD=y
CONFIG_ATA=y
CONFIG_SATA_AHCI=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_NETDEVICES=y
CONFIG_VETH=y
CONFIG_VIRTIO_NET=y
CONFIG_R8169=y
CONFIG_SMC91X=y
# CONFIG_SERIO_SERPORT is not set
CONFIG_LEGACY_PTY_COUNT=16
CONFIG_SERIAL_AMBA_PL011=y
CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_VIRTIO=y
CONFIG_REGULATOR=y
CONFIG_REGULATOR_FIXED_VOLTAGE=y
CONFIG_USB=y
CONFIG_USB_XHCI_HCD=y
CONFIG_USB_STORAGE=y
CONFIG_MMC=y
CONFIG_MMC_BLOCK_MINORS=32
CONFIG_MMC_ARMMMCI=y
CONFIG_VIRTIO_MMIO=y
CONFIG_ARM_SMMU_V3=y
CONFIG_MEMORY=y
CONFIG_ANDROID=y
CONFIG_ANDROID_BINDER_IPC=y
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
CONFIG_QUOTA=y
CONFIG_AUTOFS4_FS=y
CONFIG_VFAT_FS=y
CONFIG_TMPFS=y
CONFIG_HUGETLBFS=y
CONFIG_CONFIGFS_FS=y
# CONFIG_EFIVAR_FS is not set
CONFIG_NLS_CODEPAGE_437=y
CONFIG_NLS_ISO8859_1=y
CONFIG_KEYS=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_PRINTK_TIME=y
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_FS=y
# CONFIG_SCHED_DEBUG is not set
# CONFIG_DEBUG_PREEMPT is not set
# CONFIG_FTRACE is not set
CONFIG_MEMTEST=y
Shouldn't this be split as this enables keys which has nothing to do with running in docker?
On 8/31/22 15:37, Vincenzo Frascino wrote:
Enable the required config options to run docker in the default defconfig for Morello Transitional PCUABI (morello_transitional_pcuabi_defconfig).
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
.../morello_transitional_pcuabi_defconfig | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+)
diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig index 20f14545d27e..693e1604b58d 100644 --- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig +++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig @@ -3,6 +3,7 @@ CONFIG_POSIX_MQUEUE=y CONFIG_AUDIT=y CONFIG_NO_HZ_IDLE=y CONFIG_HIGH_RES_TIMERS=y +CONFIG_BPF_SYSCALL=y CONFIG_PREEMPT=y CONFIG_IRQ_TIME_ACCOUNTING=y CONFIG_BSD_PROCESS_ACCT=y @@ -19,11 +20,13 @@ CONFIG_MEMCG=y CONFIG_BLK_CGROUP=y CONFIG_UCLAMP_TASK_GROUP=y CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_FREEZER=y CONFIG_CGROUP_HUGETLB=y CONFIG_CPUSETS=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y CONFIG_USER_NS=y CONFIG_SCHED_AUTOGROUP=y CONFIG_BLK_DEV_INITRD=y @@ -64,7 +67,21 @@ CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y +CONFIG_NETFILTER=y +CONFIG_BRIDGE_NETFILTER=y +CONFIG_NF_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_IP_VS=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_BRIDGE=y CONFIG_PCI=y +CONFIG_PCI_MSI=y CONFIG_PCI_HOST_GENERIC=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y @@ -77,6 +94,7 @@ CONFIG_SATA_AHCI=y CONFIG_MD=y CONFIG_BLK_DEV_DM=y CONFIG_NETDEVICES=y +CONFIG_VETH=y CONFIG_VIRTIO_NET=y CONFIG_R8169=y CONFIG_SMC91X=y @@ -86,6 +104,11 @@ CONFIG_SERIAL_AMBA_PL011=y CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_VIRTIO=y +CONFIG_GPIOLIB=y +CONFIG_GPIO_GENERIC_PLATFORM=y +CONFIG_POWER_RESET=y +CONFIG_POWER_SUPPLY=y +CONFIG_MFD_SYSCON=y CONFIG_REGULATOR=y CONFIG_REGULATOR_FIXED_VOLTAGE=y CONFIG_USB=y 
@@ -113,8 +136,10 @@ CONFIG_CONFIGFS_FS=y # CONFIG_EFIVAR_FS is not set CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_ISO8859_1=y +CONFIG_KEYS=y CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y +CONFIG_LSM_MMAP_MIN_ADDR=32768 CONFIG_SECURITY_SELINUX=y CONFIG_PRINTK_TIME=y CONFIG_DEBUG_KERNEL=y
Hi Carsten,
On 9/1/22 21:03, Carsten Haitzler wrote:
Shouldn't this be split as this enables keys which has nothing to do with running in docker?
The patches will go in together anyway and keeping them in the same series helps with the testing of the usecase.
Thanks, Vincenzo
OK, there are other fixes needed. Will comment on that patch specifically.
On 9/2/22 08:10, Vincenzo Frascino wrote:
Hi Carsten,
On 9/1/22 21:03, Carsten Haitzler wrote:
Shouldn't this be split as this enables keys which has nothing to do with running in docker?
The patches will go in together anyway and keeping them in the same series helps with the testing of the usecase.
Thanks, Vincenzo
On 8/31/22 15:37, Vincenzo Frascino wrote:
Enable the required config options to run docker in the default defconfig for Morello Transitional PCUABI (morello_transitional_pcuabi_defconfig).
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
.../morello_transitional_pcuabi_defconfig | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+)
diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig index 20f14545d27e..693e1604b58d 100644 --- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig +++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig @@ -3,6 +3,7 @@ CONFIG_POSIX_MQUEUE=y CONFIG_AUDIT=y CONFIG_NO_HZ_IDLE=y CONFIG_HIGH_RES_TIMERS=y +CONFIG_BPF_SYSCALL=y CONFIG_PREEMPT=y CONFIG_IRQ_TIME_ACCOUNTING=y CONFIG_BSD_PROCESS_ACCT=y @@ -19,11 +20,13 @@ CONFIG_MEMCG=y CONFIG_BLK_CGROUP=y CONFIG_UCLAMP_TASK_GROUP=y CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_FREEZER=y CONFIG_CGROUP_HUGETLB=y CONFIG_CPUSETS=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y CONFIG_USER_NS=y CONFIG_SCHED_AUTOGROUP=y CONFIG_BLK_DEV_INITRD=y @@ -64,7 +67,21 @@ CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y +CONFIG_NETFILTER=y +CONFIG_BRIDGE_NETFILTER=y +CONFIG_NF_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_IP_VS=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_BRIDGE=y CONFIG_PCI=y +CONFIG_PCI_MSI=y CONFIG_PCI_HOST_GENERIC=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y @@ -77,6 +94,7 @@ CONFIG_SATA_AHCI=y CONFIG_MD=y CONFIG_BLK_DEV_DM=y CONFIG_NETDEVICES=y +CONFIG_VETH=y CONFIG_VIRTIO_NET=y CONFIG_R8169=y CONFIG_SMC91X=y @@ -86,6 +104,11 @@ CONFIG_SERIAL_AMBA_PL011=y CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_VIRTIO=y +CONFIG_GPIOLIB=y +CONFIG_GPIO_GENERIC_PLATFORM=y +CONFIG_POWER_RESET=y +CONFIG_POWER_SUPPLY=y +CONFIG_MFD_SYSCON=y CONFIG_REGULATOR=y CONFIG_REGULATOR_FIXED_VOLTAGE=y CONFIG_USB=y 
@@ -113,8 +136,10 @@ CONFIG_CONFIGFS_FS=y # CONFIG_EFIVAR_FS is not set CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_ISO8859_1=y +CONFIG_KEYS=y CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y +CONFIG_LSM_MMAP_MIN_ADDR=32768 CONFIG_SECURITY_SELINUX=y CONFIG_PRINTK_TIME=y CONFIG_DEBUG_KERNEL=y
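Review bot: the commit message should say why CONFIG_BPF_SYSCALL=y is added in the first hunk (@@ -3,6 +3,7 @@). It is not itself on the check-config.sh list quoted in the message, but CONFIG_CGROUP_BPF, which is on the list and is added in the @@ -19,11 +20,13 @@ hunk, depends on it, and enabling it exposes the bpf(2) system call to user space; a one-line note next to the CGROUP_BPF addition ("CONFIG_BPF_SYSCALL is a dependency of CONFIG_CGROUP_BPF") would make the security-relevant part of this change visible to anyone reading the log later.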
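Review bot: CONFIG_PCI_MSI=y in the @@ -64,7 +67,21 @@ hunk is unrelated to the netfilter and bridge symbols around it and is not on the check-config.sh list; move it to a separate patch or justify it in the message. Also, the list names CONFIG_NETFILTER_XT_MARK and CONFIG_NF_NAT, whereas the hunk adds CONFIG_NETFILTER_XT_MATCH_MARK=y and CONFIG_IP_NF_NAT=y. That is correct, because the added symbols select the listed ones, but the message should say so; a reader checking the diff against the list will otherwise look for symbols that are not there.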
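Review bot: the five symbols added in the @@ -86,6 +104,11 @@ hunk (CONFIG_GPIOLIB, CONFIG_GPIO_GENERIC_PLATFORM, CONFIG_POWER_RESET, CONFIG_POWER_SUPPLY, CONFIG_MFD_SYSCON) are platform and power-management options with no relation to docker and none of them appears on the check-config.sh list. They look like the result of a defconfig refresh picked up alongside the intended change; they belong in their own patch with their own rationale so that this one stays "enable docker".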
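Review bot: CONFIG_LSM_MMAP_MIN_ADDR=32768 in the @@ -113,8 +136,10 @@ hunk is a security setting (the lowest address user space is allowed to map while an LSM, here SELinux, is active) that is neither on the check-config.sh list nor mentioned in the commit message; either explain why it is needed for this configuration or drop it from the patch. CONFIG_KEYS=y in the same hunk, by contrast, is on the quoted list, so the message would read better if it said so explicitly instead of leaving the addition to look unmotivated.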
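The commit message certifies the resulting .config with moby's check-config.sh [1]. As an added illustration, not part of this patch and not the moby script itself, the following POSIX sh snippet re-implements the CONFIG_ symbol part of that "Generally Necessary" check and runs it over a constructed .config fragment; the symbol list is the one the commit message quotes, and the sample config, the function names and the output format are this example's own.

```shell
#!/bin/sh
# Added example (not part of the patch or of moby's check-config.sh):
# a minimal re-implementation of the CONFIG_ symbol part of the
# "Generally Necessary" check, run over a constructed .config fragment.
# Unlike the real tool it does not inspect the running system (cgroup
# mount, apparmor tools), only the kernel configuration file.

# Symbols that check-config.sh reported as required in the commit message.
DOCKER_REQUIRED="NAMESPACES NET_NS PID_NS IPC_NS UTS_NS CGROUPS \
CGROUP_CPUACCT CGROUP_DEVICE CGROUP_FREEZER CGROUP_SCHED CPUSETS MEMCG \
KEYS VETH BRIDGE BRIDGE_NETFILTER IP_NF_FILTER IP_NF_TARGET_MASQUERADE \
NETFILTER_XT_MATCH_ADDRTYPE NETFILTER_XT_MATCH_CONNTRACK \
NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MARK IP_NF_NAT NF_NAT POSIX_MQUEUE \
CGROUP_BPF"

# config_state FILE SYMBOL: prints "enabled", "module" or "missing".
# A .config records a disabled symbol as "# CONFIG_FOO is not set" or
# omits it entirely, so anything that is neither =y nor =m is missing.
config_state() {
    if grep -q "^CONFIG_$2=y\$" "$1"; then
        echo enabled
    elif grep -q "^CONFIG_$2=m\$" "$1"; then
        echo module
    else
        echo missing
    fi
}

# missing_options FILE: prints the required symbols that are neither
# built in nor modular on one space-separated line; exit status is 0
# when nothing is missing and 1 otherwise.
missing_options() {
    missing=""
    for sym in $DOCKER_REQUIRED; do
        if [ "$(config_state "$1" "$sym")" = missing ]; then
            missing="$missing $sym"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample .config fragment: KEYS is explicitly unset,
# CGROUP_BPF is absent altogether, VETH is built as a module.
SAMPLE_CONFIG=$(mktemp 2>/dev/null || echo ./sample.config)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_PID_NS=y
CONFIG_IPC_NS=y
CONFIG_UTS_NS=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_SCHED=y
CONFIG_CPUSETS=y
CONFIG_MEMCG=y
# CONFIG_KEYS is not set
CONFIG_VETH=m
CONFIG_BRIDGE=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_IPVS=y
CONFIG_NETFILTER_XT_MARK=y
CONFIG_IP_NF_NAT=y
CONFIG_NF_NAT=y
CONFIG_POSIX_MQUEUE=y
EOF

# Report, in the spirit of check-config.sh, what the sample is missing.
if out=$(missing_options "$SAMPLE_CONFIG"); then
    echo "all required symbols present in $SAMPLE_CONFIG"
else
    echo "missing from $SAMPLE_CONFIG: $out"
fi
```

Point the functions at a real linux-out/.config to reproduce the CONFIG_ lines of the listing in the commit message; a symbol reported as "module" is accepted here just as check-config.sh accepts "enabled (as module)", but for a defconfig meant to boot docker without an initramfs the =y form is the one to aim for.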
Shouldn't this be split, as this enables keys, which has nothing to do with running in docker?
On 8/31/22 15:37, Vincenzo Frascino wrote:
linux-morello@op-lists.linaro.org