From 83b86449a152433dbb623a7b275b6cc5a4becdf6 Mon Sep 17 00:00:00 2001 From: Xi Ruoyao Date: Wed, 24 Aug 2022 16:25:19 +0800 Subject: [PATCH 1/5] linux kernel: enable CONFIG_X86_X2APIC It's recommended for CVE-2022-21233 mitigation. And, if the BIOS has enabled x2APIC but CONFIG_X86_X2APIC=n, the kernel will panic on boot. If x2APIC is disabled or not available, the kernel with CONFIG_X86_X2APIC=y can still boot normally. No need to tag anything again because interrupt handling cannot affect userspace. --- chapter10/kernel.xml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/chapter10/kernel.xml b/chapter10/kernel.xml index 1bf8b112e..32c9682b8 100644 --- a/chapter10/kernel.xml +++ b/chapter10/kernel.xml @@ -149,6 +149,21 @@ File systems ---> [*] Inotify support for userspace [CONFIG_INOTIFY_USER] Pseudo filesystems ---> [*] Tmpfs POSIX Access Control Lists [CONFIG_TMPFS_POSIX_ACL] + + Enable some additional features if you are building a 64-bit + system. If you are using menuconfig, enable them in the order of + CONFIG_PCI_MSI first, then + CONFIG_IRQ_REMAP, at last + CONFIG_X86_X2APIC because an option only + shows up after its dependencies are selected. + + Processor type and features ---> + [*] Support x2apic [CONFIG_X86_X2APIC] +Device Drivers ---> + [*] PCI Support ---> [CONFIG_PCI] + [*] Message Signaled Interrupts (MSI and MSI-X) [CONFIG_PCI_MSI] + [*] IOMMU Hardware Support ---> [CONFIG_IOMMU_SUPPORT] + [*] Support for Interrupt Remapping [CONFIG_IRQ_REMAP] @@ -225,6 +240,16 @@ File systems ---> + + Support x2apic + + Avoid a kernel panic booting on a system with x2APIC enabled + by the BIOS. This option does no harm if x2APIC is not enabled + or not available, but it's recommended to enable x2APIC in the + BIOS setting for a modern 64-bit x86 system. + + + Alternatively, make oldconfig may be more From 098f4de3369ae0fc7d50fc6060b059eb5627de4e Mon Sep 17 00:00:00 2001 
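Review bot: in the first hunk (@@ -149), the ordering sentence names CONFIG_PCI_MSI, CONFIG_IRQ_REMAP and CONFIG_X86_X2APIC but omits CONFIG_IOMMU_SUPPORT, although the menu listing directly below shows "IOMMU Hardware Support" as the parent of "Support for Interrupt Remapping"; a reader who follows the stated order in menuconfig will not find CONFIG_IRQ_REMAP until CONFIG_IOMMU_SUPPORT is enabled. Suggest listing all the options the listing shows, in dependency order, and replacing "at last" with "finally". The opening "if you are building a 64-bit system" would also be more precise as "a 64-bit x86 system", since the option is specific to that architecture.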
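Review bot: in the second hunk (@@ -225), the new description gives only the boot-panic argument, while the commit message also cites the CVE-2022-21233 mitigation recommendation; if that is a reason for the change, one sentence in the book text stating it would let readers judge why the option matters on hardware where firmware leaves x2APIC disabled. Minor wording: "Avoid a kernel panic booting on a system with x2APIC enabled by the BIOS" reads better as "Avoid a kernel panic when booting on a system where the BIOS has enabled x2APIC".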
From: Xi Ruoyao Date: Wed, 24 Aug 2022 16:41:16 +0800 Subject: [PATCH 2/5] linux kernel: disable CONFIG_USERFAULTFD to avoid CVE-2022-2590 for now --- chapter10/kernel.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/chapter10/kernel.xml b/chapter10/kernel.xml index 32c9682b8..4775d9ad7 100644 --- a/chapter10/kernel.xml +++ b/chapter10/kernel.xml @@ -159,6 +159,8 @@ File systems ---> Processor type and features ---> [*] Support x2apic [CONFIG_X86_X2APIC] +Memory Management options ---> + [ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD] Device Drivers ---> [*] PCI Support ---> [CONFIG_PCI] [*] Message Signaled Interrupts (MSI and MSI-X) [CONFIG_PCI_MSI] @@ -250,6 +252,16 @@ Device Drivers ---> + + Enable userfaultfd() system call + + If this option is enabled, a security vulnerability not + resolved in Linux-&linux-version; yet will be exploitable. + Disable this option to avoid the vulnerability. This system call + is not used by any part of LFS or BLFS. + + + Alternatively, make oldconfig may be more From 85cdcb09807abdf8f3514dc174d97c74afcb73cf Mon Sep 17 00:00:00 2001 From: Xi Ruoyao Date: Wed, 24 Aug 2022 23:42:27 +0800 Subject: [PATCH 3/5] glibc: don't mention "/lib" as ld.so search path anymore Text change only. Since 11.0, /lib is a symlink to usr/lib. With libc_cv_slibdir=/usr/lib, /lib won't be searched by default anymore (if someone messes up the system by removing the /lib symlink and creating a real directory there, for example the initramfs before r10.1-439). --- chapter08/glibc.xml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/chapter08/glibc.xml b/chapter08/glibc.xml index 7a1796a54..ff7ba02f5 100644 --- a/chapter08/glibc.xml +++ b/chapter08/glibc.xml
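Review bot: in the second hunk of PATCH 2/5 (@@ -250), the added description refers to "a security vulnerability not resolved in Linux-&linux-version; yet" without naming it, while the commit subject identifies CVE-2022-2590; putting the CVE id in the text lets readers tell when a later kernel has the fix and the option can be re-enabled, which is the "for now" the subject implies. The sentence also reads better as "If this option is enabled, a security vulnerability that is not yet resolved in Linux-&linux-version; will be exploitable."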
@@ -448,10 +448,9 @@ unset ZONEINFO By default, the dynamic loader (/lib/ld-linux.so.2) searches through - /lib and /usr/lib for dynamic libraries that are - needed by programs as they are run. However, if there are libraries in - directories other than /lib and + /usr/lib for dynamic libraries + that are needed by programs as they are run. However, if there are + libraries in directories other than /usr/lib, these need to be added to the /etc/ld.so.conf file in order for the dynamic loader to find them. Two directories that are commonly known From feed7fea369afce86073fce8779f3b53d954d2ce Mon Sep 17 00:00:00 2001 From: Xi Ruoyao Date: Thu, 25 Aug 2022 01:05:55 +0800 Subject: [PATCH 4/5] linux kernel: reword description for CONFIG_X86_X2APIC --- chapter10/kernel.xml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/chapter10/kernel.xml b/chapter10/kernel.xml index 4775d9ad7..157fb9f64 100644 --- a/chapter10/kernel.xml +++ b/chapter10/kernel.xml @@ -245,10 +245,12 @@ Device Drivers ---> Support x2apic - Avoid a kernel panic booting on a system with x2APIC enabled - by the BIOS. This option does no harm if x2APIC is not enabled - or not available, but it's recommended to enable x2APIC in the - BIOS setting for a modern 64-bit x86 system. + Support running the interrupt controller of 64-bit x86 + processors in x2APIC mode. x2APIC may be enabled by firmware on + 64-bit x86 systems, and a kernel without this option enabled will + panic on boot if x2APIC is enabled by firmware. This option has + has no effect, but also does no harm if x2APIC is disabled by the + firmware. From b3f157c685d6cc34173911e959bb7506dd8a4e72 Mon Sep 17 00:00:00 2001 
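Review bot: in the PATCH 3/5 hunk (@@ -448), the unchanged first line still names the loader as /lib/ld-linux.so.2 while the rewritten sentences now say only /usr/lib is searched; the path remains valid because /lib is a symlink to usr/lib (as the commit message says), but a reader may see the two as contradictory. Consider giving the loader path under /usr/lib, or adding a clause noting that /lib is a symlink to /usr/lib on an LFS system. The rewrap of the three removed lines into the three added ones otherwise preserves the meaning.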
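Review bot: in the PATCH 4/5 hunk (@@ -245), the added text has a duplicated word across the line break: "This option has" followed by "has no effect" should read "This option has no effect". Otherwise the reworded description correctly covers both cases visible in the hunk: panic on boot without the option when firmware enables x2APIC, and no effect when firmware leaves it disabled.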
From: Pierre Labastie Date: Thu, 25 Aug 2022 09:24:58 +0200 Subject: [PATCH 5/5] Don't use dummy.c for glibc sanity check in chap 5 It seems glibc creates dummy.c for its own use. This leaves some dummy.xxx files in the directory, which may lead some users to think that the directory is not properly cleaned up after the test (I did :). So use a pipe so that only a.out is created. --- chapter05/glibc.xml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/chapter05/glibc.xml b/chapter05/glibc.xml index e3685c4e4..103fa42c8 100644 --- a/chapter05/glibc.xml +++ b/chapter05/glibc.xml @@ -195,9 +195,8 @@ cd build functions (compiling and linking) of the new toolchain are working as expected. To perform a sanity check, run the following commands: -echo 'int main(){}' > dummy.c -$LFS_TGT-gcc dummy.c -readelf -l a.out | grep '/ld-linux' +echo 'int main(){}' | gcc -xc - +readelf -l a.out | grep ld-linux If everything is working correctly, there should be no errors, and the output of the last command will be of the form: @@ -212,9 +211,9 @@ readelf -l a.out | grep '/ld-linux' where the problem is and correct it. This issue must be resolved before continuing on. - Once all is well, clean up the test files: + Once all is well, clean up the test file: -rm -v dummy.c a.out +rm -v a.out
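Review bot: in the first hunk of PATCH 5/5 (@@ -195), the removed line compiled with $LFS_TGT-gcc but the added line calls plain gcc, so the sanity check now exercises whichever gcc is first in PATH instead of the cross toolchain the surrounding text says it is testing ("functions (compiling and linking) of the new toolchain"). Suggest `echo 'int main(){}' | $LFS_TGT-gcc -xc -`. The grep pattern also changes from '/ld-linux' to ld-linux; that still matches everything the old pattern matched, but since it is a second behavioural change unrelated to dummy.c it deserves a mention in the commit message or should be left as it was.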