On powerpc architectures that may use a bootwrapper, we create a
temporary build_<arch>_<featureset>_<flavour>_bootwrapper directory
for each kernel configuration to hold the related tools which we won't
install for real (because they are always native).
This directory is then matched by the wildcard used in building
linux-config, causing linux-config packages to contain spurious
(empty) kconfig files based on these directories in addition to the
real kconfig files.
Rename the temporary directory to avoid matching that wildcard.
In unstable, linux-image-*-unsigned packages and any corresponding
metapackage updates tend to be available a few hours before the
corresponding signed packages. An automatic upgrade with aptitude (at
least) may then install the unsigned kernel where a signed kernel
was previously used, resulting in boot failure.
I gave the linux-image-*-unsigned packages a Provides relation to the
unsuffixed (i.e. signed) package name because I thought packages built
by module-assistant generally depended on the corresponding kernel
package. That may have been true once but doesn't appear to be so
now.
So the Provides field can be harmful and doesn't appear to be useful,
and should be removed.
The current check has never worked because the find -path predicate
matches against the whole path, including the given root. In this
case that is $DESTDIR which always includes the version string.
Change to use cd before find.
Also, check all non-directories rather than all entries with "perf" in
the name.
Backport Amazon ENA ethernet driver version 2.0.2 from Linux 4.20
This mostly ammounts to cherry-picking the commits in the range described by
git log v4.19.5..v4.20-rc7 drivers/net/ethernet/amazon
Change e641e99f261f5203a911a9e0db54a214460d2cc4 introduced changes outside the
ena directory, but only removed a redundant #include and was trivial to scope
down.
Upstream dealt with merge conflicts in
d864991b220b7c62e81d21209e1fd978fd67352c; the resolution here was identical to
upstream.
tl;dr: Xen PVH is the perfect upgrade path from PV and in combination
with grub2 support, it's the Xen "killer feature" we really should have
in Buster.
Background info about Xen PVH:
https://wiki.xen.org/wiki/Virtualization_Spectrum#Almost_fully_PV:_PVH_mode
PVH mode in Xen, a.k.a. "HVM without having to run qemu" is a Xen guest
type best supported since Xen 4.11 and Linux kernel 4.17. Just like when
using PV mode, the guest does not have an emulated BIOS and the guest
kernel is directly started by the dom0. Buster will ship with Xen 4.11.
Why is PVH interesting?
1. When the whole Meltdown/Spectre story started, it quickly became
apparent that 64-bit PV is the most problematic virtualization mode to
protect and to protect from, since address space from the hypervisor and
other guests (including dom0) is reachable from a 64-bit PV domU. To
mitigate this, XPTI (the Xen variant of PTI) has been implemented in the
hypervisor, but with a performance hit. HVM (so, also PVH) guests are
better isolated from the hypervisor and other guests. Inside the guest a
choice can be made about which mitigations to enable or not. Also see
https://xenbits.xen.org/xsa/advisory-254.html
2. Unlike HVM, it's not needed to have a boot loader/sector, partitions,
and a qemu process in the dom0 (using cpu and memory and having an
attack surface). Also, when running a largeish amount of domUs on a
physical server, not having all the qemu processes is an advantage.
3. Unlike PV, PVH makes use of all hardware features that accelerate
virtualization.
The upgrade path from PV to PVH is super optimal. It's just setting
type='pvh' in the guest file and doing a full restart of the domU!
Unless... (insert Monty Python's Dramatic Chord!)
Unless... grub2 was used to boot the PV guests.
Why is it interesting to be able to use grub?
Without using grub in between, the guest kernel and initrd have to be
copied out of the guest onto the dom0 filesystem, because the guest has
to be booted with them directly. Currently, we already have the
grub-xen packages in Debian, which provide grub images which can be used
as kernel for a PV guest, after which it can load the actual linux
kernel that is symlinked from /vmlinuz on the guest filesystem at that
moment.
The final changes to the Linux kernel for grub+PVH are in Linux 4.20.
This request, to carry a few patches from Linux 4.20, provides one half
of the dots that need to be connected to make the full thing happen for
Buster.
Since we'll have Xen 4.11 in Buster, PVH is supported. The related grub2
patchset was committed to the grub master branch on Dec 12 2018 (yup,
today). So, I'll also start contacting the debian grub team soon to ask
(and help) to get the current grub-xen functionality in Debian to be
extended with PVH capabilities as well.
Test reports:
https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg01913.htmlhttps://lists.xenproject.org/archives/html/xen-devel/2018-11/msg03312.html
Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
unprivileged LXC overlay snapshots.
Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
expected to be a security risk [2] and thus are not enabled on upstream
Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
overlay-based LXCs, this meant to patch and compile the kernel manually.
Instead, adding the kernel tainting 'permit_mounts_in_userns' module
parameter allows a kind of a user-friendly way to enable the feature.
Testable with:
sudo modprobe overlay permit_mounts_in_userns=1
sudo sysctl -w kernel.unprivileged_userns_clone=1
mkdir -p lower upper work mnt
unshare --map-root-user --mount \
mount -t overlay none mnt \
-o lowerdir=lower,upperdir=upper,workdir=work
[1]: Ubuntu allows unprivileged mounting of overlay filesystem
https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
[2]: User namespaces + overlayfs = root privileges
https://lwn.net/Articles/671641/
Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
Split the rules in d/rules.real so that the [un]versioned_tools
knobs can be used to avoid building them.
This is necessary since the build-dependency were moved to be
conditional on those knobs, so the build fails when the
unversioned tools are set to disabled as libpci-dev is not
installed but the tools are built and fail due to it missing.
Signed-off-by: Luca Boccassi <bluca@debian.org>
This reverts commit 542ffe7fe2.
All drivers built under drivers/net/ethernet are included already
and should not be explicitly listed.
Move the bug closure to the previous log line.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAlv18cwACgkQ57/I7JWG
EQnmrBAA0cIq67bC0g/calV1FyAnByc88h15W2BCN8+dD25PKRlsRsbSvQLx/E6J
mEwPMu6bw/yJuIA8ADTFpjh4CmulBhQMC/cpQHy82F5umt/wNAPlhryDc0n96eRX
bJfh3dzboyFEWBOSUgb6EWEdWZX1tMblf4ZpX1LfP5L/pJyq/Jz1xrpz31nGcz9E
2m4mpovTAT2N34I9FF9PSuaYlPxljU/eZe7wyDmM+leMnmV4MGEOpV+CMNEohLsp
8APxTJim6ZJXJ4ppl/Qk7yW1glTL3q5OqI+s5YB4RBKI4KBN/N3FF0PwWQ+L76bj
B6b3nKT4PZA4V6Y6OEY8Q53NxjHmRJo5opG9Xp3Kr4HO0PZHH9Ih/YApaZipSDLg
t3i/C05I/Jss2e6FZ5Ocx9L/nhzoEv9Lt0K2P6nxMJgc5U7lcTaiehcrVqQ2oBhO
QZoEwUh9G8p5dnll/MTf3nj4UzZOimr2RSpktNT8w4kBEVAFFfZL5hGdk1UmBQTu
peAPksjndtfjWvvzlhnWu3JoFMZ+J5yA8l7t8HwKI5yIlfJaM4QbjOb8YqsZQRNR
qUxXxgn85o7QdSlCX/JFSK5fBxRphZHDtyWt9wTp1Ko0PjNtHLGv2oWj+SdvrJWu
X0otIjqlEMMVCcZDlrzXboU6Cxae9FGXk6yzM5QfE1/D7F4tEuI=
=E5AV
-----END PGP SIGNATURE-----
Merge tag 'debian/4.18.20-1'
Release linux (4.18.20-1).
* [rt] Drop all changes from 4.18-rt
* Drop added patches which are already in 4.19
* Drop ABI bump
The default compression for the Debian tarball has been xz since dpkg
1.16.5 (pre-wheezy). lintian now warns about setting the compression
option, even though we don't change the default.
On AMD platforms, some pins are GPIO memory mapped pins and are used to mux some
functionalities by firmware. This fixes a not available Elantech touchpad on
Lenovo IdeaPad 320-15ABR.