In order to access Azure's VMbus via /sys/vmbus, the corresponding
UIO module must be available.
Also enable VFIO for safe userspace device handling when the host
exposes a vIOMMU.
We use the default compiler provided by (cross-)build-essential for
userland, so the compiler build-dependencies are not needed when
the pkg.linux.nokernel profile is used.
Since commit f5f169ba99 "Split build rules for tools to allow
skipping them." these recursive makefiles are not used.
(debian/rules.d/Makefile can additionally install the top-level Kbuild
and Makefile, but that target hasn't been used since svn rev 18133
(version 3.1-1~experimental.1).)
Since commit f5f169ba99 "Split build rules for tools to allow
skipping them." debian/rules.d/Makefile is not used and the current
kernel's UAPI headers are not installed. This hasn't caused breakage
yet, probably because many tools have their own workaround using
include/uapi etc. directly, but could break backports builds at some
point.
Move the build of userland headers up into debian/rules.real and
make all tools build targets depend on it.
With the recent refactor, setting source: false in debian/config/defines
is no longer enough to disable the linux-source-$ver package build, as
dh_listpackages is used to determine what is built.
Do not add linux-source-$ver to d/control if it is disabled.
Some new Loongson servers are using Aspeed BMC, which has an GPU.
Some other Loongson servers are using SM750 GPU instead of AMD's.
Since MIPS doesn't have a generic display driver like VESA, we need
to install sm750fb and (drm_)ast into Loongson's fb-moduels udeb package.
(cherry picked from commit 6fbe9f4e363b32a70adf391e6d74ae21c52f16b6)
The packages we should build are restricted by:
* Package configuration in debian/config (limits which binary packages are
included in debian/control)
* Architecture (specified per package in debian/templates/control.* and
then in debian/control)
* Build profile (specified per package in debian/templates/control.* and
then in debian/control)
The logic for these restrictions is currently repeated in
debian/rules.real, but sometimes it becomes inconsistent with
debian/control (as with my recent changes for libbpf).
dh_listpackages reads debian/control and filters it by the current
host architecture and build profiles, so that it reliably reports
which packages we should build.
Therefore:
* Replace the logic in debian/rules.real with checks for package names
in the output of dh_listpackages
* Remove the redundant flag variables passed by debian/rules and
debian/rules.gen
* Remove the special-casing of stage1 in debian/rules and
debian/rules.gen
Drop iomap-Revert-fs-iomap.c-get-put-the-page-in-iomap_pa.patch
Drop usb-hso-fix-oob-memory-access-in-hso_probe-hso_get_config_data.patch
Add bug closer for #917569
Cleanup debian/changelog file
Python 3.7 warns:
.../debian/lib/python/debian_linux/debian.py:403: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
class PackageArchitecture(collections.MutableSet):
On powerpc architectures that may use a bootwrapper, we create a
temporary build_<arch>_<featureset>_<flavour>_bootwrapper directory
for each kernel configuration to hold the related tools which we won't
install for real (because they are always native).
This directory is then matched by the wildcard used in building
linux-config, causing linux-config packages to contain spurious
(empty) kconfig files based on these directories in addition to the
real kconfig files.
Rename the temporary directory to avoid matching that wildcard.
In unstable, linux-image-*-unsigned packages and any corresponding
metapackage updates tend to be available a few hours before the
corresponding signed packages. An automatic upgrade with aptitude (at
least) may then install the unsigned kernel where a signed kernel
was previously used, resulting in boot failure.
I gave the linux-image-*-unsigned packages a Provides relation to the
unsuffixed (i.e. signed) package name because I thought packages built
by module-assistant generally depended on the corresponding kernel
package. That may have been true once but doesn't appear to be so
now.
So the Provides field can be harmful and doesn't appear to be useful,
and should be removed.
The current check has never worked because the find -path predicate
matches against the whole path, including the given root. In this
case that is $DESTDIR which always includes the version string.
Change to use cd before find.
Also, check all non-directories rather than all entries with "perf" in
the name.
Backport Amazon ENA ethernet driver version 2.0.2 from Linux 4.20
This mostly ammounts to cherry-picking the commits in the range described by
git log v4.19.5..v4.20-rc7 drivers/net/ethernet/amazon
Change e641e99f261f5203a911a9e0db54a214460d2cc4 introduced changes outside the
ena directory, but only removed a redundant #include and was trivial to scope
down.
Upstream dealt with merge conflicts in
d864991b220b7c62e81d21209e1fd978fd67352c; the resolution here was identical to
upstream.
tl;dr: Xen PVH is the perfect upgrade path from PV and in combination
with grub2 support, it's the Xen "killer feature" we really should have
in Buster.
Background info about Xen PVH:
https://wiki.xen.org/wiki/Virtualization_Spectrum#Almost_fully_PV:_PVH_mode
PVH mode in Xen, a.k.a. "HVM without having to run qemu" is a Xen guest
type best supported since Xen 4.11 and Linux kernel 4.17. Just like when
using PV mode, the guest does not have an emulated BIOS and the guest
kernel is directly started by the dom0. Buster will ship with Xen 4.11.
Why is PVH interesting?
1. When the whole Meltdown/Spectre story started, it quickly became
apparent that 64-bit PV is the most problematic virtualization mode to
protect and to protect from, since address space from the hypervisor and
other guests (including dom0) is reachable from a 64-bit PV domU. To
mitigate this, XPTI (the Xen variant of PTI) has been implemented in the
hypervisor, but with a performance hit. HVM (so, also PVH) guests are
better isolated from the hypervisor and other guests. Inside the guest a
choice can be made about which mitigations to enable or not. Also see
https://xenbits.xen.org/xsa/advisory-254.html
2. Unlike HVM, it's not needed to have a boot loader/sector, partitions,
and a qemu process in the dom0 (using cpu and memory and having an
attack surface). Also, when running a largeish amount of domUs on a
physical server, not having all the qemu processes is an advantage.
3. Unlike PV, PVH makes use of all hardware features that accelerate
virtualization.
The upgrade path from PV to PVH is super optimal. It's just setting
type='pvh' in the guest file and doing a full restart of the domU!
Unless... (insert Monty Python's Dramatic Chord!)
Unless... grub2 was used to boot the PV guests.
Why is it interesting to be able to use grub?
Without using grub in between, the guest kernel and initrd have to be
copied out of the guest onto the dom0 filesystem, because the guest has
to be booted with them directly. Currently, we already have the
grub-xen packages in Debian, which provide grub images which can be used
as kernel for a PV guest, after which it can load the actual linux
kernel that is symlinked from /vmlinuz on the guest filesystem at that
moment.
The final changes to the Linux kernel for grub+PVH are in Linux 4.20.
This request, to carry a few patches from Linux 4.20, provides one half
of the dots that need to be connected to make the full thing happen for
Buster.
Since we'll have Xen 4.11 in Buster, PVH is supported. The related grub2
patchset was committed to the grub master branch on Dec 12 2018 (yup,
today). So, I'll also start contacting the debian grub team soon to ask
(and help) to get the current grub-xen functionality in Debian to be
extended with PVH capabilities as well.
Test reports:
https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg01913.htmlhttps://lists.xenproject.org/archives/html/xen-devel/2018-11/msg03312.html
Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
unprivileged LXC overlay snapshots.
Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
expected to be a security risk [2] and thus are not enabled on upstream
Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
overlay-based LXCs, this meant to patch and compile the kernel manually.
Instead, adding the kernel tainting 'permit_mounts_in_userns' module
parameter allows a kind of a user-friendly way to enable the feature.
Testable with:
sudo modprobe overlay permit_mounts_in_userns=1
sudo sysctl -w kernel.unprivileged_userns_clone=1
mkdir -p lower upper work mnt
unshare --map-root-user --mount \
mount -t overlay none mnt \
-o lowerdir=lower,upperdir=upper,workdir=work
[1]: Ubuntu allows unprivileged mounting of overlay filesystem
https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
[2]: User namespaces + overlayfs = root privileges
https://lwn.net/Articles/671641/
Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
Split the rules in d/rules.real so that the [un]versioned_tools
knobs can be used to avoid building them.
This is necessary since the build-dependency were moved to be
conditional on those knobs, so the build fails when the
unversioned tools are set to disabled as libpci-dev is not
installed but the tools are built and fail due to it missing.
Signed-off-by: Luca Boccassi <bluca@debian.org>
This reverts commit 542ffe7fe2.
All drivers built under drivers/net/ethernet are included already
and should not be explicitly listed.
Move the bug closure to the previous log line.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAlv18cwACgkQ57/I7JWG
EQnmrBAA0cIq67bC0g/calV1FyAnByc88h15W2BCN8+dD25PKRlsRsbSvQLx/E6J
mEwPMu6bw/yJuIA8ADTFpjh4CmulBhQMC/cpQHy82F5umt/wNAPlhryDc0n96eRX
bJfh3dzboyFEWBOSUgb6EWEdWZX1tMblf4ZpX1LfP5L/pJyq/Jz1xrpz31nGcz9E
2m4mpovTAT2N34I9FF9PSuaYlPxljU/eZe7wyDmM+leMnmV4MGEOpV+CMNEohLsp
8APxTJim6ZJXJ4ppl/Qk7yW1glTL3q5OqI+s5YB4RBKI4KBN/N3FF0PwWQ+L76bj
B6b3nKT4PZA4V6Y6OEY8Q53NxjHmRJo5opG9Xp3Kr4HO0PZHH9Ih/YApaZipSDLg
t3i/C05I/Jss2e6FZ5Ocx9L/nhzoEv9Lt0K2P6nxMJgc5U7lcTaiehcrVqQ2oBhO
QZoEwUh9G8p5dnll/MTf3nj4UzZOimr2RSpktNT8w4kBEVAFFfZL5hGdk1UmBQTu
peAPksjndtfjWvvzlhnWu3JoFMZ+J5yA8l7t8HwKI5yIlfJaM4QbjOb8YqsZQRNR
qUxXxgn85o7QdSlCX/JFSK5fBxRphZHDtyWt9wTp1Ko0PjNtHLGv2oWj+SdvrJWu
X0otIjqlEMMVCcZDlrzXboU6Cxae9FGXk6yzM5QfE1/D7F4tEuI=
=E5AV
-----END PGP SIGNATURE-----
Merge tag 'debian/4.18.20-1'
Release linux (4.18.20-1).
* [rt] Drop all changes from 4.18-rt
* Drop added patches which are already in 4.19
* Drop ABI bump
The default compression for the Debian tarball has been xz since dpkg
1.16.5 (pre-wheezy). lintian now warns about setting the compression
option, even though we don't change the default.
On AMD platforms, some pins are GPIO memory mapped pins and are used to mux some
functionalities by firmware. This fixes a not available Elantech touchpad on
Lenovo IdeaPad 320-15ABR.
4.18.12-1 was never released with the cherry picked patch, and as such
we drop the maintainer stanza entry but add relevant information (e.g.
bug closer or CVE id) to the upstream changelog entry.
hv_{kvp,vss}_daemon used to communicate with the corresponding kernel
drivers over netlink, but now they use char devices. hv_fcopy_daemon
always used a char device. Rather than checking for Hyper-V
specifically, change all of the init scripts and systemd service
definitions to check for the appropriate device nodes.
Delete the check-hyperv program that we used to check for Hyper-V
in init scripts.
CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG are added in gencontrol.py,
so be consistent with that.
This unfortunately requires some ugly escaping of quotes.
Checksumming the whole of debian/changelog when deciding whether to
run gencontrol.py results in (a) frequent changes to control.md5sum
and (b) the need to invoke various targets twice during development.
I originally made this change to address (a), which would be an
annoyance if and when we start using dgit. However, fixing (b) is a
nice benefit regardless of whether we do that.
The rt patch "of: allocate / free phandle cache outside of the
devtree_lock" drops the lock earlier in of_populate_phandle_cache()
and removes the "out" label which is no longer needed.
4.18.10 includes "of: fix phandle cache creation for DTs with no
phandles" which adds another "goto out" inside the locked section.
The previous textual conflict resolution between these changes left
the "goto out" in place, but it needs to be a "return".
SchemaItemBoolean and SchemaItemInteger attempt to raise an exception
of type Error when given invalid input, but this type has never been
defined. Use ValueError instead.
MakeFlags.__repr__ references a "flags" type (probably meant to be
MakeFlags). Gencontrol.write_config references the "file" type which
was removed in Python 3. Clearly neither of these methods are
actually used, so delete them.
- Add explicit imports for all needed modules, rather than indirectly
(accidentally!) importing them with "from ... import *"
- Replace all "from ... import *" statements, which inhibit static
checking, with explicit lists of names to import
- Delete the remaining unneeded imports reported by pyflakes
Fix coding style violations reported by pycodestyle. This is
mostly a matter of reformatting code, particularly to eliminate
over-long lines. I also rename one variable ("l" is considered
visually ambiguous) and change a bare "except" to explicitly
catch all exceptions.
There are three types of error or warning remaining:
- debian/bin/...: E402 module level import not at top of file
Scripts in debian/bin need to modify the import path before
importing from debian/lib/python.
- E127 continuation line over-indented for visual indent
This seems to be a false positive. pycodestyle doesn't seem to be
happy with any level of indent (including 0) on a continuation line
in a "with" statement.
- debian/lib/python/debian_linux/debian.py:15:2: W291 trailing whitespace
This is a false positive. The trailing spaces are in a long
string and are intentional.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAluyLtYACgkQ57/I7JWG
EQkvcBAAl2AxUxQKDRyS4mgohOa881NpHGdwfcxIXyEVIsPVVtUE+Dg5dzGku/J2
C1iA6R8tbOZuxOWQbNkGTFZml3JjfcikH21EGD1aqq5z1PmRudA/XBXdl2aItMUi
lV6HMQcG4GWTjMC/cwrxW5D7rrIqGfp+CCAiACheGbK7mrwAwpioCP3u4JUQm0+F
kGU4znfQbCScXtoegAwRBHB5nUWRbKZMHMe4vNgVl4Na5wTy4dL4Eh3qWulwOzGx
94OiJPsV9thctA6vusqrub5DpABjQveDPJyHt2EgvAt2W8MrE/NUiU+4ol2tTNcT
Ev4P66Jz2bmr3pisx5Cz+3fUXcesrllvWJx5RxPV8f4gCj4/A3zNNz0UdcqcIR/h
ptTMM9fDC8srz6bnKSYWSii3cmnxMVx5OjNztaoeJMFY6M7rn58rW9e53pkVWeJf
eKZ27T7RvNMoGDr99u10ca+zb8qBygxQBQea1rKL49T2Jl/5ROkkPvoQ0SNT5kIe
DL9Z7MDwBI5H5kQW7e9jCiOH65PG/DeVwddko3FeHQy9INxgd6toKiiU0HM4U+8Y
lsUbuAHRHeVsuLQ1U5YTFHrG56CjqYeU10A7UnxRbqvIOd2MTfp/4fAcM4X+15yZ
2Q1MRd/fCXIlRBMGfGRnNMX9327/I+XQ8kamktE5H55JWF+KyeI=
=eMi7
-----END PGP SIGNATURE-----
Merge tag 'debian/4.18.10-1'
Release linux (4.18.10-1).
- Drop new patches that are already included upstream
- Keep ABI number set to "trunk"
- Refresh arm64 APEI workaround patch for 4.19
This updates the debian changelog for listing changes of this stable
update. It also removes patches applied upstream and refreshes a patch
that is part of 4.18.7-rt5.
This updates the debian changelog for listing changes of this stable
update. It also removes patches applied upstream and refreshes a patch
that is part of 4.18.7-rt5.
Marcin Juszkiewicz
Salvatore Bonaccorso
Romain Perier
Hideki Yamane
Ben Hutchings
Luca Boccassi
Luigi Baldoni
Yves-Alexis Perez
YunQiang Su
Michal Simek
John Paul Adrian Glaubitz
Romain Perier
Uwe Kleine-König
Bastian Blank
Noah Meyerhans
Hans van Kranenburg
Christoph Anton Mitterer
Hilko Bengen
Nicolas Schier
Vagrant Cascadian