commit: 78d3124bdd04e9ccc71dd98aebf63d940e9032ca Author: Tomáš Mózes <hydrapolic <AT> gmail <DOT> com> AuthorDate: Tue Oct 12 06:39:39 2021 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Wed Oct 20 09:59:23 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78d3124b
app-emulation/xen: add upstream security patches Bug: https://bugs.gentoo.org/816882 Signed-off-by: Tomáš Mózes <hydrapolic <AT> gmail.com> Signed-off-by: Sam James <sam <AT> gentoo.org> app-emulation/xen/Manifest | 2 + app-emulation/xen/xen-4.14.3-r1.ebuild | 167 +++++++++++++++++++++++++++++++++ app-emulation/xen/xen-4.15.1-r1.ebuild | 167 +++++++++++++++++++++++++++++++++ 3 files changed, 336 insertions(+) diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest index 5c2893094f3..aeaa096063b 100644 --- a/app-emulation/xen/Manifest +++ b/app-emulation/xen/Manifest @@ -1,6 +1,8 @@ DIST xen-4.14.2-upstream-patches-0.tar.xz 23304 BLAKE2B 954e0a49e5c3ec122aefe52afe328f440b8a4c8db966e0fa91e0b6d6cb3c0462b75fb99b3e7392811bd2e680cd7945e8a4d68317245fd42fdf0ad6cab33fbc68 SHA512 64d243f0c8acfec87812e4d78e3d8b24a86315824853f4f3b17122b7119425d180650695bc12e1a30f5b30c6ef684be7c08b2bc677ca2f0668d0335d92e2bf78 DIST xen-4.14.2.tar.gz 39973157 BLAKE2B db5d3570f79e0fd97872f5e5dd57a4eb39e005728387bfef3b51fabe1c693cfd8108d09b1026f5a5a7eb79de71be6f4af36d252f7e0b35a65a1567b7949e3e29 SHA512 83c9333b70dbee3e29c6bf08e5ad030676e6c4a32b976f3f5e6a8f8d0dd9e4898bac88dd8e1c9d2ad3509cebb5d212e1745f9392a469d7afeb841d79801ccf39 +DIST xen-4.14.3-upstream-patches-0.tar.xz 3532 BLAKE2B b3e1530a9e14bb1481296f3a878cceb81f1979b1cfb9105d4d1b03681a3449c40cabd1807109acfb3742fd8085c28094c29889d22dab5a99c9bf22443d1e848e SHA512 d6b39830bff83da745279041d144d56c3b153beae09e96fa878397f388575d106509816d710e94fa79dd60a874087921eba98e1316877f6ef4591a12f05846ee DIST xen-4.14.3.tar.gz 39982036 BLAKE2B 927fd2937f451567238702430cea3a6e5d2db70d5eef10f029bb1d6d030681573c851eb8076c8bad89c97c115f81a19ac8e46e78ca3f0e642565f7300c264ca1 SHA512 b462fcc1549f6e57f7f2a4fd10ce1e957a25a6a7c0319672b62699468f6c4330b9cd0cf2b0231b5cce94f4bb142a957eb8aa58aa0ffb5c85b37211d6b34ccf16 DIST xen-4.15.0-upstream-patches-1.tar.xz 35180 BLAKE2B eb3b2a44b717a04daa4a2f158040cce78b42cba5a72c437d7b2f8f1237b808f6f13c2140d82e95056818db6c0eb706ebd7dead822a6a4e689e5d5e7c83523fdb SHA512 a7cfe2dbc82b15c48fa781a77b3ca1622fc2feac3874bf17cf56e82be46e9817913f94992e0e1a1cd2be2e719d4abb9a15744c8a1017e30c0d5c01d7db64dbb5 DIST xen-4.15.0.tar.gz 40785399 BLAKE2B 8b0530f5516c39656506f4bb705952da0555a8ab7f47323473b171caeb7692f3107e9d94f13171d40576600064589eed35f4d210af02db4cc4706dd4fc202100 SHA512 93683b8a97387ca5f003c635a11d163e61c87dbdc9a03081f9155fe87b49f1dfa74ce243fcd5e04dc009353a36e2375b786f1ebde828b5951a094cd64197b4c7 +DIST xen-4.15.1-upstream-patches-0.tar.xz 3532 BLAKE2B 797f6c4ce44b43c9b43ee27718dc6d0b234588df2148961f8b078b3362b23bec6c2326eb0584255b0f3128c2f8b673ac6b9590596119c5fec82e7b03a1305b2c SHA512 c7d1a21042a3003eb9d968b3eb00aabbbc5c145b8b05fdd9e520cde34d1643d7f4f8f7039f30843a65439b1d40584c751e31ead620b88332d50b10f14fe81c0d DIST xen-4.15.1.tar.gz 40800852 BLAKE2B 39475ea33f029fb0e84b82b4a2b13fd613bab01e3ef6c241dfede3d190ee9be53c99b62121d37d83b1e078764b3e4d88d1dfb99be1b5623691e56519850c6798 SHA512 8d3cbdf708f46477e32ee7cbd16a490c82efa855cecd84ee712b8680df4d69c987ba9ab00ff3851f627b98a8ebbc5dab71f92f142ed958ee2bc538bc792cd4b9 diff --git a/app-emulation/xen/xen-4.14.3-r1.ebuild b/app-emulation/xen/xen-4.14.3-r1.ebuild new file mode 100644 index 00000000000..5c85c91a72d --- /dev/null +++ b/app-emulation/xen/xen-4.14.3-r1.ebuild @@ -0,0 +1,167 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{8..9} ) + +inherit flag-o-matic mount-boot multilib python-any-r1 toolchain-funcs + +MY_PV=${PV/_/-} +MY_P=${PN}-${MY_PV} + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="git://xenbits.xen.org/xen.git" + SRC_URI="" +else + KEYWORDS="~amd64 ~arm -x86" + UPSTREAM_VER=0 + SECURITY_VER= + GENTOO_VER= + + [[ -n ${UPSTREAM_VER} ]] && \ + UPSTREAM_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz + https://github.com/hydrapolic/gentoo-dist/raw/master/xen/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz"; + [[ -n ${SECURITY_VER} ]] && \ + SECURITY_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-security-patches-${SECURITY_VER}.tar.xz"; + [[ -n ${GENTOO_VER} ]] && \ + GENTOO_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-gentoo-patches-${GENTOO_VER}.tar.xz"; + SRC_URI="https://downloads.xenproject.org/release/xen/${MY_PV}/${MY_P}.tar.gz + ${UPSTREAM_PATCHSET_URI} + ${SECURITY_PATCHSET_URI} + ${GENTOO_PATCHSET_URI}" +fi + +DESCRIPTION="The Xen virtual machine monitor" +HOMEPAGE="https://www.xenproject.org"; +LICENSE="GPL-2" +SLOT="0" +IUSE="debug efi flask" + +DEPEND="${PYTHON_DEPS} + efi? ( >=sys-devel/binutils-2.22[multitarget] ) + !efi? ( >=sys-devel/binutils-2.22 ) + flask? ( sys-apps/checkpolicy )" +RDEPEND="" +PDEPEND="~app-emulation/xen-tools-${PV}" + +# no tests are available for the hypervisor +# prevent the silliness of /usr/lib/debug/usr/lib/debug files +# prevent stripping of the debug info from the /usr/lib/debug/xen-syms +RESTRICT="test splitdebug strip" + +# Approved by QA team in bug #144032 +QA_WX_LOAD="boot/xen-syms-${PV}" + +REQUIRED_USE="arm? ( debug )" + +S="${WORKDIR}/${MY_P}" + +pkg_setup() { + python-any-r1_pkg_setup + if [[ -z ${XEN_TARGET_ARCH} ]]; then + if use amd64; then + export XEN_TARGET_ARCH="x86_64" + elif use arm; then + export XEN_TARGET_ARCH="arm32" + elif use arm64; then + export XEN_TARGET_ARCH="arm64" + else + die "Unsupported architecture!" + fi + fi +} + +src_prepare() { + # Upstream's patchset + [[ -n ${UPSTREAM_VER} ]] && eapply "${WORKDIR}"/patches-upstream + + # Security patchset + if [[ -n ${SECURITY_VER} ]]; then + einfo "Try to apply Xen Security patch set" + # apply main xen patches + # Two parallel systems, both work side by side + # Over time they may concdense into one. This will suffice for now + source "${WORKDIR}"/patches-security/${PV}.conf + + local i + for i in ${XEN_SECURITY_MAIN}; do + eapply "${WORKDIR}"/patches-security/xen/$i + done + fi + + # Gentoo's patchset + [[ -n ${GENTOO_VER} ]] && eapply "${WORKDIR}"/patches-gentoo + + # Symlinks do not work on fat32 volumes + eapply "${FILESDIR}"/${PN}-4.14-efi.patch + + # Enable XSM-FLASK + use flask && eapply "${FILESDIR}"/${PN}-4.15-flask.patch + + # Workaround new gcc-11 options + sed -e '/^CFLAGS/s/-Werror//g' -i xen/Makefile || die + + # Drop .config + sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't drop" + + if use efi; then + export EFI_VENDOR="gentoo" + export EFI_MOUNTPOINT="/boot" + fi + + default +} + +src_configure() { + use arm && myopt="${myopt} CONFIG_EARLY_PRINTK=sun7i" + use debug && myopt="${myopt} debug=y" + + # remove flags + unset CFLAGS + unset LDFLAGS + unset ASFLAGS + + tc-ld-disable-gold # Bug 700374 +} + +src_compile() { + # Send raw LDFLAGS so that --as-needed works + emake V=1 CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt} +} + +src_install() { + local myopt + use debug && myopt="${myopt} debug=y" + + # The 'make install' doesn't 'mkdir -p' the subdirs + if use efi; then + mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die + fi + + emake LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" DESTDIR="${D}" -C xen ${myopt} install + + # make install likes to throw in some extra EFI bits if it built + use efi || rm -rf "${D}/usr/$(get_libdir)/efi" +} + +pkg_postinst() { + elog "Official Xen Guide:" + elog " https://wiki.gentoo.org/wiki/Xen"; + + use efi && einfo "The efi executable is installed in /boot/efi/gentoo" + + elog "You can optionally block the installation of /boot/xen-syms by an entry" + elog "in folder /etc/portage/env using the portage's feature INSTALL_MASK" + elog "e.g. echo ${msg} > /etc/portage/env/xen.conf" + + ewarn + ewarn "Xen 4.12+ changed the default scheduler to credit2 which can cause" + ewarn "domU lockups on multi-cpu systems. The legacy credit scheduler seems" + ewarn "to work fine." + ewarn + ewarn "Add sched=credit to xen command line options to use the legacy scheduler." + ewarn + ewarn "https://wiki.gentoo.org/wiki/Xen#Xen_domU_hanging_with_Xen_4.12.2B"; +} diff --git a/app-emulation/xen/xen-4.15.1-r1.ebuild b/app-emulation/xen/xen-4.15.1-r1.ebuild new file mode 100644 index 00000000000..b49ac4f28ca --- /dev/null +++ b/app-emulation/xen/xen-4.15.1-r1.ebuild @@ -0,0 +1,167 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{8..9} ) + +inherit flag-o-matic mount-boot multilib python-any-r1 toolchain-funcs + +MY_PV=${PV/_/-} +MY_P=${PN}-${MY_PV} + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="git://xenbits.xen.org/xen.git" + SRC_URI="" +else + KEYWORDS="~amd64 ~arm -x86" + UPSTREAM_VER=0 + SECURITY_VER= + GENTOO_VER= + + [[ -n ${UPSTREAM_VER} ]] && \ + UPSTREAM_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz + https://github.com/hydrapolic/gentoo-dist/raw/master/xen/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz"; + [[ -n ${SECURITY_VER} ]] && \ + SECURITY_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-security-patches-${SECURITY_VER}.tar.xz"; + [[ -n ${GENTOO_VER} ]] && \ + GENTOO_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-gentoo-patches-${GENTOO_VER}.tar.xz"; + SRC_URI="https://downloads.xenproject.org/release/xen/${MY_PV}/${MY_P}.tar.gz + ${UPSTREAM_PATCHSET_URI} + ${SECURITY_PATCHSET_URI} + ${GENTOO_PATCHSET_URI}" +fi + +DESCRIPTION="The Xen virtual machine monitor" +HOMEPAGE="https://www.xenproject.org"; +LICENSE="GPL-2" +SLOT="0" +IUSE="debug efi flask" + +DEPEND="${PYTHON_DEPS} + efi? ( >=sys-devel/binutils-2.22[multitarget] ) + !efi? ( >=sys-devel/binutils-2.22 ) + flask? ( sys-apps/checkpolicy )" +RDEPEND="" +PDEPEND="~app-emulation/xen-tools-${PV}" + +# no tests are available for the hypervisor +# prevent the silliness of /usr/lib/debug/usr/lib/debug files +# prevent stripping of the debug info from the /usr/lib/debug/xen-syms +RESTRICT="test splitdebug strip" + +# Approved by QA team in bug #144032 +QA_WX_LOAD="boot/xen-syms-${PV}" + +REQUIRED_USE="arm? ( debug )" + +S="${WORKDIR}/${MY_P}" + +pkg_setup() { + python-any-r1_pkg_setup + if [[ -z ${XEN_TARGET_ARCH} ]]; then + if use amd64; then + export XEN_TARGET_ARCH="x86_64" + elif use arm; then + export XEN_TARGET_ARCH="arm32" + elif use arm64; then + export XEN_TARGET_ARCH="arm64" + else + die "Unsupported architecture!" + fi + fi +} + +src_prepare() { + # Upstream's patchset + [[ -n ${UPSTREAM_VER} ]] && eapply "${WORKDIR}"/patches-upstream + + # Security patchset + if [[ -n ${SECURITY_VER} ]]; then + einfo "Try to apply Xen Security patch set" + # apply main xen patches + # Two parallel systems, both work side by side + # Over time they may concdense into one. This will suffice for now + source "${WORKDIR}"/patches-security/${PV}.conf + + local i + for i in ${XEN_SECURITY_MAIN}; do + eapply "${WORKDIR}"/patches-security/xen/$i + done + fi + + # Gentoo's patchset + [[ -n ${GENTOO_VER} ]] && eapply "${WORKDIR}"/patches-gentoo + + # Symlinks do not work on fat32 volumes + eapply "${FILESDIR}"/${PN}-4.15-efi.patch + + # Enable XSM-FLASK + use flask && eapply "${FILESDIR}"/${PN}-4.15-flask.patch + + # Workaround new gcc-11 options + sed -e '/^CFLAGS/s/-Werror//g' -i xen/Makefile || die + + # Drop .config + sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't drop" + + if use efi; then + export EFI_VENDOR="gentoo" + export EFI_MOUNTPOINT="/boot" + fi + + default +} + +src_configure() { + use arm && myopt="${myopt} CONFIG_EARLY_PRINTK=sun7i" + use debug && myopt="${myopt} debug=y" + + # remove flags + unset CFLAGS + unset LDFLAGS + unset ASFLAGS + + tc-ld-disable-gold # Bug 700374 +} + +src_compile() { + # Send raw LDFLAGS so that --as-needed works + emake V=1 CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt} +} + +src_install() { + local myopt + use debug && myopt="${myopt} debug=y" + + # The 'make install' doesn't 'mkdir -p' the subdirs + if use efi; then + mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die + fi + + emake LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" DESTDIR="${D}" -C xen ${myopt} install + + # make install likes to throw in some extra EFI bits if it built + use efi || rm -rf "${D}/usr/$(get_libdir)/efi" +} + +pkg_postinst() { + elog "Official Xen Guide:" + elog " https://wiki.gentoo.org/wiki/Xen"; + + use efi && einfo "The efi executable is installed in /boot/efi/gentoo" + + elog "You can optionally block the installation of /boot/xen-syms by an entry" + elog "in folder /etc/portage/env using the portage's feature INSTALL_MASK" + elog "e.g. echo ${msg} > /etc/portage/env/xen.conf" + + ewarn + ewarn "Xen 4.12+ changed the default scheduler to credit2 which can cause" + ewarn "domU lockups on multi-cpu systems. The legacy credit scheduler seems" + ewarn "to work fine." + ewarn + ewarn "Add sched=credit to xen command line options to use the legacy scheduler." + ewarn + ewarn "https://wiki.gentoo.org/wiki/Xen#Xen_domU_hanging_with_Xen_4.12.2B"; +}
