Hello Guix,

I'm not necessarily proposing that we apply this patch to 'master', but
since I mentioned in another thread that I'm using this patch on my own
GuixSD system, I thought I would make it available to you all.

      Mark

>From 7ddcef480cc3f2cfa8428af9a98bab144ceae925 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <m...@netris.org>
Date: Fri, 21 Jul 2017 06:13:02 -0400
Subject: [PATCH] DRAFT: gnu: linux-libre@4.9: Add selected patches from
 Debian.

* gnu/packages/linux.scm (debian-patches-for-linux-libre-4.9): New variable.
(linux-libre@4.9): Add debian-patches-for-linux-libre-4.9 to #:patches.
---
 gnu/packages/aux-files/linux-libre/4.9-i686.conf   |  11 +-
 gnu/packages/aux-files/linux-libre/4.9-x86_64.conf |  14 ++-
 gnu/packages/linux.scm                             | 116 ++++++++++++++++++++-
 3 files changed, 132 insertions(+), 9 deletions(-)

diff --git a/gnu/packages/aux-files/linux-libre/4.9-i686.conf b/gnu/packages/aux-files/linux-libre/4.9-i686.conf
index 4f3a9f927..529cfcef2 100644
--- a/gnu/packages/aux-files/linux-libre/4.9-i686.conf
+++ b/gnu/packages/aux-files/linux-libre/4.9-i686.conf
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.0-gnu Kernel Configuration
+# Linux/x86 4.9.38-gnu Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -593,6 +593,7 @@ CONFIG_X86_SMAP=y
 CONFIG_X86_INTEL_MPX=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
 CONFIG_SECCOMP=y
 # CONFIG_HZ_100 is not set
 CONFIG_HZ_250=y
@@ -5775,6 +5776,7 @@ CONFIG_LOGO=y
 # CONFIG_LOGO_LINUX_MONO is not set
 # CONFIG_LOGO_LINUX_VGA16 is not set
 # CONFIG_LOGO_LINUX_CLUT224 is not set
+CONFIG_LOGO_LIBRE_CLUT224=y
 CONFIG_SOUND=m
 CONFIG_SOUND_OSS_CORE=y
 # CONFIG_SOUND_OSS_CORE_PRECLAIM is not set
@@ -6038,6 +6040,7 @@ CONFIG_SND_SOC_INTEL_HASWELL=m
 CONFIG_SND_SOC_INTEL_HASWELL_MACH=m
 CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m
 CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
+CONFIG_SND_SOC_INTEL_BDW_RT5677_MACH=m
 CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m
 CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH=m
 CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m
@@ -6112,7 +6115,8 @@ CONFIG_SND_SOC_RT5645=m
 CONFIG_SND_SOC_RT5651=m
 CONFIG_SND_SOC_RT5663=m
 CONFIG_SND_SOC_RT5670=m
-# CONFIG_SND_SOC_RT5677_SPI is not set
+CONFIG_SND_SOC_RT5677=m
+CONFIG_SND_SOC_RT5677_SPI=m
 CONFIG_SND_SOC_SGTL5000=m
 CONFIG_SND_SOC_SI476X=m
 CONFIG_SND_SOC_SIGMADSP=m
@@ -8493,7 +8497,6 @@ CONFIG_SCHED_INFO=y
 CONFIG_SCHEDSTATS=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # CONFIG_DEBUG_TIMEKEEPING is not set
-CONFIG_TIMER_STATS=y
 
 #
 # Lock Debugging (spinlocks, mutexes, etc...)
@@ -8675,11 +8678,13 @@ CONFIG_TRUSTED_KEYS=y
 CONFIG_ENCRYPTED_KEYS=y
 CONFIG_KEY_DH_OPERATIONS=y
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
+CONFIG_SECURITY_SECURELEVEL=y
 CONFIG_INTEL_TXT=y
 CONFIG_LSM_MMAP_MIN_ADDR=0
 CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
diff --git a/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf b/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf
index ca0fcded6..a2ac30e4a 100644
--- a/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf
+++ b/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.0-gnu Kernel Configuration
+# Linux/x86 4.9.38-gnu Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -596,6 +596,7 @@ CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_MIXED=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
 CONFIG_SECCOMP=y
 # CONFIG_HZ_100 is not set
 CONFIG_HZ_250=y
@@ -868,6 +869,7 @@ CONFIG_COREDUMP=y
 CONFIG_IA32_EMULATION=y
 # CONFIG_IA32_AOUT is not set
 CONFIG_X86_X32=y
+CONFIG_X86_X32_DISABLED=y
 CONFIG_COMPAT=y
 CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
 CONFIG_SYSVIPC_COMPAT=y
@@ -4473,8 +4475,6 @@ CONFIG_USBPCWATCHDOG=m
 # Watchdog Pretimeout Governors
 #
 # CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set
-# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP is not set
-# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC is not set
 CONFIG_SSB_POSSIBLE=y
 
 #
@@ -5642,6 +5642,7 @@ CONFIG_LOGO=y
 # CONFIG_LOGO_LINUX_MONO is not set
 # CONFIG_LOGO_LINUX_VGA16 is not set
 # CONFIG_LOGO_LINUX_CLUT224 is not set
+CONFIG_LOGO_LIBRE_CLUT224=y
 CONFIG_SOUND=m
 CONFIG_SOUND_OSS_CORE=y
 # CONFIG_SOUND_OSS_CORE_PRECLAIM is not set
@@ -5848,6 +5849,7 @@ CONFIG_SND_SOC_INTEL_HASWELL=m
 CONFIG_SND_SOC_INTEL_HASWELL_MACH=m
 CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m
 CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
+CONFIG_SND_SOC_INTEL_BDW_RT5677_MACH=m
 CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m
 CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH=m
 CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m
@@ -5922,7 +5924,8 @@ CONFIG_SND_SOC_RT5645=m
 CONFIG_SND_SOC_RT5651=m
 CONFIG_SND_SOC_RT5663=m
 CONFIG_SND_SOC_RT5670=m
-# CONFIG_SND_SOC_RT5677_SPI is not set
+CONFIG_SND_SOC_RT5677=m
+CONFIG_SND_SOC_RT5677_SPI=m
 CONFIG_SND_SOC_SGTL5000=m
 CONFIG_SND_SOC_SI476X=m
 CONFIG_SND_SOC_SIGMADSP=m
@@ -8317,7 +8320,6 @@ CONFIG_SCHED_INFO=y
 CONFIG_SCHEDSTATS=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # CONFIG_DEBUG_TIMEKEEPING is not set
-CONFIG_TIMER_STATS=y
 
 #
 # Lock Debugging (spinlocks, mutexes, etc...)
@@ -8501,11 +8503,13 @@ CONFIG_TRUSTED_KEYS=y
 CONFIG_ENCRYPTED_KEYS=y
 CONFIG_KEY_DH_OPERATIONS=y
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
+CONFIG_SECURITY_SECURELEVEL=y
 CONFIG_INTEL_TXT=y
 CONFIG_LSM_MMAP_MIN_ADDR=0
 CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 0cb925e31..add56628e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -375,11 +375,125 @@ It has been modified to remove all non-free binary blobs.")
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
+(define debian-patches-for-linux-libre-4.9
+  (let ()
+    (define (debian-patch file-name hash)
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://anonscm.debian.org/cgit/kernel/linux.git/";
+                            "plain/debian/patches/"
+                            file-name
+                            "?h=debian/4.9.30-2%2bdeb9u2"))
+        (sha256 (base32 hash))
+        (file-name (basename file-name))))
+    (list
+     ;; Change some defaults for security reasons
+     (debian-patch "debian/af_802154-Disable-auto-loading-as-mitigation-against.patch"
+                   "1vxi81m5rvvnkgr7nnqs45vb7i8p2cm9vyh0cwg1zvqn3ijxi9ld")
+     (debian-patch "debian/rds-Disable-auto-loading-as-mitigation-against-local.patch"
+                   "0qn4dri48wn9mrwxra3n23yn3ihjzc4h87igb8r80ahbla0fnwfi")
+     (debian-patch "debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch"
+                   "10n43hi5j1h1yk2khlhrdbkfbvy1cj70z6mj9xsji5z3klb35lbq")
+     (debian-patch "debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch"
+                   "18xmy9dkip3sfy9iwhmcaa4k1gy72s1aq94xw4l68ki5w191h6kw")
+     (debian-patch "debian/fs-enable-link-security-restrictions-by-default.patch"
+                   "12p3h33k25bl6ny8xm3gchfijb7d9463xwyn9y9lyap6kv4grzqj")
+
+     ;; Set various features runtime-disabled by default
+     (debian-patch "debian/sched-autogroup-disabled.patch"
+                   "0yn8zva4kp4lnzdsrwywcpsw60bdlh053ap65lcr81l38jmfyihx")
+     (debian-patch "debian/yama-disable-by-default.patch"
+                   "0xqd14yckirjagd3z91gcv11g9zb1p9x4lvgxsa1zgcpdyv5j70z")
+     (debian-patch "debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch"
+                   "1kjl4vp8v4xs9r94g048j9w3s59g0g86mdrj54dnaazp5wi7cxy5")
+     (debian-patch "features/all/security-perf-allow-further-restriction-of-perf_event_open.patch"
+                   "0wz2jm6rnchzy4qbm7bi5qdp1vk3y377lj5b4dkix0bif0rqdzdf")
+
+     ;; Disable autoloading/probing of various drivers by default
+     (debian-patch "debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch"
+                   "1zp39dzd7hh0vxpihvr326ndg2vaicrdllwj3ba45vznfg06a74h")
+     (debian-patch "debian/snd-pcsp-disable-autoload.patch"
+                   "136b978v92v82z3dcyrjwib4v830gc8nmi19763phfnw3gvglbpr")
+     (debian-patch "debian/fjes-disable-autoload.patch"
+                   "14cxxgjis07587g1q01gsp66rzrlnldpxg1078z2hkx51hgyzggm")
+
+     ;; Taint if dangerous features are used
+     (debian-patch "debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch"
+                   "1l8399ma3nlgd5sj8nhyqlcyfqhw2q2kdys59rs78jbawyh66q25")
+     (debian-patch "debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch"
+                   "0xa108vzyrh3ij64aagj17ji4gp1mrjnmdby269vn2q2f5rcficc")
+
+     ;; Arch features
+     (debian-patch "features/x86/x86-memtest-WARN-if-bad-RAM-found.patch"
+                   "0xwl7bjrdzh96pmhjc1g1kk8693fbccgn19pdb4rdpng8nv9gzsn")
+     (debian-patch "features/x86/x86-make-x32-syscall-support-conditional.patch"
+                   "1j23x5xvagwf6r591z9p9ac80mjpvhhzh6jnxjjcjcqiqxwf9m3p")
+
+     ;; Securelevel patchset from mjg59
+     (debian-patch "features/all/securelevel/add-bsd-style-securelevel-support.patch"
+                   "15s7m7rakq9v8b6wizc3zngcalfmx68h9vi35g8bnpyjqjdk2xq3")
+     (debian-patch "features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch"
+                   "1v2ad3hjly5k9kg3l53nk6ssxc3danz6ynh9l22wlwhxlw1fq4gf")
+     (debian-patch "features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch"
+                   "1rqawcv1bykcxklab9iz942xrvpyhxf673xzqzv7lkzdza8j4nzw")
+     (debian-patch "features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch"
+                   "1padscg703iww4znhqqazh5lxrlr55a1i05kyg906hkhv4vm5yfb")
+     (debian-patch "features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch"
+                   "10il8z5cxcdrryihskfm1qwdy1i71bnf2smzy4xq3hcyy7bv484x")
+     (debian-patch "features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch"
+                   "0pdaghyisvwym5b5i0vvcfm0ihwki5207ca27qly7dy76pzajb2i")
+     (debian-patch "features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch"
+                   "0dks5bihlag0yylg7qkv8vmhyspjqlh6i6jnkf54b0gx14fs54h9")
+     (debian-patch "features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch"
+                   "18406qv89pf1riishqsv7yhgg2wbm4mq4x1hgan87m6jk6wh4hkd")
+     (debian-patch "features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch"
+                   "1hy8l18ppn0zi652656nr5mcz46mq7xi89b5zmc852cm0lvqxazq")
+     (debian-patch "features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch"
+                   "1s6nvwglb0hyrp64kwk1rxpzc6gfd5926mvmk3b8rq04g7a615pk")
+     (debian-patch "features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch"
+                   "0fm8hn62d2ik3739x9mi56xrywpmqpyzwp3jfpfp8ha0izaqrm6y")
+     (debian-patch "features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch"
+                   "040862b35nfw5qb4xnz53wrm9kvwim8wijh033ysr490xn6grlvp")
+     (debian-patch "features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch"
+                   "1rc7m5aj92ny3adzm2852x2x4bpd61zamp0sc1na5mhcd96qs724")
+     (debian-patch "features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch"
+                   "0fw42j1g505qmx910cwqynpvs43rb2vkwwx4n8d2vy27272f534b")
+     (debian-patch "features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch"
+                   "16p53qsmywcl7p97gx40lc0i8ki9b5m22az2p9g4yzhg75z37w9c")
+     (debian-patch "features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch"
+                   "1yj9k8lxpm2xjhi3hrgl30777ldcjlfabl8ihaiyq54mzncxc3jl")
+     (debian-patch "features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch"
+                   "0cssqxx8brn0pq8i9brjv014f9j98msq37p7y64aahchhfvkc6xv")
+     (debian-patch "features/all/securelevel/enable-cold-boot-attack-mitigation.patch"
+                   "005ghbfxznybhzcslwf3pl2mxmklm659xfq4i3afaybnf6gs7xjs")
+     (debian-patch "features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch"
+                   "1jy9f2lbw6lzq4241fc22dham4pry95j5kk2m3yg7kjw6ciz4bik")
+     ;; same for arm64
+     (debian-patch "features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch"
+                   "0vnc0yy4ksqfv22xziy8alycv0173n0y3ldgqbpccmgcxqwlgrsw")
+     (debian-patch "features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch"
+                   "15a2y4zy9jifv3d4pwkhzdyz2ki5iqjkx2z0hp6bg02d5m6khps2")
+
+     ;; Security fixes
+     (debian-patch "debian/i386-686-pae-pci-set-pci-nobios-by-default.patch"
+                   "0d4gxrqj41vmgf2i5jx79za8rbvr3w5xkwjizz60dbfgjaq58zhr")
+     (debian-patch "debian/time-mark-timer_stats-as-broken.patch"
+                   "0m0na1ihxj71h96c128g8pnks85125jlx5pbr6w5585ak4zbnp3y")
+     (debian-patch "bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch"
+                   "0qf8a3ggvvdhph9gvbfbh1645d60xclxwlnhhxpgakih6c60h6dn")
+     (debian-patch "bugfix/all/sunrpc-refactor-svc_set_num_threads.patch"
+                   "1fgcpf1cqi4j4br29snlzl48cz62dyg0fyrxihn2v3zapfpf9yhv")
+     (debian-patch "bugfix/all/nfsv4-fix-callback-server-shutdown.patch"
+                   "00cwa4kkjjffh813n9j2m3541fg08hrvcnr5d2bz68bc2rijvpn3"))))
+
 (define-public linux-libre-4.9
   (make-linux-libre "4.9.41"
                     "1mkx7rvcny8b0yjkzd8zc53d15h1w8y75m0x6jx0dz3r9y3k0nql"
                     %intel-compatible-systems
-                    #:configuration-file kernel-config))
+                    #:configuration-file kernel-config
+                    #:patches
+                    (cons %boot-logo-patch
+                          debian-patches-for-linux-libre-4.9)))
 
 (define-public linux-libre-4.4
   (make-linux-libre "4.4.80"
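Review bot: The Kconfig symbols that the .conf hunks in this commit switch on (`CONFIG_SECURITY_SECURELEVEL`, `CONFIG_EFI_SECURE_BOOT_SECURELEVEL`, `CONFIG_SECURITY_PERF_EVENTS_RESTRICT`, `CONFIG_X86_X32_DISABLED`) exist only once the corresponding entries of `debian-patches-for-linux-libre-4.9` are applied, yet nothing in this hunk records that coupling and the ChangeLog entry does not mention the config files; if one of those patches is later dropped, kconfig silently discards the now-unknown symbol and the hardening vanishes without any build failure. I would put a header comment above the `(define debian-patches-for-linux-libre-4.9` line, e.g. `;; The 4.9-*.conf files enable CONFIG_SECURITY_SECURELEVEL, CONFIG_EFI_SECURE_BOOT_SECURELEVEL, CONFIG_SECURITY_PERF_EVENTS_RESTRICT and CONFIG_X86_X32_DISABLED, which are defined only by these patches; keep both in sync.`, and list the .conf changes in the commit message. The group comment "Set various features runtime-disabled by default" also covers `yama-disable-by-default.patch`, which, if it is the Debian patch that lowers the Yama ptrace_scope default, relaxes a kernel default rather than tightening it, so it deserves its own line saying why it is wanted here. Finally, every file is fetched from the `debian/4.9.30-2%2bdeb9u2` tag while the package is built from 4.9.41; the per-file sha256 pins give integrity, but the `bugfix/all/` entries may already be in 4.9.41 stable and are worth checking for rejects, and the "Security fixes" label on `time-mark-timer_stats-as-broken.patch` only holds together with the `CONFIG_TIMER_STATS` removal made in the .conf hunks.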
-- 
2.14.0
