From 58612231d49e3606a61abd8dfeb8f8d9dac55a8d Mon Sep 17 00:00:00 2001 From: Noel Georgi Date: Tue, 26 Mar 2024 22:57:02 +0530 Subject: [PATCH] fix: kernel boot on arm64 metal Enabling `CONFIG_EFI_DISABLE_PCI_DMA` brokes the kernel boot on ARM metal platforms without any messages during boot making it so hard to debug. This happened on an Ampere Altra ARM64 bare metal server. Reverts ARM64 Kconfig from https://github.com/siderolabs/pkgs/commit/87eb0134fab2aa7e6a3d52d541a84847dd265329. Also update the KSPP script with per-arch violations denylist. Signed-off-by: Noel Georgi --- kernel/build/config-arm64 | 2 +- kernel/build/pkg.yaml | 2 +- kernel/build/scripts/filter-hardened-check.py | 24 +++++++++++++++++-- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64 index 98099db3a..a107e79e8 100644 --- a/kernel/build/config-arm64 +++ b/kernel/build/config-arm64 @@ -2080,7 +2080,7 @@ CONFIG_EFI_BOOTLOADER_CONTROL=y CONFIG_EFI_CAPSULE_LOADER=y CONFIG_EFI_TEST=y CONFIG_RESET_ATTACK_MITIGATION=y -CONFIG_EFI_DISABLE_PCI_DMA=y +# CONFIG_EFI_DISABLE_PCI_DMA is not set CONFIG_EFI_EARLYCON=y CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y # CONFIG_EFI_DISABLE_RUNTIME is not set diff --git a/kernel/build/pkg.yaml b/kernel/build/pkg.yaml index d54453848..27aaccf22 100644 --- a/kernel/build/pkg.yaml +++ b/kernel/build/pkg.yaml @@ -21,7 +21,7 @@ steps: {{ else }} - | cd /src - python3 /toolchain/kernel-hardening-checker/bin/kernel-hardening-checker -c .config -m json | python3 /pkg/scripts/filter-hardened-check.py + python3 /toolchain/kernel-hardening-checker/bin/kernel-hardening-checker -c .config -m json | python3 /pkg/scripts/filter-hardened-check.py ${CARCH} - | cd /src diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py index 2b5b49a32..085ae2bf8 100644 --- a/kernel/build/scripts/filter-hardened-check.py +++ b/kernel/build/scripts/filter-hardened-check.py @@ -27,11 +27,28 @@ 'CONFIG_RANDSTRUCT_PERFORMANCE', # disabled due to performance reasons 'CONFIG_UBSAN_TRAP', # disabled due to performance reasons 'CONFIG_CFI_CLANG', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/918 - 'CONFIG_CFI_PERMISSIVE', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/918 - 'CONFIG_ARM64_BTI_KERNEL', # can't seem to enable this, probably because we're using gcc, see https://github.com/siderolabs/pkgs/issues/918 + 'CONFIG_CFI_PERMISSIVE', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/91 +} + +""" +Names of violations per arch we ignore for a good reason. +""" +IGNORE_VIOLATIONS_BY_ARCH = { + 'arm64': { + 'CONFIG_ARM64_BTI_KERNEL', # can't seem to enable this, probably because we're using gcc, see https://github.com/siderolabs/pkgs/issues/918 + 'CONFIG_EFI_DISABLE_PCI_DMA', # for arm64, enabling this breaks boot with no visible error messages to debug. + }, + 'amd64': {}, } def main(): + if len(sys.argv) != 2: + print("Usage: {} ".format(sys.argv[0])) + + sys.exit(1) + + arch = sys.argv[1] + violations = json.load(sys.stdin) # filter out non-failures @@ -40,6 +57,9 @@ def main(): # filter only failures in the groups we're interested in violations = [item for item in violations if item["decision"] in GROUPS] + # add violations we ignore per arch + IGNORE_VIOLATIONS.update(IGNORE_VIOLATIONS_BY_ARCH[arch]) + # filter out violations we ignore violations = [item for item in violations if item["option_name"] not in IGNORE_VIOLATIONS]