From: Arne Fitzenreiter Date: Fri, 11 Aug 2023 21:32:01 +0000 (+0200) Subject: core178: insert urgent core update for new cpu vulnerability mitigations X-Git-Tag: v2.27-core178~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee0ee298435ada541e4cfed95cfd38b328a41eca;p=ipfire-2.x.git core178: insert urgent core update for new cpu vulnerability mitigations this contain kernel-6.1.45, intel-microcode-20230808, linux-firmware-20230804 + fam19h patches and a fix for early microcode load from initramdisk. Signed-off-by: Arne Fitzenreiter
---
diff --git a/config/rootfiles/core/177/exclude b/config/rootfiles/core/178/exclude
similarity index 100%
rename from config/rootfiles/core/177/exclude
rename to config/rootfiles/core/178/exclude
diff --git a/config/rootfiles/core/177/filelists/aarch64/linux b/config/rootfiles/core/178/filelists/aarch64/linux
similarity index 100%
rename from config/rootfiles/core/177/filelists/aarch64/linux
rename to config/rootfiles/core/178/filelists/aarch64/linux
diff --git a/config/rootfiles/core/177/filelists/aarch64/u-boot-mkimage b/config/rootfiles/core/178/filelists/aarch64/u-boot-mkimage
similarity index 100%
rename from config/rootfiles/core/177/filelists/aarch64/u-boot-mkimage
rename to config/rootfiles/core/178/filelists/aarch64/u-boot-mkimage
diff --git a/config/rootfiles/core/177/filelists/core-files b/config/rootfiles/core/178/filelists/core-files
similarity index 100%
rename from config/rootfiles/core/177/filelists/core-files
rename to config/rootfiles/core/178/filelists/core-files
diff --git a/config/rootfiles/core/178/filelists/files b/config/rootfiles/core/178/filelists/files
new file mode 100644
index 0000000000..00198bcc3e
--- /dev/null
+++ b/config/rootfiles/core/178/filelists/files
@@ -0,0 +1 @@
+srv/web/ipfire/cgi-bin/vulnerabilities.cgi
diff --git a/config/rootfiles/core/178/filelists/linux-firmware-update b/config/rootfiles/core/178/filelists/linux-firmware-update
new file mode 100644
index 0000000000..21e8e86028
--- /dev/null
+++ b/config/rootfiles/core/178/filelists/linux-firmware-update
@@ -0,0 +1,66 @@
+lib/firmware/amdgpu/dcn_3_1_4_dmcub.bin
+lib/firmware/amdgpu/dcn_3_1_5_dmcub.bin
+lib/firmware/amdgpu/dcn_3_2_0_dmcub.bin
+lib/firmware/amdgpu/dcn_3_2_1_dmcub.bin
+lib/firmware/amdgpu/gc_11_0_3_imu.bin
+lib/firmware/amdgpu/gc_11_0_3_me.bin
+lib/firmware/amdgpu/gc_11_0_3_mec.bin
+lib/firmware/amdgpu/gc_11_0_3_mes1.bin
+lib/firmware/amdgpu/gc_11_0_3_mes_2.bin
+lib/firmware/amdgpu/gc_11_0_3_pfp.bin
+lib/firmware/amdgpu/gc_11_0_3_rlc.bin
+lib/firmware/amdgpu/green_sardine_vcn.bin
+lib/firmware/amdgpu/picasso_vcn.bin
+lib/firmware/amdgpu/psp_13_0_10_sos.bin
+lib/firmware/amdgpu/psp_13_0_10_ta.bin
+lib/firmware/amdgpu/raven2_vcn.bin
+lib/firmware/amdgpu/raven_vcn.bin
+lib/firmware/amdgpu/renoir_vcn.bin
+lib/firmware/amdgpu/sdma_6_0_3.bin
+lib/firmware/amdgpu/smu_13_0_10.bin
+lib/firmware/amdgpu/vcn_4_0_0.bin
+lib/firmware/amdgpu/yellow_carp_dmcub.bin
+lib/firmware/amd-ucode/microcode_amd_fam17h.bin
+lib/firmware/amd-ucode/microcode_amd_fam19h.bin
+lib/firmware/i915/adlp_dmc.bin
+lib/firmware/i915/dg2_guc_70.bin
+lib/firmware/i915/mtl_dmc.bin
+lib/firmware/i915/mtl_guc_70.bin
+lib/firmware/i915/mtl_huc_gsc.bin
+lib/firmware/intel/ibt-0040-0041.sfi
+lib/firmware/intel/ibt-0040-4150.sfi
+lib/firmware/intel/ibt-0041-0041.sfi
+lib/firmware/intel/ibt-1040-0041.sfi
+lib/firmware/intel/ibt-1040-4150.sfi
+lib/firmware/intel/ibt-19-0-0.sfi
+lib/firmware/intel/ibt-19-0-1.sfi
+lib/firmware/intel/ibt-19-0-4.sfi
+lib/firmware/intel/ibt-19-16-4.sfi
+lib/firmware/intel/ibt-19-240-1.sfi
+lib/firmware/intel/ibt-19-240-4.sfi
+lib/firmware/intel/ibt-19-32-0.sfi
+lib/firmware/intel/ibt-19-32-1.sfi
+lib/firmware/intel/ibt-19-32-4.sfi
+lib/firmware/intel/ibt-20-0-3.sfi
+lib/firmware/intel/ibt-20-1-3.sfi
+lib/firmware/intel/ibt-20-1-4.sfi
+lib/firmware/intel/ice/ddp-lag
+lib/firmware/iwlwifi-cc-a0-77.ucode
+lib/firmware/iwlwifi-Qu-b0-hr-b0-77.ucode
+lib/firmware/iwlwifi-Qu-b0-jf-b0-77.ucode
+lib/firmware/iwlwifi-Qu-c0-hr-b0-77.ucode
+lib/firmware/iwlwifi-Qu-c0-jf-b0-77.ucode
+lib/firmware/iwlwifi-QuZ-a0-hr-b0-77.ucode
+lib/firmware/iwlwifi-so-a0-gf4-a0-83.ucode
+lib/firmware/iwlwifi-so-a0-gf4-a0.pnvm
+lib/firmware/iwlwifi-so-a0-gf-a0-83.ucode
+lib/firmware/iwlwifi-so-a0-gf-a0.pnvm
+lib/firmware/iwlwifi-ty-a0-gf-a0-83.ucode
+lib/firmware/iwlwifi-ty-a0-gf-a0.pnvm
+lib/firmware/mediatek/BT_RAM_CODE_MT7922_1_1_hdr.bin
+lib/firmware/mediatek/mt8195/scp.img
+lib/firmware/mediatek/WIFI_MT7922_patch_mcu_1_1_hdr.bin
+lib/firmware/mediatek/WIFI_RAM_CODE_MT7922_1.bin
+lib/firmware/nxp/sr150_fw.bin
+lib/firmware/rtw89/rtw8851b_fw.bin
+lib/firmware/wfx/wfm_wf200_C0.sec
diff --git a/config/rootfiles/core/178/filelists/x86_64/intel-microcode b/config/rootfiles/core/178/filelists/x86_64/intel-microcode
new file mode 120000
index 0000000000..d5ac074e2e
--- /dev/null
+++ b/config/rootfiles/core/178/filelists/x86_64/intel-microcode
@@ -0,0 +1 @@
+../../../../common/x86_64/intel-microcode
\ No newline at end of file
diff --git a/config/rootfiles/core/177/filelists/x86_64/linux b/config/rootfiles/core/178/filelists/x86_64/linux
similarity index 100%
rename from config/rootfiles/core/177/filelists/x86_64/linux
rename to config/rootfiles/core/178/filelists/x86_64/linux
diff --git a/config/rootfiles/core/178/update.sh b/config/rootfiles/core/178/update.sh
new file mode 100644
index 0000000000..caa15bee79
--- /dev/null
+++ b/config/rootfiles/core/178/update.sh
@@ -0,0 +1,149 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2023 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=178
+
+exit_with_error() {
+ # Set last succesfull installed core.
+ echo $(($core-1)) > /opt/pakfire/db/core/mine
+ # force fsck at next boot, this may fix free space on xfs
+ touch /forcefsck
+ # don't start pakfire again at error
+ killall -KILL pak_update
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: $1"
+ exit $2
+}
+
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/rc.d/init.d/squid stop
+
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+ cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks prior to the kernel update
+case $(uname -r) in
+ *-ipfire*)
+ # Ok.
+ ;;
+ *)
+ exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+ ;;
+esac
+
+# Check diskspace on root
+ROOTSPACE=$( df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1 )
+
+if [ $ROOTSPACE -lt 100000 ]; then
+ exit_with_error "ERROR cannot update because not enough free space on root." 2
+ exit 2
+fi
+
+# Remove the old kernel
+rm -rvf \
+ /boot/System.map-* \
+ /boot/config-* \
+ /boot/ipfirerd-* \
+ /boot/initramfs-* \
+ /boot/vmlinuz-* \
+ /boot/uImage-* \
+ /boot/zImage-* \
+ /boot/uInit-* \
+ /boot/dtb-* \
+ /lib/modules
+
+# Extract files
+extract_files
+
+# Remove files
+#rm -rvf \
+
+# update linker config
+ldconfig
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Filesytem cleanup
+/usr/local/bin/filesystem-cleanup
+
+# Start services
+/etc/init.d/sshd restart
+/etc/init.d/unbound reload
+if [ -f /var/ipfire/proxy/enable ]; then
+ /etc/init.d/squid start
+fi
+
+# Rebuild initial ramdisks
+dracut --regenerate-all --force
+KVER="xxxKVERxxx"
+case "$(uname -m)" in
+ aarch64)
+ mkimage -A arm64 -T ramdisk -C lzma -d /boot/initramfs-${KVER}-ipfire.img /boot/uInit-${KVER}-ipfire
+ # dont remove initramfs because grub need this to boot.
+ ;;
+esac
+
+# remove lm_sensor config after collectd was started
+# to re-search sensors at next boot with updated kernel
+rm -f /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version in uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+ sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# Call user update script (needed for some ARM boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+ /boot/pakfire-kernel-update ${KVER}
+fi
+
+# This update needs a reboot...
+touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+ grub-mkconfig -o /boot/grub/grub.cfg
+fi
+
+sync
+
+# Don't report the exitcode last command
+exit 0
diff --git a/config/rootfiles/oldcore/177/exclude b/config/rootfiles/oldcore/177/exclude
new file mode 100644
index 0000000000..8ee1c3c2f5
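Review bot: The free-space guard `if [ $ROOTSPACE -lt 100000 ]` in update.sh fails open: if the `df | sed | cut | tail` pipeline yields an empty or non-numeric value, `[` returns an error status, the branch is skipped, and the script goes on to `rm -rvf` the installed kernel, initramfs and `/lib/modules`. Inverting the test makes it fail closed, `if ! [ "${ROOTSPACE}" -ge 100000 ] 2>/dev/null; then`, and the `exit 2` after `exit_with_error` is unreachable and can be dropped. `extract_files` runs right after that removal with its exit status unchecked, so, assuming it returns non-zero on failure, a broken extraction would still reach `dracut` and `touch /var/run/need_reboot`. A guard such as `extract_files || exit_with_error "ERROR cannot extract files." 3` would stop before a reboot is requested on a system that may have no bootable kernel and none of the new microcode.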
--- /dev/null
+++ b/config/rootfiles/oldcore/177/exclude
@@ -0,0 +1,35 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+boot/uEnv.txt
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/firewall/locationblock
+var/ipfire/fwhosts/customlocationgrp
+var/ipfire/ovpn
+var/ipfire/urlfilter/blacklist
+var/ipfire/urlfilter/settings
+var/lib/alternatives
+var/lib/location/database.db
+var/lib/location/ipset
+var/log/cache
+var/log/dhcpcd.log
+var/log/messages
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/oldcore/177/filelists/aarch64/linux b/config/rootfiles/oldcore/177/filelists/aarch64/linux
new file mode 120000
index 0000000000..3a2532bc7d
--- /dev/null
+++ b/config/rootfiles/oldcore/177/filelists/aarch64/linux
@@ -0,0 +1 @@
+../../../../common/aarch64/linux
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/177/filelists/aarch64/u-boot-mkimage b/config/rootfiles/oldcore/177/filelists/aarch64/u-boot-mkimage
new file mode 120000
index 0000000000..8606a8983b
--- /dev/null
+++ b/config/rootfiles/oldcore/177/filelists/aarch64/u-boot-mkimage
@@ -0,0 +1 @@
+../../../../common/aarch64/u-boot-mkimage
\ No newline at end of file
diff --git a/config/rootfiles/core/177/filelists/aarch64/util-linux b/config/rootfiles/oldcore/177/filelists/aarch64/util-linux
similarity index 100%
rename from config/rootfiles/core/177/filelists/aarch64/util-linux
rename to config/rootfiles/oldcore/177/filelists/aarch64/util-linux
diff --git a/config/rootfiles/oldcore/177/filelists/core-files b/config/rootfiles/oldcore/177/filelists/core-files
new file mode 100644
index 0000000000..0dec37e538
--- /dev/null
+++ b/config/rootfiles/oldcore/177/filelists/core-files
@@ -0,0 +1,5 @@
+etc/system-release
+etc/issue
+etc/os-release
+srv/web/ipfire/cgi-bin/credits.cgi
+var/ipfire/langs
diff --git a/config/rootfiles/core/177/filelists/files b/config/rootfiles/oldcore/177/filelists/files
similarity index 100%
rename from config/rootfiles/core/177/filelists/files
rename to config/rootfiles/oldcore/177/filelists/files
diff --git a/config/rootfiles/core/177/filelists/fireinfo b/config/rootfiles/oldcore/177/filelists/fireinfo
similarity index 100%
rename from config/rootfiles/core/177/filelists/fireinfo
rename to config/rootfiles/oldcore/177/filelists/fireinfo
diff --git a/config/rootfiles/core/177/filelists/iproute2 b/config/rootfiles/oldcore/177/filelists/iproute2
similarity index 100%
rename from config/rootfiles/core/177/filelists/iproute2
rename to config/rootfiles/oldcore/177/filelists/iproute2
diff --git a/config/rootfiles/core/177/filelists/ntp b/config/rootfiles/oldcore/177/filelists/ntp
similarity index 100%
rename from config/rootfiles/core/177/filelists/ntp
rename to config/rootfiles/oldcore/177/filelists/ntp
diff --git a/config/rootfiles/core/177/filelists/openssh b/config/rootfiles/oldcore/177/filelists/openssh
similarity index 100%
rename from config/rootfiles/core/177/filelists/openssh
rename to config/rootfiles/oldcore/177/filelists/openssh
diff --git a/config/rootfiles/core/177/filelists/squid b/config/rootfiles/oldcore/177/filelists/squid
similarity index 100%
rename from config/rootfiles/core/177/filelists/squid
rename to config/rootfiles/oldcore/177/filelists/squid
diff --git a/config/rootfiles/core/177/filelists/squid-asnbl b/config/rootfiles/oldcore/177/filelists/squid-asnbl
similarity index 100%
rename from config/rootfiles/core/177/filelists/squid-asnbl
rename to config/rootfiles/oldcore/177/filelists/squid-asnbl
diff --git a/config/rootfiles/core/177/filelists/sudo b/config/rootfiles/oldcore/177/filelists/sudo
similarity index 100%
rename from config/rootfiles/core/177/filelists/sudo
rename to config/rootfiles/oldcore/177/filelists/sudo
diff --git a/config/rootfiles/oldcore/177/filelists/x86_64/linux b/config/rootfiles/oldcore/177/filelists/x86_64/linux
new file mode 120000
index 0000000000..0615b5b9ad
--- /dev/null
+++ b/config/rootfiles/oldcore/177/filelists/x86_64/linux
@@ -0,0 +1 @@
+../../../../common/x86_64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/177/filelists/x86_64/util-linux b/config/rootfiles/oldcore/177/filelists/x86_64/util-linux
similarity index 100%
rename from config/rootfiles/core/177/filelists/x86_64/util-linux
rename to config/rootfiles/oldcore/177/filelists/x86_64/util-linux
diff --git a/config/rootfiles/core/177/update.sh b/config/rootfiles/oldcore/177/update.sh
similarity index 100%
rename from config/rootfiles/core/177/update.sh
rename to config/rootfiles/oldcore/177/update.sh
diff --git a/make.sh b/make.sh
index 30a0faa6a8..1c3fcf26b3 100755
--- a/make.sh
+++ b/make.sh
@@ -23,7 +23,7 @@ NAME="IPFire" # Software name
 SNAME="ipfire" # Short name
 # If you update the version don't forget to update backupiso and add it to core update
 VERSION="2.27" # Version number
-CORE="177" # Core Level (Filename)
+CORE="178" # Core Level (Filename)
 SLOGAN="www.ipfire.org" # Software slogan
 CONFIG_ROOT=/var/ipfire # Configuration rootdir
 MAX_RETRIES=1 # prefetch/check loop