WIP Patched Kernel Sources (Linux 4.15.*)
AndyLavr 4.15.15-wip-x45
Changes-4.15.15-wip-x45:
https://github.com/AndyLavr/wip-kernel/commits/experimental

ChangeLog-4.15.15:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.15

WIP Kernel (Patched Kernel Sources Linux 4.15.15)

- Full kernel adaptation to Ubuntu 18.04 LTS (Bionic).
- Full kernel adaptation to build with GCC 7/GCC 8.

Full support:
- Indirect Branch Restricted Speculation (IBRS)
- Indirect Branch Prediction Barrier (IBPB)

Add Linux Kernel Runtime Guard (LKRG):

 Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that
performs runtime integrity checking of the Linux kernel and detection of
security vulnerability exploits against the kernel.

Current status of this kernel for the Spectre and Meltdown
vulnerabilities:

Spectre V2: Mitigation: Full generic retpoline
Spectre V2: Enabling Indirect Branch Prediction Barrier
Spectre V2: Enabling Restricted Speculation for firmware calls

Meltdown: Mitigation: PTI
Spectre V1: Mitigation: __user pointer sanitization
Spectre V2: Enable Mitigation: Full generic retpoline, IBPB, IBRS_FW

and IBRS mode only:

Spectre V2 : ibrs selected on command line.
Spectre V2 : Mitigation: Indirect Branch Restricted Speculation
Spectre V2 : IBPB - Enabling Indirect Branch Prediction Barrier
Spectre V2 : IBRS - Enabling Restricted Speculation for firmware calls

Meltdown: Mitigation: PTI
Spectre V1: Mitigation: __user pointer sanitization
Spectre V2: Mitigation: Indirect Branch Restricted Speculation, IBPB
Latest commit 01b529f Apr 1, 2018
Documentation Partial update from Linux 4.15.14 Mar 29, 2018
arch x86/cpu/intel: Add Cannonlake to Intel family Apr 1, 2018
block Linux 4.15.8 Mar 10, 2018
certs certs/blacklist_nohashes.c: fix const confusion in certs blacklist Feb 23, 2018
crypto Partial update from Linux 4.15.11 Mar 19, 2018
debian.master 4.15.15-wip-x45 Apr 1, 2018
debian 4.15.15-wip-x45 Apr 1, 2018
drivers Partial update from Linux 4.15.15 Apr 1, 2018
firmware Initial commit WIP Kernel 4.15 Jan 29, 2018
fs Partial update from Linux 4.15.15 Apr 1, 2018
include Partial update from Linux 4.15.15 Apr 1, 2018
init efi: Add embedded peripheral firmware support Mar 26, 2018
ipc ipc/shm.c: add split function to shm_vm_ops Mar 29, 2018
kernel sched/cpufreq/schedutil: Fix error path mutex unlock Apr 1, 2018
lib Partial update from Linux 4.15.15 Apr 1, 2018
mm mm/kmemleak.c: wait for scan completion before disabling free Mar 29, 2018
net Partial update from Linux 4.15.15 Apr 1, 2018
samples Initial commit WIP Kernel 4.15 Jan 29, 2018
scripts kbuild: rpm-pkg: Support GNU tar >= 1.29 Mar 31, 2018
security Partial update from Linux 4.15.13 Mar 26, 2018
sound Partial update from Linux 4.15.14 Mar 29, 2018
spl Update ZFS version Feb 23, 2018
tools Partial update from Linux 4.15.14 Mar 29, 2018
usr Initial commit WIP Kernel 4.15 Jan 29, 2018
virt Partial update from Linux 4.15.12 Mar 22, 2018
zfs zfs: Update to version 0.7.5-1ubuntu13 Mar 29, 2018
.cocciconfig Initial commit WIP Kernel 4.15 Jan 29, 2018
.get_maintainer.ignore Initial commit WIP Kernel 4.15 Jan 29, 2018
.gitattributes Initial commit WIP Kernel 4.15 Jan 29, 2018
.gitignore Update .gitignore Mar 5, 2018
.mailmap Initial commit WIP Kernel 4.15 Jan 29, 2018
.project Initial commit WIP Kernel 4.15 Jan 29, 2018
COPYING Initial commit WIP Kernel 4.15 Jan 29, 2018
CREDITS Initial commit WIP Kernel 4.15 Jan 29, 2018
Kbuild Initial commit WIP Kernel 4.15 Jan 29, 2018
Kconfig Initial commit WIP Kernel 4.15 Jan 29, 2018
LICENSE Initial commit Jan 29, 2018
MAINTAINERS Partial update from Linux 4.15.10 Mar 15, 2018
Makefile 4.15.15-wip-x45 Apr 1, 2018
README Initial commit WIP Kernel 4.15 Jan 29, 2018
README.md 4.15.15-wip-x45 Apr 1, 2018

README.md

WIP Kernel 4.15.15-wip-x45




PERFORMANCE TO POWER AN AMAZING EXPERIENCE FOR THE GAMING G SERIES

WIP Patched Kernel: a kernel distribution with custom settings (Linux 4.15.15)

  • Experience a whole new way to interact with your PC like never before.
  • Full kernel adaptation to Ubuntu 18.04 LTS (Bionic).
  • Full kernel adaptation to build with GCC 7/GCC 8.
  • Optimized to take full advantage of high-performance hardware.
  • Supports all recent 64-bit versions of Debian and Ubuntu-based systems.

Main Features:

  • Tuned for Intel i5/i7/Atom platforms.
  • PDS CPU Scheduler & Multi-Queue I/O Block Layer w/ BFQ-MQ for smoothness and responsiveness.
  • Caching, Virtual Memory Manager and CPU Governor Improvements.
  • General-purpose Multitasking Kernel.
  • Built on the latest GCC 8
  • DRM Optimized Performance.
  • Intel CPUFreq (P-State passive mode).
  • ZFS, AUFS, BFQ and Ureadahead support available.

Meltdown-Spectre

Full support for the microcode-assisted mitigations (updated Intel microcode required, see Install below):

  • Indirect Branch Restricted Speculation (IBRS)
  • Indirect Branch Prediction Barrier (IBPB)

LKRG - Linux Kernel Runtime Guard

Add Linux Kernel Runtime Guard (LKRG)

Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.


Linux Test Project

Kernel tested with the Linux Test Project.

The Linux Test Project is a joint project started by SGI and developed and maintained by IBM, Cisco, Fujitsu, SUSE, Red Hat and others, whose goal is to deliver test suites to the open source community that validate the reliability, robustness, and stability of Linux. The LTP test suite contains a collection of tools for testing the Linux kernel and related features.


Install

Update the Intel microcode before relying on IBRS/IBPB:

Download

Download the installation packages for your CPU (x86_64 packages only):


This is a mainline Linux kernel distribution with custom settings, optimized to take full advantage of high-performance hardware.

Supports all recent 64-bit versions of Debian and Ubuntu-based systems.

Main Features:

Tuned for Intel i5/i7/Atom and AMD K10 platforms.
PDS CPU Scheduler & Multi-Queue I/O Block Layer w/ BFQ-MQ for smoothness and responsiveness.
Caching, Virtual Memory Manager and CPU Governor Improvements.
General-purpose Multitasking Kernel.
Built on the latest GCC 8.0.1
DRM Optimized Performance.
BBR TCP Congestion Control.
Intel CPUFreq (P-State passive mode).
ZFS, AUFS, BFQ and Ureadahead support available.
Linux Kernel Runtime Guard (LKRG)

Kernel config file

 The kernel config files are located at:
 debian.master/config/amd64/config.flavour.generic
 debian.master/config/amd64/config.flavour.atom
 debian.master/config/amd64/config.flavour.broadwell
 debian.master/config/amd64/config.flavour.westmere
 debian.master/config/amd64/config.flavour.k10

Recommended system configuration

Example config files for an Intel i7 Broadwell system with 32 GB RAM

  • /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="spectre_v2=auto pti=auto ipv6.disable=1 intremap=no_x2apic_optout acpi_osi=Linux acpi_backlight=vendor intel_iommu=on swiotlb=32768 apparmor=0"
GRUB_CMDLINE_LINUX="noresume systemd.gpt_auto=0"

Two of these options reduce security rather than tune performance: apparmor=0 disables AppArmor confinement for every profile on the system, and ipv6.disable=1 removes IPv6 entirely. Keep them only if that is what you want on the machine.

If the updated microcode for your CPU supports IBRS/IBPB, select IBRS mode instead of spectre_v2=auto:

"spectre_v2=ibrs"

IBPB is turned on automatically in that mode.


$ dmesg | egrep microcode

[0.000000] microcode: microcode updated early to revision 0x1d, date = 2018-01-21
[0.766365] microcode: sig=0x40671, pf=0x20, revision=0x1d
[0.767580] microcode: Microcode Update Driver: v2.2.

$ dmesg | egrep Spectre

[0.012444] Spectre V2 : ibrs selected on command line.
[0.012445] Spectre V2 : Mitigation: Indirect Branch Restricted Speculation
[0.012446] Spectre V2 : IBPB - Enabling Indirect Branch Prediction Barrier
[0.012447] Spectre V2 : IBRS - Enabling Restricted Speculation for firmware calls

$ grep . /sys/devices/system/cpu/vulnerabilities/*

/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation:PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation:__user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Indirect Branch Restricted Speculation,IBPB
  • /etc/sysctl.conf
vm.laptop_mode=0
vm.swappiness=60
vm.vfs_cache_pressure=1000
vm.dirty_writeback_centisecs=15000

# You can monitor the kernel behavior with regard to the dirty
# pages by using grep -A 1 dirty /proc/vmstat
vm.dirty_background_ratio=5
vm.dirty_ratio=15

# required free memory (set to 1% of physical ram)
vm.min_free_kbytes=328979

# system open file limit
fs.file-max=2055936

# Core dump suidsafe
kernel.core_uses_pid = 1
kernel.core_pattern = /tmp/core-%e-%s-%u-%g-%p-%t
fs.suid_dumpable = 2

kernel.printk=4 4 1 7
kernel.sysrq=0

# VMware
kernel.shmmax=30318719385
kernel.shmmni = 16384

### ---

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_mem = 50576   64768   98152
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_syncookies = 1
net.netfilter.nf_conntrack_max = 16777216
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_congestion_control = yeah
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.route.flush = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.somaxconn = 65535
fs.inotify.max_user_watches = 16777216
#
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_default_ttl = 63
#
net.ipv4.tcp_ecn = 1
net.core.default_qdisc = fq_codel
#
net.ipv4.tcp_fastopen = 3
#
# I/O: byte-based dirty thresholds. These override vm.dirty_background_ratio
# and vm.dirty_ratio set above; the kernel keeps whichever pair was written last.
vm.dirty_background_bytes=67108864
vm.dirty_bytes=134217728
#
# Huge Page
vm.nr_hugepages=4096
vm.nr_overcommit_hugepages=4096
vm.hugetlb_shm_group=1001
#
# Memory
net.core.rmem_default = 33554432
net.core.wmem_default = 33554432
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.core.netdev_max_backlog = 16384
#
net.ipv4.tcp_rmem = 8192 87380 33554432
net.ipv4.tcp_wmem = 8192 65536 33554432
#
#
kernel.yama.ptrace_scope=2
#
kernel.perf_event_paranoid=2
#
# Re-enables automatic conntrack helper assignment, which has been off by default
# since Linux 4.7 because helpers parse untrusted packet payloads; explicit CT
# helper rules in the firewall are the safer alternative.
net.netfilter.nf_conntrack_helper=1
  • /etc/network/interfaces
wireless-power off
  • /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
[connection]
wifi.powersave = 2
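The two checks shown in the grub section above (dmesg for the microcode and Spectre lines, the sysfs vulnerabilities files) can be folded into one script that also cross-checks the spectre_v2= mode requested on the kernel command line against what the kernel actually ended up with. This is an added example, not code from this repository; it assumes the sysfs paths and "Mitigation: ..." status strings quoted above, and when those files are not readable it falls back to constructed sample strings taken from the IBRS-mode output shown earlier so that it still runs end to end.

```shell
#!/bin/sh
# Added example (not part of the WIP kernel project): summarise what the running
# kernel reports for Meltdown/Spectre and cross-check it against the spectre_v2=
# option requested on the kernel command line.
#
# Assumptions: the sysfs layout /sys/devices/system/cpu/vulnerabilities/{meltdown,
# spectre_v1,spectre_v2} and the status strings quoted in this README. When a file
# is unreadable (container, non-x86 host) a constructed sample string is used.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Constructed sample data: the IBRS-mode output quoted earlier in this README.
sample_status() {
    case "$1" in
        meltdown)   echo 'Mitigation: PTI' ;;
        spectre_v1) echo 'Mitigation: __user pointer sanitization' ;;
        spectre_v2) echo 'Mitigation: Indirect Branch Restricted Speculation,IBPB' ;;
        *)          echo 'Unknown' ;;
    esac
}
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz spectre_v2=ibrs pti=auto'

# classify_status STRING -> unaffected | vulnerable | mitigated | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)    echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# has_ibrs_ibpb STRING -> success only for the IBRS+IBPB mode this README targets.
# The retpoline variant ("Full generic retpoline, IBPB, IBRS_FW") also mentions
# IBPB but is not IBRS mode, so it must not match.
has_ibrs_ibpb() {
    case "$1" in
        *"Indirect Branch Restricted Speculation"*IBPB*) return 0 ;;
        *) return 1 ;;
    esac
}

# cmdline_spectre_v2 CMDLINE -> value of spectre_v2= (empty when not given)
cmdline_spectre_v2() {
    for tok in $1; do
        case "$tok" in
            spectre_v2=*) echo "${tok#spectre_v2=}"; return 0 ;;
        esac
    done
    echo ""
}

# check_ibrs_request REQUESTED STATUS -> ok | fallback | not-requested
# "fallback": ibrs was asked for but the kernel reports a different mitigation.
check_ibrs_request() {
    if [ "$1" != ibrs ]; then echo not-requested; return 0; fi
    if has_ibrs_ibpb "$2"; then echo ok; else echo fallback; fi
}

# read_status NAME -> live sysfs content, or the constructed sample
read_status() {
    if [ -r "$VULN_DIR/$1" ]; then cat "$VULN_DIR/$1"; else sample_status "$1"; fi
}

read_cmdline() {
    if [ -r /proc/cmdline ]; then cat /proc/cmdline; else echo "$SAMPLE_CMDLINE"; fi
}

report() {
    for name in meltdown spectre_v1 spectre_v2; do
        status=$(read_status "$name")
        printf '%-10s %-10s %s\n' "$name" "$(classify_status "$status")" "$status"
    done
    requested=$(cmdline_spectre_v2 "$(read_cmdline)")
    v2=$(read_status spectre_v2)
    printf 'spectre_v2= requested: %s -> %s\n' "${requested:-<none>}" \
        "$(check_ibrs_request "$requested" "$v2")"
}

report
```

A `fallback` result for a spectre_v2=ibrs request means the kernel did not enter IBRS mode; on this kernel that most often means the microcode update described above is not in effect, so re-check the `dmesg | egrep microcode` output before assuming IBRS/IBPB are active.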

Installing Linux Kernel Runtime Guard (LKRG):

Installing LKRG is exactly the same as loading any other kernel module; it starts working as soon as it is loaded. At the default logging level LKRG prints one short line saying the system is clean, unless it detects a corruption.

# modprobe lkrg

$ modinfo lkrg
filename:       /lib/modules/4.15.* -wip-x* -broadwell/kernel/drivers/staging/lkrg/lkrg.ko
license:        GPL v2
description:    pi3's Linux kernel Runtime Guard
author:         Adam 'pi3' Zabrocki (http://pi3.com.pl)
srcversion:     Current version
depends:
staging:        Y
retpoline:      Y
intree:         Y
name:           lkrg
vermagic:       4.15.* -wip-x* -broadwell SMP mod_unload modversions retpoline
signat:         PKCS#7
signer:
sig_key:
sig_hashalgo:   md4
parm:           p_init_log_level:Logging level init value [1 (alive) is default] (uint)


 Add the file /etc/modprobe.d/lkrg.conf containing the line:

options lkrg p_init_log_level=3

The project has a built-in sysctl interface for interaction between the administrator and LKRG. The following options are available:

 # sysctl -a|grep lkrg
 lkrg.block_modules = 0
 lkrg.clean_message = 0
 lkrg.force_run = 0
 lkrg.hide = 0
 lkrg.log_level = 3
 lkrg.random_events = 1
 lkrg.timestamp = 15
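The LKRG steps above (the modprobe.d option, modprobe, and the sysctl tree) as one script, added here as an example rather than taken from the LKRG project or this repository. It assumes the module name lkrg, the p_init_log_level parameter and the lkrg.* sysctl names shown above; the text-processing functions are exercised against the sysctl output quoted above, so the script runs without LKRG present, and the privileged steps only run when it is invoked with `apply`.

```shell
#!/bin/sh
# Added example, not the LKRG project's or this repository's code: install LKRG
# as the README describes, then verify it through its sysctl interface rather
# than through lsmod (lkrg.hide=1 removes the module from the module list).
#
# Assumptions: module name "lkrg", parameter p_init_log_level, sysctl names
# lkrg.block_modules / lkrg.hide / lkrg.log_level as shown in the README.

LKRG_CONF=${LKRG_CONF:-/etc/modprobe.d/lkrg.conf}

# Constructed sample: the `sysctl -a | grep lkrg` output quoted in the README.
SAMPLE_SYSCTL='lkrg.block_modules = 0
lkrg.clean_message = 0
lkrg.force_run = 0
lkrg.hide = 0
lkrg.log_level = 3
lkrg.random_events = 1
lkrg.timestamp = 15'

# lkrg_conf_content LEVEL -> the modprobe.d line that sets the initial log level
lkrg_conf_content() {
    printf 'options lkrg p_init_log_level=%s\n' "$1"
}

# lkrg_get SYSCTL_TEXT KEY -> value of lkrg.KEY, empty if not present
lkrg_get() {
    printf '%s\n' "$1" | sed -n "s/^lkrg\.$2 *= *//p"
}

# lkrg_assess SYSCTL_TEXT -> one word per line:
#   absent        no lkrg.* keys (module not loaded)
#   loaded        sysctl tree present, so LKRG is running even if lsmod is empty
#   modules-open  block_modules=0: further modules (including a rogue one) may load
#   hidden        hide=1: lkrg is not in /proc/modules, lsmod cannot confirm it
lkrg_assess() {
    if [ -z "$(lkrg_get "$1" log_level)" ]; then
        echo absent
        return 0
    fi
    echo loaded
    [ "$(lkrg_get "$1" block_modules)" = 0 ] && echo modules-open
    [ "$(lkrg_get "$1" hide)" = 1 ] && echo hidden
    return 0
}

# Privileged path: write the modprobe.d option, load the module, force an
# immediate integrity run, then read the sysctl tree back.
lkrg_apply() {
    lkrg_conf_content 3 > "$LKRG_CONF"
    modprobe lkrg
    sysctl -q -w lkrg.force_run=1
    lkrg_assess "$(sysctl -a 2>/dev/null | grep '^lkrg\.')"
}

# Read-only path: live sysctl output if LKRG is loaded, else the sample text.
lkrg_status() {
    live=$(sysctl -a 2>/dev/null | grep '^lkrg\.' || true)
    if [ -n "$live" ]; then lkrg_assess "$live"; else lkrg_assess "$SAMPLE_SYSCTL"; fi
}

case "${1:-status}" in
    apply) lkrg_apply ;;
    *)     lkrg_status ;;
esac
```

Check for LKRG through sysctl, not lsmod: with lkrg.hide=1 the module is removed from the module list, so `lsmod | grep lkrg` prints nothing while LKRG is still running. Leave lkrg.block_modules=0 until every module this kernel needs (zfs, ath10k, ...) has loaded, then set it to 1 so that later module loads are refused.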

Fix ATH10k WiFi

Create /etc/modprobe.d/ath10k_core.conf containing the line:

 options ath10k_core skip_otp=y

Create symbolic links to the firmware files:

Example for (Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter)

ln -s /lib/firmware/ath10k/QCA6174/hw2.1/board.bin /lib/firmware/ath10k/pre-cal-pci-0000:05:00.0.bin

ln -s /lib/firmware/ath10k/QCA6174/hw2.1/board-2.bin /lib/firmware/ath10k/cal-pci-0000:05:00.0.bin

Fix X session start

If the X session fails to start and the system journal shows:

lightdm[1182]: PAM unable to dlopen(pam_kwallet.so): 
/lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory

then comment out every line that references pam_kwallet.so or pam_kwallet5.so in the files under /etc/pam.d.

Intel – Fix MMC/GPT warning.

I had been getting a warning on boot with recent kernels on my Intel based UP system, and found a workaround. The error flagged is – apparently – harmless, and is due to systemd not being able to recognise some mmc disk partitions at that stage of the boot process.

......
[ 5.124250] systemd-gpt-auto-generator[416]: Failed to dissect: Input/output error
......

The workaround is to add systemd.gpt_auto=0 to the kernel command line.
