From 0dc479076cd7e24a28e938c3e385b1847a015cf5 Mon Sep 17 00:00:00 2001 From: David Daney Date: Tue, 21 Nov 2023 22:26:27 +0000 Subject: [PATCH 1/7] Enable CONFIG_ARM_SMMU and CONFIG_ARM_SMMU_V3 in aarch64. --- SPECS/kernel/config_aarch64 | 10 ++++++++-- SPECS/kernel/kernel.signatures.json | 2 +- SPECS/kernel/kernel.spec | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index e093d43607f..003467b955a 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -8147,6 +8147,7 @@ CONFIG_SUN6I_MSGBOX=y # CONFIG_SPRD_MBOX is not set # CONFIG_QCOM_IPCC is not set CONFIG_IOMMU_IOVA=y +CONFIG_IOASID=y CONFIG_IOMMU_API=y CONFIG_IOMMU_SUPPORT=y @@ -8165,12 +8166,17 @@ CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set CONFIG_OF_IOMMU=y CONFIG_IOMMU_DMA=y +CONFIG_IOMMU_SVA_LIB=y # CONFIG_ROCKCHIP_IOMMU is not set # CONFIG_SUN50I_IOMMU is not set # CONFIG_TEGRA_IOMMU_SMMU is not set # CONFIG_IPMMU_VMSA is not set -# CONFIG_ARM_SMMU is not set -# CONFIG_ARM_SMMU_V3 is not set +CONFIG_ARM_SMMU=y +# CONFIG_ARM_SMMU_LEGACY_DT_BINDINGS is not set +# CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT is not set +CONFIG_ARM_SMMU_QCOM=y +CONFIG_ARM_SMMU_V3=y +CONFIG_ARM_SMMU_V3_SVA=y # CONFIG_MTK_IOMMU is not set # CONFIG_QCOM_IOMMU is not set # CONFIG_VIRTIO_IOMMU is not set diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 467157a0ab1..1d784ee57d3 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json 
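Review bot: In the second config_aarch64 hunk (`@@ -8165,12 +8166,17 @@`), `CONFIG_ARM_SMMU_V3_SVA=y` goes beyond what the subject line announces. Shared Virtual Addressing lets a device share a process's page tables, and it appears to be what pulls in `CONFIG_IOMMU_SVA_LIB=y` and `CONFIG_IOASID=y` in this patch (inferred from the 5.15 Kconfig select chain, which is not visible here). If the goal is only IOMMU-backed VFIO passthrough, I would keep `# CONFIG_ARM_SMMU_V3_SVA is not set` so the kernel does not carry an unused DMA feature, or name the consumer that needs SVA in the commit message. The same hunk leaves `# CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT is not set`, which patch 2/7 then flips; squashing the two would avoid an intermediate commit that builds a kernel with bypass allowed.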
@@ -2,7 +2,7 @@ "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", "config": "f529b9e9ad21c4f26edc849658bf38de43736901d8f3aabc9f3be2f0dc37497e", - "config_aarch64": "00728640d6c8bbe24667e0f63059a9bfef523962805648860e0d2e22e7fe0079", + "config_aarch64": "5d6753667634b2c9737096477d9fc6c0801300b95bacda722c72366864bc79f7", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", "kernel-5.15.137.1.tar.gz": "c00abd18daa5fcdf732d88bed57eb26a247473888c8aa9003897baa15d6c0e58" } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index abbd2d02f43..2b7898e368e 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -28,7 +28,7 @@ Summary: Linux Kernel Name: kernel Version: 5.15.137.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner From 7598ee5d3bc96613285907c49be5e5bf7fc12562 Mon Sep 17 00:00:00 2001 From: David Daney Date: Tue, 21 Nov 2023 17:28:35 -0600 Subject: [PATCH 2/7] Set CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT for aarch64 kernel. It is the more secure setting. --- SPECS/kernel/config_aarch64 | 2 +- SPECS/kernel/kernel.signatures.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 003467b955a..13a980a523e 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -8173,7 +8173,7 @@ CONFIG_IOMMU_SVA_LIB=y # CONFIG_IPMMU_VMSA is not set CONFIG_ARM_SMMU=y # CONFIG_ARM_SMMU_LEGACY_DT_BINDINGS is not set -# CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT is not set +CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y CONFIG_ARM_SMMU_QCOM=y CONFIG_ARM_SMMU_V3=y CONFIG_ARM_SMMU_V3_SVA=y diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 1d784ee57d3..395bc196fdc 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json 
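Review bot: In the patch 2/7 config_aarch64 hunk (`@@ -8173,7 +8173,7 @@`), `CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y` only sets a default, and the commit message should say what it protects against and how it can be overridden. With it set, DMA from a device that has no SMMU domain attached is aborted rather than passed through untranslated. As far as I know the arm-smmu driver still honours `arm-smmu.disable_bypass=0` on the kernel command line, so image hardening has to cover the boot parameters as well. Nothing in the patches shown records this behaviour change in the `kernel.spec` `%changelog` (the patch 1/7 diffstat shows a single changed line there, the `Release:` bump); an entry such as `- Enable ARM SMMU drivers on aarch64 with bypass disabled by default` would make it traceable from the package.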
@@ -2,8 +2,8 @@ "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", "config": "f529b9e9ad21c4f26edc849658bf38de43736901d8f3aabc9f3be2f0dc37497e", - "config_aarch64": "5d6753667634b2c9737096477d9fc6c0801300b95bacda722c72366864bc79f7", + "config_aarch64": "54f395290e569cc08f176166a8bed851f4bcae3628bbb4772fc6288164224aa2", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", "kernel-5.15.137.1.tar.gz": "c00abd18daa5fcdf732d88bed57eb26a247473888c8aa9003897baa15d6c0e58" } -} \ No newline at end of file +} From 1e9573116c697ef56615ab06fcc1bc8f8ef29f2d Mon Sep 17 00:00:00 2001 From: David Daney Date: Tue, 21 Nov 2023 17:29:41 -0600 Subject: [PATCH 3/7] Adjust mariner-required-configs.json for aarch64 kernel IOMMU configs. --- toolkit/scripts/mariner-required-configs.json | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/toolkit/scripts/mariner-required-configs.json b/toolkit/scripts/mariner-required-configs.json index cc2719d98db..9b380572e7f 100644 --- a/toolkit/scripts/mariner-required-configs.json +++ b/toolkit/scripts/mariner-required-configs.json 
@@ -1213,6 +1213,91 @@ "PR": [ "https://github.com/microsoft/CBL-Mariner/pull/6574" ] + }, + "CONFIG_IOASID": { + "value": [ + "y" + ], + "arch": [ + "ARM64" + ], + "comment": "Needed for CONFIG_ARM_SMMU", + "PR": [ + "https://github.com/microsoft/CBL-Mariner/pull/6823" + ] + }, + "CONFIG_IOMMU_SVA_LIB": { + "value": [ + "y" + ], + "arch": [ + "ARM64" + ], + "comment": "Needed for CONFIG_ARM_SMMU_V3_SVA", + "PR": [ + "https://github.com/microsoft/CBL-Mariner/pull/6823" + ] + }, + "CONFIG_ARM_SMMU": { + "value": [ + "y" + ], + "arch": [ + "ARM64" + ], + "comment": "Needed for VFIO to work", + "PR": [ + "https://github.com/microsoft/CBL-Mariner/pull/6823" + ] + }, + "CONFIG_ARM_SMMU_LEGACY_DT_BINDINGS": { + "value": [ + "", + "is not set" + ], + "arch": [ + "ARM64" + ], + "comment": "No device tree support needed", + "PR": [ + "https://github.com/microsoft/CBL-Mariner/pull/6823" + ] + }, + "CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT": { + "value": [ + "y" + ], + "arch": [ + "ARM64" + ], + "comment": "More secure when set", + "PR": [ + "https://github.com/microsoft/CBL-Mariner/pull/6823" + ] + }, + "CONFIG_ARM_SMMU_V3": { + "value": [ + "y" + ], + "arch": [ + "ARM64" + ], + "comment": "Needed for VFIO to work", + "PR": [ + "https://github.com/microsoft/CBL-Mariner/pull/6823" + ] + } + "CONFIG_ARM_SMMU_V3_SVA": { + "value": [ + "y" + ], + "arch": [ + "ARM64" + ], + "comment": "Needed for CONFIG_ARM_SMMU_V3", + "PR": [ + "https://github.com/microsoft/CBL-Mariner/pull/6823" + ] } } } From c711ad6771bdb7d39b79bf26877de98984242490 Mon Sep 17 00:00:00 2001 From: David Daney Date: Tue, 21 Nov 2023 17:34:42 -0600 Subject: [PATCH 4/7] Update Release to match kernel.spec --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 2 +- SPECS/kernel-headers/kernel-headers.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 6ac1dda85b5..54a2fcdbd88 100644 
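Review bot: Several of the `comment` strings added in this hunk state a dependency the wrong way round, which matters because this file is the recorded rationale for each required option. `CONFIG_ARM_SMMU_V3_SVA` says "Needed for CONFIG_ARM_SMMU_V3", but SVA is an optional feature on top of SMMUv3; `CONFIG_IOASID` says "Needed for CONFIG_ARM_SMMU" although it looks to be pulled in through `CONFIG_IOMMU_SVA_LIB`; and `CONFIG_ARM_SMMU_LEGACY_DT_BINDINGS` says "No device tree support needed" while config_aarch64 keeps `CONFIG_OF_IOMMU=y`. I would write `"comment": "Optional SVA support for SMMUv3; selects CONFIG_IOMMU_SVA_LIB"`, `"comment": "Selected by CONFIG_IOMMU_SVA_LIB"` and `"comment": "Deprecated mmu-masters binding is not needed"`. The "More secure when set" text on `CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT` could likewise say what the option does: `"comment": "Abort DMA from devices with no SMMU domain instead of bypassing translation"`.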
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 5.15.137.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index a4c3a7c7518..9ad48b03d4c 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,7 +1,7 @@ Summary: Linux API header files Name: kernel-headers Version: 5.15.137.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner From e7432ee89e58fc8d0534e4095aa6e36938a3cea8 Mon Sep 17 00:00:00 2001 From: David Daney Date: Tue, 21 Nov 2023 17:41:31 -0600 Subject: [PATCH 5/7] Update manifests to match kernel-headers-5.15.137.1-2.cm2. --- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 4b4d7a16506..32ea94101dc 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-17.cm2.aarch64.rpm -kernel-headers-5.15.137.1-1.cm2.noarch.rpm +kernel-headers-5.15.137.1-2.cm2.noarch.rpm glibc-2.35-6.cm2.aarch64.rpm glibc-devel-2.35-6.cm2.aarch64.rpm glibc-i18n-2.35-6.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index ca8d153ae93..1e26059c027 100644 
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-17.cm2.x86_64.rpm -kernel-headers-5.15.137.1-1.cm2.noarch.rpm +kernel-headers-5.15.137.1-2.cm2.noarch.rpm glibc-2.35-6.cm2.x86_64.rpm glibc-devel-2.35-6.cm2.x86_64.rpm glibc-i18n-2.35-6.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 0bd3e09f9e4..802f43db8c1 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.aarch64.rpm kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm -kernel-headers-5.15.137.1-1.cm2.noarch.rpm +kernel-headers-5.15.137.1-2.cm2.noarch.rpm kmod-29-2.cm2.aarch64.rpm kmod-debuginfo-29-2.cm2.aarch64.rpm kmod-devel-29-2.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index e168b9fb0fa..6f1d5d5a5c1 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.x86_64.rpm kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm -kernel-headers-5.15.137.1-1.cm2.noarch.rpm +kernel-headers-5.15.137.1-2.cm2.noarch.rpm kmod-29-2.cm2.x86_64.rpm kmod-debuginfo-29-2.cm2.x86_64.rpm kmod-devel-29-2.cm2.x86_64.rpm From 6eac7a855c53ef53e460662fd4766aa61161f4fc Mon Sep 17 00:00:00 2001 From: David Daney Date: Tue, 21 Nov 2023 17:45:12 -0600 Subject: [PATCH 6/7] Fix missing comman syntax error in mariner-required-configs.json. --- toolkit/scripts/mariner-required-configs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/toolkit/scripts/mariner-required-configs.json b/toolkit/scripts/mariner-required-configs.json index 9b380572e7f..0faa1d1f1b2 100644 --- a/toolkit/scripts/mariner-required-configs.json +++ b/toolkit/scripts/mariner-required-configs.json @@ -1286,7 +1286,7 @@ "PR": [ "https://github.com/microsoft/CBL-Mariner/pull/6823" ] - } + }, "CONFIG_ARM_SMMU_V3_SVA": { "value": [ "y" From 135a32b45635c27cee3085f5210926b654311c2d Mon Sep 17 00:00:00 2001 From: David Daney Date: Tue, 21 Nov 2023 17:49:44 -0600 Subject: [PATCH 7/7] Add CONFIG_ARM_SMMU_QCOM to mariner-required-configs.json. Need to match the config. --- toolkit/scripts/mariner-required-configs.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/toolkit/scripts/mariner-required-configs.json b/toolkit/scripts/mariner-required-configs.json index 0faa1d1f1b2..37cf2bc8b3d 100644 --- a/toolkit/scripts/mariner-required-configs.json +++ b/toolkit/scripts/mariner-required-configs.json @@ -1275,6 +1275,18 @@ "https://github.com/microsoft/CBL-Mariner/pull/6823" ] }, + "CONFIG_ARM_SMMU_QCOM": { + "value": [ + "y" + ], + "arch": [ + "ARM64" + ], + "comment": "Allow support of QCom SMMU, because why not?", + "PR": [ + "https://github.com/microsoft/CBL-Mariner/pull/6823" + ] + }, "CONFIG_ARM_SMMU_V3": { "value": [ "y"
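Review bot: The `comment` for `CONFIG_ARM_SMMU_QCOM` in the patch 7/7 hunk, "Allow support of QCom SMMU, because why not?", gives no reason that a later reviewer can check the requirement against. The commit message says the entry exists to match the config, and in 5.15 this symbol appears to be a derived default (set when `CONFIG_ARM_SMMU` and `CONFIG_ARCH_QCOM` are both enabled) rather than an independent choice, so I would state that: `"comment": "Follows CONFIG_ARM_SMMU on Qualcomm-enabled builds; listed to match config_aarch64"`. If it is in fact optional, the stricter position for a required-configs list is to leave out entries that have no stated need.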