lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LSU.2.11.1601181433590.26335@er-systems.de>
Date:	Mon, 18 Jan 2016 14:36:09 +0100 (CET)
From:	Thomas Voegtle <tv@...96.de>
To:	Borislav Petkov <bp@...e.de>
cc:	Michal Marek <mmarek@...e.cz>,
	Måns Rullgård <mans@...sr.com>,
	Markus Trippelsdorf <markus@...ppelsdorf.de>,
	linux-kernel@...r.kernel.org, x86-ml <x86@...nel.org>
Subject: Re: [RFC PATCH] x86/kconfig: Sanity-check config file during
 oldconfig

On Thu, 14 Jan 2016, Borislav Petkov wrote:

> From: Borislav Petkov <bp@...e.de>
>
> Thomas Voegtle reported that doing oldconfig with a .config which has
> CONFIG_MICROCODE enabled but BLK_DEV_INITRD disabled prevents the
> microcode loading mechanism from being built.
>
> Add a short script which hooks into the "make oldconfig" handling and
> sanity-checks the config file for that discrepancy. It issues a message
> which should hopefully sensitize the user to that issue and point her
> into the right direction.
>
> The other useful thing with this solution is that it can be extended to
> other config file sanity-checking, should the need arise.
>
> Reported-by: Thomas Voegtle <tv@...96.de>
> Cc: Markus Trippelsdorf <markus@...ppelsdorf.de>
> Cc: Måns Rullgård <mans@...sr.com>
> Signed-off-by: Borislav Petkov <bp@...e.de>
> ---
> arch/x86/scripts/check-configs.sh | 44 +++++++++++++++++++++++++++++++++++++++
> scripts/kconfig/Makefile          |  3 +++
> 2 files changed, 47 insertions(+)
> create mode 100644 arch/x86/scripts/check-configs.sh
>
> diff --git a/arch/x86/scripts/check-configs.sh b/arch/x86/scripts/check-configs.sh
> new file mode 100644
> index 000000000000..775d07e37df5
> --- /dev/null
> +++ b/arch/x86/scripts/check-configs.sh
> @@ -0,0 +1,44 @@
> +#!/bin/bash
> +
> +if [ "$1" != "oldconfig" ]; then
> +	exit 0
> +fi
> +
> +srctree=$2
> +ARCH="$3"
> +UNAME_RELEASE=$(uname -r)
> +
> +CONFIGS=".config /lib/modules/$UNAME_RELEASE/.config /etc/kernel-config /boot/config-$UNAME_RELEASE"
> +
> +if [ "$ARCH" = "X86_32" ]; then
> +	CONFIGS="$CONFIGS $srctree/arch/x86/configs/i386_defconfig"
> +else
> +	CONFIGS="$CONFIGS $srctree/arch/x86/configs/x86_64_defconfig"
> +fi
> +
> +for c in $CONFIGS;
> +do
> +	if [ -e $c ]; then
> +		OLD_CONFIG=$c
> +		break
> +	fi
> +done
> +
> +if [ -z "$OLD_CONFIG" ]; then exit 0; fi
> +
> +# Check optimal microcode loader .config settings
> +if ! grep -v "^#" $OLD_CONFIG | grep -q MICROCODE; then
> +	exit 0
> +fi
> +
> +MSG="\nYou have CONFIG_MICROCODE enabled without BLK_DEV_INITRD. The preferred\n\
> +way is to enable it and make sure microcode is added to your initrd as\n\
> +explained in Documentation/x86/early-microcode.txt. This is also the\n\
> +most tested method as the majority of distros do it. Alternatively, and\n\
> +if you don't want to enable modules, you should make sure the microcode\n\
> +is built into the kernel.\n"
> +
> +if ! grep -v "^#" $OLD_CONFIG | grep -q BLK_DEV_INITRD; then
> +	echo -e $MSG
> +	read -p "Press any key... "
> +fi
> diff --git a/scripts/kconfig/Makefile b/scripts/kconfig/Makefile
> index d79cba4ce3eb..136ae9744efc 100644
> --- a/scripts/kconfig/Makefile
> +++ b/scripts/kconfig/Makefile
> @@ -81,6 +81,9 @@ simple-targets := oldconfig allnoconfig allyesconfig allmodconfig \
> PHONY += $(simple-targets)
>
> $(simple-targets): $(obj)/conf
> +ifneq ($(wildcard $(srctree)/arch/$(SRCARCH)/scripts/check-configs.sh),)
> +	$(Q)$(CONFIG_SHELL) $(srctree)/arch/$(SRCARCH)/scripts/check-configs.sh $@ $(srctree) $(ARCH)
> +endif
> 	$< $(silent) --$@ $(Kconfig)
>
> PHONY += oldnoconfig savedefconfig defconfig
>


My problem was, CONFIG_MICROCODE got dropped silently, and yes that is
fixed for me with this patch.
But I think this is a little bit odd way to fix it, but I don't have a 
better idea.

What's with olddefconfig and silentoldconfig ?

btw that patch has to go to stable 4.4, too


   Thomas


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ