build: add option for building with stack-protector-all

The GCC option -fstack-protector-all is a security feature used to protect against stack-smashing attacks. This option enhances the stack-smashing protection provided by -fstack-protector-strong. The -fstack-protector-all option applies stack protection to all functions, regardless of their characteristics. While this offers the most comprehensive protection against stack-smashing attacks, it can significantly impact the performance of the program because every function call includes additional checks for stack integrity.

This option can incur a performance penalty because of the extra checks added to every function call, but it significantly enhances security, making it harder for attackers to exploit buffer overflows to execute arbitrary code. It's particularly useful in scenarios where security is paramount and performance trade-offs are acceptable.

Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>

target: Make TARGET_SERIAL independent of GRUB configuration

GRUB_SERIAL is also used for the default serial on the target and not only in grub. When no grub was built, it was not available and the build fails. Rename GRUB_SERIAL to TARGET_SERIAL and make it always available on x86 and armsr targets.

Fixes: #14063
Fixes: b10768476f9d ("x86,armsr: interpolate GRUB_SERIAL into /etc/inittab")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

build: add CycloneDX SBOM JSON support

CycloneDX is an open source standard developed by the OWASP foundation. It supports a wide range of development ecosystems, a comprehensive set of use cases, and focuses on automation, ease of adoption, and progressive enhancement of SBOMs (Software Bill Of Materials) throughout build pipelines.

So let's add support for CycloneDX SBOM for packages and images manifests.

Signed-off-by: Petr Štetiar <ynezz@true.cz>

build: Add option KERNEL_KASAN_SW_TAGS and HW_TAGS

Currently KASAN is supported but only the generic one. SW-tag and HW-tag based KASAN have less impact on memory footprint or performance, and are worth supporting. Add choice menu for software and hardware Tag-Based KASAN, in addition to the generic one.

Signed-off-by: Zhen XIN <zhen.xin@nokia-sbell.com>
[Restructure commit message]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

config: add a knob to use the mold linker for packages

Building it requires gcc >= 10.2 or clang >= 12.

Using sstrip with its -z argument can produce non-working binaries, like a segfaulting `getrandom`, so don't allow that combination.

Signed-off-by: Andre Heider <a.heider@gmail.com>

kernel: introduce KERNEL_WERROR config option

In commit b2d1eb717b65 ("generic: 5.15: enable Werror by default for kernel compile") CONFIG_WERROR=y was enabled and all warnings/errors reported with GCC 12 were fixed.

Keeping this in sync with past/future GCC versions is going to be an uphill battle, so let's introduce a new KERNEL_WERROR config option, enable it by default only for tested/known working combinations and on buildbots.

References: #12687
Signed-off-by: Petr Štetiar <ynezz@true.cz>

ipq807x: rename target to qualcommax

Currently, ipq807x only covers Qualcomm IPQ807x SoC-s. However, Qualcomm also has IPQ60xx and IPQ50xx SoC-s under the AX WiSoC-s and they share a lot of stuff with IPQ807x, especially IPQ60xx, so to avoid duplicating kernel patches and everything let's make a common target with per SoC subtargets.

Start doing that by renaming ipq807x to qualcommax so that dependencies on ipq807x target can be updated.

Signed-off-by: Robert Marko <robimarko@gmail.com>

build: use 128MiB as the boot/kernel partition size on armvirt target

The nominal partition type for EFI boot partitions is FAT32, which has a minimum size of 32MiB on a 512-byte-sector block device. To ensure that the boot partition is created as FAT32, set a size well above this minimum.

A useful discussion about EFI partition sizes can be found here:
https://superuser.com/questions/1310927/what-is-the-absolute-minimum-size-a-uefi-system-partition-can-be

I have found 128MiB works pretty consistently across both tools (mkfs.fat) and firmwares (EDKII).

Signed-off-by: Mathew McBride <matt@traverse.com.au>

grub2: enable EFI for armvirt

This adds a separate package for EFI on Arm SystemReady compatible machines. 32-bit Arm UEFI is supported as well. It is very similar to x86-64 EFI setup, without the need for BIOS backward compatibility and slightly different default modules.

Signed-off-by: Mathew McBride <matt@traverse.com.au>

kernel: add MODULE_ALLOW_BTF_MISMATCH option

BTF mismatch can occur for a separately-built module even when the ABI is otherwise compatible and nothing else would prevent successfully loading. Add a new config to control how mismatches are handled. By default, preserve the current behavior of refusing to load the module. If MODULE_ALLOW_BTF_MISMATCH is enabled, load the module but ignore its BTF information.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

treewide: cleanup kernel symbol references

We only use the 5.15 kernel. So remove all those unnecessary symbols referencing the 5.10 or 5.15 kernel. Can be found with: `git grep -E 'LINUX_5_1(0|5)'`

Note that we remove the dependency from "sound-soc-chipdip-dac" instead of removing the complete kernel package. The 5.15 version bump forgot to delete the "@LINUX_5_10" dependency. The kernel package is still needed in the 5.15 kernel.

Signed-off-by: Nick Hainke <vincent@systemli.org>