aboutsummaryrefslogtreecommitdiffstats
path: root/main/linux-hardened/APKBUILD
blob: 792c32a25f6cd7830801afb02b97f298031d529e (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215

# Maintainer: Natanael Copa <ncopa@alpinelinux.org>

_mainflavor=hardened
pkgname=linux-$_mainflavor
pkgver=4.9.63
case $pkgver in
*.*.*)	_kernver=${pkgver%.*};;
*.*)	_kernver=${pkgver};;
esac
pkgrel=0
pkgdesc="Linux kernel with hardening patches"
url="http://alpinelinux.org"
depends="mkinitfs"
makedepends="perl sed installkernel bash gmp-dev bc linux-headers mpfr-dev
	mpc1-dev elfutils-dev"
options="!strip !check"
install=
source="https://kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz
	https://kernel.org/pub/linux/kernel/v4.x/patch-$pkgver.xz
	http://dev.alpinelinux.org/~ncopa/grsec/hardened-3.1-$pkgver-201704252333-alpine.patch
	0001-HID-apple-fix-Fn-key-Magic-Keyboard-on-bluetooth.patch
	zfs-fix.patch

	config-hardened.x86
	config-hardened.x86_64
	config-hardened.armhf

	config-virthardened.x86
	config-virthardened.x86_64
	"
subpackages="$pkgname-dev:_dev"
_flavors=
for _i in $source; do
	case $_i in
	config-*.$CARCH)
		_f=${_i%.$CARCH}
		_f=${_f#config-}
		_flavors="$_flavors ${_f}"
		if [ "linux-$_f" != "$pkgname" ]; then
			subpackages="$subpackages linux-${_f} linux-${_f}-dev:_dev"
		fi
		;;
	esac
done

arch="x86 x86_64 armhf"
license="GPL2"

prepare() {
	local _patch_failed=
	cd "$srcdir"/linux-$_kernver
	if [ "${pkgver%.0}" = "$pkgver" ]; then
		msg "Applying patch-$pkgver.xz"
		unxz -c < "$srcdir"/patch-$pkgver.xz | patch -p1 -N || return 1
	fi

	# first apply patches in specified order
	for i in $source; do
		local file=${i%::*}
		case $file in
		*.patch)
			msg "Applying $file..."
			if ! patch -s -p1 -N -i "$srcdir"/${file##*/}; then
				echo $file >>failed
				_patch_failed=1
			fi
			;;
		esac
	done

	if ! [ -z "$_patch_failed" ]; then
		error "The following patches failed:"
		cat failed
		return 1
	fi

	# remove localversion from patch if any
	rm -f localversion*

	for i in $_flavors; do
		local _config=config-$i.${CARCH}
		local _builddir="$srcdir"/build-$i
		mkdir -p "$_builddir"
		echo "-$pkgrel-$i" > "$srcdir"/build-$i/localversion-alpine \
			|| return 1

		cp "$srcdir"/$_config "$_builddir"/.config || return 1
		make -C "$srcdir"/linux-$_kernver \
			O="$_builddir" \
			HOSTCC="${CC:-gcc}" \
			silentoldconfig || return 1
	done
}

build() {
	for i in $_flavors; do
		cd "$srcdir"/build-$i
		make CC="${CC:-gcc}" \
			KBUILD_BUILD_VERSION="$((pkgrel + 1 ))-Alpine" \
			|| return 1
	done
}

_package() {
	local _buildflavor="$1" _outdir="$2"
	local _abi_release=${pkgver}-${pkgrel}-${_buildflavor}

	cd "$srcdir"/build-$_buildflavor || return 1

	mkdir -p "$_outdir"/boot "$_outdir"/lib/modules

	local _install
	case "$CARCH" in
	arm*)
		local _dtbdir="$_outdir"/usr/lib/linux-${_abi_release}
		mkdir -p "$_dtbdir"
		for i in arch/arm/boot/dts/*.dtb ; do
			install -m644 "$i" "$_dtbdir"
		done

		_install=zinstall
		;;
	*)
		_install=install
		;;
	esac

	make -j1 modules_install firmware_install $_install \
		INSTALL_MOD_PATH="$_outdir" \
		INSTALL_PATH="$_outdir"/boot \
		|| return 1

	rm -f "$_outdir"/lib/modules/${_abi_release}/build \
		"$_outdir"/lib/modules/${_abi_release}/source
	rm -rf "$_outdir"/lib/firmware

	install -D include/config/kernel.release \
		"$_outdir"/usr/share/kernel/$_buildflavor/kernel.release
}

# main flavor installs in $pkgdir
package() {
	depends="$depends linux-firmware"
	provides="linux-grsec=${pkgver}-r${pkgrel}"

	_package hardened "$pkgdir"
}

# subflavors install in $subpkgdir
virthardened() {
	provides="linux-virtgrsec=${pkgver}-r${pkgrel}"

	_package virthardened "$subpkgdir"
}

_dev() {
	local _flavor=$(echo $subpkgname | sed -E 's/(^linux-|-dev$)//g')
	local _abi_release=${pkgver}-${pkgrel}-$_flavor
	# copy the only the parts that we really need for build 3rd party
	# kernel modules and install those as /usr/src/linux-headers,
	# simlar to what ubuntu does
	#
	# this way you dont need to install the 300-400 kernel sources to
	# build a tiny kernel module
	#
	pkgdesc="Headers and script for third party modules for $_flavor kernel"
	depends="gmp-dev bash"
	local dir="$subpkgdir"/usr/src/linux-headers-${_abi_release}

	# first we import config, run prepare to set up for building
	# external modules, and create the scripts
	mkdir -p "$dir"
	cp "$srcdir"/config-$_flavor.${CARCH} "$dir"/.config
	echo "-$pkgrel-$_flavor" > "$dir"/localversion-alpine \
		|| return 1
	make -j1 -C "$srcdir"/linux-$_kernver O="$dir" HOSTCC="${CC:-gcc}" \
		silentoldconfig prepare modules_prepare scripts

	# remove the stuff that points to real sources. we want 3rd party
	# modules to believe this is the soruces
	rm "$dir"/Makefile "$dir"/source

	# copy the needed stuff from real sources
	#
	# this is taken from ubuntu kernel build script
	# http://kernel.ubuntu.com/git/ubuntu/ubuntu-zesty.git/tree/debian/rules.d/3-binary-indep.mk
	cd "$srcdir"/linux-$_kernver
	find .  -path './include/*' -prune \
		-o -path './scripts/*' -prune -o -type f \
		\( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
		   -name '*.sh' -o -name '*.pl' -o -name '*.lds' \) \
		-print | cpio -pdm "$dir" || return 1

	cp -a scripts include "$dir" || return 1
	find $(find arch -name include -type d -print) -type f \
		| cpio -pdm "$dir"

	install -Dm644 "$srcdir"/build-$_flavor/Module.symvers \
		"$dir"/Module.symvers

	mkdir -p "$subpkgdir"/lib/modules/${_abi_release}
	ln -sf /usr/src/linux-headers-${_abi_release} \
		"$subpkgdir"/lib/modules/${_abi_release}/build
}

sha512sums="bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a  linux-4.9.tar.xz
51fa0a5c19989be5326130421afe29aeb22bc7be65adbe882fc32b0b22c414e8631e3e7cefb6fecfc23545851a19211f5feddd7196934f5c84ec507b4f2984c0  patch-4.9.63.xz
8557995928225255c98c31e159d6557ff13ca71015bd5ea96528d96c8523fa6be397c32a585b88ba54b5a5b952e0ea1d6adea16e0074d4efa9532fc00b92f472  hardened-3.1-4.9.63-201704252333-alpine.patch
5373728be2b507c3db5e042e1d768740df7965078868afdc46418b1adc4cae3d8f9f1aedb59975a0f2acf8754340499354fcf97c503397a5d9886ccc9689b782  0001-HID-apple-fix-Fn-key-Magic-Keyboard-on-bluetooth.patch
5a0a78e6de11eb8180d96830b9faa9ac560586f7beb663c8196a16ac6232b5008b9181b3c9b94e2b13a444acba4b6e80a3408d34606432f92eb4d169c3953d5d  zfs-fix.patch
72ebda2e8f54047ff1884bcde9f2a0b02bbe5d2b210eff484b165963c53f22413d3513c36e00bc6114e9ee34bb1e3f289cdf82215a3685f2301f0e4deef62829  config-hardened.x86
8310cca535b7c80806ca30f2f43a46222ceb1f65a3570d06e8e3a64bd1917ec881faf6dc2c94910dcfd8ba0a61f82db36f5fe94f5b1b86e08bb36ff89e7986b9  config-hardened.x86_64
5f7c5f7f0f040c1d6e4bf9bba0febe1c3a874b9d1fa5285ab487940aa02b3909b28bae4939329e151373a58ea5deb2575439632c05e47ce817c37668a5b9eb58  config-hardened.armhf
04ace078cb37b2a352cdf42f560ce0d21e94658fecdc0a46cc506560d7149666698c1f16eea8bc2495b44042d4562b59c83dfd04f55f230283c07b45365df281  config-virthardened.x86
7693c05afe4fea17d8b31ea20954f31a47b3062b9de7c7d9270dd430443cadf5e7a7b2bf7f69274a9db2312346374f72151dcf4f44aeb2fcd4d69bbd0db0bfc2  config-virthardened.x86_64"
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 23:46:59 +0000