[Mellanox] Add new patches come along with hw-mgmt V.7.0000.3032 to buster #132
Merged
Conversation
Junchao-Mellanox changed the title from "[Mellanox] Add new patches come along with hw-mgmt V.7.0000.3032" to "[Mellanox] Add new patches come along with hw-mgmt V.7.0000.3032 to buster" on Apr 22, 2020.
sempervictus pushed a commit to sempervictus/sonic-linux-kernel that referenced this pull request on Apr 19, 2021:

Network equipment is critical infrastructure with long uptimes and significant throughput/processing, especially in undercloud fabric. The OS kernel is responsible for managing raw system resources and the enforcement of security (privilege/access) boundaries. This set of responsibilities, and a number of technical reasons such as long-running memory layouts, and physical page table access, make the kernel a high-value target for attackers. Rebooting the system for upgrades can be problematic, and patches providing correct solutions for ring0 concerns may take some time to matriculate to stable release - leaving gaps in the security posture of systems. In order to reduce exposure during these gaps, and the impact or feasibility of 0-day attacks, this high-value target needs to be better protected with probabilistic, deterministic, and semantic defenses.

While this effort is by no means a replacement for the professional-grade mitigations in Grsecurity/PaX, it does start down the path of elevated defensive posture by introducing the Linux Hardened kernel patchset from GrapheneOS, and the Linux Kernel Runtime Guard (LKRG) from OpenWall by Adam Zabrocki. The hardening patchset implements a number of C-level fixes, higher entropy ASLR, namespace protections, FS access restrictions to sensitive targets like /dev/mem, and syscall restrictions. Atop the basics, it adds GCC plugins or improves upon the upstream ones to randomize struct layouts, initify and initialize variables at compile-time, and provides a PRNG from the jitterentropy source. More info at https://www.whonix.org/wiki/Hardened-kernel as well as in the source repo https://github.com/anthraxx/linux-hardened.

LKRG provides additional tiers of mitigation by actively hashing and validating kernel memory regions, further restricting access to common LPE and escape vectors, as well as mechanisms for modifying the running kernel commonly used to bypass LSMs. LKRG can be built directly into the kernel to provide enforcement from early-boot.

Notes: While not in the scope of this pull request, the kernel-tier mechanisms provided here should be complemented by Daniel Micay's hardened-malloc to guard against userspace memory corruption, UAF, and other malfeasance. This effort parallels a similar pull request for VyOS - sonic-net#132. The added functionality provided there in regards to LVS, XTables, and other patches can be backported here on request.

Testing: None on this branch, we maintain 5.4 and 5.10 branches in-house.
sempervictus pushed a commit to sempervictus/sonic-linux-kernel that referenced this pull request on Apr 19, 2021:

Network equipment is critical infrastructure with long uptimes and significant throughput/processing, especially in undercloud fabric. The OS kernel is responsible for managing raw system resources and the enforcement of security (privilege/access) boundaries. This set of responsibilities, and a number of technical reasons such as long-running memory layouts, and physical page table access, make the kernel a high-value target for attackers. Rebooting the system for upgrades can be problematic, and patches providing correct solutions for ring0 concerns may take some time to matriculate to stable release - leaving gaps in the security posture of systems. In order to reduce exposure during these gaps, and the impact or feasibility of 0-day attacks, this high-value target needs to be better protected with probabilistic, deterministic, and semantic defenses.

While this effort is by no means a replacement for the professional-grade mitigations in Grsecurity/PaX, it does start down the path of elevated defensive posture by introducing the Linux Hardened kernel patchset from GrapheneOS by Daniel Micay and others. The hardening patchset implements a number of C-level fixes, higher entropy ASLR, namespace protections, FS access restrictions to sensitive targets like /dev/mem, and syscall restrictions. Atop the basics, it adds GCC plugins or improves upon the upstream ones to randomize struct layouts, initify and initialize variables at compile-time, and provides a PRNG from the jitterentropy source. More info at https://www.whonix.org/wiki/Hardened-kernel as well as in the source repo https://github.com/anthraxx/linux-hardened.

Notes: While not in the scope of this pull request, the kernel-tier mechanisms provided here should be complemented by Daniel Micay's hardened-malloc to guard against userspace memory corruption, UAF, and other malfeasance. This effort parallels a similar pull request for VyOS - sonic-net#132. The added functionality provided there in regards to LVS, XTables, and other patches can be backported here on request.

Testing: None on this branch, we maintain 5.4 and 5.10 branches in-house.
What I did:
Added four patches along with hw-mgmt V.7.0000.3032 to buster. They are:
0007-mlxsw-core-thermal-Set-default-thermal-trips-at-init.patch
0008-mlxsw-qsfp_sysfs-Remove-obsolete-code-for-QSFP-EEPRO.patch
0009-platform-mellanox-mlxreg-io-Add-support-for-compl.patch
0010-platform-mellanox-mlxreg-hotplug-Add-environmental-d.patch
How I verified:
Ran the platform regression test on Spectrum 1, Spectrum 2 and Spectrum 3. No new issues found.