
pkd/debian: Update extra patches for LTS kernel

Maximilian Luz před 4 roky
rodič
revize
4130746c31

+ 0 - 1
pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch

@@ -1 +0,0 @@
-../../fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch

+ 87 - 0
pkg/debian/kernel-lts/0001-Add-secureboot-pre-signing-to-the-kernel.patch

@@ -0,0 +1,87 @@
+From c1384dfce8f7a364a73b69c18238db635454ec6a Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sun, 22 Sep 2019 22:44:16 +0200
+Subject: [PATCH] Add secureboot pre-signing to the kernel
+
+If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
+the kernel Makefile will automatically sign the vmlinux / bzImage file that
+gets generated, and that is then used in packaging.
+
+By integrating it into the kernel build system directly, it is fully integrated
+with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
+and it gets added to every tree by the same mechanism that is used to apply the
+other surface patches anyways.
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+ .gitignore             |  3 +++
+ arch/x86/Makefile      |  1 +
+ scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+)
+ create mode 100755 scripts/sign_kernel.sh
+
+diff --git a/.gitignore b/.gitignore
+index 97ba6b79834c..490f0526ed66 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -127,6 +127,9 @@ signing_key.priv
+ signing_key.x509
+ x509.genkey
+ 
++# Secureboot certificate
++/keys/
++
+ # Kconfig presets
+ all.config
+ 
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 65a8722e784c..68ddcd308384 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -296,6 +296,7 @@ endif
+ 	$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
+ 	$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
+ 	$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
++	$(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
+ 
+ $(BOOT_TARGETS): vmlinux
+ 	$(Q)$(MAKE) $(build)=$(boot) $@
+diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
+new file mode 100755
+index 000000000000..d2526a279254
+--- /dev/null
++++ b/scripts/sign_kernel.sh
+@@ -0,0 +1,30 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0
++
++# The path to the compiled kernel image is passed as the first argument
++BUILDDIR=$(dirname $(dirname $0))
++VMLINUX=$1
++
++# Keys are stored in a toplevel directory called keys
++# The following files need to be there:
++#     * MOK.priv  (private key)
++#     * MOK.pem   (public key)
++#
++# If the files don't exist, this script will do nothing.
++if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
++    exit 0
++fi
++if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
++    exit 0
++fi
++
++# Both required certificates were found. Check if sbsign is installed.
++echo "Keys for automatic secureboot signing found."
++if [ ! -x "$(command -v sbsign)" ]; then
++    echo "ERROR: sbsign not found!"
++    exit -2
++fi
++
++# Sign the kernel
++sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
++    --output $VMLINUX $VMLINUX
+-- 
+2.32.0
+
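Review bot: The key-file names in scripts/sign_kernel.sh disagree with themselves: the comment block lists `MOK.priv`/`MOK.pem`, the `-f` tests and the sbsign call use `MOK.key`/`MOK.crt`, and the patch description says `MOK.cer`, so anyone following the comment gets a silently unsigned build because the script exits 0 when the files it actually looks for are absent. `exit -2` is not portable under `#!/bin/sh` (the status must be 0-255 and dash rejects a negative argument) and should be `exit 2`, and `$0`, `$BUILDDIR` and `$VMLINUX` are expanded unquoted, which breaks on paths containing spaces. Since arch/x86/Makefile invokes `$(srctree)/scripts/sign_kernel.sh`, `BUILDDIR` resolves to the source tree, so the keys must sit in `$(srctree)/keys` even for `O=` builds; the variable should be named for what it is and the comment should say so. The rewrite below fixes the comment, the exit status, the quoting and the naming, and leaves the signing itself (sbsign writing the image in place) unchanged.
```shell
# Usage: sign_kernel.sh <path-to-kernel-image>
# $0 is $(srctree)/scripts/sign_kernel.sh, so this resolves to the source
# tree, not the object tree: keys must live in $(srctree)/keys even for O= builds.
SRCTREE=$(dirname "$(dirname "$0")")
VMLINUX=$1

# Keys are stored in a toplevel directory called keys.
# The following files need to be there:
#     * MOK.key  (private key)
#     * MOK.crt  (certificate)
#
# If the files don't exist, this script will do nothing.
if [ ! -f "$SRCTREE/keys/MOK.key" ] || [ ! -f "$SRCTREE/keys/MOK.crt" ]; then
    exit 0
fi

# … unchanged: "Keys for automatic secureboot signing found." echo …
if [ ! -x "$(command -v sbsign)" ]; then
    echo "ERROR: sbsign not found!" >&2
    exit 2    # POSIX sh exit status is 0-255; "exit -2" is not portable
fi

# Sign the kernel image in place
sbsign --key "$SRCTREE/keys/MOK.key" --cert "$SRCTREE/keys/MOK.crt" \
    --output "$VMLINUX" "$VMLINUX"
```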

+ 66 - 54
pkg/debian/kernel-lts/export-symbols-needed-by-android-drivers.patch → pkg/debian/kernel-lts/0001-Export-symbols-needed-by-Android-drivers.patch

@@ -1,7 +1,7 @@
+From 816b7fe4a492f9f49978e39a779a89992d8d4d32 Mon Sep 17 00:00:00 2001
 From: Ben Hutchings <ben@decadent.org.uk>
 Date: Tue, 26 Jun 2018 16:59:01 +0100
-Subject: Export symbols needed by Android drivers
-Bug-Debian: https://bugs.debian.org/901492
+Subject: [PATCH 1/2] Export symbols needed by Android drivers
 
 We want to enable use of the Android ashmem and binder drivers to
 support Anbox, but they should not be built-in as that would waste
@@ -9,13 +9,22 @@ resources and increase security attack surface on systems that don't
 need them.
 
 Export the currently un-exported symbols they depend on.
-
 ---
-Index: linux/fs/file.c
-===================================================================
---- linux.orig/fs/file.c
-+++ linux/fs/file.c
-@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(st
+ fs/file.c           | 4 ++++
+ kernel/fork.c       | 1 +
+ kernel/sched/core.c | 1 +
+ kernel/signal.c     | 1 +
+ mm/memory.c         | 1 +
+ mm/shmem.c          | 1 +
+ mm/vmalloc.c        | 2 ++
+ security/security.c | 4 ++++
+ 8 files changed, 15 insertions(+)
+
+diff --git a/fs/file.c b/fs/file.c
+index 3762a3f136fd..3e10be834458 100644
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(struct task_struct *task)
  
  	return files;
  }
@@ -23,7 +32,7 @@ Index: linux/fs/file.c
  
  void put_files_struct(struct files_struct *files)
  {
-@@ -421,6 +422,7 @@ void put_files_struct(struct files_struc
+@@ -421,6 +422,7 @@ void put_files_struct(struct files_struct *files)
  		kmem_cache_free(files_cachep, files);
  	}
  }
@@ -31,7 +40,7 @@ Index: linux/fs/file.c
  
  void reset_files_struct(struct files_struct *files)
  {
-@@ -534,6 +536,7 @@ out:
+@@ -534,6 +536,7 @@ int __alloc_fd(struct files_struct *files,
  	spin_unlock(&files->file_lock);
  	return error;
  }
@@ -39,7 +48,7 @@ Index: linux/fs/file.c
  
  static int alloc_fd(unsigned start, unsigned flags)
  {
-@@ -607,6 +610,7 @@ void __fd_install(struct files_struct *f
+@@ -607,6 +610,7 @@ void __fd_install(struct files_struct *files, unsigned int fd,
  	rcu_assign_pointer(fdt->fd[fd], file);
  	rcu_read_unlock_sched();
  }
@@ -47,11 +56,11 @@ Index: linux/fs/file.c
  
  void fd_install(unsigned int fd, struct file *file)
  {
-Index: linux/kernel/fork.c
-===================================================================
---- linux.orig/kernel/fork.c
-+++ linux/kernel/fork.c
-@@ -1048,6 +1048,7 @@ void mmput_async(struct mm_struct *mm)
+diff --git a/kernel/fork.c b/kernel/fork.c
+index cf535b9d5db7..08f3ff948b2d 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1053,6 +1053,7 @@ void mmput_async(struct mm_struct *mm)
  		schedule_work(&mm->async_put_work);
  	}
  }
@@ -59,11 +68,23 @@ Index: linux/kernel/fork.c
  #endif
  
  /**
-Index: linux/kernel/signal.c
-===================================================================
---- linux.orig/kernel/signal.c
-+++ linux/kernel/signal.c
-@@ -1353,6 +1353,7 @@ struct sighand_struct *__lock_task_sigha
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 013b1c6cb4ed..962eef6a146c 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3976,6 +3976,7 @@ int can_nice(const struct task_struct *p, const int nice)
+ 	return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
+ 		capable(CAP_SYS_NICE));
+ }
++EXPORT_SYMBOL_GPL(can_nice);
+ 
+ #ifdef __ARCH_WANT_SYS_NICE
+ 
+diff --git a/kernel/signal.c b/kernel/signal.c
+index a02a25acf205..ab8c2d4d0e6d 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1368,6 +1368,7 @@ struct sighand_struct *__lock_task_sighand(struct task_struct *tsk,
  
  	return sighand;
  }
@@ -71,11 +92,11 @@ Index: linux/kernel/signal.c
  
  /*
   * send signal info to all the members of a group
-Index: linux/mm/memory.c
-===================================================================
---- linux.orig/mm/memory.c
-+++ linux/mm/memory.c
-@@ -1611,6 +1611,7 @@ void zap_page_range(struct vm_area_struc
+diff --git a/mm/memory.c b/mm/memory.c
+index 49b546cdce0d..753bb3a3df81 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1634,6 +1634,7 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long start,
  	mmu_notifier_invalidate_range_end(mm, start, end);
  	tlb_finish_mmu(&tlb, start, end);
  }
@@ -83,11 +104,11 @@ Index: linux/mm/memory.c
  
  /**
   * zap_page_range_single - remove user pages in a given range
-Index: linux/mm/shmem.c
-===================================================================
---- linux.orig/mm/shmem.c
-+++ linux/mm/shmem.c
-@@ -4039,6 +4039,7 @@ int shmem_zero_setup(struct vm_area_stru
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 9fd0e72757cf..4440c837318d 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -4053,6 +4053,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
  
  	return 0;
  }
@@ -95,11 +116,11 @@ Index: linux/mm/shmem.c
  
  /**
   * shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags.
-Index: linux/mm/vmalloc.c
-===================================================================
---- linux.orig/mm/vmalloc.c
-+++ linux/mm/vmalloc.c
-@@ -1299,6 +1299,7 @@ int map_kernel_range_noflush(unsigned lo
+diff --git a/mm/vmalloc.c b/mm/vmalloc.c
+index 1817871b0239..809d14e0b06e 100644
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -1300,6 +1300,7 @@ int map_kernel_range_noflush(unsigned long addr, unsigned long size,
  {
  	return vmap_page_range_noflush(addr, addr + size, prot, pages);
  }
@@ -107,7 +128,7 @@ Index: linux/mm/vmalloc.c
  
  /**
   * unmap_kernel_range_noflush - unmap kernel VM area
-@@ -1439,6 +1440,7 @@ struct vm_struct *get_vm_area(unsigned l
+@@ -1440,6 +1441,7 @@ struct vm_struct *get_vm_area(unsigned long size, unsigned long flags)
  				  NUMA_NO_NODE, GFP_KERNEL,
  				  __builtin_return_address(0));
  }
@@ -115,11 +136,11 @@ Index: linux/mm/vmalloc.c
  
  struct vm_struct *get_vm_area_caller(unsigned long size, unsigned long flags,
  				const void *caller)
-Index: linux/security/security.c
-===================================================================
---- linux.orig/security/security.c
-+++ linux/security/security.c
-@@ -236,24 +236,28 @@ int security_binder_set_context_mgr(stru
+diff --git a/security/security.c b/security/security.c
+index 9478444bf93f..9b06982fa2d4 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -236,24 +236,28 @@ int security_binder_set_context_mgr(struct task_struct *mgr)
  {
  	return call_int_hook(binder_set_context_mgr, 0, mgr);
  }
@@ -148,15 +169,6 @@ Index: linux/security/security.c
  
  int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
  {
-Index: linux/kernel/sched/core.c
-===================================================================
---- linux.orig/kernel/sched/core.c
-+++ linux/kernel/sched/core.c
-@@ -3973,6 +3973,7 @@ int can_nice(const struct task_struct *p
- 	return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
- 		capable(CAP_SYS_NICE));
- }
-+EXPORT_SYMBOL_GPL(can_nice);
- 
- #ifdef __ARCH_WANT_SYS_NICE
- 
+-- 
+2.32.0
+
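Review bot: The regenerated header drops the `Bug-Debian: https://bugs.debian.org/901492` line that the old patch carried (the same happens in the 0002 ashmem/binder patch in this commit), so the patch no longer records which Debian bug it originates from. git format-patch only preserves text that sits in the commit body, so the reference should be re-added there, e.g. `Bug-Debian: https://bugs.debian.org/901492` on its own line before the `---` separator, so the next regeneration keeps it. The exported-symbol hunks themselves are unchanged apart from line offsets and the kernel/sched/core.c section moving into file order.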

+ 48 - 38
pkg/debian/kernel-lts/android-enable-building-ashmem-and-binder-as-modules.patch → pkg/debian/kernel-lts/0002-android-Enable-building-ashmem-and-binder-as-modules.patch

@@ -1,7 +1,7 @@
+From ea5f38dafdd4a0c5482e4b4dbce0aef647411c13 Mon Sep 17 00:00:00 2001
 From: Ben Hutchings <ben@decadent.org.uk>
 Date: Fri, 22 Jun 2018 17:27:00 +0100
-Subject: android: Enable building ashmem and binder as modules
-Bug-Debian: https://bugs.debian.org/901492
+Subject: [PATCH 2/2] android: Enable building ashmem and binder as modules
 
 We want to enable use of the Android ashmem and binder drivers to
 support Anbox, but they should not be built-in as that would waste
@@ -12,12 +12,19 @@ need them.
 - Change the Makefiles to build each driver as an object with the
   "_linux" suffix (which is what Anbox expects)
 - Change config symbol types to tristate
-
 ---
-Index: linux/drivers/android/Kconfig
-===================================================================
---- linux.orig/drivers/android/Kconfig
-+++ linux/drivers/android/Kconfig
+ drivers/android/Kconfig          | 2 +-
+ drivers/android/Makefile         | 5 +++--
+ drivers/android/binder_alloc.c   | 2 +-
+ drivers/staging/android/Kconfig  | 2 +-
+ drivers/staging/android/Makefile | 3 ++-
+ drivers/staging/android/ashmem.c | 3 +++
+ 6 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig
+index 432e9ad77070..5f054abd6a10 100644
+--- a/drivers/android/Kconfig
++++ b/drivers/android/Kconfig
 @@ -9,7 +9,7 @@ config ANDROID
  if ANDROID
  
@@ -27,10 +34,10 @@ Index: linux/drivers/android/Kconfig
  	depends on MMU
  	default n
  	---help---
-Index: linux/drivers/android/Makefile
-===================================================================
---- linux.orig/drivers/android/Makefile
-+++ linux/drivers/android/Makefile
+diff --git a/drivers/android/Makefile b/drivers/android/Makefile
+index a01254c43ee3..e42257997ba8 100644
+--- a/drivers/android/Makefile
++++ b/drivers/android/Makefile
 @@ -1,4 +1,5 @@
  ccflags-y += -I$(src)			# needed for trace events
  
@@ -39,10 +46,23 @@ Index: linux/drivers/android/Makefile
 +obj-$(CONFIG_ANDROID_BINDER_IPC)	+= binder_linux.o
 +binder_linux-y := binder.o binder_alloc.o
 +binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
-Index: linux/drivers/staging/android/Kconfig
-===================================================================
---- linux.orig/drivers/staging/android/Kconfig
-+++ linux/drivers/staging/android/Kconfig
+diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
+index 3371b986e3b4..b51dd2aaba90 100644
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -44,7 +44,7 @@ enum {
+ };
+ static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
+ 
+-module_param_named(debug_mask, binder_alloc_debug_mask,
++module_param_named(alloc_debug_mask, binder_alloc_debug_mask,
+ 		   uint, 0644);
+ 
+ #define binder_alloc_debug(mask, x...) \
+diff --git a/drivers/staging/android/Kconfig b/drivers/staging/android/Kconfig
+index 17c5587805f5..c46669f32bfa 100644
+--- a/drivers/staging/android/Kconfig
++++ b/drivers/staging/android/Kconfig
 @@ -3,7 +3,7 @@ menu "Android"
  if ANDROID
  
@@ -52,11 +72,11 @@ Index: linux/drivers/staging/android/Kconfig
  	default n
  	depends on SHMEM
  	help
-Index: linux/drivers/staging/android/Makefile
-===================================================================
---- linux.orig/drivers/staging/android/Makefile
-+++ linux/drivers/staging/android/Makefile
-@@ -2,5 +2,6 @@ ccflags-y += -I$(src)			# needed for tra
+diff --git a/drivers/staging/android/Makefile b/drivers/staging/android/Makefile
+index 90e6154f11a4..8202002bd72c 100644
+--- a/drivers/staging/android/Makefile
++++ b/drivers/staging/android/Makefile
+@@ -2,5 +2,6 @@ ccflags-y += -I$(src)			# needed for trace events
  
  obj-y					+= ion/
  
@@ -64,10 +84,10 @@ Index: linux/drivers/staging/android/Makefile
 +obj-$(CONFIG_ASHMEM)			+= ashmem_linux.o
 +ashmem_linux-y += ashmem.o
  obj-$(CONFIG_ANDROID_VSOC)		+= vsoc.o
-Index: linux/drivers/staging/android/ashmem.c
-===================================================================
---- linux.orig/drivers/staging/android/ashmem.c
-+++ linux/drivers/staging/android/ashmem.c
+diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
+index a97bbd89fae2..1f1f16c39b58 100644
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
 @@ -24,6 +24,7 @@
  #include <linux/bitops.h>
  #include <linux/mutex.h>
@@ -76,22 +96,12 @@ Index: linux/drivers/staging/android/ashmem.c
  #include "ashmem.h"
  
  #define ASHMEM_NAME_PREFIX "dev/ashmem/"
-@@ -924,3 +925,5 @@ out:
+@@ -964,3 +965,5 @@ static int __init ashmem_init(void)
  	return ret;
  }
  device_initcall(ashmem_init);
 +
 +MODULE_LICENSE("GPL v2");
-Index: linux/drivers/android/binder_alloc.c
-===================================================================
---- linux.orig/drivers/android/binder_alloc.c
-+++ linux/drivers/android/binder_alloc.c
-@@ -44,7 +44,7 @@ enum {
- };
- static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
- 
--module_param_named(debug_mask, binder_alloc_debug_mask,
-+module_param_named(alloc_debug_mask, binder_alloc_debug_mask,
- 		   uint, 0644);
- 
- #define binder_alloc_debug(mask, x...) \
+-- 
+2.32.0
+