sys-kernel/hardened-kernel: add v5.19.14

sys-kernel/hardened-kernel/Manifest

@@ -1,9 +1,15 @@
 AUX linux-5.10.amd64.config 151821 BLAKE2B ab79186a5f101301d50e74ad79a5eb4343fdbacdabcfdc414c2308e78afde3ad6facfc58867b3cd63d85f24b59133b7e4422eb1263913603cfa580f27940f5d8 SHA512 be691a565987ca2ba4f8ff73dee9b49d8e585e73b5a25cbeba77ee9496fec30704d484e813838f3b46c2356746dd284d6ae3d3d3cb6791a4f73e2334029435ac
 AUX linux-5.10/400-ath_regd.patch 6414 BLAKE2B 698c546f85e712feaa84ff3296bae2de35782676cf42677b8bb53b9f44314a25b1bd94b9ee6a66da12dbd016da1fe3bf0140c76eb61b37332294e637153fd31e SHA512 1db61a8d92ab35d7c72990e44c59039f60e356c67d693affcdb96cd0179b5e44abd3f029b4e6dd230b289451ac7d60daeaee0a5863fd344698d53cf3d3f1c618
 AUX linux-5.10/beacon_timeout.patch 4047 BLAKE2B b182c326d5d750bec5f73b263124323f10fd452c839d540f21caa7fff46ffa0acb90433bece36efc29056362090cc2512ad116c135402056db557b601e41ab26 SHA512 3dd7e7b83b451ccfbb6285ea04ebcc11f6f1b08c6c676baba7942aa87f62e7118d4e4ad23fa4ddecf61968af5904084a7091712b6a67044b238f2a3f24a4701b
+AUX linux-5.19.amd64.config 162196 BLAKE2B ec33b87ac120d2cfc6eae7e47248ec38ff465d303a9f2f15fed16100d1189f4fc81da69aa59b96e5fae8bf23f31996354038ca0c9790f4ac0cab8056d6a0a529 SHA512 7be07d99ea9a7b7c69dee1e37f2c4c847b7b245273166f4e959a616467796dae58bd4a2634ece1d5132c68975990d97ab9a21b0e033c725d727e1cf81242bfea
 DIST genpatches-5.10-155.base.tar.xz 4187452 BLAKE2B bfa7612befc96a338e411ae20536bed348b95c6a51d067dee15ed64d0dfdc4e5700d26473720923f1a6393fbab29b5731014d29ae5a98bcd3c0a0a6125a24b73 SHA512 6a01cbe8def4e387778d5abd5eefabd556ac1ca283c0cb9bcea7fb1bf2c2812996fae5416c2e88f7b55934686fac52d777af3fdf0ac6dbc8ae3c280934c664f2
 DIST genpatches-5.10-155.extras.tar.xz 3868 BLAKE2B 744b3272427213e9aeb1a10abc768b911587729101cb21b8b2be231e1b683cd22aae95ef9af9d09ecf585cf0422f242d3b49f81072cda336f719504fe2755a8a SHA512 092db0ae428c0b3ff7727d34c577ab0e928ef2632879b33057f037427836f7a4095de510cfc8b5ad87ef54d90d81518a2edf1e7ada439ce28f02645fea105427
+DIST genpatches-5.19-16.base.tar.xz 886340 BLAKE2B 1b0a22eef6f1cd4fb253301b31ded1113753b1747ae72ac7c3a2fef198d5e28365d3178ffe5bdb7b17e5d4b07066d9c8b4dfb5123e78211f3cc04a3d474daf5d SHA512 c98d8388ea0a494271f0b5601328893f46ed5ea36ee1ea1b020b8e3aa6541ed6141c9ebe20e38d02212a076d8a77d845f878cec8a3813d1c455f70c9be561304
+DIST genpatches-5.19-16.extras.tar.xz 3804 BLAKE2B c7c5132972abcdd38803412ee035b1630c20da683c8fbc7ef6e51441fe6f2b4b6d33ae085d257ab5b15133ad858be964ae97bf0ff9ff9a06bb2d91ee202bf23d SHA512 afcde123ca1152a76fd882886b5f7fbf630da0dd4a5b201221d6afe247c1e83997a691a2ffdbaa6c292343bbfd2676bcaa59fb118522c0dce46c956737a7ae74
 DIST linux-5.10.tar.xz 116606704 BLAKE2B b923d7b66309224f42f35f8a5fa219421b0a9362d2adacdadd8d96251f61f7230878ea297a269a7f3b3c56830f0b177e068691e1d7f88501a05653b0a13274d1 SHA512 95bc137d0cf9148da6a9d1f1a878698dc27b40f68e22c597544010a6c591ce1b256f083489d3ff45ff77753289b535135590194d88ef9f007d0ddab3d74de70e
+DIST linux-5.19.tar.xz 131581464 BLAKE2B 4db03a6830a3b3bbf0837e1912182a443d9a4aa8af20a12e6ec814ed708038452d3c0ccee1258cca671c464d76461536363a8adc56e9d098c9a44ae3484a297a SHA512 00313b2f9b82d2dc3fb8294007cf7d7599d254b717ed2de23c81fa7a1bbcbc2798ad286cb94e2f7f5bd54132d1d764facd90d30f79dbcc6616cc7f926adc2623
 DIST linux-hardened-5.10.146-hardened1.patch 111171 BLAKE2B 1b14d06db7e2b903f977d9c0db5672e451062230abcaa315f2b45611eeb6909b506f09e8ff528ca9f776050c6e5deacd8ad21a0494c36ddc1ceccf222f8cf572 SHA512 c8ce8a11b0e1c390982d172c3fee5a930e6b7fd4ade4106be62e3a23f5ceeca9155829531606441d1577a8545d511017fe6c358570f6636f90d76375c266b7e7
+DIST linux-hardened-5.19.14-hardened1.patch 99828 BLAKE2B 649857086ce59befc28c2abb9b0be68f97808d3a966332748dc174cc473090e6a9babee25b081293b3e11fb4b351c0aa60e95acd0242c120c759a8ea9859e014 SHA512 e0edd0efa0e0543b1ae9a0e753636d1605fabc7d0269394d2da22ac26fa18fccb84dc77d4461f42d570e9ccac348d2e4c730bb2a99c86c2946f060d1c61e108e
 EBUILD hardened-kernel-5.10.146.ebuild 3046 BLAKE2B e4f02387f4f7e0bb861c8eb358dca068114dfbd8ac8a83d0247ade338091121c6bf4e6c054e5f23f7fb1dd4b0703b053b33f94e812fde297371d3ea193899895 SHA512 71e48791dcb74fafd7a859c9ec90ba2bddf29f4770d3e39420ffa9e7de0c24e2c137ec7b41d356b5096b3d98dc15bf04cd799c01c10e23d40d6e2a052eddb080
+EBUILD hardened-kernel-5.19.14.ebuild 3046 BLAKE2B 7fa16956b551d248d83942bed3b6c52208e2f070b7ba2879888b9b1aba4d79dfc8e2a3d71899333d87643ca4b02cd7d3627db92da8c1b8c0aeab961fb8a034ef SHA512 b23ee5c7e771bd3a5e1109ac54d8c50592ef0576c41f9126b24b58fba04709377f1f4700968c8ae98d1f644965a21374b99414e6d58e16b917f83715ac9ad492
 MISC metadata.xml 345 BLAKE2B 4003222d76459210cbeba27d68bcef9b42f500dd3dafe53505dae42004c5224eeae395fb30d7582de614654d2fde19d118c8c31fbc35e5335c9150d93f42efc9 SHA512 994d288cd16858bad3177d383a279f0f549ddf40ef87c62683815540b331bd48d4afa4d0c6af947e409c58f8abb5e1da045bb98dc00a422ea724cdf0610d6619

sys-kernel/hardened-kernel/hardened-kernel-5.19.14.ebuild

@@ -0,0 +1,103 @@
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit kernel-build
+
+MY_P=linux-${PV%.*}
+GENPATCHES_P=genpatches-${PV%.*}-$((${PV##*.}+2))
+HARDENED_PATCH_VER="${PV}-hardened1"
+GENPATCHES_EXCLUDE="1500_XATTR_USER_PREFIX.patch
+	1510_fs-enable-link-security-restrictions-by-default.patch
+	2900_dev-root-proc-mount-fix.patch
+	4200_fbcondecor.patch
+	4400_alpha-sysctl-uac.patch
+	4567_distro-Gentoo-Kconfig.patch"
+
+
+DESCRIPTION="Linux kernel built with Gentoo patches"
+HOMEPAGE="https://www.kernel.org/"
+SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
+	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
+	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
+	https://github.com/anthraxx/linux-hardened/releases/download/${HARDENED_PATCH_VER}/linux-hardened-${HARDENED_PATCH_VER}.patch"
+
+S=${WORKDIR}/${MY_P}
+
+LICENSE="GPL-2"
+KEYWORDS="~amd64"
+IUSE="debug extra-hardened"
+
+REQUIRED_USE="extra-hardened? ( !debug )"
+
+BDEPEND="
+	!initramfs? ( sys-kernel/initramfs-image )
+	app-crypt/sbsigntools
+	sys-firmware/intel-microcode
+	debug? ( dev-util/dwarves )"
+RDEPEND="
+	!sys-kernel/gentoo-kernel:${SLOT}
+	!sys-kernel/gentoo-kernel-bin:${SLOT}
+	!sys-kernel/vanilla-kernel:${SLOT}
+	!sys-kernel/vanilla-kernel-bin:${SLOT}"
+
+RESTRICT="strip"
+
+src_prepare() {
+	# remove some genpatches causes conflicts with linux-hardened patch
+	for patch in ${GENPATCHES_EXCLUDE}; do
+		rm -f ${WORKDIR}/${patch}
+	done
+	# include linux-hardened patch with priority
+	cp ${DISTDIR}/linux-hardened-${HARDENED_PATCH_VER}.patch ${WORKDIR}/1199_linux-hardened-${HARDENED_PATCH_VER}.patch
+	# copy Clear Linux patches
+	if [ -d "${FILESDIR}"/${MY_P} ]; then
+		cp "${FILESDIR}"/${MY_P}/*.patch ${WORKDIR}/
+	fi
+
+	local PATCHES=(
+		# meh, genpatches have no directory
+		"${WORKDIR}"/*.patch
+	)
+	default
+
+	# prepare the default config
+	case ${ARCH} in
+		amd64)
+			cp "${FILESDIR}"/${MY_P}.amd64.config .config || die
+			;;
+		*)
+			die "Unsupported arch ${ARCH}"
+			;;
+	esac
+
+	local config_tweaks=(
+		# shove arch under the carpet!
+		-e 's:^CONFIG_DEFAULT_HOSTNAME=:&"gentoo":'
+		# disable compression to allow stripping
+		-e '/CONFIG_MODULE_COMPRESS/d'
+	)
+	use debug || config_tweaks+=(
+		-e '/CONFIG_DEBUG_INFO/d'
+	)
+	use extra-hardened || config_tweaks+=(
+        # disable signatures
+        -e '/CONFIG_MODULE_SIG/d'
+        -e '/CONFIG_SECURITY_LOCKDOWN/d'
+        # Reqired to be disabled for out of tree kernel modules
+        -e '/CONFIG_TRIM_UNUSED_KSYMS/d'
+	)
+	sed -i "${config_tweaks[@]}" .config || die
+	sed -i "s@\-hardened1@@g" Makefile || die
+}
+
+src_install() {
+	kernel-build_src_install
+
+	if [[ -n "${UEFI_SB_KEY}" && -n "${UEFI_SB_CRT}" ]] ;then
+		sbsign --key ${UEFI_SB_KEY} --cert ${UEFI_SB_CRT} --output ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage.signed \
+		  ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage && \
+		mv ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage.signed ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage
+	fi
+}