sys-kernel/hardened-kernel: bump v6.16.8

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2025-09-25 22:48:42 +03:00
parent fc8118e6c7
commit c84ae93c15
8 changed files with 95 additions and 31513 deletions
--- a/sys-kernel/hardened-kernel/hardened-kernel-6.16.8.ebuild
+++ b/sys-kernel/hardened-kernel/hardened-kernel-6.16.8.ebuild
@@ -0,0 +1,174 @@
+# Copyright 2020-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+KERNEL_IUSE_GENERIC_UKI=1
+KERNEL_IUSE_MODULES_SIGN=1
+
+inherit kernel-build toolchain-funcs verify-sig
+
+MY_P=linux-${PV%.*}
+PATCHSET=linux-gentoo-patches-6.16.8
+# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
+# forked to https://github.com/projg2/fedora-kernel-config-for-gentoo
+CONFIG_VER=6.16.2-gentoo
+GENTOO_CONFIG_VER=g17
+SHA256SUM_DATE=20250919
+HARDENED_PATCH_VER="${PV}-hardened1"
+USER_PATCHSET=linux-user-patches-${PV}
+GENPATCHES_EXCLUDE="1500_XATTR_USER_PREFIX.patch
+	0001-fs-Enable-link-security-restrictions-by-default.patch
+"
+
+DESCRIPTION="Linux kernel built with Gentoo patches"
+HOMEPAGE="
+	https://wiki.gentoo.org/wiki/Project:Distribution_Kernel
+	https://www.kernel.org/
+"
+SRC_URI+="
+    https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
+	https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/patch-${PV}.xz
+    https://dev.gentoo.org/~mgorny/dist/linux/${PATCHSET}.tar.xz
+	https://github.com/anthraxx/linux-hardened/releases/download/v${HARDENED_PATCH_VER}/linux-hardened-v${HARDENED_PATCH_VER}.patch
+	https://github.com/projg2/gentoo-kernel-config/archive/${GENTOO_CONFIG_VER}.tar.gz
+		-> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
+    verify-sig? (
+        https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/sha256sums.asc
+            -> linux-$(ver_cut 1).x-sha256sums-${SHA256SUM_DATE}.asc
+    )
+	amd64? (
+		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-x86_64-fedora.config
+			-> kernel-x86_64-fedora.config.${CONFIG_VER}
+	)
+	arm64? (
+		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-aarch64-fedora.config
+			-> kernel-aarch64-fedora.config.${CONFIG_VER}
+	)
+	ppc64? (
+		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-ppc64le-fedora.config
+			-> kernel-ppc64le-fedora.config.${CONFIG_VER}
+	)
+	x86? (
+		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-i686-fedora.config
+			-> kernel-i686-fedora.config.${CONFIG_VER}
+	)
+"
+S=${WORKDIR}/${MY_P}
+
+KEYWORDS="amd64 ~arm arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~sparc x86"
+IUSE="+debug +experimental"
+REQUIRED_USE="
+	arm? ( savedconfig )
+	hppa? ( savedconfig )
+	riscv? ( savedconfig )
+	sparc? ( savedconfig )
+"
+
+RDEPEND="
+"
+BDEPEND="
+        debug? ( dev-util/pahole )
+        verify-sig? ( >=sec-keys/openpgp-keys-kernel-20250702 )
+"
+PDEPEND="
+	>=virtual/dist-kernel-${PV}
+"
+
+QA_FLAGS_IGNORED="
+	usr/src/linux-.*/scripts/gcc-plugins/.*.so
+	usr/src/linux-.*/vmlinux
+	usr/src/linux-.*/arch/powerpc/kernel/vdso.*/vdso.*.so.dbg
+"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/kernel.org.asc
+
+src_unpack() {
+        if use verify-sig; then
+                cd "${DISTDIR}" || die
+                verify-sig_verify_signed_checksums \
+                        "linux-$(ver_cut 1).x-sha256sums-${SHA256SUM_DATE}.asc" \
+                        sha256 "${MY_P}.tar.xz patch-${PV}.xz"
+                cd "${WORKDIR}" || die
+        fi
+
+        default
+}
+
+src_prepare() {
+	local patch
+
+	mkdir ${WORKDIR}/${USER_PATCHSET}
+	
+	# remove some genpatches causes conflicts with linux-hardened patch
+	for patch in ${GENPATCHES_EXCLUDE}; do
+		rm -f ${WORKDIR}/${PATCHSET}/${patch}
+	done
+	# Remove already exists changes in linux-hardened patch
+	sed -i '344,356d' "${WORKDIR}/${PATCHSET}/0010-Add-Gentoo-Linux-support-config-settings-and-default.patch"
+	# include linux-hardened patch with priority
+	cp ${DISTDIR}/linux-hardened-v${HARDENED_PATCH_VER}.patch ${WORKDIR}/${USER_PATCHSET}/1198_linux-hardened-${HARDENED_PATCH_VER}.patch
+
+    # copy pkg maintainer supplied patches
+    if [ -d "${FILESDIR}/${MY_P}" ]; then
+            cp "${FILESDIR}/${MY_P}"/*.patch ${WORKDIR}/${USER_PATCHSET}/
+    fi
+
+	eapply "${WORKDIR}/patch-${PV}"
+	for patch in "${WORKDIR}/${PATCHSET}"/*.patch; do
+	        eapply "${patch}"
+	        # non-experimental patches always finish with Gentoo Kconfig
+	        # when ! use experimental, stop applying after it
+	        if [[ ${patch} == *Add-Gentoo-Linux-support-config-settings* ]] &&
+	                ! use experimental
+	        then
+	                break
+	        fi
+	done
+
+	for patch in "${WORKDIR}/${USER_PATCHSET}"/*.patch; do
+	        eapply "${patch}"
+	done
+	
+	default
+
+	local biendian=false
+
+	# prepare the default config
+	case ${ARCH} in
+		amd64)
+			cp "${FILESDIR}/${MY_P}.amd64.config" .config || die
+			;;
+		*)
+			die "Unsupported arch ${ARCH}"
+			;;
+	esac
+
+	local myversion="-gentoo-dist"
+	echo "CONFIG_LOCALVERSION=\"${myversion}\"" > "${T}"/version.config || die
+	local dist_conf_path="${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"
+
+	local merge_configs=(
+		"${T}"/version.config
+	)
+	use debug || merge_configs+=(
+		"${dist_conf_path}"/no-debug.config
+	)
+
+	merge_configs+=( "${dist_conf_path}"/hardened-base.config )
+
+	tc-is-gcc && merge_configs+=( "${dist_conf_path}"/hardened-gcc-plugins.config )
+
+	if [[ -f "${dist_conf_path}/hardened-${ARCH}.config" ]]; then
+		merge_configs+=( "${dist_conf_path}/hardened-${ARCH}.config" )
+	fi
+
+	# this covers ppc64 and aarch64_be only for now
+	if [[ ${biendian} == true && $(tc-endian) == big ]]; then
+		merge_configs+=( "${dist_conf_path}/big-endian.config" )
+	fi
+
+	use secureboot && merge_configs+=( "${dist_conf_path}/secureboot.config" )
+
+	kernel-build_merge_configs "${merge_configs[@]}"
+}