Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root only [Solved as incompatible]

Posted: Mon Mar 10, 2025 11:12 am
by 1mouse3
The x299 I'm using is a misfit from what is classed as normal and has special needs, as in this PC will be used for CAD and my old x79 will be running the CAM. I am trying to set up Gentoo or LiGurOS to run on this x299 but need to do custom stuff to it, to fit my needs and wants for an operating system.

Code:

Snapshot created on: 20240527_0909
System:
  Kernel: 6.1.0-31-amd64 [6.1.128-1] arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
    parameters: BOOT_IMAGE=/boot/vmlinuz-6.1.0-31-amd64 root=UUID=<filter> ro quiet splash
  Desktop: LXQt v: 1.3.0 info: lxqt-panel wm: kwin_x11 vt: 7 dm: SDDM Distro: MX-23.5_x64
    Libretto May 19 2024 base: Debian GNU/Linux 12 (bookworm)
Machine:
  Type: Desktop Mobo: EVGA model: X299 FTW K v: 1.0 serial: <superuser required>
    UEFI: American Megatrends v: 1.29 date: 11/22/2021
CPU:
  Info: model: Intel Core i9-7940X bits: 64 type: MT MCP arch: Skylake gen: core 7 level: v4
    note: check process: Intel 14nm family: 6 model-id: 0x55 (85) stepping: 4 microcode: 0x2007006
  Topology: cpus: 1x cores: 14 tpc: 2 threads: 28 smt: enabled cache: L1: 896 KiB desc: d-14x32
    KiB; i-14x32 KiB L2: 14 MiB desc: 14x1024 KiB L3: 19.2 MiB desc: 1x19.2 MiB
  Speed (MHz): avg: 1378 high: 2200 min/max: 1200/4400 scaling: driver: intel_cpufreq
    governor: ondemand cores: 1: 1200 2: 1200 3: 1200 4: 1200 5: 1400 6: 1200 7: 1500 8: 1200 9: 1200
    10: 1829 11: 1200 12: 2200 13: 1335 14: 1200 15: 1200 16: 1200 17: 1200 18: 1200 19: 1600
    20: 2000 21: 1200 22: 1700 23: 1200 24: 2000 25: 1200 26: 1200 27: 1324 28: 1301
    bogomips: 173599
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities:
  Type: gather_data_sampling mitigation: Microcode
  Type: itlb_multihit status: KVM: VMX disabled
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
  Type: mds mitigation: Clear CPU buffers; SMT vulnerable
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data mitigation: Clear CPU buffers; SMT vulnerable
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed mitigation: IBRS
  Type: spec_rstack_overflow status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2 mitigation: IBRS; IBPB: conditional; STIBP: conditional; RSB filling;
    PBRSB-eIBRS: Not affected; BHI: Not affected
  Type: srbds status: Not affected
  Type: tsx_async_abort mitigation: Clear CPU buffers; SMT vulnerable
Graphics:
  Device-1: NVIDIA GK107 [GeForce GT 740] vendor: eVga.com. driver: nvidia v: 470.256.02 non-free:
    series: 470.xx+ status: legacy-active (EOL~2023/24) arch: Kepler code: GKxxx process: TSMC 28nm
    built: 2012-18 pcie: gen: 1 speed: 2.5 GT/s lanes: 8 link-max: gen: 3 speed: 8 GT/s lanes: 16
    bus-ID: 65:00.0 chip-ID: 10de:0fc8 class-ID: 0300
  Display: x11 server: X.Org v: 1.21.1.7 compositor: kwin_x11 driver: X: loaded: nvidia
    unloaded: fbdev,modesetting,nouveau,vesa alternate: nv gpu: nvidia display-ID: :0 screens: 1
  Screen-1: 0 s-res: 1920x1200 s-dpi: 90 s-size: 542x350mm (21.34x13.78") s-diag: 645mm (25.4")
  Monitor-1: DVI-D-0 res: 1920x1200 hz: 60 dpi: 89 size: 546x352mm (21.5x13.86")
    diag: 650mm (25.58") modes: N/A
  API: OpenGL v: 4.6.0 NVIDIA 470.256.02 renderer: NVIDIA GeForce GT 740/PCIe/SSE2
    direct-render: Yes
Audio:
  Device-1: NVIDIA GK107 HDMI Audio vendor: eVga.com. driver: snd_hda_intel bus-ID: 5-1:2 v: kernel
    pcie: chip-ID: 3842:3100 class-ID: fe01 gen: 3 speed: 8 GT/s lanes: 8 link-max: lanes: 16
    bus-ID: 65:00.1 chip-ID: 10de:0e1b class-ID: 0403
  Device-2: EVGA NU Audio type: USB driver: snd-usb-audio
  API: ALSA v: k6.1.0-31-amd64 status: kernel-api tools: alsamixer,amixer
  Server-1: PipeWire v: 1.0.0 status: active with: 1: pipewire-pulse status: active
    2: wireplumber status: active 3: pipewire-alsa type: plugin 4: pw-jack type: plugin
    tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Intel Ethernet I219-V driver: e1000e v: kernel port: N/A bus-ID: 00:1f.6
    chip-ID: 8086:15b8 class-ID: 0200
  IF: eth1 state: up speed: 100 Mbps duplex: full mac: <filter>
  Device-2: Qualcomm Atheros Killer E2500 Gigabit Ethernet vendor: Acer Incorporated ALI
    driver: alx v: kernel pcie: gen: 1 speed: 2.5 GT/s lanes: 1 port: 2000 bus-ID: 03:00.0
    chip-ID: 1969:e0b1 class-ID: 0200
  IF: eth0 state: down mac: <filter>
  Device-3: Intel Ethernet 10-Gigabit X540-AT2 driver: ixgbe v: kernel pcie: gen: 2 speed: 5 GT/s
    lanes: 8 port: N/A bus-ID: 17:00.0 chip-ID: 8086:1528 class-ID: 0200
  IF: eth2 state: down mac: <filter>
  Device-4: Intel Ethernet 10-Gigabit X540-AT2 driver: ixgbe v: kernel pcie: gen: 2 speed: 5 GT/s
    lanes: 8 port: N/A bus-ID: 17:00.1 chip-ID: 8086:1528 class-ID: 0200
  IF: eth3 state: down mac: <filter>
Drives:
  Local Storage: total: 10.49 TiB used: 66.86 GiB (0.6%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Crucial model: CT500P2SSD8 size: 465.76 GiB
    block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 type: SSD serial: <filter>
    rev: P2CR048 temp: 33.9 C scheme: GPT
  ID-2: /dev/nvme1n1 maj-min: 259:6 vendor: Crucial model: CT500P3SSD8 size: 465.76 GiB
    block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 type: SSD serial: <filter>
    rev: P9CR313 temp: 40.9 C scheme: GPT
  ID-3: /dev/nvme2n1 maj-min: 259:7 vendor: Crucial model: CT500P3SSD8 size: 465.76 GiB
    block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 type: SSD serial: <filter>
    rev: P9CR313 temp: 34.9 C scheme: GPT
  ID-4: /dev/sda maj-min: 8:0 vendor: Western Digital model: WD80EZZX-11CSGA0 size: 7.28 TiB
    block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s type: HDD rpm: 5400 serial: <filter>
    rev: 0A03 scheme: GPT
  ID-5: /dev/sdb maj-min: 8:16 vendor: Western Digital model: WD20EADS-00R6B0 size: 1.82 TiB
    block-size: physical: 512 B logical: 512 B speed: 3.0 Gb/s type: N/A serial: <filter> rev: 0A01
    scheme: MBR
  ID-6: /dev/sdc maj-min: 8:32 type: USB vendor: SanDisk model: USB 3.2Gen1 size: 28.65 GiB
    block-size: physical: 512 B logical: 512 B type: N/A serial: <filter> rev: 1.00 scheme: MBR
  SMART Message: Unknown USB bridge. Flash drive/Unsupported enclosure?
Partition:
  ID-1: / raw-size: 97.66 GiB size: 95.56 GiB (97.86%) used: 10.71 GiB (11.2%) fs: ext4
    dev: /dev/sda6 maj-min: 8:6
  ID-2: /boot/efi raw-size: 1000 MiB size: 998 MiB (99.80%) used: 288 KiB (0.0%) fs: vfat
    dev: /dev/sda8 maj-min: 8:8
  ID-3: /home raw-size: 389.65 GiB size: 382.47 GiB (98.16%) used: 52.9 GiB (13.8%) fs: ext4
    dev: /dev/sda7 maj-min: 8:7
Swap:
  Kernel: swappiness: 15 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: partition size: 124.98 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/dm-0
    maj-min: 253:0 mapped: luks-<filter>
Sensors:
  System Temperatures: cpu: 43.0 C mobo: N/A gpu: nvidia temp: 40 C
  Fan Speeds (RPM): N/A gpu: nvidia fan: 21%
Repos:
  Packages: pm: dpkg pkgs: 2548 libs: 1367 tools: apt,apt-get,aptitude,nala,synaptic pm: rpm
    pkgs: 0 pm: flatpak pkgs: 0
  No active apt repos in: /etc/apt/sources.list
  Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
    1: deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
  Active apt repos in: /etc/apt/sources.list.d/debian.list
    1: deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
    2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
  Active apt repos in: /etc/apt/sources.list.d/mx.list
    1: deb http://mirrors.rit.edu/mxlinux/mx-packages/mx/repo/ bookworm main non-free
Info:
  Processes: 427 Uptime: 15h 24m wakeups: 1 Memory: 62.49 GiB used: 4.74 GiB (7.6%) Init: SysVinit
  v: 3.06 runlevel: 5 default: graphical tool: systemctl Compilers: gcc: 12.2.0 alt: 12
  Client: shell wrapper v: 5.2.15-release inxi: 3.3.26
Boot Mode: UEFI


So I need a quick-to-launch and set-up recovery OS to service this; MX Linux fits what I need and this tool is one example. This chroot tool would keep me from needing hackery with !bin-bash to do the same job; this tool does it cleaner and easier.

The theme I use is this border set and a colour palette I made almost a decade ago; the icon and cursor set is all that has changed, based on what works with a given OS. So I want to use a copy of my current home with MX Linux and don't want it to be RO. There are issues caused by the newer kwin and I need to find settings for stuff; if I can't figure these out I will ask in another post.

https://store.kde.org/p/998870

I grabbed this MX-23.3 LXQt 1.3 Respin to use, since it has LXQt that works like the old KDE 3.5/4. The newer KDE 5/6 Plasma works with my theme but has more bloat than I'd like, and I want to keep things the same as what will be in use with the working OS. This is an x32 ISO and I'm not sure if that will give issues with an x64-only kernel; if I need to use a different respin I will do so. The only change I made is that I removed xfce and replaced it with kwin-x11, since that's what I want for the display manager.

viewtopic.php?t=80729

As for the special needs of this x299 board, it has its own embedded boot loader that is very picky as to what it will list. I have had issues getting this to like GRUB, but the way MX Linux makes it, it can be found, though there are two instances of it. So MX Linux gives a proper example of setting up an ESP partition, but I don't see a reason to be chain-loading boot loaders. I have been trying to set up Gentoo or LiGurOS for efistub and no systemd, but that means doing a bunch of custom stuff. Has efistub been tried for MX Linux and is there any documentation on it?

I am using a custom kernel for the Gentoo or LiGurOS that will be built in a chroot using MX Linux; the kernel needs to match between the two so things are built correctly and don't give errors. I fixed this ebuild and got it mostly working; it was using Debian source but I changed that to a custom one to sort out the hardened patches that were in this.

https://github.com/1mouse3/liguros-xxx/ ... -r1.ebuild

This port of the GrapheneOS kernel is up to date and has those patches already applied, so is what I used over the given patch set.

https://github.com/anthraxx/linux-hardened

Based on what I found in how a Debian kernel works, I made these tarballs for use in that ebuild. Debian uses an ASOP kernel and runs its own patch set to change that state, but here the ASOP is replaced by the GrapheneOS source. I have the 6.1.27_p1-r1 patch set here since the 6.1.124_p1-r1 patch set was not available when I made this.

Code:

KERNEL_ARCHIVE="https://www.dropbox.com/scl/fi/isqrcpbld7pk6iln2dt6c/linux_6.1.124.orig.tar.xz?rlkey=kdldkzec29i70aq689yoy2yv2&st=toxjojql&dl=0&raw=1 -> ${KERNEL}"
DEB_PATCH_ARCHIVE="https://www.dropbox.com/scl/fi/bfuyprfhj7cq17dzbruqf/linux_6.1.124-1.debian.tar.xz?rlkey=44pi91kwxa6v8mpnj5i8rcw0n&st=mmnekdpy&raw=1 -> ${DEB_PATCH}"
DEB_DSC_ARCHIVE="https://www.dropbox.com/scl/fi/gaia3pyf5fy3uxn12rv34/linux_6.1.124-1.dsc?rlkey=84johlvp7kd8l093pj9knmdtf&st=9biultvi&dl=0&raw=1 -> linux_${DEB_PV}.dsc"
To get this change of source to work, I had to make this patch set to make the Debian patches happy.

https://github.com/1mouse3/liguros-xxx/ ... ne-patches

So it should be a simple swap of stuff and addition of a patch to get this working in a Debian .deb, but I'm not too sure on that. I found this article on doing what I want, but it needs "deb-src" for the first step, which is not an available package, and I'm not sure what else would give issues in this.

https://quantum5.ca/2021/08/04/building ... ckporting/

And this is the config I want to use for this kernel; it is set up for use with this board and has hardened changes.

https://github.com/1mouse3/liguros-xxx/ ... es/.config

So the final question is over the RO sandbox for root only and not home; home is to be a copy of the current one used. Squashfs does the RO sandbox and MX Linux is using this; the issue is I don't know the correct terms used for such. The reason for this is that if the system crashes when building the OS in the chroot, it will corrupt data that is RW for root, and I don't want this to occur since it will entail a rebuild. So I would like MX Linux to be set up like this...

Code:

HDD-PART-A= source of MX linux root, so it can be updated and remake the USB when needed
HDD-PART-B= ESP boot for HDD-PART-A
HDD-PART-C= copy of current home
USB-PART-A= RO sandbox of MX Linux for normal use, would like this to be compressed and to be run in tmpfs since I have the RAM for that, so I don't need a large USB that will get hot and degrade.
USB-PART-B= ESP boot for USB-PART-A
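
The usual names for the pieces of this layout are a squashfs image as the read-only lower layer and an OverlayFS with a tmpfs upper layer on top of it. The script below is an added example, not code from this thread, from MX Linux or from the poster's repositories: it packs a root tree into a squashfs image, copies the image into a tmpfs so the USB stick is not touched at runtime, mounts it read-only, overlays a tmpfs upper layer so root's writes never reach the image, and mounts a separate writable partition on /home. All paths, the device name and the mksquashfs options are assumptions for the example; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: read-only squashfs root in RAM with a tmpfs overlay and a
# persistent, writable /home. Paths and devices are placeholders.
# DRY_RUN=1 prints the commands; DRY_RUN=0 as root executes them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_image SRC_TREE OUT_IMAGE: pack a root tree into a zstd-compressed squashfs.
build_image() {
    # zstd corresponds to CONFIG_SQUASHFS_ZSTD=y in the kernel that will mount it;
    # -xattrs keeps file capabilities and security labels (CONFIG_SQUASHFS_XATTR=y).
    run mksquashfs "$1" "$2" -comp zstd -noappend -xattrs
}

# mount_sandbox IMAGE RAMDIR MNT HOME_DEV: RAM-backed read-only root, writable home.
mount_sandbox() {
    image=$1; ram=$2; mnt=$3; home_dev=$4
    run mkdir -p "$ram" "$mnt"
    # One tmpfs holds the image copy and the overlay's upper/work directories,
    # so everything root writes lives in RAM and is discarded on reboot.
    run mount -t tmpfs -o mode=0755,size=50% tmpfs "$ram"
    run mkdir -p "$ram/lower" "$ram/upper" "$ram/work"
    run cp "$image" "$ram/rootfs.squashfs"
    # squashfs is read-only by construction; 'ro' just makes that explicit.
    run mount -t squashfs -o ro,loop "$ram/rootfs.squashfs" "$ram/lower"
    # Reads fall through to the image, writes land in the tmpfs upper layer.
    run mount -t overlay overlay \
        -o "lowerdir=$ram/lower,upperdir=$ram/upper,workdir=$ram/work" "$mnt"
    # The persistent copy of home stays on its own partition (HDD-PART-C above).
    run mount "$home_dev" "$mnt/home"
}

# Safe default: dry run. Export DRY_RUN=0 and run as root to really do it.
DRY_RUN="${DRY_RUN:-1}"
build_image "${SRC_TREE:-/srv/mxroot}" "${IMAGE:-/tmp/rootfs.squashfs}"
mount_sandbox "${IMAGE:-/tmp/rootfs.squashfs}" /run/sandbox /mnt/live "${HOME_DEV:-/dev/sdXN}"
```

If overlay, squashfs and loop are built as modules, `modprobe overlay squashfs loop` has to come first. The chroot in which the Gentoo/LiGurOS tree is built must sit on the persistent partition, not under the overlay's upper layer, because that layer is exactly what is thrown away after a crash; the squashfs image itself cannot be corrupted by a crash since nothing is ever written to it. A live ISO boots through the same squashfs plus overlay stack from its initramfs; doing it by hand on a running system just makes the pieces visible.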

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Mon Mar 10, 2025 3:05 pm
by Stevo
"deb-src" is a separate repository line that can be added to your list of APT repos, not a package. It then lets Debian tools get, modify, and build the original packages' source code.

Debian does ship rebuilt realtime kernel flavours along with the others, though. The proprietary Nvidia drivers you have won't build or work on them, though.

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Mon Mar 10, 2025 9:57 pm
by 1mouse3
Stevo wrote: Mon Mar 10, 2025 3:05 pm "deb-src" is a separate repository line that can be added to your list of APT repos, not a package. It then lets Debian tools get, modify, and build the original packages' source code.

Debian does ship rebuilt realtime kernel flavours along with the others, though. The proprietary Nvidia drivers you have won't build or work on them, though.
This is what I found based on that recommendation; are you giving a different way to do it?

https://live-team.pages.debian.net/live ... on.en.html

See this in there...

Code:

8.2.11 Custom kernels

You can build and include your own custom kernels, so long as they are integrated within the Debian package management system. The live-build system does not support kernels not built as .deb packages.

The proper and recommended way to deploy your own kernel packages is to follow the instructions in the kernel-handbook. Remember to modify the ABI and flavour suffixes appropriately, then include a complete build of the linux and matching linux-latest packages in your repository.

If you opt to build the kernel packages without the matching metapackages, you need to specify an appropriate --linux-packages stub as discussed in Kernel flavour and version. As we explain in Installing modified or third-party packages, it is best if you include your custom kernel packages in your own repository, though the alternatives discussed in that section work as well.

It is beyond the scope of this document to give advice on how to customize your kernel. However, you must at least ensure your configuration satisfies these minimum requirements:
* Use an initial ramdisk.
* Include the union filesystem module (i.e. usually OverlayFS).
* Include any other filesystem modules required by your configuration (i.e. usually squashfs).
That leads to this. What are these flavors that it speaks about?

Code:

8.2.10 Kernel flavour and version

One or more kernel flavours will be included in your image by default, depending on the architecture. You can choose different flavours via the --linux-flavours option. Each flavour is suffixed to the default stub linux-image to form each metapackage name which in turn depends on an exact kernel package to be included in your image.

Thus by default, an amd64 architecture image will include the linux-image-amd64 flavour metapackage, and an i386 architecture image will include the linux-image-586 metapackage.

When more than one kernel package version is available in your configured archives, you can specify a different kernel package name stub with the --linux-packages option. For example, supposing you are building an amd64 architecture image and add the experimental archive for testing purposes so you can install the linux-image-3.18.0-trunk-amd64 kernel. You would configure that image as follows:
$ lb config --linux-packages linux-image-3.18.0-trunk
$ echo "deb http://deb.debian.org/debian/ experimental main" > config/archives/experimental.list.chroot

Code:

8.3 Installing modified or third-party packages

While it is against the philosophy of a live system, it may sometimes be necessary to build a live system with modified versions of packages that are in the Debian repository. This may be to modify or support additional features, languages and branding, or even to remove elements of existing packages that are undesirable. Similarly, "third-party" packages may be used to add bespoke and/or proprietary functionality.

This section does not cover advice regarding building or maintaining modified packages. Joachim Breitner's 'How to fork privately' method from ‹http://www.joachim-breitner.de/blog/archives/282-How-to-fork-privately.html› may be of interest, however. The creation of bespoke packages is covered in the Debian New Maintainers' Guide at ‹https://www.debian.org/doc/manuals/maint-guide/› and elsewhere.

There are two ways of installing modified custom packages:

packages.chroot
Using a custom APT repository
Using packages.chroot is simpler to achieve and useful for "one-off" customizations but has a number of drawbacks, while using a custom APT repository is more time-consuming to set up.
It mentioned setting specific configs, are these fine for what I want to use?

Code:

CONFIG_OVERLAY_FS=m
# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set
CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y
# CONFIG_OVERLAY_FS_INDEX is not set
# CONFIG_OVERLAY_FS_XINO_AUTO is not set
# CONFIG_OVERLAY_FS_METACOPY is not set
# CONFIG_OVERLAY_FS_UNPRIVILEGED is not set

CONFIG_SQUASHFS=m
CONFIG_SQUASHFS_FILE_CACHE=y
# CONFIG_SQUASHFS_FILE_DIRECT is not set
CONFIG_SQUASHFS_DECOMP_SINGLE=y
# CONFIG_SQUASHFS_DECOMP_MULTI is not set
# CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set
CONFIG_SQUASHFS_XATTR=y
CONFIG_SQUASHFS_ZLIB=y
CONFIG_SQUASHFS_LZ4=y
CONFIG_SQUASHFS_LZO=y
CONFIG_SQUASHFS_XZ=y
CONFIG_SQUASHFS_ZSTD=y
# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
# CONFIG_SQUASHFS_EMBEDDED is not set
CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
I have an Nvidia RTX 3070 with a water block that needs to be less than 1.5 slots wide; an LSI 9240-8i SAS card will be in the next one and needs breathing room so it does not get hot. I can turn off lanes with this board's BIOS and this will be off most of the time; it will share 8x from the video card slot when on. This card will be used for a tape drive; I'm thinking about getting an LTO 3 or 4 drive at some point. So I will have something in most of the slots; the nvme0 in the 4x slot will go with the x79 after I copy stuff over and archive other stuff. I may consider getting another one of those adapter cards at some point, to use the onboard obtain option and move one of the other two NVMes over to that. The BIOS is modded for NVMe boot in the x79; it supports the Crucial P2 spec and the ones that will stay with the x299 are P3 spec. I am close to having that video card working; I just need to get this contraption that took time to make added into the loop. These 4 Sanyo 90mm and 200mm closely match the static pressure of 2 Noctua IPPC-3000 140mm and the square-inch area of the other 280mm radiator. Would the proprietary drivers of an RTX 3070 be an issue or are you recommending something else?

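The live-build text quoted above gives three minimum requirements (an initial ramdisk, the union filesystem and the filesystem modules the image needs), and the question is whether the quoted CONFIG_OVERLAY_FS / CONFIG_SQUASHFS fragment satisfies them. The script below is an added example, not from this thread or from live-build, that checks a kernel .config for those options, plus the squashfs decompressor the image was actually compressed with, and reports what is missing. The sample config it writes is constructed from the fragment quoted above with lz4 switched off so that one check fails; point `check_live_config` at a real .config to use it.

```shell
#!/bin/sh
# Added example: verify a kernel .config against the live-build minimum
# requirements quoted above. Exit status 1 if any required option is missing.

# kconfig_is_set CONFIG OPTION: true if OPTION=y or OPTION=m.
# A "# OPTION is not set" line, or no line at all, counts as missing.
kconfig_is_set() {
    grep -Eq "^$2=(y|m)$" "$1"
}

# squashfs_comp_option NAME: map an mksquashfs -comp name to its Kconfig symbol.
squashfs_comp_option() {
    case "$1" in
        gzip|zlib) echo CONFIG_SQUASHFS_ZLIB ;;
        lz4)       echo CONFIG_SQUASHFS_LZ4 ;;
        lzo)       echo CONFIG_SQUASHFS_LZO ;;
        xz)        echo CONFIG_SQUASHFS_XZ ;;
        zstd)      echo CONFIG_SQUASHFS_ZSTD ;;
        *)         echo "unknown squashfs compressor: $1" >&2; return 1 ;;
    esac
}

# check_live_config CONFIG [COMPRESSOR]: print one line per option, return 1 on any miss.
check_live_config() {
    cfg=$1
    comp_opt=$(squashfs_comp_option "${2:-zstd}") || return 1
    missing=0
    for opt in CONFIG_BLK_DEV_INITRD CONFIG_OVERLAY_FS CONFIG_SQUASHFS "$comp_opt"; do
        if kconfig_is_set "$cfg" "$opt"; then
            echo "ok:      $opt"
        else
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# write_sample_config FILE: constructed sample based on the fragment quoted above,
# with CONFIG_SQUASHFS_LZ4 deliberately unset so the lz4 check fails.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_OVERLAY_FS=m
# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set
CONFIG_SQUASHFS=m
CONFIG_SQUASHFS_XATTR=y
CONFIG_SQUASHFS_ZSTD=y
# CONFIG_SQUASHFS_LZ4 is not set
EOF
}

# Demo on the constructed sample: first call passes, second reports the missing lz4 support.
sample=$(mktemp)
write_sample_config "$sample"
check_live_config "$sample" zstd
check_live_config "$sample" lz4 || echo "an image compressed with lz4 would not mount with this kernel"
rm -f "$sample"
```

Options set to `m` rather than `y`, as in the quoted fragment, are fine only if the modules end up inside the initramfs; `lsinitramfs /boot/initrd.img-<version> | grep -E 'overlay|squashfs'` shows whether they did.
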
Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Tue Mar 11, 2025 12:05 am
by 1mouse3
As for the special needs of this x299 board, it has its own embedded boot loader that is very picky as to what it will list. I have had issues getting this to like GRUB, but the way MX Linux makes it, it can be found, though there are two instances of it. So MX Linux gives a proper example of setting up an ESP partition, but I don't see a reason to be chain-loading boot loaders. I have been trying to set up Gentoo or LiGurOS for efistub and no systemd, but that means doing a bunch of custom stuff. Has efistub been tried for MX Linux and is there any documentation on it?
One of the means I found to do efistub without systemd is partially described here.

https://www.rodsbooks.com/efi-bootloaders/efistub.html

It would be to use mkinitramfs to make an uncompressed image that has busybox for mdev+dhcp and a compact libc. There is a deb file for that but it is not in the MX repository; the busybox one is, and is installed.

https://manpages.debian.org/jessie/init ... .8.en.html

The other option of mkinitrd in that article relies on dracut, and that is heavily dependent on systemd for efistub.

https://manpages.debian.org/stretch/dra ... .8.en.html

MX Linux does offer uclibc as an option for a compact libc; the other is musl but I don't want to experiment with that.

https://tracker.debian.org/news/1173543 ... o-testing/

The issue with the above package is that it uses an outdated, stagnant source. I'm not sure if it is using uclibc or uclibc-ng; the latter went back active and has an update.

https://www.uclibc-ng.org/

I also see this as the used libc and it is compact; is this what's used past initrd and used in the rootfs since glibc is not installed? If so, does it pose issues being a glibc replacement?

https://packages.debian.org/sid/klibc-utils

I'm not sure if MX Linux will work with mdev; I was thinking mdevd for Gentoo/LiGurOS over migrating to evdev, which seems to be in stages of being abandoned. This would make the dev scripts uniform between the initramfs and rootfs; I would not bother with the idea in MX Linux if it will break it.

https://github.com/skarnet/mdevd

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Tue Mar 11, 2025 12:27 am
by Stevo
Unfortunately, those Debian kernel instructions seem very old. I don't mess around with adding or deleting deb-src. For a newer kernel like I would backport for MX 23 AHS, I download the two source tarballs from the right on a page like this: https://packages.debian.org/sid/linux-source-6.12

Then I extract them both and put the debian folder inside, which is like a detonator when you run the build command. It has all the patches and instructions inside it. I make a few changes, such as:

Code:

  * Rebuild for MX Linux.
  * debian/config/defines.toml:
    - use gcc-12.
    - disable rt flavor kernels.
  * debian/config/config: switch kernel frequency to 1000 Hz.
If anyone wants an rt realtime kernel variety, they can get it from Debian. I end up building a standard kernel and some cloud type kernel, too, which is another big waste of time I wish I knew how to disable.

Anyway...patches. Debian keeps the original source tarball pristine (most of the time, hence the .orig; if it is changed, .dfsg is also added, like the Audacity I'm building). All patches, including the realtime ones, are already in debian/patches, and are applied according to how they are listed in the /patches/series file. Debian kernels have very many patches, and they are kept in several folders in /patches. They get applied during the build. It's a big mess if you add a new patch that doesn't exactly apply, or conflicts with another one.

You can get all previous Debian kernel sources at snapshot.debian.org, such as all the previous 6.1 versions: https://snapshot.debian.org/binary/linux-source-6.1/

Anyway...I'm not clear on exactly what you want to do. What OS and kernel is going to be controlling the CAM? I don't know much about machining, but I thought CAM had to be realtime. Not to mention this x32 system, don't know much about that..

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Tue Mar 11, 2025 9:45 am
by 1mouse3
Stevo wrote: Tue Mar 11, 2025 12:27 am Unfortunately, those Debian kernel instructions seem very old. I don't mess around with adding or deleting deb-src. For a newer kernel like I would backport for MX 23 AHS, I download the two source tarballs from the right on a page like this: https://packages.debian.org/sid/linux-source-6.12

Then I extract them both and put the debian folder inside, which is like a detonator when you run the build command. It has all the patches and instructions inside it. I make a few changes, such as:

Code:

  * Rebuild for MX Linux.
  * debian/config/defines.toml:
    - use gcc-12.
    - disable rt flavor kernels.
  * debian/config/config: switch kernel frequency to 1000 Hz.
If anyone wants an rt realtime kernel variety, they can get it from Debian. I end up building a standard kernel and some cloud type kernel, too, which is another big waste of time I wish I knew how to disable.
Thanks, I will look into the given tarball and see how it works. I would like to use an LTS version, so I don't have to mess with it often. This is the 6.1.124 I have working for Gentoo/LiGurOS and I see the patch set for it available.

https://packages.debian.org/bookworm-up ... source-6.1

There is this that comes up in the same search and I'm not sure why it's marked security.

https://packages.debian.org/bookworm/linux-source-6.1
Stevo wrote: Tue Mar 11, 2025 12:27 am Anyway...patches. Debian keeps the original source tarball pristine (most of the time, hence the .orig; if it is changed, .dfsg is also added, like the Audacity I'm building). All patches, including the realtime ones, are already in debian/patches, and are applied according to how they are listed in the /patches/series file. Debian kernels have very many patches, and they are kept in several folders in /patches. They get applied during the build. It's a big mess if you add a new patch that doesn't exactly apply, or conflicts with another one.
Yes, the patches are a mess and if an expected one doesn't run, the patch string dies and the build doesn't do what it should. That is why I made the patch set the way I did for use on a non-pristine ASOP source; I basically made some of them just add or remove white space so they had something to do since their task was already done. For the build tool in Gentoo, it did not like doing the same thing twice and in turn I keep changing the white space to be altered. Will look into this dfsg and see what I can find on it.
Stevo wrote: Tue Mar 11, 2025 12:27 am You can get all previous Debian kernel sources at snapshot.debian.org, such as all the previous 6.1 versions: https://snapshot.debian.org/binary/linux-source-6.1/
What I get from the kernel numbering is like this

X.1.* = Would be the LTS versions, as in 6.1.27 is the old LTS and 6.1.124 is the current LTS
X.2.* to X.99.* = Would be the standard versions, say the 6.12 version you gave
Stevo wrote: Tue Mar 11, 2025 12:27 am Anyway...I'm not clear on exactly you want to do. What OS and kernel is going to be controlling the CAM? I don't know much about machining, but I thought CAM had to be realtime. Not to mention this x32 system, don't know much about that..
This LinuxCNC would be the CAM software that will be used on that, and it requires Debian to be used.

https://www.linuxcnc.org/

I have a Matrox M9248 video card for it, since it is what I found that has 4 independent display outputs, and I probably should have got the C420 instead. I would like to set it up to control multiple FPGA modules for multiple machines to be run. Going with this card means that I may need a fixed older version of Debian to be used.

https://video.matrox.com/en/apps/driver ... oad/latest

This is the readme for the given card.

https://ftp.matrox.com/pub/mga/archive/ ... DME143.txt

This is the requirement it lists for the Linux driver.

Code:

This release supports the following:

    - X Server (6.9.0 to 1.15)
    - Linux kernel (2.6 to 3.13)

This release was tested with the following distributions of the 
i386 and x86-64 architectures:

    - RHEL 5.7, 6.4, 6.6, 7, 7.1 (No Gnome)
    - CentOS 6.6
    - SLE 11.3, 11.4, 12 (IceWM or KDE, no Gnome)
    - OpenSuSE 12.3, 13.1
    - Fedora Core 19, 20
    - Ubuntu 10.04 12.04, 14.04
The C420 on the other hand lists up to kernel 4.2.0, and is why I should have got that instead, but it took some digging to find that one.

https://video.matrox.com/en/apps/driver ... oad?id=667

So what will be on the x79 is something that won't get updates, based on what I have to work with. That is unless you know of a better choice of a video card that could do 4+ independent outputs and not be Nvidia; LinuxCNC does not play nice with that.

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Tue Mar 11, 2025 6:50 pm
by Nokkaelaein
1mouse3 wrote: Tue Mar 11, 2025 9:45 am X.1.* = Would be the LTS versions, as in 6.1.27 is the old LTS and 6.1.124 is the current LTS
X.2.* to X.99.* = Would be the standard versions, say the 6.12 version you gave
6.12.x is an LTS kernel.

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Tue Mar 11, 2025 9:50 pm
by 1mouse3
Nokkaelaein wrote: Tue Mar 11, 2025 6:50 pm
1mouse3 wrote: Tue Mar 11, 2025 9:45 am X.1.* = Would be the LTS versions, as in 6.1.27 is the old LTS and 6.1.124 is the current LTS
X.2.* to X.99.* = Would be the standard versions, say the 6.12 version you gave
6.12.x is an LTS kernel.
Thanks for pointing that out; I've been having issues finding stuff on the Debian site with stuff spread through many links. What I gave is based on unknown stuff, but I was finding a pattern that it was in older revisions; I may be wrong on that.

https://9to5linux.com/debian-12-9-bookw ... ty-updates

I see your point, and that would mean two.

https://en.wikipedia.org/wiki/Linux_ker ... on_history

A comment from @Stevo had a link; I followed that tree and found this, which shows this install of its version uses 6.1.124 of the kernel.

https://packages.debian.org/bookworm-updates/kernel/

And based on this, I'm seeing 6.1.xxx for the many kernel version options. So there would be static LTS with bug fix options used by Debian and a real time LTS used by the bleeding edge.

https://packages.debian.org/bookworm/kernel/
Not to mention this x32 system, don't know much about that..
@Stevo, this ABI flag is for user 32-bit, and this is the emulation for it in a virtual environment. This in the kernel config disables that; a static build in Gentoo/LiGurOS has issues and gives errors if enabled.

Code:

# Binary Emulations
#
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32_ABI is not set
# end of Binary Emulations
Stevo wrote: Mon Mar 10, 2025 11:27 pm
Anyway...patches. Debian keeps the original source tarball pristine (most of the time, hence the .orig, if it is changed, .dfsg is also added, like the Audacity I'm building) All patches, including the realtime ones, are already in debian/patches. and are applied according to how they are listed in the /patches/series file. Debian kernels have very many patches, and they are kept in several folders in /patches. They get applied during the build. It's a big mess if you add a new patch that doesn't exactly apply, or conflicts with another one.
Yes, the patches are a mess and if an expected one doesn't run, the patch string dies and the build doesn't do what it should. That is why I made the patch set the way I did for use on a non-pristine ASOP source; I basically made some of them just add or remove white space so they had something to do since their task was already done. For the build tool in Gentoo, it did not like doing the same thing twice and in turn I keep changing the white space to be altered. Will look into this dfsg and see what I can find on it.
This would be a better response, I have the patch worked out allready. This is whats needed to replace the clean ASOP source with a tainted source, when using the debian patch set that makes the debian kernel. It starts in the ebuild with this command, that runs my string of patches. Locations may need changed with different build environment in debian.

Code: Select all

einfo "Applying Graphene patches ..."
# GRAPHENE_LIST is the manifest below; every line containing ".patch" is a patch path
for LIST_A in $(grep ".patch" "${GRAPHENE_LIST}"); do
	eapply "${LIST_A}"
done || die "applying Graphene patches failed"
I made a manifest type of file to find all the patches.

Code: Select all

echo GRAPHENE_PATCHES
echo "0000 Brakes build tree if edited"
    ./6.1/graphene-patches/0000-debian-gitignore-series.patch
    ./6.1/graphene-patches/0001-giving-blank-patches-something-to-do.patch
echo  #0#+8
    ./6.1/graphene-patches/0002-firmware-remove-redundant-log-messages-from-drivers-patch.patch
    ./6.1/graphene-patches/0003-wifi-mt76-do-not-run-mt76_unregister_device-on-unregistered-hw-patch.patch
echo #1#-8
    ./6.1/graphene-patches/0004-fs-enable-link-security-restrictions-by-default-patch.patch
echo #2#+10
    ./6.1/graphene-patches/0005-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default-patch.patch
echo #3#-10
    ./6.1/graphene-patches/0006-security-perf-allow-further-restriction-of-perf_event_open-patch.patch
    ./6.1/graphene-patches/0007-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo-patch.patch
    ./6.1/graphene-patches/0008-netfilter-nf_tables-deactivate-anonymous-set-from-pr-patch.patch
echo #5#-4
    ./6.1/graphene-patches/0009-intel-iommu-add-kconfig-option-to-exclude-igpu-by-default-patch.patch
    ./6.1/graphene-patches/0010-x86-make-x32-syscall-support-conditional-patch.patch
    ./6.1/graphene-patches/0011-arm64-dts-rockchip-Enable-GPU-on-SOQuartz-CM4-patch.patch
echo  #4#+4
sleep 3
And this is the patch tree, which I compressed with #.

Code: Select all

#########################################
# 0001-giving-blank-patches-something-to-do.patch
##########################################
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c	2025-01-14 07:21:38.223397384 -0000
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c	2025-01-14 22:27:11.640317226 -0000
@@ -35,7 +35,7 @@ static const struct ieee80211_channel mt
 	CHAN2G(5, 2432),
 	CHAN2G(6, 2437),
 	CHAN2G(7, 2442),
-	CHAN2G(8, 2447),
+		CHAN2G(8, 2447),
 	CHAN2G(9, 2452),
 	CHAN2G(10, 2457),
 	CHAN2G(11, 2462),
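Review bot: the only change in this hunk is an extra tab in front of `CHAN2G(8, 2447)`, so the patch is indentation churn by design; because 0003, 0004, 0005, 0008 and 0011 below flip these same CHAN2G lines back and forth, the series applies only in exactly this order, and any reordering or dropped entry turns into a context mismatch at the next patch. A single no-op patch, or removing the already-satisfied entries from the series file, would be less fragile than a chain of mutually dependent whitespace edits.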
--
########################################
# 0002-firmware-remove-redundant-log-messages-from-drivers-patch.patch
########################################
--- a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch	2025-01-14 18:30:41.490250680 -0000
+++ b/debian/patchea/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch	2025-01-14 21:56:04.360308467 -0000
@@ -46,7 +46,7 @@ Index: linux/drivers/bluetooth/ath3k.c
 ===================================================================
 --- linux.orig/drivers/bluetooth/ath3k.c
 +++ linux/drivers/bluetooth/ath3k.c
-@@ -381,10 +381,8 @@ static int ath3k_load_patch(struct usb_d
+@@ -379,10 +381,8 @@ static int ath3k_load_patch(struct usb_d
  		 le32_to_cpu(fw_version.rom_version));
  
  	ret = request_firmware(&firmware, filename, &udev->dev);
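Review bot: the `+++` header names `b/debian/patchea/bugfix/all/...` while the `---` header has `debian/patches/...`; the two must name the same file. GNU patch falls back to a heuristic when the names differ, so this may apply by luck, but the typo should be fixed. Inside the hunk the inner header moves from `@@ -381,10 +381,8 @@` to `@@ -379,10 +381,8 @@`, shifting only the old-side start; that is the kind of header better regenerated with diff (or `quilt refresh`) than edited by hand.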
@@ -58,8 +58,8 @@ Index: linux/drivers/bluetooth/ath3k.c
  
  	pt_rom_version = get_unaligned_le32(firmware->data +
  					    firmware->size - 8);
-@@ -444,10 +442,8 @@ static int ath3k_load_syscfg(struct usb_
- 		le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
+@@ -441,10 +442,8 @@ static int ath3k_load_syscfg(struct usb_
+ 		 le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
  
  	ret = request_firmware(&firmware, filename, &udev->dev);
 -	if (ret < 0) {
####################################################################
# 0003-wifi-mt76-do-not-run-mt76_unregister_device-on-unregistered-hw-patch.patch
####################################################################
--- a/debian/patches/bugfix/all/wifi-mt76-do-not-run-mt76_unregister_device-on-unregistered-hw.patch	2025-01-14 18:21:07.163581389 -0000
+++ b/debian/patches/bugfix/all/wifi-mt76-do-not-run-mt76_unregister_device-on-unregistered-hw.patch	2025-01-14 22:32:56.213652199 -0000
@@ -24,55 +24,16 @@ advance to prevent users from getting st
 Signed-off-by: Cyril Brulebois <kibi@debian.org>
 
 ---
- drivers/net/wireless/mediatek/mt76/mac80211.c | 8 ++++++++
- drivers/net/wireless/mediatek/mt76/mt76.h     | 1 +
- 2 files changed, 9 insertions(+)
 
---- a/drivers/net/wireless/mediatek/mt76/mac80211.c
-+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
-@@ -522,6 +522,7 @@ int mt76_register_phy(struct mt76_phy *p
- 	if (ret)
- 		return ret;
- 
-+	set_bit(MT76_STATE_REGISTERED, &phy->state);
- 	phy->dev->phys[phy->band_idx] = phy;
- 
- 	return 0;
-@@ -532,6 +533,9 @@ void mt76_unregister_phy(struct mt76_phy
- {
- 	struct mt76_dev *dev = phy->dev;
- 
-+	if (!test_bit(MT76_STATE_REGISTERED, &phy->state))
-+		return;
-+
- 	mt76_tx_status_check(dev, true);
- 	ieee80211_unregister_hw(phy->hw);
- 	dev->phys[phy->band_idx] = NULL;
-@@ -654,6 +658,7 @@ int mt76_register_device(struct mt76_dev
- 		return ret;
- 
- 	WARN_ON(mt76_worker_setup(hw, &dev->tx_worker, NULL, "tx"));
-+	set_bit(MT76_STATE_REGISTERED, &phy->state);
- 	sched_set_fifo_low(dev->tx_worker.task);
- 
- 	return 0;
-@@ -664,6 +669,9 @@ void mt76_unregister_device(struct mt76_
- {
- 	struct ieee80211_hw *hw = dev->hw;
- 
-+	if (!test_bit(MT76_STATE_REGISTERED, &dev->phy.state))
-+		return;
-+
- 	if (IS_ENABLED(CONFIG_MT76_LEDS))
- 		mt76_led_cleanup(dev);
- 	mt76_tx_status_check(dev, true);
---- a/drivers/net/wireless/mediatek/mt76/mt76.h
-+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
-@@ -388,6 +388,7 @@ struct mt76_tx_cb {
- 
- enum {
- 	MT76_STATE_INITIALIZED,
-+	MT76_STATE_REGISTERED,
- 	MT76_STATE_RUNNING,
- 	MT76_STATE_MCU_RUNNING,
- 	MT76_SCANNING,
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c      2025-01-14 07:21:38.223397384 -0000
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c      2025-01-14 22:04:46.046977560 -0000
+@@ -35,7 +35,7 @@ static const struct ieee80211_channel mt
+ 	CHAN2G(5, 2432),
+ 	CHAN2G(6, 2437),
+ 	CHAN2G(7, 2442),
+-		CHAN2G(8, 2447),
++	CHAN2G(8, 2447),
+ 	CHAN2G(9, 2452),
+ 	CHAN2G(10, 2457),
+ 	CHAN2G(11, 2462),
+--
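Review bot: this hunk deletes the entire MT76_STATE_REGISTERED fix (the `set_bit()` calls in mt76_register_phy/mt76_register_device and the `test_bit()` guards in both unregister paths) and replaces it with an indentation-only change on `CHAN2G(8, 2447)`, while the retained description above (`Signed-off-by: Cyril Brulebois`, "advance to prevent users from getting st...") still describes the original fix. If the base source already contains that fix, say so in the description or drop the patch from the series; a patch whose body no longer matches its description is a maintenance trap for whoever rebases this next.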
###################################################
# 0004-fs-enable-link-security-restrictions-by-default-patch.patch
###################################################
--- a/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch	2025-01-14 18:15:36.203579847 -0000
+++ b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch	2025-01-15 08:34:16.057156128 -0000
@@ -7,16 +7,17 @@ Forwarded: not-needed
 This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
 ('VFS: don't do protected {sym,hard}links by default').
 
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -1020,8 +1020,8 @@ static inline void put_link(struct namei
- 		path_put(&last->link);
- }
- 
--static int sysctl_protected_symlinks __read_mostly;
--static int sysctl_protected_hardlinks __read_mostly;
-+static int sysctl_protected_symlinks __read_mostly = 1;
-+static int sysctl_protected_hardlinks __read_mostly = 1;
- static int sysctl_protected_fifos __read_mostly;
- static int sysctl_protected_regular __read_mostly;
- 
+---
+
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c     2025-01-14 07:21:38.223397384 -0000
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c     2025-01-14 22:27:11.640317226 -0000
+@@ -37,7 +37,7 @@ static const struct ieee80211_channel mt
+ 	CHAN2G(7, 2442),
+ 	CHAN2G(8, 2447),
+ 	CHAN2G(9, 2452),
+-	CHAN2G(10, 2457),
++		CHAN2G(10, 2457),
+ 	CHAN2G(11, 2462),
+ 	CHAN2G(12, 2467),
+ 	CHAN2G(13, 2472),
+--
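Review bot: the removed fs/namei.c hunk is what changes `sysctl_protected_symlinks` and `sysctl_protected_hardlinks` from 0 to `= 1` by default; swapping it for indentation churn on `CHAN2G(10, 2457)` leaves the description ("This reverts commit 561ec64ae67e...") describing a change the patch no longer makes. Unless the replacement source already defaults both to 1, this silently drops a hardening default, so `/proc/sys/fs/protected_symlinks` and `protected_hardlinks` should be checked on the built kernel. The added `+---` followed by an empty `+` line also puts a stray blank line after the description separator.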
#####################################################################
# 0005-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default-patch.patch
#####################################################################
--- a/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch	2025-01-14 17:59:39.633575465 -0000
+++ b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch	2025-01-15 08:37:54.020490497 -0000
@@ -14,88 +14,16 @@ Signed-off-by: Serge Hallyn <serge.hally
 [bwh: Remove unneeded binary sysctl bits]
 [bwh: Keep this sysctl, but change the default to enabled]
 ---
-Index: linux/kernel/fork.c
-===================================================================
---- linux.orig/kernel/fork.c
-+++ linux/kernel/fork.c
-@@ -108,6 +108,11 @@
- 
- #define CREATE_TRACE_POINTS
- #include <trace/events/task.h>
-+#ifdef CONFIG_USER_NS
-+extern int unprivileged_userns_clone;
-+#else
-+#define unprivileged_userns_clone 0
-+#endif
- 
- /*
-  * Minimum number of threads to boot the kernel
-@@ -2008,6 +2013,10 @@ static __latent_entropy struct task_stru
- 	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
- 		return ERR_PTR(-EINVAL);
- 
-+	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+		if (!capable(CAP_SYS_ADMIN))
-+			return ERR_PTR(-EPERM);
-+
- 	/*
- 	 * Thread groups must share signals as well, and detached threads
- 	 * can only be started up within the thread group.
-@@ -3166,6 +3175,12 @@ int ksys_unshare(unsigned long unshare_f
- 	if (unshare_flags & CLONE_NEWNS)
- 		unshare_flags |= CLONE_FS;
- 
-+	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+		err = -EPERM;
-+		if (!capable(CAP_SYS_ADMIN))
-+			goto bad_unshare_out;
-+	}
-+
- 	err = check_unshare_flags(unshare_flags);
- 	if (err)
- 		goto bad_unshare_out;
-Index: linux/kernel/sysctl.c
-===================================================================
---- linux.orig/kernel/sysctl.c
-+++ linux/kernel/sysctl.c
-@@ -136,6 +136,10 @@ static enum sysctl_writes_mode sysctl_wr
- int sysctl_legacy_va_layout;
- #endif
- 
-+#ifdef CONFIG_USER_NS
-+extern int unprivileged_userns_clone;
-+#endif
-+
- #endif /* CONFIG_SYSCTL */
- 
- /*
-@@ -1659,6 +1663,15 @@ static struct ctl_table kern_table[] = {
- 		.mode		= 0644,
- 		.proc_handler	= proc_dointvec,
- 	},
-+#ifdef CONFIG_USER_NS
-+	{
-+		.procname	= "unprivileged_userns_clone",
-+		.data		= &unprivileged_userns_clone,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec,
-+	},
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
- 	{
- 		.procname	= "tainted",
-Index: linux/kernel/user_namespace.c
-===================================================================
---- linux.orig/kernel/user_namespace.c
-+++ linux/kernel/user_namespace.c
-@@ -22,6 +22,9 @@
- #include <linux/bsearch.h>
- #include <linux/sort.h>
- 
-+/* sysctl */
-+int unprivileged_userns_clone = 1;
-+
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
- 
+
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c     2025-01-14 07:21:38.223397384 -0000
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c     2025-01-14 22:27:11.640317226 -0000
+@@ -37,7 +37,7 @@ static const struct ieee80211_channel mt
+ 	CHAN2G(7, 2442),
+ 	CHAN2G(8, 2447),
+ 	CHAN2G(9, 2452),
+-		CHAN2G(10, 2457),
++	CHAN2G(10, 2457),
+ 	CHAN2G(11, 2462),
+ 	CHAN2G(12, 2467),
+ 	CHAN2G(13, 2472),
+--
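Review bot: the deleted hunks are the whole `unprivileged_userns_clone` sysctl (the `int unprivileged_userns_clone = 1;` definition in user_namespace.c, the kern_table entry in sysctl.c and the `capable(CAP_SYS_ADMIN)` checks in fork.c), so the patch now only re-indents `CHAN2G(10, 2457)` while the `[bwh: Keep this sysctl, but change the default to enabled]` note stays. Confirm the base source provides an equivalent knob; otherwise the ability to turn unprivileged user namespaces off at runtime, which is what this sysctl exists for, is gone from the resulting kernel.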
#############################################################
# 0006-security-perf-allow-further-restriction-of-perf_event_open-patch.patch
#############################################################
--- a/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch	2025-01-14 17:21:03.170231416 -0000
+++ b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch	2025-01-14 17:46:19.080238372 -0000
@@ -36,21 +36,7 @@ Signed-off-by: Ben Hutchings <ben@decade
  
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
-@@ -415,8 +415,13 @@ static struct kmem_cache *perf_event_cac
-  *   0 - disallow raw tracepoint access for unpriv
-  *   1 - disallow cpu events for unpriv
-  *   2 - disallow kernel profiling for unpriv
-+ *   3 - disallow all unpriv perf event use
-  */
-+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
-+int sysctl_perf_event_paranoid __read_mostly = 3;
-+#else
- int sysctl_perf_event_paranoid __read_mostly = 2;
-+#endif
- 
- /* Minimum for 512 kiB + 1 user control page */
- int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -12235,6 +12240,9 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -12359,8 +12240,11 @@ SYSCALL_DEFINE5(perf_event_open,
  	if (err)
  		return err;
  
@@ -58,23 +44,8 @@ Signed-off-by: Ben Hutchings <ben@decade
 +		return -EACCES;
 +
  	/* Do we allow access to perf_event_open(2) ? */
- 	err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
+-	err = perf_allow_open(&attr);
++	err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
  	if (err)
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -19,6 +19,15 @@ config SECURITY_DMESG_RESTRICT
- 
- 	  If you are unsure how to answer this question, answer N.
+ 		return err;
  
-+config SECURITY_PERF_EVENTS_RESTRICT
-+	bool "Restrict unprivileged use of performance events"
-+	depends on PERF_EVENTS
-+	help
-+	  If you say Y here, the kernel.perf_event_paranoid sysctl
-+	  will be set to 3 by default, and no unprivileged use of the
-+	  perf_event_open syscall will be permitted unless it is
-+	  changed.
-+
- config SECURITY
- 	bool "Enable different security models"
- 	depends on SYSFS
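Review bot: the rewritten inner hunk turns a context line into a change, `-	err = perf_allow_open(&attr);` / `+	err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);`, so on the new base source the patch replaces the base's `perf_allow_open()` helper with the bare LSM hook, and at the same time the `config SECURITY_PERF_EVENTS_RESTRICT` Kconfig block is deleted (the `sysctl_perf_event_paranoid = 3` default went in the hunk above). Unless `perf_allow_open()` in the base is known to be a thin wrapper around that same hook, this changes the access check the patch title promises to tighten rather than adapting it. The hand-edited header `@@ -12359,8 +12240,11 @@` in the previous hunk also shifts the old-side start by 124 lines while leaving the new-side start at 12240; regenerate it.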
##########################################################
# 0007-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo-patch.patch
##########################################################
--- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch	2025-01-14 16:24:03.540215777 -0000
+++ b/debain/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch	2025-01-14 17:12:55.646895812 -0000
@@ -24,28 +24,6 @@ Signed-off-by: Salvatore Bonaccorso <car
  security/lockdown/lockdown.c      |    2 +-
  5 files changed, 27 insertions(+), 3 deletions(-)
 
-Index: debian-kernel/arch/x86/kernel/setup.c
-===================================================================
---- debian-kernel.orig/arch/x86/kernel/setup.c
-+++ debian-kernel/arch/x86/kernel/setup.c
-@@ -979,6 +979,8 @@ void __init setup_arch(char **cmdline_p)
- 	if (efi_enabled(EFI_BOOT))
- 		efi_init();
- 
-+	efi_set_secure_boot(boot_params.secure_boot);
-+
- 	dmi_setup();
- 
- 	/*
-@@ -1130,8 +1132,6 @@ void __init setup_arch(char **cmdline_p)
- 	/* Allocate bigger log buffer */
- 	setup_log_buf(1);
- 
--	efi_set_secure_boot(boot_params.secure_boot);
--
- 	reserve_initrd();
- 
- 	acpi_table_upgrade();
 Index: debian-kernel/drivers/firmware/efi/secureboot.c
 ===================================================================
 --- debian-kernel.orig/drivers/firmware/efi/secureboot.c
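Review bot: the `+++` header has `debain/patches/...` (transposed letters) against `debian/patches/...` in the `---` header; fix it. The hunk also drops both arch/x86/kernel/setup.c hunks, which move `efi_set_secure_boot(boot_params.secure_boot)` from after `setup_log_buf(1)` to directly after `efi_init()`, yet the diffstat `5 files changed, 27 insertions(+), 3 deletions(-)` is left as is. If the base source already calls efi_set_secure_boot at the earlier point, note that in the description; otherwise the secure-boot flag is read later than the lockdown patch intended.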
#########################################################
# 0008-netfilter-nf_tables-deactivate-anonymous-set-from-pr-patch.patch
#########################################################
--- b/debian/patches/bugfix/all/netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch	2025-01-14 16:25:36.026882840 -0000
+++ a/debian/patches/bugfix/all/netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch	2025-01-15 08:43:23.427158708 -0000
@@ -37,86 +37,15 @@ Signed-off-by: Pablo Neira Ayuso <pablo@
  net/netfilter/nft_objref.c        |  2 +-
  5 files changed, 16 insertions(+), 3 deletions(-)
 
-diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
-index 3ed21d2d5659..2e24ea1d744c 100644
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -619,6 +619,7 @@ struct nft_set_binding {
- };
- 
- enum nft_trans_phase;
-+void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set);
- void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
- 			      struct nft_set_binding *binding,
- 			      enum nft_trans_phase phase);
-diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
-index 8b6c61a2196c..59fb8320ab4d 100644
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -5127,12 +5127,24 @@ static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
- 	}
- }
- 
-+void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
-+{
-+	if (nft_set_is_anonymous(set))
-+		nft_clear(ctx->net, set);
-+
-+	set->use++;
-+}
-+EXPORT_SYMBOL_GPL(nf_tables_activate_set);
-+
- void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
- 			      struct nft_set_binding *binding,
- 			      enum nft_trans_phase phase)
- {
- 	switch (phase) {
- 	case NFT_TRANS_PREPARE:
-+		if (nft_set_is_anonymous(set))
-+			nft_deactivate_next(ctx->net, set);
-+
- 		set->use--;
- 		return;
- 	case NFT_TRANS_ABORT:
-diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
-index 274579b1696e..bd19c7aec92e 100644
---- a/net/netfilter/nft_dynset.c
-+++ b/net/netfilter/nft_dynset.c
-@@ -342,7 +342,7 @@ static void nft_dynset_activate(const struct nft_ctx *ctx,
- {
- 	struct nft_dynset *priv = nft_expr_priv(expr);
- 
--	priv->set->use++;
-+	nf_tables_activate_set(ctx, priv->set);
- }
- 
- static void nft_dynset_destroy(const struct nft_ctx *ctx,
-diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
-index cecf8ab90e58..03ef4fdaa460 100644
---- a/net/netfilter/nft_lookup.c
-+++ b/net/netfilter/nft_lookup.c
-@@ -167,7 +167,7 @@ static void nft_lookup_activate(const struct nft_ctx *ctx,
- {
- 	struct nft_lookup *priv = nft_expr_priv(expr);
- 
--	priv->set->use++;
-+	nf_tables_activate_set(ctx, priv->set);
- }
- 
- static void nft_lookup_destroy(const struct nft_ctx *ctx,
-diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
-index cb37169608ba..a48dd5b5d45b 100644
---- a/net/netfilter/nft_objref.c
-+++ b/net/netfilter/nft_objref.c
-@@ -185,7 +185,7 @@ static void nft_objref_map_activate(const struct nft_ctx *ctx,
- {
- 	struct nft_objref_map *priv = nft_expr_priv(expr);
- 
--	priv->set->use++;
-+	nf_tables_activate_set(ctx, priv->set);
- }
- 
- static void nft_objref_map_destroy(const struct nft_ctx *ctx,
--- 
-2.40.1
-
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c     2025-01-14 07:21:38.223397384 -0000
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c     2025-01-14 22:27:11.640317226 -0000
+@@ -31,7 +31,7 @@ static const struct ieee80211_channel mt
+ 	CHAN2G(1, 2412),
+ 	CHAN2G(2, 2417),
+ 	CHAN2G(3, 2422),
+-		CHAN2G(4, 2427),
++	CHAN2G(4, 2427),
+ 	CHAN2G(5, 2432),
+ 	CHAN2G(6, 2437),
+ 	CHAN2G(7, 2442),
+--
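Review bot: the file headers are reversed (`--- b/...` then `+++ a/...`); `patch -p1` strips either prefix, but it reads as a backwards diff and should be swapped. Substantively the hunk removes the whole nf_tables change (`nf_tables_activate_set()`, the `nft_deactivate_next()` call in the NFT_TRANS_PREPARE case, and the three callers in nft_dynset.c, nft_lookup.c and nft_objref.c) and leaves only indentation churn on `CHAN2G(4, 2427)`. That is a netfilter bug fix ("deactivate anonymous set from preparation phase"); confirm it is present in the base source before neutralising the patch, and if it is, drop the entry rather than keep a patch that does something unrelated under the fix's name.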
##############################################################
# 0009-intel-iommu-add-kconfig-option-to-exclude-igpu-by-default-patch.patch
##############################################################
--- a/debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch	2025-01-14 23:04:45.816994645 -0000
+++ b/debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch	2025-01-15 01:13:13.593698202 -0000
@@ -15,6 +15,7 @@ Signed-off-by: Ben Hutchings <ben@decade
 ---
 --- a/drivers/iommu/intel/Kconfig
 +++ b/drivers/iommu/intel/Kconfig
+
 @@ -58,14 +58,25 @@ config INTEL_IOMMU_SVM
  	  to access DMA resources through process address space by
  	  means of a Process Address Space ID (PASID).
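Review bot: this hunk's only change is an empty `+` line between `+++ b/drivers/iommu/intel/Kconfig` and `@@ -58,14 +58,25 @@`. A blank line between a file header and its hunk header is not part of the unified-diff format; whether GNU patch skips it or rejects it depends on the version, so it should simply be removed rather than relied on.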
@@ -49,9 +50,9 @@ Signed-off-by: Ben Hutchings <ben@decade
  	depends on BROKEN && X86
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
-@@ -289,14 +289,14 @@ static LIST_HEAD(dmar_satc_units);
+@@ -283,14 +286,14 @@ static LIST_HEAD(dmar_satc_units);
  
- static void dmar_remove_one_dev_info(struct device *dev);
+ static void device_block_translation(struct device *dev);
  
 -int dmar_disabled = !IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_ON);
 +int dmar_disabled = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_OFF);
#################################################
# 0010-x86-make-x32-syscall-support-conditional-patch.patch
#################################################
--- a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch	2025-01-14 23:27:07.337001055 -0000
+++ b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch	2025-01-15 07:29:59.147137704 -0000
@@ -59,18 +59,18 @@ Signed-off-by: Ben Hutchings <ben@decade
  	depends on IA32_EMULATION || X86_X32_ABI
 --- a/arch/x86/entry/common.c
 +++ b/arch/x86/entry/common.c
-@@ -62,7 +62,7 @@ static __always_inline bool do_syscall_x
+@@ -63,7 +63,7 @@ static __always_inline bool do_syscall_x
  	 */
  	unsigned int xnr = nr - __X32_SYSCALL_BIT;
  
 -	if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) {
 +	if (IS_ENABLED(CONFIG_X86_X32_ABI) && unlikely(x32_enabled) && likely(xnr < X32_NR_syscalls)) {
  		xnr = array_index_nospec(xnr, X32_NR_syscalls);
- 		regs->ax = x32_sys_call_table[xnr](regs);
+ 		regs->ax = x32_sys_call(regs, xnr);
  		return true;
 --- a/arch/x86/entry/syscall_x32.c
 +++ b/arch/x86/entry/syscall_x32.c
-@@ -4,6 +4,9 @@
+@@ -4,6 +4,9 @@ 
  #include <linux/linkage.h>
  #include <linux/sys.h>
  #include <linux/cache.h>
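Review bot: the change to the inner `@@ -4,6 +4,9 @@` header is a single trailing space (the elf.h and syscall.h headers later in this file get the same treatment), which is whitespace noise carried into debian/patches and should be dropped. The real adaptation here, `x32_sys_call_table[xnr](regs)` to `x32_sys_call(regs, xnr)` plus the line shift to `@@ -63,7 +63,7 @@`, is a genuine rebase onto the newer entry code; regenerating it with `quilt refresh` keeps the counts consistent and avoids the stray whitespace.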
@@ -80,9 +80,9 @@ Signed-off-by: Ben Hutchings <ben@decade
  #include <linux/syscalls.h>
  #include <asm/syscall.h>
  
-@@ -16,3 +19,46 @@
- asmlinkage const sys_call_ptr_t x32_sys_call_table[] = {
- #include <asm/syscalls_x32.h>
+@@ -20,3 +23,46 @@ long x32_sys_call(const struct pt_regs *
+ 	default: return __x64_sys_ni_syscall(regs);
+ 	}
  };
 +
 +/* Maybe enable x32 syscalls */
@@ -129,7 +129,7 @@ Signed-off-by: Ben Hutchings <ben@decade
 +arch_param_cb(x32, &x32_param_ops, NULL, 0444);
 --- a/arch/x86/include/asm/elf.h
 +++ b/arch/x86/include/asm/elf.h
-@@ -11,6 +11,9 @@
+@@ -11,6 +11,9 @@ 
  #include <asm/user.h>
  #include <asm/auxvec.h>
  #include <asm/fsgsbase.h>
@@ -151,7 +151,7 @@ Signed-off-by: Ben Hutchings <ben@decade
  # error "The following code assumes __USER32_DS == __USER_DS"
 --- a/arch/x86/include/asm/syscall.h
 +++ b/arch/x86/include/asm/syscall.h
-@@ -13,6 +13,7 @@
+@@ -13,6 +13,7 @@ 
  #include <uapi/linux/audit.h>
  #include <linux/sched.h>
  #include <linux/err.h>
@@ -159,9 +159,9 @@ Signed-off-by: Ben Hutchings <ben@decade
  #include <asm/thread_info.h>	/* for TS_COMPAT */
  #include <asm/unistd.h>
  
-@@ -30,6 +31,18 @@ extern const sys_call_ptr_t ia32_sys_cal
- extern const sys_call_ptr_t x32_sys_call_table[];
- #endif
+@@ -28,6 +29,18 @@ extern long ia32_sys_call(const struct p
+ extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
+ extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
  
 +#if defined(CONFIG_X86_X32_ABI)
 +#if defined(CONFIG_X86_X32_DISABLED)
##########################################################
# 0011-arm64-dts-rockchip-Enable-GPU-on-SOQuartz-CM4-patch.patch
##########################################################
--- a/debian/patches/features/arm64/quartz64/arm64-dts-rockchip-Enable-GPU-on-SOQuartz-CM4.patch	2025-01-14 23:39:42.593671314 -0000
+++ b/debian/patches/features/arm64/quartz64/arm64-dts-rockchip-Enable-GPU-on-SOQuartz-CM4.patch	2025-01-15 08:42:16.397158372 -0000
@@ -9,25 +9,16 @@ Signed-off-by: Nicolas Frattaroli <fratt
 Link: https://lore.kernel.org/r/20221112160404.70868-2-frattaroli.nicolas@gmail.com
 Signed-off-by: Heiko Stuebner <heiko@sntech.de>
 ---
- arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
-index 5bcd4be32964..6e99f049501c 100644
---- a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
-+++ b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
-@@ -143,6 +143,11 @@
- 	status = "disabled";
- };
- 
-+&gpu {
-+	mali-supply = <&vdd_gpu>;
-+	status = "okay";
-+};
-+
- &i2c0 {
- 	status = "okay";
- 
--- 
-2.39.0
 
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c     2025-01-14 07:21:38.223397384 -0000
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c     2025-01-14 22:27:11.640317226 -0000
+@@ -31,7 +31,7 @@ static const struct ieee80211_channel mt
+ 	CHAN2G(1, 2412),
+ 	CHAN2G(2, 2417),
+ 	CHAN2G(3, 2422),
+-	CHAN2G(4, 2427),
++		CHAN2G(4, 2427),
+ 	CHAN2G(5, 2432),
+ 	CHAN2G(6, 2437),
+ 	CHAN2G(7, 2442),
+--
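Review bot: the dropped hunk only touches arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi, which an amd64 build never compiles, so there was no reason to touch this patch for the x299 target other than that it no longer applied. If the base source already has the `&gpu` node, the right move is to drop the entry from the series rather than substitute yet another `CHAN2G(4, 2427)` indentation flip that depends on the state left by 0008.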
This is in the OP post and is what I am using with the above; these are the three files debian uses for the kernel, and I kept the debian patch + dsc so it matches the patch set, to have the tainted orig tarball work.

Code: Select all

KERNEL_ARCHIVE="https://www.dropbox.com/scl/fi/isqrcpbld7pk6iln2dt6c/linux_6.1.124.orig.tar.xz?rlkey=kdldkzec29i70aq689yoy2yv2&st=toxjojql&dl=0&raw=1 -> ${KERNEL}"
DEB_PATCH_ARCHIVE="https://www.dropbox.com/scl/fi/bfuyprfhj7cq17dzbruqf/linux_6.1.124-1.debian.tar.xz?rlkey=44pi91kwxa6v8mpnj5i8rcw0n&st=mmnekdpy&raw=1 -> ${DEB_PATCH}"
DEB_DSC_ARCHIVE="https://www.dropbox.com/scl/fi/gaia3pyf5fy3uxn12rv34/linux_6.1.124-1.dsc?rlkey=84johlvp7kd8l093pj9knmdtf&st=9biultvi&dl=0&raw=1 -> linux_${DEB_PV}.dsc"
This is the tainted source in that orig tarball.

https://github.com/anthraxx/linux-hardened

I have what's needed to make a custom debian work; I just seek to make this work in a .deb file, which I know nothing about, with this .config:

https://github.com/1mouse3/liguros-xxx/ ... es/.config

There is config that needs to be set in that .config for efistub to be an option, and it is not set here. This is why efistub is one of the three asked questions, and as said above as to why.

Code: Select all

# CONFIG_EFI_STUB is not set
CONFIG_DEFAULT_INIT=""
CONFIG_INITRAMFS_SOURCE=""
So the final question is over a RO sandbox for root only and not home; home is to be a copy of the one currently used. Squashfs does the RO sandbox and MX linux is using this; the issue is I don't know the correct terms used for such. The reason for this is that if the system crashes when building the OS in chroot, it will corrupt data that is RW for root, and I don't want this to occur since it will entail a rebuild. So I would like MX linux to be set up like this...
Code: Select all

HDD-PART-A= source of MX linux root, so it can be updated and remake the USB when needed
HDD-PART-B= ESP boot for HDD-PART-A
HDD-PART-C= copy of current home
USB-PART-A= RO sandbox of MX linux for normal use, would like this to be compressed and to be ran in tempfs since have the ram for that so dont need a large usb that will get hot and degrade.
USB-PART-B= ESP boot for USB-PART-A
This variable would need to be known as well, since the fstab will be in the above initramfs. I need to get the x299 board working first as a replacement for the x79; then I can worry about the x79 migrating to a ts440 case or a P10S-M board becoming a router/switch. The P10S-M is headless on the main board but has an aspeed bmc for a head; I will ask about getting into it in another thread. I don't like needing a hard reset if a part of lxqt/kwin crashes like under systemd; I dealt with this using arch for a decade, and it corrupts data that calls for a rebuild of root. A decade before that was with slackware and the past year with gentoo; sysvinit and openrc work about the same, and the same crash there is a temporarily dead window and a restart of the program with a note of what failed in a pop-up. The reason for needing MX linux is for a recovery gui to build gentoo in on the x299 only, so I don't keep breaking it doing stuff in the terminal and typing out instructions found on a phone's internet. MX linux is fine for what it is and not what I would want of a main os; gentoo can be tailored to what I want and need. This is the outcome of working from that terminal; now the liguros build is probably going to have to be redone, and that took days to get sorted. What occurred can and probably will happen to MX linux if it is not in a RO sandbox for root, and that is why I seek the above configuration of MX linux.


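
Added example (not code from the post, Debian or Gentoo): a checker for the .config fragments quoted in the post above. It parses both line shapes Kconfig writes, reports whether CONFIG_EFI_STUB is on and CONFIG_IA32_EMULATION / CONFIG_X86_X32_ABI are off, and can rewrite the file so they are. The sample .config is constructed from the two fragments in the post.

```python
"""Check a kernel .config for the settings the post depends on.

Added example, not code from the post or from Debian/Gentoo tooling. It parses
`CONFIG_X=value` and `# CONFIG_X is not set` lines, checks the options quoted
in the post and can rewrite the file so the checks pass.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

_SET_RE = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")
ABSENT = "<absent>"  # reported when an option does not appear at all


def parse_config(text: str) -> Dict[str, Optional[str]]:
    """Map option -> value; None means '# CONFIG_X is not set'. Section comments
    are skipped and string quotes removed, so CONFIG_DEFAULT_INIT="" gives ''."""
    entries: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            entries[m.group(1)] = value
            continue
        m = _UNSET_RE.match(line)
        if m:
            entries[m.group(1)] = None
    return entries


@dataclass(frozen=True)
class Rule:
    option: str
    want: Optional[str]  # "y", "m", a literal, or None for "must not be set"
    why: str


# From the post: EFI_STUB on for the embedded bootloader; both 32-bit ABIs off.
RULES: Tuple[Rule, ...] = (
    Rule("EFI_STUB", "y", "kernel must boot directly as an EFI binary"),
    Rule("IA32_EMULATION", None, "32-bit user-space ABI breaks the static build"),
    Rule("X86_X32_ABI", None, "x32 ABI breaks the static build"),
)


def check_config(text: str, rules=RULES) -> Dict[str, Tuple[bool, Optional[str]]]:
    """{option: (ok, actual)}; ABSENT counts as off, which satisfies a None rule."""
    cfg = parse_config(text)
    results: Dict[str, Tuple[bool, Optional[str]]] = {}
    for rule in rules:
        if rule.option not in cfg:
            results[rule.option] = (rule.want is None, ABSENT)
        else:
            results[rule.option] = (cfg[rule.option] == rule.want, cfg[rule.option])
    return results


def render(name: str, want: Optional[str]) -> str:
    """The .config line for an option, in the shape Kconfig itself writes."""
    if want is None:
        return f"# CONFIG_{name} is not set"
    if want in ("y", "m", "n") or want.startswith("0x") or want.isdigit():
        return f"CONFIG_{name}={want}"
    return f'CONFIG_{name}="{want}"'


def enforce(text: str, rules=RULES) -> str:
    """Rewrite the .config so every rule holds: matching lines are replaced in
    place, absent options appended. Like scripts/config this is a text edit;
    run `make olddefconfig` afterwards so Kconfig resolves dependencies."""
    wanted = {r.option: r.want for r in rules}
    out, seen = [], set()
    for raw in text.splitlines():
        m = _SET_RE.match(raw.strip()) or _UNSET_RE.match(raw.strip())
        if m and m.group(1) in wanted:
            seen.add(m.group(1))
            out.append(render(m.group(1), wanted[m.group(1)]))
        else:
            out.append(raw)
    out.extend(render(n, w) for n, w in wanted.items() if n not in seen)
    return "\n".join(out) + "\n"


# Constructed from the two .config fragments quoted in the post.
SAMPLE_CONFIG = """\
#
# Binary Emulations
#
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32_ABI is not set
# end of Binary Emulations

# CONFIG_EFI_STUB is not set
CONFIG_DEFAULT_INIT=""
CONFIG_INITRAMFS_SOURCE=""
"""
```

Run against the post's own fragments, `check_config(SAMPLE_CONFIG)` flags CONFIG_EFI_STUB as the one failing rule; `enforce()` flips that single line and leaves the rest of the file untouched.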

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Wed Mar 12, 2025 11:49 am
by 1mouse3
I did some digging to see if I can find the .deb that would need to be edited to make this work, and I think I found it here.

https://deb.debian.org/debian/pool/main/l/linux/

I think this is the one that builds off source, but I'm not too sure on that.

linux-kbuild-6.1_6.1.124-1_amd64.deb

and I see this as the source I would want to replace:

linux-source-6.1_6.1.124-1_all.deb

I will look again later, but I'm not sure I'm seeing a .deb that builds source based on the 3 files I have.

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Wed Mar 12, 2025 10:13 pm
by 1mouse3
I tried to make sense of all that is listed here, and there is a missing step not disclosed here. Also, I will want to change what I will be using in the gentoo/liguros build at some point; 6.1.128 is a security update and what buster stable seems to be recommending. I will stick with 6.1.124 till this is all working, before I play with patches again.

https://packages.debian.org/bookworm/linux-source-6.1

That leads here, as to what gives the .deb file used to install this.

https://packages.debian.org/bookworm/al ... 1/download

So this file in the above pool is the output of whatever commands were used on the 3 files I have.

Code: Select all

linux-source-6.1_6.1.124-1_all.deb
The md5sums in that shows this.

Code: Select all

169f84fc28447fc6d4b31f5a5f5abf74  usr/share/doc/linux-source-6.1/changelog.Debian.gz
9fd298cedfdc3554b2625e165d0f9997  usr/share/doc/linux-source-6.1/copyright
6a4a8682685b8290a6c77752b5526f36  usr/src/linux-source-6.1.tar.xz
So this is the tarball that needs to be made from the 3 files and put in the given .deb.

Code: Select all

linux-source-6.1.tar.xz
Am I correct in what I see, in that it's like the tarball of slackware, but instead of there being a header file in the tarball to set up the install, .deb is some sort of wrapper for the tarball so an external script can control the install? I don't remember slackware well since it was so long ago, so I can't give a good example for comparison. Either way, do any of you know how this is made and could give a pointer to how this is made? Also I see this in the pool; is this something to sign modules for that, or is that something else?

Code: Select all

linux-image-amd64-signed-template_6.1.124-1_amd64
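
On the question of what the .deb wraps, as an added example (not the post's code and not dpkg's): a .deb is an ar archive with three members, `debian-binary`, a `control.tar.*` holding the metadata plus the `md5sums` file listed above, and a `data.tar.*` with the files to install, such as `usr/src/linux-source-6.1.tar.xz`. The code builds one in memory from constructed stand-in contents, reads it back member by member, and checks every payload file against `md5sums`, which is also how a payload altered after packaging shows up.

```python
"""Build a minimal .deb in memory and verify its payload against md5sums.

Added example, not code from the post or from dpkg. A .deb is an ar(1) archive
with three members: `debian-binary`, `control.tar.*` (metadata, including the
md5sums file quoted in the post) and `data.tar.*` (the files to install).
"""
import hashlib
import io
import tarfile
from typing import Dict


def _ar_member(name: str, data: bytes) -> bytes:
    """One ar member: 60-byte fixed-width header, data, pad to even length."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n".encode("ascii")
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_bytes(files: Dict[str, bytes], comp: str) -> bytes:
    """Tar {path: content} pairs with the './' prefix dpkg uses."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + comp) as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(payload: Dict[str, bytes], control: str) -> bytes:
    """Assemble the three members in the order dpkg-deb writes them."""
    md5sums = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in sorted(payload.items()))
    control_tar = _tar_bytes({"control": control.encode(), "md5sums": md5sums.encode()}, "gz")
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tar)
            + _ar_member("data.tar.xz", _tar_bytes(payload, "xz")))


def read_deb(blob: bytes) -> Dict[str, bytes]:
    """Split an ar archive into {member name: bytes}, rejecting bad headers."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad ar header at offset {pos}")
        name = hdr[:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # every member starts on an even offset
    return members


def _strip_dot(path: str) -> str:
    return path[2:] if path.startswith("./") else path


def verify_deb(blob: bytes) -> Dict[str, bool]:
    """{path: matches md5sums?} for each file in data.tar; paths listed in md5sums
    but missing from the payload are False. md5sums is an integrity list, not a
    signature: authenticity comes from the signed repository index."""
    members = read_deb(blob)
    if members.get("debian-binary") != b"2.0\n":
        raise ValueError("unsupported deb format version")
    ctl_name = next(n for n in members if n.startswith("control.tar"))
    dat_name = next(n for n in members if n.startswith("data.tar"))
    expected: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(members[ctl_name]), mode="r:*") as ctl:
        for m in ctl.getmembers():
            if _strip_dot(m.name) == "md5sums":
                for line in ctl.extractfile(m).read().decode().splitlines():
                    digest, path = line.split("  ", 1)
                    expected[path] = digest
    results: Dict[str, bool] = {}
    with tarfile.open(fileobj=io.BytesIO(members[dat_name]), mode="r:*") as data:
        for m in data.getmembers():
            if m.isfile():
                actual = hashlib.md5(data.extractfile(m).read()).hexdigest()
                results[_strip_dot(m.name)] = expected.get(_strip_dot(m.name)) == actual
    for path in expected:
        results.setdefault(path, False)
    return results


def replace_data(blob: bytes, payload: Dict[str, bytes]) -> bytes:
    """Re-pack with a new data.tar but the original control.tar (payload changed
    after packaging, so md5sums should stop matching)."""
    out = b"!<arch>\n"
    for name, data in read_deb(blob).items():
        out += _ar_member(name, _tar_bytes(payload, "xz") if name.startswith("data.tar") else data)
    return out


# Constructed stand-ins for the files in the post's md5sums output.
SAMPLE_PAYLOAD = {
    "usr/src/linux-source-6.1.tar.xz": b"<constructed: kernel source tarball bytes>",
    "usr/share/doc/linux-source-6.1/copyright": b"<constructed: copyright text>",
}
SAMPLE_CONTROL = "Package: linux-source-6.1\nVersion: 6.1.124-1\nArchitecture: all\n"
```

On a real package, `ar t linux-source-6.1_6.1.124-1_all.deb` lists the same three members and `dpkg-deb -c` shows the data.tar contents.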

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Wed Mar 12, 2025 11:11 pm
by 1mouse3
Searching for info on that source tarball, I found this on an older kernel.

https://debian-handbook.info/browse/sta ... ation.html

What I see there is running me in circles with commands to make that tarball, and they are something similar to what I have in the gentoo ebuild.

Code: Select all

restore_config .config
emake ${MAKECONF[@]} olddefconfig
emake ${MAKECONF[@]} bzImage
emake ${MAKECONF[@]} modules_prepare modules 
emake ${MAKECONF[@]} all
make prepare
make scripts
installkernel ${KERNELTAGS} ${S}/arch/x86/boot/bzImage ${S}/System.map ${D}/boot/
sbsign --key /root/secureboot/MOK.key --cert /root/secureboot/MOK.crt /boot/vmlinuz-${KERNELTAGS}
rsync -ar /usr/src/linux-${KERNELTAGS}/video/ ${image}/lib/modules/${KERNELTAGS}/video
depmod -b ${D} -ae -F System.map ${KERNELTAGS}
I don't see the boot part, but this is what I have in the ebuild:

Code: Select all

emake ${MAKECONF[@]} install INSTALL_PATH=${D}/boot/
emake ${MAKECONF[@]} ${TARGETS[@]} INSTALL_MOD_PATH=${D} INSTALL_PATH=${D}/boot/
So what's in this is made with the ebuild. So the thought is to make an addition to it, so that it will make this tarball of the image.

Code: Select all

linux-source-6.1.tar.xz
Then have MX linux run "make deb-pkg" on that tarball to make this .deb. Am I correct on this path to get the custom kernel, or is there something I'm missing here?

Code: Select all

linux-source-6.1_6.1.124-1_all.deb
This is in the debian patch tarball:

Code: Select all

Missing debian/certs/debian-uefi-certs.pem
So is this needed in the .config, to go with that?

Code: Select all

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY=""
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
# end of Certificates for signature checking
EDIT: I'm seeing this, looking more into it.

https://www.dwarmstrong.org/kernel/

It's making the .deb off the unpacked source that the ebuild makes, and uses this command to do so.

Code: Select all

make deb-pkg LOCALVERSION=-custom
Then it says this symlink string should do this

Code: Select all

$ ls -l ../*.deb
../linux-headers-6.1.124-custom_6.1.124-custom-1_amd64.deb
../linux-image-6.1.124-custom_6.1.124-custom-1_amd64.deb
../linux-libc-dev_6.1.124-custom-1_amd64.deb
Then this to install.

Code: Select all

$ sudo dpkg -i ../linux-image-6.1.124-custom_6.1.124-custom-1_amd64.deb
$ sudo dpkg -i ../linux-headers-6.1.124-custom_6.1.124-custom-1_amd64.deb

EDIT:EDIT:

Was looking over the gentoo patches that came with the ebuild, to see what sets it for use on gentoo, and found this.

https://github.com/1mouse3/liguros-xxx/ ... nfig.patch

Looking in the debian patch tarball, I found this python script to make the same.

Code: Select all

from collections import OrderedDict

__all__ = (
    "KconfigFile",
)


class KConfigEntry(object):
    __slots__ = 'name', 'value', 'comments'

    def __init__(self, name, value, comments=None):
        self.name, self.value = name, value
        self.comments = comments or []

    def __eq__(self, other):
        return self.name == other.name and self.value == other.value

    def __hash__(self):
        return hash(self.name) | hash(self.value)

    def __repr__(self):
        return ('<{}({!r}, {!r}, {!r})>'
                .format(self.__class__.__name__, self.name, self.value,
                        self.comments))

    def __str__(self):
        return 'CONFIG_{}={}'.format(self.name, self.value)

    def write(self):
        for comment in self.comments:
            yield '#. ' + comment
        yield str(self)


class KConfigEntryTristate(KConfigEntry):
    __slots__ = ()

    VALUE_NO = False
    VALUE_YES = True
    VALUE_MOD = object()

    def __init__(self, name, value, comments=None):
        if value == 'n' or value is None:
            value = self.VALUE_NO
        elif value == 'y':
            value = self.VALUE_YES
        elif value == 'm':
            value = self.VALUE_MOD
        else:
            raise NotImplementedError
        super(KConfigEntryTristate, self).__init__(name, value, comments)

    def __str__(self):
        if self.value is self.VALUE_MOD:
            return 'CONFIG_{}=m'.format(self.name)
        if self.value:
            return 'CONFIG_{}=y'.format(self.name)
        return '# CONFIG_{} is not set'.format(self.name)


class KconfigFile(OrderedDict):
    def __str__(self):
        ret = []
        for i in self.str_iter():
            ret.append(i)
        return '\n'.join(ret) + '\n'

    def read(self, f):
        for line in iter(f.readlines()):
            line = line.strip()
            if line.startswith("CONFIG_"):
                i = line.find('=')
                option = line[7:i]
                value = line[i + 1:]
                self.set(option, value)
            elif line.startswith("# CONFIG_"):
                option = line[9:-11]
                self.set(option, 'n')
            elif line.startswith("#") or not line:
                pass
            else:
                raise RuntimeError("Can't recognize %s" % line)

    def set(self, key, value):
        if value in ('y', 'm', 'n'):
            entry = KConfigEntryTristate(key, value)
        else:
            entry = KConfigEntry(key, value)
        self[key] = entry

    def str_iter(self):
        for key, value in self.items():
            yield str(value)
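
An added example for the post above, tying the "make deb-pkg" path to the signing settings it asks about; this is not code from the post, from the Gentoo ebuild or from Debian's packaging. The config fragment shown points CONFIG_SYSTEM_TRUSTED_KEYS at debian/certs/debian-uefi-certs.pem, a file that only exists inside Debian's own packaging tree, which is where the "Missing debian/certs/debian-uefi-certs.pem" error comes from, and leaves CONFIG_MODULE_SIG_KEY empty because Debian signs modules in a separate step. For a local build the practical fix is to trust your own MOK certificate in the built-in keyring and let the build sign every module with the MOK, then sign the EFI-stub image with sbsign and check it with sbverify before relying on it. Assumptions not on the page: the source tree is $KSRC, the key and certificate are /root/secureboot/MOK.key and MOK.crt as in the ebuild's sbsign line, and the sbsigntool package (sbsign, sbverify) is installed.

```shell
#!/bin/sh
# Added example: make deb-pkg with module and image signing keyed to the MOK.
# Assumed paths (not from the page): $KSRC, /root/secureboot/MOK.{key,crt}.
set -eu

KSRC="${KSRC:-/usr/src/linux}"
MOK_KEY="${MOK_KEY:-/root/secureboot/MOK.key}"
MOK_CRT="${MOK_CRT:-/root/secureboot/MOK.crt}"
MOK_PEM="${MOK_PEM:-/root/secureboot/MOK.pem}"   # key + cert in one PEM
LOCALVERSION="${LOCALVERSION:--custom}"

# Set or replace one symbol in a .config, whichever form Kconfig wrote:
# CONFIG_X=y, CONFIG_X="string" or "# CONFIG_X is not set".
# Usage: set_kconfig <.config> <NAME without CONFIG_> <value>
set_kconfig() {
    cfg=$1; name=$2; value=$3
    tmp="$cfg.tmp.$$"
    grep -v -e "^CONFIG_$name=" -e "^# CONFIG_$name is not set" "$cfg" > "$tmp" || true
    printf 'CONFIG_%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Read a symbol back; prints nothing if it is absent or "is not set".
get_kconfig() {
    sed -n "s/^CONFIG_$2=//p" "$1"
}

# Replace Debian's in-tree certificate path with the MOK certificate and
# turn on in-build module signing with the MOK. CONFIG_MODULE_SIG_KEY must
# name a PEM holding both the private key and the certificate; the kernel
# also extracts that certificate into the built-in keyring.
fix_signing_config() {
    cfg=$1; crt=$2; pem=$3
    set_kconfig "$cfg" SYSTEM_TRUSTED_KEYRING y
    set_kconfig "$cfg" SYSTEM_TRUSTED_KEYS "\"$crt\""
    set_kconfig "$cfg" MODULE_SIG y
    set_kconfig "$cfg" MODULE_SIG_ALL y
    set_kconfig "$cfg" MODULE_SIG_KEY "\"$pem\""
}

# Sign the EFI-stub image with the MOK and verify it before it is booted;
# sbsign writes <image>.signed, sbverify exits non-zero on a bad signature.
sign_kernel() {
    sbsign --key "$MOK_KEY" --cert "$MOK_CRT" --output "$1.signed" "$1"
    sbverify --cert "$MOK_CRT" "$1.signed"
}

build_deb() {
    cat "$MOK_KEY" "$MOK_CRT" > "$MOK_PEM"
    chmod 600 "$MOK_PEM"
    fix_signing_config "$KSRC/.config" "$MOK_CRT" "$MOK_PEM"
    ( cd "$KSRC" && make olddefconfig && make -j"$(nproc)" deb-pkg LOCALVERSION="$LOCALVERSION" )
    # The packages land in the parent directory of $KSRC, e.g.
    # ../linux-image-6.1.124-custom_6.1.124-custom-1_amd64.deb. After
    # dpkg -i, sign the installed image: sign_kernel /boot/vmlinuz-<version>
}

# Only build when asked, so the file can be sourced for its functions.
if [ "${RUN_KERNEL_BUILD:-0}" = 1 ]; then
    build_deb
fi
```

Usage: `RUN_KERNEL_BUILD=1 KSRC=/usr/src/linux-6.1.124 sh build-signed-deb.sh`, then `dpkg -i ../linux-image-6.1.124-custom_6.1.124-custom-1_amd64.deb` and `sign_kernel /boot/vmlinuz-6.1.124-custom`. Keep MOK.key and the combined MOK.pem readable by root only; anything that can read them can sign modules the kernel will load.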


Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Thu Mar 13, 2025 2:01 am
by 1mouse3
Doing that would mean the core packages would have to match, but there is a vast version difference; this would make gcc different and incompatible. Also there is glibc vs klibc, where both would need to be switched to uclibc-ng. I'm not sure I can get packages that old for gentoo, and newer ones in debian sid don't quite come that new and are marked unstable.

Code: Select all

# Gentoo linux
binutils 2.43-r2
gcc 14.2.1_p20241221
boost 1.85.0-r1
ninja 1.12.1
nodejs 22.13.1
python 3.11.11

# MX linux
binutils 2.40-2
gcc 12.2.0-14
boost mia
ninja 1.11.1-2 but uninstalled
nodejs 18.19.0 but uninstalled
python 3.11.2

Re: Custom kernel to match chroot, efistub for embedded bootloader and RO sandbox for root not home (using respin))

Posted: Thu Mar 13, 2025 11:56 am
by 1mouse3
MX linux is incompatible with what I need for an RO sandbox rescue USB; it is not possible for core program versions to be made a match. It would be more viable to find something closer in version history like alpine, and port these three programs over to that distro with their dependencies. Thanks to whoever made these; these are useful tools.

# Chroot rescue
https://github.com/BitJam/chroot-rescue
https://github.com/BitJam/cli-shell-utils

# ISO snapshot
https://github.com/MX-Linux/mx-snapshot ... an/control
https://github.com/MX-Linux/mx-remaster ... an/control
https://github.com/antiX-Linux/antix-li ... an/control

# USB maker
https://github.com/MX-Linux/lum-qt-appi ... g/19.11.02
https://github.com/MX-Linux/lum-qt-appi ... xcludelist
https://github.com/AppImage/AppImageKit/issues/1015 (musl in alpine will be an issue best solved by switching to uclibc-ng)