From c5eec3efed85f4546b34417ac6794037db99491d Mon Sep 17 00:00:00 2001 From: Ilya Lukyanov Date: Tue, 21 Oct 2025 19:45:49 +0400 Subject: [PATCH 1/9] backport: cherry-pick GCP-related patches from private repo --- Makefile | 15 +- base/debloat.sh | 12 +- base/mkosi.conf | 1 - bob-l1/mkosi.conf | 1 + buildernet/mkosi.conf | 3 +- flake.nix | 16 +- kernel/mkosi.build | 12 +- kernel/snippets/ubuntu.config | 1216 +++++++++++++++++ mkosi.profiles/devtools/mkosi.conf | 20 +- .../systemd/system}/serial-console.service | 0 mkosi.profiles/gcp/mkosi.conf | 4 + mkosi.profiles/gcp/mkosi.extra/etc/hosts | 4 + .../gcp/mkosi.extra/etc/resolv.conf | 2 + .../mkosi.extra/usr/lib/udev/google_nvme_id | 248 ++++ .../lib/udev/rules.d/65-gce-disk-naming.rules | 43 + mkosi.profiles/gcp/mkosi.postoutput | 35 +- scripts/make_git_package.sh | 25 +- services/chrony.conf | 33 + 18 files changed, 1659 insertions(+), 31 deletions(-) create mode 100644 kernel/snippets/ubuntu.config rename mkosi.profiles/devtools/{ => mkosi.extra/etc/systemd/system}/serial-console.service (100%) create mode 100644 mkosi.profiles/gcp/mkosi.conf create mode 100644 mkosi.profiles/gcp/mkosi.extra/etc/hosts create mode 100644 mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf create mode 100755 mkosi.profiles/gcp/mkosi.extra/usr/lib/udev/google_nvme_id create mode 100644 mkosi.profiles/gcp/mkosi.extra/usr/lib/udev/rules.d/65-gce-disk-naming.rules create mode 100644 services/chrony.conf diff --git a/Makefile b/Makefile index a41be0c..5154bc6 100644 --- a/Makefile +++ b/Makefile 
@@ -39,16 +39,15 @@ setup: ## Install dependencies (Linux only) # Build module build: check-perms setup ## Build the specified module - @$(WRAPPER) mkosi --force -I $(IMAGE).conf + $(WRAPPER) mkosi --force -I $(IMAGE).conf # Build module with devtools profile build-dev: check-perms setup ## Build module with development tools - @$(WRAPPER) mkosi --force --profile=devtools -I $(IMAGE).conf + $(WRAPPER) mkosi --force --profile=devtools -I $(IMAGE).conf ##@ Utilities -# Run measured-boot on the EFI file -measure: ## Export TDX measurements for the built image +measure: ## Export TDX measurements for the built EFI file @if [ ! -f build/tdx-debian.efi ]; then \ echo "Error: build/tdx-debian.efi not found. Run 'make build' first."; \ exit 1; \ @@ -56,6 +55,14 @@ measure: ## Export TDX measurements for the built image @$(WRAPPER) measured-boot build/tdx-debian.efi build/measurements.json --direct-uki echo "Measurements exported to build/measurements.json" +measure-gcp: ## Export TDX measurements for GCP + @if [ ! -f build/tdx-debian.efi ]; then \ + echo "Error: build/tdx-debian.efi not found. Run 'make build' first."; \ + exit 1; \ + fi + @$(WRAPPER) dstack-mr -uki build/tdx-debian.efi -json > build/gcp_measurements.json + echo "GCP Measurements exported to build/gcp_measurements.json" + # Clean build artifacts clean: ## Remove cache and build artifacts rm -rf build/ mkosi.builddir/ mkosi.cache/ lima-nix/ diff --git a/base/debloat.sh b/base/debloat.sh index c4364f5..89a3b10 100755 --- a/base/debloat.sh +++ b/base/debloat.sh @@ -23,7 +23,6 @@ debloat_paths=( "/usr/share/bug" "/usr/share/menu" "/usr/share/systemd" - "/usr/share/bash-completion" "/usr/share/zsh" "/usr/share/mime" "/usr/lib/modules" 
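Review bot: The new `measure-gcp` target redirects `dstack-mr` output straight into `build/gcp_measurements.json`, so a failing or interrupted run leaves an empty or truncated file at the exact path later steps read as the reference measurements. Writing to a temporary name and renaming only on success avoids a stale or partial measurement file being consumed: `@$(WRAPPER) dstack-mr -uki build/tdx-debian.efi -json > build/gcp_measurements.json.tmp && mv build/gcp_measurements.json.tmp build/gcp_measurements.json`. The trailing `echo` is not `@`-silenced, which matches the existing `measure` target, so make will print the command text before the message; prefix it with `@` if only the message is wanted.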
@@ -40,4 +39,13 @@ debloat_paths=( "/nix" ) -for p in "${debloat_paths[@]}"; do rm -rf $BUILDROOT$p; done +if [[ ! "$PROFILES" == *"devtools"* ]]; then + debloat_paths+=( + "/usr/share/bash-completion" + ) +fi + +for p in "${debloat_paths[@]}"; do + echo "Debloating $p" + rm -rf $BUILDROOT$p +done diff --git a/base/mkosi.conf b/base/mkosi.conf index 617a77e..edfc674 100644 --- a/base/mkosi.conf +++ b/base/mkosi.conf @@ -42,7 +42,6 @@ BuildPackages=build-essential cmake pkg-config clang - cargo flex bison elfutils diff --git a/bob-l1/mkosi.conf b/bob-l1/mkosi.conf index eb1b79f..95bc776 100644 --- a/bob-l1/mkosi.conf +++ b/bob-l1/mkosi.conf @@ -10,6 +10,7 @@ BuildScripts=bob-l1/mkosi.build BuildPackages=build-essential git gcc + cargo zlib1g-dev libzstd-dev libleveldb-dev diff --git a/buildernet/mkosi.conf b/buildernet/mkosi.conf index bd42339..8c84049 100644 --- a/buildernet/mkosi.conf +++ b/buildernet/mkosi.conf @@ -16,7 +16,8 @@ Packages=prometheus libsnappy1v5 netcat-openbsd bubblewrap -BuildPackages=libleveldb-dev +BuildPackages=cargo + libleveldb-dev libsnappy-dev zlib1g-dev libzstd-dev diff --git a/flake.nix b/flake.nix index 325e93e..1824d89 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,17 @@ }; vendorHash = "sha256-NrZjORe/MjfbRDcuYVOGjNMCo1JGWvJDNVEPojI3L/g="; }; + measured-boot-gcp = pkgs.buildGoModule { + pname = "measured-boot-gcp"; + version = "main"; + src = pkgs.fetchFromGitHub { + owner = "flashbots"; + repo = "dstack-mr-gcp"; + rev = "3d718ab28599ea0c05e65d0f742fdee9fc17a5c7"; + sha256 = "sha256-KFo9wcQuG98Hi4mlMr5VS6D6/STW7jzZ9y1DyqsI820="; + }; + vendorHash = "sha256-MxOQSXLAbWC1SOCPzPrNcU20WElbe7eUVdCLTutSYM8="; + }; mkosi = system: let pkgsForSystem = import nixpkgs {inherit system;}; mkosi-unwrapped = pkgsForSystem.mkosi.override { @@ -53,11 +64,14 @@ mtools mustache-go cryptsetup + gptfdisk + mtools util-linux zstd which qemu-utils parted + unzip ] ++ [reprepro]; }; 
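Review bot: The rewritten loop keeps `rm -rf $BUILDROOT$p` unquoted, and with `$BUILDROOT` unset or empty the entries in `debloat_paths` (`/usr/lib/modules`, `/usr/share/...`) resolve to the build host's own filesystem. Quoting and requiring the variable, `rm -rf "${BUILDROOT:?BUILDROOT is not set}$p"`, makes the script abort instead of deleting host paths. The new profile check reads `"$PROFILES"` unguarded; whether this script runs under `set -u` is not visible here, but `"${PROFILES:-}"` keeps the test correct either way. The `debloat_paths` array being extended starts outside the hunk.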
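Review bot: The new `measured-boot-gcp` derivation pins `rev`, `sha256` and `vendorHash`, which is what makes the measurement tool reproducible, but `version = "main"` does not identify that pin and reads as a moving branch in the derivation name. Naming the version after the pinned commit or its date, e.g. `version = "0-unstable-<rev-date>";` using the date of rev 3d718ab, keeps the derivation name truthful. The existing `measured-boot` entry above is only partly visible, so whether it follows the same convention cannot be checked here.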
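Review bot: The added `mtools` line duplicates the `mtools` entry already present three items earlier in the same package list, so the second one should be dropped and only `gptfdisk` and `unzip` kept as new entries. Nix tolerates the repeated element, but it suggests the list was not checked against what was already there. The list's opening bracket is outside the hunk.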
@@ -76,7 +90,7 @@ devShells = builtins.listToAttrs (map (system: { name = system; value.default = pkgs.mkShell { - nativeBuildInputs = [(mkosi system) measured-boot]; + nativeBuildInputs = [(mkosi system) measured-boot measured-boot-gcp]; shellHook = '' mkdir -p mkosi.packages mkosi.cache mkosi.builddir ~/.cache/mkosi ''; diff --git a/kernel/mkosi.build b/kernel/mkosi.build index 51ac5a7..b9a641c 100755 --- a/kernel/mkosi.build +++ b/kernel/mkosi.build @@ -2,7 +2,7 @@ set -euo pipefail # Configuration -KERNEL_VERSION="6.13.12" +KERNEL_VERSION="6.15.8" KERNEL_REPO="https://github.com/gregkh/linux" BASE_CONFIG="$SRCDIR/kernel/kernel-yocto.config" @@ -30,19 +30,19 @@ if [[ -f "$kernel_file" ]]; then else echo "Building kernel from source..." build_dir="$BUILDROOT/build/kernel-${KERNEL_VERSION}" - + # Clone if needed [[ ! -d "$build_dir" ]] && git clone --depth 1 --branch "v${KERNEL_VERSION}" "$KERNEL_REPO" "$build_dir" - + # Build kernel cd "$build_dir" cp "$config_file" .config export KBUILD_BUILD_TIMESTAMP="$(date -u -d @${SOURCE_DATE_EPOCH:-$(date +%s)})" export KBUILD_BUILD_USER="mkosi" KBUILD_BUILD_HOST="mkosi-builder" - + mkosi-chroot --chdir "/build/kernel-${KERNEL_VERSION}" make olddefconfig mkosi-chroot --chdir "/build/kernel-${KERNEL_VERSION}" make -j "$(nproc 2>/dev/null || echo 2)" bzImage ARCH=x86_64 CONFIG_EFI_STUB=y - + # Cache result mkdir -p "$cache_dir" cp arch/x86_64/boot/bzImage "$cache_dir/" @@ -54,4 +54,4 @@ mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_VERSION" cp "$kernel_file" "$DESTDIR/usr/lib/modules/$KERNEL_VERSION/vmlinuz" rm -f "$config_file" -echo "Kernel installed successfully" \ No newline at end of file +echo "Kernel installed successfully" diff --git a/kernel/snippets/ubuntu.config b/kernel/snippets/ubuntu.config new file mode 100644 index 0000000..3bbf3f4 --- /dev/null +++ b/kernel/snippets/ubuntu.config 
@@ -0,0 +1,1216 @@ +CONFIG_ACCESSIBILITY=y +CONFIG_ACPI_AC=y +CONFIG_ACPI_APEI=y +CONFIG_ACPI_APEI_GHES=y +CONFIG_ACPI_APEI_MEMORY_FAILURE=y +CONFIG_ACPI_APEI_PCIEAER=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BGRT=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_CPPC_LIB=y +CONFIG_ACPI_DEBUG=y +CONFIG_ACPI_DEBUGGER=y +CONFIG_ACPI_DEBUGGER_USER=y +CONFIG_ACPI_DOCK=y +CONFIG_ACPI_DPTF=y +CONFIG_ACPI_EC=y +CONFIG_ACPI_FAN=y +CONFIG_ACPI_FFH=y +CONFIG_ACPI_FPDT=y +CONFIG_ACPI_HED=y +CONFIG_ACPI_HMAT=y +CONFIG_ACPI_HOTPLUG_MEMORY=y +CONFIG_ACPI_I2C_OPREGION=y +CONFIG_ACPI_MADT_WAKEUP=y +CONFIG_ACPI_MDIO=y +CONFIG_ACPI_NUMA=y +CONFIG_ACPI_PCC=y +CONFIG_ACPI_PCI_SLOT=y +CONFIG_ACPI_PRMT=y +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +CONFIG_ACPI_SLEEP=y +CONFIG_ACPI_SPCR_TABLE=y +CONFIG_ACPI_TABLE_UPGRADE=y +CONFIG_ACPI_THERMAL=y +CONFIG_ACPI_THERMAL_LIB=y +CONFIG_ACPI_VIOT=y +CONFIG_ACRN_GUEST=y +CONFIG_AGP_AMD64=y +CONFIG_AGP_VIA=y +CONFIG_AIX_PARTITION=y +CONFIG_AMD_IOMMU=y +CONFIG_AMD_MEM_ENCRYPT=y +CONFIG_AMD_NUMA=y +CONFIG_AMD_WBRF=y +CONFIG_AMIGA_PARTITION=y +CONFIG_ANON_VMA_NAME=y +CONFIG_APPLE_PROPERTIES=y +CONFIG_ARCH_DEFAULT_CRASH_DUMP=y +CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y +CONFIG_ARCH_ENABLE_THP_MIGRATION=y +CONFIG_ARCH_HAS_CPU_PASID=y +CONFIG_ARCH_HAS_DMA_OPS=y +CONFIG_ARCH_HAS_EARLY_DEBUG=y +CONFIG_ARCH_HAS_GENERIC_CRASHKERNEL_RESERVATION=y +CONFIG_ARCH_HAS_HW_PTE_YOUNG=y +CONFIG_ARCH_HAS_KERNEL_FPU_SUPPORT=y +CONFIG_ARCH_HAS_PKEYS=y +CONFIG_ARCH_HAS_PREEMPT_LAZY=y +CONFIG_ARCH_HAS_UBSAN=y +CONFIG_ARCH_HAS_USER_SHADOW_STACK=y +CONFIG_ARCH_HAS_ZONE_DMA_SET=y +CONFIG_ARCH_HAVE_EXTRA_ELF_NOTES=y +CONFIG_ARCH_HIBERNATION_HEADER=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_SELECTS_KEXEC_FILE=y +CONFIG_ARCH_SUPPORTS_AUTOFDO_CLANG=y +CONFIG_ARCH_SUPPORTS_HUGE_PFNMAP=y +CONFIG_ARCH_SUPPORTS_PMD_PFNMAP=y +CONFIG_ARCH_SUPPORTS_PROPELLER_CLANG=y +CONFIG_ARCH_SUPPORTS_PUD_PFNMAP=y +CONFIG_ARCH_SUPPORTS_RT=y +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y 
+CONFIG_ARCH_USES_PG_ARCH_2=y +CONFIG_ARCH_WANT_PMD_MKWRITE=y +CONFIG_ASM_MODVERSIONS=y +CONFIG_ASN1_ENCODER=y +CONFIG_ASYNC_TX_DMA=y +CONFIG_AS_HAS_NON_CONST_ULEB128=y +CONFIG_AS_VAES=y +CONFIG_AS_VPCLMULQDQ=y +CONFIG_ATARI_PARTITION=y +CONFIG_ATA_GENERIC=y +CONFIG_ATA_VERBOSE_ERROR=y +CONFIG_AUDIT=y +CONFIG_AUDITSYSCALL=y +CONFIG_AUXDISPLAY=y +CONFIG_BACKLIGHT_CLASS_DEVICE=y +CONFIG_BALLOON_COMPACTION=y +CONFIG_BATTERY_SAMSUNG_SDI=y +CONFIG_BCM84881_PHY=y +CONFIG_BLK_CGROUP_IOPRIO=y +CONFIG_BLK_DEBUG_FS=y +CONFIG_BLK_DEV_BSG=y +CONFIG_BLK_DEV_INTEGRITY=y +CONFIG_BLK_DEV_IO_TRACE=y +CONFIG_BLK_DEV_MD=y +CONFIG_BLK_DEV_WRITE_MOUNTED=y +CONFIG_BLK_DEV_ZONED=y +CONFIG_BLK_INLINE_ENCRYPTION=y +CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y +CONFIG_BLK_SED_OPAL=y +CONFIG_BLK_WBT=y +CONFIG_BLK_WBT_MQ=y +CONFIG_BLOCK_LEGACY_AUTOLOAD=y +CONFIG_BOOTTIME_TRACING=y +CONFIG_BOOT_CONFIG=y +CONFIG_BOOT_PRINTK_DELAY=y +CONFIG_BPF_EVENTS=y +CONFIG_BPF_JIT_ALWAYS_ON=y +CONFIG_BPF_KPROBE_OVERRIDE=y +CONFIG_BPF_LSM=y +CONFIG_BPF_STREAM_PARSER=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y +CONFIG_BRANCH_PROFILE_NONE=y +CONFIG_BSD_DISKLABEL=y +CONFIG_BTT=y +CONFIG_BUILDTIME_MCOUNT_SORT=y +CONFIG_BUILTIN_MODULE_RANGES=y +CONFIG_BYTCRC_PMIC_OPREGION=y +CONFIG_CALL_PADDING=y +CONFIG_CALL_THUNKS=y +CONFIG_CC_CAN_LINK=y +CONFIG_CC_CAN_LINK_STATIC=y +CONFIG_CC_HAS_COUNTED_BY=y +CONFIG_CC_HAS_KASAN_SW_TAGS=y +CONFIG_CC_HAS_MIN_FUNCTION_ALIGNMENT=y +CONFIG_CC_HAS_NAMED_AS=y +CONFIG_CC_HAS_NAMED_AS_FIXED_SANITIZERS=y +CONFIG_CC_HAS_SANE_FUNCTION_ALIGNMENT=y +CONFIG_CC_HAS_UBSAN_BOUNDS_STRICT=y +CONFIG_CC_NO_STRINGOP_OVERFLOW=y +CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y +CONFIG_CFS_BANDWIDTH=y +CONFIG_CGROUP_HUGETLB=y +CONFIG_CHARGER_MANAGER=y +CONFIG_CHARLCD_BL_FLASH=y +CONFIG_CHROME_PLATFORMS=y +CONFIG_CHR_DEV_SG=y +CONFIG_CHTCRC_PMIC_OPREGION=y +CONFIG_CHT_WC_PMIC_OPREGION=y +CONFIG_CMDLINE_PARTITION=y +CONFIG_COMPACTION=y +CONFIG_COMPAT_32BIT_TIME=y +CONFIG_CONFIGFS_FS=y +CONFIG_CONSOLE_POLL=y 
+CONFIG_CONTEXT_SWITCH_TRACER=y +CONFIG_CONTEXT_TRACKING_USER=y +CONFIG_CONTIG_ALLOC=y +CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y +CONFIG_CPUMASK_OFFSTACK=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_IDLE_GOV_HALTPOLL=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_TEO=y +CONFIG_CPU_ISOLATION=y +CONFIG_CPU_MITIGATIONS=y +CONFIG_CRASH_DUMP=y +CONFIG_CRASH_HOTPLUG=y +CONFIG_CRASH_RESERVE=y +CONFIG_CRC64=y +CONFIG_CRC64_ROCKSOFT=y +CONFIG_CRC_CCITT=y +CONFIG_CRC_T10DIF=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y +CONFIG_CRYPTO_BLAKE2S_X86=y +CONFIG_CRYPTO_CRC64_ROCKSOFT=y +CONFIG_CRYPTO_CRCT10DIF=y +CONFIG_CRYPTO_CTR=y +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_DEV_CCP=y +CONFIG_CRYPTO_DEV_PADLOCK=y +CONFIG_CRYPTO_DH=y +CONFIG_CRYPTO_DH_RFC7919_GROUPS=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_GENIV=y +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_HW=y +CONFIG_CRYPTO_KDF800108_CTR=y +CONFIG_CRYPTO_LIB_GF128MUL=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_SHA1=y +CONFIG_DAX=y +CONFIG_DA_MON_EVENTS=y +CONFIG_DA_MON_EVENTS_ID=y +CONFIG_DCB=y +CONFIG_DEBUG_FS=y +CONFIG_DEBUG_FS_ALLOW_ALL=y +CONFIG_DEBUG_INFO_BTF=y +CONFIG_DEBUG_INFO_BTF_MODULES=y +CONFIG_DEBUG_INFO_DWARF5=y +CONFIG_DEBUG_MISC=y +CONFIG_DEBUG_WX=y +CONFIG_DECOMPRESS_BZIP2=y +CONFIG_DECOMPRESS_LZ4=y +CONFIG_DECOMPRESS_LZMA=y +CONFIG_DECOMPRESS_LZO=y +CONFIG_DECOMPRESS_XZ=y +CONFIG_DECOMPRESS_ZSTD=y +CONFIG_DEFAULT_CUBIC=y +CONFIG_DEFAULT_SECURITY_APPARMOR=y +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEVFREQ_GOV_PASSIVE=y +CONFIG_DEVFREQ_GOV_PERFORMANCE=y +CONFIG_DEVFREQ_GOV_POWERSAVE=y +CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=y +CONFIG_DEVFREQ_GOV_USERSPACE=y +CONFIG_DEVFREQ_THERMAL=y +CONFIG_DEVICE_MIGRATION=y +CONFIG_DEVICE_PRIVATE=y +CONFIG_DEVMEM=y +CONFIG_DEVPORT=y +CONFIG_DEVTMPFS_SAFE=y 
+CONFIG_DEV_COREDUMP=y +CONFIG_DMABUF_HEAPS=y +CONFIG_DMABUF_HEAPS_SYSTEM=y +CONFIG_DMABUF_MOVE_NOTIFY=y +CONFIG_DMADEVICES=y +CONFIG_DMAR_TABLE=y +CONFIG_DMA_ACPI=y +CONFIG_DMA_COHERENT_POOL=y +CONFIG_DMA_ENGINE=y +CONFIG_DMA_NEED_SYNC=y +CONFIG_DMA_OPS_HELPERS=y +CONFIG_DMA_VIRTUAL_CHANNELS=y +CONFIG_DMIID=y +CONFIG_DM_AUDIT=y +CONFIG_DM_INIT=y +CONFIG_DM_UEVENT=y +CONFIG_DRM_ACCEL=y +CONFIG_DRM_CLIENT=y +CONFIG_DRM_CLIENT_LIB=y +CONFIG_DRM_CLIENT_SELECTION=y +CONFIG_DRM_CLIENT_SETUP=y +CONFIG_DRM_FBDEV_EMULATION=y +CONFIG_DRM_LOAD_EDID_FIRMWARE=y +CONFIG_DRM_PANIC=y +CONFIG_DRM_SIMPLEDRM=y +CONFIG_DYNAMIC_DEBUG=y +CONFIG_DYNAMIC_DEBUG_CORE=y +CONFIG_DYNAMIC_EVENTS=y +CONFIG_DYNAMIC_FTRACE=y +CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y +CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y +CONFIG_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_DYNAMIC_MEMORY_LAYOUT=y +CONFIG_EARLY_PRINTK_DBGP=y +CONFIG_EARLY_PRINTK_USB=y +CONFIG_EARLY_PRINTK_USB_XDBC=y +CONFIG_ECRYPT_FS=y +CONFIG_ECRYPT_FS_MESSAGING=y +CONFIG_EDAC=y +CONFIG_EDAC_GHES=y +CONFIG_EDD=y +CONFIG_EDD_OFF=y +CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y +CONFIG_EFI_DEV_PATH_PARSER=y +CONFIG_EFI_DXE_MEM_ATTRIBUTES=y +CONFIG_EFI_HANDOVER_PROTOCOL=y +CONFIG_EFI_MIXED=y +CONFIG_EFI_RCI2_TABLE=y +CONFIG_EFI_RUNTIME_MAP=y +CONFIG_EFI_SOFT_RESERVE=y +CONFIG_ENCRYPTED_KEYS=y +CONFIG_ENERGY_MODEL=y +CONFIG_ETHTOOL_NETLINK=y +CONFIG_EVENT_TRACING=y +CONFIG_EVM=y +CONFIG_EVM_ADD_XATTRS=y +CONFIG_EVM_ATTR_FSUUID=y +CONFIG_EVM_EXTRA_SMACK_XATTRS=y +CONFIG_EXECMEM=y +CONFIG_EXPERT=y +CONFIG_EXPORTFS_BLOCK_OPS=y +CONFIG_EXT4_USE_FOR_EXT2=y +CONFIG_EXTCON=y +CONFIG_EXT_GROUP_SCHED=y +CONFIG_EZX_PCAP=y +CONFIG_FANOTIFY=y +CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y +CONFIG_FB_ASILIANT=y +CONFIG_FB_DEVICE=y +CONFIG_FB_IMSTT=y +CONFIG_FB_SYSMEM_FOPS=y +CONFIG_FB_SYSMEM_HELPERS=y +CONFIG_FB_SYSMEM_HELPERS_DEFERRED=y +CONFIG_FB_SYS_COPYAREA=y +CONFIG_FB_SYS_FILLRECT=y +CONFIG_FB_SYS_IMAGEBLIT=y +CONFIG_FB_TILEBLITTING=y +CONFIG_FDDI=y +CONFIG_FIRMWARE_EDID=y 
+CONFIG_FIRMWARE_TABLE=y +CONFIG_FIXED_PHY=y +CONFIG_FONTS=y +CONFIG_FONT_6x10=y +CONFIG_FONT_ACORN_8x8=y +CONFIG_FONT_TER16x32=y +CONFIG_FORTIFY_SOURCE=y +CONFIG_FPROBE=y +CONFIG_FPROBE_EVENTS=y +CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y +CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y +CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y +CONFIG_FS_DAX=y +CONFIG_FS_DAX_PMD=y +CONFIG_FS_ENCRYPTION=y +CONFIG_FS_ENCRYPTION_ALGS=y +CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y +CONFIG_FS_STACK=y +CONFIG_FS_VERITY=y +CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y +CONFIG_FTRACE=y +CONFIG_FTRACE_MCOUNT_RECORD=y +CONFIG_FTRACE_MCOUNT_USE_CC=y +CONFIG_FTRACE_SYSCALLS=y +CONFIG_FUNCTION_ERROR_INJECTION=y +CONFIG_FUNCTION_GRAPH_RETADDR=y +CONFIG_FUNCTION_GRAPH_RETVAL=y +CONFIG_FUNCTION_GRAPH_TRACER=y +CONFIG_FUNCTION_PROFILER=y +CONFIG_FUNCTION_TRACER=y +CONFIG_FUSE_PASSTHROUGH=y +CONFIG_FUSION=y +CONFIG_FUSION_LOGGING=y +CONFIG_FWNODE_MDIO=y +CONFIG_FW_CACHE=y +CONFIG_FW_LOADER_COMPRESS=y +CONFIG_FW_LOADER_COMPRESS_XZ=y +CONFIG_FW_LOADER_COMPRESS_ZSTD=y +CONFIG_FW_LOADER_DEBUG=y +CONFIG_FW_LOADER_PAGED_BUF=y +CONFIG_FW_LOADER_SYSFS=y +CONFIG_FW_LOADER_USER_HELPER=y +CONFIG_FW_UPLOAD=y +CONFIG_GART_IOMMU=y +CONFIG_GCC_NO_STRINGOP_OVERFLOW=y +CONFIG_GCC_PLUGINS=y +CONFIG_GDB_SCRIPTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST_IDLE=y +CONFIG_GENERIC_CPU=y +CONFIG_GENERIC_CPU_DEVICES=y +CONFIG_GENERIC_PHY=y +CONFIG_GENERIC_PINCONF=y +CONFIG_GENERIC_TRACER=y +CONFIG_GENERIC_VDSO_OVERFLOW_PROTECT=y +CONFIG_GET_FREE_REGION=y +CONFIG_GPIOLIB=y +CONFIG_GPIOLIB_IRQCHIP=y +CONFIG_GPIO_ACPI=y +CONFIG_GPIO_CDEV=y +CONFIG_GPIO_CDEV_V1=y +CONFIG_GPIO_CRYSTAL_COVE=y +CONFIG_GPIO_GENERIC=y +CONFIG_GPIO_GENERIC_PLATFORM=y +CONFIG_GPIO_PALMAS=y +CONFIG_GPIO_RC5T583=y +CONFIG_GPIO_SYSFS=y +CONFIG_GPIO_TPS6586X=y +CONFIG_GPIO_TPS65910=y +CONFIG_GROUP_SCHED_WEIGHT=y +CONFIG_GUEST_PERF_EVENTS=y +CONFIG_HAMRADIO=y +CONFIG_HARDENED_USERCOPY=y +CONFIG_HARDLOCKUP_DETECTOR=y +CONFIG_HARDLOCKUP_DETECTOR_COUNTS_HRTIMER=y 
+CONFIG_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_ARCH_NODE_DEV_GROUP=y +CONFIG_HAVE_ARCH_USERFAULTFD_MINOR=y +CONFIG_HAVE_ARCH_USERFAULTFD_WP=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_HAVE_CALL_THUNKS=y +CONFIG_HAVE_FUNCTION_GRAPH_RETVAL=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_GUP_FAST=y +CONFIG_HAVE_IMA_KEXEC=y +CONFIG_HAVE_INTEL_TXT=y +CONFIG_HAVE_PAGE_SIZE_4KB=y +CONFIG_HAVE_RELIABLE_STACKTRACE=y +CONFIG_HAVE_TRUSTED_KEYS=y +CONFIG_HIBERNATE_CALLBACKS=y +CONFIG_HIBERNATION=y +CONFIG_HIBERNATION_COMP_LZO=y +CONFIG_HIBERNATION_SNAPSHOT_DEV=y +CONFIG_HID_PID=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_HIST_TRIGGERS=y +CONFIG_HMEM_REPORTING=y +CONFIG_HOTPLUG_PCI_ACPI=y +CONFIG_HOTPLUG_PCI_CPCI=y +CONFIG_HOTPLUG_PCI_OCTEONEP=y +CONFIG_HOTPLUG_PCI_PCIE=y +CONFIG_HOTPLUG_PCI_SHPC=y +CONFIG_HPET_MMAP_DEFAULT=y +CONFIG_HSU_DMA=y +CONFIG_HTE=y +CONFIG_HUGETLBFS=y +CONFIG_HUGETLB_PAGE=y +CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y +CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING=y +CONFIG_HVC_IRQ=y +CONFIG_HVC_XEN=y +CONFIG_HVC_XEN_FRONTEND=y +CONFIG_HWLAT_TRACER=y +CONFIG_HWMON=y +CONFIG_HWSPINLOCK=y +CONFIG_HW_RANDOM_TPM=y +CONFIG_I2C_CHARDEV=y +CONFIG_I2C_DESIGNWARE_BAYTRAIL=y +CONFIG_I2C_DESIGNWARE_CORE=y +CONFIG_I2C_DESIGNWARE_PLATFORM=y +CONFIG_I2C_SLAVE=y +CONFIG_IDLE_INJECT=y +CONFIG_IDLE_PAGE_TRACKING=y +CONFIG_IMA=y +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_APPRAISE_MODSIG=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_IMA_DEFAULT_HASH_SHA256=y +CONFIG_IMA_KEXEC=y +CONFIG_IMA_LSM_RULES=y +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y +CONFIG_IMA_NG_TEMPLATE=y +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y +CONFIG_INITRAMFS_PRESERVE_MTIME=y +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y +CONFIG_INPUT_JOYSTICK=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INTEGRITY=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_AUDIT=y +CONFIG_INTEGRITY_MACHINE_KEYRING=y +CONFIG_INTEGRITY_PLATFORM_KEYRING=y +CONFIG_INTEGRITY_SIGNATURE=y 
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y +CONFIG_INTEL_HFI_THERMAL=y +CONFIG_INTEL_IOMMU=y +CONFIG_INTEL_IOMMU_DEFAULT_ON=y +CONFIG_INTEL_IOMMU_FLOPPY_WA=y +CONFIG_INTEL_IOMMU_PERF_EVENTS=y +CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y +CONFIG_INTEL_IOMMU_SVM=y +CONFIG_INTEL_LDMA=y +CONFIG_INTEL_SCU=y +CONFIG_INTEL_SCU_IPC=y +CONFIG_INTEL_SCU_PCI=y +CONFIG_INTEL_SOC_PMIC=y +CONFIG_INTEL_SOC_PMIC_CHTWC=y +CONFIG_INTEL_TURBO_MAX_3=y +CONFIG_INTEL_TXT=y +CONFIG_INTERCONNECT=y +CONFIG_IOMMU_HELPER=y +CONFIG_IOMMU_IOPF=y +CONFIG_IOMMU_IO_PGTABLE=y +CONFIG_IOMMU_MM_DATA=y +CONFIG_IOMMU_SVA=y +CONFIG_IOSF_MBI_DEBUG=y +CONFIG_IO_DELAY_0XED=y +CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING=y +CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING=y +CONFIG_IPE_PROP_FS_VERITY=y +CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y +CONFIG_IPV6_IOAM6_LWTUNNEL=y +CONFIG_IPV6_MROUTE=y +CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_PIMSM_V2=y +CONFIG_IPV6_ROUTER_PREF=y +CONFIG_IPV6_ROUTE_INFO=y +CONFIG_IPV6_SEG6_BPF=y +CONFIG_IPV6_SEG6_HMAC=y +CONFIG_IPV6_SEG6_LWTUNNEL=y +CONFIG_IPV6_SUBTREES=y +CONFIG_IP_FIB_TRIE_STATS=y +CONFIG_IP_MROUTE_MULTIPLE_TABLES=y +CONFIG_IRQ_POLL=y +CONFIG_ISA_BUS=y +CONFIG_JAILHOUSE_GUEST=y +CONFIG_JUMP_LABEL=y +CONFIG_KALLSYMS_ALL=y +CONFIG_KARMA_PARTITION=y +CONFIG_KDB_KEYBOARD=y +CONFIG_KEXEC=y +CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y +CONFIG_KEXEC_CORE=y +CONFIG_KEXEC_FILE=y +CONFIG_KEXEC_JUMP=y +CONFIG_KEXEC_SIG=y +CONFIG_KEYS_REQUEST_CACHE=y +CONFIG_KEY_DH_OPERATIONS=y +CONFIG_KEY_NOTIFICATIONS=y +CONFIG_KFENCE=y +CONFIG_KGDB=y +CONFIG_KGDB_HONOUR_BLOCKLIST=y +CONFIG_KGDB_KDB=y +CONFIG_KGDB_LOW_LEVEL_TRAP=y +CONFIG_KGDB_SERIAL_CONSOLE=y +CONFIG_KPROBES=y +CONFIG_KPROBES_ON_FTRACE=y +CONFIG_KPROBE_EVENTS=y +CONFIG_KRETPROBES=y +CONFIG_KRETPROBE_ON_RETHOOK=y +CONFIG_KSM=y +CONFIG_LATENCYTOP=y +CONFIG_LDISC_AUTOLOAD=y +CONFIG_LDM_PARTITION=y +CONFIG_LEDS_BRIGHTNESS_HW_CHANGED=y +CONFIG_LEDS_TRIGGER_CPU=y +CONFIG_LEDS_TRIGGER_DISK=y 
+CONFIG_LEDS_TRIGGER_PANIC=y +CONFIG_LED_TRIGGER_PHY=y +CONFIG_LEGACY_PTYS=y +CONFIG_LIBNVDIMM=y +CONFIG_LINEAR_RANGES=y +CONFIG_LIVEPATCH=y +CONFIG_LOAD_UEFI_KEYS=y +CONFIG_LOCKUP_DETECTOR=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y +CONFIG_LRU_GEN=y +CONFIG_LRU_GEN_ENABLED=y +CONFIG_LRU_GEN_WALKS_MMU=y +CONFIG_LWTUNNEL=y +CONFIG_LWTUNNEL_BPF=y +CONFIG_LZ4_DECOMPRESS=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_MACINTOSH_DRIVERS=y +CONFIG_MAC_PARTITION=y +CONFIG_MAGIC_SYSRQ_SERIAL=y +CONFIG_MAILBOX=y +CONFIG_MAXSMP=y +CONFIG_MCTP=y +CONFIG_MDIO_BUS=y +CONFIG_MDIO_DEVICE=y +CONFIG_MDIO_DEVRES=y +CONFIG_MD_AUTODETECT=y +CONFIG_MEDIA_CEC_SUPPORT=y +CONFIG_MEGARAID_NEWGEN=y +CONFIG_MELLANOX_PLATFORM=y +CONFIG_MEMORY=y +CONFIG_MEMORY_FAILURE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_MEMREGION=y +CONFIG_MEMTEST=y +CONFIG_MEM_SOFT_DIRTY=y +CONFIG_MFD_88PM860X=y +CONFIG_MFD_AAT2870_CORE=y +CONFIG_MFD_AS3711=y +CONFIG_MFD_CORE=y +CONFIG_MFD_DA9052_I2C=y +CONFIG_MFD_DA9052_SPI=y +CONFIG_MFD_DA9055=y +CONFIG_MFD_DA9063=y +CONFIG_MFD_LP8788=y +CONFIG_MFD_MAX14577=y +CONFIG_MFD_MAX77693=y +CONFIG_MFD_MAX77843=y +CONFIG_MFD_MAX8925=y +CONFIG_MFD_MAX8997=y +CONFIG_MFD_MAX8998=y +CONFIG_MFD_PALMAS=y +CONFIG_MFD_RC5T583=y +CONFIG_MFD_SYSCON=y +CONFIG_MFD_TPS65090=y +CONFIG_MFD_TPS6586X=y +CONFIG_MFD_TPS65910=y +CONFIG_MFD_TPS65912=y +CONFIG_MFD_TPS65912_I2C=y +CONFIG_MFD_TPS65912_SPI=y +CONFIG_MFD_TWL4030_AUDIO=y +CONFIG_MFD_WM831X=y +CONFIG_MFD_WM831X_I2C=y +CONFIG_MFD_WM831X_SPI=y +CONFIG_MFD_WM8350=y +CONFIG_MFD_WM8350_I2C=y +CONFIG_MFD_WM8400=y +CONFIG_MHP_MEMMAP_ON_MEMORY=y +CONFIG_MIGRATION=y +CONFIG_MINIX_SUBPARTITION=y +CONFIG_MISC_FILESYSTEMS=y +CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y +CONFIG_MITIGATION_IBPB_ENTRY=y +CONFIG_MITIGATION_IBRS_ENTRY=y +CONFIG_MITIGATION_L1TF=y +CONFIG_MITIGATION_MDS=y +CONFIG_MITIGATION_MMIO_STALE_DATA=y +CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y +CONFIG_MITIGATION_RETBLEED=y 
+CONFIG_MITIGATION_RETHUNK=y +CONFIG_MITIGATION_RETPOLINE=y +CONFIG_MITIGATION_RFDS=y +CONFIG_MITIGATION_SLS=y +CONFIG_MITIGATION_SPECTRE_BHI=y +CONFIG_MITIGATION_SPECTRE_V1=y +CONFIG_MITIGATION_SPECTRE_V2=y +CONFIG_MITIGATION_SRBDS=y +CONFIG_MITIGATION_SRSO=y +CONFIG_MITIGATION_SSB=y +CONFIG_MITIGATION_TAA=y +CONFIG_MITIGATION_UNRET_ENTRY=y +CONFIG_MMCONF_FAM10H=y +CONFIG_MMC_CRYPTO=y +CONFIG_MMIOTRACE=y +CONFIG_MMU_NOTIFIER=y +CONFIG_MODULE_COMPRESS=y +CONFIG_MODULE_COMPRESS_ZSTD=y +CONFIG_MODULE_DECOMPRESS=y +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_ALL=y +CONFIG_MODULE_SIG_FORMAT=y +CONFIG_MODULE_SIG_KEY_TYPE_RSA=y +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SRCVERSION_ALL=y +CONFIG_MODVERSIONS=y +CONFIG_MPTCP=y +CONFIG_MPTCP_IPV6=y +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MTRR_SANITIZER=y +CONFIG_NCSI_OEM_CMD_GET_MAC=y +CONFIG_ND_CLAIM=y +CONFIG_NEED_TASKS_RCU=y +CONFIG_NETFILTER_EGRESS=y +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_SKIP_EGRESS=y +CONFIG_NETKIT=y +CONFIG_NETLABEL=y +CONFIG_NETWORK_PHY_TIMESTAMPING=y +CONFIG_NETWORK_SECMARK=y +CONFIG_NET_CLS=y +CONFIG_NET_CLS_ACT=y +CONFIG_NET_DEVMEM=y +CONFIG_NET_DROP_MONITOR=y +CONFIG_NET_EMATCH=y +CONFIG_NET_FC=y +CONFIG_NET_L3_MASTER_DEV=y +CONFIG_NET_NCSI=y +CONFIG_NET_PTP_CLASSIFY=y +CONFIG_NET_SCHED=y +CONFIG_NET_SCH_FIFO=y +CONFIG_NET_SELFTESTS=y +CONFIG_NET_SWITCHDEV=y +CONFIG_NET_TC_SKB_EXT=y +CONFIG_NET_TULIP=y +CONFIG_NET_VENDOR_8390=y +CONFIG_NET_VENDOR_ADAPTEC=y +CONFIG_NET_VENDOR_ADI=y +CONFIG_NET_VENDOR_AGERE=y +CONFIG_NET_VENDOR_ALACRITECH=y +CONFIG_NET_VENDOR_ALTEON=y +CONFIG_NET_VENDOR_AMAZON=y +CONFIG_NET_VENDOR_AQUANTIA=y +CONFIG_NET_VENDOR_ARC=y +CONFIG_NET_VENDOR_ASIX=y +CONFIG_NET_VENDOR_BROCADE=y +CONFIG_NET_VENDOR_CADENCE=y +CONFIG_NET_VENDOR_CAVIUM=y +CONFIG_NET_VENDOR_CHELSIO=y +CONFIG_NET_VENDOR_CISCO=y +CONFIG_NET_VENDOR_CORTINA=y +CONFIG_NET_VENDOR_DAVICOM=y +CONFIG_NET_VENDOR_DEC=y +CONFIG_NET_VENDOR_EMULEX=y +CONFIG_NET_VENDOR_ENGLEDER=y +CONFIG_NET_VENDOR_EZCHIP=y 
+CONFIG_NET_VENDOR_FUNGIBLE=y +CONFIG_NET_VENDOR_HUAWEI=y +CONFIG_NET_VENDOR_I825XX=y +CONFIG_NET_VENDOR_LITEX=y +CONFIG_NET_VENDOR_MELLANOX=y +CONFIG_NET_VENDOR_META=y +CONFIG_NET_VENDOR_MICREL=y +CONFIG_NET_VENDOR_MICROCHIP=y +CONFIG_NET_VENDOR_MICROSEMI=y +CONFIG_NET_VENDOR_MICROSOFT=y +CONFIG_NET_VENDOR_MYRI=y +CONFIG_NET_VENDOR_NATSEMI=y +CONFIG_NET_VENDOR_NETERION=y +CONFIG_NET_VENDOR_NETRONOME=y +CONFIG_NET_VENDOR_NI=y +CONFIG_NET_VENDOR_NVIDIA=y +CONFIG_NET_VENDOR_OKI=y +CONFIG_NET_VENDOR_PACKET_ENGINES=y +CONFIG_NET_VENDOR_PENSANDO=y +CONFIG_NET_VENDOR_QLOGIC=y +CONFIG_NET_VENDOR_QUALCOMM=y +CONFIG_NET_VENDOR_RDC=y +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +CONFIG_NET_VENDOR_SIS=y +CONFIG_NET_VENDOR_SMSC=y +CONFIG_NET_VENDOR_SOCIONEXT=y +CONFIG_NET_VENDOR_SOLARFLARE=y +CONFIG_NET_VENDOR_STMICRO=y +CONFIG_NET_VENDOR_SUN=y +CONFIG_NET_VENDOR_SYNOPSYS=y +CONFIG_NET_VENDOR_TEHUTI=y +CONFIG_NET_VENDOR_TI=y +CONFIG_NET_VENDOR_VERTEXCOM=y +CONFIG_NET_VENDOR_VIA=y +CONFIG_NET_VENDOR_WANGXUN=y +CONFIG_NET_VENDOR_WIZNET=y +CONFIG_NET_VENDOR_XILINX=y +CONFIG_NMI_CHECK_CPU=y +CONFIG_NOP_TRACER=y +CONFIG_NO_HZ_FULL=y +CONFIG_NUMA=y +CONFIG_NUMA_BALANCING=y +CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y +CONFIG_NUMA_KEEP_MEMINFO=y +CONFIG_NUMA_MEMBLKS=y +CONFIG_NVDIMM_DAX=y +CONFIG_NVDIMM_KEYS=y +CONFIG_NVDIMM_PFN=y +CONFIG_OPTPROBES=y +CONFIG_OSF_PARTITION=y +CONFIG_OSNOISE_TRACER=y +CONFIG_PACKING=y +CONFIG_PADATA=y +CONFIG_PAGE_IDLE_FLAG=y +CONFIG_PAGE_POISONING=y +CONFIG_PAGE_POOL_STATS=y +CONFIG_PAGE_SIZE_4KB=y +CONFIG_PARAVIRT_XXL=y +CONFIG_PATA_SIS=y +CONFIG_PC104=y +CONFIG_PCC=y +CONFIG_PCIEAER=y +CONFIG_PCIE_BUS_DEFAULT=y +CONFIG_PCIE_DPC=y +CONFIG_PCIE_DW=y +CONFIG_PCIE_DW_EP=y +CONFIG_PCIE_DW_HOST=y +CONFIG_PCIE_DW_PLAT=y +CONFIG_PCIE_DW_PLAT_EP=y +CONFIG_PCIE_DW_PLAT_HOST=y +CONFIG_PCIE_EDR=y +CONFIG_PCIE_PTM=y +CONFIG_PCIE_THERMAL=y +CONFIG_PCIE_TPH=y 
+CONFIG_PCI_ENDPOINT=y +CONFIG_PCI_ENDPOINT_CONFIGFS=y +CONFIG_PCI_MMCONFIG=y +CONFIG_PCI_NPEM=y +CONFIG_PCI_P2PDMA=y +CONFIG_PCI_PASID=y +CONFIG_PCI_PRI=y +CONFIG_PCI_REALLOC_ENABLE_AUTO=y +CONFIG_PCI_XEN=y +CONFIG_PCPU_DEV_REFCNT=y +CONFIG_PERF_EVENTS_AMD_BRS=y +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERSISTENT_KEYRINGS=y +CONFIG_PGTABLE_HAS_HUGE_LEAVES=y +CONFIG_PHYLIB=y +CONFIG_PINCONF=y +CONFIG_PINCTRL_AMD=y +CONFIG_PINCTRL_BAYTRAIL=y +CONFIG_PINCTRL_CHERRYVIEW=y +CONFIG_PINCTRL_INTEL=y +CONFIG_PINCTRL_SX150X=y +CONFIG_PINMUX=y +CONFIG_PMIC_ADP5520=y +CONFIG_PMIC_DA903X=y +CONFIG_PMIC_DA9052=y +CONFIG_PMIC_OPREGION=y +CONFIG_PM_DEVFREQ=y +CONFIG_PM_DEVFREQ_EVENT=y +CONFIG_PM_OPP=y +CONFIG_PM_SLEEP=y +CONFIG_PM_SLEEP_DEBUG=y +CONFIG_PM_SLEEP_SMP=y +CONFIG_PM_TRACE=y +CONFIG_PM_TRACE_RTC=y +CONFIG_PM_WAKELOCKS=y +CONFIG_PM_WAKELOCKS_GC=y +CONFIG_POWERCAP=y +CONFIG_POWER_RESET=y +CONFIG_POWER_RESET_RESTART=y +CONFIG_POWER_SUPPLY_HWMON=y +CONFIG_PPP=y +CONFIG_PPP_FILTER=y +CONFIG_PPP_MULTILINK=y +CONFIG_PPS=y +CONFIG_PREEMPT_DYNAMIC=y +CONFIG_PREEMPT_VOLUNTARY=y +CONFIG_PREFIX_SYMBOLS=y +CONFIG_PROBE_EVENTS=y +CONFIG_PROBE_EVENTS_BTF_ARGS=y +CONFIG_PROCESSOR_SELECT=y +CONFIG_PROC_CPU_RESCTRL=y +CONFIG_PROC_EVENTS=y +CONFIG_PROC_MEM_ALWAYS_FORCE=y +CONFIG_PROC_VMCORE=y +CONFIG_PROC_VMCORE_DEVICE_DUMP=y +CONFIG_PROFILING=y +CONFIG_PSE_CONTROLLER=y +CONFIG_PSI=y +CONFIG_PSTORE=y +CONFIG_PSTORE_COMPRESS=y +CONFIG_PTDUMP_CORE=y +CONFIG_PTE_MARKER_UFFD_WP=y +CONFIG_PTP_1588_CLOCK=y +CONFIG_PVH=y +CONFIG_PVPANIC=y +CONFIG_PWM=y +CONFIG_PWM_CRC=y +CONFIG_PWM_LPSS=y +CONFIG_PWM_LPSS_PCI=y +CONFIG_PWM_LPSS_PLATFORM=y +CONFIG_QUOTA=y +CONFIG_QUOTACTL=y +CONFIG_QUOTA_NETLINK_INTERFACE=y +CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y +CONFIG_RANDOMIZE_MEMORY=y +CONFIG_RANDOM_KMALLOC_CACHES=y +CONFIG_RAPIDIO=y +CONFIG_RAPIDIO_DMA_ENGINE=y +CONFIG_RAS=y +CONFIG_RAS_CEC=y +CONFIG_RCU_CPU_STALL_CPUTIME=y +CONFIG_RCU_LAZY=y +CONFIG_RCU_LAZY_DEFAULT_OFF=y 
+CONFIG_RCU_NOCB_CPU=y +CONFIG_RD_BZIP2=y +CONFIG_RD_LZ4=y +CONFIG_RD_LZMA=y +CONFIG_RD_LZO=y +CONFIG_RD_XZ=y +CONFIG_REGMAP_I2C=y +CONFIG_REGMAP_IRQ=y +CONFIG_REGMAP_MMIO=y +CONFIG_REGMAP_SPI=y +CONFIG_REGULATOR=y +CONFIG_REGULATOR_NETLINK_EVENTS=y +CONFIG_REMOTEPROC=y +CONFIG_REMOTEPROC_CDEV=y +CONFIG_RESET_ATTACK_MITIGATION=y +CONFIG_RESET_CONTROLLER=y +CONFIG_RESET_SIMPLE=y +CONFIG_RETHOOK=y +CONFIG_RFKILL=y +CONFIG_RFKILL_INPUT=y +CONFIG_RFKILL_LEDS=y +CONFIG_RING_BUFFER=y +CONFIG_RTC_HCTOSYS=y +CONFIG_RTC_INTF_DEV=y +CONFIG_RTC_INTF_PROC=y +CONFIG_RTC_INTF_SYSFS=y +CONFIG_RTC_NVMEM=y +CONFIG_RTC_SYSTOHC=y +CONFIG_RUNTIME_TESTING_MENU=y +CONFIG_RV=y +CONFIG_RV_MON_WWNR=y +CONFIG_RV_REACTORS=y +CONFIG_RV_REACT_PANIC=y +CONFIG_RV_REACT_PRINTK=y +CONFIG_SAMPLES=y +CONFIG_SATA_PMP=y +CONFIG_SATA_ZPODD=y +CONFIG_SCHEDSTATS=y +CONFIG_SCHED_AUTOGROUP=y +CONFIG_SCHED_CLASS_EXT=y +CONFIG_SCHED_CLUSTER=y +CONFIG_SCHED_CORE=y +CONFIG_SCHED_DEBUG=y +CONFIG_SCHED_HRTICK=y +CONFIG_SCHED_INFO=y +CONFIG_SCHED_MC=y +CONFIG_SCHED_MC_PRIO=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_SCHED_STACK_END_CHECK=y +CONFIG_SCHED_TRACER=y +CONFIG_SCREEN_INFO=y +CONFIG_SCSI_CONSTANTS=y +CONFIG_SCSI_DH=y +CONFIG_SCSI_LOGGING=y +CONFIG_SCSI_PROC_FS=y +CONFIG_SCSI_SCAN_ASYNC=y +CONFIG_SECONDARY_TRUSTED_KEYRING=y +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_SECURITY=y +CONFIG_SECURITY_APPARMOR=y +CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y +CONFIG_SECURITY_APPARMOR_HASH=y +CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y +CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y +CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y +CONFIG_SECURITY_DMESG_RESTRICT=y +CONFIG_SECURITY_IPE=y +CONFIG_SECURITY_LANDLOCK=y +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_PATH=y +CONFIG_SECURITY_SAFESETID=y +CONFIG_SECURITY_SELINUX=y +CONFIG_SECURITY_SELINUX_AVC_STATS=y +CONFIG_SECURITY_SELINUX_BOOTPARAM=y +CONFIG_SECURITY_SELINUX_DEVELOP=y +CONFIG_SECURITY_SMACK=y 
+CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y +CONFIG_SECURITY_SMACK_NETFILTER=y +CONFIG_SECURITY_TOMOYO=y +CONFIG_SECURITY_YAMA=y +CONFIG_SERIAL_8250_16550A_VARIANTS=y +CONFIG_SERIAL_8250_DMA=y +CONFIG_SERIAL_8250_EXTENDED=y +CONFIG_SERIAL_8250_FINTEK=y +CONFIG_SERIAL_8250_MANY_PORTS=y +CONFIG_SERIAL_8250_MID=y +CONFIG_SERIAL_8250_RSA=y +CONFIG_SERIAL_8250_RT288X=y +CONFIG_SERIAL_8250_SHARE_IRQ=y +CONFIG_SERIAL_DEV_BUS=y +CONFIG_SERIAL_DEV_CTRL_TTYPORT=y +CONFIG_SERIAL_KGDB_NMI=y +CONFIG_SERIAL_MAX310X=y +CONFIG_SERIAL_MCTRL_GPIO=y +CONFIG_SERIAL_NONSTANDARD=y +CONFIG_SERIAL_SCCNXP=y +CONFIG_SERIAL_SCCNXP_CONSOLE=y +CONFIG_SGI_PARTITION=y +CONFIG_SHUFFLE_PAGE_ALLOCATOR=y +CONFIG_SIGNATURE=y +CONFIG_SIGNED_PE_FILE_VERIFICATION=y +CONFIG_SLAB_BUCKETS=y +CONFIG_SLAB_FREELIST_HARDENED=y +CONFIG_SLAB_FREELIST_RANDOM=y +CONFIG_SLAB_MERGE_DEFAULT=y +CONFIG_SLAB_OBJ_EXT=y +CONFIG_SLHC=y +CONFIG_SLUB_CPU_PARTIAL=y +CONFIG_SOC_TI=y +CONFIG_SOFTLOCKUP_DETECTOR=y +CONFIG_SOLARIS_X86_PARTITION=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_SPI=y +CONFIG_SPI_DYNAMIC=y +CONFIG_SPI_MASTER=y +CONFIG_SPI_MEM=y +CONFIG_SPI_SLAVE=y +CONFIG_SPLIT_PMD_PTLOCKS=y +CONFIG_SPLIT_PTE_PTLOCKS=y +CONFIG_SQUASHFS=y +CONFIG_SQUASHFS_CHOICE_DECOMP_BY_MOUNT=y +CONFIG_SQUASHFS_DECOMP_MULTI=y +CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU=y +CONFIG_SQUASHFS_DECOMP_SINGLE=y +CONFIG_SQUASHFS_FILE_DIRECT=y +CONFIG_SQUASHFS_LZ4=y +CONFIG_SQUASHFS_LZO=y +CONFIG_SQUASHFS_MOUNT_DECOMP_THREADS=y +CONFIG_SQUASHFS_XATTR=y +CONFIG_SQUASHFS_XZ=y +CONFIG_SQUASHFS_ZLIB=y +CONFIG_SQUASHFS_ZSTD=y +CONFIG_SRAM=y +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y +CONFIG_STACK_TRACER=y +CONFIG_STACK_VALIDATION=y +CONFIG_STAGING=y +CONFIG_STAGING_MEDIA=y +CONFIG_STREAM_PARSER=y +CONFIG_STRICT_DEVMEM=y +CONFIG_SUN_PARTITION=y +CONFIG_SURFACE_PLATFORMS=y +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +CONFIG_SWIOTLB_DYNAMIC=y +CONFIG_SWIOTLB_XEN=y +CONFIG_SW_SYNC=y +CONFIG_SYMBOLIC_ERRNAME=y +CONFIG_SYNTH_EVENTS=y +CONFIG_SYSFB_SIMPLEFB=y 
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_EXTRA_CERTIFICATE=y +CONFIG_SYSTEM_REVOCATION_LIST=y +CONFIG_SYSV68_PARTITION=y +CONFIG_SYS_HYPERVISOR=y +CONFIG_TASKSTATS=y +CONFIG_TASKS_RUDE_RCU=y +CONFIG_TASK_DELAY_ACCT=y +CONFIG_TASK_IO_ACCOUNTING=y +CONFIG_TASK_XACCT=y +CONFIG_TCP_AO=y +CONFIG_TCP_CONG_ADVANCED=y +CONFIG_TCP_MD5SIG=y +CONFIG_TCP_SIGPOOL=y +CONFIG_THERMAL_EMULATION=y +CONFIG_THERMAL_GOV_BANG_BANG=y +CONFIG_THERMAL_GOV_FAIR_SHARE=y +CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y +CONFIG_THERMAL_GOV_USER_SPACE=y +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_NETLINK=y +CONFIG_THERMAL_STATISTICS=y +CONFIG_THP_SWAP=y +CONFIG_TIMERLAT_TRACER=y +CONFIG_TMPFS_INODE64=y +CONFIG_TMPFS_POSIX_ACL=y +CONFIG_TMPFS_QUOTA=y +CONFIG_TOUCHSCREEN_ELAN=y +CONFIG_TRACEPOINTS=y +CONFIG_TRACER_MAX_TRACE=y +CONFIG_TRACER_SNAPSHOT=y +CONFIG_TRACE_CLOCK=y +CONFIG_TRACE_EVENT_INJECT=y +CONFIG_TRACING=y +CONFIG_TRACING_MAP=y +CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y +CONFIG_TRUSTED_KEYS=y +CONFIG_TRUSTED_KEYS_TPM=y +CONFIG_TTY_PRINTK=y +CONFIG_TWL4030_CORE=y +CONFIG_TWL6040_CORE=y +CONFIG_UBSAN=y +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS_STRICT=y +CONFIG_UBSAN_ENUM=y +CONFIG_UBSAN_SHIFT=y +CONFIG_UBSAN_SIGNED_WRAP=y +CONFIG_UCLAMP_TASK=y +CONFIG_UCLAMP_TASK_GROUP=y +CONFIG_UDMABUF=y +CONFIG_UEFI_CPER=y +CONFIG_UEFI_CPER_X86=y +CONFIG_UEVENT_HELPER=y +CONFIG_ULTRIX_PARTITION=y +CONFIG_UNICODE=y +CONFIG_UNION_FIND=y +CONFIG_UNIXWARE_DISKLABEL=y +CONFIG_UPROBES=y +CONFIG_UPROBE_EVENTS=y +CONFIG_USB_ANNOUNCE_NEW_DEVICES=y +CONFIG_USB_DEFAULT_PERSIST=y +CONFIG_USB_DWC2=y +CONFIG_USB_DWC2_HOST=y +CONFIG_USB_DYNAMIC_MINORS=y +CONFIG_USB_EHCI_HCD_PLATFORM=y +CONFIG_USB_EHCI_PCI=y +CONFIG_USB_EHCI_TT_NEWSCHED=y +CONFIG_USB_LED_TRIG=y +CONFIG_USB_OHCI_HCD_PCI=y +CONFIG_USB_OHCI_HCD_PLATFORM=y +CONFIG_USB_PCI=y +CONFIG_USB_PCI_AMD=y +CONFIG_USB_ROLE_SWITCH=y +CONFIG_USB_UHCI_HCD=y +CONFIG_USB_XHCI_DBGCAP=y +CONFIG_USB_XHCI_PCI=y +CONFIG_USELIB=y 
+CONFIG_USERFAULTFD=y +CONFIG_USER_DECRYPTED_DATA=y +CONFIG_USER_EVENTS=y +CONFIG_USE_PERCPU_NUMA_NODE_ID=y +CONFIG_USE_X86_SEG_SUPPORT=y +CONFIG_VALIDATE_FS_PARSER=y +CONFIG_VCAP=y +CONFIG_VDSO_GETRANDOM=y +CONFIG_VGA_SWITCHEROO=y +CONFIG_VHOST_MENU=y +CONFIG_VIDEO=y +CONFIG_VIRTIO_IOMMU=y +CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y +CONFIG_VIRTIO_PCI_ADMIN_LEGACY=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_PCI_LIB_LEGACY=y +CONFIG_VIRTUALIZATION=y +CONFIG_VIRT_CPU_ACCOUNTING=y +CONFIG_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_VMAP_STACK=y +CONFIG_VMCORE_INFO=y +CONFIG_VME_BUS=y +CONFIG_VMLINUX_MAP=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_WAN=y +CONFIG_WANT_DEV_COREDUMP=y +CONFIG_WATCHDOG_CORE=y +CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y +CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP=y +CONFIG_WATCHDOG_PRETIMEOUT_GOV=y +CONFIG_WATCHDOG_PRETIMEOUT_GOV_NOOP=y +CONFIG_WATCHDOG_SYSFS=y +CONFIG_WATCH_QUEUE=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_MICROCHIP=y +CONFIG_WLAN_VENDOR_PURELIFI=y +CONFIG_WLAN_VENDOR_QUANTENNA=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_SILABS=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WQ_CPU_INTENSIVE_REPORT=y +CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y +CONFIG_X86_5LEVEL=y +CONFIG_X86_64_ACPI_NUMA=y +CONFIG_X86_ACPI_CPUFREQ_CPB=y +CONFIG_X86_AMD_PSTATE=y +CONFIG_X86_BUS_LOCK_DETECT=y +CONFIG_X86_CET=y +CONFIG_X86_CPU_RESCTRL=y +CONFIG_X86_DEBUG_FPU=y +CONFIG_X86_FRED=y +CONFIG_X86_HAVE_PAE=y +CONFIG_X86_INTEL_LPSS=y +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +CONFIG_X86_IOPL_IOPERM=y +CONFIG_X86_MCELOG_LEGACY=y +CONFIG_X86_MPPARSE=y +CONFIG_X86_NEED_RELOCS=y +CONFIG_X86_NUMACHIP=y +CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_PLATFORM_DRIVERS_DELL=y +CONFIG_X86_PLATFORM_DRIVERS_HP=y 
+CONFIG_X86_PMEM_LEGACY=y +CONFIG_X86_PMEM_LEGACY_DEVICE=y +CONFIG_X86_POWERNOW_K8=y +CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y +CONFIG_X86_SGX=y +CONFIG_X86_SPEEDSTEP_CENTRINO=y +CONFIG_X86_USER_SHADOW_STACK=y +CONFIG_X86_UV=y +CONFIG_XARRAY_MULTI=y +CONFIG_XDP_SOCKETS=y +CONFIG_XEN=y +CONFIG_XEN_512GB=y +CONFIG_XEN_ACPI=y +CONFIG_XEN_ACPI_PROCESSOR=y +CONFIG_XEN_AUTO_XLATE=y +CONFIG_XEN_BACKEND=y +CONFIG_XEN_BALLOON=y +CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y +CONFIG_XEN_BLKDEV_FRONTEND=y +CONFIG_XEN_DOM0=y +CONFIG_XEN_EFI=y +CONFIG_XEN_GRANT_DMA_ALLOC=y +CONFIG_XEN_GRANT_DMA_OPS=y +CONFIG_XEN_HAVE_PVMMU=y +CONFIG_XEN_HAVE_VPMU=y +CONFIG_XEN_MCE_LOG=y +CONFIG_XEN_NETDEV_FRONTEND=y +CONFIG_XEN_PV=y +CONFIG_XEN_PVH=y +CONFIG_XEN_PVHVM=y +CONFIG_XEN_PVHVM_GUEST=y +CONFIG_XEN_PVHVM_SMP=y +CONFIG_XEN_PV_DOM0=y +CONFIG_XEN_PV_MSR_SAFE=y +CONFIG_XEN_PV_SMP=y +CONFIG_XEN_SAVE_RESTORE=y +CONFIG_XEN_SCRUB_PAGES_DEFAULT=y +CONFIG_XEN_SYS_HYPERVISOR=y +CONFIG_XEN_UNPOPULATED_ALLOC=y +CONFIG_XEN_VIRTIO=y +CONFIG_XEN_XENBUS_FRONTEND=y +CONFIG_XXHASH=y +CONFIG_XZ_DEC=y +CONFIG_XZ_DEC_ARM=y +CONFIG_XZ_DEC_ARM64=y +CONFIG_XZ_DEC_ARMTHUMB=y +CONFIG_XZ_DEC_BCJ=y +CONFIG_XZ_DEC_MICROLZMA=y +CONFIG_XZ_DEC_POWERPC=y +CONFIG_XZ_DEC_RISCV=y +CONFIG_XZ_DEC_SPARC=y +CONFIG_XZ_DEC_X86=y +CONFIG_ZBUD=y +CONFIG_ZERO_CALL_USED_REGS=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_ZONE_DEVICE=y +CONFIG_ZPOOL=y +CONFIG_ZSMALLOC=y +CONFIG_ZSTD_COMMON=y +CONFIG_ZSTD_COMPRESS=y +CONFIG_ZSTD_DECOMPRESS=y +CONFIG_ZSWAP=y +CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZO=y +CONFIG_ZSWAP_SHRINKER_DEFAULT_ON=y +CONFIG_ZSWAP_ZPOOL_DEFAULT_ZBUD=y + +# Summary: +# Ubuntu config has 2134 enabled parameters +# Yocto config has 1160 enabled parameters +# Need to add 1207 parameters to Yocto config +# +# Breakdown: +# - 551 parameters exist in Yocto but are disabled +# - 656 parameters are completely new to Yocto (likely introduced in 6.9-6.13) 
diff --git a/mkosi.profiles/devtools/mkosi.conf b/mkosi.profiles/devtools/mkosi.conf index 1ac61e0..c720603 100644 --- a/mkosi.profiles/devtools/mkosi.conf +++ b/mkosi.profiles/devtools/mkosi.conf @@ -1,13 +1,17 @@ [Content] -SkeletonTrees=serial-console.service:/etc/systemd/system/serial-console.service -Packages=socat - openssh-server - iputils-ping +ExtraTrees=mkosi.extra + +Packages=adjtimex + apt + bash-completion + curl dnsutils - strace + iputils-ping + net-tools netcat-openbsd + openssh-server + socat + strace tcpdump - net-tools - curl - apt + tcpflow vim diff --git a/mkosi.profiles/devtools/serial-console.service b/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service similarity index 100% rename from mkosi.profiles/devtools/serial-console.service rename to mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service diff --git a/mkosi.profiles/gcp/mkosi.conf b/mkosi.profiles/gcp/mkosi.conf new file mode 100644 index 0000000..c1ab042 --- /dev/null +++ b/mkosi.profiles/gcp/mkosi.conf @@ -0,0 +1,4 @@ +[Content] +ExtraTrees=mkosi.extra + +Packages=udev diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/hosts b/mkosi.profiles/gcp/mkosi.extra/etc/hosts new file mode 100644 index 0000000..cdc60f5 --- /dev/null +++ b/mkosi.profiles/gcp/mkosi.extra/etc/hosts @@ -0,0 +1,4 @@ +127.0.0.1 localhost + +169.254.169.254 metadata.google.internal +169.254.169.254 metadata diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf b/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf new file mode 100644 index 0000000..6c6486e --- /dev/null +++ b/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf @@ -0,0 +1,2 @@ +nameserver 169.254.169.254 +options edns0 trust-ad diff --git a/mkosi.profiles/gcp/mkosi.extra/usr/lib/udev/google_nvme_id b/mkosi.profiles/gcp/mkosi.extra/usr/lib/udev/google_nvme_id new file mode 100755 index 0000000..85ca3dd --- /dev/null +++ b/mkosi.profiles/gcp/mkosi.extra/usr/lib/udev/google_nvme_id 
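Review bot: `options edns0 trust-ad` in the new resolv.conf makes the glibc stub resolver pass through the AD bit returned by 169.254.169.254, so DNSSEC validation status is delegated entirely to the GCP metadata resolver with no validation inside the guest. glibc documents trust-ad as appropriate only when the resolver is local or the network path to it is trusted; in a TDX guest that path is the host-provided virtual NIC, so anything that consumes the AD bit (SSHFP, DANE, DNS-backed policy) inherits the host's trust level rather than the TEE's. Recording that decision in the file would help the next reader, e.g. `# trust-ad: AD bit is accepted from the metadata resolver; no in-guest DNSSEC validation`, or drop trust-ad if nothing in the image consumes the flag. The static /etc/hosts entries for metadata.google.internal are consistent with this nameserver choice.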
@@ -0,0 +1,248 @@ +#!/bin/bash +# Copyright 2020 Google Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Used to generate symlinks for PD-NVMe devices using the disk names reported by +# the metadata server + +# Locations of the script's dependencies +readonly nvme_cli_bin=/usr/sbin/nvme + +# Bash regex to parse device paths and controller identification +readonly NAMESPACE_NUMBER_REGEX="/dev/nvme[[:digit:]]+n([[:digit:]]+).*" +readonly PARTITION_NUMBER_REGEX="/dev/nvme[[:digit:]]+n[[:digit:]]+p([[:digit:]]+)" + +# Globals used to generate the symlinks for a PD-NVMe disk. These are populated +# by the identify_pd_disk function and exported for consumption by udev rules. +ID_SERIAL='' +ID_SERIAL_SHORT='' + +####################################### +# Helper function to log an error message to stderr. +# Globals: +# None +# Arguments: +# String to print as the log message +# Outputs: +# Writes error to STDERR +####################################### +function err() { + echo "[$(date +'%Y-%m-%dT%H:%M:%S%z')]: $*" >&2 +} + +####################################### +# Retrieves the device name for an NVMe namespace using nvme-cli. +# Globals: +# Uses nvme_cli_bin +# Arguments: +# The path to the nvme namespace (/dev/nvme0n?) +# Outputs: +# The device name parsed from the JSON in the vendor ext of the ns-id command. 
+# Returns: +# 0 if the device name for the namespace could be retrieved, 1 otherwise +####################################### +function get_namespace_device_name() { + local nvme_json + nvme_json="$("${nvme_cli_bin}" id-ns -b "$1" | xxd -p -seek 384 | xxd -p -r)" + if [[ $? -ne 0 ]]; then + return 1 + fi + + if [[ -z ${nvme_json} ]]; then + err "NVMe Vendor Extension disk information not present" + return 1 + fi + + local device_name + device_name="$(echo "${nvme_json}" | grep device_name | sed -e 's/.*"device_name":[ \t]*"\([a-zA-Z0-9_-]\+\)".*/\1/')" + + # Error if our device name is empty + if [[ -z ${device_name} ]]; then + err "Empty name" + return 1 + fi + + echo "${device_name}" + return 0 +} + +####################################### +# Retrieves the nsid for an NVMe namespace +# Globals: +# None +# Arguments: +# The path to the nvme namespace (/dev/nvme0n*) +# Outputs: +# The namespace number/id +# Returns: +# 0 if the namespace id could be retrieved, 1 otherwise +####################################### +function get_namespace_number() { + local dev_path="$1" + local namespace_number + if [[ ${dev_path} =~ ${NAMESPACE_NUMBER_REGEX} ]]; then + namespace_number="${BASH_REMATCH[1]}" + else + return 1 + fi + + echo "${namespace_number}" + return 0 +} + +####################################### +# Retrieves the partition number for a device path if it exists +# Globals: +# None +# Arguments: +# The path to the device partition (/dev/nvme0n*p*) +# Outputs: +# The value after 'p' in the device path, or an empty string if the path has +# no partition. +####################################### +function get_partition_number() { + local dev_path="$1" + local partition_number + if [[ ${dev_path} =~ ${PARTITION_NUMBER_REGEX} ]]; then + partition_number="${BASH_REMATCH[1]}" + echo "${partition_number}" + else + echo '' + fi + return 0 +} + +####################################### +# Generates a symlink for a PD-NVMe device using the metadata's disk name. 
+# Primarily used for testing but can be used if the script is directly invoked. +# Globals: +# Uses ID_SERIAL_SHORT (can be populated by identify_pd_disk) +# Arguments: +# The device path for the disk +####################################### +function gen_symlink() { + local dev_path="$1" + local partition_number + partition_number="$(get_partition_number "${dev_path}")" + + if [[ -n ${partition_number} ]]; then + ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}"-part"${partition_number}" > /dev/null 2>&1 + else + ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}" > /dev/null 2>&1 + fi + + return 0 +} + +####################################### +# Populates the ID_* global variables with a disk's device name and namespace +# Globals: +# Populates ID_SERIAL_SHORT, and ID_SERIAL +# Arguments: +# The device path for the disk +# Returns: +# 0 on success and 1 if an error occurrs +####################################### +function identify_pd_disk() { + local dev_path="$1" + local dev_name + dev_name="$(get_namespace_device_name "${dev_path}")" + if [[ $? -ne 0 ]]; then + return 1 + fi + + ID_SERIAL_SHORT="${dev_name}" + ID_SERIAL="Google_PersistentDisk_${ID_SERIAL_SHORT}" + return 0 +} + +function print_help_message() { + echo "Usage: google_nvme_id [-s] [-h] -d device_path" + echo " -d (Required): Specifies the path to generate a name" + echo " for. This needs to be a path to an nvme device or namespace" + echo " -s: Create symbolic link for the disk under /dev/disk/by-id." 
+ echo " Otherwise, the disk name will be printed to STDOUT" + echo " -h: Print this help message" +} + +function main() { + local opt_gen_symlink='false' + local device_path='' + + while getopts :d:sh flag; do + case "${flag}" in + d) device_path="${OPTARG}" ;; + s) opt_gen_symlink='true' ;; + h) + print_help_message + return 0 + ;; + :) + echo "Invalid option: ${OPTARG} requires an argument" 1>&2 + return 1 + ;; + *) return 1 ;; + esac + done + + if [[ -z ${device_path} ]]; then + echo "Device path (-d) argument required. Use -h for full usage." 1>&2 + exit 1 + fi + + # Ensure the nvme-cli command is installed + command -v "${nvme_cli_bin}" > /dev/null 2>&1 + if [[ $? -ne 0 ]]; then + err "The nvme utility (/usr/sbin/nvme) was not found. You may need to run \ +with sudo or install nvme-cli." + return 1 + fi + + # Ensure the passed device is actually an NVMe device + "${nvme_cli_bin}" id-ctrl "${device_path}" &> /dev/null + if [[ $? -ne 0 ]]; then + err "Passed device was not an NVMe device. (You may need to run this \ +script as root/with sudo)." + return 1 + fi + + # Detect the type of attached nvme device + local controller_id + controller_id=$("${nvme_cli_bin}" id-ctrl "${device_path}") + if [[ ! ${controller_id} =~ nvme_card-pd ]]; then + err "Device is not a PD-NVMe device" + return 1 + fi + + # Fill the global variables for the id command for the given disk type + # Error messages will be printed closer to error, no need to reprint here + identify_pd_disk "${device_path}" + ret=$? + if [[ ${ret} -ne 0 ]]; then + return "${ret}" + fi + + # Gen symlinks or print out the globals set by the identify command + if [[ ${opt_gen_symlink} == 'true' ]]; then + gen_symlink "${device_path}" + else + # These will be consumed by udev + echo "ID_SERIAL_SHORT=${ID_SERIAL_SHORT}" + echo "ID_SERIAL=${ID_SERIAL}" + fi + + return $? + +} +main "$@" 
diff --git a/mkosi.profiles/gcp/mkosi.extra/usr/lib/udev/rules.d/65-gce-disk-naming.rules b/mkosi.profiles/gcp/mkosi.extra/usr/lib/udev/rules.d/65-gce-disk-naming.rules new file mode 100644 index 0000000..8303991 --- /dev/null +++ b/mkosi.profiles/gcp/mkosi.extra/usr/lib/udev/rules.d/65-gce-disk-naming.rules 
@@ -0,0 +1,43 @@ +# Copyright 2016 Google Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Name the attached disks as the specified by deviceName. + +ACTION!="add|change", GOTO="gce_disk_naming_end" +SUBSYSTEM!="block", GOTO="gce_disk_naming_end" + +# SCSI naming +KERNEL=="sd*|vd*", IMPORT{program}="scsi_id --export --whitelisted -d $tempnode" + +# Don't symlink if it's not our devices. +KERNEL=="sd*|vd*", ENV{ID_VENDOR}!="Google", GOTO="gce_disk_naming_end" +KERNEL=="nvme*", ATTRS{model}!="nvme_card*", GOTO="gce_disk_naming_end" + +# NVME Local SSD naming +KERNEL=="nvme*n*", ATTRS{model}=="nvme_card", PROGRAM="/bin/sh -c 'nsid=$$(echo %k|sed -re s/nvme[0-9]+n\([0-9]+\).\*/\\1/); echo $$((nsid-1))'", ENV{ID_SERIAL_SHORT}="local-nvme-ssd-%c" +KERNEL=="nvme*", ATTRS{model}=="nvme_card", ENV{ID_SERIAL}="Google_EphemeralDisk_$env{ID_SERIAL_SHORT}" +# Support for local SSD multi-controller +KERNEL=="nvme*n*", ATTRS{model}=="nvme_card[0-9]*", IMPORT{program}="google_nvme_id -d $tempnode" + +# NVME Persistent Disk IO Timeout +KERNEL=="nvme*n*", ENV{DEVTYPE}=="disk", ATTRS{model}=="nvme_card-pd", ATTR{queue/io_timeout}="4294967295" + +# NVME Persistent Disk Naming +KERNEL=="nvme*n*", ATTRS{model}=="nvme_card-pd", IMPORT{program}="google_nvme_id -d $tempnode" + +# Symlinks +KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}" +KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="partition", 
SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}-part%n" + +LABEL="gce_disk_naming_end" diff --git a/mkosi.profiles/gcp/mkosi.postoutput b/mkosi.profiles/gcp/mkosi.postoutput index cdc3870..0294d53 100755 --- a/mkosi.profiles/gcp/mkosi.postoutput +++ b/mkosi.profiles/gcp/mkosi.postoutput @@ -9,16 +9,43 @@ TMP="${OUTPUTDIR}/gcp-tmp" mkdir -p "$TMP" +# Fixed GUIDs and IDs +DISK_GUID="12345678-1234-5678-1234-567812345678" +PARTITION_GUID="87654321-4321-8765-4321-876543218765" +FAT_SERIAL="12345678" + # Create 500MB ESP dd if=/dev/zero of="$TMP/esp.img" bs=1M count=500 -mformat -i "$TMP/esp.img" -F -v "ESP" :: + +# Format with fixed volume serial number and label +mformat -i "$TMP/esp.img" -F -v "ESP" -N "$FAT_SERIAL" :: + +# Create directory structure mmd -i "$TMP/esp.img" ::EFI ::EFI/BOOT -mcopy -i "$TMP/esp.img" "$EFI" ::EFI/BOOT/BOOTX64.EFI -# Create 1GB disk with GPT + ESP partition +# Copy files with deterministic timestamps +# -D o sets file times to 1980-01-01 (DOS epoch) +mcopy -D o -i "$TMP/esp.img" "$EFI" ::EFI/BOOT/BOOTX64.EFI + +# Create 1GB disk with GPT dd if=/dev/zero of="$TMP/disk.raw" bs=1M count=1024 -parted "$TMP/disk.raw" --script -- mklabel gpt mkpart ESP fat32 2048s 1026047s set 1 boot on +sgdisk --disk-guid="$DISK_GUID" "$TMP/disk.raw" + +# Create ESP partition +# -n creates partition (number:start:end) +# -t sets type (1:ef00 for ESP) +# -u sets partition GUID +# -c sets partition name +sgdisk -n 1:2048:1026047 \ + -t 1:ef00 \ + -u 1:"$PARTITION_GUID" \ + -c 1:"ESP" \ + -A 1:set:0 \ + "$TMP/disk.raw" + +# Write ESP image to partition area dd if="$TMP/esp.img" of="$TMP/disk.raw" bs=512 seek=2048 conv=notrunc +touch -d "2024-01-01 00:00:00 UTC" "$TMP/disk.raw" 2>/dev/null || true # Create GCP tar.gz tar --format=oldgnu -Sczf "$TAR" -C "$TMP" disk.raw diff --git a/scripts/make_git_package.sh b/scripts/make_git_package.sh index d04853d..5771e16 100644 --- a/scripts/make_git_package.sh +++ b/scripts/make_git_package.sh 
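Review bot: The comment `# -D o sets file times to 1980-01-01 (DOS epoch)` above the mcopy call does not describe what the flag does: in mtools `-D` is the name-clash option and `o` means overwrite, so the copied BOOTX64.EFI and the `mmd` directories still receive the current wall-clock time and the ESP image is not byte-reproducible across builds, which defeats the intent behind the fixed GUIDs and FAT serial. Recent mtools releases take their timestamps from `SOURCE_DATE_EPOCH` when it is set, so exporting it near the top of the script, e.g. `export SOURCE_DATE_EPOCH=1704067200` (2024-01-01T00:00:00Z, matching the later `touch`), and rewording the comment to `# -D o: overwrite on name clash; file timestamps come from SOURCE_DATE_EPOCH` fixes both the documentation and the determinism goal. Separately, `-A 1:set:0` sets GPT attribute bit 0 ("required partition"), which is not what the removed parted `set 1 boot on` did on a GPT label (that marks the ESP by partition type, now covered by `-t 1:ef00`); if the attribute is intentional a one-line comment naming the bit and why it is needed would avoid it being mistaken for a boot flag.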
@@ -19,7 +19,13 @@ make_git_package() { local src="${artifact_map%%:*}" local dest="${artifact_map#*:}" mkdir -p "$(dirname "$DESTDIR$dest")" - cp "$cache_dir/$(echo "$src" | tr '/' '_')" "$DESTDIR$dest" + local cached_name="$(echo "$src" | tr '/' '_')" + if [ -d "$cache_dir/$cached_name" ]; then + mkdir -p "$DESTDIR$dest" + cp -r "$cache_dir/$cached_name"/* "$DESTDIR$dest/" + else + cp "$cache_dir/$cached_name" "$DESTDIR$dest" + fi done return 0 fi @@ -35,11 +41,22 @@ make_git_package() { local dest="${artifact_map#*:}" # Copy the built artifact to the destination - mkdir -p "$(dirname "$DESTDIR$dest")" - cp "$build_dir/$src" "$DESTDIR$dest" + if [ -d "$build_dir/$src" ]; then + mkdir -p "$DESTDIR$dest" + cp -r "$build_dir/$src"/* "$DESTDIR$dest/" + else + mkdir -p "$(dirname "$DESTDIR$dest")" + cp "$build_dir/$src" "$DESTDIR$dest" + fi # Cache artifact mkdir -p "$cache_dir" - cp "$build_dir/$src" "$cache_dir/$(echo "$src" | tr '/' '_')" + local cached_name="$(echo "$src" | tr '/' '_')" + if [ -d "$build_dir/$src" ]; then + mkdir -p "$cache_dir/$cached_name" + cp -r "$build_dir/$src"/* "$cache_dir/$cached_name/" + else + cp "$build_dir/$src" "$cache_dir/$cached_name" + fi done } \ No newline at end of file diff --git a/services/chrony.conf b/services/chrony.conf new file mode 100644 index 0000000..201472c --- /dev/null +++ b/services/chrony.conf 
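Review bot: `cp -r "$cache_dir/$cached_name"/* "$DESTDIR$dest/"` in the first hunk, and the two matching copies in the second hunk, skip dotfiles and fail outright on an empty directory (the unmatched `*` is passed to cp literally); copying the directory contents with `cp -r "$cache_dir/$cached_name"/. "$DESTDIR$dest/"` handles both cases and the same substitution applies to the `$build_dir/$src` copies. `local cached_name="$(echo "$src" | tr '/' '_')"` also masks the command substitution's exit status, so declaring and assigning on separate lines keeps a failure visible. The is-directory/copy branch now appears three times in the function; a small `copy_artifact src dest` helper would keep them in step. The enclosing function starts before the first hunk.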
@@ -0,0 +1,33 @@ +# Welcome to the chrony configuration file. See chrony.conf(5) for more +# information about usable directives. + +# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board +# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for +# more information. +# servers +server metadata.google.internal iburst + +# This directive specify the location of the file containing ID/key pairs for +# NTP authentication. +keyfile /etc/chrony/chrony.keys + +# This directive specify the file into which chronyd will store the rate +# information. +driftfile /var/lib/chrony/chrony.drift + +# Uncomment the following line to turn logging on. +#log tracking measurements statistics + +# Log files location. +logdir /var/log/chrony + +# Stop bad estimates upsetting machine clock. +maxupdateskew 100.0 + +# This directive enables kernel synchronisation (every 11 minutes) of the +# real-time clock. Note that it can’t be used along with the 'rtcfile' directive. +rtcsync + +# Step the system clock instead of slewing it if the adjustment is larger than +# one second, but only in the first three clock updates. +makestep 1 3 From 2bc30873bd7dcab798fa9073c1e5b3f6619322b1 Mon Sep 17 00:00:00 2001 From: Ilya Lukyanov Date: Fri, 24 Oct 2025 00:35:43 +0400 Subject: [PATCH 2/9] flake.nix: remove dup mtools --- flake.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/flake.nix b/flake.nix index 1824d89..31801ca 100644 --- a/flake.nix +++ b/flake.nix @@ -65,7 +65,6 @@ mustache-go cryptsetup gptfdisk - mtools util-linux zstd which From 4ad5cc566af6d8fd10a5625a9206f070bfff3b40 Mon Sep 17 00:00:00 2001 From: Ilya Lukyanov Date: Tue, 21 Oct 2025 23:10:28 +0400 Subject: [PATCH 3/9] kernel: allow version override --- bob-l1/mkosi.conf | 2 +- kernel/mkosi.build | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bob-l1/mkosi.conf b/bob-l1/mkosi.conf index 95bc776..b5c1b77 100644 --- a/bob-l1/mkosi.conf +++ b/bob-l1/mkosi.conf 
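Review bot: The header comment above `server metadata.google.internal iburst` still says the servers come from the NTP Pool Project (LP: #104525), which is no longer true for this file and will mislead whoever edits it next; a replacement such as `# Time is taken from the GCP metadata server: unauthenticated NTP over the guest's virtual NIC` states the actual source and its trust level. `keyfile /etc/chrony/chrony.keys` is declared but no `key` option is given on the server line, so the keyfile is inert and could be dropped, or the comment could say it is kept for parity with the Ubuntu default. Since this image is measured for TDX, it is worth a note that guest wall-clock time is host-influenced and should not be relied on for security decisions (certificate validity, token expiry) beyond what the deployment threat model accepts.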
@@ -1,5 +1,5 @@ [Build] -Environment=LIGHTHOUSE_BINARY KERNEL_CONFIG_SNIPPETS=bob-l1/kernel.config +Environment=LIGHTHOUSE_BINARY KERNEL_CONFIG_SNIPPETS=bob-l1/kernel.config KERNEL_VERSION=6.13.12 WithNetwork=true [Content] diff --git a/kernel/mkosi.build b/kernel/mkosi.build index b9a641c..76875d9 100755 --- a/kernel/mkosi.build +++ b/kernel/mkosi.build @@ -2,7 +2,7 @@ set -euo pipefail # Configuration -KERNEL_VERSION="6.15.8" +KERNEL_VERSION="${KERNEL_VERSION:-6.15.8}" KERNEL_REPO="https://github.com/gregkh/linux" BASE_CONFIG="$SRCDIR/kernel/kernel-yocto.config" From ceae1d3fce59af10a210c77b4ef024686c46af88 Mon Sep 17 00:00:00 2001 From: Ilya Lukyanov Date: Tue, 21 Oct 2025 23:02:44 +0400 Subject: [PATCH 4/9] bob-common: move openntpd to bob-l1 --- bob-common/mkosi.conf | 1 - bob-common/mkosi.postinst | 1 - bob-l1/mkosi.conf | 2 ++ bob-l1/mkosi.postinst | 11 ++++++++--- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/bob-common/mkosi.conf b/bob-common/mkosi.conf index 8bbf43c..dcd3c41 100644 --- a/bob-common/mkosi.conf +++ b/bob-common/mkosi.conf @@ -15,7 +15,6 @@ Packages=podman iproute2 conntrack netfilter-persistent - openntpd curl jq logrotate diff --git a/bob-common/mkosi.postinst b/bob-common/mkosi.postinst index 95bdf81..59dcb73 100755 --- a/bob-common/mkosi.postinst +++ b/bob-common/mkosi.postinst @@ -22,7 +22,6 @@ mkdir "$BUILDROOT/etc/dropbear" mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants" for service in \ network-setup.service \ - openntpd.service \ logrotate.service \ fluent-bit.service \ wait-for-key.service \ diff --git a/bob-l1/mkosi.conf b/bob-l1/mkosi.conf index b5c1b77..2517779 100644 --- a/bob-l1/mkosi.conf +++ b/bob-l1/mkosi.conf @@ -7,6 +7,8 @@ ExtraTrees=bob-l1/mkosi.extra PostInstallationScripts=bob-l1/mkosi.postinst BuildScripts=bob-l1/mkosi.build +Packages=openntpd + BuildPackages=build-essential git gcc diff --git a/bob-l1/mkosi.postinst b/bob-l1/mkosi.postinst index dcb2b79..1f6278a 100755 
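Review bot: `KERNEL_VERSION="${KERNEL_VERSION:-6.15.8}"` accepts any string from the environment and, as far as the hunk shows, passes it on unvalidated to whatever checkout of `KERNEL_REPO` follows; a guard such as `[[ $KERNEL_VERSION =~ ^[0-9]+\.[0-9]+(\.[0-9]+)?$ ]] || { echo "bad KERNEL_VERSION: $KERNEL_VERSION" >&2; exit 1; }` turns a typo in a mkosi `Environment=` line into a clear error instead of a confusing git failure. A comment above the line saying that the override is consumed from `[Build] Environment=` (as bob-l1/mkosi.conf now does with 6.13.12) would document the contract. With two images now building different kernel trees the resulting measurements differ per image, which deserves a sentence in the project docs so the right measurement file is compared for each. The rest of the build script after `BASE_CONFIG` is outside the hunk.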
--- a/bob-l1/mkosi.postinst +++ b/bob-l1/mkosi.postinst @@ -10,7 +10,12 @@ mkosi-chroot useradd -r -s /bin/false -G eth lighthouse # Install lighthouse install -m 755 services/bin/lighthouse-init "$BUILDROOT/usr/bin/" -# Enable lighthouse service +# Enable services mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants" -mkosi-chroot systemctl enable lighthouse.service -ln -sf /etc/systemd/system/lighthouse.service "$BUILDROOT/etc/systemd/system/minimal.target.wants/" +for service in \ + lighthouse.service \ + openntpd.service +do + mkosi-chroot systemctl enable "$service" + ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/" +done From bbbd47de864be6248c36a407fc7dafed69230906 Mon Sep 17 00:00:00 2001 From: Ilya Lukyanov Date: Wed, 22 Oct 2025 00:19:02 +0400 Subject: [PATCH 5/9] bob-common: move dropbear req of azure provision to bob-l1 --- .../mkosi.extra/etc/systemd/system/searcher-firewall.service | 4 ++-- .../searcher-firewall.service.d/require-azure-provision.conf | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 bob-l1/mkosi.extra/etc/systemd/system/searcher-firewall.service.d/require-azure-provision.conf diff --git a/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service b/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service index 0eb7be4..3812c1e 100644 --- a/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service +++ b/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service @@ -1,7 +1,7 @@ [Unit] Description=Searcher Network and Firewall Rules -After=azure-complete-provisioning.service -Requires=azure-complete-provisioning.service +After=network.target network-setup.service +Requires=network-setup.service [Service] Type=oneshot 
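Review bot: The new loop symlinks `/etc/systemd/system/$service` into minimal.target.wants, but openntpd.service comes from the Debian package added in bob-l1/mkosi.conf and, unless the image ships an override copy under /etc, its unit file lives under /lib/systemd/system, so the `ln -sf` for that entry creates a dangling link and minimal.target will not pull the service in. `mkosi-chroot systemctl add-wants minimal.target "$service"` resolves the unit's real fragment path and replaces both the `mkdir -p` and the `ln -sf`; if the hand-made symlink is kept, a comment stating that every listed unit is expected under /etc/systemd/system makes the assumption checkable. The enclosing script starts before the hunk.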
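Review bot: Changing `After=`/`Requires=` to network.target and network-setup.service means this unit now runs after interfaces are configured; if the rules it installs include the default-DROP policy, the interval between link-up and its ExecStart is unfiltered. systemd's documented hook for firewalls is `Wants=network-pre.target` plus `Before=network-pre.target`; if the rules genuinely need addresses produced by network-setup.service, a comment explaining that dependency and where the default policy is set instead would clear this up. The ExecStart and remaining [Service] lines are outside the hunk.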
diff --git a/bob-l1/mkosi.extra/etc/systemd/system/searcher-firewall.service.d/require-azure-provision.conf b/bob-l1/mkosi.extra/etc/systemd/system/searcher-firewall.service.d/require-azure-provision.conf new file mode 100644 index 0000000..cc6cb29 --- /dev/null +++ b/bob-l1/mkosi.extra/etc/systemd/system/searcher-firewall.service.d/require-azure-provision.conf @@ -0,0 +1,3 @@ +[Unit] +After=azure-complete-provisioning.service +Requires=azure-complete-provisioning.service From ba5911fbb21104b93fc7d189626324fd6832b810 Mon Sep 17 00:00:00 2001 From: Ilya Lukyanov Date: Fri, 24 Oct 2025 00:58:19 +0400 Subject: [PATCH 6/9] bob-common: add helper iptables func drop_dst_ip --- bob-common/mkosi.extra/usr/bin/init-firewall.sh | 8 ++++++++ bob-l1/mkosi.extra/etc/firewall-config | 4 +--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/bob-common/mkosi.extra/usr/bin/init-firewall.sh b/bob-common/mkosi.extra/usr/bin/init-firewall.sh index b690bb2..741b455 100755 --- a/bob-common/mkosi.extra/usr/bin/init-firewall.sh +++ b/bob-common/mkosi.extra/usr/bin/init-firewall.sh @@ -124,6 +124,14 @@ accept_dst_ip_port() { -m comment --comment "$comment" } +drop_dst_ip() { + chain="$1" + ip="$2" + comment="$3" + + iptables -A "$chain" -d "$ip" -j DROP \ + -m comment --comment "$comment" +} ########################################################################### # (5) Load firewall rules in {MAINTENANCE,PRODUCTION}_{IN,OUT} chains. diff --git a/bob-l1/mkosi.extra/etc/firewall-config b/bob-l1/mkosi.extra/etc/firewall-config index 14ef984..e7c1794 100644 --- a/bob-l1/mkosi.extra/etc/firewall-config +++ b/bob-l1/mkosi.extra/etc/firewall-config 
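Review bot: `drop_dst_ip` assigns `chain`, `ip` and `comment` as globals; if the neighbouring helpers (`accept_dst_ip_port` ends just above) use the same style that is at least consistent, but dash does support `local`, and declaring them so keeps the three names from leaking into the firewall-config that is sourced later. A short header comment would also help, e.g. `# drop_dst_ip CHAIN IP[,IP...] COMMENT - append a DROP per destination; must precede any broader ACCEPT in CHAIN`, since the one caller relies on rule ordering and on iptables expanding a comma-separated `-d` list into one rule per address. There is also no blank line between the closing brace and the section banner that follows, unlike the helper above it.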
@@ -84,9 +84,7 @@ accept_dst_port $CHAIN_MAINTENANCE_IN udp $EL_P2P_PORT "EL P2P (UDP)" ########################################################################### # Block Flashbots protect tx endpoints during maintenance -iptables -A $CHAIN_MAINTENANCE_OUT \ - -d $FLASHBOTS_TX_STREAM_1,$FLASHBOTS_TX_STREAM_2 -j DROP \ - -m comment --comment "Flashbots Protect (DROP before accept-all 443)" +drop_dst_ip $CHAIN_MAINTENANCE_OUT $FLASHBOTS_TX_STREAM_1,$FLASHBOTS_TX_STREAM_2 "Flashbots Protect (DROP before accept-all rules)" accept_dst_port $CHAIN_MAINTENANCE_OUT udp $DNS_PORT "DNS (UDP)" accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_PORT "DNS (TCP)" From 54ef03ccf8564302b0823f7e36b5092df7cca44a Mon Sep 17 00:00:00 2001 From: Ilya Lukyanov Date: Fri, 24 Oct 2025 15:41:20 +0400 Subject: [PATCH 7/9] bob-l1: revert lighthouse log rename this breaks backwards compatibility a bit --- bob-common/mkosi.extra/usr/bin/init-container.sh | 2 +- bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/bob-common/mkosi.extra/usr/bin/init-container.sh b/bob-common/mkosi.extra/usr/bin/init-container.sh index c755eb4..d1e8f56 100755 --- a/bob-common/mkosi.extra/usr/bin/init-container.sh +++ b/bob-common/mkosi.extra/usr/bin/init-container.sh @@ -21,7 +21,7 @@ su -s /bin/sh searcher -c "cd ~ && podman run -d \ -v /persistent/searcher:/persistent:rw \ -v /etc/searcher/ssh_hostkey:/etc/searcher/ssh_hostkey:rw \ -v /persistent/searcher_logs:/var/log/searcher:rw \ - -v /persistent/cl_logs:/var/log/cl:ro \ + -v /persistent/lighthouse_logs:/var/log/lighthouse:ro \ -v /tmp/jwt.hex:/secrets/jwt.hex:ro \ -v /etc/searcher-logrotate.conf:/tmp/searcher.conf:ro \ docker.io/library/ubuntu:24.04 \ diff --git a/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service b/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service index c363ab9..37eb602 100644 --- a/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service 
+++ b/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service @@ -8,9 +8,9 @@ Type=exec User=lighthouse Group=eth ExecStartPre=+/usr/bin/lighthouse-init -ExecStartPre=+/bin/mkdir -p /persistent/cl_logs -ExecStartPre=+/bin/chown lighthouse:eth /persistent/cl_logs -ExecStartPre=+/bin/chmod 755 /persistent/cl_logs +ExecStartPre=+/bin/mkdir -p /persistent/lighthouse_logs +ExecStartPre=+/bin/chown lighthouse:eth /persistent/lighthouse_logs +ExecStartPre=+/bin/chmod 755 /persistent/lighthouse_logs ExecStart=/usr/bin/lighthouse bn \ --network mainnet \ --execution-endpoint http://localhost:8551 \ @@ -20,7 +20,7 @@ ExecStart=/usr/bin/lighthouse bn \ --datadir "/persistent/lighthouse" \ --disable-optimistic-finalized-sync \ --disable-quic \ - --logfile-dir /persistent/cl_logs \ + --logfile-dir /persistent/lighthouse_logs \ --logfile-format JSON \ --logfile-debug-level debug \ --logfile-max-number 5 \ From 33953b116d1b31c60b0848510b750a7e86c911b9 Mon Sep 17 00:00:00 2001 From: Ilya Lukyanov Date: Fri, 24 Oct 2025 01:45:54 +0400 Subject: [PATCH 8/9] bob-l1: move bob firewall into /etc/bob --- bob-common/mkosi.extra/usr/bin/init-firewall.sh | 8 ++++---- bob-l1/mkosi.extra/etc/{ => bob}/firewall-config | 0 2 files changed, 4 insertions(+), 4 deletions(-) rename bob-l1/mkosi.extra/etc/{ => bob}/firewall-config (100%) diff --git a/bob-common/mkosi.extra/usr/bin/init-firewall.sh b/bob-common/mkosi.extra/usr/bin/init-firewall.sh index 741b455..9f9516f 100755 --- a/bob-common/mkosi.extra/usr/bin/init-firewall.sh +++ b/bob-common/mkosi.extra/usr/bin/init-firewall.sh @@ -20,7 +20,7 @@ set -eu -o pipefail # ├(loopback?)─> ACCEPT # └─> default DROP # -# - There are no ports opened in this file, refer to bob*/mkosi.extra/etc/firewall-config +# - There are no ports opened in this file, refer to bob*/mkosi.extra/etc/bob/firewall-config # for actual chain rules. # - Mode-specific ESTABLISHED/RELATED connections are killed by # `conntrack -D ...` upon mode toggle. 
@@ -98,7 +98,7 @@ iptables -A OUTPUT ! -o lo -d 127.0.0.0/8 -j DROP
 ###########################################################################
 #
-# Some helper functions to reduce boilerplate in /etc/firewall-config
+# Some helper functions to reduce boilerplate in /etc/bob/firewall-config
 #
 ###########################################################################
 accept_dst_port() {
@@ -135,11 +135,11 @@ drop_dst_ip() {
 ###########################################################################
 # (5) Load firewall rules in {MAINTENANCE,PRODUCTION}_{IN,OUT} chains.
-# Those are customized per image, see bob*/mkosi.extra/etc/firewall-config
+# Those are customized per image, see bob*/mkosi.extra/etc/bob/firewall-config
 #
 # `source` is not supported in dash
 ###########################################################################
-. /etc/firewall-config
+. /etc/bob/firewall-config
 ###########################################################################
 # (6) Start in Maintenance Mode
diff --git a/bob-l1/mkosi.extra/etc/firewall-config b/bob-l1/mkosi.extra/etc/bob/firewall-config
similarity index 100%
rename from bob-l1/mkosi.extra/etc/firewall-config
rename to bob-l1/mkosi.extra/etc/bob/firewall-config
From 860db3599f1b345acd2954e02ba79e3578415798 Mon Sep 17 00:00:00 2001
From: Ilya Lukyanov
Date: Thu, 23 Oct 2025 21:15:14 +0400
Subject: [PATCH 9/9] bob-l1: modularize init-container extra commands
---
.../mkosi.extra/usr/bin/init-container.sh | 48 +++++++++++--------
.../etc/bob/searcher-container-after-init | 12 +++++
.../etc/bob/searcher-container-before-init | 10 ++++
3 files changed, 49 insertions(+), 21 deletions(-)
create mode 100644 bob-l1/mkosi.extra/etc/bob/searcher-container-after-init
create mode 100644 bob-l1/mkosi.extra/etc/bob/searcher-container-before-init
diff --git a/bob-common/mkosi.extra/usr/bin/init-container.sh b/bob-common/mkosi.extra/usr/bin/init-container.sh
index d1e8f56..5375ace 100755
--- a/bob-common/mkosi.extra/usr/bin/init-container.sh
+++ b/bob-common/mkosi.extra/usr/bin/init-container.sh
@@ -5,25 +5,30 @@ NAME=searcher-container
 # PORT FORWARDS
 SEARCHER_SSH_PORT=10022
-ENGINE_API_PORT=8551
 EL_P2P_PORT=30303
 SEARCHER_INPUT_CHANNEL=27017
+# Run extra commands which are customized per image,
+# see bob*/mkosi.extra/etc/bob/searcher-container-before-init
+#
+# `source` is not supported in dash
+. /etc/bob/searcher-container-before-init
+
+# BOB_SEARCHER_EXTRA_PODMAN_FLAGS is unescaped, it's sourced from trusted hardcoded file
+
 echo "Starting $NAME..."
 su -s /bin/sh searcher -c "cd ~ && podman run -d \
 --name $NAME --replace \
 --init \
 -p ${SEARCHER_SSH_PORT}:22 \
- -p ${ENGINE_API_PORT}:${ENGINE_API_PORT} \
 -p ${EL_P2P_PORT}:${EL_P2P_PORT} \
 -p ${EL_P2P_PORT}:${EL_P2P_PORT}/udp \
 -p ${SEARCHER_INPUT_CHANNEL}:${SEARCHER_INPUT_CHANNEL}/udp \
 -v /persistent/searcher:/persistent:rw \
 -v /etc/searcher/ssh_hostkey:/etc/searcher/ssh_hostkey:rw \
 -v /persistent/searcher_logs:/var/log/searcher:rw \
- -v /persistent/lighthouse_logs:/var/log/lighthouse:ro \
- -v /tmp/jwt.hex:/secrets/jwt.hex:ro \
 -v /etc/searcher-logrotate.conf:/tmp/searcher.conf:ro \
+ $BOB_SEARCHER_EXTRA_PODMAN_FLAGS \
 docker.io/library/ubuntu:24.04 \
 /bin/sh -c ' \
 DEBIAN_FRONTEND=noninteractive apt-get update && \
@@ -41,7 +46,7 @@ su -s /bin/sh searcher -c "cd ~ && podman run -d \
 while true; do /usr/sbin/sshd -D -e; sleep 5; done'"
 # Attempt a quick check that the container is running
-for i in 1 2 3 4 5; do
+for i in $(seq 1 5); do
 status=$(su -s /bin/sh - searcher -c "podman inspect --format '{{.State.Status}}' $NAME 2>/dev/null || true")
 if [ "$status" = "running" ]; then
 break
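Review bot: The comment `# BOB_SEARCHER_EXTRA_PODMAN_FLAGS is unescaped, it's sourced from trusted hardcoded file` should state the actual contract: the variable is spliced verbatim into the double-quoted `su -c` command string and then re-parsed by the searcher user's `/bin/sh`, so the sourced file may only contain plain podman tokens (no quotes, `$`, `;` or backticks); the same constraint applies to `searcher-container-before-init` added in the last hunk of this patch. I would reword it to `# BOB_SEARCHER_EXTRA_PODMAN_FLAGS is spliced verbatim into the su -c string and re-parsed by the searcher user's shell: plain podman flags only, no quoting characters (the file is part of the image, hence trusted)`. If this script runs under `set -u` (not visible in the hunk), an image whose before-init file does not define the variable aborts at the `podman run` line, and `${BOB_SEARCHER_EXTRA_PODMAN_FLAGS:-}` would make the hook optional. The `su` command string continues beyond the hunk.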
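Review bot: `for i in $(seq 1 5); do` replaces a pure-shell word list with a fork of an external `seq` binary, adding a runtime dependency to the image for no behavioural gain; `for i in 1 2 3 4 5; do` is the simpler form, or `for _ in 1 2 3 4 5; do` if the index is not read. The loop body continues outside the hunk, so I cannot see whether `$i` is used.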
@@ -63,24 +68,25 @@ if [ -z "$pid" ] || [ "$pid" = "0" ]; then
 fi
 echo "Applying iptables rules in $NAME (PID: $pid) network namespace..."
+ns_iptables() {
+ nsenter --target "$pid" --net iptables "$@"
+}
+
+ns_iptables -A OUTPUT -d 169.254.169.254 -j DROP
-# Enter network namespace and apply DROP rules on port 9000 TCP/UDP
-nsenter --target "$pid" --net iptables -A OUTPUT -p tcp --dport 9000 -j DROP
-nsenter --target "$pid" --net iptables -A OUTPUT -p udp --dport 9000 -j DROP
+ns_iptables -A OUTPUT -p tcp --dport 9000 -j DROP
+ns_iptables -A OUTPUT -p udp --dport 9000 -j DROP
-# Enter network namespace and apply DROP rule on port 123 UDP
-nsenter --target "$pid" --net iptables -A OUTPUT -p udp --dport 123 -j DROP
+ns_iptables -A OUTPUT -p udp --dport 123 -j DROP
-# Drop outbound traffic from SEARCHER_INPUT_CHANNEL
-nsenter --target "$pid" --net iptables -A OUTPUT -p udp --sport $SEARCHER_INPUT_CHANNEL -j DROP
-nsenter --target "$pid" --net iptables -A OUTPUT -p tcp --sport $SEARCHER_INPUT_CHANNEL -j DROP
+ns_iptables -A OUTPUT -p udp --sport $SEARCHER_INPUT_CHANNEL -j DROP
+ns_iptables -A OUTPUT -p tcp --sport $SEARCHER_INPUT_CHANNEL -j DROP
-echo "Injecting static hosts into $NAME..."
+# Helper, only used in sourced script below
+exec_in_container() {
+ su -s /bin/sh searcher -c "podman exec $NAME /bin/sh -c '$1'"
+}
-su -s /bin/sh searcher -c "podman exec $NAME /bin/sh -c '
- echo \"3.149.14.12 tx.tee-searcher.flashbots.net\" >> /etc/hosts &&
- echo \"3.136.107.142 tx.tee-searcher.flashbots.net\" >> /etc/hosts &&
- echo \"18.221.59.61 backruns.tee-searcher.flashbots.net\" >> /etc/hosts &&
- echo \"3.15.88.156 backruns.tee-searcher.flashbots.net\" >> /etc/hosts &&
- echo \"52.207.17.217 fbtee.titanbuilder.xyz\" >> /etc/hosts
-'"
+# Run extra commands which are customized per image,
+# see bob*/mkosi.extra/etc/bob/searcher-container-after-init
+. /etc/bob/searcher-container-after-init
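Review bot: `exec_in_container()` drops `$1` unescaped between single quotes inside the double-quoted `su -c` string, so a single quote anywhere in the snippet terminates the inner `'...'` and the remainder is parsed by the searcher user's host shell instead of inside the container; it likewise relies on `$NAME` containing no shell metacharacters. Passing the snippet over stdin removes the nested quoting entirely, e.g. `printf '%s\n' "$1" | su -s /bin/sh searcher -c "podman exec -i $NAME /bin/sh"`. Separately, the new `ns_iptables -A OUTPUT -d 169.254.169.254 -j DROP` is only applied after the container has been detected running, so that address (presumably the cloud metadata endpoint, given this series' GCP focus) stays reachable from inside the container during its startup phase started by the `podman run` above; if that window matters, the same DROP belongs in the host firewall as well. The other DROP rules lost their explanatory comments in this hunk, and a one-line comment per group, e.g. `# metadata endpoint`, `# port 9000 TCP/UDP`, `# NTP`, would keep the intent readable.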
diff --git a/bob-l1/mkosi.extra/etc/bob/searcher-container-after-init b/bob-l1/mkosi.extra/etc/bob/searcher-container-after-init
new file mode 100644
index 0000000..2da5aca
--- /dev/null
+++ b/bob-l1/mkosi.extra/etc/bob/searcher-container-after-init
@@ -0,0 +1,12 @@
+# This script is sourced from init-container.sh and contains image-specific stuff
+# See also: bob-common/mkosi.extra/usr/bin/init-container.sh
+
+echo "Injecting static hosts into searcher container..."
+exec_in_container '
+ cat <> /etc/hosts
+3.149.14.12 tx.tee-searcher.flashbots.net
+3.136.107.142 tx.tee-searcher.flashbots.net
+18.221.59.61 backruns.tee-searcher.flashbots.net
+3.15.88.156 backruns.tee-searcher.flashbots.net
+52.207.17.217 fbtee.titanbuilder.xyz
+EOF'
diff --git a/bob-l1/mkosi.extra/etc/bob/searcher-container-before-init b/bob-l1/mkosi.extra/etc/bob/searcher-container-before-init
new file mode 100644
index 0000000..254b741
--- /dev/null
+++ b/bob-l1/mkosi.extra/etc/bob/searcher-container-before-init
@@ -0,0 +1,10 @@
+# This script is sourced from init-container.sh and contains image-specific stuff
+# See also: bob-common/mkosi.extra/usr/bin/init-container.sh
+
+ENGINE_API_PORT=8551
+
+BOB_SEARCHER_EXTRA_PODMAN_FLAGS="\
+ -p ${ENGINE_API_PORT}:${ENGINE_API_PORT} \
+ -v /persistent/lighthouse_logs:/var/log/lighthouse:ro \
+ -v /tmp/jwt.hex:/secrets/jwt.hex:ro \
+"
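Review bot: The heredoc line in searcher-container-after-init reads `cat <> /etc/hosts` in this rendering; taken literally that opens /etc/hosts read-write and prints it, and the five address lines that follow would then be executed as commands, so please confirm the committed file reads `cat <<EOF >> /etc/hosts` (the `<<EOF >>` looks like it was eaten by HTML extraction, and the closing `EOF` line shows a heredoc was intended). Since the body is passed through `exec_in_container`, it must also never contain a single quote, which holds for the current address list but is worth a comment such as `# NOTE: body is inlined into a single-quoted sh -c string; no ' allowed` above the `exec_in_container '` line.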