fix: kernel boot on arm64 metal

Enabling `CONFIG_EFI_DISABLE_PCI_DMA` brokes the kernel boot on ARM metal platforms without any messages during boot making it so hard to debug. This happened on an Ampere Altra ARM64 bare metal server. Reverts ARM64 Kconfig from 87eb013. Also update the KSPP script with per-arch violations denylist. Signed-off-by: Noel Georgi <git@frezbo.dev>
siderolabs · Mar 26, 2024 · 5861223 · 5861223
1 parent 6364d99
commit 5861223
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
@@ -2080,7 +2080,7 @@ CONFIG_EFI_BOOTLOADER_CONTROL=y
 CONFIG_EFI_CAPSULE_LOADER=y
 CONFIG_EFI_TEST=y
 CONFIG_RESET_ATTACK_MITIGATION=y
-CONFIG_EFI_DISABLE_PCI_DMA=y
+# CONFIG_EFI_DISABLE_PCI_DMA is not set
 CONFIG_EFI_EARLYCON=y
 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
 # CONFIG_EFI_DISABLE_RUNTIME is not set

diff --git a/kernel/build/pkg.yaml b/kernel/build/pkg.yaml
@@ -21,7 +21,7 @@ steps:
  {{ else }}
  - |
  cd /src
- python3 /toolchain/kernel-hardening-checker/bin/kernel-hardening-checker -c .config -m json | python3 /pkg/scripts/filter-hardened-check.py
+ python3 /toolchain/kernel-hardening-checker/bin/kernel-hardening-checker -c .config -m json | python3 /pkg/scripts/filter-hardened-check.py ${CARCH}
  - |
  cd /src
 

diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py
@@ -27,11 +27,28 @@
  'CONFIG_RANDSTRUCT_PERFORMANCE', # disabled due to performance reasons
  'CONFIG_UBSAN_TRAP', # disabled due to performance reasons
  'CONFIG_CFI_CLANG', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/918
- 'CONFIG_CFI_PERMISSIVE', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/918
- 'CONFIG_ARM64_BTI_KERNEL', # can't seem to enable this, probably because we're using gcc, see https://github.com/siderolabs/pkgs/issues/918
+ 'CONFIG_CFI_PERMISSIVE', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/91
+}
+
+"""
+Names of violations per arch we ignore for a good reason.
+"""
+IGNORE_VIOLATIONS_BY_ARCH = {
+ 'arm64': {
+ 'CONFIG_ARM64_BTI_KERNEL', # can't seem to enable this, probably because we're using gcc, see https://github.com/siderolabs/pkgs/issues/918
+ 'CONFIG_EFI_DISABLE_PCI_DMA', # for arm64, enabling this breaks boot with no visible error messages to debug.
+ },
+ 'amd64': {},
 }
 
 def main():
+ if len(sys.argv) != 2:
+ print("Usage: {} <arch>".format(sys.argv[0]))
+
+ sys.exit(1)
+
+ arch = sys.argv[1]
+
  violations = json.load(sys.stdin)
 
  # filter out non-failures
@@ -40,6 +57,9 @@ def main():
  # filter only failures in the groups we're interested in
  violations = [item for item in violations if item["decision"] in GROUPS]
 
+ # add violations we ignore per arch
+ IGNORE_VIOLATIONS.update(IGNORE_VIOLATIONS_BY_ARCH[arch])
+
  # filter out violations we ignore
  violations = [item for item in violations if item["option_name"] not in IGNORE_VIOLATIONS]