Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-05-02 06:26:20 -04:00
Code Issues Projects Releases Packages Wiki Activity

Many changes

Browse source 
- 17.1: Add Pixel 4/XL
- Promote klte to 17.1
- hardenBootArgs: don't run on klte
- hardenBootArgs: regorganize
- hardenDefconfig: enabler: drop unnecessary options (iommu)
- hardenDefconfig: disabler: comment diag options for now
- deblobber: comment dirac lines to fix cheeseburger headphone jack
- fixup Etar replacement
This commit is contained in:
Tad 2020-10-11 04:46:19 -04:00
parent 496fddb303
commit 115dd21832
11 changed files with 284 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Scripts/Common/Copy_Keys.sh
View file

@ -7,11 +7,13 @@ cat "$DOS_SIGNING_KEYS/bonito/verity.x509.pem" >> "kernel/google/bonito/certs/ve
cat "$DOS_SIGNING_KEYS/bonito/verity.x509.pem" >> "kernel/google/msm-4.9/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/cheeseburger/verity.x509.pem" >> "kernel/oneplus/msm8998/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/cheryl/verity.x509.pem" >> "kernel/razer/msm8998/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/coral/verity.x509.pem" >> "kernel/google/coral/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/crosshatch/verity.x509.pem" >> "kernel/google/crosshatch/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/crosshatch/verity.x509.pem" >> "kernel/google/msm-4.9/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/dumpling/verity.x509.pem" >> "kernel/oneplus/msm8998/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/enchilada/verity.x509.pem" >> "kernel/oneplus/sdm845/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/fajita/verity.x509.pem" >> "kernel/oneplus/sdm845/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/flame/verity.x509.pem" >> "kernel/google/coral/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/guacamoleb/verity.x509.pem" >> "kernel/oneplus/sm8150/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/guacamole/verity.x509.pem" >> "kernel/oneplus/sm8150/certs/verity.x509.pem";
cat "$DOS_SIGNING_KEYS/mata/verity.x509.pem" >> "kernel/essential/msm8998/certs/verity.x509.pem";
@ -30,11 +32,13 @@ cp -v "$DOS_SIGNING_KEYS/bonito/verifiedboot_relkeys.der.x509" "kernel/google/bo
cp -v "$DOS_SIGNING_KEYS/bonito/verifiedboot_relkeys.der.x509" "kernel/google/msm-4.9/verifiedboot_bonito_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/cheeseburger/verifiedboot_relkeys.der.x509" "kernel/oneplus/msm8998/verifiedboot_cheeseburger_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/cheryl/verifiedboot_relkeys.der.x509" "kernel/razer/msm8998/verifiedboot_cheryl_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/coral/verifiedboot_relkeys.der.x509" "kernel/google/coral/verifiedboot_coral_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/crosshatch/verifiedboot_relkeys.der.x509" "kernel/google/crosshatch/verifiedboot_crosshatch_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/crosshatch/verifiedboot_relkeys.der.x509" "kernel/google/msm-4.9/verifiedboot_crosshatch_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/dumpling/verifiedboot_relkeys.der.x509" "kernel/oneplus/msm8998/verifiedboot_dumpling_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/enchilada/verifiedboot_relkeys.der.x509" "kernel/oneplus/sdm845/verifiedboot_enchilada_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/fajita/verifiedboot_relkeys.der.x509" "kernel/oneplus/sdm845/verifiedboot_fajita_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/flame/verifiedboot_relkeys.der.x509" "kernel/google/coral/verifiedboot_flame_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/guacamoleb/verifiedboot_relkeys.der.x509" "kernel/oneplus/sm8150/verifiedboot_guacamoleb_dos_relkeys.der.x509";
cp -v "$DOS_SIGNING_KEYS/guacamole/verifiedboot_relkeys.der.x509" "kernel/oneplus/sm8150/verifiedboot_guacamole_dos_relkeys.der.x509";

8
Scripts/Common/Deblob.sh
View file

@ -103,10 +103,10 @@ echo "Deblobbing...";
ipcSec="4097:4294967295:2002:2950:3009:2901|4097:4294967295:3009";
#Dirac (Audio Codec + Effects) [Dirac]
if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
blobs=$blobs"|libDiracAPI_SHARED.so|.*dirac.*";
blobs=$blobs"|diracmobile.config";
fi;
#if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
#blobs=$blobs"|libDiracAPI_SHARED.so|.*dirac.*"; #XXX: Breaks headphone jack
#blobs=$blobs"|diracmobile.config";
#fi;
#Discretix (DRM/HDCP) [Discretix Technologies]
blobs=$blobs"|DxDrmServerIpc|discretix";

12
Scripts/Common/Functions.sh
View file

@ -474,7 +474,9 @@ export -f hardenUserdata;
hardenBootArgs() {
cd "$DOS_BUILD_BASE$1";
sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := kpti=on pti=on init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 page_poison=1 slab_nomerge slub_debug=FZP lockdown=confidentiality /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
if [[ "$1" != *"device/samsung/klte"* ]] && [[ "$1" != *"device/samsung/msm8974-common"* ]]; then
sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := page_poison=1 slab_nomerge slub_debug=FZP kpti=on pti=on page_alloc.shuffle=1 init_on_alloc=1 init_on_free=1 lockdown=confidentiality /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
fi;
echo "Hardened kernel command line arguments for $1";
cd "$DOS_BUILD_BASE";
}
@ -623,7 +625,7 @@ hardenDefconfig() {
#Enable supported options
#Disabled: DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
declare -a optionsYes=("ARM64_PTR_AUTH" "ARM64_SW_TTBR0_PAN" "ARM64_UAO" "ARM_SMMU" "ASYMMETRIC_KEY_TYPE" "ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "BUG" "BUG_ON_DATA_CORRUPTION" "CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG" "CPU_SW_DOMAIN_PAN" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "DEBUG_WX" "DM_ANDROID_VERITY" "DM_VERITY" "DM_VERITY_FEC" "EXYNOS_IOMMU" "FORTIFY_SOURCE" "HARDEN_BRANCH_PREDICTOR" "HARDENED_USERCOPY" "HARDEN_EL2_VECTORS" "INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" "INIT_STACK_ALL" "INTEL_IOMMU_DEFAULT_ON" "IOMMU_API" "IOMMU_HELPER" "IOMMU_PGTABLES_L2" "IOMMU_SUPPORT" "IO_STRICT_DEVMEM" "IPV6_PRIVACY" "KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "LEGACY_VSYSCALL_NONE" "MMC_SECDISCARD" "MSM_IOMMU" "MSM_KGSL_MMU_PAGE_FAULT" "MSM_TZ_SMMU" "MTK_IOMMU" "OF_IOMMU" "OMAP_IOMMU" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY" "PAGE_POISONING_ZERO" "PAGE_TABLE_ISOLATION" "PANIC_ON_OOPS" "PKCS7_MESSAGE_PARSER" "QCOM_IOMMU" "RANDOMIZE_BASE" "RANDOMIZE_MEMORY" "REFCOUNT_FULL" "RETPOLINE" "RODATA_FULL_DEFAULT_ENABLED" "SCHED_STACK_END_CHECK" "SECCOMP" "SECCOMP_FILTER" "SECURITY" "SECURITY_DMESG_RESTRICT" "SECURITY_PERF_EVENTS_RESTRICT" "SECURITY_YAMA" "SECURITY_YAMA_STACKED" "SHUFFLE_PAGE_ALLOCATOR" "SLAB_FREELIST_HARDENED" "SLAB_FREELIST_RANDOM" "SLAB_HARDENED" "SLUB_DEBUG" "SLUB_HARDENED" "STACKPROTECTOR" "STACKPROTECTOR_PER_TASK" "STACKPROTECTOR_STRONG" "STATIC_USERMODEHELPER" "STRICT_DEVMEM" "STRICT_KERNEL_RWX" "STRICT_MEMORY_RWX" "STRICT_MODULE_RWX" "SYN_COOKIES" "SYSTEM_TRUSTED_KEYRING" "TEGRA_IOMMU_GART" "TEGRA_IOMMU_SMMU" "THREAD_INFO_IN_TASK" "UNMAP_KERNEL_AT_EL0" "VMAP_STACK" "X509_CERTIFICATE_PARSER")
declare -a optionsYes=("ARM64_PTR_AUTH" "ARM64_SW_TTBR0_PAN" "ARM64_UAO" "ASYMMETRIC_KEY_TYPE" "ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "BUG" "BUG_ON_DATA_CORRUPTION" "CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG" "CPU_SW_DOMAIN_PAN" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "DEBUG_WX" "FORTIFY_SOURCE" "HARDEN_BRANCH_PREDICTOR" "HARDENED_USERCOPY" "HARDEN_EL2_VECTORS" "INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" "INIT_STACK_ALL" "IO_STRICT_DEVMEM" "IPV6_PRIVACY" "KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "LEGACY_VSYSCALL_NONE" "MMC_SECDISCARD" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY" "PAGE_POISONING_ZERO" "PAGE_TABLE_ISOLATION" "PANIC_ON_OOPS" "PKCS7_MESSAGE_PARSER" "RANDOMIZE_BASE" "RANDOMIZE_MEMORY" "REFCOUNT_FULL" "RETPOLINE" "RODATA_FULL_DEFAULT_ENABLED" "SCHED_STACK_END_CHECK" "SECCOMP" "SECCOMP_FILTER" "SECURITY" "SECURITY_DMESG_RESTRICT" "SECURITY_PERF_EVENTS_RESTRICT" "SECURITY_YAMA" "SECURITY_YAMA_STACKED" "SHUFFLE_PAGE_ALLOCATOR" "SLAB_FREELIST_HARDENED" "SLAB_FREELIST_RANDOM" "SLAB_HARDENED" "SLUB_DEBUG" "SLUB_HARDENED" "STACKPROTECTOR" "STACKPROTECTOR_PER_TASK" "STACKPROTECTOR_STRONG" "STATIC_USERMODEHELPER" "STRICT_DEVMEM" "STRICT_KERNEL_RWX" "STRICT_MEMORY_RWX" "STRICT_MODULE_RWX" "SYN_COOKIES" "SYSTEM_TRUSTED_KEYRING" "THREAD_INFO_IN_TASK" "UNMAP_KERNEL_AT_EL0" "VMAP_STACK" "X509_CERTIFICATE_PARSER")
#optionsYes+="GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_CANARY" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
#if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("RTC_DRV_MSM" "RTC_DRV_PM8XXX" "RTC_DRV_MSM7X00A" "RTC_DRV_QPNP"); fi;
@ -640,9 +642,9 @@ hardenDefconfig() {
#Disable supported options
#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile on many kernels), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery)
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_PAGE_MONITOR" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
if [[ "$1" != *"kernel/htc/msm8994"* ]] && [[ "$1" != *"kernel/samsung/smdk4412"* ]] && [[ "$1" != *"kernel/htc/flounder"* ]] && [[ "$1" != *"kernel/amazon/hdx-common"* ]] && [[ "$1" != *"msm899"* ]] && [[ "$1" != *"sdm8"* ]] && [[ "$1" != *"sdm6"* ]]; then
optionsNo+=("DIAG_CHAR" "DIAG_OVER_USB" "USB_QCOM_DIAG_BRIDGE" "DIAGFWD_BRIDGE_CODE" "DIAG_SDIO_PIPE" "DIAG_HSIC_PIPE");
fi;
#if [[ "$1" != *"kernel/htc/msm8994"* ]] && [[ "$1" != *"kernel/samsung/smdk4412"* ]] && [[ "$1" != *"kernel/htc/flounder"* ]] && [[ "$1" != *"kernel/amazon/hdx-common"* ]] && [[ "$1" != *"msm899"* ]] && [[ "$1" != *"sdm8"* ]] && [[ "$1" != *"sdm6"* ]]; then
#optionsNo+=("DIAG_CHAR" "DIAG_OVER_USB" "USB_QCOM_DIAG_BRIDGE" "DIAGFWD_BRIDGE_CODE" "DIAG_SDIO_PIPE" "DIAG_HSIC_PIPE");
#fi;
if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
for option in "${optionsNo[@]}"
do