Diffstat (limited to 'system/xen/patches')
-rw-r--r-- | system/xen/patches/edk2-ovmf-202105-werror.patch | 38 | ||||
-rw-r--r-- | system/xen/patches/edk2-ovmf-werror.diff | 34 | ||||
-rw-r--r-- | system/xen/patches/qemu-remove-password-option-for-spice.patch | 123 | ||||
-rw-r--r-- | system/xen/patches/symlinks_instead_of_hardlinks.diff | 21 |
4 files changed, 163 insertions, 53 deletions
diff --git a/system/xen/patches/edk2-ovmf-202105-werror.patch b/system/xen/patches/edk2-ovmf-202105-werror.patch
deleted file mode 100644
index db71faed77..0000000000
--- a/system/xen/patches/edk2-ovmf-202105-werror.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
-index 498696e..8a360f4 100755
---- a/BaseTools/Conf/tools_def.template
-+++ b/BaseTools/Conf/tools_def.template
-@@ -1863,7 +1863,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink=$(DEBUG_DIR)/$(MODULE_N
- *_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
- *_*_*_DTC_PATH = DEF(DTC_BIN)
-
--DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
-+DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Wno-array-bounds -include AutoGen.h -fno-common
- DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe
- DEFINE GCC_X64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mno-red-zone -Wno-address -mno-stack-arg-probe
- DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -mfloat-abi=soft -fno-pic -fno-pie
-diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
-index 0df728f..49f9706 100644
---- a/BaseTools/Source/C/Makefiles/header.makefile
-+++ b/BaseTools/Source/C/Makefiles/header.makefile
-@@ -82,17 +82,17 @@ BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)
-
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
-+BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall \
- -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
- else
- ifeq ($(CXX), llvm)
- BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
---fno-delete-null-pointer-checks -Wall -Werror \
-+-fno-delete-null-pointer-checks -Wall \
- -Wno-deprecated-declarations -Wno-self-assign \
- -Wno-unused-result -nostdlib -g
- else
- BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
---fno-delete-null-pointer-checks -Wall -Werror \
-+-fno-delete-null-pointer-checks -Wall \
- -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
- -Wno-unused-result -nostdlib -g
- endif
diff --git a/system/xen/patches/edk2-ovmf-werror.diff b/system/xen/patches/edk2-ovmf-werror.diff
new file mode 100644
index 0000000000..49915c25c9
--- /dev/null
+++ b/system/xen/patches/edk2-ovmf-werror.diff
@@ -0,0 +1,34 @@
+--- xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Conf/tools_def.template.ORIG 2023-05-24 14:59:54.000000000 +0200
++++ xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Conf/tools_def.template 2023-12-05 03:34:17.395390728 +0100
+@@ -739,7 +739,7 @@
+ *_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
+ *_*_*_DTC_PATH = DEF(DTC_BIN)
+
+-DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
++DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Wno-array-bounds -include AutoGen.h -fno-common
+ DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie
+ DEFINE GCC_LOONGARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -fno-plt -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections
+ DEFINE GCC_ARM_CC_XIPFLAGS = -mno-unaligned-access
+--- xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Source/C/Makefiles/header.makefile.ORIG 2023-05-24 14:59:54.000000000 +0200
++++ xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Source/C/Makefiles/header.makefile 2023-12-05 03:36:03.531794147 +0100
+@@ -89,17 +89,17 @@
+
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
++CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall \
+ -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
+ else
+ ifneq ($(CLANG),)
+ CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+--fno-delete-null-pointer-checks -Wall -Werror \
++-fno-delete-null-pointer-checks -Wall \
+ -Wno-deprecated-declarations -Wno-self-assign \
+ -Wno-unused-result -nostdlib -g
+ else
+ CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+--fno-delete-null-pointer-checks -Wall -Werror \
++-fno-delete-null-pointer-checks -Wall \
+ -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
+ -Wno-unused-result -nostdlib -g
+ endif
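Review bot: Dropping `-Werror` outright from `GCC_ALL_CC_FLAGS` in tools_def.template and from all three `CFLAGS` assignments in header.makefile makes every compiler diagnostic in the OVMF firmware and BaseTools build non-fatal, not just the one that presumably broke the build with the current toolchain. The patch file has no header explaining which warning or compiler version made it necessary, so nobody can tell later when it is safe to drop. If a single diagnostic is responsible, keep `-Werror` and demote only that one with `-Wno-error=<failing-warning>` (placeholder; the failing warning is not shown on this page). Either way, add a short description at the top of the patch, e.g. `Disable -Werror for the bundled OVMF: build fails with <compiler/version> on <warning>.`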
diff --git a/system/xen/patches/qemu-remove-password-option-for-spice.patch b/system/xen/patches/qemu-remove-password-option-for-spice.patch
new file mode 100644
index 0000000000..210d9d99f3
--- /dev/null
+++ b/system/xen/patches/qemu-remove-password-option-for-spice.patch
@@ -0,0 +1,123 @@
+From 36debafddd788066be10b33c5f11b984a08e5c85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 1 Dec 2022 04:22:11 -0500
+Subject: [PATCH] ui: remove deprecated 'password' option for SPICE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This has been replaced by the 'password-secret' option,
+which references a 'secret' object instance.
+
+Reviewed-by: Fabiano Rosas <farosas@suse.de>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ docs/about/deprecated.rst | 8 --------
+ docs/about/removed-features.rst | 7 +++++++
+ qemu-options.hx | 9 +--------
+ ui/spice-core.c | 15 ---------------
+ 4 files changed, 8 insertions(+), 31 deletions(-)
+
+diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
+index d31ffa86d40..2827b0c0beb 100644
+--- a/docs/about/deprecated.rst
++++ b/docs/about/deprecated.rst
+@@ -66,14 +66,6 @@ and will cause a warning.
+ The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
+ rather than ``delay=off``.
+
+-``-spice password=string`` (since 6.0)
+-''''''''''''''''''''''''''''''''''''''
+-
+-This option is insecure because the SPICE password remains visible in
+-the process listing. This is replaced by the new ``password-secret``
+-option which lets the password be securely provided on the command
+-line using a ``secret`` object instance.
+-
+ ``-smp`` ("parameter=0" SMP configurations) (since 6.2)
+ '''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst
+index 4a84e6174fe..e901637ce5f 100644
+--- a/docs/about/removed-features.rst
++++ b/docs/about/removed-features.rst
+@@ -428,6 +428,13 @@ respectively. The actual backend names should be used instead.
+ Use ``-drive if=pflash`` to configure the OTP device of the sifive_u
+ RISC-V machine instead.
+
++``-spice password=string`` (removed in 8.0)
++'''''''''''''''''''''''''''''''''''''''''''
++
++This option was insecure because the SPICE password remained visible in
++the process listing. This was replaced by the new ``password-secret``
++option which lets the password be securely provided on the command
++line using a ``secret`` object instance.
+
+ QEMU Machine Protocol (QMP) commands
+ ------------------------------------
+diff --git a/qemu-options.hx b/qemu-options.hx
+index e79ff4d8fb9..cafd8be8eda 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -2135,7 +2135,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice,
+ " [,tls-channel=[main|display|cursor|inputs|record|playback]]\n"
+ " [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n"
+ " [,sasl=on|off][,disable-ticketing=on|off]\n"
+- " [,password=<string>][,password-secret=<secret-id>]\n"
++ " [,password-secret=<secret-id>]\n"
+ " [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n"
+ " [,jpeg-wan-compression=[auto|never|always]]\n"
+ " [,zlib-glz-wan-compression=[auto|never|always]]\n"
+@@ -2161,13 +2161,6 @@ SRST
+ ``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off``
+ Force using the specified IP version.
+
+- ``password=<string>``
+- Set the password you need to authenticate.
+-
+- This option is deprecated and insecure because it leaves the
+- password visible in the process listing. Use ``password-secret``
+- instead.
+-
+ ``password-secret=<secret-id>``
+ Set the ID of the ``secret`` object containing the password
+ you need to authenticate.
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index 72f8f1681c6..76f7c2bc3d1 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -412,9 +412,6 @@ static QemuOptsList qemu_spice_opts = {
+ .name = "unix",
+ .type = QEMU_OPT_BOOL,
+ #endif
+- },{
+- .name = "password",
+- .type = QEMU_OPT_STRING,
+ },{
+ .name = "password-secret",
+ .type = QEMU_OPT_STRING,
+@@ -666,20 +663,8 @@ static void qemu_spice_init(void)
+ }
+ passwordSecret = qemu_opt_get(opts, "password-secret");
+ if (passwordSecret) {
+- if (qemu_opt_get(opts, "password")) {
+- error_report("'password' option is mutually exclusive with "
+- "'password-secret'");
+- exit(1);
+- }
+ password = qcrypto_secret_lookup_as_utf8(passwordSecret,
+ &error_fatal);
+- } else {
+- str = qemu_opt_get(opts, "password");
+- if (str) {
+- warn_report("'password' option is deprecated and insecure, "
+- "use 'password-secret' instead");
+- password = g_strdup(str);
+- }
+ }
+
+ if (tls_port) {
+--
+GitLab
+
diff --git a/system/xen/patches/symlinks_instead_of_hardlinks.diff b/system/xen/patches/symlinks_instead_of_hardlinks.diff
index d7cbfb6544..c4a38e3bc0 100644
--- a/system/xen/patches/symlinks_instead_of_hardlinks.diff
+++ b/system/xen/patches/symlinks_instead_of_hardlinks.diff
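Review bot: With the `password` entry gone from `qemu_spice_opts` and the `else` fallback removed in `qemu_spice_init`, a `-spice ...,password=<string>` argument is presumably rejected rather than accepted with the old deprecation warning, so whatever builds the QEMU command line for Xen guests must already emit `password-secret`; that caller is not visible in this diff, which is limited to the patches directory. Please confirm that guests configured with a SPICE password still start and still require it after this patch. It would also help to record, in the commit message or beside the patch, why this upstream removal is carried here. The `secret` object it relies on should be loaded from a file (`-object secret,id=<id>,file=<path>`) rather than given inline with `data=`, which is as visible in the process listing as the removed option was. The body of `qemu_spice_init` continues outside the quoted inner hunk.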
@@ -1,15 +1,15 @@ ---- xen-4.15.0/tools/xenstore/Makefile.orig 2021-04-06 19:14:18.000000000 +0200 -+++ xen-4.15.0/tools/xenstore/Makefile 2021-04-09 20:43:12.613910598 +0200 -@@ -76,7 +76,7 @@ - $(AR) cr $@ $^ +--- xen-4.18.0/tools/xs-clients/Makefile.ORIG 2023-11-16 22:44:21.000000000 +0100 ++++ xen-4.18.0/tools/xs-clients/Makefile 2023-12-05 03:01:05.801759446 +0100 +@@ -29,7 +29,7 @@ + clients: xenstore $(CLIENTS) xenstore-control $(CLIENTS): xenstore - ln -f xenstore $@ + ln -sf xenstore $@ xenstore: xenstore_client.o - $(CC) $< $(LDFLAGS) $(LDLIBS_libxenstore) $(LDLIBS_libxentoolcore) $(SOCKET_LIBS) -o $@ $(APPEND_LDFLAGS) -@@ -117,7 +117,7 @@ + $(CC) $(LDFLAGS) $^ $(LDLIBS) -o $@ $(APPEND_LDFLAGS) +@@ -54,7 +54,7 @@ $(INSTALL_PROG) xenstore-control $(DESTDIR)$(bindir) $(INSTALL_PROG) xenstore $(DESTDIR)$(bindir) set -e ; for c in $(CLIENTS) ; do \ @@ -18,12 +18,3 @@ done .PHONY: uninstall -@@ -144,7 +144,7 @@ - $(INSTALL_DIR) $(DESTDIR)$(bindir) - $(INSTALL_PROG) xenstore $(DESTDIR)$(bindir) - set -e ; for c in $(CLIENTS) ; do \ -- ln -f $(DESTDIR)$(bindir)/xenstore $(DESTDIR)$(bindir)/$${c} ; \ -+ ln -sf xenstore $(DESTDIR)$(bindir)/$${c} ; \ - done - - -include $(DEPS_INCLUDE) |