kernelCTF: GHA: add mitigation-v3b release without nftables

Author: koczkatamas

kernelctf/build_release.sh

@@ -29,9 +29,12 @@ case $TARGET in
   mitigation)
     REPO="https://github.com/thejh/linux"
     case $VERSION in
-        v3-6.1.55)
+        v3-* | v3b-*)
             DEFAULT_BRANCH="mitigations-next"
-            CONFIG_FN="mitigation-v3.config"
+            case $VERSION in
+                v3-6.1.55) CONFIG_FN="mitigation-v3.config" ;;
+                v3b-6.1.55) CONFIG_FN="mitigation-v3b.config" ;;
+            esac
             CONFIG_FULL_FN="mitigation-v3-full.config"
             ;;
         6.1 | 6.1-v2)
@@ -57,6 +60,17 @@ CONFIGS_DIR="$BASEDIR/kernel_configs"
 
 if [ -d "$RELEASE_DIR" ]; then echo "Release directory already exists. Stopping."; exit 1; fi
 
+echo "GCC version"
+echo "================="
+gcc --version || true
+echo
+
+echo "Clang version"
+echo "================="
+clang --version || true
+echo "================="
+echo
+
 mkdir -p $BUILD_DIR 2>/dev/null || true
 cd $BUILD_DIR
 if [ ! -d ".git" ]; then git init && git remote add origin $REPO; fi

kernelctf/get_latest_kernel_versions.py

@@ -17,12 +17,12 @@ def add_release(release_id, branch=None):
     global releases
     releases.append({ "releaseId": release_id, "branch": branch })
 
-for lts_version in ["6.1", "6.6"]:
+for lts_version in ["6.6"]:
     latest_lts = run(f"git ls-remote --tags --sort='-v:refname' https://github.com/gregkh/linux 'v{lts_version}.*[0-9]'")[0].split("refs/tags/")[1]
     print(f"Latest LTS {lts_version}: {latest_lts}")
     add_release(f"lts-{latest_lts[1:]}")
 
-for cos_milestone in [97, 105, 109]:
+for cos_milestone in [105, 109]:
     release_notes = fetch(f"https://cloud.google.com/feeds/cos-{cos_milestone}-release-notes.xml")
     tree = etree.XML(release_notes.encode('utf-8'))
     entries = tree.xpath("//*[local-name() = 'content']/text()")

kernelctf/kernel_configs/mitigation-v3b.config

@@ -0,0 +1,27 @@
+# CONFIG_IO_URING is not set
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+
+## required by CONFIG_KMALLOC_SPLIT_VARSIZE
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+
+## turns on our mitigations
+CONFIG_KMALLOC_SPLIT_VARSIZE=y
+CONFIG_SLAB_VIRTUAL=y
+
+## turns on CONFIG_RANDOM_KMALLOC_CACHES
+CONFIG_RANDOM_KMALLOC_CACHES=y
+
+## turns on additional hardenings
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+CONFIG_FORTIFY_SOURCE=y
+CONFIG_DEBUG_WX=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
+# CONFIG_FUSE_FS is not set
+
+### Make the kernel less annoying to debug
+## Compile the kernel with debug info
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
+# Have all symbols in kallsyms
+CONFIG_KALLSYMS_ALL=y
+
+# CONFIG_NF_TABLES is not set

kernelctf/server/server.py

@@ -49,7 +49,7 @@ def get_releases():
             del releases[release_id]
             continue
 
-        m = re.match(r'(?P<target>lts|mitigation(-v3)?|cos-\d+)-(?P<version>\d+(\.\d+)+)', release_id)
+        m = re.match(r'(?P<target>lts|mitigation(-v3|-v3b)?|cos-\d+)-(?P<version>\d+(\.\d+)+)', release_id)
         if m is None:
             warning(f'release {release_id} does not match regex')
             del releases[release_id]
@@ -102,7 +102,7 @@ def print_filtered(name, status_filter):
         print_filtered('Deprecated targets', 'deprecated')
     else:
         print_filtered('Current targets', 'latest')
-        print_filtered('Future targets', 'future')    
+        print_filtered('Future targets', 'future')
 
 def are_you_sure(prompt):
     print(prompt)