From 43a5a816c33d1e6f3ac63f968cb2af58e39887e9 Mon Sep 17 00:00:00 2001 From: Tamas Koczka Date: Fri, 27 Sep 2024 21:09:33 +0000 Subject: [PATCH] kernelCTF: GHA: add mitigation-v3b release without nftables --- .../workflows/kernelctf-release-build.yaml | 4 +-- kernelctf/build_release.sh | 18 +++++++++++-- kernelctf/get_latest_kernel_versions.py | 4 +-- .../kernel_configs/mitigation-v3b.config | 27 +++++++++++++++++++ kernelctf/server/server.py | 4 +-- 5 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 kernelctf/kernel_configs/mitigation-v3b.config diff --git a/.github/workflows/kernelctf-release-build.yaml b/.github/workflows/kernelctf-release-build.yaml index 3fbe3fcc..fc207d0d 100644 --- a/.github/workflows/kernelctf-release-build.yaml +++ b/.github/workflows/kernelctf-release-build.yaml @@ -24,7 +24,7 @@ defaults: working-directory: kernelctf jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout repo uses: actions/checkout@v4 @@ -50,7 +50,7 @@ jobs: include-hidden-files: true upload: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: build steps: - name: Download exploit diff --git a/kernelctf/build_release.sh b/kernelctf/build_release.sh index daee92fb..00728913 100755 --- a/kernelctf/build_release.sh +++ b/kernelctf/build_release.sh @@ -29,9 +29,12 @@ case $TARGET in mitigation) REPO="https://github.com/thejh/linux" case $VERSION in - v3-6.1.55) + v3-* | v3b-*) DEFAULT_BRANCH="mitigations-next" - CONFIG_FN="mitigation-v3.config" + case $VERSION in + v3-6.1.55) CONFIG_FN="mitigation-v3.config" ;; + v3b-6.1.55) CONFIG_FN="mitigation-v3b.config" ;; + esac CONFIG_FULL_FN="mitigation-v3-full.config" ;; 6.1 | 6.1-v2) 
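Review bot: In the `mitigation)` branch of kernelctf/build_release.sh, the outer arm now matches `v3-* | v3b-*)`, but the inner `case` sets CONFIG_FN only for `v3-6.1.55` and `v3b-6.1.55`. Any other version with those prefixes falls through with CONFIG_FN unset, or with whatever value the environment already holds. Whether later code rejects an empty CONFIG_FN is not visible here; if it does not, a release could be built without the mitigation fragment while still being labelled a mitigation release. Add a default arm to the inner case, for example `*) echo "Unsupported mitigation version: $VERSION"; exit 1 ;;`. The enclosing `case $TARGET` statement starts and ends outside the hunk.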
@@ -57,6 +60,17 @@ CONFIGS_DIR="$BASEDIR/kernel_configs" if [ -d "$RELEASE_DIR" ]; then echo "Release directory already exists. Stopping."; exit 1; fi +echo "GCC version" +echo "=================" +gcc --version || true +echo + +echo "Clang version" +echo "=================" +clang --version || true +echo "=================" +echo + mkdir -p $BUILD_DIR 2>/dev/null || true cd $BUILD_DIR if [ ! -d ".git" ]; then git init && git remote add origin $REPO; fi diff --git a/kernelctf/get_latest_kernel_versions.py b/kernelctf/get_latest_kernel_versions.py index 82bdd778..25debb26 100755 --- a/kernelctf/get_latest_kernel_versions.py +++ b/kernelctf/get_latest_kernel_versions.py @@ -17,12 +17,12 @@ def add_release(release_id, branch=None): global releases releases.append({ "releaseId": release_id, "branch": branch }) -for lts_version in ["6.1", "6.6"]: +for lts_version in ["6.6"]: latest_lts = run(f"git ls-remote --tags --sort='-v:refname' https://github.com/gregkh/linux 'v{lts_version}.*[0-9]'")[0].split("refs/tags/")[1] print(f"Latest LTS {lts_version}: {latest_lts}") add_release(f"lts-{latest_lts[1:]}") -for cos_milestone in [97, 105, 109]: +for cos_milestone in [105, 109]: release_notes = fetch(f"https://cloud.google.com/feeds/cos-{cos_milestone}-release-notes.xml") tree = etree.XML(release_notes.encode('utf-8')) entries = tree.xpath("//*[local-name() = 'content']/text()") diff --git a/kernelctf/kernel_configs/mitigation-v3b.config b/kernelctf/kernel_configs/mitigation-v3b.config new file mode 100644 index 00000000..b9d4eff7 --- /dev/null +++ b/kernelctf/kernel_configs/mitigation-v3b.config 
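Review bot: The GCC and Clang versions added in the second build_release.sh hunk are only echoed to stdout, so the CI job log is the sole record of which toolchain built a release. If the aim is to tell later which compiler produced a given kernel image, also store the output with the release artifacts once the release directory exists, for example `{ gcc --version; clang --version; } > "$RELEASE_DIR/<toolchain-info-file>" 2>&1 || true` (the file name is a placeholder). As a small style point, the GCC block has no closing `=================` line while the Clang block does.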
@@ -0,0 +1,27 @@ +# CONFIG_IO_URING is not set +CONFIG_SYSTEM_TRUSTED_KEYS="" + +## required by CONFIG_KMALLOC_SPLIT_VARSIZE +# CONFIG_SLAB_MERGE_DEFAULT is not set + +## turns on our mitigations +CONFIG_KMALLOC_SPLIT_VARSIZE=y +CONFIG_SLAB_VIRTUAL=y + +## turns on CONFIG_RANDOM_KMALLOC_CACHES +CONFIG_RANDOM_KMALLOC_CACHES=y + +## turns on additional hardenings +CONFIG_BUG_ON_DATA_CORRUPTION=y +CONFIG_FORTIFY_SOURCE=y +CONFIG_DEBUG_WX=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y +# CONFIG_FUSE_FS is not set + +### Make the kernel less annoying to debug +## Compile the kernel with debug info +CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +# Have all symbols in kallsyms +CONFIG_KALLSYMS_ALL=y + +# CONFIG_NF_TABLES is not set diff --git a/kernelctf/server/server.py b/kernelctf/server/server.py index 3460cf9a..6fc7d49e 100755 --- a/kernelctf/server/server.py +++ b/kernelctf/server/server.py @@ -49,7 +49,7 @@ def get_releases(): del releases[release_id] continue - m = re.match(r'(?Plts|mitigation(-v3)?|cos-\d+)-(?P\d+(\.\d+)+)', release_id) + m = re.match(r'(?Plts|mitigation(-v3|-v3b)?|cos-\d+)-(?P\d+(\.\d+)+)', release_id) if m is None: warning(f'release {release_id} does not match regex') del releases[release_id] @@ -102,7 +102,7 @@ def print_filtered(name, status_filter): print_filtered('Deprecated targets', 'deprecated') else: print_filtered('Current targets', 'latest') - print_filtered('Future targets', 'future') + print_filtered('Future targets', 'future') def are_you_sure(prompt): print(prompt)
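Review bot: The last line of mitigation-v3b.config, `# CONFIG_NF_TABLES is not set`, is the one that makes this the "without nftables" release, yet it is the only group in the file with no `##` explanation. Add a comment above it such as `## v3b: build without nftables to remove that attack surface`. Nothing visible in this commit checks that the option is still off in the final `.config` after the fragment is merged. A post-merge guard in the build script for v3b builds would catch a later config change that turns it back on, for example `if grep -q '^CONFIG_NF_TABLES=' .config; then echo "nftables still enabled"; exit 1; fi`. How the fragment is merged is outside this hunk, so where the guard belongs needs confirming against the rest of build_release.sh.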
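Review bot: The widened pattern in `get_releases()` is still applied with `re.match`, which anchors only at the start of the string, so a release id with arbitrary text after the version number passes this filter. If no suffix is expected, `re.fullmatch` or a trailing `$` would make the check strict. The new alternation `(-v3|-v3b)?` can be written more compactly as `(-v3b?)?`. The accepted mitigation variants are now listed both here and in the `case` arms of build_release.sh, so a comment on this line such as `# keep in sync with the mitigation versions in build_release.sh` would help keep them in step. The function body continues outside the hunk.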