From a50180b75344e9539eb602aa3c5bc25d179ca08a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Florian=20Str=C3=B6ger?=
Date: Tue, 17 Sep 2024 09:54:23 +0200
Subject: [PATCH 1/3] feat: enable INET_DIAG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: https://github.com/siderolabs/pkgs/issues/1028

INET_DIAG_DESTROY is used by CNIs such as Cilium to terminate connections in other containers. KSPP recommends to disable it due to "Prior to v4.1, assists heap memory attacks; best to keep interface disabled.". Linux 4.1 was almost 10 years ago and Cilium with their eBPF-based kube-proxy replacement is widely used by the community and not having this enabled leads to weird networking issues (e.g. when coredns pods get a different IP due deployment restarts UDP dns clients keep sending connections to the old IP)

Signed-off-by: Ströger Florian
Signed-off-by: Noel Georgi
(cherry picked from commit 79a4f92c5aa4b8288a927351209542c274724475)
---
 kernel/build/config-amd64 | 8 +++++++-
 kernel/build/config-arm64 | 7 ++++++-
 kernel/build/scripts/filter-hardened-check.py | 1 +
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index f28de44d..addc568d 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -1163,7 +1163,11 @@ CONFIG_INET_IPCOMP=y
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=y
 CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+CONFIG_INET_UDP_DIAG=y
+# CONFIG_INET_RAW_DIAG is not set
+CONFIG_INET_DIAG_DESTROY=y
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
 CONFIG_TCP_CONG_CUBIC=y
@@ -1564,6 +1568,7 @@ CONFIG_BRIDGE_EBT_LOG=y
 CONFIG_BRIDGE_EBT_NFLOG=y
 # CONFIG_BPFILTER is not set
 CONFIG_IP_DCCP=y
+CONFIG_INET_DCCP_DIAG=y
 
 #
 # DCCP CCIDs Configuration
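Review bot: CONFIG_INET_DIAG_DESTROY=y is the security-relevant line of this hunk and the commit records neither its guard nor its scope; the same applies to the config-arm64 hunk at @@ -1198. A SOCK_DESTROY request is refused unless the caller holds CAP_NET_ADMIN in the user namespace that owns the socket's network namespace, so the new capability is gated on the same privilege that already lets a process reconfigure that netns, and the larger change in exposure is that the sock_diag netlink family now answers socket-table dumps from (mostly unprivileged) readers inside each netns. Worth stating that in the description, and also noting that CONFIG_INET_DCCP_DIAG=y and CONFIG_INET_SCTP_DIAG=y (the @@ -1564 and @@ -1587 hunks here and their arm64 twins) are not needed for the Cilium use case; if they are olddefconfig fallout rather than a deliberate choice, say so or leave them `# ... is not set`, since each extra diag handler is additional netlink parsing surface reachable from any container that owns a netns.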
@@ -1587,6 +1592,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=y
 CONFIG_RDS=y
 # CONFIG_RDS_RDMA is not set
 # CONFIG_RDS_TCP is not set
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
index a2ad8ad1..13aa39de 100644
--- a/kernel/build/config-arm64
+++ b/kernel/build/config-arm64
@@ -1198,7 +1198,11 @@ CONFIG_INET_IPCOMP=y
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=y
 CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+CONFIG_INET_UDP_DIAG=y
+# CONFIG_INET_RAW_DIAG is not set
+CONFIG_INET_DIAG_DESTROY=y
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
 CONFIG_TCP_CONG_CUBIC=y
@@ -1606,6 +1610,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=y
 CONFIG_RDS=y
 # CONFIG_RDS_RDMA is not set
 # CONFIG_RDS_TCP is not set
diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py
index b13a5d48..7922dd66 100644
--- a/kernel/build/scripts/filter-hardened-check.py
+++ b/kernel/build/scripts/filter-hardened-check.py
@@ -31,6 +31,7 @@
 'CONFIG_SECURITY_SELINUX_DEVELOP', # SELinux enabled, but permissive unless enforcing=1. TODO: force enforcing mode when complete
 'CONFIG_SPECULATION_MITIGATIONS', # Renamed in the kernel to 'CONFIG_CPU_MITIGATIONS'
 'CONFIG_EFI_DISABLE_PCI_DMA', # enabling this breaks boot with no visible error messages to debug (https://github.com/siderolabs/talos/issues/8743)
+ 'CONFIG_INET_DIAG', # last vulnerability prior to v4.1. Required for CNIs such as Cilium to terminate sockets. (https://github.com/siderolabs/pkgs/issues/1028)
 }
 """
 
From c111c843a232fd11038f7fd4826639370bb4412e Mon Sep 17 00:00:00 2001
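Review bot: The justification on the added 'CONFIG_INET_DIAG' entry in filter-hardened-check.py, "last vulnerability prior to v4.1", does not tell a future reader which compensating control makes this exception to the hardening check acceptable, and that is what an allowlist comment in this script is for. Suggest `'CONFIG_INET_DIAG', # KSPP wants this off (pre-4.1 heap-attack assist). Kept on for INET_DIAG_DESTROY so CNIs such as Cilium can close sockets in other containers; SOCK_DESTROY still requires CAP_NET_ADMIN in the socket's user namespace. (https://github.com/siderolabs/pkgs/issues/1028)`. The enclosing set literal starts outside the hunk, so I cannot see whether the other entries follow a fixed comment format that this one should match.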
From: Andrey Smirnov
Date: Tue, 17 Sep 2024 16:04:58 +0400
Subject: [PATCH 2/3] feat: update Linux firmware to 20240909

Latest Linux firmware.

Signed-off-by: Andrey Smirnov
(cherry picked from commit e90ae7ec316f1b9b4d15897f825d3c2c4cefde5e)
---
 Pkgfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Pkgfile b/Pkgfile
index d01e5800..a3e15719 100644
--- a/Pkgfile
+++ b/Pkgfile
@@ -114,9 +114,9 @@ vars:
 liburcu_sha512: 46137525854164df05326202909689b62f8f3aa6e04127eb9157a83aed8180f35a68332ec66e4e4fc9b0c046b64c64b492caed4b64f86f87a31579e4209ec345
 
 # renovate: datasource=git-tags depName=git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
- linux_firmware_version: 20240811
- linux_firmware_sha256: b1c672868e36c19d51f943898d0fdb5534759dc649af72fe51b04be47663d153
- linux_firmware_sha512: d7067f38d6a0b59042438cb147f16b71e2334e46bfdc9fba58131a215b834dce07c8e808debf878f2eae28690a51121ba0b6b0f3734b0de0113c1b4ef6ccd9a9
+ linux_firmware_version: 20240909
+ linux_firmware_sha256: 93e9b6ae2240661639c874f5fc38f677d18afe365b17a13fee6b4fc4fba42c10
+ linux_firmware_sha512: 27df561de4612016e7f5e5cf1c200f0d84b376d790b5df372608a8896fb6387de2c2da41ef1178ee2bec2e065e811db7a00a7bb7800fb689c738004128b04dc9
 
 # renovate: datasource=git-tags extractVersion=^v(?.*)$ depName=git://sourceware.org/git/lvm2.git
 lvm2_version: 2_03_22
From 800cca0e354a372990e1715661e71321d1e0ca4c Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 19 Sep 2024 16:13:27 +0400
Subject: [PATCH 3/3] feat: update Linux to 6.6.52

Latest Linux LTS for Talos 1.8.0.

Signed-off-by: Andrey Smirnov
(cherry picked from commit 6b334a68fbd988ca69d05142a639aa3bcfd16721)
---
 Pkgfile | 6 +++---
 kernel/build/config-amd64 | 2 +-
 kernel/build/config-arm64 | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Pkgfile b/Pkgfile
index a3e15719..15c3b463 100644
--- a/Pkgfile
+++ b/Pkgfile
@@ -68,9 +68,9 @@ vars:
 ipxe_sha512: 3f9fce7d9c78fcaff7663502cf797e4045c2593d1d23a4abf6db688e443173ca43cc5f960b69ecd9364591062dfde088f99aa3625cd87cbfffcab1fad1166a59
 
 # renovate: datasource=git-tags extractVersion=^v(?.*)$ depName=git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- linux_version: 6.6.51
- linux_sha256: 1c0c9a14650879c4913efdbac428ba31a540c3d987155ddf34d33e11eca008b3
- linux_sha512: c79fcd957dbc855e101464a04b33921ab0dab7bf16201da0cd49b4c3dc9746f22a7f3411033035698ef98e8c9bcc6edf560e44c2b740235beac7cd59a4ea695c
+ linux_version: 6.6.52
+ linux_sha256: 1591ab348399d4aa53121158525056a69c8cf0fe0e90935b0095e9a58e37b4b8
+ linux_sha512: 3fb7b4e6e19e87c4012037ea32dc4e28a30b75fa4260530edb7686c39b0c6fb6c4e35550a97c0e40c604513a0ba5f26490a6a74da21de08226d54fda73d316a0
 
 # renovate: datasource=git-tags extractVersion=^v(?.*)$ depName=git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git
 kmod_version: 33
diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index addc568d..90d62c3e 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.6.51 Kernel Configuration
+# Linux/x86 6.6.52 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.3.0"
 CONFIG_CC_IS_GCC=y
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
index 13aa39de..5167b3b3 100644
--- a/kernel/build/config-arm64
+++ b/kernel/build/config-arm64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.6.51 Kernel Configuration
+# Linux/arm64 6.6.52 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.3.0"
 CONFIG_CC_IS_GCC=y