author | Android Partner Docs <noreply@android.com> | 2017-08-11 13:26:19 -0700 |
---|---|---|
committer | Billy Lamberta <blamb@google.com> | 2017-08-14 10:09:36 -0700 |
commit | 9f85abff05908a7f8ba36f0dabb3dbe5601b8c25 (patch) | |
tree | 0ba454f0b7b00bff2785c65eb0fdcf6e9d43af18 /en/devices/architecture/kernel | |
parent | de85065c0ab515fa0d80e7456985ca4dd507732d (diff) | |
download | source.android.com-9f85abff05908a7f8ba36f0dabb3dbe5601b8c25.tar.gz |
Docs: Changes to source.android.com
- 165016926 Add clarifying language and patches for older versions by claym <claym@google.com>
- 165016381 Note AOSP master no longer requires separate JDK by claym <claym@google.com>
- 164881714 Update May 2017 bulletin with AOSP link for CVE-2017-0493 by daroberts <daroberts@google.com>
- 164871405 Devsite localized content from translation request 8581ba... by Android Partner Docs <noreply@android.com>
- 164655382 Add sections and move/redirect files in preparation for 8... by claym <claym@google.com>
- 164646767 Devsite localized content from translation request 101532... by Android Partner Docs <noreply@android.com>
- 164645091 Update home page to announce August security bulletin by daroberts <daroberts@google.com>
- 164645005 Update CTS/CTS-Verifier downloads for CTS-Aug-2017 Release by daroberts <daroberts@google.com>
- 164644767 Update August Security bulletin with AOSP links by daroberts <daroberts@google.com>
PiperOrigin-RevId: 165016926
Change-Id: I3d95a930619093dbeb0cdb4bbea52b6799c30bd3
Diffstat (limited to 'en/devices/architecture/kernel')
-rw-r--r-- | en/devices/architecture/kernel/config.html | 190 | ||||
-rw-r--r-- | en/devices/architecture/kernel/network_tests.html | 114 |
2 files changed, 304 insertions, 0 deletions
diff --git a/en/devices/architecture/kernel/config.html b/en/devices/architecture/kernel/config.html new file mode 100644 index 00000000..14d2ee17 --- /dev/null +++ b/en/devices/architecture/kernel/config.html 
@@ -0,0 +1,190 @@ +<html devsite> + <head> + <title>Kernel Configuration</title> + <meta name="project_path" value="/_project.yaml" /> + <meta name="book_path" value="/_book.yaml" /> + </head> + <body> + <!-- + Copyright 2017 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + + + +<p>Use the following configuration settings as a base for an Android kernel +configuration. Settings are organized into <code>android-base</code> and +<code>android-recommended</code> .cfg files: + +<ul> +<li><code>android-base</code>. These options enable core Android features and +should be enabled by all devices.</li> + +<li><code>android-recommended</code>. These options enable advanced Android +features and are optional for devices.</li> +</ul> + +<p>Both the android-base.cfg and android-recommended.cfg files are located in +the android-common kernel repo at +<a href="https://android.googlesource.com/kernel/common/">https://android.googlesource.com/kernel/common/</a>. +<p>In version 4.8 of the upstream Linux kernel, a new location (kernel/configs) +was designated for kernel configuration fragments. The android base and +recommended config fragments are located in that directory for branches based on +4.8 or later. 
For kernel branches based on releases prior to 4.8, the config +fragments are located in the android/ directory.</p> + +<p>For details on controls already undertaken to strengthen the kernel on your +devices, see <a href="/security/overview/kernel-security.html">System +and Kernel Security</a>. For details on required settings, see the +<a href="/compatibility/cdd.html">Android Compatibility Definition +Document (CDD)</a>.</p> + +<h2 id="generating">Generating kernel config</h2> +<p>For devices that have a minimalist defconfig, you can use the following to +enable options:</p> + +<pre class="devsite-click-to-copy"> +ARCH=<em>arch</em> scripts/kconfig/merge_config.sh <em>path</em>/<em>device</em>_defconfig android/configs/android-base.cfg android/configs/android-recommended.cfg +</pre> + +<p>This generates a .config file you can use to save a new defconfig or +compile a new kernel with Android features enabled.</p> + +<h2 id="usb">Enabling USB host mode options</h2> + +<p>For USB host mode audio, enable the following options:</p> +<pre class="devsite-click-to-copy"> +CONFIG_SND_USB=y +CONFIG_SND_USB_AUDIO=y +# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver +</pre> + +<p>For USB host mode MIDI, enable the following option:</p> +<pre class="devsite-click-to-copy"> +CONFIG_SND_USB_MIDI=y +</pre> + +<h2 id="Seccomp-BPF-TSYNC">Seccomp-BPF with TSYNC</h2> +<p>Seccomp-BPF is a kernel security technology that enables the creation of +sandboxes to restrict the system calls a process is allowed to make. The TSYNC +feature enables the use of Seccomp-BPF from multithreaded programs. 
This ability +is limited to architectures that have seccomp support upstream: ARM, ARM64, x86, +and x86_64.</p> + +<h3 id="backport-ARM-32">Backporting for Kernel 3.10 for ARM-32, X86, X86_64</h3> + +<p>Ensure that <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the Kconfig +(verified as of the Android 5.0 CTS), then cherry-pick the following changes +from the AOSP kernel/common:android-3.10 repository: <a href="https://android. +googlesource.com/kernel/common/+log/9499cd23f9d05ba159 +fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28">9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28</a> +</p> + +<ul> +<li><a href="https://android.googlesource.com/kernel/common/+/a03a2426ea9f1d9dada33cf4a824f63e8f916c9d">a03 +a242 arch: Introduce smp_load_acquire(), smp_store_release()</a> by Peter +Zijlstra</li> +<li><a href="https://android.googlesource.com/kernel/common/+/987a0f1102321853565c4bfecde6a5a58ac6db11">987a0f +1 introduce for_each_thread() to replace the buggy while_each_thread()</a> by + Oleg Nesterov</li> + <li><a href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43 +seccomp: create internal mode-setting function</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+ +/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff +seccomp: extract check/assign mode helpers</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde +seccomp: split mode setting routines</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4 seccomp: add +"seccomp" syscall</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/9d0ff +694bc22fb458acb763811a677696c60725b">9d0ff69 +sched: move no_new_privs into new atomic flags</a> by Kees Cook</li> +<li><a 
href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf +seccomp: split filter prep from check and apply</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88 +seccomp: introduce writer locking</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7 +seccomp: allow mode setting across threads</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db +seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/9ac860041db +860a59bfd6ac82b31d6b6f76ebb52">9ac8600 +seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter +Roeck</li> +<li><a href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd +seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell</li> +<li><a href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428 +ARM: add seccomp syscall</a> by Kees Cook</li> +</ul> + +<h3 id="backport-ARM-64">Backporting for Kernel 3.10 for ARM-64</h3> +<p>Ensure <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the Kconfig +(verified as of the Android 5.0 CTS), then cherry-pick the following changes +from the AOSP kernel/common:android-3.10 repository:</p> +<ul> +<li><a href="https://android.googlesource.com/kernel/common/+/cfc7e99e9e3900056028a7d90072e9ea0d886f8d">cfc7e99e9 +arm64: Add __NR_* definitions for compat syscalls</a> by JP Abgrall</li> +<li><a href="https://android.googlesource.com/kernel/common/+/bf11863d45eb3dac0d0cf1f818ded11ade6e28d3">bf11863 +arm64: Add audit support</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/3 
+e21c0bb663a23436e0eb3f61860d4fedc233bab">3e21c0b +arm64: audit: Add audit hook in syscall_trace_enter/exit()</a> by JP Abgrall</li> +<li><a href="https://android.googlesource.com/kernel +/common/+/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76">9499cd2 +syscall_get_arch: remove useless function arguments</a> by Eric Paris</li> +<li><a href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43 +seccomp: create internal mode-setting function</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9 +cff seccomp: extract check/assign mode helpers</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde +seccomp: split mode setting routines</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4 +seccomp: add "seccomp" syscall</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69 +sched: move no_new_privs into new atomic flags</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf +seccomp: split filter prep from check and apply</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88 +seccomp: introduce writer locking</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7 +seccomp: allow mode setting across threads</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db +seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook</li> +<li><a 
href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600 +seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter +Roeck</li> +<li><a href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd +seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell</li> +<li><a href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428 +ARM: add seccomp syscall</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/41900903483eb96602dd72e719a798c208118aad">4190090 +ARM: 8087/1: ptrace: reload syscall number after secure_computing() check</a> by +Will Deacon</li> +<li><a href="https://android.googlesource.com/kernel/common/+/abbfed9ed1a78701ef3db74f5287958feb897035">abbfed9 +arm64: ptrace: add PTRACE_SET_SYSCALL</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/feb28436457d33fef9f264635291432df4b74122">feb2843 +arm64: ptrace: allow tracer to skip a system call</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/dab10731da65a0deba46402ca9fadf6974676cc8">dab1073 +asm-generic: add generic seccomp.h for secure computing mode 1</a> by AKASHI +Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/4f12b53f28a751406a27ef7501a22f9e32a9c30b">4f1 +2b53 add seccomp syscall for compat task</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/77227239d20ac6381fb1aee7b7cc902f0d14cd85">7722723 +arm64: add SIGSYS siginfo for compat task</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/210957c2bb3b4d111963bb296e2c42beb8721929">210957c +arm64: add seccomp support</a> by AKASHI Takahiro</li> +</ul> + + </body> +</html> 
diff --git a/en/devices/architecture/kernel/network_tests.html b/en/devices/architecture/kernel/network_tests.html new file mode 100644 index 00000000..bc437ad2 --- /dev/null +++ b/en/devices/architecture/kernel/network_tests.html 
@@ -0,0 +1,114 @@ +<html devsite> + <head> + <title>Kernel Networking Unit Tests</title> + <meta name="project_path" value="/_project.yaml" /> + <meta name="book_path" value="/_book.yaml" /> + </head> + <body> + <!-- + Copyright 2017 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + + +<p>Since Android 5.0, proper operation of the Android networking stack on Linux +kernels requires a number of commits that were upstreamed relatively recently +or have not yet made it upstream. It is not easy to manually verify the +required kernel functionality or track the missing commits, so the Android team +is sharing the tests it uses to ensure the kernel behaves as expected.</p> + +<h2 id=purpose>Why run the tests?</h2> <p>These tests exist for three main +reasons:</p> <ol> <li>The exact version of the Linux kernel used on a device is +typically device-specific, and it is difficult to know whether any kernel will +work properly without running the tests.</li> <li>Forward-porting and +back-porting the kernel patches to different kernel versions or different +device trees may introduce subtle issues that can be impossible to spot without +running the tests. 
For example, during development the initial versions of +certain devices had UID routing patches forward-ported from android-3.4 instead +of cherry-picked from android-3.10, and did not behave correctly.</li> <li>New +networking features may require new kernel functionality or kernel bug +fixes.</li> </ol> <p>If the tests do not pass, the device's network stack will +behave incorrectly, causing user-visible connectivity bugs such as falling off +Wi-Fi networks. The device will likely also fail Android Compatibility Test +Suite (CTS) tests.</p> + +<h2 id=using>Using the tests</h2> <p>The tests use <a +href="http://user-mode-linux.sourceforge.net/">User-Mode Linux</a> to boot the +kernel as a process on a Linux host machine. See <a +href="https://source.android.com/source/initializing.html">Establishing a Build +Environment</a> for suitable operating system versions. The unit test framework +boots the kernel with an appropriate disk image and runs the tests from the +host file system. The tests are written in Python 2.x and use TAP interfaces to +exercise kernel behaviour and the socket API.</p> + +<h3 id=compiling>Compiling the kernel for ARCH=um</h3> <p>For the tests to run, +the kernel must compile for <code>ARCH=um SUBARCH=x86_64</code>. This is a +supported architecture upstream and in the common Android kernel trees (e.g., +<code>android-3.10</code>, <code>android-3.18</code>). But sometimes device +kernels do not compile in this mode because device trees contain +device-specific or hardware-specific code in common files (e.g., +<code>sys/exit.c</code>).</p> <p>In many cases, it's sufficient to ensure that +hardware-specific code is behind an <code>#ifdef</code>. Typically this should +be an <code>#ifdef</code> on a configuration option that controls the specific +feature relevant to the code. 
If there is no such configuration option, put +hardware-specific code inside <code>#ifndef CONFIG_UML</code> blocks.</p> <p>In +general, fixing this should be the responsibility of the kernel tree provider +(e.g., chipset or SoC vendor). We're working with OEMs and vendors to ensure +that current and future kernels will compile for <code>ARCH=um +SUBARCH=x86_64</code> without requiring any changes.</p> + +<h3 id=running>Running the tests</h3> <p>The tests are at <a +href="https://android.googlesource.com/kernel/tests/+/master/net/test"><code>kernel/tests/net/test</code></a>. +It is recommended that the tests <b>be run from AOSP master</b> because they +are the most up-to-date; in some cases, kernel features that are necessary for +proper operation in a given Android release do not yet have full test coverage +in the given release. For information on how to run the tests, see the <a +href="https://android.googlesource.com/kernel/tests/+/master/net/test/README">kernel +network test README file</a>. Basically, from the top of your kernel tree, run:</p> + +<pre class="devsite-click-to-copy"> +<var>ANDROID_TREE</var>/kernel/tests/net/test/run_net_test.sh all_tests.sh +</pre> + +<h3 id=passing>Passing the tests</h3> <p>The kernel network test Python +source files contain comments that specify kernel commits that are known to be +required to pass the tests. The tests should pass in the common kernel trees - +at least the <code>android-3.10</code> and <code>android-3.18</code> branches +in the <a +href="https://android-review.googlesource.com/#/q/project:kernel/common"><code>kernel/common</code></a> +project in AOSP. 
Therefore, passing the tests on a kernel tree that's derived +from 3.10 or 3.18 should mostly be a matter of cherry-picking the patches from +these trees.</p> + +<h2 id=contributing>Contributing</h2> + +<h3 id=reporting>Reporting issues</h3> <p>Please report any issues with +the kernel network tests in the <a +href="https://code.google.com/p/android/issues/entry?template=Developer%20bug%20report">Android +issue tracker</a> with the <a +href="https://code.google.com/p/android/issues/list?q=label%3AComponent-Networking">Component-Networking</a> +label.</p> + +<h3 id=documenting>Documenting commits and adding tests</h3> <p>Please report +issues as described above, and if possible upload a change to fix the issue, +if:</p> <ul> <li>The tests do not pass on the common kernel trees</li> <li>You +find a necessary commit that is not mentioned in the source comments,</li> +<li>Getting the tests to pass on upstream kernels requires major changes</li> +<li>You believe that the tests are overspecified, or the test fail on future +kernels</li> <li>You'd like to add more tests or more coverage to existing +tests.</li> +</ul> + + </body> +</html> |
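Review bot: in en/devices/architecture/kernel/config.html, several href values in the two Seccomp backport sections are wrapped across source lines, which puts whitespace inside the URL and breaks the link. This affects the commit-range link in the ARM-32 paragraph (split after `https://android.` and again after `9499cd23f9d05ba159`), the b8a9cff, 9d0ff69 and 9ac8600 items in the ARM-32 list, and the 3e21c0b and 9499cd2 items in the ARM-64 list. Keep each href on a single line. The same wrapping splits the visible short hashes (`a03 a242`, `987a0f 1`, `b8a9 cff`, `4f1 2b53`), which should each be one token, and `cfc7e99e9` is nine characters where the other items use seven. Separately, the merge_config.sh example hardcodes `android/configs/android-base.cfg` although the paragraph above it says branches based on 4.8 or later keep the fragments in kernel/configs; show both paths or state which branches the command applies to. The opening paragraph and the "Both the android-base.cfg ..." paragraph are also missing their closing `</p>`.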
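Review bot: in en/devices/architecture/kernel/network_tests.html, the command under "Running the tests" uses the placeholder `<var>ANDROID_TREE</var>` without defining it, and the text only says to run it "from the top of your kernel tree". Add a sentence saying what ANDROID_TREE points to, and mention there that the kernel must already build with `ARCH=um SUBARCH=x86_64` as the previous section requires. In the final list under "Documenting commits and adding tests", "or the test fail on future kernels" should read "the tests fail", and the items end inconsistently (nothing, a comma, a period). For consistency with config.html in this same commit, quote the heading ids (`id=purpose`, `id=using`, and the rest), use a site-relative href for "Establishing a Build Environment" rather than the absolute source.android.com URL, and put each heading on its own source line instead of sharing a line with the following `<p>` or `<ol>`.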