Linux v3.8-9456-g309667e

2013-02-27 16:07:47 -05:00 · 2013-02-27 16:07:47 -05:00 · 0a85b3e682
commit 0a85b3e682
parent 0ace7eb5e6
3 changed files with 72 additions and 207 deletions
--- a/devel-pekey-secure-boot-20130227.patch
+++ b/devel-pekey-secure-boot-20130227.patch
@ -1,4 +1,4 @@
-From d8cfe24ede3c3d8ce48d9c8ea791984777d783fc Mon Sep 17 00:00:00 2001
+From f31ce451f73d8e68ab5c3dca068ef602bb9f1dfa Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Fri, 18 Jan 2013 13:53:35 +0000
 Subject: [PATCH 01/47] KEYS: Load *.x509 files into kernel keyring
@ -15,11 +15,11 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 2 files changed, 30 insertions(+), 8 deletions(-)
 diff --git a/kernel/Makefile b/kernel/Makefile
-index eceac38..2c83d21 100644
+index 05949c0..f6dbf33 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
-@@ -134,17 +134,40 @@ $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
+@@ -142,17 +142,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
- 	$(call if_changed,timeconst)
+ 	$(call if_changed,bc)
 ifeq ($(CONFIG_MODULE_SIG),y)
 +###############################################################################
@ -81,7 +81,7 @@ index 246b4c6..0a60203 100644
 1.8.1.2
-From 45078a904bc6488f2e3a69b71213950e0ff04db0 Mon Sep 17 00:00:00 2001
+From 01fb4a2a794782fc54d7ea8dc61c7b205a7748c1 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 18:39:54 +0000
 Subject: [PATCH 02/47] KEYS: Separate the kernel signature checking keyring
@ -95,16 +95,12 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 include/keys/system_keyring.h |  23 ++++++++++
 init/Kconfig                  |  13 ++++++
 kernel/Makefile               |  17 ++++---
 kernel/modsign_certificate.S  |  18 --------
 kernel/modsign_pubkey.c       | 104 ------------------------------------------
 kernel/module-internal.h      |   2 -
 kernel/module_signing.c       |   3 +-
 kernel/system_certificates.S  |  18 ++++++++
- kernel/system_keyring.c       | 101 ++++++++++++++++++++++++++++++++++++++++
+ kernel/system_keyring.c       | 101 ++++++++++++++++++++++++++++++++++++++++++
- 9 files changed, 168 insertions(+), 131 deletions(-)
+ 7 files changed, 168 insertions(+), 9 deletions(-)
 create mode 100644 include/keys/system_keyring.h
 delete mode 100644 kernel/modsign_certificate.S
 delete mode 100644 kernel/modsign_pubkey.c
 create mode 100644 kernel/system_certificates.S
 create mode 100644 kernel/system_keyring.c
@ -169,7 +165,7 @@ index 0a5e80f..053072f 100644
 	select CRYPTO
 	select ASYMMETRIC_KEY_TYPE
 diff --git a/kernel/Makefile b/kernel/Makefile
-index 2c83d21..454ce54 100644
+index f6dbf33..f273c0e 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
@@ -53,8 +53,9 @@ obj-$(CONFIG_SMP) += spinlock.o
@ -183,9 +179,9 @@ index 2c83d21..454ce54 100644
 obj-$(CONFIG_KALLSYMS) += kallsyms.o
 obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
 obj-$(CONFIG_KEXEC) += kexec.o
-@@ -133,13 +134,14 @@ targets += timeconst.h
+@@ -141,13 +142,14 @@ targets += timeconst.h
- $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
+ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
- 	$(call if_changed,timeconst)
+ 	$(call if_changed,bc)
 -ifeq ($(CONFIG_MODULE_SIG),y)
 ###############################################################################
@ -201,7 +197,7 @@ index 2c83d21..454ce54 100644
 X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
 X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
 X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
-@@ -155,10 +157,11 @@ $(shell rm $(obj)/.x509.list)
+@@ -163,10 +165,11 @@ $(shell rm $(obj)/.x509.list)
 endif
 endif
@ -215,7 +211,7 @@ index 2c83d21..454ce54 100644
 targets += $(obj)/x509_certificate_list
 $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
 	$(call if_changed,x509certs)
-@@ -168,7 +171,9 @@ $(obj)/.x509.list:
+@@ -176,7 +179,9 @@ $(obj)/.x509.list:
 	@echo $(X509_CERTIFICATES) >$@
 clean-files := x509_certificate_list .x509.list
@ -225,140 +221,6 @@ index 2c83d21..454ce54 100644
 ###############################################################################
 #
 # If module signing is requested, say by allyesconfig, but a key has not been
 diff --git a/kernel/modsign_certificate.S b/kernel/modsign_certificate.S
 deleted file mode 100644
 index 0a60203..0000000
 --- a/kernel/modsign_certificate.S
 +++ /dev/null
@@ -1,18 +0,0 @@
 -/* SYMBOL_PREFIX defined on commandline from CONFIG_SYMBOL_PREFIX */
 -#ifndef SYMBOL_PREFIX
 -#define ASM_SYMBOL(sym) sym
 -#else
 -#define PASTE2(x,y) x##y
 -#define PASTE(x,y) PASTE2(x,y)
 -#define ASM_SYMBOL(sym) PASTE(SYMBOL_PREFIX, sym)
 -#endif
 -
 -#define GLOBAL(name)	\
 -	.globl ASM_SYMBOL(name);	\
 -	ASM_SYMBOL(name):
 -
 -	.section ".init.data","aw"
 -
 -GLOBAL(modsign_certificate_list)
 -	.incbin "kernel/x509_certificate_list"
 -GLOBAL(modsign_certificate_list_end)
 diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
 deleted file mode 100644
 index 2b6e699..0000000
 --- a/kernel/modsign_pubkey.c
 +++ /dev/null
@@ -1,104 +0,0 @@
 -/* Public keys for module signature verification
 - *
 - * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
 - * Written by David Howells (dhowells@redhat.com)
 - *
 - * This program is free software; you can redistribute it and/or
 - * modify it under the terms of the GNU General Public Licence
 - * as published by the Free Software Foundation; either version
 - * 2 of the Licence, or (at your option) any later version.
 - */
 -
 -#include <linux/kernel.h>
 -#include <linux/sched.h>
 -#include <linux/cred.h>
 -#include <linux/err.h>
 -#include <keys/asymmetric-type.h>
 -#include "module-internal.h"
 -
 -struct key *modsign_keyring;
 -
 -extern __initdata const u8 modsign_certificate_list[];
 -extern __initdata const u8 modsign_certificate_list_end[];
 -
 -/*
 - * We need to make sure ccache doesn't cache the .o file as it doesn't notice
 - * if modsign.pub changes.
 - */
 -static __initdata const char annoy_ccache[] = __TIME__ "foo";
 -
 -/*
 - * Load the compiled-in keys
 - */
 -static __init int module_verify_init(void)
 -{
 -	pr_notice("Initialise module verification\n");
 -
 -	modsign_keyring = keyring_alloc(".module_sign",
 -					KUIDT_INIT(0), KGIDT_INIT(0),
 -					current_cred(),
 -					((KEY_POS_ALL & ~KEY_POS_SETATTR) |
 -					 KEY_USR_VIEW | KEY_USR_READ),
 -					KEY_ALLOC_NOT_IN_QUOTA, NULL);
 -	if (IS_ERR(modsign_keyring))
 -		panic("Can't allocate module signing keyring\n");
 -
 -	return 0;
 -}
 -
 -/*
 - * Must be initialised before we try and load the keys into the keyring.
 - */
 -device_initcall(module_verify_init);
 -
 -/*
 - * Load the compiled-in keys
 - */
 -static __init int load_module_signing_keys(void)
 -{
 -	key_ref_t key;
 -	const u8 *p, *end;
 -	size_t plen;
 -
 -	pr_notice("Loading module verification certificates\n");
 -
 -	end = modsign_certificate_list_end;
 -	p = modsign_certificate_list;
 -	while (p < end) {
 -		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
 -		 * than 256 bytes in size.
 -		 */
 -		if (end - p < 4)
 -			goto dodgy_cert;
 -		if (p[0] != 0x30 &&
 -		    p[1] != 0x82)
 -			goto dodgy_cert;
 -		plen = (p[2] << 8) | p[3];
 -		plen += 4;
 -		if (plen > end - p)
 -			goto dodgy_cert;
 -
 -		key = key_create_or_update(make_key_ref(modsign_keyring, 1),
 -					   "asymmetric",
 -					   NULL,
 -					   p,
 -					   plen,
 -					   (KEY_POS_ALL & ~KEY_POS_SETATTR) |
 -					   KEY_USR_VIEW,
 -					   KEY_ALLOC_NOT_IN_QUOTA);
 -		if (IS_ERR(key))
 -			pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)\n",
 -			       PTR_ERR(key));
 -		else
 -			pr_notice("MODSIGN: Loaded cert '%s'\n",
 -				  key_ref_to_ptr(key)->description);
 -		p += plen;
 -	}
 -
 -	return 0;
 -
 -dodgy_cert:
 -	pr_err("MODSIGN: Problem parsing in-kernel X.509 certificate list\n");
 -	return 0;
 -}
 -late_initcall(load_module_signing_keys);
 diff --git a/kernel/module-internal.h b/kernel/module-internal.h
 index 24f9247..915e123 100644
 --- a/kernel/module-internal.h
@ -526,7 +388,7 @@ index 0000000..a3ca76f
 1.8.1.2
-From cde17a931bb2f8631cfd6576f07f77857a383248 Mon Sep 17 00:00:00 2001
+From a374634f4c6582740c91ccfb7cdc49aa26445090 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Thu, 17 Jan 2013 16:25:00 +0000
 Subject: [PATCH 03/47] KEYS: Add a 'trusted' flag and a 'trusted only' flag
@ -655,7 +517,7 @@ index 6ece7f2..f18d7ff 100644
 1.8.1.2
-From 2e5ee12060b914772094d038b7bd9c2e486d339f Mon Sep 17 00:00:00 2001
+From 654c4260b94ab07936e4e1a697eddb082b0915a1 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:32 +0000
 Subject: [PATCH 04/47] KEYS: Rename public key parameter name arrays
@ -810,7 +672,7 @@ index 0034e36..0b6b870 100644
 1.8.1.2
-From d823c31e932ecd1e1c24435b447b35bbe9e3ee9d Mon Sep 17 00:00:00 2001
+From a34e52cba48a0b78902a677bb15b927581021cc0 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:33 +0000
 Subject: [PATCH 05/47] KEYS: Move the algorithm pointer array from x509 to
@ -892,7 +754,7 @@ index 619d570..46bde25 100644
 1.8.1.2
-From cd2153b3e5b694e88fe4a136b9bae70c16b72fd0 Mon Sep 17 00:00:00 2001
+From 63aec95cc6af50218892f9b870a952a28de04665 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:33 +0000
 Subject: [PATCH 06/47] KEYS: Store public key algo ID in public_key struct
@ -977,7 +839,7 @@ index 46bde25..05778df 100644
 1.8.1.2
-From 120a94c9b259d1d19ab64c82737121dcc23e50ea Mon Sep 17 00:00:00 2001
+From bf77135946a15f3833928cdf9a97f481a4b7f29b Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:34 +0000
 Subject: [PATCH 07/47] KEYS: Split public_key_verify_signature() and make
@ -1093,7 +955,7 @@ index fac574c..8cb2f70 100644
 1.8.1.2
-From 2fc59e9f40053886e23c7bbed0841676472d0641 Mon Sep 17 00:00:00 2001
+From d05eeaba52cdd6ddff9620186aa3a221e5909430 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:35 +0000
 Subject: [PATCH 08/47] KEYS: Store public key algo ID in public_key_signature
@ -1126,7 +988,7 @@ index 05778df..b34fda4 100644
 1.8.1.2
-From 8de67c627dbfc895797320c82a3ebf87f5b8d446 Mon Sep 17 00:00:00 2001
+From 3e2fb1075b17dc005721b2d63ae6a3c146fa529a Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:35 +0000
 Subject: [PATCH 09/47] X.509: struct x509_certificate needs struct tm
@ -1158,7 +1020,7 @@ index e583ad0..2d01182 100644
 1.8.1.2
-From 074c5a12ea0152b2a3331174ad02f3ccc8ac9915 Mon Sep 17 00:00:00 2001
+From 5c9dbeecb8faff88eb009d329c37831b8ec112ba Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:35 +0000
 Subject: [PATCH 10/47] X.509: Add bits needed for PKCS#7
@ -1256,7 +1118,7 @@ index 2d01182..a6ce46f 100644
 1.8.1.2
-From 539f6dc3de1679495b7ce4f252e815d8373ffcef Mon Sep 17 00:00:00 2001
+From 11a3d86669eb5fd71c756777cff053221de851a2 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:36 +0000
 Subject: [PATCH 11/47] X.509: Embed public_key_signature struct and create
@ -1524,7 +1386,7 @@ index 8cb2f70..b7c81d8 100644
 1.8.1.2
-From 760bd4c7f0be3da4191b737a480af92df125431e Mon Sep 17 00:00:00 2001
+From 09ba17965bed337bfb88ef9dc2d0b8c918eb5c01 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:36 +0000
 Subject: [PATCH 12/47] X.509: Check the algorithm IDs obtained from parsing an
@ -1565,7 +1427,7 @@ index b7c81d8..eb368d4 100644
 1.8.1.2
-From 5f7f7268ce26dfdd754f9bcb081c380b5409b072 Mon Sep 17 00:00:00 2001
+From 293744b6e8bfb316b3d3545984eed2f4cb0b09bc Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:37 +0000
 Subject: [PATCH 13/47] X.509: Handle certificates that lack an
@ -1612,7 +1474,7 @@ index eb368d4..0f55e3b 100644
 1.8.1.2
-From e2d27f7dd12e2368b03a2007b435c5ae35020218 Mon Sep 17 00:00:00 2001
+From 176a9c3ef9b6b4faf0a82600e70e03b8446a2590 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:37 +0000
 Subject: [PATCH 14/47] X.509: Export certificate parse and free functions
@ -1658,7 +1520,7 @@ index 931f069..9cf0e16 100644
 1.8.1.2
-From b6c2806dcc10f6377cafcde2b74d49419266fba8 Mon Sep 17 00:00:00 2001
+From 962c8a1468e2ae96c417be0c85871218e542284d Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:38 +0000
 Subject: [PATCH 15/47] PKCS#7: Implement a parser [RFC 2315]
@ -2271,7 +2133,7 @@ index 6926db7..edeff85 100644
 1.8.1.2
-From 0aa7a27b37790e737bbd80f61ccc12184baed13c Mon Sep 17 00:00:00 2001
+From a6bd28571756d205a02bf45b1f92b481a5219418 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:38 +0000
 Subject: [PATCH 16/47] PKCS#7: Digest the data in a signed-data message
@ -2445,7 +2307,7 @@ index 0000000..2f9f26c
 1.8.1.2
-From e84f2d2018594d3b5c4ecbe45e29ca7eb0b50909 Mon Sep 17 00:00:00 2001
+From 2bf1ddcd0d3d9d4e578b1024252383d6bfa2e426 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:39 +0000
 Subject: [PATCH 17/47] PKCS#7: Find the right key in the PKCS#7 key list and
@ -2544,7 +2406,7 @@ index 2f9f26c..3f6f0e2 100644
 1.8.1.2
-From d64d4625334797a96891b93cffb0899f3dd6218d Mon Sep 17 00:00:00 2001
+From 88c5376101756187b5240a2ff2d87a3b9ab9b7ff Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:39 +0000
 Subject: [PATCH 18/47] PKCS#7: Verify internal certificate chain
@ -2660,7 +2522,7 @@ index 6b1d877..5e35fba 100644
 1.8.1.2
-From 051964867e90089bcd643cce929e1a6494abe20b Mon Sep 17 00:00:00 2001
+From 4b7bd5ef637b260f03d6ccf05d4f8cbe50a32302 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:42 +0000
 Subject: [PATCH 19/47] PKCS#7: Find intersection between PKCS#7 message and
@ -2867,7 +2729,7 @@ index 0000000..cc226f5
 1.8.1.2
-From 7cbe9a52ec426f2d1e2bdaefda34a16987114a98 Mon Sep 17 00:00:00 2001
+From 65da0a66d93e032f86253083074cf127a8a07ec8 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:39 +0000
 Subject: [PATCH 20/47] Provide PE binary definitions
@ -3340,7 +3202,7 @@ index 0000000..9234aef
 1.8.1.2
-From 63bfd5e0dbf914df3e39011ea0bc0e3fa056420b Mon Sep 17 00:00:00 2001
+From bef62c421fe0342e0d4132441a1ba7012d552c46 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:40 +0000
 Subject: [PATCH 21/47] pefile: Parse a PE binary to find a key and a signature
@ -3634,7 +3496,7 @@ index 0000000..82bcaf6
 1.8.1.2
-From 82101ad57553b695c00e1b1c686d61ae4be27ab2 Mon Sep 17 00:00:00 2001
+From e5328cdb361123e2126ec76844b1eccb1eccb2e2 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:40 +0000
 Subject: [PATCH 22/47] pefile: Strip the wrapper off of the cert data block
@ -3738,7 +3600,7 @@ index fb80cf0..f2d4df0 100644
 1.8.1.2
-From 1e9df8e0c3ac669a43ca856f15e377f3ac671ae0 Mon Sep 17 00:00:00 2001
+From 743500a93b4b74a7444d8cb8a3ff09f73e6440ee Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:40 +0000
 Subject: [PATCH 23/47] pefile: Parse the presumed PKCS#7 content of the
@ -3792,7 +3654,7 @@ index f2d4df0..056500f 100644
 1.8.1.2
-From 99df31e182eafe3473eec9805d08847411527c79 Mon Sep 17 00:00:00 2001
+From 9432dceca505e7d9b8c420059ebcce7047c62375 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:41 +0000
 Subject: [PATCH 24/47] pefile: Parse the "Microsoft individual code signing"
@ -4035,7 +3897,7 @@ index edeff85..332dcf5 100644
 1.8.1.2
-From dcebe53a75f108c10ac0c429d2b63f3f1f02c109 Mon Sep 17 00:00:00 2001
+From f1be79950932727d4f1517a4ca2a6c8d8babdf6d Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:41 +0000
 Subject: [PATCH 25/47] pefile: Digest the PE binary and compare to the PKCS#7
@ -4271,7 +4133,7 @@ index f1c8cc1..dfdb85e 100644
 1.8.1.2
-From 3aa52815d5d27045e66b9a3970ff2af8b707bfa6 Mon Sep 17 00:00:00 2001
+From d11766cd96997c0c8dd8511939fa05485c0ba564 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Fri, 18 Jan 2013 13:58:35 +0000
 Subject: [PATCH 26/47] PEFILE: Validate PKCS#7 trust chain
@ -4323,7 +4185,7 @@ index dfdb85e..edad948 100644
 1.8.1.2
-From 125d3794df049a715905529e05b6400db1309ec5 Mon Sep 17 00:00:00 2001
+From 8247b08630ee7d8da1b82a1c52656e53b0698a5f Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 15 Jan 2013 15:33:42 +0000
 Subject: [PATCH 27/47] PEFILE: Load the contained key if we consider the
@ -4414,7 +4276,7 @@ index 0f55e3b..c3e5a6d 100644
 1.8.1.2
-From f8089a0ae1983d8a079510126d7f21bd01d3a971 Mon Sep 17 00:00:00 2001
+From e0de67120b1a027658c1195cbf9648a0ff97d082 Mon Sep 17 00:00:00 2001
 From: Chun-Yi Lee <joeyli.kernel@gmail.com>
 Date: Thu, 21 Feb 2013 19:23:49 +0800
 Subject: [PATCH 28/47] MODSIGN: Fix including certificate twice when the
@ -4450,10 +4312,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/kernel/Makefile b/kernel/Makefile
-index 454ce54..9824a86 100644
+index f273c0e..9777222 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
-@@ -142,7 +142,10 @@ $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
+@@ -150,7 +150,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
 #
 ###############################################################################
 ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
@ -4469,7 +4331,7 @@ index 454ce54..9824a86 100644
 1.8.1.2
-From 26909a21e7274b6d9e04374e2a11e4fbc07713f3 Mon Sep 17 00:00:00 2001
+From 09f8eba451f2ddd3eb5b8ba2dfc5153087ebaa78 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Thu, 20 Sep 2012 10:40:56 -0400
 Subject: [PATCH 29/47] Secure boot: Add new capability
@ -4506,7 +4368,7 @@ index ba478fa..7109e65 100644
 1.8.1.2
-From ea9b455fe0e2c2f133ab26e24cc3c1e83fd2a0e4 Mon Sep 17 00:00:00 2001
+From 75cab5d8cd111497c16a92a6d7060bff22b87c2b Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Thu, 20 Sep 2012 10:41:05 -0400
 Subject: [PATCH 30/47] SELinux: define mapping for new Secure Boot capability
@ -4539,7 +4401,7 @@ index 14d04e6..ed99a2d 100644
 1.8.1.2
-From f945b0d4c7653109a2cca48de11faa8c44e4c503 Mon Sep 17 00:00:00 2001
+From 69dc786f5679c66ad0afaa235ee52c59308281d2 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Thu, 20 Sep 2012 10:41:02 -0400
 Subject: [PATCH 31/47] Secure boot: Add a dummy kernel parameter that will
@ -4605,7 +4467,7 @@ index e0573a4..c3f4e3e 100644
 1.8.1.2
-From eb90b28185e0a14b4d585713078229f1416fbf0c Mon Sep 17 00:00:00 2001
+From 1a22bfc73b9fddc1a4addb3d485f5473950d984a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Thu, 20 Sep 2012 10:41:03 -0400
 Subject: [PATCH 32/47] efi: Enable secure boot lockdown automatically when
@ -4751,7 +4613,7 @@ index 9bf2f1f..1bf382b 100644
 1.8.1.2
-From 32e9fbbf1bc41283c3af2ed24044edff8fcf1c69 Mon Sep 17 00:00:00 2001
+From 5d18a80e7f10e03229d46ffa409ff82af034448b Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:30:54 -0400
 Subject: [PATCH 33/47] Add EFI signature data types
@ -4806,7 +4668,7 @@ index 1bf382b..8902faf 100644
 1.8.1.2
-From a040224f153348fa8df70f6c2cefd107d5ea004f Mon Sep 17 00:00:00 2001
+From 891ffe35209bd889a2c01d733f0b255cdf4e6ebe Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
 Subject: [PATCH 34/47] Add an EFI signature blob parser and key loader.
@ -4986,7 +4848,7 @@ index 8902faf..ff3c599 100644
 1.8.1.2
-From e096ebf28fdc1a96055a1e2a8b3a194c64560e77 Mon Sep 17 00:00:00 2001
+From 0f5c163a734890d86611bed2717457551c5a0b30 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Fri, 26 Oct 2012 12:36:24 -0400
 Subject: [PATCH 35/47] KEYS: Add a system blacklist keyring
@ -5101,7 +4963,7 @@ index dae8778..2913c70 100644
 1.8.1.2
-From 8ae4ff8d17e43538f4b5aca9758c461dbd4e26f3 Mon Sep 17 00:00:00 2001
+From 1fda98f6edb36b6713df3a7e4578c27c1aa03d89 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Fri, 26 Oct 2012 12:42:16 -0400
 Subject: [PATCH 36/47] MODSIGN: Import certificates from UEFI Secure Boot
@ -5166,7 +5028,7 @@ index e82c950..e15c960 100644
 	prompt "Which hash algorithm should modules be signed with?"
 	depends on MODULE_SIG
 diff --git a/kernel/Makefile b/kernel/Makefile
-index 9824a86..ac803d0 100644
+index 9777222..2cbb45b 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
@@ -56,6 +56,7 @@ obj-$(CONFIG_UID16) += uid16.o
@ -5287,7 +5149,7 @@ index 0000000..df831ff
 1.8.1.2
-From a7aa88c97e85e0a9fdd95b1a0ba3605b36f4313a Mon Sep 17 00:00:00 2001
+From 737ae51d4157b099037609127117102b56f196d1 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Thu, 20 Sep 2012 10:40:57 -0400
 Subject: [PATCH 37/47] PCI: Lock down BAR access in secure boot environments
@ -5339,7 +5201,7 @@ index 9c6e9bb..b966089 100644
 }
 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 9b8505c..35580bc 100644
+index 0b00947..7639f68 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
@@ -139,6 +139,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
@ -5388,7 +5250,7 @@ index e1c1ec5..97e785f 100644
 1.8.1.2
-From 3ab26acbd1042405f65bf72f44c857511d953b83 Mon Sep 17 00:00:00 2001
+From 6cf45d0803d6d3f544e4033cf95c1357b34896f2 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Thu, 20 Sep 2012 10:40:58 -0400
 Subject: [PATCH 38/47] x86: Lock down IO port access in secure boot
@ -5428,7 +5290,7 @@ index 4ddaf66..f505995 100644
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 6f6e92a..9362b9b 100644
+index 2c644af..7eee4d8 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
@ -5445,7 +5307,7 @@ index 6f6e92a..9362b9b 100644
 1.8.1.2
-From c05363da5dfcc35d9717c2cd6cc47690f92e9cdc Mon Sep 17 00:00:00 2001
+From ebb40a7c6dc438afd6050c20c0b5f81e9701d985 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Thu, 20 Sep 2012 10:40:59 -0400
 Subject: [PATCH 39/47] ACPI: Limit access to custom_method
@ -5477,7 +5339,7 @@ index 12b62f2..edf0710 100644
 1.8.1.2
-From 47f48642c2e767b8f1219a6692a90262e2dfaee6 Mon Sep 17 00:00:00 2001
+From cb35d821b7591fe9fed20db28d50addfe00fb128 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Thu, 20 Sep 2012 10:41:00 -0400
 Subject: [PATCH 40/47] asus-wmi: Restrict debugfs interface
@ -5530,7 +5392,7 @@ index f80ae4d..059195f 100644
 1.8.1.2
-From a18dec77f42e30d986a29f51d2f0933d2c30b9c3 Mon Sep 17 00:00:00 2001
+From 6bfdb84e12b802d4a31f1a7c238bb3e91421e3af Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Thu, 20 Sep 2012 10:41:01 -0400
 Subject: [PATCH 41/47] Restrict /dev/mem and /dev/kmem in secure boot setups
@ -5544,7 +5406,7 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
 1 file changed, 6 insertions(+)
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 9362b9b..3c55828 100644
+index 7eee4d8..772ee2b 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@ -5571,7 +5433,7 @@ index 9362b9b..3c55828 100644
 1.8.1.2
-From b03691364e9bee51a92a32887bdb783a8210364c Mon Sep 17 00:00:00 2001
+From 1f0241ccbc1a54954e66b8426b33cfdd49861208 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Thu, 20 Sep 2012 10:41:04 -0400
 Subject: [PATCH 42/47] acpi: Ignore acpi_rsdp kernel parameter in a secure
@ -5606,7 +5468,7 @@ index 586e7e9..8950454 100644
 1.8.1.2
-From febf4b93d82db4e575014ff518f500ae988ef2aa Mon Sep 17 00:00:00 2001
+From 3d141f6e5ead9ec80412001f646c09dbef90827b Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Tue, 4 Sep 2012 11:55:13 -0400
 Subject: [PATCH 43/47] kexec: Disable in a secure boot environment
@ -5638,7 +5500,7 @@ index 2436ffc..a78e71a 100644
 1.8.1.2
-From 99a767e78759ad32c78e79690f6aabd72caf5969 Mon Sep 17 00:00:00 2001
+From 8c6131a869a749322a94b578c99204353d3a3820 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Fri, 5 Oct 2012 10:12:48 -0400
 Subject: [PATCH 44/47] MODSIGN: Always enforce module signing in a Secure Boot
@ -5681,7 +5543,7 @@ index c3f4e3e..c5554e0 100644
 /* Dummy Secure Boot enable option to fake out UEFI SB=1 */
 diff --git a/kernel/module.c b/kernel/module.c
-index 921bed4..2ee8a7c 100644
+index 0925c9a..af4a476 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
@ -5700,7 +5562,7 @@ index 921bed4..2ee8a7c 100644
 1.8.1.2
-From 9a3364262073f8ae3f00a4bad626823811fedffa Mon Sep 17 00:00:00 2001
+From d1f48eaf24be97f7bd86f4680ed7d64c6238787f Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Fri, 26 Oct 2012 14:02:09 -0400
 Subject: [PATCH 45/47] hibernate: Disable in a Secure Boot environment
@ -5814,7 +5676,7 @@ index 4ed81e7..b11a0f4 100644
 1.8.1.2
-From 74bfbcb7c06c502b536d0d0e2eab3f4423452e11 Mon Sep 17 00:00:00 2001
+From 8816b7dc8421fb97a2423cb245c28eec978009fe Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 5 Feb 2013 19:25:05 -0500
 Subject: [PATCH 46/47] efi: Disable secure boot if shim is in insecure mode
@ -5873,7 +5735,7 @@ index 96bd86b..6e1331c 100644
 1.8.1.2
-From f472a81527c0f2efbb8f2ad9c799b3fd13a79806 Mon Sep 17 00:00:00 2001
+From af08e556b6c214021bda6d601fcc4a23f8cbd1a5 Mon Sep 17 00:00:00 2001
 From: Kees Cook <keescook@chromium.org>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
 Subject: [PATCH 47/47] x86: Lock down MSR writing in secure boot
--- a/kernel.spec
+++ b/kernel.spec
@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 10
+%define gitrev 11
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@ -667,7 +667,7 @@ Patch800: crash-driver.patch
 # crypto/
 # secure boot
-Patch1000: devel-pekey-secure-boot-20130226.patch
+Patch1000: devel-pekey-secure-boot-20130227.patch
 # virt + ksm patches
@ -1374,7 +1374,7 @@ ApplyPatch crash-driver.patch
 # crypto/
 # secure boot
-ApplyPatch devel-pekey-secure-boot-20130226.patch
+ApplyPatch devel-pekey-secure-boot-20130227.patch
 # Assorted Virt Fixes
@ -2296,6 +2296,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
 * Wed Feb 27 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git11.1
 - Linux v3.8-9456-g309667e
 * Wed Feb 27 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git10.1
 - Linux v3.8-9405-gd895cb1
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 1c738edfc54e7c65faeb90c436104e2f  linux-3.8.tar.xz
-bbe8c6f353b542e8220587f01b72009d  patch-3.8-git10.xz
+7bd46bc54ccefe22b8153f8e491ede8b  patch-3.8-git11.xz
`@ -1,2 +1,2 @@`
	`1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz`	`1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz`
	`bbe8c6f353b542e8220587f01b72009d patch-3.8-git10.xz`	`7bd46bc54ccefe22b8153f8e491ede8b patch-3.8-git11.xz`