	Linux v3.16-rc1-215-g3c8fb5044583
				| @ -418,6 +418,7 @@ CONFIG_SCHED_SMT=y | ||||
| CONFIG_CC_STACKPROTECTOR=y | ||||
| CONFIG_CC_STACKPROTECTOR_STRONG=y | ||||
| CONFIG_RELOCATABLE=y | ||||
| # CONFIG_RANDOMIZE_BASE is not set # revisit this | ||||
| 
 | ||||
| CONFIG_HYPERV=m | ||||
| CONFIG_HYPERV_UTILS=m | ||||
|  | ||||
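Review bot: The `# CONFIG_RANDOMIZE_BASE is not set # revisit this` line turns kernel base-address randomization (KASLR) off for this build, and the trailing marker is the only place the decision is recorded; nothing in the commit says why. Since KASLR is a mitigation that raises the cost of kernel exploitation, the reason and the condition for re-enabling it belong in a comment a later maintainer can act on, e.g. a preceding line `# KASLR off for now: <reason>; re-enable once resolved`. Trailing text on a `# CONFIG_X is not set` line also relies on the config-merge tooling matching only the prefix, which a comment on its own line avoids. This rendering does not mark which of the seven lines is the one addition the hunk header counts, so the above assumes it is the RANDOMIZE_BASE line.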
| @ -67,7 +67,7 @@ Summary: The Linux kernel | ||||
| # The rc snapshot level | ||||
| %define rcrev 1 | ||||
| # The git snapshot level | ||||
| %define gitrev 3 | ||||
| %define gitrev 4 | ||||
| # Set rpm version accordingly | ||||
| %define rpmversion 3.%{upstream_sublevel}.0 | ||||
| %endif | ||||
| @ -564,7 +564,7 @@ Patch800: crash-driver.patch | ||||
| # secure boot | ||||
| Patch1000: secure-modules.patch | ||||
| Patch1001: modsign-uefi.patch | ||||
| Patch1002: sb-hibernate.patch | ||||
| # atch1002: sb-hibernate.patch | ||||
| Patch1003: sysrq-secure-boot.patch | ||||
| 
 | ||||
| # virt + ksm patches | ||||
| @ -1292,7 +1292,7 @@ ApplyPatch crash-driver.patch | ||||
| # secure boot | ||||
| ApplyPatch secure-modules.patch | ||||
| ApplyPatch modsign-uefi.patch | ||||
| ApplyPatch sb-hibernate.patch | ||||
| # pplyPatch sb-hibernate.patch | ||||
| ApplyPatch sysrq-secure-boot.patch | ||||
| 
 | ||||
| # Assorted Virt Fixes | ||||
| @ -2217,6 +2217,9 @@ fi | ||||
| #                                    ||----w | | ||||
| #                                    ||     || | ||||
| %changelog | ||||
| * Fri Jun 20 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc1.git4.1 | ||||
| - Linux v3.16-rc1-215-g3c8fb5044583 | ||||
| 
 | ||||
| * Thu Jun 19 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc1.git3.1 | ||||
| - Linux v3.16-rc1-112-g894e552cfaa3 | ||||
| 
 | ||||
|  | ||||
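Review bot: The changelog entry added at the bottom records only the snapshot bump to git4, while the same commit also drops sb-hibernate.patch from the Patch/ApplyPatch lists (the hibernate lockdown now appears as patch 14/14 inside secure-modules.patch); a second bullet such as `- Fold hibernate lockdown into secure-modules.patch, drop sb-hibernate.patch` would keep the spec's history usable. The two disabled lines (rendered here as `# atch1002: sb-hibernate.patch` and `# pplyPatch sb-hibernate.patch`, presumably `#Patch1002:` and `#ApplyPatch` with a character lost in extraction) leave dead references in place rather than removing them; if the patch file is no longer needed, deleting both lines is cleaner than commenting them out. Which side each printed line belongs to is inferred from the hunk counts, not marked on this rendering.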
| @ -1,7 +1,8 @@ | ||||
| Bugzilla: N/A | ||||
| Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd | ||||
| 
 | ||||
| From 6da482d3452da480cce81a17768ef1a4f2971ddf Mon Sep 17 00:00:00 2001 | ||||
| 
 | ||||
| From 3b083aa4b42c6f2e814742b24e1948aced3a5e3f Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Fri, 9 Aug 2013 17:58:15 -0400 | ||||
| Subject: [PATCH 01/14] Add secure_modules() call | ||||
| @ -63,7 +64,7 @@ index 81e727cf6df9..fc14f48915dd 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From 19aec8e433eee2ec74faf3fda2ab291d12622001 Mon Sep 17 00:00:00 2001 | ||||
| From 5c9708ebd7a52bf432745dc9b739c54666f2789d Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Thu, 8 Mar 2012 10:10:38 -0500 | ||||
| Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is | ||||
| @ -182,7 +183,7 @@ index b91c4da68365..98f5637304d1 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From a203421e39478f83f4f3ead677dacfe5648f123b Mon Sep 17 00:00:00 2001 | ||||
| From c5f35519151d28b1a3c3dee5cb67fd67befa7fb6 Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Thu, 8 Mar 2012 10:35:59 -0500 | ||||
| Subject: [PATCH 03/14] x86: Lock down IO port access when module security is | ||||
| @ -255,7 +256,7 @@ index 917403fe10da..cdf839f9defe 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From 93f428743e53b76c65ca59d6f16a1f7f579b7a8a Mon Sep 17 00:00:00 2001 | ||||
| From 24b607adc80fdebbc3497efc4b997a62edc06280 Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Fri, 9 Mar 2012 08:39:37 -0500 | ||||
| Subject: [PATCH 04/14] ACPI: Limit access to custom_method | ||||
| @ -287,7 +288,7 @@ index c68e72414a67..4277938af700 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From ab75609a919bb7d2f6e02c74a14afc4c92dbae8b Mon Sep 17 00:00:00 2001 | ||||
| From 215559c7708671e85ceb42f6e25445b9b27f6c38 Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Fri, 9 Mar 2012 08:46:50 -0500 | ||||
| Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module | ||||
| @ -342,7 +343,7 @@ index 3c6ccedc82b6..960c46536c65 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From 2ace39911e2d02f8abbc5fbdb9720574fbe4f2b7 Mon Sep 17 00:00:00 2001 | ||||
| From b709a5110b728b526063c6814413a8c0f0d01203 Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Fri, 9 Mar 2012 09:28:15 -0500 | ||||
| Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is | ||||
| @ -385,7 +386,7 @@ index cdf839f9defe..c63cf93b00eb 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From 1b7976eeee94cdec273618844c85e863f83fd943 Mon Sep 17 00:00:00 2001 | ||||
| From 2896018a1c991e19691ab203a9e9010e898587e7 Mon Sep 17 00:00:00 2001 | ||||
| From: Josh Boyer <jwboyer@redhat.com> | ||||
| Date: Mon, 25 Jun 2012 19:57:30 -0400 | ||||
| Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module | ||||
| @ -401,7 +402,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com> | ||||
|  1 file changed, 2 insertions(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
 | ||||
| index 3f2bdc812d23..d0cef744bfaf 100644
 | ||||
| index bad25b070fe0..0606585e8b93 100644
 | ||||
| --- a/drivers/acpi/osl.c
 | ||||
| +++ b/drivers/acpi/osl.c
 | ||||
| @@ -44,6 +44,7 @@
 | ||||
| @ -412,7 +413,7 @@ index 3f2bdc812d23..d0cef744bfaf 100644 | ||||
|   | ||||
|  #include <asm/io.h> | ||||
|  #include <asm/uaccess.h> | ||||
| @@ -244,7 +245,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
 | ||||
| @@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
 | ||||
|  acpi_physical_address __init acpi_os_get_root_pointer(void) | ||||
|  { | ||||
|  #ifdef CONFIG_KEXEC | ||||
| @ -425,7 +426,7 @@ index 3f2bdc812d23..d0cef744bfaf 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From e23b6615575ac07b6923d8f38e79597889531850 Mon Sep 17 00:00:00 2001 | ||||
| From a9c7c2c5e39d3e687b3e90845a753673144a754b Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Fri, 9 Aug 2013 03:33:56 -0400 | ||||
| Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module | ||||
| @ -470,50 +471,10 @@ index 6748688813d0..d4d88984bf45 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From a51fbe78169ba5b557f8a94c48cfa8ab29cdf5df Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Tue, 3 Sep 2013 11:23:29 -0400 | ||||
| Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted | ||||
| 
 | ||||
| uswsusp allows a user process to dump and then restore kernel state, which | ||||
| makes it possible to avoid module loading restrictions. Prevent this when | ||||
| any restrictions have been imposed on loading modules. | ||||
| 
 | ||||
| Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| ---
 | ||||
|  kernel/power/user.c | 4 ++++ | ||||
|  1 file changed, 4 insertions(+) | ||||
| 
 | ||||
| diff --git a/kernel/power/user.c b/kernel/power/user.c
 | ||||
| index 98d357584cd6..efe99dee9510 100644
 | ||||
| --- a/kernel/power/user.c
 | ||||
| +++ b/kernel/power/user.c
 | ||||
| @@ -24,6 +24,7 @@
 | ||||
|  #include <linux/console.h> | ||||
|  #include <linux/cpu.h> | ||||
|  #include <linux/freezer.h> | ||||
| +#include <linux/module.h>
 | ||||
|   | ||||
|  #include <asm/uaccess.h> | ||||
|   | ||||
| @@ -49,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
 | ||||
|  	struct snapshot_data *data; | ||||
|  	int error; | ||||
|   | ||||
| +	if (secure_modules())
 | ||||
| +		return -EPERM;
 | ||||
| +
 | ||||
|  	lock_system_sleep(); | ||||
|   | ||||
|  	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { | ||||
| -- 
 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From c071e6ecf90736ba1a8da10eebdb830fa8a0c00d Mon Sep 17 00:00:00 2001 | ||||
| From 4ce6023b9f02d5397156976568b3aad88b2f5b95 Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Fri, 8 Feb 2013 11:12:13 -0800 | ||||
| Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is | ||||
| Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is | ||||
|  restricted | ||||
| 
 | ||||
| Writing to MSRs should not be allowed if module loading is restricted, | ||||
| @ -555,10 +516,10 @@ index c9603ac80de5..8bef43fc3f40 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From 74792620f33710bff9913006f5c2fac455e85baa Mon Sep 17 00:00:00 2001 | ||||
| From c95290110f65724e58b7506281759c0bac59b9f5 Mon Sep 17 00:00:00 2001 | ||||
| From: Matthew Garrett <matthew.garrett@nebula.com> | ||||
| Date: Fri, 9 Aug 2013 18:36:30 -0400 | ||||
| Subject: [PATCH 11/14] Add option to automatically enforce module signatures | ||||
| Subject: [PATCH 10/14] Add option to automatically enforce module signatures | ||||
|  when in Secure Boot mode | ||||
| 
 | ||||
| UEFI Secure Boot provides a mechanism for ensuring that the firmware will | ||||
| @ -591,10 +552,10 @@ index 199f453cb4de..ec38acf00b40 100644 | ||||
|  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures | ||||
|  2D0/A00	ALL	e820_map	E820 memory map table | ||||
| diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
 | ||||
| index b660088c220d..b4229b168d4e 100644
 | ||||
| index a8f749ef0fdc..35bfd8259993 100644
 | ||||
| --- a/arch/x86/Kconfig
 | ||||
| +++ b/arch/x86/Kconfig
 | ||||
| @@ -1555,6 +1555,16 @@ config EFI_MIXED
 | ||||
| @@ -1556,6 +1556,16 @@ config EFI_MIXED
 | ||||
|   | ||||
|  	   If unsure, say N. | ||||
|   | ||||
| @ -742,10 +703,10 @@ index fc14f48915dd..2d68d276f3b6 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From c29fcddae7f39b49dd8593e12c52c3825c6d58db Mon Sep 17 00:00:00 2001 | ||||
| From f0baa6f34da3f151c059ca3043945837db0ca8d1 Mon Sep 17 00:00:00 2001 | ||||
| From: Josh Boyer <jwboyer@fedoraproject.org> | ||||
| Date: Tue, 5 Feb 2013 19:25:05 -0500 | ||||
| Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode | ||||
| Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode | ||||
| 
 | ||||
| A user can manually tell the shim boot loader to disable validation of | ||||
| images it loads.  When a user does this, it creates a UEFI variable called | ||||
| @ -801,10 +762,10 @@ index 85defaf5a27c..b4013a4ba005 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From ba3406d551ae04cb61661b682348b06a9683196a Mon Sep 17 00:00:00 2001 | ||||
| From 6bc90bfd4c13fd6cc4a536630807406c16395bf5 Mon Sep 17 00:00:00 2001 | ||||
| From: Josh Boyer <jwboyer@fedoraproject.org> | ||||
| Date: Tue, 27 Aug 2013 13:28:43 -0400 | ||||
| Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI | ||||
| Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI | ||||
| 
 | ||||
| The functionality of the config option is dependent upon the platform being | ||||
| UEFI based.  Reflect this in the config deps. | ||||
| @ -815,10 +776,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> | ||||
|  1 file changed, 2 insertions(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
 | ||||
| index b4229b168d4e..6b08f48417b0 100644
 | ||||
| index 35bfd8259993..746b1b63da8c 100644
 | ||||
| --- a/arch/x86/Kconfig
 | ||||
| +++ b/arch/x86/Kconfig
 | ||||
| @@ -1556,7 +1556,8 @@ config EFI_MIXED
 | ||||
| @@ -1557,7 +1557,8 @@ config EFI_MIXED
 | ||||
|  	   If unsure, say N. | ||||
|   | ||||
|  config EFI_SECURE_BOOT_SIG_ENFORCE | ||||
| @ -832,10 +793,10 @@ index b4229b168d4e..6b08f48417b0 100644 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From 0f644a85b177728b6a9568e442d8538de0a4ac2f Mon Sep 17 00:00:00 2001 | ||||
| From 292f6faa86f44fe261c8da58cc2c7f65aa0acad6 Mon Sep 17 00:00:00 2001 | ||||
| From: Josh Boyer <jwboyer@fedoraproject.org> | ||||
| Date: Tue, 27 Aug 2013 13:33:03 -0400 | ||||
| Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit | ||||
| Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit | ||||
| 
 | ||||
| UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit | ||||
| for use with efi_enabled. | ||||
| @ -875,3 +836,43 @@ index 41bbf8ba4ba8..e73f391fd3c8 100644 | ||||
| -- 
 | ||||
| 1.9.3 | ||||
| 
 | ||||
| 
 | ||||
| From 594e605ee9589150919aa113e3e01163168ad041 Mon Sep 17 00:00:00 2001 | ||||
| From: Josh Boyer <jwboyer@fedoraproject.org> | ||||
| Date: Fri, 20 Jun 2014 08:53:24 -0400 | ||||
| Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment | ||||
| 
 | ||||
| There is currently no way to verify the resume image when returning | ||||
| from hibernate.  This might compromise the signed modules trust model, | ||||
| so until we can work with signed hibernate images we disable it in | ||||
| a secure modules environment. | ||||
| 
 | ||||
| Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> | ||||
| ---
 | ||||
|  kernel/power/hibernate.c | 3 ++- | ||||
|  1 file changed, 2 insertions(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
 | ||||
| index fcc2611d3f14..61711801a9c4 100644
 | ||||
| --- a/kernel/power/hibernate.c
 | ||||
| +++ b/kernel/power/hibernate.c
 | ||||
| @@ -28,6 +28,7 @@
 | ||||
|  #include <linux/syscore_ops.h> | ||||
|  #include <linux/ctype.h> | ||||
|  #include <linux/genhd.h> | ||||
| +#include <linux/module.h>
 | ||||
|  #include <trace/events/power.h> | ||||
|   | ||||
|  #include "power.h" | ||||
| @@ -65,7 +66,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
 | ||||
|   | ||||
|  bool hibernation_available(void) | ||||
|  { | ||||
| -	return (nohibernate == 0);
 | ||||
| +	return ((nohibernate == 0) && !secure_modules());
 | ||||
|  } | ||||
|   | ||||
|  /** | ||||
| -- 
 | ||||
| 1.9.3 | ||||
| 
 | ||||
|  | ||||
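Review bot: The rewritten `hibernation_available()` in the new patch 14/14 (last hunk, kernel/power/hibernate.c) returns false whenever `secure_modules()` is set, but this commit also removes the former patch 09/14 check that rejected `snapshot_open()` in kernel/power/user.c directly, so the /dev/snapshot (uswsusp) path is only still covered if `snapshot_open()` itself consults `hibernation_available()` — that caller, like `software_resume()` for the `resume=` path, is outside this diff and should be confirmed in the 3.16 tree, otherwise an unverified image can still be loaded there. The function carries no comment on why module-signature enforcement gates hibernation; a line such as `/* Resume images cannot be verified, so hibernation would bypass module signing. */` above the return would record the rationale that currently lives only in the patch description. The `#include <linux/module.h>` added in the first hunk is presumably what brings `secure_modules()` into scope; worth confirming that is where the secure-modules series declares it.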
							
								
								
									
							| @ -1,4 +1,4 @@ | ||||
| 97ca1625bb40368dc41b9a7971549071  linux-3.15.tar.xz | ||||
| ef8f4db937f521a7e323ec589536ba25  perf-man-3.15.tar.gz | ||||
| 8edcef1e40ebea460ba0e43d913ff928  patch-3.16-rc1.xz | ||||
| 7ce0a784ea436cba2966fdfdccb63974  patch-3.16-rc1-git3.xz | ||||
| 3d7caaa5bbfb7f1227c11fc725fb2f9d  patch-3.16-rc1-git4.xz | ||||
|  | ||||