Linux v4.14-rc6-50-g567825502730

This commit is contained in:
Justin M. Forbes 2017-10-26 15:56:39 -05:00
parent d0030f2a56
commit 006f5ba402
4 changed files with 135 additions and 138 deletions


@ -1,8 +1,8 @@
From ae255bb7a54aa44ae4ac1b7a38617f976bdb07db Mon Sep 17 00:00:00 2001 From 646ac5c07196bc3680e34188e55c8cc3565f65e7 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 24 May 2017 14:56:00 +0100 Date: Wed, 24 May 2017 14:56:00 +0100
Subject: [PATCH] Add the ability to lock down access to the running kernel Subject: [PATCH 01/26] Add the ability to lock down access to the running
image kernel image
Provide a single call to allow kernel code to determine whether the system Provide a single call to allow kernel code to determine whether the system
should be locked down, thereby disallowing various accesses that might should be locked down, thereby disallowing various accesses that might
@ -11,6 +11,7 @@ modules that aren't validly signed with a key we recognise, fiddling with
MSR registers and disallowing hibernation, MSR registers and disallowing hibernation,
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <james.l.morris@oracle.com>
--- ---
include/linux/kernel.h | 17 ++++++++++++++ include/linux/kernel.h | 17 ++++++++++++++
include/linux/security.h | 8 +++++++ include/linux/security.h | 8 +++++++
@ -163,12 +164,12 @@ index 000000000000..d8595c0e6673
+} +}
+EXPORT_SYMBOL(__kernel_is_locked_down); +EXPORT_SYMBOL(__kernel_is_locked_down);
-- --
2.13.5 2.13.6
From 0712c10c74f2a24592f0c54595c2f19ee847b209 Mon Sep 17 00:00:00 2001 From 2c46467f43bc54324de5474a8355f98c692309e4 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com> From: Kyle McMartin <kyle@redhat.com>
Date: Wed, 18 Oct 2017 14:02:25 +0100 Date: Wed, 18 Oct 2017 14:02:25 +0100
Subject: [PATCH 01/25] Add a SysRq option to lift kernel lockdown Subject: [PATCH 02/26] Add a SysRq option to lift kernel lockdown
Make an option to provide a sysrq key that will lift the kernel lockdown, Make an option to provide a sysrq key that will lift the kernel lockdown,
thereby allowing the running kernel image to be accessed and modified. thereby allowing the running kernel image to be accessed and modified.
@ -446,18 +447,19 @@ index d8595c0e6673..2c6b00f0c229 100644
+ +
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
-- --
2.13.5 2.13.6
From a77c5e9c49ac6458581e607a033e1e6a3928b21c Mon Sep 17 00:00:00 2001 From 4c389db9daee3a3a444339a7d789de1d9366f736 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 24 May 2017 14:56:01 +0100 Date: Wed, 24 May 2017 14:56:01 +0100
Subject: [PATCH 02/25] Enforce module signatures if the kernel is locked down Subject: [PATCH 03/26] Enforce module signatures if the kernel is locked down
If the kernel is locked down, require that all modules have valid If the kernel is locked down, require that all modules have valid
signatures that we can verify. signatures that we can verify.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
--- ---
kernel/module.c | 3 ++- kernel/module.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-) 1 file changed, 2 insertions(+), 1 deletion(-)
@ -477,56 +479,51 @@ index de66ec825992..3d9a3270c179 100644
return err; return err;
-- --
2.13.5 2.13.6
From 8ed6fd87e9e639955c0b9d864ea42dc7611670ca Mon Sep 17 00:00:00 2001 From 59312c44aa46939a14b3fbfeb510f94b4a73c8a1 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Wed, 24 May 2017 14:56:02 +0100 Date: Wed, 24 May 2017 14:56:02 +0100
Subject: [PATCH 03/25] Restrict /dev/mem and /dev/kmem when the kernel is Subject: [PATCH 04/26] Restrict /dev/{mem,kmem,port} when the kernel is locked
locked down down
Allowing users to write to address space makes it possible for the kernel to Allowing users to read and write to core kernel memory makes it possible
be subverted, avoiding module loading restrictions. Prevent this when the for the kernel to be subverted, avoiding module loading restrictions, and
kernel has been locked down. also to steal cryptographic information.
Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
been locked down to prevent this.
Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
--- ---
drivers/char/mem.c | 6 ++++++ drivers/char/mem.c | 2 ++
1 file changed, 6 insertions(+) 1 file changed, 2 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 593a8818aca9..b7c36898b689 100644 index 593a8818aca9..0ce5ac0a5c6b 100644
--- a/drivers/char/mem.c --- a/drivers/char/mem.c
+++ b/drivers/char/mem.c +++ b/drivers/char/mem.c
@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, @@ -762,6 +762,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
if (p != *ppos)
return -EFBIG;
+ if (kernel_is_locked_down("/dev/mem")) static int open_port(struct inode *inode, struct file *filp)
{
+ if (kernel_is_locked_down("/dev/mem,kmem,port"))
+ return -EPERM; + return -EPERM;
+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
if (!valid_phys_addr_range(p, count)) }
return -EFAULT;
@@ -540,6 +543,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
int err = 0;
+ if (kernel_is_locked_down("/dev/kmem"))
+ return -EPERM;
+
if (p < (unsigned long) high_memory) {
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
-- --
2.13.5 2.13.6
From befd1007b58e66dbcf7367f6ccc3d992c7262d3a Mon Sep 17 00:00:00 2001 From 6304f16efd61e66701f4b331e95da3cafb5f5f76 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Wed, 24 May 2017 14:56:02 +0100 Date: Wed, 24 May 2017 14:56:02 +0100
Subject: [PATCH 04/25] kexec: Disable at runtime if the kernel is locked down Subject: [PATCH 05/26] kexec: Disable at runtime if the kernel is locked down
kexec permits the loading and execution of arbitrary code in ring 0, which kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable is something that lock-down is meant to prevent. It makes sense to disable
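Review bot: in the reworked 04/26 hunk the only check shown is in open_port(), yet the subject and the reason string also cover /dev/mem and /dev/kmem. The commit message should state that the mem and kmem open paths reach this function, or the hunk should show their open handlers, so the coverage can be verified from the patch itself. Moving the check from write_mem()/write_kmem() to open time also denies reads, which matches the reworded message but is a behaviour change that deserves an explicit sentence. The message line "Disallow /dev/mem and /dev/kmem from being opened this when the kernel has been locked down" carries a stray "this".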
@ -539,6 +536,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Dave Young <dyoung@redhat.com> Acked-by: Dave Young <dyoung@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
cc: kexec@lists.infradead.org cc: kexec@lists.infradead.org
--- ---
kernel/kexec.c | 7 +++++++ kernel/kexec.c | 7 +++++++
@ -563,12 +561,12 @@ index e62ec4dc6620..7dadfed9b676 100644
* This leaves us room for future extensions. * This leaves us room for future extensions.
*/ */
-- --
2.13.5 2.13.6
From 845d8a124c5be487f29ab05cc69a45119a715184 Mon Sep 17 00:00:00 2001 From cd00079900870855cea3573253a95c331ccab523 Mon Sep 17 00:00:00 2001
From: Dave Young <dyoung@redhat.com> From: Dave Young <dyoung@redhat.com>
Date: Wed, 24 May 2017 14:56:02 +0100 Date: Wed, 24 May 2017 14:56:02 +0100
Subject: [PATCH 05/25] Copy secure_boot flag in boot params across kexec Subject: [PATCH 06/26] Copy secure_boot flag in boot params across kexec
reboot reboot
Kexec reboot in case secure boot being enabled does not keep the secure Kexec reboot in case secure boot being enabled does not keep the secure
@ -603,16 +601,16 @@ index fb095ba0c02f..7d0fac5bcbbe 100644
ei->efi_systab = current_ei->efi_systab; ei->efi_systab = current_ei->efi_systab;
ei->efi_systab_hi = current_ei->efi_systab_hi; ei->efi_systab_hi = current_ei->efi_systab_hi;
-- --
2.13.5 2.13.6
From d61c8a5a7719d363ef4213f1d1d99d1bde87f78b Mon Sep 17 00:00:00 2001 From de2ac5da82fc55156134820ba32095710b935ad5 Mon Sep 17 00:00:00 2001
From: Chun-Yi Lee <joeyli.kernel@gmail.com> From: Chun-Yi Lee <joeyli.kernel@gmail.com>
Date: Wed, 24 May 2017 14:56:03 +0100 Date: Wed, 24 May 2017 14:56:03 +0100
Subject: [PATCH 06/25] kexec_file: Disable at runtime if securelevel has been Subject: [PATCH 07/26] kexec_file: Disable at runtime if the kernel is locked
set down
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image When KEXEC_VERIFY_SIG is not enabled, kernel should not load images
through kexec_file systemcall if securelevel has been set. through kexec_file systemcall if the kernel is locked down.
This code was showed in Matthew's patch but not in git: This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778 https://lkml.org/lkml/2015/3/13/778
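Review bot: the reworded 07/26 message still reads "This code was showed in Matthew's patch but not in git" and "systemcall"; since the text is being touched anyway, change these to "was shown" and "system call". The switch from "securelevel has been set" to "the kernel is locked down" in both subject and body is consistent with the rest of the series.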
@ -620,6 +618,7 @@ https://lkml.org/lkml/2015/3/13/778
Cc: Matthew Garrett <mjg59@srcf.ucam.org> Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: Chun-Yi Lee <jlee@suse.com> Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
cc: kexec@lists.infradead.org cc: kexec@lists.infradead.org
--- ---
kernel/kexec_file.c | 7 +++++++ kernel/kexec_file.c | 7 +++++++
@ -644,12 +643,12 @@ index 9f48f4412297..ff6523f2dcc2 100644
if (flags != (flags & KEXEC_FILE_FLAGS)) if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL; return -EINVAL;
-- --
2.13.5 2.13.6
From 18eab166de1f6e89ca75e6d6056cdbb10cce9b1a Mon Sep 17 00:00:00 2001 From ba823f2b5125605fcbac150fe27e622fd224ea61 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org> From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Wed, 24 May 2017 14:56:03 +0100 Date: Wed, 24 May 2017 14:56:03 +0100
Subject: [PATCH 07/25] hibernate: Disable when the kernel is locked down Subject: [PATCH 08/26] hibernate: Disable when the kernel is locked down
There is currently no way to verify the resume image when returning There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model, from hibernate. This might compromise the signed modules trust model,
@ -678,12 +677,12 @@ index a5c36e9c56a6..f2eafefeec50 100644
/** /**
-- --
2.13.5 2.13.6
From 0faef5cb3afb04f0c33ffcc923d86e49353b36da Mon Sep 17 00:00:00 2001 From 9e78666a6153d72c3e50160a30ead699ba508d8f Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org> From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Wed, 24 May 2017 14:56:03 +0100 Date: Wed, 24 May 2017 14:56:03 +0100
Subject: [PATCH 08/25] uswsusp: Disable when the kernel is locked down Subject: [PATCH 09/26] uswsusp: Disable when the kernel is locked down
uswsusp allows a user process to dump and then restore kernel state, which uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel makes it possible to modify the running kernel. Disable this if the kernel
@ -692,6 +691,7 @@ is locked down.
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
cc: linux-pm@vger.kernel.org cc: linux-pm@vger.kernel.org
--- ---
kernel/power/user.c | 3 +++ kernel/power/user.c | 3 +++
@ -712,12 +712,12 @@ index 22df9f7ff672..678ade9decfe 100644
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
-- --
2.13.5 2.13.6
From 2aa540f7f43590b14e01327c631bbe42ba3e8baf Mon Sep 17 00:00:00 2001 From 334fa071b01ced7f48b2920208addfb1eab5d0fe Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Wed, 24 May 2017 14:56:03 +0100 Date: Wed, 24 May 2017 14:56:03 +0100
Subject: [PATCH 09/25] PCI: Lock down BAR access when the kernel is locked Subject: [PATCH 10/26] PCI: Lock down BAR access when the kernel is locked
down down
Any hardware that can potentially generate DMA has to be locked down in Any hardware that can potentially generate DMA has to be locked down in
@ -820,12 +820,12 @@ index 9bf993e1f71e..afa01cc3ceec 100644
dev = pci_get_bus_and_slot(bus, dfn); dev = pci_get_bus_and_slot(bus, dfn);
-- --
2.13.5 2.13.6
From 9dd0a9e68cf8e066e101a4fabd1ec62f6c22de2f Mon Sep 17 00:00:00 2001 From 7e608c45ac2ab6c8e125aaf3993b8257352ac631 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Wed, 24 May 2017 14:56:04 +0100 Date: Wed, 24 May 2017 14:56:04 +0100
Subject: [PATCH 10/25] x86: Lock down IO port access when the kernel is locked Subject: [PATCH 11/26] x86: Lock down IO port access when the kernel is locked
down down
IO port access would permit users to gain access to PCI configuration IO port access would permit users to gain access to PCI configuration
@ -843,8 +843,7 @@ Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org cc: x86@kernel.org
--- ---
arch/x86/kernel/ioport.c | 6 ++++-- arch/x86/kernel/ioport.c | 6 ++++--
drivers/char/mem.c | 2 ++ 1 file changed, 4 insertions(+), 2 deletions(-)
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 9c3cf0944bce..2c0f058651c5 100644 index 9c3cf0944bce..2c0f058651c5 100644
@ -870,32 +869,22 @@ index 9c3cf0944bce..2c0f058651c5 100644
return -EPERM; return -EPERM;
} }
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index b7c36898b689..0875b3d47773 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
static int open_port(struct inode *inode, struct file *filp)
{
+ if (kernel_is_locked_down("Direct ioport access"))
+ return -EPERM;
return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
}
-- --
2.13.5 2.13.6
From ecec11fa386fc7c8f6865b4721eaa46360b89622 Mon Sep 17 00:00:00 2001 From 2644bf492568e3733bc841112c6e8628a6e01b8e Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Wed, 24 May 2017 14:56:04 +0100 Date: Wed, 24 May 2017 14:56:04 +0100
Subject: [PATCH 11/25] x86/msr: Restrict MSR access when the kernel is locked Subject: [PATCH 12/26] x86/msr: Restrict MSR access when the kernel is locked
down down
Writing to MSRs should not be allowed if the kernel is locked down, since Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a it could lead to execution of arbitrary code in kernel mode. Based on a
patch by Kees Cook. patch by Kees Cook.
MSR accesses are logged for the purposes of building up a whitelist as per
Alan Cox's suggestion.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Kees Cook <keescook@chromium.org>
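Review bot: dropping the open_port() check from the ioport patch changes the reason passed to kernel_is_locked_down() for /dev/port from "Direct ioport access" to the "/dev/mem,kmem,port" string now used in 04/26, which omits the braces used in that patch's subject and no longer names the operation. Consider "/dev/{mem,kmem,port}" or a per-device reason so the string is unambiguous wherever it is used. The diffstat in the preceding hunk correctly drops drivers/char/mem.c from this patch.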
@ -903,41 +892,44 @@ Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org cc: x86@kernel.org
--- ---
arch/x86/kernel/msr.c | 7 +++++++ arch/x86/kernel/msr.c | 10 ++++++++++
1 file changed, 7 insertions(+) 1 file changed, 10 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index ef688804f80d..a05a97863286 100644 index ef688804f80d..dfb61d358196 100644
--- a/arch/x86/kernel/msr.c --- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c
@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, @@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0; int err = 0;
ssize_t bytes = 0; ssize_t bytes = 0;
+ if (kernel_is_locked_down("Direct MSR access")) + if (kernel_is_locked_down("Direct MSR access")) {
+ pr_info("Direct access to MSR %x\n", reg);
+ return -EPERM; + return -EPERM;
+ }
+ +
if (count % 8) if (count % 8)
return -EINVAL; /* Invalid chunk size */ return -EINVAL; /* Invalid chunk size */
@@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) @@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
err = -EBADF; err = -EFAULT;
break; break;
} }
+ if (kernel_is_locked_down("Direct MSR access")) { + if (kernel_is_locked_down("Direct MSR access")) {
+ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
+ err = -EPERM; + err = -EPERM;
+ break; + break;
+ } + }
if (copy_from_user(&regs, uregs, sizeof regs)) { err = wrmsr_safe_regs_on_cpu(cpu, regs);
err = -EFAULT; if (err)
break; break;
-- --
2.13.5 2.13.6
From 09e16301455c0a8a4ee405ad531c231b70610b5b Mon Sep 17 00:00:00 2001 From e6850fffe186e252cc94e8747e589076e215ca1a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Wed, 24 May 2017 14:56:04 +0100 Date: Wed, 24 May 2017 14:56:04 +0100
Subject: [PATCH 12/25] asus-wmi: Restrict debugfs interface when the kernel is Subject: [PATCH 13/26] asus-wmi: Restrict debugfs interface when the kernel is
locked down locked down
We have no way of validating what all of the Asus WMI methods do on a given We have no way of validating what all of the Asus WMI methods do on a given
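Review bot: both added pr_info() calls, in msr_write() and in msr_ioctl(), fire on every denied attempt with no rate limit, so a process that keeps the device open can fill the log; pr_info_ratelimited() would preserve the whitelist data without that cost. The format "Direct access to MSR %x" prints a bare hex value and does not say that the access was a write or that it was refused; "0x%x" plus the operation would make the entries easier to search. The added commit-message text says MSR accesses are logged, while these hunks log only write attempts made while locked down, so the wording should be narrowed. Moving the ioctl check to after copy_from_user() is correct, since regs[1] is read for the log line.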
@ -990,12 +982,12 @@ index 48e1541dc8d4..ef5587469337 100644
0, asus->debug.method_id, 0, asus->debug.method_id,
&input, &output); &input, &output);
-- --
2.13.5 2.13.6
From 2f2199e407b1e0b3254a61236cd3e6a6efff170a Mon Sep 17 00:00:00 2001 From 6dda2a4dbc8bb80efaa55aba6d54382e986305c5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Wed, 24 May 2017 14:56:04 +0100 Date: Wed, 24 May 2017 14:56:04 +0100
Subject: [PATCH 13/25] ACPI: Limit access to custom_method when the kernel is Subject: [PATCH 14/26] ACPI: Limit access to custom_method when the kernel is
locked down locked down
custom_method effectively allows arbitrary access to system memory, making custom_method effectively allows arbitrary access to system memory, making
@ -1025,12 +1017,12 @@ index c68e72414a67..b33fba70ec51 100644
/* parse the table header to get the table length */ /* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header)) if (count <= sizeof(struct acpi_table_header))
-- --
2.13.5 2.13.6
From a71db99ed6004cdc5fa9d91cc964712103a606a0 Mon Sep 17 00:00:00 2001 From 64caa33410f85663cf0a65e4c09b8b8d28a219ad Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com> From: Josh Boyer <jwboyer@redhat.com>
Date: Wed, 24 May 2017 14:56:05 +0100 Date: Wed, 24 May 2017 14:56:05 +0100
Subject: [PATCH 14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has Subject: [PATCH 15/26] acpi: Ignore acpi_rsdp kernel param when the kernel has
been locked down been locked down
This option allows userspace to pass the RSDP address to the kernel, which This option allows userspace to pass the RSDP address to the kernel, which
@ -1060,12 +1052,12 @@ index db78d353bab1..36c6527c1b0a 100644
#endif #endif
-- --
2.13.5 2.13.6
From 23cf57806ecd304a5f25e50f3292b0dfeb5a33b1 Mon Sep 17 00:00:00 2001 From d87ce06969f2d4da0c864e8a4cf6c820d950cd1f Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com> From: Linn Crosetto <linn@hpe.com>
Date: Wed, 24 May 2017 14:56:05 +0100 Date: Wed, 24 May 2017 14:56:05 +0100
Subject: [PATCH 15/25] acpi: Disable ACPI table override if the kernel is Subject: [PATCH 16/26] acpi: Disable ACPI table override if the kernel is
locked down locked down
From the kernel documentation (initrd_table_override.txt): From the kernel documentation (initrd_table_override.txt):
@ -1103,12 +1095,12 @@ index 80ce2a7d224b..5cc13c42daf9 100644
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
all_tables_size, PAGE_SIZE); all_tables_size, PAGE_SIZE);
-- --
2.13.5 2.13.6
From a0d24f5ce005a299a2d8ff31350fe9415648c732 Mon Sep 17 00:00:00 2001 From 547e2ca9cbfd420a15dd70e1c1c24b7040f88058 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com> From: Linn Crosetto <linn@hpe.com>
Date: Wed, 24 May 2017 14:56:05 +0100 Date: Wed, 24 May 2017 14:56:05 +0100
Subject: [PATCH 16/25] acpi: Disable APEI error injection if the kernel is Subject: [PATCH 17/26] acpi: Disable APEI error injection if the kernel is
locked down locked down
ACPI provides an error injection mechanism, EINJ, for debugging and testing ACPI provides an error injection mechanism, EINJ, for debugging and testing
@ -1149,12 +1141,12 @@ index b38737c83a24..6d71e1e97b20 100644
if (flags && (flags & if (flags && (flags &
~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
-- --
2.13.5 2.13.6
From bfb5183f23fa4369b1c0897bb0afcb73540a7de2 Mon Sep 17 00:00:00 2001 From abbf8de44feab5f50b316d6491926d8d9029cb49 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 24 May 2017 14:56:06 +0100 Date: Wed, 24 May 2017 14:56:06 +0100
Subject: [PATCH 17/25] scsi: Lock down the eata driver Subject: [PATCH 18/26] scsi: Lock down the eata driver
When the kernel is running in secure boot mode, we lock down the kernel to When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this prevent userspace from modifying the running kernel image. Whilst this
@ -1194,12 +1186,12 @@ index 6501c330d8c8..72fceaa8f3da 100644
#if defined(MODULE) #if defined(MODULE)
/* io_port could have been modified when loading as a module */ /* io_port could have been modified when loading as a module */
-- --
2.13.5 2.13.6
From 0f263953a98b222cc942e1cbba977fc1a351272f Mon Sep 17 00:00:00 2001 From 116b02dff661d497c10099862b8b86e6cd2262ae Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 24 May 2017 14:56:06 +0100 Date: Wed, 24 May 2017 14:56:06 +0100
Subject: [PATCH 18/25] Prohibit PCMCIA CIS storage when the kernel is locked Subject: [PATCH 19/26] Prohibit PCMCIA CIS storage when the kernel is locked
down down
Prohibit replacement of the PCMCIA Card Information Structure when the Prohibit replacement of the PCMCIA Card Information Structure when the
@ -1227,12 +1219,12 @@ index 55ef7d1fd8da..b7a0e42eeb25 100644
if (off) if (off)
-- --
2.13.5 2.13.6
From 17c75715372a9d913b7396c1f5c1db9627988cb7 Mon Sep 17 00:00:00 2001 From f3dc03aa368cfde123bc1b60bda287091c9d43b4 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 24 May 2017 14:56:06 +0100 Date: Wed, 24 May 2017 14:56:06 +0100
Subject: [PATCH 19/25] Lock down TIOCSSERIAL Subject: [PATCH 20/26] Lock down TIOCSSERIAL
Lock down TIOCSSERIAL as that can be used to change the ioport and irq Lock down TIOCSSERIAL as that can be used to change the ioport and irq
settings on a serial port. This only appears to be an issue for the serial settings on a serial port. This only appears to be an issue for the serial
@ -1264,12 +1256,12 @@ index 3a14cccbd7ff..41f0922ad842 100644
retval = -EPERM; retval = -EPERM;
if (change_irq || change_port || if (change_irq || change_port ||
-- --
2.13.5 2.13.6
From f2b94788dc56591fb3b422187de511bfc7039468 Mon Sep 17 00:00:00 2001 From 9d266defc89a73c6dcca3b67ad70b95ac99b8e53 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 24 May 2017 14:56:06 +0100 Date: Wed, 24 May 2017 14:56:06 +0100
Subject: [PATCH 20/25] Lock down module params that specify hardware Subject: [PATCH 21/26] Lock down module params that specify hardware
parameters (eg. ioport) parameters (eg. ioport)
Provided an annotation for module parameters that specify hardware Provided an annotation for module parameters that specify hardware
@ -1347,12 +1339,12 @@ index 60b2d8101355..422979adb60a 100644
if (!err) if (!err)
return len; return len;
-- --
2.13.5 2.13.6
From a07442e78c95f0169e18198cd5be997aa6db6b7d Mon Sep 17 00:00:00 2001 From 17a8caed6507846edd0a7016cdcd97fe46cca263 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 24 May 2017 14:56:07 +0100 Date: Wed, 24 May 2017 14:56:07 +0100
Subject: [PATCH 21/25] x86/mmiotrace: Lock down the testmmiotrace module Subject: [PATCH 22/26] x86/mmiotrace: Lock down the testmmiotrace module
The testmmiotrace module shouldn't be permitted when the kernel is locked The testmmiotrace module shouldn't be permitted when the kernel is locked
down as it can be used to arbitrarily read and write MMIO space. down as it can be used to arbitrarily read and write MMIO space.
@ -1383,12 +1375,12 @@ index f6ae6830b341..bbaad357f5d7 100644
pr_err("you have to use the module argument mmio_address.\n"); pr_err("you have to use the module argument mmio_address.\n");
pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
-- --
2.13.5 2.13.6
From 1f3edea46a5e15484369bbda67bcee1b91c269a0 Mon Sep 17 00:00:00 2001 From 79ae67bf5f7eda526abaa80b01b19e08c1ed3558 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Oct 2017 17:28:02 +0100 Date: Wed, 18 Oct 2017 17:28:02 +0100
Subject: [PATCH 22/25] debugfs: Disallow use of debugfs files when the kernel Subject: [PATCH 23/26] debugfs: Disallow use of debugfs files when the kernel
is locked down is locked down
Disallow opening of debugfs files when the kernel is locked down as various Disallow opening of debugfs files when the kernel is locked down as various
@ -1438,17 +1430,18 @@ index 6dabc4a10396..32b5168a7e91 100644
if (r) { if (r) {
r = -ENOENT; r = -ENOENT;
-- --
2.13.5 2.13.6
From e54bd739a12f56ca39cf106bae995f59c5e40447 Mon Sep 17 00:00:00 2001 From 87ed5c02f0946c855730420cbf1daa6a2dfc54d7 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Thu, 19 Oct 2017 13:58:19 +0100 Date: Thu, 19 Oct 2017 13:58:19 +0100
Subject: [PATCH 23/25] Lock down /proc/kcore Subject: [PATCH 24/26] Lock down /proc/kcore
Disallow access to /proc/kcore when the kernel is locked down to prevent Disallow access to /proc/kcore when the kernel is locked down to prevent
access to cryptographic data. access to cryptographic data.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
--- ---
fs/proc/kcore.c | 2 ++ fs/proc/kcore.c | 2 ++
1 file changed, 2 insertions(+) 1 file changed, 2 insertions(+)
@ -1467,12 +1460,12 @@ index 45629f4b5402..176cf749e650 100644
return -EPERM; return -EPERM;
-- --
2.13.5 2.13.6
From 8294fa5b470e1736f0f54f97154d83883522e09a Mon Sep 17 00:00:00 2001 From 2bce9ca3a24e0b35dcf665e6ba082f0a796c6aad Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Thu, 19 Oct 2017 14:18:53 +0100 Date: Thu, 19 Oct 2017 14:18:53 +0100
Subject: [PATCH 24/25] efi: Add an EFI_SECURE_BOOT flag to indicate secure Subject: [PATCH 25/26] efi: Add an EFI_SECURE_BOOT flag to indicate secure
boot mode boot mode
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
@ -1489,9 +1482,9 @@ cc: linux-efi@vger.kernel.org
--- ---
arch/x86/kernel/setup.c | 14 +------------- arch/x86/kernel/setup.c | 14 +-------------
drivers/firmware/efi/Makefile | 1 + drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/secureboot.c | 37 +++++++++++++++++++++++++++++++++++++ drivers/firmware/efi/secureboot.c | 38 ++++++++++++++++++++++++++++++++++++++
include/linux/efi.h | 16 ++++++++++------ include/linux/efi.h | 16 ++++++++++------
4 files changed, 49 insertions(+), 19 deletions(-) 4 files changed, 50 insertions(+), 19 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c create mode 100644 drivers/firmware/efi/secureboot.c
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
@ -1533,10 +1526,10 @@ index 0329d319d89a..883f9f7eefc6 100644
arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
new file mode 100644 new file mode 100644
index 000000000000..674dcc01bb0b index 000000000000..9070055de0a1
--- /dev/null --- /dev/null
+++ b/drivers/firmware/efi/secureboot.c +++ b/drivers/firmware/efi/secureboot.c
@@ -0,0 +1,37 @@ @@ -0,0 +1,38 @@
+/* Core kernel secure boot support. +/* Core kernel secure boot support.
+ * + *
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. + * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
@ -1569,7 +1562,8 @@ index 000000000000..674dcc01bb0b
+ pr_info("Secure boot enabled\n"); + pr_info("Secure boot enabled\n");
+ break; + break;
+ default: + default:
+ pr_info("Secure boot could not be determined\n"); + pr_warning("Secure boot could not be determined (mode %u)\n",
+ mode);
+ break; + break;
+ } + }
+ } + }
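Review bot: the new default-case line uses pr_warning(), for which checkpatch asks for pr_warn() instead; please switch. Printing the mode value is a useful addition, but the hunk does not show the declaration of mode, so confirm that its type matches the %u specifier.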
@ -1623,12 +1617,12 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644
#ifdef CONFIG_RESET_ATTACK_MITIGATION #ifdef CONFIG_RESET_ATTACK_MITIGATION
-- --
2.13.5 2.13.6
From 49f2160cce8c14a53eb09f052064921a93eb9fb5 Mon Sep 17 00:00:00 2001 From 163d6a313399a4d50c5c7e42e3dd642ca8d495d7 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Thu, 19 Oct 2017 14:05:02 +0100 Date: Thu, 19 Oct 2017 14:05:02 +0100
Subject: [PATCH 25/25] efi: Lock down the kernel if booted in secure boot mode Subject: [PATCH 26/26] efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also only load signed bootloaders and kernels. Certain use cases may also
@ -1714,5 +1708,5 @@ index 2c6b00f0c229..527f7e51dc8d 100644
#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
-- --
2.13.5 2.13.6

gitrev

@ -1 +1 @@
f34157878d3b17641ad2366988600c23c89d98b2 567825502730b6bc108f926bdb1cf2de7ae436ca


@ -69,7 +69,7 @@ Summary: The Linux kernel
# The rc snapshot level # The rc snapshot level
%global rcrev 6 %global rcrev 6
# The git snapshot level # The git snapshot level
%define gitrev 2 %define gitrev 3
# Set rpm version accordingly # Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0 %define rpmversion 4.%{upstream_sublevel}.0
%endif %endif
@ -2212,6 +2212,9 @@ fi
# #
# #
%changelog %changelog
* Thu Oct 26 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.0-0.rc6.git3.1
- Linux v4.14-rc6-50-g567825502730
* Wed Oct 25 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.0-0.rc6.git2.1 * Wed Oct 25 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.0-0.rc6.git2.1
- Linux v4.14-rc6-21-gf34157878d3b - Linux v4.14-rc6-21-gf34157878d3b


@ -1,4 +1,4 @@
SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
SHA512 (patch-4.14-rc6.xz) = f10d13b0bd4f5e3bf295d4ef779cf358011e05c124b06277fef8afcf1a591b147f62717f0128866412fdd7ddddd660c0ae4b82b02b95702f10aabf50292c0ae7 SHA512 (patch-4.14-rc6.xz) = f10d13b0bd4f5e3bf295d4ef779cf358011e05c124b06277fef8afcf1a591b147f62717f0128866412fdd7ddddd660c0ae4b82b02b95702f10aabf50292c0ae7
SHA512 (patch-4.14-rc6-git2.xz) = 3cc8177ac31f1ac1d12522a8da7c05e25ccc630e5468ea267151acf5291ee9cf6196abb790bee742319bdbbe5180c6bbaad24245bb55f4eb315e6b179a19621b SHA512 (patch-4.14-rc6-git3.xz) = 033e71a1f44a827f83fbb300da648aae6f557c0017e697b9799f907bbe99f581dd51cb4ea43469dc9b8719bfaacd0543487e65b66a3f34adb8054b27cd93741d