From 306dfccc03842b8b0238c2c4ec13198f8b8ea2a3 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Tue, 24 Jul 2012 11:22:32 -0400
Subject: [PATCH] Update modsign and include secure boot
- Update modsign patch to latest upstream
- Add initial UEFI Secure Boot patchset. Work in progress.
---
 kernel.spec | 16 +-
 ...n-20120718.patch => modsign-20120724.patch | 632 ++++-----
 secure-boot-20120724.patch | 1161 +++++++++++++++++
 3 files changed, 1493 insertions(+), 316 deletions(-)
 rename modsign-20120718.patch => modsign-20120724.patch (94%)
 create mode 100644 secure-boot-20120724.patch
diff --git a/kernel.spec b/kernel.spec
index fe8ba5e1b..6f3a9c6f9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -672,7 +672,10 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
 Patch800: linux-2.6-crash-driver.patch
 # crypto/
-Patch900: modsign-20120718.patch
+Patch900: modsign-20120724.patch
+
+# secure boot
+Patch1000: secure-boot-20120724.patch
 # virt + ksm patches
 Patch1555: fix_xen_guest_on_old_EC2.patch
@@ -1374,7 +1377,10 @@ ApplyPatch linux-2.6-crash-driver.patch
 ApplyPatch linux-2.6-e1000-ich9-montevina.patch
 # crypto/
-ApplyPatch modsign-20120718.patch
+ApplyPatch modsign-20120724.patch
+
+# secure boot
+ApplyPatch secure-boot-20120724.patch
 # Assorted Virt Fixes
 ApplyPatch fix_xen_guest_on_old_EC2.patch
@@ -2295,6 +2301,10 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Tue Jul 24 2012 Josh Boyer
+- Update modsign patch to latest upstream
+- Add initial UEFI Secure Boot patchset. Work in progress.
+
 * Tue Jul 24 2012 Justin M. Forbes - 3.6.0-0.rc0.git1.1
 - Linux v3.5-1643-gf0a08fc
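Review bot: The new `# secure boot` comments at Patch1000 and at its ApplyPatch line do not say that the patchset is still in progress; that status is recorded only in the %changelog entry, which moves down the file as entries are added. Because `ApplyPatch secure-boot-20120724.patch` is unconditional, every build of this package carries the 1161-line patchset. The comment should state the status where the patch is declared, for example `# secure boot (initial patchset, work in progress)`.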
diff --git a/modsign-20120718.patch b/modsign-20120724.patch similarity index 94% rename from modsign-20120718.patch rename to modsign-20120724.patch index 0630014db..d37497d69 100644 --- a/modsign-20120718.patch +++ b/modsign-20120724.patch @@ -1,6 +1,6 @@ -From d1ff3781d12ad616073b4f1f3b04cef22d8c7c21 Mon Sep 17 00:00:00 2001 +From d012ed16fd7eff5498ddd9be8ad9960a644db518 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 13:12:20 +0100 +Date: Tue, 24 Jul 2012 13:59:15 +0100 Subject: [PATCH 01/27] MPILIB: Provide count_leading/trailing_zeros() based on arch functions @@ -17,14 +17,11 @@ Cc: David S. Miller Cc: Dmitry Kasatkin Cc: Arnd Bergmann --- - include/asm-generic/bitops/count_zeros.h | 57 ++++++++++++ - lib/mpi/longlong.h | 138 +----------------------------- - lib/mpi/mpi-bit.c | 2 +- - lib/mpi/mpi-div.c | 2 +- - lib/mpi/mpi-pow.c | 4 +- - lib/mpi/mpi-scan.c | 2 +- - lib/mpi/mpih-div.c | 8 +- - 7 files changed, 68 insertions(+), 145 deletions(-) + include/asm-generic/bitops/count_zeros.h | 57 +++++++++++++ + lib/mpi/longlong.h | 138 +------------------------------ + lib/mpi/mpi-bit.c | 2 +- + lib/mpi/mpi-pow.c | 4 +- + 4 files changed, 62 insertions(+), 139 deletions(-) create mode 100644 include/asm-generic/bitops/count_zeros.h diff --git a/include/asm-generic/bitops/count_zeros.h b/include/asm-generic/bitops/count_zeros.h @@ -324,7 +321,7 @@ index 29f9862..678ce4f 100644 #define UDIV_NEEDS_NORMALIZATION 0 #endif diff --git a/lib/mpi/mpi-bit.c b/lib/mpi/mpi-bit.c -index 0c50536..3fc00bf 100644 +index 5687248..503537e 100644 --- a/lib/mpi/mpi-bit.c +++ b/lib/mpi/mpi-bit.c @@ -45,7 +45,7 @@ unsigned mpi_get_nbits(MPI a) 
@@ -336,19 +333,6 @@ index 0c50536..3fc00bf 100644 else n = BITS_PER_MPI_LIMB; n = BITS_PER_MPI_LIMB - n + (a->nlimbs - 1) * BITS_PER_MPI_LIMB; -diff --git a/lib/mpi/mpi-div.c b/lib/mpi/mpi-div.c -index f68cbbb..51f105c 100644 ---- a/lib/mpi/mpi-div.c -+++ b/lib/mpi/mpi-div.c -@@ -217,7 +217,7 @@ int mpi_tdiv_qr(MPI quot, MPI rem, MPI num, MPI den) - } else /* Put quotient at top of remainder. */ - qp = rp + dsize; - -- count_leading_zeros(normalization_steps, dp[dsize - 1]); -+ normalization_steps = count_leading_zeros(dp[dsize - 1]); - - /* Normalize the denominator, i.e. make its most significant bit set by - * shifting it NORMALIZATION_STEPS bits to the left. Also shift the diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c index 67f3e79..5464c87 100644 --- a/lib/mpi/mpi-pow.c 
@@ -371,66 +355,13 @@ index 67f3e79..5464c87 100644 e = (e << c) << 1; /* shift the exp bits to the left, lose msb */ c = BITS_PER_MPI_LIMB - 1 - c; -diff --git a/lib/mpi/mpi-scan.c b/lib/mpi/mpi-scan.c -index b2da5ad..58556b5 100644 ---- a/lib/mpi/mpi-scan.c -+++ b/lib/mpi/mpi-scan.c -@@ -125,7 +125,7 @@ unsigned mpi_trailing_zeros(const MPI a) - unsigned nn; - mpi_limb_t alimb = a->d[n]; - -- count_trailing_zeros(nn, alimb); -+ nn = count_trailing_zeros(alimb); - count += nn; - break; - } -diff --git a/lib/mpi/mpih-div.c b/lib/mpi/mpih-div.c -index cde1aae..d6483792 100644 ---- a/lib/mpi/mpih-div.c -+++ b/lib/mpi/mpih-div.c -@@ -65,7 +65,7 @@ mpihelp_mod_1(mpi_ptr_t dividend_ptr, mpi_size_t dividend_size, - && (UDIV_TIME - (2 * UMUL_TIME + 6)) * dividend_size > UDIV_TIME) { - int normalization_steps; - -- count_leading_zeros(normalization_steps, divisor_limb); -+ normalization_steps = count_leading_zeros(divisor_limb); - if (normalization_steps) { - mpi_limb_t divisor_limb_inverted; - -@@ -142,7 +142,7 @@ mpihelp_mod_1(mpi_ptr_t dividend_ptr, mpi_size_t dividend_size, - if (UDIV_NEEDS_NORMALIZATION) { - int normalization_steps; - -- count_leading_zeros(normalization_steps, divisor_limb); -+ normalization_steps = count_leading_zeros(divisor_limb); - if (normalization_steps) { - divisor_limb <<= normalization_steps; - -@@ -421,7 +421,7 @@ mpihelp_divmod_1(mpi_ptr_t quot_ptr, - && (UDIV_TIME - (2 * UMUL_TIME + 6)) * dividend_size > UDIV_TIME) { - int normalization_steps; - -- count_leading_zeros(normalization_steps, divisor_limb); -+ normalization_steps = count_leading_zeros(divisor_limb); - if (normalization_steps) { - mpi_limb_t divisor_limb_inverted; - -@@ -496,7 +496,7 @@ mpihelp_divmod_1(mpi_ptr_t quot_ptr, - if (UDIV_NEEDS_NORMALIZATION) { - int normalization_steps; - -- count_leading_zeros(normalization_steps, divisor_limb); -+ normalization_steps = count_leading_zeros(divisor_limb); - if (normalization_steps) { - divisor_limb <<= normalization_steps; - -- 
-1.7.10.4 +1.7.11.2 -From 7611bb8e543cb2255c69bfb5edd85ed0d2cdb9e9 Mon Sep 17 00:00:00 2001 +From e2faf6ee3cc2f8cfe1c18e8d31eaf01fa653fd79 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 13:12:20 +0100 +Date: Tue, 24 Jul 2012 13:59:51 +0100 Subject: [PATCH 02/27] KEYS: Create a key type that can be used for general cryptographic operations @@ -442,15 +373,15 @@ algorithms. Signed-off-by: David Howells --- - Documentation/security/keys-crypto.txt | 181 +++++++++++++++++++++++++ - include/keys/crypto-subtype.h | 56 ++++++++ - include/keys/crypto-type.h | 25 ++++ - security/keys/Kconfig | 2 + - security/keys/Makefile | 1 + - security/keys/crypto/Kconfig | 7 + - security/keys/crypto/Makefile | 7 + - security/keys/crypto/crypto_keys.h | 28 ++++ - security/keys/crypto/crypto_type.c | 228 ++++++++++++++++++++++++++++++++ + Documentation/security/keys-crypto.txt | 181 ++++++++++++++++++++++++++ + include/keys/crypto-subtype.h | 56 ++++++++ + include/keys/crypto-type.h | 25 ++++ + security/keys/Kconfig | 2 + + security/keys/Makefile | 1 + + security/keys/crypto/Kconfig | 7 + + security/keys/crypto/Makefile | 7 + + security/keys/crypto/crypto_keys.h | 28 ++++ + security/keys/crypto/crypto_type.c | 228 +++++++++++++++++++++++++++++++++ 9 files changed, 535 insertions(+) create mode 100644 Documentation/security/keys-crypto.txt create mode 100644 include/keys/crypto-subtype.h @@ -1054,12 +985,12 @@ index 0000000..33d279b +module_init(crypto_key_init); +module_exit(crypto_key_cleanup); -- -1.7.10.4 +1.7.11.2 -From 23d7c6d8927420846af94823a90de1c24120bfea Mon Sep 17 00:00:00 2001 +From f7b41b16f3c6d24b46100b259a83c50615be5a23 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 13:12:20 +0100 +Date: Tue, 24 Jul 2012 13:59:51 +0100 Subject: [PATCH 03/27] KEYS: Add signature verification facility Add a facility whereby a key subtype may be asked to verify a signature against @@ -1092,11 +1023,11 @@ This adds four routines: 
Signed-off-by: David Howells --- - Documentation/security/keys-crypto.txt | 101 ++++++++++++++++++++++++++++ - include/keys/crypto-subtype.h | 21 ++++++ - include/keys/crypto-type.h | 9 +++ - security/keys/crypto/Makefile | 2 +- - security/keys/crypto/crypto_verify.c | 112 ++++++++++++++++++++++++++++++++ + Documentation/security/keys-crypto.txt | 101 +++++++++++++++++++++++++++++ + include/keys/crypto-subtype.h | 21 +++++++ + include/keys/crypto-type.h | 9 +++ + security/keys/crypto/Makefile | 2 +- + security/keys/crypto/crypto_verify.c | 112 +++++++++++++++++++++++++++++++++ 5 files changed, 244 insertions(+), 1 deletion(-) create mode 100644 security/keys/crypto/crypto_verify.c @@ -1428,12 +1359,12 @@ index 0000000..3f2964b +} +EXPORT_SYMBOL_GPL(verify_sig_cancel); -- -1.7.10.4 +1.7.11.2 -From 2fd136dec4682c1fa2609a7a94cf0353c334615c Mon Sep 17 00:00:00 2001 +From dfa8292f4527f46cabbbd64bd89766ac1dbe6546 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 13:12:20 +0100 +Date: Tue, 24 Jul 2012 13:59:52 +0100 Subject: [PATCH 04/27] KEYS: Asymmetric public-key algorithm crypto key subtype @@ -1442,10 +1373,10 @@ as DSA (FIPS-186) and RSA (PKCS#1 / RFC1337). Signed-off-by: David Howells --- - security/keys/crypto/Kconfig | 10 ++++ - security/keys/crypto/Makefile | 3 +- - security/keys/crypto/public_key.c | 55 +++++++++++++++++++ - security/keys/crypto/public_key.h | 106 +++++++++++++++++++++++++++++++++++++ + security/keys/crypto/Kconfig | 10 ++++ + security/keys/crypto/Makefile | 3 +- + security/keys/crypto/public_key.c | 55 ++++++++++++++++++++ + security/keys/crypto/public_key.h | 106 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 173 insertions(+), 1 deletion(-) create mode 100644 security/keys/crypto/public_key.c create mode 100644 security/keys/crypto/public_key.h 
@@ -1654,45 +1585,120 @@ index 0000000..81ed603 + +#endif /* _LINUX_PUBLIC_KEY_H */ -- -1.7.10.4 +1.7.11.2 -From ba785b97c90fc4403b2124dc2cecc842ba49be54 Mon Sep 17 00:00:00 2001 +From 0a8e7f4cc41d3cddf8a2367b1f0ed2bb1f6ccc91 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 13:12:21 +0100 -Subject: [PATCH 05/27] KEYS: RSA: Add exports from MPILIB +Date: Tue, 24 Jul 2012 14:10:37 +0100 +Subject: [PATCH 05/27] MPILIB: Reinstate mpi_cmp[_ui]() and export for RSA + signature verification -Export mpi_cmp() and mpi_cmp_ui() from the MPI library for use by RSA. +Reinstate and export mpi_cmp() and mpi_cmp_ui() from the MPI library for use by +RSA signature verification as per RFC3447 section 5.2.2 step 1. Signed-off-by: David Howells --- - lib/mpi/mpi-cmp.c | 2 ++ - 1 file changed, 2 insertions(+) + lib/mpi/Makefile | 1 + + lib/mpi/mpi-cmp.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 71 insertions(+) + create mode 100644 lib/mpi/mpi-cmp.c +diff --git a/lib/mpi/Makefile b/lib/mpi/Makefile +index 45ca90a..019a68c 100644 +--- a/lib/mpi/Makefile ++++ b/lib/mpi/Makefile +@@ -14,6 +14,7 @@ mpi-y = \ + generic_mpih-add1.o \ + mpicoder.o \ + mpi-bit.o \ ++ mpi-cmp.o \ + mpih-cmp.o \ + mpih-div.o \ + mpih-mul.o \ diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c -index 914bc42..1871e7b 100644 ---- a/lib/mpi/mpi-cmp.c +new file mode 100644 +index 0000000..1871e7b +--- /dev/null 
+++ b/lib/mpi/mpi-cmp.c -@@ -39,6 +39,7 @@ int mpi_cmp_ui(MPI u, unsigned long v) - else - return -1; - } +@@ -0,0 +1,70 @@ ++/* mpi-cmp.c - MPI functions ++ * Copyright (C) 1998, 1999 Free Software Foundation, Inc. ++ * ++ * This file is part of GnuPG. ++ * ++ * GnuPG is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuPG is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA ++ */ ++ ++#include "mpi-internal.h" ++ ++int mpi_cmp_ui(MPI u, unsigned long v) ++{ ++ mpi_limb_t limb = v; ++ ++ mpi_normalize(u); ++ if (!u->nlimbs && !limb) ++ return 0; ++ if (u->sign) ++ return -1; ++ if (u->nlimbs > 1) ++ return 1; ++ ++ if (u->d[0] == limb) ++ return 0; ++ else if (u->d[0] > limb) ++ return 1; ++ else ++ return -1; ++} +EXPORT_SYMBOL_GPL(mpi_cmp_ui); - - int mpi_cmp(MPI u, MPI v) - { -@@ -66,3 +67,4 @@ int mpi_cmp(MPI u, MPI v) - return 1; - return -1; - } ++ ++int mpi_cmp(MPI u, MPI v) ++{ ++ mpi_size_t usize, vsize; ++ int cmp; ++ ++ mpi_normalize(u); ++ mpi_normalize(v); ++ usize = u->nlimbs; ++ vsize = v->nlimbs; ++ if (!u->sign && v->sign) ++ return 1; ++ if (u->sign && !v->sign) ++ return -1; ++ if (usize != vsize && !u->sign && !v->sign) ++ return usize - vsize; ++ if (usize != vsize && u->sign && v->sign) ++ return vsize + usize; ++ if (!usize) ++ return 0; ++ cmp = mpihelp_cmp(u->d, v->d, usize); ++ if (!cmp) ++ return 0; ++ if ((cmp < 0 ? 1 : 0) == (u->sign ? 
1 : 0)) ++ return 1; ++ return -1; ++} +EXPORT_SYMBOL_GPL(mpi_cmp); -- -1.7.10.4 +1.7.11.2 -From 650edd748b92eea0622ecb26a5ee81c7b582d04c Mon Sep 17 00:00:00 2001 +From de86fda3085f6586bfd28517c07a2cd8cd4f9893 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:15:36 +0100 +Date: Tue, 24 Jul 2012 14:10:39 +0100 Subject: [PATCH 06/27] KEYS: RSA: Implement signature verification algorithm [PKCS#1 / RFC3447] @@ -1702,10 +1708,10 @@ public key subtype to hold its key data. Signed-off-by: David Howells --- - security/keys/crypto/Kconfig | 7 + - security/keys/crypto/Makefile | 1 + - security/keys/crypto/crypto_rsa.c | 264 +++++++++++++++++++++++++++++++++++++ - security/keys/crypto/public_key.h | 2 + + security/keys/crypto/Kconfig | 7 + + security/keys/crypto/Makefile | 1 + + security/keys/crypto/crypto_rsa.c | 264 ++++++++++++++++++++++++++++++++++++++ + security/keys/crypto/public_key.h | 2 + 4 files changed, 274 insertions(+) create mode 100644 security/keys/crypto/crypto_rsa.c @@ -2017,12 +2023,12 @@ index 81ed603..7913615 100644 * Asymmetric public key data */ -- -1.7.10.4 +1.7.11.2 -From 7da10c257377762e1a6ac747b48791cf610ba4c5 Mon Sep 17 00:00:00 2001 +From 2363851f3eeae9ec32ee6d5f868085eb11afa717 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:15:39 +0100 +Date: Tue, 24 Jul 2012 14:11:19 +0100 Subject: [PATCH 07/27] KEYS: RSA: Fix signature verification for shorter signatures @@ -2038,7 +2044,7 @@ Thanks to Tomas Mraz and Miloslav Trmac for help. Signed-off-by: Milan Broz Signed-off-by: David Howells --- - security/keys/crypto/crypto_rsa.c | 14 +++++++++++--- + security/keys/crypto/crypto_rsa.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/security/keys/crypto/crypto_rsa.c b/security/keys/crypto/crypto_rsa.c 
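Review bot: In the reinstated `mpi_cmp()`, the branch for two negative operands with different limb counts returns `vsize + usize`, which is always positive, so the result does not depend on which operand is larger. The symmetric branch above it uses `usize - vsize`, and this one should read `return vsize - usize;`. In `mpi_cmp_ui()`, a value that normalizes to zero limbs compared against a nonzero `v` passes all three early returns and reaches `u->d[0]`, a limb the MPI does not claim to hold; adding `if (!u->nlimbs) return limb ? -1 : 0;` before the sign test avoids that read. The patch description ties these helpers to the RFC3447 section 5.2.2 step 1 check in RSA signature verification, so the comparison result feeds a trust decision even if the verifier only passes non-negative values (the callers, `mpi_normalize()` and `mpihelp_cmp()` are outside this hunk).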
@@ -2073,12 +2079,12 @@ index 845285c..a4a63be 100644 ret = RSAVP1(key, sig->rsa.s, &m); if (ret < 0) -- -1.7.10.4 +1.7.11.2 -From 4366c59a624398d1aba4d6651191ba880da9e694 Mon Sep 17 00:00:00 2001 +From edfd057d757164e207edfb3d3affa87cf0b126e6 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:15:52 +0100 +Date: Tue, 24 Jul 2012 14:11:19 +0100 Subject: [PATCH 08/27] PGPLIB: PGP definitions (RFC 4880) Provide some useful PGP definitions from RFC 4880. These describe details of @@ -2087,7 +2093,7 @@ verification. Signed-off-by: David Howells --- - include/linux/pgp.h | 206 +++++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/pgp.h | 206 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 206 insertions(+) create mode 100644 include/linux/pgp.h @@ -2304,12 +2310,12 @@ index 0000000..1359f64 + +#endif /* _LINUX_PGP_H */ -- -1.7.10.4 +1.7.11.2 -From 0409a338e01de5025cec2a1b291442651163aafd Mon Sep 17 00:00:00 2001 +From 36f2b76a6ee5c6d86f6d7725ead9e5252b1d29a6 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:17:46 +0100 +Date: Tue, 24 Jul 2012 14:11:20 +0100 Subject: [PATCH 09/27] PGPLIB: Basic packet parser Provide a simple parser that extracts the packets from a PGP packet blob and @@ -2331,10 +2337,10 @@ This is configured on with CONFIG_PGP_LIBRARY. Signed-off-by: David Howells --- - include/linux/pgplib.h | 47 +++++++ - security/keys/crypto/Kconfig | 6 + - security/keys/crypto/Makefile | 1 + - security/keys/crypto/pgp_library.c | 268 ++++++++++++++++++++++++++++++++++++ + include/linux/pgplib.h | 47 +++++++ + security/keys/crypto/Kconfig | 6 + + security/keys/crypto/Makefile | 1 + + security/keys/crypto/pgp_library.c | 268 +++++++++++++++++++++++++++++++++++++ 4 files changed, 322 insertions(+) create mode 100644 include/linux/pgplib.h create mode 100644 security/keys/crypto/pgp_library.c 
@@ -2690,12 +2696,12 @@ index 0000000..af396d6 +} +EXPORT_SYMBOL_GPL(pgp_parse_public_key); -- -1.7.10.4 +1.7.11.2 -From 2a76433139dbdc6d57d38da6ceb79ce05ab603a4 Mon Sep 17 00:00:00 2001 +From 6f830b85b1e32e44291c2bdff6b936025c48b40d Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:21:24 +0100 +Date: Tue, 24 Jul 2012 14:11:20 +0100 Subject: [PATCH 10/27] PGPLIB: Signature parser Provide some PGP signature parsing helpers: @@ -2714,8 +2720,8 @@ Provide some PGP signature parsing helpers: Signed-off-by: David Howells --- - include/linux/pgplib.h | 25 ++++ - security/keys/crypto/pgp_library.c | 280 ++++++++++++++++++++++++++++++++++++ + include/linux/pgplib.h | 25 ++++ + security/keys/crypto/pgp_library.c | 280 +++++++++++++++++++++++++++++++++++++ 2 files changed, 305 insertions(+) diff --git a/include/linux/pgplib.h b/include/linux/pgplib.h @@ -3043,12 +3049,12 @@ index af396d6..c9218df 100644 +} +EXPORT_SYMBOL_GPL(pgp_parse_sig_params); -- -1.7.10.4 +1.7.11.2 -From 91a05bc308c1e177410882a119f388d3b6b53c22 Mon Sep 17 00:00:00 2001 +From c0e901a1ce72ddf259de219506327271cf3bb700 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:21:26 +0100 +Date: Tue, 24 Jul 2012 14:11:21 +0100 Subject: [PATCH 11/27] KEYS: PGP data parser Implement a PGP data parser for the crypto key type to use when instantiating a @@ -3066,10 +3072,10 @@ some errors. Signed-off-by: David Howells --- - security/keys/crypto/Kconfig | 12 ++ - security/keys/crypto/Makefile | 4 + - security/keys/crypto/pgp_parser.h | 23 +++ - security/keys/crypto/pgp_public_key.c | 348 +++++++++++++++++++++++++++++++++ + security/keys/crypto/Kconfig | 12 ++ + security/keys/crypto/Makefile | 4 + + security/keys/crypto/pgp_parser.h | 23 +++ + security/keys/crypto/pgp_public_key.c | 348 ++++++++++++++++++++++++++++++++++ 4 files changed, 387 insertions(+) create mode 100644 security/keys/crypto/pgp_parser.h create mode 100644 security/keys/crypto/pgp_public_key.c 
@@ -3490,12 +3496,12 @@ index 0000000..8a8b7c0 +module_init(pgp_key_init); +module_exit(pgp_key_exit); -- -1.7.10.4 +1.7.11.2 -From 14191eaae2f9ccba2563a4bf9c30ffcbf153f521 Mon Sep 17 00:00:00 2001 +From b830627f3b864530540ad88df21d2ceefcba7459 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:22:19 +0100 +Date: Tue, 24 Jul 2012 14:11:21 +0100 Subject: [PATCH 12/27] KEYS: PGP-based public key signature verification Provide handlers for PGP-based public-key algorithm signature verification. @@ -3508,9 +3514,9 @@ patch provides. Signed-off-by: David Howells --- - security/keys/crypto/Makefile | 3 +- - security/keys/crypto/pgp_parser.h | 6 + - security/keys/crypto/pgp_sig_verify.c | 325 +++++++++++++++++++++++++++++++++ + security/keys/crypto/Makefile | 3 +- + security/keys/crypto/pgp_parser.h | 6 + + security/keys/crypto/pgp_sig_verify.c | 325 ++++++++++++++++++++++++++++++++++ 3 files changed, 333 insertions(+), 1 deletion(-) create mode 100644 security/keys/crypto/pgp_sig_verify.c @@ -3871,12 +3877,12 @@ index 0000000..82c89da + kleave(""); +} -- -1.7.10.4 +1.7.11.2 -From 3ca6d54c9bbd0633b7f8e1b033c7d8b2ebe85489 Mon Sep 17 00:00:00 2001 +From fbd1b578b58a197da42428fda49654d38c794f31 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:22:40 +0100 +Date: Tue, 24 Jul 2012 14:11:21 +0100 Subject: [PATCH 13/27] KEYS: PGP format signature parser Implement a signature parser that will attempt to parse a signature blob as a @@ -3885,10 +3891,10 @@ and set the public-key algorithm according to the data in the signature. 
Signed-off-by: David Howells --- - security/keys/crypto/Makefile | 1 + - security/keys/crypto/pgp_parser.h | 6 ++ - security/keys/crypto/pgp_public_key.c | 1 + - security/keys/crypto/pgp_sig_parser.c | 114 +++++++++++++++++++++++++++++++++ + security/keys/crypto/Makefile | 1 + + security/keys/crypto/pgp_parser.h | 6 ++ + security/keys/crypto/pgp_public_key.c | 1 + + security/keys/crypto/pgp_sig_parser.c | 114 ++++++++++++++++++++++++++++++++++ 4 files changed, 122 insertions(+) create mode 100644 security/keys/crypto/pgp_sig_parser.c @@ -4052,12 +4058,12 @@ index 0000000..f5feb2b + return ctx; +} -- -1.7.10.4 +1.7.11.2 -From 30a028f485bd476ef3ad73fbb042a55b4851c966 Mon Sep 17 00:00:00 2001 +From a04615b5ce4ae2e6e0f1932cd697b6a3d41cb9f8 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:22:59 +0100 +Date: Tue, 24 Jul 2012 14:11:21 +0100 Subject: [PATCH 14/27] KEYS: Provide a function to load keys from a PGP keyring blob @@ -4083,11 +4089,11 @@ out some errors. Signed-off-by: David Howells --- - Documentation/security/keys-crypto.txt | 20 +++++++ - include/keys/crypto-type.h | 3 + - security/keys/crypto/Kconfig | 9 +++ - security/keys/crypto/Makefile | 1 + - security/keys/crypto/pgp_preload.c | 96 ++++++++++++++++++++++++++++++++ + Documentation/security/keys-crypto.txt | 20 +++++++ + include/keys/crypto-type.h | 3 ++ + security/keys/crypto/Kconfig | 9 ++++ + security/keys/crypto/Makefile | 1 + + security/keys/crypto/pgp_preload.c | 96 ++++++++++++++++++++++++++++++++++ 5 files changed, 129 insertions(+) create mode 100644 security/keys/crypto/pgp_preload.c @@ -4270,12 +4276,12 @@ index 0000000..9028788 + return pgp_parse_packets(pgpdata, pgpdatalen, &ctx.pgp); +} -- -1.7.10.4 +1.7.11.2 -From 13b8bd0afb58d1000c74741f176862efb6d1bcc9 Mon Sep 17 00:00:00 2001 +From d0e5635f09c91ca12fa5a508c2ba5197372d7487 Mon Sep 17 00:00:00 2001 
From: David Howells -Date: Wed, 18 Jul 2012 16:25:41 +0100 +Date: Tue, 24 Jul 2012 14:13:56 +0100 Subject: [PATCH 15/27] Make most arch asm/module.h files use asm-generic/module.h @@ -4315,62 +4321,62 @@ unsupported type of relocation record as that's now handled centrally. 
Signed-off-by: David Howells --- - arch/Kconfig | 19 +++++++++++++++++ - arch/alpha/Kconfig | 2 ++ - arch/alpha/include/asm/module.h | 10 ++------- - arch/arm/Kconfig | 2 ++ - arch/arm/include/asm/module.h | 8 ++------ - arch/avr32/Kconfig | 2 ++ - arch/avr32/include/asm/module.h | 6 ++---- - arch/blackfin/Kconfig | 2 ++ - arch/blackfin/include/asm/module.h | 4 +--- - arch/c6x/Kconfig | 1 + - arch/c6x/include/asm/module.h | 12 +---------- - arch/cris/Kconfig | 1 + - arch/cris/include/asm/Kbuild | 2 ++ - arch/cris/include/asm/module.h | 9 -------- - arch/frv/include/asm/module.h | 8 +------- - arch/h8300/Kconfig | 1 + - arch/h8300/include/asm/Kbuild | 2 ++ - arch/h8300/include/asm/module.h | 11 ---------- - arch/hexagon/Kconfig | 1 + - arch/ia64/Kconfig | 2 ++ - arch/ia64/include/asm/module.h | 6 ++---- - arch/m32r/Kconfig | 1 + - arch/m32r/include/asm/Kbuild | 2 ++ - arch/m32r/include/asm/module.h | 10 --------- - arch/m32r/kernel/module.c | 15 -------------- - arch/m68k/Kconfig | 3 +++ - arch/m68k/include/asm/module.h | 6 ++---- - arch/microblaze/Kconfig | 1 + - arch/mips/Kconfig | 3 +++ - arch/mips/include/asm/module.h | 10 +++++++-- - arch/mips/kernel/module.c | 2 ++ - arch/mn10300/Kconfig | 1 + - arch/mn10300/include/asm/module.h | 7 +------ - arch/openrisc/Kconfig | 1 + - arch/parisc/Kconfig | 2 ++ - arch/parisc/include/asm/module.h | 16 +++------------ - arch/powerpc/Kconfig | 2 ++ - arch/powerpc/include/asm/module.h | 7 +------ - arch/s390/Kconfig | 2 ++ - arch/s390/include/asm/module.h | 18 +++------------- - arch/score/Kconfig | 2 ++ - arch/score/include/asm/module.h | 6 +----- - arch/score/kernel/module.c | 10 --------- - arch/sh/Kconfig | 2 ++ - arch/sh/include/asm/module.h | 14 +++---------- - arch/sparc/Kconfig | 1 + - arch/sparc/include/asm/Kbuild | 1 + - arch/sparc/include/asm/module.h | 24 ---------------------- - arch/tile/Kconfig | 1 + - arch/unicore32/Kconfig | 1 + - arch/x86/Kconfig | 2 ++ - arch/xtensa/Kconfig | 1 + - 
arch/xtensa/include/asm/module.h | 9 +------- - include/asm-generic/module.h | 40 +++++++++++++++++++++++++++++------- - include/linux/moduleloader.h | 36 ++++++++++++++++++++++++++++---- - kernel/module.c | 20 ------------------ + arch/Kconfig | 19 ++++++++++++++++++ + arch/alpha/Kconfig | 2 ++ + arch/alpha/include/asm/module.h | 10 ++-------- + arch/arm/Kconfig | 2 ++ + arch/arm/include/asm/module.h | 8 ++------ + arch/avr32/Kconfig | 2 ++ + arch/avr32/include/asm/module.h | 6 ++---- + arch/blackfin/Kconfig | 2 ++ + arch/blackfin/include/asm/module.h | 4 +--- + arch/c6x/Kconfig | 1 + + arch/c6x/include/asm/module.h | 12 +----------- + arch/cris/Kconfig | 1 + + arch/cris/include/asm/Kbuild | 2 ++ + arch/cris/include/asm/module.h | 9 --------- + arch/frv/include/asm/module.h | 8 +------- + arch/h8300/Kconfig | 1 + + arch/h8300/include/asm/Kbuild | 2 ++ + arch/h8300/include/asm/module.h | 11 ----------- + arch/hexagon/Kconfig | 1 + + arch/ia64/Kconfig | 2 ++ + arch/ia64/include/asm/module.h | 6 ++---- + arch/m32r/Kconfig | 1 + + arch/m32r/include/asm/Kbuild | 2 ++ + arch/m32r/include/asm/module.h | 10 ---------- + arch/m32r/kernel/module.c | 15 -------------- + arch/m68k/Kconfig | 3 +++ + arch/m68k/include/asm/module.h | 6 ++---- + arch/microblaze/Kconfig | 1 + + arch/mips/Kconfig | 3 +++ + arch/mips/include/asm/module.h | 10 ++++++++-- + arch/mips/kernel/module.c | 2 ++ + arch/mn10300/Kconfig | 1 + + arch/mn10300/include/asm/module.h | 7 +------ + arch/openrisc/Kconfig | 1 + + arch/parisc/Kconfig | 2 ++ + arch/parisc/include/asm/module.h | 16 +++------------ + arch/powerpc/Kconfig | 2 ++ + arch/powerpc/include/asm/module.h | 7 +------ + arch/s390/Kconfig | 2 ++ + arch/s390/include/asm/module.h | 18 +++-------------- + arch/score/Kconfig | 2 ++ + arch/score/include/asm/module.h | 6 +----- + arch/score/kernel/module.c | 10 ---------- + arch/sh/Kconfig | 2 ++ + arch/sh/include/asm/module.h | 14 +++---------- + arch/sparc/Kconfig | 1 + + arch/sparc/include/asm/Kbuild | 
1 + + arch/sparc/include/asm/module.h | 24 ----------------------- + arch/tile/Kconfig | 1 + + arch/unicore32/Kconfig | 1 + + arch/x86/Kconfig | 2 ++ + arch/xtensa/Kconfig | 1 + + arch/xtensa/include/asm/module.h | 9 +-------- + include/asm-generic/module.h | 40 +++++++++++++++++++++++++++++++------- + include/linux/moduleloader.h | 36 ++++++++++++++++++++++++++++++---- + kernel/module.c | 20 ------------------- 56 files changed, 167 insertions(+), 223 deletions(-) delete mode 100644 arch/cris/include/asm/module.h delete mode 100644 arch/h8300/include/asm/module.h @@ -4445,7 +4451,7 @@ index 7b63743..9cd13b5 100644 #ifdef MODULE diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig -index a91009c..af8bf36 100644 +index c7e6d20..5fc742e 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -45,6 +45,8 @@ config ARM @@ -4837,7 +4843,7 @@ index 0bf4423..ee395d3 100644 config SWAP def_bool n diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig -index 09ab87e..2901b41 100644 +index b3e10fd..5972ebd 100644 --- a/arch/mips/Kconfig +++ b/arch/mips/Kconfig @@ -34,6 +34,9 @@ config MIPS @@ -4991,7 +4997,7 @@ index 1f41234..bab37e9 100644 struct unwind_table; diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig -index 050cb37..17d3267 100644 +index 9a5d3cd..5a91b5b 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -137,6 +137,8 @@ config PPC @@ -5137,7 +5143,7 @@ index 469e3b6..1378d99 100644 const struct exception_table_entry *search_module_dbetables(unsigned long addr) { diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig -index 31d9db7..22c02bb 100644 +index a24595d..365ecf5 100644 --- a/arch/sh/Kconfig +++ b/arch/sh/Kconfig @@ -34,6 +34,8 @@ config SUPERH @@ -5231,10 +5237,10 @@ index ff8e02d..0000000 - -#endif /* __SPARC_MODULE_H */ diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig -index fe12881..2d8bc27 100644 +index 932e443..1603f30 100644 --- a/arch/tile/Kconfig 
+++ b/arch/tile/Kconfig -@@ -15,6 +15,7 @@ config TILE +@@ -17,6 +17,7 @@ config TILE select SYS_HYPERVISOR select ARCH_HAVE_NMI_SAFE_CMPXCHG select GENERIC_CLOCKEVENTS @@ -5357,7 +5363,7 @@ index ed5b44d..14dc41d 100644 #endif /* __ASM_GENERIC_MODULE_H */ diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h -index b2be02e..b85dda8 100644 +index b2be02e..560ca53 100644 --- a/include/linux/moduleloader.h +++ b/include/linux/moduleloader.h @@ -28,21 +28,49 @@ void *module_alloc(unsigned long size); @@ -5383,7 +5389,7 @@ index b2be02e..b85dda8 100644 + unsigned int relsec, + struct module *me) +{ -+ pr_err("module %s: REL relocation unsupported\n", me->name); ++ printk(KERN_ERR "module %s: REL relocation unsupported\n", me->name); + return -ENOEXEC; +} +#endif @@ -5407,7 +5413,7 @@ index b2be02e..b85dda8 100644 + unsigned int relsec, + struct module *me) +{ -+ pr_err("module %s: RELA relocation unsupported\n", me->name); ++ printk(KERN_ERR "module %s: REL relocation unsupported\n", me->name); + return -ENOEXEC; +} +#endif @@ -5446,12 +5452,12 @@ index 4edbd9c..087aeed 100644 { unsigned int i; -- -1.7.10.4 +1.7.11.2 -From 69bdeeb86f28489efa7d5f414867bd07b9516c10 Mon Sep 17 00:00:00 2001 +From 3ad621a6fe31c4b1e73675facc39b2b34eaba3a3 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:26:33 +0100 +Date: Tue, 24 Jul 2012 14:13:57 +0100 Subject: [PATCH 16/27] Provide macros for forming the name of an ELF note and its section @@ -5460,7 +5466,7 @@ appropriately so that the macro can be used in both C and assembly. Signed-off-by: David Howells --- - include/linux/elfnote.h | 4 ++++ + include/linux/elfnote.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/elfnote.h b/include/linux/elfnote.h 
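Review bot: The second relocation stub in include/linux/moduleloader.h now logs `REL relocation unsupported`, where the line it replaces said `RELA`. Both stubs then emit the same message, so the log line for a rejected module no longer says which relocation type the architecture lacks. Presumably this is the `apply_relocate_add()` stub (its signature starts outside the hunk), and the message should stay `printk(KERN_ERR "module %s: RELA relocation unsupported\n", me->name);`.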
@@ -5486,12 +5492,12 @@ index 278e3ef..949d494 100644 #endif /* _LINUX_ELFNOTE_H */ -- -1.7.10.4 +1.7.11.2 -From 5191f0bcbe03426b90b0a53c9ea960fafba7c269 Mon Sep 17 00:00:00 2001 +From ebd84cbe7656bb091c8101af3d302ea7c14e7ecf Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:27:05 +0100 +Date: Tue, 24 Jul 2012 14:14:00 +0100 Subject: [PATCH 17/27] MODSIGN: Provide gitignore and make clean rules for extra files @@ -5502,9 +5508,9 @@ to be signed. Signed-off-by: David Howells --- - .gitignore | 12 ++++++++++++ - Makefile | 1 + - scripts/mod/.gitignore | 1 + + .gitignore | 12 ++++++++++++ + Makefile | 1 + + scripts/mod/.gitignore | 1 + 3 files changed, 14 insertions(+) diff --git a/.gitignore b/.gitignore @@ -5535,7 +5541,7 @@ index 57af07c..7948eeb 100644 +random_seed +trustdb.gpg diff --git a/Makefile b/Makefile -index aa8e315..4a4a11f 100644 +index 4bb09e1..5afb466 100644 --- a/Makefile +++ b/Makefile @@ -1239,6 +1239,7 @@ clean: $(clean-dirs) @@ -5557,12 +5563,12 @@ index e9b7abe..223dfd6 100644 +mod-extract -- -1.7.10.4 +1.7.11.2 -From bf067003ae6304d90c278118b5d65d905be16e53 Mon Sep 17 00:00:00 2001 +From 5071caadfaf48a29826bb0fb934bf8046878ca00 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:27:16 +0100 +Date: Tue, 24 Jul 2012 14:14:01 +0100 Subject: [PATCH 18/27] MODSIGN: Provide Documentation and Kconfig options Provide documentation and kernel configuration options for module signing. @@ -5596,9 +5602,9 @@ The following configuration options are added: Signed-off-by: David Howells --- - Documentation/module-signing.txt | 194 ++++++++++++++++++++++++++++++++++++++ - include/linux/modsign.h | 27 ++++++ - init/Kconfig | 54 +++++++++++ + Documentation/module-signing.txt | 194 +++++++++++++++++++++++++++++++++++++++ + include/linux/modsign.h | 27 ++++++ + init/Kconfig | 54 +++++++++++ 3 files changed, 275 insertions(+) create mode 100644 Documentation/module-signing.txt create mode 100644 include/linux/modsign.h 
@@ -5902,12 +5908,12 @@ index d07dcf9..1d1a056 100644 config INIT_ALL_POSSIBLE -- -1.7.10.4 +1.7.11.2 -From 19c2fd74747b84e445b0a4eb7f7308a238267aec Mon Sep 17 00:00:00 2001 +From 506ebdd9cc53b7e1fe5c1a1351bf1e42cce4c856 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:27:38 +0100 +Date: Tue, 24 Jul 2012 14:14:01 +0100 Subject: [PATCH 19/27] MODSIGN: Sign modules during the build process If CONFIG_MODULE_SIG is set, then this patch will cause the module to get a @@ -5947,10 +5953,10 @@ will appear in the build log. If it is skipped, the following will be seen: Signed-off-by: David Howells --- - scripts/Makefile.modpost | 87 ++++- - scripts/mod/Makefile | 2 +- - scripts/mod/mod-extract.c | 913 +++++++++++++++++++++++++++++++++++++++++++ - scripts/mod/modsign-note.sh | 16 + + scripts/Makefile.modpost | 87 ++++- + scripts/mod/Makefile | 2 +- + scripts/mod/mod-extract.c | 913 ++++++++++++++++++++++++++++++++++++++++++++ + scripts/mod/modsign-note.sh | 16 + 4 files changed, 1016 insertions(+), 2 deletions(-) create mode 100644 scripts/mod/mod-extract.c create mode 100644 scripts/mod/modsign-note.sh @@ -7027,12 +7033,12 @@ index 0000000..bca67c0 + +exit 0 -- -1.7.10.4 +1.7.11.2 -From 05f68f1852611dd7f2f7d28c677b1205b66d4337 Mon Sep 17 00:00:00 2001 +From c075a55ef7dd94b37406e09c542f69994e73424c Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:27:49 +0100 +Date: Tue, 24 Jul 2012 14:14:01 +0100 Subject: [PATCH 20/27] MODSIGN: Module signature verification stub Create a stub for the module signature verifier and link it into module.c so @@ -7063,12 +7069,12 @@ This table indicates the behaviours in the various situations: 
Signed-off-by: David Howells --- - include/linux/module.h | 3 ++ - kernel/Makefile | 1 + - kernel/module-verify-defs.h | 77 ++++++++++++++++++++++++++++++ - kernel/module-verify.c | 110 +++++++++++++++++++++++++++++++++++++++++++ - kernel/module-verify.h | 20 ++++++++ - kernel/module.c | 26 ++++++++-- + include/linux/module.h | 3 ++ + kernel/Makefile | 1 + + kernel/module-verify-defs.h | 77 +++++++++++++++++++++++++++++++ + kernel/module-verify.c | 110 ++++++++++++++++++++++++++++++++++++++++++++ + kernel/module-verify.h | 20 ++++++++ + kernel/module.c | 26 +++++++++-- 6 files changed, 232 insertions(+), 5 deletions(-) create mode 100644 kernel/module-verify-defs.h create mode 100644 kernel/module-verify.c @@ -7415,12 +7421,12 @@ index 087aeed..a59a9da 100644 if (last_unloaded_module[0]) printk(" [last unloaded: %s]", last_unloaded_module); -- -1.7.10.4 +1.7.11.2 -From a8622506bccd42aecd271d2735f6734e539125ac Mon Sep 17 00:00:00 2001 +From 632507c5c70caad4ac7000d573b60236e405247b Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:28:33 +0100 +Date: Tue, 24 Jul 2012 14:14:02 +0100 Subject: [PATCH 21/27] MODSIGN: Automatically generate module signing keys if missing @@ -7436,7 +7442,7 @@ if the keyrings change. Signed-off-by: David Howells --- - kernel/Makefile | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ + kernel/Makefile | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/kernel/Makefile b/kernel/Makefile @@ -7497,12 +7503,12 @@ index cec222a..28cd248 100644 +endif +CLEAN_FILES += modsign.pub modsign.sec genkey random_seed -- -1.7.10.4 +1.7.11.2 -From 2bde4c453e0b5ec52fe95c3fb800af86fdc38546 Mon Sep 17 00:00:00 2001 +From bbbe230903a8c8f1d3aa7d2cc7f850930ff1539f Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:28:41 +0100 +Date: Tue, 24 Jul 2012 14:14:02 +0100 Subject: [PATCH 22/27] MODSIGN: Provide module signing public keys to the kernel 
@@ -7523,10 +7529,10 @@ their removal and preventing further modules from being loaded with that key. Signed-off-by: David Howells --- - kernel/Makefile | 25 ++++++++------- - kernel/modsign-pubkey.c | 75 +++++++++++++++++++++++++++++++++++++++++++ - kernel/module-verify-defs.h | 4 +++ - kernel/module-verify.c | 2 -- + kernel/Makefile | 25 ++++++++------- + kernel/modsign-pubkey.c | 75 +++++++++++++++++++++++++++++++++++++++++++++ + kernel/module-verify-defs.h | 4 +++ + kernel/module-verify.c | 2 -- 4 files changed, 93 insertions(+), 13 deletions(-) create mode 100644 kernel/modsign-pubkey.c @@ -7683,12 +7689,12 @@ index 4bf857e..05473e6 100644 #include #include -- -1.7.10.4 +1.7.11.2 -From 689ea2a8739a5d61b7c55cd9084dd3096585c6de Mon Sep 17 00:00:00 2001 +From e4f50fd14864d574dfa77002da3bc51bbb0046bc Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:29:17 +0100 +Date: Tue, 24 Jul 2012 14:14:02 +0100 Subject: [PATCH 23/27] MODSIGN: Check the ELF container Check the ELF container of the kernel module to prevent the kernel from @@ -7767,7 +7773,7 @@ code, presumably because some local variables can be discarded. Signed-off-by: David Howells --- - kernel/module-verify.c | 230 ++++++++++++++++++++++++++++++++++++++++++++++++ + kernel/module-verify.c | 230 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 230 insertions(+) diff --git a/kernel/module-verify.c b/kernel/module-verify.c @@ -8019,12 +8025,12 @@ index 05473e6..2161d11 100644 /* Deal with an unsigned module */ if (modsign_signedonly) { -- -1.7.10.4 +1.7.11.2 -From 4e90f1f1f04b2efb070f15211e644a8a86a2142e Mon Sep 17 00:00:00 2001 +From b9e2653685ab246ee774d4ea0d178f9d43b003f8 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:29:43 +0100 +Date: Tue, 24 Jul 2012 14:14:02 +0100 Subject: [PATCH 24/27] MODSIGN: Produce a filtered and canonicalised section list 
@@ -8040,7 +8046,7 @@ Canonicalisation is done by sorting the filtered list in order of section name. Signed-off-by: David Howells --- - kernel/module-verify.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++ + kernel/module-verify.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/kernel/module-verify.c b/kernel/module-verify.c @@ -8143,12 +8149,12 @@ index 2161d11..646b104 100644 out: switch (ret) { -- -1.7.10.4 +1.7.11.2 -From 5f48916c06318abb0821b41bc06f457248ed87eb Mon Sep 17 00:00:00 2001 +From 425b80d71cb3d29ad9a5d1573b1ba62e8acc9846 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:30:02 +0100 +Date: Tue, 24 Jul 2012 14:14:03 +0100 Subject: [PATCH 25/27] MODSIGN: Create digest of module content and check signature @@ -8192,8 +8198,8 @@ somewhat smaller code. Signed-off-by: David Howells --- - kernel/module-verify-defs.h | 11 +- - kernel/module-verify.c | 332 ++++++++++++++++++++++++++++++++++++++++++- + kernel/module-verify-defs.h | 11 +- + kernel/module-verify.c | 332 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 337 insertions(+), 6 deletions(-) diff --git a/kernel/module-verify-defs.h b/kernel/module-verify-defs.h @@ -8580,12 +8586,12 @@ index 646b104..e275759 100644 out: -- -1.7.10.4 +1.7.11.2 -From 25841b75e473511f1dbe84cfb333ef2b748d2ec6 Mon Sep 17 00:00:00 2001 +From 83b8771f504bdb2d75df57697445211ca312a08b Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:30:22 +0100 +Date: Tue, 24 Jul 2012 14:14:03 +0100 Subject: [PATCH 26/27] MODSIGN: Suppress some redundant ELF checks Suppress some redundant ELF checks in module_verify_elf() that are also done @@ -8594,7 +8600,7 @@ module_verify(). Signed-off-by: David Howells --- - kernel/module-verify.c | 6 +++--- + kernel/module-verify.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/module-verify.c b/kernel/module-verify.c 
@@ -8617,12 +8623,12 @@ index e275759..bfd1286 100644 /* Validate the section table contents */ mvdata->nsects = hdr->e_shnum; -- -1.7.10.4 +1.7.11.2 -From 3ac2defabc1996584fac06b76070138fe56753e6 Mon Sep 17 00:00:00 2001 +From a7ec988440e9c8b0deaf769c79b4b3cfe45eb411 Mon Sep 17 00:00:00 2001 From: David Howells -Date: Wed, 18 Jul 2012 16:30:40 +0100 +Date: Tue, 24 Jul 2012 14:14:03 +0100 Subject: [PATCH 27/27] MODSIGN: Panic the kernel if FIPS is enabled upon module signing failure @@ -8633,7 +8639,7 @@ shouldn't happen on cases like ENOMEM. Reported-by: Stephan Mueller Signed-off-by: David Howells --- - kernel/module-verify.c | 5 +++++ + kernel/module-verify.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/module-verify.c b/kernel/module-verify.c @@ -8660,5 +8666,5 @@ index bfd1286..b9c3955 100644 case 0: /* Good signature */ *_gpgsig_ok = true; -- -1.7.10.4 +1.7.11.2 diff --git a/secure-boot-20120724.patch b/secure-boot-20120724.patch new file mode 100644 index 000000000..862e7e0d1 --- /dev/null +++ b/secure-boot-20120724.patch 
@@ -0,0 +1,1161 @@ +From 56ce13afe1b17cd2817c596b3a9e25e51937a328 Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Thu, 19 Jul 2012 10:23:48 +0100 +Subject: [PATCH 01/14] x86, efi: Handover Protocol + +As things currently stand, traditional EFI boot loaders and the EFI +boot stub are carrying essentially the same initialisation code +required to setup an EFI machine for booting a kernel. There's really +no need to have this code in two places and the hope is that, with +this new protocol, initialisation and booting of the kernel can be +left solely to the kernel's EFI boot stub. The responsibilities of the +boot loader then become, + + o Loading the kernel image from boot media + +File system code still needs to be carried by boot loaders for the +scenario where the kernel and initrd files reside on a file system +that the EFI firmware doesn't natively understand, such as ext4, etc. + + o Providing a user interface + +Boot loaders still need to display any menus/interfaces, for example +to allow the user to select from a list of kernels. + +Bump the boot protocol number because we added the 'handover_offset' +field to indicate the location of the handover protocol entry point. + +Cc: H. Peter Anvin +Cc: Matthew Garrett +Cc: Peter Jones +Cc: Ingo Molnar +Signed-off-by: Matt Fleming +--- + Documentation/x86/boot.txt | 41 ++++++++ + arch/x86/boot/compressed/eboot.c | 198 ++++++++++++++++++++++--------------- + arch/x86/boot/compressed/head_32.S | 10 ++ + arch/x86/boot/compressed/head_64.S | 10 ++ + arch/x86/boot/header.S | 4 +- + arch/x86/include/asm/bootparam.h | 1 + + 6 files changed, 185 insertions(+), 79 deletions(-) + +diff --git a/Documentation/x86/boot.txt b/Documentation/x86/boot.txt +index 7c3a880..c6539a4 100644 +--- a/Documentation/x86/boot.txt ++++ b/Documentation/x86/boot.txt +@@ -54,6 +54,9 @@ Protocol 2.10: (Kernel 2.6.31) Added a protocol for relaxed alignment + beyond the kernel_alignment added, new init_size and + pref_address fields. 
Added extended boot loader IDs. + ++Protocol 2.11: (Kernel 3.6) Added a field for offset of EFI handover ++ protocol entry point. ++ + **** MEMORY LAYOUT + + The traditional memory map for the kernel loader, used for Image or +@@ -189,6 +192,7 @@ Offset Proto Name Meaning + of struct setup_data + 0258/8 2.10+ pref_address Preferred loading address + 0260/4 2.10+ init_size Linear memory required during initialization ++0264/4 2.11+ handover_offset Offset of handover entry point + + (1) For backwards compatibility, if the setup_sects field contains 0, the + real value is 4. +@@ -690,6 +694,16 @@ Offset/size: 0x260/4 + else + runtime_start = pref_address + ++Field name: handover_offset ++Type: read ++Offset/size: 0x264/4 ++ ++ This field is the offset from the beginning of the kernel image to ++ the EFI handover protocol entry point. Boot loaders using the EFI ++ handover protocol to boot the kernel should jump to this offset. ++ ++ See EFI HANDOVER PROTOCOL below for more details. ++ + + **** THE IMAGE CHECKSUM + +@@ -1010,3 +1024,30 @@ segment; __BOOS_CS must have execute/read permission, and __BOOT_DS + must have read/write permission; CS must be __BOOT_CS and DS, ES, SS + must be __BOOT_DS; interrupt must be disabled; %esi must hold the base + address of the struct boot_params; %ebp, %edi and %ebx must be zero. ++ ++**** EFI HANDOVER PROTOCOL ++ ++This protocol allows boot loaders to defer initialisation to the EFI ++boot stub. The boot loader is required to load the kernel/initrd(s) ++from the boot media and jump to the EFI handover protocol entry point ++which is hdr->handover_offset bytes from the beginning of ++startup_{32,64}. 
++ ++The function prototype for the handover entry point looks like this, ++ ++ efi_main(void *handle, efi_system_table_t *table, struct boot_params *bp) ++ ++'handle' is the EFI image handle passed to the boot loader by the EFI ++firmware, 'table' is the EFI system table - these are the first two ++arguments of the "handoff state" as described in section 2.3 of the ++UEFI specification. 'bp' is the boot loader-allocated boot params. ++ ++The boot loader *must* fill out the following fields in bp, ++ ++ o hdr.code32_start ++ o hdr.cmd_line_ptr ++ o hdr.cmdline_size ++ o hdr.ramdisk_image (if applicable) ++ o hdr.ramdisk_size (if applicable) ++ ++All other fields should be zero. +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 4e85f5f..b3e0227 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -729,32 +729,68 @@ fail: + * need to create one ourselves (usually the bootloader would create + * one for us). + */ +-static efi_status_t make_boot_params(struct boot_params *boot_params, +- efi_loaded_image_t *image, +- void *handle) ++struct boot_params *make_boot_params(void *handle, efi_system_table_t *_table) + { +- struct efi_info *efi = &boot_params->efi_info; +- struct apm_bios_info *bi = &boot_params->apm_bios_info; +- struct sys_desc_table *sdt = &boot_params->sys_desc_table; +- struct e820entry *e820_map = &boot_params->e820_map[0]; +- struct e820entry *prev = NULL; +- struct setup_header *hdr = &boot_params->hdr; +- unsigned long size, key, desc_size, _size; +- efi_memory_desc_t *mem_map; +- void *options = image->load_options; +- u32 load_options_size = image->load_options_size / 2; /* ASCII */ ++ struct boot_params *boot_params; ++ struct sys_desc_table *sdt; ++ struct apm_bios_info *bi; ++ struct setup_header *hdr; ++ struct efi_info *efi; ++ efi_loaded_image_t *image; ++ void *options; ++ u32 load_options_size; ++ efi_guid_t proto = LOADED_IMAGE_PROTOCOL_GUID; + int options_size = 
0; + efi_status_t status; +- __u32 desc_version; + unsigned long cmdline; +- u8 nr_entries; + u16 *s2; + u8 *s1; + int i; + ++ sys_table = _table; ++ ++ /* Check if we were booted by the EFI firmware */ ++ if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) ++ return NULL; ++ ++ status = efi_call_phys3(sys_table->boottime->handle_protocol, ++ handle, &proto, (void *)&image); ++ if (status != EFI_SUCCESS) { ++ efi_printk("Failed to get handle for LOADED_IMAGE_PROTOCOL\n"); ++ return NULL; ++ } ++ ++ status = low_alloc(0x4000, 1, (unsigned long *)&boot_params); ++ if (status != EFI_SUCCESS) { ++ efi_printk("Failed to alloc lowmem for boot params\n"); ++ return NULL; ++ } ++ ++ memset(boot_params, 0x0, 0x4000); ++ ++ hdr = &boot_params->hdr; ++ efi = &boot_params->efi_info; ++ bi = &boot_params->apm_bios_info; ++ sdt = &boot_params->sys_desc_table; ++ ++ /* Copy the second sector to boot_params */ ++ memcpy(&hdr->jump, image->image_base + 512, 512); ++ ++ /* ++ * Fill out some of the header fields ourselves because the ++ * EFI firmware loader doesn't load the first sector. 
++ */ ++ hdr->root_flags = 1; ++ hdr->vid_mode = 0xffff; ++ hdr->boot_flag = 0xAA55; ++ ++ hdr->code32_start = (__u64)(unsigned long)image->image_base; ++ + hdr->type_of_loader = 0x21; + + /* Convert unicode cmdline to ascii */ ++ options = image->load_options; ++ load_options_size = image->load_options_size / 2; /* ASCII */ + cmdline = 0; + s2 = (u16 *)options; + +@@ -791,18 +827,36 @@ static efi_status_t make_boot_params(struct boot_params *boot_params, + hdr->ramdisk_image = 0; + hdr->ramdisk_size = 0; + +- status = handle_ramdisks(image, hdr); +- if (status != EFI_SUCCESS) +- goto free_cmdline; +- +- setup_graphics(boot_params); +- + /* Clear APM BIOS info */ + memset(bi, 0, sizeof(*bi)); + + memset(sdt, 0, sizeof(*sdt)); + +- memcpy(&efi->efi_loader_signature, EFI_LOADER_SIGNATURE, sizeof(__u32)); ++ status = handle_ramdisks(image, hdr); ++ if (status != EFI_SUCCESS) ++ goto fail2; ++ ++ return boot_params; ++fail2: ++ if (options_size) ++ low_free(options_size, hdr->cmd_line_ptr); ++fail: ++ low_free(0x4000, (unsigned long)boot_params); ++ return NULL; ++} ++ ++static efi_status_t exit_boot(struct boot_params *boot_params, ++ void *handle) ++{ ++ struct efi_info *efi = &boot_params->efi_info; ++ struct e820entry *e820_map = &boot_params->e820_map[0]; ++ struct e820entry *prev = NULL; ++ unsigned long size, key, desc_size, _size; ++ efi_memory_desc_t *mem_map; ++ efi_status_t status; ++ __u32 desc_version; ++ u8 nr_entries; ++ int i; + + size = sizeof(*mem_map) * 32; + +@@ -811,7 +865,7 @@ again: + _size = size; + status = low_alloc(size, 1, (unsigned long *)&mem_map); + if (status != EFI_SUCCESS) +- goto free_cmdline; ++ return status; + + status = efi_call_phys5(sys_table->boottime->get_memory_map, &size, + mem_map, &key, &desc_size, &desc_version); +@@ -823,6 +877,7 @@ again: + if (status != EFI_SUCCESS) + goto free_mem_map; + ++ memcpy(&efi->efi_loader_signature, EFI_LOADER_SIGNATURE, sizeof(__u32)); + efi->efi_systab = (unsigned long)sys_table; + 
efi->efi_memdesc_size = desc_size; + efi->efi_memdesc_version = desc_version; +@@ -906,61 +961,13 @@ again: + + free_mem_map: + low_free(_size, (unsigned long)mem_map); +-free_cmdline: +- if (options_size) +- low_free(options_size, hdr->cmd_line_ptr); +-fail: + return status; + } + +-/* +- * On success we return a pointer to a boot_params structure, and NULL +- * on failure. +- */ +-struct boot_params *efi_main(void *handle, efi_system_table_t *_table) ++static efi_status_t relocate_kernel(struct setup_header *hdr) + { +- struct boot_params *boot_params; + unsigned long start, nr_pages; +- struct desc_ptr *gdt, *idt; +- efi_loaded_image_t *image; +- struct setup_header *hdr; + efi_status_t status; +- efi_guid_t proto = LOADED_IMAGE_PROTOCOL_GUID; +- struct desc_struct *desc; +- +- sys_table = _table; +- +- /* Check if we were booted by the EFI firmware */ +- if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) +- goto fail; +- +- status = efi_call_phys3(sys_table->boottime->handle_protocol, +- handle, &proto, (void *)&image); +- if (status != EFI_SUCCESS) { +- efi_printk("Failed to get handle for LOADED_IMAGE_PROTOCOL\n"); +- goto fail; +- } +- +- status = low_alloc(0x4000, 1, (unsigned long *)&boot_params); +- if (status != EFI_SUCCESS) { +- efi_printk("Failed to alloc lowmem for boot params\n"); +- goto fail; +- } +- +- memset(boot_params, 0x0, 0x4000); +- +- hdr = &boot_params->hdr; +- +- /* Copy the second sector to boot_params */ +- memcpy(&hdr->jump, image->image_base + 512, 512); +- +- /* +- * Fill out some of the header fields ourselves because the +- * EFI firmware loader doesn't load the first sector. 
+- */ +- hdr->root_flags = 1; +- hdr->vid_mode = 0xffff; +- hdr->boot_flag = 0xAA55; + + /* + * The EFI firmware loader could have placed the kernel image +@@ -978,16 +985,40 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table) + if (status != EFI_SUCCESS) { + status = low_alloc(hdr->init_size, hdr->kernel_alignment, + &start); +- if (status != EFI_SUCCESS) { ++ if (status != EFI_SUCCESS) + efi_printk("Failed to alloc mem for kernel\n"); +- goto fail; +- } + } + ++ if (status == EFI_SUCCESS) ++ memcpy((void *)start, (void *)(unsigned long)hdr->code32_start, ++ hdr->init_size); ++ ++ hdr->pref_address = hdr->code32_start; + hdr->code32_start = (__u32)start; +- hdr->pref_address = (__u64)(unsigned long)image->image_base; + +- memcpy((void *)start, image->image_base, image->image_size); ++ return status; ++} ++ ++/* ++ * On success we return a pointer to a boot_params structure, and NULL ++ * on failure. ++ */ ++struct boot_params *efi_main(void *handle, efi_system_table_t *_table, ++ struct boot_params *boot_params) ++{ ++ struct desc_ptr *gdt, *idt; ++ efi_loaded_image_t *image; ++ struct setup_header *hdr = &boot_params->hdr; ++ efi_status_t status; ++ struct desc_struct *desc; ++ ++ sys_table = _table; ++ ++ /* Check if we were booted by the EFI firmware */ ++ if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) ++ goto fail; ++ ++ setup_graphics(boot_params); + + status = efi_call_phys3(sys_table->boottime->allocate_pool, + EFI_LOADER_DATA, sizeof(*gdt), +@@ -1015,7 +1046,18 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table) + idt->size = 0; + idt->address = 0; + +- status = make_boot_params(boot_params, image, handle); ++ /* ++ * If the kernel isn't already loaded at the preferred load ++ * address, relocate it. 
++ */ ++ if (hdr->pref_address != hdr->code32_start) { ++ status = relocate_kernel(hdr); ++ ++ if (status != EFI_SUCCESS) ++ goto fail; ++ } ++ ++ status = exit_boot(boot_params, handle); + if (status != EFI_SUCCESS) + goto fail; + +diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S +index c85e3ac..aa4aaf1 100644 +--- a/arch/x86/boot/compressed/head_32.S ++++ b/arch/x86/boot/compressed/head_32.S +@@ -42,6 +42,16 @@ ENTRY(startup_32) + */ + add $0x4, %esp + ++ call make_boot_params ++ cmpl $0, %eax ++ je 1f ++ movl 0x4(%esp), %esi ++ movl (%esp), %ecx ++ pushl %eax ++ pushl %esi ++ pushl %ecx ++ ++ .org 0x30,0x90 + call efi_main + cmpl $0, %eax + movl %eax, %esi +diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S +index 87e03a1..2c4b171 100644 +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -209,6 +209,16 @@ ENTRY(startup_64) + .org 0x210 + mov %rcx, %rdi + mov %rdx, %rsi ++ pushq %rdi ++ pushq %rsi ++ call make_boot_params ++ cmpq $0,%rax ++ je 1f ++ mov %rax, %rdx ++ popq %rsi ++ popq %rdi ++ ++ .org 0x230,0x90 + call efi_main + movq %rax,%rsi + cmpq $0,%rax +diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S +index efe5acf..cd921fe 100644 +--- a/arch/x86/boot/header.S ++++ b/arch/x86/boot/header.S +@@ -283,7 +283,7 @@ _start: + # Part 2 of the header, from the old setup.S + + .ascii "HdrS" # header signature +- .word 0x020a # header version number (>= 0x0105) ++ .word 0x020b # header version number (>= 0x0105) + # or else old loadlin-1.5 will fail) + .globl realmode_swtch + realmode_swtch: .word 0, 0 # default_switch, SETUPSEG +@@ -401,6 +401,8 @@ pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr + #define INIT_SIZE VO_INIT_SIZE + #endif + init_size: .long INIT_SIZE # kernel initialization size ++handover_offset: .long 0x30 # offset to the handover ++ # protocol entry point + + # End of setup header 
##################################################### + +diff --git a/arch/x86/include/asm/bootparam.h b/arch/x86/include/asm/bootparam.h +index eb45aa6..2ad874c 100644 +--- a/arch/x86/include/asm/bootparam.h ++++ b/arch/x86/include/asm/bootparam.h +@@ -66,6 +66,7 @@ struct setup_header { + __u64 setup_data; + __u64 pref_address; + __u32 init_size; ++ __u32 handover_offset; + } __attribute__((packed)); + + struct sys_desc_table { +-- +1.7.11.2 + + +From 948fbe310f85f3a51a101ea23f38c59c70792832 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Thu, 8 Mar 2012 09:56:33 -0500 +Subject: [PATCH 02/14] Secure boot: Add new capability + +Secure boot adds certain policy requirements, including that root must not +be able to do anything that could cause the kernel to execute arbitrary code. +The simplest way to handle this would seem to be to add a new capability +and gate various functionality on that. We'll then strip it from the initial +capability set if required. + +Signed-off-by: Matthew Garrett +--- + include/linux/capability.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/linux/capability.h b/include/linux/capability.h +index d10b7ed..6a39163 100644 +--- a/include/linux/capability.h ++++ b/include/linux/capability.h +@@ -364,7 +364,11 @@ struct cpu_vfs_cap_data { + + #define CAP_BLOCK_SUSPEND 36 + +-#define CAP_LAST_CAP CAP_BLOCK_SUSPEND ++/* Allow things that are dangerous under secure boot */ ++ ++#define CAP_SECURE_FIRMWARE 37 ++ ++#define CAP_LAST_CAP CAP_SECURE_FIRMWARE + + #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) + +-- +1.7.11.2 + + +From 56150c6ad369f31e34e438744d34c505751a8b78 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Thu, 8 Mar 2012 10:10:38 -0500 +Subject: [PATCH 03/14] PCI: Lock down BAR access in secure boot environments + +Any hardware that can potentially generate DMA has to be locked down from +userspace in order to avoid it being possible for an attacker to cause +arbitrary kernel 
behaviour. Default to paranoid - in future we can +potentially relax this for sufficiently IOMMU-isolated devices. + +Signed-off-by: Matthew Garrett +--- + drivers/pci/pci-sysfs.c | 9 +++++++++ + drivers/pci/proc.c | 8 +++++++- + drivers/pci/syscall.c | 2 +- + 3 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 86c63fe..d3adb7b 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -513,6 +513,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, + loff_t init_off = off; + u8 *data = (u8*) buf; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + if (off > dev->cfg_size) + return 0; + if (off + count > dev->cfg_size) { +@@ -815,6 +818,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, + resource_size_t start, end; + int i; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + for (i = 0; i < PCI_ROM_RESOURCE; i++) + if (res == &pdev->resource[i]) + break; +@@ -922,6 +928,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, + struct bin_attribute *attr, char *buf, + loff_t off, size_t count) + { ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + return pci_resource_io(filp, kobj, attr, buf, off, count, true); + } + +diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c +index 27911b5..01d4753 100644 +--- a/drivers/pci/proc.c ++++ b/drivers/pci/proc.c +@@ -135,6 +135,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof + int size = dp->size; + int cnt; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + if (pos >= size) + return 0; + if (nbytes >= size) +@@ -211,6 +214,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, + #endif /* HAVE_PCI_MMAP */ + int ret = 0; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + switch (cmd) { + case PCIIOC_CONTROLLER: + ret = pci_domain_nr(dev->bus); +@@ -251,7 +257,7 @@ static int 
proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) + struct pci_filp_private *fpriv = file->private_data; + int i, ret; + +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE)) + return -EPERM; + + /* Make sure the caller is mapping a real resource for this device */ +diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c +index e1c1ec5..a778ba9 100644 +--- a/drivers/pci/syscall.c ++++ b/drivers/pci/syscall.c +@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + u32 dword; + int err = 0; + +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SECURE_FIRMWARE)) + return -EPERM; + + dev = pci_get_bus_and_slot(bus, dfn); +-- +1.7.11.2 + + +From 888347d81b1ddcdcd5989cba1c212aed549928eb Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Thu, 8 Mar 2012 10:35:59 -0500 +Subject: [PATCH 04/14] x86: Lock down IO port access in secure boot + environments + +IO port access would permit users to gain access to PCI configuration +registers, which in turn (on a lot of hardware) give access to MMIO register +space. This would potentially permit root to trigger arbitrary DMA, so lock +it down by default. 
+ +Signed-off-by: Matthew Garrett +--- + arch/x86/kernel/ioport.c | 4 ++-- + drivers/char/mem.c | 3 +++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c +index 8c96897..c3a1bb2 100644 +--- a/arch/x86/kernel/ioport.c ++++ b/arch/x86/kernel/ioport.c +@@ -28,7 +28,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) + + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) + return -EINVAL; +- if (turn_on && !capable(CAP_SYS_RAWIO)) ++ if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE))) + return -EPERM; + + /* +@@ -102,7 +102,7 @@ long sys_iopl(unsigned int level, struct pt_regs *regs) + return -EINVAL; + /* Trying to gain more privileges? */ + if (level > old) { +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE)) + return -EPERM; + } + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); +diff --git a/drivers/char/mem.c b/drivers/char/mem.c +index e5eedfa..8f5f872 100644 +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, + unsigned long i = *ppos; + const char __user * tmp = buf; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + if (!access_ok(VERIFY_READ, buf, count)) + return -EFAULT; + while (count-- > 0 && i < 65536) { +-- +1.7.11.2 + + +From a02e91ca8639c6a3a43c684892e2802973c02efc Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 08:39:37 -0500 +Subject: [PATCH 05/14] ACPI: Limit access to custom_method + +It must be impossible for even root to get code executed in kernel context +under a secure boot environment. custom_method effectively allows arbitrary +access to system memory, so it needs to have a capability check here. 
+ +Signed-off-by: Matthew Garrett +--- + drivers/acpi/custom_method.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c +index 5d42c24..3e78014 100644 +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, + struct acpi_table_header table; + acpi_status status; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + if (!(*ppos)) { + /* parse the table header to get the table length */ + if (count <= sizeof(struct acpi_table_header)) +-- +1.7.11.2 + + +From c523e4918f56e5c17e39c0a5997cc1e741c0f42b Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 08:46:50 -0500 +Subject: [PATCH 06/14] asus-wmi: Restrict debugfs interface + +We have no way of validating what all of the Asus WMI methods do on a +given machine, and there's a risk that some will allow hardware state to +be manipulated in such a way that arbitrary code can be executed in the +kernel. Add a capability check to prevent that. 
+ +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/asus-wmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 77aadde..ba715c0 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1504,6 +1504,9 @@ static int show_dsts(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); + + if (err < 0) +@@ -1520,6 +1523,9 @@ static int show_devs(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, + &retval); + +@@ -1544,6 +1550,9 @@ static int show_call(struct seq_file *m, void *data) + union acpi_object *obj; + acpi_status status; + ++ if (!capable(CAP_SECURE_FIRMWARE)) ++ return -EPERM; ++ + status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, + 1, asus->debug.method_id, + &input, &output); +-- +1.7.11.2 + + +From 5dc9f0a45d092e5aec177eac1e5e19b62fb28cb2 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 09:28:15 -0500 +Subject: [PATCH 07/14] Restrict /dev/mem and /dev/kmem in secure boot setups + +Allowing users to write to address space makes it possible for the kernel +to be subverted. Restrict this when we need to protect the kernel. 
+
+Signed-off-by: Matthew Garrett
+---
+ drivers/char/mem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 8f5f872..c1de8e1 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+ unsigned long copied;
+ void *ptr;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ if (!valid_phys_addr_range(p, count))
+ return -EFAULT;
+
+@@ -530,6 +533,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+ char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+ int err = 0;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ if (p < (unsigned long) high_memory) {
+ unsigned long to_write = min_t(unsigned long, count,
+ (unsigned long)high_memory - p);
+--
+1.7.11.2
+
+
+From 16a693dde4c4dca871d920e15fe9dda01000ef86 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Fri, 9 Mar 2012 11:47:56 -0500
+Subject: [PATCH 08/14] kexec: Disable in a secure boot environment
+
+kexec could be used as a vector for a malicious user to use a signed kernel
+to circumvent the secure boot trust model. In the long run we'll want to
+support signed kexec payloads, but for the moment we should just disable
+loading entirely in that situation.
+
+Signed-off-by: Matthew Garrett
+---
+ kernel/kexec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 4e2e472..35051f9 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -944,7 +944,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+ int result;
+
+ /* We only trust the superuser with rebooting the system.
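Review bot: The capability check in the `write_mem` hunk, and the identical one in the `write_kmem` hunk, closes only the write(2) path, and the diffstat shows no other change to drivers/char/mem.c. The file's other routes to memory and I/O space, the `mmap_mem` handler and `write_port` for /dev/port, therefore appear to stay open under Secure Boot. To meet the commit message's goal they would need the same `if (!capable(CAP_SECURE_FIRMWARE)) return -EPERM;`, or one check at open time for writable opens. Both functions continue outside their hunks, so this should be confirmed against the full file.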
*/
+- if (!capable(CAP_SYS_BOOT))
++ if (!capable(CAP_SYS_BOOT) || !capable(CAP_SECURE_FIRMWARE))
+ return -EPERM;
+
+ /*
+--
+1.7.11.2
+
+
+From 82fe599f1192ba0bae968a8e05d8cddbbadd57bc Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Mon, 25 Jun 2012 19:45:15 -0400
+Subject: [PATCH 09/14] Secure boot: Add a dummy kernel parameter that will
+ switch on Secure Boot mode
+
+This forcibly drops CAP_SECURE_FIRMWARE from both cap_permitted and cap_bset
+in the init_cred struct, which everything else inherits from. This works on
+any machine and can be used to develop even if the box doesn't have UEFI.
+
+Signed-off-by: Josh Boyer
+---
+ kernel/cred.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/kernel/cred.c b/kernel/cred.c
+index de728ac..0d71d02 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -623,6 +623,20 @@ void __init cred_init(void)
+ 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
+ }
+
++/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
++static int __init secureboot_enable(char *str)
++{
++
++ int sb_enable = !!simple_strtol(str, NULL, 0);
++ pr_info("Secure Boot mode %s\n", (sb_enable ? "enabled" : "disabled"));
++ if (sb_enable) {
++ cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
++ cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
++ }
++ return 1;
++}
++__setup("secureboot_enable=", secureboot_enable);
++
+ /**
+ * prepare_kernel_cred - Prepare a set of credentials for a kernel service
+ * @daemon: A userspace daemon to be used as a reference
+--
+1.7.11.2
+
+
+From 5aa21bbaad50af58a54cc339f6ab7bf5c163d64f Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Wed, 18 Jul 2012 11:28:00 -0400
+Subject: [PATCH 10/14] efi: Enable secure boot lockdown automatically when
+ enabled in firmware
+
+The firmware has a set of flags that indicate whether secure boot is enabled
+and enforcing. Use them to indicate whether the kernel should lock itself
+down.
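Review bot: The comment directly above the changed condition in `kexec_load` still says "We only trust the superuser with rebooting the system", which no longer describes the test now that it also requires CAP_SECURE_FIRMWARE. I would extend it, for example `/* ... and refuse loading entirely when Secure Boot has removed CAP_SECURE_FIRMWARE, because the new image is not verified. */`, so the second capability is not mistaken for a redundant privilege check. The syscall body starts and ends outside this hunk.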
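Review bot: `secureboot_enable()` lowers CAP_SECURE_FIRMWARE only in `init_cred`'s `cap_bset` and `cap_permitted`, but `capable()` tests the effective set. Any context still running with `init_cred`'s original effective capabilities (kernel threads, boot-time code before the first exec) would keep passing the new checks. `init_cred`'s initialiser is not in this hunk, so confirm its `cap_effective`; if it starts full, add `cap_lower((&init_cred)->cap_effective, CAP_SECURE_FIRMWARE);`. The same applies to the non-static `secureboot_enable()` that patch 10/14 splits out of this function. Separately, `simple_strtol(str, NULL, 0)` silently treats a non-numeric value as 0, where `kstrtoint()` would let the handler reject it.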
+
+Signed-off-by: Matthew Garrett
+---
+ arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
+ arch/x86/include/asm/bootparam.h | 3 ++-
+ arch/x86/kernel/setup.c | 3 +++
+ include/linux/cred.h | 2 ++
+ kernel/cred.c | 18 +++++++++++-------
+ 5 files changed, 50 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index b3e0227..3789356 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -724,6 +724,36 @@ fail:
+ return status;
+ }
+
++static int get_secure_boot(efi_system_table_t *_table)
++{
++ u8 sb, setup;
++ unsigned long datasize = sizeof(sb);
++ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
++ efi_status_t status;
++
++ status = efi_call_phys5(sys_table->runtime->get_variable,
++ L"SecureBoot", &var_guid, NULL, &datasize, &sb);
++
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ if (sb == 0)
++ return 0;
++
++
++ status = efi_call_phys5(sys_table->runtime->get_variable,
++ L"SetupMode", &var_guid, NULL, &datasize,
++ &setup);
++
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ if (setup == 1)
++ return 0;
++
++ return 1;
++}
++
+ /*
+ * Because the x86 boot code expects to be passed a boot_params we
+ * need to create one ourselves (usually the bootloader would create
+@@ -1018,6 +1048,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
+ if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
+ goto fail;
+
++ boot_params->secure_boot = get_secure_boot(sys_table);
++
+ setup_graphics(boot_params);
+
+ status = efi_call_phys3(sys_table->boottime->allocate_pool,
+diff --git a/arch/x86/include/asm/bootparam.h b/arch/x86/include/asm/bootparam.h
+index 2ad874c..c7338e0 100644
+--- a/arch/x86/include/asm/bootparam.h
++++ b/arch/x86/include/asm/bootparam.h
+@@ -114,7 +114,8 @@ struct boot_params {
+ __u8 eddbuf_entries; /* 0x1e9 */
+ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */
+ __u8 kbd_status; /* 0x1eb */
+- __u8
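Review bot: In `get_secure_boot()` a failed `SetupMode` read after `SecureBoot` has already been read as non-zero returns 0, so an error on the second `get_variable` call leaves the kernel unlocked on a machine whose firmware reported Secure Boot as on. Failing closed there looks safer: `return 1;` in the second `status != EFI_SUCCESS` branch. A comment should then say why the first read fails open, presumably because the variable is absent on firmware without Secure Boot. Two smaller points: the `_table` parameter is never used because the body reads the global `sys_table`, and `datasize` is not reset to `sizeof(setup)` before the second call even though `get_variable` writes to it.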
_pad6[5]; /* 0x1ec */
++ __u8 secure_boot; /* 0x1ec */
++ __u8 _pad6[4]; /* 0x1ed */
+ struct setup_header hdr; /* setup header */ /* 0x1f1 */
+ __u8 _pad7[0x290-0x1f1-sizeof(struct setup_header)];
+ __u32 edd_mbr_sig_buffer[EDD_MBR_SIG_MAX]; /* 0x290 */
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index f4b9b80..239bf2a 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -947,6 +947,9 @@ void __init setup_arch(char **cmdline_p)
+
+ io_delay_init();
+
++ if (boot_params.secure_boot)
++ secureboot_enable();
++
+ /*
+ * Parse the ACPI tables for possible boot-time SMP configuration.
+ */
+diff --git a/include/linux/cred.h b/include/linux/cred.h
+index ebbed2c..a24faf1 100644
+--- a/include/linux/cred.h
++++ b/include/linux/cred.h
+@@ -170,6 +170,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
+ extern int set_create_files_as(struct cred *, struct inode *);
+ extern void __init cred_init(void);
+
++extern void secureboot_enable(void);
++
+ /*
+ * check for validity of credentials
+ */
+diff --git a/kernel/cred.c b/kernel/cred.c
+index 0d71d02..c43e2b0 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -623,19 +623,23 @@ void __init cred_init(void)
+ 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
+ }
+
++void __init secureboot_enable()
++{
++ pr_info("Secure boot enabled\n");
++ cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
++ cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
++}
++
+ /* Dummy Secure Boot enable option to fake out UEFI SB=1 */
+-static int __init secureboot_enable(char *str)
++static int __init secureboot_enable_opt(char *str)
+ {
+
+ int sb_enable = !!simple_strtol(str, NULL, 0);
+- pr_info("Secure Boot mode %s\n", (sb_enable ?
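Review bot: `secure_boot` takes over offset 0x1ec in `struct boot_params`, which until now was the first byte of `_pad6`, and the `setup_arch()` hunk acts on any non-zero value found there. Within this patch only the EFI stub sets the field, so for a boot loader that builds `boot_params` itself the byte holds whatever was left in the padding. That can switch lockdown on spuriously, and it means the flag is only as trustworthy as the loader that filled the structure. I would document the field and who is expected to fill it, e.g. `__u8 secure_boot; /* 0x1ec: set by the EFI stub or boot loader when firmware enforces Secure Boot */`, and mention it in the boot-protocol documentation. The struct continues outside the hunk.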
"enabled" : "disabled"));
+- if (sb_enable) {
+- cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
+- cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
+- }
++ if (sb_enable)
++ secureboot_enable();
+ return 1;
+ }
+-__setup("secureboot_enable=", secureboot_enable);
++__setup("secureboot_enable=", secureboot_enable_opt);
+
+ /**
+ * prepare_kernel_cred - Prepare a set of credentials for a kernel service
+--
+1.7.11.2
+
+
+From 7b875c254033d29fa05b0c026b8097f8e5e1b96c Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Mon, 25 Jun 2012 19:57:30 -0400
+Subject: [PATCH 11/14] acpi: Ignore acpi_rsdp kernel parameter in a secure
+ boot environment
+
+This option allows userspace to pass the RSDP address to the kernel. This
+could potentially be used to circumvent the secure boot trust model.
+We ignore the setting if we don't have the CAP_SECURE_FIRMWARE capability.
+
+Signed-off-by: Josh Boyer
+---
+ drivers/acpi/osl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
+index c3881b2..fb84388 100644
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+ acpi_physical_address __init acpi_os_get_root_pointer(void)
+ {
+ #ifdef CONFIG_KEXEC
+- if (acpi_rsdp)
++ if (acpi_rsdp && capable(CAP_SECURE_FIRMWARE))
+ return acpi_rsdp;
+ #endif
+
+--
+1.7.11.2
+
+
+From 5ba183ef3e556bf11bbe73abd2cba50dc097881d Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Mon, 25 Jun 2012 21:29:46 -0400
+Subject: [PATCH 12/14] Documentation: kernel-parameters.txt remove
+ capability.disable
+
+Remove the documentation for capability.disable.
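Review bot: `capable()` in `acpi_os_get_root_pointer()` is evaluated in `__init` context against the boot task's credentials, so the `acpi_rsdp` override is ignored only if the capability has already been removed from the set `capable()` consults by the time ACPI looks up the root pointer. That ordering is not visible in this hunk and should be confirmed. Two cases need checking: the `secureboot_enable=` `__setup` handler, which may run later than the `early_param` shown in the hunk header, and whether `capable()` is safe to call this early in boot. When the override is dropped I would also log it, e.g. `pr_info("acpi_rsdp ignored: Secure Boot is enabled\n");`, since the parameter is otherwise discarded silently.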
The code supporting this
+parameter was removed with:
+
+ commit 5915eb53861c5776cfec33ca4fcc1fd20d66dd27
+ Author: Miklos Szeredi
+ Date: Thu Jul 3 20:56:05 2008 +0200
+
+ security: remove dummy module
+
+Signed-off-by: Josh Boyer
+---
+ Documentation/kernel-parameters.txt | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 12783fa..cec4bf2 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -446,12 +446,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ possible to determine what the correct size should be.
+ This option provides an override for these situations.
+
+- capability.disable=
+- [SECURITY] Disable capabilities. This would normally
+- be used only if an alternative security model is to be
+- configured. Potentially dangerous and should only be
+- used if you are entirely sure of the consequences.
+-
+ ccw_timeout_log [S390]
+ See Documentation/s390/CommonIO for details.
+
+--
+1.7.11.2
+
+
+From 220f3a8cc351d220156e4903bf03c28ab44db6e3 Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Tue, 26 Jun 2012 14:15:51 -0400
+Subject: [PATCH 13/14] SELinux: define mapping for new Secure Boot capability
+
+Add the name of the new Secure Boot capability. This allows SELinux
+policies to properly map CAP_SECURE_FIRMWARE to the appropriate
+capability class.
+
+Signed-off-by: Josh Boyer
+---
+ security/selinux/include/classmap.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
+index df2de54..0a1e348 100644
+--- a/security/selinux/include/classmap.h
++++ b/security/selinux/include/classmap.h
+@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
+ { "memprotect", { "mmap_zero", NULL } },
+ { "peer", { "recv", NULL } },
+ { "capability2",
+- { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
+- NULL } },
++ { "mac_override", "mac_admin", "syslog", "wake_alarm",
++ "block_suspend", "secure_firmware", NULL } },
+ { "kernel_service", { "use_as_override", "create_files_as", NULL } },
+ { "tun_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+--
+1.7.11.2
+
+
+From e5df15082c685dbf5c6917b891af73106342c0bb Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Tue, 26 Jun 2012 16:27:26 -0400
+Subject: [PATCH 14/14] modsign: Reject unsigned modules in a Secure Boot
+ environment
+
+If a machine is booted into a Secure Boot environment, we need to
+protect the trust model. This requires that all modules be signed
+with a key that is in the kernel's _modsign keyring. We add a
+capability check and reject modules that are not signed.
+
+Signed-off-by: Josh Boyer
+---
+ kernel/module-verify.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/module-verify.c b/kernel/module-verify.c
+index b9c3955..f35532a 100644
+--- a/kernel/module-verify.c
++++ b/kernel/module-verify.c
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include "module-verify.h"
+ #include "module-verify-defs.h"
+@@ -699,7 +700,7 @@ int module_verify(const Elf_Ehdr *hdr, size_t size, bool *_gpgsig_ok)
+ /* The ELF checker found the sig for us if it exists */
+ if (mvdata.sig_index <= 0) {
+ /* Deal with an unsigned module */
+- if (modsign_signedonly) {
++ if (modsign_signedonly || !capable(CAP_SECURE_FIRMWARE)) {
+ pr_err("An attempt to load unsigned module was rejected\n");
+ return -EKEYREJECTED;
+ } else {
+--
+1.7.11.2
+
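Review bot: The added `!capable(CAP_SECURE_FIRMWARE)` test in `module_verify()` sits only in the `mvdata.sig_index <= 0` branch, so it rejects only modules that carry no signature at all. The commit message says every module must be signed with a key in the kernel's keyring, so the handling of a signature that is present but made with an unknown key, which lies outside this hunk, should be checked for a condition on `modsign_signedonly` alone that needs the same treatment. The error text could also say why the module was refused, e.g. `pr_err("Unsigned module rejected (signed-only mode or Secure Boot)\n");`.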