rpms/kernel
9
2
Fork 4
Code Issues Pull Requests Releases Activity

Update modsign and include secure boot

Browse Source 
- Update modsign patch to latest upstream
- Add initial UEFI Secure Boot patchset.  Work in progress.
This commit is contained in:
Josh Boyer 2012-07-24 11:22:32 -04:00
parent e5daab5438
commit 306dfccc03
3 changed files with 1493 additions and 316 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
kernel.spec
View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 1
%global baserelease 2
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -672,7 +672,10 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
Patch800: linux-2.6-crash-driver.patch
# crypto/
Patch900: modsign-20120718.patch
Patch900: modsign-20120724.patch
# secure boot
Patch1000: secure-boot-20120724.patch
# virt + ksm patches
Patch1555: fix_xen_guest_on_old_EC2.patch
@ -1374,7 +1377,10 @@ ApplyPatch linux-2.6-crash-driver.patch
ApplyPatch linux-2.6-e1000-ich9-montevina.patch
# crypto/
ApplyPatch modsign-20120718.patch
ApplyPatch modsign-20120724.patch
# secure boot
ApplyPatch secure-boot-20120724.patch
# Assorted Virt Fixes
ApplyPatch fix_xen_guest_on_old_EC2.patch
@ -2295,6 +2301,10 @@ fi
# ||----w |
# || ||
%changelog
* Tue Jul 24 2012 Josh Boyer <jwboyer@redhat.com>
- Update modsign patch to latest upstream
- Add initial UEFI Secure Boot patchset. Work in progress.
* Tue Jul 24 2012 Justin M. Forbes <jforbes@redhat.com> - 3.6.0-0.rc0.git1.1
- Linux v3.5-1643-gf0a08fc

448
modsign-20120718.patch → modsign-20120724.patch
View File

@ -1,6 +1,6 @@
From d1ff3781d12ad616073b4f1f3b04cef22d8c7c21 Mon Sep 17 00:00:00 2001
From d012ed16fd7eff5498ddd9be8ad9960a644db518 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 13:12:20 +0100
Date: Tue, 24 Jul 2012 13:59:15 +0100
Subject: [PATCH 01/27] MPILIB: Provide count_leading/trailing_zeros() based
on arch functions
@ -17,14 +17,11 @@ Cc: David S. Miller <davem@davemloft.net>
Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Cc: Arnd Bergmann <arnd@arndb.com>
---
include/asm-generic/bitops/count_zeros.h | 57 ++++++++++++
lib/mpi/longlong.h | 138 +-----------------------------
include/asm-generic/bitops/count_zeros.h | 57 +++++++++++++
lib/mpi/longlong.h | 138 +------------------------------
lib/mpi/mpi-bit.c | 2 +-
lib/mpi/mpi-div.c | 2 +-
lib/mpi/mpi-pow.c | 4 +-
lib/mpi/mpi-scan.c | 2 +-
lib/mpi/mpih-div.c | 8 +-
7 files changed, 68 insertions(+), 145 deletions(-)
4 files changed, 62 insertions(+), 139 deletions(-)
create mode 100644 include/asm-generic/bitops/count_zeros.h
diff --git a/include/asm-generic/bitops/count_zeros.h b/include/asm-generic/bitops/count_zeros.h
@ -324,7 +321,7 @@ index 29f9862..678ce4f 100644
#define UDIV_NEEDS_NORMALIZATION 0
#endif
diff --git a/lib/mpi/mpi-bit.c b/lib/mpi/mpi-bit.c
index 0c50536..3fc00bf 100644
index 5687248..503537e 100644
--- a/lib/mpi/mpi-bit.c
+++ b/lib/mpi/mpi-bit.c
@@ -45,7 +45,7 @@ unsigned mpi_get_nbits(MPI a)
@ -336,19 +333,6 @@ index 0c50536..3fc00bf 100644
else
n = BITS_PER_MPI_LIMB;
n = BITS_PER_MPI_LIMB - n + (a->nlimbs - 1) * BITS_PER_MPI_LIMB;
diff --git a/lib/mpi/mpi-div.c b/lib/mpi/mpi-div.c
index f68cbbb..51f105c 100644
--- a/lib/mpi/mpi-div.c
+++ b/lib/mpi/mpi-div.c
@@ -217,7 +217,7 @@ int mpi_tdiv_qr(MPI quot, MPI rem, MPI num, MPI den)
} else /* Put quotient at top of remainder. */
qp = rp + dsize;
- count_leading_zeros(normalization_steps, dp[dsize - 1]);
+ normalization_steps = count_leading_zeros(dp[dsize - 1]);
/* Normalize the denominator, i.e. make its most significant bit set by
* shifting it NORMALIZATION_STEPS bits to the left. Also shift the
diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c
index 67f3e79..5464c87 100644
--- a/lib/mpi/mpi-pow.c
@ -371,66 +355,13 @@ index 67f3e79..5464c87 100644
e = (e << c) << 1; /* shift the exp bits to the left, lose msb */
c = BITS_PER_MPI_LIMB - 1 - c;
diff --git a/lib/mpi/mpi-scan.c b/lib/mpi/mpi-scan.c
index b2da5ad..58556b5 100644
--- a/lib/mpi/mpi-scan.c
+++ b/lib/mpi/mpi-scan.c
@@ -125,7 +125,7 @@ unsigned mpi_trailing_zeros(const MPI a)
unsigned nn;
mpi_limb_t alimb = a->d[n];
- count_trailing_zeros(nn, alimb);
+ nn = count_trailing_zeros(alimb);
count += nn;
break;
}
diff --git a/lib/mpi/mpih-div.c b/lib/mpi/mpih-div.c
index cde1aae..d6483792 100644
--- a/lib/mpi/mpih-div.c
+++ b/lib/mpi/mpih-div.c
@@ -65,7 +65,7 @@ mpihelp_mod_1(mpi_ptr_t dividend_ptr, mpi_size_t dividend_size,
&& (UDIV_TIME - (2 * UMUL_TIME + 6)) * dividend_size > UDIV_TIME) {
int normalization_steps;
- count_leading_zeros(normalization_steps, divisor_limb);
+ normalization_steps = count_leading_zeros(divisor_limb);
if (normalization_steps) {
mpi_limb_t divisor_limb_inverted;
@@ -142,7 +142,7 @@ mpihelp_mod_1(mpi_ptr_t dividend_ptr, mpi_size_t dividend_size,
if (UDIV_NEEDS_NORMALIZATION) {
int normalization_steps;
- count_leading_zeros(normalization_steps, divisor_limb);
+ normalization_steps = count_leading_zeros(divisor_limb);
if (normalization_steps) {
divisor_limb <<= normalization_steps;
@@ -421,7 +421,7 @@ mpihelp_divmod_1(mpi_ptr_t quot_ptr,
&& (UDIV_TIME - (2 * UMUL_TIME + 6)) * dividend_size > UDIV_TIME) {
int normalization_steps;
- count_leading_zeros(normalization_steps, divisor_limb);
+ normalization_steps = count_leading_zeros(divisor_limb);
if (normalization_steps) {
mpi_limb_t divisor_limb_inverted;
@@ -496,7 +496,7 @@ mpihelp_divmod_1(mpi_ptr_t quot_ptr,
if (UDIV_NEEDS_NORMALIZATION) {
int normalization_steps;
- count_leading_zeros(normalization_steps, divisor_limb);
+ normalization_steps = count_leading_zeros(divisor_limb);
if (normalization_steps) {
divisor_limb <<= normalization_steps;
--
1.7.10.4
1.7.11.2
From 7611bb8e543cb2255c69bfb5edd85ed0d2cdb9e9 Mon Sep 17 00:00:00 2001
From e2faf6ee3cc2f8cfe1c18e8d31eaf01fa653fd79 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 13:12:20 +0100
Date: Tue, 24 Jul 2012 13:59:51 +0100
Subject: [PATCH 02/27] KEYS: Create a key type that can be used for general
cryptographic operations
@ -442,7 +373,7 @@ algorithms.
Signed-off-by: David Howells <dhowells@redhat.com>
---
Documentation/security/keys-crypto.txt | 181 +++++++++++++++++++++++++
Documentation/security/keys-crypto.txt | 181 ++++++++++++++++++++++++++
include/keys/crypto-subtype.h | 56 ++++++++
include/keys/crypto-type.h | 25 ++++
security/keys/Kconfig | 2 +
@ -450,7 +381,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
security/keys/crypto/Kconfig | 7 +
security/keys/crypto/Makefile | 7 +
security/keys/crypto/crypto_keys.h | 28 ++++
security/keys/crypto/crypto_type.c | 228 ++++++++++++++++++++++++++++++++
security/keys/crypto/crypto_type.c | 228 +++++++++++++++++++++++++++++++++
9 files changed, 535 insertions(+)
create mode 100644 Documentation/security/keys-crypto.txt
create mode 100644 include/keys/crypto-subtype.h
@ -1054,12 +985,12 @@ index 0000000..33d279b
+module_init(crypto_key_init);
+module_exit(crypto_key_cleanup);
--
1.7.10.4
1.7.11.2
From 23d7c6d8927420846af94823a90de1c24120bfea Mon Sep 17 00:00:00 2001
From f7b41b16f3c6d24b46100b259a83c50615be5a23 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 13:12:20 +0100
Date: Tue, 24 Jul 2012 13:59:51 +0100
Subject: [PATCH 03/27] KEYS: Add signature verification facility
Add a facility whereby a key subtype may be asked to verify a signature against
@ -1092,11 +1023,11 @@ This adds four routines:
Signed-off-by: David Howells <dhowells@redhat.com>
---
Documentation/security/keys-crypto.txt | 101 ++++++++++++++++++++++++++++
include/keys/crypto-subtype.h | 21 ++++++
Documentation/security/keys-crypto.txt | 101 +++++++++++++++++++++++++++++
include/keys/crypto-subtype.h | 21 +++++++
include/keys/crypto-type.h | 9 +++
security/keys/crypto/Makefile | 2 +-
security/keys/crypto/crypto_verify.c | 112 ++++++++++++++++++++++++++++++++
security/keys/crypto/crypto_verify.c | 112 +++++++++++++++++++++++++++++++++
5 files changed, 244 insertions(+), 1 deletion(-)
create mode 100644 security/keys/crypto/crypto_verify.c
@ -1428,12 +1359,12 @@ index 0000000..3f2964b
+}
+EXPORT_SYMBOL_GPL(verify_sig_cancel);
--
1.7.10.4
1.7.11.2
From 2fd136dec4682c1fa2609a7a94cf0353c334615c Mon Sep 17 00:00:00 2001
From dfa8292f4527f46cabbbd64bd89766ac1dbe6546 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 13:12:20 +0100
Date: Tue, 24 Jul 2012 13:59:52 +0100
Subject: [PATCH 04/27] KEYS: Asymmetric public-key algorithm crypto key
subtype
@ -1444,8 +1375,8 @@ Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/crypto/Kconfig | 10 ++++
security/keys/crypto/Makefile | 3 +-
security/keys/crypto/public_key.c | 55 +++++++++++++++++++
security/keys/crypto/public_key.h | 106 +++++++++++++++++++++++++++++++++++++
security/keys/crypto/public_key.c | 55 ++++++++++++++++++++
security/keys/crypto/public_key.h | 106 ++++++++++++++++++++++++++++++++++++++
4 files changed, 173 insertions(+), 1 deletion(-)
create mode 100644 security/keys/crypto/public_key.c
create mode 100644 security/keys/crypto/public_key.h
@ -1654,45 +1585,120 @@ index 0000000..81ed603
+
+#endif /* _LINUX_PUBLIC_KEY_H */
--
1.7.10.4
1.7.11.2
From ba785b97c90fc4403b2124dc2cecc842ba49be54 Mon Sep 17 00:00:00 2001
From 0a8e7f4cc41d3cddf8a2367b1f0ed2bb1f6ccc91 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 13:12:21 +0100
Subject: [PATCH 05/27] KEYS: RSA: Add exports from MPILIB
Date: Tue, 24 Jul 2012 14:10:37 +0100
Subject: [PATCH 05/27] MPILIB: Reinstate mpi_cmp[_ui]() and export for RSA
signature verification
Export mpi_cmp() and mpi_cmp_ui() from the MPI library for use by RSA.
Reinstate and export mpi_cmp() and mpi_cmp_ui() from the MPI library for use by
RSA signature verification as per RFC3447 section 5.2.2 step 1.
Signed-off-by: David Howells <dhowells@redhat.com>
---
lib/mpi/mpi-cmp.c | 2 ++
1 file changed, 2 insertions(+)
lib/mpi/Makefile | 1 +
lib/mpi/mpi-cmp.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+)
create mode 100644 lib/mpi/mpi-cmp.c
diff --git a/lib/mpi/Makefile b/lib/mpi/Makefile
index 45ca90a..019a68c 100644
--- a/lib/mpi/Makefile
+++ b/lib/mpi/Makefile
@@ -14,6 +14,7 @@ mpi-y = \
generic_mpih-add1.o \
mpicoder.o \
mpi-bit.o \
+ mpi-cmp.o \
mpih-cmp.o \
mpih-div.o \
mpih-mul.o \
diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c
index 914bc42..1871e7b 100644
--- a/lib/mpi/mpi-cmp.c
new file mode 100644
index 0000000..1871e7b
--- /dev/null
+++ b/lib/mpi/mpi-cmp.c
@@ -39,6 +39,7 @@ int mpi_cmp_ui(MPI u, unsigned long v)
else
return -1;
}
@@ -0,0 +1,70 @@
+/* mpi-cmp.c - MPI functions
+ * Copyright (C) 1998, 1999 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#include "mpi-internal.h"
+
+int mpi_cmp_ui(MPI u, unsigned long v)
+{
+ mpi_limb_t limb = v;
+
+ mpi_normalize(u);
+ if (!u->nlimbs && !limb)
+ return 0;
+ if (u->sign)
+ return -1;
+ if (u->nlimbs > 1)
+ return 1;
+
+ if (u->d[0] == limb)
+ return 0;
+ else if (u->d[0] > limb)
+ return 1;
+ else
+ return -1;
+}
+EXPORT_SYMBOL_GPL(mpi_cmp_ui);
int mpi_cmp(MPI u, MPI v)
{
@@ -66,3 +67,4 @@ int mpi_cmp(MPI u, MPI v)
return 1;
return -1;
}
+
+int mpi_cmp(MPI u, MPI v)
+{
+ mpi_size_t usize, vsize;
+ int cmp;
+
+ mpi_normalize(u);
+ mpi_normalize(v);
+ usize = u->nlimbs;
+ vsize = v->nlimbs;
+ if (!u->sign && v->sign)
+ return 1;
+ if (u->sign && !v->sign)
+ return -1;
+ if (usize != vsize && !u->sign && !v->sign)
+ return usize - vsize;
+ if (usize != vsize && u->sign && v->sign)
+ return vsize + usize;
+ if (!usize)
+ return 0;
+ cmp = mpihelp_cmp(u->d, v->d, usize);
+ if (!cmp)
+ return 0;
+ if ((cmp < 0 ? 1 : 0) == (u->sign ? 1 : 0))
+ return 1;
+ return -1;
+}
+EXPORT_SYMBOL_GPL(mpi_cmp);
--
1.7.10.4
1.7.11.2
From 650edd748b92eea0622ecb26a5ee81c7b582d04c Mon Sep 17 00:00:00 2001
From de86fda3085f6586bfd28517c07a2cd8cd4f9893 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:15:36 +0100
Date: Tue, 24 Jul 2012 14:10:39 +0100
Subject: [PATCH 06/27] KEYS: RSA: Implement signature verification algorithm
[PKCS#1 / RFC3447]
@ -1704,7 +1710,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/crypto/Kconfig | 7 +
security/keys/crypto/Makefile | 1 +
security/keys/crypto/crypto_rsa.c | 264 +++++++++++++++++++++++++++++++++++++
security/keys/crypto/crypto_rsa.c | 264 ++++++++++++++++++++++++++++++++++++++
security/keys/crypto/public_key.h | 2 +
4 files changed, 274 insertions(+)
create mode 100644 security/keys/crypto/crypto_rsa.c
@ -2017,12 +2023,12 @@ index 81ed603..7913615 100644
* Asymmetric public key data
*/
--
1.7.10.4
1.7.11.2
From 7da10c257377762e1a6ac747b48791cf610ba4c5 Mon Sep 17 00:00:00 2001
From 2363851f3eeae9ec32ee6d5f868085eb11afa717 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:15:39 +0100
Date: Tue, 24 Jul 2012 14:11:19 +0100
Subject: [PATCH 07/27] KEYS: RSA: Fix signature verification for shorter
signatures
@ -2073,12 +2079,12 @@ index 845285c..a4a63be 100644
ret = RSAVP1(key, sig->rsa.s, &m);
if (ret < 0)
--
1.7.10.4
1.7.11.2
From 4366c59a624398d1aba4d6651191ba880da9e694 Mon Sep 17 00:00:00 2001
From edfd057d757164e207edfb3d3affa87cf0b126e6 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:15:52 +0100
Date: Tue, 24 Jul 2012 14:11:19 +0100
Subject: [PATCH 08/27] PGPLIB: PGP definitions (RFC 4880)
Provide some useful PGP definitions from RFC 4880. These describe details of
@ -2087,7 +2093,7 @@ verification.
Signed-off-by: David Howells <dhowells@redhat.com>
---
include/linux/pgp.h | 206 +++++++++++++++++++++++++++++++++++++++++++++++++++
include/linux/pgp.h | 206 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 206 insertions(+)
create mode 100644 include/linux/pgp.h
@ -2304,12 +2310,12 @@ index 0000000..1359f64
+
+#endif /* _LINUX_PGP_H */
--
1.7.10.4
1.7.11.2
From 0409a338e01de5025cec2a1b291442651163aafd Mon Sep 17 00:00:00 2001
From 36f2b76a6ee5c6d86f6d7725ead9e5252b1d29a6 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:17:46 +0100
Date: Tue, 24 Jul 2012 14:11:20 +0100
Subject: [PATCH 09/27] PGPLIB: Basic packet parser
Provide a simple parser that extracts the packets from a PGP packet blob and
@ -2334,7 +2340,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
include/linux/pgplib.h | 47 +++++++
security/keys/crypto/Kconfig | 6 +
security/keys/crypto/Makefile | 1 +
security/keys/crypto/pgp_library.c | 268 ++++++++++++++++++++++++++++++++++++
security/keys/crypto/pgp_library.c | 268 +++++++++++++++++++++++++++++++++++++
4 files changed, 322 insertions(+)
create mode 100644 include/linux/pgplib.h
create mode 100644 security/keys/crypto/pgp_library.c
@ -2690,12 +2696,12 @@ index 0000000..af396d6
+}
+EXPORT_SYMBOL_GPL(pgp_parse_public_key);
--
1.7.10.4
1.7.11.2
From 2a76433139dbdc6d57d38da6ceb79ce05ab603a4 Mon Sep 17 00:00:00 2001
From 6f830b85b1e32e44291c2bdff6b936025c48b40d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:21:24 +0100
Date: Tue, 24 Jul 2012 14:11:20 +0100
Subject: [PATCH 10/27] PGPLIB: Signature parser
Provide some PGP signature parsing helpers:
@ -2715,7 +2721,7 @@ Provide some PGP signature parsing helpers:
Signed-off-by: David Howells <dhowells@redhat.com>
---
include/linux/pgplib.h | 25 ++++
security/keys/crypto/pgp_library.c | 280 ++++++++++++++++++++++++++++++++++++
security/keys/crypto/pgp_library.c | 280 +++++++++++++++++++++++++++++++++++++
2 files changed, 305 insertions(+)
diff --git a/include/linux/pgplib.h b/include/linux/pgplib.h
@ -3043,12 +3049,12 @@ index af396d6..c9218df 100644
+}
+EXPORT_SYMBOL_GPL(pgp_parse_sig_params);
--
1.7.10.4
1.7.11.2
From 91a05bc308c1e177410882a119f388d3b6b53c22 Mon Sep 17 00:00:00 2001
From c0e901a1ce72ddf259de219506327271cf3bb700 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:21:26 +0100
Date: Tue, 24 Jul 2012 14:11:21 +0100
Subject: [PATCH 11/27] KEYS: PGP data parser
Implement a PGP data parser for the crypto key type to use when instantiating a
@ -3069,7 +3075,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
security/keys/crypto/Kconfig | 12 ++
security/keys/crypto/Makefile | 4 +
security/keys/crypto/pgp_parser.h | 23 +++
security/keys/crypto/pgp_public_key.c | 348 +++++++++++++++++++++++++++++++++
security/keys/crypto/pgp_public_key.c | 348 ++++++++++++++++++++++++++++++++++
4 files changed, 387 insertions(+)
create mode 100644 security/keys/crypto/pgp_parser.h
create mode 100644 security/keys/crypto/pgp_public_key.c
@ -3490,12 +3496,12 @@ index 0000000..8a8b7c0
+module_init(pgp_key_init);
+module_exit(pgp_key_exit);
--
1.7.10.4
1.7.11.2
From 14191eaae2f9ccba2563a4bf9c30ffcbf153f521 Mon Sep 17 00:00:00 2001
From b830627f3b864530540ad88df21d2ceefcba7459 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:22:19 +0100
Date: Tue, 24 Jul 2012 14:11:21 +0100
Subject: [PATCH 12/27] KEYS: PGP-based public key signature verification
Provide handlers for PGP-based public-key algorithm signature verification.
@ -3510,7 +3516,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/crypto/Makefile | 3 +-
security/keys/crypto/pgp_parser.h | 6 +
security/keys/crypto/pgp_sig_verify.c | 325 +++++++++++++++++++++++++++++++++
security/keys/crypto/pgp_sig_verify.c | 325 ++++++++++++++++++++++++++++++++++
3 files changed, 333 insertions(+), 1 deletion(-)
create mode 100644 security/keys/crypto/pgp_sig_verify.c
@ -3871,12 +3877,12 @@ index 0000000..82c89da
+ kleave("");
+}
--
1.7.10.4
1.7.11.2
From 3ca6d54c9bbd0633b7f8e1b033c7d8b2ebe85489 Mon Sep 17 00:00:00 2001
From fbd1b578b58a197da42428fda49654d38c794f31 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:22:40 +0100
Date: Tue, 24 Jul 2012 14:11:21 +0100
Subject: [PATCH 13/27] KEYS: PGP format signature parser
Implement a signature parser that will attempt to parse a signature blob as a
@ -3888,7 +3894,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
security/keys/crypto/Makefile | 1 +
security/keys/crypto/pgp_parser.h | 6 ++
security/keys/crypto/pgp_public_key.c | 1 +
security/keys/crypto/pgp_sig_parser.c | 114 +++++++++++++++++++++++++++++++++
security/keys/crypto/pgp_sig_parser.c | 114 ++++++++++++++++++++++++++++++++++
4 files changed, 122 insertions(+)
create mode 100644 security/keys/crypto/pgp_sig_parser.c
@ -4052,12 +4058,12 @@ index 0000000..f5feb2b
+ return ctx;
+}
--
1.7.10.4
1.7.11.2
From 30a028f485bd476ef3ad73fbb042a55b4851c966 Mon Sep 17 00:00:00 2001
From a04615b5ce4ae2e6e0f1932cd697b6a3d41cb9f8 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:22:59 +0100
Date: Tue, 24 Jul 2012 14:11:21 +0100
Subject: [PATCH 14/27] KEYS: Provide a function to load keys from a PGP
keyring blob
@ -4084,10 +4090,10 @@ out some errors.
Signed-off-by: David Howells <dhowells@redhat.com>
---
Documentation/security/keys-crypto.txt | 20 +++++++
include/keys/crypto-type.h | 3 +
security/keys/crypto/Kconfig | 9 +++
include/keys/crypto-type.h | 3 ++
security/keys/crypto/Kconfig | 9 ++++
security/keys/crypto/Makefile | 1 +
security/keys/crypto/pgp_preload.c | 96 ++++++++++++++++++++++++++++++++
security/keys/crypto/pgp_preload.c | 96 ++++++++++++++++++++++++++++++++++
5 files changed, 129 insertions(+)
create mode 100644 security/keys/crypto/pgp_preload.c
@ -4270,12 +4276,12 @@ index 0000000..9028788
+ return pgp_parse_packets(pgpdata, pgpdatalen, &ctx.pgp);
+}
--
1.7.10.4
1.7.11.2
From 13b8bd0afb58d1000c74741f176862efb6d1bcc9 Mon Sep 17 00:00:00 2001
From d0e5635f09c91ca12fa5a508c2ba5197372d7487 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:25:41 +0100
Date: Tue, 24 Jul 2012 14:13:56 +0100
Subject: [PATCH 15/27] Make most arch asm/module.h files use
asm-generic/module.h
@ -4315,9 +4321,9 @@ unsupported type of relocation record as that's now handled centrally.
Signed-off-by: David Howells <dhowells@redhat.com>
---
arch/Kconfig | 19 +++++++++++++++++
arch/Kconfig | 19 ++++++++++++++++++
arch/alpha/Kconfig | 2 ++
arch/alpha/include/asm/module.h | 10 ++-------
arch/alpha/include/asm/module.h | 10 ++--------
arch/arm/Kconfig | 2 ++
arch/arm/include/asm/module.h | 8 ++------
arch/avr32/Kconfig | 2 ++
@ -4325,26 +4331,26 @@ Signed-off-by: David Howells <dhowells@redhat.com>
arch/blackfin/Kconfig | 2 ++
arch/blackfin/include/asm/module.h | 4 +---
arch/c6x/Kconfig | 1 +
arch/c6x/include/asm/module.h | 12 +----------
arch/c6x/include/asm/module.h | 12 +-----------
arch/cris/Kconfig | 1 +
arch/cris/include/asm/Kbuild | 2 ++
arch/cris/include/asm/module.h | 9 --------
arch/cris/include/asm/module.h | 9 ---------
arch/frv/include/asm/module.h | 8 +-------
arch/h8300/Kconfig | 1 +
arch/h8300/include/asm/Kbuild | 2 ++
arch/h8300/include/asm/module.h | 11 ----------
arch/h8300/include/asm/module.h | 11 -----------
arch/hexagon/Kconfig | 1 +
arch/ia64/Kconfig | 2 ++
arch/ia64/include/asm/module.h | 6 ++----
arch/m32r/Kconfig | 1 +
arch/m32r/include/asm/Kbuild | 2 ++
arch/m32r/include/asm/module.h | 10 ---------
arch/m32r/include/asm/module.h | 10 ----------
arch/m32r/kernel/module.c | 15 --------------
arch/m68k/Kconfig | 3 +++
arch/m68k/include/asm/module.h | 6 ++----
arch/microblaze/Kconfig | 1 +
arch/mips/Kconfig | 3 +++
arch/mips/include/asm/module.h | 10 +++++++--
arch/mips/include/asm/module.h | 10 ++++++++--
arch/mips/kernel/module.c | 2 ++
arch/mn10300/Kconfig | 1 +
arch/mn10300/include/asm/module.h | 7 +------
@ -4354,23 +4360,23 @@ Signed-off-by: David Howells <dhowells@redhat.com>
arch/powerpc/Kconfig | 2 ++
arch/powerpc/include/asm/module.h | 7 +------
arch/s390/Kconfig | 2 ++
arch/s390/include/asm/module.h | 18 +++-------------
arch/s390/include/asm/module.h | 18 +++--------------
arch/score/Kconfig | 2 ++
arch/score/include/asm/module.h | 6 +-----
arch/score/kernel/module.c | 10 ---------
arch/score/kernel/module.c | 10 ----------
arch/sh/Kconfig | 2 ++
arch/sh/include/asm/module.h | 14 +++----------
arch/sparc/Kconfig | 1 +
arch/sparc/include/asm/Kbuild | 1 +
arch/sparc/include/asm/module.h | 24 ----------------------
arch/sparc/include/asm/module.h | 24 -----------------------
arch/tile/Kconfig | 1 +
arch/unicore32/Kconfig | 1 +
arch/x86/Kconfig | 2 ++
arch/xtensa/Kconfig | 1 +
arch/xtensa/include/asm/module.h | 9 +-------
include/asm-generic/module.h | 40 +++++++++++++++++++++++++++++-------
include/linux/moduleloader.h | 36 ++++++++++++++++++++++++++++----
kernel/module.c | 20 ------------------
arch/xtensa/include/asm/module.h | 9 +--------
include/asm-generic/module.h | 40 +++++++++++++++++++++++++++++++-------
include/linux/moduleloader.h | 36 ++++++++++++++++++++++++++++++----
kernel/module.c | 20 -------------------
56 files changed, 167 insertions(+), 223 deletions(-)
delete mode 100644 arch/cris/include/asm/module.h
delete mode 100644 arch/h8300/include/asm/module.h
@ -4445,7 +4451,7 @@ index 7b63743..9cd13b5 100644
#ifdef MODULE
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index a91009c..af8bf36 100644
index c7e6d20..5fc742e 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -45,6 +45,8 @@ config ARM
@ -4837,7 +4843,7 @@ index 0bf4423..ee395d3 100644
config SWAP
def_bool n
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index 09ab87e..2901b41 100644
index b3e10fd..5972ebd 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -34,6 +34,9 @@ config MIPS
@ -4991,7 +4997,7 @@ index 1f41234..bab37e9 100644
struct unwind_table;
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 050cb37..17d3267 100644
index 9a5d3cd..5a91b5b 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -137,6 +137,8 @@ config PPC
@ -5137,7 +5143,7 @@ index 469e3b6..1378d99 100644
const struct exception_table_entry *search_module_dbetables(unsigned long addr)
{
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 31d9db7..22c02bb 100644
index a24595d..365ecf5 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -34,6 +34,8 @@ config SUPERH
@ -5231,10 +5237,10 @@ index ff8e02d..0000000
-
-#endif /* __SPARC_MODULE_H */
diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
index fe12881..2d8bc27 100644
index 932e443..1603f30 100644
--- a/arch/tile/Kconfig
+++ b/arch/tile/Kconfig
@@ -15,6 +15,7 @@ config TILE
@@ -17,6 +17,7 @@ config TILE
select SYS_HYPERVISOR
select ARCH_HAVE_NMI_SAFE_CMPXCHG
select GENERIC_CLOCKEVENTS
@ -5357,7 +5363,7 @@ index ed5b44d..14dc41d 100644
#endif /* __ASM_GENERIC_MODULE_H */
diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h
index b2be02e..b85dda8 100644
index b2be02e..560ca53 100644
--- a/include/linux/moduleloader.h
+++ b/include/linux/moduleloader.h
@@ -28,21 +28,49 @@ void *module_alloc(unsigned long size);
@ -5383,7 +5389,7 @@ index b2be02e..b85dda8 100644
+ unsigned int relsec,
+ struct module *me)
+{
+ pr_err("module %s: REL relocation unsupported\n", me->name);
+ printk(KERN_ERR "module %s: REL relocation unsupported\n", me->name);
+ return -ENOEXEC;
+}
+#endif
@ -5407,7 +5413,7 @@ index b2be02e..b85dda8 100644
+ unsigned int relsec,
+ struct module *me)
+{
+ pr_err("module %s: RELA relocation unsupported\n", me->name);
+ printk(KERN_ERR "module %s: REL relocation unsupported\n", me->name);
+ return -ENOEXEC;
+}
+#endif
@ -5446,12 +5452,12 @@ index 4edbd9c..087aeed 100644
{
unsigned int i;
--
1.7.10.4
1.7.11.2
From 69bdeeb86f28489efa7d5f414867bd07b9516c10 Mon Sep 17 00:00:00 2001
From 3ad621a6fe31c4b1e73675facc39b2b34eaba3a3 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:26:33 +0100
Date: Tue, 24 Jul 2012 14:13:57 +0100
Subject: [PATCH 16/27] Provide macros for forming the name of an ELF note and
its section
@ -5486,12 +5492,12 @@ index 278e3ef..949d494 100644
#endif /* _LINUX_ELFNOTE_H */
--
1.7.10.4
1.7.11.2
From 5191f0bcbe03426b90b0a53c9ea960fafba7c269 Mon Sep 17 00:00:00 2001
From ebd84cbe7656bb091c8101af3d302ea7c14e7ecf Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:27:05 +0100
Date: Tue, 24 Jul 2012 14:14:00 +0100
Subject: [PATCH 17/27] MODSIGN: Provide gitignore and make clean rules for
extra files
@ -5535,7 +5541,7 @@ index 57af07c..7948eeb 100644
+random_seed
+trustdb.gpg
diff --git a/Makefile b/Makefile
index aa8e315..4a4a11f 100644
index 4bb09e1..5afb466 100644
--- a/Makefile
+++ b/Makefile
@@ -1239,6 +1239,7 @@ clean: $(clean-dirs)
@ -5557,12 +5563,12 @@ index e9b7abe..223dfd6 100644
+mod-extract
--
1.7.10.4
1.7.11.2
From bf067003ae6304d90c278118b5d65d905be16e53 Mon Sep 17 00:00:00 2001
From 5071caadfaf48a29826bb0fb934bf8046878ca00 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:27:16 +0100
Date: Tue, 24 Jul 2012 14:14:01 +0100
Subject: [PATCH 18/27] MODSIGN: Provide Documentation and Kconfig options
Provide documentation and kernel configuration options for module signing.
@ -5596,7 +5602,7 @@ The following configuration options are added:
Signed-off-by: David Howells <dhowells@redhat.com>
---
Documentation/module-signing.txt | 194 ++++++++++++++++++++++++++++++++++++++
Documentation/module-signing.txt | 194 +++++++++++++++++++++++++++++++++++++++
include/linux/modsign.h | 27 ++++++
init/Kconfig | 54 +++++++++++
3 files changed, 275 insertions(+)
@ -5902,12 +5908,12 @@ index d07dcf9..1d1a056 100644
config INIT_ALL_POSSIBLE
--
1.7.10.4
1.7.11.2
From 19c2fd74747b84e445b0a4eb7f7308a238267aec Mon Sep 17 00:00:00 2001
From 506ebdd9cc53b7e1fe5c1a1351bf1e42cce4c856 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:27:38 +0100
Date: Tue, 24 Jul 2012 14:14:01 +0100
Subject: [PATCH 19/27] MODSIGN: Sign modules during the build process
If CONFIG_MODULE_SIG is set, then this patch will cause the module to get a
@ -5949,7 +5955,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
---
scripts/Makefile.modpost | 87 ++++-
scripts/mod/Makefile | 2 +-
scripts/mod/mod-extract.c | 913 +++++++++++++++++++++++++++++++++++++++++++
scripts/mod/mod-extract.c | 913 ++++++++++++++++++++++++++++++++++++++++++++
scripts/mod/modsign-note.sh | 16 +
4 files changed, 1016 insertions(+), 2 deletions(-)
create mode 100644 scripts/mod/mod-extract.c
@ -7027,12 +7033,12 @@ index 0000000..bca67c0
+
+exit 0
--
1.7.10.4
1.7.11.2
From 05f68f1852611dd7f2f7d28c677b1205b66d4337 Mon Sep 17 00:00:00 2001
From c075a55ef7dd94b37406e09c542f69994e73424c Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:27:49 +0100
Date: Tue, 24 Jul 2012 14:14:01 +0100
Subject: [PATCH 20/27] MODSIGN: Module signature verification stub
Create a stub for the module signature verifier and link it into module.c so
@ -7065,10 +7071,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
---
include/linux/module.h | 3 ++
kernel/Makefile | 1 +
kernel/module-verify-defs.h | 77 ++++++++++++++++++++++++++++++
kernel/module-verify.c | 110 +++++++++++++++++++++++++++++++++++++++++++
kernel/module-verify-defs.h | 77 +++++++++++++++++++++++++++++++
kernel/module-verify.c | 110 ++++++++++++++++++++++++++++++++++++++++++++
kernel/module-verify.h | 20 ++++++++
kernel/module.c | 26 ++++++++--
kernel/module.c | 26 +++++++++--
6 files changed, 232 insertions(+), 5 deletions(-)
create mode 100644 kernel/module-verify-defs.h
create mode 100644 kernel/module-verify.c
@ -7415,12 +7421,12 @@ index 087aeed..a59a9da 100644
if (last_unloaded_module[0])
printk(" [last unloaded: %s]", last_unloaded_module);
--
1.7.10.4
1.7.11.2
From a8622506bccd42aecd271d2735f6734e539125ac Mon Sep 17 00:00:00 2001
From 632507c5c70caad4ac7000d573b60236e405247b Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:28:33 +0100
Date: Tue, 24 Jul 2012 14:14:02 +0100
Subject: [PATCH 21/27] MODSIGN: Automatically generate module signing keys if
missing
@ -7497,12 +7503,12 @@ index cec222a..28cd248 100644
+endif
+CLEAN_FILES += modsign.pub modsign.sec genkey random_seed
--
1.7.10.4
1.7.11.2
From 2bde4c453e0b5ec52fe95c3fb800af86fdc38546 Mon Sep 17 00:00:00 2001
From bbbe230903a8c8f1d3aa7d2cc7f850930ff1539f Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:28:41 +0100
Date: Tue, 24 Jul 2012 14:14:02 +0100
Subject: [PATCH 22/27] MODSIGN: Provide module signing public keys to the
kernel
@ -7524,7 +7530,7 @@ their removal and preventing further modules from being loaded with that key.
Signed-off-by: David Howells <dhowells@redhat.com>
---
kernel/Makefile | 25 ++++++++-------
kernel/modsign-pubkey.c | 75 +++++++++++++++++++++++++++++++++++++++++++
kernel/modsign-pubkey.c | 75 +++++++++++++++++++++++++++++++++++++++++++++
kernel/module-verify-defs.h | 4 +++
kernel/module-verify.c | 2 --
4 files changed, 93 insertions(+), 13 deletions(-)
@ -7683,12 +7689,12 @@ index 4bf857e..05473e6 100644
#include <linux/moduleparam.h>
#include <keys/crypto-type.h>
--
1.7.10.4
1.7.11.2
From 689ea2a8739a5d61b7c55cd9084dd3096585c6de Mon Sep 17 00:00:00 2001
From e4f50fd14864d574dfa77002da3bc51bbb0046bc Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:29:17 +0100
Date: Tue, 24 Jul 2012 14:14:02 +0100
Subject: [PATCH 23/27] MODSIGN: Check the ELF container
Check the ELF container of the kernel module to prevent the kernel from
@ -7767,7 +7773,7 @@ code, presumably because some local variables can be discarded.
Signed-off-by: David Howells <dhowells@redhat.com>
---
kernel/module-verify.c | 230 ++++++++++++++++++++++++++++++++++++++++++++++++
kernel/module-verify.c | 230 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 230 insertions(+)
diff --git a/kernel/module-verify.c b/kernel/module-verify.c
@ -8019,12 +8025,12 @@ index 05473e6..2161d11 100644
/* Deal with an unsigned module */
if (modsign_signedonly) {
--
1.7.10.4
1.7.11.2
From 4e90f1f1f04b2efb070f15211e644a8a86a2142e Mon Sep 17 00:00:00 2001
From b9e2653685ab246ee774d4ea0d178f9d43b003f8 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:29:43 +0100
Date: Tue, 24 Jul 2012 14:14:02 +0100
Subject: [PATCH 24/27] MODSIGN: Produce a filtered and canonicalised section
list
@ -8040,7 +8046,7 @@ Canonicalisation is done by sorting the filtered list in order of section name.
Signed-off-by: David Howells <dhowells@redhat.com>
---
kernel/module-verify.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++
kernel/module-verify.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
diff --git a/kernel/module-verify.c b/kernel/module-verify.c
@ -8143,12 +8149,12 @@ index 2161d11..646b104 100644
out:
switch (ret) {
--
1.7.10.4
1.7.11.2
From 5f48916c06318abb0821b41bc06f457248ed87eb Mon Sep 17 00:00:00 2001
From 425b80d71cb3d29ad9a5d1573b1ba62e8acc9846 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:30:02 +0100
Date: Tue, 24 Jul 2012 14:14:03 +0100
Subject: [PATCH 25/27] MODSIGN: Create digest of module content and check
signature
@ -8193,7 +8199,7 @@ somewhat smaller code.
Signed-off-by: David Howells <dhowells@redhat.com>
---
kernel/module-verify-defs.h | 11 +-
kernel/module-verify.c | 332 ++++++++++++++++++++++++++++++++++++++++++-
kernel/module-verify.c | 332 +++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 337 insertions(+), 6 deletions(-)
diff --git a/kernel/module-verify-defs.h b/kernel/module-verify-defs.h
@ -8580,12 +8586,12 @@ index 646b104..e275759 100644
out:
--
1.7.10.4
1.7.11.2
From 25841b75e473511f1dbe84cfb333ef2b748d2ec6 Mon Sep 17 00:00:00 2001
From 83b8771f504bdb2d75df57697445211ca312a08b Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:30:22 +0100
Date: Tue, 24 Jul 2012 14:14:03 +0100
Subject: [PATCH 26/27] MODSIGN: Suppress some redundant ELF checks
Suppress some redundant ELF checks in module_verify_elf() that are also done
@ -8617,12 +8623,12 @@ index e275759..bfd1286 100644
/* Validate the section table contents */
mvdata->nsects = hdr->e_shnum;
--
1.7.10.4
1.7.11.2
From 3ac2defabc1996584fac06b76070138fe56753e6 Mon Sep 17 00:00:00 2001
From a7ec988440e9c8b0deaf769c79b4b3cfe45eb411 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 18 Jul 2012 16:30:40 +0100
Date: Tue, 24 Jul 2012 14:14:03 +0100
Subject: [PATCH 27/27] MODSIGN: Panic the kernel if FIPS is enabled upon
module signing failure
@ -8660,5 +8666,5 @@ index bfd1286..b9c3955 100644
case 0: /* Good signature */
*_gpgsig_ok = true;
--
1.7.10.4
1.7.11.2

1161
secure-boot-20120724.patch Normal file
View File

File diff suppressed because it is too large Load Diff