Linux v4.6-10203-g84787c572d40
- Enable CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE (rhbz 1339281) - Fixup SB patchset to work with upstream changes
This commit is contained in:
parent
cfaea7dc72
commit
42d2805cbe
@ -1,7 +1,7 @@
|
||||
From 6fb2a60e6bfb5ce2d3a4964e7b47ac5c7ecd6f82 Mon Sep 17 00:00:00 2001
|
||||
From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Tue, 23 Oct 2012 09:30:54 -0400
|
||||
Subject: [PATCH] Add EFI signature data types
|
||||
Subject: [PATCH 4/9] Add EFI signature data types
|
||||
|
||||
Add the data types that are used for containing hashes, keys and certificates
|
||||
for cryptographic verification.
|
||||
@ -15,10 +15,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index fb0734f..b80227a 100644
|
||||
index 8cb38cfcba74..8c274b4ea8e6 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -653,6 +653,12 @@ void efi_native_runtime_setup(void);
|
||||
@@ -647,6 +647,12 @@ void efi_native_runtime_setup(void);
|
||||
EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, \
|
||||
0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
|
||||
|
||||
@ -31,7 +31,7 @@ index fb0734f..b80227a 100644
|
||||
typedef struct {
|
||||
efi_guid_t guid;
|
||||
u64 table;
|
||||
@@ -885,6 +891,20 @@ typedef struct {
|
||||
@@ -879,6 +885,20 @@ typedef struct {
|
||||
efi_memory_desc_t entry[0];
|
||||
} efi_memory_attributes_table_t;
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001
|
||||
From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
||||
Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
|
||||
Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
|
||||
|
||||
X.509 certificates are loaded into the specified keyring as asymmetric type
|
||||
keys.
|
||||
@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
create mode 100644 crypto/asymmetric_keys/efi_parser.c
|
||||
|
||||
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
|
||||
index e28e912..94024e8 100644
|
||||
index e28e912000a7..94024e8aedaa 100644
|
||||
--- a/crypto/asymmetric_keys/Kconfig
|
||||
+++ b/crypto/asymmetric_keys/Kconfig
|
||||
@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
|
||||
@ -34,7 +34,7 @@ index e28e912..94024e8 100644
|
||||
+
|
||||
endif # ASYMMETRIC_KEY_TYPE
|
||||
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
|
||||
index 6516855..c099fe1 100644
|
||||
index 6516855bec18..c099fe15ed6d 100644
|
||||
--- a/crypto/asymmetric_keys/Makefile
|
||||
+++ b/crypto/asymmetric_keys/Makefile
|
||||
@@ -10,6 +10,7 @@ asymmetric_keys-y := \
|
||||
@ -47,7 +47,7 @@ index 6516855..c099fe1 100644
|
||||
# X.509 Certificate handling
|
||||
diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
|
||||
new file mode 100644
|
||||
index 0000000..636feb1
|
||||
index 000000000000..636feb18b733
|
||||
--- /dev/null
|
||||
+++ b/crypto/asymmetric_keys/efi_parser.c
|
||||
@@ -0,0 +1,108 @@
|
||||
@ -160,10 +160,10 @@ index 0000000..636feb1
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index b80227a..18443e3 100644
|
||||
index 8c274b4ea8e6..ff1877145aa4 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
|
||||
@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
|
||||
char * __init efi_md_typeattr_format(char *buf, size_t size,
|
||||
const efi_memory_desc_t *md);
|
||||
|
||||
|
@ -1,7 +1,8 @@
|
||||
From 8802c7e62531b3867580068ee8b50415b966d22c Mon Sep 17 00:00:00 2001
|
||||
From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
||||
Subject: [PATCH 10/20] Add option to automatically enforce module signatures when in Secure Boot mode
|
||||
Subject: [PATCH] Add option to automatically enforce module signatures when in
|
||||
Secure Boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
@ -11,16 +12,16 @@ that enforces this automatically when enabled.
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
Documentation/x86/zero-page.txt | 2 ++
|
||||
arch/x86/Kconfig | 10 ++++++
|
||||
arch/x86/Kconfig | 11 ++++++
|
||||
arch/x86/boot/compressed/eboot.c | 66 +++++++++++++++++++++++++++++++++++
|
||||
arch/x86/include/uapi/asm/bootparam.h | 3 +-
|
||||
arch/x86/kernel/setup.c | 6 ++++
|
||||
include/linux/module.h | 6 ++++
|
||||
kernel/module.c | 7 ++++
|
||||
7 files changed, 99 insertions(+), 1 deletion(-)
|
||||
7 files changed, 100 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
|
||||
index 95a4d34..b8527c6 100644
|
||||
index 95a4d34af3fd..b8527c6b7646 100644
|
||||
--- a/Documentation/x86/zero-page.txt
|
||||
+++ b/Documentation/x86/zero-page.txt
|
||||
@@ -31,6 +31,8 @@ Offset Proto Name Meaning
|
||||
@ -33,15 +34,16 @@ index 95a4d34..b8527c6 100644
|
||||
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
|
||||
2D0/A00 ALL e820_map E820 memory map table
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index 2dc18605..a701d09 100644
|
||||
index 0a7b885964ba..29b8ba9ae713 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1785,6 +1785,16 @@ config EFI_MIXED
|
||||
@@ -1776,6 +1776,17 @@ config EFI_MIXED
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
+config EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
+ def_bool n
|
||||
+ def_bool n
|
||||
+ depends on EFI
|
||||
+ prompt "Force module signing when UEFI Secure Boot is enabled"
|
||||
+ ---help---
|
||||
+ UEFI Secure Boot provides a mechanism for ensuring that the
|
||||
@ -54,7 +56,7 @@ index 2dc18605..a701d09 100644
|
||||
def_bool y
|
||||
prompt "Enable seccomp to safely compute untrusted bytecode"
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index 52fef60..6b8b9a7 100644
|
||||
index 52fef606bc54..6b8b9a775b46 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -12,6 +12,7 @@
|
||||
@ -145,7 +147,7 @@ index 52fef60..6b8b9a7 100644
|
||||
|
||||
setup_efi_pci(boot_params);
|
||||
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
|
||||
index 3292543..b61f853 100644
|
||||
index c18ce67495fa..2b3e5427097b 100644
|
||||
--- a/arch/x86/include/uapi/asm/bootparam.h
|
||||
+++ b/arch/x86/include/uapi/asm/bootparam.h
|
||||
@@ -134,7 +134,8 @@ struct boot_params {
|
||||
@ -159,10 +161,10 @@ index 3292543..b61f853 100644
|
||||
* The sentinel is set to a nonzero value (0xff) in header.S.
|
||||
*
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 2367ae0..1a78bf7 100644
|
||||
index c4e7b3991b60..bdb9881c7afd 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
io_delay_init();
|
||||
|
||||
@ -176,7 +178,7 @@ index 2367ae0..1a78bf7 100644
|
||||
* Parse the ACPI tables for possible boot-time SMP configuration.
|
||||
*/
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index ab13009..e072b84 100644
|
||||
index 082298a09df1..38d0597f7615 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
|
||||
@ -193,10 +195,10 @@ index ab13009..e072b84 100644
|
||||
|
||||
extern int modules_disabled; /* for sysctl */
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 392ac8c..676c578 100644
|
||||
index 3c384968f553..ea484f3a35b2 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod,
|
||||
@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001
|
||||
From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001
|
||||
From: Kyle McMartin <kyle@redhat.com>
|
||||
Date: Fri, 30 Aug 2013 09:28:51 -0400
|
||||
Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
|
||||
Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
@ -16,7 +16,7 @@ Upstream-status: Fedora mustard
|
||||
7 files changed, 64 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index f93826b8522c..41679b1aca83 100644
|
||||
index a666b6c29c77..7732c769937b 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -70,6 +70,11 @@
|
||||
@ -31,7 +31,7 @@ index f93826b8522c..41679b1aca83 100644
|
||||
#include <video/edid.h>
|
||||
|
||||
#include <asm/mtrr.h>
|
||||
@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void)
|
||||
@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void)
|
||||
|
||||
#endif /* CONFIG_X86_32 */
|
||||
|
||||
@ -70,10 +70,10 @@ index f93826b8522c..41679b1aca83 100644
|
||||
.notifier_call = dump_kernel_offset
|
||||
};
|
||||
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
|
||||
index 345df9b03aed..dea6a6c4a39b 100644
|
||||
index abe1a927b332..f4126fcec10c 100644
|
||||
--- a/drivers/input/misc/uinput.c
|
||||
+++ b/drivers/input/misc/uinput.c
|
||||
@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
|
||||
@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
|
||||
if (!udev->dev)
|
||||
return -ENOMEM;
|
||||
|
||||
@ -82,10 +82,10 @@ index 345df9b03aed..dea6a6c4a39b 100644
|
||||
input_set_drvdata(udev->dev, udev);
|
||||
|
||||
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
|
||||
index 95b330a9ea98..dfa3e154a719 100644
|
||||
index e5139402e7f8..5ef2e04a03ad 100644
|
||||
--- a/drivers/tty/sysrq.c
|
||||
+++ b/drivers/tty/sysrq.c
|
||||
@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
|
||||
@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
|
||||
/* x: May be registered on mips for TLB dump */
|
||||
/* x: May be registered on ppc/powerpc for xmon */
|
||||
/* x: May be registered on sparc64 for global PMU dump */
|
||||
@ -93,7 +93,7 @@ index 95b330a9ea98..dfa3e154a719 100644
|
||||
NULL, /* x */
|
||||
/* y: May be registered on sparc64 for global register dump */
|
||||
NULL, /* y */
|
||||
@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
|
||||
@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
|
||||
sysrq_key_table[i] = op_p;
|
||||
}
|
||||
|
||||
@ -102,7 +102,7 @@ index 95b330a9ea98..dfa3e154a719 100644
|
||||
{
|
||||
struct sysrq_key_op *op_p;
|
||||
int orig_log_level;
|
||||
@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask)
|
||||
@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask)
|
||||
|
||||
op_p = __sysrq_get_key_op(key);
|
||||
if (op_p) {
|
||||
@ -119,7 +119,7 @@ index 95b330a9ea98..dfa3e154a719 100644
|
||||
pr_cont("%s\n", op_p->action_msg);
|
||||
console_loglevel = orig_log_level;
|
||||
op_p->handler(key);
|
||||
@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask)
|
||||
@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask)
|
||||
void handle_sysrq(int key)
|
||||
{
|
||||
if (sysrq_on())
|
||||
@ -128,7 +128,7 @@ index 95b330a9ea98..dfa3e154a719 100644
|
||||
}
|
||||
EXPORT_SYMBOL(handle_sysrq);
|
||||
|
||||
@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state)
|
||||
@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state)
|
||||
static void sysrq_handle_reset_request(struct sysrq_state *state)
|
||||
{
|
||||
if (state->reset_requested)
|
||||
@ -137,7 +137,7 @@ index 95b330a9ea98..dfa3e154a719 100644
|
||||
|
||||
if (sysrq_reset_downtime_ms)
|
||||
mod_timer(&state->keyreset_timer,
|
||||
@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
|
||||
@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
|
||||
|
||||
default:
|
||||
if (sysrq->active && value && value != 2) {
|
||||
@ -149,7 +149,7 @@ index 95b330a9ea98..dfa3e154a719 100644
|
||||
}
|
||||
break;
|
||||
}
|
||||
@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
|
||||
@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
|
||||
|
||||
if (get_user(c, buf))
|
||||
return -EFAULT;
|
||||
@ -159,7 +159,7 @@ index 95b330a9ea98..dfa3e154a719 100644
|
||||
|
||||
return count;
|
||||
diff --git a/include/linux/input.h b/include/linux/input.h
|
||||
index 82ce323b9986..9e534f228945 100644
|
||||
index 1e967694e9a5..2b56c6f9673c 100644
|
||||
--- a/include/linux/input.h
|
||||
+++ b/include/linux/input.h
|
||||
@@ -42,6 +42,7 @@ struct input_value {
|
||||
@ -216,7 +216,7 @@ index 387fa7d05c98..4b07e30b3279 100644
|
||||
int unregister_sysrq_key(int key, struct sysrq_key_op *op);
|
||||
struct sysrq_key_op *__sysrq_get_key_op(int key);
|
||||
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
|
||||
index 4121345498e0..0ff3cef5df96 100644
|
||||
index 2a20c0dfdafc..3d17205dab77 100644
|
||||
--- a/kernel/debug/kdb/kdb_main.c
|
||||
+++ b/kernel/debug/kdb/kdb_main.c
|
||||
@@ -1968,7 +1968,7 @@ static int kdb_sr(int argc, const char **argv)
|
||||
@ -229,10 +229,10 @@ index 4121345498e0..0ff3cef5df96 100644
|
||||
|
||||
return 0;
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 2b403ab0ef29..7818c110e95c 100644
|
||||
index ea484f3a35b2..84b00659b0ee 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void)
|
||||
@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void)
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -242,5 +242,5 @@ index 2b403ab0ef29..7818c110e95c 100644
|
||||
module_param(sig_enforce, bool_enable_only, 0644);
|
||||
#endif /* !CONFIG_MODULE_SIG_FORCE */
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001
|
||||
From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 26 Oct 2012 12:36:24 -0400
|
||||
Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
|
||||
Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring
|
||||
|
||||
This adds an additional keyring that is used to store certificates that
|
||||
are blacklisted. This keyring is searched first when loading signed modules
|
||||
@ -10,52 +10,48 @@ useful in cases where third party certificates are used for module signing.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
certs/system_keyring.c | 27 +++++++++++++++++++++++++++
|
||||
certs/system_keyring.c | 22 ++++++++++++++++++++++
|
||||
include/keys/system_keyring.h | 4 ++++
|
||||
init/Kconfig | 9 +++++++++
|
||||
3 files changed, 40 insertions(+)
|
||||
3 files changed, 35 insertions(+)
|
||||
|
||||
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
|
||||
index 2570598b784d..53733822993f 100644
|
||||
index 50979d6dcecd..787eeead2f57 100644
|
||||
--- a/certs/system_keyring.c
|
||||
+++ b/certs/system_keyring.c
|
||||
@@ -20,6 +20,9 @@
|
||||
|
||||
struct key *system_trusted_keyring;
|
||||
EXPORT_SYMBOL_GPL(system_trusted_keyring);
|
||||
@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
|
||||
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
||||
static struct key *secondary_trusted_keys;
|
||||
#endif
|
||||
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
+struct key *system_blacklist_keyring;
|
||||
+#endif
|
||||
|
||||
extern __initconst const u8 system_certificate_list[];
|
||||
extern __initconst const unsigned long system_certificate_list_size;
|
||||
@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
|
||||
panic("Can't allocate system trusted keyring\n");
|
||||
|
||||
set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
|
||||
+
|
||||
+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void)
|
||||
if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
|
||||
panic("Can't link trusted keyrings\n");
|
||||
#endif
|
||||
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
|
||||
+ KUIDT_INIT(0), KGIDT_INIT(0),
|
||||
+ current_cred(),
|
||||
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||
+ KEY_USR_VIEW | KEY_USR_READ,
|
||||
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
|
||||
+ KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
|
||||
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||
+ KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
|
||||
+ KEY_ALLOC_NOT_IN_QUOTA,
|
||||
+ NULL, NULL);
|
||||
+ if (IS_ERR(system_blacklist_keyring))
|
||||
+ panic("Can't allocate system blacklist keyring\n");
|
||||
+
|
||||
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
|
||||
+#endif
|
||||
+
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len,
|
||||
if (ret < 0)
|
||||
goto error;
|
||||
|
||||
@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
|
||||
trusted_keys = builtin_trusted_keys;
|
||||
#endif
|
||||
}
|
||||
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted);
|
||||
+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring);
|
||||
+ if (!ret) {
|
||||
+ /* module is signed with a cert in the blacklist. reject */
|
||||
+ pr_err("Module key is in the blacklist\n");
|
||||
@ -63,30 +59,29 @@ index 2570598b784d..53733822993f 100644
|
||||
+ goto error;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
|
||||
if (ret < 0)
|
||||
goto error;
|
||||
ret = pkcs7_validate_trust(pkcs7, trusted_keys);
|
||||
if (ret < 0) {
|
||||
if (ret == -ENOKEY)
|
||||
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
|
||||
index b20cd885c1fd..51d8ddc60e0f 100644
|
||||
index fbd4647767e9..5bc291a3d261 100644
|
||||
--- a/include/keys/system_keyring.h
|
||||
+++ b/include/keys/system_keyring.h
|
||||
@@ -35,6 +35,10 @@ extern int system_verify_data(const void *data, unsigned long len,
|
||||
enum key_being_used_for usage);
|
||||
@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
|
||||
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
|
||||
#endif
|
||||
|
||||
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
+extern struct key *system_blacklist_keyring;
|
||||
+#endif
|
||||
+
|
||||
#ifdef CONFIG_IMA_MOK_KEYRING
|
||||
extern struct key *ima_mok_keyring;
|
||||
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
||||
extern struct key *ima_blacklist_keyring;
|
||||
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index 02da9f1fd9df..782d26f02885 100644
|
||||
index a9c4aefd5436..e5449d5aeff9 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION
|
||||
@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION
|
||||
module verification, kexec image verification and firmware blob
|
||||
verification.
|
||||
|
||||
@ -103,5 +98,5 @@ index 02da9f1fd9df..782d26f02885 100644
|
||||
bool "Profiling support"
|
||||
help
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001
|
||||
From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
||||
Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
|
||||
@ -18,18 +18,56 @@ signed with those from loading.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
include/linux/efi.h | 6 ++++
|
||||
init/Kconfig | 9 +++++
|
||||
kernel/Makefile | 3 ++
|
||||
kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 110 insertions(+)
|
||||
certs/system_keyring.c | 13 ++++++
|
||||
include/keys/system_keyring.h | 1 +
|
||||
include/linux/efi.h | 6 +++
|
||||
init/Kconfig | 9 ++++
|
||||
kernel/Makefile | 3 ++
|
||||
kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++
|
||||
6 files changed, 131 insertions(+)
|
||||
create mode 100644 kernel/modsign_uefi.c
|
||||
|
||||
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
|
||||
index 787eeead2f57..4d9123ed5c07 100644
|
||||
--- a/certs/system_keyring.c
|
||||
+++ b/certs/system_keyring.c
|
||||
@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[];
|
||||
extern __initconst const unsigned long system_certificate_list_size;
|
||||
|
||||
/**
|
||||
+ * get_system_keyring - Return a pointer to the system keyring
|
||||
+ *
|
||||
+ */
|
||||
+struct key *get_system_keyring(void)
|
||||
+{
|
||||
+ struct key *system_keyring = NULL;
|
||||
+
|
||||
+ system_keyring = builtin_trusted_keys;
|
||||
+ return system_keyring;
|
||||
+}
|
||||
+EXPORT_SYMBOL_GPL(get_system_keyring);
|
||||
+
|
||||
+/**
|
||||
* restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
|
||||
*
|
||||
* Restrict the addition of keys into a keyring based on the key-to-be-added
|
||||
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
|
||||
index 5bc291a3d261..56ff5715ab67 100644
|
||||
--- a/include/keys/system_keyring.h
|
||||
+++ b/include/keys/system_keyring.h
|
||||
@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
|
||||
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
extern struct key *system_blacklist_keyring;
|
||||
#endif
|
||||
+extern struct key *get_system_keyring(void);
|
||||
|
||||
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
||||
extern struct key *ima_blacklist_keyring;
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 85ef051ac6fb..a042b2ece788 100644
|
||||
index ff1877145aa4..2483de19c719 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -600,6 +600,12 @@ typedef struct {
|
||||
@@ -658,6 +658,12 @@ typedef struct {
|
||||
u64 table;
|
||||
} efi_config_table_64_t;
|
||||
|
||||
@ -43,10 +81,10 @@ index 85ef051ac6fb..a042b2ece788 100644
|
||||
efi_guid_t guid;
|
||||
u32 table;
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index 02da9f1fd9df..90c73a0564b1 100644
|
||||
index e5449d5aeff9..5408c96f6604 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL
|
||||
@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
|
||||
comment "Do not forget to sign required modules with scripts/sign-file"
|
||||
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
|
||||
|
||||
@ -63,10 +101,10 @@ index 02da9f1fd9df..90c73a0564b1 100644
|
||||
prompt "Which hash algorithm should modules be signed with?"
|
||||
depends on MODULE_SIG
|
||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||
index d4988410b410..55e886239e7e 100644
|
||||
index e2ec54e2b952..8dab549985d8 100644
|
||||
--- a/kernel/Makefile
|
||||
+++ b/kernel/Makefile
|
||||
@@ -47,6 +47,7 @@ endif
|
||||
@@ -57,6 +57,7 @@ endif
|
||||
obj-$(CONFIG_UID16) += uid16.o
|
||||
obj-$(CONFIG_MODULES) += module.o
|
||||
obj-$(CONFIG_MODULE_SIG) += module_signing.o
|
||||
@ -74,7 +112,7 @@ index d4988410b410..55e886239e7e 100644
|
||||
obj-$(CONFIG_KALLSYMS) += kallsyms.o
|
||||
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
|
||||
obj-$(CONFIG_KEXEC_CORE) += kexec_core.o
|
||||
@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
|
||||
@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o
|
||||
|
||||
obj-$(CONFIG_HAS_IOMEM) += memremap.o
|
||||
|
||||
@ -85,10 +123,10 @@ index d4988410b410..55e886239e7e 100644
|
||||
# config_data.h contains the same information as ikconfig.h but gzipped.
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
new file mode 100644
|
||||
index 000000000000..94b0eb38a284
|
||||
index 000000000000..fe4a6f2bf10a
|
||||
--- /dev/null
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -0,0 +1,92 @@
|
||||
@@ -0,0 +1,99 @@
|
||||
+#include <linux/kernel.h>
|
||||
+#include <linux/sched.h>
|
||||
+#include <linux/cred.h>
|
||||
@ -139,11 +177,18 @@ index 000000000000..94b0eb38a284
|
||||
+ void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||
+ int rc = 0;
|
||||
+ struct key *keyring = NULL;
|
||||
+
|
||||
+ /* Check if SB is enabled and just return if not */
|
||||
+ if (!efi_enabled(EFI_SECURE_BOOT))
|
||||
+ return 0;
|
||||
+
|
||||
+ keyring = get_system_keyring();
|
||||
+ if (!keyring) {
|
||||
+ pr_err("MODSIGN: Couldn't get system keyring\n");
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
|
||||
+ * an error if we can't get them.
|
||||
+ */
|
||||
@ -151,7 +196,7 @@ index 000000000000..94b0eb38a284
|
||||
+ if (!db) {
|
||||
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
+ rc = parse_efi_signature_list(db, dbsize, keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
+ kfree(db);
|
||||
@ -161,7 +206,7 @@ index 000000000000..94b0eb38a284
|
||||
+ if (!mok) {
|
||||
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
|
||||
+ rc = parse_efi_signature_list(mok, moksize, keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
|
||||
+ kfree(mok);
|
||||
@ -182,5 +227,5 @@ index 000000000000..94b0eb38a284
|
||||
+}
|
||||
+late_initcall(load_uefi_certs);
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
|
||||
From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Thu, 3 Oct 2013 10:14:23 -0400
|
||||
Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
|
||||
Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
|
||||
|
||||
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
||||
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
1 file changed, 31 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
index 94b0eb38a284..ae28b974d49a 100644
|
||||
index 03f601a0052c..321c79a3b282 100644
|
||||
--- a/kernel/modsign_uefi.c
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -8,6 +8,23 @@
|
||||
@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644
|
||||
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
|
||||
{
|
||||
efi_status_t status;
|
||||
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
|
||||
@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
|
||||
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
||||
void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||
- int rc = 0;
|
||||
+ int ignore_db, rc = 0;
|
||||
struct key *keyring = NULL;
|
||||
|
||||
/* Check if SB is enabled and just return if not */
|
||||
if (!efi_enabled(EFI_SECURE_BOOT))
|
||||
return 0;
|
||||
@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
+ /* See if the user has setup Ignore DB mode */
|
||||
+ ignore_db = check_ignore_db();
|
||||
@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644
|
||||
- if (!db) {
|
||||
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
- } else {
|
||||
- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
- rc = parse_efi_signature_list(db, dbsize, keyring);
|
||||
- if (rc)
|
||||
- pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
- kfree(db);
|
||||
@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644
|
||||
+ if (!db) {
|
||||
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
+ rc = parse_efi_signature_list(db, dbsize, keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
+ kfree(db);
|
||||
@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644
|
||||
|
||||
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
@ -116,6 +116,7 @@ CONFIG_ROCKCHIP_SARADC=m
|
||||
CONFIG_ROCKCHIP_IOMMU=y
|
||||
CONFIG_ROCKCHIP_THERMAL=m
|
||||
CONFIG_DRM_ROCKCHIP=m
|
||||
CONFIG_ROCKCHIP_ANALOGIX_DP=m
|
||||
CONFIG_ROCKCHIP_DW_HDMI=m
|
||||
CONFIG_ROCKCHIP_DW_MIPI_DSI=y
|
||||
CONFIG_ROCKCHIP_INNO_HDMI=m
|
||||
|
@ -159,6 +159,8 @@ CONFIG_PHY_HI6220_USB=m
|
||||
CONFIG_COMMON_RESET_HI6220=m
|
||||
CONFIG_HI6220_MBOX=m
|
||||
# CONFIG_RESET_HISI is not set
|
||||
CONFIG_DRM_HISI_KIRIN=m
|
||||
CONFIG_HISI_KIRIN_DW_DSI=m
|
||||
|
||||
# Tegra
|
||||
CONFIG_ARCH_TEGRA_132_SOC=y
|
||||
|
@ -318,6 +318,8 @@ CONFIG_PHY_QCOM_IPQ806X_SATA=m
|
||||
CONFIG_DWMAC_IPQ806X=m
|
||||
CONFIG_CRYPTO_DEV_QCE=m
|
||||
CONFIG_DRM_MSM=m
|
||||
# CONFIG_DRM_MSM_REGISTER_LOGGING is not set
|
||||
CONFIG_DRM_MSM_HDMI_HDCP=y
|
||||
CONFIG_USB_EHCI_MSM=m
|
||||
CONFIG_MFD_PM8XXX=m
|
||||
CONFIG_KEYBOARD_PMIC8XXX=m
|
||||
@ -325,7 +327,6 @@ CONFIG_INPUT_PM8XXX_VIBRATOR=m
|
||||
CONFIG_INPUT_PMIC8XXX_PWRKEY=m
|
||||
CONFIG_INPUT_PM8941_PWRKEY=m
|
||||
CONFIG_RTC_DRV_PM8XXX=m
|
||||
# CONFIG_DRM_MSM_REGISTER_LOGGING is not set
|
||||
CONFIG_QCOM_WDT=m
|
||||
CONFIG_MFD_SPMI_PMIC=m
|
||||
CONFIG_SPMI=m
|
||||
|
@ -206,6 +206,7 @@ CONFIG_MACH_SUN8I=y
|
||||
CONFIG_SUNXI_SRAM=y
|
||||
CONFIG_DMA_SUN4I=m
|
||||
CONFIG_DMA_SUN6I=m
|
||||
CONFIG_DRM_SUN4I=m
|
||||
CONFIG_SUNXI_WATCHDOG=m
|
||||
CONFIG_NET_VENDOR_ALLWINNER=y
|
||||
CONFIG_RTC_DRV_SUNXI=m
|
||||
|
@ -598,6 +598,7 @@ CONFIG_ATA_BMDMA=y
|
||||
CONFIG_ATA_VERBOSE_ERROR=y
|
||||
CONFIG_ATA_SFF=y
|
||||
CONFIG_ATA_PIIX=y
|
||||
# CONFIG_SATA_DWC is not set
|
||||
# CONFIG_SATA_HIGHBANK is not set
|
||||
CONFIG_ATA_ACPI=y
|
||||
CONFIG_BLK_DEV_SX8=m
|
||||
@ -3346,6 +3347,8 @@ CONFIG_VGA_ARB_MAX_GPUS=16
|
||||
|
||||
|
||||
CONFIG_DRM=m
|
||||
CONFIG_DRM_ANALOGIX_ANX78XX=m
|
||||
# CONFIG_DRM_ARCPGU is not set
|
||||
CONFIG_DRM_DP_AUX_CHARDEV=y
|
||||
CONFIG_DRM_FBDEV_EMULATION=y
|
||||
CONFIG_DRM_LOAD_EDID_FIRMWARE=y
|
||||
@ -3359,6 +3362,7 @@ CONFIG_DRM_AMDGPU=m
|
||||
CONFIG_DRM_AMD_ACP=y
|
||||
# CONFIG_DRM_AMDGPU_CIK is not set
|
||||
CONFIG_DRM_AMDGPU_USERPTR=y
|
||||
# CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set
|
||||
CONFIG_DRM_AMD_POWERPLAY=y
|
||||
# CONFIG_DRM_I810 is not set
|
||||
# CONFIG_DRM_MGA is not set
|
||||
|
@ -56,7 +56,7 @@ CONFIG_PPC_64K_PAGES=y
|
||||
CONFIG_PPC_SUBPAGE_PROT=y
|
||||
CONFIG_SCHED_SMT=y
|
||||
CONFIG_MEMORY_HOTPLUG=y
|
||||
# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
|
||||
CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
|
||||
CONFIG_MEMORY_HOTREMOVE=y
|
||||
CONFIG_PPC64_SUPPORTS_MEMORY_FAILURE=y
|
||||
|
||||
|
@ -183,7 +183,7 @@ CONFIG_VIRTIO_CONSOLE=y
|
||||
|
||||
CONFIG_MEMORY_HOTPLUG=y
|
||||
CONFIG_MEMORY_HOTREMOVE=y
|
||||
# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
|
||||
CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
|
||||
CONFIG_CHSC_SCH=m
|
||||
|
||||
# drivers/isdn/hardware/mISDN/hfcmulti.c:5255:2: error: #error "not running on big endian machines now"
|
||||
|
@ -361,7 +361,6 @@ CONFIG_DMI_SYSFS=y
|
||||
CONFIG_ISCSI_IBFT_FIND=y
|
||||
CONFIG_ISCSI_IBFT=m
|
||||
|
||||
CONFIG_DMADEVICES=y
|
||||
CONFIG_INTEL_IOATDMA=m
|
||||
CONFIG_INTEL_IDMA64=m
|
||||
|
||||
|
@ -117,7 +117,7 @@ CONFIG_SPARSEMEM_EXTREME=y
|
||||
CONFIG_SPARSEMEM_VMEMMAP=y
|
||||
# CONFIG_MOVABLE_NODE is not set
|
||||
CONFIG_MEMORY_HOTPLUG=y
|
||||
# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
|
||||
CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
|
||||
# CONFIG_ARCH_MEMORY_PROBE is not set
|
||||
CONFIG_MEMORY_HOTREMOVE=y
|
||||
# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
|
||||
@ -223,8 +223,12 @@ CONFIG_CMA_AREAS=7
|
||||
CONFIG_ZONE_DMA=y
|
||||
CONFIG_ZONE_DEVICE=y
|
||||
CONFIG_NVDIMM_PFN=y
|
||||
CONFIG_NVDIMM_DAX=y
|
||||
CONFIG_ND_PFN=m
|
||||
|
||||
CONFIG_DEV_DAX=m
|
||||
CONFIG_DEV_DAX_PMEM=m
|
||||
|
||||
# Staging
|
||||
CONFIG_STAGING_RDMA=y
|
||||
CONFIG_INFINIBAND_HFI1=m
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 02f47b49ab1cdbe62ceb71b658e2c469799ae368 Mon Sep 17 00:00:00 2001
|
||||
From 5550f20b5f9becb485fb3a67bf0193025d40bc6f Mon Sep 17 00:00:00 2001
|
||||
From: Adam Jackson <ajax@redhat.com>
|
||||
Date: Wed, 13 Nov 2013 10:17:24 -0500
|
||||
Subject: [PATCH] drm/i915: hush check crtc state
|
||||
@ -15,18 +15,18 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
|
||||
index ca9278be49f7..308ac0539a87 100644
|
||||
index 46f9be3ad5a2..ad2e62e4cdba 100644
|
||||
--- a/drivers/gpu/drm/i915/intel_display.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_display.c
|
||||
@@ -12688,7 +12688,7 @@ check_crtc_state(struct drm_device *dev, struct drm_atomic_state *old_state)
|
||||
sw_config = to_intel_crtc_state(crtc->state);
|
||||
if (!intel_pipe_config_compare(dev, sw_config,
|
||||
pipe_config, false)) {
|
||||
- I915_STATE_WARN(1, "pipe state doesn't match!\n");
|
||||
+ DRM_DEBUG_KMS("pipe state doesn't match!\n");
|
||||
intel_dump_pipe_config(intel_crtc, pipe_config,
|
||||
"[hw state]");
|
||||
intel_dump_pipe_config(intel_crtc, sw_config,
|
||||
@@ -12970,7 +12970,7 @@ verify_crtc_state(struct drm_crtc *crtc,
|
||||
sw_config = to_intel_crtc_state(crtc->state);
|
||||
if (!intel_pipe_config_compare(dev, sw_config,
|
||||
pipe_config, false)) {
|
||||
- I915_STATE_WARN(1, "pipe state doesn't match!\n");
|
||||
+ DRM_DEBUG_KMS("pipe state doesn't match!\n");
|
||||
intel_dump_pipe_config(intel_crtc, pipe_config,
|
||||
"[hw state]");
|
||||
intel_dump_pipe_config(intel_crtc, sw_config,
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c01ff700ea4192ae04b306fef725d62189550236 Mon Sep 17 00:00:00 2001
|
||||
From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:33:03 -0400
|
||||
Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
|
||||
Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
for use with efi_enabled.
|
||||
@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index f3b804f..a401ff8 100644
|
||||
index bdb9881c7afd..a666b6c29c77 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p)
|
||||
@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
if (boot_params.secure_boot) {
|
||||
@ -27,10 +27,10 @@ index f3b804f..a401ff8 100644
|
||||
#endif
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 569b5a8..4dc970e 100644
|
||||
index c2db3ca22217..8cb38cfcba74 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
#define EFI_ARCH_1 7 /* First arch-specific bit */
|
||||
#define EFI_DBG 8 /* Print additional debug info at runtime */
|
||||
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
|
||||
@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.5.0
|
||||
2.5.5
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001
|
||||
From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 5 Feb 2013 19:25:05 -0500
|
||||
Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode
|
||||
Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode
|
||||
|
||||
A user can manually tell the shim boot loader to disable validation of
|
||||
images it loads. When a user does this, it creates a UEFI variable called
|
||||
@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index b4de3faa3f29..5cc2ef570390 100644
|
||||
index 6b8b9a775b46..b3a5364d31c6 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -830,8 +830,9 @@ out:
|
||||
@@ -574,8 +574,9 @@ free_handle:
|
||||
|
||||
static int get_secure_boot(void)
|
||||
{
|
||||
@ -29,7 +29,7 @@ index b4de3faa3f29..5cc2ef570390 100644
|
||||
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
|
||||
efi_status_t status;
|
||||
|
||||
@@ -855,6 +856,23 @@ static int get_secure_boot(void)
|
||||
@@ -599,6 +600,23 @@ static int get_secure_boot(void)
|
||||
if (setup == 1)
|
||||
return 0;
|
||||
|
||||
@ -54,5 +54,5 @@ index b4de3faa3f29..5cc2ef570390 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
2
gitrev
2
gitrev
@ -1 +1 @@
|
||||
7639dad93a5564579987abded4ec05e3db13659d
|
||||
84787c572d402644dca4874aba73324d9f8e3948
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001
|
||||
From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 20 Jun 2014 08:53:24 -0400
|
||||
Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
|
||||
Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
|
||||
index 690f78f210f2..037303a1cba9 100644
|
||||
index fca9254280ee..ffd8644078b2 100644
|
||||
--- a/kernel/power/hibernate.c
|
||||
+++ b/kernel/power/hibernate.c
|
||||
@@ -29,6 +29,7 @@
|
||||
@ -35,5 +35,5 @@ index 690f78f210f2..037303a1cba9 100644
|
||||
|
||||
/**
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
11
kernel.spec
11
kernel.spec
@ -69,7 +69,7 @@ Summary: The Linux kernel
|
||||
# The rc snapshot level
|
||||
%define rcrev 0
|
||||
# The git snapshot level
|
||||
%define gitrev 6
|
||||
%define gitrev 7
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 4.%{upstream_sublevel}.0
|
||||
%endif
|
||||
@ -553,8 +553,6 @@ Patch482: Add-option-to-automatically-enforce-module-signature.patch
|
||||
|
||||
Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
|
||||
|
||||
Patch484: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
|
||||
|
||||
Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
|
||||
|
||||
Patch486: hibernate-Disable-in-a-signed-modules-environment.patch
|
||||
@ -566,7 +564,7 @@ Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch
|
||||
# This doesn't apply. It seems like it could be replaced by
|
||||
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c
|
||||
# which has an explicit line about blacklisting
|
||||
# Patch489: KEYS-Add-a-system-blacklist-keyring.patch
|
||||
Patch489: KEYS-Add-a-system-blacklist-keyring.patch
|
||||
|
||||
Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
|
||||
|
||||
@ -2135,6 +2133,11 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue May 24 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.7.0-0.rc0.git7.1
|
||||
- Linux v4.6-10203-g84787c572d40
|
||||
- Enable CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE (rhbz 1339281)
|
||||
- Fixup SB patchset to work with upstream changes
|
||||
|
||||
* Mon May 23 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git6.1
|
||||
- Linux v4.6-8907-g7639dad
|
||||
- trace, f2fs, btrfs, rtc, mailbox, akpm, staging, driver core, char, usb,
|
||||
|
Loading…
Reference in New Issue
Block a user