Patch file cleanup
Do a couple of things here: - Split the mega-patches into individual patches. Should help with rebasing. - Make all patches 'git am' acceptable. There should be no functional or actual code differences from before
parent
a99be7d4cf
commit
6a91557e4c
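--- /dev/null
+++ b/ACPI-Limit-access-to-custom_method.patch
@@ -0,0 +1,31 @@
+From 534706023a5b169f0d85c92c00c4a658346704f5 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Mar 2012 08:39:37 -0500
+Subject: [PATCH] ACPI: Limit access to custom_method
+
+custom_method effectively allows arbitrary access to system memory, making
+it possible for an attacker to circumvent restrictions on module loading.
+Disable it if any such restrictions have been enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+drivers/acpi/custom_method.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
+index c68e72414a67..4277938af700 100644
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
+struct acpi_table_header table;
+acpi_status status;
+
++ if (secure_modules())
++ return -EPERM;
++
+if (!(*ppos)) {
+/* parse the table header to get the table length */
+if (count <= sizeof(struct acpi_table_header))
+--
+1.9.3
+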
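Review bot: `secure_modules()` is declared in include/linux/module.h (the declaration is added by the Add-secure_modules-call patch elsewhere in this commit), but this hunk adds no `#include <linux/module.h>` to drivers/acpi/custom_method.c; if the file does not already pull that header in, the new call is an implicit declaration. The check also carries no comment saying which threat it closes, so a later reader may drop it as unrelated to ACPI; suggest `/* custom_method lets userspace inject AML with arbitrary access to system memory; refuse it whenever module loading is locked down so it cannot bypass that restriction. */` above the `if`. cm_write starts before the hunk and continues after it.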
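--- /dev/null
+++ b/ARM-tegra-usb-no-reset.patch
@@ -0,0 +1,32 @@
+From 8820ddd6eefc70f2780b8fc06741de6e05ccd019 Mon Sep 17 00:00:00 2001
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Thu, 3 May 2012 20:27:11 +0100
+Subject: [PATCH] ARM: tegra: usb no reset
+
+Patch for disconnect issues with storage attached to a
+tegra-ehci controller
+---
+drivers/usb/core/hub.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 8a4dcbc7a75f..8ab01fbcc6a9 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5031,6 +5031,13 @@ static void hub_events(void)
+(u16) hub->change_bits[0],
+(u16) hub->event_bits[0]);
+
++ /* Don't disconnect USB-SATA on TrimSlice */
++ if (strcmp(dev_name(hdev->bus->controller), "tegra-ehci.0") == 0) {
++ if ((hdev->state == 7) && (hub->change_bits[0] == 0) &&
++ (hub->event_bits[0] == 0x2))
++ hub->event_bits[0] = 0;
++ }
++
+/* Lock the device, then check to see if we were
+* disconnected while waiting for the lock to succeed. */
+usb_lock_device(hdev);
+--
+1.9.3
+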
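Review bot: `hdev->state == 7` in the new block compares against a bare literal where `enum usb_device_state` provides a named constant (`USB_STATE_CONFIGURED` is the value the literal appears to stand for), and `0x2` on the next line is likewise an unnamed bit of `event_bits[0]`; suggest `if ((hdev->state == USB_STATE_CONFIGURED) && (hub->change_bits[0] == 0) &&` and a comment naming what bit 1 of event_bits means here. The comment "Don't disconnect USB-SATA on TrimSlice" describes a board while the condition keys on the controller name "tegra-ehci.0", so any board with that controller instance is affected; the comment should say that. hub_events begins before the hunk and continues after it.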
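--- /dev/null
+++ b/Add-EFI-signature-data-types.patch
@@ -0,0 +1,57 @@
+From 319b6d06b46f630629fcaaa6532f62dc1aae945a Mon Sep 17 00:00:00 2001
+From: Dave Howells <dhowells@redhat.com>
+Date: Tue, 23 Oct 2012 09:30:54 -0400
+Subject: [PATCH] Add EFI signature data types
+
+Add the data types that are used for containing hashes, keys and certificates
+for cryptographic verification.
+
+Bugzilla: N/A
+Upstream-status: Fedora mustard for now
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+include/linux/efi.h | 20 ++++++++++++++++++++
+1 file changed, 20 insertions(+)
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index ebe6a24cc1e1..5ce40e215f15 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -581,6 +581,12 @@ void efi_native_runtime_setup(void);
+#define DEVICE_TREE_GUID \
+EFI_GUID( 0xb1b621d5, 0xf19c, 0x41a5, 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0 )
+
++#define EFI_CERT_SHA256_GUID \
++ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 )
++
++#define EFI_CERT_X509_GUID \
++ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
++
+typedef struct {
+efi_guid_t guid;
+u64 table;
+@@ -796,6 +802,20 @@ typedef struct _efi_file_io_interface {
+
+#define EFI_INVALID_TABLE_ADDR (~0UL)
+
++typedef struct {
++ efi_guid_t signature_owner;
++ u8 signature_data[];
++} efi_signature_data_t;
++
++typedef struct {
++ efi_guid_t signature_type;
++ u32 signature_list_size;
++ u32 signature_header_size;
++ u32 signature_size;
++ u8 signature_header[];
++ /* efi_signature_data_t signatures[][] */
++} efi_signature_list_t;
++
+/*
+* All runtime access to EFI goes through this structure:
+*/
+--
+1.9.3
+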
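Review bot: The two new typedefs carry no comment tying them to the UEFI EFI_SIGNATURE_DATA and EFI_SIGNATURE_LIST layouts they mirror, nor a note that every size field is read from a firmware variable and so must be bounds-checked by the consumer before `signature_header[]` or the entries behind it are walked. Suggest, above `efi_signature_list_t`: `/* UEFI EFI_SIGNATURE_LIST: this header, then signature_header_size bytes of type-specific header, then efi_signature_data_t entries of signature_size bytes each, signature_list_size bytes in total. All sizes come from firmware and are untrusted. */`. The `/* efi_signature_data_t signatures[][] */` placeholder should also say that the entries start at `signature_header + signature_header_size`, not at offset 0 of the flexible array.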
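--- /dev/null
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@@ -0,0 +1,179 @@
+From 30f41111b3e9ec5087a5bf7ac1ffc8982fb7db59 Mon Sep 17 00:00:00 2001
+From: Dave Howells <dhowells@redhat.com>
+Date: Tue, 23 Oct 2012 09:36:28 -0400
+Subject: [PATCH] Add an EFI signature blob parser and key loader.
+
+X.509 certificates are loaded into the specified keyring as asymmetric type
+keys.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+crypto/asymmetric_keys/Kconfig | 8 +++
+crypto/asymmetric_keys/Makefile | 1 +
+crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
+include/linux/efi.h | 4 ++
+4 files changed, 122 insertions(+)
+create mode 100644 crypto/asymmetric_keys/efi_parser.c
+
+diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
+index 4870f28403f5..4a1b50d73b80 100644
+--- a/crypto/asymmetric_keys/Kconfig
++++ b/crypto/asymmetric_keys/Kconfig
+@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
+This option provides support for verifying the signature(s) on a
+signed PE binary.
+
++config EFI_SIGNATURE_LIST_PARSER
++ bool "EFI signature list parser"
++ depends on EFI
++ select X509_CERTIFICATE_PARSER
++ help
++ This option provides support for parsing EFI signature lists for
++ X.509 certificates and turning them into keys.
++
+endif # ASYMMETRIC_KEY_TYPE
+diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
+index e47fcd9ac5e8..6512f6596785 100644
+--- a/crypto/asymmetric_keys/Makefile
++++ b/crypto/asymmetric_keys/Makefile
+@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o
+
+obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
+obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o
++obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
+
+#
+# X.509 Certificate handling
+diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
+new file mode 100644
+index 000000000000..424896a0b169
+--- /dev/null
++++ b/crypto/asymmetric_keys/efi_parser.c
+@@ -0,0 +1,109 @@
++/* EFI signature/key/certificate list parser
++ *
++ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#define pr_fmt(fmt) "EFI: "fmt
++#include <linux/module.h>
++#include <linux/printk.h>
++#include <linux/err.h>
++#include <linux/efi.h>
++#include <keys/asymmetric-type.h>
++
++static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
++
++/**
++ * parse_efi_signature_list - Parse an EFI signature list for certificates
++ * @data: The data blob to parse
++ * @size: The size of the data blob
++ * @keyring: The keyring to add extracted keys to
++ */
++int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring)
++{
++ unsigned offs = 0;
++ size_t lsize, esize, hsize, elsize;
++
++ pr_devel("-->%s(,%zu)\n", __func__, size);
++
++ while (size > 0) {
++ efi_signature_list_t list;
++ const efi_signature_data_t *elem;
++ key_ref_t key;
++
++ if (size < sizeof(list))
++ return -EBADMSG;
++
++ memcpy(&list, data, sizeof(list));
++ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",
++ offs,
++ list.signature_type.b, list.signature_list_size,
++ list.signature_header_size, list.signature_size);
++
++ lsize = list.signature_list_size;
++ hsize = list.signature_header_size;
++ esize = list.signature_size;
++ elsize = lsize - sizeof(list) - hsize;
++
++ if (lsize > size) {
++ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",
++ __func__, offs);
++ return -EBADMSG;
++ }
++ if (lsize < sizeof(list) ||
++ lsize - sizeof(list) < hsize ||
++ esize < sizeof(*elem) ||
++ elsize < esize ||
++ elsize % esize != 0) {
++ pr_devel("- bad size combo @%x\n", offs);
++ return -EBADMSG;
++ }
++
++ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) {
++ data += lsize;
++ size -= lsize;
++ offs += lsize;
++ continue;
++ }
++
++ data += sizeof(list) + hsize;
++ size -= sizeof(list) + hsize;
++ offs += sizeof(list) + hsize;
++
++ for (; elsize > 0; elsize -= esize) {
++ elem = data;
++
++ pr_devel("ELEM[%04x]\n", offs);
++
++ key = key_create_or_update(
++ make_key_ref(keyring, 1),
++ "asymmetric",
++ NULL,
++ &elem->signature_data,
++ esize - sizeof(*elem),
++ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
++ KEY_USR_VIEW,
++ KEY_ALLOC_NOT_IN_QUOTA |
++ KEY_ALLOC_TRUSTED);
++
++ if (IS_ERR(key))
++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
++ PTR_ERR(key));
++ else
++ pr_notice("Loaded cert '%s' linked to '%s'\n",
++ key_ref_to_ptr(key)->description,
++ keyring->description);
++
++ data += esize;
++ size -= esize;
++ offs += esize;
++ }
++ }
++
++ return 0;
++}
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 5ce40e215f15..41359e548bcb 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -906,6 +906,10 @@ extern bool efi_poweroff_required(void);
+(md) <= (efi_memory_desc_t *)((m)->map_end - (m)->desc_size); \
+(md) = (void *)(md) + (m)->desc_size)
+
++struct key;
++extern int __init parse_efi_signature_list(const void *data, size_t size,
++ struct key *keyring);
++
+/**
+* efi_range_is_wc - check the WC bit on an address range
+* @start: starting kvirt address
+--
+1.9.3
+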
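Review bot: The kernel-doc for parse_efi_signature_list documents the parameters but not the return contract, and that contract is asymmetric: a malformed list returns -EBADMSG and abandons the whole blob, whereas a certificate that key_create_or_update() rejects is only logged with pr_err and skipped, so the function still returns 0 and the caller cannot tell that some of the firmware's certificates were dropped. Suggest adding to the header: `* Returns 0 on success or -EBADMSG if the blob is malformed; individual certificates that fail to load are logged and skipped without being reported to the caller.`. Separately, `elsize = lsize - sizeof(list) - hsize;` is evaluated before the `lsize < sizeof(list)` and `lsize - sizeof(list) < hsize` checks and so wraps for a bad list; it is harmless only because the combined check rejects the list before `elsize` is read, which deserves either moving the assignment below that check or a one-line comment. Every size here comes from a firmware variable, so a comment stating that the checks are the trust boundary would help future edits keep them intact.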
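--- /dev/null
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@@ -0,0 +1,186 @@
+From acfbe6c8714da667ad980b9847edefe947f7e67e Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Aug 2013 18:36:30 -0400
+Subject: [PATCH] Add option to automatically enforce module signatures when in
+Secure Boot mode
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+only load signed bootloaders and kernels. Certain use cases may also
+require that all kernel modules also be signed. Add a configuration option
+that enforces this automatically when enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+Documentation/x86/zero-page.txt | 2 ++
+arch/x86/Kconfig | 10 ++++++++++
+arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++
+arch/x86/include/uapi/asm/bootparam.h | 3 ++-
+arch/x86/kernel/setup.c | 6 ++++++
+include/linux/module.h | 6 ++++++
+kernel/module.c | 7 +++++++
+7 files changed, 69 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
+index 199f453cb4de..ec38acf00b40 100644
+--- a/Documentation/x86/zero-page.txt
++++ b/Documentation/x86/zero-page.txt
+@@ -30,6 +30,8 @@ Offset Proto Name Meaning
+1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
+1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
+(below)
++1EB/001 ALL kbd_status Numlock is enabled
++1EC/001 ALL secure_boot Secure boot is enabled in the firmware
+1EF/001 ALL sentinel Used to detect broken bootloaders
+290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
+2D0/A00 ALL e820_map E820 memory map table
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 5d0bf1aa9dcb..46392bfab57e 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1565,6 +1565,16 @@ config EFI_MIXED
+
+If unsure, say N.
+
++config EFI_SECURE_BOOT_SIG_ENFORCE
++ def_bool n
++ prompt "Force module signing when UEFI Secure Boot is enabled"
++ ---help---
++ UEFI Secure Boot provides a mechanism for ensuring that the
++ firmware will only load signed bootloaders and kernels. Certain
++ use cases may also require that all kernel modules also be signed.
++ Say Y here to automatically enable module signature enforcement
++ when a system boots with UEFI Secure Boot enabled.
++
+config SECCOMP
+def_bool y
+prompt "Enable seccomp to safely compute untrusted bytecode"
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index f277184e2ac1..88edd48f03e9 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -12,6 +12,7 @@
+#include <asm/efi.h>
+#include <asm/setup.h>
+#include <asm/desc.h>
++#include <asm/bootparam_utils.h>
+
+#undef memcpy /* Use memcpy from misc.c */
+
+@@ -803,6 +804,37 @@ out:
+return status;
+}
+
++static int get_secure_boot(void)
++{
++ u8 sb, setup;
++ unsigned long datasize = sizeof(sb);
++ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
++ efi_status_t status;
++
++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
++ L"SecureBoot", &var_guid, NULL, &datasize, &sb);
++
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ if (sb == 0)
++ return 0;
++
++
++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
++ L"SetupMode", &var_guid, NULL, &datasize,
++ &setup);
++
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ if (setup == 1)
++ return 0;
++
++ return 1;
++}
++
++
+/*
+* See if we have Graphics Output Protocol
+*/
+@@ -1374,6 +1406,10 @@ struct boot_params *efi_main(struct efi_config *c,
+else
+setup_boot_services32(efi_early);
+
++ sanitize_boot_params(boot_params);
++
++ boot_params->secure_boot = get_secure_boot();
++
+setup_graphics(boot_params);
+
+status = setup_efi_pci(boot_params);
+diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
+index 225b0988043a..90dbfb73e11f 100644
+--- a/arch/x86/include/uapi/asm/bootparam.h
++++ b/arch/x86/include/uapi/asm/bootparam.h
+@@ -133,7 +133,8 @@ struct boot_params {
+__u8 eddbuf_entries; /* 0x1e9 */
+__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
+__u8 kbd_status; /* 0x1eb */
+- __u8 _pad5[3]; /* 0x1ec */
++ __u8 secure_boot; /* 0x1ec */
++ __u8 _pad5[2]; /* 0x1ed */
+/*
+* The sentinel is set to a nonzero value (0xff) in header.S.
+*
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 41ead8d3bc0b..5a5cf7395724 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p)
+
+io_delay_init();
+
++#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
++ if (boot_params.secure_boot) {
++ enforce_signed_modules();
++ }
++#endif
++
+/*
+* Parse the ACPI tables for possible boot-time SMP configuration.
+*/
+diff --git a/include/linux/module.h b/include/linux/module.h
+index 341a73ecea2e..cca08ac450e2 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
+
+struct notifier_block;
+
++#ifdef CONFIG_MODULE_SIG
++extern void enforce_signed_modules(void);
++#else
++static inline void enforce_signed_modules(void) {};
++#endif
++
+#ifdef CONFIG_MODULES
+
+extern int modules_disabled; /* for sysctl */
+diff --git a/kernel/module.c b/kernel/module.c
+index 1f7b4664300e..866417ecc76a 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3843,6 +3843,13 @@ void module_layout(struct module *mod,
+EXPORT_SYMBOL(module_layout);
+#endif
+
++#ifdef CONFIG_MODULE_SIG
++void enforce_signed_modules(void)
++{
++ sig_enforce = true;
++}
++#endif
++
+bool secure_modules(void)
+{
+#ifdef CONFIG_MODULE_SIG
+--
+1.9.3
+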
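Review bot: In get_secure_boot() `datasize` is reused for the SetupMode lookup without being reset: after the first get_variable call succeeds it holds the byte count the firmware actually wrote, so the bound passed for the second call is whatever SecureBoot reported rather than `sizeof(setup)`; add `datasize = sizeof(setup);` before the second `efi_early->call`. Every failure path in that function returns 0, and setup.c only calls enforce_signed_modules() when `boot_params.secure_boot` is nonzero, so a firmware whose variable reads fail leaves enforcement off; a comment stating that this fail-open behaviour is intended would stop the next reader from "fixing" it in either direction. In the include/linux/module.h hunk, `static inline void enforce_signed_modules(void) {};` has a stray semicolon after the body; `static inline void enforce_signed_modules(void) {}` is the usual form. efi_main and setup_arch both start before their hunks and continue after them.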
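--- /dev/null
+++ b/Add-secure_modules-call.patch
@@ -0,0 +1,64 @@
+From 2b10c8cae99674ce201497dda8830d13291f46b5 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Aug 2013 17:58:15 -0400
+Subject: [PATCH] Add secure_modules() call
+
+Provide a single call to allow kernel code to determine whether the system
+has been configured to either disable module loading entirely or to load
+only modules signed with a trusted key.
+
+Bugzilla: N/A
+Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+include/linux/module.h | 7 +++++++
+kernel/module.c | 10 ++++++++++
+2 files changed, 17 insertions(+)
+
+diff --git a/include/linux/module.h b/include/linux/module.h
+index 71f282a4e307..341a73ecea2e 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -516,6 +516,8 @@ int unregister_module_notifier(struct notifier_block *nb);
+
+extern void print_modules(void);
+
++extern bool secure_modules(void);
++
+#else /* !CONFIG_MODULES... */
+
+/* Given an address, look for it in the exception tables. */
+@@ -626,6 +628,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
+static inline void print_modules(void)
+{
+}
++
++static inline bool secure_modules(void)
++{
++ return false;
++}
+#endif /* CONFIG_MODULES */
+
+#ifdef CONFIG_SYSFS
+diff --git a/kernel/module.c b/kernel/module.c
+index 03214bd288e9..1f7b4664300e 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3842,3 +3842,13 @@ void module_layout(struct module *mod,
+}
+EXPORT_SYMBOL(module_layout);
+#endif
++
++bool secure_modules(void)
++{
++#ifdef CONFIG_MODULE_SIG
++ return (sig_enforce || modules_disabled);
++#else
++ return modules_disabled;
++#endif
++}
++EXPORT_SYMBOL(secure_modules);
+--
+1.9.3
+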
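Review bot: The new secure_modules() in kernel/module.c has no comment pinning what it promises, yet it is the predicate the ACPI custom_method patch in this same commit uses to gate an interface with arbitrary memory access, so its meaning should be stated at the definition: `/* True when module loading is disabled or restricted to signed modules; used to gate interfaces that could otherwise bypass those restrictions. */`. Without CONFIG_MODULE_SIG the function degrades to `return modules_disabled;`, i.e. only the sysctl is consulted, which the comment should also spell out so callers do not assume a signature policy exists. The symbol goes out via `EXPORT_SYMBOL` rather than `EXPORT_SYMBOL_GPL`; if letting any out-of-tree module read this policy is intended, a short note saying so would save the question on the next rebase.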
@ -1,11 +1,10 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
|
||||
From 603230771bdbca78e6530d29dbe8b239cdcc8473 Mon Sep 17 00:00:00 2001
|
||||
From fa99247d0a0867fdaa29a3a2df56d388e605f543 Mon Sep 17 00:00:00 2001
|
||||
From: Kyle McMartin <kyle@redhat.com>
|
||||
Date: Fri, 30 Aug 2013 09:28:51 -0400
|
||||
Subject: [PATCH] Add sysrq option to disable secure boot mode
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
---
|
||||
arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
|
||||
drivers/input/misc/uinput.c | 1 +
|
||||
@ -17,7 +16,7 @@ Subject: [PATCH] Add sysrq option to disable secure boot mode
|
||||
7 files changed, 65 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 5ce785fc9f05..2024cbb7169b 100644
|
||||
index fb282ff6a802..d291d16ba257 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -70,6 +70,11 @@
|
||||
@ -71,10 +70,10 @@ index 5ce785fc9f05..2024cbb7169b 100644
|
||||
.notifier_call = dump_kernel_offset
|
||||
};
|
||||
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
|
||||
index 856936247500..1e87a1ea704b 100644
|
||||
index 421e29e4cd81..61c1eb97806c 100644
|
||||
--- a/drivers/input/misc/uinput.c
|
||||
+++ b/drivers/input/misc/uinput.c
|
||||
@@ -353,6 +353,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
|
||||
@@ -366,6 +366,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
|
||||
if (!udev->dev)
|
||||
return -ENOMEM;
|
||||
|
||||
@ -83,7 +82,7 @@ index 856936247500..1e87a1ea704b 100644
|
||||
input_set_drvdata(udev->dev, udev);
|
||||
|
||||
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
|
||||
index 454b65898e2c..19d67594a3b8 100644
|
||||
index 42bad18c66c9..496e073b09d7 100644
|
||||
--- a/drivers/tty/sysrq.c
|
||||
+++ b/drivers/tty/sysrq.c
|
||||
@@ -463,6 +463,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
|
||||
@ -217,7 +216,7 @@ index 387fa7d05c98..4b07e30b3279 100644
|
||||
int unregister_sysrq_key(int key, struct sysrq_key_op *op);
|
||||
struct sysrq_key_op *__sysrq_get_key_op(int key);
|
||||
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
|
||||
index 2f7c760305ca..abb29d9811af 100644
|
||||
index 379650b984f8..070f29fefdc2 100644
|
||||
--- a/kernel/debug/kdb/kdb_main.c
|
||||
+++ b/kernel/debug/kdb/kdb_main.c
|
||||
@@ -1924,7 +1924,7 @@ static int kdb_sr(int argc, const char **argv)
|
||||
@ -230,10 +229,10 @@ index 2f7c760305ca..abb29d9811af 100644
|
||||
|
||||
return 0;
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 452079124fb7..37dabbc1e902 100644
|
||||
index 866417ecc76a..d7ca95c5a349 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
|
||||
@@ -108,9 +108,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
|
||||
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
#ifdef CONFIG_MODULE_SIG_FORCE
|
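--- /dev/null
+++ b/KEYS-Add-a-system-blacklist-keyring.patch
@@ -0,0 +1,112 @@
+From 8d5fa1114c4c28e39636d5ff11979e42450a4480 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 26 Oct 2012 12:36:24 -0400
+Subject: [PATCH] KEYS: Add a system blacklist keyring
+
+This adds an additional keyring that is used to store certificates that
+are blacklisted. This keyring is searched first when loading signed modules
+and if the module's certificate is found, it will refuse to load. This is
+useful in cases where third party certificates are used for module signing.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+include/keys/system_keyring.h | 4 ++++
+init/Kconfig | 9 +++++++++
+kernel/module_signing.c | 12 ++++++++++++
+kernel/system_keyring.c | 17 +++++++++++++++++
+4 files changed, 42 insertions(+)
+
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index 72665eb80692..2c7b80d31366 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void)
+}
+#endif
+
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++extern struct key *system_blacklist_keyring;
++#endif
++
+#endif /* _KEYS_SYSTEM_KEYRING_H */
+diff --git a/init/Kconfig b/init/Kconfig
+index e84c6423a2e5..223b1a32bbcb 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1720,6 +1720,15 @@ config SYSTEM_TRUSTED_KEYRING
+
+Keys in this keyring are used by module signature checking.
+
++config SYSTEM_BLACKLIST_KEYRING
++ bool "Provide system-wide ring of blacklisted keys"
++ depends on KEYS
++ help
++ Provide a system keyring to which blacklisted keys can be added.
++ Keys in the keyring are considered entirely untrusted. Keys in this
++ keyring are used by the module signature checking to reject loading
++ of modules signed with a blacklisted key.
++
+config PROFILING
+bool "Profiling support"
+help
+diff --git a/kernel/module_signing.c b/kernel/module_signing.c
+index be5b8fac4bd0..fed815fcdaf2 100644
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
+
+pr_debug("Look up: \"%s\"\n", id);
+
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++ key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
++ &key_type_asymmetric, id);
++ if (!IS_ERR(key)) {
++ /* module is signed with a cert in the blacklist. reject */
++ pr_err("Module key '%s' is in blacklist\n", id);
++ key_ref_put(key);
++ kfree(id);
++ return ERR_PTR(-EKEYREJECTED);
++ }
++#endif
++
+key = keyring_search(make_key_ref(system_trusted_keyring, 1),
+&key_type_asymmetric, id);
+if (IS_ERR(key))
+diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
+index 875f64e8935b..c15e93f5a418 100644
+--- a/kernel/system_keyring.c
++++ b/kernel/system_keyring.c
+@@ -20,6 +20,9 @@
+
+struct key *system_trusted_keyring;
+EXPORT_SYMBOL_GPL(system_trusted_keyring);
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++struct key *system_blacklist_keyring;
++#endif
+
+extern __initconst const u8 system_certificate_list[];
+extern __initconst const unsigned long system_certificate_list_size;
+@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
+panic("Can't allocate system trusted keyring\n");
+
+set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
++
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
++ KUIDT_INIT(0), KGIDT_INIT(0),
++ current_cred(),
++ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
++ KEY_USR_VIEW | KEY_USR_READ,
++ KEY_ALLOC_NOT_IN_QUOTA, NULL);
++ if (IS_ERR(system_blacklist_keyring))
++ panic("Can't allocate system blacklist keyring\n");
++
++ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
++#endif
++
+return 0;
+}
+
+--
+1.9.3
+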
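Review bot: `config SYSTEM_BLACKLIST_KEYRING` only `depends on KEYS`, but the keyring it introduces is defined and initialised inside kernel/system_keyring.c's system_trusted_keyring_init(), and the kernel/Makefile context line visible in the MODSIGN patch on this page builds that file only under CONFIG_SYSTEM_TRUSTED_KEYRING; a config with the blacklist option but without the trusted keyring would therefore leave `system_blacklist_keyring` undefined for module_signing.c. Suggest `depends on KEYS && SYSTEM_TRUSTED_KEYRING`. In the module_signing.c hunk the blacklist hit does `key_ref_put(key); kfree(id); return ERR_PTR(-EKEYREJECTED);`, duplicating whatever cleanup of `id` the surrounding function already performs on its other error paths; if request_asymmetric_key has a common exit, jump to it so the two paths cannot drift. `KEY_FLAG_TRUSTED_ONLY` is also set on the blacklist keyring, which reads oddly next to a Kconfig text saying its keys are "entirely untrusted"; a comment such as `/* TRUSTED_ONLY restricts who may add to the blacklist, it says nothing about the keys themselves */` would prevent that being "corrected". request_asymmetric_key begins before the hunk and continues after it.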
186
MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
Normal file
186
MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
Normal file
@ -0,0 +1,186 @@
|
||||
From f06dd05414175619d0083fe4236705755f4692bd Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
||||
Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
|
||||
|
||||
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
||||
This imports those certificates into the system trusted keyring. This
|
||||
allows for a third party signing certificate to be used in conjunction
|
||||
with signed modules. By importing the public certificate into the 'db'
|
||||
variable, a user can allow a module signed with that certificate to
|
||||
load. The shim UEFI bootloader has a similar certificate list stored
|
||||
in the 'MokListRT' variable. We import those as well.
|
||||
|
||||
In the opposite case, Secure Boot maintains a list of disallowed
|
||||
certificates in the 'dbx' variable. We load those certificates into
|
||||
the newly introduced system blacklist keyring and forbid any module
|
||||
signed with those from loading.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
include/linux/efi.h | 6 ++++
|
||||
init/Kconfig | 9 +++++
|
||||
kernel/Makefile | 3 ++
|
||||
kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 110 insertions(+)
|
||||
create mode 100644 kernel/modsign_uefi.c
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 41359e548bcb..db9e6118575e 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -587,6 +587,12 @@ void efi_native_runtime_setup(void);
|
||||
#define EFI_CERT_X509_GUID \
|
||||
EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
|
||||
|
||||
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
|
||||
+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
|
||||
+
|
||||
+#define EFI_SHIM_LOCK_GUID \
|
||||
+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
|
||||
+
|
||||
typedef struct {
|
||||
efi_guid_t guid;
|
||||
u64 table;
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index 223b1a32bbcb..3bad458f1c68 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -1874,6 +1874,15 @@ config MODULE_SIG_ALL
|
||||
comment "Do not forget to sign required modules with scripts/sign-file"
|
||||
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
|
||||
|
||||
+config MODULE_SIG_UEFI
|
||||
+ bool "Allow modules signed with certs stored in UEFI"
|
||||
+ depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI
|
||||
+ select EFI_SIGNATURE_LIST_PARSER
|
||||
+ help
|
||||
+ This will import certificates stored in UEFI and allow modules
|
||||
+ signed with those to be loaded. It will also disallow loading
|
||||
+ of modules stored in the UEFI dbx variable.
|
||||
+
|
||||
choice
|
||||
prompt "Which hash algorithm should modules be signed with?"
|
||||
depends on MODULE_SIG
|
||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||
index dc5c77544fd6..95bdf3398880 100644
|
||||
--- a/kernel/Makefile
|
||||
+++ b/kernel/Makefile
|
||||
@@ -45,6 +45,7 @@ obj-$(CONFIG_UID16) += uid16.o
|
||||
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
|
||||
obj-$(CONFIG_MODULES) += module.o
|
||||
obj-$(CONFIG_MODULE_SIG) += module_signing.o
|
||||
+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
|
||||
obj-$(CONFIG_KALLSYMS) += kallsyms.o
|
||||
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
|
||||
obj-$(CONFIG_KEXEC) += kexec.o
|
||||
@@ -99,6 +100,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
|
||||
|
||||
$(obj)/configs.o: $(obj)/config_data.h
|
||||
|
||||
+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
|
||||
+
|
||||
# config_data.h contains the same information as ikconfig.h but gzipped.
|
||||
# Info from config_data can be extracted from /proc/config*
|
||||
targets += config_data.gz
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
new file mode 100644
|
||||
index 000000000000..94b0eb38a284
|
||||
--- /dev/null
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -0,0 +1,92 @@
|
||||
+#include <linux/kernel.h>
|
||||
+#include <linux/sched.h>
|
||||
+#include <linux/cred.h>
|
||||
+#include <linux/err.h>
|
||||
+#include <linux/efi.h>
|
||||
+#include <linux/slab.h>
|
||||
+#include <keys/asymmetric-type.h>
|
||||
+#include <keys/system_keyring.h>
|
||||
+#include "module-internal.h"
|
||||
+
|
||||
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
|
||||
+{
|
||||
+ efi_status_t status;
|
||||
+ unsigned long lsize = 4;
|
||||
+ unsigned long tmpdb[4];
|
||||
+ void *db = NULL;
|
||||
+
|
||||
+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
|
||||
+ if (status != EFI_BUFFER_TOO_SMALL) {
|
||||
+ pr_err("Couldn't get size: 0x%lx\n", status);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ db = kmalloc(lsize, GFP_KERNEL);
|
||||
+ if (!db) {
|
||||
+ pr_err("Couldn't allocate memory for uefi cert list\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ status = efi.get_variable(name, guid, NULL, &lsize, db);
|
||||
+ if (status != EFI_SUCCESS) {
|
||||
+ kfree(db);
|
||||
+ db = NULL;
|
||||
+ pr_err("Error reading db var: 0x%lx\n", status);
|
||||
+ }
|
||||
+out:
|
||||
+ *size = lsize;
|
||||
+ return db;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * * Load the certs contained in the UEFI databases
|
||||
+ * */
|
||||
+static int __init load_uefi_certs(void)
|
||||
+{
|
||||
+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
|
||||
+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
||||
+ void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||
+ int rc = 0;
|
||||
+
|
||||
+ /* Check if SB is enabled and just return if not */
|
||||
+ if (!efi_enabled(EFI_SECURE_BOOT))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
|
||||
+ * an error if we can't get them.
|
||||
+ */
|
||||
+ db = get_cert_list(L"db", &secure_var, &dbsize);
|
||||
+ if (!db) {
|
||||
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
+ kfree(db);
|
||||
+ }
|
||||
+
|
||||
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
+ if (!mok) {
|
||||
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
|
||||
+ kfree(mok);
|
||||
+ }
|
||||
+
|
||||
+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
|
||||
+ if (!dbx) {
|
||||
+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(dbx, dbxsize,
|
||||
+ system_blacklist_keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
|
||||
+ kfree(dbx);
|
||||
+ }
|
||||
+
|
||||
+ return rc;
|
||||
+}
|
||||
+late_initcall(load_uefi_certs);
|
||||
--
|
||||
1.9.3
|
||||
|
84
MODSIGN-Support-not-importing-certs-from-db.patch
Normal file
@ -0,0 +1,84 @@
|
||||
From 97810ad51fb090a759a7c56cd860e0a886675945 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Thu, 3 Oct 2013 10:14:23 -0400
|
||||
Subject: [PATCH] MODSIGN: Support not importing certs from db
|
||||
|
||||
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
||||
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
|
||||
Have the uefi import code look for this and not import things from the db
|
||||
variable.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
|
||||
1 file changed, 31 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
index 94b0eb38a284..ae28b974d49a 100644
|
||||
--- a/kernel/modsign_uefi.c
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -8,6 +8,23 @@
|
||||
#include <keys/system_keyring.h>
|
||||
#include "module-internal.h"
|
||||
|
||||
+static __init int check_ignore_db(void)
|
||||
+{
|
||||
+ efi_status_t status;
|
||||
+ unsigned int db = 0;
|
||||
+ unsigned long size = sizeof(db);
|
||||
+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
|
||||
+
|
||||
+ /* Check and see if the MokIgnoreDB variable exists. If that fails
|
||||
+ * then we don't ignore DB. If it succeeds, we do.
|
||||
+ */
|
||||
+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
|
||||
+ if (status != EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
|
||||
{
|
||||
efi_status_t status;
|
||||
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
|
||||
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
||||
void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||
- int rc = 0;
|
||||
+ int ignore_db, rc = 0;
|
||||
|
||||
/* Check if SB is enabled and just return if not */
|
||||
if (!efi_enabled(EFI_SECURE_BOOT))
|
||||
return 0;
|
||||
|
||||
+ /* See if the user has setup Ignore DB mode */
|
||||
+ ignore_db = check_ignore_db();
|
||||
+
|
||||
/* Get db, MokListRT, and dbx. They might not exist, so it isn't
|
||||
* an error if we can't get them.
|
||||
*/
|
||||
- db = get_cert_list(L"db", &secure_var, &dbsize);
|
||||
- if (!db) {
|
||||
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
- } else {
|
||||
- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
- if (rc)
|
||||
- pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
- kfree(db);
|
||||
+ if (!ignore_db) {
|
||||
+ db = get_cert_list(L"db", &secure_var, &dbsize);
|
||||
+ if (!db) {
|
||||
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
+ kfree(db);
|
||||
+ }
|
||||
}
|
||||
|
||||
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
--
|
||||
1.9.3
|
||||
|
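Review bot: check_ignore_db() treats only EFI_SUCCESS as "exists", so a MokIgnoreDB variable larger than the 4-byte `db` buffer comes back as EFI_BUFFER_TOO_SMALL and is reported as absent, which contradicts the comment saying that mere existence is the criterion. If any size should count, the test should read `if (status != EFI_SUCCESS && status != EFI_BUFFER_TOO_SMALL) return 0;`; otherwise the comment should state that a value larger than 4 bytes is deliberately treated as not set. The attributes argument is passed as NULL, so a variable shim created cannot be told apart from one written at runtime; since the only effect is to drop the db certificates (less trust, not more) that is presumably acceptable, but it is worth saying so in the comment. The value read into `db` is never examined, and a one-line comment noting that would stop a reader looking for where it is used.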
117
PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
Normal file
@ -0,0 +1,117 @@
|
||||
From ba3b2c51e65b95125e4c29725d6c7180d4dea061 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:10:38 -0500
|
||||
Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down from
|
||||
userspace in order to avoid it being possible for an attacker to modify
|
||||
kernel code, allowing them to circumvent disabled module loading or module
|
||||
signing. Default to paranoid - in future we can potentially relax this for
|
||||
sufficiently IOMMU-isolated devices.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
drivers/pci/pci-sysfs.c | 10 ++++++++++
|
||||
drivers/pci/proc.c | 8 +++++++-
|
||||
drivers/pci/syscall.c | 3 ++-
|
||||
3 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
|
||||
index 9ff0a901ecf7..8d0d5d92b8d9 100644
|
||||
--- a/drivers/pci/pci-sysfs.c
|
||||
+++ b/drivers/pci/pci-sysfs.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#include <linux/vgaarb.h>
|
||||
#include <linux/pm_runtime.h>
|
||||
#include <linux/of.h>
|
||||
+#include <linux/module.h>
|
||||
#include "pci.h"
|
||||
|
||||
static int sysfs_initialized; /* = 0 */
|
||||
@@ -704,6 +705,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
|
||||
loff_t init_off = off;
|
||||
u8 *data = (u8 *) buf;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (off > dev->cfg_size)
|
||||
return 0;
|
||||
if (off + count > dev->cfg_size) {
|
||||
@@ -998,6 +1002,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
|
||||
resource_size_t start, end;
|
||||
int i;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
for (i = 0; i < PCI_ROM_RESOURCE; i++)
|
||||
if (res == &pdev->resource[i])
|
||||
break;
|
||||
@@ -1099,6 +1106,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
|
||||
struct bin_attribute *attr, char *buf,
|
||||
loff_t off, size_t count)
|
||||
{
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
return pci_resource_io(filp, kobj, attr, buf, off, count, true);
|
||||
}
|
||||
|
||||
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
|
||||
index 3f155e78513f..4265ea07e3b0 100644
|
||||
--- a/drivers/pci/proc.c
|
||||
+++ b/drivers/pci/proc.c
|
||||
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
|
||||
int size = dev->cfg_size;
|
||||
int cnt;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (pos >= size)
|
||||
return 0;
|
||||
if (nbytes >= size)
|
||||
@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
|
||||
#endif /* HAVE_PCI_MMAP */
|
||||
int ret = 0;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
switch (cmd) {
|
||||
case PCIIOC_CONTROLLER:
|
||||
ret = pci_domain_nr(dev->bus);
|
||||
@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
|
||||
struct pci_filp_private *fpriv = file->private_data;
|
||||
int i, ret;
|
||||
|
||||
- if (!capable(CAP_SYS_RAWIO))
|
||||
+ if (!capable(CAP_SYS_RAWIO) || secure_modules())
|
||||
return -EPERM;
|
||||
|
||||
/* Make sure the caller is mapping a real resource for this device */
|
||||
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
|
||||
index b91c4da68365..98f5637304d1 100644
|
||||
--- a/drivers/pci/syscall.c
|
||||
+++ b/drivers/pci/syscall.c
|
||||
@@ -10,6 +10,7 @@
|
||||
#include <linux/errno.h>
|
||||
#include <linux/pci.h>
|
||||
#include <linux/syscalls.h>
|
||||
+#include <linux/module.h>
|
||||
#include <asm/uaccess.h>
|
||||
#include "pci.h"
|
||||
|
||||
@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
|
||||
u32 dword;
|
||||
int err = 0;
|
||||
|
||||
- if (!capable(CAP_SYS_ADMIN))
|
||||
+ if (!capable(CAP_SYS_ADMIN) || secure_modules())
|
||||
return -EPERM;
|
||||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
--
|
||||
1.9.3
|
||||
|
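Review bot: In proc_bus_pci_ioctl() the new `secure_modules()` guard sits before the `switch`, so it also rejects PCIIOC_CONTROLLER, which in the visible case only reports `pci_domain_nr(dev->bus)` and cannot write to the device. If that is intended as part of the "default to paranoid" policy from the commit message, say so next to the check, e.g. `/* Refuse even read-only queries here; the mmap-control cases below are the real target */`; otherwise the guard belongs inside the mmap-affecting cases, which lie outside this hunk. The other new checks in pci-sysfs.c, proc_bus_pci_write() and pciconfig_write() are consistent with each other, each returning -EPERM before any user data is copied.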
42
Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From b5eb26c8283e04ddc93419c4403442a3dae1c581 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 09:28:15 -0500
|
||||
Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
restricted
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel
|
||||
to be subverted, avoiding module loading restrictions. Prevent this when
|
||||
any restrictions have been imposed on loading modules.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
drivers/char/mem.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index cdf839f9defe..c63cf93b00eb 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
|
||||
if (p != *ppos)
|
||||
return -EFBIG;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!valid_phys_addr_range(p, count))
|
||||
return -EFAULT;
|
||||
|
||||
@@ -502,6 +505,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
|
||||
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
|
||||
int err = 0;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (p < (unsigned long) high_memory) {
|
||||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
--
|
||||
1.9.3
|
||||
|
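Review bot: Only the write() paths of /dev/mem and /dev/kmem are guarded here; a process that mmap()s /dev/mem writable never passes through write_mem(), so unless the file's mmap handler already refuses under `secure_modules()` (it is outside this diff and not visible here) this does not close the hole the commit message describes. Worth confirming, and adding the same `if (secure_modules()) return -EPERM;` to the mmap path if it is missing. A short comment above each new check, e.g. `/* Raw physical-memory writes would let userspace bypass module signing */`, would also help, since the -EPERM is otherwise unexplained in the code.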
@ -1,23 +1,25 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Sigh. We almost got to drop this.
|
||||
|
||||
From 20e3f1e1b9341d233a11734c07c076caac9936ef Mon Sep 17 00:00:00 2001
|
||||
From 303ffc5057887b2589b946df891506f7acadaa6f Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 28 Jul 2014 12:59:48 -0400
|
||||
Subject: [PATCH] Revert "Revert "ACPI / video: change acpi-video
|
||||
brightness_switch_enabled default to 0""
|
||||
|
||||
This reverts commit 2843768b701971ab10e62c77d5c75ad7c306f1bd.
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Sigh. We almost got to drop this.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
Documentation/kernel-parameters.txt | 2 +-
|
||||
drivers/acpi/video.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
|
||||
index b7fa2f599459..e8db409a7e3a 100644
|
||||
index 5ae8608ca9f5..8ffa8f91eeb2 100644
|
||||
--- a/Documentation/kernel-parameters.txt
|
||||
+++ b/Documentation/kernel-parameters.txt
|
||||
@@ -3532,7 +3532,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
|
||||
@@ -3595,7 +3595,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
|
||||
the allocated input device; If set to 0, video driver
|
||||
will only send out the event without touching backlight
|
||||
brightness level.
|
||||
@ -27,7 +29,7 @@ index b7fa2f599459..e8db409a7e3a 100644
|
||||
virtio_mmio.device=
|
||||
[VMMIO] Memory mapped virtio (platform) device.
|
||||
diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
|
||||
index 350d52a8f781..44c89f705018 100644
|
||||
index 826884392e6b..a9fa83829ee4 100644
|
||||
--- a/drivers/acpi/video.c
|
||||
+++ b/drivers/acpi/video.c
|
||||
@@ -68,7 +68,7 @@ MODULE_AUTHOR("Bruno Ducrot");
|
||||
|
@ -1,7 +1,4 @@
|
||||
Bugzilla: 917708
|
||||
Upstream-status: Fedora mustard
|
||||
|
||||
From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
|
||||
From 6401611f6bd360109394b46051107f2e0f55c9da Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Wed, 13 Nov 2013 10:21:18 -0500
|
||||
Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
|
||||
@ -9,6 +6,11 @@ Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
|
||||
|
||||
This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
|
||||
|
||||
Bugzilla: 917708
|
||||
Upstream-status: Fedora mustard
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
|
||||
Conflicts:
|
||||
kernel/fork.c
|
||||
---
|
||||
@ -16,10 +18,10 @@ Conflicts:
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/kernel/fork.c b/kernel/fork.c
|
||||
index f6d11fc..e04c9a7 100644
|
||||
index 0cf9cdb6e491..31d3a9763887 100644
|
||||
--- a/kernel/fork.c
|
||||
+++ b/kernel/fork.c
|
||||
@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
|
||||
@@ -1624,6 +1624,19 @@ long do_fork(unsigned long clone_flags,
|
||||
long nr;
|
||||
|
||||
/*
|
||||
@ -40,5 +42,5 @@ index f6d11fc..e04c9a7 100644
|
||||
* called from kernel_thread or CLONE_UNTRACED is explicitly
|
||||
* requested, no event is reported; otherwise, report if the event
|
||||
--
|
||||
1.8.3.1
|
||||
1.9.3
|
||||
|
||||
|
39
acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From 0eca3e79748fdc9ac4491a85dc6c2d306077c749 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Mon, 25 Jun 2012 19:57:30 -0400
|
||||
Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading
|
||||
is restricted
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
makes it possible for a user to circumvent any restrictions imposed on
|
||||
loading modules. Disable it in that case.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
||||
---
|
||||
drivers/acpi/osl.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
|
||||
index 3abe9b223ba7..ee8f11cf65da 100644
|
||||
--- a/drivers/acpi/osl.c
|
||||
+++ b/drivers/acpi/osl.c
|
||||
@@ -44,6 +44,7 @@
|
||||
#include <linux/list.h>
|
||||
#include <linux/jiffies.h>
|
||||
#include <linux/semaphore.h>
|
||||
+#include <linux/module.h>
|
||||
|
||||
#include <asm/io.h>
|
||||
#include <asm/uaccess.h>
|
||||
@@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
|
||||
acpi_physical_address __init acpi_os_get_root_pointer(void)
|
||||
{
|
||||
#ifdef CONFIG_KEXEC
|
||||
- if (acpi_rsdp)
|
||||
+ if (acpi_rsdp && !secure_modules())
|
||||
return acpi_rsdp;
|
||||
#endif
|
||||
|
||||
--
|
||||
1.9.3
|
||||
|
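Review bot: The user-supplied `acpi_rsdp=` value is now dropped silently when `secure_modules()` is true, so an operator who passed it sees the kernel fall back to firmware discovery with no indication why. A message in the rejected case, e.g. `if (acpi_rsdp && secure_modules()) pr_warn("acpi_rsdp= ignored: module loading is restricted\n");` written in the file's existing printk style, makes the policy visible in dmesg and costs nothing since this runs once at boot. The `#ifdef CONFIG_KEXEC` block and the rest of acpi_os_get_root_pointer() continue outside the hunk.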
@ -1,8 +1,8 @@
|
||||
From 5573624261ab5d54f2dea2a3e09a98729db9ecd9 Mon Sep 17 00:00:00 2001
|
||||
From 1313c37c6a3223b837d39e97d49c5372157641cb Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Wed, 30 Apr 2014 15:24:19 +0200
|
||||
Subject: [PATCH 1/2] acpi-video: Add 4 new models to the use_native_backlight
|
||||
dmi list
|
||||
Subject: [PATCH] acpi-video: Add 4 new models to the use_native_backlight dmi
|
||||
list
|
||||
|
||||
Acer Aspire V5-171
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=983342
|
||||
@ -21,10 +21,10 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
1 file changed, 32 insertions(+)
|
||||
|
||||
diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
|
||||
index 8b6990e..48146fc 100644
|
||||
index a9fa83829ee4..bef6c393e8a0 100644
|
||||
--- a/drivers/acpi/video.c
|
||||
+++ b/drivers/acpi/video.c
|
||||
@@ -488,6 +488,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
@@ -550,6 +550,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -39,7 +39,7 @@ index 8b6990e..48146fc 100644
|
||||
.callback = video_set_use_native_backlight,
|
||||
.ident = "Thinkpad Helix",
|
||||
.matches = {
|
||||
@@ -513,6 +521,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
@@ -591,6 +599,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
},
|
||||
{
|
||||
.callback = video_set_use_native_backlight,
|
||||
@ -54,7 +54,7 @@ index 8b6990e..48146fc 100644
|
||||
.ident = "Acer Aspire V5-431",
|
||||
.matches = {
|
||||
DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
|
||||
@@ -520,6 +536,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
@@ -638,6 +654,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -69,7 +69,7 @@ index 8b6990e..48146fc 100644
|
||||
.callback = video_set_use_native_backlight,
|
||||
.ident = "HP ProBook 4340s",
|
||||
.matches = {
|
||||
@@ -571,6 +595,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
@@ -714,6 +738,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
},
|
||||
{
|
||||
.callback = video_set_use_native_backlight,
|
||||
@ -85,5 +85,5 @@ index 8b6990e..48146fc 100644
|
||||
.matches = {
|
||||
DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
|
||||
--
|
||||
1.9.0
|
||||
1.9.3
|
||||
|
@ -1,11 +1,8 @@
|
||||
Bugzilla: 1093171
|
||||
Upstream-status: Queued for 3.16
|
||||
|
||||
From 7ac976d0109433d1ad0812f4f6889a904d9a0c40 Mon Sep 17 00:00:00 2001
|
||||
From 5189e67f2e7236c8c808837e342e4f19b3389735 Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Mon, 2 Jun 2014 17:41:10 +0200
|
||||
Subject: [PATCH 13/14] acpi-video: Add use native backlight quirk for the
|
||||
ThinkPad W530
|
||||
Subject: [PATCH] acpi-video: Add use native backlight quirk for the ThinkPad
|
||||
W530
|
||||
|
||||
Like all of the other *30 ThinkPad models, the W530 has a broken acpi-video
|
||||
backlight control. Note in order for this to actually fix things on the
|
||||
@ -15,6 +12,9 @@ is also needed.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1093171
|
||||
|
||||
Bugzilla: 1093171
|
||||
Upstream-status: Queued for 3.16
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
@ -22,10 +22,10 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
|
||||
index ab7cd65ce21e..dcb0ef4c22f6 100644
|
||||
index bef6c393e8a0..eb82264d9ef9 100644
|
||||
--- a/drivers/acpi/video.c
|
||||
+++ b/drivers/acpi/video.c
|
||||
@@ -468,6 +468,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
@@ -463,6 +463,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
},
|
||||
{
|
||||
.callback = video_set_use_native_backlight,
|
||||
@ -41,5 +41,5 @@ index ab7cd65ce21e..dcb0ef4c22f6 100644
|
||||
.matches = {
|
||||
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
|
||||
--
|
||||
1.9.0
|
||||
1.9.3
|
||||
|
||||
|
@ -1,16 +1,16 @@
|
||||
Bugzilla: 1025690
|
||||
Upstream-status: Waiting for feedback from reporter
|
||||
|
||||
From dfe2c6722a6f6cb45f6b336b094b26a77acd8393 Mon Sep 17 00:00:00 2001
|
||||
From 44227606cebb34bf7429aab843181ea2992efc20 Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Mon, 2 Jun 2014 17:41:11 +0200
|
||||
Subject: [PATCH 14/14] acpi-video: Add use_native_backlight quirk for HP
|
||||
ProBook 4540s
|
||||
Subject: [PATCH] acpi-video: Add use_native_backlight quirk for HP ProBook
|
||||
4540s
|
||||
|
||||
As reported here:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1025690
|
||||
This is yet another model which needs this quirk.
|
||||
|
||||
Bugzilla: 1025690
|
||||
Upstream-status: Waiting for feedback from reporter
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
@ -18,10 +18,10 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
|
||||
index dcb0ef4c22f6..3db16753f88a 100644
|
||||
index eb82264d9ef9..34da76ffc59a 100644
|
||||
--- a/drivers/acpi/video.c
|
||||
+++ b/drivers/acpi/video.c
|
||||
@@ -548,6 +548,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
@@ -687,6 +687,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
|
||||
},
|
||||
{
|
||||
.callback = video_set_use_native_backlight,
|
||||
@ -37,5 +37,5 @@ index dcb0ef4c22f6..3db16753f88a 100644
|
||||
.matches = {
|
||||
DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
|
||||
--
|
||||
1.9.0
|
||||
1.9.3
|
||||
|
||||
|
460
arm-beagle.patch
@ -1,460 +0,0 @@
|
||||
Bugzilla: 1012025
|
||||
Upstream-status: In beagle github repository https://github.com/beagleboard/kernel
|
||||
|
||||
From b5a2528c89fc8049b2a6a750634c14983e33d00f Mon Sep 17 00:00:00 2001
|
||||
From: Robert Nelson <robertcnelson@gmail.com>
|
||||
Date: Fri, 27 Dec 2013 13:05:09 -0600
|
||||
Subject: [PATCH] arm: dts: am335x-boneblack: lcdc add panel-info
|
||||
|
||||
Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
||||
---
|
||||
arch/arm/boot/dts/am335x-boneblack.dts | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts
|
||||
index 6b71ad9..09ffbd8 100644
|
||||
--- a/arch/arm/boot/dts/am335x-boneblack.dts
|
||||
+++ b/arch/arm/boot/dts/am335x-boneblack.dts
|
||||
@@ -74,5 +74,18 @@
|
||||
pinctrl-0 = <&nxp_hdmi_bonelt_pins>;
|
||||
pinctrl-1 = <&nxp_hdmi_bonelt_off_pins>;
|
||||
status = "okay";
|
||||
+
|
||||
+ panel-info {
|
||||
+ bpp = <16>;
|
||||
+ ac-bias = <255>;
|
||||
+ ac-bias-intrpt = <0>;
|
||||
+ dma-burst-sz = <16>;
|
||||
+ fdd = <16>;
|
||||
+ sync-edge = <1>;
|
||||
+ sync-ctrl = <1>;
|
||||
+ raster-order = <0>;
|
||||
+ fifo-th = <0>;
|
||||
+ invert-pxl-clk;
|
||||
+ };
|
||||
};
|
||||
};
|
||||
--
|
||||
1.8.5.1
|
||||
|
||||
From 1da083a002581520dd358b8b8e097078000d12b9 Mon Sep 17 00:00:00 2001
|
||||
From: Robert Nelson <robertcnelson@gmail.com>
|
||||
Date: Fri, 27 Dec 2013 13:14:19 -0600
|
||||
Subject: [PATCH 2/2] arm: dts: am335x-boneblack: add cpu0 opp points
|
||||
|
||||
Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
||||
---
|
||||
arch/arm/boot/dts/am335x-boneblack.dts | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts
|
||||
index 09ffbd8..f213ccd 100644
|
||||
--- a/arch/arm/boot/dts/am335x-boneblack.dts
|
||||
+++ b/arch/arm/boot/dts/am335x-boneblack.dts
|
||||
@@ -67,6 +67,24 @@
|
||||
};
|
||||
|
||||
/ {
|
||||
+ cpus {
|
||||
+ cpu@0 {
|
||||
+ cpu0-supply = <&dcdc2_reg>;
|
||||
+ /*
|
||||
+ * To consider voltage drop between PMIC and SoC,
|
||||
+ * tolerance value is reduced to 2% from 4% and
|
||||
+ * voltage value is increased as a precaution.
|
||||
+ */
|
||||
+ operating-points = <
|
||||
+ /* kHz uV */
|
||||
+ 1000000 1325000
|
||||
+ 800000 1300000
|
||||
+ 600000 1112000
|
||||
+ 300000 969000
|
||||
+ >;
|
||||
+ };
|
||||
+ };
|
||||
+
|
||||
hdmi {
|
||||
compatible = "ti,tilcdc,slave";
|
||||
i2c = <&i2c0>;
|
||||
--
|
||||
1.8.5.1
|
||||
|
||||
From 8551d8aa7d3e002da2097e7e902fb96fceb8694e Mon Sep 17 00:00:00 2001
|
||||
From: Robert Nelson <robertcnelson@gmail.com>
|
||||
Date: Tue, 31 Dec 2013 11:17:45 -0600
|
||||
Subject: [PATCH 3/3] arm: dts: am335x-bone-common: enable and use i2c2
|
||||
|
||||
Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
||||
---
|
||||
arch/arm/boot/dts/am335x-bone-common.dtsi | 39 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 39 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
index e3f27ec..54366b6 100644
|
||||
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
@@ -84,6 +84,13 @@
|
||||
>;
|
||||
};
|
||||
|
||||
+ i2c2_pins: pinmux_i2c2_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x178 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) uart1_ctsn.i2c2_sda */
|
||||
+ 0x17c 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) uart1_rtsn.i2c2_scl */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
uart0_pins: pinmux_uart0_pins {
|
||||
pinctrl-single,pins = <
|
||||
0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */
|
||||
@@ -220,6 +227,38 @@
|
||||
reg = <0x24>;
|
||||
};
|
||||
|
||||
+ baseboard_eeprom: baseboard_eeprom@50 {
|
||||
+ compatible = "at,24c256";
|
||||
+ reg = <0x50>;
|
||||
+ };
|
||||
+};
|
||||
+
|
||||
+&i2c2 {
|
||||
+ status = "okay";
|
||||
+ pinctrl-names = "default";
|
||||
+ pinctrl-0 = <&i2c2_pins>;
|
||||
+
|
||||
+ clock-frequency = <100000>;
|
||||
+
|
||||
+ cape_eeprom0: cape_eeprom0@54 {
|
||||
+ compatible = "at,24c256";
|
||||
+ reg = <0x54>;
|
||||
+ };
|
||||
+
|
||||
+ cape_eeprom1: cape_eeprom1@55 {
|
||||
+ compatible = "at,24c256";
|
||||
+ reg = <0x55>;
|
||||
+ };
|
||||
+
|
||||
+ cape_eeprom2: cape_eeprom2@56 {
|
||||
+ compatible = "at,24c256";
|
||||
+ reg = <0x56>;
|
||||
+ };
|
||||
+
|
||||
+ cape_eeprom3: cape_eeprom3@57 {
|
||||
+ compatible = "at,24c256";
|
||||
+ reg = <0x57>;
|
||||
+ };
|
||||
};
|
||||
|
||||
/include/ "tps65217.dtsi"
|
||||
--
|
||||
1.8.5.2
|
||||
|
||||
From a3099dc53a47d1694a5b575580ec3406dc429bf8 Mon Sep 17 00:00:00 2001
|
||||
From: Robert Nelson <robertcnelson@gmail.com>
|
||||
Date: Tue, 31 Dec 2013 14:18:00 -0600
|
||||
Subject: [PATCH 4/4] arm: dts: am335x-bone-common: setup default pinmux
|
||||
http://elinux.org/Basic_Proto_Cape
|
||||
|
||||
Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
||||
---
|
||||
arch/arm/boot/dts/am335x-bone-common.dtsi | 130 ++++++++++++++++++++++++++++++
|
||||
1 file changed, 130 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
index e4571af..f85cabc 100644
|
||||
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
@@ -98,6 +98,13 @@
|
||||
>;
|
||||
};
|
||||
|
||||
+ uart1_pins: pinmux_uart1_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x180 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart1_rxd.uart1_rxd */
|
||||
+ 0x184 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart1_txd.uart1_txd */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
clkout2_pin: pinmux_clkout2_pin {
|
||||
pinctrl-single,pins = <
|
||||
0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */
|
||||
@@ -178,6 +185,33 @@
|
||||
0x1c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad7.mmc1_dat7 */
|
||||
>;
|
||||
};
|
||||
+
|
||||
+ spi0_pins: pinmux_spi0_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x150 (PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_sclk.spi0_sclk */
|
||||
+ 0x154 (PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_d0.spi0_d0 */
|
||||
+ 0x158 (PIN_OUTPUT_PULLUP | MUX_MODE0) /* spi0_d1.spi0_d1 */
|
||||
+ 0x15c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* spi0_cs0.spi0_cs0 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
+ ehrpwm1_pin_p9_14: pinmux_ehrpwm1_pin_p9_14 {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x048 0x6 /* P9_14 (ZCZ ball U14) | MODE 6 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
+ ehrpwm1_pin_p9_16: pinmux_ehrpwm1_pin_p9_16 {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x04c 0x6 /* P9_16 (ZCZ ball T14) | MODE 6 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
+ ecap0_pin_p9_42: pinmux_ecap0_pin_p9_42 {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x164 0x0 /* P9_42 (ZCZ ball C18) | MODE 0 */
|
||||
+ >;
|
||||
+ };
|
||||
};
|
||||
|
||||
&uart0 {
|
||||
@@ -187,6 +221,13 @@
|
||||
status = "okay";
|
||||
};
|
||||
|
||||
+&uart1 {
|
||||
+ pinctrl-names = "default";
|
||||
+ pinctrl-0 = <&uart1_pins>;
|
||||
+
|
||||
+ status = "okay";
|
||||
+};
|
||||
+
|
||||
&usb {
|
||||
status = "okay";
|
||||
|
||||
@@ -261,6 +302,56 @@
|
||||
};
|
||||
};
|
||||
|
||||
+&epwmss0 {
|
||||
+ pinctrl-names = "default";
|
||||
+ pinctrl-0 = <&ecap0_pin_p9_42>;
|
||||
+ status = "okay";
|
||||
+
|
||||
+ ecap@48300100 {
|
||||
+ status = "okay";
|
||||
+ };
|
||||
+};
|
||||
+
|
||||
+&epwmss1 {
|
||||
+ pinctrl-names = "default";
|
||||
+ pinctrl-0 = <
|
||||
+ &ehrpwm1_pin_p9_14
|
||||
+ &ehrpwm1_pin_p9_16
|
||||
+ >;
|
||||
+
|
||||
+ status = "okay";
|
||||
+
|
||||
+ ehrpwm@48302200 {
|
||||
+ status = "okay";
|
||||
+ };
|
||||
+};
|
||||
+
|
||||
+&spi0 {
|
||||
+ pinctrl-names = "default";
|
||||
+ pinctrl-0 = <&spi0_pins>;
|
||||
+ status = "okay";
|
||||
+
|
||||
+ spidev0: spi@0 {
|
||||
+ compatible = "spidev";
|
||||
+ reg = <0>;
|
||||
+ spi-max-frequency = <16000000>;
|
||||
+ spi-cpha;
|
||||
+ };
|
||||
+
|
||||
+ spidev1: spi@1 {
|
||||
+ compatible = "spidev";
|
||||
+ reg = <1>;
|
||||
+ spi-max-frequency = <16000000>;
|
||||
+ };
|
||||
+};
|
||||
+
|
||||
+&tscadc {
|
||||
+ status = "okay";
|
||||
+ adc {
|
||||
+ ti,adc-channels = <4 5 6>;
|
||||
+ };
|
||||
+};
|
||||
+
|
||||
/include/ "tps65217.dtsi"
|
||||
|
||||
&tps {
|
||||
@@ -336,3 +427,42 @@
|
||||
cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>;
|
||||
cd-inverted;
|
||||
};
|
||||
+
|
||||
+/ {
|
||||
+ ocp {
|
||||
+ //FIXME: these pwm's still need work, this guild isn't working..
|
||||
+ //http://elinux.org/EBC_Exercise_13_Pulse_Width_Modulation
|
||||
+ pwm_test_P9_14@0 {
|
||||
+ compatible = "pwm_test";
|
||||
+ pwms = <&ehrpwm1 0 500000 1>;
|
||||
+ pwm-names = "PWM_P9_14";
|
||||
+ pinctrl-names = "default";
|
||||
+ pinctrl-0 = <&ehrpwm1_pin_p9_14>;
|
||||
+ enabled = <1>;
|
||||
+ duty = <0>;
|
||||
+ status = "okay";
|
||||
+ };
|
||||
+
|
||||
+ pwm_test_P9_16@0 {
|
||||
+ compatible = "pwm_test";
|
||||
+ pwms = <&ehrpwm1 0 500000 1>;
|
||||
+ pwm-names = "PWM_P9_16";
|
||||
+ pinctrl-names = "default";
|
||||
+ pinctrl-0 = <&ehrpwm1_pin_p9_16>;
|
||||
+ enabled = <1>;
|
||||
+ duty = <0>;
|
||||
+ status = "okay";
|
||||
+ };
|
||||
+
|
||||
+ pwm_test_P9_42 {
|
||||
+ compatible = "pwm_test";
|
||||
+ pwms = <&ecap0 0 500000 1>;
|
||||
+ pwm-names = "PWM_P9_42";
|
||||
+ pinctrl-names = "default";
|
||||
+ pinctrl-0 = <&ecap0_pin_p9_42>;
|
||||
+ enabled = <1>;
|
||||
+ duty = <0>;
|
||||
+ status = "okay";
|
||||
+ };
|
||||
+ };
|
||||
+};
|
||||
--
|
||||
1.8.5.2
|
||||
|
||||
From b6e2c817edfc6d73874cf833daffe1be6c7ed8bb Mon Sep 17 00:00:00 2001
|
||||
From: Robert Nelson <robertcnelson@gmail.com>
|
||||
Date: Thu, 13 Mar 2014 14:18:52 -0500
|
||||
Subject: [PATCH] arm: dts: am335x-bone-common: add
|
||||
uart2_pins/uart4_pins/uart5_pins
|
||||
|
||||
Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
||||
---
|
||||
arch/arm/boot/dts/am335x-bone-common.dtsi | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
index f85cabc..5270d18 100644
|
||||
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
@@ -105,6 +105,27 @@
|
||||
>;
|
||||
};
|
||||
|
||||
+ uart2_pins: pinmux_uart2_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x150 0x21 /* spi0_sclk.uart2_rxd | MODE1 */
|
||||
+ 0x154 0x01 /* spi0_d0.uart2_txd | MODE1 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
+ uart4_pins: pinmux_uart4_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x070 0x26 /* gpmc_wait0.uart4_rxd | MODE6 */
|
||||
+ 0x074 0x06 /* gpmc_wpn.uart4_txd | MODE6 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
+ uart5_pins: pinmux_uart5_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x0C4 0x24 /* lcd_data9.uart5_rxd | MODE4 */
|
||||
+ 0x0C0 0x04 /* lcd_data8.uart5_txd | MODE4 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
clkout2_pin: pinmux_clkout2_pin {
|
||||
pinctrl-single,pins = <
|
||||
0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */
|
||||
--
|
||||
1.9.0
|
||||
|
||||
From 72567452d5d6007010597158f6afd00e2bf07579 Mon Sep 17 00:00:00 2001
|
||||
From: Pantelis Antoniou <panto@antoniou-consulting.com>
|
||||
Date: Sat, 15 Sep 2012 12:00:41 +0300
|
||||
Subject: [PATCH] pinctrl: pinctrl-single must be initialized early.
|
||||
|
||||
When using pinctrl-single to handle i2c initialization, it has
|
||||
to be done early. Whether this is the best way to do so, is an
|
||||
exercise left to the reader.
|
||||
---
|
||||
drivers/pinctrl/pinctrl-single.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
|
||||
index 829b98c..5107dcf 100644
|
||||
--- a/drivers/pinctrl/pinctrl-single.c
|
||||
+++ b/drivers/pinctrl/pinctrl-single.c
|
||||
@@ -2039,7 +2039,17 @@ static struct platform_driver pcs_driver = {
|
||||
#endif
|
||||
};
|
||||
|
||||
-module_platform_driver(pcs_driver);
|
||||
+static int __init pcs_init(void)
|
||||
+{
|
||||
+ return platform_driver_register(&pcs_driver);
|
||||
+}
|
||||
+postcore_initcall(pcs_init);
|
||||
+
|
||||
+static void __exit pcs_exit(void)
|
||||
+{
|
||||
+ platform_driver_unregister(&pcs_driver);
|
||||
+}
|
||||
+module_exit(pcs_exit);
|
||||
|
||||
MODULE_AUTHOR("Tony Lindgren <tony@atomide.com>");
|
||||
MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver");
|
||||
--
|
||||
1.8.5.2
|
||||
|
||||
From b6e2c817edfc6d73874cf833daffe1be6c7ed8bb Mon Sep 17 00:00:00 2001
|
||||
From: Robert Nelson <robertcnelson@gmail.com>
|
||||
Date: Thu, 13 Mar 2014 14:18:52 -0500
|
||||
Subject: [PATCH] arm: dts: am335x-bone-common: add
|
||||
uart2_pins/uart4_pins/uart5_pins
|
||||
|
||||
Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
||||
---
|
||||
arch/arm/boot/dts/am335x-bone-common.dtsi | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
index f85cabc..5270d18 100644
|
||||
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
@@ -105,6 +105,27 @@
|
||||
>;
|
||||
};
|
||||
|
||||
+ uart2_pins: pinmux_uart2_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x150 0x21 /* spi0_sclk.uart2_rxd | MODE1 */
|
||||
+ 0x154 0x01 /* spi0_d0.uart2_txd | MODE1 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
+ uart4_pins: pinmux_uart4_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x070 0x26 /* gpmc_wait0.uart4_rxd | MODE6 */
|
||||
+ 0x074 0x06 /* gpmc_wpn.uart4_txd | MODE6 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
+ uart5_pins: pinmux_uart5_pins {
|
||||
+ pinctrl-single,pins = <
|
||||
+ 0x0C4 0x24 /* lcd_data9.uart5_rxd | MODE4 */
|
||||
+ 0x0C0 0x04 /* lcd_data8.uart5_txd | MODE4 */
|
||||
+ >;
|
||||
+ };
|
||||
+
|
||||
clkout2_pin: pinmux_clkout2_pin {
|
||||
pinctrl-single,pins = <
|
||||
0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */
|
||||
--
|
||||
1.9.0
|
46
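--- /dev/null
+++ b/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
@@ -0,0 +1,46 @@
+From e2106f3eff00baedfe05e5e334731bd80465292e Mon Sep 17 00:00:00 2001
+From: Robert Nelson <robertcnelson@gmail.com>
+Date: Thu, 13 Mar 2014 14:18:52 -0500
+Subject: [PATCH] arm: dts: am335x-bone-common: add
+uart2_pins/uart4_pins/uart5_pins
+
+Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
+---
+arch/arm/boot/dts/am335x-bone-common.dtsi | 21 +++++++++++++++++++++
+1 file changed, 21 insertions(+)
+
+diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
+index db4518ef755d..c983caab7d9b 100644
+--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
+@@ -126,6 +126,27 @@
+>;
+};
+
++ uart2_pins: pinmux_uart2_pins {
++ pinctrl-single,pins = <
++ 0x150 0x21 /* spi0_sclk.uart2_rxd | MODE1 */
++ 0x154 0x01 /* spi0_d0.uart2_txd | MODE1 */
++ >;
++ };
++
++ uart4_pins: pinmux_uart4_pins {
++ pinctrl-single,pins = <
++ 0x070 0x26 /* gpmc_wait0.uart4_rxd | MODE6 */
++ 0x074 0x06 /* gpmc_wpn.uart4_txd | MODE6 */
++ >;
++ };
++
++ uart5_pins: pinmux_uart5_pins {
++ pinctrl-single,pins = <
++ 0x0C4 0x24 /* lcd_data9.uart5_rxd | MODE4 */
++ 0x0C0 0x04 /* lcd_data8.uart5_txd | MODE4 */
++ >;
++ };
++
+clkout2_pin: pinmux_clkout2_pin {
+pinctrl-single,pins = <
+0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */
+--
+1.9.3
+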
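Review bot: The new uart2_pins group claims pad offsets 0x150 and 0x154, which the sibling setup-default-pinmux patch already assigns to spi0_pins, and nothing in this hunk references &uart2_pins, so the group is inert until an overlay selects it and should then be refused by the pinctrl core if &spi0 is still enabled on the same pads. The three groups are written as raw mux words while the neighbouring groups use the am33xx macros; by the decoding the i2c2 patch spells out in its own comment, `0x150 (PIN_INPUT_PULLDOWN | MUX_MODE1) /* spi0_sclk.uart2_rxd */` is the same value and makes direction and pull visible. A comment on the uart2 group, e.g. `/* shares pads with spi0_pins: enable uart2 or spi0, not both */`, would spare the next reader the cross-check.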
70
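--- /dev/null
+++ b/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch
@@ -0,0 +1,70 @@
+From 8f78a0f9c488620f58532e69c8b632b75ee11907 Mon Sep 17 00:00:00 2001
+From: Robert Nelson <robertcnelson@gmail.com>
+Date: Tue, 31 Dec 2013 11:17:45 -0600
+Subject: [PATCH] arm: dts: am335x-bone-common: enable and use i2c2
+
+Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
+---
+arch/arm/boot/dts/am335x-bone-common.dtsi | 39 +++++++++++++++++++++++++++++++
+1 file changed, 39 insertions(+)
+
+diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
+index bde1777b62be..c7357bcc7d5c 100644
+--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
+@@ -84,6 +84,13 @@
+>;
+};
+
++ i2c2_pins: pinmux_i2c2_pins {
++ pinctrl-single,pins = <
++ 0x178 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) uart1_ctsn.i2c2_sda */
++ 0x17c 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) uart1_rtsn.i2c2_scl */
++ >;
++ };
++
+uart0_pins: pinmux_uart0_pins {
+pinctrl-single,pins = <
+0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */
+@@ -220,6 +227,38 @@
+reg = <0x24>;
+};
+
++ baseboard_eeprom: baseboard_eeprom@50 {
++ compatible = "at,24c256";
++ reg = <0x50>;
++ };
++};
++
++&i2c2 {
++ status = "okay";
++ pinctrl-names = "default";
++ pinctrl-0 = <&i2c2_pins>;
++
++ clock-frequency = <100000>;
++
++ cape_eeprom0: cape_eeprom0@54 {
++ compatible = "at,24c256";
++ reg = <0x54>;
++ };
++
++ cape_eeprom1: cape_eeprom1@55 {
++ compatible = "at,24c256";
++ reg = <0x55>;
++ };
++
++ cape_eeprom2: cape_eeprom2@56 {
++ compatible = "at,24c256";
++ reg = <0x56>;
++ };
++
++ cape_eeprom3: cape_eeprom3@57 {
++ compatible = "at,24c256";
++ reg = <0x57>;
++ };
+};
+
+/include/ "tps65217.dtsi"
+--
+1.9.3
+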
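Review bot: All five EEPROM nodes in the second hunk use `compatible = "at,24c256"`, and "at" is not a documented vendor prefix; the I2C core matches on the part after the comma, so the at24 driver binds in practice, but binding checks and anyone grepping for the Atmel prefix will miss these nodes, so `compatible = "atmel,24c256";` is the form to use. In the first hunk the i2c2_pins comment spells out the macro expansion but the value is still stored as a raw `0x73`; writing `0x178 (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) /* uart1_ctsn.i2c2_sda */` the way uart0_pins does keeps the value and its explanation from drifting apart. The cape_eeprom nodes at 0x54-0x57 presumably hold identification data read from whatever board is plugged in, so a short comment noting that their contents are untrusted input would help whoever wires up the consumer later.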
180
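--- /dev/null
+++ b/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch
@@ -0,0 +1,180 @@
+From 4546ddeebfc63fcb8ea157d6d730be0e4f122344 Mon Sep 17 00:00:00 2001
+From: Robert Nelson <robertcnelson@gmail.com>
+Date: Tue, 31 Dec 2013 14:18:00 -0600
+Subject: [PATCH] arm: dts: am335x-bone-common: setup default pinmux
+http://elinux.org/Basic_Proto_Cape
+
+Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
+---
+arch/arm/boot/dts/am335x-bone-common.dtsi | 130 ++++++++++++++++++++++++++++++
+1 file changed, 130 insertions(+)
+
+diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
+index c7357bcc7d5c..86cdb52dbf8a 100644
+--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
+@@ -98,6 +98,13 @@
+>;
+};
+
++ uart1_pins: pinmux_uart1_pins {
++ pinctrl-single,pins = <
++ 0x180 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart1_rxd.uart1_rxd */
++ 0x184 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart1_txd.uart1_txd */
++ >;
++ };
++
+clkout2_pin: pinmux_clkout2_pin {
+pinctrl-single,pins = <
+0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */
+@@ -178,6 +185,33 @@
+0x1c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad7.mmc1_dat7 */
+>;
+};
++
++ spi0_pins: pinmux_spi0_pins {
++ pinctrl-single,pins = <
++ 0x150 (PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_sclk.spi0_sclk */
++ 0x154 (PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_d0.spi0_d0 */
++ 0x158 (PIN_OUTPUT_PULLUP | MUX_MODE0) /* spi0_d1.spi0_d1 */
++ 0x15c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* spi0_cs0.spi0_cs0 */
++ >;
++ };
++
++ ehrpwm1_pin_p9_14: pinmux_ehrpwm1_pin_p9_14 {
++ pinctrl-single,pins = <
++ 0x048 0x6 /* P9_14 (ZCZ ball U14) | MODE 6 */
++ >;
++ };
++
++ ehrpwm1_pin_p9_16: pinmux_ehrpwm1_pin_p9_16 {
++ pinctrl-single,pins = <
++ 0x04c 0x6 /* P9_16 (ZCZ ball T14) | MODE 6 */
++ >;
++ };
++
++ ecap0_pin_p9_42: pinmux_ecap0_pin_p9_42 {
++ pinctrl-single,pins = <
++ 0x164 0x0 /* P9_42 (ZCZ ball C18) | MODE 0 */
++ >;
++ };
+};
+
+&uart0 {
+@@ -187,6 +221,13 @@
+status = "okay";
+};
+
++&uart1 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&uart1_pins>;
++
++ status = "okay";
++};
++
+&usb {
+status = "okay";
+};
+@@ -261,6 +302,56 @@
+};
+};
+
++&epwmss0 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&ecap0_pin_p9_42>;
++ status = "okay";
++
++ ecap@48300100 {
++ status = "okay";
++ };
++};
++
++&epwmss1 {
++ pinctrl-names = "default";
++ pinctrl-0 = <
++ &ehrpwm1_pin_p9_14
++ &ehrpwm1_pin_p9_16
++ >;
++
++ status = "okay";
++
++ ehrpwm@48302200 {
++ status = "okay";
++ };
++};
++
++&spi0 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&spi0_pins>;
++ status = "okay";
++
++ spidev0: spi@0 {
++ compatible = "spidev";
++ reg = <0>;
++ spi-max-frequency = <16000000>;
++ spi-cpha;
++ };
++
++ spidev1: spi@1 {
++ compatible = "spidev";
++ reg = <1>;
++ spi-max-frequency = <16000000>;
++ };
++};
++
++&tscadc {
++ status = "okay";
++ adc {
++ ti,adc-channels = <4 5 6>;
++ };
++};
++
+/include/ "tps65217.dtsi"
+
+&tps {
+@@ -337,3 +428,42 @@
+cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>;
+cd-inverted;
+};
++
++/ {
++ ocp {
++ //FIXME: these pwm's still need work, this guild isn't working..
++ //http://elinux.org/EBC_Exercise_13_Pulse_Width_Modulation
++ pwm_test_P9_14@0 {
++ compatible = "pwm_test";
++ pwms = <&ehrpwm1 0 500000 1>;
++ pwm-names = "PWM_P9_14";
++ pinctrl-names = "default";
++ pinctrl-0 = <&ehrpwm1_pin_p9_14>;
++ enabled = <1>;
++ duty = <0>;
++ status = "okay";
++ };
++
++ pwm_test_P9_16@0 {
++ compatible = "pwm_test";
++ pwms = <&ehrpwm1 0 500000 1>;
++ pwm-names = "PWM_P9_16";
++ pinctrl-names = "default";
++ pinctrl-0 = <&ehrpwm1_pin_p9_16>;
++ enabled = <1>;
++ duty = <0>;
++ status = "okay";
++ };
++
++ pwm_test_P9_42 {
++ compatible = "pwm_test";
++ pwms = <&ecap0 0 500000 1>;
++ pwm-names = "PWM_P9_42";
++ pinctrl-names = "default";
++ pinctrl-0 = <&ecap0_pin_p9_42>;
++ enabled = <1>;
++ duty = <0>;
++ status = "okay";
++ };
++ };
++};
+--
+1.9.3
+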
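Review bot: The three pwm_test nodes in the last hunk are added with `status = "okay"` directly under a comment saying they still need work and are not working, so a driver will presumably try to probe known-broken nodes on every boot; `status = "disabled";` until the FIXME is resolved is the safer default, and the comment typo "guild" should be "guide". `pwm_test_P9_14@0` and `pwm_test_P9_16@0` carry a unit address with no `reg` property, which newer dtc versions warn about; dropping the `@0`, as the P9_42 node already does, avoids it. The spidev0/spidev1 nodes in the previous hunk hand the raw SPI bus to whoever can open the resulting /dev/spidevN.* nodes, so access is gated only by device-node permissions, which is worth a one-line comment on the &spi0 node such as `/* spidev exposes the bus to userspace; restrict /dev/spidev* permissions */`.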
42
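--- /dev/null
+++ b/arm-dts-am335x-boneblack-add-cpu0-opp-points.patch
@@ -0,0 +1,42 @@
+From ff97bcb64690196202be14fcb99c428075e6d373 Mon Sep 17 00:00:00 2001
+From: Robert Nelson <robertcnelson@gmail.com>
+Date: Fri, 27 Dec 2013 13:14:19 -0600
+Subject: [PATCH] arm: dts: am335x-boneblack: add cpu0 opp points
+
+Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
+---
+arch/arm/boot/dts/am335x-boneblack.dts | 18 ++++++++++++++++++
+1 file changed, 18 insertions(+)
+
+diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts
+index bf5349165542..acfff3befff5 100644
+--- a/arch/arm/boot/dts/am335x-boneblack.dts
++++ b/arch/arm/boot/dts/am335x-boneblack.dts
+@@ -66,6 +66,24 @@
+};
+
+/ {
++ cpus {
++ cpu@0 {
++ cpu0-supply = <&dcdc2_reg>;
++ /*
++ * To consider voltage drop between PMIC and SoC,
++ * tolerance value is reduced to 2% from 4% and
++ * voltage value is increased as a precaution.
++ */
++ operating-points = <
++ /* kHz uV */
++ 1000000 1325000
++ 800000 1300000
++ 600000 1112000
++ 300000 969000
++ >;
++ };
++ };
++
+hdmi {
+compatible = "ti,tilcdc,slave";
+i2c = <&i2c0>;
+--
+1.9.3
+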
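Review bot: The comment in the cpu@0 node says the tolerance was reduced to 2% from 4%, but no tolerance property appears in this hunk, so the comment describes a change that is not here; if `voltage-tolerance` is inherited from the included am33xx.dtsi, say so in the comment, otherwise add `voltage-tolerance = <2>;` beside `cpu0-supply` so the node matches its own description. The table also hard-codes a 1 GHz point at 1.325 V, which presumably is only valid for the 1 GHz speed-grade part; that is fine in am335x-boneblack.dts but would be wrong if this block were ever lifted into the shared bone-common include. A one-line comment such as `/* BeagleBone Black only: assumes a 1 GHz-rated AM335x */` above `operating-points` records that constraint.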
39
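--- /dev/null
+++ b/arm-dts-am335x-boneblack-lcdc-add-panel-info.patch
@@ -0,0 +1,39 @@
+From 686c0fbe0b0758420728e99fbbc9898856c61a65 Mon Sep 17 00:00:00 2001
+From: Robert Nelson <robertcnelson@gmail.com>
+Date: Fri, 27 Dec 2013 13:05:09 -0600
+Subject: [PATCH] arm: dts: am335x-boneblack: lcdc add panel-info
+
+Bugzilla: 1012025
+Upstream-status: In beagle github repository https://github.com/beagleboard/kernel
+
+Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
+---
+arch/arm/boot/dts/am335x-boneblack.dts | 13 +++++++++++++
+1 file changed, 13 insertions(+)
+
+diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts
+index 305975d3f531..bf5349165542 100644
+--- a/arch/arm/boot/dts/am335x-boneblack.dts
++++ b/arch/arm/boot/dts/am335x-boneblack.dts
+@@ -73,5 +73,18 @@
+pinctrl-0 = <&nxp_hdmi_bonelt_pins>;
+pinctrl-1 = <&nxp_hdmi_bonelt_off_pins>;
+status = "okay";
++
++ panel-info {
++ bpp = <16>;
++ ac-bias = <255>;
++ ac-bias-intrpt = <0>;
++ dma-burst-sz = <16>;
++ fdd = <16>;
++ sync-edge = <1>;
++ sync-ctrl = <1>;
++ raster-order = <0>;
++ fifo-th = <0>;
++ invert-pxl-clk;
++ };
+};
+};
+--
+1.9.3
+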
@ -1,5 +1,14 @@
|
||||
From 4c556949693ab7de84984559735bdd1b33cb77b5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Robinson <pbrobinson@gmail.com>
|
||||
Date: Fri, 11 Jul 2014 00:10:56 +0100
|
||||
Subject: [PATCH] arm: i.MX6 Utilite device dtb
|
||||
|
||||
---
|
||||
arch/arm/boot/dts/imx6q-cm-fx6.dts | 38 ++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 38 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/imx6q-cm-fx6.dts b/arch/arm/boot/dts/imx6q-cm-fx6.dts
|
||||
index 99b46f8..8b6ddd1 100644
|
||||
index 99b46f8030ad..8b6ddd16dcc5 100644
|
||||
--- a/arch/arm/boot/dts/imx6q-cm-fx6.dts
|
||||
+++ b/arch/arm/boot/dts/imx6q-cm-fx6.dts
|
||||
@@ -97,11 +97,49 @@
|
||||
@ -52,3 +61,6 @@ index 99b46f8..8b6ddd1 100644
|
||||
+ pinctrl-0 = <&pinctrl_usdhc3>;
|
||||
+ status = "okay";
|
||||
+};
|
||||
--
|
||||
1.9.3
|
||||
|
@ -1,16 +0,0 @@
|
||||
--- linux-3.3.4-3.fc17.x86_64_orig/drivers/usb/core/hub.c 2012-05-02 20:08:18.421685932 -0400
|
||||
+++ linux-3.3.4-3.fc17.x86_64/drivers/usb/core/hub.c 2012-05-02 20:30:36.565865425 -0400
|
||||
@@ -3484,6 +3484,13 @@ static void hub_events(void)
|
||||
(u16) hub->change_bits[0],
|
||||
(u16) hub->event_bits[0]);
|
||||
|
||||
+ /* Don't disconnect USB-SATA on TrimSlice */
|
||||
+ if (strcmp(dev_name(hdev->bus->controller), "tegra-ehci.0") == 0) {
|
||||
+ if ((hdev->state == 7) && (hub->change_bits[0] == 0) &&
|
||||
+ (hub->event_bits[0] == 0x2))
|
||||
+ hub->event_bits[0] = 0;
|
||||
+ }
|
||||
+
|
||||
/* Lock the device, then check to see if we were
|
||||
* disconnected while waiting for the lock to succeed. */
|
||||
usb_lock_device(hdev);
|
54
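--- /dev/null
+++ b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
@@ -0,0 +1,54 @@
+From ed8fc77bea869c0277b035b2b79470ba350c31e0 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Mar 2012 08:46:50 -0500
+Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is
+restricted
+
+We have no way of validating what all of the Asus WMI methods do on a
+given machine, and there's a risk that some will allow hardware state to
+be manipulated in such a way that arbitrary code can be executed in the
+kernel, circumventing module loading restrictions. Prevent that if any of
+these features are enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+drivers/platform/x86/asus-wmi.c | 9 +++++++++
+1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 21fc932da3a1..c6d42ad95c08 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -1590,6 +1590,9 @@ static int show_dsts(struct seq_file *m, void *data)
+int err;
+u32 retval = -1;
+
++ if (secure_modules())
++ return -EPERM;
++
+err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
+
+if (err < 0)
+@@ -1606,6 +1609,9 @@ static int show_devs(struct seq_file *m, void *data)
+int err;
+u32 retval = -1;
+
++ if (secure_modules())
++ return -EPERM;
++
+err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
+&retval);
+
+@@ -1630,6 +1636,9 @@ static int show_call(struct seq_file *m, void *data)
+union acpi_object *obj;
+acpi_status status;
+
++ if (secure_modules())
++ return -EPERM;
++
+status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
+1, asus->debug.method_id,
+&input, &output);
+--
+1.9.3
+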
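Review bot: The same three-line `secure_modules()` guard is pasted into show_dsts, show_devs and show_call, while the debugfs knobs that set `asus->debug.dev_id`, `ctrl_param` and `method_id` presumably stay writable, so any debugfs entry added to this driver later has to remember to repeat the check. Doing it once in the open routine behind these seq_file entries, or skipping registration of the debug directory when secure_modules() is already true at probe, covers every entry in one place; the per-function form is only needed if secure_modules() can become true after probe, which the commit message does not say. Returning -EPERM from a show callback also means open() succeeds and only the read fails, whereas a denial at open is the conventional spot and easier to audit. Since debugfs is normally reachable only by root, the guard is specifically about a root user invoking arbitrary WMI methods once module loading is locked down, which is worth stating above the first check, e.g. `/* WMI methods can alter hardware state; refuse when module loading is restricted */`.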
@ -1,6 +1,17 @@
|
||||
From dfc1afd652976a77e8fcfb57866ad0f29b50d042 Mon Sep 17 00:00:00 2001
|
||||
From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org>
|
||||
Date: Wed, 6 Feb 2013 09:57:47 -0500
|
||||
Subject: [PATCH] ath9k: rx dma stop check
|
||||
|
||||
---
|
||||
drivers/net/wireless/ath/ath9k/mac.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/ath/ath9k/mac.c b/drivers/net/wireless/ath/ath9k/mac.c
|
||||
index 275205ab5f15..bb842623bdf6 100644
|
||||
--- a/drivers/net/wireless/ath/ath9k/mac.c
|
||||
+++ b/drivers/net/wireless/ath/ath9k/mac.c
|
||||
@@ -689,7 +689,7 @@ bool ath9k_hw_stopdmarecv(struct ath_hw
|
||||
@@ -700,7 +700,7 @@ bool ath9k_hw_stopdmarecv(struct ath_hw *ah, bool *reset)
|
||||
{
|
||||
#define AH_RX_STOP_DMA_TIMEOUT 10000 /* usec */
|
||||
struct ath_common *common = ath9k_hw_common(ah);
|
||||
@ -9,7 +20,7 @@
|
||||
int i;
|
||||
|
||||
/* Enable access to the DMA observation bus */
|
||||
@@ -719,6 +719,16 @@ bool ath9k_hw_stopdmarecv(struct ath_hw
|
||||
@@ -730,6 +730,16 @@ bool ath9k_hw_stopdmarecv(struct ath_hw *ah, bool *reset)
|
||||
}
|
||||
|
||||
if (i == 0) {
|
||||
@ -26,3 +37,6 @@
|
||||
ath_err(common,
|
||||
"DMA failed to stop in %d ms AR_CR=0x%08x AR_DIAG_SW=0x%08x DMADBG_7=0x%08x\n",
|
||||
AH_RX_STOP_DMA_TIMEOUT / 1000,
|
||||
--
|
||||
1.9.3
|
||||
|
@ -1,24 +1,23 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
|
||||
From 1786bc697d34af944e29437ce44337b0eb8b6799 Mon Sep 17 00:00:00 2001
|
||||
From: Kyle McMartin <kyle@dreadnought.bos.jkkm.org>
|
||||
From 35f42a829ac374b0085015e29e73b44d227a83b1 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Anderson <anderson@redhat.com>
|
||||
Date: Tue, 26 Nov 2013 12:42:46 -0500
|
||||
Subject: [PATCH] crash-driver
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
---
|
||||
arch/arm/include/asm/crash-driver.h | 6 ++
|
||||
arch/arm64/include/asm/crash-driver.h | 6 ++
|
||||
arch/ia64/include/asm/crash-driver.h | 90 +++++++++++++++++++++++++++
|
||||
arch/ia64/include/asm/crash-driver.h | 90 ++++++++++++++++++++++
|
||||
arch/ia64/kernel/ia64_ksyms.c | 3 +
|
||||
arch/powerpc/include/asm/crash-driver.h | 6 ++
|
||||
arch/s390/include/asm/crash-driver.h | 60 ++++++++++++++++++
|
||||
arch/s390/include/asm/crash-driver.h | 60 +++++++++++++++
|
||||
arch/s390/mm/maccess.c | 2 +
|
||||
arch/x86/include/asm/crash-driver.h | 6 ++
|
||||
drivers/char/Kconfig | 3 +
|
||||
drivers/char/Makefile | 2 +
|
||||
drivers/char/crash.c | 128 +++++++++++++++++++++++++++++++++++++++
|
||||
include/asm-generic/crash-driver.h | 72 ++++++++++++++++++++++
|
||||
drivers/char/crash.c | 128 ++++++++++++++++++++++++++++++++
|
||||
include/asm-generic/crash-driver.h | 72 ++++++++++++++++++
|
||||
12 files changed, 384 insertions(+)
|
||||
create mode 100644 arch/arm/include/asm/crash-driver.h
|
||||
create mode 100644 arch/arm64/include/asm/crash-driver.h
|
||||
@ -31,7 +30,7 @@ Subject: [PATCH] crash-driver
|
||||
|
||||
diff --git a/arch/arm/include/asm/crash-driver.h b/arch/arm/include/asm/crash-driver.h
|
||||
new file mode 100644
|
||||
index 0000000..1d2e537
|
||||
index 000000000000..06e7ae916601
|
||||
--- /dev/null
|
||||
+++ b/arch/arm/include/asm/crash-driver.h
|
||||
@@ -0,0 +1,6 @@
|
||||
@ -43,7 +42,7 @@ index 0000000..1d2e537
|
||||
+#endif /* _ARM_CRASH_H */
|
||||
diff --git a/arch/arm64/include/asm/crash-driver.h b/arch/arm64/include/asm/crash-driver.h
|
||||
new file mode 100644
|
||||
index 0000000..a7fcc28
|
||||
index 000000000000..43b26da0c5d6
|
||||
--- /dev/null
|
||||
+++ b/arch/arm64/include/asm/crash-driver.h
|
||||
@@ -0,0 +1,6 @@
|
||||
@ -55,7 +54,7 @@ index 0000000..a7fcc28
|
||||
+#endif /* _ARM64_CRASH_H */
|
||||
diff --git a/arch/ia64/include/asm/crash-driver.h b/arch/ia64/include/asm/crash-driver.h
|
||||
new file mode 100644
|
||||
index 0000000..28bd955
|
||||
index 000000000000..404bcb93c112
|
||||
--- /dev/null
|
||||
+++ b/arch/ia64/include/asm/crash-driver.h
|
||||
@@ -0,0 +1,90 @@
|
||||
@ -150,7 +149,7 @@ index 0000000..28bd955
|
||||
+
|
||||
+#endif /* _ASM_IA64_CRASH_H */
|
||||
diff --git a/arch/ia64/kernel/ia64_ksyms.c b/arch/ia64/kernel/ia64_ksyms.c
|
||||
index 5b7791d..aee4b87 100644
|
||||
index 5b7791dd3965..aee4b870c763 100644
|
||||
--- a/arch/ia64/kernel/ia64_ksyms.c
|
||||
+++ b/arch/ia64/kernel/ia64_ksyms.c
|
||||
@@ -84,6 +84,9 @@ EXPORT_SYMBOL(ia64_save_scratch_fpregs);
|
||||
@ -165,7 +164,7 @@ index 5b7791d..aee4b87 100644
|
||||
EXPORT_SYMBOL_GPL(esi_call_phys);
|
||||
diff --git a/arch/powerpc/include/asm/crash-driver.h b/arch/powerpc/include/asm/crash-driver.h
|
||||
new file mode 100644
|
||||
index 0000000..daa8c4d
|
||||
index 000000000000..50092d965dc5
|
||||
--- /dev/null
|
||||
+++ b/arch/powerpc/include/asm/crash-driver.h
|
||||
@@ -0,0 +1,6 @@
|
||||
@ -177,7 +176,7 @@ index 0000000..daa8c4d
|
||||
+#endif /* _PPC64_CRASH_H */
|
||||
diff --git a/arch/s390/include/asm/crash-driver.h b/arch/s390/include/asm/crash-driver.h
|
||||
new file mode 100644
|
||||
index 0000000..552be5e
|
||||
index 000000000000..552be5e2c571
|
||||
--- /dev/null
|
||||
+++ b/arch/s390/include/asm/crash-driver.h
|
||||
@@ -0,0 +1,60 @@
|
||||
@ -242,10 +241,10 @@ index 0000000..552be5e
|
||||
+
|
||||
+#endif /* _S390_CRASH_H */
|
||||
diff --git a/arch/s390/mm/maccess.c b/arch/s390/mm/maccess.c
|
||||
index d1e0e0c..a2be459 100644
|
||||
index 2a2e35416d2f..a529181429bb 100644
|
||||
--- a/arch/s390/mm/maccess.c
|
||||
+++ b/arch/s390/mm/maccess.c
|
||||
@@ -219,6 +219,7 @@ void *xlate_dev_mem_ptr(unsigned long addr)
|
||||
@@ -193,6 +193,7 @@ void *xlate_dev_mem_ptr(unsigned long addr)
|
||||
put_online_cpus();
|
||||
return bounce;
|
||||
}
|
||||
@ -253,14 +252,14 @@ index d1e0e0c..a2be459 100644
|
||||
|
||||
/*
|
||||
* Free converted buffer for /dev/mem access (if necessary)
|
||||
@@ -228,3 +229,4 @@ void unxlate_dev_mem_ptr(unsigned long addr, void *buf)
|
||||
@@ -202,3 +203,4 @@ void unxlate_dev_mem_ptr(unsigned long addr, void *buf)
|
||||
if ((void *) addr != buf)
|
||||
free_page((unsigned long) buf);
|
||||
}
|
||||
+EXPORT_SYMBOL_GPL(unxlate_dev_mem_ptr);
|
||||
diff --git a/arch/x86/include/asm/crash-driver.h b/arch/x86/include/asm/crash-driver.h
|
||||
new file mode 100644
|
||||
index 0000000..27a4156
|
||||
index 000000000000..fd4736ec99f5
|
||||
--- /dev/null
|
||||
+++ b/arch/x86/include/asm/crash-driver.h
|
||||
@@ -0,0 +1,6 @@
|
||||
@ -271,7 +270,7 @@ index 0000000..27a4156
|
||||
+
|
||||
+#endif /* _X86_CRASH_H */
|
||||
diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
|
||||
index fa3243d..83643e5b 100644
|
||||
index 6e9f74a5c095..ee6bae16b04c 100644
|
||||
--- a/drivers/char/Kconfig
|
||||
+++ b/drivers/char/Kconfig
|
||||
@@ -4,6 +4,9 @@
|
||||
@ -285,10 +284,10 @@ index fa3243d..83643e5b 100644
|
||||
|
||||
config DEVKMEM
|
||||
diff --git a/drivers/char/Makefile b/drivers/char/Makefile
|
||||
index 7ff1d0d..3ed67af 100644
|
||||
index a324f9303e36..33ce2fb1d0a3 100644
|
||||
--- a/drivers/char/Makefile
|
||||
+++ b/drivers/char/Makefile
|
||||
@@ -62,3 +62,5 @@ obj-$(CONFIG_JS_RTC) += js-rtc.o
|
||||
@@ -61,3 +61,5 @@ obj-$(CONFIG_JS_RTC) += js-rtc.o
|
||||
js-rtc-y = rtc.o
|
||||
|
||||
obj-$(CONFIG_TILE_SROM) += tile-srom.o
|
||||
@ -296,7 +295,7 @@ index 7ff1d0d..3ed67af 100644
|
||||
+obj-$(CONFIG_CRASH) += crash.o
|
||||
diff --git a/drivers/char/crash.c b/drivers/char/crash.c
|
||||
new file mode 100644
|
||||
index 0000000..a142bb3
|
||||
index 000000000000..085378a1d539
|
||||
--- /dev/null
|
||||
+++ b/drivers/char/crash.c
|
||||
@@ -0,0 +1,128 @@
|
||||
@ -430,7 +429,7 @@ index 0000000..a142bb3
|
||||
+MODULE_LICENSE("GPL");
|
||||
diff --git a/include/asm-generic/crash-driver.h b/include/asm-generic/crash-driver.h
|
||||
new file mode 100644
|
||||
index 0000000..8a0a69a
|
||||
index 000000000000..25ab9869d566
|
||||
--- /dev/null
|
||||
+++ b/include/asm-generic/crash-driver.h
|
||||
@@ -0,0 +1,72 @@
|
||||
@ -507,5 +506,5 @@ index 0000000..8a0a69a
|
||||
+
|
||||
+#endif /* __CRASH_H__ */
|
||||
--
|
||||
1.8.3.1
|
||||
1.9.3
|
||||
|
||||
|
@ -1,11 +1,19 @@
|
||||
From cb32e566a709fd6a7e36ef7a41b2047fcdfb921d Mon Sep 17 00:00:00 2001
|
||||
From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org>
|
||||
Date: Wed, 30 Jan 2013 10:55:31 -0500
|
||||
Subject: [PATCH] criu: no expert
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
---
|
||||
init/Kconfig | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index be8b7f5..7461760 100644
|
||||
index 3bad458f1c68..aee58b9fedfc 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -989,7 +989,7 @@ config DEBUG_BLK_CGROUP
|
||||
@@ -1147,7 +1147,7 @@ config DEBUG_BLK_CGROUP
|
||||
endif # CGROUPS
|
||||
|
||||
config CHECKPOINT_RESTORE
|
||||
@ -14,7 +22,7 @@ index be8b7f5..7461760 100644
|
||||
default n
|
||||
help
|
||||
Enables additional kernel features in a sake of checkpoint/restore.
|
||||
@@ -1000,7 +1000,7 @@ config CHECKPOINT_RESTORE
|
||||
@@ -1158,7 +1158,7 @@ config CHECKPOINT_RESTORE
|
||||
If unsure, say N here.
|
||||
|
||||
menuconfig NAMESPACES
|
||||
@ -23,3 +31,6 @@ index be8b7f5..7461760 100644
|
||||
default !EXPERT
|
||||
help
|
||||
Provides the way to make tasks work with different objects using
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
@ -1,24 +1,24 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
|
||||
From 4ff58b642f80dedb20533978123d89b5ac9b1ed5 Mon Sep 17 00:00:00 2001
|
||||
From c6f9176d4c916dba021a44a2ad9de1756fc6c5ad Mon Sep 17 00:00:00 2001
|
||||
From: Kyle McMartin <kyle@phobos.i.jkkm.org>
|
||||
Date: Tue, 30 Mar 2010 00:04:29 -0400
|
||||
Subject: die-floppy-die
|
||||
Subject: [PATCH] die-floppy-die
|
||||
|
||||
Kill the floppy.ko pnp modalias. We were surviving just fine without
|
||||
autoloading floppy drivers, tyvm.
|
||||
|
||||
Please feel free to register all complaints in the wastepaper bin.
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
---
|
||||
drivers/block/floppy.c | 3 +--
|
||||
1 files changed, 1 insertions(+), 2 deletions(-)
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
|
||||
index 90c4038..f4a0b90 100644
|
||||
index 56d46ffb08e1..1c8db250df88 100644
|
||||
--- a/drivers/block/floppy.c
|
||||
+++ b/drivers/block/floppy.c
|
||||
@@ -4619,8 +4619,7 @@ static const struct pnp_device_id floppy_pnpids[] = {
|
||||
@@ -4634,8 +4634,7 @@ static const struct pnp_device_id floppy_pnpids[] = {
|
||||
{"PNP0700", 0},
|
||||
{}
|
||||
};
|
||||
@ -29,5 +29,5 @@ index 90c4038..f4a0b90 100644
|
||||
#else
|
||||
|
||||
--
|
||||
1.7.0.1
|
||||
1.9.3
|
||||
|
||||
|
@ -1,10 +1,7 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: http://lkml.indiana.edu/hypermail/linux/kernel/1005.0/00938.html (and pinged on Dec 17, 2013)
|
||||
|
||||
From 2a79554c864ac58fa2ad982f0fcee2cc2aa33eb5 Mon Sep 17 00:00:00 2001
|
||||
From a2e5f724a7e33329651ead92d4122907bdfdb208 Mon Sep 17 00:00:00 2001
|
||||
From: Bastien Nocera <hadess@hadess.net>
|
||||
Date: Thu, 20 May 2010 10:30:31 -0400
|
||||
Subject: Disable i8042 checks on Intel Apple Macs
|
||||
Subject: [PATCH] disable i8042 check on apple mac
|
||||
|
||||
As those computers never had any i8042 controllers, and the
|
||||
current lookup code could potentially lock up/hang/wait for
|
||||
@ -12,16 +9,19 @@ timeout for long periods of time.
|
||||
|
||||
Fixes intermittent hangs on boot on a MacbookAir1,1
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: http://lkml.indiana.edu/hypermail/linux/kernel/1005.0/00938.html (and pinged on Dec 17, 2013)
|
||||
|
||||
Signed-off-by: Bastien Nocera <hadess@hadess.net>
|
||||
---
|
||||
drivers/input/serio/i8042.c | 22 ++++++++++++++++++++++
|
||||
1 files changed, 22 insertions(+), 0 deletions(-)
|
||||
1 file changed, 22 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
|
||||
index 6440a8f..4d7cf98 100644
|
||||
index 612f855c340f..f1aeb0240d6e 100644
|
||||
--- a/drivers/input/serio/i8042.c
|
||||
+++ b/drivers/input/serio/i8042.c
|
||||
@@ -1451,6 +1451,22 @@ static struct platform_driver i8042_driver = {
|
||||
@@ -1469,6 +1469,22 @@ static struct platform_driver i8042_driver = {
|
||||
.shutdown = i8042_shutdown,
|
||||
};
|
||||
|
||||
@ -44,7 +44,7 @@ index 6440a8f..4d7cf98 100644
|
||||
static int __init i8042_init(void)
|
||||
{
|
||||
struct platform_device *pdev;
|
||||
@@ -1458,6 +1474,12 @@ static int __init i8042_init(void)
|
||||
@@ -1476,6 +1492,12 @@ static int __init i8042_init(void)
|
||||
|
||||
dbg_init();
|
||||
|
||||
@ -58,5 +58,5 @@ index 6440a8f..4d7cf98 100644
|
||||
if (err)
|
||||
return err;
|
||||
--
|
||||
1.7.0.1
|
||||
1.9.3
|
||||
|
||||
|
@ -1,9 +1,20 @@
|
||||
From 5a8e4c7cafd99ce849d75c86409b822ac1da18e4 Mon Sep 17 00:00:00 2001
|
||||
From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org>
|
||||
Date: Fri, 18 Apr 2014 06:58:29 -0400
|
||||
Subject: [PATCH] disable libdw unwind on non-x86
|
||||
|
||||
Bugzilla: 1025603
|
||||
Upstream-status: ??
|
||||
---
|
||||
tools/perf/config/Makefile | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile
|
||||
index ee21fa9..19ee413 100644
|
||||
index 1f67aa02d240..86c21a24da46 100644
|
||||
--- a/tools/perf/config/Makefile
|
||||
+++ b/tools/perf/config/Makefile
|
||||
@@ -34,6 +34,10 @@ ifeq ($(ARCH),arm)
|
||||
LIBUNWIND_LIBS = -lunwind -lunwind-arm
|
||||
@@ -52,6 +52,10 @@ ifeq ($(ARCH),powerpc)
|
||||
CFLAGS += -DHAVE_SKIP_CALLCHAIN_IDX
|
||||
endif
|
||||
|
||||
+ifneq ($(ARCH),x86)
|
||||
@ -13,3 +24,6 @@ index ee21fa9..19ee413 100644
|
||||
ifeq ($(LIBUNWIND_LIBS),)
|
||||
NO_LIBUNWIND := 1
|
||||
else
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
@ -1,15 +1,24 @@
|
||||
Bugzilla: 1027037 1028785
|
||||
Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/035948.html
|
||||
From e2d0333d3dc0c63e79a94f08d3770cd2a7d6a667 Mon Sep 17 00:00:00 2001
|
||||
From: Adam Jackson <ajax@redhat.com>
|
||||
Date: Wed, 13 Nov 2013 10:17:24 -0500
|
||||
Subject: [PATCH] drm/i915: hush check crtc state
|
||||
|
||||
This is _by far_ the most common backtrace for i915 on retrace.fp.o, and
|
||||
it's mostly useless noise. There's not enough context when it's generated
|
||||
to know if something actually went wrong. Downgrade the message to
|
||||
KMS debugging so we can still get it if we want it.
|
||||
|
||||
diff -up linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_display.c.jx linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_display.c
|
||||
--- linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_display.c.jx 2013-11-03 18:41:51.000000000 -0500
|
||||
+++ linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_display.c 2013-11-13 10:12:05.781301624 -0500
|
||||
@@ -8803,7 +8803,7 @@ check_crtc_state(struct drm_device *dev)
|
||||
Bugzilla: 1027037 1028785
|
||||
Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/035948.html
|
||||
---
|
||||
drivers/gpu/drm/i915/intel_display.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
|
||||
index 018fb7222f60..922818d16e93 100644
|
||||
--- a/drivers/gpu/drm/i915/intel_display.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_display.c
|
||||
@@ -10640,7 +10640,7 @@ check_crtc_state(struct drm_device *dev)
|
||||
|
||||
if (active &&
|
||||
!intel_pipe_config_compare(dev, &crtc->config, &pipe_config)) {
|
||||
@ -18,3 +27,6 @@ diff -up linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_displa
|
||||
intel_dump_pipe_config(crtc, &pipe_config,
|
||||
"[hw state]");
|
||||
intel_dump_pipe_config(crtc, &crtc->config,
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
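--- /dev/null
+++ b/efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -0,0 +1,43 @@
+From a2ebe652ed2e730d4a7fc2699c39a8736b823480 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 27 Aug 2013 13:33:03 -0400
+Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit
+
+UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
+for use with efi_enabled.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+arch/x86/kernel/setup.c | 2 ++
+include/linux/efi.h | 1 +
+2 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 5a5cf7395724..fb282ff6a802 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p)
+
+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
+if (boot_params.secure_boot) {
++ set_bit(EFI_SECURE_BOOT, &efi.flags);
+enforce_signed_modules();
++ pr_info("Secure boot enabled\n");
+}
+#endif
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 45cb4ffdea62..ebe6a24cc1e1 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -923,6 +923,7 @@ extern int __init efi_setup_pcdp_console(char *);
+#define EFI_64BIT 5 /* Is the firmware 64-bit? */
+#define EFI_PARAVIRT 6 /* Access is via a paravirt interface */
+#define EFI_ARCH_1 7 /* First arch-specific bit */
++#define EFI_SECURE_BOOT 8 /* Are we in Secure Boot mode? */
+
+#ifdef CONFIG_EFI
+/*
+--
+1.9.3
+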
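Review bot: `EFI_SECURE_BOOT` is only set inside `#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE`, so on a kernel built without that option `efi_enabled(EFI_SECURE_BOOT)` reads false even when the firmware booted in Secure Boot mode, which contradicts the new flag's comment `/* Are we in Secure Boot mode? */` and will mislead any later consumer of the bit (lockdown checks, sysrq handling, logging). If `boot_params.secure_boot` is populated regardless of the config option — its definition is not visible from here — the flag should be set unconditionally and only the enforcement kept under the ifdef. setup_arch continues well outside this hunk.
```c
	if (boot_params.secure_boot)
		set_bit(EFI_SECURE_BOOT, &efi.flags);
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
	if (efi_enabled(EFI_SECURE_BOOT)) {
		enforce_signed_modules();
		pr_info("Secure boot enabled\n");
	}
#endif
```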
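--- /dev/null
+++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
@@ -0,0 +1,58 @@
+From 3d2fbfb0264c8286432026e152d7561975506ffc Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 5 Feb 2013 19:25:05 -0500
+Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
+
+A user can manually tell the shim boot loader to disable validation of
+images it loads. When a user does this, it creates a UEFI variable called
+MokSBState that does not have the runtime attribute set. Given that the
+user explicitly disabled validation, we can honor that and not enable
+secure boot mode if that variable is set.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
+1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 88edd48f03e9..3b18ef2b534c 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -806,8 +806,9 @@ out:
+
+static int get_secure_boot(void)
+{
+- u8 sb, setup;
++ u8 sb, setup, moksbstate;
+unsigned long datasize = sizeof(sb);
++ u32 attr;
+efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+efi_status_t status;
+
+@@ -831,6 +832,23 @@ static int get_secure_boot(void)
+if (setup == 1)
+return 0;
+
++ /* See if a user has put shim into insecure_mode. If so, and the variable
++ * doesn't have the runtime attribute set, we might as well honor that.
++ */
++ var_guid = EFI_SHIM_LOCK_GUID;
++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
++ L"MokSBState", &var_guid, &attr, &datasize,
++ &moksbstate);
++
++ /* If it fails, we don't care why. Default to secure */
++ if (status != EFI_SUCCESS)
++ return 1;
++
++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
++ if (moksbstate == 1)
++ return 0;
++ }
++
+return 1;
+}
+
+--
+1.9.3
+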
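Review bot: The runtime-attribute test on `attr` is the actual security boundary in this hunk and the inline comment does not say so: a variable lacking `EFI_VARIABLE_RUNTIME_ACCESS` can only have been written by a boot-services caller such as shim, whereas anything the OS creates through SetVariable (e.g. efivarfs) must carry the runtime attribute, so a runtime attacker cannot forge MokSBState this way. I would replace the "we might as well honor that" comment with `/* Only honor MokSBState if it lacks EFI_VARIABLE_RUNTIME_ACCESS: such a variable can only come from a boot-services caller (shim), never from the OS via SetVariable at runtime. */`. Separately, `datasize` is an in/out parameter already updated by the earlier GetVariable calls (outside this hunk), and `moksbstate` is compared even if the firmware returns zero bytes, so initialize it (`u8 sb, setup, moksbstate = 0;`) or require `datasize == sizeof(moksbstate)` before the comparison. The middle of get_secure_boot lies between the two hunks.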
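--- /dev/null
+++ b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
@@ -0,0 +1,30 @@
+From 2850989c51158efb074313d4e3aeb2665f978ed4 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 27 Aug 2013 13:28:43 -0400
+Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+
+The functionality of the config option is dependent upon the platform being
+UEFI based. Reflect this in the config deps.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+arch/x86/Kconfig | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 46392bfab57e..5bb9b06573a3 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1566,7 +1566,8 @@ config EFI_MIXED
+If unsure, say N.
+
+config EFI_SECURE_BOOT_SIG_ENFORCE
+- def_bool n
++ def_bool n
++ depends on EFI
+prompt "Force module signing when UEFI Secure Boot is enabled"
+---help---
+UEFI Secure Boot provides a mechanism for ensuring that the
+--
+1.9.3
+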
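--- /dev/null
+++ b/hibernate-Disable-in-a-signed-modules-environment.patch
@@ -0,0 +1,39 @@
+From f32db30954f67a233bbb6d56f48143698f44e5bc Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 20 Jun 2014 08:53:24 -0400
+Subject: [PATCH] hibernate: Disable in a signed modules environment
+
+There is currently no way to verify the resume image when returning
+from hibernate. This might compromise the signed modules trust model,
+so until we can work with signed hibernate images we disable it in
+a secure modules environment.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+kernel/power/hibernate.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index a9dfa79b6bab..14c7356ff53a 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -28,6 +28,7 @@
+#include <linux/syscore_ops.h>
+#include <linux/ctype.h>
+#include <linux/genhd.h>
++#include <linux/module.h>
+#include <trace/events/power.h>
+
+#include "power.h"
+@@ -65,7 +66,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
+
+bool hibernation_available(void)
+{
+- return (nohibernate == 0);
++ return ((nohibernate == 0) && !secure_modules());
+}
+
+/**
+--
+1.9.3
+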
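Review bot: `hibernation_available()` now returns false whenever `secure_modules()` is true, but nothing in the function records why, and the commit message is the only place the reasoning lives. I would put a comment on the return line: `/* Resume images are neither signed nor verified, so hibernation would let an attacker resume arbitrary kernel state past module-signature enforcement; refuse it while secure_modules() is set. */`. If hibernation_available() also gates software_resume() in this tree (not visible here), the comment should say that the resume path is disabled as well, since that is the half of the change that actually protects the trust model. The function's kernel-doc, if any, sits above the hunk.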
@ -1,11 +1,19 @@
|
||||
From 0115cafe4d9a93deef3259b18b5b9cdafd60fbef Mon Sep 17 00:00:00 2001
|
||||
From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org>
|
||||
Date: Thu, 29 Jul 2010 16:46:31 -0700
|
||||
Subject: [PATCH] input: kill stupid messages
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
---
|
||||
drivers/input/keyboard/atkbd.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/input/keyboard/atkbd.c b/drivers/input/keyboard/atkbd.c
|
||||
index add5ffd..5eb2f03 100644
|
||||
index 2dd1d0dd4f7d..7116b70074bf 100644
|
||||
--- a/drivers/input/keyboard/atkbd.c
|
||||
+++ b/drivers/input/keyboard/atkbd.c
|
||||
@@ -430,11 +430,15 @@ static irqreturn_t atkbd_interrupt(struct serio *serio, unsigned char data,
|
||||
@@ -436,11 +436,15 @@ static irqreturn_t atkbd_interrupt(struct serio *serio, unsigned char data,
|
||||
goto out;
|
||||
case ATKBD_RET_ACK:
|
||||
case ATKBD_RET_NAK:
|
||||
@ -21,3 +29,6 @@ index add5ffd..5eb2f03 100644
|
||||
goto out;
|
||||
case ATKBD_RET_ERR:
|
||||
atkbd->err_count++;
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
@ -1,20 +1,39 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
|
||||
From b4e96f34c17e5a79cd28774cc722bb33e7e02c6e Mon Sep 17 00:00:00 2001
|
||||
From 10da76f4101b3dd43dcf9cbb6c9c7b6d6f92c829 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 25 Sep 2008 16:23:33 -0400
|
||||
Subject: [PATCH] Don't print an error message just because there's no i8042 chip.
|
||||
Subject: [PATCH] input: silence i8042 noise
|
||||
|
||||
Don't print an error message just because there's no i8042 chip.
|
||||
Some systems, such as EFI-based Apple systems, won't necessarily have an
|
||||
i8042 to initialize. We shouldn't be printing an error message in this
|
||||
case, since not detecting the chip is the correct behavior.
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
---
|
||||
drivers/base/power/main.c | 2 --
|
||||
drivers/input/serio/i8042.c | 1 -
|
||||
net/can/af_can.c | 8 ++------
|
||||
3 files changed, 2 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
|
||||
index b67d9aef9fe4..dd58b0fdaafd 100644
|
||||
--- a/drivers/base/power/main.c
|
||||
+++ b/drivers/base/power/main.c
|
||||
@@ -122,8 +122,6 @@ void device_pm_unlock(void)
|
||||
*/
|
||||
void device_pm_add(struct device *dev)
|
||||
{
|
||||
- pr_debug("PM: Adding info for %s:%s\n",
|
||||
- dev->bus ? dev->bus->name : "No Bus", dev_name(dev));
|
||||
mutex_lock(&dpm_list_mtx);
|
||||
if (dev->parent && dev->parent->power.is_prepared)
|
||||
dev_warn(dev, "parent %s should not be sleeping\n",
|
||||
diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
|
||||
index 52c9ebf..c374a96 100644
|
||||
index 3807c3e971cc..612f855c340f 100644
|
||||
--- a/drivers/input/serio/i8042.c
|
||||
+++ b/drivers/input/serio/i8042.c
|
||||
@@ -855,7 +855,6 @@ static int __init i8042_check_aux(void)
|
||||
@@ -857,7 +857,6 @@ static int __init i8042_check_aux(void)
|
||||
static int i8042_controller_check(void)
|
||||
{
|
||||
if (i8042_flush()) {
|
||||
@ -22,16 +41,11 @@ index 52c9ebf..c374a96 100644
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
--
|
||||
|
||||
Socket fuzzers like sfuzz will trigger this printk a lot, even though it's
|
||||
ratelimited. It isn't particularly useful, so just remove it.
|
||||
|
||||
Signed-off-by: Dave Jones <davej@redhat.com>
|
||||
|
||||
diff --git a/net/can/af_can.c b/net/can/af_can.c
|
||||
index ce82337521f6..a3fee4becc93 100644
|
||||
--- a/net/can/af_can.c
|
||||
+++ b/net/can/af_can.c
|
||||
@@ -157,13 +157,9 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
|
||||
@@ -158,13 +158,9 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
|
||||
err = request_module("can-proto-%d", protocol);
|
||||
|
||||
/*
|
||||
@ -47,22 +61,6 @@ Signed-off-by: Dave Jones <davej@redhat.com>
|
||||
|
||||
cp = can_get_proto(protocol);
|
||||
}
|
||||
--
|
||||
1.9.3
|
||||
|
||||
This was removed in revision 1.6 of linux-2.6-silence-noise.patch
|
||||
in ye olde CVS tree. I have no idea why. Originally the pr_debug in
|
||||
device_pm_remove was nuked as well, but that seems to have gotten lost in
|
||||
the r1.634 of kernel.spec (2.6.26-rc2-git5.)
|
||||
|
||||
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
|
||||
index 2a52270..bacbdd2 100644
|
||||
--- a/drivers/base/power/main.c
|
||||
+++ b/drivers/base/power/main.c
|
||||
@@ -87,8 +87,6 @@ void device_pm_unlock(void)
|
||||
*/
|
||||
void device_pm_add(struct device *dev)
|
||||
{
|
||||
- pr_debug("PM: Adding info for %s:%s\n",
|
||||
- dev->bus ? dev->bus->name : "No Bus", dev_name(dev));
|
||||
mutex_lock(&dpm_list_mtx);
|
||||
if (dev->parent && dev->parent->power.is_prepared)
|
||||
dev_warn(dev, "parent %s should not be sleeping\n",
|
@ -1,7 +1,4 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: ??
|
||||
|
||||
From fd4e7f06ecc891474dea3a93df083de5f8c50cdc Mon Sep 17 00:00:00 2001
|
||||
From 4df7d687b12092b4ae94415cc528bc09a0437624 Mon Sep 17 00:00:00 2001
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Mon, 6 Oct 2008 23:03:03 -0700
|
||||
Subject: [PATCH] kbuild: AFTER_LINK
|
||||
@ -9,6 +6,9 @@ Subject: [PATCH] kbuild: AFTER_LINK
|
||||
If the make variable AFTER_LINK is set, it is a command line to run
|
||||
after each final link. This includes vmlinux itself and vDSO images.
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: ??
|
||||
|
||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
||||
---
|
||||
arch/arm64/kernel/vdso/Makefile | 3 ++-
|
||||
@ -121,3 +121,6 @@ index 86a4fe75f453..161637ed5611 100644
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
1.9.3
|
||||
|
108
kernel.spec
108
kernel.spec
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
||||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 1
|
||||
%global baserelease 2
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
@ -537,7 +537,7 @@ Patch00: patch-3.%{base_sublevel}-git%{gitrev}.xz
|
||||
Patch04: compile-fixes.patch
|
||||
|
||||
# build tweak for build ID magic, even for -vanilla
|
||||
Patch05: makefile-after_link.patch
|
||||
Patch05: kbuild-AFTER_LINK.patch
|
||||
|
||||
%if !%{nopatches}
|
||||
|
||||
@ -555,10 +555,10 @@ Patch470: die-floppy-die.patch
|
||||
|
||||
Patch500: Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch
|
||||
|
||||
Patch510: silence-noise.patch
|
||||
Patch510: input-silence-i8042-noise.patch
|
||||
Patch530: silence-fbcon-logo.patch
|
||||
|
||||
Patch600: 0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
|
||||
Patch600: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
|
||||
|
||||
#rhbz 917708
|
||||
Patch700: Revert-userns-Allow-unprivileged-users-to-create-use.patch
|
||||
@ -568,10 +568,28 @@ Patch800: crash-driver.patch
|
||||
# crypto/
|
||||
|
||||
# secure boot
|
||||
Patch1000: secure-modules.patch
|
||||
Patch1001: modsign-uefi.patch
|
||||
# atch1002: sb-hibernate.patch
|
||||
Patch1003: sysrq-secure-boot.patch
|
||||
Patch1000: Add-secure_modules-call.patch
|
||||
Patch1001: PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
|
||||
Patch1002: x86-Lock-down-IO-port-access-when-module-security-is.patch
|
||||
Patch1003: ACPI-Limit-access-to-custom_method.patch
|
||||
Patch1004: asus-wmi-Restrict-debugfs-interface-when-module-load.patch
|
||||
Patch1005: Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
|
||||
Patch1006: acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
|
||||
Patch1007: kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
|
||||
Patch1008: x86-Restrict-MSR-access-when-module-loading-is-restr.patch
|
||||
Patch1009: Add-option-to-automatically-enforce-module-signature.patch
|
||||
Patch1010: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
|
||||
Patch1011: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
|
||||
Patch1012: efi-Add-EFI_SECURE_BOOT-bit.patch
|
||||
Patch1013: hibernate-Disable-in-a-signed-modules-environment.patch
|
||||
|
||||
Patch1014: Add-EFI-signature-data-types.patch
|
||||
Patch1015: Add-an-EFI-signature-blob-parser-and-key-loader.patch
|
||||
Patch1016: KEYS-Add-a-system-blacklist-keyring.patch
|
||||
Patch1017: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
|
||||
Patch1018: MODSIGN-Support-not-importing-certs-from-db.patch
|
||||
|
||||
Patch1019: Add-sysrq-option-to-disable-secure-boot-mode.patch
|
||||
|
||||
# virt + ksm patches
|
||||
|
||||
@ -594,14 +612,21 @@ Patch14000: hibernate-freeze-filesystems.patch
|
||||
|
||||
Patch14010: lis3-improve-handling-of-null-rate.patch
|
||||
|
||||
Patch15000: nowatchdog-on-virt.patch
|
||||
Patch15000: watchdog-Disable-watchdog-on-virtual-machines.patch
|
||||
|
||||
# ARM64
|
||||
|
||||
# ARMv7
|
||||
Patch21020: arm-tegra-usb-no-reset-linux33.patch
|
||||
Patch21021: arm-beagle.patch
|
||||
Patch21022: arm-imx6-utilite.patch
|
||||
Patch21020: ARM-tegra-usb-no-reset.patch
|
||||
Patch21021: arm-dts-am335x-boneblack-lcdc-add-panel-info.patch
|
||||
Patch21022: arm-dts-am335x-boneblack-add-cpu0-opp-points.patch
|
||||
Patch21023: arm-dts-am335x-bone-common-enable-and-use-i2c2.patch
|
||||
Patch21024: arm-dts-am335x-bone-common-setup-default-pinmux-http.patch
|
||||
Patch21025: arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
|
||||
Patch21026: pinctrl-pinctrl-single-must-be-initialized-early.patch
|
||||
Patch21027: arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
|
||||
|
||||
Patch21028: arm-i.MX6-Utilite-device-dtb.patch
|
||||
|
||||
#rhbz 754518
|
||||
Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
|
||||
@ -610,7 +635,7 @@ Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
|
||||
Patch21242: criu-no-expert.patch
|
||||
|
||||
#rhbz 892811
|
||||
Patch21247: ath9k_rx_dma_stop_check.patch
|
||||
Patch21247: ath9k-rx-dma-stop-check.patch
|
||||
|
||||
Patch22000: weird-root-dentry-name-debug.patch
|
||||
|
||||
@ -618,9 +643,9 @@ Patch22000: weird-root-dentry-name-debug.patch
|
||||
Patch25063: disable-libdw-unwind-on-non-x86.patch
|
||||
|
||||
#rhbz 983342 1093120
|
||||
Patch25069: 0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch
|
||||
Patch25069: acpi-video-Add-4-new-models-to-the-use_native_backli.patch
|
||||
|
||||
Patch26000: perf-lib64.patch
|
||||
Patch26000: perf-install-trace-event-plugins.patch
|
||||
|
||||
# Patch series from Hans for various backlight and platform driver fixes
|
||||
Patch26002: samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
|
||||
@ -1203,7 +1228,7 @@ do
|
||||
done
|
||||
%endif
|
||||
|
||||
ApplyPatch makefile-after_link.patch
|
||||
ApplyPatch kbuild-AFTER_LINK.patch
|
||||
|
||||
#
|
||||
# misc small stuff to make things compile
|
||||
@ -1217,16 +1242,23 @@ ApplyOptionalPatch upstream-reverts.patch -R
|
||||
|
||||
# Architecture patches
|
||||
# x86(-64)
|
||||
ApplyPatch 0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
|
||||
ApplyPatch lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
|
||||
|
||||
# ARM64
|
||||
|
||||
#
|
||||
# ARM
|
||||
#
|
||||
ApplyPatch arm-tegra-usb-no-reset-linux33.patch
|
||||
ApplyPatch arm-beagle.patch
|
||||
ApplyPatch arm-imx6-utilite.patch
|
||||
ApplyPatch ARM-tegra-usb-no-reset.patch
|
||||
ApplyPatch arm-dts-am335x-boneblack-lcdc-add-panel-info.patch
|
||||
ApplyPatch arm-dts-am335x-boneblack-add-cpu0-opp-points.patch
|
||||
ApplyPatch arm-dts-am335x-bone-common-enable-and-use-i2c2.patch
|
||||
ApplyPatch arm-dts-am335x-bone-common-setup-default-pinmux-http.patch
|
||||
ApplyPatch arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
|
||||
ApplyPatch pinctrl-pinctrl-single-must-be-initialized-early.patch
|
||||
ApplyPatch arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
|
||||
|
||||
ApplyPatch arm-i.MX6-Utilite-device-dtb.patch
|
||||
|
||||
#
|
||||
# bugfixes to drivers and filesystems
|
||||
@ -1274,7 +1306,7 @@ ApplyPatch die-floppy-die.patch
|
||||
ApplyPatch no-pcspkr-modalias.patch
|
||||
|
||||
# Silence some useless messages that still get printed with 'quiet'
|
||||
ApplyPatch silence-noise.patch
|
||||
ApplyPatch input-silence-i8042-noise.patch
|
||||
|
||||
# Make fbcon not show the penguins with 'quiet'
|
||||
ApplyPatch silence-fbcon-logo.patch
|
||||
@ -1290,10 +1322,28 @@ ApplyPatch crash-driver.patch
|
||||
# crypto/
|
||||
|
||||
# secure boot
|
||||
ApplyPatch secure-modules.patch
|
||||
ApplyPatch modsign-uefi.patch
|
||||
# pplyPatch sb-hibernate.patch
|
||||
ApplyPatch sysrq-secure-boot.patch
|
||||
ApplyPatch Add-secure_modules-call.patch
|
||||
ApplyPatch PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
|
||||
ApplyPatch x86-Lock-down-IO-port-access-when-module-security-is.patch
|
||||
ApplyPatch ACPI-Limit-access-to-custom_method.patch
|
||||
ApplyPatch asus-wmi-Restrict-debugfs-interface-when-module-load.patch
|
||||
ApplyPatch Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
|
||||
ApplyPatch acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
|
||||
ApplyPatch kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
|
||||
ApplyPatch x86-Restrict-MSR-access-when-module-loading-is-restr.patch
|
||||
ApplyPatch Add-option-to-automatically-enforce-module-signature.patch
|
||||
ApplyPatch efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
|
||||
ApplyPatch efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
|
||||
ApplyPatch efi-Add-EFI_SECURE_BOOT-bit.patch
|
||||
ApplyPatch hibernate-Disable-in-a-signed-modules-environment.patch
|
||||
|
||||
ApplyPatch Add-EFI-signature-data-types.patch
|
||||
ApplyPatch Add-an-EFI-signature-blob-parser-and-key-loader.patch
|
||||
ApplyPatch KEYS-Add-a-system-blacklist-keyring.patch
|
||||
ApplyPatch MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
|
||||
ApplyPatch MODSIGN-Support-not-importing-certs-from-db.patch
|
||||
|
||||
ApplyPatch Add-sysrq-option-to-disable-secure-boot-mode.patch
|
||||
|
||||
# Assorted Virt Fixes
|
||||
|
||||
@ -1315,7 +1365,7 @@ ApplyPatch disable-i8042-check-on-apple-mac.patch
|
||||
ApplyPatch lis3-improve-handling-of-null-rate.patch
|
||||
|
||||
# Disable watchdog on virtual machines.
|
||||
ApplyPatch nowatchdog-on-virt.patch
|
||||
ApplyPatch watchdog-Disable-watchdog-on-virtual-machines.patch
|
||||
|
||||
#rhbz 754518
|
||||
ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
|
||||
@ -1326,15 +1376,15 @@ ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
|
||||
ApplyPatch criu-no-expert.patch
|
||||
|
||||
#rhbz 892811
|
||||
ApplyPatch ath9k_rx_dma_stop_check.patch
|
||||
ApplyPatch ath9k-rx-dma-stop-check.patch
|
||||
|
||||
#rhbz 1025603
|
||||
ApplyPatch disable-libdw-unwind-on-non-x86.patch
|
||||
|
||||
#rhbz 983342 1093120
|
||||
ApplyPatch 0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch
|
||||
ApplyPatch acpi-video-Add-4-new-models-to-the-use_native_backli.patch
|
||||
|
||||
ApplyPatch perf-lib64.patch
|
||||
ApplyPatch perf-install-trace-event-plugins.patch
|
||||
|
||||
# Patch series from Hans for various backlight and platform driver fixes
|
||||
ApplyPatch samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
|
||||
|
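Review bot: `arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch` is listed twice on the new side, as both `Patch21025` and `Patch21027`, and is applied twice in %prep (one `ApplyPatch` before and one after `pinctrl-pinctrl-single-must-be-initialized-early.patch`); the second application will either fail on already-applied hunks or double-apply them, depending on how ApplyPatch invokes patch. Drop the `Patch21027` line and the second `ApplyPatch`, or replace both with the patch that was meant to go in that slot. The secure-boot block also renames `sysrq-secure-boot.patch` to `Add-sysrq-option-to-disable-secure-boot-mode.patch`, so any `%if`-guarded references to the old names elsewhere in the spec (not visible here) should be checked.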
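--- /dev/null
+++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
@@ -0,0 +1,44 @@
+From 8633ed1850c24ea2e52c7c64c293186946935e8a Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Aug 2013 03:33:56 -0400
+Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
+loading restrictions
+
+kexec permits the loading and execution of arbitrary code in ring 0, which
+is something that module signing enforcement is meant to prevent. It makes
+sense to disable kexec in this situation.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+kernel/kexec.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 0b49a0a58102..8e649f7c22e1 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -36,6 +36,7 @@
+#include <linux/syscore_ops.h>
+#include <linux/compiler.h>
+#include <linux/hugetlb.h>
++#include <linux/module.h>
+
+#include <asm/page.h>
+#include <asm/uaccess.h>
+@@ -1245,6 +1246,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+return -EPERM;
+
+/*
++ * kexec can be used to circumvent module loading restrictions, so
++ * prevent loading in that case
++ */
++ if (secure_modules())
++ return -EPERM;
++
++ /*
+* Verify we have a legal set of flags
+* This leaves us room for future extensions.
+*/
+--
+1.9.3
+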
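Review bot: The `secure_modules()` gate in `kexec_load` rejects every load, including `KEXEC_ON_CRASH`, so kdump is silently disabled whenever module signing is enforced, and neither the commit message nor the new comment says so; I would extend the comment to `/* kexec can be used to circumvent module loading restrictions, so refuse all loads (including crash kernels) when secure_modules() is set */`. If this tree also carries a `kexec_file_load` syscall (not visible here), it needs the same check or signature verification of the loaded image, otherwise the restriction is bypassed through the other entry point. The syscall body continues outside the hunk.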
@ -1,7 +1,4 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Nak'd, supposedly replacement coming to auto-select
|
||||
|
||||
From 0f3f5c5b4ca2eb1f41947c50bedb9b17aa1a1f80 Mon Sep 17 00:00:00 2001
|
||||
From d53e8bbf853e6de66ac48e15794d722edf7877b4 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 11 Nov 2013 08:39:16 -0500
|
||||
Subject: [PATCH] lib/cpumask: Make CPUMASK_OFFSTACK usable without debug
|
||||
@ -14,16 +11,19 @@ operation of the feature, and we need CPUMASK_OFFSTACK to increase the
|
||||
NR_CPUS value beyond 512 on x86. We drop the current dependency and make
|
||||
sure SMP is set.
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Nak'd, supposedly replacement coming to auto-select
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
lib/Kconfig | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/Kconfig b/lib/Kconfig
|
||||
index b3c8be0..50b47cd 100644
|
||||
index a5ce0c7f6c30..54cef46c99d7 100644
|
||||
--- a/lib/Kconfig
|
||||
+++ b/lib/Kconfig
|
||||
@@ -342,7 +342,8 @@ config CHECK_SIGNATURE
|
||||
@@ -379,7 +379,8 @@ config CHECK_SIGNATURE
|
||||
bool
|
||||
|
||||
config CPUMASK_OFFSTACK
|
||||
@ -34,5 +34,5 @@ index b3c8be0..50b47cd 100644
|
||||
Use dynamic allocation for cpumask_var_t, instead of putting
|
||||
them on the stack. This is a bit more expensive, but avoids
|
||||
--
|
||||
1.8.3.1
|
||||
1.9.3
|
||||
|
@ -1,13 +1,7 @@
|
||||
Bugzilla: 785814
|
||||
Upstream-status: ??
|
||||
|
||||
>From 56fb161a9ca0129f8e266e4dbe79346552ff8089 Mon Sep 17 00:00:00 2001
|
||||
From 77389d33a694cf99c965e009ccf2a49fb27157c9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?=C3=89ric=20Piel?= <eric.piel@tremplin-utc.net>
|
||||
Date: Thu, 3 Nov 2011 16:22:40 +0100
|
||||
Subject: [PATCH] lis3: Improve handling of null rate
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Subject: [PATCH] lis3: improve handling of null rate
|
||||
|
||||
When obtaining a rate of 0, we would disable the device supposely
|
||||
because it seems to behave incorectly. It actually only comes from the
|
||||
@ -15,16 +9,19 @@ fact that the device is off and on lis3dc it's reflected in the rate.
|
||||
So handle this nicely by just waiting a safe time, and then using the
|
||||
device as normally.
|
||||
|
||||
Bugzilla: 785814
|
||||
Upstream-status: ??
|
||||
|
||||
Signed-off-by: ??ric Piel <eric.piel@tremplin-utc.net>
|
||||
---
|
||||
drivers/misc/lis3lv02d/lis3lv02d.c | 16 ++++++++--------
|
||||
1 files changed, 8 insertions(+), 8 deletions(-)
|
||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/drivers/misc/lis3lv02d/lis3lv02d.c b/drivers/misc/lis3lv02d/lis3lv02d.c
|
||||
index 35c67e0..42dce2a 100644
|
||||
index 3ef4627f9cb1..2b2d2e8e5eeb 100644
|
||||
--- a/drivers/misc/lis3lv02d/lis3lv02d.c
|
||||
+++ b/drivers/misc/lis3lv02d/lis3lv02d.c
|
||||
@@ -188,7 +188,8 @@ static void lis3lv02d_get_xyz(struct lis3lv02d *lis3, int *x, int *y, int *z)
|
||||
@@ -216,7 +216,8 @@ static void lis3lv02d_get_xyz(struct lis3lv02d *lis3, int *x, int *y, int *z)
|
||||
/* conversion btw sampling rate and the register values */
|
||||
static int lis3_12_rates[4] = {40, 160, 640, 2560};
|
||||
static int lis3_8_rates[2] = {100, 400};
|
||||
@ -34,7 +31,7 @@ index 35c67e0..42dce2a 100644
|
||||
static int lis3_3dlh_rates[4] = {50, 100, 400, 1000};
|
||||
|
||||
/* ODR is Output Data Rate */
|
||||
@@ -202,12 +203,11 @@ static int lis3lv02d_get_odr(struct lis3lv02d *lis3)
|
||||
@@ -231,12 +232,11 @@ static int lis3lv02d_get_odr(struct lis3lv02d *lis3)
|
||||
return lis3->odrs[(ctrl >> shift)];
|
||||
}
|
||||
|
||||
@ -50,7 +47,7 @@ index 35c67e0..42dce2a 100644
|
||||
|
||||
/* LIS3 power on delay is quite long */
|
||||
msleep(lis3->pwron_delay / div);
|
||||
@@ -274,7 +274,7 @@ static int lis3lv02d_selftest(struct lis3lv02d *lis3, s16 results[3])
|
||||
@@ -303,7 +303,7 @@ static int lis3lv02d_selftest(struct lis3lv02d *lis3, s16 results[3])
|
||||
|
||||
lis3->read(lis3, ctlreg, ®);
|
||||
lis3->write(lis3, ctlreg, (reg | selftest));
|
||||
@ -59,7 +56,7 @@ index 35c67e0..42dce2a 100644
|
||||
if (ret)
|
||||
goto fail;
|
||||
|
||||
@@ -285,7 +285,7 @@ static int lis3lv02d_selftest(struct lis3lv02d *lis3, s16 results[3])
|
||||
@@ -314,7 +314,7 @@ static int lis3lv02d_selftest(struct lis3lv02d *lis3, s16 results[3])
|
||||
|
||||
/* back to normal settings */
|
||||
lis3->write(lis3, ctlreg, reg);
|
||||
@ -68,8 +65,8 @@ index 35c67e0..42dce2a 100644
|
||||
if (ret)
|
||||
goto fail;
|
||||
|
||||
@@ -397,7 +397,7 @@ int lis3lv02d_poweron(struct lis3lv02d *lis3)
|
||||
lis3->write(lis3, CTRL_REG2, reg);
|
||||
@@ -434,7 +434,7 @@ int lis3lv02d_poweron(struct lis3lv02d *lis3)
|
||||
}
|
||||
}
|
||||
|
||||
- err = lis3lv02d_get_pwron_wait(lis3);
|
||||
@ -78,5 +75,5 @@ index 35c67e0..42dce2a 100644
|
||||
return err;
|
||||
|
||||
--
|
||||
1.7.7.1
|
||||
1.9.3
|
||||
|
||||
|
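Review bot: The Signed-off-by trailer still reads `Signed-off-by: ??ric Piel <eric.piel@tremplin-utc.net>` while the From: header a few lines above is now properly MIME-encoded as `=?UTF-8?q?=C3=89ric=20Piel?=`; the `??` is a mis-decoded 'É', so the DCO trailer names a different string than the author and `git am` will carry it into the commit verbatim. Since this cleanup's stated goal is `git am`-acceptable patches, the trailer should be repaired to `Signed-off-by: Éric Piel <eric.piel@tremplin-utc.net>`; the header block already declares `Content-Type: text/plain; charset=UTF-8` and `Content-Transfer-Encoding: 8bit`, so the raw UTF-8 character is safe in this file. The trailer is unchanged context in this hunk, so the defect predates the commit but is not fixed by it.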
@ -1,623 +0,0 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard for now
|
||||
|
||||
|
||||
From ca81c32a62c0330afedb506324ace85cc0116eaf Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Tue, 23 Oct 2012 09:30:54 -0400
|
||||
Subject: [PATCH 1/5] Add EFI signature data types
|
||||
|
||||
Add the data types that are used for containing hashes, keys and certificates
|
||||
for cryptographic verification.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
include/linux/efi.h | 20 ++++++++++++++++++++
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 3f683a13d7aa..27aae6eb65d8 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -581,6 +581,12 @@ void efi_native_runtime_setup(void);
|
||||
#define DEVICE_TREE_GUID \
|
||||
EFI_GUID( 0xb1b621d5, 0xf19c, 0x41a5, 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0 )
|
||||
|
||||
+#define EFI_CERT_SHA256_GUID \
|
||||
+ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 )
|
||||
+
|
||||
+#define EFI_CERT_X509_GUID \
|
||||
+ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
|
||||
+
|
||||
typedef struct {
|
||||
efi_guid_t guid;
|
||||
u64 table;
|
||||
@@ -796,6 +802,20 @@ typedef struct _efi_file_io_interface {
|
||||
|
||||
#define EFI_INVALID_TABLE_ADDR (~0UL)
|
||||
|
||||
+typedef struct {
|
||||
+ efi_guid_t signature_owner;
|
||||
+ u8 signature_data[];
|
||||
+} efi_signature_data_t;
|
||||
+
|
||||
+typedef struct {
|
||||
+ efi_guid_t signature_type;
|
||||
+ u32 signature_list_size;
|
||||
+ u32 signature_header_size;
|
||||
+ u32 signature_size;
|
||||
+ u8 signature_header[];
|
||||
+ /* efi_signature_data_t signatures[][] */
|
||||
+} efi_signature_list_t;
|
||||
+
|
||||
/*
|
||||
* All runtime access to EFI goes through this structure:
|
||||
*/
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 8662475501e4f68f872c86f5e915c204ccae0cb2 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
||||
Subject: [PATCH 2/5] Add an EFI signature blob parser and key loader.
|
||||
|
||||
X.509 certificates are loaded into the specified keyring as asymmetric type
|
||||
keys.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
crypto/asymmetric_keys/Kconfig | 8 +++
|
||||
crypto/asymmetric_keys/Makefile | 1 +
|
||||
crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
|
||||
include/linux/efi.h | 4 ++
|
||||
4 files changed, 122 insertions(+)
|
||||
create mode 100644 crypto/asymmetric_keys/efi_parser.c
|
||||
|
||||
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
|
||||
index 4870f28403f5..4a1b50d73b80 100644
|
||||
--- a/crypto/asymmetric_keys/Kconfig
|
||||
+++ b/crypto/asymmetric_keys/Kconfig
|
||||
@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
|
||||
This option provides support for verifying the signature(s) on a
|
||||
signed PE binary.
|
||||
|
||||
+config EFI_SIGNATURE_LIST_PARSER
|
||||
+ bool "EFI signature list parser"
|
||||
+ depends on EFI
|
||||
+ select X509_CERTIFICATE_PARSER
|
||||
+ help
|
||||
+ This option provides support for parsing EFI signature lists for
|
||||
+ X.509 certificates and turning them into keys.
|
||||
+
|
||||
endif # ASYMMETRIC_KEY_TYPE
|
||||
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
|
||||
index e47fcd9ac5e8..6512f6596785 100644
|
||||
--- a/crypto/asymmetric_keys/Makefile
|
||||
+++ b/crypto/asymmetric_keys/Makefile
|
||||
@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o
|
||||
|
||||
obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
|
||||
obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o
|
||||
+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
|
||||
|
||||
#
|
||||
# X.509 Certificate handling
|
||||
diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
|
||||
new file mode 100644
|
||||
index 000000000000..424896a0b169
|
||||
--- /dev/null
|
||||
+++ b/crypto/asymmetric_keys/efi_parser.c
|
||||
@@ -0,0 +1,109 @@
|
||||
+/* EFI signature/key/certificate list parser
|
||||
+ *
|
||||
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
||||
+ * Written by David Howells (dhowells@redhat.com)
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public Licence
|
||||
+ * as published by the Free Software Foundation; either version
|
||||
+ * 2 of the Licence, or (at your option) any later version.
|
||||
+ */
|
||||
+
|
||||
+#define pr_fmt(fmt) "EFI: "fmt
|
||||
+#include <linux/module.h>
|
||||
+#include <linux/printk.h>
|
||||
+#include <linux/err.h>
|
||||
+#include <linux/efi.h>
|
||||
+#include <keys/asymmetric-type.h>
|
||||
+
|
||||
+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
|
||||
+
|
||||
+/**
|
||||
+ * parse_efi_signature_list - Parse an EFI signature list for certificates
|
||||
+ * @data: The data blob to parse
|
||||
+ * @size: The size of the data blob
|
||||
+ * @keyring: The keyring to add extracted keys to
|
||||
+ */
|
||||
+int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring)
|
||||
+{
|
||||
+ unsigned offs = 0;
|
||||
+ size_t lsize, esize, hsize, elsize;
|
||||
+
|
||||
+ pr_devel("-->%s(,%zu)\n", __func__, size);
|
||||
+
|
||||
+ while (size > 0) {
|
||||
+ efi_signature_list_t list;
|
||||
+ const efi_signature_data_t *elem;
|
||||
+ key_ref_t key;
|
||||
+
|
||||
+ if (size < sizeof(list))
|
||||
+ return -EBADMSG;
|
||||
+
|
||||
+ memcpy(&list, data, sizeof(list));
|
||||
+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",
|
||||
+ offs,
|
||||
+ list.signature_type.b, list.signature_list_size,
|
||||
+ list.signature_header_size, list.signature_size);
|
||||
+
|
||||
+ lsize = list.signature_list_size;
|
||||
+ hsize = list.signature_header_size;
|
||||
+ esize = list.signature_size;
|
||||
+ elsize = lsize - sizeof(list) - hsize;
|
||||
+
|
||||
+ if (lsize > size) {
|
||||
+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",
|
||||
+ __func__, offs);
|
||||
+ return -EBADMSG;
|
||||
+ }
|
||||
+ if (lsize < sizeof(list) ||
|
||||
+ lsize - sizeof(list) < hsize ||
|
||||
+ esize < sizeof(*elem) ||
|
||||
+ elsize < esize ||
|
||||
+ elsize % esize != 0) {
|
||||
+ pr_devel("- bad size combo @%x\n", offs);
|
||||
+ return -EBADMSG;
|
||||
+ }
|
||||
+
|
||||
+ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) {
|
||||
+ data += lsize;
|
||||
+ size -= lsize;
|
||||
+ offs += lsize;
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ data += sizeof(list) + hsize;
|
||||
+ size -= sizeof(list) + hsize;
|
||||
+ offs += sizeof(list) + hsize;
|
||||
+
|
||||
+ for (; elsize > 0; elsize -= esize) {
|
||||
+ elem = data;
|
||||
+
|
||||
+ pr_devel("ELEM[%04x]\n", offs);
|
||||
+
|
||||
+ key = key_create_or_update(
|
||||
+ make_key_ref(keyring, 1),
|
||||
+ "asymmetric",
|
||||
+ NULL,
|
||||
+ &elem->signature_data,
|
||||
+ esize - sizeof(*elem),
|
||||
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||
+ KEY_USR_VIEW,
|
||||
+ KEY_ALLOC_NOT_IN_QUOTA |
|
||||
+ KEY_ALLOC_TRUSTED);
|
||||
+
|
||||
+ if (IS_ERR(key))
|
||||
+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
|
||||
+ PTR_ERR(key));
|
||||
+ else
|
||||
+ pr_notice("Loaded cert '%s' linked to '%s'\n",
|
||||
+ key_ref_to_ptr(key)->description,
|
||||
+ keyring->description);
|
||||
+
|
||||
+ data += esize;
|
||||
+ size -= esize;
|
||||
+ offs += esize;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 27aae6eb65d8..353dd105533e 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -906,6 +906,10 @@ extern bool efi_poweroff_required(void);
|
||||
(md) <= (efi_memory_desc_t *)((m)->map_end - (m)->desc_size); \
|
||||
(md) = (void *)(md) + (m)->desc_size)
|
||||
|
||||
+struct key;
|
||||
+extern int __init parse_efi_signature_list(const void *data, size_t size,
|
||||
+ struct key *keyring);
|
||||
+
|
||||
/**
|
||||
* efi_range_is_wc - check the WC bit on an address range
|
||||
* @start: starting kvirt address
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From d5bc057ec6b984222b76622b2222485bef771ceb Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 26 Oct 2012 12:36:24 -0400
|
||||
Subject: [PATCH 3/5] KEYS: Add a system blacklist keyring
|
||||
|
||||
This adds an additional keyring that is used to store certificates that
|
||||
are blacklisted. This keyring is searched first when loading signed modules
|
||||
and if the module's certificate is found, it will refuse to load. This is
|
||||
useful in cases where third party certificates are used for module signing.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
include/keys/system_keyring.h | 4 ++++
|
||||
init/Kconfig | 9 +++++++++
|
||||
kernel/module_signing.c | 12 ++++++++++++
|
||||
kernel/system_keyring.c | 17 +++++++++++++++++
|
||||
4 files changed, 42 insertions(+)
|
||||
|
||||
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
|
||||
index 72665eb80692..2c7b80d31366 100644
|
||||
--- a/include/keys/system_keyring.h
|
||||
+++ b/include/keys/system_keyring.h
|
||||
@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
+extern struct key *system_blacklist_keyring;
|
||||
+#endif
|
||||
+
|
||||
#endif /* _KEYS_SYSTEM_KEYRING_H */
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index a291b7ef4738..7c199415ee28 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -1715,6 +1715,15 @@ config SYSTEM_TRUSTED_KEYRING
|
||||
|
||||
Keys in this keyring are used by module signature checking.
|
||||
|
||||
+config SYSTEM_BLACKLIST_KEYRING
|
||||
+ bool "Provide system-wide ring of blacklisted keys"
|
||||
+ depends on KEYS
|
||||
+ help
|
||||
+ Provide a system keyring to which blacklisted keys can be added.
|
||||
+ Keys in the keyring are considered entirely untrusted. Keys in this
|
||||
+ keyring are used by the module signature checking to reject loading
|
||||
+ of modules signed with a blacklisted key.
|
||||
+
|
||||
config PROFILING
|
||||
bool "Profiling support"
|
||||
help
|
||||
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
|
||||
index be5b8fac4bd0..fed815fcdaf2 100644
|
||||
--- a/kernel/module_signing.c
|
||||
+++ b/kernel/module_signing.c
|
||||
@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
|
||||
|
||||
pr_debug("Look up: \"%s\"\n", id);
|
||||
|
||||
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
+ key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
|
||||
+ &key_type_asymmetric, id);
|
||||
+ if (!IS_ERR(key)) {
|
||||
+ /* module is signed with a cert in the blacklist. reject */
|
||||
+ pr_err("Module key '%s' is in blacklist\n", id);
|
||||
+ key_ref_put(key);
|
||||
+ kfree(id);
|
||||
+ return ERR_PTR(-EKEYREJECTED);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
key = keyring_search(make_key_ref(system_trusted_keyring, 1),
|
||||
&key_type_asymmetric, id);
|
||||
if (IS_ERR(key))
|
||||
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
|
||||
index 875f64e8935b..c15e93f5a418 100644
|
||||
--- a/kernel/system_keyring.c
|
||||
+++ b/kernel/system_keyring.c
|
||||
@@ -20,6 +20,9 @@
|
||||
|
||||
struct key *system_trusted_keyring;
|
||||
EXPORT_SYMBOL_GPL(system_trusted_keyring);
|
||||
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
+struct key *system_blacklist_keyring;
|
||||
+#endif
|
||||
|
||||
extern __initconst const u8 system_certificate_list[];
|
||||
extern __initconst const unsigned long system_certificate_list_size;
|
||||
@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
|
||||
panic("Can't allocate system trusted keyring\n");
|
||||
|
||||
set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
|
||||
+
|
||||
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
|
||||
+ KUIDT_INIT(0), KGIDT_INIT(0),
|
||||
+ current_cred(),
|
||||
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||
+ KEY_USR_VIEW | KEY_USR_READ,
|
||||
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
|
||||
+ if (IS_ERR(system_blacklist_keyring))
|
||||
+ panic("Can't allocate system blacklist keyring\n");
|
||||
+
|
||||
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
|
||||
+#endif
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 2f1892982340c8219cb07e38ca06275e67f7caf2 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
||||
Subject: [PATCH 4/5] MODSIGN: Import certificates from UEFI Secure Boot
|
||||
|
||||
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
||||
This imports those certificates into the system trusted keyring. This
|
||||
allows for a third party signing certificate to be used in conjunction
|
||||
with signed modules. By importing the public certificate into the 'db'
|
||||
variable, a user can allow a module signed with that certificate to
|
||||
load. The shim UEFI bootloader has a similar certificate list stored
|
||||
in the 'MokListRT' variable. We import those as well.
|
||||
|
||||
In the opposite case, Secure Boot maintains a list of disallowed
|
||||
certificates in the 'dbx' variable. We load those certificates into
|
||||
the newly introduced system blacklist keyring and forbid any module
|
||||
signed with those from loading.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
include/linux/efi.h | 6 ++++
|
||||
init/Kconfig | 9 +++++
|
||||
kernel/Makefile | 3 ++
|
||||
kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 110 insertions(+)
|
||||
create mode 100644 kernel/modsign_uefi.c
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 353dd105533e..f89c9a427dd4 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -587,6 +587,12 @@ void efi_native_runtime_setup(void);
|
||||
#define EFI_CERT_X509_GUID \
|
||||
EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
|
||||
|
||||
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
|
||||
+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
|
||||
+
|
||||
+#define EFI_SHIM_LOCK_GUID \
|
||||
+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
|
||||
+
|
||||
typedef struct {
|
||||
efi_guid_t guid;
|
||||
u64 table;
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index 7c199415ee28..673796afbf7d 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -1869,6 +1869,15 @@ config MODULE_SIG_ALL
|
||||
comment "Do not forget to sign required modules with scripts/sign-file"
|
||||
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
|
||||
|
||||
+config MODULE_SIG_UEFI
|
||||
+ bool "Allow modules signed with certs stored in UEFI"
|
||||
+ depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI
|
||||
+ select EFI_SIGNATURE_LIST_PARSER
|
||||
+ help
|
||||
+ This will import certificates stored in UEFI and allow modules
|
||||
+ signed with those to be loaded. It will also disallow loading
|
||||
+ of modules stored in the UEFI dbx variable.
|
||||
+
|
||||
choice
|
||||
prompt "Which hash algorithm should modules be signed with?"
|
||||
depends on MODULE_SIG
|
||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||
index 0026cf531769..63f3d0023798 100644
|
||||
--- a/kernel/Makefile
|
||||
+++ b/kernel/Makefile
|
||||
@@ -45,6 +45,7 @@ obj-$(CONFIG_UID16) += uid16.o
|
||||
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
|
||||
obj-$(CONFIG_MODULES) += module.o
|
||||
obj-$(CONFIG_MODULE_SIG) += module_signing.o
|
||||
+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
|
||||
obj-$(CONFIG_KALLSYMS) += kallsyms.o
|
||||
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
|
||||
obj-$(CONFIG_KEXEC) += kexec.o
|
||||
@@ -99,6 +100,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
|
||||
|
||||
$(obj)/configs.o: $(obj)/config_data.h
|
||||
|
||||
+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
|
||||
+
|
||||
# config_data.h contains the same information as ikconfig.h but gzipped.
|
||||
# Info from config_data can be extracted from /proc/config*
|
||||
targets += config_data.gz
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
new file mode 100644
|
||||
index 000000000000..94b0eb38a284
|
||||
--- /dev/null
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -0,0 +1,92 @@
|
||||
+#include <linux/kernel.h>
|
||||
+#include <linux/sched.h>
|
||||
+#include <linux/cred.h>
|
||||
+#include <linux/err.h>
|
||||
+#include <linux/efi.h>
|
||||
+#include <linux/slab.h>
|
||||
+#include <keys/asymmetric-type.h>
|
||||
+#include <keys/system_keyring.h>
|
||||
+#include "module-internal.h"
|
||||
+
|
||||
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
|
||||
+{
|
||||
+ efi_status_t status;
|
||||
+ unsigned long lsize = 4;
|
||||
+ unsigned long tmpdb[4];
|
||||
+ void *db = NULL;
|
||||
+
|
||||
+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
|
||||
+ if (status != EFI_BUFFER_TOO_SMALL) {
|
||||
+ pr_err("Couldn't get size: 0x%lx\n", status);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ db = kmalloc(lsize, GFP_KERNEL);
|
||||
+ if (!db) {
|
||||
+ pr_err("Couldn't allocate memory for uefi cert list\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ status = efi.get_variable(name, guid, NULL, &lsize, db);
|
||||
+ if (status != EFI_SUCCESS) {
|
||||
+ kfree(db);
|
||||
+ db = NULL;
|
||||
+ pr_err("Error reading db var: 0x%lx\n", status);
|
||||
+ }
|
||||
+out:
|
||||
+ *size = lsize;
|
||||
+ return db;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * * Load the certs contained in the UEFI databases
|
||||
+ * */
|
||||
+static int __init load_uefi_certs(void)
|
||||
+{
|
||||
+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
|
||||
+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
||||
+ void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||
+ int rc = 0;
|
||||
+
|
||||
+ /* Check if SB is enabled and just return if not */
|
||||
+ if (!efi_enabled(EFI_SECURE_BOOT))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
|
||||
+ * an error if we can't get them.
|
||||
+ */
|
||||
+ db = get_cert_list(L"db", &secure_var, &dbsize);
|
||||
+ if (!db) {
|
||||
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
+ kfree(db);
|
||||
+ }
|
||||
+
|
||||
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
+ if (!mok) {
|
||||
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
|
||||
+ kfree(mok);
|
||||
+ }
|
||||
+
|
||||
+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
|
||||
+ if (!dbx) {
|
||||
+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(dbx, dbxsize,
|
||||
+ system_blacklist_keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
|
||||
+ kfree(dbx);
|
||||
+ }
|
||||
+
|
||||
+ return rc;
|
||||
+}
|
||||
+late_initcall(load_uefi_certs);
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 396b99487836b7e5bb37422f4ffb32e722b9f794 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Thu, 3 Oct 2013 10:14:23 -0400
|
||||
Subject: [PATCH 5/5] MODSIGN: Support not importing certs from db
|
||||
|
||||
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
||||
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
|
||||
Have the uefi import code look for this and not import things from the db
|
||||
variable.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
|
||||
1 file changed, 31 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
index 94b0eb38a284..ae28b974d49a 100644
|
||||
--- a/kernel/modsign_uefi.c
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -8,6 +8,23 @@
|
||||
#include <keys/system_keyring.h>
|
||||
#include "module-internal.h"
|
||||
|
||||
+static __init int check_ignore_db(void)
|
||||
+{
|
||||
+ efi_status_t status;
|
||||
+ unsigned int db = 0;
|
||||
+ unsigned long size = sizeof(db);
|
||||
+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
|
||||
+
|
||||
+ /* Check and see if the MokIgnoreDB variable exists. If that fails
|
||||
+ * then we don't ignore DB. If it succeeds, we do.
|
||||
+ */
|
||||
+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
|
||||
+ if (status != EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
|
||||
{
|
||||
efi_status_t status;
|
||||
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
|
||||
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
||||
void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||
- int rc = 0;
|
||||
+ int ignore_db, rc = 0;
|
||||
|
||||
/* Check if SB is enabled and just return if not */
|
||||
if (!efi_enabled(EFI_SECURE_BOOT))
|
||||
return 0;
|
||||
|
||||
+ /* See if the user has setup Ignore DB mode */
|
||||
+ ignore_db = check_ignore_db();
|
||||
+
|
||||
/* Get db, MokListRT, and dbx. They might not exist, so it isn't
|
||||
* an error if we can't get them.
|
||||
*/
|
||||
- db = get_cert_list(L"db", &secure_var, &dbsize);
|
||||
- if (!db) {
|
||||
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
- } else {
|
||||
- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
- if (rc)
|
||||
- pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
- kfree(db);
|
||||
+ if (!ignore_db) {
|
||||
+ db = get_cert_list(L"db", &secure_var, &dbsize);
|
||||
+ if (!db) {
|
||||
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
+ kfree(db);
|
||||
+ }
|
||||
}
|
||||
|
||||
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
--
|
||||
2.0.4
|
||||
|
@ -1,11 +1,19 @@
|
||||
From 782885a741ad73ca03683ddec92b04399c6eae24 Mon Sep 17 00:00:00 2001
|
||||
From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org>
|
||||
Date: Thu, 29 Jul 2010 16:46:31 -0700
|
||||
Subject: [PATCH] no pcspkr modalias
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
---
|
||||
drivers/input/misc/pcspkr.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/input/misc/pcspkr.c b/drivers/input/misc/pcspkr.c
|
||||
index 34f4d2e..3e40c70 100644
|
||||
index 674a2cfc3c0e..9a2807227c69 100644
|
||||
--- a/drivers/input/misc/pcspkr.c
|
||||
+++ b/drivers/input/misc/pcspkr.c
|
||||
@@ -24,7 +24,6 @@
|
||||
@@ -23,7 +23,6 @@
|
||||
MODULE_AUTHOR("Vojtech Pavlik <vojtech@ucw.cz>");
|
||||
MODULE_DESCRIPTION("PC Speaker beeper driver");
|
||||
MODULE_LICENSE("GPL");
|
||||
@ -13,3 +21,6 @@ index 34f4d2e..3e40c70 100644
|
||||
|
||||
static int pcspkr_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
|
||||
{
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
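--- a/perf-install-trace-event-plugins.patch
+++ b/perf-install-trace-event-plugins.patch
@@ -0,0 +1,31 @@
+From 0abf5980c420adf5846fc25fd5c5a907d131afcc Mon Sep 17 00:00:00 2001
+From: Kyle McMartin <kmcmarti@redhat.com>
+Date: Mon, 2 Jun 2014 15:11:01 -0400
+Subject: [PATCH] perf: install trace-event plugins
+
+perf hardcodes $libdir to be lib for all but x86_64, so kludge around it
+until upstream gets their act together.
+---
+tools/perf/config/Makefile | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile
+index 86c21a24da46..bf0fe97bd358 100644
+--- a/tools/perf/config/Makefile
++++ b/tools/perf/config/Makefile
+@@ -642,8 +642,12 @@ endif
+ifeq ($(IS_X86_64),1)
+lib = lib64
+else
++ifdef MULTILIBDIR
++lib = $(MULTILIBDIR)
++else
+lib = lib
+endif
++endif
+libdir = $(prefix)/$(lib)
+
+# Shell quote (do not use $(call) to accommodate ancient setups);
+--
+1.9.3
+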
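Review bot: The patch carries no Signed-off-by trailer — the description `perf hardcodes $libdir ...` runs straight into the `---` separator — so for a series that is being made `git am`-clean, the DCO record of who vouches for the change is missing; a `Signed-off-by: Kyle McMartin <kmcmarti@redhat.com>` line matching the From: header, placed before `---`, would fix that. In the Makefile hunk, `ifdef MULTILIBDIR` is satisfied by a variable inherited from the environment as well as one passed on the make command line, so a stray exported MULTILIBDIR in a build chroot silently redirects where the trace-event plugins are installed; a one-line comment such as `# MULTILIBDIR is passed in by the kernel spec to pick the multilib libdir` above the `ifdef`, or a sentence in the description, would make the intended source of the value explicit. Where MULTILIBDIR is actually set is not visible from this file, so treat the second point as a documentation request rather than a defect.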
@ -1,17 +0,0 @@
|
||||
diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile
|
||||
index 802cf54..7f30bfa 100644
|
||||
--- a/tools/perf/config/Makefile
|
||||
+++ b/tools/perf/config/Makefile
|
||||
@@ -621,8 +621,12 @@ endif
|
||||
ifeq ($(IS_X86_64),1)
|
||||
lib = lib64
|
||||
else
|
||||
+ifdef MULTILIBDIR
|
||||
+lib = $(MULTILIBDIR)
|
||||
+else
|
||||
lib = lib
|
||||
endif
|
||||
+endif
|
||||
libdir = $(prefix)/$(lib)
|
||||
|
||||
# Shell quote (do not use $(call) to accommodate ancient setups);
|
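--- a/pinctrl-pinctrl-single-must-be-initialized-early.patch
+++ b/pinctrl-pinctrl-single-must-be-initialized-early.patch
@@ -0,0 +1,38 @@
+From 8946fa3addc278d256c2f687381be65d3ad3a7b1 Mon Sep 17 00:00:00 2001
+From: Pantelis Antoniou <panto@antoniou-consulting.com>
+Date: Sat, 15 Sep 2012 12:00:41 +0300
+Subject: [PATCH] pinctrl: pinctrl-single must be initialized early.
+
+When using pinctrl-single to handle i2c initialization, it has
+to be done early. Whether this is the best way to do so, is an
+exercise left to the reader.
+---
+drivers/pinctrl/pinctrl-single.c | 12 +++++++++++-
+1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index 95dd9cf55cb3..800fc34d7ea9 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -2012,7 +2012,17 @@ static struct platform_driver pcs_driver = {
+#endif
+};
+
+-module_platform_driver(pcs_driver);
++static int __init pcs_init(void)
++{
++ return platform_driver_register(&pcs_driver);
++}
++postcore_initcall(pcs_init);
++
++static void __exit pcs_exit(void)
++{
++ platform_driver_unregister(&pcs_driver);
++}
++module_exit(pcs_exit);
+
+MODULE_AUTHOR("Tony Lindgren <tony@atomide.com>");
+MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver");
+--
+1.9.3
+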
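Review bot: The patch has no Signed-off-by and, unlike the neighbouring Fedora patches touched by this cleanup, no `Bugzilla:` / `Upstream-status:` lines, and its description ends with `exercise left to the reader`, so a reader of the new file cannot tell who vouches for it or whether it was ever proposed upstream; adding `Signed-off-by: Pantelis Antoniou <panto@antoniou-consulting.com>` (matching the From: header) and an `Upstream-status:` line before `---` would bring it in line with the rest of the series. In the C hunk, `postcore_initcall(pcs_init)` plus `module_exit(pcs_exit)` replaces `module_platform_driver(pcs_driver)` with no comment recording why; a short comment above `pcs_init`, e.g. `/* Registered at postcore_initcall instead of module_platform_driver so the pin setup is done before i2c initialization; see commit message */`, would keep the rationale with the code when the patch is rebased. Whether postcore is early enough relative to the pinctrl core's own initcall is not visible from this hunk, so that ordering assumption is worth stating in the description as well.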
@ -1,21 +1,19 @@
Bugzilla: 861573
Upstream-status: Waiting for feedback from reporter
From 2fa2078cdd4198b49c02cb03087158d398476463 Mon Sep 17 00:00:00 2001
From 6a7fb976264a8b7bd05daa8db9d58338ef6b3632 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Mon, 2 Jun 2014 17:40:59 +0200
Subject: [PATCH 02/14] samsung-laptop: Add broken-acpi-video quirk for
NC210/NC110
Subject: [PATCH] samsung-laptop: Add broken-acpi-video quirk for NC210/NC110
Reported (and tested) here:
https://bugzilla.redhat.com/show_bug.cgi?id=861573
Bugzilla: 861573
Upstream-status: Waiting for feedback from reporter
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/platform/x86/samsung-laptop.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
index 5a5966512277..0d7954e0fc74 100644
--- a/drivers/platform/x86/samsung-laptop.c
@ -37,3 +35,6 @@ index 5a5966512277..0d7954e0fc74 100644
{ },
};
MODULE_DEVICE_TABLE(dmi, samsung_dmi_table);
--
1.9.3
@ -1,115 +0,0 @@
Bugzilla: N/A
Upstream-status: Fedora mustard
From 9cdffb6980a2c573844b4b87f907da24d68fb916 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 14:02:09 -0400
Subject: [PATCH] hibernate: Disable in a signed modules environment
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it in
a secure modules environment.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.com>
---
kernel/power/hibernate.c | 16 +++++++++++++++-
kernel/power/main.c | 7 ++++++-
kernel/power/user.c | 1 +
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 49e0a20fd010..777eff68e8ef 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -29,6 +29,8 @@
#include <linux/ctype.h>
#include <linux/genhd.h>
#include <trace/events/power.h>
+#include <linux/module.h>
+#include <linux/efi.h>
#include "power.h"
@@ -642,6 +644,10 @@ int hibernate(void)
{
int error;
+ if (secure_modules()) {
+ return -EPERM;
+ }
+
lock_system_sleep();
/* The snapshot device should not be opened while we're running */
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
@@ -734,7 +740,7 @@ static int software_resume(void)
/*
* If the user said "noresume".. bail out early.
*/
- if (noresume)
+ if (noresume || secure_modules())
return 0;
/*
@@ -900,6 +906,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
int i;
char *start = buf;
+ if (efi_enabled(EFI_SECURE_BOOT)) {
+ buf += sprintf(buf, "[%s]\n", "disabled");
+ return buf-start;
+ }
+
for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
if (!hibernation_modes[i])
continue;
@@ -934,6 +945,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
char *p;
int mode = HIBERNATION_INVALID;
+ if (secure_modules())
+ return -EPERM;
+
p = memchr(buf, '\n', n);
len = p ? p - buf : n;
diff --git a/kernel/power/main.c b/kernel/power/main.c
index 573410d6647e..f5201093adc4 100644
--- a/kernel/power/main.c
+++ b/kernel/power/main.c
@@ -15,6 +15,7 @@
#include <linux/workqueue.h>
#include <linux/debugfs.h>
#include <linux/seq_file.h>
+#include <linux/efi.h>
#include "power.h"
@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr,
#endif
#ifdef CONFIG_HIBERNATION
- s += sprintf(s, "%s\n", "disk");
+ if (!efi_enabled(EFI_SECURE_BOOT)) {
+ s += sprintf(s, "%s\n", "disk");
+ } else {
+ s += sprintf(s, "\n");
+ }
#else
if (s != buf)
/* convert the last space to a newline */
diff --git a/kernel/power/user.c b/kernel/power/user.c
index efe99dee9510..5f5d1026f1e2 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -25,6 +25,7 @@
#include <linux/cpu.h>
#include <linux/freezer.h>
#include <linux/module.h>
+#include <linux/efi.h>
#include <asm/uaccess.h>
--
1.9.3
@ -1,6 +1,13 @@
From 26fcec7a2c92ad6d31d858d2bd357511ab79ea7c Mon Sep 17 00:00:00 2001
From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org>
Date: Fri, 10 Feb 2012 14:56:13 -0500
Subject: [PATCH] scsi: sd_revalidate_disk prevent NULL ptr deref
Bugzilla: 754518
Upstream-status: Fedora mustard (might be worth dropping...)
---
drivers/scsi/sd.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 2c2041ca4b70..e10812d985af 100644
@ -26,3 +33,6 @@ index 2c2041ca4b70..e10812d985af 100644
/*
* If the device is offline, don't try and read capacity or any
* of the other niceties.
--
1.9.3
@ -1,877 +0,0 @@
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd
|
||||
|
||||
From c66361cce3b23ea9c7fa8010f55e1fe31c23d5b1 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 17:58:15 -0400
|
||||
Subject: [PATCH 01/14] Add secure_modules() call
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
has been configured to either disable module loading entirely or to load
|
||||
only modules signed with a trusted key.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
include/linux/module.h | 7 +++++++
|
||||
kernel/module.c | 10 ++++++++++
|
||||
2 files changed, 17 insertions(+)
|
||||
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index f520a767c86c..fc9b54eb779e 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block *nb);
|
||||
|
||||
extern void print_modules(void);
|
||||
|
||||
+extern bool secure_modules(void);
|
||||
+
|
||||
#else /* !CONFIG_MODULES... */
|
||||
|
||||
/* Given an address, look for it in the exception tables. */
|
||||
@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
|
||||
static inline void print_modules(void)
|
||||
{
|
||||
}
|
||||
+
|
||||
+static inline bool secure_modules(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
#endif /* CONFIG_MODULES */
|
||||
|
||||
#ifdef CONFIG_SYSFS
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index ae79ce615cb9..e8909e2a8b96 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -3839,3 +3839,13 @@ void module_layout(struct module *mod,
|
||||
}
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
+
|
||||
+bool secure_modules(void)
|
||||
+{
|
||||
+#ifdef CONFIG_MODULE_SIG
|
||||
+ return (sig_enforce || modules_disabled);
|
||||
+#else
|
||||
+ return modules_disabled;
|
||||
+#endif
|
||||
+}
|
||||
+EXPORT_SYMBOL(secure_modules);
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From eb614212bd2ad9acb2a279c669624a174899e0d5 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:10:38 -0500
|
||||
Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
|
||||
enabled
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down from
|
||||
userspace in order to avoid it being possible for an attacker to modify
|
||||
kernel code, allowing them to circumvent disabled module loading or module
|
||||
signing. Default to paranoid - in future we can potentially relax this for
|
||||
sufficiently IOMMU-isolated devices.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
drivers/pci/pci-sysfs.c | 10 ++++++++++
|
||||
drivers/pci/proc.c | 8 +++++++-
|
||||
drivers/pci/syscall.c | 3 ++-
|
||||
3 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
|
||||
index 9ff0a901ecf7..8d0d5d92b8d9 100644
|
||||
--- a/drivers/pci/pci-sysfs.c
|
||||
+++ b/drivers/pci/pci-sysfs.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#include <linux/vgaarb.h>
|
||||
#include <linux/pm_runtime.h>
|
||||
#include <linux/of.h>
|
||||
+#include <linux/module.h>
|
||||
#include "pci.h"
|
||||
|
||||
static int sysfs_initialized; /* = 0 */
|
||||
@@ -704,6 +705,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
|
||||
loff_t init_off = off;
|
||||
u8 *data = (u8 *) buf;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (off > dev->cfg_size)
|
||||
return 0;
|
||||
if (off + count > dev->cfg_size) {
|
||||
@@ -998,6 +1002,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
|
||||
resource_size_t start, end;
|
||||
int i;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
for (i = 0; i < PCI_ROM_RESOURCE; i++)
|
||||
if (res == &pdev->resource[i])
|
||||
break;
|
||||
@@ -1099,6 +1106,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
|
||||
struct bin_attribute *attr, char *buf,
|
||||
loff_t off, size_t count)
|
||||
{
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
return pci_resource_io(filp, kobj, attr, buf, off, count, true);
|
||||
}
|
||||
|
||||
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
|
||||
index 3f155e78513f..4265ea07e3b0 100644
|
||||
--- a/drivers/pci/proc.c
|
||||
+++ b/drivers/pci/proc.c
|
||||
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
|
||||
int size = dev->cfg_size;
|
||||
int cnt;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (pos >= size)
|
||||
return 0;
|
||||
if (nbytes >= size)
|
||||
@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
|
||||
#endif /* HAVE_PCI_MMAP */
|
||||
int ret = 0;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
switch (cmd) {
|
||||
case PCIIOC_CONTROLLER:
|
||||
ret = pci_domain_nr(dev->bus);
|
||||
@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
|
||||
struct pci_filp_private *fpriv = file->private_data;
|
||||
int i, ret;
|
||||
|
||||
- if (!capable(CAP_SYS_RAWIO))
|
||||
+ if (!capable(CAP_SYS_RAWIO) || secure_modules())
|
||||
return -EPERM;
|
||||
|
||||
/* Make sure the caller is mapping a real resource for this device */
|
||||
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
|
||||
index b91c4da68365..98f5637304d1 100644
|
||||
--- a/drivers/pci/syscall.c
|
||||
+++ b/drivers/pci/syscall.c
|
||||
@@ -10,6 +10,7 @@
|
||||
#include <linux/errno.h>
|
||||
#include <linux/pci.h>
|
||||
#include <linux/syscalls.h>
|
||||
+#include <linux/module.h>
|
||||
#include <asm/uaccess.h>
|
||||
#include "pci.h"
|
||||
|
||||
@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
|
||||
u32 dword;
|
||||
int err = 0;
|
||||
|
||||
- if (!capable(CAP_SYS_ADMIN))
|
||||
+ if (!capable(CAP_SYS_ADMIN) || secure_modules())
|
||||
return -EPERM;
|
||||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 6774235b4571f527a2a101c291434f43fc8b668c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:35:59 -0500
|
||||
Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
|
||||
enabled
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
registers, which in turn (on a lot of hardware) give access to MMIO register
|
||||
space. This would potentially permit root to trigger arbitrary DMA, so lock
|
||||
it down by default.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
arch/x86/kernel/ioport.c | 5 +++--
|
||||
drivers/char/mem.c | 4 ++++
|
||||
2 files changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
|
||||
index 4ddaf66ea35f..00b440307419 100644
|
||||
--- a/arch/x86/kernel/ioport.c
|
||||
+++ b/arch/x86/kernel/ioport.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <linux/thread_info.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/bitmap.h>
|
||||
+#include <linux/module.h>
|
||||
#include <asm/syscalls.h>
|
||||
|
||||
/*
|
||||
@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
|
||||
|
||||
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
|
||||
return -EINVAL;
|
||||
- if (turn_on && !capable(CAP_SYS_RAWIO))
|
||||
+ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
|
||||
return -EINVAL;
|
||||
/* Trying to gain more privileges? */
|
||||
if (level > old) {
|
||||
- if (!capable(CAP_SYS_RAWIO))
|
||||
+ if (!capable(CAP_SYS_RAWIO) || secure_modules())
|
||||
return -EPERM;
|
||||
}
|
||||
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index 917403fe10da..cdf839f9defe 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -27,6 +27,7 @@
|
||||
#include <linux/export.h>
|
||||
#include <linux/io.h>
|
||||
#include <linux/aio.h>
|
||||
+#include <linux/module.h>
|
||||
|
||||
#include <asm/uaccess.h>
|
||||
|
||||
@@ -568,6 +569,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
|
||||
unsigned long i = *ppos;
|
||||
const char __user *tmp = buf;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!access_ok(VERIFY_READ, buf, count))
|
||||
return -EFAULT;
|
||||
while (count-- > 0 && i < 65536) {
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 8693d39f3b0d3f43dbc45f9a1961e695e8a21373 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:39:37 -0500
|
||||
Subject: [PATCH 04/14] ACPI: Limit access to custom_method
|
||||
|
||||
custom_method effectively allows arbitrary access to system memory, making
|
||||
it possible for an attacker to circumvent restrictions on module loading.
|
||||
Disable it if any such restrictions have been enabled.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
drivers/acpi/custom_method.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
|
||||
index c68e72414a67..4277938af700 100644
|
||||
--- a/drivers/acpi/custom_method.c
|
||||
+++ b/drivers/acpi/custom_method.c
|
||||
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
|
||||
struct acpi_table_header table;
|
||||
acpi_status status;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!(*ppos)) {
|
||||
/* parse the table header to get the table length */
|
||||
if (count <= sizeof(struct acpi_table_header))
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 7e5fa9a5109284bcd70c8ae2fc82265e2617a31c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:46:50 -0500
|
||||
Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
|
||||
loading is restricted
|
||||
|
||||
We have no way of validating what all of the Asus WMI methods do on a
|
||||
given machine, and there's a risk that some will allow hardware state to
|
||||
be manipulated in such a way that arbitrary code can be executed in the
|
||||
kernel, circumventing module loading restrictions. Prevent that if any of
|
||||
these features are enabled.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
drivers/platform/x86/asus-wmi.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
|
||||
index 3c6ccedc82b6..960c46536c65 100644
|
||||
--- a/drivers/platform/x86/asus-wmi.c
|
||||
+++ b/drivers/platform/x86/asus-wmi.c
|
||||
@@ -1592,6 +1592,9 @@ static int show_dsts(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
|
||||
|
||||
if (err < 0)
|
||||
@@ -1608,6 +1611,9 @@ static int show_devs(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
|
||||
&retval);
|
||||
|
||||
@@ -1632,6 +1638,9 @@ static int show_call(struct seq_file *m, void *data)
|
||||
union acpi_object *obj;
|
||||
acpi_status status;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
|
||||
1, asus->debug.method_id,
|
||||
&input, &output);
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 7ed379a80612df99b1220869003522211d23bd96 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 09:28:15 -0500
|
||||
Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
restricted
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel
|
||||
to be subverted, avoiding module loading restrictions. Prevent this when
|
||||
any restrictions have been imposed on loading modules.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
drivers/char/mem.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index cdf839f9defe..c63cf93b00eb 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
|
||||
if (p != *ppos)
|
||||
return -EFBIG;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!valid_phys_addr_range(p, count))
|
||||
return -EFAULT;
|
||||
|
||||
@@ -502,6 +505,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
|
||||
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
|
||||
int err = 0;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (p < (unsigned long) high_memory) {
|
||||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From c46f20cad9d85bbf467162dddb56759e7b02e0f2 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Mon, 25 Jun 2012 19:57:30 -0400
|
||||
Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
loading is restricted
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
makes it possible for a user to circumvent any restrictions imposed on
|
||||
loading modules. Disable it in that case.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
||||
---
|
||||
drivers/acpi/osl.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
|
||||
index bad25b070fe0..0606585e8b93 100644
|
||||
--- a/drivers/acpi/osl.c
|
||||
+++ b/drivers/acpi/osl.c
|
||||
@@ -44,6 +44,7 @@
|
||||
#include <linux/list.h>
|
||||
#include <linux/jiffies.h>
|
||||
#include <linux/semaphore.h>
|
||||
+#include <linux/module.h>
|
||||
|
||||
#include <asm/io.h>
|
||||
#include <asm/uaccess.h>
|
||||
@@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
|
||||
acpi_physical_address __init acpi_os_get_root_pointer(void)
|
||||
{
|
||||
#ifdef CONFIG_KEXEC
|
||||
- if (acpi_rsdp)
|
||||
+ if (acpi_rsdp && !secure_modules())
|
||||
return acpi_rsdp;
|
||||
#endif
|
||||
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 8cb020222a1602bd196163d132b95bb1f69925b2 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 03:33:56 -0400
|
||||
Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
|
||||
loading restrictions
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
is something that module signing enforcement is meant to prevent. It makes
|
||||
sense to disable kexec in this situation.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
kernel/kexec.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/kernel/kexec.c b/kernel/kexec.c
|
||||
index 4b8f0c925884..df14daa323a9 100644
|
||||
--- a/kernel/kexec.c
|
||||
+++ b/kernel/kexec.c
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <linux/syscore_ops.h>
|
||||
#include <linux/compiler.h>
|
||||
#include <linux/hugetlb.h>
|
||||
+#include <linux/module.h>
|
||||
|
||||
#include <asm/page.h>
|
||||
#include <asm/uaccess.h>
|
||||
@@ -947,6 +948,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
+ * kexec can be used to circumvent module loading restrictions, so
|
||||
+ * prevent loading in that case
|
||||
+ */
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
+ /*
|
||||
* Verify we have a legal set of flags
|
||||
* This leaves us room for future extensions.
|
||||
*/
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 2e30f7a56dcccf68c9c62dfdc791664f07737e94 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
||||
Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is
|
||||
restricted
|
||||
|
||||
Writing to MSRs should not be allowed if module loading is restricted,
|
||||
since it could lead to execution of arbitrary code in kernel mode. Based
|
||||
on a patch by Kees Cook.
|
||||
|
||||
Cc: Kees Cook <keescook@chromium.org>
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
arch/x86/kernel/msr.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
|
||||
index c9603ac80de5..8bef43fc3f40 100644
|
||||
--- a/arch/x86/kernel/msr.c
|
||||
+++ b/arch/x86/kernel/msr.c
|
||||
@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
|
||||
int err = 0;
|
||||
ssize_t bytes = 0;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (count % 8)
|
||||
return -EINVAL; /* Invalid chunk size */
|
||||
|
||||
@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
|
||||
err = -EBADF;
|
||||
break;
|
||||
}
|
||||
+ if (secure_modules()) {
|
||||
+ err = -EPERM;
|
||||
+ break;
|
||||
+ }
|
||||
if (copy_from_user(®s, uregs, sizeof regs)) {
|
||||
err = -EFAULT;
|
||||
break;
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From f3437ca79d1ddd12ebdff439c4c3931ba0081a1e Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
||||
Subject: [PATCH 10/14] Add option to automatically enforce module signatures
|
||||
when in Secure Boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
require that all kernel modules also be signed. Add a configuration option
|
||||
that enforces this automatically when enabled.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
Documentation/x86/zero-page.txt | 2 ++
|
||||
arch/x86/Kconfig | 10 ++++++++++
|
||||
arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++
|
||||
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
|
||||
arch/x86/kernel/setup.c | 6 ++++++
|
||||
include/linux/module.h | 6 ++++++
|
||||
kernel/module.c | 7 +++++++
|
||||
7 files changed, 69 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
|
||||
index 199f453cb4de..ec38acf00b40 100644
|
||||
--- a/Documentation/x86/zero-page.txt
|
||||
+++ b/Documentation/x86/zero-page.txt
|
||||
@@ -30,6 +30,8 @@ Offset Proto Name Meaning
|
||||
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
|
||||
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
|
||||
(below)
|
||||
+1EB/001 ALL kbd_status Numlock is enabled
|
||||
+1EC/001 ALL secure_boot Secure boot is enabled in the firmware
|
||||
1EF/001 ALL sentinel Used to detect broken bootloaders
|
||||
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
|
||||
2D0/A00 ALL e820_map E820 memory map table
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index 6b71f0417293..67e25e3c8583 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1559,6 +1559,16 @@ config EFI_MIXED
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
+config EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
+ def_bool n
|
||||
+ prompt "Force module signing when UEFI Secure Boot is enabled"
|
||||
+ ---help---
|
||||
+ UEFI Secure Boot provides a mechanism for ensuring that the
|
||||
+ firmware will only load signed bootloaders and kernels. Certain
|
||||
+ use cases may also require that all kernel modules also be signed.
|
||||
+ Say Y here to automatically enable module signature enforcement
|
||||
+ when a system boots with UEFI Secure Boot enabled.
|
||||
+
|
||||
config SECCOMP
|
||||
def_bool y
|
||||
prompt "Enable seccomp to safely compute untrusted bytecode"
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index f277184e2ac1..88edd48f03e9 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <asm/efi.h>
|
||||
#include <asm/setup.h>
|
||||
#include <asm/desc.h>
|
||||
+#include <asm/bootparam_utils.h>
|
||||
|
||||
#undef memcpy /* Use memcpy from misc.c */
|
||||
|
||||
@@ -803,6 +804,37 @@ out:
|
||||
return status;
|
||||
}
|
||||
|
||||
+static int get_secure_boot(void)
|
||||
+{
|
||||
+ u8 sb, setup;
|
||||
+ unsigned long datasize = sizeof(sb);
|
||||
+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
|
||||
+ efi_status_t status;
|
||||
+
|
||||
+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
|
||||
+ L"SecureBoot", &var_guid, NULL, &datasize, &sb);
|
||||
+
|
||||
+ if (status != EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (sb == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+
|
||||
+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
|
||||
+ L"SetupMode", &var_guid, NULL, &datasize,
|
||||
+ &setup);
|
||||
+
|
||||
+ if (status != EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (setup == 1)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+
|
||||
/*
|
||||
* See if we have Graphics Output Protocol
|
||||
*/
|
||||
@@ -1374,6 +1406,10 @@ struct boot_params *efi_main(struct efi_config *c,
|
||||
else
|
||||
setup_boot_services32(efi_early);
|
||||
|
||||
+ sanitize_boot_params(boot_params);
|
||||
+
|
||||
+ boot_params->secure_boot = get_secure_boot();
|
||||
+
|
||||
setup_graphics(boot_params);
|
||||
|
||||
status = setup_efi_pci(boot_params);
|
||||
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
|
||||
index 225b0988043a..90dbfb73e11f 100644
|
||||
--- a/arch/x86/include/uapi/asm/bootparam.h
|
||||
+++ b/arch/x86/include/uapi/asm/bootparam.h
|
||||
@@ -133,7 +133,8 @@ struct boot_params {
|
||||
__u8 eddbuf_entries; /* 0x1e9 */
|
||||
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
|
||||
__u8 kbd_status; /* 0x1eb */
|
||||
- __u8 _pad5[3]; /* 0x1ec */
|
||||
+ __u8 secure_boot; /* 0x1ec */
|
||||
+ __u8 _pad5[2]; /* 0x1ed */
|
||||
/*
|
||||
* The sentinel is set to a nonzero value (0xff) in header.S.
|
||||
*
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 41ead8d3bc0b..5a5cf7395724 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
io_delay_init();
|
||||
|
||||
+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
+ if (boot_params.secure_boot) {
|
||||
+ enforce_signed_modules();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* Parse the ACPI tables for possible boot-time SMP configuration.
|
||||
*/
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index fc9b54eb779e..7377bc851461 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
|
||||
|
||||
struct notifier_block;
|
||||
|
||||
+#ifdef CONFIG_MODULE_SIG
|
||||
+extern void enforce_signed_modules(void);
|
||||
+#else
|
||||
+static inline void enforce_signed_modules(void) {};
|
||||
+#endif
|
||||
+
|
||||
#ifdef CONFIG_MODULES
|
||||
|
||||
extern int modules_disabled; /* for sysctl */
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index e8909e2a8b96..7d5b301efa01 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -3840,6 +3840,13 @@ void module_layout(struct module *mod,
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
|
||||
+#ifdef CONFIG_MODULE_SIG
|
||||
+void enforce_signed_modules(void)
|
||||
+{
|
||||
+ sig_enforce = true;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
bool secure_modules(void)
|
||||
{
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From ad56618c3851b102d59bab12d946bcce41caa48f Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 5 Feb 2013 19:25:05 -0500
|
||||
Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode
|
||||
|
||||
A user can manually tell the shim boot loader to disable validation of
|
||||
images it loads. When a user does this, it creates a UEFI variable called
|
||||
MokSBState that does not have the runtime attribute set. Given that the
|
||||
user explicitly disabled validation, we can honor that and not enable
|
||||
secure boot mode if that variable is set.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index 88edd48f03e9..3b18ef2b534c 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -806,8 +806,9 @@ out:
|
||||
|
||||
static int get_secure_boot(void)
|
||||
{
|
||||
- u8 sb, setup;
|
||||
+ u8 sb, setup, moksbstate;
|
||||
unsigned long datasize = sizeof(sb);
|
||||
+ u32 attr;
|
||||
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
|
||||
efi_status_t status;
|
||||
|
||||
@@ -831,6 +832,23 @@ static int get_secure_boot(void)
|
||||
if (setup == 1)
|
||||
return 0;
|
||||
|
||||
+ /* See if a user has put shim into insecure_mode. If so, and the variable
|
||||
+ * doesn't have the runtime attribute set, we might as well honor that.
|
||||
+ */
|
||||
+ var_guid = EFI_SHIM_LOCK_GUID;
|
||||
+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
|
||||
+ L"MokSBState", &var_guid, &attr, &datasize,
|
||||
+ &moksbstate);
|
||||
+
|
||||
+ /* If it fails, we don't care why. Default to secure */
|
||||
+ if (status != EFI_SUCCESS)
|
||||
+ return 1;
|
||||
+
|
||||
+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
|
||||
+ if (moksbstate == 1)
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From d3bcd51e1e47252afa3b2bb4da781b358da7d3d0 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:28:43 -0400
|
||||
Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
|
||||
|
||||
The functionality of the config option is dependent upon the platform being
|
||||
UEFI based. Reflect this in the config deps.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
arch/x86/Kconfig | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index 67e25e3c8583..a46be2f21b95 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1560,7 +1560,8 @@ config EFI_MIXED
|
||||
If unsure, say N.
|
||||
|
||||
config EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
- def_bool n
|
||||
+ def_bool n
|
||||
+ depends on EFI
|
||||
prompt "Force module signing when UEFI Secure Boot is enabled"
|
||||
---help---
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From 3d30f2c07daac85befa76ac44b4dc4db3d64a018 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:33:03 -0400
|
||||
Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
for use with efi_enabled.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
arch/x86/kernel/setup.c | 2 ++
|
||||
include/linux/efi.h | 1 +
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 5a5cf7395724..fb282ff6a802 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
if (boot_params.secure_boot) {
|
||||
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
|
||||
enforce_signed_modules();
|
||||
+ pr_info("Secure boot enabled\n");
|
||||
}
|
||||
#endif
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index efc681fd5895..3f683a13d7aa 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -923,6 +923,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
#define EFI_64BIT 5 /* Is the firmware 64-bit? */
|
||||
#define EFI_PARAVIRT 6 /* Access is via a paravirt interface */
|
||||
#define EFI_ARCH_1 7 /* First arch-specific bit */
|
||||
+#define EFI_SECURE_BOOT 8 /* Are we in Secure Boot mode? */
|
||||
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.0.4
|
||||
|
||||
|
||||
From f19107379dbcfced86458de8ad9cf8a6443567e9 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 20 Jun 2014 08:53:24 -0400
|
||||
Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
so until we can work with signed hibernate images we disable it in
|
||||
a secure modules environment.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
kernel/power/hibernate.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
|
||||
index a9dfa79b6bab..14c7356ff53a 100644
|
||||
--- a/kernel/power/hibernate.c
|
||||
+++ b/kernel/power/hibernate.c
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <linux/syscore_ops.h>
|
||||
#include <linux/ctype.h>
|
||||
#include <linux/genhd.h>
|
||||
+#include <linux/module.h>
|
||||
#include <trace/events/power.h>
|
||||
|
||||
#include "power.h"
|
||||
@@ -65,7 +66,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
|
||||
|
||||
bool hibernation_available(void)
|
||||
{
|
||||
- return (nohibernate == 0);
|
||||
+ return ((nohibernate == 0) && !secure_modules());
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.0.4
|
||||
|
@ -1,11 +1,19 @@
|
||||
From b0c75b1839a0ccf645329a0ee2b268109300c2b0 Mon Sep 17 00:00:00 2001
|
||||
From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org>
|
||||
Date: Thu, 29 Jul 2010 16:46:31 -0700
|
||||
Subject: [PATCH] silence fbcon logo
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
---
|
||||
drivers/video/console/fbcon.c | 24 +++++++++++++++++-------
|
||||
1 file changed, 17 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
|
||||
index 1657b96..4c5c2be 100644
|
||||
index 57b1d44acbfe..31048a85713d 100644
|
||||
--- a/drivers/video/console/fbcon.c
|
||||
+++ b/drivers/video/console/fbcon.c
|
||||
@@ -631,13 +631,15 @@ static void fbcon_prepare_logo(struct vc_data *vc, struct fb_info *info,
|
||||
@@ -638,13 +638,15 @@ static void fbcon_prepare_logo(struct vc_data *vc, struct fb_info *info,
|
||||
kfree(save);
|
||||
}
|
||||
|
||||
@ -28,7 +36,7 @@ index 1657b96..4c5c2be 100644
|
||||
}
|
||||
}
|
||||
#endif /* MODULE */
|
||||
@@ -3489,6 +3491,14 @@ static int __init fb_console_init(void)
|
||||
@@ -3625,6 +3627,14 @@ static int __init fb_console_init(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -43,3 +51,6 @@ index 1657b96..4c5c2be 100644
|
||||
module_init(fb_console_init);
|
||||
|
||||
#ifdef MODULE
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
@ -1,5 +1,15 @@
|
||||
From fff8a8a8830bc36b093ba123b136fd1ec6bf4fa3 Mon Sep 17 00:00:00 2001
|
||||
From: Kyle McMartin <kmcmarti@redhat.com>
|
||||
Date: Tue, 12 Aug 2014 15:28:06 -0400
|
||||
Subject: [PATCH] tegra-powergate: header move
|
||||
|
||||
deal with armv7hl breakage
|
||||
---
|
||||
drivers/ata/ahci_tegra.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/ata/ahci_tegra.c b/drivers/ata/ahci_tegra.c
|
||||
index fc3df47..4392190 100644
|
||||
index fc3df47fca35..7194835bc316 100644
|
||||
--- a/drivers/ata/ahci_tegra.c
|
||||
+++ b/drivers/ata/ahci_tegra.c
|
||||
@@ -24,7 +24,7 @@
|
||||
@ -11,3 +21,6 @@ index fc3df47..4392190 100644
|
||||
#include <linux/regulator/consumer.h>
|
||||
#include "ahci.h"
|
||||
|
||||
--
|
||||
1.9.3
|
||||
|
||||
|
@ -1,10 +1,7 @@
|
||||
Bugzilla: 971139
|
||||
Upstream-status: Fedora mustard for now
|
||||
|
||||
From 17109685bfce322c73a816e097b137458fbd55ae Mon Sep 17 00:00:00 2001
|
||||
From bfe8bae33c1a3ce1695ac83052f1c48d1757079c Mon Sep 17 00:00:00 2001
|
||||
From: Dave Jones <davej@redhat.com>
|
||||
Date: Tue, 24 Jun 2014 08:43:34 -0400
|
||||
Subject: [PATCH] Disable watchdog on virtual machines.
|
||||
Subject: [PATCH] watchdog: Disable watchdog on virtual machines.
|
||||
|
||||
For various reasons, VMs seem to trigger the soft lockup detector a lot,
|
||||
in cases where it's just not possible for a lockup to occur.
|
||||
@ -15,13 +12,16 @@ the VM for a very long time (Could be the host was under heavy load).
|
||||
|
||||
Just disable the detector on VMs.
|
||||
|
||||
Bugzilla: 971139
|
||||
Upstream-status: Fedora mustard for now
|
||||
|
||||
Signed-off-by: Dave Jones <davej@redhat.com>
|
||||
---
|
||||
kernel/watchdog.c | 29 +++++++++++++++++++++++++++++
|
||||
1 file changed, 29 insertions(+)
|
||||
|
||||
diff --git a/kernel/watchdog.c b/kernel/watchdog.c
|
||||
index c3319bd1b040..0e3687675aaa 100644
|
||||
index a8d6914030fe..d0a8c308170d 100644
|
||||
--- a/kernel/watchdog.c
|
||||
+++ b/kernel/watchdog.c
|
||||
@@ -24,6 +24,7 @@
|
||||
@ -65,7 +65,7 @@ index c3319bd1b040..0e3687675aaa 100644
|
||||
/*
|
||||
* Hard-lockup warnings should be triggered after just a few seconds. Soft-
|
||||
* lockups can have false positives under extreme conditions. So we generally
|
||||
@@ -641,6 +668,8 @@ out:
|
||||
@@ -644,6 +671,8 @@ out:
|
||||
|
||||
void __init lockup_detector_init(void)
|
||||
{
|
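--- a/x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch
@@ -0,0 +1,71 @@
+From d27eea3ac26af4673f829ab50c90f8879715d739 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Thu, 8 Mar 2012 10:35:59 -0500
+Subject: [PATCH] x86: Lock down IO port access when module security is enabled
+
+IO port access would permit users to gain access to PCI configuration
+registers, which in turn (on a lot of hardware) give access to MMIO register
+space. This would potentially permit root to trigger arbitrary DMA, so lock
+it down by default.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+arch/x86/kernel/ioport.c | 5 +++--
+drivers/char/mem.c | 4 ++++
+2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 4ddaf66ea35f..00b440307419 100644
+--- a/arch/x86/kernel/ioport.c
++++ b/arch/x86/kernel/ioport.c
+@@ -15,6 +15,7 @@
+#include <linux/thread_info.h>
+#include <linux/syscalls.h>
+#include <linux/bitmap.h>
++#include <linux/module.h>
+#include <asm/syscalls.h>
+
+/*
+@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+
+if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+return -EINVAL;
+- if (turn_on && !capable(CAP_SYS_RAWIO))
++ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
+return -EPERM;
+
+/*
+@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
+return -EINVAL;
+/* Trying to gain more privileges? */
+if (level > old) {
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) || secure_modules())
+return -EPERM;
+}
+regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 917403fe10da..cdf839f9defe 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -27,6 +27,7 @@
+#include <linux/export.h>
+#include <linux/io.h>
+#include <linux/aio.h>
++#include <linux/module.h>
+
+#include <asm/uaccess.h>
+
+@@ -568,6 +569,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+unsigned long i = *ppos;
+const char __user *tmp = buf;
+
++ if (secure_modules())
++ return -EPERM;
++
+if (!access_ok(VERIFY_READ, buf, count))
+return -EFAULT;
+while (count-- > 0 && i < 65536) {
+--
+1.9.3
+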
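Review bot: The three new gates in `sys_ioperm`, `iopl` and `write_port` all return a bare `-EPERM`, which a caller cannot distinguish from the pre-existing `CAP_SYS_RAWIO` failure, and none of them carries a comment saying why module-signing state governs port I/O. A one-line comment at each check such as `/* Raw port I/O reaches PCI config space and MMIO, which can bypass module signing; deny while secure_modules() is set. */` would keep the intent through rebases, and a `pr_notice_ratelimited()` at the `write_port` rejection would let an administrator tell lockdown from a missing capability. The `turn_on &&` condition in `sys_ioperm` deliberately still lets a task drop port permissions it already holds; that asymmetry is worth stating in the same comment. Only the write side of `/dev/port` is gated here; if `read_port` is left as is (it is not in this hunk), the description should say that port reads remain available to `CAP_SYS_RAWIO` holders. Each hunk's enclosing function starts outside the hunk.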
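--- a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
@@ -0,0 +1,43 @@
+From 81f5d112eeb6998c51c7c0410bf277bf49e66a8a Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 8 Feb 2013 11:12:13 -0800
+Subject: [PATCH] x86: Restrict MSR access when module loading is restricted
+
+Writing to MSRs should not be allowed if module loading is restricted,
+since it could lead to execution of arbitrary code in kernel mode. Based
+on a patch by Kees Cook.
+
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+arch/x86/kernel/msr.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index c9603ac80de5..8bef43fc3f40 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+int err = 0;
+ssize_t bytes = 0;
+
++ if (secure_modules())
++ return -EPERM;
++
+if (count % 8)
+return -EINVAL; /* Invalid chunk size */
+
+@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+err = -EBADF;
+break;
+}
++ if (secure_modules()) {
++ err = -EPERM;
++ break;
++ }
+if (copy_from_user(®s, uregs, sizeof regs)) {
+err = -EFAULT;
+break;
+--
+1.9.3
+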
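Review bot: The second hunk's added `if (secure_modules()) { err = -EPERM; break; }` sits inside a `switch` case whose label is outside the hunk, and the surrounding `err = -EBADF; break; }` / `copy_from_user()` shape appears to be shared by the read-regs and write-regs ioctl cases, so a comment such as `/* WRMSR via ioctl: same restriction as msr_write() */` on the added line would pin it to the write case and keep a future rebase from landing it in the wrong one. The rejection in `msr_write` happens after the file has already been opened for writing; if the open path is not changed elsewhere in the series, consider also refusing write-mode opens of the MSR device under `secure_modules()` so the denial surfaces at `open()` rather than on the first `write()`. The Subject says "Restrict MSR access" while the code gates only writes and the write ioctl; stating in the description that reads are intentionally left alone would stop a reader assuming reads are covered. Both enclosing functions start outside their hunks.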