Linux v3.16-rc1-215-g3c8fb5044583

This commit is contained in:
Josh Boyer 2014-06-20 10:22:00 -04:00
parent 3933c6f456
commit 7583b10c51
4 changed files with 73 additions and 68 deletions

View File

@ -418,6 +418,7 @@ CONFIG_SCHED_SMT=y
CONFIG_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_RELOCATABLE=y CONFIG_RELOCATABLE=y
# CONFIG_RANDOMIZE_BASE is not set # revisit this
CONFIG_HYPERV=m CONFIG_HYPERV=m
CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_UTILS=m

View File

@ -67,7 +67,7 @@ Summary: The Linux kernel
# The rc snapshot level # The rc snapshot level
%define rcrev 1 %define rcrev 1
# The git snapshot level # The git snapshot level
%define gitrev 3 %define gitrev 4
# Set rpm version accordingly # Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0 %define rpmversion 3.%{upstream_sublevel}.0
%endif %endif
@ -564,7 +564,7 @@ Patch800: crash-driver.patch
# secure boot # secure boot
Patch1000: secure-modules.patch Patch1000: secure-modules.patch
Patch1001: modsign-uefi.patch Patch1001: modsign-uefi.patch
Patch1002: sb-hibernate.patch # atch1002: sb-hibernate.patch
Patch1003: sysrq-secure-boot.patch Patch1003: sysrq-secure-boot.patch
# virt + ksm patches # virt + ksm patches
@ -1292,7 +1292,7 @@ ApplyPatch crash-driver.patch
# secure boot # secure boot
ApplyPatch secure-modules.patch ApplyPatch secure-modules.patch
ApplyPatch modsign-uefi.patch ApplyPatch modsign-uefi.patch
ApplyPatch sb-hibernate.patch # pplyPatch sb-hibernate.patch
ApplyPatch sysrq-secure-boot.patch ApplyPatch sysrq-secure-boot.patch
# Assorted Virt Fixes # Assorted Virt Fixes
@ -2217,6 +2217,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Fri Jun 20 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc1.git4.1
- Linux v3.16-rc1-215-g3c8fb5044583
* Thu Jun 19 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc1.git3.1 * Thu Jun 19 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc1.git3.1
- Linux v3.16-rc1-112-g894e552cfaa3 - Linux v3.16-rc1-112-g894e552cfaa3

View File

@ -1,7 +1,8 @@
Bugzilla: N/A Bugzilla: N/A
Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd
From 6da482d3452da480cce81a17768ef1a4f2971ddf Mon Sep 17 00:00:00 2001
From 3b083aa4b42c6f2e814742b24e1948aced3a5e3f Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 17:58:15 -0400 Date: Fri, 9 Aug 2013 17:58:15 -0400
Subject: [PATCH 01/14] Add secure_modules() call Subject: [PATCH 01/14] Add secure_modules() call
@ -63,7 +64,7 @@ index 81e727cf6df9..fc14f48915dd 100644
1.9.3 1.9.3
From 19aec8e433eee2ec74faf3fda2ab291d12622001 Mon Sep 17 00:00:00 2001 From 5c9708ebd7a52bf432745dc9b739c54666f2789d Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500 Date: Thu, 8 Mar 2012 10:10:38 -0500
Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
@ -182,7 +183,7 @@ index b91c4da68365..98f5637304d1 100644
1.9.3 1.9.3
From a203421e39478f83f4f3ead677dacfe5648f123b Mon Sep 17 00:00:00 2001 From c5f35519151d28b1a3c3dee5cb67fd67befa7fb6 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500 Date: Thu, 8 Mar 2012 10:35:59 -0500
Subject: [PATCH 03/14] x86: Lock down IO port access when module security is Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
@ -255,7 +256,7 @@ index 917403fe10da..cdf839f9defe 100644
1.9.3 1.9.3
From 93f428743e53b76c65ca59d6f16a1f7f579b7a8a Mon Sep 17 00:00:00 2001 From 24b607adc80fdebbc3497efc4b997a62edc06280 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500 Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH 04/14] ACPI: Limit access to custom_method Subject: [PATCH 04/14] ACPI: Limit access to custom_method
@ -287,7 +288,7 @@ index c68e72414a67..4277938af700 100644
1.9.3 1.9.3
From ab75609a919bb7d2f6e02c74a14afc4c92dbae8b Mon Sep 17 00:00:00 2001 From 215559c7708671e85ceb42f6e25445b9b27f6c38 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500 Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
@ -342,7 +343,7 @@ index 3c6ccedc82b6..960c46536c65 100644
1.9.3 1.9.3
From 2ace39911e2d02f8abbc5fbdb9720574fbe4f2b7 Mon Sep 17 00:00:00 2001 From b709a5110b728b526063c6814413a8c0f0d01203 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500 Date: Fri, 9 Mar 2012 09:28:15 -0500
Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
@ -385,7 +386,7 @@ index cdf839f9defe..c63cf93b00eb 100644
1.9.3 1.9.3
From 1b7976eeee94cdec273618844c85e863f83fd943 Mon Sep 17 00:00:00 2001 From 2896018a1c991e19691ab203a9e9010e898587e7 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com> From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400 Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
@ -401,7 +402,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-) 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 3f2bdc812d23..d0cef744bfaf 100644 index bad25b070fe0..0606585e8b93 100644
--- a/drivers/acpi/osl.c --- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c
@@ -44,6 +44,7 @@ @@ -44,6 +44,7 @@
@ -412,7 +413,7 @@ index 3f2bdc812d23..d0cef744bfaf 100644
#include <asm/io.h> #include <asm/io.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
@@ -244,7 +245,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); @@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
acpi_physical_address __init acpi_os_get_root_pointer(void) acpi_physical_address __init acpi_os_get_root_pointer(void)
{ {
#ifdef CONFIG_KEXEC #ifdef CONFIG_KEXEC
@ -425,7 +426,7 @@ index 3f2bdc812d23..d0cef744bfaf 100644
1.9.3 1.9.3
From e23b6615575ac07b6923d8f38e79597889531850 Mon Sep 17 00:00:00 2001 From a9c7c2c5e39d3e687b3e90845a753673144a754b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 03:33:56 -0400 Date: Fri, 9 Aug 2013 03:33:56 -0400
Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
@ -470,50 +471,10 @@ index 6748688813d0..d4d88984bf45 100644
1.9.3 1.9.3
From a51fbe78169ba5b557f8a94c48cfa8ab29cdf5df Mon Sep 17 00:00:00 2001 From 4ce6023b9f02d5397156976568b3aad88b2f5b95 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 3 Sep 2013 11:23:29 -0400
Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to avoid module loading restrictions. Prevent this when
any restrictions have been imposed on loading modules.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
kernel/power/user.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 98d357584cd6..efe99dee9510 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -24,6 +24,7 @@
#include <linux/console.h>
#include <linux/cpu.h>
#include <linux/freezer.h>
+#include <linux/module.h>
#include <asm/uaccess.h>
@@ -49,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
struct snapshot_data *data;
int error;
+ if (secure_modules())
+ return -EPERM;
+
lock_system_sleep();
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
--
1.9.3
From c071e6ecf90736ba1a8da10eebdb830fa8a0c00d Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800 Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is
restricted restricted
Writing to MSRs should not be allowed if module loading is restricted, Writing to MSRs should not be allowed if module loading is restricted,
@ -555,10 +516,10 @@ index c9603ac80de5..8bef43fc3f40 100644
1.9.3 1.9.3
From 74792620f33710bff9913006f5c2fac455e85baa Mon Sep 17 00:00:00 2001 From c95290110f65724e58b7506281759c0bac59b9f5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com> From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400 Date: Fri, 9 Aug 2013 18:36:30 -0400
Subject: [PATCH 11/14] Add option to automatically enforce module signatures Subject: [PATCH 10/14] Add option to automatically enforce module signatures
when in Secure Boot mode when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@ -591,10 +552,10 @@ index 199f453cb4de..ec38acf00b40 100644
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table 2D0/A00 ALL e820_map E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index b660088c220d..b4229b168d4e 100644 index a8f749ef0fdc..35bfd8259993 100644
--- a/arch/x86/Kconfig --- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -1555,6 +1555,16 @@ config EFI_MIXED @@ -1556,6 +1556,16 @@ config EFI_MIXED
If unsure, say N. If unsure, say N.
@ -742,10 +703,10 @@ index fc14f48915dd..2d68d276f3b6 100644
1.9.3 1.9.3
From c29fcddae7f39b49dd8593e12c52c3825c6d58db Mon Sep 17 00:00:00 2001 From f0baa6f34da3f151c059ca3043945837db0ca8d1 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org> From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500 Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called images it loads. When a user does this, it creates a UEFI variable called
@ -801,10 +762,10 @@ index 85defaf5a27c..b4013a4ba005 100644
1.9.3 1.9.3
From ba3406d551ae04cb61661b682348b06a9683196a Mon Sep 17 00:00:00 2001 From 6bc90bfd4c13fd6cc4a536630807406c16395bf5 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org> From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:28:43 -0400 Date: Tue, 27 Aug 2013 13:28:43 -0400
Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
The functionality of the config option is dependent upon the platform being The functionality of the config option is dependent upon the platform being
UEFI based. Reflect this in the config deps. UEFI based. Reflect this in the config deps.
@ -815,10 +776,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 2 insertions(+), 1 deletion(-) 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index b4229b168d4e..6b08f48417b0 100644 index 35bfd8259993..746b1b63da8c 100644
--- a/arch/x86/Kconfig --- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -1556,7 +1556,8 @@ config EFI_MIXED @@ -1557,7 +1557,8 @@ config EFI_MIXED
If unsure, say N. If unsure, say N.
config EFI_SECURE_BOOT_SIG_ENFORCE config EFI_SECURE_BOOT_SIG_ENFORCE
@ -832,10 +793,10 @@ index b4229b168d4e..6b08f48417b0 100644
1.9.3 1.9.3
From 0f644a85b177728b6a9568e442d8538de0a4ac2f Mon Sep 17 00:00:00 2001 From 292f6faa86f44fe261c8da58cc2c7f65aa0acad6 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org> From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400 Date: Tue, 27 Aug 2013 13:33:03 -0400
Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled. for use with efi_enabled.
@ -875,3 +836,43 @@ index 41bbf8ba4ba8..e73f391fd3c8 100644
-- --
1.9.3 1.9.3
From 594e605ee9589150919aa113e3e01163168ad041 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 20 Jun 2014 08:53:24 -0400
Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it in
a secure modules environment.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
kernel/power/hibernate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index fcc2611d3f14..61711801a9c4 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -28,6 +28,7 @@
#include <linux/syscore_ops.h>
#include <linux/ctype.h>
#include <linux/genhd.h>
+#include <linux/module.h>
#include <trace/events/power.h>
#include "power.h"
@@ -65,7 +66,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
bool hibernation_available(void)
{
- return (nohibernate == 0);
+ return ((nohibernate == 0) && !secure_modules());
}
/**
--
1.9.3

View File

@ -1,4 +1,4 @@
97ca1625bb40368dc41b9a7971549071 linux-3.15.tar.xz 97ca1625bb40368dc41b9a7971549071 linux-3.15.tar.xz
ef8f4db937f521a7e323ec589536ba25 perf-man-3.15.tar.gz ef8f4db937f521a7e323ec589536ba25 perf-man-3.15.tar.gz
8edcef1e40ebea460ba0e43d913ff928 patch-3.16-rc1.xz 8edcef1e40ebea460ba0e43d913ff928 patch-3.16-rc1.xz
7ce0a784ea436cba2966fdfdccb63974 patch-3.16-rc1-git3.xz 3d7caaa5bbfb7f1227c11fc725fb2f9d patch-3.16-rc1-git4.xz