Linux v3.8
- Fix build with CONFIG_EFI disabled, reported by Peter Bowey (rhbz 911833) - Disable debugging options.
parent
b8330c9705
commit
b1b2d34318
@ -1535,13 +1535,13 @@ CONFIG_B43_SDIO=y
|
|||||||
CONFIG_B43_BCMA=y
|
CONFIG_B43_BCMA=y
|
||||||
# CONFIG_B43_BCMA_EXTRA is not set
|
# CONFIG_B43_BCMA_EXTRA is not set
|
||||||
CONFIG_B43_BCMA_PIO=y
|
CONFIG_B43_BCMA_PIO=y
|
||||||
CONFIG_B43_DEBUG=y
|
# CONFIG_B43_DEBUG is not set
|
||||||
CONFIG_B43_PHY_LP=y
|
CONFIG_B43_PHY_LP=y
|
||||||
CONFIG_B43_PHY_N=y
|
CONFIG_B43_PHY_N=y
|
||||||
CONFIG_B43_PHY_HT=y
|
CONFIG_B43_PHY_HT=y
|
||||||
# CONFIG_B43_FORCE_PIO is not set
|
# CONFIG_B43_FORCE_PIO is not set
|
||||||
CONFIG_B43LEGACY=m
|
CONFIG_B43LEGACY=m
|
||||||
CONFIG_B43LEGACY_DEBUG=y
|
# CONFIG_B43LEGACY_DEBUG is not set
|
||||||
CONFIG_B43LEGACY_DMA=y
|
CONFIG_B43LEGACY_DMA=y
|
||||||
CONFIG_B43LEGACY_PIO=y
|
CONFIG_B43LEGACY_PIO=y
|
||||||
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
|
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
|
||||||
@ -3155,7 +3155,7 @@ CONFIG_USB_STORAGE_REALTEK=m
|
|||||||
CONFIG_REALTEK_AUTOPM=y
|
CONFIG_REALTEK_AUTOPM=y
|
||||||
CONFIG_USB_STORAGE_ENE_UB6250=m
|
CONFIG_USB_STORAGE_ENE_UB6250=m
|
||||||
# CONFIG_USB_LIBUSUAL is not set
|
# CONFIG_USB_LIBUSUAL is not set
|
||||||
CONFIG_USB_UAS=m
|
# CONFIG_USB_UAS is not set
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -4137,7 +4137,7 @@ CONFIG_IBMASR=m
|
|||||||
CONFIG_PM_DEBUG=y
|
CONFIG_PM_DEBUG=y
|
||||||
CONFIG_PM_TRACE=y
|
CONFIG_PM_TRACE=y
|
||||||
CONFIG_PM_TRACE_RTC=y
|
CONFIG_PM_TRACE_RTC=y
|
||||||
CONFIG_PM_TEST_SUSPEND=y
|
# CONFIG_PM_TEST_SUSPEND is not set
|
||||||
CONFIG_PM_RUNTIME=y
|
CONFIG_PM_RUNTIME=y
|
||||||
# CONFIG_PM_OPP is not set
|
# CONFIG_PM_OPP is not set
|
||||||
# CONFIG_PM_AUTOSLEEP is not set
|
# CONFIG_PM_AUTOSLEEP is not set
|
||||||
|
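Review bot: `CONFIG_USB_UAS=m` becoming `# CONFIG_USB_UAS is not set` in the second hunk is not a debugging option, and neither the commit message nor the new changelog entry explains it. The other flips in this section (`CONFIG_B43_DEBUG`, `CONFIG_B43LEGACY_DEBUG`, `CONFIG_PM_TEST_SUSPEND`) match "Disable debugging options", so this one reads as an unrelated driver removal riding along. If it is intentional for release builds, a comment line above it such as `# UAS disabled in release builds: <reason or bug reference>` would tell the next person toggling debug settings that it should stay off. The file name for this section is not shown on the page.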
110
config-nodebug
110
config-nodebug
@ -2,111 +2,111 @@ CONFIG_SND_VERBOSE_PRINTK=y
|
|||||||
CONFIG_SND_DEBUG=y
|
CONFIG_SND_DEBUG=y
|
||||||
CONFIG_SND_PCM_XRUN_DEBUG=y
|
CONFIG_SND_PCM_XRUN_DEBUG=y
|
||||||
|
|
||||||
CONFIG_DEBUG_ATOMIC_SLEEP=y
|
# CONFIG_DEBUG_ATOMIC_SLEEP is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_MUTEXES=y
|
# CONFIG_DEBUG_MUTEXES is not set
|
||||||
CONFIG_DEBUG_RT_MUTEXES=y
|
# CONFIG_DEBUG_RT_MUTEXES is not set
|
||||||
CONFIG_DEBUG_LOCK_ALLOC=y
|
# CONFIG_DEBUG_LOCK_ALLOC is not set
|
||||||
CONFIG_PROVE_LOCKING=y
|
# CONFIG_PROVE_LOCKING is not set
|
||||||
CONFIG_DEBUG_SPINLOCK=y
|
# CONFIG_DEBUG_SPINLOCK is not set
|
||||||
CONFIG_PROVE_RCU=y
|
# CONFIG_PROVE_RCU is not set
|
||||||
# CONFIG_PROVE_RCU_REPEATEDLY is not set
|
# CONFIG_PROVE_RCU_REPEATEDLY is not set
|
||||||
CONFIG_DEBUG_PER_CPU_MAPS=y
|
# CONFIG_DEBUG_PER_CPU_MAPS is not set
|
||||||
CONFIG_CPUMASK_OFFSTACK=y
|
CONFIG_CPUMASK_OFFSTACK=y
|
||||||
|
|
||||||
CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
|
# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
|
||||||
|
|
||||||
CONFIG_FAULT_INJECTION=y
|
# CONFIG_FAULT_INJECTION is not set
|
||||||
CONFIG_FAILSLAB=y
|
# CONFIG_FAILSLAB is not set
|
||||||
CONFIG_FAIL_PAGE_ALLOC=y
|
# CONFIG_FAIL_PAGE_ALLOC is not set
|
||||||
CONFIG_FAIL_MAKE_REQUEST=y
|
# CONFIG_FAIL_MAKE_REQUEST is not set
|
||||||
CONFIG_FAULT_INJECTION_DEBUG_FS=y
|
# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
|
||||||
CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
|
# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
|
||||||
CONFIG_FAIL_IO_TIMEOUT=y
|
# CONFIG_FAIL_IO_TIMEOUT is not set
|
||||||
CONFIG_FAIL_MMC_REQUEST=y
|
# CONFIG_FAIL_MMC_REQUEST is not set
|
||||||
|
|
||||||
CONFIG_SLUB_DEBUG_ON=y
|
# CONFIG_SLUB_DEBUG_ON is not set
|
||||||
|
|
||||||
CONFIG_LOCK_STAT=y
|
# CONFIG_LOCK_STAT is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_STACK_USAGE=y
|
# CONFIG_DEBUG_STACK_USAGE is not set
|
||||||
|
|
||||||
CONFIG_ACPI_DEBUG=y
|
# CONFIG_ACPI_DEBUG is not set
|
||||||
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
|
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_SG=y
|
# CONFIG_DEBUG_SG is not set
|
||||||
|
|
||||||
# CONFIG_DEBUG_PAGEALLOC is not set
|
# CONFIG_DEBUG_PAGEALLOC is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_WRITECOUNT=y
|
# CONFIG_DEBUG_WRITECOUNT is not set
|
||||||
CONFIG_DEBUG_OBJECTS=y
|
# CONFIG_DEBUG_OBJECTS is not set
|
||||||
# CONFIG_DEBUG_OBJECTS_SELFTEST is not set
|
# CONFIG_DEBUG_OBJECTS_SELFTEST is not set
|
||||||
CONFIG_DEBUG_OBJECTS_FREE=y
|
# CONFIG_DEBUG_OBJECTS_FREE is not set
|
||||||
CONFIG_DEBUG_OBJECTS_TIMERS=y
|
# CONFIG_DEBUG_OBJECTS_TIMERS is not set
|
||||||
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
|
# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
|
||||||
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
|
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
|
||||||
|
|
||||||
CONFIG_X86_PTDUMP=y
|
# CONFIG_X86_PTDUMP is not set
|
||||||
|
|
||||||
CONFIG_CAN_DEBUG_DEVICES=y
|
# CONFIG_CAN_DEBUG_DEVICES is not set
|
||||||
|
|
||||||
CONFIG_MODULE_FORCE_UNLOAD=y
|
# CONFIG_MODULE_FORCE_UNLOAD is not set
|
||||||
|
|
||||||
CONFIG_SYSCTL_SYSCALL_CHECK=y
|
# CONFIG_SYSCTL_SYSCALL_CHECK is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_NOTIFIERS=y
|
# CONFIG_DEBUG_NOTIFIERS is not set
|
||||||
|
|
||||||
CONFIG_DMA_API_DEBUG=y
|
# CONFIG_DMA_API_DEBUG is not set
|
||||||
|
|
||||||
CONFIG_MMIOTRACE=y
|
# CONFIG_MMIOTRACE is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_CREDENTIALS=y
|
# CONFIG_DEBUG_CREDENTIALS is not set
|
||||||
|
|
||||||
# off in both production debug and nodebug builds,
|
# off in both production debug and nodebug builds,
|
||||||
# on in rawhide nodebug builds
|
# on in rawhide nodebug builds
|
||||||
CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
|
# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
|
||||||
|
|
||||||
CONFIG_EXT4_DEBUG=y
|
# CONFIG_EXT4_DEBUG is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_PERF_USE_VMALLOC=y
|
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
|
||||||
|
|
||||||
CONFIG_JBD2_DEBUG=y
|
# CONFIG_JBD2_DEBUG is not set
|
||||||
|
|
||||||
CONFIG_NFSD_FAULT_INJECTION=y
|
# CONFIG_NFSD_FAULT_INJECTION is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_BLK_CGROUP=y
|
# CONFIG_DEBUG_BLK_CGROUP is not set
|
||||||
|
|
||||||
CONFIG_DRBD_FAULT_INJECTION=y
|
# CONFIG_DRBD_FAULT_INJECTION is not set
|
||||||
|
|
||||||
CONFIG_ATH_DEBUG=y
|
# CONFIG_ATH_DEBUG is not set
|
||||||
CONFIG_CARL9170_DEBUGFS=y
|
# CONFIG_CARL9170_DEBUGFS is not set
|
||||||
CONFIG_IWLWIFI_DEVICE_TRACING=y
|
# CONFIG_IWLWIFI_DEVICE_TRACING is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_OBJECTS_WORK=y
|
# CONFIG_DEBUG_OBJECTS_WORK is not set
|
||||||
|
|
||||||
CONFIG_DMADEVICES_DEBUG=y
|
# CONFIG_DMADEVICES_DEBUG is not set
|
||||||
CONFIG_DMADEVICES_VDEBUG=y
|
# CONFIG_DMADEVICES_VDEBUG is not set
|
||||||
|
|
||||||
CONFIG_PM_ADVANCED_DEBUG=y
|
CONFIG_PM_ADVANCED_DEBUG=y
|
||||||
|
|
||||||
CONFIG_CEPH_LIB_PRETTYDEBUG=y
|
# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
|
||||||
CONFIG_QUOTA_DEBUG=y
|
# CONFIG_QUOTA_DEBUG is not set
|
||||||
|
|
||||||
CONFIG_PCI_DEFAULT_USE_CRS=y
|
CONFIG_PCI_DEFAULT_USE_CRS=y
|
||||||
|
|
||||||
CONFIG_KGDB_KDB=y
|
CONFIG_KGDB_KDB=y
|
||||||
CONFIG_KDB_KEYBOARD=y
|
CONFIG_KDB_KEYBOARD=y
|
||||||
|
|
||||||
CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
|
# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
|
||||||
CONFIG_TEST_LIST_SORT=y
|
# CONFIG_TEST_LIST_SORT is not set
|
||||||
|
|
||||||
CONFIG_DETECT_HUNG_TASK=y
|
# CONFIG_DETECT_HUNG_TASK is not set
|
||||||
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
|
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
|
||||||
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
|
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
|
||||||
|
|
||||||
CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
|
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
|
||||||
|
|
||||||
CONFIG_DEBUG_KMEMLEAK=y
|
# CONFIG_DEBUG_KMEMLEAK is not set
|
||||||
CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
|
CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
|
||||||
# CONFIG_DEBUG_KMEMLEAK_TEST is not set
|
# CONFIG_DEBUG_KMEMLEAK_TEST is not set
|
||||||
CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
|
CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
|
||||||
|
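Review bot: `CONFIG_KGDB_KDB=y` and `CONFIG_KDB_KEYBOARD=y` are left enabled in config-nodebug while almost every other debug facility in this hunk is switched off, and nothing on the page says that is deliberate. kdb is an in-kernel debugger able to read and write kernel memory, which sits awkwardly next to the secure-boot patch set carried in the same package, whose stated goal is that root cannot get the kernel to execute arbitrary code; whether those patches restrict kdb is not visible here. Either disable both for nodebug builds (`# CONFIG_KGDB_KDB is not set`, `# CONFIG_KDB_KEYBOARD is not set`) or add a comment above them recording why they stay on. The same question applies to `CONFIG_PM_ADVANCED_DEBUG=y` and the two `CONFIG_SND_*DEBUG` lines, which also remain set.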
@ -322,7 +322,7 @@ CONFIG_STRICT_DEVMEM=y
|
|||||||
|
|
||||||
# CONFIG_MEMTEST is not set
|
# CONFIG_MEMTEST is not set
|
||||||
# CONFIG_DEBUG_TLBFLUSH is not set
|
# CONFIG_DEBUG_TLBFLUSH is not set
|
||||||
CONFIG_MAXSMP=y
|
# CONFIG_MAXSMP is not set
|
||||||
|
|
||||||
|
|
||||||
CONFIG_HP_ILO=m
|
CONFIG_HP_ILO=m
|
||||||
|
@ -1,43 +0,0 @@
|
|||||||
uapi/linux/irqnr.h was emitted by the UAPI disintegration script as an empty
|
|
||||||
file because the parent linux/irqnr.h had no UAPI stuff in it, despite being
|
|
||||||
marked with "header-y".
|
|
||||||
|
|
||||||
Unfortunately, it patch deletes the empty file when applying a kernel patch.
|
|
||||||
|
|
||||||
It's not clear why this file is part of the UAPI at all. Looking in:
|
|
||||||
|
|
||||||
/usr/include/linux/irqnr.h
|
|
||||||
|
|
||||||
there's nothing there but a header reinclusion guard and a comment.
|
|
||||||
|
|
||||||
So just stick a comment in there as a placeholder.
|
|
||||||
|
|
||||||
Without this, if the kernel is fabricated from, say, a tarball and a patch, you
|
|
||||||
can get this error when building x86_64 or usermode Linux (and probably
|
|
||||||
others):
|
|
||||||
|
|
||||||
include/linux/irqnr.h:4:30: fatal error: uapi/linux/irqnr.h: No such file or directory
|
|
||||||
|
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
||||||
cc: Randy Dunlap <rdunlap@xenotime.net>
|
|
||||||
cc: Alessandro Suardi <alessandro.suardi@gmail.com>
|
|
||||||
---
|
|
||||||
|
|
||||||
include/uapi/linux/irqnr.h | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/include/uapi/linux/irqnr.h b/include/uapi/linux/irqnr.h
|
|
||||||
index e69de29..ae5704f 100644
|
|
||||||
--- a/include/uapi/linux/irqnr.h
|
|
||||||
+++ b/include/uapi/linux/irqnr.h
|
|
||||||
@@ -0,0 +1,4 @@
|
|
||||||
+/*
|
|
||||||
+ * There isn't anything here anymore, but the file must not be empty or patch
|
|
||||||
+ * will delete it.
|
|
||||||
+ */
|
|
||||||
|
|
||||||
--
|
|
||||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
|
||||||
the body of a message to majordomo@vger.kernel.org
|
|
||||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|
||||||
Please read the FAQ at http://www.tux.org/lkml/
|
|
27
kernel.spec
27
kernel.spec
@ -6,7 +6,7 @@ Summary: The Linux kernel
|
|||||||
# For a stable, released kernel, released_kernel should be 1. For rawhide
|
# For a stable, released kernel, released_kernel should be 1. For rawhide
|
||||||
# and/or a kernel built from an rc or git snapshot, released_kernel should
|
# and/or a kernel built from an rc or git snapshot, released_kernel should
|
||||||
# be 0.
|
# be 0.
|
||||||
%global released_kernel 0
|
%global released_kernel 1
|
||||||
|
|
||||||
# Sign modules on x86. Make sure the config files match this setting if more
|
# Sign modules on x86. Make sure the config files match this setting if more
|
||||||
# architectures are added.
|
# architectures are added.
|
||||||
@ -68,7 +68,7 @@ Summary: The Linux kernel
|
|||||||
# base_sublevel is the kernel version we're starting with and patching
|
# base_sublevel is the kernel version we're starting with and patching
|
||||||
# on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base,
|
# on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base,
|
||||||
# which yields a base_sublevel of 0.
|
# which yields a base_sublevel of 0.
|
||||||
%define base_sublevel 7
|
%define base_sublevel 8
|
||||||
|
|
||||||
## If this is a released kernel ##
|
## If this is a released kernel ##
|
||||||
%if 0%{?released_kernel}
|
%if 0%{?released_kernel}
|
||||||
@ -93,9 +93,9 @@ Summary: The Linux kernel
|
|||||||
# The next upstream release sublevel (base_sublevel+1)
|
# The next upstream release sublevel (base_sublevel+1)
|
||||||
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
|
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
|
||||||
# The rc snapshot level
|
# The rc snapshot level
|
||||||
%define rcrev 7
|
%define rcrev 0
|
||||||
# The git snapshot level
|
# The git snapshot level
|
||||||
%define gitrev 4
|
%define gitrev 0
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
%define rpmversion 3.%{upstream_sublevel}.0
|
%define rpmversion 3.%{upstream_sublevel}.0
|
||||||
%endif
|
%endif
|
||||||
@ -159,7 +159,7 @@ Summary: The Linux kernel
|
|||||||
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
|
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
|
||||||
# and 0 for rawhide (all kernels are debug kernels).
|
# and 0 for rawhide (all kernels are debug kernels).
|
||||||
# See also 'make debug' and 'make release'.
|
# See also 'make debug' and 'make release'.
|
||||||
%define debugbuildsenabled 0
|
%define debugbuildsenabled 1
|
||||||
|
|
||||||
# Want to build a vanilla kernel build without any non-upstream patches?
|
# Want to build a vanilla kernel build without any non-upstream patches?
|
||||||
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
|
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
|
||||||
@ -172,7 +172,7 @@ Summary: The Linux kernel
|
|||||||
%define doc_build_fail true
|
%define doc_build_fail true
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%define rawhide_skip_docs 1
|
%define rawhide_skip_docs 0
|
||||||
%if 0%{?rawhide_skip_docs}
|
%if 0%{?rawhide_skip_docs}
|
||||||
%define with_doc 0
|
%define with_doc 0
|
||||||
%define doc_build_fail true
|
%define doc_build_fail true
|
||||||
@ -669,7 +669,7 @@ Patch800: crash-driver.patch
|
|||||||
# crypto/
|
# crypto/
|
||||||
|
|
||||||
# secure boot
|
# secure boot
|
||||||
Patch1000: secure-boot-20130206.patch
|
Patch1000: secure-boot-20130218.patch
|
||||||
|
|
||||||
# virt + ksm patches
|
# virt + ksm patches
|
||||||
|
|
||||||
@ -753,9 +753,6 @@ Patch22000: weird-root-dentry-name-debug.patch
|
|||||||
#selinux ptrace child permissions
|
#selinux ptrace child permissions
|
||||||
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
|
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
|
||||||
|
|
||||||
# Build patch, should go away
|
|
||||||
Patch22070: irqnr-build.patch
|
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1388,7 +1385,7 @@ ApplyPatch crash-driver.patch
|
|||||||
# crypto/
|
# crypto/
|
||||||
|
|
||||||
# secure boot
|
# secure boot
|
||||||
ApplyPatch secure-boot-20130206.patch
|
ApplyPatch secure-boot-20130218.patch
|
||||||
|
|
||||||
# Assorted Virt Fixes
|
# Assorted Virt Fixes
|
||||||
|
|
||||||
@ -1435,9 +1432,6 @@ ApplyPatch weird-root-dentry-name-debug.patch
|
|||||||
#selinux ptrace child permissions
|
#selinux ptrace child permissions
|
||||||
ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
|
ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
|
||||||
|
|
||||||
#Build patch, should go away
|
|
||||||
ApplyPatch irqnr-build.patch
|
|
||||||
|
|
||||||
#rhbz 859485
|
#rhbz 859485
|
||||||
ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch
|
ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch
|
||||||
|
|
||||||
@ -2316,6 +2310,11 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 19 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-1
|
||||||
|
- Linux v3.8
|
||||||
|
- Fix build with CONFIG_EFI disabled, reported by Peter Bowey (rhbz 911833)
|
||||||
|
- Disable debugging options.
|
||||||
|
|
||||||
* Mon Feb 18 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc7.git4.1
|
* Mon Feb 18 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc7.git4.1
|
||||||
- Linux v3.8-rc7-93-gf741656
|
- Linux v3.8-rc7-93-gf741656
|
||||||
|
|
||||||
|
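Review bot: The new `%changelog` entry does not record that `Patch1000` now points at `secure-boot-20130218.patch`, and the patch headers further down the page show that series growing from 17 to 19 patches. "Fix build with CONFIG_EFI disabled" accounts for the `#ifdef CONFIG_EFI` added in patch 04, but presumably not for two additional patches in a security-sensitive series; their content is not visible in this part of the page. A line such as `- Update secure boot patch set to 20130218 (<summary of the two added patches>)` would make the change auditable from the package changelog.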
@ -1,7 +1,7 @@
|
|||||||
From 6fb120959c4578023de0af1af9c887ddf6859671 Mon Sep 17 00:00:00 2001
|
From 0c5837031a4e996877930fd023a5877dd1d615ba Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:40:56 -0400
|
Date: Thu, 20 Sep 2012 10:40:56 -0400
|
||||||
Subject: [PATCH 01/17] Secure boot: Add new capability
|
Subject: [PATCH 01/19] Secure boot: Add new capability
|
||||||
|
|
||||||
Secure boot adds certain policy requirements, including that root must not
|
Secure boot adds certain policy requirements, including that root must not
|
||||||
be able to do anything that could cause the kernel to execute arbitrary code.
|
be able to do anything that could cause the kernel to execute arbitrary code.
|
||||||
@ -32,13 +32,13 @@ index ba478fa..7109e65 100644
|
|||||||
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
|
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
|
||||||
|
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 7aa8eb6a4b228db7e2920f323f1ba97063163de1 Mon Sep 17 00:00:00 2001
|
From 87c8fddbcb3042fc4174b53763adbf66045a12be Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:05 -0400
|
Date: Thu, 20 Sep 2012 10:41:05 -0400
|
||||||
Subject: [PATCH 02/17] SELinux: define mapping for new Secure Boot capability
|
Subject: [PATCH 02/19] SELinux: define mapping for new Secure Boot capability
|
||||||
|
|
||||||
Add the name of the new Secure Boot capability. This allows SELinux
|
Add the name of the new Secure Boot capability. This allows SELinux
|
||||||
policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
|
policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
|
||||||
@ -65,13 +65,13 @@ index 14d04e6..ed99a2d 100644
|
|||||||
{ "tun_socket",
|
{ "tun_socket",
|
||||||
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
|
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 10ed514ecac144034eba27bf9436ef111ac2ebd2 Mon Sep 17 00:00:00 2001
|
From df14b5319bf3ed2110839e233ac61e6136745be8 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:02 -0400
|
Date: Thu, 20 Sep 2012 10:41:02 -0400
|
||||||
Subject: [PATCH 03/17] Secure boot: Add a dummy kernel parameter that will
|
Subject: [PATCH 03/19] Secure boot: Add a dummy kernel parameter that will
|
||||||
switch on Secure Boot mode
|
switch on Secure Boot mode
|
||||||
|
|
||||||
This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
|
This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
|
||||||
@ -85,7 +85,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
|||||||
2 files changed, 24 insertions(+)
|
2 files changed, 24 insertions(+)
|
||||||
|
|
||||||
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
|
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
|
||||||
index 363e348..832b39b 100644
|
index 6c72381..7dffdd5 100644
|
||||||
--- a/Documentation/kernel-parameters.txt
|
--- a/Documentation/kernel-parameters.txt
|
||||||
+++ b/Documentation/kernel-parameters.txt
|
+++ b/Documentation/kernel-parameters.txt
|
||||||
@@ -2654,6 +2654,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
|
@@ -2654,6 +2654,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
|
||||||
@ -131,13 +131,13 @@ index e0573a4..c3f4e3e 100644
|
|||||||
* prepare_kernel_cred - Prepare a set of credentials for a kernel service
|
* prepare_kernel_cred - Prepare a set of credentials for a kernel service
|
||||||
* @daemon: A userspace daemon to be used as a reference
|
* @daemon: A userspace daemon to be used as a reference
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 066b811cd05432ef91473cd349d20fa856d5ab18 Mon Sep 17 00:00:00 2001
|
From 49c76a665e8a09da48cbe271ea40266ca1a226c0 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:03 -0400
|
Date: Thu, 20 Sep 2012 10:41:03 -0400
|
||||||
Subject: [PATCH 04/17] efi: Enable secure boot lockdown automatically when
|
Subject: [PATCH 04/19] efi: Enable secure boot lockdown automatically when
|
||||||
enabled in firmware
|
enabled in firmware
|
||||||
|
|
||||||
The firmware has a set of flags that indicate whether secure boot is enabled
|
The firmware has a set of flags that indicate whether secure boot is enabled
|
||||||
@ -151,10 +151,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
|||||||
Documentation/x86/zero-page.txt | 2 ++
|
Documentation/x86/zero-page.txt | 2 ++
|
||||||
arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
|
arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
|
||||||
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
|
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
|
||||||
arch/x86/kernel/setup.c | 5 +++++
|
arch/x86/kernel/setup.c | 7 +++++++
|
||||||
include/linux/cred.h | 2 ++
|
include/linux/cred.h | 2 ++
|
||||||
include/linux/efi.h | 1 +
|
include/linux/efi.h | 1 +
|
||||||
6 files changed, 44 insertions(+), 1 deletion(-)
|
6 files changed, 46 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
|
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
|
||||||
index 199f453..ff651d3 100644
|
index 199f453..ff651d3 100644
|
||||||
@ -234,15 +234,17 @@ index c15ddaf..85d7685 100644
|
|||||||
* The sentinel is set to a nonzero value (0xff) in header.S.
|
* The sentinel is set to a nonzero value (0xff) in header.S.
|
||||||
*
|
*
|
||||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||||
index 8b24289..5355a54 100644
|
index 8b24289..d74b441 100644
|
||||||
--- a/arch/x86/kernel/setup.c
|
--- a/arch/x86/kernel/setup.c
|
||||||
+++ b/arch/x86/kernel/setup.c
|
+++ b/arch/x86/kernel/setup.c
|
||||||
@@ -1042,6 +1042,11 @@ void __init setup_arch(char **cmdline_p)
|
@@ -1042,6 +1042,13 @@ void __init setup_arch(char **cmdline_p)
|
||||||
|
|
||||||
io_delay_init();
|
io_delay_init();
|
||||||
|
|
||||||
+ if (boot_params.secure_boot) {
|
+ if (boot_params.secure_boot) {
|
||||||
|
+#ifdef CONFIG_EFI
|
||||||
+ set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
|
+ set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
|
||||||
|
+#endif
|
||||||
+ secureboot_enable();
|
+ secureboot_enable();
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -275,13 +277,13 @@ index 7a9498a..1ae16b6 100644
|
|||||||
#ifdef CONFIG_EFI
|
#ifdef CONFIG_EFI
|
||||||
# ifdef CONFIG_X86
|
# ifdef CONFIG_X86
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 8d8349396e90630e2617c5a855682a6c87a7ae4d Mon Sep 17 00:00:00 2001
|
From d4d1b3ad3e1a553c807b4ecafcbde4bf816e4db2 Mon Sep 17 00:00:00 2001
|
||||||
From: Dave Howells <dhowells@redhat.com>
|
From: Dave Howells <dhowells@redhat.com>
|
||||||
Date: Tue, 23 Oct 2012 09:30:54 -0400
|
Date: Tue, 23 Oct 2012 09:30:54 -0400
|
||||||
Subject: [PATCH 05/17] Add EFI signature data types
|
Subject: [PATCH 05/19] Add EFI signature data types
|
||||||
|
|
||||||
Add the data types that are used for containing hashes, keys and certificates
|
Add the data types that are used for containing hashes, keys and certificates
|
||||||
for cryptographic verification.
|
for cryptographic verification.
|
||||||
@ -330,13 +332,13 @@ index 1ae16b6..de7021d 100644
|
|||||||
* All runtime access to EFI goes through this structure:
|
* All runtime access to EFI goes through this structure:
|
||||||
*/
|
*/
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From a221d71dd4487a5ee2b337540d0258512b7c8dba Mon Sep 17 00:00:00 2001
|
From 3cffca89eadf7e0f0a266c370f8034f33723831a Mon Sep 17 00:00:00 2001
|
||||||
From: Dave Howells <dhowells@redhat.com>
|
From: Dave Howells <dhowells@redhat.com>
|
||||||
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
||||||
Subject: [PATCH 06/17] Add an EFI signature blob parser and key loader.
|
Subject: [PATCH 06/19] Add an EFI signature blob parser and key loader.
|
||||||
|
|
||||||
X.509 certificates are loaded into the specified keyring as asymmetric type
|
X.509 certificates are loaded into the specified keyring as asymmetric type
|
||||||
keys.
|
keys.
|
||||||
@ -509,13 +511,13 @@ index de7021d..64b3e55 100644
|
|||||||
* efi_range_is_wc - check the WC bit on an address range
|
* efi_range_is_wc - check the WC bit on an address range
|
||||||
* @start: starting kvirt address
|
* @start: starting kvirt address
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 9c9d291a605d1d0864d047cff75724ad1cb8b97d Mon Sep 17 00:00:00 2001
|
From 89ea7424726ae4f7265ab84e703cf2da77acda57 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Fri, 26 Oct 2012 12:36:24 -0400
|
Date: Fri, 26 Oct 2012 12:36:24 -0400
|
||||||
Subject: [PATCH 07/17] MODSIGN: Add module certificate blacklist keyring
|
Subject: [PATCH 07/19] MODSIGN: Add module certificate blacklist keyring
|
||||||
|
|
||||||
This adds an additional keyring that is used to store certificates that
|
This adds an additional keyring that is used to store certificates that
|
||||||
are blacklisted. This keyring is searched first when loading signed modules
|
are blacklisted. This keyring is searched first when loading signed modules
|
||||||
@ -618,13 +620,13 @@ index f2970bd..5423195 100644
|
|||||||
&key_type_asymmetric, id);
|
&key_type_asymmetric, id);
|
||||||
if (IS_ERR(key))
|
if (IS_ERR(key))
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 4b85122267e2ac07833e20f0cac71c5c8c9ac65c Mon Sep 17 00:00:00 2001
|
From 733a5c25b896d8d5fa0051825a671911b50cb47d Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
||||||
Subject: [PATCH 08/17] MODSIGN: Import certificates from UEFI Secure Boot
|
Subject: [PATCH 08/19] MODSIGN: Import certificates from UEFI Secure Boot
|
||||||
|
|
||||||
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
||||||
This imports those certificates into the module signing keyring. This
|
This imports those certificates into the module signing keyring. This
|
||||||
@ -803,13 +805,13 @@ index 0000000..b9237d7
|
|||||||
+}
|
+}
|
||||||
+late_initcall(load_uefi_certs);
|
+late_initcall(load_uefi_certs);
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From e6f51e0b73bdaf0bb8d6ebc07e041ce3b6126e9c Mon Sep 17 00:00:00 2001
|
From 16027d676baed34a9de804dac68d48096a688b39 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:40:57 -0400
|
Date: Thu, 20 Sep 2012 10:40:57 -0400
|
||||||
Subject: [PATCH 09/17] PCI: Lock down BAR access in secure boot environments
|
Subject: [PATCH 09/19] PCI: Lock down BAR access in secure boot environments
|
||||||
|
|
||||||
Any hardware that can potentially generate DMA has to be locked down from
|
Any hardware that can potentially generate DMA has to be locked down from
|
||||||
userspace in order to avoid it being possible for an attacker to cause
|
userspace in order to avoid it being possible for an attacker to cause
|
||||||
@ -904,13 +906,13 @@ index e1c1ec5..97e785f 100644
|
|||||||
|
|
||||||
dev = pci_get_bus_and_slot(bus, dfn);
|
dev = pci_get_bus_and_slot(bus, dfn);
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From c4399308a252ca147971bd6d2f1f56557f279201 Mon Sep 17 00:00:00 2001
|
From 9ff1537bbe8c22bbf7f992027da43d4fe8da0860 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:40:58 -0400
|
Date: Thu, 20 Sep 2012 10:40:58 -0400
|
||||||
Subject: [PATCH 10/17] x86: Lock down IO port access in secure boot
|
Subject: [PATCH 10/19] x86: Lock down IO port access in secure boot
|
||||||
environments
|
environments
|
||||||
|
|
||||||
IO port access would permit users to gain access to PCI configuration
|
IO port access would permit users to gain access to PCI configuration
|
||||||
@ -961,13 +963,13 @@ index c6fa3bc..fc28099 100644
|
|||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
while (count-- > 0 && i < 65536) {
|
while (count-- > 0 && i < 65536) {
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From b3e2bb87699c1b0aa235c772c1c5ae376b63ea49 Mon Sep 17 00:00:00 2001
|
From 3b27408b1ced1ec83a3ce27f9d51161dbf7cea9a Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:40:59 -0400
|
Date: Thu, 20 Sep 2012 10:40:59 -0400
|
||||||
Subject: [PATCH 11/17] ACPI: Limit access to custom_method
|
Subject: [PATCH 11/19] ACPI: Limit access to custom_method
|
||||||
|
|
||||||
It must be impossible for even root to get code executed in kernel context
|
It must be impossible for even root to get code executed in kernel context
|
||||||
under a secure boot environment. custom_method effectively allows arbitrary
|
under a secure boot environment. custom_method effectively allows arbitrary
|
||||||
@ -993,13 +995,13 @@ index 5d42c24..247d58b 100644
|
|||||||
/* parse the table header to get the table length */
|
/* parse the table header to get the table length */
|
||||||
if (count <= sizeof(struct acpi_table_header))
|
if (count <= sizeof(struct acpi_table_header))
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 300b9cc9e0833d66b0ea49c259c1e2f7dfe7de12 Mon Sep 17 00:00:00 2001
|
From fb618a04089d454b7ade68c00a2b9c7dbac013f9 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:00 -0400
|
Date: Thu, 20 Sep 2012 10:41:00 -0400
|
||||||
Subject: [PATCH 12/17] asus-wmi: Restrict debugfs interface
|
Subject: [PATCH 12/19] asus-wmi: Restrict debugfs interface
|
||||||
|
|
||||||
We have no way of validating what all of the Asus WMI methods do on a
|
We have no way of validating what all of the Asus WMI methods do on a
|
||||||
given machine, and there's a risk that some will allow hardware state to
|
given machine, and there's a risk that some will allow hardware state to
|
||||||
@ -1046,13 +1048,13 @@ index f80ae4d..059195f 100644
|
|||||||
1, asus->debug.method_id,
|
1, asus->debug.method_id,
|
||||||
&input, &output);
|
&input, &output);
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 690713487cf5ac3949cf915e28a75a1270e2c2a6 Mon Sep 17 00:00:00 2001
|
From e515bbd5410d00835390fd8981aa9029e7b22b73 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:01 -0400
|
Date: Thu, 20 Sep 2012 10:41:01 -0400
|
||||||
Subject: [PATCH 13/17] Restrict /dev/mem and /dev/kmem in secure boot setups
|
Subject: [PATCH 13/19] Restrict /dev/mem and /dev/kmem in secure boot setups
|
||||||
|
|
||||||
Allowing users to write to address space makes it possible for the kernel
|
Allowing users to write to address space makes it possible for the kernel
|
||||||
to be subverted. Restrict this when we need to protect the kernel.
|
to be subverted. Restrict this when we need to protect the kernel.
|
||||||
@ -1087,13 +1089,13 @@ index fc28099..b5df7a8 100644
|
|||||||
unsigned long to_write = min_t(unsigned long, count,
|
unsigned long to_write = min_t(unsigned long, count,
|
||||||
(unsigned long)high_memory - p);
|
(unsigned long)high_memory - p);
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From 170cc9e113785b6f38cbd4bf5d8bbd42d844d119 Mon Sep 17 00:00:00 2001
|
From fe27dd192ef250abcbaba973a14d43b21d7be497 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:04 -0400
|
Date: Thu, 20 Sep 2012 10:41:04 -0400
|
||||||
Subject: [PATCH 14/17] acpi: Ignore acpi_rsdp kernel parameter in a secure
|
Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
|
||||||
boot environment
|
boot environment
|
||||||
|
|
||||||
This option allows userspace to pass the RSDP address to the kernel. This
|
This option allows userspace to pass the RSDP address to the kernel. This
|
||||||
@ -1119,13 +1121,13 @@ index bd22f86..88251d2 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From eb021ca148e35633480ece4b472807a621ca9a5f Mon Sep 17 00:00:00 2001
|
From c937b2c8e179bfdadb6617c0028f558e4d701e46 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Tue, 4 Sep 2012 11:55:13 -0400
|
Date: Tue, 4 Sep 2012 11:55:13 -0400
|
||||||
Subject: [PATCH 15/17] kexec: Disable in a secure boot environment
|
Subject: [PATCH 15/19] kexec: Disable in a secure boot environment
|
||||||
|
|
||||||
kexec could be used as a vector for a malicious user to use a signed kernel
|
kexec could be used as a vector for a malicious user to use a signed kernel
|
||||||
to circumvent the secure boot trust model. In the long run we'll want to
|
to circumvent the secure boot trust model. In the long run we'll want to
|
||||||
@ -1151,13 +1153,13 @@ index 5e4bd78..dd464e0 100644
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From f170b22efeffede02664836a24604febd85ca061 Mon Sep 17 00:00:00 2001
|
From f08e390045266d53543a55afa16ca4be5a1c6316 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Fri, 5 Oct 2012 10:12:48 -0400
|
Date: Fri, 5 Oct 2012 10:12:48 -0400
|
||||||
Subject: [PATCH 16/17] MODSIGN: Always enforce module signing in a Secure Boot
|
Subject: [PATCH 16/19] MODSIGN: Always enforce module signing in a Secure Boot
|
||||||
environment
|
environment
|
||||||
|
|
||||||
If a machine is booted into a Secure Boot environment, we need to
|
If a machine is booted into a Secure Boot environment, we need to
|
||||||
@ -1213,13 +1215,13 @@ index eab0827..93a16dc 100644
|
|||||||
static int param_set_bool_enable_only(const char *val,
|
static int param_set_bool_enable_only(const char *val,
|
||||||
const struct kernel_param *kp)
|
const struct kernel_param *kp)
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
From c44db6a096f11bd19182cb52c70fbd2f3de3dc6a Mon Sep 17 00:00:00 2001
|
From 54ba1eec5847d964b1d458a240b50271b9a356a4 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Fri, 26 Oct 2012 14:02:09 -0400
|
Date: Fri, 26 Oct 2012 14:02:09 -0400
|
||||||
Subject: [PATCH 17/17] hibernate: Disable in a Secure Boot environment
|
Subject: [PATCH 17/19] hibernate: Disable in a Secure Boot environment
|
||||||
|
|
||||||
There is currently no way to verify the resume image when returning
|
There is currently no way to verify the resume image when returning
|
||||||
from hibernate. This might compromise the secure boot trust model,
|
from hibernate. This might compromise the secure boot trust model,
|
||||||
@ -1327,12 +1329,13 @@ index 4ed81e7..b11a0f4 100644
|
|||||||
|
|
||||||
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
|
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
From 04a46ceeb9eb2dca0364ce836614de722e988c81 Mon Sep 17 00:00:00 2001
|
|
||||||
|
From 686090054f6c3784218b318c7adcc3c1f0ca5069 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Tue, 5 Feb 2013 19:25:05 -0500
|
Date: Tue, 5 Feb 2013 19:25:05 -0500
|
||||||
Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
|
Subject: [PATCH 18/19] efi: Disable secure boot if shim is in insecure mode
|
||||||
|
|
||||||
A user can manually tell the shim boot loader to disable validation of
|
A user can manually tell the shim boot loader to disable validation of
|
||||||
images it loads. When a user does this, it creates a UEFI variable called
|
images it loads. When a user does this, it creates a UEFI variable called
|
||||||
@ -1385,61 +1388,20 @@ index 96bd86b..6e1331c 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
Delivered-To: jwboyer@gmail.com
|
From df607d2d5061b04f8a686cd74edd72c1f2836d8c Mon Sep 17 00:00:00 2001
|
||||||
Received: by 10.76.99.210 with SMTP id es18csp140114oab;
|
From: Kees Cook <keescook@chromium.org>
|
||||||
Fri, 8 Feb 2013 11:12:52 -0800 (PST)
|
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
||||||
X-Received: by 10.66.86.71 with SMTP id n7mr19917975paz.77.1360350771724;
|
Subject: [PATCH 19/19] x86: Lock down MSR writing in secure boot
|
||||||
Fri, 08 Feb 2013 11:12:51 -0800 (PST)
|
|
||||||
Return-Path: <linux-efi-owner@vger.kernel.org>
|
|
||||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
|
||||||
by mx.google.com with ESMTP id e5si41603022pax.261.2013.02.08.11.12.50;
|
|
||||||
Fri, 08 Feb 2013 11:12:51 -0800 (PST)
|
|
||||||
Received-SPF: pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
|
||||||
Authentication-Results: mx.google.com;
|
|
||||||
spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-efi-owner@vger.kernel.org
|
|
||||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
|
||||||
id S1760288Ab3BHTM0 (ORCPT <rfc822;sangshuduo@gmail.com>
|
|
||||||
+ 14 others); Fri, 8 Feb 2013 14:12:26 -0500
|
|
||||||
Received: from smtp.outflux.net ([198.145.64.163]:49396 "EHLO smtp.outflux.net"
|
|
||||||
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
|
|
||||||
id S1760349Ab3BHTMY (ORCPT <rfc822;linux-efi@vger.kernel.org>);
|
|
||||||
Fri, 8 Feb 2013 14:12:24 -0500
|
|
||||||
Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
|
|
||||||
by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r18JCEtT006197;
|
|
||||||
Fri, 8 Feb 2013 11:12:14 -0800
|
|
||||||
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
To: linux-kernel@vger.kernel.org
|
|
||||||
Cc: Matthew Garrett <matthew.garrett@nebula.com>,
|
|
||||||
"H. Peter Anvin" <hpa@zytor.com>,
|
|
||||||
Thomas Gleixner <tglx@linutronix.de>,
|
|
||||||
Ingo Molnar <mingo@redhat.com>, x86@kernel.org,
|
|
||||||
linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org
|
|
||||||
Subject: [PATCH] x86: Lock down MSR writing in secure boot
|
|
||||||
Message-ID: <20130208191213.GA25081@www.outflux.net>
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=us-ascii
|
|
||||||
Content-Disposition: inline
|
|
||||||
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
|
|
||||||
X-HELO: www.outflux.net
|
|
||||||
X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
|
|
||||||
Sender: linux-efi-owner@vger.kernel.org
|
|
||||||
Precedence: bulk
|
|
||||||
List-ID: <linux-efi.vger.kernel.org>
|
|
||||||
X-Mailing-List: linux-efi@vger.kernel.org
|
|
||||||
|
|
||||||
Writing to MSRs should not be allowed unless CAP_COMPROMISE_KERNEL is
|
Writing to MSRs should not be allowed unless CAP_COMPROMISE_KERNEL is
|
||||||
set since it could lead to execution of arbitrary code in kernel mode.
|
set since it could lead to execution of arbitrary code in kernel mode.
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||||
---
|
---
|
||||||
This would be used on top of Matthew Garrett's existing "Secure boot
|
arch/x86/kernel/msr.c | 7 +++++++
|
||||||
policy support" patch series.
|
|
||||||
---
|
|
||||||
arch/x86/kernel/msr.c | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
|
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
|
||||||
@ -1468,13 +1430,5 @@ index 4929502..adaab3d 100644
|
|||||||
err = -EFAULT;
|
err = -EFAULT;
|
||||||
break;
|
break;
|
||||||
--
|
--
|
||||||
1.7.9.5
|
1.8.1.2
|
||||||
|
|
||||||
|
|
||||||
--
|
|
||||||
Kees Cook
|
|
||||||
Chrome OS Security
|
|
||||||
--
|
|
||||||
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
|
|
||||||
the body of a message to majordomo@vger.kernel.org
|
|
||||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|