Merge branch 'master' of ssh://pkgs.fedoraproject.org/kernel

This commit is contained in:
Peter Robinson 2013-01-31 23:17:54 +00:00
commit cb71575bc5
5 changed files with 58 additions and 623 deletions

View File

@ -29,7 +29,7 @@ CONFIG_SLUB_DEBUG_ON=y
# CONFIG_LOCK_STAT is not set
# CONFIG_DEBUG_STACK_USAGE is not set
CONFIG_DEBUG_STACK_USAGE=y
# CONFIG_ACPI_DEBUG is not set
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set

View File

@ -1,24 +0,0 @@
efivarfs_unlink() should drop the file's link count, not the directory's.
Tested-by: Lee, Chun-Yi <jlee@suse.com>
Signed-off-by: Lingzhu Xiang <lxiang@redhat.com>
---
drivers/firmware/efivars.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
index d6b8d2f..60f5324 100644
--- a/drivers/firmware/efivars.c
+++ b/drivers/firmware/efivars.c
@@ -995,7 +995,7 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry)
list_del(&var->list);
spin_unlock(&efivars->lock);
efivar_unregister(var);
- drop_nlink(dir);
+ drop_nlink(dentry->d_inode);
dput(dentry);
return 0;
}
--
1.7.7.6

View File

@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 5
# The git snapshot level
%define gitrev 2
%define gitrev 3
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@ -669,8 +669,7 @@ Patch800: crash-driver.patch
# crypto/
# secure boot
Patch1000: secure-boot-20130124.patch
Patch1001: efivarfs-nlink-fix.patch
Patch1000: secure-boot-20130131.patch
# virt + ksm patches
@ -1381,8 +1380,7 @@ ApplyPatch crash-driver.patch
# crypto/
# secure boot
ApplyPatch secure-boot-20130124.patch
ApplyPatch efivarfs-nlink-fix.patch
ApplyPatch secure-boot-20130131.patch
# Assorted Virt Fixes
@ -2303,6 +2301,10 @@ fi
# ||----w |
# || ||
%changelog
* Thu Jan 31 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc5.git3.1
- Linux v3.8-rc5-245-g04c2eee
- Enable CONFIG_DEBUG_STACK_USAGE
* Wed Jan 30 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc5.git2.1
- Linux v3.8-rc5-218-ga56e160
- Enable NAMESPACES and CHECKPOINT_RESTORE on x86_64 for F19 CRIU feature

View File

@ -1,551 +1,7 @@
From 10271230f790bda30cd4f6767fce25ad6da4a9cf Mon Sep 17 00:00:00 2001
From: Matt Fleming <matt.fleming@intel.com>
Date: Wed, 14 Nov 2012 09:42:35 +0000
Subject: [PATCH 1/2] efi: Make 'efi_enabled' a function to query EFI
facilities
Originally 'efi_enabled' indicated whether a kernel was booted from
EFI firmware. Over time its semantics have changed, and it now
indicates whether or not we are booted on an EFI machine with
bit-native firmware, e.g. 64-bit kernel with 64-bit firmware.
The immediate motivation for this patch is the bug report at,
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557
which details how running a platform driver on an EFI machine that is
designed to run under BIOS can cause the machine to become
bricked. Also, the following report,
https://bugzilla.kernel.org/show_bug.cgi?id=47121
details how running said driver can also cause Machine Check
Exceptions. Drivers need a new means of detecting whether they're
running on an EFI machine, as sadly the expression,
if (!efi_enabled)
hasn't been a sufficient condition for quite some time.
Users actually want to query 'efi_enabled' for different reasons -
what they really want access to is the list of available EFI
facilities.
For instance, the x86 reboot code needs to know whether it can invoke
the ResetSystem() function provided by the EFI runtime services, while
the ACPI OSL code wants to know whether the EFI config tables were
mapped successfully. There are also checks in some of the platform
driver code to simply see if they're running on an EFI machine (which
would make it a bad idea to do BIOS-y things).
Cc: David Airlie <airlied@linux.ie>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Corentin Chary <corentincj@iksaif.net>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Olof Johansson <olof@lixom.net>
Cc: Peter Jones <pjones@redhat.com>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Steve Langasek <steve.langasek@canonical.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Konrad Rzeszutek Wilk <konrad@kernel.org>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Cc: stable@vger.kernel.org
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
---
arch/x86/include/asm/efi.h | 1 +
arch/x86/kernel/reboot.c | 2 +-
arch/x86/kernel/setup.c | 28 ++++++++---------
arch/x86/platform/efi/efi.c | 57 ++++++++++++++++++++--------------
drivers/acpi/osl.c | 2 +-
drivers/firmware/dmi_scan.c | 2 +-
drivers/firmware/efivars.c | 4 +--
drivers/firmware/iscsi_ibft_find.c | 2 +-
drivers/gpu/drm/radeon/radeon_device.c | 3 +-
drivers/platform/x86/ibm_rtl.c | 2 +-
drivers/scsi/isci/init.c | 2 +-
include/linux/efi.h | 24 ++++++++++----
init/main.c | 4 +--
13 files changed, 79 insertions(+), 54 deletions(-)
diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
index 6e8fdf5..28677c5 100644
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -94,6 +94,7 @@ extern void __iomem *efi_ioremap(unsigned long addr, unsigned long size,
#endif /* CONFIG_X86_32 */
extern int add_efi_memmap;
+extern unsigned long x86_efi_facility;
extern void efi_set_executable(efi_memory_desc_t *md, bool executable);
extern int efi_memblock_x86_reserve_range(void);
extern void efi_call_phys_prelog(void);
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
index 4e8ba39..76fa1e9 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -584,7 +584,7 @@ static void native_machine_emergency_restart(void)
break;
case BOOT_EFI:
- if (efi_enabled)
+ if (efi_enabled(EFI_RUNTIME_SERVICES))
efi.reset_system(reboot_mode ?
EFI_RESET_WARM :
EFI_RESET_COLD,
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 23ddd55..dbc7369 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -729,15 +729,15 @@ void __init setup_arch(char **cmdline_p)
#ifdef CONFIG_EFI
if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
"EL32", 4)) {
- efi_enabled = 1;
- efi_64bit = false;
+ set_bit(EFI_BOOT, &x86_efi_facility);
} else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
"EL64", 4)) {
- efi_enabled = 1;
- efi_64bit = true;
+ set_bit(EFI_BOOT, &x86_efi_facility);
+ set_bit(EFI_64BIT, &x86_efi_facility);
}
- if (efi_enabled && efi_memblock_x86_reserve_range())
- efi_enabled = 0;
+
+ if (efi_enabled(EFI_BOOT))
+ efi_memblock_x86_reserve_range();
#endif
x86_init.oem.arch_setup();
@@ -810,7 +810,7 @@ void __init setup_arch(char **cmdline_p)
finish_e820_parsing();
- if (efi_enabled)
+ if (efi_enabled(EFI_BOOT))
efi_init();
dmi_scan_machine();
@@ -893,7 +893,7 @@ void __init setup_arch(char **cmdline_p)
* The EFI specification says that boot service code won't be called
* after ExitBootServices(). This is, in fact, a lie.
*/
- if (efi_enabled)
+ if (efi_enabled(EFI_MEMMAP))
efi_reserve_boot_services();
/* preallocate 4k for mptable mpc */
@@ -1034,7 +1034,7 @@ void __init setup_arch(char **cmdline_p)
#ifdef CONFIG_VT
#if defined(CONFIG_VGA_CONSOLE)
- if (!efi_enabled || (efi_mem_type(0xa0000) != EFI_CONVENTIONAL_MEMORY))
+ if (!efi_enabled(EFI_BOOT) || (efi_mem_type(0xa0000) != EFI_CONVENTIONAL_MEMORY))
conswitchp = &vga_con;
#elif defined(CONFIG_DUMMY_CONSOLE)
conswitchp = &dummy_con;
@@ -1051,14 +1051,14 @@ void __init setup_arch(char **cmdline_p)
register_refined_jiffies(CLOCK_TICK_RATE);
#ifdef CONFIG_EFI
- /* Once setup is done above, disable efi_enabled on mismatched
- * firmware/kernel archtectures since there is no support for
- * runtime services.
+ /* Once setup is done above, unmap the EFI memory map on
+ * mismatched firmware/kernel archtectures since there is no
+ * support for runtime services.
*/
- if (efi_enabled && IS_ENABLED(CONFIG_X86_64) != efi_64bit) {
+ if (efi_enabled(EFI_BOOT) &&
+ IS_ENABLED(CONFIG_X86_64) != efi_enabled(EFI_64BIT)) {
pr_info("efi: Setup done, disabling due to 32/64-bit mismatch\n");
efi_unmap_memmap();
- efi_enabled = 0;
}
#endif
}
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
index ad44391..5426e48 100644
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -51,9 +51,6 @@
#define EFI_DEBUG 1
-int efi_enabled;
-EXPORT_SYMBOL(efi_enabled);
-
struct efi __read_mostly efi = {
.mps = EFI_INVALID_TABLE_ADDR,
.acpi = EFI_INVALID_TABLE_ADDR,
@@ -69,19 +66,28 @@ EXPORT_SYMBOL(efi);
struct efi_memory_map memmap;
-bool efi_64bit;
-
static struct efi efi_phys __initdata;
static efi_system_table_t efi_systab __initdata;
static inline bool efi_is_native(void)
{
- return IS_ENABLED(CONFIG_X86_64) == efi_64bit;
+ return IS_ENABLED(CONFIG_X86_64) == efi_enabled(EFI_64BIT);
+}
+
+unsigned long x86_efi_facility;
+
+/*
+ * Returns 1 if 'facility' is enabled, 0 otherwise.
+ */
+int efi_enabled(int facility)
+{
+ return test_bit(facility, &x86_efi_facility) != 0;
}
+EXPORT_SYMBOL(efi_enabled);
static int __init setup_noefi(char *arg)
{
- efi_enabled = 0;
+ clear_bit(EFI_BOOT, &x86_efi_facility);
return 0;
}
early_param("noefi", setup_noefi);
@@ -426,6 +432,7 @@ void __init efi_reserve_boot_services(void)
void __init efi_unmap_memmap(void)
{
+ clear_bit(EFI_MEMMAP, &x86_efi_facility);
if (memmap.map) {
early_iounmap(memmap.map, memmap.nr_map * memmap.desc_size);
memmap.map = NULL;
@@ -460,7 +467,7 @@ void __init efi_free_boot_services(void)
static int __init efi_systab_init(void *phys)
{
- if (efi_64bit) {
+ if (efi_enabled(EFI_64BIT)) {
efi_system_table_64_t *systab64;
u64 tmp = 0;
@@ -552,7 +559,7 @@ static int __init efi_config_init(u64 tables, int nr_tables)
void *config_tables, *tablep;
int i, sz;
- if (efi_64bit)
+ if (efi_enabled(EFI_64BIT))
sz = sizeof(efi_config_table_64_t);
else
sz = sizeof(efi_config_table_32_t);
@@ -572,7 +579,7 @@ static int __init efi_config_init(u64 tables, int nr_tables)
efi_guid_t guid;
unsigned long table;
- if (efi_64bit) {
+ if (efi_enabled(EFI_64BIT)) {
u64 table64;
guid = ((efi_config_table_64_t *)tablep)->guid;
table64 = ((efi_config_table_64_t *)tablep)->table;
@@ -684,7 +691,6 @@ void __init efi_init(void)
if (boot_params.efi_info.efi_systab_hi ||
boot_params.efi_info.efi_memmap_hi) {
pr_info("Table located above 4GB, disabling EFI.\n");
- efi_enabled = 0;
return;
}
efi_phys.systab = (efi_system_table_t *)boot_params.efi_info.efi_systab;
@@ -694,10 +700,10 @@ void __init efi_init(void)
((__u64)boot_params.efi_info.efi_systab_hi<<32));
#endif
- if (efi_systab_init(efi_phys.systab)) {
- efi_enabled = 0;
+ if (efi_systab_init(efi_phys.systab))
return;
- }
+
+ set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
/*
* Show what we know for posterity
@@ -715,10 +721,10 @@ void __init efi_init(void)
efi.systab->hdr.revision >> 16,
efi.systab->hdr.revision & 0xffff, vendor);
- if (efi_config_init(efi.systab->tables, efi.systab->nr_tables)) {
- efi_enabled = 0;
+ if (efi_config_init(efi.systab->tables, efi.systab->nr_tables))
return;
- }
+
+ set_bit(EFI_CONFIG_TABLES, &x86_efi_facility);
/*
* Note: We currently don't support runtime services on an EFI
@@ -727,15 +733,17 @@ void __init efi_init(void)
if (!efi_is_native())
pr_info("No EFI runtime due to 32/64-bit mismatch with kernel\n");
- else if (efi_runtime_init()) {
- efi_enabled = 0;
- return;
+ else {
+ if (efi_runtime_init())
+ return;
+ set_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility);
}
- if (efi_memmap_init()) {
- efi_enabled = 0;
+ if (efi_memmap_init())
return;
- }
+
+ set_bit(EFI_MEMMAP, &x86_efi_facility);
+
#ifdef CONFIG_X86_32
if (efi_is_native()) {
x86_platform.get_wallclock = efi_get_time;
@@ -969,6 +977,9 @@ u32 efi_mem_type(unsigned long phys_addr)
efi_memory_desc_t *md;
void *p;
+ if (!efi_enabled(EFI_MEMMAP))
+ return 0;
+
for (p = memmap.map; p < memmap.map_end; p += memmap.desc_size) {
md = p;
if ((md->phys_addr <= phys_addr) &&
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 3ff2678..bd22f86 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -250,7 +250,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
return acpi_rsdp;
#endif
- if (efi_enabled) {
+ if (efi_enabled(EFI_CONFIG_TABLES)) {
if (efi.acpi20 != EFI_INVALID_TABLE_ADDR)
return efi.acpi20;
else if (efi.acpi != EFI_INVALID_TABLE_ADDR)
diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
index fd3ae62..982f1f5 100644
--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
@@ -471,7 +471,7 @@ void __init dmi_scan_machine(void)
char __iomem *p, *q;
int rc;
- if (efi_enabled) {
+ if (efi_enabled(EFI_CONFIG_TABLES)) {
if (efi.smbios == EFI_INVALID_TABLE_ADDR)
goto error;
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
index 7b1c374..1065119 100644
--- a/drivers/firmware/efivars.c
+++ b/drivers/firmware/efivars.c
@@ -1782,7 +1782,7 @@ efivars_init(void)
printk(KERN_INFO "EFI Variables Facility v%s %s\n", EFIVARS_VERSION,
EFIVARS_DATE);
- if (!efi_enabled)
+ if (!efi_enabled(EFI_RUNTIME_SERVICES))
return 0;
/* For now we'll register the efi directory at /sys/firmware/efi */
@@ -1822,7 +1822,7 @@ err_put:
static void __exit
efivars_exit(void)
{
- if (efi_enabled) {
+ if (efi_enabled(EFI_RUNTIME_SERVICES)) {
unregister_efivars(&__efivars);
kobject_put(efi_kobj);
}
diff --git a/drivers/firmware/iscsi_ibft_find.c b/drivers/firmware/iscsi_ibft_find.c
index 4da4eb9..2224f1d 100644
--- a/drivers/firmware/iscsi_ibft_find.c
+++ b/drivers/firmware/iscsi_ibft_find.c
@@ -99,7 +99,7 @@ unsigned long __init find_ibft_region(unsigned long *sizep)
/* iBFT 1.03 section 1.4.3.1 mandates that UEFI machines will
* only use ACPI for this */
- if (!efi_enabled)
+ if (!efi_enabled(EFI_BOOT))
find_ibft_in_mem();
if (ibft_addr) {
diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
index cd75626..9a68174 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -429,7 +429,8 @@ bool radeon_card_posted(struct radeon_device *rdev)
{
uint32_t reg;
- if (efi_enabled && rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE)
+ if (efi_enabled(EFI_BOOT) &&
+ rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE)
return false;
/* first check CRTCs */
diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
index 7481146..97c2be1 100644
--- a/drivers/platform/x86/ibm_rtl.c
+++ b/drivers/platform/x86/ibm_rtl.c
@@ -244,7 +244,7 @@ static int __init ibm_rtl_init(void) {
if (force)
pr_warn("module loaded by force\n");
/* first ensure that we are running on IBM HW */
- else if (efi_enabled || !dmi_check_system(ibm_rtl_dmi_table))
+ else if (efi_enabled(EFI_BOOT) || !dmi_check_system(ibm_rtl_dmi_table))
return -ENODEV;
/* Get the address for the Extended BIOS Data Area */
diff --git a/drivers/scsi/isci/init.c b/drivers/scsi/isci/init.c
index b74050b..9ac1e9d 100644
--- a/drivers/scsi/isci/init.c
+++ b/drivers/scsi/isci/init.c
@@ -633,7 +633,7 @@ static int __devinit isci_pci_probe(struct pci_dev *pdev, const struct pci_devic
return -ENOMEM;
pci_set_drvdata(pdev, pci_info);
- if (efi_enabled)
+ if (efi_enabled(EFI_RUNTIME_SERVICES))
orom = isci_get_efi_var(pdev);
if (!orom)
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 8b84916..7a9498a 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -618,18 +618,30 @@ extern int __init efi_setup_pcdp_console(char *);
#endif
/*
- * We play games with efi_enabled so that the compiler will, if possible, remove
- * EFI-related code altogether.
+ * We play games with efi_enabled so that the compiler will, if
+ * possible, remove EFI-related code altogether.
*/
+#define EFI_BOOT 0 /* Were we booted from EFI? */
+#define EFI_SYSTEM_TABLES 1 /* Can we use EFI system tables? */
+#define EFI_CONFIG_TABLES 2 /* Can we use EFI config tables? */
+#define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */
+#define EFI_MEMMAP 4 /* Can we use EFI memory map? */
+#define EFI_64BIT 5 /* Is the firmware 64-bit? */
+
#ifdef CONFIG_EFI
# ifdef CONFIG_X86
- extern int efi_enabled;
- extern bool efi_64bit;
+extern int efi_enabled(int facility);
# else
-# define efi_enabled 1
+static inline int efi_enabled(int facility)
+{
+ return 1;
+}
# endif
#else
-# define efi_enabled 0
+static inline int efi_enabled(int facility)
+{
+ return 0;
+}
#endif
/*
diff --git a/init/main.c b/init/main.c
index 85d69df..cd30179 100644
--- a/init/main.c
+++ b/init/main.c
@@ -604,7 +604,7 @@ asmlinkage void __init start_kernel(void)
pidmap_init();
anon_vma_init();
#ifdef CONFIG_X86
- if (efi_enabled)
+ if (efi_enabled(EFI_RUNTIME_SERVICES))
efi_enter_virtual_mode();
#endif
thread_info_cache_init();
@@ -632,7 +632,7 @@ asmlinkage void __init start_kernel(void)
acpi_early_init(); /* before LAPIC and SMP init */
sfi_init_late();
- if (efi_enabled) {
+ if (efi_enabled(EFI_RUNTIME_SERVICES)) {
efi_late_init();
efi_free_boot_services();
}
--
1.8.1
From 87123c25437f0da326b2f63cae8ab9aabac6fd6c Mon Sep 17 00:00:00 2001
From: Matt Fleming <matt.fleming@intel.com>
Date: Thu, 3 Jan 2013 09:02:37 +0000
Subject: [PATCH 2/2] samsung-laptop: Disable on EFI hardware
It has been reported that running this driver on some Samsung laptops
with EFI can cause those machines to become bricked as detailed in the
following report,
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557
There have also been reports of this driver causing Machine Check
Exceptions on recent EFI-enabled Samsung laptops,
https://bugzilla.kernel.org/show_bug.cgi?id=47121
So disable it if booting from EFI since this driver relies on
grovelling around in the BIOS memory map which isn't going to work.
Acked-by: H. Peter Anvin <hpa@zytor.com>
Cc: Corentin Chary <corentincj@iksaif.net>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Steve Langasek <steve.langasek@canonical.com>
Cc: platform-driver-x86@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
---
drivers/platform/x86/samsung-laptop.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
index dd90d15..5a89ca1 100644
--- a/drivers/platform/x86/samsung-laptop.c
+++ b/drivers/platform/x86/samsung-laptop.c
@@ -26,6 +26,7 @@
#include <linux/seq_file.h>
#include <linux/debugfs.h>
#include <linux/ctype.h>
+#include <linux/efi.h>
#include <acpi/video.h>
/*
@@ -1534,6 +1535,9 @@ static int __init samsung_init(void)
struct samsung_laptop *samsung;
int ret;
+ if (efi_enabled(EFI_BOOT))
+ return -ENODEV;
+
quirks = &samsung_unknown;
if (!force && !dmi_check_system(samsung_dmi_table))
return -ENODEV;
--
1.8.1
From 078aac950b94287072864fe8db0c690b8343f364 Mon Sep 17 00:00:00 2001
From 6fb120959c4578023de0af1af9c887ddf6859671 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:56 -0400
Subject: [PATCH 03/19] Secure boot: Add new capability
Subject: [PATCH 01/17] Secure boot: Add new capability
Secure boot adds certain policy requirements, including that root must not
be able to do anything that could cause the kernel to execute arbitrary code.
@ -579,10 +35,10 @@ index ba478fa..7109e65 100644
1.8.1
From b3f043c11522faad4a0a2ed54bc204af9157f4cf Mon Sep 17 00:00:00 2001
From 7aa8eb6a4b228db7e2920f323f1ba97063163de1 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:05 -0400
Subject: [PATCH 04/19] SELinux: define mapping for new Secure Boot capability
Subject: [PATCH 02/17] SELinux: define mapping for new Secure Boot capability
Add the name of the new Secure Boot capability. This allows SELinux
policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
@ -594,7 +50,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index df2de54..70e2834 100644
index 14d04e6..ed99a2d 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
@ -607,15 +63,15 @@ index df2de54..70e2834 100644
+ "block_suspend", "compromise_kernel", NULL } },
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
{ "tun_socket",
{ COMMON_SOCK_PERMS, NULL } },
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
--
1.8.1
From 91a1c56865bb3c8caf452df78af91bb8c2bdee57 Mon Sep 17 00:00:00 2001
From 10ed514ecac144034eba27bf9436ef111ac2ebd2 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:02 -0400
Subject: [PATCH 05/19] Secure boot: Add a dummy kernel parameter that will
Subject: [PATCH 03/17] Secure boot: Add a dummy kernel parameter that will
switch on Secure Boot mode
This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
@ -678,10 +134,10 @@ index e0573a4..c3f4e3e 100644
1.8.1
From 39585d1c3c7fa8878889d88e00a3aa5a647c024f Mon Sep 17 00:00:00 2001
From 066b811cd05432ef91473cd349d20fa856d5ab18 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:03 -0400
Subject: [PATCH 06/19] efi: Enable secure boot lockdown automatically when
Subject: [PATCH 04/17] efi: Enable secure boot lockdown automatically when
enabled in firmware
The firmware has a set of flags that indicate whether secure boot is enabled
@ -701,23 +157,23 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
6 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
index cf5437d..7f9ed48 100644
index 199f453..ff651d3 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
@@ -27,6 +27,8 @@ Offset Proto Name Meaning
@@ -30,6 +30,8 @@ Offset Proto Name Meaning
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
(below)
+1EB/001 ALL kbd_status Numlock is enabled
+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns
1EF/001 ALL sentinel Used to detect broken bootloaders
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
(array of struct e820entry)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 18e329c..f44adce 100644
index f8fa411..96bd86b 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -848,6 +848,36 @@ fail:
@@ -849,6 +849,36 @@ fail:
return status;
}
@ -754,7 +210,7 @@ index 18e329c..f44adce 100644
/*
* Because the x86 boot code expects to be passed a boot_params we
* need to create one ourselves (usually the bootloader would create
@@ -1142,6 +1172,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
@@ -1143,6 +1173,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
goto fail;
@ -764,19 +220,19 @@ index 18e329c..f44adce 100644
setup_efi_pci(boot_params);
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
index 92862cd..422e056 100644
index c15ddaf..85d7685 100644
--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -115,7 +115,8 @@ struct boot_params {
@@ -131,7 +131,8 @@ struct boot_params {
__u8 eddbuf_entries; /* 0x1e9 */
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
__u8 kbd_status; /* 0x1eb */
- __u8 _pad6[5]; /* 0x1ec */
- __u8 _pad5[3]; /* 0x1ec */
+ __u8 secure_boot; /* 0x1ec */
+ __u8 _pad6[4]; /* 0x1ed */
struct setup_header hdr; /* setup header */ /* 0x1f1 */
__u8 _pad7[0x290-0x1f1-sizeof(struct setup_header)];
__u32 edd_mbr_sig_buffer[EDD_MBR_SIG_MAX]; /* 0x290 */
+ __u8 _pad5[2]; /* 0x1ed */
/*
* The sentinel is set to a nonzero value (0xff) in header.S.
*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 8b24289..5355a54 100644
--- a/arch/x86/kernel/setup.c
@ -822,10 +278,10 @@ index 7a9498a..1ae16b6 100644
1.8.1
From c4913bd0af536c2e752da503e34cfdbdef2ca427 Mon Sep 17 00:00:00 2001
From 8d8349396e90630e2617c5a855682a6c87a7ae4d Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
Subject: [PATCH 07/19] Add EFI signature data types
Subject: [PATCH 05/17] Add EFI signature data types
Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification.
@ -877,10 +333,10 @@ index 1ae16b6..de7021d 100644
1.8.1
From 714ab7855166f5cf453817de90b80ea8f132715d Mon Sep 17 00:00:00 2001
From a221d71dd4487a5ee2b337540d0258512b7c8dba Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH 08/19] Add an EFI signature blob parser and key loader.
Subject: [PATCH 06/17] Add an EFI signature blob parser and key loader.
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
@ -1056,10 +512,10 @@ index de7021d..64b3e55 100644
1.8.1
From e485260e14c366644a44d2fea05fc3e7dc02a8c3 Mon Sep 17 00:00:00 2001
From 9c9d291a605d1d0864d047cff75724ad1cb8b97d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH 09/19] MODSIGN: Add module certificate blacklist keyring
Subject: [PATCH 07/17] MODSIGN: Add module certificate blacklist keyring
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
@ -1165,10 +621,10 @@ index f2970bd..5423195 100644
1.8.1
From 2015a3299fb6029de0c1e4da3e06bfa74e1075df Mon Sep 17 00:00:00 2001
From 4b85122267e2ac07833e20f0cac71c5c8c9ac65c Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH 10/19] MODSIGN: Import certificates from UEFI Secure Boot
Subject: [PATCH 08/17] MODSIGN: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the module signing keyring. This
@ -1350,10 +806,10 @@ index 0000000..b9237d7
1.8.1
From b9003fd1d1ec55049db258832fed7736c3d72703 Mon Sep 17 00:00:00 2001
From e6f51e0b73bdaf0bb8d6ebc07e041ce3b6126e9c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:57 -0400
Subject: [PATCH 11/19] PCI: Lock down BAR access in secure boot environments
Subject: [PATCH 09/17] PCI: Lock down BAR access in secure boot environments
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to cause
@ -1451,10 +907,10 @@ index e1c1ec5..97e785f 100644
1.8.1
From 66b86238391bae88f1da0fd82f2516d58aa544b9 Mon Sep 17 00:00:00 2001
From c4399308a252ca147971bd6d2f1f56557f279201 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:58 -0400
Subject: [PATCH 12/19] x86: Lock down IO port access in secure boot
Subject: [PATCH 10/17] x86: Lock down IO port access in secure boot
environments
IO port access would permit users to gain access to PCI configuration
@ -1508,10 +964,10 @@ index c6fa3bc..fc28099 100644
1.8.1
From 2bae7bb333fb916824efaa8ebfff296be6b474aa Mon Sep 17 00:00:00 2001
From b3e2bb87699c1b0aa235c772c1c5ae376b63ea49 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:59 -0400
Subject: [PATCH 13/19] ACPI: Limit access to custom_method
Subject: [PATCH 11/17] ACPI: Limit access to custom_method
It must be impossible for even root to get code executed in kernel context
under a secure boot environment. custom_method effectively allows arbitrary
@ -1540,10 +996,10 @@ index 5d42c24..247d58b 100644
1.8.1
From 1020b65305173afb24a9411a9555468a5184a73d Mon Sep 17 00:00:00 2001
From 300b9cc9e0833d66b0ea49c259c1e2f7dfe7de12 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:00 -0400
Subject: [PATCH 14/19] asus-wmi: Restrict debugfs interface
Subject: [PATCH 12/17] asus-wmi: Restrict debugfs interface
We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
@ -1593,10 +1049,10 @@ index f80ae4d..059195f 100644
1.8.1
From 5e940dba25d3d2614a3a745ef7c3057e058c876a Mon Sep 17 00:00:00 2001
From 690713487cf5ac3949cf915e28a75a1270e2c2a6 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:01 -0400
Subject: [PATCH 15/19] Restrict /dev/mem and /dev/kmem in secure boot setups
Subject: [PATCH 13/17] Restrict /dev/mem and /dev/kmem in secure boot setups
Allowing users to write to address space makes it possible for the kernel
to be subverted. Restrict this when we need to protect the kernel.
@ -1634,10 +1090,10 @@ index fc28099..b5df7a8 100644
1.8.1
From b6264c3ed7a36a7a8d9c504d20a9a639850ace3b Mon Sep 17 00:00:00 2001
From 170cc9e113785b6f38cbd4bf5d8bbd42d844d119 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:04 -0400
Subject: [PATCH 16/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
Subject: [PATCH 14/17] acpi: Ignore acpi_rsdp kernel parameter in a secure
boot environment
This option allows userspace to pass the RSDP address to the kernel. This
@ -1666,10 +1122,10 @@ index bd22f86..88251d2 100644
1.8.1
From 4f1614d3aae4e924ad8b8d56c66a23a469b1c3d0 Mon Sep 17 00:00:00 2001
From eb021ca148e35633480ece4b472807a621ca9a5f Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Tue, 4 Sep 2012 11:55:13 -0400
Subject: [PATCH 17/19] kexec: Disable in a secure boot environment
Subject: [PATCH 15/17] kexec: Disable in a secure boot environment
kexec could be used as a vector for a malicious user to use a signed kernel
to circumvent the secure boot trust model. In the long run we'll want to
@ -1698,10 +1154,10 @@ index 5e4bd78..dd464e0 100644
1.8.1
From 9760ba180b98ff6e6a6e40dfe82973fc6bfcb194 Mon Sep 17 00:00:00 2001
From f170b22efeffede02664836a24604febd85ca061 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 5 Oct 2012 10:12:48 -0400
Subject: [PATCH 18/19] MODSIGN: Always enforce module signing in a Secure Boot
Subject: [PATCH 16/17] MODSIGN: Always enforce module signing in a Secure Boot
environment
If a machine is booted into a Secure Boot environment, we need to
@ -1760,10 +1216,10 @@ index eab0827..93a16dc 100644
1.8.1
From 1c6cd63017f3c745eaf4d8705f44ba5f4af1aef7 Mon Sep 17 00:00:00 2001
From c44db6a096f11bd19182cb52c70fbd2f3de3dc6a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 14:02:09 -0400
Subject: [PATCH 19/19] hibernate: Disable in a Secure Boot environment
Subject: [PATCH 17/17] hibernate: Disable in a Secure Boot environment
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the secure boot trust model,

View File

@ -1,3 +1,4 @@
21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz
714424b01630b141bbee02d0ea9d5633 patch-3.8-rc5.xz
bbee7c088c5023d79b661a9547379ff7 patch-3.8-rc5-git2.xz
d9ec7011118bf762447b4357252151a3 patch-3.8-rc5-git3.xz