Merge branch 'master' of ssh://pkgs.fedoraproject.org/kernel
This commit is contained in:
commit
cb71575bc5
@ -29,7 +29,7 @@ CONFIG_SLUB_DEBUG_ON=y
|
|||||||
|
|
||||||
# CONFIG_LOCK_STAT is not set
|
# CONFIG_LOCK_STAT is not set
|
||||||
|
|
||||||
# CONFIG_DEBUG_STACK_USAGE is not set
|
CONFIG_DEBUG_STACK_USAGE=y
|
||||||
|
|
||||||
# CONFIG_ACPI_DEBUG is not set
|
# CONFIG_ACPI_DEBUG is not set
|
||||||
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
|
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
|
||||||
|
@ -1,24 +0,0 @@
|
|||||||
efivarfs_unlink() should drop the file's link count, not the directory's.
|
|
||||||
|
|
||||||
Tested-by: Lee, Chun-Yi <jlee@suse.com>
|
|
||||||
Signed-off-by: Lingzhu Xiang <lxiang@redhat.com>
|
|
||||||
---
|
|
||||||
drivers/firmware/efivars.c | 2 +-
|
|
||||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
|
|
||||||
index d6b8d2f..60f5324 100644
|
|
||||||
--- a/drivers/firmware/efivars.c
|
|
||||||
+++ b/drivers/firmware/efivars.c
|
|
||||||
@@ -995,7 +995,7 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry)
|
|
||||||
list_del(&var->list);
|
|
||||||
spin_unlock(&efivars->lock);
|
|
||||||
efivar_unregister(var);
|
|
||||||
- drop_nlink(dir);
|
|
||||||
+ drop_nlink(dentry->d_inode);
|
|
||||||
dput(dentry);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.7.7.6
|
|
||||||
|
|
12
kernel.spec
12
kernel.spec
@ -95,7 +95,7 @@ Summary: The Linux kernel
|
|||||||
# The rc snapshot level
|
# The rc snapshot level
|
||||||
%define rcrev 5
|
%define rcrev 5
|
||||||
# The git snapshot level
|
# The git snapshot level
|
||||||
%define gitrev 2
|
%define gitrev 3
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
%define rpmversion 3.%{upstream_sublevel}.0
|
%define rpmversion 3.%{upstream_sublevel}.0
|
||||||
%endif
|
%endif
|
||||||
@ -669,8 +669,7 @@ Patch800: crash-driver.patch
|
|||||||
# crypto/
|
# crypto/
|
||||||
|
|
||||||
# secure boot
|
# secure boot
|
||||||
Patch1000: secure-boot-20130124.patch
|
Patch1000: secure-boot-20130131.patch
|
||||||
Patch1001: efivarfs-nlink-fix.patch
|
|
||||||
|
|
||||||
# virt + ksm patches
|
# virt + ksm patches
|
||||||
|
|
||||||
@ -1381,8 +1380,7 @@ ApplyPatch crash-driver.patch
|
|||||||
# crypto/
|
# crypto/
|
||||||
|
|
||||||
# secure boot
|
# secure boot
|
||||||
ApplyPatch secure-boot-20130124.patch
|
ApplyPatch secure-boot-20130131.patch
|
||||||
ApplyPatch efivarfs-nlink-fix.patch
|
|
||||||
|
|
||||||
# Assorted Virt Fixes
|
# Assorted Virt Fixes
|
||||||
|
|
||||||
@ -2303,6 +2301,10 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jan 31 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc5.git3.1
|
||||||
|
- Linux v3.8-rc5-245-g04c2eee
|
||||||
|
- Enable CONFIG_DEBUG_STACK_USAGE
|
||||||
|
|
||||||
* Wed Jan 30 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc5.git2.1
|
* Wed Jan 30 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc5.git2.1
|
||||||
- Linux v3.8-rc5-218-ga56e160
|
- Linux v3.8-rc5-218-ga56e160
|
||||||
- Enable NAMESPACES and CHECKPOINT_RESTORE on x86_64 for F19 CRIU feature
|
- Enable NAMESPACES and CHECKPOINT_RESTORE on x86_64 for F19 CRIU feature
|
||||||
|
@ -1,551 +1,7 @@
|
|||||||
From 10271230f790bda30cd4f6767fce25ad6da4a9cf Mon Sep 17 00:00:00 2001
|
From 6fb120959c4578023de0af1af9c887ddf6859671 Mon Sep 17 00:00:00 2001
|
||||||
From: Matt Fleming <matt.fleming@intel.com>
|
|
||||||
Date: Wed, 14 Nov 2012 09:42:35 +0000
|
|
||||||
Subject: [PATCH 1/2] efi: Make 'efi_enabled' a function to query EFI
|
|
||||||
facilities
|
|
||||||
|
|
||||||
Originally 'efi_enabled' indicated whether a kernel was booted from
|
|
||||||
EFI firmware. Over time its semantics have changed, and it now
|
|
||||||
indicates whether or not we are booted on an EFI machine with
|
|
||||||
bit-native firmware, e.g. 64-bit kernel with 64-bit firmware.
|
|
||||||
|
|
||||||
The immediate motivation for this patch is the bug report at,
|
|
||||||
|
|
||||||
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557
|
|
||||||
|
|
||||||
which details how running a platform driver on an EFI machine that is
|
|
||||||
designed to run under BIOS can cause the machine to become
|
|
||||||
bricked. Also, the following report,
|
|
||||||
|
|
||||||
https://bugzilla.kernel.org/show_bug.cgi?id=47121
|
|
||||||
|
|
||||||
details how running said driver can also cause Machine Check
|
|
||||||
Exceptions. Drivers need a new means of detecting whether they're
|
|
||||||
running on an EFI machine, as sadly the expression,
|
|
||||||
|
|
||||||
if (!efi_enabled)
|
|
||||||
|
|
||||||
hasn't been a sufficient condition for quite some time.
|
|
||||||
|
|
||||||
Users actually want to query 'efi_enabled' for different reasons -
|
|
||||||
what they really want access to is the list of available EFI
|
|
||||||
facilities.
|
|
||||||
|
|
||||||
For instance, the x86 reboot code needs to know whether it can invoke
|
|
||||||
the ResetSystem() function provided by the EFI runtime services, while
|
|
||||||
the ACPI OSL code wants to know whether the EFI config tables were
|
|
||||||
mapped successfully. There are also checks in some of the platform
|
|
||||||
driver code to simply see if they're running on an EFI machine (which
|
|
||||||
would make it a bad idea to do BIOS-y things).
|
|
||||||
|
|
||||||
Cc: David Airlie <airlied@linux.ie>
|
|
||||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
|
||||||
Cc: Corentin Chary <corentincj@iksaif.net>
|
|
||||||
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
|
|
||||||
Cc: Dave Jiang <dave.jiang@intel.com>
|
|
||||||
Cc: Olof Johansson <olof@lixom.net>
|
|
||||||
Cc: Peter Jones <pjones@redhat.com>
|
|
||||||
Cc: Colin Ian King <colin.king@canonical.com>
|
|
||||||
Cc: Steve Langasek <steve.langasek@canonical.com>
|
|
||||||
Cc: Tony Luck <tony.luck@intel.com>
|
|
||||||
Cc: Konrad Rzeszutek Wilk <konrad@kernel.org>
|
|
||||||
Cc: Rafael J. Wysocki <rjw@sisk.pl>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/efi.h | 1 +
|
|
||||||
arch/x86/kernel/reboot.c | 2 +-
|
|
||||||
arch/x86/kernel/setup.c | 28 ++++++++---------
|
|
||||||
arch/x86/platform/efi/efi.c | 57 ++++++++++++++++++++--------------
|
|
||||||
drivers/acpi/osl.c | 2 +-
|
|
||||||
drivers/firmware/dmi_scan.c | 2 +-
|
|
||||||
drivers/firmware/efivars.c | 4 +--
|
|
||||||
drivers/firmware/iscsi_ibft_find.c | 2 +-
|
|
||||||
drivers/gpu/drm/radeon/radeon_device.c | 3 +-
|
|
||||||
drivers/platform/x86/ibm_rtl.c | 2 +-
|
|
||||||
drivers/scsi/isci/init.c | 2 +-
|
|
||||||
include/linux/efi.h | 24 ++++++++++----
|
|
||||||
init/main.c | 4 +--
|
|
||||||
13 files changed, 79 insertions(+), 54 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
|
|
||||||
index 6e8fdf5..28677c5 100644
|
|
||||||
--- a/arch/x86/include/asm/efi.h
|
|
||||||
+++ b/arch/x86/include/asm/efi.h
|
|
||||||
@@ -94,6 +94,7 @@ extern void __iomem *efi_ioremap(unsigned long addr, unsigned long size,
|
|
||||||
#endif /* CONFIG_X86_32 */
|
|
||||||
|
|
||||||
extern int add_efi_memmap;
|
|
||||||
+extern unsigned long x86_efi_facility;
|
|
||||||
extern void efi_set_executable(efi_memory_desc_t *md, bool executable);
|
|
||||||
extern int efi_memblock_x86_reserve_range(void);
|
|
||||||
extern void efi_call_phys_prelog(void);
|
|
||||||
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
|
|
||||||
index 4e8ba39..76fa1e9 100644
|
|
||||||
--- a/arch/x86/kernel/reboot.c
|
|
||||||
+++ b/arch/x86/kernel/reboot.c
|
|
||||||
@@ -584,7 +584,7 @@ static void native_machine_emergency_restart(void)
|
|
||||||
break;
|
|
||||||
|
|
||||||
case BOOT_EFI:
|
|
||||||
- if (efi_enabled)
|
|
||||||
+ if (efi_enabled(EFI_RUNTIME_SERVICES))
|
|
||||||
efi.reset_system(reboot_mode ?
|
|
||||||
EFI_RESET_WARM :
|
|
||||||
EFI_RESET_COLD,
|
|
||||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
|
||||||
index 23ddd55..dbc7369 100644
|
|
||||||
--- a/arch/x86/kernel/setup.c
|
|
||||||
+++ b/arch/x86/kernel/setup.c
|
|
||||||
@@ -729,15 +729,15 @@ void __init setup_arch(char **cmdline_p)
|
|
||||||
#ifdef CONFIG_EFI
|
|
||||||
if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
|
|
||||||
"EL32", 4)) {
|
|
||||||
- efi_enabled = 1;
|
|
||||||
- efi_64bit = false;
|
|
||||||
+ set_bit(EFI_BOOT, &x86_efi_facility);
|
|
||||||
} else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
|
|
||||||
"EL64", 4)) {
|
|
||||||
- efi_enabled = 1;
|
|
||||||
- efi_64bit = true;
|
|
||||||
+ set_bit(EFI_BOOT, &x86_efi_facility);
|
|
||||||
+ set_bit(EFI_64BIT, &x86_efi_facility);
|
|
||||||
}
|
|
||||||
- if (efi_enabled && efi_memblock_x86_reserve_range())
|
|
||||||
- efi_enabled = 0;
|
|
||||||
+
|
|
||||||
+ if (efi_enabled(EFI_BOOT))
|
|
||||||
+ efi_memblock_x86_reserve_range();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
x86_init.oem.arch_setup();
|
|
||||||
@@ -810,7 +810,7 @@ void __init setup_arch(char **cmdline_p)
|
|
||||||
|
|
||||||
finish_e820_parsing();
|
|
||||||
|
|
||||||
- if (efi_enabled)
|
|
||||||
+ if (efi_enabled(EFI_BOOT))
|
|
||||||
efi_init();
|
|
||||||
|
|
||||||
dmi_scan_machine();
|
|
||||||
@@ -893,7 +893,7 @@ void __init setup_arch(char **cmdline_p)
|
|
||||||
* The EFI specification says that boot service code won't be called
|
|
||||||
* after ExitBootServices(). This is, in fact, a lie.
|
|
||||||
*/
|
|
||||||
- if (efi_enabled)
|
|
||||||
+ if (efi_enabled(EFI_MEMMAP))
|
|
||||||
efi_reserve_boot_services();
|
|
||||||
|
|
||||||
/* preallocate 4k for mptable mpc */
|
|
||||||
@@ -1034,7 +1034,7 @@ void __init setup_arch(char **cmdline_p)
|
|
||||||
|
|
||||||
#ifdef CONFIG_VT
|
|
||||||
#if defined(CONFIG_VGA_CONSOLE)
|
|
||||||
- if (!efi_enabled || (efi_mem_type(0xa0000) != EFI_CONVENTIONAL_MEMORY))
|
|
||||||
+ if (!efi_enabled(EFI_BOOT) || (efi_mem_type(0xa0000) != EFI_CONVENTIONAL_MEMORY))
|
|
||||||
conswitchp = &vga_con;
|
|
||||||
#elif defined(CONFIG_DUMMY_CONSOLE)
|
|
||||||
conswitchp = &dummy_con;
|
|
||||||
@@ -1051,14 +1051,14 @@ void __init setup_arch(char **cmdline_p)
|
|
||||||
register_refined_jiffies(CLOCK_TICK_RATE);
|
|
||||||
|
|
||||||
#ifdef CONFIG_EFI
|
|
||||||
- /* Once setup is done above, disable efi_enabled on mismatched
|
|
||||||
- * firmware/kernel archtectures since there is no support for
|
|
||||||
- * runtime services.
|
|
||||||
+ /* Once setup is done above, unmap the EFI memory map on
|
|
||||||
+ * mismatched firmware/kernel archtectures since there is no
|
|
||||||
+ * support for runtime services.
|
|
||||||
*/
|
|
||||||
- if (efi_enabled && IS_ENABLED(CONFIG_X86_64) != efi_64bit) {
|
|
||||||
+ if (efi_enabled(EFI_BOOT) &&
|
|
||||||
+ IS_ENABLED(CONFIG_X86_64) != efi_enabled(EFI_64BIT)) {
|
|
||||||
pr_info("efi: Setup done, disabling due to 32/64-bit mismatch\n");
|
|
||||||
efi_unmap_memmap();
|
|
||||||
- efi_enabled = 0;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
|
|
||||||
index ad44391..5426e48 100644
|
|
||||||
--- a/arch/x86/platform/efi/efi.c
|
|
||||||
+++ b/arch/x86/platform/efi/efi.c
|
|
||||||
@@ -51,9 +51,6 @@
|
|
||||||
|
|
||||||
#define EFI_DEBUG 1
|
|
||||||
|
|
||||||
-int efi_enabled;
|
|
||||||
-EXPORT_SYMBOL(efi_enabled);
|
|
||||||
-
|
|
||||||
struct efi __read_mostly efi = {
|
|
||||||
.mps = EFI_INVALID_TABLE_ADDR,
|
|
||||||
.acpi = EFI_INVALID_TABLE_ADDR,
|
|
||||||
@@ -69,19 +66,28 @@ EXPORT_SYMBOL(efi);
|
|
||||||
|
|
||||||
struct efi_memory_map memmap;
|
|
||||||
|
|
||||||
-bool efi_64bit;
|
|
||||||
-
|
|
||||||
static struct efi efi_phys __initdata;
|
|
||||||
static efi_system_table_t efi_systab __initdata;
|
|
||||||
|
|
||||||
static inline bool efi_is_native(void)
|
|
||||||
{
|
|
||||||
- return IS_ENABLED(CONFIG_X86_64) == efi_64bit;
|
|
||||||
+ return IS_ENABLED(CONFIG_X86_64) == efi_enabled(EFI_64BIT);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+unsigned long x86_efi_facility;
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Returns 1 if 'facility' is enabled, 0 otherwise.
|
|
||||||
+ */
|
|
||||||
+int efi_enabled(int facility)
|
|
||||||
+{
|
|
||||||
+ return test_bit(facility, &x86_efi_facility) != 0;
|
|
||||||
}
|
|
||||||
+EXPORT_SYMBOL(efi_enabled);
|
|
||||||
|
|
||||||
static int __init setup_noefi(char *arg)
|
|
||||||
{
|
|
||||||
- efi_enabled = 0;
|
|
||||||
+ clear_bit(EFI_BOOT, &x86_efi_facility);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
early_param("noefi", setup_noefi);
|
|
||||||
@@ -426,6 +432,7 @@ void __init efi_reserve_boot_services(void)
|
|
||||||
|
|
||||||
void __init efi_unmap_memmap(void)
|
|
||||||
{
|
|
||||||
+ clear_bit(EFI_MEMMAP, &x86_efi_facility);
|
|
||||||
if (memmap.map) {
|
|
||||||
early_iounmap(memmap.map, memmap.nr_map * memmap.desc_size);
|
|
||||||
memmap.map = NULL;
|
|
||||||
@@ -460,7 +467,7 @@ void __init efi_free_boot_services(void)
|
|
||||||
|
|
||||||
static int __init efi_systab_init(void *phys)
|
|
||||||
{
|
|
||||||
- if (efi_64bit) {
|
|
||||||
+ if (efi_enabled(EFI_64BIT)) {
|
|
||||||
efi_system_table_64_t *systab64;
|
|
||||||
u64 tmp = 0;
|
|
||||||
|
|
||||||
@@ -552,7 +559,7 @@ static int __init efi_config_init(u64 tables, int nr_tables)
|
|
||||||
void *config_tables, *tablep;
|
|
||||||
int i, sz;
|
|
||||||
|
|
||||||
- if (efi_64bit)
|
|
||||||
+ if (efi_enabled(EFI_64BIT))
|
|
||||||
sz = sizeof(efi_config_table_64_t);
|
|
||||||
else
|
|
||||||
sz = sizeof(efi_config_table_32_t);
|
|
||||||
@@ -572,7 +579,7 @@ static int __init efi_config_init(u64 tables, int nr_tables)
|
|
||||||
efi_guid_t guid;
|
|
||||||
unsigned long table;
|
|
||||||
|
|
||||||
- if (efi_64bit) {
|
|
||||||
+ if (efi_enabled(EFI_64BIT)) {
|
|
||||||
u64 table64;
|
|
||||||
guid = ((efi_config_table_64_t *)tablep)->guid;
|
|
||||||
table64 = ((efi_config_table_64_t *)tablep)->table;
|
|
||||||
@@ -684,7 +691,6 @@ void __init efi_init(void)
|
|
||||||
if (boot_params.efi_info.efi_systab_hi ||
|
|
||||||
boot_params.efi_info.efi_memmap_hi) {
|
|
||||||
pr_info("Table located above 4GB, disabling EFI.\n");
|
|
||||||
- efi_enabled = 0;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
efi_phys.systab = (efi_system_table_t *)boot_params.efi_info.efi_systab;
|
|
||||||
@@ -694,10 +700,10 @@ void __init efi_init(void)
|
|
||||||
((__u64)boot_params.efi_info.efi_systab_hi<<32));
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if (efi_systab_init(efi_phys.systab)) {
|
|
||||||
- efi_enabled = 0;
|
|
||||||
+ if (efi_systab_init(efi_phys.systab))
|
|
||||||
return;
|
|
||||||
- }
|
|
||||||
+
|
|
||||||
+ set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Show what we know for posterity
|
|
||||||
@@ -715,10 +721,10 @@ void __init efi_init(void)
|
|
||||||
efi.systab->hdr.revision >> 16,
|
|
||||||
efi.systab->hdr.revision & 0xffff, vendor);
|
|
||||||
|
|
||||||
- if (efi_config_init(efi.systab->tables, efi.systab->nr_tables)) {
|
|
||||||
- efi_enabled = 0;
|
|
||||||
+ if (efi_config_init(efi.systab->tables, efi.systab->nr_tables))
|
|
||||||
return;
|
|
||||||
- }
|
|
||||||
+
|
|
||||||
+ set_bit(EFI_CONFIG_TABLES, &x86_efi_facility);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Note: We currently don't support runtime services on an EFI
|
|
||||||
@@ -727,15 +733,17 @@ void __init efi_init(void)
|
|
||||||
|
|
||||||
if (!efi_is_native())
|
|
||||||
pr_info("No EFI runtime due to 32/64-bit mismatch with kernel\n");
|
|
||||||
- else if (efi_runtime_init()) {
|
|
||||||
- efi_enabled = 0;
|
|
||||||
- return;
|
|
||||||
+ else {
|
|
||||||
+ if (efi_runtime_init())
|
|
||||||
+ return;
|
|
||||||
+ set_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (efi_memmap_init()) {
|
|
||||||
- efi_enabled = 0;
|
|
||||||
+ if (efi_memmap_init())
|
|
||||||
return;
|
|
||||||
- }
|
|
||||||
+
|
|
||||||
+ set_bit(EFI_MEMMAP, &x86_efi_facility);
|
|
||||||
+
|
|
||||||
#ifdef CONFIG_X86_32
|
|
||||||
if (efi_is_native()) {
|
|
||||||
x86_platform.get_wallclock = efi_get_time;
|
|
||||||
@@ -969,6 +977,9 @@ u32 efi_mem_type(unsigned long phys_addr)
|
|
||||||
efi_memory_desc_t *md;
|
|
||||||
void *p;
|
|
||||||
|
|
||||||
+ if (!efi_enabled(EFI_MEMMAP))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
for (p = memmap.map; p < memmap.map_end; p += memmap.desc_size) {
|
|
||||||
md = p;
|
|
||||||
if ((md->phys_addr <= phys_addr) &&
|
|
||||||
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
|
|
||||||
index 3ff2678..bd22f86 100644
|
|
||||||
--- a/drivers/acpi/osl.c
|
|
||||||
+++ b/drivers/acpi/osl.c
|
|
||||||
@@ -250,7 +250,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
|
|
||||||
return acpi_rsdp;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if (efi_enabled) {
|
|
||||||
+ if (efi_enabled(EFI_CONFIG_TABLES)) {
|
|
||||||
if (efi.acpi20 != EFI_INVALID_TABLE_ADDR)
|
|
||||||
return efi.acpi20;
|
|
||||||
else if (efi.acpi != EFI_INVALID_TABLE_ADDR)
|
|
||||||
diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
|
|
||||||
index fd3ae62..982f1f5 100644
|
|
||||||
--- a/drivers/firmware/dmi_scan.c
|
|
||||||
+++ b/drivers/firmware/dmi_scan.c
|
|
||||||
@@ -471,7 +471,7 @@ void __init dmi_scan_machine(void)
|
|
||||||
char __iomem *p, *q;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
- if (efi_enabled) {
|
|
||||||
+ if (efi_enabled(EFI_CONFIG_TABLES)) {
|
|
||||||
if (efi.smbios == EFI_INVALID_TABLE_ADDR)
|
|
||||||
goto error;
|
|
||||||
|
|
||||||
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
|
|
||||||
index 7b1c374..1065119 100644
|
|
||||||
--- a/drivers/firmware/efivars.c
|
|
||||||
+++ b/drivers/firmware/efivars.c
|
|
||||||
@@ -1782,7 +1782,7 @@ efivars_init(void)
|
|
||||||
printk(KERN_INFO "EFI Variables Facility v%s %s\n", EFIVARS_VERSION,
|
|
||||||
EFIVARS_DATE);
|
|
||||||
|
|
||||||
- if (!efi_enabled)
|
|
||||||
+ if (!efi_enabled(EFI_RUNTIME_SERVICES))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* For now we'll register the efi directory at /sys/firmware/efi */
|
|
||||||
@@ -1822,7 +1822,7 @@ err_put:
|
|
||||||
static void __exit
|
|
||||||
efivars_exit(void)
|
|
||||||
{
|
|
||||||
- if (efi_enabled) {
|
|
||||||
+ if (efi_enabled(EFI_RUNTIME_SERVICES)) {
|
|
||||||
unregister_efivars(&__efivars);
|
|
||||||
kobject_put(efi_kobj);
|
|
||||||
}
|
|
||||||
diff --git a/drivers/firmware/iscsi_ibft_find.c b/drivers/firmware/iscsi_ibft_find.c
|
|
||||||
index 4da4eb9..2224f1d 100644
|
|
||||||
--- a/drivers/firmware/iscsi_ibft_find.c
|
|
||||||
+++ b/drivers/firmware/iscsi_ibft_find.c
|
|
||||||
@@ -99,7 +99,7 @@ unsigned long __init find_ibft_region(unsigned long *sizep)
|
|
||||||
/* iBFT 1.03 section 1.4.3.1 mandates that UEFI machines will
|
|
||||||
* only use ACPI for this */
|
|
||||||
|
|
||||||
- if (!efi_enabled)
|
|
||||||
+ if (!efi_enabled(EFI_BOOT))
|
|
||||||
find_ibft_in_mem();
|
|
||||||
|
|
||||||
if (ibft_addr) {
|
|
||||||
diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
|
|
||||||
index cd75626..9a68174 100644
|
|
||||||
--- a/drivers/gpu/drm/radeon/radeon_device.c
|
|
||||||
+++ b/drivers/gpu/drm/radeon/radeon_device.c
|
|
||||||
@@ -429,7 +429,8 @@ bool radeon_card_posted(struct radeon_device *rdev)
|
|
||||||
{
|
|
||||||
uint32_t reg;
|
|
||||||
|
|
||||||
- if (efi_enabled && rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE)
|
|
||||||
+ if (efi_enabled(EFI_BOOT) &&
|
|
||||||
+ rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
/* first check CRTCs */
|
|
||||||
diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
|
|
||||||
index 7481146..97c2be1 100644
|
|
||||||
--- a/drivers/platform/x86/ibm_rtl.c
|
|
||||||
+++ b/drivers/platform/x86/ibm_rtl.c
|
|
||||||
@@ -244,7 +244,7 @@ static int __init ibm_rtl_init(void) {
|
|
||||||
if (force)
|
|
||||||
pr_warn("module loaded by force\n");
|
|
||||||
/* first ensure that we are running on IBM HW */
|
|
||||||
- else if (efi_enabled || !dmi_check_system(ibm_rtl_dmi_table))
|
|
||||||
+ else if (efi_enabled(EFI_BOOT) || !dmi_check_system(ibm_rtl_dmi_table))
|
|
||||||
return -ENODEV;
|
|
||||||
|
|
||||||
/* Get the address for the Extended BIOS Data Area */
|
|
||||||
diff --git a/drivers/scsi/isci/init.c b/drivers/scsi/isci/init.c
|
|
||||||
index b74050b..9ac1e9d 100644
|
|
||||||
--- a/drivers/scsi/isci/init.c
|
|
||||||
+++ b/drivers/scsi/isci/init.c
|
|
||||||
@@ -633,7 +633,7 @@ static int __devinit isci_pci_probe(struct pci_dev *pdev, const struct pci_devic
|
|
||||||
return -ENOMEM;
|
|
||||||
pci_set_drvdata(pdev, pci_info);
|
|
||||||
|
|
||||||
- if (efi_enabled)
|
|
||||||
+ if (efi_enabled(EFI_RUNTIME_SERVICES))
|
|
||||||
orom = isci_get_efi_var(pdev);
|
|
||||||
|
|
||||||
if (!orom)
|
|
||||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
|
||||||
index 8b84916..7a9498a 100644
|
|
||||||
--- a/include/linux/efi.h
|
|
||||||
+++ b/include/linux/efi.h
|
|
||||||
@@ -618,18 +618,30 @@ extern int __init efi_setup_pcdp_console(char *);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * We play games with efi_enabled so that the compiler will, if possible, remove
|
|
||||||
- * EFI-related code altogether.
|
|
||||||
+ * We play games with efi_enabled so that the compiler will, if
|
|
||||||
+ * possible, remove EFI-related code altogether.
|
|
||||||
*/
|
|
||||||
+#define EFI_BOOT 0 /* Were we booted from EFI? */
|
|
||||||
+#define EFI_SYSTEM_TABLES 1 /* Can we use EFI system tables? */
|
|
||||||
+#define EFI_CONFIG_TABLES 2 /* Can we use EFI config tables? */
|
|
||||||
+#define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */
|
|
||||||
+#define EFI_MEMMAP 4 /* Can we use EFI memory map? */
|
|
||||||
+#define EFI_64BIT 5 /* Is the firmware 64-bit? */
|
|
||||||
+
|
|
||||||
#ifdef CONFIG_EFI
|
|
||||||
# ifdef CONFIG_X86
|
|
||||||
- extern int efi_enabled;
|
|
||||||
- extern bool efi_64bit;
|
|
||||||
+extern int efi_enabled(int facility);
|
|
||||||
# else
|
|
||||||
-# define efi_enabled 1
|
|
||||||
+static inline int efi_enabled(int facility)
|
|
||||||
+{
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
# endif
|
|
||||||
#else
|
|
||||||
-# define efi_enabled 0
|
|
||||||
+static inline int efi_enabled(int facility)
|
|
||||||
+{
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff --git a/init/main.c b/init/main.c
|
|
||||||
index 85d69df..cd30179 100644
|
|
||||||
--- a/init/main.c
|
|
||||||
+++ b/init/main.c
|
|
||||||
@@ -604,7 +604,7 @@ asmlinkage void __init start_kernel(void)
|
|
||||||
pidmap_init();
|
|
||||||
anon_vma_init();
|
|
||||||
#ifdef CONFIG_X86
|
|
||||||
- if (efi_enabled)
|
|
||||||
+ if (efi_enabled(EFI_RUNTIME_SERVICES))
|
|
||||||
efi_enter_virtual_mode();
|
|
||||||
#endif
|
|
||||||
thread_info_cache_init();
|
|
||||||
@@ -632,7 +632,7 @@ asmlinkage void __init start_kernel(void)
|
|
||||||
acpi_early_init(); /* before LAPIC and SMP init */
|
|
||||||
sfi_init_late();
|
|
||||||
|
|
||||||
- if (efi_enabled) {
|
|
||||||
+ if (efi_enabled(EFI_RUNTIME_SERVICES)) {
|
|
||||||
efi_late_init();
|
|
||||||
efi_free_boot_services();
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.8.1
|
|
||||||
|
|
||||||
From 87123c25437f0da326b2f63cae8ab9aabac6fd6c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Fleming <matt.fleming@intel.com>
|
|
||||||
Date: Thu, 3 Jan 2013 09:02:37 +0000
|
|
||||||
Subject: [PATCH 2/2] samsung-laptop: Disable on EFI hardware
|
|
||||||
|
|
||||||
It has been reported that running this driver on some Samsung laptops
|
|
||||||
with EFI can cause those machines to become bricked as detailed in the
|
|
||||||
following report,
|
|
||||||
|
|
||||||
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557
|
|
||||||
|
|
||||||
There have also been reports of this driver causing Machine Check
|
|
||||||
Exceptions on recent EFI-enabled Samsung laptops,
|
|
||||||
|
|
||||||
https://bugzilla.kernel.org/show_bug.cgi?id=47121
|
|
||||||
|
|
||||||
So disable it if booting from EFI since this driver relies on
|
|
||||||
grovelling around in the BIOS memory map which isn't going to work.
|
|
||||||
|
|
||||||
Acked-by: H. Peter Anvin <hpa@zytor.com>
|
|
||||||
Cc: Corentin Chary <corentincj@iksaif.net>
|
|
||||||
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
|
|
||||||
Cc: Colin Ian King <colin.king@canonical.com>
|
|
||||||
Cc: Steve Langasek <steve.langasek@canonical.com>
|
|
||||||
Cc: platform-driver-x86@vger.kernel.org
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
|
|
||||||
---
|
|
||||||
drivers/platform/x86/samsung-laptop.c | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
|
|
||||||
index dd90d15..5a89ca1 100644
|
|
||||||
--- a/drivers/platform/x86/samsung-laptop.c
|
|
||||||
+++ b/drivers/platform/x86/samsung-laptop.c
|
|
||||||
@@ -26,6 +26,7 @@
|
|
||||||
#include <linux/seq_file.h>
|
|
||||||
#include <linux/debugfs.h>
|
|
||||||
#include <linux/ctype.h>
|
|
||||||
+#include <linux/efi.h>
|
|
||||||
#include <acpi/video.h>
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1534,6 +1535,9 @@ static int __init samsung_init(void)
|
|
||||||
struct samsung_laptop *samsung;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
+ if (efi_enabled(EFI_BOOT))
|
|
||||||
+ return -ENODEV;
|
|
||||||
+
|
|
||||||
quirks = &samsung_unknown;
|
|
||||||
if (!force && !dmi_check_system(samsung_dmi_table))
|
|
||||||
return -ENODEV;
|
|
||||||
--
|
|
||||||
1.8.1
|
|
||||||
|
|
||||||
|
|
||||||
From 078aac950b94287072864fe8db0c690b8343f364 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:40:56 -0400
|
Date: Thu, 20 Sep 2012 10:40:56 -0400
|
||||||
Subject: [PATCH 03/19] Secure boot: Add new capability
|
Subject: [PATCH 01/17] Secure boot: Add new capability
|
||||||
|
|
||||||
Secure boot adds certain policy requirements, including that root must not
|
Secure boot adds certain policy requirements, including that root must not
|
||||||
be able to do anything that could cause the kernel to execute arbitrary code.
|
be able to do anything that could cause the kernel to execute arbitrary code.
|
||||||
@ -579,10 +35,10 @@ index ba478fa..7109e65 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From b3f043c11522faad4a0a2ed54bc204af9157f4cf Mon Sep 17 00:00:00 2001
|
From 7aa8eb6a4b228db7e2920f323f1ba97063163de1 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:05 -0400
|
Date: Thu, 20 Sep 2012 10:41:05 -0400
|
||||||
Subject: [PATCH 04/19] SELinux: define mapping for new Secure Boot capability
|
Subject: [PATCH 02/17] SELinux: define mapping for new Secure Boot capability
|
||||||
|
|
||||||
Add the name of the new Secure Boot capability. This allows SELinux
|
Add the name of the new Secure Boot capability. This allows SELinux
|
||||||
policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
|
policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
|
||||||
@ -594,7 +50,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
|||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
|
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
|
||||||
index df2de54..70e2834 100644
|
index 14d04e6..ed99a2d 100644
|
||||||
--- a/security/selinux/include/classmap.h
|
--- a/security/selinux/include/classmap.h
|
||||||
+++ b/security/selinux/include/classmap.h
|
+++ b/security/selinux/include/classmap.h
|
||||||
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
|
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
|
||||||
@ -607,15 +63,15 @@ index df2de54..70e2834 100644
|
|||||||
+ "block_suspend", "compromise_kernel", NULL } },
|
+ "block_suspend", "compromise_kernel", NULL } },
|
||||||
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
|
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
|
||||||
{ "tun_socket",
|
{ "tun_socket",
|
||||||
{ COMMON_SOCK_PERMS, NULL } },
|
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
|
||||||
--
|
--
|
||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 91a1c56865bb3c8caf452df78af91bb8c2bdee57 Mon Sep 17 00:00:00 2001
|
From 10ed514ecac144034eba27bf9436ef111ac2ebd2 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:02 -0400
|
Date: Thu, 20 Sep 2012 10:41:02 -0400
|
||||||
Subject: [PATCH 05/19] Secure boot: Add a dummy kernel parameter that will
|
Subject: [PATCH 03/17] Secure boot: Add a dummy kernel parameter that will
|
||||||
switch on Secure Boot mode
|
switch on Secure Boot mode
|
||||||
|
|
||||||
This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
|
This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
|
||||||
@ -678,10 +134,10 @@ index e0573a4..c3f4e3e 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 39585d1c3c7fa8878889d88e00a3aa5a647c024f Mon Sep 17 00:00:00 2001
|
From 066b811cd05432ef91473cd349d20fa856d5ab18 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:03 -0400
|
Date: Thu, 20 Sep 2012 10:41:03 -0400
|
||||||
Subject: [PATCH 06/19] efi: Enable secure boot lockdown automatically when
|
Subject: [PATCH 04/17] efi: Enable secure boot lockdown automatically when
|
||||||
enabled in firmware
|
enabled in firmware
|
||||||
|
|
||||||
The firmware has a set of flags that indicate whether secure boot is enabled
|
The firmware has a set of flags that indicate whether secure boot is enabled
|
||||||
@ -701,23 +157,23 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
|||||||
6 files changed, 44 insertions(+), 1 deletion(-)
|
6 files changed, 44 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
|
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
|
||||||
index cf5437d..7f9ed48 100644
|
index 199f453..ff651d3 100644
|
||||||
--- a/Documentation/x86/zero-page.txt
|
--- a/Documentation/x86/zero-page.txt
|
||||||
+++ b/Documentation/x86/zero-page.txt
|
+++ b/Documentation/x86/zero-page.txt
|
||||||
@@ -27,6 +27,8 @@ Offset Proto Name Meaning
|
@@ -30,6 +30,8 @@ Offset Proto Name Meaning
|
||||||
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
|
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
|
||||||
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
|
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
|
||||||
(below)
|
(below)
|
||||||
+1EB/001 ALL kbd_status Numlock is enabled
|
+1EB/001 ALL kbd_status Numlock is enabled
|
||||||
+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns
|
+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns
|
||||||
|
1EF/001 ALL sentinel Used to detect broken bootloaders
|
||||||
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
|
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
|
||||||
2D0/A00 ALL e820_map E820 memory map table
|
2D0/A00 ALL e820_map E820 memory map table
|
||||||
(array of struct e820entry)
|
|
||||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||||
index 18e329c..f44adce 100644
|
index f8fa411..96bd86b 100644
|
||||||
--- a/arch/x86/boot/compressed/eboot.c
|
--- a/arch/x86/boot/compressed/eboot.c
|
||||||
+++ b/arch/x86/boot/compressed/eboot.c
|
+++ b/arch/x86/boot/compressed/eboot.c
|
||||||
@@ -848,6 +848,36 @@ fail:
|
@@ -849,6 +849,36 @@ fail:
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -754,7 +210,7 @@ index 18e329c..f44adce 100644
|
|||||||
/*
|
/*
|
||||||
* Because the x86 boot code expects to be passed a boot_params we
|
* Because the x86 boot code expects to be passed a boot_params we
|
||||||
* need to create one ourselves (usually the bootloader would create
|
* need to create one ourselves (usually the bootloader would create
|
||||||
@@ -1142,6 +1172,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
|
@@ -1143,6 +1173,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
|
||||||
if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
|
if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
@ -764,19 +220,19 @@ index 18e329c..f44adce 100644
|
|||||||
|
|
||||||
setup_efi_pci(boot_params);
|
setup_efi_pci(boot_params);
|
||||||
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
|
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
|
||||||
index 92862cd..422e056 100644
|
index c15ddaf..85d7685 100644
|
||||||
--- a/arch/x86/include/uapi/asm/bootparam.h
|
--- a/arch/x86/include/uapi/asm/bootparam.h
|
||||||
+++ b/arch/x86/include/uapi/asm/bootparam.h
|
+++ b/arch/x86/include/uapi/asm/bootparam.h
|
||||||
@@ -115,7 +115,8 @@ struct boot_params {
|
@@ -131,7 +131,8 @@ struct boot_params {
|
||||||
__u8 eddbuf_entries; /* 0x1e9 */
|
__u8 eddbuf_entries; /* 0x1e9 */
|
||||||
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
|
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
|
||||||
__u8 kbd_status; /* 0x1eb */
|
__u8 kbd_status; /* 0x1eb */
|
||||||
- __u8 _pad6[5]; /* 0x1ec */
|
- __u8 _pad5[3]; /* 0x1ec */
|
||||||
+ __u8 secure_boot; /* 0x1ec */
|
+ __u8 secure_boot; /* 0x1ec */
|
||||||
+ __u8 _pad6[4]; /* 0x1ed */
|
+ __u8 _pad5[2]; /* 0x1ed */
|
||||||
struct setup_header hdr; /* setup header */ /* 0x1f1 */
|
/*
|
||||||
__u8 _pad7[0x290-0x1f1-sizeof(struct setup_header)];
|
* The sentinel is set to a nonzero value (0xff) in header.S.
|
||||||
__u32 edd_mbr_sig_buffer[EDD_MBR_SIG_MAX]; /* 0x290 */
|
*
|
||||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||||
index 8b24289..5355a54 100644
|
index 8b24289..5355a54 100644
|
||||||
--- a/arch/x86/kernel/setup.c
|
--- a/arch/x86/kernel/setup.c
|
||||||
@ -822,10 +278,10 @@ index 7a9498a..1ae16b6 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From c4913bd0af536c2e752da503e34cfdbdef2ca427 Mon Sep 17 00:00:00 2001
|
From 8d8349396e90630e2617c5a855682a6c87a7ae4d Mon Sep 17 00:00:00 2001
|
||||||
From: Dave Howells <dhowells@redhat.com>
|
From: Dave Howells <dhowells@redhat.com>
|
||||||
Date: Tue, 23 Oct 2012 09:30:54 -0400
|
Date: Tue, 23 Oct 2012 09:30:54 -0400
|
||||||
Subject: [PATCH 07/19] Add EFI signature data types
|
Subject: [PATCH 05/17] Add EFI signature data types
|
||||||
|
|
||||||
Add the data types that are used for containing hashes, keys and certificates
|
Add the data types that are used for containing hashes, keys and certificates
|
||||||
for cryptographic verification.
|
for cryptographic verification.
|
||||||
@ -877,10 +333,10 @@ index 1ae16b6..de7021d 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 714ab7855166f5cf453817de90b80ea8f132715d Mon Sep 17 00:00:00 2001
|
From a221d71dd4487a5ee2b337540d0258512b7c8dba Mon Sep 17 00:00:00 2001
|
||||||
From: Dave Howells <dhowells@redhat.com>
|
From: Dave Howells <dhowells@redhat.com>
|
||||||
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
||||||
Subject: [PATCH 08/19] Add an EFI signature blob parser and key loader.
|
Subject: [PATCH 06/17] Add an EFI signature blob parser and key loader.
|
||||||
|
|
||||||
X.509 certificates are loaded into the specified keyring as asymmetric type
|
X.509 certificates are loaded into the specified keyring as asymmetric type
|
||||||
keys.
|
keys.
|
||||||
@ -1056,10 +512,10 @@ index de7021d..64b3e55 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From e485260e14c366644a44d2fea05fc3e7dc02a8c3 Mon Sep 17 00:00:00 2001
|
From 9c9d291a605d1d0864d047cff75724ad1cb8b97d Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Fri, 26 Oct 2012 12:36:24 -0400
|
Date: Fri, 26 Oct 2012 12:36:24 -0400
|
||||||
Subject: [PATCH 09/19] MODSIGN: Add module certificate blacklist keyring
|
Subject: [PATCH 07/17] MODSIGN: Add module certificate blacklist keyring
|
||||||
|
|
||||||
This adds an additional keyring that is used to store certificates that
|
This adds an additional keyring that is used to store certificates that
|
||||||
are blacklisted. This keyring is searched first when loading signed modules
|
are blacklisted. This keyring is searched first when loading signed modules
|
||||||
@ -1165,10 +621,10 @@ index f2970bd..5423195 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 2015a3299fb6029de0c1e4da3e06bfa74e1075df Mon Sep 17 00:00:00 2001
|
From 4b85122267e2ac07833e20f0cac71c5c8c9ac65c Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
||||||
Subject: [PATCH 10/19] MODSIGN: Import certificates from UEFI Secure Boot
|
Subject: [PATCH 08/17] MODSIGN: Import certificates from UEFI Secure Boot
|
||||||
|
|
||||||
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
||||||
This imports those certificates into the module signing keyring. This
|
This imports those certificates into the module signing keyring. This
|
||||||
@ -1350,10 +806,10 @@ index 0000000..b9237d7
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From b9003fd1d1ec55049db258832fed7736c3d72703 Mon Sep 17 00:00:00 2001
|
From e6f51e0b73bdaf0bb8d6ebc07e041ce3b6126e9c Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:40:57 -0400
|
Date: Thu, 20 Sep 2012 10:40:57 -0400
|
||||||
Subject: [PATCH 11/19] PCI: Lock down BAR access in secure boot environments
|
Subject: [PATCH 09/17] PCI: Lock down BAR access in secure boot environments
|
||||||
|
|
||||||
Any hardware that can potentially generate DMA has to be locked down from
|
Any hardware that can potentially generate DMA has to be locked down from
|
||||||
userspace in order to avoid it being possible for an attacker to cause
|
userspace in order to avoid it being possible for an attacker to cause
|
||||||
@ -1451,10 +907,10 @@ index e1c1ec5..97e785f 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 66b86238391bae88f1da0fd82f2516d58aa544b9 Mon Sep 17 00:00:00 2001
|
From c4399308a252ca147971bd6d2f1f56557f279201 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:40:58 -0400
|
Date: Thu, 20 Sep 2012 10:40:58 -0400
|
||||||
Subject: [PATCH 12/19] x86: Lock down IO port access in secure boot
|
Subject: [PATCH 10/17] x86: Lock down IO port access in secure boot
|
||||||
environments
|
environments
|
||||||
|
|
||||||
IO port access would permit users to gain access to PCI configuration
|
IO port access would permit users to gain access to PCI configuration
|
||||||
@ -1508,10 +964,10 @@ index c6fa3bc..fc28099 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 2bae7bb333fb916824efaa8ebfff296be6b474aa Mon Sep 17 00:00:00 2001
|
From b3e2bb87699c1b0aa235c772c1c5ae376b63ea49 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:40:59 -0400
|
Date: Thu, 20 Sep 2012 10:40:59 -0400
|
||||||
Subject: [PATCH 13/19] ACPI: Limit access to custom_method
|
Subject: [PATCH 11/17] ACPI: Limit access to custom_method
|
||||||
|
|
||||||
It must be impossible for even root to get code executed in kernel context
|
It must be impossible for even root to get code executed in kernel context
|
||||||
under a secure boot environment. custom_method effectively allows arbitrary
|
under a secure boot environment. custom_method effectively allows arbitrary
|
||||||
@ -1540,10 +996,10 @@ index 5d42c24..247d58b 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 1020b65305173afb24a9411a9555468a5184a73d Mon Sep 17 00:00:00 2001
|
From 300b9cc9e0833d66b0ea49c259c1e2f7dfe7de12 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:00 -0400
|
Date: Thu, 20 Sep 2012 10:41:00 -0400
|
||||||
Subject: [PATCH 14/19] asus-wmi: Restrict debugfs interface
|
Subject: [PATCH 12/17] asus-wmi: Restrict debugfs interface
|
||||||
|
|
||||||
We have no way of validating what all of the Asus WMI methods do on a
|
We have no way of validating what all of the Asus WMI methods do on a
|
||||||
given machine, and there's a risk that some will allow hardware state to
|
given machine, and there's a risk that some will allow hardware state to
|
||||||
@ -1593,10 +1049,10 @@ index f80ae4d..059195f 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 5e940dba25d3d2614a3a745ef7c3057e058c876a Mon Sep 17 00:00:00 2001
|
From 690713487cf5ac3949cf915e28a75a1270e2c2a6 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:01 -0400
|
Date: Thu, 20 Sep 2012 10:41:01 -0400
|
||||||
Subject: [PATCH 15/19] Restrict /dev/mem and /dev/kmem in secure boot setups
|
Subject: [PATCH 13/17] Restrict /dev/mem and /dev/kmem in secure boot setups
|
||||||
|
|
||||||
Allowing users to write to address space makes it possible for the kernel
|
Allowing users to write to address space makes it possible for the kernel
|
||||||
to be subverted. Restrict this when we need to protect the kernel.
|
to be subverted. Restrict this when we need to protect the kernel.
|
||||||
@ -1634,10 +1090,10 @@ index fc28099..b5df7a8 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From b6264c3ed7a36a7a8d9c504d20a9a639850ace3b Mon Sep 17 00:00:00 2001
|
From 170cc9e113785b6f38cbd4bf5d8bbd42d844d119 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Thu, 20 Sep 2012 10:41:04 -0400
|
Date: Thu, 20 Sep 2012 10:41:04 -0400
|
||||||
Subject: [PATCH 16/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
|
Subject: [PATCH 14/17] acpi: Ignore acpi_rsdp kernel parameter in a secure
|
||||||
boot environment
|
boot environment
|
||||||
|
|
||||||
This option allows userspace to pass the RSDP address to the kernel. This
|
This option allows userspace to pass the RSDP address to the kernel. This
|
||||||
@ -1666,10 +1122,10 @@ index bd22f86..88251d2 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 4f1614d3aae4e924ad8b8d56c66a23a469b1c3d0 Mon Sep 17 00:00:00 2001
|
From eb021ca148e35633480ece4b472807a621ca9a5f Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Matthew Garrett <mjg@redhat.com>
|
||||||
Date: Tue, 4 Sep 2012 11:55:13 -0400
|
Date: Tue, 4 Sep 2012 11:55:13 -0400
|
||||||
Subject: [PATCH 17/19] kexec: Disable in a secure boot environment
|
Subject: [PATCH 15/17] kexec: Disable in a secure boot environment
|
||||||
|
|
||||||
kexec could be used as a vector for a malicious user to use a signed kernel
|
kexec could be used as a vector for a malicious user to use a signed kernel
|
||||||
to circumvent the secure boot trust model. In the long run we'll want to
|
to circumvent the secure boot trust model. In the long run we'll want to
|
||||||
@ -1698,10 +1154,10 @@ index 5e4bd78..dd464e0 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 9760ba180b98ff6e6a6e40dfe82973fc6bfcb194 Mon Sep 17 00:00:00 2001
|
From f170b22efeffede02664836a24604febd85ca061 Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Fri, 5 Oct 2012 10:12:48 -0400
|
Date: Fri, 5 Oct 2012 10:12:48 -0400
|
||||||
Subject: [PATCH 18/19] MODSIGN: Always enforce module signing in a Secure Boot
|
Subject: [PATCH 16/17] MODSIGN: Always enforce module signing in a Secure Boot
|
||||||
environment
|
environment
|
||||||
|
|
||||||
If a machine is booted into a Secure Boot environment, we need to
|
If a machine is booted into a Secure Boot environment, we need to
|
||||||
@ -1760,10 +1216,10 @@ index eab0827..93a16dc 100644
|
|||||||
1.8.1
|
1.8.1
|
||||||
|
|
||||||
|
|
||||||
From 1c6cd63017f3c745eaf4d8705f44ba5f4af1aef7 Mon Sep 17 00:00:00 2001
|
From c44db6a096f11bd19182cb52c70fbd2f3de3dc6a Mon Sep 17 00:00:00 2001
|
||||||
From: Josh Boyer <jwboyer@redhat.com>
|
From: Josh Boyer <jwboyer@redhat.com>
|
||||||
Date: Fri, 26 Oct 2012 14:02:09 -0400
|
Date: Fri, 26 Oct 2012 14:02:09 -0400
|
||||||
Subject: [PATCH 19/19] hibernate: Disable in a Secure Boot environment
|
Subject: [PATCH 17/17] hibernate: Disable in a Secure Boot environment
|
||||||
|
|
||||||
There is currently no way to verify the resume image when returning
|
There is currently no way to verify the resume image when returning
|
||||||
from hibernate. This might compromise the secure boot trust model,
|
from hibernate. This might compromise the secure boot trust model,
|
1
sources
1
sources
@ -1,3 +1,4 @@
|
|||||||
21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz
|
21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz
|
||||||
714424b01630b141bbee02d0ea9d5633 patch-3.8-rc5.xz
|
714424b01630b141bbee02d0ea9d5633 patch-3.8-rc5.xz
|
||||||
bbee7c088c5023d79b661a9547379ff7 patch-3.8-rc5-git2.xz
|
bbee7c088c5023d79b661a9547379ff7 patch-3.8-rc5-git2.xz
|
||||||
|
d9ec7011118bf762447b4357252151a3 patch-3.8-rc5-git3.xz
|
||||||
|
Loading…
Reference in New Issue
Block a user