Add system_keyring patches back in

2013-09-03 17:26:36 -04:00 · 2013-09-03 17:26:36 -04:00 · d7ee6f3b0e
commit d7ee6f3b0e
parent 663b7fc9c8
6 changed files with 1853 additions and 246 deletions
--- a/3
+++ b/3
@ -441,12 +441,13 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m
 CONFIG_XZ_DEC_X86=y
 CONFIG_MPILIB=y
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_ALL=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 CONFIG_MODULE_SIG_SHA256=y
 # CONFIG_MODULE_SIG_FORCE is not set
 CONFIG_MODULE_SIG_BLACKLIST=y
 CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
 CONFIG_EFI_SIGNATURE_LIST_PARSER=y
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 3
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@ -651,6 +651,7 @@ Patch800: crash-driver.patch
 # keys
 Patch900: keys-expand-keyring.patch
 Patch901: keys-krb-support.patch
 Patch902: keys-x509-improv.patch
 # secure boot
 Patch1000: secure-modules.patch
@ -1394,6 +1395,7 @@ ApplyPatch crash-driver.patch
 # keys
 ApplyPatch keys-expand-keyring.patch
 ApplyPatch keys-krb-support.patch
 ApplyPatch keys-x509-improv.patch
 # secure boot
 ApplyPatch secure-modules.patch
@ -2280,6 +2282,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
 * Tue Sep 03 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-3
 - Add system_keyring patches back in
 * Tue Sep 03 2013 Kyle McMartin <kyle@redhat.com>
 - Pull in some Calxeda highbank fixes that are destined for 3.12
 - Add a %with_extra twiddle to disable building kernel-modules-extra
--- a/keys-x509-improv.patch
+++ b/keys-x509-improv.patch
--- a/modsign-uefi.patch
+++ b/modsign-uefi.patch
@ -1,4 +1,4 @@
-From cff9d37c9529fca5ff853f0050c7f0de0e819ea7 Mon Sep 17 00:00:00 2001
+From 725d7e7fb9ca1065102e640cf8af606169e63075 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:30:54 -0400
 Subject: [PATCH 1/4] Add EFI signature data types
@ -53,7 +53,7 @@ index eed2202..1da1b3c 100644
 1.8.3.1
-From 2ce1c1d0d7110c4b06d65e4c8506f6c54aa72628 Mon Sep 17 00:00:00 2001
+From f204253a34b477c5d68df711326a694b58e51c76 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
 Subject: [PATCH 2/4] Add an EFI signature blob parser and key loader.
@ -65,9 +65,9 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 ---
 crypto/asymmetric_keys/Kconfig      |   8 +++
 crypto/asymmetric_keys/Makefile     |   1 +
- crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
+ crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
 include/linux/efi.h                 |   4 ++
- 4 files changed, 121 insertions(+)
+ 4 files changed, 122 insertions(+)
 create mode 100644 crypto/asymmetric_keys/efi_parser.c
 diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
@ -101,10 +101,10 @@ index 0727204..cd8388e 100644
 # X.509 Certificate handling
 diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
 new file mode 100644
-index 0000000..636feb1
+index 0000000..424896a
 --- /dev/null
 +++ b/crypto/asymmetric_keys/efi_parser.c
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,109 @@
 +/* EFI signature/key/certificate list parser
 + *
 + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
@ -195,7 +195,8 @@ index 0000000..636feb1
 +				esize - sizeof(*elem),
 +				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +				KEY_USR_VIEW,
-+				KEY_ALLOC_NOT_IN_QUOTA);
+				KEY_ALLOC_NOT_IN_QUOTA |
 +				KEY_ALLOC_TRUSTED);
 +
 +			if (IS_ERR(key))
 +				pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
@ -232,10 +233,10 @@ index 1da1b3c..42a1d25 100644
 1.8.3.1
-From 0e4e8acfd0932bbf6b02112218092c810d9469a5 Mon Sep 17 00:00:00 2001
+From cebc8870a8f0b97b2585a07d9957ead0f21cdc8a Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 3/4] MODSIGN: Add module certificate blacklist keyring
+Subject: [PATCH 3/4] KEYS: Add a system blacklist keyring
 This adds an additional keyring that is used to store certificates that
 are blacklisted.  This keyring is searched first when loading signed modules
@ -244,86 +245,57 @@ useful in cases where third party certificates are used for module signing.
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
- init/Kconfig             |  8 ++++++++
+ include/keys/system_keyring.h |  4 ++++
- kernel/modsign_pubkey.c  | 14 ++++++++++++++
+ init/Kconfig                  |  9 +++++++++
- kernel/module-internal.h |  3 +++
+ kernel/module_signing.c       | 12 ++++++++++++
- kernel/module_signing.c  | 12 ++++++++++++
+ kernel/system_keyring.c       | 17 +++++++++++++++++
- 4 files changed, 37 insertions(+)
+ 4 files changed, 42 insertions(+)
 diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
 index 8dabc39..e466de1 100644
 --- a/include/keys/system_keyring.h
 +++ b/include/keys/system_keyring.h
@@ -18,6 +18,10 @@
 extern struct key *system_trusted_keyring;
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +extern struct key *system_blacklist_keyring;
 +#endif
 +
 #endif
 #endif /* _KEYS_SYSTEM_KEYRING_H */
 diff --git a/init/Kconfig b/init/Kconfig
-index fed81b5..b4fa2d1 100644
+index 9f3cfdc..547f617 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1772,6 +1772,14 @@ config MODULE_SIG_ALL
+@@ -1676,6 +1676,15 @@ config SYSTEM_TRUSTED_KEYRING
 comment "Do not forget to sign required modules with scripts/sign-file"
 	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
-+config MODULE_SIG_BLACKLIST
+ 	  Keys in this keyring are used by module signature checking.
-+	bool "Support for blacklisting module signature certificates"
+ 
-+	depends on MODULE_SIG
+config SYSTEM_BLACKLIST_KEYRING
 +	bool "Provide system-wide ring of blacklisted keys"
 +	depends on KEYS
 +	help
-+	  This adds support for keeping a blacklist of certificates that
+	  Provide a system keyring to which blacklisted keys can be added.  Keys
-+	  should not pass module signature verification.  If a module is
+	  in the keyring are considered entirely untrusted.  Keys in this keyring
-+	  signed with something in this keyring, the load will be rejected.
+	  are used by the module signature checking to reject loading of modules
 +	  signed with a blacklisted key.
 +
- choice
+ menuconfig MODULES
- 	prompt "Which hash algorithm should modules be signed with?"
+ 	bool "Enable loadable module support"
- 	depends on MODULE_SIG
+ 	help
 diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
 index 2b6e699..4cd408d 100644
 --- a/kernel/modsign_pubkey.c
 +++ b/kernel/modsign_pubkey.c
@@ -17,6 +17,9 @@
 #include "module-internal.h"
 struct key *modsign_keyring;
 +#ifdef CONFIG_MODULE_SIG_BLACKLIST
 +struct key *modsign_blacklist;
 +#endif
 extern __initdata const u8 modsign_certificate_list[];
 extern __initdata const u8 modsign_certificate_list_end[];
@@ -43,6 +46,17 @@ static __init int module_verify_init(void)
 	if (IS_ERR(modsign_keyring))
 		panic("Can't allocate module signing keyring\n");
 +#ifdef CONFIG_MODULE_SIG_BLACKLIST
 +	modsign_blacklist = keyring_alloc(".modsign_blacklist",
 +				    KUIDT_INIT(0), KGIDT_INIT(0),
 +				    current_cred(),
 +				    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +				    KEY_USR_VIEW | KEY_USR_READ,
 +				    KEY_ALLOC_NOT_IN_QUOTA, NULL);
 +	if (IS_ERR(modsign_blacklist))
 +		panic("Can't allocate module signing blacklist keyring\n");
 +#endif
 +
 	return 0;
 }
 diff --git a/kernel/module-internal.h b/kernel/module-internal.h
 index 24f9247..51a8380 100644
 --- a/kernel/module-internal.h
 +++ b/kernel/module-internal.h
@@ -10,5 +10,8 @@
  */
 extern struct key *modsign_keyring;
 +#ifdef CONFIG_MODULE_SIG_BLACKLIST
 +extern struct key *modsign_blacklist;
 +#endif
 extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
 diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index f2970bd..5423195 100644
+index 0b6b870..0a29b40 100644
 --- a/kernel/module_signing.c
 +++ b/kernel/module_signing.c
-@@ -157,6 +157,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
+@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
 	pr_debug("Look up: \"%s\"\n", id);
-+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+	key = keyring_search(make_key_ref(modsign_blacklist, 1),
+	key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
 +				   &key_type_asymmetric, id);
 +	if (!IS_ERR(key)) {
 +		/* module is signed with a cert in the blacklist.  reject */
@ -334,20 +306,55 @@ index f2970bd..5423195 100644
 +	}
 +#endif
 +
- 	key = keyring_search(make_key_ref(modsign_keyring, 1),
+ 	key = keyring_search(make_key_ref(system_trusted_keyring, 1),
 			     &key_type_asymmetric, id);
 	if (IS_ERR(key))
 diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
 index 4ca7072..b19cc6e 100644
 --- a/kernel/system_keyring.c
 +++ b/kernel/system_keyring.c
@@ -20,6 +20,9 @@
 struct key *system_trusted_keyring;
 EXPORT_SYMBOL_GPL(system_trusted_keyring);
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +struct key *system_blacklist_keyring;
 +#endif
 extern __initdata const u8 system_certificate_list[];
 extern __initdata const u8 system_certificate_list_end[];
@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
 		panic("Can't allocate system trusted keyring\n");
 	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
 +
 +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +	system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
 +				    KUIDT_INIT(0), KGIDT_INIT(0),
 +				    current_cred(),
 +				    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +				    KEY_USR_VIEW | KEY_USR_READ,
 +				    KEY_ALLOC_NOT_IN_QUOTA, NULL);
 +	if (IS_ERR(system_blacklist_keyring))
 +		panic("Can't allocate system blacklist keyring\n");
 +
 +	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
 +#endif
 +
 	return 0;
 }
 -- 
 1.8.3.1
-From c558b46370e850851a94795df67b7c57aecc48ea Mon Sep 17 00:00:00 2001
+From aa4f39ac51f8b9f589c13766e5e32a5b7794ed68 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:42:16 -0400
 Subject: [PATCH 4/4] MODSIGN: Import certificates from UEFI Secure Boot
 Secure Boot stores a list of allowed certificates in the 'db' variable.
-This imports those certificates into the module signing keyring.  This
+This imports those certificates into the system trusted keyring.  This
 allows for a third party signing certificate to be used in conjunction
 with signed modules.  By importing the public certificate into the 'db'
 variable, a user can allow a module signed with that certificate to
@ -356,7 +363,7 @@ in the 'MokListRT' variable.  We import those as well.
 In the opposite case, Secure Boot maintains a list of disallowed
 certificates in the 'dbx' variable.  We load those certificates into
-the newly introduced module blacklist keyring and forbid any module
+the newly introduced system blacklist keyring and forbid any module
 signed with those from loading.
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
@ -364,8 +371,8 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 include/linux/efi.h   |  6 ++++
 init/Kconfig          |  9 +++++
 kernel/Makefile       |  3 ++
- kernel/modsign_uefi.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 109 insertions(+)
+ 4 files changed, 110 insertions(+)
 create mode 100644 kernel/modsign_uefi.c
 diff --git a/include/linux/efi.h b/include/linux/efi.h
@ -386,16 +393,16 @@ index 42a1d25..d3e6036 100644
 	efi_guid_t guid;
 	u64 table;
 diff --git a/init/Kconfig b/init/Kconfig
-index b4fa2d1..94ce526 100644
+index 547f617..8e943bf 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1780,6 +1780,15 @@ config MODULE_SIG_BLACKLIST
+@@ -1794,6 +1794,15 @@ config MODULE_SIG_ALL
- 	  should not pass module signature verification.  If a module is
+ comment "Do not forget to sign required modules with scripts/sign-file"
- 	  signed with something in this keyring, the load will be rejected.
+ 	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
 +config MODULE_SIG_UEFI
 +	bool "Allow modules signed with certs stored in UEFI"
-+	depends on MODULE_SIG && MODULE_SIG_BLACKLIST && EFI
+	depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI
 +	select EFI_SIGNATURE_LIST_PARSER
 +	help
 +	  This will import certificates stored in UEFI and allow modules
@ -406,18 +413,18 @@ index b4fa2d1..94ce526 100644
 	prompt "Which hash algorithm should modules be signed with?"
 	depends on MODULE_SIG
 diff --git a/kernel/Makefile b/kernel/Makefile
-index 35ef118..6ca1fea 100644
+index 1ff5e3b..f9b9998 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
-@@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
+@@ -56,6 +56,7 @@ obj-$(CONFIG_UID16) += uid16.o
- obj-$(CONFIG_UID16) += uid16.o
+ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
 obj-$(CONFIG_MODULES) += module.o
- obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o
+ obj-$(CONFIG_MODULE_SIG) += module_signing.o
 +obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
 obj-$(CONFIG_KALLSYMS) += kallsyms.o
 obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
 obj-$(CONFIG_KEXEC) += kexec.o
-@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
+@@ -115,6 +116,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
 $(obj)/configs.o: $(obj)/config_data.h
@ -428,10 +435,10 @@ index 35ef118..6ca1fea 100644
 targets += config_data.gz
 diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
 new file mode 100644
-index 0000000..7eae5b4
+index 0000000..94b0eb3
 --- /dev/null
 +++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,92 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/cred.h>
@ -439,6 +446,7 @@ index 0000000..7eae5b4
 +#include <linux/efi.h>
 +#include <linux/slab.h>
 +#include <keys/asymmetric-type.h>
 +#include <keys/system_keyring.h>
 +#include "module-internal.h"
 +
 +static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
@ -493,7 +501,7 @@ index 0000000..7eae5b4
 +	if (!db) {
 +		pr_err("MODSIGN: Couldn't get UEFI db list\n");
 +	} else {
-+		rc = parse_efi_signature_list(db, dbsize, modsign_keyring);
+		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
 +		if (rc)
 +			pr_err("Couldn't parse db signatures: %d\n", rc);
 +		kfree(db);
@ -503,7 +511,7 @@ index 0000000..7eae5b4
 +	if (!mok) {
 +		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
 +	} else {
-+		rc = parse_efi_signature_list(mok, moksize, modsign_keyring);
+		rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
 +		if (rc)
 +			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
 +		kfree(mok);
@ -514,7 +522,7 @@ index 0000000..7eae5b4
 +		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
 +	} else {
 +		rc = parse_efi_signature_list(dbx, dbxsize,
-+			modsign_blacklist);
+			system_blacklist_keyring);
 +		if (rc)
 +			pr_err("Couldn't parse dbx signatures: %d\n", rc);
 +		kfree(dbx);
--- a/sb-hibernate.patch
+++ b/sb-hibernate.patch
@ -1,4 +1,4 @@
-From 4fe6d11d21b548d6e8272cc8cad5fcc6150ef081 Mon Sep 17 00:00:00 2001
+From ffe1ee94d526900ce1e5191cdd38934477dd209a Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 14:02:09 -0400
 Subject: [PATCH] hibernate: Disable in a signed modules environment
@ -12,8 +12,8 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.com>
 ---
 kernel/power/hibernate.c | 16 +++++++++++++++-
 kernel/power/main.c      |  7 ++++++-
- kernel/power/user.c      |  5 +++++
+ kernel/power/user.c      |  1 +
- 3 files changed, 26 insertions(+), 2 deletions(-)
+ 3 files changed, 22 insertions(+), 2 deletions(-)
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
 index b26f5f1..e65228b 100644
@ -96,28 +96,17 @@ index 1d1bf63..300f300 100644
 	if (s != buf)
 		/* convert the last space to a newline */
 diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 4ed81e7..b714ee6 100644
+index 15cb72f..fa85ed5 100644
 --- a/kernel/power/user.c
 +++ b/kernel/power/user.c
-@@ -24,6 +24,8 @@
+@@ -25,6 +25,7 @@
 #include <linux/console.h>
 #include <linux/cpu.h>
 #include <linux/freezer.h>
 #include <linux/module.h>
 +#include <linux/efi.h>
 +#include <linux/module.h>
 #include <asm/uaccess.h>
@@ -48,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
 	struct snapshot_data *data;
 	int error;
 +	if (secure_modules())
 +		return -EPERM;
 +
 	lock_system_sleep();
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
 -- 
 1.8.3.1
--- a/secure-modules.patch
+++ b/secure-modules.patch
@ -1,7 +1,7 @@
-From 17832506ee9b52bc8e00c2ec89b49257998171ed Mon Sep 17 00:00:00 2001
+From 8dea807503a1ba88d9e27595daae7f86ec968711 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Mon, 19 Aug 2013 13:26:02 -0400
+Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 01/13] Add secure_modules() call
+Subject: [PATCH 01/14] Add secure_modules() call
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load
@ -39,7 +39,7 @@ index 46f1ea0..0c266b2 100644
 #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 2069158..499ee57 100644
+index 2069158..0e94acf 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
@@ -3852,3 +3852,13 @@ void module_layout(struct module *mod,
@ -55,15 +55,15 @@ index 2069158..499ee57 100644
 +	return modules_disabled;
 +#endif
 +}
-+EXPORT_SYMBOL_GPL(secure_modules);
+EXPORT_SYMBOL(secure_modules);
 -- 
 1.8.3.1
-From e347503648ace6a4b71dfb566365f1aa19657746 Mon Sep 17 00:00:00 2001
+From 9b7b3f6283bf784e4ea1c34e52646b12971b2823 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Mon, 19 Aug 2013 13:26:03 -0400
+Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 02/13] PCI: Lock down BAR access when module security is
+Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
 enabled
 Any hardware that can potentially generate DMA has to be locked down from
@ -179,10 +179,10 @@ index e1c1ec5..bffbf71 100644
 1.8.3.1
-From b846e3958d3f4ff875ec958efba8b681ccbae04e Mon Sep 17 00:00:00 2001
+From aac2425a2664c09c2a369e1eec6e7a5bc2713cb1 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Mon, 19 Aug 2013 13:26:04 -0400
+Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 03/13] x86: Lock down IO port access when module security is
+Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
 enabled
 IO port access would permit users to gain access to PCI configuration
@ -252,10 +252,10 @@ index f895a8c..1af8664 100644
 1.8.3.1
-From 8c11e2cc989eece2d4978cfbc83f9b898f3cd1aa Mon Sep 17 00:00:00 2001
+From e7f9789c7eedf291972666befee726ff8e7126f6 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Mon, 19 Aug 2013 13:26:05 -0400
+Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 04/13] ACPI: Limit access to custom_method
+Subject: [PATCH 04/14] ACPI: Limit access to custom_method
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.
@ -263,22 +263,14 @@ Disable it if any such restrictions have been enabled.
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 ---
- drivers/acpi/custom_method.c | 4 ++++
+ drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 4 insertions(+)
+ 1 file changed, 3 insertions(+)
 diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index 12b62f2..55a013f 100644
+index 12b62f2..50647b3 100644
 --- a/drivers/acpi/custom_method.c
 +++ b/drivers/acpi/custom_method.c
-@@ -7,6 +7,7 @@
+@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
 #include <linux/kernel.h>
 #include <linux/uaccess.h>
 #include <linux/debugfs.h>
 +#include <linux/module.h>
 #include <acpi/acpi_drivers.h>
 #include "internal.h"
@@ -29,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
 	struct acpi_table_header table;
 	acpi_status status;
@ -292,10 +284,10 @@ index 12b62f2..55a013f 100644
 1.8.3.1
-From 968ccfb32df5d5c9673c57641ebf90b25c0df880 Mon Sep 17 00:00:00 2001
+From d81cd6628c821d47bd086354cbc57b1474f3c1a8 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Mon, 19 Aug 2013 13:26:06 -0400
+Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 05/13] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
 loading is restricted
 We have no way of validating what all of the Asus WMI methods do on a
@ -347,10 +339,10 @@ index 19c313b..db18ef66 100644
 1.8.3.1
-From e492d0a80bb591c34391757f97fc5aa8eb198e4f Mon Sep 17 00:00:00 2001
+From df75e984729ef50bb691b4d15472529fcd81580b Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Mon, 19 Aug 2013 13:26:07 -0400
+Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 06/13] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
 restricted
 Allowing users to write to address space makes it possible for the kernel
@ -390,10 +382,10 @@ index 1af8664..61406c8 100644
 1.8.3.1
-From 145913d656bfe8216032b38a576ac150699521e5 Mon Sep 17 00:00:00 2001
+From 78955913cc46cc5e5c7f2c71c1b07a5c18e06456 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
-Date: Mon, 19 Aug 2013 13:26:08 -0400
+Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 07/13] acpi: Ignore acpi_rsdp kernel parameter when module
+Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
 loading is restricted
 This option allows userspace to pass the RSDP address to the kernel, which
@ -430,10 +422,95 @@ index 6ab2c35..e4c4410 100644
 1.8.3.1
-From 012ac79f54ab746114d8276d8858a3df18b10e22 Mon Sep 17 00:00:00 2001
+From 23aae9143fbece326b3a26bf5ba48956c99cabe4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Mon, 19 Aug 2013 13:26:10 -0400
+Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH 08/13] x86: Restrict MSR access when module loading is
+Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
 loading restrictions
 kexec permits the loading and execution of arbitrary code in ring 0, which
 is something that module signing enforcement is meant to prevent. It makes
 sense to disable kexec in this situation.
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 ---
 kernel/kexec.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/kernel/kexec.c b/kernel/kexec.c
 index 59f7b55..3e2b63a 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
@@ -32,6 +32,7 @@
 #include <linux/vmalloc.h>
 #include <linux/swap.h>
 #include <linux/syscore_ops.h>
 +#include <linux/module.h>
 #include <asm/page.h>
 #include <asm/uaccess.h>
@@ -943,6 +944,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 		return -EPERM;
 	/*
 +	 * kexec can be used to circumvent module loading restrictions, so
 +	 * prevent loading in that case
 +	 */
 +	if (secure_modules())
 +		return -EPERM;
 +
 +	/*
 	 * Verify we have a legal set of flags
 	 * This leaves us room for future extensions.
 	 */
 -- 
 1.8.3.1
 From 218cd49aa2d6a085c5c4edc0396200864f0b54ad Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 3 Sep 2013 11:23:29 -0400
 Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted
 uswsusp allows a user process to dump and then restore kernel state, which
 makes it possible to avoid module loading restrictions. Prevent this when
 any restrictions have been imposed on loading modules.
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 ---
 kernel/power/user.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/kernel/power/user.c b/kernel/power/user.c
 index 4ed81e7..15cb72f 100644
 --- a/kernel/power/user.c
 +++ b/kernel/power/user.c
@@ -24,6 +24,7 @@
 #include <linux/console.h>
 #include <linux/cpu.h>
 #include <linux/freezer.h>
 +#include <linux/module.h>
 #include <asm/uaccess.h>
@@ -48,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
 	struct snapshot_data *data;
 	int error;
 +	if (secure_modules())
 +		return -EPERM;
 +
 	lock_system_sleep();
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
 -- 
 1.8.3.1
 From beeaac053d4ae57dc65be1da8b46e5d4bc6542b8 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
 Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is
 restricted
 Writing to MSRs should not be allowed if module loading is restricted,
@ -475,51 +552,10 @@ index 88458fa..d08f7e3 100644
 1.8.3.1
-From a44d2968968fd667c8cbeba7c043f674d17e7ce7 Mon Sep 17 00:00:00 2001
+From b4331711c52aff0a6a9cef0f4b52fe261874d6f2 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Mon, 19 Aug 2013 13:26:09 -0400
+Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 09/13] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 11/14] Add option to automatically enforce module signatures
 loading restrictions
 kexec permits the loading and execution of arbitrary code in ring 0, which
 is something that module signing enforcement is meant to prevent. It makes
 sense to disable kexec in this situation.
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 ---
 kernel/kexec.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/kernel/kexec.c b/kernel/kexec.c
 index 59f7b55..1a7690f 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
@@ -32,6 +32,7 @@
 #include <linux/vmalloc.h>
 #include <linux/swap.h>
 #include <linux/syscore_ops.h>
 +#include <linux/module.h>
 #include <asm/page.h>
 #include <asm/uaccess.h>
@@ -1645,6 +1646,9 @@ int kernel_kexec(void)
 		goto Unlock;
 	}
 +	if (secure_modules())
 +		return -EPERM;
 +
 #ifdef CONFIG_KEXEC_JUMP
 	if (kexec_image->preserve_context) {
 		lock_system_sleep();
 -- 
 1.8.3.1
 From f8f879da5dcc060a990a3b660aa5f340429cc4ed Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Mon, 19 Aug 2013 13:26:11 -0400
 Subject: [PATCH 10/13] Add option to automatically enforce module signatures
 when in Secure Boot mode
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@ -528,17 +564,15 @@ require that all kernel modules also be signed. Add a configuration option
 that enforces this automatically when enabled.
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
- Documentation/x86/zero-page.txt        |  2 ++
+ Documentation/x86/zero-page.txt       |  2 ++
- arch/x86/Kconfig                       | 10 ++++++++++
+ arch/x86/Kconfig                      | 10 ++++++++++
- arch/x86/boot/compressed/eboot.c       | 33 +++++++++++++++++++++++++++++++++
+ arch/x86/boot/compressed/eboot.c      | 36 +++++++++++++++++++++++++++++++++++
- arch/x86/include/asm/bootparam_utils.h |  8 ++++++--
+ arch/x86/include/uapi/asm/bootparam.h |  3 ++-
- arch/x86/include/uapi/asm/bootparam.h  |  3 ++-
+ arch/x86/kernel/setup.c               |  6 ++++++
- arch/x86/kernel/setup.c                |  6 ++++++
+ include/linux/module.h                |  6 ++++++
- include/linux/module.h                 |  6 ++++++
+ kernel/module.c                       |  7 +++++++
- kernel/module.c                        |  7 +++++++
+ 7 files changed, 69 insertions(+), 1 deletion(-)
 8 files changed, 72 insertions(+), 3 deletions(-)
 diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
 index 199f453..ec38acf 100644
@ -575,14 +609,22 @@ index b32ebf9..6a6c19b 100644
 	def_bool y
 	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index b7388a4..145294d 100644
+index b7388a4..53bfe4f 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
-@@ -861,6 +861,37 @@ fail:
+@@ -12,6 +12,7 @@
 #include <asm/efi.h>
 #include <asm/setup.h>
 #include <asm/desc.h>
 +#include <asm/bootparam_utils.h>
 #undef memcpy			/* Use memcpy from misc.c */
@@ -861,6 +862,37 @@ fail:
 	return status;
 }
-+static int get_secure_boot(efi_system_table_t *_table)
+static int get_secure_boot(void)
 +{
 +	u8 sb, setup;
 +	unsigned long datasize = sizeof(sb);
@ -616,37 +658,19 @@ index b7388a4..145294d 100644
 /*
  * Because the x86 boot code expects to be passed a boot_params we
  * need to create one ourselves (usually the bootloader would create
-@@ -1169,6 +1200,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
+@@ -1169,6 +1201,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
 	if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
 		goto fail;
-+	boot_params->secure_boot = get_secure_boot(sys_table);
+	sanitize_boot_params(boot_params);
 +
 +	boot_params->secure_boot = get_secure_boot();
 +
 	setup_graphics(boot_params);
 	setup_efi_pci(boot_params);
 diff --git a/arch/x86/include/asm/bootparam_utils.h b/arch/x86/include/asm/bootparam_utils.h
 index 4a8cb8d..25f9cf1 100644
 --- a/arch/x86/include/asm/bootparam_utils.h
 +++ b/arch/x86/include/asm/bootparam_utils.h
@@ -38,9 +38,13 @@ static void sanitize_boot_params(struct boot_params *boot_params)
 		memset(&boot_params->ext_ramdisk_image, 0,
 		       (char *)&boot_params->efi_info -
 			(char *)&boot_params->ext_ramdisk_image);
 -		memset(&boot_params->kbd_status, 0,
 +		memset(&boot_params->kbd_status, 0, sizeof(boot_params->kbd_status));
 +		/* don't clear boot_params->secure_boot.  we set that ourselves
 +		 * earlier.
 +		 */
 +		memset(&boot_params->_pad5[0], 0,
 		       (char *)&boot_params->hdr -
 -		       (char *)&boot_params->kbd_status);
 +		       (char *)&boot_params->_pad5[0]);
 		memset(&boot_params->_pad7[0], 0,
 		       (char *)&boot_params->edd_mbr_sig_buffer[0] -
 			(char *)&boot_params->_pad7[0]);
 diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index c15ddaf..d35da96 100644
+index c15ddaf..85d7685 100644
 --- a/arch/x86/include/uapi/asm/bootparam.h
 +++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -131,7 +131,8 @@ struct boot_params {
@ -655,7 +679,7 @@ index c15ddaf..d35da96 100644
 	__u8  kbd_status;				/* 0x1eb */
 -	__u8  _pad5[3];					/* 0x1ec */
 +	__u8  secure_boot;				/* 0x1ec */
-+	__u8  _pad5[2];					/* 0x1ec */
+	__u8  _pad5[2];					/* 0x1ed */
 	/*
 	 * The sentinel is set to a nonzero value (0xff) in header.S.
 	 *
@ -694,7 +718,7 @@ index 0c266b2..5a6374a 100644
 extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 499ee57..bc7c987 100644
+index 0e94acf..974139b 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
@@ -3853,6 +3853,13 @@ void module_layout(struct module *mod,
@ -715,10 +739,10 @@ index 499ee57..bc7c987 100644
 1.8.3.1
-From b1604407fff69b17b598af03888a9efda0d58f2b Mon Sep 17 00:00:00 2001
+From bb28516d346e6511f1e012321c48eb142763e539 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 11/13] efi: Disable secure boot if shim is in insecure mode
+Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode
 A user can manually tell the shim boot loader to disable validation of
 images it loads.  When a user does this, it creates a UEFI variable called
@ -732,12 +756,12 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 1 file changed, 19 insertions(+), 1 deletion(-)
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 145294d..545d4a6 100644
+index 53bfe4f..946028b 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
-@@ -863,8 +863,9 @@ fail:
+@@ -864,8 +864,9 @@ fail:
- static int get_secure_boot(efi_system_table_t *_table)
+ static int get_secure_boot(void)
 {
 -	u8 sb, setup;
 +	u8 sb, setup, moksbstate;
@ -746,7 +770,7 @@ index 145294d..545d4a6 100644
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
-@@ -888,6 +889,23 @@ static int get_secure_boot(efi_system_table_t *_table)
+@@ -889,6 +890,23 @@ static int get_secure_boot(void)
 	if (setup == 1)
 		return 0;
@ -774,10 +798,10 @@ index 145294d..545d4a6 100644
 1.8.3.1
-From 4d8b5cab923a2df15e1f33b3f0511366f9f98756 Mon Sep 17 00:00:00 2001
+From 4c8824bac8d4284e66c39c365ba84151f2d78e87 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 12/13] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.
@ -805,10 +829,10 @@ index 6a6c19b..10498ec 100644
 1.8.3.1
-From a87ca6498b8a9f8e3c1d7e6ef7ef4e233ec8639d Mon Sep 17 00:00:00 2001
+From 871b0ed1847c3c5413a4ca72ecf18735858f7708 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 13/13] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.