Linux v4.20-10911-g645ff1e8e704

Dropped part of the efi-lockdown patchset for IMA until
conflicts get resolved.
This commit is contained in:
Laura Abbott 2019-01-03 08:27:44 -08:00
parent cca46e0b1d
commit dd000cd2fd
23 changed files with 56 additions and 334 deletions

View File

@ -1,60 +0,0 @@
From 0451d4e795929a69a0fda6d960aa4b077c5bd179 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Fri, 5 May 2017 08:21:58 +0100
Subject: [PATCH 1/4] efi: Add EFI signature data types
Add the data types that are used for containing hashes, keys and
certificates for cryptographic verification along with their corresponding
type GUIDs.
Signed-off-by: David Howells <dhowells@redhat.com>
---
include/linux/efi.h | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
index ec36f42..3259ad6 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -614,6 +614,10 @@ void efi_native_runtime_setup(void);
#define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
#define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
+#define EFI_CERT_SHA256_GUID EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
+#define EFI_CERT_X509_GUID EFI_GUID(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
+#define EFI_CERT_X509_SHA256_GUID EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed)
+
/*
* This GUID is used to pass to the kernel proper the struct screen_info
* structure that was populated by the stub based on the GOP protocol instance
@@ -873,6 +877,27 @@ typedef struct {
efi_memory_desc_t entry[0];
} efi_memory_attributes_table_t;
+typedef struct {
+ efi_guid_t signature_owner;
+ u8 signature_data[];
+} efi_signature_data_t;
+
+typedef struct {
+ efi_guid_t signature_type;
+ u32 signature_list_size;
+ u32 signature_header_size;
+ u32 signature_size;
+ u8 signature_header[];
+ /* efi_signature_data_t signatures[][] */
+} efi_signature_list_t;
+
+typedef u8 efi_sha256_hash_t[32];
+
+typedef struct {
+ efi_sha256_hash_t to_be_signed_hash;
+ efi_time_t time_of_revocation;
+} efi_cert_x509_sha256_t;
+
/*
* All runtime access to EFI goes through this structure:
*/
--
2.9.3

View File

@ -1,7 +1,7 @@
From e4c62c12635a371e43bd17e8d33a936668264491 Mon Sep 17 00:00:00 2001
From 73e105771858bf39aeabcbcd2f7b002c24ac4bb0 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Fri, 5 May 2017 08:21:58 +0100
Subject: [PATCH 2/4] efi: Add an EFI signature blob parser
Subject: [PATCH] efi: Add an EFI signature blob parser
Add a function to parse an EFI signature blob looking for elements of
interest. A list is made up of a series of sublists, where all the
@ -18,21 +18,20 @@ function in turn.
Signed-off-by: David Howells <dhowells@redhat.com>
---
certs/Kconfig | 8 ++++
certs/Makefile | 1 +
certs/efi_parser.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++
include/linux/efi.h | 9 +++++
4 files changed, 130 insertions(+)
certs/Kconfig | 8 ++++
certs/Makefile | 1 +
certs/efi_parser.c | 112 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 121 insertions(+)
create mode 100644 certs/efi_parser.c
diff --git a/certs/Kconfig b/certs/Kconfig
index 6ce51ed..630ae09 100644
index c94e93d8bccf..650ffcb8db79 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -82,4 +82,12 @@ config SYSTEM_BLACKLIST_HASH_LIST
@@ -83,4 +83,12 @@ config SYSTEM_BLACKLIST_HASH_LIST
wrapper to incorporate the list into the kernel. Each <hash> should
be a string of hex digits.
+config EFI_SIGNATURE_LIST_PARSER
+ bool "EFI signature list parser"
+ depends on EFI
@ -43,20 +42,20 @@ index 6ce51ed..630ae09 100644
+
endmenu
diff --git a/certs/Makefile b/certs/Makefile
index 4119bb3..738151a 100644
index 5d0999b9e21b..7e5e179ac685 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -9,6 +9,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
@@ -10,6 +10,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
else
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
endif
+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
diff --git a/certs/efi_parser.c b/certs/efi_parser.c
new file mode 100644
index 0000000..4e396f9
index 000000000000..4e396f98f5c7
--- /dev/null
+++ b/certs/efi_parser.c
@@ -0,0 +1,112 @@
@ -172,26 +171,6 @@ index 0000000..4e396f9
+
+ return 0;
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 3259ad6..08024c6 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1055,6 +1055,15 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
char * __init efi_md_typeattr_format(char *buf, size_t size,
const efi_memory_desc_t *md);
+
+typedef void (*efi_element_handler_t)(const char *source,
+ const void *element_data,
+ size_t element_size);
+extern int __init parse_efi_signature_list(
+ const char *source,
+ const void *data, size_t size,
+ efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *));
+
/**
* efi_range_is_wc - check the WC bit on an address range
* @start: starting kvirt address
--
2.9.3
2.20.1

View File

@ -0,0 +1 @@
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set

View File

@ -0,0 +1 @@
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set

View File

@ -0,0 +1 @@
# CONFIG_IMA_ARCH_POLICY is not set

View File

@ -518,239 +518,6 @@ index f35ffdd096ad..2615669dbf03 100644
--
2.14.3
From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Mon, 9 Apr 2018 09:52:45 +0100
Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode
Require the "secure_boot" rules, whether or not it is specified
on the boot command line, for both the builtin and custom policies
in secure boot lockdown mode.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 8c9499867c91..f8428f579924 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func)
*/
void __init ima_init_policy(void)
{
- int i, measure_entries, appraise_entries, secure_boot_entries;
+ int i;
+ int measure_entries = 0;
+ int appraise_entries = 0;
+ int secure_boot_entries = 0;
+ bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
/* if !ima_policy set entries = 0 so we load NO default rules */
- measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
- appraise_entries = ima_use_appraise_tcb ?
- ARRAY_SIZE(default_appraise_rules) : 0;
- secure_boot_entries = ima_use_secure_boot ?
- ARRAY_SIZE(secure_boot_rules) : 0;
+ if (ima_policy)
+ measure_entries = ARRAY_SIZE(dont_measure_rules);
+
+ if (ima_use_appraise_tcb)
+ appraise_entries = ARRAY_SIZE(default_appraise_rules);
+
+ if (ima_use_secure_boot || kernel_locked_down)
+ secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
for (i = 0; i < measure_entries; i++)
list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
@@ -509,12 +516,25 @@ void __init ima_init_policy(void)
/*
* Insert the builtin "secure_boot" policy rules requiring file
- * signatures, prior to any other appraise rules.
+ * signatures, prior to any other appraise rules. In secure boot
+ * lock-down mode, also require these appraise rules for custom
+ * policies.
*/
for (i = 0; i < secure_boot_entries; i++) {
+ struct ima_rule_entry *entry;
+
+ /* Include for builtin policies */
list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
temp_ima_appraise |=
ima_appraise_flag(secure_boot_rules[i].func);
+
+ /* Include for custom policies */
+ if (kernel_locked_down) {
+ entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
+ GFP_KERNEL);
+ if (entry)
+ list_add_tail(&entry->list, &ima_policy_rules);
+ }
}
/*
--
2.17.1
From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 9 Apr 2018 09:52:46 +0100
Subject: [PATCH] Enforce module signatures if the kernel is locked down
If the kernel is locked down, require that all modules have valid
signatures that we can verify or that IMA can validate the file.
I have adjusted the errors generated:
(1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
ENOKEY), then:
(a) If signatures are enforced then EKEYREJECTED is returned.
(b) If IMA will have validated the image, return 0 (okay).
(c) If there's no signature or we can't check it, but the kernel is
locked down then EPERM is returned (this is then consistent with
other lockdown cases).
(2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
return the error we got.
Note that the X.509 code doesn't check for key expiry as the RTC might not
be valid or might not have been transferred to the kernel's clock yet.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
cc: "Lee, Chun-Yi" <jlee@suse.com>
cc: James Morris <james.l.morris@oracle.com>
---
kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 13 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index b046a32520d8..3bb0722c106e 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -64,6 +64,7 @@
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
#include <linux/audit.h>
+#include <linux/ima.h>
#include <uapi/linux/module.h>
#include "module-internal.h"
@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod,
#endif
#ifdef CONFIG_MODULE_SIG
-static int module_sig_check(struct load_info *info, int flags)
+static int module_sig_check(struct load_info *info, int flags,
+ bool can_do_ima_check)
{
- int err = -ENOKEY;
+ int err = -ENODATA;
const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ const char *reason;
const void *mod = info->hdr;
/*
@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags)
err = mod_verify_sig(mod, info);
}
- if (!err) {
+ switch (err) {
+ case 0:
info->sig_ok = true;
return 0;
- }
- /* Not having a signature is only an error if we're strict. */
- if (err == -ENOKEY && !is_module_sig_enforced())
- err = 0;
+ /* We don't permit modules to be loaded into trusted kernels
+ * without a valid signature on them, but if we're not
+ * enforcing, certain errors are non-fatal.
+ */
+ case -ENODATA:
+ reason = "Loading of unsigned module";
+ goto decide;
+ case -ENOPKG:
+ reason = "Loading of module with unsupported crypto";
+ goto decide;
+ case -ENOKEY:
+ reason = "Loading of module with unavailable key";
+ decide:
+ if (sig_enforce) {
+ pr_notice("%s is rejected\n", reason);
+ return -EKEYREJECTED;
+ }
- return err;
+ if (can_do_ima_check && is_ima_appraise_enabled())
+ return 0;
+ if (kernel_is_locked_down(reason))
+ return -EPERM;
+ return 0;
+
+ /* All other errors are fatal, including nomem, unparseable
+ * signatures and signature check failures - even if signatures
+ * aren't required.
+ */
+ default:
+ return err;
+ }
}
#else /* !CONFIG_MODULE_SIG */
-static int module_sig_check(struct load_info *info, int flags)
+static int module_sig_check(struct load_info *info, int flags,
+ bool can_do_ima_check)
{
return 0;
}
@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
/* Allocate and load the module: note that size of section 0 is always
zero, and we rely on this for optional sections. */
static int load_module(struct load_info *info, const char __user *uargs,
- int flags)
+ int flags, bool can_do_ima_check)
{
struct module *mod;
long err = 0;
@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
goto free_copy;
}
- err = module_sig_check(info, flags);
+ err = module_sig_check(info, flags, can_do_ima_check);
if (err)
goto free_copy;
@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
if (err)
return err;
- return load_module(&info, uargs, 0);
+ return load_module(&info, uargs, 0, false);
}
SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
info.hdr = hdr;
info.len = size;
- return load_module(&info, uargs, flags);
+ return load_module(&info, uargs, flags, true);
}
static inline int within(unsigned long addr, void *start, unsigned long size)
--
2.17.1
From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Mon, 9 Apr 2018 09:52:46 +0100

2
gitrev
View File

@ -1 +1 @@
8e143b90e4d45cca3dc53760d3cfab988bc74571
645ff1e8e704c4f33ab1fcd3c87f95cb9b6d7144

View File

@ -2503,6 +2503,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -6287,6 +6288,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2486,6 +2486,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -6264,6 +6265,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2626,6 +2626,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -6693,6 +6694,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2495,6 +2495,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -6286,6 +6287,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2479,6 +2479,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -6264,6 +6265,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2610,6 +2610,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -6671,6 +6672,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2199,6 +2199,7 @@ CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE is not set
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
@ -2331,6 +2332,7 @@ CONFIG_INT3406_THERMAL=m
CONFIG_INT340X_THERMAL=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
CONFIG_INTEL_ATOMISP2_PM=m
@ -5871,6 +5873,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2181,6 +2181,7 @@ CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE is not set
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
@ -2313,6 +2314,7 @@ CONFIG_INT3406_THERMAL=m
CONFIG_INT340X_THERMAL=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
CONFIG_INTEL_ATOMISP2_PM=m
@ -5849,6 +5851,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2156,6 +2156,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -5537,6 +5538,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2138,6 +2138,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -5513,6 +5514,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2109,6 +2109,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -5433,6 +5434,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2091,6 +2091,7 @@ CONFIG_INPUT=y
CONFIG_INPUT_YEALINK=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
@ -5409,6 +5410,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2241,6 +2241,7 @@ CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE is not set
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
@ -2376,6 +2377,7 @@ CONFIG_INT3406_THERMAL=m
CONFIG_INT340X_THERMAL=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
CONFIG_INTEL_ATOMISP2_PM=m
@ -5915,6 +5917,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -2223,6 +2223,7 @@ CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE is not set
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
@ -2358,6 +2359,7 @@ CONFIG_INT3406_THERMAL=m
CONFIG_INT340X_THERMAL=m
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
CONFIG_INTEL_ATOMISP2_PM=m
@ -5893,6 +5895,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
CONFIG_TOUCHSCREEN_RM_TS=m
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
# CONFIG_TOUCHSCREEN_S6SY761 is not set

View File

@ -69,7 +69,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 0
# The git snapshot level
%define gitrev 5
%define gitrev 6
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@ -539,8 +539,6 @@ Patch201: efi-lockdown.patch
Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
Patch203: Add-EFI-signature-data-types.patch
Patch204: Add-an-EFI-signature-blob-parser-and-key-loader.patch
Patch205: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@ -1878,6 +1876,9 @@ fi
#
#
%changelog
* Thu Jan 03 2019 Laura Abbott <labbott@redhat.com> - 4.21.0-0.rc0.git6.1
- Linux v4.20-10911-g645ff1e8e704
* Wed Jan 02 2019 Laura Abbott <labbott@redhat.com> - 4.21.0-0.rc0.git5.1
- Linux v4.20-10595-g8e143b90e4d4

View File

@ -1,2 +1,2 @@
SHA512 (linux-4.20.tar.xz) = e282399beea5da539701aed2bc131abd5bc74a970dcd344163e9d295106dfd700180e672ed546ae5e55bc6b9ac95efd5ca1de2039015c1b7a6fc9c01ea6583d4
SHA512 (patch-4.20-git5.xz) = 8735ac8abb204356c45534465cb14765c6e36d0b062b469bb4a439d64c1fafc81b650841ba5cfde93fc23d81266c9981b72cec52ad22777f52b96082b9b69e81
SHA512 (patch-4.20-git6.xz) = 8529bfd268ea6edb0d958a717c70271565b85ce3a0f712d7ba72cf61c4f4c7323a346dbde886d5ab34e4dd92588f966dd36fdd327be8b1f89305bae82b3c87e7