Refresh SB patchset to fix bisectability issue
This commit is contained in:
parent
793d04075c
commit
ea38f2f938
@ -1,4 +1,4 @@
|
||||
From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001
|
||||
From 36d02761fc952f8190fca75bb4b81c2c7b7ddf68 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:39:37 -0500
|
||||
Subject: [PATCH 04/20] ACPI: Limit access to custom_method
|
||||
@ -27,5 +27,5 @@ index c68e72414a67..4277938af700 100644
|
||||
/* parse the table header to get the table length */
|
||||
if (count <= sizeof(struct acpi_table_header))
|
||||
--
|
||||
2.4.3
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001
|
||||
From ba3f737b8521314b62edaa7d4cc4bdc9aeefe394 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Tue, 23 Oct 2012 09:30:54 -0400
|
||||
Subject: [PATCH 4/9] Add EFI signature data types
|
||||
Subject: [PATCH 15/20] Add EFI signature data types
|
||||
|
||||
Add the data types that are used for containing hashes, keys and certificates
|
||||
for cryptographic verification.
|
||||
@ -11,14 +11,14 @@ Upstream-status: Fedora mustard for now
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
include/linux/efi.h | 20 ++++++++++++++++++++
|
||||
1 file changed, 20 insertions(+)
|
||||
include/linux/efi.h | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 8cb38cfcba74..8c274b4ea8e6 100644
|
||||
index 5af91b58afae..190858d62fe3 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -647,6 +647,9 @@ void efi_native_runtime_setup(void);
|
||||
@@ -603,6 +603,9 @@ void efi_native_runtime_setup(void);
|
||||
#define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID EFI_GUID(0xe03fc20a, 0x85dc, 0x406e, 0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95)
|
||||
#define LINUX_EFI_LOADER_ENTRY_GUID EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
|
||||
|
||||
@ -28,7 +28,7 @@ index 8cb38cfcba74..8c274b4ea8e6 100644
|
||||
typedef struct {
|
||||
efi_guid_t guid;
|
||||
u64 table;
|
||||
@@ -879,6 +885,20 @@ typedef struct {
|
||||
@@ -853,6 +856,20 @@ typedef struct {
|
||||
efi_memory_desc_t entry[0];
|
||||
} efi_memory_attributes_table_t;
|
||||
|
||||
@ -50,5 +50,5 @@ index 8cb38cfcba74..8c274b4ea8e6 100644
|
||||
* All runtime access to EFI goes through this structure:
|
||||
*/
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
|
||||
From 822b4b3eb76ca451a416a51f0a7bfedfa5c5ea39 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
||||
Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
|
||||
Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
|
||||
|
||||
X.509 certificates are loaded into the specified keyring as asymmetric type
|
||||
keys.
|
||||
@ -17,10 +17,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
create mode 100644 crypto/asymmetric_keys/efi_parser.c
|
||||
|
||||
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
|
||||
index e28e912000a7..94024e8aedaa 100644
|
||||
index 331f6baf2df8..5f9002d3192e 100644
|
||||
--- a/crypto/asymmetric_keys/Kconfig
|
||||
+++ b/crypto/asymmetric_keys/Kconfig
|
||||
@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
|
||||
@@ -61,4 +61,12 @@ config SIGNED_PE_FILE_VERIFICATION
|
||||
This option provides support for verifying the signature(s) on a
|
||||
signed PE binary.
|
||||
|
||||
@ -160,10 +160,10 @@ index 000000000000..636feb18b733
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 8c274b4ea8e6..ff1877145aa4 100644
|
||||
index 190858d62fe3..668aa1244885 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
|
||||
@@ -1025,6 +1025,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
|
||||
char * __init efi_md_typeattr_format(char *buf, size_t size,
|
||||
const efi_memory_desc_t *md);
|
||||
|
||||
@ -175,5 +175,5 @@ index 8c274b4ea8e6..ff1877145aa4 100644
|
||||
* efi_range_is_wc - check the WC bit on an address range
|
||||
* @start: starting kvirt address
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
|
||||
From 6b6203b92cfb457a0669a9c87a29b360405bffc6 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
||||
Subject: [PATCH] Add option to automatically enforce module signatures when in
|
||||
Secure Boot mode
|
||||
Subject: [PATCH 10/20] Add option to automatically enforce module signatures
|
||||
when in Secure Boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
@ -34,10 +34,10 @@ index 95a4d34af3fd..b8527c6b7646 100644
|
||||
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
|
||||
2D0/A00 ALL e820_map E820 memory map table
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index 0a7b885964ba..29b8ba9ae713 100644
|
||||
index bada636d1065..d666ef8b616c 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1776,6 +1776,17 @@ config EFI_MIXED
|
||||
@@ -1786,6 +1786,17 @@ config EFI_MIXED
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
@ -56,7 +56,7 @@ index 0a7b885964ba..29b8ba9ae713 100644
|
||||
def_bool y
|
||||
prompt "Enable seccomp to safely compute untrusted bytecode"
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index 52fef606bc54..6b8b9a775b46 100644
|
||||
index cc69e37548db..ebc85c1eefd6 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -12,6 +12,7 @@
|
||||
@ -67,7 +67,7 @@ index 52fef606bc54..6b8b9a775b46 100644
|
||||
|
||||
#include "../string.h"
|
||||
#include "eboot.h"
|
||||
@@ -571,6 +572,67 @@ free_handle:
|
||||
@@ -537,6 +538,67 @@ static void setup_efi_pci(struct boot_params *params)
|
||||
efi_call_early(free_pool, pci_handle);
|
||||
}
|
||||
|
||||
@ -135,7 +135,7 @@ index 52fef606bc54..6b8b9a775b46 100644
|
||||
static efi_status_t
|
||||
setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
|
||||
{
|
||||
@@ -1126,6 +1188,10 @@ struct boot_params *efi_main(struct efi_config *c,
|
||||
@@ -1094,6 +1156,10 @@ struct boot_params *efi_main(struct efi_config *c,
|
||||
else
|
||||
setup_boot_services32(efi_early);
|
||||
|
||||
@ -161,10 +161,10 @@ index c18ce67495fa..2b3e5427097b 100644
|
||||
* The sentinel is set to a nonzero value (0xff) in header.S.
|
||||
*
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index c4e7b3991b60..bdb9881c7afd 100644
|
||||
index bbfbca5fea0c..d40e961753c9 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
io_delay_init();
|
||||
|
||||
@ -178,10 +178,10 @@ index c4e7b3991b60..bdb9881c7afd 100644
|
||||
* Parse the ACPI tables for possible boot-time SMP configuration.
|
||||
*/
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index 082298a09df1..38d0597f7615 100644
|
||||
index 05bd6c989a0c..32327704e18d 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
|
||||
@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table \
|
||||
|
||||
struct notifier_block;
|
||||
|
||||
@ -195,10 +195,10 @@ index 082298a09df1..38d0597f7615 100644
|
||||
|
||||
extern int modules_disabled; /* for sysctl */
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 3c384968f553..ea484f3a35b2 100644
|
||||
index cb864505d020..cb1f1da69bf4 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
|
||||
@@ -4285,6 +4285,13 @@ void module_layout(struct module *mod,
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
|
||||
@ -213,5 +213,5 @@ index 3c384968f553..ea484f3a35b2 100644
|
||||
{
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 3213f1513a744fb21b6b9e4d4f2650a204855b3e Mon Sep 17 00:00:00 2001
|
||||
From 80d2d273b36b33d46820ab128c7a5b068389f643 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 17:58:15 -0400
|
||||
Subject: [PATCH] Add secure_modules() call
|
||||
Subject: [PATCH 01/20] Add secure_modules() call
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
has been configured to either disable module loading entirely or to load
|
||||
@ -17,7 +17,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index 0c3207d..05bd6c9 100644
|
||||
index 0c3207d26ac0..05bd6c989a0c 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -641,6 +641,8 @@ static inline bool is_livepatch_module(struct module *mod)
|
||||
@ -41,10 +41,10 @@ index 0c3207d..05bd6c9 100644
|
||||
|
||||
#ifdef CONFIG_SYSFS
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 529efae..0332fdd 100644
|
||||
index f57dd63186e6..cb864505d020 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod,
|
||||
@@ -4284,3 +4284,13 @@ void module_layout(struct module *mod,
|
||||
}
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
@ -59,5 +59,5 @@ index 529efae..0332fdd 100644
|
||||
+}
|
||||
+EXPORT_SYMBOL(secure_modules);
|
||||
--
|
||||
2.9.2
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001
|
||||
From d9e0379e8d3cb51efe4e2b1a5a60c52c2c40bdfb Mon Sep 17 00:00:00 2001
|
||||
From: Kyle McMartin <kyle@redhat.com>
|
||||
Date: Fri, 30 Aug 2013 09:28:51 -0400
|
||||
Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode
|
||||
Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard
|
||||
@ -16,7 +16,7 @@ Upstream-status: Fedora mustard
|
||||
7 files changed, 64 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index a666b6c29c77..7732c769937b 100644
|
||||
index b93183336674..dab2882927c2 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -70,6 +70,11 @@
|
||||
@ -70,7 +70,7 @@ index a666b6c29c77..7732c769937b 100644
|
||||
.notifier_call = dump_kernel_offset
|
||||
};
|
||||
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
|
||||
index abe1a927b332..f4126fcec10c 100644
|
||||
index 92595b98e7ed..894ed3f74f04 100644
|
||||
--- a/drivers/input/misc/uinput.c
|
||||
+++ b/drivers/input/misc/uinput.c
|
||||
@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
|
||||
@ -82,10 +82,10 @@ index abe1a927b332..f4126fcec10c 100644
|
||||
input_set_drvdata(udev->dev, udev);
|
||||
|
||||
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
|
||||
index e5139402e7f8..5ef2e04a03ad 100644
|
||||
index 52bbd27e93ae..594bd731253a 100644
|
||||
--- a/drivers/tty/sysrq.c
|
||||
+++ b/drivers/tty/sysrq.c
|
||||
@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
|
||||
@@ -479,6 +479,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
|
||||
/* x: May be registered on mips for TLB dump */
|
||||
/* x: May be registered on ppc/powerpc for xmon */
|
||||
/* x: May be registered on sparc64 for global PMU dump */
|
||||
@ -93,7 +93,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
|
||||
NULL, /* x */
|
||||
/* y: May be registered on sparc64 for global register dump */
|
||||
NULL, /* y */
|
||||
@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
|
||||
@@ -522,7 +523,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
|
||||
sysrq_key_table[i] = op_p;
|
||||
}
|
||||
|
||||
@ -102,7 +102,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
|
||||
{
|
||||
struct sysrq_key_op *op_p;
|
||||
int orig_log_level;
|
||||
@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask)
|
||||
@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask)
|
||||
|
||||
op_p = __sysrq_get_key_op(key);
|
||||
if (op_p) {
|
||||
@ -119,7 +119,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
|
||||
pr_cont("%s\n", op_p->action_msg);
|
||||
console_loglevel = orig_log_level;
|
||||
op_p->handler(key);
|
||||
@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask)
|
||||
@@ -578,7 +583,7 @@ void __handle_sysrq(int key, bool check_mask)
|
||||
void handle_sysrq(int key)
|
||||
{
|
||||
if (sysrq_on())
|
||||
@ -128,7 +128,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
|
||||
}
|
||||
EXPORT_SYMBOL(handle_sysrq);
|
||||
|
||||
@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state)
|
||||
@@ -659,7 +664,7 @@ static void sysrq_do_reset(unsigned long _state)
|
||||
static void sysrq_handle_reset_request(struct sysrq_state *state)
|
||||
{
|
||||
if (state->reset_requested)
|
||||
@ -137,7 +137,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
|
||||
|
||||
if (sysrq_reset_downtime_ms)
|
||||
mod_timer(&state->keyreset_timer,
|
||||
@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
|
||||
@@ -810,8 +815,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
|
||||
|
||||
default:
|
||||
if (sysrq->active && value && value != 2) {
|
||||
@ -149,7 +149,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
|
||||
}
|
||||
break;
|
||||
}
|
||||
@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
|
||||
@@ -1095,7 +1102,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
|
||||
|
||||
if (get_user(c, buf))
|
||||
return -EFAULT;
|
||||
@ -159,7 +159,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
|
||||
|
||||
return count;
|
||||
diff --git a/include/linux/input.h b/include/linux/input.h
|
||||
index 1e967694e9a5..2b56c6f9673c 100644
|
||||
index a65e3b24fb18..8b0357175049 100644
|
||||
--- a/include/linux/input.h
|
||||
+++ b/include/linux/input.h
|
||||
@@ -42,6 +42,7 @@ struct input_value {
|
||||
@ -229,10 +229,10 @@ index 2a20c0dfdafc..3d17205dab77 100644
|
||||
|
||||
return 0;
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index ea484f3a35b2..84b00659b0ee 100644
|
||||
index cb1f1da69bf4..5933c27ba19e 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void)
|
||||
@@ -270,7 +270,7 @@ static void module_assert_mutex_or_preempt(void)
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -242,5 +242,5 @@ index ea484f3a35b2..84b00659b0ee 100644
|
||||
module_param(sig_enforce, bool_enable_only, 0644);
|
||||
#endif /* !CONFIG_MODULE_SIG_FORCE */
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001
|
||||
From 2a54526850121cd0d7cf649a321488b4dab5731d Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 26 Oct 2012 12:36:24 -0400
|
||||
Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring
|
||||
Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
|
||||
|
||||
This adds an additional keyring that is used to store certificates that
|
||||
are blacklisted. This keyring is searched first when loading signed modules
|
||||
@ -78,10 +78,10 @@ index fbd4647767e9..5bc291a3d261 100644
|
||||
extern struct key *ima_blacklist_keyring;
|
||||
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index a9c4aefd5436..e5449d5aeff9 100644
|
||||
index 34407f15e6d3..461ad575a608 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION
|
||||
@@ -1859,6 +1859,15 @@ config SYSTEM_DATA_VERIFICATION
|
||||
module verification, kexec image verification and firmware blob
|
||||
verification.
|
||||
|
||||
@ -98,5 +98,5 @@ index a9c4aefd5436..e5449d5aeff9 100644
|
||||
bool "Profiling support"
|
||||
help
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
|
||||
From 8a4535bcfe24d317be675e53cdc8c61d22fdc7f3 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
||||
Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
|
||||
Subject: [PATCH 18/20] MODSIGN: Import certificates from UEFI Secure Boot
|
||||
|
||||
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
||||
This imports those certificates into the system trusted keyring. This
|
||||
@ -20,11 +20,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
certs/system_keyring.c | 13 ++++++
|
||||
include/keys/system_keyring.h | 1 +
|
||||
include/linux/efi.h | 6 +++
|
||||
init/Kconfig | 9 ++++
|
||||
kernel/Makefile | 3 ++
|
||||
kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++
|
||||
6 files changed, 131 insertions(+)
|
||||
5 files changed, 125 insertions(+)
|
||||
create mode 100644 kernel/modsign_uefi.c
|
||||
|
||||
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
|
||||
@ -63,28 +62,11 @@ index 5bc291a3d261..56ff5715ab67 100644
|
||||
|
||||
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
||||
extern struct key *ima_blacklist_keyring;
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index ff1877145aa4..2483de19c719 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -658,6 +658,12 @@ typedef struct {
|
||||
u64 table;
|
||||
} efi_config_table_64_t;
|
||||
|
||||
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
|
||||
+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
|
||||
+
|
||||
+#define EFI_SHIM_LOCK_GUID \
|
||||
+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
|
||||
+
|
||||
typedef struct {
|
||||
efi_guid_t guid;
|
||||
u32 table;
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index e5449d5aeff9..5408c96f6604 100644
|
||||
index 461ad575a608..93646fd7b1c8 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
|
||||
@@ -2009,6 +2009,15 @@ config MODULE_SIG_ALL
|
||||
comment "Do not forget to sign required modules with scripts/sign-file"
|
||||
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
|
||||
|
||||
@ -101,7 +83,7 @@ index e5449d5aeff9..5408c96f6604 100644
|
||||
prompt "Which hash algorithm should modules be signed with?"
|
||||
depends on MODULE_SIG
|
||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||
index e2ec54e2b952..8dab549985d8 100644
|
||||
index eb26e12c6c2a..e0c2268cb97e 100644
|
||||
--- a/kernel/Makefile
|
||||
+++ b/kernel/Makefile
|
||||
@@ -57,6 +57,7 @@ endif
|
||||
@ -227,5 +209,5 @@ index 000000000000..fe4a6f2bf10a
|
||||
+}
|
||||
+late_initcall(load_uefi_certs);
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
|
||||
From 9d2e5c61d5adcf7911f67ed44a1b0ff881f175bb Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Thu, 3 Oct 2013 10:14:23 -0400
|
||||
Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
|
||||
Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
|
||||
|
||||
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
||||
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
1 file changed, 31 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
index 03f601a0052c..321c79a3b282 100644
|
||||
index fe4a6f2bf10a..a41da14b1ffd 100644
|
||||
--- a/kernel/modsign_uefi.c
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -8,6 +8,23 @@
|
||||
@ -82,5 +82,5 @@ index 03f601a0052c..321c79a3b282 100644
|
||||
|
||||
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,8 @@
|
||||
From 6f756b32a45b022428e33ce20181e874c73ca82e Mon Sep 17 00:00:00 2001
|
||||
From 03a4ad09f20944e1917abfd24d1d0e5f107a2861 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:10:38 -0500
|
||||
Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
|
||||
Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is
|
||||
enabled
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down from
|
||||
userspace in order to avoid it being possible for an attacker to modify
|
||||
@ -17,7 +18,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
3 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
|
||||
index bcd10c7..a950301 100644
|
||||
index bcd10c795284..a950301496f3 100644
|
||||
--- a/drivers/pci/pci-sysfs.c
|
||||
+++ b/drivers/pci/pci-sysfs.c
|
||||
@@ -30,6 +30,7 @@
|
||||
@ -59,7 +60,7 @@ index bcd10c7..a950301 100644
|
||||
}
|
||||
|
||||
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
|
||||
index 2408abe..59f321c 100644
|
||||
index 2408abe4ee8c..59f321c56c18 100644
|
||||
--- a/drivers/pci/proc.c
|
||||
+++ b/drivers/pci/proc.c
|
||||
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
|
||||
@ -92,7 +93,7 @@ index 2408abe..59f321c 100644
|
||||
|
||||
/* Make sure the caller is mapping a real resource for this device */
|
||||
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
|
||||
index b91c4da..98f5637 100644
|
||||
index b91c4da68365..98f5637304d1 100644
|
||||
--- a/drivers/pci/syscall.c
|
||||
+++ b/drivers/pci/syscall.c
|
||||
@@ -10,6 +10,7 @@
|
||||
@ -113,5 +114,5 @@ index b91c4da..98f5637 100644
|
||||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
--
|
||||
2.9.2
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 3dfb34906e9e57e70bd497ee21e8d59325c841d2 Mon Sep 17 00:00:00 2001
|
||||
From 9f31204f829da97f99f7aacf30f0ddc26e456df7 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 09:28:15 -0500
|
||||
Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
restricted
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel
|
||||
@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index 5bb1985..74ee6a4 100644
|
||||
index 7f1a7ab5850d..d6a6f05fbc1c 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
|
||||
@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
|
||||
if (p != *ppos)
|
||||
return -EFBIG;
|
||||
|
||||
@ -27,7 +27,7 @@ index 5bb1985..74ee6a4 100644
|
||||
if (!valid_phys_addr_range(p, count))
|
||||
return -EFAULT;
|
||||
|
||||
@@ -515,6 +518,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
|
||||
@@ -516,6 +519,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
|
||||
if (!pfn_valid(PFN_DOWN(p)))
|
||||
return -EIO;
|
||||
|
||||
@ -38,5 +38,5 @@ index 5bb1985..74ee6a4 100644
|
||||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
--
|
||||
2.7.4
|
||||
2.9.3
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001
|
||||
From ee880324686af8bb212fc088495ea528e3042cd6 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Mon, 25 Jun 2012 19:57:30 -0400
|
||||
Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
|
||||
index 739a4a6b3b9b..9ef2a020a7a9 100644
|
||||
index 416953a42510..4887e343c7fd 100644
|
||||
--- a/drivers/acpi/osl.c
|
||||
+++ b/drivers/acpi/osl.c
|
||||
@@ -40,6 +40,7 @@
|
||||
@ -25,7 +25,7 @@ index 739a4a6b3b9b..9ef2a020a7a9 100644
|
||||
|
||||
#include <asm/io.h>
|
||||
#include <asm/uaccess.h>
|
||||
@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
|
||||
@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
|
||||
acpi_physical_address __init acpi_os_get_root_pointer(void)
|
||||
{
|
||||
#ifdef CONFIG_KEXEC
|
||||
@ -35,5 +35,5 @@ index 739a4a6b3b9b..9ef2a020a7a9 100644
|
||||
#endif
|
||||
|
||||
--
|
||||
2.4.3
|
||||
2.9.3
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001
|
||||
From ebbd8d01acdf472594f7e43e9a4274745c402e8e Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:46:50 -0500
|
||||
Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module
|
||||
@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
|
||||
index efbc3f0c592b..071171be4b7f 100644
|
||||
index ce6ca31a2d09..55d23994d6a2 100644
|
||||
--- a/drivers/platform/x86/asus-wmi.c
|
||||
+++ b/drivers/platform/x86/asus-wmi.c
|
||||
@@ -1868,6 +1868,9 @@ static int show_dsts(struct seq_file *m, void *data)
|
||||
@@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
@ -29,7 +29,7 @@ index efbc3f0c592b..071171be4b7f 100644
|
||||
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
|
||||
|
||||
if (err < 0)
|
||||
@@ -1884,6 +1887,9 @@ static int show_devs(struct seq_file *m, void *data)
|
||||
@@ -1888,6 +1891,9 @@ static int show_devs(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
@ -39,7 +39,7 @@ index efbc3f0c592b..071171be4b7f 100644
|
||||
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
|
||||
&retval);
|
||||
|
||||
@@ -1908,6 +1914,9 @@ static int show_call(struct seq_file *m, void *data)
|
||||
@@ -1912,6 +1918,9 @@ static int show_call(struct seq_file *m, void *data)
|
||||
union acpi_object *obj;
|
||||
acpi_status status;
|
||||
|
||||
@ -50,5 +50,5 @@ index efbc3f0c592b..071171be4b7f 100644
|
||||
1, asus->debug.method_id,
|
||||
&input, &output);
|
||||
--
|
||||
2.4.3
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001
|
||||
From a8883aff32f1e15b65e210462804aa2a9ab9a0b6 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:33:03 -0400
|
||||
Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit
|
||||
Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
for use with efi_enabled.
|
||||
@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index bdb9881c7afd..a666b6c29c77 100644
|
||||
index d40e961753c9..b93183336674 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
|
||||
@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
if (boot_params.secure_boot) {
|
||||
@ -27,10 +27,10 @@ index bdb9881c7afd..a666b6c29c77 100644
|
||||
#endif
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index c2db3ca22217..8cb38cfcba74 100644
|
||||
index ce943d5accfd..5af91b58afae 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
@@ -1046,6 +1046,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
#define EFI_ARCH_1 7 /* First arch-specific bit */
|
||||
#define EFI_DBG 8 /* Print additional debug info at runtime */
|
||||
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
|
||||
@ -39,5 +39,5 @@ index c2db3ca22217..8cb38cfcba74 100644
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
31
efi-Add-SHIM-and-image-security-database-GUID-defini.patch
Normal file
31
efi-Add-SHIM-and-image-security-database-GUID-defini.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 3a9fe1504e08824d894bb3a804c6a313f5d1be8a Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 25 Oct 2016 12:54:11 -0400
|
||||
Subject: [PATCH 11/20] efi: Add SHIM and image security database GUID
|
||||
definitions
|
||||
|
||||
Add the definitions for shim and image security database, both of which
|
||||
are used widely in various Linux distros.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
include/linux/efi.h | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 2d089487d2da..ce943d5accfd 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -592,6 +592,9 @@ void efi_native_runtime_setup(void);
|
||||
#define EFI_MEMORY_ATTRIBUTES_TABLE_GUID EFI_GUID(0xdcfa911d, 0x26eb, 0x469f, 0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
|
||||
#define EFI_CONSOLE_OUT_DEVICE_GUID EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4, 0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
|
||||
|
||||
+#define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
|
||||
+#define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
|
||||
+
|
||||
/*
|
||||
* This GUID is used to pass to the kernel proper the struct screen_info
|
||||
* structure that was populated by the stub based on the GOP protocol instance
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001
|
||||
From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 5 Feb 2013 19:25:05 -0500
|
||||
Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode
|
||||
Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode
|
||||
|
||||
A user can manually tell the shim boot loader to disable validation of
|
||||
images it loads. When a user does this, it creates a UEFI variable called
|
||||
@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index 6b8b9a775b46..b3a5364d31c6 100644
|
||||
index ebc85c1eefd6..50e027f388d8 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -574,8 +574,9 @@ free_handle:
|
||||
@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)
|
||||
|
||||
static int get_secure_boot(void)
|
||||
{
|
||||
@ -29,7 +29,7 @@ index 6b8b9a775b46..b3a5364d31c6 100644
|
||||
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
|
||||
efi_status_t status;
|
||||
|
||||
@@ -599,6 +600,23 @@ static int get_secure_boot(void)
|
||||
@@ -565,6 +566,23 @@ static int get_secure_boot(void)
|
||||
if (setup == 1)
|
||||
return 0;
|
||||
|
||||
@ -54,5 +54,5 @@ index 6b8b9a775b46..b3a5364d31c6 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001
|
||||
From 6c56c15ec618a508b0eca98571780a8b7114cb92 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 20 Jun 2014 08:53:24 -0400
|
||||
Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment
|
||||
Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
|
||||
index fca9254280ee..ffd8644078b2 100644
|
||||
index b26dbc48c75b..ab187ad3fc61 100644
|
||||
--- a/kernel/power/hibernate.c
|
||||
+++ b/kernel/power/hibernate.c
|
||||
@@ -29,6 +29,7 @@
|
||||
@ -25,7 +25,7 @@ index fca9254280ee..ffd8644078b2 100644
|
||||
#include <trace/events/power.h>
|
||||
|
||||
#include "power.h"
|
||||
@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
|
||||
@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
|
||||
|
||||
bool hibernation_available(void)
|
||||
{
|
||||
@ -35,5 +35,5 @@ index fca9254280ee..ffd8644078b2 100644
|
||||
|
||||
/**
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -549,7 +549,9 @@ Patch481: x86-Restrict-MSR-access-when-module-loading-is-restr.patch
|
||||
|
||||
Patch482: Add-option-to-automatically-enforce-module-signature.patch
|
||||
|
||||
Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
|
||||
Patch483: efi-Add-SHIM-and-image-security-database-GUID-defini.patch
|
||||
|
||||
Patch484: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
|
||||
|
||||
Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
|
||||
|
||||
@ -2147,6 +2149,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Oct 27 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Refresh SB patchset to fix bisectability issue
|
||||
|
||||
* Thu Oct 27 2016 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- CVE-2016-9083 CVE-2016-9084 vfio multiple flaws (rhbz 1389258 1389259 1389285)
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 6306cad6e5663424c08e5ebdfdcfd799c5537bfe Mon Sep 17 00:00:00 2001
|
||||
From 85968a9f0b3f05c56d4ac4002748f3412a9baab0 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 03:33:56 -0400
|
||||
Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
|
||||
Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
|
||||
loading restrictions
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/kernel/kexec.c b/kernel/kexec.c
|
||||
index 4c5edc357923..db431971dbd4 100644
|
||||
index 980936a90ee6..fce28bf7d5d7 100644
|
||||
--- a/kernel/kexec.c
|
||||
+++ b/kernel/kexec.c
|
||||
@@ -10,6 +10,7 @@
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <linux/mm.h>
|
||||
#include <linux/file.h>
|
||||
#include <linux/kexec.h>
|
||||
@ -25,7 +25,7 @@ index 4c5edc357923..db431971dbd4 100644
|
||||
#include <linux/mutex.h>
|
||||
#include <linux/list.h>
|
||||
#include <linux/syscalls.h>
|
||||
@@ -133,6 +134,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
@@ -194,6 +195,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
@ -40,5 +40,5 @@ index 4c5edc357923..db431971dbd4 100644
|
||||
* This leaves us room for future extensions.
|
||||
*/
|
||||
--
|
||||
2.4.3
|
||||
2.9.3
|
||||
|
||||
|
@ -1,7 +1,8 @@
|
||||
From 8010b5eb4680df797575e6306d4d891200e303ab Mon Sep 17 00:00:00 2001
|
||||
From e7817a96c7ef1b502dba6f70b75f9e8993a8750b Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:35:59 -0500
|
||||
Subject: [PATCH] x86: Lock down IO port access when module security is enabled
|
||||
Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
|
||||
enabled
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
registers, which in turn (on a lot of hardware) give access to MMIO register
|
||||
@ -45,10 +46,10 @@ index 589b3193f102..ab8372443efb 100644
|
||||
}
|
||||
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index 71025c2f6bbb..86e5bfa91563 100644
|
||||
index 5bb1985ec484..7f1a7ab5850d 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -27,6 +27,7 @@
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <linux/export.h>
|
||||
#include <linux/io.h>
|
||||
#include <linux/uio.h>
|
||||
@ -56,7 +57,7 @@ index 71025c2f6bbb..86e5bfa91563 100644
|
||||
|
||||
#include <linux/uaccess.h>
|
||||
|
||||
@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
|
||||
@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
|
||||
unsigned long i = *ppos;
|
||||
const char __user *tmp = buf;
|
||||
|
||||
@ -67,5 +68,5 @@ index 71025c2f6bbb..86e5bfa91563 100644
|
||||
return -EFAULT;
|
||||
while (count-- > 0 && i < 65536) {
|
||||
--
|
||||
2.5.5
|
||||
2.9.3
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001
|
||||
From 85539b332c79fbce1b9f371ff1a2a8d489e65110 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
||||
Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
|
||||
@ -15,10 +15,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
|
||||
index 113e70784854..26c2f83fc470 100644
|
||||
index 7f3550acde1b..963ba4011923 100644
|
||||
--- a/arch/x86/kernel/msr.c
|
||||
+++ b/arch/x86/kernel/msr.c
|
||||
@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
|
||||
@@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
|
||||
int err = 0;
|
||||
ssize_t bytes = 0;
|
||||
|
||||
@ -28,7 +28,7 @@ index 113e70784854..26c2f83fc470 100644
|
||||
if (count % 8)
|
||||
return -EINVAL; /* Invalid chunk size */
|
||||
|
||||
@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
|
||||
@@ -130,6 +133,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
|
||||
err = -EBADF;
|
||||
break;
|
||||
}
|
||||
@ -40,5 +40,5 @@ index 113e70784854..26c2f83fc470 100644
|
||||
err = -EFAULT;
|
||||
break;
|
||||
--
|
||||
2.4.3
|
||||
2.9.3
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user