Switch to using modsign-post-KS upstream with x509 certs

2012-09-25 12:02:24 -04:00 · 2012-09-25 12:02:24 -04:00 · f0f4ff23f1
commit f0f4ff23f1
parent 7e6e483520
7 changed files with 9497 additions and 10704 deletions
--- a/10
+++ b/10
@ -1,10 +0,0 @@
 %pubring modsign.pub
 %secring modsign.sec
 %no-protection: yes
 %transient-key: yes
 Key-Type: RSA
 Key-Length: 2048
 Name-Real: Fedora Project
 Name-Comment: Kernel Module GPG key
 %commit
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@ -551,19 +551,20 @@ BuildRequires: rpm-build >= 4.9.0-1, elfutils >= elfutils-0.153-1
 %endif
 %if %{signmodules}
-BuildRequires: gnupg
+BuildRequires: openssl
 BuildRequires: pesign >= 0.10-4
 %endif
 Source0: ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-%{kversion}.tar.xz
 %if %{signmodules}
-Source11: genkey
+Source11: x509.genkey
 %endif
 Source15: merge.pl
 Source16: mod-extra.list
 Source17: mod-extra.sh
 Source18: mod-extra-sign.sh
 Source19: Makefile.release
 Source20: Makefile.config
@ -680,10 +681,10 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
 Patch800: linux-2.6-crash-driver.patch
 # crypto/
-Patch900: modsign-20120816.patch
+Patch900: modsign-post-KS-jwb.patch
 # secure boot
-Patch1000: secure-boot-20120809.patch
+Patch1000: secure-boot-20120924.patch
 # Improve PCI support on UEFI
 Patch1100: handle-efi-roms.patch
@ -1393,10 +1394,10 @@ ApplyPatch linux-2.6-crash-driver.patch
 ApplyPatch linux-2.6-e1000-ich9-montevina.patch
 # crypto/
-ApplyPatch modsign-20120816.patch
+ApplyPatch modsign-post-KS-jwb.patch
 # secure boot
-ApplyPatch secure-boot-20120809.patch
+ApplyPatch secure-boot-20120924.patch
 # Improved PCI support for UEFI
 ApplyPatch handle-efi-roms.patch
@ -1623,13 +1624,6 @@ BuildKernel() {
    # we'll get it from the linux-firmware package and we don't want conflicts
    make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
 %if %{signmodules}
        if [ -z "$(readelf -n $(find fs/ -name \*.ko | head -n 1) | grep module.sig)" ]; then
            echo "ERROR: modules are NOT signed" >&2;
            exit 1;
        fi
 %endif
 %ifarch %{vdso_arches}
    make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
    if [ ! -s ldconfig-kernel.conf ]; then
@ -1753,6 +1747,12 @@ BuildKernel() {
    # Call the modules-extra script to move things around
    %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE16}
 %if %{signmodules}
    # Save off the .tmp_versions/ directory.  We'll use it in the 
    # __debug_install_post macro below to sign the right things
    cp -r .tmp_versions .tmp_versions.sign${Flavour:+.${Flavour}}
 %endif
    # remove files that will be auto generated by depmod at rpm -i time
    for i in alias alias.bin builtin.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap devname softdep
    do
@ -1875,9 +1875,56 @@ find Documentation -type d | xargs chmod u+w
 # This macro is used by %%install, so we must redefine it before that.
 %define debug_package %{nil}
 # In the modsign case, we do 3 things.  1) We check the "flavour" and hard
 # code the value in the following invocations.  This is somewhat sub-optimal
 # but we're doing this inside of an RPM macro and it isn't as easy as it
 # could be because of that.  2) We restore the .tmp_versions/ directory from
 # the one we saved off in BuildKernel above.  This is to make sure we're
 # signing the modules we actually built/installed in that flavour.  3) We
 # grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh
 # commands to actually sign the modules.
 #
 # We have to do all of those things _after_ find-debuginfo runs, otherwise
 # that will strip the signature off of the modules.
 %if %{with_debuginfo}
 %define __debug_install_post \
  /usr/lib/rpm/find-debuginfo.sh %{debuginfo_args} %{_builddir}/%{?buildsubdir}\
  if [ "%{signmodules}" == "1" ]; \
  then \
    if [ "%{with_pae}" != "0" ]; \
    then \
      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAE.config | cut -b 3-` \
      rm -rf .tmp_versions \
      mv .tmp_versions.sign.PAE .tmp_versions \
      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \
      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
    fi \
    if [ "%{with_debug}" != "0" ]; \
    then \
      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \
      rm -rf .tmp_versions \
      mv .tmp_versions.sign.debug .tmp_versions \
      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \
      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \
    fi \
    if [ "%{with_pae_debug}" != "0" ]; \
    then \
      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \
      rm -rf .tmp_versions \
      mv .tmp_versions.sign.PAEdebug .tmp_versions \
      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \
      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \
    fi \
    if [ "%{with_up}" != "0" ]; \
    then \
      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \
      rm -rf .tmp_versions \
      mv .tmp_versions.sign .tmp_versions \
      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \
      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \
    fi \
  fi \
 %{nil}
 %ifnarch noarch
@ -2263,6 +2310,7 @@ fi
 * Tue Sep 25 2012 Josh Boyer <jwboyer@redhat.com>
 - Move the modules-extra processing to a script
 - Prep mod-extra.sh for signed modules
 - Switch to using modsign-post-KS upstream with x509 certs
 * Tue Sep 25 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.0-0.rc7.git1.2
 - Update team driver from net-next from Jiri Pirko
--- a/mod-extra-sign.sh
+++ b/mod-extra-sign.sh
@ -0,0 +1,28 @@
 #! /bin/bash
 # We need to sign modules we've moved from <path>/kernel/ to <path>/extra/
 # during mod-extra processing by hand.  The 'modules_sign' Kbuild target can
 # "handle" out-of-tree modules, but it does that by not signing them.  Plus,
 # the modules we've moved aren't actually out-of-tree.  We've just shifted
 # them to a different location behind Kbuild's back because we are mean.
 # This essentially duplicates the 'modules_sign' Kbuild target and runs the
 # same commands for those modules.
 moddir=$1
 modules=`find $moddir -name *.ko`
 MODSECKEY="./signing_key.priv"
 MODPUBKEY="./signing_key.x509"
 for mod in $modules
 do
    dir=`dirname $mod`
    file=`basename $mod`
    sh ./scripts/sign-file ${MODSECKEY} ${MODPUBKEY} ${dir}/${file} \
       ${dir}/${file}.signed
    mv ${dir}/${file}.signed ${dir}/${file}
    rm -f ${dir}/${file}.{sig,dig}
 done
--- a/modsign-20120816.patch
+++ b/modsign-20120816.patch
--- a/modsign-post-KS-jwb.patch
+++ b/modsign-post-KS-jwb.patch
--- a/secure-boot-20120924.patch
+++ b/secure-boot-20120924.patch
@ -1,7 +1,7 @@
-From 617309bdd75bbce794ae2d41d44e7b76fb8c6d8b Mon Sep 17 00:00:00 2001
+From 57c0dbcbafaa724313c672830ff0087f56a84c47 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 8 Mar 2012 09:56:33 -0500
+Date: Thu, 20 Sep 2012 10:40:56 -0400
-Subject: [PATCH 01/13] Secure boot: Add new capability
+Subject: [PATCH 01/14] Secure boot: Add new capability
 Secure boot adds certain policy requirements, including that root must not
 be able to do anything that could cause the kernel to execute arbitrary code.
@ -15,7 +15,7 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/include/linux/capability.h b/include/linux/capability.h
-index d10b7ed..6a39163 100644
+index d10b7ed..4345bc8 100644
 --- a/include/linux/capability.h
 +++ b/include/linux/capability.h
@@ -364,7 +364,11 @@ struct cpu_vfs_cap_data {
@ -23,22 +23,22 @@ index d10b7ed..6a39163 100644
 #define CAP_BLOCK_SUSPEND    36
 -#define CAP_LAST_CAP         CAP_BLOCK_SUSPEND
-+/* Allow things that are dangerous under secure boot */
+/* Allow things that trivially permit root to modify the running kernel */
 +
-+#define CAP_SECURE_FIRMWARE  37
+#define CAP_COMPROMISE_KERNEL  37
 +
-+#define CAP_LAST_CAP         CAP_SECURE_FIRMWARE
+#define CAP_LAST_CAP         CAP_COMPROMISE_KERNEL
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 -- 
-1.7.11.2
+1.7.11.4
-From ac892cb2320872717005736c8ef88208c12e61ee Mon Sep 17 00:00:00 2001
+From 95fd8148be46036e20fc64c480104d2a2b454e27 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 8 Mar 2012 10:10:38 -0500
+Date: Thu, 20 Sep 2012 10:40:57 -0400
-Subject: [PATCH 02/13] PCI: Lock down BAR access in secure boot environments
+Subject: [PATCH 02/14] PCI: Lock down BAR access in secure boot environments
 Any hardware that can potentially generate DMA has to be locked down from
 userspace in order to avoid it being possible for an attacker to cause
@ -53,14 +53,14 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
 3 files changed, 17 insertions(+), 2 deletions(-)
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 6869009..a1ad0f7 100644
+index 6869009..c03fb85 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
@@ -542,6 +542,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
 	loff_t init_off = off;
 	u8 *data = (u8*) buf;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	if (off > dev->cfg_size)
@ -70,7 +70,7 @@ index 6869009..a1ad0f7 100644
 	resource_size_t start, end;
 	int i;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
@ -80,21 +80,21 @@ index 6869009..a1ad0f7 100644
 		      struct bin_attribute *attr, char *buf,
 		      loff_t off, size_t count)
 {
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
 }
 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 27911b5..01d4753 100644
+index 27911b5..ac8c9a5 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
@@ -135,6 +135,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
 	int size = dp->size;
 	int cnt;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	if (pos >= size)
@ -104,7 +104,7 @@ index 27911b5..01d4753 100644
 #endif /* HAVE_PCI_MMAP */
 	int ret = 0;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	switch (cmd) {
@ -115,12 +115,12 @@ index 27911b5..01d4753 100644
 	int i, ret;
 -	if (!capable(CAP_SYS_RAWIO))
-+	if (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))
 		return -EPERM;
 	/* Make sure the caller is mapping a real resource for this device */
 diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index e1c1ec5..a778ba9 100644
+index e1c1ec5..97e785f 100644
 --- a/drivers/pci/syscall.c
 +++ b/drivers/pci/syscall.c
@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
@ -128,18 +128,18 @@ index e1c1ec5..a778ba9 100644
 	int err = 0;
 -	if (!capable(CAP_SYS_ADMIN))
-+	if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_SYS_ADMIN) || !capable(CAP_COMPROMISE_KERNEL))
 		return -EPERM;
 	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-1.7.11.2
+1.7.11.4
-From 4c02feefb934d587f03c74cc48e8d58904416c68 Mon Sep 17 00:00:00 2001
+From 2d23d2726583d79062e58abcc32c7dd027d312aa Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 8 Mar 2012 10:35:59 -0500
+Date: Thu, 20 Sep 2012 10:40:58 -0400
-Subject: [PATCH 03/13] x86: Lock down IO port access in secure boot
+Subject: [PATCH 03/14] x86: Lock down IO port access in secure boot
 environments
 IO port access would permit users to gain access to PCI configuration
@ -154,7 +154,7 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
 2 files changed, 5 insertions(+), 2 deletions(-)
 diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 8c96897..c3a1bb2 100644
+index 8c96897..a2578c4 100644
 --- a/arch/x86/kernel/ioport.c
 +++ b/arch/x86/kernel/ioport.c
@@ -28,7 +28,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
@ -162,7 +162,7 @@ index 8c96897..c3a1bb2 100644
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
 		return -EINVAL;
 -	if (turn_on && !capable(CAP_SYS_RAWIO))
-+	if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE)))
+	if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL)))
 		return -EPERM;
 	/*
@ -171,32 +171,32 @@ index 8c96897..c3a1bb2 100644
 	/* Trying to gain more privileges? */
 	if (level > old) {
 -		if (!capable(CAP_SYS_RAWIO))
-+		if (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE))
+		if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))
 			return -EPERM;
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index e5eedfa..8f5f872 100644
+index e5eedfa..1e0a660 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
 	unsigned long i = *ppos;
 	const char __user * tmp = buf;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	if (!access_ok(VERIFY_READ, buf, count))
 		return -EFAULT;
 	while (count-- > 0 && i < 65536) {
 -- 
-1.7.11.2
+1.7.11.4
-From d379d102316075d51011b81748433530d294a70c Mon Sep 17 00:00:00 2001
+From e063cb2f3a667d2540682d4bdbef91fdb23b1a84 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
-Date: Fri, 9 Mar 2012 08:39:37 -0500
+Date: Thu, 20 Sep 2012 10:40:59 -0400
-Subject: [PATCH 04/13] ACPI: Limit access to custom_method
+Subject: [PATCH 04/14] ACPI: Limit access to custom_method
 It must be impossible for even root to get code executed in kernel context
 under a secure boot environment. custom_method effectively allows arbitrary
@ -208,27 +208,27 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
 1 file changed, 3 insertions(+)
 diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index 5d42c24..3e78014 100644
+index 5d42c24..247d58b 100644
 --- a/drivers/acpi/custom_method.c
 +++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
 	struct acpi_table_header table;
 	acpi_status status;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	if (!(*ppos)) {
 		/* parse the table header to get the table length */
 		if (count <= sizeof(struct acpi_table_header))
 -- 
-1.7.11.2
+1.7.11.4
-From afc7c002eb264fc745a38fb6ec322be4928338dd Mon Sep 17 00:00:00 2001
+From a1cccbd084c7355dcb2be7ae2934f168ce9ba9d5 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
-Date: Fri, 9 Mar 2012 08:46:50 -0500
+Date: Thu, 20 Sep 2012 10:41:00 -0400
-Subject: [PATCH 05/13] asus-wmi: Restrict debugfs interface
+Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface
 We have no way of validating what all of the Asus WMI methods do on a
 given machine, and there's a risk that some will allow hardware state to
@ -241,47 +241,47 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
 1 file changed, 9 insertions(+)
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index c7a36f6..0fb58bc 100644
+index 2eb9fe8..61e055d 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
-@@ -1509,6 +1509,9 @@ static int show_dsts(struct seq_file *m, void *data)
+@@ -1523,6 +1523,9 @@ static int show_dsts(struct seq_file *m, void *data)
 	int err;
 	u32 retval = -1;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
 	if (err < 0)
-@@ -1525,6 +1528,9 @@ static int show_devs(struct seq_file *m, void *data)
+@@ -1539,6 +1542,9 @@ static int show_devs(struct seq_file *m, void *data)
 	int err;
 	u32 retval = -1;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
 				    &retval);
-@@ -1549,6 +1555,9 @@ static int show_call(struct seq_file *m, void *data)
+@@ -1563,6 +1569,9 @@ static int show_call(struct seq_file *m, void *data)
 	union acpi_object *obj;
 	acpi_status status;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
 				     1, asus->debug.method_id,
 				     &input, &output);
 -- 
-1.7.11.2
+1.7.11.4
-From 21bd1f0da09b40a0ba50636267f7eac8f839a336 Mon Sep 17 00:00:00 2001
+From 1c9e53b626268f82509062751eda14e8572717cf Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
-Date: Fri, 9 Mar 2012 09:28:15 -0500
+Date: Thu, 20 Sep 2012 10:41:01 -0400
-Subject: [PATCH 06/13] Restrict /dev/mem and /dev/kmem in secure boot setups
+Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem in secure boot setups
 Allowing users to write to address space makes it possible for the kernel
 to be subverted. Restrict this when we need to protect the kernel.
@ -292,14 +292,14 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
 1 file changed, 6 insertions(+)
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 8f5f872..c1de8e1 100644
+index 1e0a660..33eb947 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
 	unsigned long copied;
 	void *ptr;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	if (!valid_phys_addr_range(p, count))
@ -309,96 +309,86 @@ index 8f5f872..c1de8e1 100644
 	char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
 	int err = 0;
-+	if (!capable(CAP_SECURE_FIRMWARE))
+	if (!capable(CAP_COMPROMISE_KERNEL))
 +		return -EPERM;
 +
 	if (p < (unsigned long) high_memory) {
 		unsigned long to_write = min_t(unsigned long, count,
 					       (unsigned long)high_memory - p);
 -- 
-1.7.11.2
+1.7.11.4
-From 1940a18cd651113f5b46f5a41290065963d6fbad Mon Sep 17 00:00:00 2001
+From fbf919bf372b9a7a08bdacac8129d47ced1b1f19 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Fri, 9 Mar 2012 11:47:56 -0500
 Subject: [PATCH 07/13] kexec: Disable in a secure boot environment
 kexec could be used as a vector for a malicious user to use a signed kernel
 to circumvent the secure boot trust model. In the long run we'll want to
 support signed kexec payloads, but for the moment we should just disable
 loading entirely in that situation.
 Signed-off-by: Matthew Garrett <mjg@redhat.com>
 ---
 kernel/kexec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/kernel/kexec.c b/kernel/kexec.c
 index 0668d58..48852ec 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
@@ -944,7 +944,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 	int result;
 	/* We only trust the superuser with rebooting the system. */
 -	if (!capable(CAP_SYS_BOOT))
 +	if (!capable(CAP_SYS_BOOT) || !capable(CAP_SECURE_FIRMWARE))
 		return -EPERM;
 	/*
 -- 
 1.7.11.2
 From c83bad5d60b8f02ebbedf9b4c4b69cdee49a7976 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
-Date: Mon, 25 Jun 2012 19:45:15 -0400
+Date: Thu, 20 Sep 2012 10:41:02 -0400
-Subject: [PATCH 08/13] Secure boot: Add a dummy kernel parameter that will
+Subject: [PATCH 07/14] Secure boot: Add a dummy kernel parameter that will
 switch on Secure Boot mode
-This forcibly drops CAP_SECURE_FIRMWARE from both cap_permitted and cap_bset
+This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
 in the init_cred struct, which everything else inherits from.  This works on
 any machine and can be used to develop even if the box doesn't have UEFI.
 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 ---
- kernel/cred.c | 14 ++++++++++++++
+ Documentation/kernel-parameters.txt |  7 +++++++
- 1 file changed, 14 insertions(+)
+ kernel/cred.c                       | 17 +++++++++++++++++
 2 files changed, 24 insertions(+)
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
 index 9b2b8d3..93978d5 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
@@ -2562,6 +2562,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			Note: increases power consumption, thus should only be
 			enabled if running jitter sensitive (HPC/RT) workloads.
 +	secureboot_enable=
 +			[KNL] Enables an emulated UEFI Secure Boot mode.  This
 +			locks down various aspects of the kernel guarded by the
 +			CAP_COMPROMISE_KERNEL capability.  This includes things
 +			like /dev/mem, IO port access, and other areas.  It can
 +			be used on non-UEFI machines for testing purposes.
 +
 	security=	[SECURITY] Choose a security module to enable at boot.
 			If this boot parameter is not specified, only the first
 			security module asking for security registration will be
 diff --git a/kernel/cred.c b/kernel/cred.c
-index de728ac..0d71d02 100644
+index de728ac..7e6e83f 100644
 --- a/kernel/cred.c
 +++ b/kernel/cred.c
-@@ -623,6 +623,20 @@ void __init cred_init(void)
+@@ -623,6 +623,23 @@ void __init cred_init(void)
 				     0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
 }
-+/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
+void __init secureboot_enable()
 +static int __init secureboot_enable(char *str)
 +{
 +	pr_info("Secure boot enabled\n");
 +	cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);
 +	cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);
 +}
 +
 +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
 +static int __init secureboot_enable_opt(char *str)
 +{
 +	int sb_enable = !!simple_strtol(str, NULL, 0);
-+	pr_info("Secure Boot mode %s\n", (sb_enable ? "enabled" : "disabled"));
+	if (sb_enable)
-+	if (sb_enable) {
+		secureboot_enable();
 +		cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
 +		cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
 +	}
 +	return 1;
 +}
-+__setup("secureboot_enable=", secureboot_enable);
+__setup("secureboot_enable=", secureboot_enable_opt);
 +
 /**
  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
  * @daemon: A userspace daemon to be used as a reference
 -- 
-1.7.11.2
+1.7.11.4
-From b70595f1523ecadc4ce9d43e9a0c465436ed1007 Mon Sep 17 00:00:00 2001
+From 43ed7865d867ae692e30227d66fa58cdecbd9269 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
-Date: Wed, 18 Jul 2012 11:28:00 -0400
+Date: Thu, 20 Sep 2012 10:41:03 -0400
-Subject: [PATCH 09/13] efi: Enable secure boot lockdown automatically when
+Subject: [PATCH 08/14] efi: Enable secure boot lockdown automatically when
 enabled in firmware
 The firmware has a set of flags that indicate whether secure boot is enabled
@ -407,13 +397,26 @@ down.
 Signed-off-by: Matthew Garrett <mjg@redhat.com>
 ---
 Documentation/x86/zero-page.txt  |  2 ++
 arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
 arch/x86/include/asm/bootparam.h |  3 ++-
 arch/x86/kernel/setup.c          |  3 +++
 include/linux/cred.h             |  2 ++
- kernel/cred.c                    | 18 +++++++++++-------
+ 5 files changed, 41 insertions(+), 1 deletion(-)
 5 files changed, 50 insertions(+), 8 deletions(-)
 diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
 index cf5437d..7f9ed48 100644
 --- a/Documentation/x86/zero-page.txt
 +++ b/Documentation/x86/zero-page.txt
@@ -27,6 +27,8 @@ Offset	Proto	Name		Meaning
 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
 				(below)
 +1EB/001	ALL	kbd_status	Numlock is enabled
 +1EC/001	ALL	secure_boot	Kernel should enable secure boot lockdowns
 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
 2D0/A00	ALL	e820_map	E820 memory map table
 				(array of struct e820entry)
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
 index b3e0227..3789356 100644
 --- a/arch/x86/boot/compressed/eboot.c
@ -505,54 +508,19 @@ index ebbed2c..a24faf1 100644
 /*
  * check for validity of credentials
  */
 diff --git a/kernel/cred.c b/kernel/cred.c
 index 0d71d02..c43e2b0 100644
 --- a/kernel/cred.c
 +++ b/kernel/cred.c
@@ -623,19 +623,23 @@ void __init cred_init(void)
 				     0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
 }
 +void __init secureboot_enable()
 +{
 +	pr_info("Secure boot enabled\n");
 +	cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
 +	cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
 +}
 +
 /* Dummy Secure Boot enable option to fake out UEFI SB=1 */
 -static int __init secureboot_enable(char *str)
 +static int __init secureboot_enable_opt(char *str)
 {
 	int sb_enable = !!simple_strtol(str, NULL, 0);
 -	pr_info("Secure Boot mode %s\n", (sb_enable ? "enabled" : "disabled"));
 -	if (sb_enable) {
 -		cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
 -		cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
 -	}
 +	if (sb_enable)
 +		secureboot_enable();
 	return 1;
 }
 -__setup("secureboot_enable=", secureboot_enable);
 +__setup("secureboot_enable=", secureboot_enable_opt);
 /**
  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
 -- 
-1.7.11.2
+1.7.11.4
-From 411c18c35ccacb1a9e3f3dc67383a6431e110e17 Mon Sep 17 00:00:00 2001
+From 3acf1ceb5f6f3be9103c9da16ddc24afc6d8b02a Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
-Date: Mon, 25 Jun 2012 19:57:30 -0400
+Date: Thu, 20 Sep 2012 10:41:04 -0400
-Subject: [PATCH 10/13] acpi: Ignore acpi_rsdp kernel parameter in a secure
+Subject: [PATCH 09/14] acpi: Ignore acpi_rsdp kernel parameter in a secure
 boot environment
 This option allows userspace to pass the RSDP address to the kernel.  This
 could potentially be used to circumvent the secure boot trust model.
-We ignore the setting if we don't have the CAP_SECURE_FIRMWARE capability.
+We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability.
 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 ---
@ -560,7 +528,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 9eaf708..50c94e4 100644
+index 9eaf708..f94341b 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
@ -568,18 +536,83 @@ index 9eaf708..50c94e4 100644
 {
 #ifdef CONFIG_KEXEC
 -	if (acpi_rsdp)
-+	if (acpi_rsdp && capable(CAP_SECURE_FIRMWARE))
+	if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL))
 		return acpi_rsdp;
 #endif
 -- 
-1.7.11.2
+1.7.11.4
-From 7bf87e8da8c7b57ba7f9448855c8ec84c684fb65 Mon Sep 17 00:00:00 2001
+From 03fb06d272ddc1062e610521c5cfdbe42f251209 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Thu, 20 Sep 2012 10:41:05 -0400
 Subject: [PATCH 10/14] SELinux: define mapping for new Secure Boot capability
 Add the name of the new Secure Boot capability.  This allows SELinux
 policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
 capability class.
 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 ---
 security/selinux/include/classmap.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
 index df2de54..70e2834 100644
 --- a/security/selinux/include/classmap.h
 +++ b/security/selinux/include/classmap.h
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
 	{ "memprotect", { "mmap_zero", NULL } },
 	{ "peer", { "recv", NULL } },
 	{ "capability2",
 -	  { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
 -	    NULL } },
 +	  { "mac_override", "mac_admin", "syslog", "wake_alarm",
 +	    "block_suspend", "compromise_kernel", NULL } },
 	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
 	{ "tun_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
 -- 
 1.7.11.4
 From 0cfaa5ecf01f8eaaa2a84d88b7258a94ac9a1bfe Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg@redhat.com>
 Date: Tue, 4 Sep 2012 11:55:13 -0400
 Subject: [PATCH 11/14] kexec: Disable in a secure boot environment
 kexec could be used as a vector for a malicious user to use a signed kernel
 to circumvent the secure boot trust model. In the long run we'll want to
 support signed kexec payloads, but for the moment we should just disable
 loading entirely in that situation.
 Signed-off-by: Matthew Garrett <mjg@redhat.com>
 ---
 kernel/kexec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/kernel/kexec.c b/kernel/kexec.c
 index 0668d58..8b976a5 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
@@ -944,7 +944,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 	int result;
 	/* We only trust the superuser with rebooting the system. */
 -	if (!capable(CAP_SYS_BOOT))
 +	if (!capable(CAP_SYS_BOOT) || !capable(CAP_COMPROMISE_KERNEL))
 		return -EPERM;
 	/*
 -- 
 1.7.11.4
 From 895c46276788b3711aee05a1a1d685eff69d48b9 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 21:29:46 -0400
-Subject: [PATCH 11/13] Documentation: kernel-parameters.txt remove
+Subject: [PATCH 12/14] Documentation: kernel-parameters.txt remove
 capability.disable
 Remove the documentation for capability.disable.  The code supporting this
@ -597,7 +630,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 1 file changed, 6 deletions(-)
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index ad7e2e5..33c4029 100644
+index 93978d5..e3e5f8c 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
@@ -446,12 +446,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@ -614,98 +647,13 @@ index ad7e2e5..33c4029 100644
 			See Documentation/s390/CommonIO for details.
 -- 
-1.7.11.2
+1.7.11.4
-From ec0ca55ba3d1c2a59b0c0b6e38f7ae9966d676aa Mon Sep 17 00:00:00 2001
+From 294d339c63b0f67a362efaa62713f26d9f496da8 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
+From: Matthew Garrett <mjg@redhat.com>
-Date: Tue, 26 Jun 2012 14:15:51 -0400
+Date: Thu, 26 Jul 2012 18:00:00 -0400
-Subject: [PATCH 12/13] SELinux: define mapping for new Secure Boot capability
+Subject: [PATCH 13/14] efi: Build EFI stub with EFI-appropriate options
 Add the name of the new Secure Boot capability.  This allows SELinux
 policies to properly map CAP_SECURE_FIRMWARE to the appropriate
 capability class.
 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 ---
 security/selinux/include/classmap.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
 index df2de54..0a1e348 100644
 --- a/security/selinux/include/classmap.h
 +++ b/security/selinux/include/classmap.h
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
 	{ "memprotect", { "mmap_zero", NULL } },
 	{ "peer", { "recv", NULL } },
 	{ "capability2",
 -	  { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
 -	    NULL } },
 +	  { "mac_override", "mac_admin", "syslog", "wake_alarm",
 +	    "block_suspend", "secure_firmware", NULL } },
 	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
 	{ "tun_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
 -- 
 1.7.11.2
 From 0a90e99e45f5c8eddd3b8cfcd63a4c6355c5688d Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 26 Jun 2012 16:27:26 -0400
 Subject: [PATCH 13/13] modsign: Reject unsigned modules in a Secure Boot
 environment
 If a machine is booted into a Secure Boot environment, we need to
 protect the trust model.  This requires that all modules be signed
 with a key that is in the kernel's _modsign keyring.  We add a
 capability check and reject modules that are not signed.
 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 ---
 kernel/module-verify.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/kernel/module-verify.c b/kernel/module-verify.c
 index 22036d4..f6821b3 100644
 --- a/kernel/module-verify.c
 +++ b/kernel/module-verify.c
@@ -31,6 +31,7 @@
 #include <linux/modsign.h>
 #include <linux/moduleparam.h>
 #include <linux/fips.h>
 +#include <linux/capability.h>
 #include <keys/crypto-type.h>
 #include "module-verify.h"
 #include "module-verify-defs.h"
@@ -699,7 +700,7 @@ int module_verify(const Elf_Ehdr *hdr, size_t size, bool *_gpgsig_ok)
 	/* The ELF checker found the sig for us if it exists */
 	if (mvdata.sig_index <= 0) {
 		/* Deal with an unsigned module */
 -		if (modsign_signedonly) {
 +		if (modsign_signedonly || !capable(CAP_SECURE_FIRMWARE)) {
 			pr_err("An attempt to load unsigned module was rejected\n");
 			return -EKEYREJECTED;
 		} else {
@@ -736,7 +737,7 @@ out:
 		break;
 	case -ENOKEY:		/* Signed, but we don't have the public key */
 		pr_err("Module signed with unknown public key\n");
 -		if (!modsign_signedonly) {
 +		if (!modsign_signedonly && capable(CAP_SECURE_FIRMWARE)) {
 			/* Allow a module to be signed with an unknown public
 			 * key unless we're enforcing.
 			 */
 -- 
 1.7.11.2
 From:	Matthew Garrett <mjg@redhat.com>
 To:	matt.fleming@intel.com
 Cc:	linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
 	x86@kernel.org, Matthew Garrett <mjg@redhat.com>
 Date:	Thu, 26 Jul 2012 18:00:00 -0400
 Message-Id: <1343340000-7587-1-git-send-email-mjg@redhat.com>
 Subject: [PATCH] efi: Build EFI stub with EFI-appropriate options
 We can't assume the presence of the red zone while we're still in a boot
 services environment, so we should build with -fno-red-zone to avoid
@ -714,7 +662,7 @@ simpler.
 Signed-off-by: Matthew Garrett <mjg@redhat.com>
 ---
- arch/x86/boot/compressed/Makefile |    3 +++
+ arch/x86/boot/compressed/Makefile | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
@ -731,4 +679,48 @@ index e398bb5..8a84501 100644
 ifeq ($(CONFIG_EFI_STUB), y)
 	VMLINUX_OBJS += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o
 endif
 -- 
 1.7.11.4
 From d1a225668878a3339adcd7ce0be256e857360ada Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 26 Jun 2012 16:27:26 -0400
 Subject: [PATCH 14/14] modsign: Reject unsigned modules in a Secure Boot
 environment
 If a machine is booted into a Secure Boot environment, we need to
 protect the trust model.  This requires that all modules be signed
 with a key that is in the kernel's _modsign keyring.  We add a
 capability check and reject modules that are not signed.
 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 ---
 kernel/module.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/kernel/module.c b/kernel/module.c
 index de16959..5af69cc 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
@@ -2463,7 +2463,7 @@ static int module_sig_check(struct load_info *info,
 	}
 	/* Not having a signature is only an error if we're strict. */
 -	if (!err && !info->sig_ok && sig_enforce)
 +	if (!err && !info->sig_ok && (sig_enforce || !capable(CAP_COMPROMISE_KERNEL)))
 		err = -EKEYREJECTED;
 	return err;
@@ -2475,7 +2475,7 @@ found_marker:
 	if (err < 0 && fips_enabled)
 		panic("Module verification failed with error %d in FIPS mode\n",
 		      err);
 -	if (err == -ENOKEY && !sig_enforce)
 +	if (err == -ENOKEY && (!sig_enforce && capable(CAP_COMPROMISE_KERNEL)))
 		err = 0;
 	return err;
 }
 -- 
 1.7.11.4
--- a/x509.genkey
+++ b/x509.genkey
@ -0,0 +1,16 @@
 [ req ]
 default_bits = 4096
 distinguished_name = req_distinguished_name
 prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
 O = Fedora
 CN = Fedora kernel signing key
 emailAddress = kernel-team@fedoraproject.org
 [ myexts ]
 basicConstraints=critical,CA:FALSE
 keyUsage=digitalSignature
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid