author | Jeremy Cline <jcline@redhat.com> | 2020-04-23 16:47:21 -0400 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2020-04-23 16:47:21 -0400 |
commit | d1b6f8c7af0eb9a0a44b2d4723e58dde5eafa236 (patch) | |
tree | 842b7a6410c2572bc8c1643196f83d2e19d80e1e /0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch | |
parent | 4f478aae8055f932b9a8fdd88d93db6b9da5709e (diff) | |
kernel-5.7.0-0.rc2.20200423git7adc4b399952.1
* Thu Apr 23 2020 CKI@GitLab <cki-project@redhat.com> [5.7.0-0.rc2.20200423git7adc4b399952.1]
- 7adc4b399952 rebase
- Match template format in kernel.spec.template ("Justin M. Forbes")
- Break out the Patches into individual files for dist-git ("Justin M. Forbes")
- Break the Red Hat patch into individual commits (Jeremy Cline)
- Adjust module filtering so CONFIG_DRM_DP_CEC can be set (Jeremy Cline)
- Add a script to generate release tags and branches (Jeremy Cline)
- Set CONFIG_VDPA for fedora ("Justin M. Forbes")
- Provide defaults in ark-rebase-patches.sh (Jeremy Cline)
- Default ark-rebase-patches.sh to not report issues (Jeremy Cline)
Resolves: rhbz#
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Diffstat (limited to '0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch')
-rw-r--r-- | 0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
new file mode 100644
index 000000000..4d3d56713
--- /dev/null
+++ b/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -0,0 +1,72 @@
+From f8b4469d9bd35b145296f904130218afe52982e4 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 30 Sep 2019 21:28:16 +0000
+Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware
+will only load signed bootloaders and kernels. Certain use cases may
+also require that all kernel modules also be signed. Add a
+configuration option that to lock down the kernel - which includes
+requiring validly signed modules - if the kernel is secure-booted.
+
+Upstream Status: RHEL only
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ arch/x86/kernel/setup.c | 8 ++++++++
+ security/lockdown/Kconfig | 13 +++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 08e9f5fc26a8..b6f5510f3d91 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -18,6 +18,7 @@
+ #include <linux/sfi.h>
+ #include <linux/hugetlb.h>
+ #include <linux/tboot.h>
++#include <linux/security.h>
+ #include <linux/usb/xhci-dbgp.h>
+
+ #include <uapi/linux/mount.h>
+@@ -1099,6 +1100,13 @@ void __init setup_arch(char **cmdline_p)
+ if (efi_enabled(EFI_BOOT))
+ efi_init();
+
++ efi_set_secure_boot(boot_params.secure_boot);
++
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++ if (efi_enabled(EFI_SECURE_BOOT))
++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
++#endif
++
+ dmi_setup();
+
+ /*
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..d0501353a4b9 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
+ subsystem is fully initialised. If enabled, lockdown will
+ unconditionally be called before any other LSMs.
+
++config LOCK_DOWN_IN_EFI_SECURE_BOOT
++ bool "Lock down the kernel in EFI Secure Boot mode"
++ default n
++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
++ help
++ UEFI Secure Boot provides a mechanism for ensuring that the firmware
++ will only load signed bootloaders and kernels. Secure boot mode may
++ be determined from EFI variables provided by the system firmware if
++ not indicated by the boot parameters.
++
++ Enabling this option results in kernel lockdown being triggered if
++ EFI Secure Boot is set.
++
+ choice
+ prompt "Kernel default lockdown mode"
+ default LOCK_DOWN_KERNEL_FORCE_NONE
+--
+2.26.0
+ |
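Review bot: The Kconfig help text never says which lockdown level this option applies, while the setup.c hunk locks down at `LOCKDOWN_INTEGRITY_MAX`; integrity and confidentiality lockdown differ materially in what they block, so the help should state it, e.g. `Enabling this option results in kernel lockdown (integrity level) being triggered if EFI Secure Boot is set.` The help also claims secure boot mode "may be determined from EFI variables ... if not indicated by the boot parameters", but the only call this patch adds passes `boot_params.secure_boot`; unless `efi_set_secure_boot()` itself performs that fallback, the sentence describes behaviour this patch does not implement and should be dropped or moved to wherever that fallback lives. Neither `efi_set_secure_boot()` nor the `EFI_SECURE_BOOT` flag is defined in this patch, so it presumably depends on a sibling patch in the series — that ordering dependency belongs in the patch description. The `efi_set_secure_boot()` call is also placed outside the `efi_enabled(EFI_BOOT)` check, so on a non-EFI boot it is fed whatever `boot_params.secure_boot` happens to hold; if the helper does not treat the unset value as "not secure boot", it should be guarded by `if (efi_enabled(EFI_BOOT))` like the `efi_init()` call above it. The body of `setup_arch()` continues outside the hunk.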