diff options
| author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-26 07:58:40 +0200 |
|---|---|---|
| committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-26 07:58:40 +0200 |
| commit | 348012821f7014b45577b6c34b7f895cd345c63a (patch) | |
| tree | 3ae03f632d74cc113c0752725e8ae75ac25dd9a9 | |
| parent | 3d1f9b96026f06f1d6130a975ad9988c33dc3b0d (diff) | |
| parent | b43cd9971349391d46e3c71da0b041c7099d6c9a (diff) | |
| download | kernel-4.7.0-0.rc0.git8.1.vanilla.knurd.1.fc23.tar.gz kernel-4.7.0-0.rc0.git8.1.vanilla.knurd.1.fc23.tar.xz kernel-4.7.0-0.rc0.git8.1.vanilla.knurd.1.fc23.zip | |
Merge remote-tracking branch 'origin/master'kernel-4.7.0-0.rc0.git8.1.vanilla.knurd.1.fc25kernel-4.7.0-0.rc0.git8.1.vanilla.knurd.1.fc24kernel-4.7.0-0.rc0.git8.1.vanilla.knurd.1.fc23kernel-4.7.0-0.rc0.git8.1.vanilla.knurd.1.fc22
| -rw-r--r-- | Add-EFI-signature-data-types.patch | 10 | ||||
| -rw-r--r-- | Add-an-EFI-signature-blob-parser-and-key-loader.patch | 14 | ||||
| -rw-r--r-- | Add-option-to-automatically-enforce-module-signature.patch | 32 | ||||
| -rw-r--r-- | Add-sysrq-option-to-disable-secure-boot-mode.patch | 38 | ||||
| -rw-r--r-- | KEYS-Add-a-system-blacklist-keyring.patch | 77 | ||||
| -rw-r--r-- | MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch | 81 | ||||
| -rw-r--r-- | MODSIGN-Support-not-importing-certs-from-db.patch | 20 | ||||
| -rw-r--r-- | config-arm-generic | 1 | ||||
| -rw-r--r-- | config-arm64 | 2 | ||||
| -rw-r--r-- | config-armv7 | 3 | ||||
| -rw-r--r-- | config-armv7-generic | 1 | ||||
| -rw-r--r-- | config-generic | 4 | ||||
| -rw-r--r-- | config-powerpc64-generic | 2 | ||||
| -rw-r--r-- | config-s390x | 2 | ||||
| -rw-r--r-- | config-x86-generic | 2 | ||||
| -rw-r--r-- | config-x86_64-generic | 6 | ||||
| -rw-r--r-- | drm-i915-hush-check-crtc-state.patch | 24 | ||||
| -rw-r--r-- | efi-Add-EFI_SECURE_BOOT-bit.patch | 14 | ||||
| -rw-r--r-- | efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch | 12 | ||||
| -rw-r--r-- | gitrev | 2 | ||||
| -rw-r--r-- | hibernate-Disable-in-a-signed-modules-environment.patch | 8 | ||||
| -rw-r--r-- | kernel.spec | 15 | ||||
| -rw-r--r-- | sources | 2 |
23 files changed, 218 insertions, 154 deletions
diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch index dd1840817..094c5a34c 100644 --- a/Add-EFI-signature-data-types.patch +++ b/Add-EFI-signature-data-types.patch @@ -1,7 +1,7 @@ -From 6fb2a60e6bfb5ce2d3a4964e7b47ac5c7ecd6f82 Mon Sep 17 00:00:00 2001 +From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001 From: Dave Howells <dhowells@redhat.com> Date: Tue, 23 Oct 2012 09:30:54 -0400 -Subject: [PATCH] Add EFI signature data types +Subject: [PATCH 4/9] Add EFI signature data types Add the data types that are used for containing hashes, keys and certificates for cryptographic verification. @@ -15,10 +15,10 @@ Signed-off-by: David Howells <dhowells@redhat.com> 1 file changed, 20 insertions(+) diff --git a/include/linux/efi.h b/include/linux/efi.h -index fb0734f..b80227a 100644 +index 8cb38cfcba74..8c274b4ea8e6 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -653,6 +653,12 @@ void efi_native_runtime_setup(void); +@@ -647,6 +647,12 @@ void efi_native_runtime_setup(void); EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, \ 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f) @@ -31,7 +31,7 @@ index fb0734f..b80227a 100644 typedef struct { efi_guid_t guid; u64 table; -@@ -885,6 +891,20 @@ typedef struct { +@@ -879,6 +885,20 @@ typedef struct { efi_memory_desc_t entry[0]; } efi_memory_attributes_table_t; diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch index 78f482b39..3697a4b74 100644 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -1,7 +1,7 @@ -From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001 +From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001 From: Dave Howells <dhowells@redhat.com> Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. +Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. @@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com> create mode 100644 crypto/asymmetric_keys/efi_parser.c diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig -index e28e912..94024e8 100644 +index e28e912000a7..94024e8aedaa 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION @@ -34,7 +34,7 @@ index e28e912..94024e8 100644 + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile -index 6516855..c099fe1 100644 +index 6516855bec18..c099fe15ed6d 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -10,6 +10,7 @@ asymmetric_keys-y := \ @@ -47,7 +47,7 @@ index 6516855..c099fe1 100644 # X.509 Certificate handling diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c new file mode 100644 -index 0000000..636feb1 +index 000000000000..636feb18b733 --- /dev/null +++ b/crypto/asymmetric_keys/efi_parser.c @@ -0,0 +1,108 @@ @@ -160,10 +160,10 @@ index 0000000..636feb1 + return 0; +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index b80227a..18443e3 100644 +index 8c274b4ea8e6..ff1877145aa4 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm, +@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm, char * __init efi_md_typeattr_format(char *buf, size_t size, const efi_memory_desc_t *md); diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch index d3fab0297..aa1983377 100644 --- a/Add-option-to-automatically-enforce-module-signature.patch +++ b/Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,8 @@ -From 8802c7e62531b3867580068ee8b50415b966d22c Mon Sep 17 00:00:00 2001 +From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 10/20] Add option to automatically enforce module signatures when in Secure Boot mode +Subject: [PATCH] Add option to automatically enforce module signatures when in + Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -11,16 +12,16 @@ that enforces this automatically when enabled. Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> --- Documentation/x86/zero-page.txt | 2 ++ - arch/x86/Kconfig | 10 ++++++ + arch/x86/Kconfig | 11 ++++++ arch/x86/boot/compressed/eboot.c | 66 +++++++++++++++++++++++++++++++++++ arch/x86/include/uapi/asm/bootparam.h | 3 +- arch/x86/kernel/setup.c | 6 ++++ include/linux/module.h | 6 ++++ kernel/module.c | 7 ++++ - 7 files changed, 99 insertions(+), 1 deletion(-) + 7 files changed, 100 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt -index 95a4d34..b8527c6 100644 +index 95a4d34af3fd..b8527c6b7646 100644 --- a/Documentation/x86/zero-page.txt +++ b/Documentation/x86/zero-page.txt @@ -31,6 +31,8 @@ Offset Proto Name Meaning @@ -33,15 +34,16 @@ index 95a4d34..b8527c6 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 2dc18605..a701d09 100644 +index 0a7b885964ba..29b8ba9ae713 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1785,6 +1785,16 @@ config EFI_MIXED +@@ -1776,6 +1776,17 @@ config EFI_MIXED If unsure, say N. +config EFI_SECURE_BOOT_SIG_ENFORCE -+ def_bool n ++ def_bool n ++ depends on EFI + prompt "Force module signing when UEFI Secure Boot is enabled" + ---help--- + UEFI Secure Boot provides a mechanism for ensuring that the @@ -54,7 +56,7 @@ index 2dc18605..a701d09 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 52fef60..6b8b9a7 100644 +index 52fef606bc54..6b8b9a775b46 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -145,7 +147,7 @@ index 52fef60..6b8b9a7 100644 setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 3292543..b61f853 100644 +index c18ce67495fa..2b3e5427097b 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -134,7 +134,8 @@ struct boot_params { @@ -159,10 +161,10 @@ index 3292543..b61f853 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 2367ae0..1a78bf7 100644 +index c4e7b3991b60..bdb9881c7afd 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -176,7 +178,7 @@ index 2367ae0..1a78bf7 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index ab13009..e072b84 100644 +index 082298a09df1..38d0597f7615 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); @@ -193,10 +195,10 @@ index ab13009..e072b84 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 392ac8c..676c578 100644 +index 3c384968f553..ea484f3a35b2 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod, +@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch index 4600848cf..3cecd1399 100644 --- a/Add-sysrq-option-to-disable-secure-boot-mode.patch +++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch @@ -1,7 +1,7 @@ -From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001 +From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001 From: Kyle McMartin <kyle@redhat.com> Date: Fri, 30 Aug 2013 09:28:51 -0400 -Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode +Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode Bugzilla: N/A Upstream-status: Fedora mustard @@ -16,7 +16,7 @@ Upstream-status: Fedora mustard 7 files changed, 64 insertions(+), 9 deletions(-) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index f93826b8522c..41679b1aca83 100644 +index a666b6c29c77..7732c769937b 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -70,6 +70,11 @@ @@ -31,7 +31,7 @@ index f93826b8522c..41679b1aca83 100644 #include <video/edid.h> #include <asm/mtrr.h> -@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void) +@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void) #endif /* CONFIG_X86_32 */ @@ -70,10 +70,10 @@ index f93826b8522c..41679b1aca83 100644 .notifier_call = dump_kernel_offset }; diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index 345df9b03aed..dea6a6c4a39b 100644 +index abe1a927b332..f4126fcec10c 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c -@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev) +@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev) if (!udev->dev) return -ENOMEM; @@ -82,10 +82,10 @@ index 345df9b03aed..dea6a6c4a39b 100644 input_set_drvdata(udev->dev, udev); diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index 95b330a9ea98..dfa3e154a719 100644 +index e5139402e7f8..5ef2e04a03ad 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c -@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { +@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { /* x: May be registered on mips for TLB dump */ /* x: May be registered on ppc/powerpc for xmon */ /* x: May be registered on sparc64 for global PMU dump */ @@ -93,7 +93,7 @@ index 95b330a9ea98..dfa3e154a719 100644 NULL, /* x */ /* y: May be registered on sparc64 for global register dump */ NULL, /* y */ -@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) +@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) sysrq_key_table[i] = op_p; } @@ -102,7 +102,7 @@ index 95b330a9ea98..dfa3e154a719 100644 { struct sysrq_key_op *op_p; int orig_log_level; -@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask) +@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask) op_p = __sysrq_get_key_op(key); if (op_p) { @@ -119,7 +119,7 @@ index 95b330a9ea98..dfa3e154a719 100644 pr_cont("%s\n", op_p->action_msg); console_loglevel = orig_log_level; op_p->handler(key); -@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask) +@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask) void handle_sysrq(int key) { if (sysrq_on()) @@ -128,7 +128,7 @@ index 95b330a9ea98..dfa3e154a719 100644 } EXPORT_SYMBOL(handle_sysrq); -@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state) +@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state) static void sysrq_handle_reset_request(struct sysrq_state *state) { if (state->reset_requested) @@ -137,7 +137,7 @@ index 95b330a9ea98..dfa3e154a719 100644 if (sysrq_reset_downtime_ms) mod_timer(&state->keyreset_timer, -@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, +@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, default: if (sysrq->active && value && value != 2) { @@ -149,7 +149,7 @@ index 95b330a9ea98..dfa3e154a719 100644 } break; } -@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, +@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, if (get_user(c, buf)) return -EFAULT; @@ -159,7 +159,7 @@ index 95b330a9ea98..dfa3e154a719 100644 return count; diff --git a/include/linux/input.h b/include/linux/input.h -index 82ce323b9986..9e534f228945 100644 +index 1e967694e9a5..2b56c6f9673c 100644 --- a/include/linux/input.h +++ b/include/linux/input.h @@ -42,6 +42,7 @@ struct input_value { @@ -216,7 +216,7 @@ index 387fa7d05c98..4b07e30b3279 100644 int unregister_sysrq_key(int key, struct sysrq_key_op *op); struct sysrq_key_op *__sysrq_get_key_op(int key); diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c -index 4121345498e0..0ff3cef5df96 100644 +index 2a20c0dfdafc..3d17205dab77 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -1968,7 +1968,7 @@ static int kdb_sr(int argc, const char **argv) @@ -229,10 +229,10 @@ index 4121345498e0..0ff3cef5df96 100644 return 0; diff --git a/kernel/module.c b/kernel/module.c -index 2b403ab0ef29..7818c110e95c 100644 +index ea484f3a35b2..84b00659b0ee 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void) +@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void) #endif } @@ -242,5 +242,5 @@ index 2b403ab0ef29..7818c110e95c 100644 module_param(sig_enforce, bool_enable_only, 0644); #endif /* !CONFIG_MODULE_SIG_FORCE */ -- -2.4.3 +2.5.5 diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch index 469ac35ab..4f5678a15 100644 --- a/KEYS-Add-a-system-blacklist-keyring.patch +++ b/KEYS-Add-a-system-blacklist-keyring.patch @@ -1,7 +1,7 @@ -From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001 +From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring +Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules @@ -10,52 +10,48 @@ useful in cases where third party certificates are used for module signing. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> --- - certs/system_keyring.c | 27 +++++++++++++++++++++++++++ + certs/system_keyring.c | 22 ++++++++++++++++++++++ include/keys/system_keyring.h | 4 ++++ init/Kconfig | 9 +++++++++ - 3 files changed, 40 insertions(+) + 3 files changed, 35 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c -index 2570598b784d..53733822993f 100644 +index 50979d6dcecd..787eeead2f57 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c -@@ -20,6 +20,9 @@ - - struct key *system_trusted_keyring; - EXPORT_SYMBOL_GPL(system_trusted_keyring); +@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + static struct key *secondary_trusted_keys; + #endif +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING +struct key *system_blacklist_keyring; +#endif extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; -@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void) - panic("Can't allocate system trusted keyring\n"); - - set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags); -+ -+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING +@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void) + if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0) + panic("Can't link trusted keyrings\n"); + #endif ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING + system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring", -+ KUIDT_INIT(0), KGIDT_INIT(0), -+ current_cred(), -+ (KEY_POS_ALL & ~KEY_POS_SETATTR) | -+ KEY_USR_VIEW | KEY_USR_READ, -+ KEY_ALLOC_NOT_IN_QUOTA, NULL); ++ KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH), ++ KEY_ALLOC_NOT_IN_QUOTA, ++ NULL, NULL); + if (IS_ERR(system_blacklist_keyring)) + panic("Can't allocate system blacklist keyring\n"); -+ -+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags); +#endif -+ + return 0; } - -@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len, - if (ret < 0) - goto error; - +@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len, + trusted_keys = builtin_trusted_keys; + #endif + } +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted); ++ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring); + if (!ret) { + /* module is signed with a cert in the blacklist. reject */ + pr_err("Module key is in the blacklist\n"); @@ -63,30 +59,29 @@ index 2570598b784d..53733822993f 100644 + goto error; + } +#endif -+ - ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted); - if (ret < 0) - goto error; + ret = pkcs7_validate_trust(pkcs7, trusted_keys); + if (ret < 0) { + if (ret == -ENOKEY) diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h -index b20cd885c1fd..51d8ddc60e0f 100644 +index fbd4647767e9..5bc291a3d261 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h -@@ -35,6 +35,10 @@ extern int system_verify_data(const void *data, unsigned long len, - enum key_being_used_for usage); +@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted( + #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING +extern struct key *system_blacklist_keyring; +#endif + - #ifdef CONFIG_IMA_MOK_KEYRING - extern struct key *ima_mok_keyring; + #ifdef CONFIG_IMA_BLACKLIST_KEYRING extern struct key *ima_blacklist_keyring; + diff --git a/init/Kconfig b/init/Kconfig -index 02da9f1fd9df..782d26f02885 100644 +index a9c4aefd5436..e5449d5aeff9 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION +@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION module verification, kexec image verification and firmware blob verification. @@ -103,5 +98,5 @@ index 02da9f1fd9df..782d26f02885 100644 bool "Profiling support" help -- -2.4.3 +2.5.5 diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch index 8a484b6d8..05be7a028 100644 --- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -1,4 +1,4 @@ -From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001 +From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 26 Oct 2012 12:42:16 -0400 Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot @@ -18,18 +18,56 @@ signed with those from loading. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> --- - include/linux/efi.h | 6 ++++ - init/Kconfig | 9 +++++ - kernel/Makefile | 3 ++ - kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 110 insertions(+) + certs/system_keyring.c | 13 ++++++ + include/keys/system_keyring.h | 1 + + include/linux/efi.h | 6 +++ + init/Kconfig | 9 ++++ + kernel/Makefile | 3 ++ + kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++ + 6 files changed, 131 insertions(+) create mode 100644 kernel/modsign_uefi.c +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 787eeead2f57..4d9123ed5c07 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[]; + extern __initconst const unsigned long system_certificate_list_size; + + /** ++ * get_system_keyring - Return a pointer to the system keyring ++ * ++ */ ++struct key *get_system_keyring(void) ++{ ++ struct key *system_keyring = NULL; ++ ++ system_keyring = builtin_trusted_keys; ++ return system_keyring; ++} ++EXPORT_SYMBOL_GPL(get_system_keyring); ++ ++/** + * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA + * + * Restrict the addition of keys into a keyring based on the key-to-be-added +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index 5bc291a3d261..56ff5715ab67 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted( + #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING + extern struct key *system_blacklist_keyring; + #endif ++extern struct key *get_system_keyring(void); + + #ifdef CONFIG_IMA_BLACKLIST_KEYRING + extern struct key *ima_blacklist_keyring; diff --git a/include/linux/efi.h b/include/linux/efi.h -index 85ef051ac6fb..a042b2ece788 100644 +index ff1877145aa4..2483de19c719 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -600,6 +600,12 @@ typedef struct { +@@ -658,6 +658,12 @@ typedef struct { u64 table; } efi_config_table_64_t; @@ -43,10 +81,10 @@ index 85ef051ac6fb..a042b2ece788 100644 efi_guid_t guid; u32 table; diff --git a/init/Kconfig b/init/Kconfig -index 02da9f1fd9df..90c73a0564b1 100644 +index e5449d5aeff9..5408c96f6604 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL +@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL comment "Do not forget to sign required modules with scripts/sign-file" depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL @@ -63,10 +101,10 @@ index 02da9f1fd9df..90c73a0564b1 100644 prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG diff --git a/kernel/Makefile b/kernel/Makefile -index d4988410b410..55e886239e7e 100644 +index e2ec54e2b952..8dab549985d8 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -47,6 +47,7 @@ endif +@@ -57,6 +57,7 @@ endif obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULE_SIG) += module_signing.o @@ -74,7 +112,7 @@ index d4988410b410..55e886239e7e 100644 obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o obj-$(CONFIG_KEXEC_CORE) += kexec_core.o -@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o +@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o obj-$(CONFIG_HAS_IOMEM) += memremap.o @@ -85,10 +123,10 @@ index d4988410b410..55e886239e7e 100644 # config_data.h contains the same information as ikconfig.h but gzipped. diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c new file mode 100644 -index 000000000000..94b0eb38a284 +index 000000000000..fe4a6f2bf10a --- /dev/null +++ b/kernel/modsign_uefi.c -@@ -0,0 +1,92 @@ +@@ -0,0 +1,99 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/cred.h> @@ -139,11 +177,18 @@ index 000000000000..94b0eb38a284 + void *db = NULL, *dbx = NULL, *mok = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + int rc = 0; ++ struct key *keyring = NULL; + + /* Check if SB is enabled and just return if not */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + ++ keyring = get_system_keyring(); ++ if (!keyring) { ++ pr_err("MODSIGN: Couldn't get system keyring\n"); ++ return -EINVAL; ++ } ++ + /* Get db, MokListRT, and dbx. They might not exist, so it isn't + * an error if we can't get them. + */ @@ -151,7 +196,7 @@ index 000000000000..94b0eb38a284 + if (!db) { + pr_err("MODSIGN: Couldn't get UEFI db list\n"); + } else { -+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); ++ rc = parse_efi_signature_list(db, dbsize, keyring); + if (rc) + pr_err("Couldn't parse db signatures: %d\n", rc); + kfree(db); @@ -161,7 +206,7 @@ index 000000000000..94b0eb38a284 + if (!mok) { + pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + } else { -+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring); ++ rc = parse_efi_signature_list(mok, moksize, keyring); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + kfree(mok); @@ -182,5 +227,5 @@ index 000000000000..94b0eb38a284 +} +late_initcall(load_uefi_certs); -- -2.4.3 +2.5.5 diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch index bb5ae2a2c..3339ce76e 100644 --- a/MODSIGN-Support-not-importing-certs-from-db.patch +++ b/MODSIGN-Support-not-importing-certs-from-db.patch @@ -1,7 +1,7 @@ -From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001 +From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Thu, 3 Oct 2013 10:14:23 -0400 -Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db +Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c -index 94b0eb38a284..ae28b974d49a 100644 +index 03f601a0052c..321c79a3b282 100644 --- a/kernel/modsign_uefi.c +++ b/kernel/modsign_uefi.c @@ -8,6 +8,23 @@ @@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) { efi_status_t status; -@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void) +@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void) efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *db = NULL, *dbx = NULL, *mok = NULL; unsigned long dbsize = 0, dbxsize = 0, moksize = 0; - int rc = 0; + int ignore_db, rc = 0; + struct key *keyring = NULL; /* Check if SB is enabled and just return if not */ - if (!efi_enabled(EFI_SECURE_BOOT)) - return 0; +@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void) + return -EINVAL; + } + /* See if the user has setup Ignore DB mode */ + ignore_db = check_ignore_db(); @@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644 - if (!db) { - pr_err("MODSIGN: Couldn't get UEFI db list\n"); - } else { -- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); +- rc = parse_efi_signature_list(db, dbsize, keyring); - if (rc) - pr_err("Couldn't parse db signatures: %d\n", rc); - kfree(db); @@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644 + if (!db) { + pr_err("MODSIGN: Couldn't get UEFI db list\n"); + } else { -+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); ++ rc = parse_efi_signature_list(db, dbsize, keyring); + if (rc) + pr_err("Couldn't parse db signatures: %d\n", rc); + kfree(db); @@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644 mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -- -2.4.3 +2.5.5 diff --git a/config-arm-generic b/config-arm-generic index 2b71fa092..3c5a9eb1b 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -116,6 +116,7 @@ CONFIG_ROCKCHIP_SARADC=m CONFIG_ROCKCHIP_IOMMU=y CONFIG_ROCKCHIP_THERMAL=m CONFIG_DRM_ROCKCHIP=m +CONFIG_ROCKCHIP_ANALOGIX_DP=m CONFIG_ROCKCHIP_DW_HDMI=m CONFIG_ROCKCHIP_DW_MIPI_DSI=y CONFIG_ROCKCHIP_INNO_HDMI=m diff --git a/config-arm64 b/config-arm64 index cc7214b89..58c2ab24d 100644 --- a/config-arm64 +++ b/config-arm64 @@ -159,6 +159,8 @@ CONFIG_PHY_HI6220_USB=m CONFIG_COMMON_RESET_HI6220=m CONFIG_HI6220_MBOX=m # CONFIG_RESET_HISI is not set +CONFIG_DRM_HISI_KIRIN=m +CONFIG_HISI_KIRIN_DW_DSI=m # Tegra CONFIG_ARCH_TEGRA_132_SOC=y diff --git a/config-armv7 b/config-armv7 index d2191cee9..c3d64fafb 100644 --- a/config-armv7 +++ b/config-armv7 @@ -318,6 +318,8 @@ CONFIG_PHY_QCOM_IPQ806X_SATA=m CONFIG_DWMAC_IPQ806X=m CONFIG_CRYPTO_DEV_QCE=m CONFIG_DRM_MSM=m +# CONFIG_DRM_MSM_REGISTER_LOGGING is not set +CONFIG_DRM_MSM_HDMI_HDCP=y CONFIG_USB_EHCI_MSM=m CONFIG_MFD_PM8XXX=m CONFIG_KEYBOARD_PMIC8XXX=m @@ -325,7 +327,6 @@ CONFIG_INPUT_PM8XXX_VIBRATOR=m CONFIG_INPUT_PMIC8XXX_PWRKEY=m CONFIG_INPUT_PM8941_PWRKEY=m CONFIG_RTC_DRV_PM8XXX=m -# CONFIG_DRM_MSM_REGISTER_LOGGING is not set CONFIG_QCOM_WDT=m CONFIG_MFD_SPMI_PMIC=m CONFIG_SPMI=m diff --git a/config-armv7-generic b/config-armv7-generic index 5baab4acb..3e9afc353 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -206,6 +206,7 @@ CONFIG_MACH_SUN8I=y CONFIG_SUNXI_SRAM=y CONFIG_DMA_SUN4I=m CONFIG_DMA_SUN6I=m +CONFIG_DRM_SUN4I=m CONFIG_SUNXI_WATCHDOG=m CONFIG_NET_VENDOR_ALLWINNER=y CONFIG_RTC_DRV_SUNXI=m diff --git a/config-generic b/config-generic index b94ee30f7..c08fb2e99 100644 --- a/config-generic +++ b/config-generic @@ -598,6 +598,7 @@ CONFIG_ATA_BMDMA=y CONFIG_ATA_VERBOSE_ERROR=y CONFIG_ATA_SFF=y CONFIG_ATA_PIIX=y +# CONFIG_SATA_DWC is not set # CONFIG_SATA_HIGHBANK is not set CONFIG_ATA_ACPI=y CONFIG_BLK_DEV_SX8=m @@ -3346,6 +3347,8 @@ CONFIG_VGA_ARB_MAX_GPUS=16 CONFIG_DRM=m +CONFIG_DRM_ANALOGIX_ANX78XX=m +# CONFIG_DRM_ARCPGU is not set CONFIG_DRM_DP_AUX_CHARDEV=y CONFIG_DRM_FBDEV_EMULATION=y CONFIG_DRM_LOAD_EDID_FIRMWARE=y @@ -3359,6 +3362,7 @@ CONFIG_DRM_AMDGPU=m CONFIG_DRM_AMD_ACP=y # CONFIG_DRM_AMDGPU_CIK is not set CONFIG_DRM_AMDGPU_USERPTR=y +# CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set CONFIG_DRM_AMD_POWERPLAY=y # CONFIG_DRM_I810 is not set # CONFIG_DRM_MGA is not set diff --git a/config-powerpc64-generic b/config-powerpc64-generic index 32fa17ff9..af4bbb251 100644 --- a/config-powerpc64-generic +++ b/config-powerpc64-generic @@ -56,7 +56,7 @@ CONFIG_PPC_64K_PAGES=y CONFIG_PPC_SUBPAGE_PROT=y CONFIG_SCHED_SMT=y CONFIG_MEMORY_HOTPLUG=y -# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y CONFIG_MEMORY_HOTREMOVE=y CONFIG_PPC64_SUPPORTS_MEMORY_FAILURE=y diff --git a/config-s390x b/config-s390x index e6e2f85a9..d559c6570 100644 --- a/config-s390x +++ b/config-s390x @@ -183,7 +183,7 @@ CONFIG_VIRTIO_CONSOLE=y CONFIG_MEMORY_HOTPLUG=y CONFIG_MEMORY_HOTREMOVE=y -# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y CONFIG_CHSC_SCH=m # drivers/isdn/hardware/mISDN/hfcmulti.c:5255:2: error: #error "not running on big endian machines now" diff --git a/config-x86-generic b/config-x86-generic index 5418ee7ab..bc40117b3 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -333,6 +333,7 @@ CONFIG_SPI_MASTER=y CONFIG_SPI_PXA2XX=m # CONFIG_SPI_CADENCE is not set # CONFIG_SPI_ZYNQMP_GQSPI is not set +# CONFIG_SPI_ROCKCHIP is not set # CONFIG_DRM_PANEL_SAMSUNG_LD9040 is not set # CONFIG_DRM_PANEL_LG_LG4573 is not set # CONFIG_DRM_PANEL_PANASONIC_VVX10F034N00 is not set @@ -361,7 +362,6 @@ CONFIG_DMI_SYSFS=y CONFIG_ISCSI_IBFT_FIND=y CONFIG_ISCSI_IBFT=m -CONFIG_DMADEVICES=y CONFIG_INTEL_IOATDMA=m CONFIG_INTEL_IDMA64=m diff --git a/config-x86_64-generic b/config-x86_64-generic index 82e99a062..0614913aa 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic @@ -117,7 +117,7 @@ CONFIG_SPARSEMEM_EXTREME=y CONFIG_SPARSEMEM_VMEMMAP=y # CONFIG_MOVABLE_NODE is not set CONFIG_MEMORY_HOTPLUG=y -# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y # CONFIG_ARCH_MEMORY_PROBE is not set CONFIG_MEMORY_HOTREMOVE=y # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set @@ -223,8 +223,12 @@ CONFIG_CMA_AREAS=7 CONFIG_ZONE_DMA=y CONFIG_ZONE_DEVICE=y CONFIG_NVDIMM_PFN=y +CONFIG_NVDIMM_DAX=y CONFIG_ND_PFN=m +CONFIG_DEV_DAX=m +CONFIG_DEV_DAX_PMEM=m + # Staging CONFIG_STAGING_RDMA=y CONFIG_INFINIBAND_HFI1=m diff --git a/drm-i915-hush-check-crtc-state.patch b/drm-i915-hush-check-crtc-state.patch index fa4baffbf..acf05056c 100644 --- a/drm-i915-hush-check-crtc-state.patch +++ b/drm-i915-hush-check-crtc-state.patch @@ -1,4 +1,4 @@ -From 02f47b49ab1cdbe62ceb71b658e2c469799ae368 Mon Sep 17 00:00:00 2001 +From 5550f20b5f9becb485fb3a67bf0193025d40bc6f Mon Sep 17 00:00:00 2001 From: Adam Jackson <ajax@redhat.com> Date: Wed, 13 Nov 2013 10:17:24 -0500 Subject: [PATCH] drm/i915: hush check crtc state @@ -15,18 +15,18 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index ca9278be49f7..308ac0539a87 100644 +index 46f9be3ad5a2..ad2e62e4cdba 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c -@@ -12688,7 +12688,7 @@ check_crtc_state(struct drm_device *dev, struct drm_atomic_state *old_state) - sw_config = to_intel_crtc_state(crtc->state); - if (!intel_pipe_config_compare(dev, sw_config, - pipe_config, false)) { -- I915_STATE_WARN(1, "pipe state doesn't match!\n"); -+ DRM_DEBUG_KMS("pipe state doesn't match!\n"); - intel_dump_pipe_config(intel_crtc, pipe_config, - "[hw state]"); - intel_dump_pipe_config(intel_crtc, sw_config, +@@ -12970,7 +12970,7 @@ verify_crtc_state(struct drm_crtc *crtc, + sw_config = to_intel_crtc_state(crtc->state); + if (!intel_pipe_config_compare(dev, sw_config, + pipe_config, false)) { +- I915_STATE_WARN(1, "pipe state doesn't match!\n"); ++ DRM_DEBUG_KMS("pipe state doesn't match!\n"); + intel_dump_pipe_config(intel_crtc, pipe_config, + "[hw state]"); + intel_dump_pipe_config(intel_crtc, sw_config, -- -2.4.3 +2.5.5 diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch index 89b9664c7..dca2eb296 100644 --- a/efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ -From c01ff700ea4192ae04b306fef725d62189550236 Mon Sep 17 00:00:00 2001 +From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index f3b804f..a401ff8 100644 +index bdb9881c7afd..a666b6c29c77 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -27,10 +27,10 @@ index f3b804f..a401ff8 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 569b5a8..4dc970e 100644 +index c2db3ca22217..8cb38cfcba74 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_ARCH_1 7 /* First arch-specific bit */ #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ @@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644 #ifdef CONFIG_EFI /* -- -2.5.0 +2.5.5 diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch index ba2f3cefa..7d4a46e15 100644 --- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch @@ -1,7 +1,7 @@ -From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001 +From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode +Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode A user can manually tell the shim boot loader to disable validation of images it loads. When a user does this, it creates a UEFI variable called @@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index b4de3faa3f29..5cc2ef570390 100644 +index 6b8b9a775b46..b3a5364d31c6 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c -@@ -830,8 +830,9 @@ out: +@@ -574,8 +574,9 @@ free_handle: static int get_secure_boot(void) { @@ -29,7 +29,7 @@ index b4de3faa3f29..5cc2ef570390 100644 efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; efi_status_t status; -@@ -855,6 +856,23 @@ static int get_secure_boot(void) +@@ -599,6 +600,23 @@ static int get_secure_boot(void) if (setup == 1) return 0; @@ -54,5 +54,5 @@ index b4de3faa3f29..5cc2ef570390 100644 } -- -2.4.3 +2.5.5 @@ -1 +1 @@ -7639dad93a5564579987abded4ec05e3db13659d +28165ec7a99be98123aa89540bf2cfc24df19498 diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch index f62ea08b0..bea2892ee 100644 --- a/hibernate-Disable-in-a-signed-modules-environment.patch +++ b/hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ -From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001 +From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment +Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index 690f78f210f2..037303a1cba9 100644 +index fca9254280ee..ffd8644078b2 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -29,6 +29,7 @@ @@ -35,5 +35,5 @@ index 690f78f210f2..037303a1cba9 100644 /** -- -2.4.3 +2.5.5 diff --git a/kernel.spec b/kernel.spec index 1739bf88b..f28dee2b1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -77,7 +77,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 6 +%define gitrev 8 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -570,8 +570,6 @@ Patch482: Add-option-to-automatically-enforce-module-signature.patch Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch -Patch484: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch - Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch Patch486: hibernate-Disable-in-a-signed-modules-environment.patch @@ -583,7 +581,7 @@ Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch # This doesn't apply. It seems like it could be replaced by # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c # which has an explicit line about blacklisting -# Patch489: KEYS-Add-a-system-blacklist-keyring.patch +Patch489: KEYS-Add-a-system-blacklist-keyring.patch Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -2155,6 +2153,15 @@ fi # # %changelog +* Wed May 25 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git8.1 +- Linux v4.6-10530-g28165ec +- ARM SoC, asm-generic, nfsd, ext4, spi, mtd, xen, merges + +* Tue May 24 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.7.0-0.rc0.git7.1 +- Linux v4.6-10203-g84787c572d40 +- Enable CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE (rhbz 1339281) +- Fixup SB patchset to work with upstream changes + * Mon May 23 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git6.1 - Linux v4.6-8907-g7639dad - trace, f2fs, btrfs, rtc, mailbox, akpm, staging, driver core, char, usb, @@ -1,3 +1,3 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz -4c4f2eb647eef6e04a1dbb843e4fd72d patch-4.6-git6.xz +61182eb17e964ea257bd40e9f946005c patch-4.6-git8.xz |