author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-09-09 11:10:06 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-09-09 11:10:17 -0400 |
commit | 18c82493e579cff717864e8931960040bd820b33 (patch) | |
tree | 42493f93faa2f0b8f8d84ad46ef9a8a86bdd2fb9 | |
parent | 818326ffa2208b592aa1d46ae62d1f562dbb89ea (diff) | |
Linux v4.2-10637-ga794b4f32921
- Rework secure boot patchset
26 files changed, 235 insertions, 144 deletions
diff --git a/ACPI-Limit-access-to-custom_method.patch b/ACPI-Limit-access-to-custom_method.patch index 88709a324..38236753e 100644 --- a/ACPI-Limit-access-to-custom_method.patch +++ b/ACPI-Limit-access-to-custom_method.patch @@ -1,6 +1,7 @@ +From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH] ACPI: Limit access to custom_method +Subject: [PATCH 04/20] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. @@ -25,3 +26,6 @@ index c68e72414a67..4277938af700 100644 if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) +-- +2.4.3 + diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch index f24473d44..57847dc56 100644 --- a/Add-EFI-signature-data-types.patch +++ b/Add-EFI-signature-data-types.patch @@ -1,6 +1,7 @@ +From 34e3e23e08fdccbf4637deab0cf03070d4f2226d Mon Sep 17 00:00:00 2001 From: Dave Howells <dhowells@redhat.com> Date: Tue, 23 Oct 2012 09:30:54 -0400 -Subject: [PATCH] Add EFI signature data types +Subject: [PATCH 15/20] Add EFI signature data types Add the data types that are used for containing hashes, keys and certificates for cryptographic verification. @@ -51,3 +52,6 @@ index de3e45088d4a..fac43c611614 100644 /* * All runtime access to EFI goes through this structure: */ +-- +2.4.3 + diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch index c4feebea5..06ddd1596 100644 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -1,6 +1,7 @@ +From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001 
From: Dave Howells <dhowells@redhat.com> Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH] Add an EFI signature blob parser and key loader. +Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. @@ -32,7 +33,7 @@ index 4870f28403f5..4a1b50d73b80 100644 + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile -index e47fcd9ac5e8..6512f6596785 100644 +index cd1406f9b14a..d9db380bbe53 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o @@ -173,3 +174,6 @@ index fac43c611614..414c3c3d988d 100644 /** * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address +-- +2.4.3 + diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch index ff4fc0512..015371b8b 100644 --- a/Add-option-to-automatically-enforce-module-signature.patch +++ b/Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,8 @@ +From 37431394b3eeb1ef6d38d0e6b2693210606c2c2c Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH] Add option to automatically enforce module signatures when in - Secure Boot mode +Subject: [PATCH 10/20] Add option to automatically enforce module signatures + when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -20,10 +21,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 7 files changed, 69 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt -index 82fbdbc1e0b0..a811210ad486 100644 +index 95a4d34af3fd..b8527c6b7646 100644 
--- a/Documentation/x86/zero-page.txt +++ b/Documentation/x86/zero-page.txt -@@ -30,6 +30,8 @@ Offset Proto Name Meaning +@@ -31,6 +31,8 @@ Offset Proto Name Meaning 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer (below) @@ -33,10 +34,10 @@ index 82fbdbc1e0b0..a811210ad486 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 3dbb7e7909ca..4da6644b1fd0 100644 +index cc0d73eac047..14db458f4774 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1703,6 +1703,16 @@ config EFI_MIXED +@@ -1734,6 +1734,16 @@ config EFI_MIXED If unsure, say N. @@ -54,7 +55,7 @@ index 3dbb7e7909ca..4da6644b1fd0 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 2c82bd150d43..1ef8ea7f8ed9 100644 +index ee1b6d346b98..b4de3faa3f29 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -115,7 +116,7 @@ index 2c82bd150d43..1ef8ea7f8ed9 100644 setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index ab456dc233b5..74ba4083e7ce 100644 +index 329254373479..b61f8533c0fd 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -134,7 +134,8 @@ struct boot_params { @@ -129,10 +130,10 @@ index ab456dc233b5..74ba4083e7ce 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 80f874bf999e..c2e4f52cad30 100644 +index baadbf90a7c5..1ac118146e90 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); 
@@ -146,10 +147,10 @@ index 80f874bf999e..c2e4f52cad30 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index 57474384b66b..b69d657c3700 100644 +index db386349cd01..4b8df91f03cd 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -189,6 +189,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); +@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); struct notifier_block; @@ -163,10 +164,10 @@ index 57474384b66b..b69d657c3700 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index e9869c497175..87fa14fedc88 100644 +index 7f045246e123..2b403ab0ef29 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4084,6 +4084,13 @@ void module_layout(struct module *mod, +@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -180,3 +181,6 @@ index e9869c497175..87fa14fedc88 100644 bool secure_modules(void) { #ifdef CONFIG_MODULE_SIG +-- +2.4.3 + diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch index 158e7f1d2..b6e039ff0 100644 --- a/Add-secure_modules-call.patch +++ b/Add-secure_modules-call.patch @@ -1,6 +1,7 @@ +From a1aaf20cffb1a949c5d6b1198690c7c30cfda4d5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH] Add secure_modules() call +Subject: [PATCH 01/20] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load @@ -16,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 2 files changed, 16 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index d67b1932cc59..57474384b66b 100644 +index 3a19c79918e0..db386349cd01 100644 
--- a/include/linux/module.h +++ b/include/linux/module.h -@@ -551,6 +551,8 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module) return module && module->async_probe_requested; } @@ -28,7 +29,7 @@ index d67b1932cc59..57474384b66b 100644 #else /* !CONFIG_MODULES... */ /* Given an address, look for it in the exception tables. */ -@@ -667,6 +669,10 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module) return false; } @@ -40,10 +41,10 @@ index d67b1932cc59..57474384b66b 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 4d2b82e610e2..e9869c497175 100644 +index b86b7bf1be38..7f045246e123 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4083,3 +4083,13 @@ void module_layout(struct module *mod, +@@ -4087,3 +4087,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -57,3 +58,6 @@ index 4d2b82e610e2..e9869c497175 100644 +#endif +} +EXPORT_SYMBOL(secure_modules); +-- +2.4.3 + diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch index ffc460849..4600848cf 100644 --- a/Add-sysrq-option-to-disable-secure-boot-mode.patch +++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch @@ -1,6 +1,7 @@ +From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001 From: Kyle McMartin <kyle@redhat.com> Date: Fri, 30 Aug 2013 09:28:51 -0400 -Subject: [PATCH] Add sysrq option to disable secure boot mode +Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode Bugzilla: N/A Upstream-status: Fedora mustard @@ -15,7 +16,7 @@ Upstream-status: Fedora mustard 7 files changed, 64 insertions(+), 9 deletions(-) 
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 5def6b4143fa..1eac9d22cb0b 100644 +index f93826b8522c..41679b1aca83 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -70,6 +70,11 @@ @@ -30,7 +31,7 @@ index 5def6b4143fa..1eac9d22cb0b 100644 #include <video/edid.h> #include <asm/mtrr.h> -@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void) +@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void) #endif /* CONFIG_X86_32 */ @@ -69,10 +70,10 @@ index 5def6b4143fa..1eac9d22cb0b 100644 .notifier_call = dump_kernel_offset }; diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index 421e29e4cd81..61c1eb97806c 100644 +index 345df9b03aed..dea6a6c4a39b 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c -@@ -366,6 +366,7 @@ static int uinput_allocate_device(struct uinput_device *udev) +@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev) if (!udev->dev) return -ENOMEM; @@ -81,10 +82,10 @@ index 421e29e4cd81..61c1eb97806c 100644 input_set_drvdata(udev->dev, udev); diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index b5b427888b24..289c7898a3b0 100644 +index 95b330a9ea98..dfa3e154a719 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c -@@ -465,6 +465,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { +@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { /* x: May be registered on mips for TLB dump */ /* x: May be registered on ppc/powerpc for xmon */ /* x: May be registered on sparc64 for global PMU dump */ @@ -92,7 +93,7 @@ index b5b427888b24..289c7898a3b0 100644 NULL, /* x */ /* y: May be registered on sparc64 for global register dump */ NULL, /* y */ -@@ -508,7 +509,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) +@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) sysrq_key_table[i] = op_p; } 
@@ -101,7 +102,7 @@ index b5b427888b24..289c7898a3b0 100644 { struct sysrq_key_op *op_p; int orig_log_level; -@@ -528,11 +529,15 @@ void __handle_sysrq(int key, bool check_mask) +@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask) op_p = __sysrq_get_key_op(key); if (op_p) { @@ -118,7 +119,7 @@ index b5b427888b24..289c7898a3b0 100644 pr_cont("%s\n", op_p->action_msg); console_loglevel = orig_log_level; op_p->handler(key); -@@ -564,7 +569,7 @@ void __handle_sysrq(int key, bool check_mask) +@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask) void handle_sysrq(int key) { if (sysrq_on()) @@ -127,7 +128,7 @@ index b5b427888b24..289c7898a3b0 100644 } EXPORT_SYMBOL(handle_sysrq); -@@ -645,7 +650,7 @@ static void sysrq_do_reset(unsigned long _state) +@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state) static void sysrq_handle_reset_request(struct sysrq_state *state) { if (state->reset_requested) @@ -136,7 +137,7 @@ index b5b427888b24..289c7898a3b0 100644 if (sysrq_reset_downtime_ms) mod_timer(&state->keyreset_timer, -@@ -796,8 +801,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, +@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, default: if (sysrq->active && value && value != 2) { @@ -148,7 +149,7 @@ index b5b427888b24..289c7898a3b0 100644 } break; } -@@ -1077,7 +1084,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, +@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, if (get_user(c, buf)) return -EFAULT; @@ -228,7 +229,7 @@ index 4121345498e0..0ff3cef5df96 100644 return 0; diff --git a/kernel/module.c b/kernel/module.c -index 87fa14fedc88..61385e686d49 100644 +index 2b403ab0ef29..7818c110e95c 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void) 
@@ -240,3 +241,6 @@ index 87fa14fedc88..61385e686d49 100644 #ifndef CONFIG_MODULE_SIG_FORCE module_param(sig_enforce, bool_enable_only, 0644); #endif /* !CONFIG_MODULE_SIG_FORCE */ +-- +2.4.3 + diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch index fe06d51b9..be35564a6 100644 --- a/KEYS-Add-a-system-blacklist-keyring.patch +++ b/KEYS-Add-a-system-blacklist-keyring.patch @@ -1,6 +1,7 @@ +From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH] KEYS: Add a system blacklist keyring +Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules @@ -9,72 +10,15 @@ useful in cases where third party certificates are used for module signing. 
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> --- + certs/system_keyring.c | 27 +++++++++++++++++++++++++++ include/keys/system_keyring.h | 4 ++++ init/Kconfig | 9 +++++++++ - kernel/module_signing.c | 12 ++++++++++++ - kernel/system_keyring.c | 17 +++++++++++++++++ - 4 files changed, 42 insertions(+) + 3 files changed, 40 insertions(+) -diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h -index 72665eb80692..2c7b80d31366 100644 ---- a/include/keys/system_keyring.h -+++ b/include/keys/system_keyring.h -@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void) - } - #endif - -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+extern struct key *system_blacklist_keyring; -+#endif -+ - #endif /* _KEYS_SYSTEM_KEYRING_H */ -diff --git a/init/Kconfig b/init/Kconfig -index af09b4fb43d2..62f6fd191e4f 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1752,6 +1752,15 @@ config SYSTEM_TRUSTED_KEYRING - - Keys in this keyring are used by module signature checking. - -+config SYSTEM_BLACKLIST_KEYRING -+ bool "Provide system-wide ring of blacklisted keys" -+ depends on KEYS -+ help -+ Provide a system keyring to which blacklisted keys can be added. -+ Keys in the keyring are considered entirely untrusted. Keys in this -+ keyring are used by the module signature checking to reject loading -+ of modules signed with a blacklisted key. -+ - config PROFILING - bool "Profiling support" - help -diff --git a/kernel/module_signing.c b/kernel/module_signing.c -index be5b8fac4bd0..fed815fcdaf2 100644 ---- a/kernel/module_signing.c -+++ b/kernel/module_signing.c -@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len, - - pr_debug("Look up: \"%s\"\n", id); - -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+ key = keyring_search(make_key_ref(system_blacklist_keyring, 1), -+ &key_type_asymmetric, id); -+ if (!IS_ERR(key)) { -+ /* module is signed with a cert in the blacklist. 
reject */ -+ pr_err("Module key '%s' is in blacklist\n", id); -+ key_ref_put(key); -+ kfree(id); -+ return ERR_PTR(-EKEYREJECTED); -+ } -+#endif -+ - key = keyring_search(make_key_ref(system_trusted_keyring, 1), - &key_type_asymmetric, id); - if (IS_ERR(key)) -diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c -index 875f64e8935b..c15e93f5a418 100644 ---- a/kernel/system_keyring.c -+++ b/kernel/system_keyring.c +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 2570598b784d..53733822993f 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c @@ -20,6 +20,9 @@ struct key *system_trusted_keyring; @@ -90,7 +34,7 @@ index 875f64e8935b..c15e93f5a418 100644 set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags); + -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING + system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring", + KUIDT_INIT(0), KGIDT_INIT(0), + current_cred(), 
@@ -106,3 +50,56 @@ index 875f64e8935b..c15e93f5a418 100644 return 0; } +@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len, + if (ret < 0) + goto error; + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted); ++ if (!ret) { ++ /* module is signed with a cert in the blacklist. reject */ ++ pr_err("Module key is in the blacklist\n"); ++ ret = -EKEYREJECTED; ++ goto error; ++ } ++#endif ++ + ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted); + if (ret < 0) + goto error; +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index b20cd885c1fd..51d8ddc60e0f 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -35,4 +35,8 @@ extern int system_verify_data(const void *data, unsigned long len, + enum key_being_used_for usage); + #endif + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++extern struct key *system_blacklist_keyring; ++#endif ++ + #endif /* _KEYS_SYSTEM_KEYRING_H */ +diff --git a/init/Kconfig b/init/Kconfig +index 02da9f1fd9df..782d26f02885 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION + module verification, kexec image verification and firmware blob + verification. + ++config SYSTEM_BLACKLIST_KEYRING ++ bool "Provide system-wide ring of blacklisted keys" ++ depends on KEYS ++ help ++ Provide a system keyring to which blacklisted keys can be added. ++ Keys in the keyring are considered entirely untrusted. Keys in this ++ keyring are used by the module signature checking to reject loading ++ of modules signed with a blacklisted key. ++ + config PROFILING + bool "Profiling support" + help +-- +2.4.3 + diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch index dafc0a668..35ea8c43e 100644 --- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch 
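Review bot: In the `system_verify_data()` hunk of the refreshed patch, the blacklist lookup acts only on `if (!ret)`, so every non-zero return from `pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted)` falls through to the trusted-keyring check as if the signer were not blacklisted. If that call can fail for reasons other than "no matching key" (allocation or crypto errors, presumably; the return contract is not visible here), the rejection list fails open, and an `else if (ret != -ENOKEY) goto error;` after the rejection branch would close that once the contract is confirmed. The new message `"Module key is in the blacklist\n"` no longer names the key, where the removed version printed `id`, and the Kconfig context in this section suggests the same verification path also serves kexec images and firmware blobs, so `pr_err("Signing key is in the blacklist\n");` would be less misleading in logs. The function body starts and ends outside the hunk.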
+++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -1,3 +1,4 @@ +From b890a85619bee4262876ad131eb0565014ae82b0 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 26 Oct 2012 12:42:16 -0400 Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot @@ -42,10 +43,10 @@ index 414c3c3d988d..d920a6be6c8b 100644 efi_guid_t guid; u64 table; diff --git a/init/Kconfig b/init/Kconfig -index 62f6fd191e4f..648bb79d6b73 100644 +index 782d26f02885..bcc71c2f4b80 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1906,6 +1906,15 @@ config MODULE_SIG_ALL +@@ -1933,6 +1933,15 @@ config MODULE_SIG_ALL comment "Do not forget to sign required modules with scripts/sign-file" depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL @@ -62,11 +63,11 @@ index 62f6fd191e4f..648bb79d6b73 100644 prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG diff --git a/kernel/Makefile b/kernel/Makefile -index 43c4c920f30a..3193574387ac 100644 +index e0d7587e7684..566ac6bb720c 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -48,6 +48,7 @@ obj-$(CONFIG_UID16) += uid16.o - obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +@@ -47,6 +47,7 @@ endif + obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULE_SIG) += module_signing.o +obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o @@ -75,13 +76,13 @@ index 43c4c920f30a..3193574387ac 100644 obj-$(CONFIG_KEXEC) += kexec.o @@ -101,6 +102,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o - $(obj)/configs.o: $(obj)/config_data.h + obj-$(CONFIG_HAS_IOMEM) += memremap.o +$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar + + $(obj)/configs.o: $(obj)/config_data.h + # config_data.h contains the same information as ikconfig.h but gzipped. - # Info from config_data can be extracted from /proc/config* - targets += config_data.gz 
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c new file mode 100644 index 000000000000..94b0eb38a284 @@ -180,3 +181,6 @@ index 000000000000..94b0eb38a284 + return rc; +} +late_initcall(load_uefi_certs); +-- +2.4.3 + diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch index 4782e734f..bb5ae2a2c 100644 --- a/MODSIGN-Support-not-importing-certs-from-db.patch +++ b/MODSIGN-Support-not-importing-certs-from-db.patch @@ -1,6 +1,7 @@ +From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Thu, 3 Oct 2013 10:14:23 -0400 -Subject: [PATCH] MODSIGN: Support not importing certs from db +Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. @@ -78,3 +79,6 @@ index 94b0eb38a284..ae28b974d49a 100644 } mok = get_cert_list(L"MokListRT", &mok_var, &moksize); +-- +2.4.3 + diff --git a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 92e028d07..23a514f3b 100644 --- a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,6 +1,8 @@ +From 655fbf360e1481db4f06001f893d388c15ac307f Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH] PCI: Lock down BAR access when module security is enabled +Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is + enabled Any hardware that can potentially generate DMA has to be locked down from userspace in order to avoid it being possible for an attacker to modify @@ -111,3 +113,6 @@ index b91c4da68365..98f5637304d1 100644 return -EPERM; dev = pci_get_bus_and_slot(bus, dfn); +-- +2.4.3 + 
diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 27e4b2370..acf28cf88 100644 --- a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,6 +1,7 @@ +From d4ae417828427de74e9f857f9caa49580aecf1fe Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -36,3 +37,6 @@ index 53fe675f9bd7..b52c88860532 100644 if (p < (unsigned long) high_memory) { unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); +-- +2.4.3 + diff --git a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 807b59841..2794b155f 100644 --- a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,8 @@ +From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading - is restricted +Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module + loading is restricted This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to circumvent any restrictions imposed on @@ -13,10 +14,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 3b8963f21b36..a5ae6a7fef5e 100644 +index 739a4a6b3b9b..9ef2a020a7a9 100644 --- a/drivers/acpi/osl.c 
+++ b/drivers/acpi/osl.c -@@ -44,6 +44,7 @@ +@@ -40,6 +40,7 @@ #include <linux/list.h> #include <linux/jiffies.h> #include <linux/semaphore.h> @@ -24,7 +25,7 @@ index 3b8963f21b36..a5ae6a7fef5e 100644 #include <asm/io.h> #include <asm/uaccess.h> -@@ -255,7 +256,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -33,3 +34,6 @@ index 3b8963f21b36..a5ae6a7fef5e 100644 return acpi_rsdp; #endif +-- +2.4.3 + diff --git a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 12a657cb9..3ab7b85ea 100644 --- a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,8 @@ +From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is - restricted +Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module + loading is restricted We have no way of validating what all of the Asus WMI methods do on a given machine, and there's a risk that some will allow hardware state to @@ -48,3 +49,6 @@ index efbc3f0c592b..071171be4b7f 100644 status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, 1, asus->debug.method_id, &input, &output); +-- +2.4.3 + diff --git a/config-arm-generic b/config-arm-generic index 547ff7f7b..63d488ccc 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -218,6 +218,7 @@ CONFIG_I2C_MUX_GPIO=m CONFIG_I2C_MUX_PINCTRL=m CONFIG_I2C_MUX_PCA9541=m CONFIG_I2C_MUX_PCA954x=m +CONFIG_I2C_MUX_REG=m # spi CONFIG_SPI_PL022=m diff --git a/config-generic b/config-generic index ff9f9b918..0eb1eca9a 100644 --- a/config-generic +++ b/config-generic 
@@ -146,6 +146,8 @@ CONFIG_MMC_TIFM_SD=m CONFIG_MMC_WBSD=m CONFIG_MMC_VIA_SDMMC=m CONFIG_MMC_SDHCI_PLTFM=m +# CONFIG_MMC_SDHCI_OF is not set +# CONFIG_MMC_SDHCI_OF_AT91 is not set CONFIG_MMC_CB710=m CONFIG_MMC_RICOH_MMC=y CONFIG_MMC_USHC=m @@ -2571,6 +2573,7 @@ CONFIG_I2C_CHARDEV=m # CONFIG_I2C_MUX_GPIO is not set # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PINCTRL is not set +# CONFIG_I2C_MUX_REG is not set # # @@ -2599,6 +2602,7 @@ CONFIG_I2C_ALGOPCA=m # CONFIG_I2C_NFORCE2_S4985 is not set # CONFIG_I2C_EG20T is not set # CONFIG_I2C_CBUS_GPIO is not set +# CONFIG_I2C_EMEV2 is not set CONFIG_I2C_VIPERBOARD=m CONFIG_EEPROM_AT24=m @@ -3139,6 +3143,7 @@ CONFIG_RTC_DRV_PCF85063=m # CONFIG_RTC_DRV_ISL12057 is not set # CONFIG_RTC_DRV_XGENE is not set # CONFIG_RTC_DRV_ABB5ZES3 is not set +# CONFIG_RTC_DRV_ZYNQMP is not set CONFIG_R3964=m # CONFIG_APPLICOM is not set diff --git a/config-x86-generic b/config-x86-generic index 9177a0102..cdf5ae8ac 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -314,6 +314,7 @@ CONFIG_XEN_PCIDEV_BACKEND=m CONFIG_XEN_ACPI_PROCESSOR=m # CONFIG_XEN_SCSI_FRONTEND is not set # CONFIG_XEN_SCSI_BACKEND is not set +CONFIG_XEN_SYMS=y CONFIG_MTD_ESB2ROM=m CONFIG_MTD_CK804XROM=m @@ -461,6 +462,8 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m CONFIG_HP_ACCEL=m +CONFIG_SURFACE_PRO3_BUTTON=m + # CONFIG_RAPIDIO is not set CONFIG_SCHED_SMT=y @@ -562,6 +565,8 @@ CONFIG_MODULE_SIG_ALL=y # CONFIG_MODULE_SIG_SHA1 is not set CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_FORCE is not set +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYS="" CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y CONFIG_EFI_SIGNATURE_LIST_PARSER=y diff --git a/config-x86_64-generic b/config-x86_64-generic index da3bed3e6..6c6f88c48 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic 
@@ -136,6 +136,7 @@ CONFIG_XEN_SYS_HYPERVISOR=y # CONFIG_XEN_MCE_LOG is not set # CONFIG_XEN_STUB is not set # CONFIG_XEN_PVH is not set +CONFIG_XEN_512GB=y CONFIG_PROVIDE_OHCI1394_DMA_INIT=y diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch index 318a8e70d..94f7fe768 100644 --- a/efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,6 +1,7 @@ +From b4467813ec088c13bd8c9f1eafb7c29d889d7c8f Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -12,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index c2e4f52cad30..5def6b4143fa 100644 +index 1ac118146e90..f93826b8522c 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1137,7 +1137,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -37,3 +38,6 @@ index 85ef051ac6fb..de3e45088d4a 100644 #ifdef CONFIG_EFI /* +-- +2.4.3 + diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch index 6fd94c8ee..ba2f3cefa 100644 --- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch @@ -1,6 +1,7 @@ +From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001 
From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode +Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode A user can manually tell the shim boot loader to disable validation of images it loads. When a user does this, it creates a UEFI variable called @@ -14,7 +15,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 1ef8ea7f8ed9..d82dc9c1c19e 100644 +index b4de3faa3f29..5cc2ef570390 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -830,8 +830,9 @@ out: @@ -52,3 +53,6 @@ index 1ef8ea7f8ed9..d82dc9c1c19e 100644 return 1; } +-- +2.4.3 + diff --git a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index 5bdd21b9d..095bea782 100644 --- a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,6 +1,7 @@ +From 0081083434db41c15b72eced975da0bd9b80566b Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 12/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -11,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 4da6644b1fd0..341a1457f7c7 100644 +index 14db458f4774..f6ff0a86d841 100644 --- a/arch/x86/Kconfig 
+++ b/arch/x86/Kconfig -@@ -1704,7 +1704,8 @@ config EFI_MIXED +@@ -1735,7 +1735,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -24,3 +25,6 @@ index 4da6644b1fd0..341a1457f7c7 100644 prompt "Force module signing when UEFI Secure Boot is enabled" ---help--- UEFI Secure Boot provides a mechanism for ensuring that the +-- +2.4.3 + diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch index 9450e8bf3..f62ea08b0 100644 --- a/hibernate-Disable-in-a-signed-modules-environment.patch +++ b/hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,6 +1,7 @@ +From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH] hibernate: Disable in a signed modules environment +Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -33,3 +34,6 @@ index 690f78f210f2..037303a1cba9 100644 } /** +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index 043af017a..c2306c32f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -67,7 +67,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 9 +%define gitrev 10 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -389,7 +389,7 @@ BuildRequires: rpm-build, elfutils %endif %if %{signmodules} -BuildRequires: openssl +BuildRequires: openssl-devel BuildRequires: pesign >= 0.10-4 %endif @@ -1304,11 +1304,9 @@ BuildKernel() { cp configs/$Config .config %if %{signmodules} - cp %{SOURCE11} . + cp %{SOURCE11} certs/. %endif - chmod +x scripts/sign-file - Arch=`head -1 .config | cut -b 3-` echo USING ARCH=$Arch 
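Review bot: The `%if %{signmodules}` hunk replaces `BuildRequires: openssl` with `openssl-devel` instead of adding to it, so the spec no longer declares a dependency on the openssl command-line tool. If the kernel build still invokes that tool to generate `certs/signing_key.pem` (not visible in this diff), it now relies on the buildroot pulling the tool in indirectly. Listing both, `BuildRequires: openssl openssl-devel`, would make the requirement explicit.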
@@ -1550,8 +1548,8 @@ BuildKernel() { %if %{signmodules} # Save the signing keys so we can sign the modules in __modsign_install_post - cp signing_key.priv signing_key.priv.sign${Flav} - cp signing_key.x509 signing_key.x509.sign${Flav} + cp certs/signing_key.pem certs/signing_key.pem.sign${Flav} + cp certs/signing_key.x509 certs/signing_key.x509.sign${Flav} %endif # Move the devel headers out of the root file system @@ -1646,16 +1644,16 @@ popd %define __modsign_install_post \ if [ "%{signmodules}" -eq "1" ]; then \ if [ "%{with_pae}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \ + %{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \ fi \ if [ "%{with_debug}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \ + %{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \ fi \ if [ "%{with_pae_debug}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \ + %{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \ fi \ if [ "%{with_up}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \ + %{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \ fi \ fi \ if [ "%{zipmodules}" -eq "1" ]; then \ 
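Review bot: The per-flavour copies of the private module-signing key made in the first hunk (`cp certs/signing_key.pem certs/signing_key.pem.sign${Flav}`) are not removed anywhere in the lines shown, and the `__modsign_install_post` macro in the second hunk only reads them. That key is what the built kernel trusts for module signatures, so I would delete the copies as soon as the last `%{modsign_cmd}` has run, e.g. `rm -f certs/signing_key.pem.sign* \` after the closing `fi \` of the signing block. It is also worth confirming that no later packaging step, such as the devel-headers move that follows the first hunk, picks up anything under `certs/` other than the public certificate. Both `BuildKernel()` and the macro continue outside these hunks, so cleanup may already exist elsewhere in the spec.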
@@ -2046,6 +2044,10 @@ fi # # %changelog +* Wed Sep 09 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.0-0.rc0.git10.1 +- Linux v4.2-10637-ga794b4f32921 +- Rework secure boot patchset + * Tue Sep 8 2015 Peter Robinson <pbrobinson@fedoraproject.org> - Config updates for ARMv7/aarch64 diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index cc821411d..2d06dad3c 100644 --- a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,6 +1,7 @@ +From 1fc498d024c07e39105c060603e40cb7bc6bd5b8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 03:33:56 -0400 -Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which @@ -38,3 +39,6 @@ index a785c1015e25..81d6b404f33c 100644 * Verify we have a legal set of flags * This leaves us room for future extensions. */ +-- +2.4.3 + @@ -1,3 +1,4 @@ 3d5ea06d767e2f35c999eeadafc76523 linux-4.2.tar.xz 4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz 6a9a3a0d7627f69cff33dcbb902fb967 patch-4.2-git9.xz +03499f6f8de1a578e3f9884a3a6cbd18 patch-4.2-git10.xz diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch index 4c1211d43..708006c2e 100644 --- a/x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,6 +1,8 @@ +From 7a3cdd26e6d38031338a6cb591ec2f3faaa9234b Mon Sep 17 00:00:00 2001 
From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH] x86: Lock down IO port access when module security is enabled +Subject: [PATCH 03/20] x86: Lock down IO port access when module security is + enabled IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register @@ -65,3 +67,6 @@ index 6b1721f978c2..53fe675f9bd7 100644 if (!access_ok(VERIFY_READ, buf, count)) return -EFAULT; while (count-- > 0 && i < 65536) { +-- +2.4.3 + diff --git a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch index 9053f2aea..5c91ab143 100644 --- a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,6 +1,8 @@ +From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH] x86: Restrict MSR access when module loading is restricted +Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is + restricted Writing to MSRs should not be allowed if module loading is restricted, since it could lead to execution of arbitrary code in kernel mode. Based @@ -37,3 +39,6 @@ index 113e70784854..26c2f83fc470 100644 if (copy_from_user(®s, uregs, sizeof regs)) { err = -EFAULT; break; +-- +2.4.3 + |