authorJosh Boyer <jwboyer@fedoraproject.org>2015-09-09 11:10:06 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2015-09-09 11:10:17 -0400
commit18c82493e579cff717864e8931960040bd820b33 (patch)
tree42493f93faa2f0b8f8d84ad46ef9a8a86bdd2fb9
parent818326ffa2208b592aa1d46ae62d1f562dbb89ea (diff)
downloadkernel-18c82493e579cff717864e8931960040bd820b33.tar.gz
kernel-18c82493e579cff717864e8931960040bd820b33.tar.xz
kernel-18c82493e579cff717864e8931960040bd820b33.zip
Linux v4.2-10637-ga794b4f32921
- Rework secure boot patchset
-rw-r--r--ACPI-Limit-access-to-custom_method.patch6
-rw-r--r--Add-EFI-signature-data-types.patch6
-rw-r--r--Add-an-EFI-signature-blob-parser-and-key-loader.patch8
-rw-r--r--Add-option-to-automatically-enforce-module-signature.patch32
-rw-r--r--Add-secure_modules-call.patch16
-rw-r--r--Add-sysrq-option-to-disable-secure-boot-mode.patch32
-rw-r--r--KEYS-Add-a-system-blacklist-keyring.patch127
-rw-r--r--MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch20
-rw-r--r--MODSIGN-Support-not-importing-certs-from-db.patch6
-rw-r--r--PCI-Lock-down-BAR-access-when-module-security-is-ena.patch7
-rw-r--r--Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch6
-rw-r--r--acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch14
-rw-r--r--asus-wmi-Restrict-debugfs-interface-when-module-load.patch8
-rw-r--r--config-arm-generic1
-rw-r--r--config-generic5
-rw-r--r--config-x86-generic5
-rw-r--r--config-x86_64-generic1
-rw-r--r--efi-Add-EFI_SECURE_BOOT-bit.patch10
-rw-r--r--efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch8
-rw-r--r--efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch10
-rw-r--r--hibernate-Disable-in-a-signed-modules-environment.patch6
-rw-r--r--kernel.spec24
-rw-r--r--kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch6
-rw-r--r--sources1
-rw-r--r--x86-Lock-down-IO-port-access-when-module-security-is.patch7
-rw-r--r--x86-Restrict-MSR-access-when-module-loading-is-restr.patch7
26 files changed, 235 insertions, 144 deletions
diff --git a/ACPI-Limit-access-to-custom_method.patch b/ACPI-Limit-access-to-custom_method.patch
index 88709a324..38236753e 100644
--- a/ACPI-Limit-access-to-custom_method.patch
+++ b/ACPI-Limit-access-to-custom_method.patch
@@ -1,6 +1,7 @@
+From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH] ACPI: Limit access to custom_method
+Subject: [PATCH 04/20] ACPI: Limit access to custom_method
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
@@ -25,3 +26,6 @@ index c68e72414a67..4277938af700 100644
if (!(*ppos)) {
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
+--
+2.4.3
+
diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch
index f24473d44..57847dc56 100644
--- a/Add-EFI-signature-data-types.patch
+++ b/Add-EFI-signature-data-types.patch
@@ -1,6 +1,7 @@
+From 34e3e23e08fdccbf4637deab0cf03070d4f2226d Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH] Add EFI signature data types
+Subject: [PATCH 15/20] Add EFI signature data types
Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification.
@@ -51,3 +52,6 @@ index de3e45088d4a..fac43c611614 100644
/*
* All runtime access to EFI goes through this structure:
*/
+--
+2.4.3
+
diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
index c4feebea5..06ddd1596 100644
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@@ -1,6 +1,7 @@
+From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH] Add an EFI signature blob parser and key loader.
+Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
@@ -32,7 +33,7 @@ index 4870f28403f5..4a1b50d73b80 100644
+
endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index e47fcd9ac5e8..6512f6596785 100644
+index cd1406f9b14a..d9db380bbe53 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o
@@ -173,3 +174,6 @@ index fac43c611614..414c3c3d988d 100644
/**
* efi_range_is_wc - check the WC bit on an address range
* @start: starting kvirt address
+--
+2.4.3
+
diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch
index ff4fc0512..015371b8b 100644
--- a/Add-option-to-automatically-enforce-module-signature.patch
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@@ -1,7 +1,8 @@
+From 37431394b3eeb1ef6d38d0e6b2693210606c2c2c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH] Add option to automatically enforce module signatures when in
- Secure Boot mode
+Subject: [PATCH 10/20] Add option to automatically enforce module signatures
+ when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
@@ -20,10 +21,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
7 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 82fbdbc1e0b0..a811210ad486 100644
+index 95a4d34af3fd..b8527c6b7646 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
-@@ -30,6 +30,8 @@ Offset Proto Name Meaning
+@@ -31,6 +31,8 @@ Offset Proto Name Meaning
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
(below)
@@ -33,10 +34,10 @@ index 82fbdbc1e0b0..a811210ad486 100644
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 3dbb7e7909ca..4da6644b1fd0 100644
+index cc0d73eac047..14db458f4774 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -1703,6 +1703,16 @@ config EFI_MIXED
+@@ -1734,6 +1734,16 @@ config EFI_MIXED
If unsure, say N.
@@ -54,7 +55,7 @@ index 3dbb7e7909ca..4da6644b1fd0 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 2c82bd150d43..1ef8ea7f8ed9 100644
+index ee1b6d346b98..b4de3faa3f29 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
@@ -115,7 +116,7 @@ index 2c82bd150d43..1ef8ea7f8ed9 100644
setup_efi_pci(boot_params);
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index ab456dc233b5..74ba4083e7ce 100644
+index 329254373479..b61f8533c0fd 100644
--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -134,7 +134,8 @@ struct boot_params {
@@ -129,10 +130,10 @@ index ab456dc233b5..74ba4083e7ce 100644
* The sentinel is set to a nonzero value (0xff) in header.S.
*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 80f874bf999e..c2e4f52cad30 100644
+index baadbf90a7c5..1ac118146e90 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
@@ -146,10 +147,10 @@ index 80f874bf999e..c2e4f52cad30 100644
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
diff --git a/include/linux/module.h b/include/linux/module.h
-index 57474384b66b..b69d657c3700 100644
+index db386349cd01..4b8df91f03cd 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
-@@ -189,6 +189,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
+@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
struct notifier_block;
@@ -163,10 +164,10 @@ index 57474384b66b..b69d657c3700 100644
extern int modules_disabled; /* for sysctl */
diff --git a/kernel/module.c b/kernel/module.c
-index e9869c497175..87fa14fedc88 100644
+index 7f045246e123..2b403ab0ef29 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -4084,6 +4084,13 @@ void module_layout(struct module *mod,
+@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod,
EXPORT_SYMBOL(module_layout);
#endif
@@ -180,3 +181,6 @@ index e9869c497175..87fa14fedc88 100644
bool secure_modules(void)
{
#ifdef CONFIG_MODULE_SIG
+--
+2.4.3
+
diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch
index 158e7f1d2..b6e039ff0 100644
--- a/Add-secure_modules-call.patch
+++ b/Add-secure_modules-call.patch
@@ -1,6 +1,7 @@
+From a1aaf20cffb1a949c5d6b1198690c7c30cfda4d5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH] Add secure_modules() call
+Subject: [PATCH 01/20] Add secure_modules() call
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
@@ -16,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
2 files changed, 16 insertions(+)
diff --git a/include/linux/module.h b/include/linux/module.h
-index d67b1932cc59..57474384b66b 100644
+index 3a19c79918e0..db386349cd01 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
-@@ -551,6 +551,8 @@ static inline bool module_requested_async_probing(struct module *module)
+@@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module)
return module && module->async_probe_requested;
}
@@ -28,7 +29,7 @@ index d67b1932cc59..57474384b66b 100644
#else /* !CONFIG_MODULES... */
/* Given an address, look for it in the exception tables. */
-@@ -667,6 +669,10 @@ static inline bool module_requested_async_probing(struct module *module)
+@@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module)
return false;
}
@@ -40,10 +41,10 @@ index d67b1932cc59..57474384b66b 100644
#ifdef CONFIG_SYSFS
diff --git a/kernel/module.c b/kernel/module.c
-index 4d2b82e610e2..e9869c497175 100644
+index b86b7bf1be38..7f045246e123 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -4083,3 +4083,13 @@ void module_layout(struct module *mod,
+@@ -4087,3 +4087,13 @@ void module_layout(struct module *mod,
}
EXPORT_SYMBOL(module_layout);
#endif
@@ -57,3 +58,6 @@ index 4d2b82e610e2..e9869c497175 100644
+#endif
+}
+EXPORT_SYMBOL(secure_modules);
+--
+2.4.3
+
diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch
index ffc460849..4600848cf 100644
--- a/Add-sysrq-option-to-disable-secure-boot-mode.patch
+++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch
@@ -1,6 +1,7 @@
+From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
Date: Fri, 30 Aug 2013 09:28:51 -0400
-Subject: [PATCH] Add sysrq option to disable secure boot mode
+Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
Bugzilla: N/A
Upstream-status: Fedora mustard
@@ -15,7 +16,7 @@ Upstream-status: Fedora mustard
7 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 5def6b4143fa..1eac9d22cb0b 100644
+index f93826b8522c..41679b1aca83 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -70,6 +70,11 @@
@@ -30,7 +31,7 @@ index 5def6b4143fa..1eac9d22cb0b 100644
#include <video/edid.h>
#include <asm/mtrr.h>
-@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void)
+@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void)
#endif /* CONFIG_X86_32 */
@@ -69,10 +70,10 @@ index 5def6b4143fa..1eac9d22cb0b 100644
.notifier_call = dump_kernel_offset
};
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
-index 421e29e4cd81..61c1eb97806c 100644
+index 345df9b03aed..dea6a6c4a39b 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
-@@ -366,6 +366,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
+@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
if (!udev->dev)
return -ENOMEM;
@@ -81,10 +82,10 @@ index 421e29e4cd81..61c1eb97806c 100644
input_set_drvdata(udev->dev, udev);
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index b5b427888b24..289c7898a3b0 100644
+index 95b330a9ea98..dfa3e154a719 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
-@@ -465,6 +465,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
/* x: May be registered on mips for TLB dump */
/* x: May be registered on ppc/powerpc for xmon */
/* x: May be registered on sparc64 for global PMU dump */
@@ -92,7 +93,7 @@ index b5b427888b24..289c7898a3b0 100644
NULL, /* x */
/* y: May be registered on sparc64 for global register dump */
NULL, /* y */
-@@ -508,7 +509,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
sysrq_key_table[i] = op_p;
}
@@ -101,7 +102,7 @@ index b5b427888b24..289c7898a3b0 100644
{
struct sysrq_key_op *op_p;
int orig_log_level;
-@@ -528,11 +529,15 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask)
op_p = __sysrq_get_key_op(key);
if (op_p) {
@@ -118,7 +119,7 @@ index b5b427888b24..289c7898a3b0 100644
pr_cont("%s\n", op_p->action_msg);
console_loglevel = orig_log_level;
op_p->handler(key);
-@@ -564,7 +569,7 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask)
void handle_sysrq(int key)
{
if (sysrq_on())
@@ -127,7 +128,7 @@ index b5b427888b24..289c7898a3b0 100644
}
EXPORT_SYMBOL(handle_sysrq);
-@@ -645,7 +650,7 @@ static void sysrq_do_reset(unsigned long _state)
+@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state)
static void sysrq_handle_reset_request(struct sysrq_state *state)
{
if (state->reset_requested)
@@ -136,7 +137,7 @@ index b5b427888b24..289c7898a3b0 100644
if (sysrq_reset_downtime_ms)
mod_timer(&state->keyreset_timer,
-@@ -796,8 +801,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
default:
if (sysrq->active && value && value != 2) {
@@ -148,7 +149,7 @@ index b5b427888b24..289c7898a3b0 100644
}
break;
}
-@@ -1077,7 +1084,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
if (get_user(c, buf))
return -EFAULT;
@@ -228,7 +229,7 @@ index 4121345498e0..0ff3cef5df96 100644
return 0;
diff --git a/kernel/module.c b/kernel/module.c
-index 87fa14fedc88..61385e686d49 100644
+index 2b403ab0ef29..7818c110e95c 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void)
@@ -240,3 +241,6 @@ index 87fa14fedc88..61385e686d49 100644
#ifndef CONFIG_MODULE_SIG_FORCE
module_param(sig_enforce, bool_enable_only, 0644);
#endif /* !CONFIG_MODULE_SIG_FORCE */
+--
+2.4.3
+
diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch
index fe06d51b9..be35564a6 100644
--- a/KEYS-Add-a-system-blacklist-keyring.patch
+++ b/KEYS-Add-a-system-blacklist-keyring.patch
@@ -1,6 +1,7 @@
+From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH] KEYS: Add a system blacklist keyring
+Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
@@ -9,72 +10,15 @@ useful in cases where third party certificates are used for module signing.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
+ certs/system_keyring.c | 27 +++++++++++++++++++++++++++
include/keys/system_keyring.h | 4 ++++
init/Kconfig | 9 +++++++++
- kernel/module_signing.c | 12 ++++++++++++
- kernel/system_keyring.c | 17 +++++++++++++++++
- 4 files changed, 42 insertions(+)
+ 3 files changed, 40 insertions(+)
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index 72665eb80692..2c7b80d31366 100644
---- a/include/keys/system_keyring.h
-+++ b/include/keys/system_keyring.h
-@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void)
- }
- #endif
-
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+extern struct key *system_blacklist_keyring;
-+#endif
-+
- #endif /* _KEYS_SYSTEM_KEYRING_H */
-diff --git a/init/Kconfig b/init/Kconfig
-index af09b4fb43d2..62f6fd191e4f 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1752,6 +1752,15 @@ config SYSTEM_TRUSTED_KEYRING
-
- Keys in this keyring are used by module signature checking.
-
-+config SYSTEM_BLACKLIST_KEYRING
-+ bool "Provide system-wide ring of blacklisted keys"
-+ depends on KEYS
-+ help
-+ Provide a system keyring to which blacklisted keys can be added.
-+ Keys in the keyring are considered entirely untrusted. Keys in this
-+ keyring are used by the module signature checking to reject loading
-+ of modules signed with a blacklisted key.
-+
- config PROFILING
- bool "Profiling support"
- help
-diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index be5b8fac4bd0..fed815fcdaf2 100644
---- a/kernel/module_signing.c
-+++ b/kernel/module_signing.c
-@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
-
- pr_debug("Look up: \"%s\"\n", id);
-
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+ key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
-+ &key_type_asymmetric, id);
-+ if (!IS_ERR(key)) {
-+ /* module is signed with a cert in the blacklist. reject */
-+ pr_err("Module key '%s' is in blacklist\n", id);
-+ key_ref_put(key);
-+ kfree(id);
-+ return ERR_PTR(-EKEYREJECTED);
-+ }
-+#endif
-+
- key = keyring_search(make_key_ref(system_trusted_keyring, 1),
- &key_type_asymmetric, id);
- if (IS_ERR(key))
-diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
-index 875f64e8935b..c15e93f5a418 100644
---- a/kernel/system_keyring.c
-+++ b/kernel/system_keyring.c
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 2570598b784d..53733822993f 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
@@ -20,6 +20,9 @@
struct key *system_trusted_keyring;
@@ -90,7 +34,7 @@ index 875f64e8935b..c15e93f5a418 100644
set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
+
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
@@ -106,3 +50,56 @@ index 875f64e8935b..c15e93f5a418 100644
return 0;
}
+@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len,
+ if (ret < 0)
+ goto error;
+
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted);
++ if (!ret) {
++ /* module is signed with a cert in the blacklist. reject */
++ pr_err("Module key is in the blacklist\n");
++ ret = -EKEYREJECTED;
++ goto error;
++ }
++#endif
++
+ ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
+ if (ret < 0)
+ goto error;
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index b20cd885c1fd..51d8ddc60e0f 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -35,4 +35,8 @@ extern int system_verify_data(const void *data, unsigned long len,
+ enum key_being_used_for usage);
+ #endif
+
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++extern struct key *system_blacklist_keyring;
++#endif
++
+ #endif /* _KEYS_SYSTEM_KEYRING_H */
+diff --git a/init/Kconfig b/init/Kconfig
+index 02da9f1fd9df..782d26f02885 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION
+ module verification, kexec image verification and firmware blob
+ verification.
+
++config SYSTEM_BLACKLIST_KEYRING
++ bool "Provide system-wide ring of blacklisted keys"
++ depends on KEYS
++ help
++ Provide a system keyring to which blacklisted keys can be added.
++ Keys in the keyring are considered entirely untrusted. Keys in this
++ keyring are used by the module signature checking to reject loading
++ of modules signed with a blacklisted key.
++
+ config PROFILING
+ bool "Profiling support"
+ help
+--
+2.4.3
+
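Review bot: In the relocated blacklist check in system_verify_data(), only `ret == 0` from `pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted)` rejects, so any negative return falls through to the trusted-keyring lookup; if that helper can fail for reasons other than the no-match case (its source is not in this diff), such failures would be silently treated as "not blacklisted", and a guard like `if (ret < 0 && ret != -ENOKEY) goto error;` after the blacklist call would make that explicit. The message `pr_err("Module key is in the blacklist\n")` is now misleading, because the check has moved from module_signing.c into the generic system_verify_data(), which per the Kconfig context covers kexec image and firmware blob verification as well and takes an `enum key_being_used_for usage` per the header hunk, so something like `pr_err("Signing key is in the blacklist\n")` (or a message naming the usage) would be accurate. The SYSTEM_BLACKLIST_KEYRING help text still describes the keyring as used only "by the module signature checking", which no longer matches where the check lives. As a style point, the moved `++ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING` line in the keyring init is now indented by one space, unlike the other preprocessor directives in the hunk, and should start at column 0. Both enclosing functions start and end outside this hunk.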
diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
index dafc0a668..35ea8c43e 100644
--- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@@ -1,3 +1,4 @@
+From b890a85619bee4262876ad131eb0565014ae82b0 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
@@ -42,10 +43,10 @@ index 414c3c3d988d..d920a6be6c8b 100644
efi_guid_t guid;
u64 table;
diff --git a/init/Kconfig b/init/Kconfig
-index 62f6fd191e4f..648bb79d6b73 100644
+index 782d26f02885..bcc71c2f4b80 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1906,6 +1906,15 @@ config MODULE_SIG_ALL
+@@ -1933,6 +1933,15 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
@@ -62,11 +63,11 @@ index 62f6fd191e4f..648bb79d6b73 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
-index 43c4c920f30a..3193574387ac 100644
+index e0d7587e7684..566ac6bb720c 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
-@@ -48,6 +48,7 @@ obj-$(CONFIG_UID16) += uid16.o
- obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
+@@ -47,6 +47,7 @@ endif
+ obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o
+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
@@ -75,13 +76,13 @@ index 43c4c920f30a..3193574387ac 100644
obj-$(CONFIG_KEXEC) += kexec.o
@@ -101,6 +102,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
- $(obj)/configs.o: $(obj)/config_data.h
+ obj-$(CONFIG_HAS_IOMEM) += memremap.o
+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
+
+ $(obj)/configs.o: $(obj)/config_data.h
+
# config_data.h contains the same information as ikconfig.h but gzipped.
- # Info from config_data can be extracted from /proc/config*
- targets += config_data.gz
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
new file mode 100644
index 000000000000..94b0eb38a284
@@ -180,3 +181,6 @@ index 000000000000..94b0eb38a284
+ return rc;
+}
+late_initcall(load_uefi_certs);
+--
+2.4.3
+
diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch
index 4782e734f..bb5ae2a2c 100644
--- a/MODSIGN-Support-not-importing-certs-from-db.patch
+++ b/MODSIGN-Support-not-importing-certs-from-db.patch
@@ -1,6 +1,7 @@
+From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Thu, 3 Oct 2013 10:14:23 -0400
-Subject: [PATCH] MODSIGN: Support not importing certs from db
+Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@@ -78,3 +79,6 @@ index 94b0eb38a284..ae28b974d49a 100644
}
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+--
+2.4.3
+
diff --git a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
index 92e028d07..23a514f3b 100644
--- a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
+++ b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
@@ -1,6 +1,8 @@
+From 655fbf360e1481db4f06001f893d388c15ac307f Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
+Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is
+ enabled
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
@@ -111,3 +113,6 @@ index b91c4da68365..98f5637304d1 100644
return -EPERM;
dev = pci_get_bus_and_slot(bus, dfn);
+--
+2.4.3
+
diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
index 27e4b2370..acf28cf88 100644
--- a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
@@ -1,6 +1,7 @@
+From d4ae417828427de74e9f857f9caa49580aecf1fe Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is
restricted
Allowing users to write to address space makes it possible for the kernel
@@ -36,3 +37,6 @@ index 53fe675f9bd7..b52c88860532 100644
if (p < (unsigned long) high_memory) {
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
+--
+2.4.3
+
diff --git a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
index 807b59841..2794b155f 100644
--- a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
+++ b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
@@ -1,7 +1,8 @@
+From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading
- is restricted
+Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module
+ loading is restricted
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to circumvent any restrictions imposed on
@@ -13,10 +14,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 3b8963f21b36..a5ae6a7fef5e 100644
+index 739a4a6b3b9b..9ef2a020a7a9 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
-@@ -44,6 +44,7 @@
+@@ -40,6 +40,7 @@
#include <linux/list.h>
#include <linux/jiffies.h>
#include <linux/semaphore.h>
@@ -24,7 +25,7 @@ index 3b8963f21b36..a5ae6a7fef5e 100644
#include <asm/io.h>
#include <asm/uaccess.h>
-@@ -255,7 +256,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
acpi_physical_address __init acpi_os_get_root_pointer(void)
{
#ifdef CONFIG_KEXEC
@@ -33,3 +34,6 @@ index 3b8963f21b36..a5ae6a7fef5e 100644
return acpi_rsdp;
#endif
+--
+2.4.3
+
diff --git a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
index 12a657cb9..3ab7b85ea 100644
--- a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
+++ b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
@@ -1,7 +1,8 @@
+From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is
- restricted
+Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module
+ loading is restricted
We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
@@ -48,3 +49,6 @@ index efbc3f0c592b..071171be4b7f 100644
status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
1, asus->debug.method_id,
&input, &output);
+--
+2.4.3
+
diff --git a/config-arm-generic b/config-arm-generic
index 547ff7f7b..63d488ccc 100644
--- a/config-arm-generic
+++ b/config-arm-generic
@@ -218,6 +218,7 @@ CONFIG_I2C_MUX_GPIO=m
CONFIG_I2C_MUX_PINCTRL=m
CONFIG_I2C_MUX_PCA9541=m
CONFIG_I2C_MUX_PCA954x=m
+CONFIG_I2C_MUX_REG=m
# spi
CONFIG_SPI_PL022=m
diff --git a/config-generic b/config-generic
index ff9f9b918..0eb1eca9a 100644
--- a/config-generic
+++ b/config-generic
@@ -146,6 +146,8 @@ CONFIG_MMC_TIFM_SD=m
CONFIG_MMC_WBSD=m
CONFIG_MMC_VIA_SDMMC=m
CONFIG_MMC_SDHCI_PLTFM=m
+# CONFIG_MMC_SDHCI_OF is not set
+# CONFIG_MMC_SDHCI_OF_AT91 is not set
CONFIG_MMC_CB710=m
CONFIG_MMC_RICOH_MMC=y
CONFIG_MMC_USHC=m
@@ -2571,6 +2573,7 @@ CONFIG_I2C_CHARDEV=m
# CONFIG_I2C_MUX_GPIO is not set
# CONFIG_I2C_MUX_PCA9541 is not set
# CONFIG_I2C_MUX_PINCTRL is not set
+# CONFIG_I2C_MUX_REG is not set
#
#
@@ -2599,6 +2602,7 @@ CONFIG_I2C_ALGOPCA=m
# CONFIG_I2C_NFORCE2_S4985 is not set
# CONFIG_I2C_EG20T is not set
# CONFIG_I2C_CBUS_GPIO is not set
+# CONFIG_I2C_EMEV2 is not set
CONFIG_I2C_VIPERBOARD=m
CONFIG_EEPROM_AT24=m
@@ -3139,6 +3143,7 @@ CONFIG_RTC_DRV_PCF85063=m
# CONFIG_RTC_DRV_ISL12057 is not set
# CONFIG_RTC_DRV_XGENE is not set
# CONFIG_RTC_DRV_ABB5ZES3 is not set
+# CONFIG_RTC_DRV_ZYNQMP is not set
CONFIG_R3964=m
# CONFIG_APPLICOM is not set
diff --git a/config-x86-generic b/config-x86-generic
index 9177a0102..cdf5ae8ac 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -314,6 +314,7 @@ CONFIG_XEN_PCIDEV_BACKEND=m
CONFIG_XEN_ACPI_PROCESSOR=m
# CONFIG_XEN_SCSI_FRONTEND is not set
# CONFIG_XEN_SCSI_BACKEND is not set
+CONFIG_XEN_SYMS=y
CONFIG_MTD_ESB2ROM=m
CONFIG_MTD_CK804XROM=m
@@ -461,6 +462,8 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m
CONFIG_HP_ACCEL=m
+CONFIG_SURFACE_PRO3_BUTTON=m
+
# CONFIG_RAPIDIO is not set
CONFIG_SCHED_SMT=y
@@ -562,6 +565,8 @@ CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
CONFIG_EFI_SIGNATURE_LIST_PARSER=y
diff --git a/config-x86_64-generic b/config-x86_64-generic
index da3bed3e6..6c6f88c48 100644
--- a/config-x86_64-generic
+++ b/config-x86_64-generic
@@ -136,6 +136,7 @@ CONFIG_XEN_SYS_HYPERVISOR=y
# CONFIG_XEN_MCE_LOG is not set
# CONFIG_XEN_STUB is not set
# CONFIG_XEN_PVH is not set
+CONFIG_XEN_512GB=y
CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch
index 318a8e70d..94f7fe768 100644
--- a/efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -1,6 +1,7 @@
+From b4467813ec088c13bd8c9f1eafb7c29d889d7c8f Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled.
@@ -12,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
2 files changed, 3 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index c2e4f52cad30..5def6b4143fa 100644
+index 1ac118146e90..f93826b8522c 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1137,7 +1137,9 @@ void __init setup_arch(char **cmdline_p)
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot) {
@@ -37,3 +38,6 @@ index 85ef051ac6fb..de3e45088d4a 100644
#ifdef CONFIG_EFI
/*
+--
+2.4.3
+
diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
index 6fd94c8ee..ba2f3cefa 100644
--- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
@@ -1,6 +1,7 @@
+From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
+Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
@@ -14,7 +15,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 1ef8ea7f8ed9..d82dc9c1c19e 100644
+index b4de3faa3f29..5cc2ef570390 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -830,8 +830,9 @@ out:
@@ -52,3 +53,6 @@ index 1ef8ea7f8ed9..d82dc9c1c19e 100644
return 1;
}
+--
+2.4.3
+
diff --git a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
index 5bdd21b9d..095bea782 100644
--- a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
+++ b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
@@ -1,6 +1,7 @@
+From 0081083434db41c15b72eced975da0bd9b80566b Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 12/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
The functionality of the config option is dependent upon the platform being
UEFI based. Reflect this in the config deps.
@@ -11,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 4da6644b1fd0..341a1457f7c7 100644
+index 14db458f4774..f6ff0a86d841 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -1704,7 +1704,8 @@ config EFI_MIXED
+@@ -1735,7 +1735,8 @@ config EFI_MIXED
If unsure, say N.
config EFI_SECURE_BOOT_SIG_ENFORCE
@@ -24,3 +25,6 @@ index 4da6644b1fd0..341a1457f7c7 100644
prompt "Force module signing when UEFI Secure Boot is enabled"
---help---
UEFI Secure Boot provides a mechanism for ensuring that the
+--
+2.4.3
+
diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch
index 9450e8bf3..f62ea08b0 100644
--- a/hibernate-Disable-in-a-signed-modules-environment.patch
+++ b/hibernate-Disable-in-a-signed-modules-environment.patch
@@ -1,6 +1,7 @@
+From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH] hibernate: Disable in a signed modules environment
+Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
@@ -33,3 +34,6 @@ index 690f78f210f2..037303a1cba9 100644
}
/**
+--
+2.4.3
+
diff --git a/kernel.spec b/kernel.spec
index 043af017a..c2306c32f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -67,7 +67,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 0
# The git snapshot level
-%define gitrev 9
+%define gitrev 10
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@@ -389,7 +389,7 @@ BuildRequires: rpm-build, elfutils
%endif
%if %{signmodules}
-BuildRequires: openssl
+BuildRequires: openssl-devel
BuildRequires: pesign >= 0.10-4
%endif
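Review bot: Dropping `BuildRequires: openssl` in favour of `openssl-devel` may leave the build without the `openssl` command-line tool, which the in-tree key generation that produces `certs/signing_key.pem` (the file the later `cp certs/signing_key.pem` lines rely on) presumably shells out to; -devel is needed for linking the new sign-file program, but it is not obvious from this hunk that it pulls in the binary. Unless that dependency is known to be transitive, keep both lines: `BuildRequires: openssl` and `BuildRequires: openssl-devel` inside the `%if %{signmodules}` block. If the pesign-based signing later in the spec also expects the CLI, the same argument applies.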
@@ -1304,11 +1304,9 @@ BuildKernel() {
cp configs/$Config .config
%if %{signmodules}
- cp %{SOURCE11} .
+ cp %{SOURCE11} certs/.
%endif
- chmod +x scripts/sign-file
-
Arch=`head -1 .config | cut -b 3-`
echo USING ARCH=$Arch
@@ -1550,8 +1548,8 @@ BuildKernel() {
%if %{signmodules}
# Save the signing keys so we can sign the modules in __modsign_install_post
- cp signing_key.priv signing_key.priv.sign${Flav}
- cp signing_key.x509 signing_key.x509.sign${Flav}
+ cp certs/signing_key.pem certs/signing_key.pem.sign${Flav}
+ cp certs/signing_key.x509 certs/signing_key.x509.sign${Flav}
%endif
# Move the devel headers out of the root file system
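Review bot: `certs/signing_key.pem` replaces `signing_key.priv` as the key argument to `%{modsign_cmd}`, so the per-flavour copies `certs/signing_key.pem.sign${Flav}` made here hold the private module-signing key, and they now live under `certs/` inside the build tree that the devel-headers step beginning on the next line copies out. Check that every `certs/signing_key.pem*` file is removed from the devel tree before packaging (and that the `__modsign_install_post` hunk, which consumes these copies, runs before that removal), otherwise the private key can end up shipped in kernel-devel; a comment such as `# signing_key.pem holds the private key; never let it into the devel tree` above these `cp` lines would make the constraint explicit. BuildKernel() starts and ends outside this hunk, so where the devel tree is assembled cannot be confirmed from here.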
@@ -1646,16 +1644,16 @@ popd
%define __modsign_install_post \
if [ "%{signmodules}" -eq "1" ]; then \
if [ "%{with_pae}" -ne "0" ]; then \
- %{modsign_cmd} signing_key.priv.sign+%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
+ %{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
fi \
if [ "%{with_debug}" -ne "0" ]; then \
- %{modsign_cmd} signing_key.priv.sign+debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
+ %{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
fi \
if [ "%{with_pae_debug}" -ne "0" ]; then \
- %{modsign_cmd} signing_key.priv.sign+%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
+ %{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
fi \
if [ "%{with_up}" -ne "0" ]; then \
- %{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
+ %{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
fi \
fi \
if [ "%{zipmodules}" -eq "1" ]; then \
@@ -2046,6 +2044,10 @@ fi
#
#
%changelog
+* Wed Sep 09 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.0-0.rc0.git10.1
+- Linux v4.2-10637-ga794b4f32921
+- Rework secure boot patchset
+
* Tue Sep 8 2015 Peter Robinson <pbrobinson@fedoraproject.org>
- Config updates for ARMv7/aarch64
diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
index cc821411d..2d06dad3c 100644
--- a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
@@ -1,6 +1,7 @@
+From 1fc498d024c07e39105c060603e40cb7bc6bd5b8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which
@@ -38,3 +39,6 @@ index a785c1015e25..81d6b404f33c 100644
* Verify we have a legal set of flags
* This leaves us room for future extensions.
*/
+--
+2.4.3
+
diff --git a/sources b/sources
index 0cbcc710a..d6c489e13 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
3d5ea06d767e2f35c999eeadafc76523 linux-4.2.tar.xz
4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz
6a9a3a0d7627f69cff33dcbb902fb967 patch-4.2-git9.xz
+03499f6f8de1a578e3f9884a3a6cbd18 patch-4.2-git10.xz
diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch
index 4c1211d43..708006c2e 100644
--- a/x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch
@@ -1,6 +1,8 @@
+From 7a3cdd26e6d38031338a6cb591ec2f3faaa9234b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH] x86: Lock down IO port access when module security is enabled
+Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
+ enabled
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
@@ -65,3 +67,6 @@ index 6b1721f978c2..53fe675f9bd7 100644
if (!access_ok(VERIFY_READ, buf, count))
return -EFAULT;
while (count-- > 0 && i < 65536) {
+--
+2.4.3
+
diff --git a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
index 9053f2aea..5c91ab143 100644
--- a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
@@ -1,6 +1,8 @@
+From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH] x86: Restrict MSR access when module loading is restricted
+Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
+ restricted
Writing to MSRs should not be allowed if module loading is restricted,
since it could lead to execution of arbitrary code in kernel mode. Based
@@ -37,3 +39,6 @@ index 113e70784854..26c2f83fc470 100644
if (copy_from_user(&regs, uregs, sizeof regs)) {
err = -EFAULT;
break;
+--
+2.4.3
+