diff options
| author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-10-02 17:02:52 +0200 |
|---|---|---|
| committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-10-02 17:02:52 +0200 |
| commit | 5de4cf03bd7394503f4ae9aa0b932704e59f5662 (patch) | |
| tree | 4c97d17f535b1b706266fdc1e9bf8591b80a408d | |
| parent | adb4c4084b6540ea36307ae756bb9916aa25bd7d (diff) | |
| parent | c16b4f1acf76c41e38f71a038d92b80b77f5b107 (diff) | |
| download | kernel-5de4cf03bd7394503f4ae9aa0b932704e59f5662.tar.gz kernel-5de4cf03bd7394503f4ae9aa0b932704e59f5662.tar.xz kernel-5de4cf03bd7394503f4ae9aa0b932704e59f5662.zip | |
Merge remote-tracking branch 'origin/master' into rawhide-user-thl-vanilla-fedora
76 files changed, 472 insertions, 2396 deletions
diff --git a/0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch b/0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch new file mode 100644 index 000000000..e87612358 --- /dev/null +++ b/0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch @@ -0,0 +1,71 @@ +From 14d329da03ea1145efce866b127b10ea6390b5e1 Mon Sep 17 00:00:00 2001 +From: Murphy Zhou <jencce.kernel@gmail.com> +Date: Sun, 29 Sep 2019 17:56:59 +0800 +Subject: [PATCH] mm/kmemleak: skip late_init if not skip disable + +Now if DEFAULT_OFF set to y, kmemleak_init will start the cleanup_work +workqueue. Then late_init call will set kmemleak_initialized to 1, the +cleaup workqueue will try to do cleanup, triggering: + +[24.738773] ================================================================== +[24.742784] BUG: KASAN: global-out-of-bounds in __kmemleak_do_cleanup+0x166/0x180 +[24.744144] Key type ._fscrypt registered +[24.745680] Read of size 8 at addr ffffffff88746c90 by task kworker/3:1/171 +[24.745687] +[24.745697] CPU: 3 PID: 171 Comm: kworker/3:1 Not tainted 5.3.0-v5.3-12475-gcbafe18 #1 +[24.745701] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[24.745710] Workqueue: events kmemleak_do_cleanup +[24.745717] Call Trace: +[24.745736] dump_stack+0x7c/0xc0 +[24.745755] print_address_description.constprop.4+0x1f/0x300 +[24.751562] Key type .fscrypt registered +[24.754370] __kasan_report.cold.8+0x76/0xb2 +[24.754388] ? __kmemleak_do_cleanup+0x166/0x180 +[24.754407] kasan_report+0xe/0x20 +[24.778543] __kmemleak_do_cleanup+0x166/0x180 +[24.780795] process_one_work+0x919/0x17d0 +[24.782929] ? pwq_dec_nr_in_flight+0x320/0x320 +[24.785092] worker_thread+0x87/0xb40 +[24.786948] ? __kthread_parkme+0xc3/0x190 +[24.789217] ? process_one_work+0x17d0/0x17d0 +[24.791414] kthread+0x333/0x3f0 +[24.793031] ? kthread_create_worker_on_cpu+0xc0/0xc0 +[24.795473] ret_from_fork+0x3a/0x50 +[24.797303] +[24.798091] The buggy address belongs to the variable: +[24.800634] mem_pool_free_count+0x10/0x40 +[24.802656] +[24.803434] Memory state around the buggy address: +[24.805793] ffffffff88746b80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 +[24.809177] ffffffff88746c00: 00 fa fa fa fa fa fa fa 00 00 fa fa fa fa fa fa +[24.812407] >ffffffff88746c80: 04 fa fa fa fa fa fa fa 00 00 fa fa fa fa fa fa +[24.815638] ^ +[24.817372] ffffffff88746d00: 00 00 fa fa fa fa fa fa 00 00 00 00 00 00 00 00 +[24.820740] ffffffff88746d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[24.824021] ================================================================== + +Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations") +Signed-off-by: Murphy Zhou <jencce.kernel@gmail.com> +--- + mm/kmemleak.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/mm/kmemleak.c b/mm/kmemleak.c +index 03a8d84badad..b9baf617fe35 100644 +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1946,6 +1946,11 @@ void __init kmemleak_init(void) + */ + static int __init kmemleak_late_init(void) + { ++ if (!kmemleak_skip_disable) { ++ kmemleak_disable(); ++ return 0; ++ } ++ + kmemleak_initialized = 1; + + debugfs_create_file("kmemleak", 0644, NULL, NULL, &kmemleak_fops); +-- +2.21.0 + diff --git a/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch b/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch index 33b84115e..871105093 100644 --- a/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch +++ b/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch @@ -39,9 +39,9 @@ index 557a47829d0..e8f9c7d84e9 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -31,6 +31,7 @@ - #include <linux/acpi.h> #include <linux/ucs2_string.h> #include <linux/memblock.h> + #include <linux/security.h> +#include <linux/bsearch.h> #include <asm/early_ioremap.h> diff --git a/KEYS-Make-use-of-platform-keyring-for-module-signature.patch b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch index a13dcdba5..7c2a0b68d 100644 --- a/KEYS-Make-use-of-platform-keyring-for-module-signature.patch +++ b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch @@ -13,42 +13,31 @@ As such, kernel modules signed with keys from the MokList variable were not successfully verified. Signed-off-by: Robert Holmes <robeholmes@gmail.com> +Signed-off-by: Jeremy Cline <jcline@redhat.com> --- kernel/module_signing.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/kernel/module_signing.c b/kernel/module_signing.c -index 6b9a926fd86b..cf94220e9154 100644 +index 9d9fc678c91d..84ad75a53c83 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c -@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info) - { - struct module_signature ms; - size_t sig_len, modlen = info->len; -+ int ret; - - pr_devel("==>%s(,%zu)\n", __func__, modlen); - -@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info) - return -EBADMSG; - } +@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info) + modlen -= sig_len + sizeof(ms); + info->len = modlen; - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, -- VERIFY_USE_SECONDARY_KEYRING, -- VERIFYING_MODULE_SIGNATURE, -- NULL, NULL); + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, -+ VERIFY_USE_SECONDARY_KEYRING, -+ VERIFYING_MODULE_SIGNATURE, -+ NULL, NULL); + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, -+ VERIFY_USE_PLATFORM_KEYRING, -+ VERIFYING_MODULE_SIGNATURE, -+ NULL, NULL); ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_MODULE_SIGNATURE, ++ NULL, NULL); + } + return ret; } -- 2.21.0 - diff --git a/arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch b/arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch deleted file mode 100644 index a7f7c8f20..000000000 --- a/arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch +++ /dev/null @@ -1,128 +0,0 @@ -From patchwork Thu Sep 5 19:24:12 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Lee Jones <lee.jones@linaro.org> -X-Patchwork-Id: 11133827 -Return-Path: <SRS0=OmJI=XA=vger.kernel.org=linux-arm-msm-owner@kernel.org> -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DDFD514ED - for <patchwork-linux-arm-msm@patchwork.kernel.org>; - Thu, 5 Sep 2019 19:24:19 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id D540020870 - for <patchwork-linux-arm-msm@patchwork.kernel.org>; - Thu, 5 Sep 2019 19:24:19 +0000 (UTC) -Authentication-Results: mail.kernel.org; - dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org - header.b="j/6kUy9p" -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1727540AbfIETYS (ORCPT - <rfc822;patchwork-linux-arm-msm@patchwork.kernel.org>); - Thu, 5 Sep 2019 15:24:18 -0400 -Received: from mail-wr1-f49.google.com ([209.85.221.49]:36821 "EHLO - mail-wr1-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1726008AbfIETYS (ORCPT - <rfc822;linux-arm-msm@vger.kernel.org>); - Thu, 5 Sep 2019 15:24:18 -0400 -Received: by mail-wr1-f49.google.com with SMTP id y19so4081592wrd.3 - for <linux-arm-msm@vger.kernel.org>; - Thu, 05 Sep 2019 12:24:16 -0700 (PDT) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=linaro.org; s=google; - h=from:to:cc:subject:date:message-id; - bh=19vbMBbLeKgWt8VsEseKuJu+9+rmeS/Lh0ZhXOFWQYc=; - b=j/6kUy9psCaV+YLvz8j0kAZ3/WrmOU3xyh5rDOj0TwK0TnwjLtaLil9Q+C9KpFvvVG - h4R8p4cZFB0U4b/PAfc9Xt4p4xJNkAIpTzL4QRjM+nkXdDcYyiwUGkr9BRJnJmO0lyZB - zmylqwjRd1oOrTQ1tPvwqUV3OUR5u6WA+rDyhn+A516vskkns0bEICMG787HdDEwjigd - +3SR4L9u7swSDpNhqxtfPsn9UFP36sehUfgx32xUcjUhX3ls4RtX+6HCZU+rkeQuILt5 - 0qlmqliIuKXWkQe+ii/gtrK+ulFQ7lEl76YfDJyqXVo4Z357rIhVFAz+mooVn5qpscmU - E+xA== -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20161025; - h=x-gm-message-state:from:to:cc:subject:date:message-id; - bh=19vbMBbLeKgWt8VsEseKuJu+9+rmeS/Lh0ZhXOFWQYc=; - b=QjFuCunKeBkoabY9fIsWTo3krapsS69k52eNtOIeLBaCd7M1lvCmItn41DcbJ5ykqT - RQ0rnlNq35x9QvKNumPai3fMZp9AWt3KpJpxbpEokltyLbkGUqRWaeYTrOtuV9P9nRmT - Yj72UBVzYj4d/G+FGq8EBesWjRyEFC51+RekvPlbRZ/h1fVW7/XAy5cO1ywnHrtNe8pQ - 7gYQJ3Xh1Y09qkiO0i8iru5PSMTK3U+vPSLWVdFOeqMh+Beins6I9mbKf+UX+xa8ECK3 - mEFjYxY57YVx+SpaKrmBwEmu9YXLgXqEif1OH1FHFiKZVQ4ABPp19D4+5JOXEV1tCwUS - B6Qw== -X-Gm-Message-State: APjAAAUM7yEkrkGZ+mbleFtCMQGsXfLQSXt2Bd+K6leuP2oAs8Vj1j9k - 4bsoJvF042q/z9+6bnLlGShjoA== -X-Google-Smtp-Source: - APXvYqyThx0kWliMdrjc7dedZ/+AhabFi7TIc04exnxhWAEkAOh7foRP8Cz8ZjjhxGJCvUyUPA4lFg== -X-Received: by 2002:adf:ea0c:: with SMTP id q12mr4172788wrm.172.1567711455933; - Thu, 05 Sep 2019 12:24:15 -0700 (PDT) -Received: from localhost.localdomain ([95.147.198.36]) - by smtp.gmail.com with ESMTPSA id - q24sm7942378wmc.3.2019.09.05.12.24.14 - (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); - Thu, 05 Sep 2019 12:24:14 -0700 (PDT) -From: Lee Jones <lee.jones@linaro.org> -To: alokc@codeaurora.org, agross@kernel.org, robh+dt@kernel.org, - mark.rutland@arm.com, bjorn.andersson@linaro.org, vkoul@kernel.org, - wsa@the-dreams.de -Cc: linux-i2c@vger.kernel.org, linux-arm-msm@vger.kernel.org, - devicetree@vger.kernel.org, Lee Jones <lee.jones@linaro.org> -Subject: [RESEND v3 1/1] i2c: qcom-geni: Disable DMA processing on the Lenovo - Yoga C630 -Date: Thu, 5 Sep 2019 20:24:12 +0100 -Message-Id: <20190905192412.23116-1-lee.jones@linaro.org> -X-Mailer: git-send-email 2.17.1 -Sender: linux-arm-msm-owner@vger.kernel.org -Precedence: bulk -List-ID: <linux-arm-msm.vger.kernel.org> -X-Mailing-List: linux-arm-msm@vger.kernel.org - -We have a production-level laptop (Lenovo Yoga C630) which is exhibiting -a rather horrific bug. When I2C HID devices are being scanned for at -boot-time the QCom Geni based I2C (Serial Engine) attempts to use DMA. -When it does, the laptop reboots and the user never sees the OS. - -Attempts are being made to debug the reason for the spontaneous reboot. -No luck so far, hence the requirement for this hot-fix. This workaround -will be removed once we have a viable fix. - -Signed-off-by: Lee Jones <lee.jones@linaro.org> ---- - drivers/i2c/busses/i2c-qcom-geni.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c -index a89bfce5388e..17abf60c94ae 100644 ---- a/drivers/i2c/busses/i2c-qcom-geni.c -+++ b/drivers/i2c/busses/i2c-qcom-geni.c -@@ -355,11 +355,13 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg, - { - dma_addr_t rx_dma; - unsigned long time_left; -- void *dma_buf; -+ void *dma_buf = NULL; - struct geni_se *se = &gi2c->se; - size_t len = msg->len; - -- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32); -+ if (!of_machine_is_compatible("lenovo,yoga-c630")) -+ dma_buf = i2c_get_dma_safe_msg_buf(msg, 32); -+ - if (dma_buf) - geni_se_select_mode(se, GENI_SE_DMA); - else -@@ -394,11 +396,13 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg, - { - dma_addr_t tx_dma; - unsigned long time_left; -- void *dma_buf; -+ void *dma_buf = NULL; - struct geni_se *se = &gi2c->se; - size_t len = msg->len; - -- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32); -+ if (!of_machine_is_compatible("lenovo,yoga-c630")) -+ dma_buf = i2c_get_dma_safe_msg_buf(msg, 32); -+ - if (dma_buf) - geni_se_select_mode(se, GENI_SE_DMA); - else diff --git a/configs/fedora/generic/CONFIG_CROS_EC_CHARDEV b/configs/fedora/generic/CONFIG_CROS_EC_CHARDEV deleted file mode 100644 index 3fab49bb4..000000000 --- a/configs/fedora/generic/CONFIG_CROS_EC_CHARDEV +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CROS_EC_CHARDEV is not set diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG b/configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG new file mode 100644 index 000000000..2718d4513 --- /dev/null +++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG @@ -0,0 +1 @@ +# CONFIG_IMA_APPRAISE_MODSIG is not set diff --git a/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY new file mode 100644 index 000000000..97079e8b0 --- /dev/null +++ b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY @@ -0,0 +1 @@ +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff --git a/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY new file mode 100644 index 000000000..895927de3 --- /dev/null +++ b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY @@ -0,0 +1 @@ +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set diff --git a/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE new file mode 100644 index 000000000..9c975c314 --- /dev/null +++ b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE @@ -0,0 +1 @@ +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y diff --git a/configs/fedora/generic/CONFIG_MFD_CROS_EC_DEV b/configs/fedora/generic/CONFIG_MFD_CROS_EC_DEV deleted file mode 100644 index a3f848d39..000000000 --- a/configs/fedora/generic/CONFIG_MFD_CROS_EC_DEV +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_MFD_CROS_EC_DEV is not set diff --git a/configs/fedora/generic/CONFIG_OPTIMIZE_INLINING b/configs/fedora/generic/CONFIG_OPTIMIZE_INLINING index b7e716809..6991e6d3f 100644 --- a/configs/fedora/generic/CONFIG_OPTIMIZE_INLINING +++ b/configs/fedora/generic/CONFIG_OPTIMIZE_INLINING @@ -1 +1 @@ -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y diff --git a/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM b/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM new file mode 100644 index 000000000..4a55be3bb --- /dev/null +++ b/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM @@ -0,0 +1 @@ +CONFIG_SECURITY_LOCKDOWN_LSM=y diff --git a/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY b/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY new file mode 100644 index 000000000..edb6d0007 --- /dev/null +++ b/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY @@ -0,0 +1 @@ +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/configs/fedora/generic/CONFIG_SND_HDA_INTEL b/configs/fedora/generic/CONFIG_SND_HDA_INTEL index dfe74ea98..6f057ecfe 100644 --- a/configs/fedora/generic/CONFIG_SND_HDA_INTEL +++ b/configs/fedora/generic/CONFIG_SND_HDA_INTEL @@ -1 +1 @@ -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set diff --git a/configs/fedora/generic/CONFIG_VIRTIO_FS b/configs/fedora/generic/CONFIG_VIRTIO_FS new file mode 100644 index 000000000..9fe646616 --- /dev/null +++ b/configs/fedora/generic/CONFIG_VIRTIO_FS @@ -0,0 +1 @@ +CONFIG_VIRTIO_FS=m diff --git a/configs/fedora/generic/arm/CONFIG_ARM_PSCI_CPUIDLE b/configs/fedora/generic/arm/CONFIG_ARM_PSCI_CPUIDLE index 5d304af48..29843b961 100644 --- a/configs/fedora/generic/arm/CONFIG_ARM_PSCI_CPUIDLE +++ b/configs/fedora/generic/arm/CONFIG_ARM_PSCI_CPUIDLE @@ -1 +1 @@ -# CONFIG_ARM_PSCI_CPUIDLE is not set +CONFIG_ARM_PSCI_CPUIDLE=y diff --git a/configs/fedora/generic/arm/CONFIG_ARM_PSCI_FW b/configs/fedora/generic/arm/CONFIG_ARM_PSCI_FW new file mode 100644 index 000000000..8f3a93575 --- /dev/null +++ b/configs/fedora/generic/arm/CONFIG_ARM_PSCI_FW @@ -0,0 +1 @@ +CONFIG_ARM_PSCI_FW=y diff --git a/configs/fedora/generic/arm/CONFIG_ARM_TEGRA20_DEVFREQ b/configs/fedora/generic/arm/CONFIG_ARM_TEGRA20_DEVFREQ deleted file mode 100644 index 494e80851..000000000 --- a/configs/fedora/generic/arm/CONFIG_ARM_TEGRA20_DEVFREQ +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_ARM_TEGRA20_DEVFREQ is not set diff --git a/configs/fedora/generic/arm/CONFIG_CROS_EC_CHARDEV b/configs/fedora/generic/arm/CONFIG_CROS_EC_CHARDEV new file mode 100644 index 000000000..a3df83240 --- /dev/null +++ b/configs/fedora/generic/arm/CONFIG_CROS_EC_CHARDEV @@ -0,0 +1 @@ +CONFIG_CROS_EC_CHARDEV=m diff --git a/configs/fedora/generic/arm/CONFIG_GPIO_MOXTET b/configs/fedora/generic/arm/CONFIG_GPIO_MOXTET new file mode 100644 index 000000000..14a747e37 --- /dev/null +++ b/configs/fedora/generic/arm/CONFIG_GPIO_MOXTET @@ -0,0 +1 @@ +CONFIG_GPIO_MOXTET=m diff --git a/configs/fedora/generic/arm/CONFIG_IMX7ULP_WDT b/configs/fedora/generic/arm/CONFIG_IMX7ULP_WDT new file mode 100644 index 000000000..fc7a20637 --- /dev/null +++ b/configs/fedora/generic/arm/CONFIG_IMX7ULP_WDT @@ -0,0 +1 @@ +# CONFIG_IMX7ULP_WDT is not set diff --git a/configs/fedora/generic/arm/CONFIG_MFD_CROS_EC b/configs/fedora/generic/arm/CONFIG_MFD_CROS_EC deleted file mode 100644 index 3600231f6..000000000 --- a/configs/fedora/generic/arm/CONFIG_MFD_CROS_EC +++ /dev/null @@ -1 +0,0 @@ -CONFIG_MFD_CROS_EC=m diff --git a/configs/fedora/generic/arm/CONFIG_MFD_CROS_EC_DEV b/configs/fedora/generic/arm/CONFIG_MFD_CROS_EC_DEV new file mode 100644 index 000000000..a4fd1512e --- /dev/null +++ b/configs/fedora/generic/arm/CONFIG_MFD_CROS_EC_DEV @@ -0,0 +1 @@ +CONFIG_MFD_CROS_EC_DEV=m diff --git a/configs/fedora/generic/arm/CONFIG_MOXTET b/configs/fedora/generic/arm/CONFIG_MOXTET new file mode 100644 index 000000000..29810388f --- /dev/null +++ b/configs/fedora/generic/arm/CONFIG_MOXTET @@ -0,0 +1 @@ +CONFIG_MOXTET=m diff --git a/configs/fedora/generic/arm/CONFIG_RTC_DRV_MESON_VRTC b/configs/fedora/generic/arm/CONFIG_RTC_DRV_MESON_VRTC index 41e7719b0..4ae0ab82f 100644 --- a/configs/fedora/generic/arm/CONFIG_RTC_DRV_MESON_VRTC +++ b/configs/fedora/generic/arm/CONFIG_RTC_DRV_MESON_VRTC @@ -1 +1 @@ -# CONFIG_RTC_DRV_MESON_VRTC is not set +CONFIG_RTC_DRV_MESON_VRTC=m diff --git a/configs/fedora/generic/CONFIG_TCG_FTPM_TEE b/configs/fedora/generic/arm/CONFIG_TCG_FTPM_TEE index f84ad6543..f84ad6543 100644 --- a/configs/fedora/generic/CONFIG_TCG_FTPM_TEE +++ b/configs/fedora/generic/arm/CONFIG_TCG_FTPM_TEE diff --git a/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG b/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG new file mode 100644 index 000000000..67b688658 --- /dev/null +++ b/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG @@ -0,0 +1 @@ +CONFIG_KEXEC_SIG=y diff --git a/configs/fedora/generic/arm/aarch64/CONFIG_RTC_DRV_FSL_FTM_ALARM b/configs/fedora/generic/arm/aarch64/CONFIG_RTC_DRV_FSL_FTM_ALARM index 703404f40..390851818 100644 --- a/configs/fedora/generic/arm/aarch64/CONFIG_RTC_DRV_FSL_FTM_ALARM +++ b/configs/fedora/generic/arm/aarch64/CONFIG_RTC_DRV_FSL_FTM_ALARM @@ -1 +1 @@ -# CONFIG_RTC_DRV_FSL_FTM_ALARM is not set +CONFIG_RTC_DRV_FSL_FTM_ALARM=m diff --git a/configs/fedora/generic/arm/aarch64/CONFIG_SM_GCC_8150 b/configs/fedora/generic/arm/aarch64/CONFIG_SM_GCC_8150 new file mode 100644 index 000000000..3e341c392 --- /dev/null +++ b/configs/fedora/generic/arm/aarch64/CONFIG_SM_GCC_8150 @@ -0,0 +1 @@ +CONFIG_SM_GCC_8150=y diff --git a/configs/fedora/generic/arm/armv7/CONFIG_EDAC_ARMADA_XP b/configs/fedora/generic/arm/armv7/CONFIG_EDAC_ARMADA_XP index aac50a620..301caab79 100644 --- a/configs/fedora/generic/arm/armv7/CONFIG_EDAC_ARMADA_XP +++ b/configs/fedora/generic/arm/armv7/CONFIG_EDAC_ARMADA_XP @@ -1 +1 @@ -# CONFIG_EDAC_ARMADA_XP is not set +CONFIG_EDAC_ARMADA_XP=y diff --git a/configs/fedora/generic/arm/armv7/armv7/CONFIG_ARM_TEGRA20_DEVFREQ b/configs/fedora/generic/arm/armv7/armv7/CONFIG_ARM_TEGRA20_DEVFREQ new file mode 100644 index 000000000..c3c35e684 --- /dev/null +++ b/configs/fedora/generic/arm/armv7/armv7/CONFIG_ARM_TEGRA20_DEVFREQ @@ -0,0 +1 @@ +CONFIG_ARM_TEGRA20_DEVFREQ=m diff --git a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_LGPHILIPS_LB035Q02 b/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_LGPHILIPS_LB035Q02 deleted file mode 100644 index 59d16a459..000000000 --- a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_LGPHILIPS_LB035Q02 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_DRM_OMAP_PANEL_LGPHILIPS_LB035Q02=m diff --git a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_NEC_NL8048HL11 b/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_NEC_NL8048HL11 deleted file mode 100644 index 8751af145..000000000 --- a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_NEC_NL8048HL11 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_DRM_OMAP_PANEL_NEC_NL8048HL11=m diff --git a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_SHARP_LS037V7DW01 b/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_SHARP_LS037V7DW01 deleted file mode 100644 index fe01d0a37..000000000 --- a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_SHARP_LS037V7DW01 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_DRM_OMAP_PANEL_SHARP_LS037V7DW01=m diff --git a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_SONY_ACX565AKM b/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_SONY_ACX565AKM deleted file mode 100644 index d4629e2b7..000000000 --- a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_SONY_ACX565AKM +++ /dev/null @@ -1 +0,0 @@ -CONFIG_DRM_OMAP_PANEL_SONY_ACX565AKM=m diff --git a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_TPO_TD028TTEC1 b/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_TPO_TD028TTEC1 deleted file mode 100644 index de91d35b4..000000000 --- a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_TPO_TD028TTEC1 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_DRM_OMAP_PANEL_TPO_TD028TTEC1=m diff --git a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_TPO_TD043MTEA1 b/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_TPO_TD043MTEA1 deleted file mode 100644 index 9a503f8e7..000000000 --- a/configs/fedora/generic/arm/armv7/armv7/CONFIG_DRM_OMAP_PANEL_TPO_TD043MTEA1 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_DRM_OMAP_PANEL_TPO_TD043MTEA1=m diff --git a/configs/fedora/generic/s390x/CONFIG_KEXEC_SIG b/configs/fedora/generic/s390x/CONFIG_KEXEC_SIG new file mode 100644 index 000000000..67b688658 --- /dev/null +++ b/configs/fedora/generic/s390x/CONFIG_KEXEC_SIG @@ -0,0 +1 @@ +CONFIG_KEXEC_SIG=y diff --git a/configs/fedora/generic/x86/CONFIG_CROS_EC b/configs/fedora/generic/x86/CONFIG_CROS_EC index 1ad522e6a..bd6dd449b 100644 --- a/configs/fedora/generic/x86/CONFIG_CROS_EC +++ b/configs/fedora/generic/x86/CONFIG_CROS_EC @@ -1 +1 @@ -CONFIG_CROS_EC=m +# CONFIG_CROS_EC is not set diff --git a/configs/fedora/generic/x86/CONFIG_CROS_EC_I2C b/configs/fedora/generic/x86/CONFIG_CROS_EC_I2C deleted file mode 100644 index 67550eb9c..000000000 --- a/configs/fedora/generic/x86/CONFIG_CROS_EC_I2C +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CROS_EC_I2C=m diff --git a/configs/fedora/generic/x86/CONFIG_CROS_EC_LPC b/configs/fedora/generic/x86/CONFIG_CROS_EC_LPC deleted file mode 100644 index 7de54fecd..000000000 --- a/configs/fedora/generic/x86/CONFIG_CROS_EC_LPC +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CROS_EC_LPC is not set diff --git a/configs/fedora/generic/x86/CONFIG_CROS_EC_PROTO b/configs/fedora/generic/x86/CONFIG_CROS_EC_PROTO deleted file mode 100644 index 96a1e9bcb..000000000 --- a/configs/fedora/generic/x86/CONFIG_CROS_EC_PROTO +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CROS_EC_PROTO=y diff --git a/configs/fedora/generic/x86/CONFIG_CROS_EC_SPI b/configs/fedora/generic/x86/CONFIG_CROS_EC_SPI deleted file mode 100644 index 54b52bed4..000000000 --- a/configs/fedora/generic/x86/CONFIG_CROS_EC_SPI +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CROS_EC_SPI=m diff --git a/configs/fedora/generic/x86/CONFIG_EXTCON_USBC_CROS_EC b/configs/fedora/generic/x86/CONFIG_EXTCON_USBC_CROS_EC deleted file mode 100644 index 06a7e44b6..000000000 --- a/configs/fedora/generic/x86/CONFIG_EXTCON_USBC_CROS_EC +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_EXTCON_USBC_CROS_EC is not set diff --git a/configs/fedora/generic/x86/CONFIG_I2C_CROS_EC_TUNNEL b/configs/fedora/generic/x86/CONFIG_I2C_CROS_EC_TUNNEL deleted file mode 100644 index 01606add6..000000000 --- a/configs/fedora/generic/x86/CONFIG_I2C_CROS_EC_TUNNEL +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_I2C_CROS_EC_TUNNEL is not set diff --git a/configs/fedora/generic/x86/CONFIG_IIO_CROS_EC_SENSORS_CORE b/configs/fedora/generic/x86/CONFIG_IIO_CROS_EC_SENSORS_CORE deleted file mode 100644 index 9a7ec394f..000000000 --- a/configs/fedora/generic/x86/CONFIG_IIO_CROS_EC_SENSORS_CORE +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_IIO_CROS_EC_SENSORS_CORE is not set diff --git a/configs/fedora/generic/x86/CONFIG_KEYBOARD_CROS_EC b/configs/fedora/generic/x86/CONFIG_KEYBOARD_CROS_EC deleted file mode 100644 index 051955397..000000000 --- a/configs/fedora/generic/x86/CONFIG_KEYBOARD_CROS_EC +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_KEYBOARD_CROS_EC is not set diff --git a/configs/fedora/generic/x86/CONFIG_PWM_CROS_EC b/configs/fedora/generic/x86/CONFIG_PWM_CROS_EC deleted file mode 100644 index 5e2b1eb81..000000000 --- a/configs/fedora/generic/x86/CONFIG_PWM_CROS_EC +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_PWM_CROS_EC is not set diff --git a/configs/fedora/generic/x86/CONFIG_RTC_DRV_CROS_EC b/configs/fedora/generic/x86/CONFIG_RTC_DRV_CROS_EC deleted file mode 100644 index f4844f71a..000000000 --- a/configs/fedora/generic/x86/CONFIG_RTC_DRV_CROS_EC +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_RTC_DRV_CROS_EC is not set diff --git a/configs/fedora/generic/x86/CONFIG_SND_HDA_INTEL b/configs/fedora/generic/x86/CONFIG_SND_HDA_INTEL new file mode 100644 index 000000000..dfe74ea98 --- /dev/null +++ b/configs/fedora/generic/x86/CONFIG_SND_HDA_INTEL @@ -0,0 +1 @@ +CONFIG_SND_HDA_INTEL=m diff --git a/configs/fedora/generic/x86/CONFIG_SND_HDA_INTEL_DETECT_DMIC b/configs/fedora/generic/x86/CONFIG_SND_HDA_INTEL_DETECT_DMIC index c0a8ee9a6..501f523b0 100644 --- a/configs/fedora/generic/x86/CONFIG_SND_HDA_INTEL_DETECT_DMIC +++ b/configs/fedora/generic/x86/CONFIG_SND_HDA_INTEL_DETECT_DMIC @@ -1 +1 @@ -CONFIG_SND_HDA_INTEL_DETECT_DMIC=y +# CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set diff --git a/configs/fedora/generic/x86/CONFIG_SND_SOC_CROS_EC_CODEC b/configs/fedora/generic/x86/CONFIG_SND_SOC_CROS_EC_CODEC deleted file mode 100644 index ee20b04c0..000000000 --- a/configs/fedora/generic/x86/CONFIG_SND_SOC_CROS_EC_CODEC +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_SND_SOC_CROS_EC_CODEC is not set diff --git a/configs/fedora/generic/x86/CONFIG_VIDEO_CROS_EC_CEC b/configs/fedora/generic/x86/CONFIG_VIDEO_CROS_EC_CEC deleted file mode 100644 index 180ec3f10..000000000 --- a/configs/fedora/generic/x86/CONFIG_VIDEO_CROS_EC_CEC +++ /dev/null @@ -1 +0,0 @@ -CONFIG_VIDEO_CROS_EC_CEC=m diff --git a/configs/fedora/generic/x86/x86_64/CONFIG_CROS_EC_CHARDEV b/configs/fedora/generic/x86/x86_64/CONFIG_CROS_EC_CHARDEV new file mode 100644 index 000000000..a3df83240 --- /dev/null +++ b/configs/fedora/generic/x86/x86_64/CONFIG_CROS_EC_CHARDEV @@ -0,0 +1 @@ +CONFIG_CROS_EC_CHARDEV=m diff --git a/configs/fedora/generic/x86/x86_64/CONFIG_MFD_CROS_EC b/configs/fedora/generic/x86/x86_64/CONFIG_MFD_CROS_EC deleted file mode 100644 index 3600231f6..000000000 --- a/configs/fedora/generic/x86/x86_64/CONFIG_MFD_CROS_EC +++ /dev/null @@ -1 +0,0 @@ -CONFIG_MFD_CROS_EC=m diff --git a/configs/fedora/generic/x86/x86_64/CONFIG_MFD_CROS_EC_DEV b/configs/fedora/generic/x86/x86_64/CONFIG_MFD_CROS_EC_DEV new file mode 100644 index 000000000..a4fd1512e --- /dev/null +++ b/configs/fedora/generic/x86/x86_64/CONFIG_MFD_CROS_EC_DEV @@ -0,0 +1 @@ +CONFIG_MFD_CROS_EC_DEV=m diff --git a/configs/fedora/generic/x86/x86_64/CONFIG_OPTIMIZE_INLINING b/configs/fedora/generic/x86/x86_64/CONFIG_OPTIMIZE_INLINING deleted file mode 100644 index 6991e6d3f..000000000 --- a/configs/fedora/generic/x86/x86_64/CONFIG_OPTIMIZE_INLINING +++ /dev/null @@ -1 +0,0 @@ -CONFIG_OPTIMIZE_INLINING=y diff --git a/efi-lockdown.patch b/efi-lockdown.patch index c213cfce9..be4f35e07 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -1,1826 +1,3 @@ -From 4f426f922e12f0ffaed373536f68531e18d68495 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:44:57 +0000 -Subject: [PATCH 01/29] Add the ability to lock down access to the running - kernel image - -Provide a single call to allow kernel code to determine whether the system -should be locked down, thereby disallowing various accesses that might -allow the running kernel image to be changed including the loading of -modules that aren't validly signed with a key we recognise, fiddling with -MSR registers and disallowing hibernation. - -Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: James Morris <james.l.morris@oracle.com> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - include/linux/kernel.h | 17 ++++++++++++ - include/linux/security.h | 9 +++++- - security/Kconfig | 15 ++++++++++ - security/Makefile | 3 ++ - security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 103 insertions(+), 1 deletion(-) - create mode 100644 security/lock_down.c - -diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 0c9bc231107f..f71008b0a641 100644 ---- a/include/linux/kernel.h -+++ b/include/linux/kernel.h -@@ -312,6 +312,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) - { } - #endif - -+#ifdef CONFIG_LOCK_DOWN_KERNEL -+extern bool __kernel_is_locked_down(const char *what, bool first); -+#else -+static inline bool __kernel_is_locked_down(const char *what, bool first) -+{ -+ return false; -+} -+#endif -+ -+#define kernel_is_locked_down(what) \ -+ ({ \ -+ static bool message_given; \ -+ bool locked_down = __kernel_is_locked_down(what, !message_given); \ -+ message_given = true; \ -+ locked_down; \ -+ }) -+ - /* Internal, do not use. */ - int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); - int __must_check _kstrtol(const char *s, unsigned int base, long *res); -diff --git a/include/linux/security.h b/include/linux/security.h -index 5f7441abbf42..fd7579c879a6 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -1829,5 +1829,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux) - #endif /* CONFIG_SECURITY */ - #endif /* CONFIG_BPF_SYSCALL */ - --#endif /* ! __LINUX_SECURITY_H */ -+#ifdef CONFIG_LOCK_DOWN_KERNEL -+extern void __init init_lockdown(void); -+#else -+static inline void __init init_lockdown(void) -+{ -+} -+#endif - -+#endif /* ! __LINUX_SECURITY_H */ -diff --git a/security/Kconfig b/security/Kconfig -index 06a30851511a..720cf9dee2b4 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -230,6 +230,21 @@ config STATIC_USERMODEHELPER_PATH - If you wish for all usermode helper programs to be disabled, - specify an empty string here (i.e. ""). - -+config LOCK_DOWN_KERNEL -+ bool "Allow the kernel to be 'locked down'" -+ help -+ Allow the kernel to be locked down. If lockdown support is enabled -+ and activated, the kernel will impose additional restrictions -+ intended to prevent uid 0 from being able to modify the running -+ kernel. This may break userland applications that rely on low-level -+ access to hardware. -+ -+config LOCK_DOWN_KERNEL_FORCE -+ bool "Enable kernel lockdown mode automatically" -+ depends on LOCK_DOWN_KERNEL -+ help -+ Enable the kernel lock down functionality automatically at boot. -+ - source "security/selinux/Kconfig" - source "security/smack/Kconfig" - source "security/tomoyo/Kconfig" -diff --git a/security/Makefile b/security/Makefile -index c598b904938f..5ff090149c88 100644 ---- a/security/Makefile -+++ b/security/Makefile -@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o - # Object integrity file lists - subdir-$(CONFIG_INTEGRITY) += integrity - obj-$(CONFIG_INTEGRITY) += integrity/ -+ -+# Allow the kernel to be locked down -+obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o -diff --git a/security/lock_down.c b/security/lock_down.c -new file mode 100644 -index 000000000000..18d8776a4d02 ---- /dev/null -+++ b/security/lock_down.c -@@ -0,0 +1,60 @@ -+// SPDX-License-Identifier: GPL-2.0 -+/* Lock down the kernel -+ * -+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#include <linux/security.h> -+#include <linux/export.h> -+ -+static __ro_after_init bool kernel_locked_down; -+ -+/* -+ * Put the kernel into lock-down mode. -+ */ -+static void __init lock_kernel_down(const char *where) -+{ -+ if (!kernel_locked_down) { -+ kernel_locked_down = true; -+ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", -+ where); -+ } -+} -+ -+static int __init lockdown_param(char *ignored) -+{ -+ lock_kernel_down("command line"); -+ return 0; -+} -+ -+early_param("lockdown", lockdown_param); -+ -+/* -+ * Lock the kernel down from very early in the arch setup. This must happen -+ * prior to things like ACPI being initialised. -+ */ -+void __init init_lockdown(void) -+{ -+#ifdef CONFIG_LOCK_DOWN_FORCE -+ lock_kernel_down("Kernel configuration"); -+#endif -+} -+ -+/** -+ * kernel_is_locked_down - Find out if the kernel is locked down -+ * @what: Tag to use in notice generated if lockdown is in effect -+ */ -+bool __kernel_is_locked_down(const char *what, bool first) -+{ -+ if (what && first && kernel_locked_down) -+ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", -+ what); -+ return kernel_locked_down; -+} -+EXPORT_SYMBOL(__kernel_is_locked_down); --- -2.21.0 - - -From 7b3d34ce99e1db6152f3f350f7512ed67712d2bb Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 02/29] Enforce module signatures if the kernel is locked down - -If the kernel is locked down, require that all modules have valid -signatures that we can verify. - -I have adjusted the errors generated: - - (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, - ENOKEY), then: - - (a) If signatures are enforced then EKEYREJECTED is returned. - - (b) If there's no signature or we can't check it, but the kernel is - locked down then EPERM is returned (this is then consistent with - other lockdown cases). - - (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails - the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we - return the error we got. - -Note that the X.509 code doesn't check for key expiry as the RTC might not -be valid or might not have been transferred to the kernel's clock yet. - - [Modified by Matthew Garrett to remove the IMA integration. This will - be replaced with integration with the IMA architecture policy - patchset.] - -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Jiri Bohac <jbohac@suse.cz> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> -Cc: Jessica Yu <jeyu@kernel.org> ---- - kernel/module.c | 39 ++++++++++++++++++++++++++++++++------- - 1 file changed, 32 insertions(+), 7 deletions(-) - -diff --git a/kernel/module.c b/kernel/module.c -index a2cee14a83f3..c771a183b741 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -2753,8 +2753,9 @@ static inline void kmemleak_load_module(const struct module *mod, - #ifdef CONFIG_MODULE_SIG - static int module_sig_check(struct load_info *info, int flags) - { -- int err = -ENOKEY; -+ int err = -ENODATA; - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; -+ const char *reason; - const void *mod = info->hdr; - - /* -@@ -2769,16 +2770,40 @@ static int module_sig_check(struct load_info *info, int flags) - err = mod_verify_sig(mod, info); - } - -- if (!err) { -+ switch (err) { -+ case 0: - info->sig_ok = true; - return 0; -- } - -- /* Not having a signature is only an error if we're strict. */ -- if (err == -ENOKEY && !is_module_sig_enforced()) -- err = 0; -+ /* We don't permit modules to be loaded into trusted kernels -+ * without a valid signature on them, but if we're not -+ * enforcing, certain errors are non-fatal. -+ */ -+ case -ENODATA: -+ reason = "Loading of unsigned module"; -+ goto decide; -+ case -ENOPKG: -+ reason = "Loading of module with unsupported crypto"; -+ goto decide; -+ case -ENOKEY: -+ reason = "Loading of module with unavailable key"; -+ decide: -+ if (is_module_sig_enforced()) { -+ pr_notice("%s is rejected\n", reason); -+ return -EKEYREJECTED; -+ } - -- return err; -+ if (kernel_is_locked_down(reason)) -+ return -EPERM; -+ return 0; -+ -+ /* All other errors are fatal, including nomem, unparseable -+ * signatures and signature check failures - even if signatures -+ * aren't required. -+ */ -+ default: -+ return err; -+ } - } - #else /* !CONFIG_MODULE_SIG */ - static int module_sig_check(struct load_info *info, int flags) --- -2.21.0 - - -From e6cee3fcc560211fbc3d1efaf048ad4b987a4b73 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 03/29] Restrict /dev/{mem,kmem,port} when the kernel is locked - down - -Allowing users to read and write to core kernel memory makes it possible -for the kernel to be subverted, avoiding module loading restrictions, and -also to steal cryptographic information. - -Disallow /dev/mem and /dev/kmem from being opened this when the kernel has -been locked down to prevent this. - -Also disallow /dev/port from being opened to prevent raw ioport access and -thus DMA from being used to accomplish the same thing. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> -Cc: x86@kernel.org ---- - drivers/char/mem.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index b08dc50f9f26..0a2f2e75d5f4 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) - - static int open_port(struct inode *inode, struct file *filp) - { -+ if (kernel_is_locked_down("/dev/mem,kmem,port")) -+ return -EPERM; - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; - } - --- -2.21.0 - - -From 1fe9d9809a7bedff1c0a043f5bcaf128d479fe24 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 04/29] kexec_load: Disable at runtime if the kernel is locked - down - -The kexec_load() syscall permits the loading and execution of arbitrary -code in ring 0, which is something that lock-down is meant to prevent. It -makes sense to disable kexec_load() in this situation. - -This does not affect kexec_file_load() syscall which can check for a -signature on the image to be booted. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: Dave Young <dyoung@redhat.com> -cc: kexec@lists.infradead.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - kernel/kexec.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/kernel/kexec.c b/kernel/kexec.c -index 1b018f1a6e0d..fc87f152c229 100644 ---- a/kernel/kexec.c -+++ b/kernel/kexec.c -@@ -205,6 +205,13 @@ static inline int kexec_load_check(unsigned long nr_segments, - if (result < 0) - return result; - -+ /* -+ * kexec can be used to circumvent module loading restrictions, so -+ * prevent loading in that case -+ */ -+ if (kernel_is_locked_down("kexec of unsigned images")) -+ return -EPERM; -+ - /* - * Verify we have a legal set of flags - * This leaves us room for future extensions. --- -2.21.0 - - -From b1dbde991ca218ddc1b25e293e94e72907b2b2dc Mon Sep 17 00:00:00 2001 -From: Dave Young <dyoung@redhat.com> -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 05/29] Copy secure_boot flag in boot params across kexec - reboot - -Kexec reboot in case secure boot being enabled does not keep the secure -boot mode in new kernel, so later one can load unsigned kernel via legacy -kexec_load. In this state, the system is missing the protections provided -by secure boot. - -Adding a patch to fix this by retain the secure_boot flag in original -kernel. - -secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the -stub. Fixing this issue by copying secure_boot flag across kexec reboot. - -Signed-off-by: Dave Young <dyoung@redhat.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: kexec@lists.infradead.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - arch/x86/kernel/kexec-bzimage64.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c -index 5ebcd02cbca7..d2f4e706a428 100644 ---- a/arch/x86/kernel/kexec-bzimage64.c -+++ b/arch/x86/kernel/kexec-bzimage64.c -@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, - if (efi_enabled(EFI_OLD_MEMMAP)) - return 0; - -+ params->secure_boot = boot_params.secure_boot; - ei->efi_loader_signature = current_ei->efi_loader_signature; - ei->efi_systab = current_ei->efi_systab; - ei->efi_systab_hi = current_ei->efi_systab_hi; --- -2.21.0 - - -From 054c9d4879b81dcf7c49c5815c30db59ad9356ea Mon Sep 17 00:00:00 2001 -From: Jiri Bohac <jbohac@suse.cz> -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 06/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and - KEXEC_SIG_FORCE - -This is a preparatory patch for kexec_file_load() lockdown. A locked down -kernel needs to prevent unsigned kernel images from being loaded with -kexec_file_load(). Currently, the only way to force the signature -verification is compiling with KEXEC_VERIFY_SIG. This prevents loading -usigned images even when the kernel is not locked down at runtime. - -This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. -Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG -turns on the signature verification but allows unsigned images to be -loaded. KEXEC_SIG_FORCE disallows images without a valid signature. - -[Modified by David Howells such that: - - (1) verify_pefile_signature() differentiates between no-signature and - sig-didn't-match in its returned errors. - - (2) kexec fails with EKEYREJECTED and logs an appropriate message if - signature checking is enforced and an signature is not found, uses - unsupported crypto or has no matching key. - - (3) kexec fails with EKEYREJECTED if there is a signature for which we - have a key, but signature doesn't match - even if in non-forcing mode. - - (4) kexec fails with EBADMSG or some other error if there is a signature - which cannot be parsed - even if in non-forcing mode. - - (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract - the signature - even if in non-forcing mode. - -] - -Signed-off-by: Jiri Bohac <jbohac@suse.cz> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Jiri Bohac <jbohac@suse.cz> -cc: kexec@lists.infradead.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - arch/x86/Kconfig | 20 ++++++++--- - crypto/asymmetric_keys/verify_pefile.c | 4 ++- - include/linux/kexec.h | 4 +-- - kernel/kexec_file.c | 48 ++++++++++++++++++++++---- - 4 files changed, 61 insertions(+), 15 deletions(-) - -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 879741336771..df9592ce8503 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -2026,20 +2026,30 @@ config KEXEC_FILE - config ARCH_HAS_KEXEC_PURGATORY - def_bool KEXEC_FILE - --config KEXEC_VERIFY_SIG -+config KEXEC_SIG - bool "Verify kernel signature during kexec_file_load() syscall" - depends on KEXEC_FILE - ---help--- -- This option makes kernel signature verification mandatory for -- the kexec_file_load() syscall. - -- In addition to that option, you need to enable signature -+ This option makes the kexec_file_load() syscall check for a valid -+ signature of the kernel image. The image can still be loaded without -+ a valid signature unless you also enable KEXEC_SIG_FORCE, though if -+ there's a signature that we can check, then it must be valid. -+ -+ In addition to this option, you need to enable signature - verification for the corresponding kernel image type being - loaded in order for this to work. - -+config KEXEC_SIG_FORCE -+ bool "Require a valid signature in kexec_file_load() syscall" -+ depends on KEXEC_SIG -+ ---help--- -+ This option makes kernel signature verification mandatory for -+ the kexec_file_load() syscall. -+ - config KEXEC_BZIMAGE_VERIFY_SIG - bool "Enable bzImage signature verification support" -- depends on KEXEC_VERIFY_SIG -+ depends on KEXEC_SIG - depends on SIGNED_PE_FILE_VERIFICATION - select SYSTEM_TRUSTED_KEYRING - ---help--- -diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c -index 3b303fe2f061..cc9dbcecaaca 100644 ---- a/crypto/asymmetric_keys/verify_pefile.c -+++ b/crypto/asymmetric_keys/verify_pefile.c -@@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, - - if (!ddir->certs.virtual_address || !ddir->certs.size) { - pr_debug("Unsigned PE binary\n"); -- return -EKEYREJECTED; -+ return -ENODATA; - } - - chkaddr(ctx->header_size, ddir->certs.virtual_address, -@@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, - * (*) 0 if at least one signature chain intersects with the keys in the trust - * keyring, or: - * -+ * (*) -ENODATA if there is no signature present. -+ * - * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a - * chain. - * -diff --git a/include/linux/kexec.h b/include/linux/kexec.h -index b9b1bc5f9669..58b27c7bdc2b 100644 ---- a/include/linux/kexec.h -+++ b/include/linux/kexec.h -@@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, - unsigned long cmdline_len); - typedef int (kexec_cleanup_t)(void *loader_data); - --#ifdef CONFIG_KEXEC_VERIFY_SIG -+#ifdef CONFIG_KEXEC_SIG - typedef int (kexec_verify_sig_t)(const char *kernel_buf, - unsigned long kernel_len); - #endif -@@ -134,7 +134,7 @@ struct kexec_file_ops { - kexec_probe_t *probe; - kexec_load_t *load; - kexec_cleanup_t *cleanup; --#ifdef CONFIG_KEXEC_VERIFY_SIG -+#ifdef CONFIG_KEXEC_SIG - kexec_verify_sig_t *verify_sig; - #endif - }; -diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index b8cc032d5620..5036bde1e5b3 100644 ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) - return kexec_image_post_load_cleanup_default(image); - } - --#ifdef CONFIG_KEXEC_VERIFY_SIG -+#ifdef CONFIG_KEXEC_SIG - static int kexec_image_verify_sig_default(struct kimage *image, void *buf, - unsigned long buf_len) - { -@@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - const char __user *cmdline_ptr, - unsigned long cmdline_len, unsigned flags) - { -- int ret = 0; -+ const char *reason; -+ int ret; - void *ldata; - loff_t size; - -@@ -202,15 +203,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - if (ret) - goto out; - --#ifdef CONFIG_KEXEC_VERIFY_SIG -+#ifdef CONFIG_KEXEC_SIG - ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, - image->kernel_buf_len); -- if (ret) { -- pr_debug("kernel signature verification failed.\n"); -+#else -+ ret = -ENODATA; -+#endif -+ -+ switch (ret) { -+ case 0: -+ break; -+ -+ /* Certain verification errors are non-fatal if we're not -+ * checking errors, provided we aren't mandating that there -+ * must be a valid signature. -+ */ -+ case -ENODATA: -+ reason = "kexec of unsigned image"; -+ goto decide; -+ case -ENOPKG: -+ reason = "kexec of image with unsupported crypto"; -+ goto decide; -+ case -ENOKEY: -+ reason = "kexec of image with unavailable key"; -+ decide: -+ if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { -+ pr_notice("%s rejected\n", reason); -+ ret = -EKEYREJECTED; -+ goto out; -+ } -+ -+ ret = 0; -+ break; -+ -+ /* All other errors are fatal, including nomem, unparseable -+ * signatures and signature check failures - even if signatures -+ * aren't required. -+ */ -+ default: -+ pr_notice("kernel signature verification failed (%d).\n", ret); - goto out; - } -- pr_debug("kernel signature verification successful.\n"); --#endif -+ - /* It is possible that there no initramfs is being loaded */ - if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { - ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf, --- -2.21.0 - - -From d0ca8a6c26bfd6c8de7ed1d83326aae9b4bdfbf4 Mon Sep 17 00:00:00 2001 -From: Jiri Bohac <jbohac@suse.cz> -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 07/29] kexec_file: Restrict at runtime if the kernel is locked - down - -When KEXEC_SIG is not enabled, kernel should not load images through -kexec_file systemcall if the kernel is locked down. - -[Modified by David Howells to fit with modifications to the previous patch - and to return -EPERM if the kernel is locked down for consistency with - other lockdowns. Modified by Matthew Garrett to remove the IMA - integration, which will be replaced by integrating with the IMA - architecture policy patches.] - -Signed-off-by: Jiri Bohac <jbohac@suse.cz> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Jiri Bohac <jbohac@suse.cz> -cc: kexec@lists.infradead.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - kernel/kexec_file.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index 5036bde1e5b3..0668c29d2eaf 100644 ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -234,6 +234,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - } - - ret = 0; -+ -+ if (kernel_is_locked_down(reason)) { -+ ret = -EPERM; -+ goto out; -+ } -+ - break; - - /* All other errors are fatal, including nomem, unparseable --- -2.21.0 - - -From 3754ff197e10abd8ef88875e069741025ea0dd84 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 08/29] hibernate: Disable when the kernel is locked down - -There is currently no way to verify the resume image when returning -from hibernate. This might compromise the signed modules trust model, -so until we can work with signed hibernate images we disable it when the -kernel is locked down. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Cc: rjw@rjwysocki.net -Cc: pavel@ucw.cz -cc: linux-pm@vger.kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - kernel/power/hibernate.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index cd7434e6000d..0f30de4a712a 100644 ---- a/kernel/power/hibernate.c -+++ b/kernel/power/hibernate.c -@@ -68,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops; - - bool hibernation_available(void) - { -- return (nohibernate == 0); -+ return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); - } - - /** --- -2.21.0 - - -From a144fd3bcc7fcbf55b608c89b8cf64abec72130c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 09/29] uswsusp: Disable when the kernel is locked down - -uswsusp allows a user process to dump and then restore kernel state, which -makes it possible to modify the running kernel. Disable this if the kernel -is locked down. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: James Morris <james.l.morris@oracle.com> -cc: linux-pm@vger.kernel.org -Cc: pavel@ucw.cz -Cc: rjw@rjwysocki.net -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - kernel/power/user.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/power/user.c b/kernel/power/user.c -index 77438954cc2b..0caff429eb55 100644 ---- a/kernel/power/user.c -+++ b/kernel/power/user.c -@@ -49,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) - if (!hibernation_available()) - return -EPERM; - -+ if (kernel_is_locked_down("/dev/snapshot")) -+ return -EPERM; -+ - lock_system_sleep(); - - if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { --- -2.21.0 - - -From 069af594117ee566597173886950d3577c523983 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 10/29] PCI: Lock down BAR access when the kernel is locked - down - -Any hardware that can potentially generate DMA has to be locked down in -order to avoid it being possible for an attacker to modify kernel code, -allowing them to circumvent disabled module loading or module signing. -Default to paranoid - in future we can potentially relax this for -sufficiently IOMMU-isolated devices. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: Bjorn Helgaas <bhelgaas@google.com> -cc: linux-pci@vger.kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - drivers/pci/pci-sysfs.c | 9 +++++++++ - drivers/pci/proc.c | 9 ++++++++- - drivers/pci/syscall.c | 3 ++- - 3 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 965c72104150..f8cef3e348a3 100644 ---- a/drivers/pci/pci-sysfs.c -+++ b/drivers/pci/pci-sysfs.c -@@ -907,6 +907,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, - loff_t init_off = off; - u8 *data = (u8 *) buf; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (off > dev->cfg_size) - return 0; - if (off + count > dev->cfg_size) { -@@ -1168,6 +1171,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, - enum pci_mmap_state mmap_type; - struct resource *res = &pdev->resource[bar]; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) - return -EINVAL; - -@@ -1243,6 +1249,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, - struct bin_attribute *attr, char *buf, - loff_t off, size_t count) - { -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - return pci_resource_io(filp, kobj, attr, buf, off, count, true); - } - -diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index fe7fe678965b..23c9b5979f5d 100644 ---- a/drivers/pci/proc.c -+++ b/drivers/pci/proc.c -@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, - int size = dev->cfg_size; - int cnt; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (pos >= size) - return 0; - if (nbytes >= size) -@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, - #endif /* HAVE_PCI_MMAP */ - int ret = 0; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - switch (cmd) { - case PCIIOC_CONTROLLER: - ret = pci_domain_nr(dev->bus); -@@ -238,7 +244,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) - struct pci_filp_private *fpriv = file->private_data; - int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("Direct PCI access")) - return -EPERM; - - if (fpriv->mmap_state == pci_mmap_io) { -diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index d96626c614f5..b8a08d3166a1 100644 ---- a/drivers/pci/syscall.c -+++ b/drivers/pci/syscall.c -@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, - u32 dword; - int err = 0; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!capable(CAP_SYS_ADMIN) || -+ kernel_is_locked_down("Direct PCI access")) - return -EPERM; - - dev = pci_get_domain_bus_and_slot(0, bus, dfn); --- -2.21.0 - - -From 97f7b0338b58afd67817ca886de78ce9bba67f29 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 11/29] x86: Lock down IO port access when the kernel is locked - down - -IO port access would permit users to gain access to PCI configuration -registers, which in turn (on a lot of hardware) give access to MMIO -register space. This would potentially permit root to trigger arbitrary -DMA, so lock it down by default. - -This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and -KDDISABIO console ioctls. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Thomas Gleixner <tglx@linutronix.de> -cc: x86@kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - arch/x86/kernel/ioport.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 0fe1c8782208..abc702a6ae9c 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -- if (turn_on && !capable(CAP_SYS_RAWIO)) -+ if (turn_on && (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("ioperm"))) - return -EPERM; - - /* -@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) - return -EINVAL; - /* Trying to gain more privileges? */ - if (level > old) { -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("iopl")) - return -EPERM; - } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | --- -2.21.0 - - -From 65029f8df39eb1d0a48cbcb6686b21e844ff9b3c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 12/29] x86/msr: Restrict MSR access when the kernel is locked - down - -Writing to MSRs should not be allowed if the kernel is locked down, since -it could lead to execution of arbitrary code in kernel mode. Based on a -patch by Kees Cook. - -MSR accesses are logged for the purposes of building up a whitelist as per -Alan Cox's suggestion. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: Kees Cook <keescook@chromium.org> -Reviewed-by: Thomas Gleixner <tglx@linutronix.de> -cc: x86@kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - arch/x86/kernel/msr.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 3db2252b958d..5eed6530c223 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -79,6 +79,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, - int err = 0; - ssize_t bytes = 0; - -+ if (kernel_is_locked_down("Direct MSR access")) { -+ pr_info("Direct access to MSR %x\n", reg); -+ return -EPERM; -+ } -+ - if (count % 8) - return -EINVAL; /* Invalid chunk size */ - -@@ -130,6 +135,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) - err = -EFAULT; - break; - } -+ if (kernel_is_locked_down("Direct MSR access")) { -+ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ -+ err = -EPERM; -+ break; -+ } - err = wrmsr_safe_regs_on_cpu(cpu, regs); - if (err) - break; --- -2.21.0 - - -From 0a0ad07ecc667dae61d7a1073559830184022be7 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 13/29] ACPI: Limit access to custom_method when the kernel is - locked down - -custom_method effectively allows arbitrary access to system memory, making -it possible for an attacker to circumvent restrictions on module loading. -Disable it if the kernel is locked down. - -Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: linux-acpi@vger.kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - drivers/acpi/custom_method.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index b2ef4c2ec955..33b821be0600 100644 ---- a/drivers/acpi/custom_method.c -+++ b/drivers/acpi/custom_method.c -@@ -30,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, - struct acpi_table_header table; - acpi_status status; - -+ if (kernel_is_locked_down("ACPI custom methods")) -+ return -EPERM; -+ - if (!(*ppos)) { - /* parse the table header to get the table length */ - if (count <= sizeof(struct acpi_table_header)) --- -2.21.0 - - -From ad843f3ba6d525cc47eb2c866de74a324d3a960c Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@redhat.com> -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 14/29] acpi: Ignore acpi_rsdp kernel param when the kernel has - been locked down - -This option allows userspace to pass the RSDP address to the kernel, which -makes it possible for a user to modify the workings of hardware . Reject -the option when the kernel is locked down. - -Signed-off-by: Josh Boyer <jwboyer@redhat.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: Dave Young <dyoung@redhat.com> -cc: linux-acpi@vger.kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - drivers/acpi/osl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 9c0edf2fc0dd..0c5c7b51fb72 100644 ---- a/drivers/acpi/osl.c -+++ b/drivers/acpi/osl.c -@@ -180,7 +180,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) - acpi_physical_address pa; - - #ifdef CONFIG_KEXEC -- if (acpi_rsdp) -+ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) - return acpi_rsdp; - #endif - pa = acpi_arch_get_root_pointer(); --- -2.21.0 - - -From 146618cd3ae3556184f3ca94ca82809f4e7090b9 Mon Sep 17 00:00:00 2001 -From: Linn Crosetto <linn@hpe.com> -Date: Mon, 18 Feb 2019 12:45:00 +0000 -Subject: [PATCH 15/29] acpi: Disable ACPI table override if the kernel is - locked down - -From the kernel documentation (initrd_table_override.txt): - - If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible - to override nearly any ACPI table provided by the BIOS with an - instrumented, modified one. - -When securelevel is set, the kernel should disallow any unauthenticated -changes to kernel space. ACPI tables contain code invoked by the kernel, -so do not allow ACPI tables to be overridden if the kernel is locked down. - -Signed-off-by: Linn Crosetto <linn@hpe.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: linux-acpi@vger.kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - drivers/acpi/tables.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c -index b32327759380..6fd5c8328427 100644 ---- a/drivers/acpi/tables.c -+++ b/drivers/acpi/tables.c -@@ -578,6 +578,11 @@ void __init acpi_table_upgrade(void) - if (table_nr == 0) - return; - -+ if (kernel_is_locked_down("ACPI table override")) { -+ pr_notice("kernel is locked down, ignoring table override\n"); -+ return; -+ } -+ - acpi_tables_addr = - memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, - all_tables_size, PAGE_SIZE); --- -2.21.0 - - -From e183b69655b6069c7007ad911252dd681fb0083f Mon Sep 17 00:00:00 2001 -From: Linn Crosetto <linn@hpe.com> -Date: Mon, 18 Feb 2019 12:45:00 +0000 -Subject: [PATCH 16/29] acpi: Disable APEI error injection if the kernel is - locked down - -ACPI provides an error injection mechanism, EINJ, for debugging and testing -the ACPI Platform Error Interface (APEI) and other RAS features. If -supported by the firmware, ACPI specification 5.0 and later provide for a -way to specify a physical memory address to which to inject the error. - -Injecting errors through EINJ can produce errors which to the platform are -indistinguishable from real hardware errors. This can have undesirable -side-effects, such as causing the platform to mark hardware as needing -replacement. - -While it does not provide a method to load unauthenticated privileged code, -the effect of these errors may persist across reboots and affect trust in -the underlying hardware, so disable error injection through EINJ if -the kernel is locked down. - -Signed-off-by: Linn Crosetto <linn@hpe.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: linux-acpi@vger.kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - drivers/acpi/apei/einj.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c -index e430cf4caec2..dde995f871d6 100644 ---- a/drivers/acpi/apei/einj.c -+++ b/drivers/acpi/apei/einj.c -@@ -510,6 +510,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, - int rc; - u64 base_addr, size; - -+ if (kernel_is_locked_down("ACPI error injection")) -+ return -EPERM; -+ - /* If user manually set "flags", make sure it is legal */ - if (flags && (flags & - ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) --- -2.21.0 - - -From 2c469f9240f58dce6049eae000d70dcef8025cfa Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:00 +0000 -Subject: [PATCH 17/29] Prohibit PCMCIA CIS storage when the kernel is locked - down - -Prohibit replacement of the PCMCIA Card Information Structure when the -kernel is locked down. - -Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: linux-pcmcia@lists.infradead.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - drivers/pcmcia/cistpl.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c -index abd029945cc8..77919fa3fb4a 100644 ---- a/drivers/pcmcia/cistpl.c -+++ b/drivers/pcmcia/cistpl.c -@@ -1575,6 +1575,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, - struct pcmcia_socket *s; - int error; - -+ if (kernel_is_locked_down("Direct PCMCIA CIS storage")) -+ return -EPERM; -+ - s = to_socket(container_of(kobj, struct device, kobj)); - - if (off) --- -2.21.0 - - -From 5f1bdf370484979c291e37cd6905480a12083b18 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:00 +0000 -Subject: [PATCH 18/29] Lock down TIOCSSERIAL - -Lock down TIOCSSERIAL as that can be used to change the ioport and irq -settings on a serial port. This only appears to be an issue for the serial -drivers that use the core serial code. All other drivers seem to either -ignore attempts to change port/irq or give an error. - -Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: Jiri Slaby <jslaby@suse.com> -Cc: linux-serial@vger.kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - drivers/tty/serial/serial_core.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 4223cb496764..4f3cd7bc1713 100644 ---- a/drivers/tty/serial/serial_core.c -+++ b/drivers/tty/serial/serial_core.c -@@ -846,6 +846,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, - new_flags = (__force upf_t)new_info->flags; - old_custom_divisor = uport->custom_divisor; - -+ if ((change_port || change_irq) && -+ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { -+ retval = -EPERM; -+ goto exit; -+ } -+ - if (!capable(CAP_SYS_ADMIN)) { - retval = -EPERM; - if (change_irq || change_port || --- -2.21.0 - - -From b07159ff6bc3345b49db17a82fa31013f398d4e5 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:01 +0000 -Subject: [PATCH 19/29] Lock down module params that specify hardware - parameters (eg. ioport) - -Provided an annotation for module parameters that specify hardware -parameters (such as io ports, iomem addresses, irqs, dma channels, fixed -dma buffers and other types). - -Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - kernel/params.c | 26 +++++++++++++++++++++----- - 1 file changed, 21 insertions(+), 5 deletions(-) - -diff --git a/kernel/params.c b/kernel/params.c -index cf448785d058..61a08a5da208 100644 ---- a/kernel/params.c -+++ b/kernel/params.c -@@ -96,13 +96,19 @@ bool parameq(const char *a, const char *b) - return parameqn(a, b, strlen(a)+1); - } - --static void param_check_unsafe(const struct kernel_param *kp) -+static bool param_check_unsafe(const struct kernel_param *kp, -+ const char *doing) - { - if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { - pr_notice("Setting dangerous option %s - tainting kernel\n", - kp->name); - add_taint(TAINT_USER, LOCKDEP_STILL_OK); - } -+ -+ if (kp->flags & KERNEL_PARAM_FL_HWPARAM && -+ kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) -+ return false; -+ return true; - } - - static int parse_one(char *param, -@@ -132,8 +138,10 @@ static int parse_one(char *param, - pr_debug("handling %s with %p\n", param, - params[i].ops->set); - kernel_param_lock(params[i].mod); -- param_check_unsafe(¶ms[i]); -- err = params[i].ops->set(val, ¶ms[i]); -+ if (param_check_unsafe(¶ms[i], doing)) -+ err = params[i].ops->set(val, ¶ms[i]); -+ else -+ err = -EPERM; - kernel_param_unlock(params[i].mod); - return err; - } -@@ -541,6 +549,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, - return count; - } - -+#ifdef CONFIG_MODULES -+#define mod_name(mod) (mod)->name -+#else -+#define mod_name(mod) "unknown" -+#endif -+ - /* sysfs always hands a nul-terminated string in buf. We rely on that. */ - static ssize_t param_attr_store(struct module_attribute *mattr, - struct module_kobject *mk, -@@ -553,8 +567,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, - return -EPERM; - - kernel_param_lock(mk->mod); -- param_check_unsafe(attribute->param); -- err = attribute->param->ops->set(buf, attribute->param); -+ if (param_check_unsafe(attribute->param, mod_name(mk->mod))) -+ err = attribute->param->ops->set(buf, attribute->param); -+ else -+ err = -EPERM; - kernel_param_unlock(mk->mod); - if (!err) - return len; --- -2.21.0 - - -From 3e7fdce10f144b2a947f020bd0eeeb536c77153e Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:01 +0000 -Subject: [PATCH 20/29] x86/mmiotrace: Lock down the testmmiotrace module - -The testmmiotrace module shouldn't be permitted when the kernel is locked -down as it can be used to arbitrarily read and write MMIO space. - -Suggested-by: Thomas Gleixner <tglx@linutronix.de> -Signed-off-by: David Howells <dhowells@redhat.com -cc: Thomas Gleixner <tglx@linutronix.de> -cc: Steven Rostedt <rostedt@goodmis.org> -cc: Ingo Molnar <mingo@kernel.org> -cc: "H. Peter Anvin" <hpa@zytor.com> -cc: x86@kernel.org -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - arch/x86/mm/testmmiotrace.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c -index 0881e1ff1e58..13f1da99ee5e 100644 ---- a/arch/x86/mm/testmmiotrace.c -+++ b/arch/x86/mm/testmmiotrace.c -@@ -116,6 +116,9 @@ static int __init init(void) - { - unsigned long size = (read_far) ? (8 << 20) : (16 << 10); - -+ if (kernel_is_locked_down("MMIO trace testing")) -+ return -EPERM; -+ - if (mmio_address == 0) { - pr_err("you have to use the module argument mmio_address.\n"); - pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); --- -2.21.0 - - -From 1e81a8fd6ed139113011e3b7d70aa8b5c59a97cb Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 21/29] Lock down /proc/kcore - -Disallow access to /proc/kcore when the kernel is locked down to prevent -access to cryptographic data. - -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: James Morris <james.l.morris@oracle.com> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - fs/proc/kcore.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c -index f5834488b67d..0639228c4904 100644 ---- a/fs/proc/kcore.c -+++ b/fs/proc/kcore.c -@@ -545,6 +545,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) - - static int open_kcore(struct inode *inode, struct file *filp) - { -+ if (kernel_is_locked_down("/proc/kcore")) -+ return -EPERM; - if (!capable(CAP_SYS_RAWIO)) - return -EPERM; - --- -2.21.0 - - -From 03a1ba6091a421ae40a17dc67f61a96733c8f0d2 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 22/29] Lock down kprobes - -Disallow the creation of kprobes when the kernel is locked down by -preventing their registration. This prevents kprobes from being used to -access kernel memory, either to make modifications or to steal crypto data. - -Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> -Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com> -Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com> -Cc: davem@davemloft.net -Cc: Masami Hiramatsu <mhiramat@kernel.org> ---- - kernel/kprobes.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index 9f5433a52488..e54c7b70298a 100644 ---- a/kernel/kprobes.c -+++ b/kernel/kprobes.c -@@ -1556,6 +1556,9 @@ int register_kprobe(struct kprobe *p) - struct module *probed_mod; - kprobe_opcode_t *addr; - -+ if (kernel_is_locked_down("Use of kprobes")) -+ return -EPERM; -+ - /* Adjust probe address from symbol */ - addr = kprobe_addr(p); - if (IS_ERR(addr)) --- -2.21.0 - - -From d743cdf3a9508b9d9293acb3170b1d76f5556d1a Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 23/29] bpf: Restrict kernel image access functions when the - kernel is locked down - -There are some bpf functions can be used to read kernel memory: -bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow -private keys in kernel memory (e.g. the hibernation image signing key) to -be read by an eBPF program and kernel memory to be altered without -restriction. - -Completely prohibit the use of BPF when the kernel is locked down. - -Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: netdev@vger.kernel.org -cc: Chun-Yi Lee <jlee@suse.com> -cc: Alexei Starovoitov <alexei.starovoitov@gmail.com> -Cc: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - kernel/bpf/syscall.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 5d141f16f6fa..cf9f0d069a2a 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -2813,6 +2813,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz - if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) - return -EPERM; - -+ if (kernel_is_locked_down("BPF")) -+ return -EPERM; -+ - err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); - if (err) - return err; --- -2.21.0 - - -From 7ec8d8a7bc177bc54e627b04a6aa4520174965cd Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 24/29] Lock down perf - -Disallow the use of certain perf facilities that might allow userspace to -access kernel data. - -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Ingo Molnar <mingo@redhat.com> -Cc: Arnaldo Carvalho de Melo <acme@kernel.org> ---- - kernel/events/core.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index eea9d52b010c..08f51f91d959 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -10824,6 +10824,11 @@ SYSCALL_DEFINE5(perf_event_open, - return -EINVAL; - } - -+ if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && -+ kernel_is_locked_down("PERF_SAMPLE_REGS_INTR")) -+ /* REGS_INTR can leak data, lockdown must prevent this */ -+ return -EPERM; -+ - /* Only privileged users can get physical addresses */ - if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && - perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) --- -2.21.0 - - -From 98fa6aca64b1723db15cb1791b734aebb105433e Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 25/29] debugfs: Restrict debugfs when the kernel is locked - down - -Disallow opening of debugfs files that might be used to muck around when -the kernel is locked down as various drivers give raw access to hardware -through debugfs. Given the effort of auditing all 2000 or so files and -manually fixing each one as necessary, I've chosen to apply a heuristic -instead. The following changes are made: - - (1) chmod and chown are disallowed on debugfs objects (though the root dir - can be modified by mount and remount, but I'm not worried about that). - - (2) When the kernel is locked down, only files with the following criteria - are permitted to be opened: - - - The file must have mode 00444 - - The file must not have ioctl methods - - The file must not have mmap - - (3) When the kernel is locked down, files may only be opened for reading. - -Normal device interaction should be done through configfs, sysfs or a -miscdev, not debugfs. - -Note that this makes it unnecessary to specifically lock down show_dsts(), -show_devs() and show_call() in the asus-wmi driver. - -I would actually prefer to lock down all files by default and have the -the files unlocked by the creator. This is tricky to manage correctly, -though, as there are 19 creation functions and ~1600 call sites (some of -them in loops scanning tables). - -Signed-off-by: David Howells <dhowells@redhat.com> -cc: Andy Shevchenko <andy.shevchenko@gmail.com> -cc: acpi4asus-user@lists.sourceforge.net -cc: platform-driver-x86@vger.kernel.org -cc: Matthew Garrett <mjg59@srcf.ucam.org> -cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++ - fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++-- - 2 files changed, 56 insertions(+), 2 deletions(-) - -diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c -index 93e4ca6b2ad7..8eeff9068228 100644 ---- a/fs/debugfs/file.c -+++ b/fs/debugfs/file.c -@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) - } - EXPORT_SYMBOL_GPL(debugfs_file_put); - -+/* -+ * Only permit access to world-readable files when the kernel is locked down. -+ * We also need to exclude any file that has ways to write or alter it as root -+ * can bypass the permissions check. -+ */ -+static bool debugfs_is_locked_down(struct inode *inode, -+ struct file *filp, -+ const struct file_operations *real_fops) -+{ -+ if ((inode->i_mode & 07777) == 0444 && -+ !(filp->f_mode & FMODE_WRITE) && -+ !real_fops->unlocked_ioctl && -+ !real_fops->compat_ioctl && -+ !real_fops->mmap) -+ return false; -+ -+ return kernel_is_locked_down("debugfs"); -+} -+ - static int open_proxy_open(struct inode *inode, struct file *filp) - { - struct dentry *dentry = F_DENTRY(filp); -@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -+ -+ r = -EPERM; -+ if (debugfs_is_locked_down(inode, filp, real_fops)) -+ goto out; -+ - real_fops = fops_get(real_fops); - if (!real_fops) { - /* Huh? Module did not clean up after itself at exit? */ -@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -+ r = -EPERM; -+ if (debugfs_is_locked_down(inode, filp, real_fops)) -+ goto out; -+ - real_fops = fops_get(real_fops); - if (!real_fops) { - /* Huh? Module did not cleanup after itself at exit? */ -diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index 042b688ed124..cc0486ca1a11 100644 ---- a/fs/debugfs/inode.c -+++ b/fs/debugfs/inode.c -@@ -35,6 +35,31 @@ static struct vfsmount *debugfs_mount; - static int debugfs_mount_count; - static bool debugfs_registered; - -+/* -+ * Don't allow access attributes to be changed whilst the kernel is locked down -+ * so that we can use the file mode as part of a heuristic to determine whether -+ * to lock down individual files. -+ */ -+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) -+{ -+ if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && -+ kernel_is_locked_down("debugfs")) -+ return -EPERM; -+ return simple_setattr(dentry, ia); -+} -+ -+static const struct inode_operations debugfs_file_inode_operations = { -+ .setattr = debugfs_setattr, -+}; -+static const struct inode_operations debugfs_dir_inode_operations = { -+ .lookup = simple_lookup, -+ .setattr = debugfs_setattr, -+}; -+static const struct inode_operations debugfs_symlink_inode_operations = { -+ .get_link = simple_get_link, -+ .setattr = debugfs_setattr, -+}; -+ - static struct inode *debugfs_get_inode(struct super_block *sb) - { - struct inode *inode = new_inode(sb); -@@ -369,6 +394,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, - inode->i_mode = mode; - inode->i_private = data; - -+ inode->i_op = &debugfs_file_inode_operations; - inode->i_fop = proxy_fops; - dentry->d_fsdata = (void *)((unsigned long)real_fops | - DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); -@@ -532,7 +558,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) - } - - inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; -- inode->i_op = &simple_dir_inode_operations; -+ inode->i_op = &debugfs_dir_inode_operations; - inode->i_fop = &simple_dir_operations; - - /* directory inodes start off with i_nlink == 2 (for "." entry) */ -@@ -632,7 +658,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, - return failed_creating(dentry); - } - inode->i_mode = S_IFLNK | S_IRWXUGO; -- inode->i_op = &simple_symlink_inode_operations; -+ inode->i_op = &debugfs_symlink_inode_operations; - inode->i_link = link; - d_instantiate(dentry, inode); - return end_creating(dentry); --- -2.21.0 - - -From 39ffa9315f46123f0f1f66fb6fd0597211b43b1d Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 28 Feb 2018 14:43:03 +0000 -Subject: [PATCH 26/29] lockdown: Print current->comm in restriction messages - -Print the content of current->comm in messages generated by lockdown to -indicate a restriction that was hit. This makes it a bit easier to find -out what caused the message. - -The message now patterned something like: - - Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7 - -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Matthew Garrett <matthewgarrett@google.com> ---- - security/lock_down.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/security/lock_down.c b/security/lock_down.c -index 18d8776a4d02..ee00ca2677e7 100644 ---- a/security/lock_down.c -+++ b/security/lock_down.c -@@ -53,8 +53,8 @@ void __init init_lockdown(void) - bool __kernel_is_locked_down(const char *what, bool first) - { - if (what && first && kernel_locked_down) -- pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", -- what); -+ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", -+ current->comm, what); - return kernel_locked_down; - } - EXPORT_SYMBOL(__kernel_is_locked_down); --- -2.21.0 - - -From 0086dbfaa88118636bc5d77f25bd578034a84075 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthewgarrett@google.com> -Date: Tue, 12 Mar 2019 12:50:30 -0700 -Subject: [PATCH 27/29] kexec: Allow kexec_file() with appropriate IMA policy - when locked down - -Systems in lockdown mode should block the kexec of untrusted kernels. -For x86 and ARM we can ensure that a kernel is trustworthy by validating -a PE signature, but this isn't possible on other architectures. On those -platforms we can use IMA digital signatures instead. Add a function to -determine whether IMA has or will verify signatures for a given event type, -and if so permit kexec_file() even if the kernel is otherwise locked down. -This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set -in order to prevent an attacker from loading additional keys at runtime. - -Signed-off-by: Matthew Garrett <mjg59@google.com> -Acked-by: Mimi Zohar <zohar@linux.ibm.com> -Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> -Cc: linux-integrity@vger.kernel.org ---- - include/linux/ima.h | 9 ++++++ - kernel/kexec_file.c | 7 +++- - security/integrity/ima/ima.h | 2 ++ - security/integrity/ima/ima_main.c | 2 +- - security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ - 5 files changed, 68 insertions(+), 2 deletions(-) - -diff --git a/include/linux/ima.h b/include/linux/ima.h -index a20ad398d260..1c37f17f7203 100644 ---- a/include/linux/ima.h -+++ b/include/linux/ima.h -@@ -131,4 +131,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, - return 0; - } - #endif /* CONFIG_IMA_APPRAISE */ -+ -+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) -+extern bool ima_appraise_signature(enum kernel_read_file_id func); -+#else -+static inline bool ima_appraise_signature(enum kernel_read_file_id func) -+{ -+ return false; -+} -+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ - #endif /* _LINUX_IMA_H */ -diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index 0668c29d2eaf..78728a0f16a7 100644 ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -235,7 +235,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - - ret = 0; - -- if (kernel_is_locked_down(reason)) { -+ /* If IMA is guaranteed to appraise a signature on the kexec -+ * image, permit it even if the kernel is otherwise locked -+ * down. -+ */ -+ if (!ima_appraise_signature(READING_KEXEC_IMAGE) && -+ kernel_is_locked_down(reason)) { - ret = -EPERM; - goto out; - } -diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h -index 011b91c79351..64dcb11cf444 100644 ---- a/security/integrity/ima/ima.h -+++ b/security/integrity/ima/ima.h -@@ -113,6 +113,8 @@ struct ima_kexec_hdr { - u64 count; - }; - -+extern const int read_idmap[]; -+ - #ifdef CONFIG_HAVE_IMA_KEXEC - void ima_load_kexec_buffer(void); - #else -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index 584019728660..b9f57503af2c 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -502,7 +502,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) - return 0; - } - --static const int read_idmap[READING_MAX_ID] = { -+const int read_idmap[READING_MAX_ID] = { - [READING_FIRMWARE] = FIRMWARE_CHECK, - [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, - [READING_MODULE] = MODULE_CHECK, -diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c -index 6df7f641ff66..827f1e33fe86 100644 ---- a/security/integrity/ima/ima_policy.c -+++ b/security/integrity/ima/ima_policy.c -@@ -1456,3 +1456,53 @@ int ima_policy_show(struct seq_file *m, void *v) - return 0; - } - #endif /* CONFIG_IMA_READ_POLICY */ -+ -+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) -+/* -+ * ima_appraise_signature: whether IMA will appraise a given function using -+ * an IMA digital signature. This is restricted to cases where the kernel -+ * has a set of built-in trusted keys in order to avoid an attacker simply -+ * loading additional keys. -+ */ -+bool ima_appraise_signature(enum kernel_read_file_id id) -+{ -+ struct ima_rule_entry *entry; -+ bool found = false; -+ enum ima_hooks func; -+ -+ if (id >= READING_MAX_ID) -+ return false; -+ -+ func = read_idmap[id] ?: FILE_CHECK; -+ -+ rcu_read_lock(); -+ list_for_each_entry_rcu(entry, ima_rules, list) { -+ if (entry->action != APPRAISE) -+ continue; -+ -+ /* -+ * A generic entry will match, but otherwise require that it -+ * match the func we're looking for -+ */ -+ if (entry->func && entry->func != func) -+ continue; -+ -+ /* -+ * We require this to be a digital signature, not a raw IMA -+ * hash. -+ */ -+ if (entry->flags & IMA_DIGSIG_REQUIRED) -+ found = true; -+ -+ /* -+ * We've found a rule that matches, so break now even if it -+ * didn't require a digital signature - a later rule that does -+ * won't override it, so would be a false positive. -+ */ -+ break; -+ } -+ -+ rcu_read_unlock(); -+ return found; -+} -+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ --- -2.21.0 - - From 4a84d19a10c31a363aa7d1f325bd212012263a98 Mon Sep 17 00:00:00 2001 From: Kyle McMartin <kyle@redhat.com> Date: Mon, 9 Apr 2018 09:52:45 +0100 @@ -2107,63 +284,3 @@ index ee00ca2677e7..d68dff872ced 100644 +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ -- 2.21.0 - - -From c3e9fb754f7603ae10a750f685f0174c5ae51ffa Mon Sep 17 00:00:00 2001 -From: Vasily Gorbik <gor@linux.ibm.com> -Date: Wed, 21 Nov 2018 13:05:10 +0100 -Subject: [PATCH 29/29] debugfs: avoid EPERM when no open file operation - defined - -With "debugfs: Restrict debugfs when the kernel is locked down" -return code "r" is unconditionally set to -EPERM, which stays like that -until function return if no "open" file operation defined, effectivelly -resulting in "Operation not permitted" for all such files despite kernel -lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled. - -In particular this breaks 2 debugfs files on s390: -/sys/kernel/debug/s390_hypfs/diag_304 -/sys/kernel/debug/s390_hypfs/diag_204 - -To address that set EPERM return code only when debugfs_is_locked_down -returns true. - -Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down") -Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> ---- - fs/debugfs/file.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c -index 8eeff9068228..9c56e1aa1f29 100644 ---- a/fs/debugfs/file.c -+++ b/fs/debugfs/file.c -@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp) - - real_fops = debugfs_real_fops(filp); - -- r = -EPERM; -- if (debugfs_is_locked_down(inode, filp, real_fops)) -+ if (debugfs_is_locked_down(inode, filp, real_fops)) { -+ r = -EPERM; - goto out; -+ } - - real_fops = fops_get(real_fops); - if (!real_fops) { -@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -- r = -EPERM; -- if (debugfs_is_locked_down(inode, filp, real_fops)) -+ if (debugfs_is_locked_down(inode, filp, real_fops)) { -+ r = -EPERM; - goto out; -+ } - - real_fops = fops_get(real_fops); - if (!real_fops) { --- -2.21.0 - diff --git a/efi-secureboot.patch b/efi-secureboot.patch index 4f8a97bcf..de6f5eef9 100644 --- a/efi-secureboot.patch +++ b/efi-secureboot.patch @@ -1,7 +1,109 @@ +From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001 +From: Jeremy Cline <jcline@redhat.com> +Date: Mon, 30 Sep 2019 21:22:47 +0000 +Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down + +In order to automatically lock down kernels running on UEFI machines +booted in Secure Boot mode, expose the lock_kernel_down() hook. + +Signed-off-by: Jeremy Cline <jcline@redhat.com> +--- + include/linux/lsm_hooks.h | 8 ++++++++ + include/linux/security.h | 5 +++++ + security/lockdown/lockdown.c | 1 + + security/security.c | 6 ++++++ + 4 files changed, 20 insertions(+) + +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index a3763247547c..8d76d1f153ed 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -1454,6 +1454,12 @@ + * code execution in kernel space should be permitted. + * + * @what: kernel feature being accessed ++ * ++ * @lock_kernel_down ++ * Put the kernel into lock-down mode. ++ * ++ * @where: Where the lock-down is originating from (e.g. command line option) ++ * @level: The lock-down level (can only increase) + */ + union security_list_options { + int (*binder_set_context_mgr)(struct task_struct *mgr); +@@ -1818,6 +1824,7 @@ union security_list_options { + void (*bpf_prog_free_security)(struct bpf_prog_aux *aux); + #endif /* CONFIG_BPF_SYSCALL */ + int (*locked_down)(enum lockdown_reason what); ++ int (*lock_kernel_down)(const char *where, enum lockdown_reason level); + }; + + struct security_hook_heads { +@@ -2060,6 +2067,7 @@ struct security_hook_heads { + struct hlist_head bpf_prog_free_security; + #endif /* CONFIG_BPF_SYSCALL */ + struct hlist_head locked_down; ++ struct hlist_head lock_kernel_down; + } __randomize_layout; + + /* +diff --git a/include/linux/security.h b/include/linux/security.h +index a8d59d612d27..467b9ccdf993 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); + int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); + int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); + int security_locked_down(enum lockdown_reason what); ++int security_lock_kernel_down(const char *where, enum lockdown_reason level); + #else /* CONFIG_SECURITY */ + + static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) +@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what) + { + return 0; + } ++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level); ++{ ++ return 0; ++} + #endif /* CONFIG_SECURITY */ + + #ifdef CONFIG_SECURITY_NETWORK +diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c +index 8a10b43daf74..72a623075749 100644 +--- a/security/lockdown/lockdown.c ++++ b/security/lockdown/lockdown.c +@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what) + + static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), ++ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down), + }; + + static int __init lockdown_lsm_init(void) +diff --git a/security/security.c b/security/security.c +index 1bc000f834e2..1506b95427cf 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -2404,3 +2404,9 @@ int security_locked_down(enum lockdown_reason what) + return call_int_hook(locked_down, 0, what); + } + EXPORT_SYMBOL(security_locked_down); ++ ++int security_lock_kernel_down(const char *where, enum lockdown_reason level) ++{ ++ return call_int_hook(lock_kernel_down, 0, where, level); ++} ++EXPORT_SYMBOL(security_lock_kernel_down); +-- +2.21.0 + + From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Tue, 27 Feb 2018 10:04:55 +0000 -Subject: [PATCH 29/31] efi: Add an EFI_SECURE_BOOT flag to indicate secure +Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT @@ -160,119 +262,73 @@ index 21d81021c1f4..758ec061d03b 100644 2.21.0 -From d78bf678059f83e22bec8ada1a448e22b9b90203 Mon Sep 17 00:00:00 2001 +From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Tue, 27 Feb 2018 10:04:55 +0000 -Subject: [PATCH 30/31] efi: Lock down the kernel if booted in secure boot mode +Date: Mon, 30 Sep 2019 21:28:16 +0000 +Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode -UEFI Secure Boot provides a mechanism for ensuring that the firmware will -only load signed bootloaders and kernels. Certain use cases may also -require that all kernel modules also be signed. Add a configuration option -that to lock down the kernel - which includes requiring validly signed -modules - if the kernel is secure-booted. +UEFI Secure Boot provides a mechanism for ensuring that the firmware +will only load signed bootloaders and kernels. Certain use cases may +also require that all kernel modules also be signed. Add a +configuration option that to lock down the kernel - which includes +requiring validly signed modules - if the kernel is secure-booted. Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> -cc: linux-efi@vger.kernel.org +Signed-off-by: Jeremy Cline <jcline@redhat.com> --- - arch/x86/kernel/setup.c | 6 ++++-- - fs/debugfs/inode.c | 2 +- - security/Kconfig | 14 ++++++++++++++ - security/lock_down.c | 5 +++++ - 4 files changed, 20 insertions(+), 3 deletions(-) + arch/x86/kernel/setup.c | 8 ++++++++ + security/lockdown/Kconfig | 13 +++++++++++++ + 2 files changed, 21 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index adeee6329f55..27a54ec878bd 100644 +index 77ea96b794bd..a119e1bc9623 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -65,6 +65,7 @@ - #include <linux/dma-mapping.h> - #include <linux/ctype.h> - #include <linux/uaccess.h> +@@ -73,6 +73,7 @@ + #include <linux/jiffies.h> + #include <linux/mem_encrypt.h> + #include <linux/sizes.h> +#include <linux/security.h> - #include <linux/percpu.h> - #include <linux/crash_dump.h> -@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p) + #include <linux/usb/xhci-dbgp.h> + #include <video/edid.h> +@@ -1027,6 +1028,13 @@ void __init setup_arch(char **cmdline_p) if (efi_enabled(EFI_BOOT)) efi_init(); + efi_set_secure_boot(boot_params.secure_boot); + -+ init_lockdown(); ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX); ++#endif + dmi_setup(); /* -@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p) - /* Allocate bigger log buffer */ - setup_log_buf(1); - -- efi_set_secure_boot(boot_params.secure_boot); -- - reserve_initrd(); - - acpi_table_upgrade(); -diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index ce261e1765ff..7aff55b309a6 100644 ---- a/fs/debugfs/inode.c -+++ b/fs/debugfs/inode.c -@@ -40,7 +40,7 @@ static bool debugfs_registered; - static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) - { - if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && -- kernel_is_locked_down("debugfs")) -+ kernel_is_locked_down("changing perms in debugfs")) - return -EPERM; - return simple_setattr(dentry, ia); - } -diff --git a/security/Kconfig b/security/Kconfig -index 9c343f262bdd..30788bc47863 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE - Allow the lockdown on a kernel to be lifted, by pressing a SysRq key - combination on a wired keyboard. On x86, this is SysRq+x. +diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig +index e84ddf484010..d0501353a4b9 100644 +--- a/security/lockdown/Kconfig ++++ b/security/lockdown/Kconfig +@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. +config LOCK_DOWN_IN_EFI_SECURE_BOOT + bool "Lock down the kernel in EFI Secure Boot mode" + default n -+ select LOCK_DOWN_KERNEL -+ depends on EFI ++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY + help + UEFI Secure Boot provides a mechanism for ensuring that the firmware + will only load signed bootloaders and kernels. Secure boot mode may + be determined from EFI variables provided by the system firmware if + not indicated by the boot parameters. + -+ Enabling this option turns on results in kernel lockdown being -+ triggered if EFI Secure Boot is set. ++ Enabling this option results in kernel lockdown being triggered if ++ EFI Secure Boot is set. + - source "security/selinux/Kconfig" - source "security/smack/Kconfig" - source "security/tomoyo/Kconfig" -diff --git a/security/lock_down.c b/security/lock_down.c -index ee00ca2677e7..bb4dc7838f3e 100644 ---- a/security/lock_down.c -+++ b/security/lock_down.c -@@ -12,6 +12,7 @@ - - #include <linux/security.h> - #include <linux/export.h> -+#include <linux/efi.h> - #include <linux/sysrq.h> - #include <asm/setup.h> - -@@ -44,6 +45,10 @@ void __init init_lockdown(void) - #ifdef CONFIG_LOCK_DOWN_FORCE - lock_kernel_down("Kernel configuration"); - #endif -+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT -+ if (efi_enabled(EFI_SECURE_BOOT)) -+ lock_kernel_down("EFI secure boot"); -+#endif - } - - /** + choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE -- -2.14.3 +2.21.0 @@ -1 +1 @@ -f41def397161053eb0d3ed6861ef65985efbf293 +97f9a3c4eee55b0178b518ae7114a6a53372913d diff --git a/iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch b/iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch deleted file mode 100644 index f583a5b2d..000000000 --- a/iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch +++ /dev/null @@ -1,87 +0,0 @@ -From patchwork Tue Sep 24 10:30:57 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Luca Coelho <luca@coelho.fi> -X-Patchwork-Id: 11158395 -X-Patchwork-Delegate: kvalo@adurom.com -Return-Path: <SRS0=l3ON=XT=vger.kernel.org=linux-wireless-owner@kernel.org> -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 62FF3112B - for <patchwork-linux-wireless@patchwork.kernel.org>; - Tue, 24 Sep 2019 10:31:06 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 4AA4E214D9 - for <patchwork-linux-wireless@patchwork.kernel.org>; - Tue, 24 Sep 2019 10:31:06 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S2409468AbfIXKbF (ORCPT - <rfc822;patchwork-linux-wireless@patchwork.kernel.org>); - Tue, 24 Sep 2019 06:31:05 -0400 -Received: from paleale.coelho.fi ([176.9.41.70]:44742 "EHLO - farmhouse.coelho.fi" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org - with ESMTP id S2387644AbfIXKbF (ORCPT - <rfc822;linux-wireless@vger.kernel.org>); - Tue, 24 Sep 2019 06:31:05 -0400 -Received: from [91.156.6.193] (helo=redipa.ger.corp.intel.com) - by farmhouse.coelho.fi with esmtpsa - (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) - (Exim 4.92) - (envelope-from <luca@coelho.fi>) - id 1iCi63-0005Je-8E; Tue, 24 Sep 2019 13:31:03 +0300 -From: Luca Coelho <luca@coelho.fi> -To: kvalo@codeaurora.org -Cc: linux-wireless@vger.kernel.org -Date: Tue, 24 Sep 2019 13:30:57 +0300 -Message-Id: <20190924103057.17147-1-luca@coelho.fi> -X-Mailer: git-send-email 2.23.0 -MIME-Version: 1.0 -X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on farmhouse.coelho.fi -X-Spam-Level: -X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, - URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 -Subject: [PATCH v5.4] iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW - version 36 -Sender: linux-wireless-owner@vger.kernel.org -Precedence: bulk -List-ID: <linux-wireless.vger.kernel.org> -X-Mailing-List: linux-wireless@vger.kernel.org - -From: Luca Coelho <luciano.coelho@intel.com> - -The intention was to have the GEO_TX_POWER_LIMIT command in FW version -36 as well, but not all 8000 family got this feature enabled. The -8000 family is the only one using version 36, so skip this version -entirely. If we try to send this command to the firmwares that do not -support it, we get a BAD_COMMAND response from the firmware. - -This fixes https://bugzilla.kernel.org/show_bug.cgi?id=204151. - -Cc: stable@vger.kernel.org # 4.19+ -Signed-off-by: Luca Coelho <luciano.coelho@intel.com> ---- - drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c -index 014eca6596e2..32a5e4e5461f 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c -@@ -889,11 +889,13 @@ static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm) - * firmware versions. Unfortunately, we don't have a TLV API - * flag to rely on, so rely on the major version which is in - * the first byte of ucode_ver. This was implemented -- * initially on version 38 and then backported to 36, 29 and -- * 17. -+ * initially on version 38 and then backported to29 and 17. -+ * The intention was to have it in 36 as well, but not all -+ * 8000 family got this feature enabled. The 8000 family is -+ * the only one using version 36, so skip this version -+ * entirely. - */ - return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 || -- IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 || - IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 || - IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17; - } diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index aed83899b..dbc949f1e 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -360,7 +360,8 @@ CONFIG_ARM_MHU=m CONFIG_ARM_PL172_MPMC=m CONFIG_ARM_PMU=y # CONFIG_ARM_PSCI_CHECKER is not set -# CONFIG_ARM_PSCI_CPUIDLE is not set +CONFIG_ARM_PSCI_CPUIDLE=y +CONFIG_ARM_PSCI_FW=y CONFIG_ARM_PSCI=y CONFIG_ARM_PTDUMP_DEBUGFS=y CONFIG_ARM_QCOM_CPUFREQ_HW=m @@ -385,7 +386,6 @@ CONFIG_ARM_SPE_PMU=m CONFIG_ARM_TEGRA124_CPUFREQ=y CONFIG_ARM_TEGRA186_CPUFREQ=m # CONFIG_ARM_TEGRA20_CPUFREQ is not set -# CONFIG_ARM_TEGRA20_DEVFREQ is not set CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_TIMER_SP804=y CONFIG_ARMV8_DEPRECATED=y @@ -1088,7 +1088,7 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set +CONFIG_CROS_EC_CHARDEV=m CONFIG_CROS_EC_DEBUGFS=m CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m @@ -2051,6 +2051,7 @@ CONFIG_GPIO_MB86S7X=m # CONFIG_GPIO_MC33880 is not set CONFIG_GPIO_MLXBF=m # CONFIG_GPIO_MOCKUP is not set +CONFIG_GPIO_MOXTET=m CONFIG_GPIO_MPC8XXX=y CONFIG_GPIO_MVEBU=y CONFIG_GPIO_PCA953X_IRQ=y @@ -2456,6 +2457,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2477,6 +2479,7 @@ CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set CONFIG_IMX2_WDT=m CONFIG_IMX7D_ADC=m +# CONFIG_IMX7ULP_WDT is not set # CONFIG_IMX_DMA is not set # CONFIG_IMX_DSP is not set CONFIG_IMX_GPCV2_PM_DOMAINS=y @@ -2928,6 +2931,7 @@ CONFIG_KERNEL_MODE_NEON=y # CONFIG_KERNEL_UNCOMPRESSED is not set # CONFIG_KERNEL_XZ is not set # CONFIG_KEXEC_FILE is not set +CONFIG_KEXEC_SIG=y CONFIG_KEXEC=y CONFIG_KEYBOARD_ADC=m # CONFIG_KEYBOARD_ADP5588 is not set @@ -3122,6 +3126,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y CONFIG_LOCK_EVENT_COUNTS=y @@ -3336,8 +3343,8 @@ CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set CONFIG_MFD_CROS_EC_CHARDEV=m -# CONFIG_MFD_CROS_EC_DEV is not set -CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_DEV=m +# CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set # CONFIG_MFD_DA9052_SPI is not set @@ -3574,7 +3581,7 @@ CONFIG_MOUSE_SYNAPTICS_USB=m CONFIG_MOUSE_VSXXXAA=m # CONFIG_MOXA_INTELLIO is not set # CONFIG_MOXA_SMARTIO is not set -# CONFIG_MOXTET is not set +CONFIG_MOXTET=m CONFIG_MPL115_I2C=m # CONFIG_MPL115_SPI is not set # CONFIG_MPL3115 is not set @@ -4310,7 +4317,7 @@ CONFIG_OPENVSWITCH_VXLAN=m CONFIG_OPT3001=m CONFIG_OPTEE=m CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1 -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -5112,7 +5119,7 @@ CONFIG_RTC_DRV_DS3232=m CONFIG_RTC_DRV_EFI=y CONFIG_RTC_DRV_EM3027=m CONFIG_RTC_DRV_FM3130=m -# CONFIG_RTC_DRV_FSL_FTM_ALARM is not set +CONFIG_RTC_DRV_FSL_FTM_ALARM=m # CONFIG_RTC_DRV_FTRTC010 is not set # CONFIG_RTC_DRV_HID_SENSOR_TIME is not set CONFIG_RTC_DRV_HYM8563=m @@ -5133,7 +5140,7 @@ CONFIG_RTC_DRV_MAX6902=m CONFIG_RTC_DRV_MAX6916=m CONFIG_RTC_DRV_MAX77686=m CONFIG_RTC_DRV_MCP795=m -# CONFIG_RTC_DRV_MESON_VRTC is not set +CONFIG_RTC_DRV_MESON_VRTC=m CONFIG_RTC_DRV_MSM6242=m CONFIG_RTC_DRV_MV=m # CONFIG_RTC_DRV_MXC is not set @@ -5374,6 +5381,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5692,7 +5701,7 @@ CONFIG_SMC91X=m CONFIG_SMC_DIAG=m CONFIG_SMC=m # CONFIG_SM_FTL is not set -# CONFIG_SM_GCC_8150 is not set +CONFIG_SM_GCC_8150=y CONFIG_SMP=y CONFIG_SMSC911X=m CONFIG_SMSC9420=m @@ -5783,7 +5792,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -7154,6 +7163,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-aarch64.config b/kernel-aarch64.config index e71cea7fe..e2fcff0a2 100644 --- a/kernel-aarch64.config +++ b/kernel-aarch64.config @@ -360,7 +360,8 @@ CONFIG_ARM_MHU=m CONFIG_ARM_PL172_MPMC=m CONFIG_ARM_PMU=y # CONFIG_ARM_PSCI_CHECKER is not set -# CONFIG_ARM_PSCI_CPUIDLE is not set +CONFIG_ARM_PSCI_CPUIDLE=y +CONFIG_ARM_PSCI_FW=y CONFIG_ARM_PSCI=y # CONFIG_ARM_PTDUMP_DEBUGFS is not set CONFIG_ARM_QCOM_CPUFREQ_HW=m @@ -385,7 +386,6 @@ CONFIG_ARM_SPE_PMU=m CONFIG_ARM_TEGRA124_CPUFREQ=y CONFIG_ARM_TEGRA186_CPUFREQ=m # CONFIG_ARM_TEGRA20_CPUFREQ is not set -# CONFIG_ARM_TEGRA20_DEVFREQ is not set CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_TIMER_SP804=y CONFIG_ARMV8_DEPRECATED=y @@ -1088,7 +1088,7 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set +CONFIG_CROS_EC_CHARDEV=m # CONFIG_CROS_EC_DEBUGFS is not set CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m @@ -2035,6 +2035,7 @@ CONFIG_GPIO_MB86S7X=m # CONFIG_GPIO_MC33880 is not set CONFIG_GPIO_MLXBF=m # CONFIG_GPIO_MOCKUP is not set +CONFIG_GPIO_MOXTET=m CONFIG_GPIO_MPC8XXX=y CONFIG_GPIO_MVEBU=y CONFIG_GPIO_PCA953X_IRQ=y @@ -2440,6 +2441,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2461,6 +2463,7 @@ CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set CONFIG_IMX2_WDT=m CONFIG_IMX7D_ADC=m +# CONFIG_IMX7ULP_WDT is not set # CONFIG_IMX_DMA is not set # CONFIG_IMX_DSP is not set CONFIG_IMX_GPCV2_PM_DOMAINS=y @@ -2910,6 +2913,7 @@ CONFIG_KERNEL_MODE_NEON=y # CONFIG_KERNEL_UNCOMPRESSED is not set # CONFIG_KERNEL_XZ is not set # CONFIG_KEXEC_FILE is not set +CONFIG_KEXEC_SIG=y CONFIG_KEXEC=y CONFIG_KEYBOARD_ADC=m # CONFIG_KEYBOARD_ADP5588 is not set @@ -3104,6 +3108,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y # CONFIG_LOCK_EVENT_COUNTS is not set @@ -3317,8 +3324,8 @@ CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set CONFIG_MFD_CROS_EC_CHARDEV=m -# CONFIG_MFD_CROS_EC_DEV is not set -CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_DEV=m +# CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set # CONFIG_MFD_DA9052_SPI is not set @@ -3554,7 +3561,7 @@ CONFIG_MOUSE_SYNAPTICS_USB=m CONFIG_MOUSE_VSXXXAA=m # CONFIG_MOXA_INTELLIO is not set # CONFIG_MOXA_SMARTIO is not set -# CONFIG_MOXTET is not set +CONFIG_MOXTET=m CONFIG_MPL115_I2C=m # CONFIG_MPL115_SPI is not set # CONFIG_MPL3115 is not set @@ -4290,7 +4297,7 @@ CONFIG_OPENVSWITCH_VXLAN=m CONFIG_OPT3001=m CONFIG_OPTEE=m CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1 -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -5091,7 +5098,7 @@ CONFIG_RTC_DRV_DS3232=m CONFIG_RTC_DRV_EFI=y CONFIG_RTC_DRV_EM3027=m CONFIG_RTC_DRV_FM3130=m -# CONFIG_RTC_DRV_FSL_FTM_ALARM is not set +CONFIG_RTC_DRV_FSL_FTM_ALARM=m # CONFIG_RTC_DRV_FTRTC010 is not set # CONFIG_RTC_DRV_HID_SENSOR_TIME is not set CONFIG_RTC_DRV_HYM8563=m @@ -5112,7 +5119,7 @@ CONFIG_RTC_DRV_MAX6902=m CONFIG_RTC_DRV_MAX6916=m CONFIG_RTC_DRV_MAX77686=m CONFIG_RTC_DRV_MCP795=m -# CONFIG_RTC_DRV_MESON_VRTC is not set +CONFIG_RTC_DRV_MESON_VRTC=m CONFIG_RTC_DRV_MSM6242=m CONFIG_RTC_DRV_MV=m # CONFIG_RTC_DRV_MXC is not set @@ -5353,6 +5360,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5671,7 +5680,7 @@ CONFIG_SMC91X=m CONFIG_SMC_DIAG=m CONFIG_SMC=m # CONFIG_SM_FTL is not set -# CONFIG_SM_GCC_8150 is not set +CONFIG_SM_GCC_8150=y CONFIG_SMP=y CONFIG_SMSC911X=m CONFIG_SMSC9420=m @@ -5762,7 +5771,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -7132,6 +7141,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config index 48d48ae3e..79ab1e0ce 100644 --- a/kernel-armv7hl-debug.config +++ b/kernel-armv7hl-debug.config @@ -352,7 +352,8 @@ CONFIG_ARM_PATCH_IDIV=y CONFIG_ARM_PL172_MPMC=m CONFIG_ARM_PMU=y # CONFIG_ARM_PSCI_CHECKER is not set -# CONFIG_ARM_PSCI_CPUIDLE is not set +CONFIG_ARM_PSCI_CPUIDLE=y +CONFIG_ARM_PSCI_FW=y CONFIG_ARM_PSCI=y CONFIG_ARM_PTDUMP_DEBUGFS=y CONFIG_ARM_QCOM_CPUFREQ_HW=m @@ -372,7 +373,7 @@ CONFIG_ARM_SPE_PMU=m CONFIG_ARM_STI_CPUFREQ=m CONFIG_ARM_TEGRA124_CPUFREQ=y CONFIG_ARM_TEGRA20_CPUFREQ=m -# CONFIG_ARM_TEGRA20_DEVFREQ is not set +CONFIG_ARM_TEGRA20_DEVFREQ=m CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_THUMBEE=y CONFIG_ARM_THUMB=y @@ -1082,7 +1083,7 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set +CONFIG_CROS_EC_CHARDEV=m CONFIG_CROS_EC_DEBUGFS=m CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m @@ -1538,12 +1539,6 @@ CONFIG_DRM_OMAP_ENCODER_OPA362=m CONFIG_DRM_OMAP_ENCODER_TPD12S015=m CONFIG_DRM_OMAP=m CONFIG_DRM_OMAP_PANEL_DSI_CM=m -CONFIG_DRM_OMAP_PANEL_LGPHILIPS_LB035Q02=m -CONFIG_DRM_OMAP_PANEL_NEC_NL8048HL11=m -CONFIG_DRM_OMAP_PANEL_SHARP_LS037V7DW01=m -CONFIG_DRM_OMAP_PANEL_SONY_ACX565AKM=m -CONFIG_DRM_OMAP_PANEL_TPO_TD028TTEC1=m -CONFIG_DRM_OMAP_PANEL_TPO_TD043MTEA1=m CONFIG_DRM_PANEL_ARM_VERSATILE=m CONFIG_DRM_PANEL_BRIDGE=y CONFIG_DRM_PANEL_FEIYANG_FY07024DI26A30D=m @@ -1749,7 +1744,7 @@ CONFIG_EARLY_PRINTK=y CONFIG_ECHO=m CONFIG_ECRYPT_FS=m # CONFIG_ECRYPT_FS_MESSAGING is not set -# CONFIG_EDAC_ARMADA_XP is not set +CONFIG_EDAC_ARMADA_XP=y # CONFIG_EDAC_DEBUG is not set CONFIG_EDAC_GHES=y CONFIG_EDAC_HIGHBANK_L2=m @@ -2071,6 +2066,7 @@ CONFIG_GPIO_MAX77650=m # CONFIG_GPIO_MB86S7X is not set CONFIG_GPIO_MC33880=m # CONFIG_GPIO_MOCKUP is not set +CONFIG_GPIO_MOXTET=m # CONFIG_GPIO_MPC8XXX is not set CONFIG_GPIO_MVEBU=y CONFIG_GPIO_OMAP=y @@ -2482,6 +2478,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2503,6 +2500,7 @@ CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set CONFIG_IMX2_WDT=m CONFIG_IMX7D_ADC=m +# CONFIG_IMX7ULP_WDT is not set # CONFIG_IMX_DMA is not set # CONFIG_IMX_DSP is not set CONFIG_IMX_GPCV2_PM_DOMAINS=y @@ -3162,6 +3160,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y CONFIG_LOCK_EVENT_COUNTS=y @@ -3394,8 +3395,8 @@ CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set CONFIG_MFD_CROS_EC_CHARDEV=m -# CONFIG_MFD_CROS_EC_DEV is not set -CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_DEV=m +# CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set CONFIG_MFD_DA9052_I2C=y CONFIG_MFD_DA9052_SPI=y @@ -3645,7 +3646,7 @@ CONFIG_MOUSE_SYNAPTICS_USB=m CONFIG_MOUSE_VSXXXAA=m # CONFIG_MOXA_INTELLIO is not set # CONFIG_MOXA_SMARTIO is not set -# CONFIG_MOXTET is not set +CONFIG_MOXTET=m CONFIG_MPL115_I2C=m # CONFIG_MPL115_SPI is not set CONFIG_MPL3115=m @@ -4419,7 +4420,7 @@ CONFIG_OPENVSWITCH_VXLAN=m CONFIG_OPT3001=m CONFIG_OPTEE=m CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1 -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -5262,7 +5263,7 @@ CONFIG_RTC_DRV_MAX8997=m CONFIG_RTC_DRV_MC13XXX=m # CONFIG_RTC_DRV_MCP795 is not set CONFIG_RTC_DRV_MESON=m -# CONFIG_RTC_DRV_MESON_VRTC is not set +CONFIG_RTC_DRV_MESON_VRTC=m CONFIG_RTC_DRV_MSM6242=m CONFIG_RTC_DRV_MV=m # CONFIG_RTC_DRV_MXC is not set @@ -5512,6 +5513,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y # CONFIG_SECURITY_INFINIBAND is not set # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5935,7 +5938,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -7466,6 +7469,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config index 5fb1f3b84..5c6ef4a6f 100644 --- a/kernel-armv7hl-lpae-debug.config +++ b/kernel-armv7hl-lpae-debug.config @@ -342,7 +342,8 @@ CONFIG_ARM_PATCH_IDIV=y CONFIG_ARM_PL172_MPMC=m CONFIG_ARM_PMU=y # CONFIG_ARM_PSCI_CHECKER is not set -# CONFIG_ARM_PSCI_CPUIDLE is not set +CONFIG_ARM_PSCI_CPUIDLE=y +CONFIG_ARM_PSCI_FW=y CONFIG_ARM_PSCI=y CONFIG_ARM_PTDUMP_DEBUGFS=y CONFIG_ARM_QCOM_CPUFREQ_HW=m @@ -361,7 +362,6 @@ CONFIG_ARM_SP805_WATCHDOG=m CONFIG_ARM_SPE_PMU=m CONFIG_ARM_TEGRA124_CPUFREQ=y # CONFIG_ARM_TEGRA20_CPUFREQ is not set -# CONFIG_ARM_TEGRA20_DEVFREQ is not set CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_THUMBEE=y CONFIG_ARM_THUMB=y @@ -1050,7 +1050,7 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set +CONFIG_CROS_EC_CHARDEV=m CONFIG_CROS_EC_DEBUGFS=m CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m @@ -1682,7 +1682,7 @@ CONFIG_EARLY_PRINTK=y CONFIG_ECHO=m CONFIG_ECRYPT_FS=m # CONFIG_ECRYPT_FS_MESSAGING is not set -# CONFIG_EDAC_ARMADA_XP is not set +CONFIG_EDAC_ARMADA_XP=y # CONFIG_EDAC_DEBUG is not set CONFIG_EDAC_GHES=y CONFIG_EDAC_HIGHBANK_L2=m @@ -2002,6 +2002,7 @@ CONFIG_GPIO_MAX77650=m # CONFIG_GPIO_MB86S7X is not set CONFIG_GPIO_MC33880=m # CONFIG_GPIO_MOCKUP is not set +CONFIG_GPIO_MOXTET=m # CONFIG_GPIO_MPC8XXX is not set CONFIG_GPIO_MVEBU=y CONFIG_GPIO_PCA953X_IRQ=y @@ -2399,6 +2400,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2420,6 +2422,7 @@ CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set CONFIG_IMX2_WDT=m CONFIG_IMX7D_ADC=m +# CONFIG_IMX7ULP_WDT is not set # CONFIG_IMX_DMA is not set # CONFIG_IMX_DSP is not set CONFIG_IMX_GPCV2_PM_DOMAINS=y @@ -3061,6 +3064,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y CONFIG_LOCK_EVENT_COUNTS=y @@ -3285,8 +3291,8 @@ CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set CONFIG_MFD_CROS_EC_CHARDEV=m -# CONFIG_MFD_CROS_EC_DEV is not set -CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_DEV=m +# CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set # CONFIG_MFD_DA9052_SPI is not set @@ -3526,7 +3532,7 @@ CONFIG_MOUSE_SYNAPTICS_USB=m CONFIG_MOUSE_VSXXXAA=m # CONFIG_MOXA_INTELLIO is not set # CONFIG_MOXA_SMARTIO is not set -# CONFIG_MOXTET is not set +CONFIG_MOXTET=m CONFIG_MPL115_I2C=m # CONFIG_MPL115_SPI is not set CONFIG_MPL3115=m @@ -4255,7 +4261,7 @@ CONFIG_OPENVSWITCH_VXLAN=m CONFIG_OPT3001=m CONFIG_OPTEE=m CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1 -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -5020,7 +5026,7 @@ CONFIG_RTC_DRV_MAX77686=m CONFIG_RTC_DRV_MAX8997=m # CONFIG_RTC_DRV_MCP795 is not set CONFIG_RTC_DRV_MESON=m -# CONFIG_RTC_DRV_MESON_VRTC is not set +CONFIG_RTC_DRV_MESON_VRTC=m CONFIG_RTC_DRV_MSM6242=m CONFIG_RTC_DRV_MV=m # CONFIG_RTC_DRV_MXC is not set @@ -5265,6 +5271,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y # CONFIG_SECURITY_INFINIBAND is not set # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5674,7 +5682,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -7092,6 +7100,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config index 7dd283606..e2e594cff 100644 --- a/kernel-armv7hl-lpae.config +++ b/kernel-armv7hl-lpae.config @@ -342,7 +342,8 @@ CONFIG_ARM_PATCH_IDIV=y CONFIG_ARM_PL172_MPMC=m CONFIG_ARM_PMU=y # CONFIG_ARM_PSCI_CHECKER is not set -# CONFIG_ARM_PSCI_CPUIDLE is not set +CONFIG_ARM_PSCI_CPUIDLE=y +CONFIG_ARM_PSCI_FW=y CONFIG_ARM_PSCI=y # CONFIG_ARM_PTDUMP_DEBUGFS is not set CONFIG_ARM_QCOM_CPUFREQ_HW=m @@ -361,7 +362,6 @@ CONFIG_ARM_SP805_WATCHDOG=m CONFIG_ARM_SPE_PMU=m CONFIG_ARM_TEGRA124_CPUFREQ=y # CONFIG_ARM_TEGRA20_CPUFREQ is not set -# CONFIG_ARM_TEGRA20_DEVFREQ is not set CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_THUMBEE=y CONFIG_ARM_THUMB=y @@ -1050,7 +1050,7 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set +CONFIG_CROS_EC_CHARDEV=m # CONFIG_CROS_EC_DEBUGFS is not set CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m @@ -1675,7 +1675,7 @@ CONFIG_EARLY_PRINTK=y CONFIG_ECHO=m CONFIG_ECRYPT_FS=m # CONFIG_ECRYPT_FS_MESSAGING is not set -# CONFIG_EDAC_ARMADA_XP is not set +CONFIG_EDAC_ARMADA_XP=y # CONFIG_EDAC_DEBUG is not set CONFIG_EDAC_GHES=y CONFIG_EDAC_HIGHBANK_L2=m @@ -1987,6 +1987,7 @@ CONFIG_GPIO_MAX77650=m # CONFIG_GPIO_MB86S7X is not set CONFIG_GPIO_MC33880=m # CONFIG_GPIO_MOCKUP is not set +CONFIG_GPIO_MOXTET=m # CONFIG_GPIO_MPC8XXX is not set CONFIG_GPIO_MVEBU=y CONFIG_GPIO_PCA953X_IRQ=y @@ -2384,6 +2385,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2405,6 +2407,7 @@ CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set CONFIG_IMX2_WDT=m CONFIG_IMX7D_ADC=m +# CONFIG_IMX7ULP_WDT is not set # CONFIG_IMX_DMA is not set # CONFIG_IMX_DSP is not set CONFIG_IMX_GPCV2_PM_DOMAINS=y @@ -3044,6 +3047,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y # CONFIG_LOCK_EVENT_COUNTS is not set @@ -3267,8 +3273,8 @@ CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set CONFIG_MFD_CROS_EC_CHARDEV=m -# CONFIG_MFD_CROS_EC_DEV is not set -CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_DEV=m +# CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set # CONFIG_MFD_DA9052_SPI is not set @@ -3507,7 +3513,7 @@ CONFIG_MOUSE_SYNAPTICS_USB=m CONFIG_MOUSE_VSXXXAA=m # CONFIG_MOXA_INTELLIO is not set # CONFIG_MOXA_SMARTIO is not set -# CONFIG_MOXTET is not set +CONFIG_MOXTET=m CONFIG_MPL115_I2C=m # CONFIG_MPL115_SPI is not set CONFIG_MPL3115=m @@ -4236,7 +4242,7 @@ CONFIG_OPENVSWITCH_VXLAN=m CONFIG_OPT3001=m CONFIG_OPTEE=m CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1 -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -5000,7 +5006,7 @@ CONFIG_RTC_DRV_MAX77686=m CONFIG_RTC_DRV_MAX8997=m # CONFIG_RTC_DRV_MCP795 is not set CONFIG_RTC_DRV_MESON=m -# CONFIG_RTC_DRV_MESON_VRTC is not set +CONFIG_RTC_DRV_MESON_VRTC=m CONFIG_RTC_DRV_MSM6242=m CONFIG_RTC_DRV_MV=m # CONFIG_RTC_DRV_MXC is not set @@ -5245,6 +5251,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y # CONFIG_SECURITY_INFINIBAND is not set # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5654,7 +5662,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -7071,6 +7079,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config index f4f5ab153..5fb99fb42 100644 --- a/kernel-armv7hl.config +++ b/kernel-armv7hl.config @@ -352,7 +352,8 @@ CONFIG_ARM_PATCH_IDIV=y CONFIG_ARM_PL172_MPMC=m CONFIG_ARM_PMU=y # CONFIG_ARM_PSCI_CHECKER is not set -# CONFIG_ARM_PSCI_CPUIDLE is not set +CONFIG_ARM_PSCI_CPUIDLE=y +CONFIG_ARM_PSCI_FW=y CONFIG_ARM_PSCI=y # CONFIG_ARM_PTDUMP_DEBUGFS is not set CONFIG_ARM_QCOM_CPUFREQ_HW=m @@ -372,7 +373,7 @@ CONFIG_ARM_SPE_PMU=m CONFIG_ARM_STI_CPUFREQ=m CONFIG_ARM_TEGRA124_CPUFREQ=y CONFIG_ARM_TEGRA20_CPUFREQ=m -# CONFIG_ARM_TEGRA20_DEVFREQ is not set +CONFIG_ARM_TEGRA20_DEVFREQ=m CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_THUMBEE=y CONFIG_ARM_THUMB=y @@ -1082,7 +1083,7 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set +CONFIG_CROS_EC_CHARDEV=m # CONFIG_CROS_EC_DEBUGFS is not set CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m @@ -1531,12 +1532,6 @@ CONFIG_DRM_OMAP_ENCODER_OPA362=m CONFIG_DRM_OMAP_ENCODER_TPD12S015=m CONFIG_DRM_OMAP=m CONFIG_DRM_OMAP_PANEL_DSI_CM=m -CONFIG_DRM_OMAP_PANEL_LGPHILIPS_LB035Q02=m -CONFIG_DRM_OMAP_PANEL_NEC_NL8048HL11=m -CONFIG_DRM_OMAP_PANEL_SHARP_LS037V7DW01=m -CONFIG_DRM_OMAP_PANEL_SONY_ACX565AKM=m -CONFIG_DRM_OMAP_PANEL_TPO_TD028TTEC1=m -CONFIG_DRM_OMAP_PANEL_TPO_TD043MTEA1=m CONFIG_DRM_PANEL_ARM_VERSATILE=m CONFIG_DRM_PANEL_BRIDGE=y CONFIG_DRM_PANEL_FEIYANG_FY07024DI26A30D=m @@ -1742,7 +1737,7 @@ CONFIG_EARLY_PRINTK=y CONFIG_ECHO=m CONFIG_ECRYPT_FS=m # CONFIG_ECRYPT_FS_MESSAGING is not set -# CONFIG_EDAC_ARMADA_XP is not set +CONFIG_EDAC_ARMADA_XP=y # CONFIG_EDAC_DEBUG is not set CONFIG_EDAC_GHES=y CONFIG_EDAC_HIGHBANK_L2=m @@ -2056,6 +2051,7 @@ CONFIG_GPIO_MAX77650=m # CONFIG_GPIO_MB86S7X is not set CONFIG_GPIO_MC33880=m # CONFIG_GPIO_MOCKUP is not set +CONFIG_GPIO_MOXTET=m # CONFIG_GPIO_MPC8XXX is not set CONFIG_GPIO_MVEBU=y CONFIG_GPIO_OMAP=y @@ -2467,6 +2463,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2488,6 +2485,7 @@ CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set CONFIG_IMX2_WDT=m CONFIG_IMX7D_ADC=m +# CONFIG_IMX7ULP_WDT is not set # CONFIG_IMX_DMA is not set # CONFIG_IMX_DSP is not set CONFIG_IMX_GPCV2_PM_DOMAINS=y @@ -3145,6 +3143,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y # CONFIG_LOCK_EVENT_COUNTS is not set @@ -3376,8 +3377,8 @@ CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set CONFIG_MFD_CROS_EC_CHARDEV=m -# CONFIG_MFD_CROS_EC_DEV is not set -CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_DEV=m +# CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set CONFIG_MFD_DA9052_I2C=y CONFIG_MFD_DA9052_SPI=y @@ -3626,7 +3627,7 @@ CONFIG_MOUSE_SYNAPTICS_USB=m CONFIG_MOUSE_VSXXXAA=m # CONFIG_MOXA_INTELLIO is not set # CONFIG_MOXA_SMARTIO is not set -# CONFIG_MOXTET is not set +CONFIG_MOXTET=m CONFIG_MPL115_I2C=m # CONFIG_MPL115_SPI is not set CONFIG_MPL3115=m @@ -4400,7 +4401,7 @@ CONFIG_OPENVSWITCH_VXLAN=m CONFIG_OPT3001=m CONFIG_OPTEE=m CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1 -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -5242,7 +5243,7 @@ CONFIG_RTC_DRV_MAX8997=m CONFIG_RTC_DRV_MC13XXX=m # CONFIG_RTC_DRV_MCP795 is not set CONFIG_RTC_DRV_MESON=m -# CONFIG_RTC_DRV_MESON_VRTC is not set +CONFIG_RTC_DRV_MESON_VRTC=m CONFIG_RTC_DRV_MSM6242=m CONFIG_RTC_DRV_MV=m # CONFIG_RTC_DRV_MXC is not set @@ -5492,6 +5493,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y # CONFIG_SECURITY_INFINIBAND is not set # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5915,7 +5918,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -7445,6 +7448,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index d1cd36275..534a21f04 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -885,16 +885,11 @@ CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_PMIC_OPREGION=y CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set CONFIG_CROS_EC_DEBUGFS=m -CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m +# CONFIG_CROS_EC is not set # CONFIG_CROS_EC_LIGHTBAR is not set -# CONFIG_CROS_EC_LPC is not set -CONFIG_CROS_EC=m -CONFIG_CROS_EC_PROTO=y CONFIG_CROS_EC_RPMSG=m -CONFIG_CROS_EC_SPI=m CONFIG_CROS_KBD_LED_BACKLIGHT=m CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_CROS_USBPD_LOGGER=m @@ -1541,7 +1536,6 @@ CONFIG_EXTCON_INTEL_INT3496=m # CONFIG_EXTCON_QCOM_SPMI_MISC is not set # CONFIG_EXTCON_RT8973A is not set # CONFIG_EXTCON_SM5502 is not set -# CONFIG_EXTCON_USBC_CROS_EC is not set # CONFIG_EXTCON_USB_GPIO is not set CONFIG_EXTCON=y CONFIG_EXTRA_FIRMWARE="" @@ -2061,7 +2055,6 @@ CONFIG_I2C_AMD_MP2=m # CONFIG_I2C_CBUS_GPIO is not set CONFIG_I2C_CHARDEV=m CONFIG_I2C_COMPAT=y -# CONFIG_I2C_CROS_EC_TUNNEL is not set # CONFIG_I2C_DEBUG_ALGO is not set # CONFIG_I2C_DEBUG_BUS is not set # CONFIG_I2C_DEBUG_CORE is not set @@ -2169,7 +2162,6 @@ CONFIG_IIO_BUFFER=y CONFIG_IIO_CONFIGFS=m CONFIG_IIO_CONSUMERS_PER_TRIGGER=2 CONFIG_IIO_CROS_EC_ACCEL_LEGACY=m -# CONFIG_IIO_CROS_EC_SENSORS_CORE is not set # CONFIG_IIO_CROS_EC_SENSORS_LID_ANGLE is not set # CONFIG_IIO_HRTIMER_TRIGGER is not set CONFIG_IIO_INTERRUPT_TRIGGER=m @@ -2198,6 +2190,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2695,7 +2688,6 @@ CONFIG_KEXEC=y CONFIG_KEYBOARD_ATKBD=y # CONFIG_KEYBOARD_BCM is not set # CONFIG_KEYBOARD_CAP11XX is not set -# CONFIG_KEYBOARD_CROS_EC is not set # CONFIG_KEYBOARD_DLINK_DIR685 is not set CONFIG_KEYBOARD_GPIO=m CONFIG_KEYBOARD_GPIO_POLLED=m @@ -2878,7 +2870,10 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCKD_V4=y CONFIG_LOCK_EVENT_COUNTS=y @@ -3077,7 +3072,6 @@ CONFIG_MFD_AT91_USART=m CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set -# CONFIG_MFD_CROS_EC_DEV is not set # CONFIG_MFD_CROS_EC is not set CONFIG_MFD_CS5535=y # CONFIG_MFD_DA9052_I2C is not set @@ -3996,7 +3990,7 @@ CONFIG_OPENVSWITCH=m CONFIG_OPENVSWITCH_VXLAN=m # CONFIG_OPROFILE is not set CONFIG_OPT3001=m -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -4352,7 +4346,6 @@ CONFIG_PTP_1588_CLOCK=y CONFIG_PVH=y CONFIG_PVPANIC=m CONFIG_PWM_CRC=y -# CONFIG_PWM_CROS_EC is not set # CONFIG_PWM_FSL_FTM is not set CONFIG_PWM_HIBVT=m CONFIG_PWM_LPSS=m @@ -4594,7 +4587,6 @@ CONFIG_RTC_DRV_BQ32K=m CONFIG_RTC_DRV_BQ4802=m # CONFIG_RTC_DRV_CADENCE is not set CONFIG_RTC_DRV_CMOS=y -# CONFIG_RTC_DRV_CROS_EC is not set CONFIG_RTC_DRV_DS1286=m # CONFIG_RTC_DRV_DS1302 is not set CONFIG_RTC_DRV_DS1305=m @@ -4866,6 +4858,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5257,7 +5251,7 @@ CONFIG_SND_HDA_HWDEP=y CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y -CONFIG_SND_HDA_INTEL_DETECT_DMIC=y +# CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set CONFIG_SND_HDA_INTEL=m CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 @@ -5340,7 +5334,6 @@ CONFIG_SND_SOC_AMD_CZ_RT5645_MACH=m # CONFIG_SND_SOC_ARNDALE_RT5631_ALC5631 is not set CONFIG_SND_SOC_BD28623=m # CONFIG_SND_SOC_BT_SCO is not set -# CONFIG_SND_SOC_CROS_EC_CODEC is not set # CONFIG_SND_SOC_CS35L32 is not set # CONFIG_SND_SOC_CS35L33 is not set CONFIG_SND_SOC_CS35L34=m @@ -5722,7 +5715,6 @@ CONFIG_TASK_XACCT=y CONFIG_TC1100_WMI=m CONFIG_TCG_ATMEL=m CONFIG_TCG_CRB=y -CONFIG_TCG_FTPM_TEE=m CONFIG_TCG_INFINEON=m CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set @@ -6415,7 +6407,7 @@ CONFIG_VIDEO_BT848=m # CONFIG_VIDEO_CADENCE is not set CONFIG_VIDEO_CAFE_CCIC=m CONFIG_VIDEO_CPIA2=m -CONFIG_VIDEO_CROS_EC_CEC=m +# CONFIG_VIDEO_CROS_EC_CEC is not set CONFIG_VIDEO_CX18_ALSA=m CONFIG_VIDEO_CX18=m CONFIG_VIDEO_CX231XX_ALSA=m @@ -6494,6 +6486,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-i686.config b/kernel-i686.config index 52b88adff..0d0f48582 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -884,16 +884,11 @@ CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_PMIC_OPREGION=y CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set # CONFIG_CROS_EC_DEBUGFS is not set -CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m +# CONFIG_CROS_EC is not set # CONFIG_CROS_EC_LIGHTBAR is not set -# CONFIG_CROS_EC_LPC is not set -CONFIG_CROS_EC=m -CONFIG_CROS_EC_PROTO=y CONFIG_CROS_EC_RPMSG=m -CONFIG_CROS_EC_SPI=m CONFIG_CROS_KBD_LED_BACKLIGHT=m CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_CROS_USBPD_LOGGER=m @@ -1532,7 +1527,6 @@ CONFIG_EXTCON_INTEL_INT3496=m # CONFIG_EXTCON_QCOM_SPMI_MISC is not set # CONFIG_EXTCON_RT8973A is not set # CONFIG_EXTCON_SM5502 is not set -# CONFIG_EXTCON_USBC_CROS_EC is not set # CONFIG_EXTCON_USB_GPIO is not set CONFIG_EXTCON=y CONFIG_EXTRA_FIRMWARE="" @@ -2044,7 +2038,6 @@ CONFIG_I2C_AMD_MP2=m # CONFIG_I2C_CBUS_GPIO is not set CONFIG_I2C_CHARDEV=m CONFIG_I2C_COMPAT=y -# CONFIG_I2C_CROS_EC_TUNNEL is not set # CONFIG_I2C_DEBUG_ALGO is not set # CONFIG_I2C_DEBUG_BUS is not set # CONFIG_I2C_DEBUG_CORE is not set @@ -2152,7 +2145,6 @@ CONFIG_IIO_BUFFER=y CONFIG_IIO_CONFIGFS=m CONFIG_IIO_CONSUMERS_PER_TRIGGER=2 CONFIG_IIO_CROS_EC_ACCEL_LEGACY=m -# CONFIG_IIO_CROS_EC_SENSORS_CORE is not set # CONFIG_IIO_CROS_EC_SENSORS_LID_ANGLE is not set # CONFIG_IIO_HRTIMER_TRIGGER is not set CONFIG_IIO_INTERRUPT_TRIGGER=m @@ -2181,6 +2173,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2676,7 +2669,6 @@ CONFIG_KEXEC=y CONFIG_KEYBOARD_ATKBD=y # CONFIG_KEYBOARD_BCM is not set # CONFIG_KEYBOARD_CAP11XX is not set -# CONFIG_KEYBOARD_CROS_EC is not set # CONFIG_KEYBOARD_DLINK_DIR685 is not set CONFIG_KEYBOARD_GPIO=m CONFIG_KEYBOARD_GPIO_POLLED=m @@ -2859,7 +2851,10 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCKD_V4=y # CONFIG_LOCK_EVENT_COUNTS is not set @@ -3058,7 +3053,6 @@ CONFIG_MFD_AT91_USART=m CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set -# CONFIG_MFD_CROS_EC_DEV is not set # CONFIG_MFD_CROS_EC is not set CONFIG_MFD_CS5535=y # CONFIG_MFD_DA9052_I2C is not set @@ -3977,7 +3971,7 @@ CONFIG_OPENVSWITCH=m CONFIG_OPENVSWITCH_VXLAN=m # CONFIG_OPROFILE is not set CONFIG_OPT3001=m -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -4332,7 +4326,6 @@ CONFIG_PTP_1588_CLOCK=y CONFIG_PVH=y CONFIG_PVPANIC=m CONFIG_PWM_CRC=y -# CONFIG_PWM_CROS_EC is not set # CONFIG_PWM_FSL_FTM is not set CONFIG_PWM_HIBVT=m CONFIG_PWM_LPSS=m @@ -4574,7 +4567,6 @@ CONFIG_RTC_DRV_BQ32K=m CONFIG_RTC_DRV_BQ4802=m # CONFIG_RTC_DRV_CADENCE is not set CONFIG_RTC_DRV_CMOS=y -# CONFIG_RTC_DRV_CROS_EC is not set CONFIG_RTC_DRV_DS1286=m # CONFIG_RTC_DRV_DS1302 is not set CONFIG_RTC_DRV_DS1305=m @@ -4846,6 +4838,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5237,7 +5231,7 @@ CONFIG_SND_HDA_HWDEP=y CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y -CONFIG_SND_HDA_INTEL_DETECT_DMIC=y +# CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set CONFIG_SND_HDA_INTEL=m CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 @@ -5319,7 +5313,6 @@ CONFIG_SND_SOC_AMD_CZ_RT5645_MACH=m # CONFIG_SND_SOC_ARNDALE_RT5631_ALC5631 is not set CONFIG_SND_SOC_BD28623=m # CONFIG_SND_SOC_BT_SCO is not set -# CONFIG_SND_SOC_CROS_EC_CODEC is not set # CONFIG_SND_SOC_CS35L32 is not set # CONFIG_SND_SOC_CS35L33 is not set CONFIG_SND_SOC_CS35L34=m @@ -5701,7 +5694,6 @@ CONFIG_TASK_XACCT=y CONFIG_TC1100_WMI=m CONFIG_TCG_ATMEL=m CONFIG_TCG_CRB=y -CONFIG_TCG_FTPM_TEE=m CONFIG_TCG_INFINEON=m CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set @@ -6394,7 +6386,7 @@ CONFIG_VIDEO_BT848=m # CONFIG_VIDEO_CADENCE is not set CONFIG_VIDEO_CAFE_CCIC=m CONFIG_VIDEO_CPIA2=m -CONFIG_VIDEO_CROS_EC_CEC=m +# CONFIG_VIDEO_CROS_EC_CEC is not set CONFIG_VIDEO_CX18_ALSA=m CONFIG_VIDEO_CX18=m CONFIG_VIDEO_CX231XX_ALSA=m @@ -6473,6 +6465,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config index 92b5d37a1..316e6e492 100644 --- a/kernel-ppc64le-debug.config +++ b/kernel-ppc64le-debug.config @@ -823,7 +823,6 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set # CONFIG_CROS_EC_DEBUGFS is not set CONFIG_CROS_EC_ISHTP=m # CONFIG_CROS_EC is not set @@ -1999,6 +1998,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2624,6 +2624,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y CONFIG_LOCK_EVENT_COUNTS=y @@ -2819,7 +2822,6 @@ CONFIG_MFD_AT91_USART=m CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=m # CONFIG_MFD_CPCAP is not set -# CONFIG_MFD_CROS_EC_DEV is not set # CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set @@ -3708,7 +3710,7 @@ CONFIG_OPENVSWITCH=m CONFIG_OPENVSWITCH_VXLAN=m # CONFIG_OPROFILE is not set CONFIG_OPT3001=m -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -4555,6 +4557,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -4933,7 +4937,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -5334,7 +5338,6 @@ CONFIG_TASKSTATS=y CONFIG_TASK_XACCT=y CONFIG_TCG_ATMEL=m CONFIG_TCG_CRB=y -CONFIG_TCG_FTPM_TEE=m # CONFIG_TCG_INFINEON is not set CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set @@ -6087,6 +6090,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config index 6a5b4fc5e..fec43aed8 100644 --- a/kernel-ppc64le.config +++ b/kernel-ppc64le.config @@ -822,7 +822,6 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set # CONFIG_CROS_EC_DEBUGFS is not set CONFIG_CROS_EC_ISHTP=m # CONFIG_CROS_EC is not set @@ -1982,6 +1981,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2605,6 +2605,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y # CONFIG_LOCK_EVENT_COUNTS is not set @@ -2799,7 +2802,6 @@ CONFIG_MFD_AT91_USART=m CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=m # CONFIG_MFD_CPCAP is not set -# CONFIG_MFD_CROS_EC_DEV is not set # CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set @@ -3687,7 +3689,7 @@ CONFIG_OPENVSWITCH=m CONFIG_OPENVSWITCH_VXLAN=m # CONFIG_OPROFILE is not set CONFIG_OPT3001=m -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -4533,6 +4535,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -4911,7 +4915,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -5311,7 +5315,6 @@ CONFIG_TASKSTATS=y CONFIG_TASK_XACCT=y CONFIG_TCG_ATMEL=m CONFIG_TCG_CRB=y -CONFIG_TCG_FTPM_TEE=m # CONFIG_TCG_INFINEON is not set CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set @@ -6064,6 +6067,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config index df5319d73..301d9d7eb 100644 --- a/kernel-s390x-debug.config +++ b/kernel-s390x-debug.config @@ -829,7 +829,6 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set # CONFIG_CROS_EC_DEBUGFS is not set CONFIG_CROS_EC_ISHTP=m # CONFIG_CROS_EC is not set @@ -1979,6 +1978,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2416,6 +2416,7 @@ CONFIG_KERNEL_GZIP=y # CONFIG_KERNEL_UNCOMPRESSED is not set # CONFIG_KERNEL_XZ is not set CONFIG_KEXEC_FILE=y +CONFIG_KEXEC_SIG=y # CONFIG_KEXEC_VERIFY_SIG is not set CONFIG_KEXEC=y # CONFIG_KEYBOARD_ADC is not set @@ -2600,6 +2601,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y CONFIG_LOCK_EVENT_COUNTS=y @@ -2795,7 +2799,6 @@ CONFIG_MFD_AT91_USART=m # CONFIG_MFD_BD9571MWV is not set CONFIG_MFD_CORE=m # CONFIG_MFD_CPCAP is not set -# CONFIG_MFD_CROS_EC_DEV is not set # CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set @@ -3675,7 +3678,7 @@ CONFIG_OPENVSWITCH=m CONFIG_OPENVSWITCH_VXLAN=m # CONFIG_OPROFILE is not set CONFIG_OPT3001=m -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -4501,6 +4504,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -4876,7 +4881,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -5270,7 +5275,6 @@ CONFIG_TASKSTATS=y CONFIG_TASK_XACCT=y CONFIG_TCG_ATMEL=m CONFIG_TCG_CRB=y -CONFIG_TCG_FTPM_TEE=m # CONFIG_TCG_INFINEON is not set CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set @@ -6026,6 +6030,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=y +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-s390x.config b/kernel-s390x.config index 6a0f49513..e9c67dc4f 100644 --- a/kernel-s390x.config +++ b/kernel-s390x.config @@ -828,7 +828,6 @@ CONFIG_CRC8=m CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set # CONFIG_CROS_EC_DEBUGFS is not set CONFIG_CROS_EC_ISHTP=m # CONFIG_CROS_EC is not set @@ -1962,6 +1961,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2397,6 +2397,7 @@ CONFIG_KERNEL_GZIP=y # CONFIG_KERNEL_UNCOMPRESSED is not set # CONFIG_KERNEL_XZ is not set CONFIG_KEXEC_FILE=y +CONFIG_KEXEC_SIG=y # CONFIG_KEXEC_VERIFY_SIG is not set CONFIG_KEXEC=y # CONFIG_KEYBOARD_ADC is not set @@ -2581,6 +2582,9 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL is not set CONFIG_LOCKD_V4=y # CONFIG_LOCK_EVENT_COUNTS is not set @@ -2775,7 +2779,6 @@ CONFIG_MFD_AT91_USART=m # CONFIG_MFD_BD9571MWV is not set CONFIG_MFD_CORE=m # CONFIG_MFD_CPCAP is not set -# CONFIG_MFD_CROS_EC_DEV is not set # CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set @@ -3654,7 +3657,7 @@ CONFIG_OPENVSWITCH=m CONFIG_OPENVSWITCH_VXLAN=m # CONFIG_OPROFILE is not set CONFIG_OPT3001=m -# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_OPTIMIZE_INLINING=y CONFIG_OPTPROBES=y CONFIG_ORANGEFS_FS=m CONFIG_ORINOCO_USB=m @@ -4479,6 +4482,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -4854,7 +4859,7 @@ CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y # CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set -CONFIG_SND_HDA_INTEL=m +# CONFIG_SND_HDA_INTEL is not set CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 CONFIG_SND_HDA_PREALLOC_SIZE=4096 @@ -5247,7 +5252,6 @@ CONFIG_TASKSTATS=y CONFIG_TASK_XACCT=y CONFIG_TCG_ATMEL=m CONFIG_TCG_CRB=y -CONFIG_TCG_FTPM_TEE=m # CONFIG_TCG_INFINEON is not set CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set @@ -6003,6 +6007,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=y +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index 86dd39864..3e92006d3 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config @@ -899,16 +899,13 @@ CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_PMIC_OPREGION=y CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set +CONFIG_CROS_EC_CHARDEV=m CONFIG_CROS_EC_DEBUGFS=m -CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m +# CONFIG_CROS_EC is not set CONFIG_CROS_EC_LIGHTBAR=m CONFIG_CROS_EC_LPC=m -CONFIG_CROS_EC=m -CONFIG_CROS_EC_PROTO=y CONFIG_CROS_EC_RPMSG=m -CONFIG_CROS_EC_SPI=m CONFIG_CROS_EC_SYSFS=m CONFIG_CROS_KBD_LED_BACKLIGHT=m CONFIG_CROSS_MEMORY_ATTACH=y @@ -2237,6 +2234,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2929,7 +2927,10 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCKD_V4=y CONFIG_LOCK_EVENT_COUNTS=y @@ -3124,8 +3125,8 @@ CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set CONFIG_MFD_CROS_EC_CHARDEV=m -# CONFIG_MFD_CROS_EC_DEV is not set -CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_DEV=m +# CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set # CONFIG_MFD_DA9052_SPI is not set @@ -4907,6 +4908,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5304,7 +5307,7 @@ CONFIG_SND_HDA_HWDEP=y CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y -CONFIG_SND_HDA_INTEL_DETECT_DMIC=y +# CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set CONFIG_SND_HDA_INTEL=m CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 @@ -5772,7 +5775,6 @@ CONFIG_TASKSTATS=y CONFIG_TASK_XACCT=y CONFIG_TCG_ATMEL=m CONFIG_TCG_CRB=y -CONFIG_TCG_FTPM_TEE=m CONFIG_TCG_INFINEON=m CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set @@ -6467,7 +6469,7 @@ CONFIG_VIDEO_BT848=m # CONFIG_VIDEO_CADENCE is not set # CONFIG_VIDEO_CAFE_CCIC is not set CONFIG_VIDEO_CPIA2=m -CONFIG_VIDEO_CROS_EC_CEC=m +# CONFIG_VIDEO_CROS_EC_CEC is not set CONFIG_VIDEO_CX18_ALSA=m CONFIG_VIDEO_CX18=m CONFIG_VIDEO_CX231XX_ALSA=m @@ -6546,6 +6548,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel-x86_64.config b/kernel-x86_64.config index 8328f1911..6aa6c712b 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -898,16 +898,13 @@ CONFIG_CRC_CCITT=y CONFIG_CRC_ITU_T=m CONFIG_CRC_PMIC_OPREGION=y CONFIG_CRC_T10DIF=y -# CONFIG_CROS_EC_CHARDEV is not set +CONFIG_CROS_EC_CHARDEV=m # CONFIG_CROS_EC_DEBUGFS is not set -CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m +# CONFIG_CROS_EC is not set CONFIG_CROS_EC_LIGHTBAR=m CONFIG_CROS_EC_LPC=m -CONFIG_CROS_EC=m -CONFIG_CROS_EC_PROTO=y CONFIG_CROS_EC_RPMSG=m -CONFIG_CROS_EC_SPI=m CONFIG_CROS_EC_SYSFS=m CONFIG_CROS_KBD_LED_BACKLIGHT=m CONFIG_CROSS_MEMORY_ATTACH=y @@ -2220,6 +2217,7 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -2910,7 +2908,10 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCKD_V4=y # CONFIG_LOCK_EVENT_COUNTS is not set @@ -3105,8 +3106,8 @@ CONFIG_MFD_BD9571MWV=m CONFIG_MFD_CORE=y # CONFIG_MFD_CPCAP is not set CONFIG_MFD_CROS_EC_CHARDEV=m -# CONFIG_MFD_CROS_EC_DEV is not set -CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_DEV=m +# CONFIG_MFD_CROS_EC is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_DA9052_I2C is not set # CONFIG_MFD_DA9052_SPI is not set @@ -4887,6 +4888,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_PATH is not set @@ -5284,7 +5287,7 @@ CONFIG_SND_HDA_HWDEP=y CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_INPUT_BEEP_MODE=0 CONFIG_SND_HDA_INPUT_BEEP=y -CONFIG_SND_HDA_INTEL_DETECT_DMIC=y +# CONFIG_SND_HDA_INTEL_DETECT_DMIC is not set CONFIG_SND_HDA_INTEL=m CONFIG_SND_HDA_PATCH_LOADER=y CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 @@ -5751,7 +5754,6 @@ CONFIG_TASKSTATS=y CONFIG_TASK_XACCT=y CONFIG_TCG_ATMEL=m CONFIG_TCG_CRB=y -CONFIG_TCG_FTPM_TEE=m CONFIG_TCG_INFINEON=m CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set @@ -6446,7 +6448,7 @@ CONFIG_VIDEO_BT848=m # CONFIG_VIDEO_CADENCE is not set # CONFIG_VIDEO_CAFE_CCIC is not set CONFIG_VIDEO_CPIA2=m -CONFIG_VIDEO_CROS_EC_CEC=m +# CONFIG_VIDEO_CROS_EC_CEC is not set CONFIG_VIDEO_CX18_ALSA=m CONFIG_VIDEO_CX18=m CONFIG_VIDEO_CX231XX_ALSA=m @@ -6525,6 +6527,7 @@ CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set CONFIG_VIRTIO_CONSOLE=m +CONFIG_VIRTIO_FS=m CONFIG_VIRTIO_INPUT=m # CONFIG_VIRTIO_IOMMU is not set CONFIG_VIRTIO_MENU=y diff --git a/kernel.spec b/kernel.spec index 2ce755ccf..11678608d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -516,7 +516,7 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch # 200 - x86 / secureboot -Patch201: efi-lockdown.patch +# Patch201: efi-lockdown.patch # bz 1497559 - Make kernel MODSIGN code not error on missing variables Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch @@ -551,10 +551,6 @@ Patch320: arm64-tegra-jetson-tx1-fixes.patch # https://www.spinics.net/lists/linux-tegra/msg43110.html Patch321: arm64-tegra-Jetson-TX2-Allow-bootloader-to-configure.patch -# QCom laptop bits -# https://patchwork.kernel.org/patch/11133827/ -Patch330: arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch - # 400 - IBM (ppc/s390x) patches # 500 - Temp fixes/CVEs etc @@ -568,8 +564,9 @@ Patch502: 0001-Drop-that-for-now.patch # Submitted upstream at https://lkml.org/lkml/2019/4/23/89 Patch503: KEYS-Make-use-of-platform-keyring-for-module-signature.patch -# https://patchwork.kernel.org/patch/11158395/ -Patch504: iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch +# Fixes a boot hang on debug kernels +# https://bugzilla.redhat.com/show_bug.cgi?id=1756655 +Patch504: 0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch # END OF PATCH DEFINITIONS @@ -1775,6 +1772,15 @@ fi # # %changelog +* Wed Oct 02 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-0.rc1.git0.1 +- Linux v5.4-rc1 + +* Wed Oct 02 2019 Jeremy Cline <jcline@redhat.com> +- Disable debugging options. + +* Mon Sep 30 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-0.rc0.git9.1 +- Linux v5.3-13236-g97f9a3c4eee5 + * Thu Sep 26 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-0.rc0.git8.1 - Linux v5.3-12397-gf41def397161 |