authorThorsten Leemhuis <fedora@leemhuis.info>2020-03-21 06:22:28 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2020-03-21 06:22:28 +0100
commit2b1c0c48627fe757dafbd0c2c51ee6124e15181c (patch)
tree6622cb6461cae448c5838a049f787c5997f3f987
parent7ffee9e655f6d3c8ae7a1d7006377947be014cc6 (diff)
parent8323383234985150c0578cc47e885d7d6fe72759 (diff)
-rw-r--r--efi-secureboot.patch2
-rw-r--r--gitrev2
-rw-r--r--kernel.spec6
-rw-r--r--s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch4
-rw-r--r--sources3
5 files changed, 10 insertions, 7 deletions
diff --git a/efi-secureboot.patch b/efi-secureboot.patch
index 326c73a0f..90ac9feca 100644
--- a/efi-secureboot.patch
+++ b/efi-secureboot.patch
@@ -303,7 +303,7 @@ index 1797623b0c3a..fa8ac411bf6e 100644
+
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ if (efi_enabled(EFI_SECURE_BOOT))
-+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
+#endif
+
dmi_setup();
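Review bot: The new `LOCKDOWN_INTEGRITY_MAX` argument on the `security_lock_kernel_down("EFI Secure Boot mode", ...)` line lowers what Secure Boot enforces by default, and nothing in the hunk records that trade-off: integrity mode still restricts the paths that modify the running kernel, but the confidentiality-only restrictions (reads of kernel memory through interfaces such as /proc/kcore, kprobes, perf or the BPF read helpers) are no longer applied automatically. A comment above the call would mark this as deliberate, for example `/* Integrity only by default (rhbz 1815571); confidentiality has to be requested explicitly, e.g. lockdown=confidentiality. */`. The same applies to the `"Secure IPL mode"` call in the second hunk of the s390 patch further down. If the Kconfig help text or the patch description elsewhere in efi-secureboot.patch still names the old level, it needs the same update; that text is outside this hunk. Deployments that rely on Secure Boot to keep root from reading kernel secrets should check the effective level in /sys/kernel/security/lockdown after taking this build.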
diff --git a/gitrev b/gitrev
index 708b0a19d..22fff2bf7 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-ac309e7744bee222df6de0122facaf2d9706fa70
+5ad0ec0b86525d0c5d3d250d3cfad7f183b00cfa
diff --git a/kernel.spec b/kernel.spec
index b0e1f4cec..7546fefa5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -115,7 +115,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 6
# The git snapshot level
-%define gitrev 1
+%define gitrev 2
# Set rpm version accordingly
%define rpmversion 5.%{upstream_sublevel}.0
%endif
@@ -3002,6 +3002,10 @@ fi
#
#
%changelog
+* Fri Mar 20 2020 Jeremy Cline <jcline@redhat.com> - 5.6.0-0.rc6.git2.1
+- Linux v5.6-rc6-115-g5ad0ec0b8652
+- Switch Secure Boot to lock down to integrity mode (rhbz 1815571)
+
* Wed Mar 18 2020 Jeremy Cline <jcline@redhat.com> - 5.6.0-0.rc6.git1.1
- Linux v5.6-rc6-9-gac309e7744be
diff --git a/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch b/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch
index 0779418b4..70e3f76a8 100644
--- a/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch
+++ b/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch
@@ -3,7 +3,7 @@ From: Jeremy Cline <jcline@redhat.com>
Date: Wed, 30 Oct 2019 14:37:49 +0000
Subject: [PATCH] s390: Lock down the kernel when the IPL secure flag is set
-Automatically lock down the kernel to LOCKDOWN_CONFIDENTIALITY_MAX if
+Automatically lock down the kernel to LOCKDOWN_INTEGRITY_MAX if
the IPL secure flag is set.
Suggested-by: Philipp Rudo <prudo@redhat.com>
@@ -56,7 +56,7 @@ index 9cbf490fd162..0510ecdfc3f6 100644
log_component_list();
+ if (ipl_get_secureboot())
-+ security_lock_kernel_down("Secure IPL mode", LOCKDOWN_CONFIDENTIALITY_MAX);
++ security_lock_kernel_down("Secure IPL mode", LOCKDOWN_INTEGRITY_MAX);
+
/* Have one command line that is parsed and saved in /proc/cmdline */
/* boot_command_line has been already set up in early.c */
diff --git a/sources b/sources
index 850362190..b95341d61 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,3 @@
SHA512 (linux-5.5.tar.xz) = fa74fdabb5e63384a39e54da05b86a9ae9ea16179524b041fbbdffc7177e80b53600ae98d76be127ba216148f9dc55fe07ab20637e22c6d6030cb4aa09eb2f86
SHA512 (patch-5.6-rc6.xz) = cb4867da79eaf199e65414be258b1ebf231eff3c506b27d0196c835a05c40937ec02604a982359379ed9a6a7d066f00ca87553df5f57bccfd47db0ceada9ae7f
-SHA512 (patch-5.6-rc6-git1.xz) = 0d0c1995e9da2ce8138b3e58a3a7e3d431cccbca869a6889fefeb8c3e8dfee32f6ed0235404a81eaadb9d37ed08e90a17da9c4c194ab6d87efe11240321ef7b6
-
+SHA512 (patch-5.6-rc6-git2.xz) = bcf4b88390df78503b1ae4e3154d53e269ecdfc9fc6aeca2a9807a302409168b15988a3a4eafaa9ef94e1bba357dd6245eee9c53027e915a10522e58e7ab6698