author | Laura Abbott <labbott@redhat.com> | 2019-01-03 08:27:44 -0800 |
---|---|---|
committer | Laura Abbott <labbott@redhat.com> | 2019-01-03 08:28:18 -0800 |
commit | dd000cd2fd91c63e5b4d660ec4f44666a1779716 (patch) | |
tree | 7650c96b98efc9051cd2e688d9a04fce03a79c15 | |
parent | cca46e0b1d2ddbaaa6197f118a0229031cfcd69c (diff) | |
download | kernel-dd000cd2fd91c63e5b4d660ec4f44666a1779716.tar.gz kernel-dd000cd2fd91c63e5b4d660ec4f44666a1779716.tar.xz kernel-dd000cd2fd91c63e5b4d660ec4f44666a1779716.zip |
Linux v4.20-10911-g645ff1e8e704
Dropped part of the efi-lockdown patchset for IMA until
conflicts get resolved.
-rw-r--r-- | Add-EFI-signature-data-types.patch | 60 | ||||
-rw-r--r-- | Add-an-EFI-signature-blob-parser-and-key-loader.patch | 51 | ||||
-rw-r--r-- | configs/fedora/generic/CONFIG_INTEGRITY_PLATFORM_KEYRING | 1 | ||||
-rw-r--r-- | configs/fedora/generic/CONFIG_TOUCHSCREEN_RASPBERRYPI_FW | 1 | ||||
-rw-r--r-- | configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY | 1 | ||||
-rw-r--r-- | efi-lockdown.patch | 233 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel-aarch64-debug.config | 2 | ||||
-rw-r--r-- | kernel-aarch64.config | 2 | ||||
-rw-r--r-- | kernel-armv7hl-debug.config | 2 | ||||
-rw-r--r-- | kernel-armv7hl-lpae-debug.config | 2 | ||||
-rw-r--r-- | kernel-armv7hl-lpae.config | 2 | ||||
-rw-r--r-- | kernel-armv7hl.config | 2 | ||||
-rw-r--r-- | kernel-i686-debug.config | 3 | ||||
-rw-r--r-- | kernel-i686.config | 3 | ||||
-rw-r--r-- | kernel-ppc64le-debug.config | 2 | ||||
-rw-r--r-- | kernel-ppc64le.config | 2 | ||||
-rw-r--r-- | kernel-s390x-debug.config | 2 | ||||
-rw-r--r-- | kernel-s390x.config | 2 | ||||
-rw-r--r-- | kernel-x86_64-debug.config | 3 | ||||
-rw-r--r-- | kernel-x86_64.config | 3 | ||||
-rw-r--r-- | kernel.spec | 7 | ||||
-rw-r--r-- | sources | 2 |
23 files changed, 56 insertions, 334 deletions
diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch
deleted file mode 100644
index f7f7c36d3..000000000
--- a/Add-EFI-signature-data-types.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From 0451d4e795929a69a0fda6d960aa4b077c5bd179 Mon Sep 17 00:00:00 2001 -From: Dave Howells <dhowells@redhat.com> -Date: Fri, 5 May 2017 08:21:58 +0100 -Subject: [PATCH 1/4] efi: Add EFI signature data types - -Add the data types that are used for containing hashes, keys and -certificates for cryptographic verification along with their corresponding -type GUIDs. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - include/linux/efi.h | 25 +++++++++++++++++++++++++ - 1 file changed, 25 insertions(+) - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index ec36f42..3259ad6 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -614,6 +614,10 @@ void efi_native_runtime_setup(void); - #define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f) - #define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23) - -+#define EFI_CERT_SHA256_GUID EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28) -+#define EFI_CERT_X509_GUID EFI_GUID(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72) -+#define EFI_CERT_X509_SHA256_GUID EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed) -+ - /* - * This GUID is used to pass to the kernel proper the struct screen_info - * structure that was populated by the stub based on the GOP protocol instance -@@ -873,6 +877,27 @@ typedef struct { - efi_memory_desc_t entry[0]; - } efi_memory_attributes_table_t; - -+typedef struct { -+ efi_guid_t signature_owner; -+ u8 signature_data[]; -+} efi_signature_data_t; -+ -+typedef struct { -+ efi_guid_t signature_type; -+ u32 signature_list_size; -+ u32 signature_header_size; -+ u32 signature_size; -+ u8 signature_header[]; -+ /* efi_signature_data_t signatures[][] */ -+} efi_signature_list_t; -+ -+typedef u8 efi_sha256_hash_t[32]; -+ -+typedef struct { -+ 
efi_sha256_hash_t to_be_signed_hash; -+ efi_time_t time_of_revocation; -+} efi_cert_x509_sha256_t; -+ - /* - * All runtime access to EFI goes through this structure: - */ --- -2.9.3 - diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch index e3941eeaa..276eb708d 100644 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -1,7 +1,7 @@ -From e4c62c12635a371e43bd17e8d33a936668264491 Mon Sep 17 00:00:00 2001 +From 73e105771858bf39aeabcbcd2f7b002c24ac4bb0 Mon Sep 17 00:00:00 2001 From: Dave Howells <dhowells@redhat.com> Date: Fri, 5 May 2017 08:21:58 +0100 -Subject: [PATCH 2/4] efi: Add an EFI signature blob parser +Subject: [PATCH] efi: Add an EFI signature blob parser Add a function to parse an EFI signature blob looking for elements of interest. A list is made up of a series of sublists, where all the @@ -18,21 +18,20 @@ function in turn. Signed-off-by: David Howells <dhowells@redhat.com> --- - certs/Kconfig | 8 ++++ - certs/Makefile | 1 + - certs/efi_parser.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - include/linux/efi.h | 9 +++++ - 4 files changed, 130 insertions(+) + certs/Kconfig | 8 ++++ + certs/Makefile | 1 + + certs/efi_parser.c | 112 +++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 121 insertions(+) create mode 100644 certs/efi_parser.c diff --git a/certs/Kconfig b/certs/Kconfig -index 6ce51ed..630ae09 100644 +index c94e93d8bccf..650ffcb8db79 100644 --- a/certs/Kconfig +++ b/certs/Kconfig -@@ -82,4 +82,12 @@ config SYSTEM_BLACKLIST_HASH_LIST +@@ -83,4 +83,12 @@ config SYSTEM_BLACKLIST_HASH_LIST wrapper to incorporate the list into the kernel. Each <hash> should be a string of hex digits. - + +config EFI_SIGNATURE_LIST_PARSER + bool "EFI signature list parser" + depends on EFI @@ -43,20 +42,20 @@ index 6ce51ed..630ae09 100644 + endmenu 
diff --git a/certs/Makefile b/certs/Makefile -index 4119bb3..738151a 100644 +index 5d0999b9e21b..7e5e179ac685 100644 --- a/certs/Makefile +++ b/certs/Makefile -@@ -9,6 +9,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o +@@ -10,6 +10,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o - + ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) - + diff --git a/certs/efi_parser.c b/certs/efi_parser.c new file mode 100644 -index 0000000..4e396f9 +index 000000000000..4e396f98f5c7 --- /dev/null +++ b/certs/efi_parser.c @@ -0,0 +1,112 @@ @@ -172,26 +171,6 @@ index 0000000..4e396f9 + + return 0; +} -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 3259ad6..08024c6 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -1055,6 +1055,15 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm, - char * __init efi_md_typeattr_format(char *buf, size_t size, - const efi_memory_desc_t *md); - -+ -+typedef void (*efi_element_handler_t)(const char *source, -+ const void *element_data, -+ size_t element_size); -+extern int __init parse_efi_signature_list( -+ const char *source, -+ const void *data, size_t size, -+ efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *)); -+ - /** - * efi_range_is_wc - check the WC bit on an address range - * @start: starting kvirt address -- -2.9.3 +2.20.1 diff --git a/configs/fedora/generic/CONFIG_INTEGRITY_PLATFORM_KEYRING b/configs/fedora/generic/CONFIG_INTEGRITY_PLATFORM_KEYRING new file mode 100644 index 000000000..94fd8a717 --- /dev/null +++ b/configs/fedora/generic/CONFIG_INTEGRITY_PLATFORM_KEYRING @@ -0,0 +1 @@ +# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set diff --git a/configs/fedora/generic/CONFIG_TOUCHSCREEN_RASPBERRYPI_FW b/configs/fedora/generic/CONFIG_TOUCHSCREEN_RASPBERRYPI_FW new file mode 100644 index 000000000..78aeb56ef --- /dev/null 
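Review bot: With the include/linux/efi.h hunk dropped, nothing in this refreshed patch declares `efi_element_handler_t` or the `parse_efi_signature_list()` prototype any more, yet certs/efi_parser.c and CONFIG_EFI_SIGNATURE_LIST_PARSER are still added. That only builds cleanly if the rebased base tree already provides those declarations, which the deletion of Add-EFI-signature-data-types.patch in the same commit suggests but this page does not show. If the base tree also gained its own definition of the parser, the copy in certs/ becomes a second implementation of boot-time signature-list parsing that must be kept in sync, and enabling both would presumably clash at link time. A line in the patch description such as `Declarations now come from the base tree's include/linux/efi.h; this patch only carries certs/efi_parser.c` would record why the hunk went away.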
+++ b/configs/fedora/generic/CONFIG_TOUCHSCREEN_RASPBERRYPI_FW
@@ -0,0 +1 @@
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
diff --git a/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY b/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY
new file mode 100644
index 000000000..7187ae0dc
--- /dev/null
+++ b/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY
@@ -0,0 +1 @@
+# CONFIG_IMA_ARCH_POLICY is not set
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index 6347e5dc6..b858022dd 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -518,239 +518,6 @@ index f35ffdd096ad..2615669dbf03 100644 -- 2.14.3 -From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001 -From: Mimi Zohar <zohar@linux.vnet.ibm.com> -Date: Mon, 9 Apr 2018 09:52:45 +0100 -Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode - -Require the "secure_boot" rules, whether or not it is specified -on the boot command line, for both the builtin and custom policies -in secure boot lockdown mode. - -Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> -Signed-off-by: David Howells <dhowells@redhat.com> ---- - security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------ - 1 file changed, 27 insertions(+), 7 deletions(-) - -diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c -index 8c9499867c91..f8428f579924 100644 ---- a/security/integrity/ima/ima_policy.c -+++ b/security/integrity/ima/ima_policy.c -@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func) - */ - void __init ima_init_policy(void) - { -- int i, measure_entries, appraise_entries, secure_boot_entries; -+ int i; -+ int measure_entries = 0; -+ int appraise_entries = 0; -+ int secure_boot_entries = 0; -+ bool kernel_locked_down = __kernel_is_locked_down(NULL, false); - - /* if !ima_policy set entries = 0 so we load NO default rules */ -- measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0; -- appraise_entries = ima_use_appraise_tcb ? -- ARRAY_SIZE(default_appraise_rules) : 0; -- secure_boot_entries = ima_use_secure_boot ? 
-- ARRAY_SIZE(secure_boot_rules) : 0; -+ if (ima_policy) -+ measure_entries = ARRAY_SIZE(dont_measure_rules); -+ -+ if (ima_use_appraise_tcb) -+ appraise_entries = ARRAY_SIZE(default_appraise_rules); -+ -+ if (ima_use_secure_boot || kernel_locked_down) -+ secure_boot_entries = ARRAY_SIZE(secure_boot_rules); - - for (i = 0; i < measure_entries; i++) - list_add_tail(&dont_measure_rules[i].list, &ima_default_rules); -@@ -509,12 +516,25 @@ void __init ima_init_policy(void) - - /* - * Insert the builtin "secure_boot" policy rules requiring file -- * signatures, prior to any other appraise rules. -+ * signatures, prior to any other appraise rules. In secure boot -+ * lock-down mode, also require these appraise rules for custom -+ * policies. - */ - for (i = 0; i < secure_boot_entries; i++) { -+ struct ima_rule_entry *entry; -+ -+ /* Include for builtin policies */ - list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); - temp_ima_appraise |= - ima_appraise_flag(secure_boot_rules[i].func); -+ -+ /* Include for custom policies */ -+ if (kernel_locked_down) { -+ entry = kmemdup(&secure_boot_rules[i], sizeof(*entry), -+ GFP_KERNEL); -+ if (entry) -+ list_add_tail(&entry->list, &ima_policy_rules); -+ } - } - - /* --- -2.17.1 - -From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 9 Apr 2018 09:52:46 +0100 -Subject: [PATCH] Enforce module signatures if the kernel is locked down - -If the kernel is locked down, require that all modules have valid -signatures that we can verify or that IMA can validate the file. - -I have adjusted the errors generated: - - (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, - ENOKEY), then: - - (a) If signatures are enforced then EKEYREJECTED is returned. - - (b) If IMA will have validated the image, return 0 (okay). 
- - (c) If there's no signature or we can't check it, but the kernel is - locked down then EPERM is returned (this is then consistent with - other lockdown cases). - - (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails - the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we - return the error we got. - -Note that the X.509 code doesn't check for key expiry as the RTC might not -be valid or might not have been transferred to the kernel's clock yet. - -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Jiri Bohac <jbohac@suse.cz> -cc: "Lee, Chun-Yi" <jlee@suse.com> -cc: James Morris <james.l.morris@oracle.com> ---- - kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 43 insertions(+), 13 deletions(-) - -diff --git a/kernel/module.c b/kernel/module.c -index b046a32520d8..3bb0722c106e 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -64,6 +64,7 @@ - #include <linux/bsearch.h> - #include <linux/dynamic_debug.h> - #include <linux/audit.h> -+#include <linux/ima.h> - #include <uapi/linux/module.h> - #include "module-internal.h" - -@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod, - #endif - - #ifdef CONFIG_MODULE_SIG --static int module_sig_check(struct load_info *info, int flags) -+static int module_sig_check(struct load_info *info, int flags, -+ bool can_do_ima_check) - { -- int err = -ENOKEY; -+ int err = -ENODATA; - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; -+ const char *reason; - const void *mod = info->hdr; - - /* -@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags) - err = mod_verify_sig(mod, info); - } - -- if (!err) { -+ switch (err) { -+ case 0: - info->sig_ok = true; - return 0; -- } - -- /* Not having a signature is only an error if we're strict. 
*/ -- if (err == -ENOKEY && !is_module_sig_enforced()) -- err = 0; -+ /* We don't permit modules to be loaded into trusted kernels -+ * without a valid signature on them, but if we're not -+ * enforcing, certain errors are non-fatal. -+ */ -+ case -ENODATA: -+ reason = "Loading of unsigned module"; -+ goto decide; -+ case -ENOPKG: -+ reason = "Loading of module with unsupported crypto"; -+ goto decide; -+ case -ENOKEY: -+ reason = "Loading of module with unavailable key"; -+ decide: -+ if (sig_enforce) { -+ pr_notice("%s is rejected\n", reason); -+ return -EKEYREJECTED; -+ } - -- return err; -+ if (can_do_ima_check && is_ima_appraise_enabled()) -+ return 0; -+ if (kernel_is_locked_down(reason)) -+ return -EPERM; -+ return 0; -+ -+ /* All other errors are fatal, including nomem, unparseable -+ * signatures and signature check failures - even if signatures -+ * aren't required. -+ */ -+ default: -+ return err; -+ } - } - #else /* !CONFIG_MODULE_SIG */ --static int module_sig_check(struct load_info *info, int flags) -+static int module_sig_check(struct load_info *info, int flags, -+ bool can_do_ima_check) - { - return 0; - } -@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, - /* Allocate and load the module: note that size of section 0 is always - zero, and we rely on this for optional sections. 
*/ - static int load_module(struct load_info *info, const char __user *uargs, -- int flags) -+ int flags, bool can_do_ima_check) - { - struct module *mod; - long err = 0; -@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs, - goto free_copy; - } - -- err = module_sig_check(info, flags); -+ err = module_sig_check(info, flags, can_do_ima_check); - if (err) - goto free_copy; - -@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, - if (err) - return err; - -- return load_module(&info, uargs, 0); -+ return load_module(&info, uargs, 0, false); - } - - SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) -@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) - info.hdr = hdr; - info.len = size; - -- return load_module(&info, uargs, flags); -+ return load_module(&info, uargs, flags, true); - } - - static inline int within(unsigned long addr, void *start, unsigned long size) --- -2.17.1 - From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> Date: Mon, 9 Apr 2018 09:52:46 +0100 @@ -1 +1 @@ -8e143b90e4d45cca3dc53760d3cfab988bc74571 +645ff1e8e704c4f33ab1fcd3c87f95cb9b6d7144 diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index a71c4d3e3..582a21533 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -2503,6 +2503,7 @@ CONFIG_INPUT=y CONFIG_INPUT_YEALINK=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y +# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set @@ -6287,6 +6288,7 @@ CONFIG_TOUCHSCREEN_MMS114=m CONFIG_TOUCHSCREEN_MTOUCH=m CONFIG_TOUCHSCREEN_PENMOUNT=m CONFIG_TOUCHSCREEN_PIXCIR=m +# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set CONFIG_TOUCHSCREEN_RM_TS=m # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set # CONFIG_TOUCHSCREEN_S6SY761 is not set 
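Review bot: The block removed from efi-lockdown.patch takes out two patches, not only the IMA one: besides "ima: require secure_boot rules in lockdown mode" it also deletes "Enforce module signatures if the kernel is locked down", whose `module_sig_check()` change is what returned -EPERM for unsigned or unverifiable modules on a locked-down kernel. The commit description mentions only IMA, so unless another patch in the series (not visible in this hunk) still gates module loading, a locked-down build from this commit may accept such modules whenever `sig_enforce` is off. I would either carry a variant of the module-signature patch without the `is_ima_appraise_enabled()` shortcut, or state the gap in the kernel.spec changelog, e.g. `- Temporarily drop lockdown module signature enforcement and IMA secure_boot rules (rebase conflicts)`. Until it is restored, it is worth checking that the module signature enforcement config or boot parameter covers the affected builds.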
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index fe95093d7..ca661fba3 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -2486,6 +2486,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -6264,6 +6265,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index 086fbdf13..a55a95e0e 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -2626,6 +2626,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -6693,6 +6694,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 144205d69..9644639ec 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -2495,6 +2495,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -6286,6 +6287,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index e6b7b2acf..e3740e6df 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -2479,6 +2479,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -6264,6 +6265,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 650152897..90f899e6b 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -2610,6 +2610,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -6671,6 +6672,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index 51da615b0..5af911004 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -2199,6 +2199,7 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE is not set
+# CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 CONFIG_IMA_DEFAULT_HASH_SHA1=y
 # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
@@ -2331,6 +2332,7 @@ CONFIG_INT3406_THERMAL=m
 CONFIG_INT340X_THERMAL=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 CONFIG_INTEL_ATOMISP2_PM=m
@@ -5871,6 +5873,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-i686.config b/kernel-i686.config
index e0ee1951b..2ba4fcc23 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -2181,6 +2181,7 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE is not set
+# CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 CONFIG_IMA_DEFAULT_HASH_SHA1=y
 # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
@@ -2313,6 +2314,7 @@ CONFIG_INT3406_THERMAL=m
 CONFIG_INT340X_THERMAL=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 CONFIG_INTEL_ATOMISP2_PM=m
@@ -5849,6 +5851,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index 1ae57fb0f..154094529 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -2156,6 +2156,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -5537,6 +5538,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index 5a733c804..efc0c1313 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -2138,6 +2138,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -5513,6 +5514,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index 9aef66b5a..770ef99e0 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -2109,6 +2109,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -5433,6 +5434,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-s390x.config b/kernel-s390x.config
index 6dfe92279..971795aeb 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -2091,6 +2091,7 @@ CONFIG_INPUT=y
 CONFIG_INPUT_YEALINK=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEL_IDMA64 is not set
@@ -5409,6 +5410,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index b63a5878b..217e71f18 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -2241,6 +2241,7 @@ CONFIG_IIO_TRIGGER=y
 # CONFIG_IKCONFIG is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE is not set
+# CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
 CONFIG_IMA_DEFAULT_HASH_SHA1=y
 # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
@@ -2376,6 +2377,7 @@ CONFIG_INT3406_THERMAL=m
 CONFIG_INT340X_THERMAL=m
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY=y
 CONFIG_INTEL_ATOMISP2_PM=m
@@ -5915,6 +5917,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
 CONFIG_TOUCHSCREEN_MTOUCH=m
 CONFIG_TOUCHSCREEN_PENMOUNT=m
 CONFIG_TOUCHSCREEN_PIXCIR=m
+# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
 CONFIG_TOUCHSCREEN_RM_TS=m
 # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
 # CONFIG_TOUCHSCREEN_S6SY761 is not set
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index bd097f4fb..938b3b19a 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -2223,6 +2223,7 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE is not set +# CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_DEFAULT_HASH_SHA1=y # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set @@ -2358,6 +2359,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y +# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m @@ -5893,6 +5895,7 @@ CONFIG_TOUCHSCREEN_MMS114=m CONFIG_TOUCHSCREEN_MTOUCH=m CONFIG_TOUCHSCREEN_PENMOUNT=m CONFIG_TOUCHSCREEN_PIXCIR=m +# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set CONFIG_TOUCHSCREEN_RM_TS=m # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set # CONFIG_TOUCHSCREEN_S6SY761 is not set diff --git a/kernel.spec b/kernel.spec index d0531dd2d..8f6c915a0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 0 # The git snapshot level -%define gitrev 5 +%define gitrev 6 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -539,8 +539,6 @@ Patch201: efi-lockdown.patch Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch -Patch203: Add-EFI-signature-data-types.patch - Patch204: Add-an-EFI-signature-blob-parser-and-key-loader.patch Patch205: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -1878,6 +1876,9 @@ fi # # %changelog +* Thu Jan 03 2019 Laura Abbott <labbott@redhat.com> - 4.21.0-0.rc0.git6.1 +- Linux v4.20-10911-g645ff1e8e704 + * Wed Jan 02 2019 Laura Abbott <labbott@redhat.com> - 4.21.0-0.rc0.git5.1 - Linux v4.20-10595-g8e143b90e4d4 
@@ -1,2 +1,2 @@
 SHA512 (linux-4.20.tar.xz) = e282399beea5da539701aed2bc131abd5bc74a970dcd344163e9d295106dfd700180e672ed546ae5e55bc6b9ac95efd5ca1de2039015c1b7a6fc9c01ea6583d4
-SHA512 (patch-4.20-git5.xz) = 8735ac8abb204356c45534465cb14765c6e36d0b062b469bb4a439d64c1fafc81b650841ba5cfde93fc23d81266c9981b72cec52ad22777f52b96082b9b69e81
+SHA512 (patch-4.20-git6.xz) = 8529bfd268ea6edb0d958a717c70271565b85ce3a0f712d7ba72cf61c4f4c7323a346dbde886d5ab34e4dd92588f966dd36fdd327be8b1f89305bae82b3c87e7 |