Linux v4.7

author: Laura Abbott <labbott@fedoraproject.org> 2016-07-25 15:01:09 -0700
committer: Laura Abbott <labbott@fedoraproject.org> 2016-07-26 16:36:43 -0700
commit: f339ce1dadf093ec63e24a19c01e75b821bb3974 (patch)
tree: 03552e16d4f7efe60041baeba6835989e8a99dd5 /Add-option-to-automatically-enforce-module-signature.patch
parent: bf1d35cfe8b31cbac09a036ab36cd742b63031f1 (diff)
download: kernel-f339ce1dadf093ec63e24a19c01e75b821bb3974.tar.gz
kernel-f339ce1dadf093ec63e24a19c01e75b821bb3974.tar.xz
kernel-f339ce1dadf093ec63e24a19c01e75b821bb3974.zip
1 files changed, 58 insertions, 27 deletions
diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch
index 015371b8b..aa1983377 100644
--- a/Add-option-to-automatically-enforce-module-signature.patch
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@@ -1,8 +1,8 @@
-From 37431394b3eeb1ef6d38d0e6b2693210606c2c2c Mon Sep 17 00:00:00 2001
+From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/20] Add option to automatically enforce module signatures
- when in Secure Boot mode
+Subject: [PATCH] Add option to automatically enforce module signatures when in
+ Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels. Certain use cases may also
@@ -12,13 +12,13 @@ that enforces this automatically when enabled.
 Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 ---
  Documentation/x86/zero-page.txt       |  2 ++
- arch/x86/Kconfig                      | 10 ++++++++++
- arch/x86/boot/compressed/eboot.c      | 36 +++++++++++++++++++++++++++++++++++
- arch/x86/include/uapi/asm/bootparam.h |  3 ++-
- arch/x86/kernel/setup.c               |  6 ++++++
- include/linux/module.h                |  6 ++++++
- kernel/module.c                       |  7 +++++++
- 7 files changed, 69 insertions(+), 1 deletion(-)
+ arch/x86/Kconfig                      | 11 ++++++
+ arch/x86/boot/compressed/eboot.c      | 66 +++++++++++++++++++++++++++++++++++
+ arch/x86/include/uapi/asm/bootparam.h |  3 +-
+ arch/x86/kernel/setup.c               |  6 ++++
+ include/linux/module.h                |  6 ++++
+ kernel/module.c                       |  7 ++++
+ 7 files changed, 100 insertions(+), 1 deletion(-)
 
 diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
 index 95a4d34af3fd..b8527c6b7646 100644
@@ -34,15 +34,16 @@ index 95a4d34af3fd..b8527c6b7646 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index cc0d73eac047..14db458f4774 100644
+index 0a7b885964ba..29b8ba9ae713 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1734,6 +1734,16 @@ config EFI_MIXED
+@@ -1776,6 +1776,17 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
 +config EFI_SECURE_BOOT_SIG_ENFORCE
-+        def_bool n
++	def_bool n
++	depends on EFI
 +	prompt "Force module signing when UEFI Secure Boot is enabled"
 +	---help---
 +	  UEFI Secure Boot provides a mechanism for ensuring that the
@@ -55,7 +56,7 @@ index cc0d73eac047..14db458f4774 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index ee1b6d346b98..b4de3faa3f29 100644
+index 52fef606bc54..6b8b9a775b46 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -66,8 +67,8 @@ index ee1b6d346b98..b4de3faa3f29 100644
  
  #include "../string.h"
  #include "eboot.h"
-@@ -827,6 +828,37 @@ out:
- 	return status;
+@@ -571,6 +572,67 @@ free_handle:
+ 	efi_call_early(free_pool, pci_handle);
  }
  
 +static int get_secure_boot(void)
@@ -101,10 +102,40 @@ index ee1b6d346b98..b4de3faa3f29 100644
 +}
 +
 +
- /*
-  * See if we have Graphics Output Protocol
-  */
-@@ -1412,6 +1444,10 @@ struct boot_params *efi_main(struct efi_config *c,
++/*
++ * See if we have Graphics Output Protocol
++ */
++static efi_status_t setup_gop(struct screen_info *si, efi_guid_t *proto,
++			      unsigned long size)
++{
++	efi_status_t status;
++	void **gop_handle = NULL;
++
++	status = efi_call_early(allocate_pool, EFI_LOADER_DATA,
++				size, (void **)&gop_handle);
++	if (status != EFI_SUCCESS)
++		return status;
++
++	status = efi_call_early(locate_handle,
++				EFI_LOCATE_BY_PROTOCOL,
++				proto, NULL, &size, gop_handle);
++	if (status != EFI_SUCCESS)
++		goto free_handle;
++
++	if (efi_early->is64)
++		status = setup_gop64(si, proto, size, gop_handle);
++	else
++		status = setup_gop32(si, proto, size, gop_handle);
++
++free_handle:
++	efi_call_early(free_pool, gop_handle);
++	return status;
++}
++
+ static efi_status_t
+ setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
+ {
+@@ -1126,6 +1188,10 @@ struct boot_params *efi_main(struct efi_config *c,
  	else
  		setup_boot_services32(efi_early);
  
@@ -116,7 +147,7 @@ index ee1b6d346b98..b4de3faa3f29 100644
  
  	setup_efi_pci(boot_params);
 diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index 329254373479..b61f8533c0fd 100644
+index c18ce67495fa..2b3e5427097b 100644
 --- a/arch/x86/include/uapi/asm/bootparam.h
 +++ b/arch/x86/include/uapi/asm/bootparam.h
 @@ -134,7 +134,8 @@ struct boot_params {
@@ -130,10 +161,10 @@ index 329254373479..b61f8533c0fd 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index baadbf90a7c5..1ac118146e90 100644
+index c4e7b3991b60..bdb9881c7afd 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
  
  	io_delay_init();
  
@@ -147,7 +178,7 @@ index baadbf90a7c5..1ac118146e90 100644
  	 * Parse the ACPI tables for possible boot-time SMP configuration.
  	 */
 diff --git a/include/linux/module.h b/include/linux/module.h
-index db386349cd01..4b8df91f03cd 100644
+index 082298a09df1..38d0597f7615 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
 @@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
@@ -164,10 +195,10 @@ index db386349cd01..4b8df91f03cd 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 7f045246e123..2b403ab0ef29 100644
+index 3c384968f553..ea484f3a35b2 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod,
+@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  
@@ -182,5 +213,5 @@ index 7f045246e123..2b403ab0ef29 100644
  {
  #ifdef CONFIG_MODULE_SIG
 -- 
-2.4.3
+2.5.5
author	Laura Abbott <labbott@fedoraproject.org>	2016-07-25 15:01:09 -0700
committer	Laura Abbott <labbott@fedoraproject.org>	2016-07-26 16:36:43 -0700
commit	f339ce1dadf093ec63e24a19c01e75b821bb3974 (patch)
tree	03552e16d4f7efe60041baeba6835989e8a99dd5 /Add-option-to-automatically-enforce-module-signature.patch
parent	bf1d35cfe8b31cbac09a036ab36cd742b63031f1 (diff)
download	kernel-f339ce1dadf093ec63e24a19c01e75b821bb3974.tar.gz kernel-f339ce1dadf093ec63e24a19c01e75b821bb3974.tar.xz kernel-f339ce1dadf093ec63e24a19c01e75b821bb3974.zip