Rework Secure Boot support to use the secure_modules approach

- Drop pekey

1 files changed, 123 insertions, 0 deletions

diff --git a/sb-hibernate.patch b/sb-hibernate.patch
new file mode 100644
index 000000000..966024b9b
--- /dev/null
+++ b/sb-hibernate.patch
@@ -0,0 +1,123 @@
+From 4fe6d11d21b548d6e8272cc8cad5fcc6150ef081 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 26 Oct 2012 14:02:09 -0400
+Subject: [PATCH] hibernate: Disable in a signed modules environment
+
+There is currently no way to verify the resume image when returning
+from hibernate.  This might compromise the signed modules trust model,
+so until we can work with signed hibernate images we disable it in
+a secure modules environment.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.com>
+---
+ kernel/power/hibernate.c | 16 +++++++++++++++-
+ kernel/power/main.c      |  7 ++++++-
+ kernel/power/user.c      |  5 +++++
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index b26f5f1..e65228b 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -28,6 +28,8 @@
+ #include <linux/syscore_ops.h>
+ #include <linux/ctype.h>
+ #include <linux/genhd.h>
++#include <linux/efi.h>
++#include <linux/module.h>
+ 
+ #include "power.h"
+ 
+@@ -632,6 +634,10 @@ int hibernate(void)
+ {
+ 	int error;
+ 
++	if (secure_modules()) {
++		return -EPERM;
++	}
++
+ 	lock_system_sleep();
+ 	/* The snapshot device should not be opened while we're running */
+ 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
+@@ -723,7 +729,7 @@ static int software_resume(void)
+ 	/*
+ 	 * If the user said "noresume".. bail out early.
+ 	 */
+-	if (noresume)
++	if (noresume || secure_modules())
+ 		return 0;
+ 
+ 	/*
+@@ -889,6 +895,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
+ 	int i;
+ 	char *start = buf;
+ 
++	if (efi_enabled(EFI_SECURE_BOOT)) {
++		buf += sprintf(buf, "[%s]\n", "disabled");
++		return buf-start;
++	}
++
+ 	for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
+ 		if (!hibernation_modes[i])
+ 			continue;
+@@ -923,6 +934,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
+ 	char *p;
+ 	int mode = HIBERNATION_INVALID;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	p = memchr(buf, '\n', n);
+ 	len = p ? p - buf : n;
+ 
+diff --git a/kernel/power/main.c b/kernel/power/main.c
+index 1d1bf63..300f300 100644
+--- a/kernel/power/main.c
++++ b/kernel/power/main.c
+@@ -15,6 +15,7 @@
+ #include <linux/workqueue.h>
+ #include <linux/debugfs.h>
+ #include <linux/seq_file.h>
++#include <linux/efi.h>
+ 
+ #include "power.h"
+ 
+@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr,
+ 	}
+ #endif
+ #ifdef CONFIG_HIBERNATION
+-	s += sprintf(s, "%s\n", "disk");
++	if (!efi_enabled(EFI_SECURE_BOOT)) {
++		s += sprintf(s, "%s\n", "disk");
++	} else {
++		s += sprintf(s, "\n");
++	}
+ #else
+ 	if (s != buf)
+ 		/* convert the last space to a newline */
+diff --git a/kernel/power/user.c b/kernel/power/user.c
+index 4ed81e7..b714ee6 100644
+--- a/kernel/power/user.c
++++ b/kernel/power/user.c
+@@ -24,6 +24,8 @@
+ #include <linux/console.h>
+ #include <linux/cpu.h>
+ #include <linux/freezer.h>
++#include <linux/efi.h>
++#include <linux/module.h>
+ 
+ #include <asm/uaccess.h>
+ 
+@@ -48,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
+ 	struct snapshot_data *data;
+ 	int error;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	lock_system_sleep();
+ 
+ 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
+-- 
+1.8.3.1
+