diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2014-07-31 10:53:23 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2014-07-31 10:53:40 -0400 |
commit | 0432d120d5ba3b4574c6604331d4801a0e1862f1 (patch) | |
tree | ecc457f3b8375bcae22f0b2c1310e39b164b3bbb /secure-modules.patch | |
parent | e59c07299449eec8631231021cc106c7f50f5472 (diff) | |
download | kernel-0432d120d5ba3b4574c6604331d4801a0e1862f1.tar.gz kernel-0432d120d5ba3b4574c6604331d4801a0e1862f1.tar.xz kernel-0432d120d5ba3b4574c6604331d4801a0e1862f1.zip |
Linux v3.16-rc7-76-g3a1122d26c62
Diffstat (limited to 'secure-modules.patch')
-rw-r--r-- | secure-modules.patch | 45 |
1 files changed, 22 insertions, 23 deletions
diff --git a/secure-modules.patch b/secure-modules.patch index b51a22cdb..2d3174c22 100644 --- a/secure-modules.patch +++ b/secure-modules.patch @@ -1,8 +1,7 @@ Bugzilla: N/A Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd - -From 3b083aa4b42c6f2e814742b24e1948aced3a5e3f Mon Sep 17 00:00:00 2001 +From 952dbcbea4cffb1a05773af3b5f41e8ed477c5fe Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/14] Add secure_modules() call @@ -64,7 +63,7 @@ index 81e727cf6df9..fc14f48915dd 100644 1.9.3 -From 5c9708ebd7a52bf432745dc9b739c54666f2789d Mon Sep 17 00:00:00 2001 +From 3b451a12e60a47d152ecce1c02634c4d7320b024 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is @@ -183,7 +182,7 @@ index b91c4da68365..98f5637304d1 100644 1.9.3 -From c5f35519151d28b1a3c3dee5cb67fd67befa7fb6 Mon Sep 17 00:00:00 2001 +From 42a620055ac873fb378ec69731c7a2200f6779cc Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/14] x86: Lock down IO port access when module security is @@ -256,7 +255,7 @@ index 917403fe10da..cdf839f9defe 100644 1.9.3 -From 24b607adc80fdebbc3497efc4b997a62edc06280 Mon Sep 17 00:00:00 2001 +From 8019fb7c7b5f18b19f7c980987953680ee218c9f Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/14] ACPI: Limit access to custom_method @@ -288,7 +287,7 @@ index c68e72414a67..4277938af700 100644 1.9.3 -From 215559c7708671e85ceb42f6e25445b9b27f6c38 Mon Sep 17 00:00:00 2001 +From bf84e9e1022b2d3d0c97ae48fb8b61e5336c50f8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module @@ -343,7 +342,7 @@ index 3c6ccedc82b6..960c46536c65 100644 1.9.3 -From b709a5110b728b526063c6814413a8c0f0d01203 Mon Sep 17 00:00:00 2001 +From 9a56e8715d3b6dc84989997f34b6b5d407cabad2 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is @@ -386,7 +385,7 @@ index cdf839f9defe..c63cf93b00eb 100644 1.9.3 -From 2896018a1c991e19691ab203a9e9010e898587e7 Mon Sep 17 00:00:00 2001 +From 8d6faa19bbbaa4df411becda7e40c4ea0684c134 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module @@ -426,7 +425,7 @@ index bad25b070fe0..0606585e8b93 100644 1.9.3 -From a9c7c2c5e39d3e687b3e90845a753673144a754b Mon Sep 17 00:00:00 2001 +From 1ff86ddea019f543f6668b56889f86811028f303 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 03:33:56 -0400 Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module @@ -442,18 +441,18 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 6748688813d0..d4d88984bf45 100644 +index 4b8f0c925884..df14daa323a9 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -33,6 +33,7 @@ - #include <linux/swap.h> +@@ -34,6 +34,7 @@ #include <linux/syscore_ops.h> #include <linux/compiler.h> + #include <linux/hugetlb.h> +#include <linux/module.h> #include <asm/page.h> #include <asm/uaccess.h> -@@ -946,6 +947,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -947,6 +948,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* @@ -471,7 +470,7 @@ index 6748688813d0..d4d88984bf45 100644 1.9.3 -From 4ce6023b9f02d5397156976568b3aad88b2f5b95 Mon Sep 17 00:00:00 2001 +From 4d56368f1364b45c18067bab1d6abc5ce0f67183 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is @@ -516,7 +515,7 @@ index c9603ac80de5..8bef43fc3f40 100644 1.9.3 -From c95290110f65724e58b7506281759c0bac59b9f5 Mon Sep 17 00:00:00 2001 +From aab8ba85241a85a0b2ed622edd7874c74cafa496 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 10/14] Add option to automatically enforce module signatures @@ -552,10 +551,10 @@ index 199f453cb4de..ec38acf00b40 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index a8f749ef0fdc..35bfd8259993 100644 +index d24887b645dc..870aac9520b3 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1556,6 +1556,16 @@ config EFI_MIXED +@@ -1557,6 +1557,16 @@ config EFI_MIXED If unsure, say N. @@ -703,7 +702,7 @@ index fc14f48915dd..2d68d276f3b6 100644 1.9.3 -From f0baa6f34da3f151c059ca3043945837db0ca8d1 Mon Sep 17 00:00:00 2001 +From eae8a80ddc185b3f233e2620dbfc6454b6f0c3a6 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 5 Feb 2013 19:25:05 -0500 Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode @@ -762,7 +761,7 @@ index 85defaf5a27c..b4013a4ba005 100644 1.9.3 -From 6bc90bfd4c13fd6cc4a536630807406c16395bf5 Mon Sep 17 00:00:00 2001 +From 9728a4f49b284b7354876e1d77174d5838306e21 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -776,10 +775,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 35bfd8259993..746b1b63da8c 100644 +index 870aac9520b3..7aecd3f9f8ee 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1557,7 +1557,8 @@ config EFI_MIXED +@@ -1558,7 +1558,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -793,7 +792,7 @@ index 35bfd8259993..746b1b63da8c 100644 1.9.3 -From 292f6faa86f44fe261c8da58cc2c7f65aa0acad6 Mon Sep 17 00:00:00 2001 +From 4211b4919b8ccecc4f4cdc0a46ead7294478b687 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit @@ -837,7 +836,7 @@ index 41bbf8ba4ba8..e73f391fd3c8 100644 1.9.3 -From 594e605ee9589150919aa113e3e01163168ad041 Mon Sep 17 00:00:00 2001 +From 18b50c6f0597b606cb03cbd8a9fdef7478cb2b21 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 20 Jun 2014 08:53:24 -0400 Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment |