diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2014-06-11 13:36:24 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2014-06-11 13:36:24 -0400 |
commit | a7fb62873e9c07443c920a413add27908562ca76 (patch) | |
tree | 78454f4072909a435d3a6bf83f7f7a6c59dc5f3a /secure-modules.patch | |
parent | 2a04f7df27e6da73e6af6b25a6da9c9c88d8d4af (diff) | |
download | kernel-a7fb62873e9c07443c920a413add27908562ca76.tar.gz kernel-a7fb62873e9c07443c920a413add27908562ca76.tar.xz kernel-a7fb62873e9c07443c920a413add27908562ca76.zip |
Linux v3.15-7218-g3f17ea6dea8b
- Reenable debugging options.
Diffstat (limited to 'secure-modules.patch')
-rw-r--r-- | secure-modules.patch | 116 |
1 files changed, 58 insertions, 58 deletions
diff --git a/secure-modules.patch b/secure-modules.patch index 478c62ff5..bcc1c99a4 100644 --- a/secure-modules.patch +++ b/secure-modules.patch @@ -1,7 +1,7 @@ Bugzilla: N/A Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd -From 0f81a4461431941c17ff26fd3d5e284ede4a368a Mon Sep 17 00:00:00 2001 +From 18c06266b23a1241491e62003144ed8e74b7a725 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/14] Add secure_modules() call @@ -42,7 +42,7 @@ index f520a767c86c..fc9b54eb779e 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 11869408f79b..2b9204fe055f 100644 +index 079c4615607d..90be09d5da44 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3835,3 +3835,13 @@ void module_layout(struct module *mod, @@ -60,10 +60,10 @@ index 11869408f79b..2b9204fe055f 100644 +} +EXPORT_SYMBOL(secure_modules); -- -1.8.5.3 +1.9.3 -From 806c4ee0e6484b529b88b3d0ceb49f6edf96ae11 Mon Sep 17 00:00:00 2001 +From 6f64d0544f267a7410fde0e2062a5713248c258c Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is @@ -83,18 +83,18 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 4e0acefb7565..01b56d13d021 100644 +index 84c350994b06..c4ee5c98f780 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c -@@ -29,6 +29,7 @@ - #include <linux/slab.h> +@@ -30,6 +30,7 @@ #include <linux/vgaarb.h> #include <linux/pm_runtime.h> + #include <linux/of.h> +#include <linux/module.h> #include "pci.h" static int sysfs_initialized; /* = 0 */ -@@ -652,6 +653,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, +@@ -710,6 +711,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8*) buf; @@ -104,7 +104,7 @@ index 4e0acefb7565..01b56d13d021 100644 if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { -@@ -958,6 +962,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, +@@ -1016,6 +1020,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, resource_size_t start, end; int i; @@ -114,7 +114,7 @@ index 4e0acefb7565..01b56d13d021 100644 for (i = 0; i < PCI_ROM_RESOURCE; i++) if (res == &pdev->resource[i]) break; -@@ -1065,6 +1072,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, +@@ -1123,6 +1130,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { @@ -179,10 +179,10 @@ index 24750a1b39b6..fa57896b97dd 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -1.8.5.3 +1.9.3 -From 16ee82e2add8684e374451e6ba34be3ee41e4ef1 Mon Sep 17 00:00:00 2001 +From 9c9b7deb557fd099b7f8e4a9283003ee0bf43332 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/14] x86: Lock down IO port access when module security is @@ -252,10 +252,10 @@ index 917403fe10da..cdf839f9defe 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -1.8.5.3 +1.9.3 -From 2fd4b35393b19cde87e4770d3b85d12760e72f6a Mon Sep 17 00:00:00 2001 +From 2e2c456ba495b9bb3183279af630e0b36d8e2c4e Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/14] ACPI: Limit access to custom_method @@ -284,10 +284,10 @@ index c68e72414a67..4277938af700 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -1.8.5.3 +1.9.3 -From 543d64276237adb782ec30a5dab67d0b21afc1d4 Mon Sep 17 00:00:00 2001 +From e604f163f62405afdf52860295767fcfabac0b05 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module @@ -305,10 +305,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index c5e082fb82fa..03c57fc8de8a 100644 +index 91ef69a52263..3e6bf9075d9f 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c -@@ -1595,6 +1595,9 @@ static int show_dsts(struct seq_file *m, void *data) +@@ -1594,6 +1594,9 @@ static int show_dsts(struct seq_file *m, void *data) int err; u32 retval = -1; @@ -318,7 +318,7 @@ index c5e082fb82fa..03c57fc8de8a 100644 err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); if (err < 0) -@@ -1611,6 +1614,9 @@ static int show_devs(struct seq_file *m, void *data) +@@ -1610,6 +1613,9 @@ static int show_devs(struct seq_file *m, void *data) int err; u32 retval = -1; @@ -328,7 +328,7 @@ index c5e082fb82fa..03c57fc8de8a 100644 err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, &retval); -@@ -1635,6 +1641,9 @@ static int show_call(struct seq_file *m, void *data) +@@ -1634,6 +1640,9 @@ static int show_call(struct seq_file *m, void *data) union acpi_object *obj; acpi_status status; @@ -339,10 +339,10 @@ index c5e082fb82fa..03c57fc8de8a 100644 1, asus->debug.method_id, &input, &output); -- -1.8.5.3 +1.9.3 -From 6e2fec5547b597c43ca72e34729b8a402660a7c1 Mon Sep 17 00:00:00 2001 +From 7a27eb92368ea62098831471625d7aadf240beaa Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is @@ -382,10 +382,10 @@ index cdf839f9defe..c63cf93b00eb 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -1.8.5.3 +1.9.3 -From 358cea0a54f726fa61839b411f3f54284d4588bf Mon Sep 17 00:00:00 2001 +From 6a2a0adbe438e500fdc6d8aa4f75f0a75250629b Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module @@ -401,7 +401,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index f7fd72ac69cf..ccdae1c8c386 100644 +index 147bc1b91b42..b6e63bc0671c 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -44,6 +44,7 @@ @@ -422,10 +422,10 @@ index f7fd72ac69cf..ccdae1c8c386 100644 #endif -- -1.8.5.3 +1.9.3 -From 89751b3ad4dea7cf5b806cd14126dd70657a9148 Mon Sep 17 00:00:00 2001 +From dc797540b1dc002300c837aed6bb9a9361502db2 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 03:33:56 -0400 Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module @@ -441,7 +441,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index c8380ad203bc..e6eb239f567a 100644 +index 6748688813d0..d4d88984bf45 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -33,6 +33,7 @@ @@ -452,7 +452,7 @@ index c8380ad203bc..e6eb239f567a 100644 #include <asm/page.h> #include <asm/uaccess.h> -@@ -948,6 +949,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -946,6 +947,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* @@ -467,10 +467,10 @@ index c8380ad203bc..e6eb239f567a 100644 * This leaves us room for future extensions. */ -- -1.8.5.3 +1.9.3 -From 31174421a7103571a1c3faf7ba27d4045e5fbc18 Mon Sep 17 00:00:00 2001 +From 093851b8593880db428c36ddd897ed7cde3c9460 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Tue, 3 Sep 2013 11:23:29 -0400 Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted @@ -507,10 +507,10 @@ index 98d357584cd6..efe99dee9510 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -1.8.5.3 +1.9.3 -From ea5cf8801db979fa7d5f90ab3faf72eb22490f9b Mon Sep 17 00:00:00 2001 +From c3017981f472b25d68ffb1cbb19760374707ecaf Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is @@ -552,10 +552,10 @@ index c9603ac80de5..8bef43fc3f40 100644 err = -EFAULT; break; -- -1.8.5.3 +1.9.3 -From 2985684ff78972bde7ebf1e295b52afd9bea29e0 Mon Sep 17 00:00:00 2001 +From f1ce1d6cea8ac32712f7a555c47223d5350979c2 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 11/14] Add option to automatically enforce module signatures @@ -591,10 +591,10 @@ index 199f453cb4de..ec38acf00b40 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 5b8ec0f53b57..085d5eb36361 100644 +index b660088c220d..b4229b168d4e 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1534,6 +1534,16 @@ config EFI_MIXED +@@ -1555,6 +1555,16 @@ config EFI_MIXED If unsure, say N. @@ -612,7 +612,7 @@ index 5b8ec0f53b57..085d5eb36361 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 1e6146137f8e..b00745ff398a 100644 +index 0331d765c2bb..85defaf5a27c 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -634,7 +634,7 @@ index 1e6146137f8e..b00745ff398a 100644 + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + -+ status = efi_call_phys5(sys_table->runtime->get_variable, ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, + L"SecureBoot", &var_guid, NULL, &datasize, &sb); + + if (status != EFI_SUCCESS) @@ -644,7 +644,7 @@ index 1e6146137f8e..b00745ff398a 100644 + return 0; + + -+ status = efi_call_phys5(sys_table->runtime->get_variable, ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, + L"SetupMode", &var_guid, NULL, &datasize, + &setup); + @@ -687,7 +687,7 @@ index 225b0988043a..90dbfb73e11f 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 09c76d265550..5a61d732fd5c 100644 +index 78a0e6298922..8ecfec85e527 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p) @@ -721,7 +721,7 @@ index fc9b54eb779e..7377bc851461 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 2b9204fe055f..2b8cc2d57c16 100644 +index 90be09d5da44..452079124fb7 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3836,6 +3836,13 @@ void module_layout(struct module *mod, @@ -739,11 +739,11 @@ index 2b9204fe055f..2b8cc2d57c16 100644 { #ifdef CONFIG_MODULE_SIG -- -1.8.5.3 +1.9.3 -From b2e4ea728ccab2befbd5fe1bd834881a7dd8f34b Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@redhat.com> +From 58bd85fa405992926e9c8c6205bda6580cc150ff Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 5 Feb 2013 19:25:05 -0500 Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode @@ -753,13 +753,13 @@ MokSBState that does not have the runtime attribute set. Given that the user explicitly disabled validation, we can honor that and not enable secure boot mode if that variable is set. -Signed-off-by: Josh Boyer <jwboyer@redhat.com> +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> --- arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index b00745ff398a..bf42cc5f083d 100644 +index 85defaf5a27c..b4013a4ba005 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -812,8 +812,9 @@ out: @@ -781,7 +781,7 @@ index b00745ff398a..bf42cc5f083d 100644 + * doesn't have the runtime attribute set, we might as well honor that. + */ + var_guid = EFI_SHIM_LOCK_GUID; -+ status = efi_call_phys5(sys_table->runtime->get_variable, ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, + L"MokSBState", &var_guid, &attr, &datasize, + &moksbstate); + @@ -798,10 +798,10 @@ index b00745ff398a..bf42cc5f083d 100644 } -- -1.8.5.3 +1.9.3 -From fb418c682d01c447d30b5591a591fdbf33b1334e Mon Sep 17 00:00:00 2001 +From 156ea92ad8cb0716fda8a4b9fe7cb21b39d0e405 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -815,10 +815,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 085d5eb36361..3e8d398a976d 100644 +index b4229b168d4e..6b08f48417b0 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1535,7 +1535,8 @@ config EFI_MIXED +@@ -1556,7 +1556,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -829,10 +829,10 @@ index 085d5eb36361..3e8d398a976d 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -1.8.5.3 +1.9.3 -From 87bf357dd4589cfca043ec4b641b912a088b1234 Mon Sep 17 00:00:00 2001 +From 8934fb355e0be514c9735bfa3afb0d28920a0210 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit @@ -847,7 +847,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 5a61d732fd5c..23fe9bf3c401 100644 +index 8ecfec85e527..5ce785fc9f05 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p) @@ -861,10 +861,10 @@ index 5a61d732fd5c..23fe9bf3c401 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 6c100ff0cae4..3a77a70fff27 100644 +index 41bbf8ba4ba8..e73f391fd3c8 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -899,6 +899,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -917,6 +917,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_MEMMAP 4 /* Can we use EFI memory map? */ #define EFI_64BIT 5 /* Is the firmware 64-bit? */ #define EFI_ARCH_1 6 /* First arch-specific bit */ @@ -873,5 +873,5 @@ index 6c100ff0cae4..3a77a70fff27 100644 #ifdef CONFIG_EFI /* -- -1.8.5.3 +1.9.3 |