-rw-r--r--ACPI-Limit-access-to-custom_method.patch4
-rw-r--r--Add-EFI-signature-data-types.patch16
-rw-r--r--Add-an-EFI-signature-blob-parser-and-key-loader.patch14
-rw-r--r--Add-option-to-automatically-enforce-module-signature.patch30
-rw-r--r--Add-secure_modules-call.patch12
-rw-r--r--Add-sysrq-option-to-disable-secure-boot-mode.patch32
-rw-r--r--KEYS-Add-a-system-blacklist-keyring.patch10
-rw-r--r--MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch32
-rw-r--r--MODSIGN-Support-not-importing-certs-from-db.patch8
-rw-r--r--PCI-Lock-down-BAR-access-when-module-security-is-ena.patch13
-rw-r--r--Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch12
-rw-r--r--acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch8
-rw-r--r--asus-wmi-Restrict-debugfs-interface-when-module-load.patch12
-rw-r--r--efi-Add-EFI_SECURE_BOOT-bit.patch14
-rw-r--r--efi-Add-SHIM-and-image-security-database-GUID-defini.patch31
-rw-r--r--efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch12
-rw-r--r--hibernate-Disable-in-a-signed-modules-environment.patch10
-rw-r--r--kernel.spec7
-rw-r--r--kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch12
-rw-r--r--x86-Lock-down-IO-port-access-when-module-security-is.patch13
-rw-r--r--x86-Restrict-MSR-access-when-module-loading-is-restr.patch10
21 files changed, 166 insertions, 146 deletions
diff --git a/ACPI-Limit-access-to-custom_method.patch b/ACPI-Limit-access-to-custom_method.patch
index 38236753e..44d2a004d 100644
--- a/ACPI-Limit-access-to-custom_method.patch
+++ b/ACPI-Limit-access-to-custom_method.patch
@@ -1,4 +1,4 @@
-From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001
+From 36d02761fc952f8190fca75bb4b81c2c7b7ddf68 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH 04/20] ACPI: Limit access to custom_method
@@ -27,5 +27,5 @@ index c68e72414a67..4277938af700 100644
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
--
-2.4.3
+2.9.3
diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch
index 23402354e..c376c48b3 100644
--- a/Add-EFI-signature-data-types.patch
+++ b/Add-EFI-signature-data-types.patch
@@ -1,7 +1,7 @@
-From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001
+From ba3f737b8521314b62edaa7d4cc4bdc9aeefe394 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH 4/9] Add EFI signature data types
+Subject: [PATCH 15/20] Add EFI signature data types
Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification.
@@ -11,14 +11,14 @@ Upstream-status: Fedora mustard for now
Signed-off-by: David Howells <dhowells@redhat.com>
---
- include/linux/efi.h | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
+ include/linux/efi.h | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 8cb38cfcba74..8c274b4ea8e6 100644
+index 5af91b58afae..190858d62fe3 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -647,6 +647,9 @@ void efi_native_runtime_setup(void);
+@@ -603,6 +603,9 @@ void efi_native_runtime_setup(void);
#define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID EFI_GUID(0xe03fc20a, 0x85dc, 0x406e, 0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95)
#define LINUX_EFI_LOADER_ENTRY_GUID EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
@@ -28,7 +28,7 @@ index 8cb38cfcba74..8c274b4ea8e6 100644
typedef struct {
efi_guid_t guid;
u64 table;
-@@ -879,6 +885,20 @@ typedef struct {
+@@ -853,6 +856,20 @@ typedef struct {
efi_memory_desc_t entry[0];
} efi_memory_attributes_table_t;
@@ -50,5 +50,5 @@ index 8cb38cfcba74..8c274b4ea8e6 100644
* All runtime access to EFI goes through this structure:
*/
--
-2.5.5
+2.9.3
diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
index 3697a4b74..f57abc9f2 100644
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@@ -1,7 +1,7 @@
-From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
+From 822b4b3eb76ca451a416a51f0a7bfedfa5c5ea39 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
+Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
@@ -17,10 +17,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
create mode 100644 crypto/asymmetric_keys/efi_parser.c
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index e28e912000a7..94024e8aedaa 100644
+index 331f6baf2df8..5f9002d3192e 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
-@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
+@@ -61,4 +61,12 @@ config SIGNED_PE_FILE_VERIFICATION
This option provides support for verifying the signature(s) on a
signed PE binary.
@@ -160,10 +160,10 @@ index 000000000000..636feb18b733
+ return 0;
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 8c274b4ea8e6..ff1877145aa4 100644
+index 190858d62fe3..668aa1244885 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
+@@ -1025,6 +1025,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
char * __init efi_md_typeattr_format(char *buf, size_t size,
const efi_memory_desc_t *md);
@@ -175,5 +175,5 @@ index 8c274b4ea8e6..ff1877145aa4 100644
* efi_range_is_wc - check the WC bit on an address range
* @start: starting kvirt address
--
-2.5.5
+2.9.3
diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch
index aa1983377..ebabac62e 100644
--- a/Add-option-to-automatically-enforce-module-signature.patch
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@@ -1,8 +1,8 @@
-From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
+From 6b6203b92cfb457a0669a9c87a29b360405bffc6 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH] Add option to automatically enforce module signatures when in
- Secure Boot mode
+Subject: [PATCH 10/20] Add option to automatically enforce module signatures
+ when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
@@ -34,10 +34,10 @@ index 95a4d34af3fd..b8527c6b7646 100644
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 0a7b885964ba..29b8ba9ae713 100644
+index bada636d1065..d666ef8b616c 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -1776,6 +1776,17 @@ config EFI_MIXED
+@@ -1786,6 +1786,17 @@ config EFI_MIXED
If unsure, say N.
@@ -56,7 +56,7 @@ index 0a7b885964ba..29b8ba9ae713 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 52fef606bc54..6b8b9a775b46 100644
+index cc69e37548db..ebc85c1eefd6 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
@@ -67,7 +67,7 @@ index 52fef606bc54..6b8b9a775b46 100644
#include "../string.h"
#include "eboot.h"
-@@ -571,6 +572,67 @@ free_handle:
+@@ -537,6 +538,67 @@ static void setup_efi_pci(struct boot_params *params)
efi_call_early(free_pool, pci_handle);
}
@@ -135,7 +135,7 @@ index 52fef606bc54..6b8b9a775b46 100644
static efi_status_t
setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
{
-@@ -1126,6 +1188,10 @@ struct boot_params *efi_main(struct efi_config *c,
+@@ -1094,6 +1156,10 @@ struct boot_params *efi_main(struct efi_config *c,
else
setup_boot_services32(efi_early);
@@ -161,10 +161,10 @@ index c18ce67495fa..2b3e5427097b 100644
* The sentinel is set to a nonzero value (0xff) in header.S.
*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index c4e7b3991b60..bdb9881c7afd 100644
+index bbfbca5fea0c..d40e961753c9 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
@@ -178,10 +178,10 @@ index c4e7b3991b60..bdb9881c7afd 100644
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
diff --git a/include/linux/module.h b/include/linux/module.h
-index 082298a09df1..38d0597f7615 100644
+index 05bd6c989a0c..32327704e18d 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
-@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
+@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table \
struct notifier_block;
@@ -195,10 +195,10 @@ index 082298a09df1..38d0597f7615 100644
extern int modules_disabled; /* for sysctl */
diff --git a/kernel/module.c b/kernel/module.c
-index 3c384968f553..ea484f3a35b2 100644
+index cb864505d020..cb1f1da69bf4 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
+@@ -4285,6 +4285,13 @@ void module_layout(struct module *mod,
EXPORT_SYMBOL(module_layout);
#endif
@@ -213,5 +213,5 @@ index 3c384968f553..ea484f3a35b2 100644
{
#ifdef CONFIG_MODULE_SIG
--
-2.5.5
+2.9.3
diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch
index 1cbf3afd9..99d04c43e 100644
--- a/Add-secure_modules-call.patch
+++ b/Add-secure_modules-call.patch
@@ -1,7 +1,7 @@
-From 3213f1513a744fb21b6b9e4d4f2650a204855b3e Mon Sep 17 00:00:00 2001
+From 80d2d273b36b33d46820ab128c7a5b068389f643 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH] Add secure_modules() call
+Subject: [PATCH 01/20] Add secure_modules() call
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
@@ -17,7 +17,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
2 files changed, 16 insertions(+)
diff --git a/include/linux/module.h b/include/linux/module.h
-index 0c3207d..05bd6c9 100644
+index 0c3207d26ac0..05bd6c989a0c 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -641,6 +641,8 @@ static inline bool is_livepatch_module(struct module *mod)
@@ -41,10 +41,10 @@ index 0c3207d..05bd6c9 100644
#ifdef CONFIG_SYSFS
diff --git a/kernel/module.c b/kernel/module.c
-index 529efae..0332fdd 100644
+index f57dd63186e6..cb864505d020 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod,
+@@ -4284,3 +4284,13 @@ void module_layout(struct module *mod,
}
EXPORT_SYMBOL(module_layout);
#endif
@@ -59,5 +59,5 @@ index 529efae..0332fdd 100644
+}
+EXPORT_SYMBOL(secure_modules);
--
-2.9.2
+2.9.3
diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch
index 3cecd1399..edd6039f9 100644
--- a/Add-sysrq-option-to-disable-secure-boot-mode.patch
+++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch
@@ -1,7 +1,7 @@
-From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001
+From d9e0379e8d3cb51efe4e2b1a5a60c52c2c40bdfb Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
Date: Fri, 30 Aug 2013 09:28:51 -0400
-Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode
+Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
Bugzilla: N/A
Upstream-status: Fedora mustard
@@ -16,7 +16,7 @@ Upstream-status: Fedora mustard
7 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index a666b6c29c77..7732c769937b 100644
+index b93183336674..dab2882927c2 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -70,6 +70,11 @@
@@ -70,7 +70,7 @@ index a666b6c29c77..7732c769937b 100644
.notifier_call = dump_kernel_offset
};
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
-index abe1a927b332..f4126fcec10c 100644
+index 92595b98e7ed..894ed3f74f04 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
@@ -82,10 +82,10 @@ index abe1a927b332..f4126fcec10c 100644
input_set_drvdata(udev->dev, udev);
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index e5139402e7f8..5ef2e04a03ad 100644
+index 52bbd27e93ae..594bd731253a 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
-@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+@@ -479,6 +479,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
/* x: May be registered on mips for TLB dump */
/* x: May be registered on ppc/powerpc for xmon */
/* x: May be registered on sparc64 for global PMU dump */
@@ -93,7 +93,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
NULL, /* x */
/* y: May be registered on sparc64 for global register dump */
NULL, /* y */
-@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+@@ -522,7 +523,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
sysrq_key_table[i] = op_p;
}
@@ -102,7 +102,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
{
struct sysrq_key_op *op_p;
int orig_log_level;
-@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask)
op_p = __sysrq_get_key_op(key);
if (op_p) {
@@ -119,7 +119,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
pr_cont("%s\n", op_p->action_msg);
console_loglevel = orig_log_level;
op_p->handler(key);
-@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -578,7 +583,7 @@ void __handle_sysrq(int key, bool check_mask)
void handle_sysrq(int key)
{
if (sysrq_on())
@@ -128,7 +128,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
}
EXPORT_SYMBOL(handle_sysrq);
-@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state)
+@@ -659,7 +664,7 @@ static void sysrq_do_reset(unsigned long _state)
static void sysrq_handle_reset_request(struct sysrq_state *state)
{
if (state->reset_requested)
@@ -137,7 +137,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
if (sysrq_reset_downtime_ms)
mod_timer(&state->keyreset_timer,
-@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+@@ -810,8 +815,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
default:
if (sysrq->active && value && value != 2) {
@@ -149,7 +149,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
}
break;
}
-@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+@@ -1095,7 +1102,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
if (get_user(c, buf))
return -EFAULT;
@@ -159,7 +159,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
return count;
diff --git a/include/linux/input.h b/include/linux/input.h
-index 1e967694e9a5..2b56c6f9673c 100644
+index a65e3b24fb18..8b0357175049 100644
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -42,6 +42,7 @@ struct input_value {
@@ -229,10 +229,10 @@ index 2a20c0dfdafc..3d17205dab77 100644
return 0;
diff --git a/kernel/module.c b/kernel/module.c
-index ea484f3a35b2..84b00659b0ee 100644
+index cb1f1da69bf4..5933c27ba19e 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void)
+@@ -270,7 +270,7 @@ static void module_assert_mutex_or_preempt(void)
#endif
}
@@ -242,5 +242,5 @@ index ea484f3a35b2..84b00659b0ee 100644
module_param(sig_enforce, bool_enable_only, 0644);
#endif /* !CONFIG_MODULE_SIG_FORCE */
--
-2.5.5
+2.9.3
diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch
index 4f5678a15..262c960b8 100644
--- a/KEYS-Add-a-system-blacklist-keyring.patch
+++ b/KEYS-Add-a-system-blacklist-keyring.patch
@@ -1,7 +1,7 @@
-From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001
+From 2a54526850121cd0d7cf649a321488b4dab5731d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring
+Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
@@ -78,10 +78,10 @@ index fbd4647767e9..5bc291a3d261 100644
extern struct key *ima_blacklist_keyring;
diff --git a/init/Kconfig b/init/Kconfig
-index a9c4aefd5436..e5449d5aeff9 100644
+index 34407f15e6d3..461ad575a608 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION
+@@ -1859,6 +1859,15 @@ config SYSTEM_DATA_VERIFICATION
module verification, kexec image verification and firmware blob
verification.
@@ -98,5 +98,5 @@ index a9c4aefd5436..e5449d5aeff9 100644
bool "Profiling support"
help
--
-2.5.5
+2.9.3
diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
index 05be7a028..752ba4631 100644
--- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@@ -1,7 +1,7 @@
-From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
+From 8a4535bcfe24d317be675e53cdc8c61d22fdc7f3 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:42:16 -0400
-Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
+Subject: [PATCH 18/20] MODSIGN: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring. This
@@ -20,11 +20,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
certs/system_keyring.c | 13 ++++++
include/keys/system_keyring.h | 1 +
- include/linux/efi.h | 6 +++
init/Kconfig | 9 ++++
kernel/Makefile | 3 ++
kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++
- 6 files changed, 131 insertions(+)
+ 5 files changed, 125 insertions(+)
create mode 100644 kernel/modsign_uefi.c
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
@@ -63,28 +62,11 @@ index 5bc291a3d261..56ff5715ab67 100644
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index ff1877145aa4..2483de19c719 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -658,6 +658,12 @@ typedef struct {
- u64 table;
- } efi_config_table_64_t;
-
-+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
-+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
-+
-+#define EFI_SHIM_LOCK_GUID \
-+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
-+
- typedef struct {
- efi_guid_t guid;
- u32 table;
diff --git a/init/Kconfig b/init/Kconfig
-index e5449d5aeff9..5408c96f6604 100644
+index 461ad575a608..93646fd7b1c8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
+@@ -2009,6 +2009,15 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
@@ -101,7 +83,7 @@ index e5449d5aeff9..5408c96f6604 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
-index e2ec54e2b952..8dab549985d8 100644
+index eb26e12c6c2a..e0c2268cb97e 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -57,6 +57,7 @@ endif
@@ -227,5 +209,5 @@ index 000000000000..fe4a6f2bf10a
+}
+late_initcall(load_uefi_certs);
--
-2.5.5
+2.9.3
diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch
index 3339ce76e..d7087b5e7 100644
--- a/MODSIGN-Support-not-importing-certs-from-db.patch
+++ b/MODSIGN-Support-not-importing-certs-from-db.patch
@@ -1,7 +1,7 @@
-From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
+From 9d2e5c61d5adcf7911f67ed44a1b0ff881f175bb Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Thu, 3 Oct 2013 10:14:23 -0400
-Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
+Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
-index 03f601a0052c..321c79a3b282 100644
+index fe4a6f2bf10a..a41da14b1ffd 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
@@ -82,5 +82,5 @@ index 03f601a0052c..321c79a3b282 100644
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
--
-2.5.5
+2.9.3
diff --git a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
index 9500b96d2..e30b337c1 100644
--- a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
+++ b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
@@ -1,7 +1,8 @@
-From 6f756b32a45b022428e33ce20181e874c73ca82e Mon Sep 17 00:00:00 2001
+From 03a4ad09f20944e1917abfd24d1d0e5f107a2861 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
+Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is
+ enabled
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
@@ -17,7 +18,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index bcd10c7..a950301 100644
+index bcd10c795284..a950301496f3 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -30,6 +30,7 @@
@@ -59,7 +60,7 @@ index bcd10c7..a950301 100644
}
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 2408abe..59f321c 100644
+index 2408abe4ee8c..59f321c56c18 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@@ -92,7 +93,7 @@ index 2408abe..59f321c 100644
/* Make sure the caller is mapping a real resource for this device */
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index b91c4da..98f5637 100644
+index b91c4da68365..98f5637304d1 100644
--- a/drivers/pci/syscall.c
+++ b/drivers/pci/syscall.c
@@ -10,6 +10,7 @@
@@ -113,5 +114,5 @@ index b91c4da..98f5637 100644
dev = pci_get_bus_and_slot(bus, dfn);
--
-2.9.2
+2.9.3
diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
index 7cd4eb574..24f1d5b5d 100644
--- a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
@@ -1,7 +1,7 @@
-From 3dfb34906e9e57e70bd497ee21e8d59325c841d2 Mon Sep 17 00:00:00 2001
+From 9f31204f829da97f99f7aacf30f0ddc26e456df7 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is
restricted
Allowing users to write to address space makes it possible for the kernel
@@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 5bb1985..74ee6a4 100644
+index 7f1a7ab5850d..d6a6f05fbc1c 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
-@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
if (p != *ppos)
return -EFBIG;
@@ -27,7 +27,7 @@ index 5bb1985..74ee6a4 100644
if (!valid_phys_addr_range(p, count))
return -EFAULT;
-@@ -515,6 +518,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+@@ -516,6 +519,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
if (!pfn_valid(PFN_DOWN(p)))
return -EIO;
@@ -38,5 +38,5 @@ index 5bb1985..74ee6a4 100644
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
--
-2.7.4
+2.9.3
diff --git a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
index 2794b155f..89d59424b 100644
--- a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
+++ b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
@@ -1,4 +1,4 @@
-From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001
+From ee880324686af8bb212fc088495ea528e3042cd6 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 739a4a6b3b9b..9ef2a020a7a9 100644
+index 416953a42510..4887e343c7fd 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -40,6 +40,7 @@
@@ -25,7 +25,7 @@ index 739a4a6b3b9b..9ef2a020a7a9 100644
#include <asm/io.h>
#include <asm/uaccess.h>
-@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
acpi_physical_address __init acpi_os_get_root_pointer(void)
{
#ifdef CONFIG_KEXEC
@@ -35,5 +35,5 @@ index 739a4a6b3b9b..9ef2a020a7a9 100644
#endif
--
-2.4.3
+2.9.3
diff --git a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
index 3ab7b85ea..7e70e4f1a 100644
--- a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
+++ b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
@@ -1,4 +1,4 @@
-From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001
+From ebbd8d01acdf472594f7e43e9a4274745c402e8e Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module
@@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index efbc3f0c592b..071171be4b7f 100644
+index ce6ca31a2d09..55d23994d6a2 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
-@@ -1868,6 +1868,9 @@ static int show_dsts(struct seq_file *m, void *data)
+@@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)
int err;
u32 retval = -1;
@@ -29,7 +29,7 @@ index efbc3f0c592b..071171be4b7f 100644
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
if (err < 0)
-@@ -1884,6 +1887,9 @@ static int show_devs(struct seq_file *m, void *data)
+@@ -1888,6 +1891,9 @@ static int show_devs(struct seq_file *m, void *data)
int err;
u32 retval = -1;
@@ -39,7 +39,7 @@ index efbc3f0c592b..071171be4b7f 100644
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
&retval);
-@@ -1908,6 +1914,9 @@ static int show_call(struct seq_file *m, void *data)
+@@ -1912,6 +1918,9 @@ static int show_call(struct seq_file *m, void *data)
union acpi_object *obj;
acpi_status status;
@@ -50,5 +50,5 @@ index efbc3f0c592b..071171be4b7f 100644
1, asus->debug.method_id,
&input, &output);
--
-2.4.3
+2.9.3
diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch
index dca2eb296..c44010322 100644
--- a/efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -1,7 +1,7 @@
-From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001
+From a8883aff32f1e15b65e210462804aa2a9ab9a0b6 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled.
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
2 files changed, 3 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index bdb9881c7afd..a666b6c29c77 100644
+index d40e961753c9..b93183336674 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot) {
@@ -27,10 +27,10 @@ index bdb9881c7afd..a666b6c29c77 100644
#endif
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index c2db3ca22217..8cb38cfcba74 100644
+index ce943d5accfd..5af91b58afae 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1046,6 +1046,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_ARCH_1 7 /* First arch-specific bit */
#define EFI_DBG 8 /* Print additional debug info at runtime */
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
@@ -39,5 +39,5 @@ index c2db3ca22217..8cb38cfcba74 100644
#ifdef CONFIG_EFI
/*
--
-2.5.5
+2.9.3
diff --git a/efi-Add-SHIM-and-image-security-database-GUID-defini.patch b/efi-Add-SHIM-and-image-security-database-GUID-defini.patch
new file mode 100644
index 000000000..4d380ea76
--- /dev/null
+++ b/efi-Add-SHIM-and-image-security-database-GUID-defini.patch
@@ -0,0 +1,31 @@
+From 3a9fe1504e08824d894bb3a804c6a313f5d1be8a Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 25 Oct 2016 12:54:11 -0400
+Subject: [PATCH 11/20] efi: Add SHIM and image security database GUID
+ definitions
+
+Add the definitions for shim and image security database, both of which
+are used widely in various Linux distros.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ include/linux/efi.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 2d089487d2da..ce943d5accfd 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -592,6 +592,9 @@ void efi_native_runtime_setup(void);
+ #define EFI_MEMORY_ATTRIBUTES_TABLE_GUID EFI_GUID(0xdcfa911d, 0x26eb, 0x469f, 0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
+ #define EFI_CONSOLE_OUT_DEVICE_GUID EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4, 0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
+
++#define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
++#define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
++
+ /*
+ * This GUID is used to pass to the kernel proper the struct screen_info
+ * structure that was populated by the stub based on the GOP protocol instance
+--
+2.9.3
+
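Review bot: The two new macros on the `+#define EFI_IMAGE_SECURITY_DATABASE_GUID` and `+#define EFI_SHIM_LOCK_GUID` lines carry no comment saying which UEFI variables they are the vendor GUID for, so a reader of efi.h cannot tell a firmware-defined GUID from a bootloader-defined one; I would add `/* vendor GUID of the UEFI image security database variables (db, dbx) */` above the first and `/* vendor GUID of the variables published by shim, e.g. MokListRT, MokIgnoreDB */` above the second. The values are identical to the ones this commit removes from MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch, so moving them into a standalone patch changes no constant. Because this patch is numbered 11/20 while the shim insecure-mode patch (12/20) and the MODSIGN import patch (18/20) presumably consume these GUIDs, the series now depends on it being applied before both of them; the kernel.spec change that would establish that order appears in the diffstat but is not in view here.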
diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
index 7d4a46e15..761a66ff7 100644
--- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
@@ -1,7 +1,7 @@
-From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001
+From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode
+Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
@@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 6b8b9a775b46..b3a5364d31c6 100644
+index ebc85c1eefd6..50e027f388d8 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
-@@ -574,8 +574,9 @@ free_handle:
+@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)
static int get_secure_boot(void)
{
@@ -29,7 +29,7 @@ index 6b8b9a775b46..b3a5364d31c6 100644
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;
-@@ -599,6 +600,23 @@ static int get_secure_boot(void)
+@@ -565,6 +566,23 @@ static int get_secure_boot(void)
if (setup == 1)
return 0;
@@ -54,5 +54,5 @@ index 6b8b9a775b46..b3a5364d31c6 100644
}
--
-2.5.5
+2.9.3
diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch
index bea2892ee..0cbf94137 100644
--- a/hibernate-Disable-in-a-signed-modules-environment.patch
+++ b/hibernate-Disable-in-a-signed-modules-environment.patch
@@ -1,7 +1,7 @@
-From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001
+From 6c56c15ec618a508b0eca98571780a8b7114cb92 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment
+Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index fca9254280ee..ffd8644078b2 100644
+index b26dbc48c75b..ab187ad3fc61 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -29,6 +29,7 @@
@@ -25,7 +25,7 @@ index fca9254280ee..ffd8644078b2 100644
#include <trace/events/power.h>
#include "power.h"
-@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
+@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
bool hibernation_available(void)
{
@@ -35,5 +35,5 @@ index fca9254280ee..ffd8644078b2 100644
/**
--
-2.5.5
+2.9.3
diff --git a/kernel.spec b/kernel.spec
index a4777910a..0f116f42f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -549,7 +549,9 @@ Patch481: x86-Restrict-MSR-access-when-module-loading-is-restr.patch
Patch482: Add-option-to-automatically-enforce-module-signature.patch
-Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+Patch483: efi-Add-SHIM-and-image-security-database-GUID-defini.patch
+
+Patch484: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -2147,6 +2149,9 @@ fi
#
#
%changelog
+* Thu Oct 27 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Refresh SB patchset to fix bisectability issue
+
* Thu Oct 27 2016 Justin M. Forbes <jforbes@fedoraproject.org>
- CVE-2016-9083 CVE-2016-9084 vfio multiple flaws (rhbz 1389258 1389259 1389285)
diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
index a5832ea70..ec8675eb4 100644
--- a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
@@ -1,7 +1,7 @@
-From 6306cad6e5663424c08e5ebdfdcfd799c5537bfe Mon Sep 17 00:00:00 2001
+From 85968a9f0b3f05c56d4ac4002748f3412a9baab0 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which
@@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 8 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 4c5edc357923..db431971dbd4 100644
+index 980936a90ee6..fce28bf7d5d7 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
-@@ -10,6 +10,7 @@
+@@ -12,6 +12,7 @@
#include <linux/mm.h>
#include <linux/file.h>
#include <linux/kexec.h>
@@ -25,7 +25,7 @@ index 4c5edc357923..db431971dbd4 100644
#include <linux/mutex.h>
#include <linux/list.h>
#include <linux/syscalls.h>
-@@ -133,6 +134,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+@@ -194,6 +195,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
return -EPERM;
/*
@@ -40,5 +40,5 @@ index 4c5edc357923..db431971dbd4 100644
* This leaves us room for future extensions.
*/
--
-2.4.3
+2.9.3
diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch
index 185b1da99..3bb42bb45 100644
--- a/x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch
@@ -1,7 +1,8 @@
-From 8010b5eb4680df797575e6306d4d891200e303ab Mon Sep 17 00:00:00 2001
+From e7817a96c7ef1b502dba6f70b75f9e8993a8750b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH] x86: Lock down IO port access when module security is enabled
+Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
+ enabled
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
@@ -45,10 +46,10 @@ index 589b3193f102..ab8372443efb 100644
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 71025c2f6bbb..86e5bfa91563 100644
+index 5bb1985ec484..7f1a7ab5850d 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
-@@ -27,6 +27,7 @@
+@@ -28,6 +28,7 @@
#include <linux/export.h>
#include <linux/io.h>
#include <linux/uio.h>
@@ -56,7 +57,7 @@ index 71025c2f6bbb..86e5bfa91563 100644
#include <linux/uaccess.h>
-@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
unsigned long i = *ppos;
const char __user *tmp = buf;
@@ -67,5 +68,5 @@ index 71025c2f6bbb..86e5bfa91563 100644
return -EFAULT;
while (count-- > 0 && i < 65536) {
--
-2.5.5
+2.9.3
diff --git a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
index 5c91ab143..71b5b2edb 100644
--- a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
@@ -1,4 +1,4 @@
-From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001
+From 85539b332c79fbce1b9f371ff1a2a8d489e65110 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
@@ -15,10 +15,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 7 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 113e70784854..26c2f83fc470 100644
+index 7f3550acde1b..963ba4011923 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
-@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+@@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0;
ssize_t bytes = 0;
@@ -28,7 +28,7 @@ index 113e70784854..26c2f83fc470 100644
if (count % 8)
return -EINVAL; /* Invalid chunk size */
-@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+@@ -130,6 +133,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
err = -EBADF;
break;
}
@@ -40,5 +40,5 @@ index 113e70784854..26c2f83fc470 100644
err = -EFAULT;
break;
--
-2.4.3
+2.9.3