diff options
-rw-r--r-- | config-generic | 11 | ||||
-rw-r--r-- | config-nodebug | 114 | ||||
-rw-r--r-- | config-x86-generic | 3 | ||||
-rw-r--r-- | kernel.spec | 14 | ||||
-rw-r--r-- | modsign-uefi.patch | 58 | ||||
-rw-r--r-- | perf-plugin-dir.patch | 24 | ||||
-rw-r--r-- | secure-modules.patch | 122 | ||||
-rw-r--r-- | sources | 1 |
8 files changed, 191 insertions, 156 deletions
diff --git a/config-generic b/config-generic index 1fbffe352..ac5b7c620 100644 --- a/config-generic +++ b/config-generic @@ -72,7 +72,7 @@ CONFIG_PREEMPT_VOLUNTARY=y CONFIG_SLUB=y CONFIG_SLUB_CPU_PARTIAL=y # CONFIG_SLUB_STATS is not set -# CONFIG_SLUB_DEBUG_ON is not set +CONFIG_SLUB_DEBUG_ON=y # CONFIG_AD525X_DPOT is not set # CONFIG_ATMEL_PWM is not set @@ -1643,13 +1643,13 @@ CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y # CONFIG_B43_BCMA_EXTRA is not set CONFIG_B43_BCMA_PIO=y -# CONFIG_B43_DEBUG is not set +CONFIG_B43_DEBUG=y CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y # CONFIG_B43_FORCE_PIO is not set CONFIG_B43LEGACY=m -# CONFIG_B43LEGACY_DEBUG is not set +CONFIG_B43LEGACY_DEBUG=y CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -3460,7 +3460,7 @@ CONFIG_USB_STORAGE_REALTEK=m CONFIG_REALTEK_AUTOPM=y CONFIG_USB_STORAGE_ENE_UB6250=m # CONFIG_USB_LIBUSUAL is not set -# CONFIG_USB_UAS is not set +CONFIG_USB_UAS=m # @@ -4267,6 +4267,7 @@ CONFIG_LOCKUP_DETECTOR=y # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set # CONFIG_BOOTPARAM_HARDLOCKUP_PANIC is not set # CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_TIMEOUT=0 CONFIG_ATOMIC64_SELFTEST=y CONFIG_MEMORY_FAILURE=y CONFIG_HWPOISON_INJECT=m @@ -4519,7 +4520,7 @@ CONFIG_PM_DEBUG=y # CONFIG_DPM_WATCHDOG is not set # revisit this in debug CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -# CONFIG_PM_TEST_SUSPEND is not set +CONFIG_PM_TEST_SUSPEND=y CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set diff --git a/config-nodebug b/config-nodebug index ee4842bfc..9d4b2e91f 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,98 +2,98 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -# CONFIG_DEBUG_ATOMIC_SLEEP is not set - -# CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set -# CONFIG_DEBUG_RT_MUTEXES is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_DEBUG_SPINLOCK is not set -# CONFIG_PROVE_RCU is not set +CONFIG_DEBUG_ATOMIC_SLEEP=y + +CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y +CONFIG_DEBUG_RT_MUTEXES=y +CONFIG_DEBUG_LOCK_ALLOC=y +CONFIG_PROVE_LOCKING=y +CONFIG_DEBUG_SPINLOCK=y +CONFIG_PROVE_RCU=y # CONFIG_PROVE_RCU_REPEATEDLY is not set -# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_DEBUG_PER_CPU_MAPS=y CONFIG_CPUMASK_OFFSTACK=y -# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set +CONFIG_CPU_NOTIFIER_ERROR_INJECT=m -# CONFIG_FAULT_INJECTION is not set -# CONFIG_FAILSLAB is not set -# CONFIG_FAIL_PAGE_ALLOC is not set -# CONFIG_FAIL_MAKE_REQUEST is not set -# CONFIG_FAULT_INJECTION_DEBUG_FS is not set -# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set -# CONFIG_FAIL_IO_TIMEOUT is not set -# CONFIG_FAIL_MMC_REQUEST is not set +CONFIG_FAULT_INJECTION=y +CONFIG_FAILSLAB=y +CONFIG_FAIL_PAGE_ALLOC=y +CONFIG_FAIL_MAKE_REQUEST=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y +CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y +CONFIG_FAIL_IO_TIMEOUT=y +CONFIG_FAIL_MMC_REQUEST=y -# CONFIG_LOCK_STAT is not set +CONFIG_LOCK_STAT=y -# CONFIG_DEBUG_STACK_USAGE is not set +CONFIG_DEBUG_STACK_USAGE=y -# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_DEBUG=y # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set -# CONFIG_DEBUG_SG is not set +CONFIG_DEBUG_SG=y # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_DEBUG_WRITECOUNT is not set -# CONFIG_DEBUG_OBJECTS is not set +CONFIG_DEBUG_WRITECOUNT=y +CONFIG_DEBUG_OBJECTS=y # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -# CONFIG_DEBUG_OBJECTS_FREE is not set -# CONFIG_DEBUG_OBJECTS_TIMERS is not set -# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set +CONFIG_DEBUG_OBJECTS_FREE=y +CONFIG_DEBUG_OBJECTS_TIMERS=y +CONFIG_DEBUG_OBJECTS_RCU_HEAD=y CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 -# CONFIG_X86_PTDUMP is not set +CONFIG_X86_PTDUMP=y -# CONFIG_CAN_DEBUG_DEVICES is not set +CONFIG_CAN_DEBUG_DEVICES=y -# CONFIG_MODULE_FORCE_UNLOAD is not set +CONFIG_MODULE_FORCE_UNLOAD=y -# CONFIG_SYSCTL_SYSCALL_CHECK is not set +CONFIG_SYSCTL_SYSCALL_CHECK=y -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_NOTIFIERS=y -# CONFIG_DMA_API_DEBUG is not set +CONFIG_DMA_API_DEBUG=y -# CONFIG_MMIOTRACE is not set +CONFIG_MMIOTRACE=y -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_CREDENTIALS=y # off in both production debug and nodebug builds, # on in rawhide nodebug builds -# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y -# CONFIG_EXT4_DEBUG is not set +CONFIG_EXT4_DEBUG=y # CONFIG_XFS_WARN is not set -# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_DEBUG_PERF_USE_VMALLOC=y -# CONFIG_JBD2_DEBUG is not set +CONFIG_JBD2_DEBUG=y -# CONFIG_NFSD_FAULT_INJECTION is not set +CONFIG_NFSD_FAULT_INJECTION=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y -# CONFIG_DRBD_FAULT_INJECTION is not set +CONFIG_DRBD_FAULT_INJECTION=y -# CONFIG_ATH_DEBUG is not set -# CONFIG_CARL9170_DEBUGFS is not set -# CONFIG_IWLWIFI_DEVICE_TRACING is not set +CONFIG_ATH_DEBUG=y +CONFIG_CARL9170_DEBUGFS=y +CONFIG_IWLWIFI_DEVICE_TRACING=y # CONFIG_RTLWIFI_DEBUG is not set -# CONFIG_DEBUG_OBJECTS_WORK is not set +CONFIG_DEBUG_OBJECTS_WORK=y -# CONFIG_DMADEVICES_DEBUG is not set -# CONFIG_DMADEVICES_VDEBUG is not set +CONFIG_DMADEVICES_DEBUG=y +CONFIG_DMADEVICES_VDEBUG=y CONFIG_PM_ADVANCED_DEBUG=y -# CONFIG_CEPH_LIB_PRETTYDEBUG is not set -# CONFIG_QUOTA_DEBUG is not set +CONFIG_CEPH_LIB_PRETTYDEBUG=y +CONFIG_QUOTA_DEBUG=y CONFIG_PCI_DEFAULT_USE_CRS=y @@ -101,18 +101,18 @@ CONFIG_KGDB_KDB=y CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set +CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y # CONFIG_PERCPU_TEST is not set -# CONFIG_TEST_LIST_SORT is not set +CONFIG_TEST_LIST_SORT=y # CONFIG_TEST_STRING_HELPERS is not set -# CONFIG_DETECT_HUNG_TASK is not set +CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y -# CONFIG_DEBUG_KMEMLEAK is not set +CONFIG_DEBUG_KMEMLEAK=y CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y @@ -123,7 +123,7 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set -# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set +CONFIG_X86_DEBUG_STATIC_CPU_HAS=y # CONFIG_SCHEDSTATS is not set # CONFIG_LATENCYTOP is not set diff --git a/config-x86-generic b/config-x86-generic index 3d42bbcb2..5136feb10 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -41,6 +41,7 @@ CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_PCDP=y CONFIG_FB_EFI=y CONFIG_EARLY_PRINTK_EFI=y +CONFIG_EFI_RUNTIME_MAP=y # needs FB_SIMPLE to work correctly # CONFIG_X86_SYSFB is not set @@ -328,7 +329,7 @@ CONFIG_SP5100_TCO=m # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -# CONFIG_MAXSMP is not set +CONFIG_MAXSMP=y CONFIG_HP_ILO=m diff --git a/kernel.spec b/kernel.spec index d45554c2a..1b5c4cc0f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -6,7 +6,7 @@ Summary: The Linux kernel # For a stable, released kernel, released_kernel should be 1. For rawhide # and/or a kernel built from an rc or git snapshot, released_kernel should # be 0. -%global released_kernel 1 +%global released_kernel 0 # Sign modules on x86. Make sure the config files match this setting if more # architectures are added. @@ -61,7 +61,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -122,7 +122,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -646,6 +646,8 @@ Patch25183: 0003-Input-wacom-add-reporting-of-SW_MUTE_DEVICE-events.patch #rhbz 953211 Patch25184: Input-ALPS-add-support-for-Dolphin-devices.patch +Patch25185: perf-plugin-dir.patch + # END OF PATCH DEFINITIONS %endif @@ -1314,6 +1316,8 @@ ApplyPatch 0003-Input-wacom-add-reporting-of-SW_MUTE_DEVICE-events.patch #rhbz 953211 ApplyPatch Input-ALPS-add-support-for-Dolphin-devices.patch +ApplyPatch perf-plugin-dir.patch + # END OF PATCH APPLICATIONS %endif @@ -2092,6 +2096,10 @@ fi # ||----w | # || || %changelog +* Tue Jan 21 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.0-0.rc0.git1.1 +- Linux v3.13-737-g7fe67a1 +- Reenable debugging options. Enable SLUB_DEBUG + * Mon Jan 20 2014 Kyle McMartin <kyle@fedoraproject.org> - Enable CONFIG_KVM on AArch64. diff --git a/modsign-uefi.patch b/modsign-uefi.patch index 658af25dc..d8e762cb7 100644 --- a/modsign-uefi.patch +++ b/modsign-uefi.patch @@ -1,7 +1,7 @@ Bugzilla: N/A Upstream-status: Fedora mustard for now -From 0a5e59dd7a921f20d77b13aa4e01392086ddbd12 Mon Sep 17 00:00:00 2001 +From 2b668e069365b608e855cf1f5edcf8caed0aaa4d Mon Sep 17 00:00:00 2001 From: Dave Howells <dhowells@redhat.com> Date: Tue, 23 Oct 2012 09:30:54 -0400 Subject: [PATCH 1/5] Add EFI signature data types @@ -15,10 +15,10 @@ Signed-off-by: David Howells <dhowells@redhat.com> 1 file changed, 20 insertions(+) diff --git a/include/linux/efi.h b/include/linux/efi.h -index eed2202..1da1b3c 100644 +index 0c1d367..de1faea 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -389,6 +389,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si +@@ -394,6 +394,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si #define EFI_FILE_SYSTEM_GUID \ EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b ) @@ -31,7 +31,7 @@ index eed2202..1da1b3c 100644 typedef struct { efi_guid_t guid; u64 table; -@@ -524,6 +530,20 @@ typedef struct { +@@ -541,6 +547,20 @@ typedef struct _efi_file_io_interface { #define EFI_INVALID_TABLE_ADDR (~0UL) @@ -53,10 +53,10 @@ index eed2202..1da1b3c 100644 * All runtime access to EFI goes through this structure: */ -- -1.8.3.1 +1.8.4.2 -From 8b75428a7e1813cd3bc225a959e63d67898e4808 Mon Sep 17 00:00:00 2001 +From 42d75e3e3fe134cc274f765525031b764540a587 Mon Sep 17 00:00:00 2001 From: Dave Howells <dhowells@redhat.com> Date: Tue, 23 Oct 2012 09:36:28 -0400 Subject: [PATCH 2/5] Add an EFI signature blob parser and key loader. @@ -74,10 +74,10 @@ Signed-off-by: David Howells <dhowells@redhat.com> create mode 100644 crypto/asymmetric_keys/efi_parser.c diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig -index 6d2c2ea..ace9c30 100644 +index 03a6eb9..6306ffc 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig -@@ -35,4 +35,12 @@ config X509_CERTIFICATE_PARSER +@@ -37,4 +37,12 @@ config X509_CERTIFICATE_PARSER data and provides the ability to instantiate a crypto key from a public key packet found inside the certificate. @@ -218,10 +218,10 @@ index 0000000..424896a + return 0; +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index 1da1b3c..42a1d25 100644 +index de1faea..13e1425 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -619,6 +619,10 @@ extern int efi_set_rtc_mmss(const struct timespec *now); +@@ -641,6 +641,10 @@ extern int efi_set_rtc_mmss(const struct timespec *now); extern void efi_reserve_boot_services(void); extern struct efi_memory_map memmap; @@ -233,10 +233,10 @@ index 1da1b3c..42a1d25 100644 * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- -1.8.3.1 +1.8.4.2 -From 920108c0f9cc5854dd329a5dfc904e91d40a4b26 Mon Sep 17 00:00:00 2001 +From d750dbcdcb3a712a2ea4ec57b9c9729c6a26b41d Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 26 Oct 2012 12:36:24 -0400 Subject: [PATCH 3/5] KEYS: Add a system blacklist keyring @@ -270,10 +270,10 @@ index 8dabc39..e466de1 100644 #endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/init/Kconfig b/init/Kconfig -index 0ff5407..ba76e57 100644 +index 5236dc5..f59e6fe 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1680,6 +1680,15 @@ config SYSTEM_TRUSTED_KEYRING +@@ -1673,6 +1673,15 @@ config SYSTEM_TRUSTED_KEYRING Keys in this keyring are used by module signature checking. @@ -290,7 +290,7 @@ index 0ff5407..ba76e57 100644 bool "Enable loadable module support" option modules diff --git a/kernel/module_signing.c b/kernel/module_signing.c -index 0b6b870..0a29b40 100644 +index be5b8fa..fed815f 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len, @@ -313,7 +313,7 @@ index 0b6b870..0a29b40 100644 &key_type_asymmetric, id); if (IS_ERR(key)) diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c -index 564dd93..389b50d 100644 +index 52ebc70..478c4f8 100644 --- a/kernel/system_keyring.c +++ b/kernel/system_keyring.c @@ -20,6 +20,9 @@ @@ -325,7 +325,7 @@ index 564dd93..389b50d 100644 +#endif extern __initconst const u8 system_certificate_list[]; - extern __initconst const u8 system_certificate_list_end[]; + extern __initconst const unsigned long system_certificate_list_size; @@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void) panic("Can't allocate system trusted keyring\n"); @@ -348,10 +348,10 @@ index 564dd93..389b50d 100644 } -- -1.8.3.1 +1.8.4.2 -From 69dca9998380c1931227a01205cdf23c34509753 Mon Sep 17 00:00:00 2001 +From c32beadd0d75fddcd75b700e4a75884d7a82e9bb Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 26 Oct 2012 12:42:16 -0400 Subject: [PATCH 4/5] MODSIGN: Import certificates from UEFI Secure Boot @@ -379,10 +379,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> create mode 100644 kernel/modsign_uefi.c diff --git a/include/linux/efi.h b/include/linux/efi.h -index 42a1d25..d3e6036 100644 +index 13e1425..a7175eb 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -395,6 +395,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si +@@ -400,6 +400,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si #define EFI_CERT_X509_GUID \ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) @@ -396,10 +396,10 @@ index 42a1d25..d3e6036 100644 efi_guid_t guid; u64 table; diff --git a/init/Kconfig b/init/Kconfig -index ba76e57..b09cd98 100644 +index f59e6fe..90fa75f 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1799,6 +1799,15 @@ config MODULE_SIG_ALL +@@ -1792,6 +1792,15 @@ config MODULE_SIG_ALL comment "Do not forget to sign required modules with scripts/sign-file" depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL @@ -416,10 +416,10 @@ index ba76e57..b09cd98 100644 prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG diff --git a/kernel/Makefile b/kernel/Makefile -index 6313698..cb35a89 100644 +index bc010ee..bee938f 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -57,6 +57,7 @@ obj-$(CONFIG_UID16) += uid16.o +@@ -44,6 +44,7 @@ obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULE_SIG) += module_signing.o @@ -427,7 +427,7 @@ index 6313698..cb35a89 100644 obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o obj-$(CONFIG_KEXEC) += kexec.o -@@ -115,6 +116,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o +@@ -96,6 +97,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o $(obj)/configs.o: $(obj)/config_data.h @@ -535,10 +535,10 @@ index 0000000..94b0eb3 +} +late_initcall(load_uefi_certs); -- -1.8.3.1 +1.8.4.2 -From c8e6d256ddfa2182d5b011a4ab70f8c5c9b2b590 Mon Sep 17 00:00:00 2001 +From 5c86fc6c7e4d51286d75ee6d8ceedf983ae434fb Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Thu, 3 Oct 2013 10:14:23 -0400 Subject: [PATCH 5/5] MODSIGN: Support not importing certs from db @@ -620,5 +620,5 @@ index 94b0eb3..ae28b97 100644 mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -- -1.8.3.1 +1.8.4.2 diff --git a/perf-plugin-dir.patch b/perf-plugin-dir.patch new file mode 100644 index 000000000..d4a972eb8 --- /dev/null +++ b/perf-plugin-dir.patch @@ -0,0 +1,24 @@ +diff --git a/tools/lib/traceevent/Makefile b/tools/lib/traceevent/Makefile +index 56d52a3..005c9cc 100644 +--- a/tools/lib/traceevent/Makefile ++++ b/tools/lib/traceevent/Makefile +@@ -63,7 +63,7 @@ endif + endif + + ifeq ($(set_plugin_dir),1) +-PLUGIN_DIR = -DPLUGIN_DIR="$(DESTDIR)/$(plugin_dir)" ++PLUGIN_DIR = -DPLUGIN_DIR="$(plugin_dir)" + PLUGIN_DIR_SQ = '$(subst ','\'',$(PLUGIN_DIR))' + endif + +diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile +index d604e50..c48d449 100644 +--- a/tools/perf/config/Makefile ++++ b/tools/perf/config/Makefile +@@ -600,5 +600,5 @@ perfexec_instdir_SQ = $(subst ','\'',$(perfexec_instdir)) + # Otherwise we install plugins into the global $(libdir). + ifdef DESTDIR + plugindir=$(libdir)/traceevent/plugins +-plugindir_SQ= $(subst ','\'',$(prefix)/$(plugindir)) ++plugindir_SQ= $(subst ','\'',$(plugindir)) + endif diff --git a/secure-modules.patch b/secure-modules.patch index 21157c933..86bf9dc6f 100644 --- a/secure-modules.patch +++ b/secure-modules.patch @@ -1,7 +1,7 @@ Bugzilla: N/A Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd -From 0fc411ee00c81b8a18b1417d31f2736fad155d89 Mon Sep 17 00:00:00 2001 +From f212a4d8b8638a3e15e4cd76874d4fab60726752 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/14] Add secure_modules() call @@ -17,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 2 files changed, 17 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index 05f2447..de97e77 100644 +index 15cd6b1..30702eb 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -515,6 +515,8 @@ int unregister_module_notifier(struct notifier_block * nb); +@@ -512,6 +512,8 @@ int unregister_module_notifier(struct notifier_block * nb); extern void print_modules(void); @@ -29,7 +29,7 @@ index 05f2447..de97e77 100644 #else /* !CONFIG_MODULES... */ /* Given an address, look for it in the exception tables. */ -@@ -625,6 +627,11 @@ static inline int unregister_module_notifier(struct notifier_block * nb) +@@ -622,6 +624,11 @@ static inline int unregister_module_notifier(struct notifier_block * nb) static inline void print_modules(void) { } @@ -42,10 +42,10 @@ index 05f2447..de97e77 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index dc58274..81206c1 100644 +index f5a3b1e..644c33e 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -3860,3 +3860,13 @@ void module_layout(struct module *mod, +@@ -3831,3 +3831,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -60,10 +60,10 @@ index dc58274..81206c1 100644 +} +EXPORT_SYMBOL(secure_modules); -- -1.8.3.1 +1.8.4.2 -From b94942e55b519e70366e970cea3665c464d1b7da Mon Sep 17 00:00:00 2001 +From 394a8259d0b457495dddda8704821ec9e56ea44a Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is @@ -83,7 +83,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index d8eb880..a851ad6 100644 +index c91e6c1..447742e 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -29,6 +29,7 @@ @@ -94,7 +94,7 @@ index d8eb880..a851ad6 100644 #include "pci.h" static int sysfs_initialized; /* = 0 */ -@@ -644,6 +645,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, +@@ -668,6 +669,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8*) buf; @@ -104,7 +104,7 @@ index d8eb880..a851ad6 100644 if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { -@@ -950,6 +954,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, +@@ -974,6 +978,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, resource_size_t start, end; int i; @@ -114,7 +114,7 @@ index d8eb880..a851ad6 100644 for (i = 0; i < PCI_ROM_RESOURCE; i++) if (res == &pdev->resource[i]) break; -@@ -1057,6 +1064,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, +@@ -1081,6 +1088,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { @@ -125,7 +125,7 @@ index d8eb880..a851ad6 100644 } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index cdc7836..e3d498b 100644 +index 46d1378..294fe7b 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof @@ -158,7 +158,7 @@ index cdc7836..e3d498b 100644 /* Make sure the caller is mapping a real resource for this device */ diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index e1c1ec5..bffbf71 100644 +index 24750a1..fa57896 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -10,6 +10,7 @@ @@ -179,10 +179,10 @@ index e1c1ec5..bffbf71 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -1.8.3.1 +1.8.4.2 -From 36f34509fe52cc49e1b1f6815a3f235040f64a03 Mon Sep 17 00:00:00 2001 +From 69532e626cece8a43c2528246e0421488b468102 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/14] x86: Lock down IO port access when module security is @@ -252,10 +252,10 @@ index f895a8c..1af8664 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -1.8.3.1 +1.8.4.2 -From 67d9800dcf60467e076587b0aac67bcdc516cfe2 Mon Sep 17 00:00:00 2001 +From 8771ff55273e964d707b174dd0dbe433783c0254 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/14] ACPI: Limit access to custom_method @@ -284,10 +284,10 @@ index 12b62f2..50647b3 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -1.8.3.1 +1.8.4.2 -From bdf3761573167c20c72b151c1088b24fd24869ac Mon Sep 17 00:00:00 2001 +From 7d3e3db90e1b4cf33ba4a46624ae4a68f787e5fc Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module @@ -339,10 +339,10 @@ index 19c313b..db18ef66 100644 1, asus->debug.method_id, &input, &output); -- -1.8.3.1 +1.8.4.2 -From 65d88af5a2c6bb6d01da17819d8ba782bd208837 Mon Sep 17 00:00:00 2001 +From 98ebe083d75333e269730fe374cca42ac7f08a07 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is @@ -382,10 +382,10 @@ index 1af8664..61406c8 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -1.8.3.1 +1.8.4.2 -From 4aa42b7fa5d7f79eb1d179e728ffa561fd9cf354 Mon Sep 17 00:00:00 2001 +From 71353d491c70b303a07b4e79c896e729a4f74978 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module @@ -401,7 +401,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index e5f416c..9311c00 100644 +index 54a20ff..d21d269 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -45,6 +45,7 @@ @@ -412,7 +412,7 @@ index e5f416c..9311c00 100644 #include <asm/io.h> #include <asm/uaccess.h> -@@ -249,7 +250,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -248,7 +249,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -422,10 +422,10 @@ index e5f416c..9311c00 100644 #endif -- -1.8.3.1 +1.8.4.2 -From c9e62c2ce588d98a774a3853e56d95e48b9df98c Mon Sep 17 00:00:00 2001 +From e0a6b0dd91460123d71784d531b9df26449940ae Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 03:33:56 -0400 Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module @@ -441,7 +441,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 2a74f30..13601e3 100644 +index 9c97016..8ad0d38 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -32,6 +32,7 @@ @@ -452,7 +452,7 @@ index 2a74f30..13601e3 100644 #include <asm/page.h> #include <asm/uaccess.h> -@@ -943,6 +944,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -946,6 +947,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* @@ -467,10 +467,10 @@ index 2a74f30..13601e3 100644 * This leaves us room for future extensions. */ -- -1.8.3.1 +1.8.4.2 -From d0e3cb2c13dc9634849ddacf75b6f0d94147516a Mon Sep 17 00:00:00 2001 +From c340630e68e5ed4d731d60d05ef9e2ae27080b66 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Tue, 3 Sep 2013 11:23:29 -0400 Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted @@ -485,7 +485,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 4 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c -index 957f061..e570609d 100644 +index 98d3575..efe99de 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -24,6 +24,7 @@ @@ -507,10 +507,10 @@ index 957f061..e570609d 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -1.8.3.1 +1.8.4.2 -From b238417ed3c5a0b21bbfcac84f6c70011b8977c0 Mon Sep 17 00:00:00 2001 +From 273deda4ddec360ce67ac256b8cbdabdc5e8c51d Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is @@ -552,10 +552,10 @@ index 05266b5..e2bd647 100644 err = -EFAULT; break; -- -1.8.3.1 +1.8.4.2 -From c3a9afb3b580b4f721d245fc5d13e378b99b9cd8 Mon Sep 17 00:00:00 2001 +From 089166c0d42f1b82988aad4f23607deb6ee531e7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 11/14] Add option to automatically enforce module signatures @@ -591,10 +591,10 @@ index 199f453..ec38acf 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 725e157..fe212ef 100644 +index 5216e28..2a147a3 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1604,6 +1604,16 @@ config EFI_STUB +@@ -1582,6 +1582,16 @@ config EFI_STUB See Documentation/efi-stub.txt for more information. @@ -673,10 +673,10 @@ index a7677ba..4e172e9 100644 setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 9c3733c..a7ba210 100644 +index 225b098..90dbfb7 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -131,7 +131,8 @@ struct boot_params { +@@ -133,7 +133,8 @@ struct boot_params { __u8 eddbuf_entries; /* 0x1e9 */ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ __u8 kbd_status; /* 0x1eb */ @@ -687,10 +687,10 @@ index 9c3733c..a7ba210 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 918d489..fe429c1 100644 +index 182b3f9..ab6cc9e 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1127,6 +1127,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -704,7 +704,7 @@ index 918d489..fe429c1 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index de97e77..d69fe19 100644 +index 30702eb..3eb0f52 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -190,6 +190,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); @@ -721,10 +721,10 @@ index de97e77..d69fe19 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 81206c1..e1428f0 100644 +index 644c33e..92b73b1 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -3861,6 +3861,13 @@ void module_layout(struct module *mod, +@@ -3832,6 +3832,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -739,10 +739,10 @@ index 81206c1..e1428f0 100644 { #ifdef CONFIG_MODULE_SIG -- -1.8.3.1 +1.8.4.2 -From 27a1aa77c7fbaaae8c6a776190a38dcbf3c3d6d2 Mon Sep 17 00:00:00 2001 +From e9ad6bd405fa01b7dd52d8c75b9dc91ae52e131d Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Tue, 5 Feb 2013 19:25:05 -0500 Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode @@ -798,10 +798,10 @@ index 4e172e9..4905f4d 100644 } -- -1.8.3.1 +1.8.4.2 -From 2a445ca2c187da4497ef5f68f111574fd2b0d419 Mon Sep 17 00:00:00 2001 +From f9f355d5e58c1503bb7c03d92c9e89267e0f46ad Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -815,10 +815,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index fe212ef..bf83fd3 100644 +index 2a147a3..9e644d5 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1605,7 +1605,8 @@ config EFI_STUB +@@ -1583,7 +1583,8 @@ config EFI_STUB See Documentation/efi-stub.txt for more information. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -829,10 +829,10 @@ index fe212ef..bf83fd3 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -1.8.3.1 +1.8.4.2 -From b1c533cc1d1ca7a03497cc4f2e1b029bde95633c Mon Sep 17 00:00:00 2001 +From a30576a9db583213474b74360c5869e8882e6ed7 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit @@ -847,10 +847,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index fe429c1..469fbf0 100644 +index ab6cc9e..99933cd 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1129,7 +1129,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1131,7 +1131,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -861,17 +861,17 @@ index fe429c1..469fbf0 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index bc5687d..b010a2e 100644 +index 0a819e7..0c1d367 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -653,6 +653,7 @@ extern int __init efi_setup_pcdp_console(char *); - #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */ +@@ -657,6 +657,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_MEMMAP 4 /* Can we use EFI memory map? */ #define EFI_64BIT 5 /* Is the firmware 64-bit? */ -+#define EFI_SECURE_BOOT 6 /* Are we in Secure Boot mode? */ + #define EFI_ARCH_1 6 /* First arch-specific bit */ ++#define EFI_SECURE_BOOT 7 /* Are we in Secure Boot mode? */ #ifdef CONFIG_EFI # ifdef CONFIG_X86 -- -1.8.3.1 +1.8.4.2 @@ -1,2 +1,3 @@ 0ecbaf65c00374eb4a826c2f9f37606f linux-3.13.tar.xz 732d1952898b28d5ccc264cad77b0619 perf-man-3.13.tar.gz +eedf25215e15e77a96c6e1f7d0987294 patch-3.13-git1.xz |