summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch2
-rw-r--r--KEYS-Make-use-of-platform-keyring-for-module-signature.patch33
-rw-r--r--arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch128
-rw-r--r--configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG1
-rw-r--r--configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY1
-rw-r--r--configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY1
-rw-r--r--configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE1
-rw-r--r--configs/fedora/generic/CONFIG_OPTIMIZE_INLINING2
-rw-r--r--configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM1
-rw-r--r--configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY1
-rw-r--r--configs/fedora/generic/CONFIG_VIRTIO_FS1
-rw-r--r--configs/fedora/generic/arm/CONFIG_IMX7ULP_WDT1
-rw-r--r--configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG1
-rw-r--r--configs/fedora/generic/s390x/CONFIG_KEXEC_SIG1
-rw-r--r--configs/fedora/generic/x86/x86_64/CONFIG_OPTIMIZE_INLINING1
-rw-r--r--efi-lockdown.patch1883
-rw-r--r--efi-secureboot.patch226
-rw-r--r--gitrev2
-rw-r--r--iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch87
-rw-r--r--kernel-aarch64-debug.config11
-rw-r--r--kernel-aarch64.config11
-rw-r--r--kernel-armv7hl-debug.config10
-rw-r--r--kernel-armv7hl-lpae-debug.config10
-rw-r--r--kernel-armv7hl-lpae.config10
-rw-r--r--kernel-armv7hl.config10
-rw-r--r--kernel-i686-debug.config9
-rw-r--r--kernel-i686.config9
-rw-r--r--kernel-ppc64le-debug.config9
-rw-r--r--kernel-ppc64le.config9
-rw-r--r--kernel-s390x-debug.config10
-rw-r--r--kernel-s390x.config10
-rw-r--r--kernel-x86_64-debug.config7
-rw-r--r--kernel-x86_64.config7
-rw-r--r--kernel.spec14
-rw-r--r--sources2
35 files changed, 291 insertions, 2231 deletions
diff --git a/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch b/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
index 33b84115e..871105093 100644
--- a/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
+++ b/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
@@ -39,9 +39,9 @@ index 557a47829d0..e8f9c7d84e9 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -31,6 +31,7 @@
- #include <linux/acpi.h>
#include <linux/ucs2_string.h>
#include <linux/memblock.h>
+ #include <linux/security.h>
+#include <linux/bsearch.h>
#include <asm/early_ioremap.h>
diff --git a/KEYS-Make-use-of-platform-keyring-for-module-signature.patch b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
index a13dcdba5..7c2a0b68d 100644
--- a/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+++ b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
@@ -13,42 +13,31 @@ As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
kernel/module_signing.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index 6b9a926fd86b..cf94220e9154 100644
+index 9d9fc678c91d..84ad75a53c83 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
-@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
- {
- struct module_signature ms;
- size_t sig_len, modlen = info->len;
-+ int ret;
-
- pr_devel("==>%s(,%zu)\n", __func__, modlen);
-
-@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
- return -EBADMSG;
- }
+@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
+ modlen -= sig_len + sizeof(ms);
+ info->len = modlen;
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-- VERIFY_USE_SECONDARY_KEYRING,
-- VERIFYING_MODULE_SIGNATURE,
-- NULL, NULL);
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-+ VERIFY_USE_SECONDARY_KEYRING,
-+ VERIFYING_MODULE_SIGNATURE,
-+ NULL, NULL);
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-+ VERIFY_USE_PLATFORM_KEYRING,
-+ VERIFYING_MODULE_SIGNATURE,
-+ NULL, NULL);
++ VERIFY_USE_PLATFORM_KEYRING,
++ VERIFYING_MODULE_SIGNATURE,
++ NULL, NULL);
+ }
+ return ret;
}
--
2.21.0
-
diff --git a/arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch b/arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch
deleted file mode 100644
index a7f7c8f20..000000000
--- a/arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From patchwork Thu Sep 5 19:24:12 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Lee Jones <lee.jones@linaro.org>
-X-Patchwork-Id: 11133827
-Return-Path: <SRS0=OmJI=XA=vger.kernel.org=linux-arm-msm-owner@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
- by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DDFD514ED
- for <patchwork-linux-arm-msm@patchwork.kernel.org>;
- Thu, 5 Sep 2019 19:24:19 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
- by mail.kernel.org (Postfix) with ESMTP id D540020870
- for <patchwork-linux-arm-msm@patchwork.kernel.org>;
- Thu, 5 Sep 2019 19:24:19 +0000 (UTC)
-Authentication-Results: mail.kernel.org;
- dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org
- header.b="j/6kUy9p"
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1727540AbfIETYS (ORCPT
- <rfc822;patchwork-linux-arm-msm@patchwork.kernel.org>);
- Thu, 5 Sep 2019 15:24:18 -0400
-Received: from mail-wr1-f49.google.com ([209.85.221.49]:36821 "EHLO
- mail-wr1-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
- with ESMTP id S1726008AbfIETYS (ORCPT
- <rfc822;linux-arm-msm@vger.kernel.org>);
- Thu, 5 Sep 2019 15:24:18 -0400
-Received: by mail-wr1-f49.google.com with SMTP id y19so4081592wrd.3
- for <linux-arm-msm@vger.kernel.org>;
- Thu, 05 Sep 2019 12:24:16 -0700 (PDT)
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=linaro.org; s=google;
- h=from:to:cc:subject:date:message-id;
- bh=19vbMBbLeKgWt8VsEseKuJu+9+rmeS/Lh0ZhXOFWQYc=;
- b=j/6kUy9psCaV+YLvz8j0kAZ3/WrmOU3xyh5rDOj0TwK0TnwjLtaLil9Q+C9KpFvvVG
- h4R8p4cZFB0U4b/PAfc9Xt4p4xJNkAIpTzL4QRjM+nkXdDcYyiwUGkr9BRJnJmO0lyZB
- zmylqwjRd1oOrTQ1tPvwqUV3OUR5u6WA+rDyhn+A516vskkns0bEICMG787HdDEwjigd
- +3SR4L9u7swSDpNhqxtfPsn9UFP36sehUfgx32xUcjUhX3ls4RtX+6HCZU+rkeQuILt5
- 0qlmqliIuKXWkQe+ii/gtrK+ulFQ7lEl76YfDJyqXVo4Z357rIhVFAz+mooVn5qpscmU
- E+xA==
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=1e100.net; s=20161025;
- h=x-gm-message-state:from:to:cc:subject:date:message-id;
- bh=19vbMBbLeKgWt8VsEseKuJu+9+rmeS/Lh0ZhXOFWQYc=;
- b=QjFuCunKeBkoabY9fIsWTo3krapsS69k52eNtOIeLBaCd7M1lvCmItn41DcbJ5ykqT
- RQ0rnlNq35x9QvKNumPai3fMZp9AWt3KpJpxbpEokltyLbkGUqRWaeYTrOtuV9P9nRmT
- Yj72UBVzYj4d/G+FGq8EBesWjRyEFC51+RekvPlbRZ/h1fVW7/XAy5cO1ywnHrtNe8pQ
- 7gYQJ3Xh1Y09qkiO0i8iru5PSMTK3U+vPSLWVdFOeqMh+Beins6I9mbKf+UX+xa8ECK3
- mEFjYxY57YVx+SpaKrmBwEmu9YXLgXqEif1OH1FHFiKZVQ4ABPp19D4+5JOXEV1tCwUS
- B6Qw==
-X-Gm-Message-State: APjAAAUM7yEkrkGZ+mbleFtCMQGsXfLQSXt2Bd+K6leuP2oAs8Vj1j9k
- 4bsoJvF042q/z9+6bnLlGShjoA==
-X-Google-Smtp-Source:
- APXvYqyThx0kWliMdrjc7dedZ/+AhabFi7TIc04exnxhWAEkAOh7foRP8Cz8ZjjhxGJCvUyUPA4lFg==
-X-Received: by 2002:adf:ea0c:: with SMTP id q12mr4172788wrm.172.1567711455933;
- Thu, 05 Sep 2019 12:24:15 -0700 (PDT)
-Received: from localhost.localdomain ([95.147.198.36])
- by smtp.gmail.com with ESMTPSA id
- q24sm7942378wmc.3.2019.09.05.12.24.14
- (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
- Thu, 05 Sep 2019 12:24:14 -0700 (PDT)
-From: Lee Jones <lee.jones@linaro.org>
-To: alokc@codeaurora.org, agross@kernel.org, robh+dt@kernel.org,
- mark.rutland@arm.com, bjorn.andersson@linaro.org, vkoul@kernel.org,
- wsa@the-dreams.de
-Cc: linux-i2c@vger.kernel.org, linux-arm-msm@vger.kernel.org,
- devicetree@vger.kernel.org, Lee Jones <lee.jones@linaro.org>
-Subject: [RESEND v3 1/1] i2c: qcom-geni: Disable DMA processing on the Lenovo
- Yoga C630
-Date: Thu, 5 Sep 2019 20:24:12 +0100
-Message-Id: <20190905192412.23116-1-lee.jones@linaro.org>
-X-Mailer: git-send-email 2.17.1
-Sender: linux-arm-msm-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-arm-msm.vger.kernel.org>
-X-Mailing-List: linux-arm-msm@vger.kernel.org
-
-We have a production-level laptop (Lenovo Yoga C630) which is exhibiting
-a rather horrific bug. When I2C HID devices are being scanned for at
-boot-time the QCom Geni based I2C (Serial Engine) attempts to use DMA.
-When it does, the laptop reboots and the user never sees the OS.
-
-Attempts are being made to debug the reason for the spontaneous reboot.
-No luck so far, hence the requirement for this hot-fix. This workaround
-will be removed once we have a viable fix.
-
-Signed-off-by: Lee Jones <lee.jones@linaro.org>
----
- drivers/i2c/busses/i2c-qcom-geni.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
-index a89bfce5388e..17abf60c94ae 100644
---- a/drivers/i2c/busses/i2c-qcom-geni.c
-+++ b/drivers/i2c/busses/i2c-qcom-geni.c
-@@ -355,11 +355,13 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
- {
- dma_addr_t rx_dma;
- unsigned long time_left;
-- void *dma_buf;
-+ void *dma_buf = NULL;
- struct geni_se *se = &gi2c->se;
- size_t len = msg->len;
-
-- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
-+ if (!of_machine_is_compatible("lenovo,yoga-c630"))
-+ dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
-+
- if (dma_buf)
- geni_se_select_mode(se, GENI_SE_DMA);
- else
-@@ -394,11 +396,13 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
- {
- dma_addr_t tx_dma;
- unsigned long time_left;
-- void *dma_buf;
-+ void *dma_buf = NULL;
- struct geni_se *se = &gi2c->se;
- size_t len = msg->len;
-
-- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
-+ if (!of_machine_is_compatible("lenovo,yoga-c630"))
-+ dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
-+
- if (dma_buf)
- geni_se_select_mode(se, GENI_SE_DMA);
- else
diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG b/configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG
new file mode 100644
index 000000000..2718d4513
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG
@@ -0,0 +1 @@
+# CONFIG_IMA_APPRAISE_MODSIG is not set
diff --git a/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
new file mode 100644
index 000000000..97079e8b0
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
@@ -0,0 +1 @@
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
new file mode 100644
index 000000000..895927de3
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
@@ -0,0 +1 @@
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
diff --git a/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
new file mode 100644
index 000000000..9c975c314
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
@@ -0,0 +1 @@
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
diff --git a/configs/fedora/generic/CONFIG_OPTIMIZE_INLINING b/configs/fedora/generic/CONFIG_OPTIMIZE_INLINING
index b7e716809..6991e6d3f 100644
--- a/configs/fedora/generic/CONFIG_OPTIMIZE_INLINING
+++ b/configs/fedora/generic/CONFIG_OPTIMIZE_INLINING
@@ -1 +1 @@
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
diff --git a/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM b/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM
new file mode 100644
index 000000000..4a55be3bb
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM
@@ -0,0 +1 @@
+CONFIG_SECURITY_LOCKDOWN_LSM=y
diff --git a/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY b/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
new file mode 100644
index 000000000..edb6d0007
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
@@ -0,0 +1 @@
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
diff --git a/configs/fedora/generic/CONFIG_VIRTIO_FS b/configs/fedora/generic/CONFIG_VIRTIO_FS
new file mode 100644
index 000000000..9fe646616
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_VIRTIO_FS
@@ -0,0 +1 @@
+CONFIG_VIRTIO_FS=m
diff --git a/configs/fedora/generic/arm/CONFIG_IMX7ULP_WDT b/configs/fedora/generic/arm/CONFIG_IMX7ULP_WDT
new file mode 100644
index 000000000..fc7a20637
--- /dev/null
+++ b/configs/fedora/generic/arm/CONFIG_IMX7ULP_WDT
@@ -0,0 +1 @@
+# CONFIG_IMX7ULP_WDT is not set
diff --git a/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG b/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG
new file mode 100644
index 000000000..67b688658
--- /dev/null
+++ b/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG
@@ -0,0 +1 @@
+CONFIG_KEXEC_SIG=y
diff --git a/configs/fedora/generic/s390x/CONFIG_KEXEC_SIG b/configs/fedora/generic/s390x/CONFIG_KEXEC_SIG
new file mode 100644
index 000000000..67b688658
--- /dev/null
+++ b/configs/fedora/generic/s390x/CONFIG_KEXEC_SIG
@@ -0,0 +1 @@
+CONFIG_KEXEC_SIG=y
diff --git a/configs/fedora/generic/x86/x86_64/CONFIG_OPTIMIZE_INLINING b/configs/fedora/generic/x86/x86_64/CONFIG_OPTIMIZE_INLINING
deleted file mode 100644
index 6991e6d3f..000000000
--- a/configs/fedora/generic/x86/x86_64/CONFIG_OPTIMIZE_INLINING
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_OPTIMIZE_INLINING=y
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index c213cfce9..be4f35e07 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -1,1826 +1,3 @@
-From 4f426f922e12f0ffaed373536f68531e18d68495 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:44:57 +0000
-Subject: [PATCH 01/29] Add the ability to lock down access to the running
- kernel image
-
-Provide a single call to allow kernel code to determine whether the system
-should be locked down, thereby disallowing various accesses that might
-allow the running kernel image to be changed including the loading of
-modules that aren't validly signed with a key we recognise, fiddling with
-MSR registers and disallowing hibernation.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: James Morris <james.l.morris@oracle.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- include/linux/kernel.h | 17 ++++++++++++
- include/linux/security.h | 9 +++++-
- security/Kconfig | 15 ++++++++++
- security/Makefile | 3 ++
- security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 103 insertions(+), 1 deletion(-)
- create mode 100644 security/lock_down.c
-
-diff --git a/include/linux/kernel.h b/include/linux/kernel.h
-index 0c9bc231107f..f71008b0a641 100644
---- a/include/linux/kernel.h
-+++ b/include/linux/kernel.h
-@@ -312,6 +312,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
- { }
- #endif
-
-+#ifdef CONFIG_LOCK_DOWN_KERNEL
-+extern bool __kernel_is_locked_down(const char *what, bool first);
-+#else
-+static inline bool __kernel_is_locked_down(const char *what, bool first)
-+{
-+ return false;
-+}
-+#endif
-+
-+#define kernel_is_locked_down(what) \
-+ ({ \
-+ static bool message_given; \
-+ bool locked_down = __kernel_is_locked_down(what, !message_given); \
-+ message_given = true; \
-+ locked_down; \
-+ })
-+
- /* Internal, do not use. */
- int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
- int __must_check _kstrtol(const char *s, unsigned int base, long *res);
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 5f7441abbf42..fd7579c879a6 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -1829,5 +1829,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux)
- #endif /* CONFIG_SECURITY */
- #endif /* CONFIG_BPF_SYSCALL */
-
--#endif /* ! __LINUX_SECURITY_H */
-+#ifdef CONFIG_LOCK_DOWN_KERNEL
-+extern void __init init_lockdown(void);
-+#else
-+static inline void __init init_lockdown(void)
-+{
-+}
-+#endif
-
-+#endif /* ! __LINUX_SECURITY_H */
-diff --git a/security/Kconfig b/security/Kconfig
-index 06a30851511a..720cf9dee2b4 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -230,6 +230,21 @@ config STATIC_USERMODEHELPER_PATH
- If you wish for all usermode helper programs to be disabled,
- specify an empty string here (i.e. "").
-
-+config LOCK_DOWN_KERNEL
-+ bool "Allow the kernel to be 'locked down'"
-+ help
-+ Allow the kernel to be locked down. If lockdown support is enabled
-+ and activated, the kernel will impose additional restrictions
-+ intended to prevent uid 0 from being able to modify the running
-+ kernel. This may break userland applications that rely on low-level
-+ access to hardware.
-+
-+config LOCK_DOWN_KERNEL_FORCE
-+ bool "Enable kernel lockdown mode automatically"
-+ depends on LOCK_DOWN_KERNEL
-+ help
-+ Enable the kernel lock down functionality automatically at boot.
-+
- source "security/selinux/Kconfig"
- source "security/smack/Kconfig"
- source "security/tomoyo/Kconfig"
-diff --git a/security/Makefile b/security/Makefile
-index c598b904938f..5ff090149c88 100644
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
- # Object integrity file lists
- subdir-$(CONFIG_INTEGRITY) += integrity
- obj-$(CONFIG_INTEGRITY) += integrity/
-+
-+# Allow the kernel to be locked down
-+obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o
-diff --git a/security/lock_down.c b/security/lock_down.c
-new file mode 100644
-index 000000000000..18d8776a4d02
---- /dev/null
-+++ b/security/lock_down.c
-@@ -0,0 +1,60 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/* Lock down the kernel
-+ *
-+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#include <linux/security.h>
-+#include <linux/export.h>
-+
-+static __ro_after_init bool kernel_locked_down;
-+
-+/*
-+ * Put the kernel into lock-down mode.
-+ */
-+static void __init lock_kernel_down(const char *where)
-+{
-+ if (!kernel_locked_down) {
-+ kernel_locked_down = true;
-+ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
-+ where);
-+ }
-+}
-+
-+static int __init lockdown_param(char *ignored)
-+{
-+ lock_kernel_down("command line");
-+ return 0;
-+}
-+
-+early_param("lockdown", lockdown_param);
-+
-+/*
-+ * Lock the kernel down from very early in the arch setup. This must happen
-+ * prior to things like ACPI being initialised.
-+ */
-+void __init init_lockdown(void)
-+{
-+#ifdef CONFIG_LOCK_DOWN_FORCE
-+ lock_kernel_down("Kernel configuration");
-+#endif
-+}
-+
-+/**
-+ * kernel_is_locked_down - Find out if the kernel is locked down
-+ * @what: Tag to use in notice generated if lockdown is in effect
-+ */
-+bool __kernel_is_locked_down(const char *what, bool first)
-+{
-+ if (what && first && kernel_locked_down)
-+ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
-+ what);
-+ return kernel_locked_down;
-+}
-+EXPORT_SYMBOL(__kernel_is_locked_down);
---
-2.21.0
-
-
-From 7b3d34ce99e1db6152f3f350f7512ed67712d2bb Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 02/29] Enforce module signatures if the kernel is locked down
-
-If the kernel is locked down, require that all modules have valid
-signatures that we can verify.
-
-I have adjusted the errors generated:
-
- (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
- ENOKEY), then:
-
- (a) If signatures are enforced then EKEYREJECTED is returned.
-
- (b) If there's no signature or we can't check it, but the kernel is
- locked down then EPERM is returned (this is then consistent with
- other lockdown cases).
-
- (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
- the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
- return the error we got.
-
-Note that the X.509 code doesn't check for key expiry as the RTC might not
-be valid or might not have been transferred to the kernel's clock yet.
-
- [Modified by Matthew Garrett to remove the IMA integration. This will
- be replaced with integration with the IMA architecture policy
- patchset.]
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Jiri Bohac <jbohac@suse.cz>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
-Cc: Jessica Yu <jeyu@kernel.org>
----
- kernel/module.c | 39 ++++++++++++++++++++++++++++++++-------
- 1 file changed, 32 insertions(+), 7 deletions(-)
-
-diff --git a/kernel/module.c b/kernel/module.c
-index a2cee14a83f3..c771a183b741 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2753,8 +2753,9 @@ static inline void kmemleak_load_module(const struct module *mod,
- #ifdef CONFIG_MODULE_SIG
- static int module_sig_check(struct load_info *info, int flags)
- {
-- int err = -ENOKEY;
-+ int err = -ENODATA;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
-+ const char *reason;
- const void *mod = info->hdr;
-
- /*
-@@ -2769,16 +2770,40 @@ static int module_sig_check(struct load_info *info, int flags)
- err = mod_verify_sig(mod, info);
- }
-
-- if (!err) {
-+ switch (err) {
-+ case 0:
- info->sig_ok = true;
- return 0;
-- }
-
-- /* Not having a signature is only an error if we're strict. */
-- if (err == -ENOKEY && !is_module_sig_enforced())
-- err = 0;
-+ /* We don't permit modules to be loaded into trusted kernels
-+ * without a valid signature on them, but if we're not
-+ * enforcing, certain errors are non-fatal.
-+ */
-+ case -ENODATA:
-+ reason = "Loading of unsigned module";
-+ goto decide;
-+ case -ENOPKG:
-+ reason = "Loading of module with unsupported crypto";
-+ goto decide;
-+ case -ENOKEY:
-+ reason = "Loading of module with unavailable key";
-+ decide:
-+ if (is_module_sig_enforced()) {
-+ pr_notice("%s is rejected\n", reason);
-+ return -EKEYREJECTED;
-+ }
-
-- return err;
-+ if (kernel_is_locked_down(reason))
-+ return -EPERM;
-+ return 0;
-+
-+ /* All other errors are fatal, including nomem, unparseable
-+ * signatures and signature check failures - even if signatures
-+ * aren't required.
-+ */
-+ default:
-+ return err;
-+ }
- }
- #else /* !CONFIG_MODULE_SIG */
- static int module_sig_check(struct load_info *info, int flags)
---
-2.21.0
-
-
-From e6cee3fcc560211fbc3d1efaf048ad4b987a4b73 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 03/29] Restrict /dev/{mem,kmem,port} when the kernel is locked
- down
-
-Allowing users to read and write to core kernel memory makes it possible
-for the kernel to be subverted, avoiding module loading restrictions, and
-also to steal cryptographic information.
-
-Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
-been locked down to prevent this.
-
-Also disallow /dev/port from being opened to prevent raw ioport access and
-thus DMA from being used to accomplish the same thing.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
-Cc: x86@kernel.org
----
- drivers/char/mem.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index b08dc50f9f26..0a2f2e75d5f4 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
-
- static int open_port(struct inode *inode, struct file *filp)
- {
-+ if (kernel_is_locked_down("/dev/mem,kmem,port"))
-+ return -EPERM;
- return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
- }
-
---
-2.21.0
-
-
-From 1fe9d9809a7bedff1c0a043f5bcaf128d479fe24 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 04/29] kexec_load: Disable at runtime if the kernel is locked
- down
-
-The kexec_load() syscall permits the loading and execution of arbitrary
-code in ring 0, which is something that lock-down is meant to prevent. It
-makes sense to disable kexec_load() in this situation.
-
-This does not affect kexec_file_load() syscall which can check for a
-signature on the image to be booted.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Dave Young <dyoung@redhat.com>
-cc: kexec@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/kexec.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 1b018f1a6e0d..fc87f152c229 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -205,6 +205,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
- if (result < 0)
- return result;
-
-+ /*
-+ * kexec can be used to circumvent module loading restrictions, so
-+ * prevent loading in that case
-+ */
-+ if (kernel_is_locked_down("kexec of unsigned images"))
-+ return -EPERM;
-+
- /*
- * Verify we have a legal set of flags
- * This leaves us room for future extensions.
---
-2.21.0
-
-
-From b1dbde991ca218ddc1b25e293e94e72907b2b2dc Mon Sep 17 00:00:00 2001
-From: Dave Young <dyoung@redhat.com>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 05/29] Copy secure_boot flag in boot params across kexec
- reboot
-
-Kexec reboot in case secure boot being enabled does not keep the secure
-boot mode in new kernel, so later one can load unsigned kernel via legacy
-kexec_load. In this state, the system is missing the protections provided
-by secure boot.
-
-Adding a patch to fix this by retain the secure_boot flag in original
-kernel.
-
-secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
-stub. Fixing this issue by copying secure_boot flag across kexec reboot.
-
-Signed-off-by: Dave Young <dyoung@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: kexec@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/kernel/kexec-bzimage64.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index 5ebcd02cbca7..d2f4e706a428 100644
---- a/arch/x86/kernel/kexec-bzimage64.c
-+++ b/arch/x86/kernel/kexec-bzimage64.c
-@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
- if (efi_enabled(EFI_OLD_MEMMAP))
- return 0;
-
-+ params->secure_boot = boot_params.secure_boot;
- ei->efi_loader_signature = current_ei->efi_loader_signature;
- ei->efi_systab = current_ei->efi_systab;
- ei->efi_systab_hi = current_ei->efi_systab_hi;
---
-2.21.0
-
-
-From 054c9d4879b81dcf7c49c5815c30db59ad9356ea Mon Sep 17 00:00:00 2001
-From: Jiri Bohac <jbohac@suse.cz>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 06/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and
- KEXEC_SIG_FORCE
-
-This is a preparatory patch for kexec_file_load() lockdown. A locked down
-kernel needs to prevent unsigned kernel images from being loaded with
-kexec_file_load(). Currently, the only way to force the signature
-verification is compiling with KEXEC_VERIFY_SIG. This prevents loading
-usigned images even when the kernel is not locked down at runtime.
-
-This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE.
-Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG
-turns on the signature verification but allows unsigned images to be
-loaded. KEXEC_SIG_FORCE disallows images without a valid signature.
-
-[Modified by David Howells such that:
-
- (1) verify_pefile_signature() differentiates between no-signature and
- sig-didn't-match in its returned errors.
-
- (2) kexec fails with EKEYREJECTED and logs an appropriate message if
- signature checking is enforced and an signature is not found, uses
- unsupported crypto or has no matching key.
-
- (3) kexec fails with EKEYREJECTED if there is a signature for which we
- have a key, but signature doesn't match - even if in non-forcing mode.
-
- (4) kexec fails with EBADMSG or some other error if there is a signature
- which cannot be parsed - even if in non-forcing mode.
-
- (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract
- the signature - even if in non-forcing mode.
-
-]
-
-Signed-off-by: Jiri Bohac <jbohac@suse.cz>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Jiri Bohac <jbohac@suse.cz>
-cc: kexec@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/Kconfig | 20 ++++++++---
- crypto/asymmetric_keys/verify_pefile.c | 4 ++-
- include/linux/kexec.h | 4 +--
- kernel/kexec_file.c | 48 ++++++++++++++++++++++----
- 4 files changed, 61 insertions(+), 15 deletions(-)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 879741336771..df9592ce8503 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -2026,20 +2026,30 @@ config KEXEC_FILE
- config ARCH_HAS_KEXEC_PURGATORY
- def_bool KEXEC_FILE
-
--config KEXEC_VERIFY_SIG
-+config KEXEC_SIG
- bool "Verify kernel signature during kexec_file_load() syscall"
- depends on KEXEC_FILE
- ---help---
-- This option makes kernel signature verification mandatory for
-- the kexec_file_load() syscall.
-
-- In addition to that option, you need to enable signature
-+ This option makes the kexec_file_load() syscall check for a valid
-+ signature of the kernel image. The image can still be loaded without
-+ a valid signature unless you also enable KEXEC_SIG_FORCE, though if
-+ there's a signature that we can check, then it must be valid.
-+
-+ In addition to this option, you need to enable signature
- verification for the corresponding kernel image type being
- loaded in order for this to work.
-
-+config KEXEC_SIG_FORCE
-+ bool "Require a valid signature in kexec_file_load() syscall"
-+ depends on KEXEC_SIG
-+ ---help---
-+ This option makes kernel signature verification mandatory for
-+ the kexec_file_load() syscall.
-+
- config KEXEC_BZIMAGE_VERIFY_SIG
- bool "Enable bzImage signature verification support"
-- depends on KEXEC_VERIFY_SIG
-+ depends on KEXEC_SIG
- depends on SIGNED_PE_FILE_VERIFICATION
- select SYSTEM_TRUSTED_KEYRING
- ---help---
-diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
-index 3b303fe2f061..cc9dbcecaaca 100644
---- a/crypto/asymmetric_keys/verify_pefile.c
-+++ b/crypto/asymmetric_keys/verify_pefile.c
-@@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
-
- if (!ddir->certs.virtual_address || !ddir->certs.size) {
- pr_debug("Unsigned PE binary\n");
-- return -EKEYREJECTED;
-+ return -ENODATA;
- }
-
- chkaddr(ctx->header_size, ddir->certs.virtual_address,
-@@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
- * (*) 0 if at least one signature chain intersects with the keys in the trust
- * keyring, or:
- *
-+ * (*) -ENODATA if there is no signature present.
-+ *
- * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
- * chain.
- *
-diff --git a/include/linux/kexec.h b/include/linux/kexec.h
-index b9b1bc5f9669..58b27c7bdc2b 100644
---- a/include/linux/kexec.h
-+++ b/include/linux/kexec.h
-@@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf,
- unsigned long cmdline_len);
- typedef int (kexec_cleanup_t)(void *loader_data);
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- typedef int (kexec_verify_sig_t)(const char *kernel_buf,
- unsigned long kernel_len);
- #endif
-@@ -134,7 +134,7 @@ struct kexec_file_ops {
- kexec_probe_t *probe;
- kexec_load_t *load;
- kexec_cleanup_t *cleanup;
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- kexec_verify_sig_t *verify_sig;
- #endif
- };
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index b8cc032d5620..5036bde1e5b3 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
- return kexec_image_post_load_cleanup_default(image);
- }
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
- unsigned long buf_len)
- {
-@@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- const char __user *cmdline_ptr,
- unsigned long cmdline_len, unsigned flags)
- {
-- int ret = 0;
-+ const char *reason;
-+ int ret;
- void *ldata;
- loff_t size;
-
-@@ -202,15 +203,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- if (ret)
- goto out;
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
- image->kernel_buf_len);
-- if (ret) {
-- pr_debug("kernel signature verification failed.\n");
-+#else
-+ ret = -ENODATA;
-+#endif
-+
-+ switch (ret) {
-+ case 0:
-+ break;
-+
-+ /* Certain verification errors are non-fatal if we're not
-+ * checking errors, provided we aren't mandating that there
-+ * must be a valid signature.
-+ */
-+ case -ENODATA:
-+ reason = "kexec of unsigned image";
-+ goto decide;
-+ case -ENOPKG:
-+ reason = "kexec of image with unsupported crypto";
-+ goto decide;
-+ case -ENOKEY:
-+ reason = "kexec of image with unavailable key";
-+ decide:
-+ if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
-+ pr_notice("%s rejected\n", reason);
-+ ret = -EKEYREJECTED;
-+ goto out;
-+ }
-+
-+ ret = 0;
-+ break;
-+
-+ /* All other errors are fatal, including nomem, unparseable
-+ * signatures and signature check failures - even if signatures
-+ * aren't required.
-+ */
-+ default:
-+ pr_notice("kernel signature verification failed (%d).\n", ret);
- goto out;
- }
-- pr_debug("kernel signature verification successful.\n");
--#endif
-+
- /* It is possible that there no initramfs is being loaded */
- if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
- ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
---
-2.21.0
-
-
-From d0ca8a6c26bfd6c8de7ed1d83326aae9b4bdfbf4 Mon Sep 17 00:00:00 2001
-From: Jiri Bohac <jbohac@suse.cz>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 07/29] kexec_file: Restrict at runtime if the kernel is locked
- down
-
-When KEXEC_SIG is not enabled, kernel should not load images through
-kexec_file systemcall if the kernel is locked down.
-
-[Modified by David Howells to fit with modifications to the previous patch
- and to return -EPERM if the kernel is locked down for consistency with
- other lockdowns. Modified by Matthew Garrett to remove the IMA
- integration, which will be replaced by integrating with the IMA
- architecture policy patches.]
-
-Signed-off-by: Jiri Bohac <jbohac@suse.cz>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Jiri Bohac <jbohac@suse.cz>
-cc: kexec@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/kexec_file.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index 5036bde1e5b3..0668c29d2eaf 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -234,6 +234,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- }
-
- ret = 0;
-+
-+ if (kernel_is_locked_down(reason)) {
-+ ret = -EPERM;
-+ goto out;
-+ }
-+
- break;
-
- /* All other errors are fatal, including nomem, unparseable
---
-2.21.0
-
-
-From 3754ff197e10abd8ef88875e069741025ea0dd84 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 08/29] hibernate: Disable when the kernel is locked down
-
-There is currently no way to verify the resume image when returning
-from hibernate. This might compromise the signed modules trust model,
-so until we can work with signed hibernate images we disable it when the
-kernel is locked down.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Cc: rjw@rjwysocki.net
-Cc: pavel@ucw.cz
-cc: linux-pm@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/power/hibernate.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index cd7434e6000d..0f30de4a712a 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -68,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
-
- bool hibernation_available(void)
- {
-- return (nohibernate == 0);
-+ return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
- }
-
- /**
---
-2.21.0
-
-
-From a144fd3bcc7fcbf55b608c89b8cf64abec72130c Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 09/29] uswsusp: Disable when the kernel is locked down
-
-uswsusp allows a user process to dump and then restore kernel state, which
-makes it possible to modify the running kernel. Disable this if the kernel
-is locked down.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: James Morris <james.l.morris@oracle.com>
-cc: linux-pm@vger.kernel.org
-Cc: pavel@ucw.cz
-Cc: rjw@rjwysocki.net
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/power/user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 77438954cc2b..0caff429eb55 100644
---- a/kernel/power/user.c
-+++ b/kernel/power/user.c
-@@ -49,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
- if (!hibernation_available())
- return -EPERM;
-
-+ if (kernel_is_locked_down("/dev/snapshot"))
-+ return -EPERM;
-+
- lock_system_sleep();
-
- if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
---
-2.21.0
-
-
-From 069af594117ee566597173886950d3577c523983 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 10/29] PCI: Lock down BAR access when the kernel is locked
- down
-
-Any hardware that can potentially generate DMA has to be locked down in
-order to avoid it being possible for an attacker to modify kernel code,
-allowing them to circumvent disabled module loading or module signing.
-Default to paranoid - in future we can potentially relax this for
-sufficiently IOMMU-isolated devices.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Bjorn Helgaas <bhelgaas@google.com>
-cc: linux-pci@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/pci/pci-sysfs.c | 9 +++++++++
- drivers/pci/proc.c | 9 ++++++++-
- drivers/pci/syscall.c | 3 ++-
- 3 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 965c72104150..f8cef3e348a3 100644
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -907,6 +907,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
- loff_t init_off = off;
- u8 *data = (u8 *) buf;
-
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- if (off > dev->cfg_size)
- return 0;
- if (off + count > dev->cfg_size) {
-@@ -1168,6 +1171,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
- enum pci_mmap_state mmap_type;
- struct resource *res = &pdev->resource[bar];
-
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
- return -EINVAL;
-
-@@ -1243,6 +1249,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
- struct bin_attribute *attr, char *buf,
- loff_t off, size_t count)
- {
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
-
-diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index fe7fe678965b..23c9b5979f5d 100644
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
- int size = dev->cfg_size;
- int cnt;
-
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- if (pos >= size)
- return 0;
- if (nbytes >= size)
-@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
- #endif /* HAVE_PCI_MMAP */
- int ret = 0;
-
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- switch (cmd) {
- case PCIIOC_CONTROLLER:
- ret = pci_domain_nr(dev->bus);
-@@ -238,7 +244,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
- struct pci_filp_private *fpriv = file->private_data;
- int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
-
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) ||
-+ kernel_is_locked_down("Direct PCI access"))
- return -EPERM;
-
- if (fpriv->mmap_state == pci_mmap_io) {
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index d96626c614f5..b8a08d3166a1 100644
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
- u32 dword;
- int err = 0;
-
-- if (!capable(CAP_SYS_ADMIN))
-+ if (!capable(CAP_SYS_ADMIN) ||
-+ kernel_is_locked_down("Direct PCI access"))
- return -EPERM;
-
- dev = pci_get_domain_bus_and_slot(0, bus, dfn);
---
-2.21.0
-
-
-From 97f7b0338b58afd67817ca886de78ce9bba67f29 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 11/29] x86: Lock down IO port access when the kernel is locked
- down
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO
-register space. This would potentially permit root to trigger arbitrary
-DMA, so lock it down by default.
-
-This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
-KDDISABIO console ioctls.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-cc: x86@kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/kernel/ioport.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 0fe1c8782208..abc702a6ae9c 100644
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
-
- if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- return -EINVAL;
-- if (turn_on && !capable(CAP_SYS_RAWIO))
-+ if (turn_on && (!capable(CAP_SYS_RAWIO) ||
-+ kernel_is_locked_down("ioperm")))
- return -EPERM;
-
- /*
-@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
- return -EINVAL;
- /* Trying to gain more privileges? */
- if (level > old) {
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) ||
-+ kernel_is_locked_down("iopl"))
- return -EPERM;
- }
- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
---
-2.21.0
-
-
-From 65029f8df39eb1d0a48cbcb6686b21e844ff9b3c Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 12/29] x86/msr: Restrict MSR access when the kernel is locked
- down
-
-Writing to MSRs should not be allowed if the kernel is locked down, since
-it could lead to execution of arbitrary code in kernel mode. Based on a
-patch by Kees Cook.
-
-MSR accesses are logged for the purposes of building up a whitelist as per
-Alan Cox's suggestion.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-cc: x86@kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/kernel/msr.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 3db2252b958d..5eed6530c223 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -79,6 +79,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- int err = 0;
- ssize_t bytes = 0;
-
-+ if (kernel_is_locked_down("Direct MSR access")) {
-+ pr_info("Direct access to MSR %x\n", reg);
-+ return -EPERM;
-+ }
-+
- if (count % 8)
- return -EINVAL; /* Invalid chunk size */
-
-@@ -130,6 +135,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- err = -EFAULT;
- break;
- }
-+ if (kernel_is_locked_down("Direct MSR access")) {
-+ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
-+ err = -EPERM;
-+ break;
-+ }
- err = wrmsr_safe_regs_on_cpu(cpu, regs);
- if (err)
- break;
---
-2.21.0
-
-
-From 0a0ad07ecc667dae61d7a1073559830184022be7 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 13/29] ACPI: Limit access to custom_method when the kernel is
- locked down
-
-custom_method effectively allows arbitrary access to system memory, making
-it possible for an attacker to circumvent restrictions on module loading.
-Disable it if the kernel is locked down.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: linux-acpi@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index b2ef4c2ec955..33b821be0600 100644
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -30,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
- struct acpi_table_header table;
- acpi_status status;
-
-+ if (kernel_is_locked_down("ACPI custom methods"))
-+ return -EPERM;
-+
- if (!(*ppos)) {
- /* parse the table header to get the table length */
- if (count <= sizeof(struct acpi_table_header))
---
-2.21.0
-
-
-From ad843f3ba6d525cc47eb2c866de74a324d3a960c Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 14/29] acpi: Ignore acpi_rsdp kernel param when the kernel has
- been locked down
-
-This option allows userspace to pass the RSDP address to the kernel, which
-makes it possible for a user to modify the workings of hardware . Reject
-the option when the kernel is locked down.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: Dave Young <dyoung@redhat.com>
-cc: linux-acpi@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/acpi/osl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 9c0edf2fc0dd..0c5c7b51fb72 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -180,7 +180,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
- acpi_physical_address pa;
-
- #ifdef CONFIG_KEXEC
-- if (acpi_rsdp)
-+ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
- return acpi_rsdp;
- #endif
- pa = acpi_arch_get_root_pointer();
---
-2.21.0
-
-
-From 146618cd3ae3556184f3ca94ca82809f4e7090b9 Mon Sep 17 00:00:00 2001
-From: Linn Crosetto <linn@hpe.com>
-Date: Mon, 18 Feb 2019 12:45:00 +0000
-Subject: [PATCH 15/29] acpi: Disable ACPI table override if the kernel is
- locked down
-
-From the kernel documentation (initrd_table_override.txt):
-
- If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
- to override nearly any ACPI table provided by the BIOS with an
- instrumented, modified one.
-
-When securelevel is set, the kernel should disallow any unauthenticated
-changes to kernel space. ACPI tables contain code invoked by the kernel,
-so do not allow ACPI tables to be overridden if the kernel is locked down.
-
-Signed-off-by: Linn Crosetto <linn@hpe.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: linux-acpi@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/acpi/tables.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
-index b32327759380..6fd5c8328427 100644
---- a/drivers/acpi/tables.c
-+++ b/drivers/acpi/tables.c
-@@ -578,6 +578,11 @@ void __init acpi_table_upgrade(void)
- if (table_nr == 0)
- return;
-
-+ if (kernel_is_locked_down("ACPI table override")) {
-+ pr_notice("kernel is locked down, ignoring table override\n");
-+ return;
-+ }
-+
- acpi_tables_addr =
- memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
- all_tables_size, PAGE_SIZE);
---
-2.21.0
-
-
-From e183b69655b6069c7007ad911252dd681fb0083f Mon Sep 17 00:00:00 2001
-From: Linn Crosetto <linn@hpe.com>
-Date: Mon, 18 Feb 2019 12:45:00 +0000
-Subject: [PATCH 16/29] acpi: Disable APEI error injection if the kernel is
- locked down
-
-ACPI provides an error injection mechanism, EINJ, for debugging and testing
-the ACPI Platform Error Interface (APEI) and other RAS features. If
-supported by the firmware, ACPI specification 5.0 and later provide for a
-way to specify a physical memory address to which to inject the error.
-
-Injecting errors through EINJ can produce errors which to the platform are
-indistinguishable from real hardware errors. This can have undesirable
-side-effects, such as causing the platform to mark hardware as needing
-replacement.
-
-While it does not provide a method to load unauthenticated privileged code,
-the effect of these errors may persist across reboots and affect trust in
-the underlying hardware, so disable error injection through EINJ if
-the kernel is locked down.
-
-Signed-off-by: Linn Crosetto <linn@hpe.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: linux-acpi@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/acpi/apei/einj.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
-index e430cf4caec2..dde995f871d6 100644
---- a/drivers/acpi/apei/einj.c
-+++ b/drivers/acpi/apei/einj.c
-@@ -510,6 +510,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
- int rc;
- u64 base_addr, size;
-
-+ if (kernel_is_locked_down("ACPI error injection"))
-+ return -EPERM;
-+
- /* If user manually set "flags", make sure it is legal */
- if (flags && (flags &
- ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
---
-2.21.0
-
-
-From 2c469f9240f58dce6049eae000d70dcef8025cfa Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:00 +0000
-Subject: [PATCH 17/29] Prohibit PCMCIA CIS storage when the kernel is locked
- down
-
-Prohibit replacement of the PCMCIA Card Information Structure when the
-kernel is locked down.
-
-Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: linux-pcmcia@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/pcmcia/cistpl.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
-index abd029945cc8..77919fa3fb4a 100644
---- a/drivers/pcmcia/cistpl.c
-+++ b/drivers/pcmcia/cistpl.c
-@@ -1575,6 +1575,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
- struct pcmcia_socket *s;
- int error;
-
-+ if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
-+ return -EPERM;
-+
- s = to_socket(container_of(kobj, struct device, kobj));
-
- if (off)
---
-2.21.0
-
-
-From 5f1bdf370484979c291e37cd6905480a12083b18 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:00 +0000
-Subject: [PATCH 18/29] Lock down TIOCSSERIAL
-
-Lock down TIOCSSERIAL as that can be used to change the ioport and irq
-settings on a serial port. This only appears to be an issue for the serial
-drivers that use the core serial code. All other drivers seem to either
-ignore attempts to change port/irq or give an error.
-
-Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: Jiri Slaby <jslaby@suse.com>
-Cc: linux-serial@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/tty/serial/serial_core.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 4223cb496764..4f3cd7bc1713 100644
---- a/drivers/tty/serial/serial_core.c
-+++ b/drivers/tty/serial/serial_core.c
-@@ -846,6 +846,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
- new_flags = (__force upf_t)new_info->flags;
- old_custom_divisor = uport->custom_divisor;
-
-+ if ((change_port || change_irq) &&
-+ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
-+ retval = -EPERM;
-+ goto exit;
-+ }
-+
- if (!capable(CAP_SYS_ADMIN)) {
- retval = -EPERM;
- if (change_irq || change_port ||
---
-2.21.0
-
-
-From b07159ff6bc3345b49db17a82fa31013f398d4e5 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:01 +0000
-Subject: [PATCH 19/29] Lock down module params that specify hardware
- parameters (eg. ioport)
-
-Provided an annotation for module parameters that specify hardware
-parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
-dma buffers and other types).
-
-Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/params.c | 26 +++++++++++++++++++++-----
- 1 file changed, 21 insertions(+), 5 deletions(-)
-
-diff --git a/kernel/params.c b/kernel/params.c
-index cf448785d058..61a08a5da208 100644
---- a/kernel/params.c
-+++ b/kernel/params.c
-@@ -96,13 +96,19 @@ bool parameq(const char *a, const char *b)
- return parameqn(a, b, strlen(a)+1);
- }
-
--static void param_check_unsafe(const struct kernel_param *kp)
-+static bool param_check_unsafe(const struct kernel_param *kp,
-+ const char *doing)
- {
- if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
- pr_notice("Setting dangerous option %s - tainting kernel\n",
- kp->name);
- add_taint(TAINT_USER, LOCKDEP_STILL_OK);
- }
-+
-+ if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
-+ kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
-+ return false;
-+ return true;
- }
-
- static int parse_one(char *param,
-@@ -132,8 +138,10 @@ static int parse_one(char *param,
- pr_debug("handling %s with %p\n", param,
- params[i].ops->set);
- kernel_param_lock(params[i].mod);
-- param_check_unsafe(&params[i]);
-- err = params[i].ops->set(val, &params[i]);
-+ if (param_check_unsafe(&params[i], doing))
-+ err = params[i].ops->set(val, &params[i]);
-+ else
-+ err = -EPERM;
- kernel_param_unlock(params[i].mod);
- return err;
- }
-@@ -541,6 +549,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
- return count;
- }
-
-+#ifdef CONFIG_MODULES
-+#define mod_name(mod) (mod)->name
-+#else
-+#define mod_name(mod) "unknown"
-+#endif
-+
- /* sysfs always hands a nul-terminated string in buf. We rely on that. */
- static ssize_t param_attr_store(struct module_attribute *mattr,
- struct module_kobject *mk,
-@@ -553,8 +567,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
- return -EPERM;
-
- kernel_param_lock(mk->mod);
-- param_check_unsafe(attribute->param);
-- err = attribute->param->ops->set(buf, attribute->param);
-+ if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
-+ err = attribute->param->ops->set(buf, attribute->param);
-+ else
-+ err = -EPERM;
- kernel_param_unlock(mk->mod);
- if (!err)
- return len;
---
-2.21.0
-
-
-From 3e7fdce10f144b2a947f020bd0eeeb536c77153e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:01 +0000
-Subject: [PATCH 20/29] x86/mmiotrace: Lock down the testmmiotrace module
-
-The testmmiotrace module shouldn't be permitted when the kernel is locked
-down as it can be used to arbitrarily read and write MMIO space.
-
-Suggested-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: David Howells <dhowells@redhat.com
-cc: Thomas Gleixner <tglx@linutronix.de>
-cc: Steven Rostedt <rostedt@goodmis.org>
-cc: Ingo Molnar <mingo@kernel.org>
-cc: "H. Peter Anvin" <hpa@zytor.com>
-cc: x86@kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/mm/testmmiotrace.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
-index 0881e1ff1e58..13f1da99ee5e 100644
---- a/arch/x86/mm/testmmiotrace.c
-+++ b/arch/x86/mm/testmmiotrace.c
-@@ -116,6 +116,9 @@ static int __init init(void)
- {
- unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
-
-+ if (kernel_is_locked_down("MMIO trace testing"))
-+ return -EPERM;
-+
- if (mmio_address == 0) {
- pr_err("you have to use the module argument mmio_address.\n");
- pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
---
-2.21.0
-
-
-From 1e81a8fd6ed139113011e3b7d70aa8b5c59a97cb Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 21/29] Lock down /proc/kcore
-
-Disallow access to /proc/kcore when the kernel is locked down to prevent
-access to cryptographic data.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: James Morris <james.l.morris@oracle.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- fs/proc/kcore.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
-index f5834488b67d..0639228c4904 100644
---- a/fs/proc/kcore.c
-+++ b/fs/proc/kcore.c
-@@ -545,6 +545,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
-
- static int open_kcore(struct inode *inode, struct file *filp)
- {
-+ if (kernel_is_locked_down("/proc/kcore"))
-+ return -EPERM;
- if (!capable(CAP_SYS_RAWIO))
- return -EPERM;
-
---
-2.21.0
-
-
-From 03a1ba6091a421ae40a17dc67f61a96733c8f0d2 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 22/29] Lock down kprobes
-
-Disallow the creation of kprobes when the kernel is locked down by
-preventing their registration. This prevents kprobes from being used to
-access kernel memory, either to make modifications or to steal crypto data.
-
-Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
-Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
-Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
-Cc: davem@davemloft.net
-Cc: Masami Hiramatsu <mhiramat@kernel.org>
----
- kernel/kprobes.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/kprobes.c b/kernel/kprobes.c
-index 9f5433a52488..e54c7b70298a 100644
---- a/kernel/kprobes.c
-+++ b/kernel/kprobes.c
-@@ -1556,6 +1556,9 @@ int register_kprobe(struct kprobe *p)
- struct module *probed_mod;
- kprobe_opcode_t *addr;
-
-+ if (kernel_is_locked_down("Use of kprobes"))
-+ return -EPERM;
-+
- /* Adjust probe address from symbol */
- addr = kprobe_addr(p);
- if (IS_ERR(addr))
---
-2.21.0
-
-
-From d743cdf3a9508b9d9293acb3170b1d76f5556d1a Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 23/29] bpf: Restrict kernel image access functions when the
- kernel is locked down
-
-There are some bpf functions can be used to read kernel memory:
-bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
-private keys in kernel memory (e.g. the hibernation image signing key) to
-be read by an eBPF program and kernel memory to be altered without
-restriction.
-
-Completely prohibit the use of BPF when the kernel is locked down.
-
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: netdev@vger.kernel.org
-cc: Chun-Yi Lee <jlee@suse.com>
-cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Cc: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/bpf/syscall.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index 5d141f16f6fa..cf9f0d069a2a 100644
---- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -2813,6 +2813,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
- if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
- return -EPERM;
-
-+ if (kernel_is_locked_down("BPF"))
-+ return -EPERM;
-+
- err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
- if (err)
- return err;
---
-2.21.0
-
-
-From 7ec8d8a7bc177bc54e627b04a6aa4520174965cd Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 24/29] Lock down perf
-
-Disallow the use of certain perf facilities that might allow userspace to
-access kernel data.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
----
- kernel/events/core.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index eea9d52b010c..08f51f91d959 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -10824,6 +10824,11 @@ SYSCALL_DEFINE5(perf_event_open,
- return -EINVAL;
- }
-
-+ if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) &&
-+ kernel_is_locked_down("PERF_SAMPLE_REGS_INTR"))
-+ /* REGS_INTR can leak data, lockdown must prevent this */
-+ return -EPERM;
-+
- /* Only privileged users can get physical addresses */
- if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) &&
- perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
---
-2.21.0
-
-
-From 98fa6aca64b1723db15cb1791b734aebb105433e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 25/29] debugfs: Restrict debugfs when the kernel is locked
- down
-
-Disallow opening of debugfs files that might be used to muck around when
-the kernel is locked down as various drivers give raw access to hardware
-through debugfs. Given the effort of auditing all 2000 or so files and
-manually fixing each one as necessary, I've chosen to apply a heuristic
-instead. The following changes are made:
-
- (1) chmod and chown are disallowed on debugfs objects (though the root dir
- can be modified by mount and remount, but I'm not worried about that).
-
- (2) When the kernel is locked down, only files with the following criteria
- are permitted to be opened:
-
- - The file must have mode 00444
- - The file must not have ioctl methods
- - The file must not have mmap
-
- (3) When the kernel is locked down, files may only be opened for reading.
-
-Normal device interaction should be done through configfs, sysfs or a
-miscdev, not debugfs.
-
-Note that this makes it unnecessary to specifically lock down show_dsts(),
-show_devs() and show_call() in the asus-wmi driver.
-
-I would actually prefer to lock down all files by default and have the
-the files unlocked by the creator. This is tricky to manage correctly,
-though, as there are 19 creation functions and ~1600 call sites (some of
-them in loops scanning tables).
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: Andy Shevchenko <andy.shevchenko@gmail.com>
-cc: acpi4asus-user@lists.sourceforge.net
-cc: platform-driver-x86@vger.kernel.org
-cc: Matthew Garrett <mjg59@srcf.ucam.org>
-cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++
- fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++--
- 2 files changed, 56 insertions(+), 2 deletions(-)
-
-diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
-index 93e4ca6b2ad7..8eeff9068228 100644
---- a/fs/debugfs/file.c
-+++ b/fs/debugfs/file.c
-@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry)
- }
- EXPORT_SYMBOL_GPL(debugfs_file_put);
-
-+/*
-+ * Only permit access to world-readable files when the kernel is locked down.
-+ * We also need to exclude any file that has ways to write or alter it as root
-+ * can bypass the permissions check.
-+ */
-+static bool debugfs_is_locked_down(struct inode *inode,
-+ struct file *filp,
-+ const struct file_operations *real_fops)
-+{
-+ if ((inode->i_mode & 07777) == 0444 &&
-+ !(filp->f_mode & FMODE_WRITE) &&
-+ !real_fops->unlocked_ioctl &&
-+ !real_fops->compat_ioctl &&
-+ !real_fops->mmap)
-+ return false;
-+
-+ return kernel_is_locked_down("debugfs");
-+}
-+
- static int open_proxy_open(struct inode *inode, struct file *filp)
- {
- struct dentry *dentry = F_DENTRY(filp);
-@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
- return r == -EIO ? -ENOENT : r;
-
- real_fops = debugfs_real_fops(filp);
-+
-+ r = -EPERM;
-+ if (debugfs_is_locked_down(inode, filp, real_fops))
-+ goto out;
-+
- real_fops = fops_get(real_fops);
- if (!real_fops) {
- /* Huh? Module did not clean up after itself at exit? */
-@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
- return r == -EIO ? -ENOENT : r;
-
- real_fops = debugfs_real_fops(filp);
-+ r = -EPERM;
-+ if (debugfs_is_locked_down(inode, filp, real_fops))
-+ goto out;
-+
- real_fops = fops_get(real_fops);
- if (!real_fops) {
- /* Huh? Module did not cleanup after itself at exit? */
-diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 042b688ed124..cc0486ca1a11 100644
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -35,6 +35,31 @@ static struct vfsmount *debugfs_mount;
- static int debugfs_mount_count;
- static bool debugfs_registered;
-
-+/*
-+ * Don't allow access attributes to be changed whilst the kernel is locked down
-+ * so that we can use the file mode as part of a heuristic to determine whether
-+ * to lock down individual files.
-+ */
-+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
-+{
-+ if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
-+ kernel_is_locked_down("debugfs"))
-+ return -EPERM;
-+ return simple_setattr(dentry, ia);
-+}
-+
-+static const struct inode_operations debugfs_file_inode_operations = {
-+ .setattr = debugfs_setattr,
-+};
-+static const struct inode_operations debugfs_dir_inode_operations = {
-+ .lookup = simple_lookup,
-+ .setattr = debugfs_setattr,
-+};
-+static const struct inode_operations debugfs_symlink_inode_operations = {
-+ .get_link = simple_get_link,
-+ .setattr = debugfs_setattr,
-+};
-+
- static struct inode *debugfs_get_inode(struct super_block *sb)
- {
- struct inode *inode = new_inode(sb);
-@@ -369,6 +394,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode,
- inode->i_mode = mode;
- inode->i_private = data;
-
-+ inode->i_op = &debugfs_file_inode_operations;
- inode->i_fop = proxy_fops;
- dentry->d_fsdata = (void *)((unsigned long)real_fops |
- DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
-@@ -532,7 +558,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
- }
-
- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
-- inode->i_op = &simple_dir_inode_operations;
-+ inode->i_op = &debugfs_dir_inode_operations;
- inode->i_fop = &simple_dir_operations;
-
- /* directory inodes start off with i_nlink == 2 (for "." entry) */
-@@ -632,7 +658,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
- return failed_creating(dentry);
- }
- inode->i_mode = S_IFLNK | S_IRWXUGO;
-- inode->i_op = &simple_symlink_inode_operations;
-+ inode->i_op = &debugfs_symlink_inode_operations;
- inode->i_link = link;
- d_instantiate(dentry, inode);
- return end_creating(dentry);
---
-2.21.0
-
-
-From 39ffa9315f46123f0f1f66fb6fd0597211b43b1d Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 28 Feb 2018 14:43:03 +0000
-Subject: [PATCH 26/29] lockdown: Print current->comm in restriction messages
-
-Print the content of current->comm in messages generated by lockdown to
-indicate a restriction that was hit. This makes it a bit easier to find
-out what caused the message.
-
-The message now patterned something like:
-
- Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- security/lock_down.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/security/lock_down.c b/security/lock_down.c
-index 18d8776a4d02..ee00ca2677e7 100644
---- a/security/lock_down.c
-+++ b/security/lock_down.c
-@@ -53,8 +53,8 @@ void __init init_lockdown(void)
- bool __kernel_is_locked_down(const char *what, bool first)
- {
- if (what && first && kernel_locked_down)
-- pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
-- what);
-+ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
-+ current->comm, what);
- return kernel_locked_down;
- }
- EXPORT_SYMBOL(__kernel_is_locked_down);
---
-2.21.0
-
-
-From 0086dbfaa88118636bc5d77f25bd578034a84075 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthewgarrett@google.com>
-Date: Tue, 12 Mar 2019 12:50:30 -0700
-Subject: [PATCH 27/29] kexec: Allow kexec_file() with appropriate IMA policy
- when locked down
-
-Systems in lockdown mode should block the kexec of untrusted kernels.
-For x86 and ARM we can ensure that a kernel is trustworthy by validating
-a PE signature, but this isn't possible on other architectures. On those
-platforms we can use IMA digital signatures instead. Add a function to
-determine whether IMA has or will verify signatures for a given event type,
-and if so permit kexec_file() even if the kernel is otherwise locked down.
-This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set
-in order to prevent an attacker from loading additional keys at runtime.
-
-Signed-off-by: Matthew Garrett <mjg59@google.com>
-Acked-by: Mimi Zohar <zohar@linux.ibm.com>
-Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
-Cc: linux-integrity@vger.kernel.org
----
- include/linux/ima.h | 9 ++++++
- kernel/kexec_file.c | 7 +++-
- security/integrity/ima/ima.h | 2 ++
- security/integrity/ima/ima_main.c | 2 +-
- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++
- 5 files changed, 68 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index a20ad398d260..1c37f17f7203 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -131,4 +131,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry,
- return 0;
- }
- #endif /* CONFIG_IMA_APPRAISE */
-+
-+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
-+extern bool ima_appraise_signature(enum kernel_read_file_id func);
-+#else
-+static inline bool ima_appraise_signature(enum kernel_read_file_id func)
-+{
-+ return false;
-+}
-+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
- #endif /* _LINUX_IMA_H */
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index 0668c29d2eaf..78728a0f16a7 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -235,7 +235,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
-
- ret = 0;
-
-- if (kernel_is_locked_down(reason)) {
-+ /* If IMA is guaranteed to appraise a signature on the kexec
-+ * image, permit it even if the kernel is otherwise locked
-+ * down.
-+ */
-+ if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
-+ kernel_is_locked_down(reason)) {
- ret = -EPERM;
- goto out;
- }
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index 011b91c79351..64dcb11cf444 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -113,6 +113,8 @@ struct ima_kexec_hdr {
- u64 count;
- };
-
-+extern const int read_idmap[];
-+
- #ifdef CONFIG_HAVE_IMA_KEXEC
- void ima_load_kexec_buffer(void);
- #else
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index 584019728660..b9f57503af2c 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -502,7 +502,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
- return 0;
- }
-
--static const int read_idmap[READING_MAX_ID] = {
-+const int read_idmap[READING_MAX_ID] = {
- [READING_FIRMWARE] = FIRMWARE_CHECK,
- [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK,
- [READING_MODULE] = MODULE_CHECK,
-diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index 6df7f641ff66..827f1e33fe86 100644
---- a/security/integrity/ima/ima_policy.c
-+++ b/security/integrity/ima/ima_policy.c
-@@ -1456,3 +1456,53 @@ int ima_policy_show(struct seq_file *m, void *v)
- return 0;
- }
- #endif /* CONFIG_IMA_READ_POLICY */
-+
-+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
-+/*
-+ * ima_appraise_signature: whether IMA will appraise a given function using
-+ * an IMA digital signature. This is restricted to cases where the kernel
-+ * has a set of built-in trusted keys in order to avoid an attacker simply
-+ * loading additional keys.
-+ */
-+bool ima_appraise_signature(enum kernel_read_file_id id)
-+{
-+ struct ima_rule_entry *entry;
-+ bool found = false;
-+ enum ima_hooks func;
-+
-+ if (id >= READING_MAX_ID)
-+ return false;
-+
-+ func = read_idmap[id] ?: FILE_CHECK;
-+
-+ rcu_read_lock();
-+ list_for_each_entry_rcu(entry, ima_rules, list) {
-+ if (entry->action != APPRAISE)
-+ continue;
-+
-+ /*
-+ * A generic entry will match, but otherwise require that it
-+ * match the func we're looking for
-+ */
-+ if (entry->func && entry->func != func)
-+ continue;
-+
-+ /*
-+ * We require this to be a digital signature, not a raw IMA
-+ * hash.
-+ */
-+ if (entry->flags & IMA_DIGSIG_REQUIRED)
-+ found = true;
-+
-+ /*
-+ * We've found a rule that matches, so break now even if it
-+ * didn't require a digital signature - a later rule that does
-+ * won't override it, so would be a false positive.
-+ */
-+ break;
-+ }
-+
-+ rcu_read_unlock();
-+ return found;
-+}
-+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
---
-2.21.0
-
-
From 4a84d19a10c31a363aa7d1f325bd212012263a98 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
Date: Mon, 9 Apr 2018 09:52:45 +0100
@@ -2107,63 +284,3 @@ index ee00ca2677e7..d68dff872ced 100644
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
--
2.21.0
-
-
-From c3e9fb754f7603ae10a750f685f0174c5ae51ffa Mon Sep 17 00:00:00 2001
-From: Vasily Gorbik <gor@linux.ibm.com>
-Date: Wed, 21 Nov 2018 13:05:10 +0100
-Subject: [PATCH 29/29] debugfs: avoid EPERM when no open file operation
- defined
-
-With "debugfs: Restrict debugfs when the kernel is locked down"
-return code "r" is unconditionally set to -EPERM, which stays like that
-until function return if no "open" file operation defined, effectivelly
-resulting in "Operation not permitted" for all such files despite kernel
-lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
-
-In particular this breaks 2 debugfs files on s390:
-/sys/kernel/debug/s390_hypfs/diag_304
-/sys/kernel/debug/s390_hypfs/diag_204
-
-To address that set EPERM return code only when debugfs_is_locked_down
-returns true.
-
-Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
-Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
----
- fs/debugfs/file.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
-index 8eeff9068228..9c56e1aa1f29 100644
---- a/fs/debugfs/file.c
-+++ b/fs/debugfs/file.c
-@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
-
- real_fops = debugfs_real_fops(filp);
-
-- r = -EPERM;
-- if (debugfs_is_locked_down(inode, filp, real_fops))
-+ if (debugfs_is_locked_down(inode, filp, real_fops)) {
-+ r = -EPERM;
- goto out;
-+ }
-
- real_fops = fops_get(real_fops);
- if (!real_fops) {
-@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
- return r == -EIO ? -ENOENT : r;
-
- real_fops = debugfs_real_fops(filp);
-- r = -EPERM;
-- if (debugfs_is_locked_down(inode, filp, real_fops))
-+ if (debugfs_is_locked_down(inode, filp, real_fops)) {
-+ r = -EPERM;
- goto out;
-+ }
-
- real_fops = fops_get(real_fops);
- if (!real_fops) {
---
-2.21.0
-
diff --git a/efi-secureboot.patch b/efi-secureboot.patch
index 4f8a97bcf..de6f5eef9 100644
--- a/efi-secureboot.patch
+++ b/efi-secureboot.patch
@@ -1,7 +1,109 @@
+From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Mon, 30 Sep 2019 21:22:47 +0000
+Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
+
+In order to automatically lock down kernels running on UEFI machines
+booted in Secure Boot mode, expose the lock_kernel_down() hook.
+
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ include/linux/lsm_hooks.h | 8 ++++++++
+ include/linux/security.h | 5 +++++
+ security/lockdown/lockdown.c | 1 +
+ security/security.c | 6 ++++++
+ 4 files changed, 20 insertions(+)
+
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index a3763247547c..8d76d1f153ed 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -1454,6 +1454,12 @@
+ * code execution in kernel space should be permitted.
+ *
+ * @what: kernel feature being accessed
++ *
++ * @lock_kernel_down
++ * Put the kernel into lock-down mode.
++ *
++ * @where: Where the lock-down is originating from (e.g. command line option)
++ * @level: The lock-down level (can only increase)
+ */
+ union security_list_options {
+ int (*binder_set_context_mgr)(struct task_struct *mgr);
+@@ -1818,6 +1824,7 @@ union security_list_options {
+ void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
+ #endif /* CONFIG_BPF_SYSCALL */
+ int (*locked_down)(enum lockdown_reason what);
++ int (*lock_kernel_down)(const char *where, enum lockdown_reason level);
+ };
+
+ struct security_hook_heads {
+@@ -2060,6 +2067,7 @@ struct security_hook_heads {
+ struct hlist_head bpf_prog_free_security;
+ #endif /* CONFIG_BPF_SYSCALL */
+ struct hlist_head locked_down;
++ struct hlist_head lock_kernel_down;
+ } __randomize_layout;
+
+ /*
+diff --git a/include/linux/security.h b/include/linux/security.h
+index a8d59d612d27..467b9ccdf993 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+ int security_locked_down(enum lockdown_reason what);
++int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+ #else /* CONFIG_SECURITY */
+
+ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what)
+ {
+ return 0;
+ }
++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level);
++{
++ return 0;
++}
+ #endif /* CONFIG_SECURITY */
+
+ #ifdef CONFIG_SECURITY_NETWORK
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index 8a10b43daf74..72a623075749 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
+
+ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
++ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
+ };
+
+ static int __init lockdown_lsm_init(void)
+diff --git a/security/security.c b/security/security.c
+index 1bc000f834e2..1506b95427cf 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -2404,3 +2404,9 @@ int security_locked_down(enum lockdown_reason what)
+ return call_int_hook(locked_down, 0, what);
+ }
+ EXPORT_SYMBOL(security_locked_down);
++
++int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++ return call_int_hook(lock_kernel_down, 0, where, level);
++}
++EXPORT_SYMBOL(security_lock_kernel_down);
+--
+2.21.0
+
+
From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 29/31] efi: Add an EFI_SECURE_BOOT flag to indicate secure
+Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure
boot mode
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
@@ -160,119 +262,73 @@ index 21d81021c1f4..758ec061d03b 100644
2.21.0
-From d78bf678059f83e22bec8ada1a448e22b9b90203 Mon Sep 17 00:00:00 2001
+From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 30/31] efi: Lock down the kernel if booted in secure boot mode
+Date: Mon, 30 Sep 2019 21:28:16 +0000
+Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
-UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-only load signed bootloaders and kernels. Certain use cases may also
-require that all kernel modules also be signed. Add a configuration option
-that to lock down the kernel - which includes requiring validly signed
-modules - if the kernel is secure-booted.
+UEFI Secure Boot provides a mechanism for ensuring that the firmware
+will only load signed bootloaders and kernels. Certain use cases may
+also require that all kernel modules also be signed. Add a
+configuration option that to lock down the kernel - which includes
+requiring validly signed modules - if the kernel is secure-booted.
Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-cc: linux-efi@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
- arch/x86/kernel/setup.c | 6 ++++--
- fs/debugfs/inode.c | 2 +-
- security/Kconfig | 14 ++++++++++++++
- security/lock_down.c | 5 +++++
- 4 files changed, 20 insertions(+), 3 deletions(-)
+ arch/x86/kernel/setup.c | 8 ++++++++
+ security/lockdown/Kconfig | 13 +++++++++++++
+ 2 files changed, 21 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index adeee6329f55..27a54ec878bd 100644
+index 77ea96b794bd..a119e1bc9623 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -65,6 +65,7 @@
- #include <linux/dma-mapping.h>
- #include <linux/ctype.h>
- #include <linux/uaccess.h>
+@@ -73,6 +73,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/mem_encrypt.h>
+ #include <linux/sizes.h>
+#include <linux/security.h>
- #include <linux/percpu.h>
- #include <linux/crash_dump.h>
-@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p)
+ #include <linux/usb/xhci-dbgp.h>
+ #include <video/edid.h>
+@@ -1027,6 +1028,13 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
-+ init_lockdown();
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++ if (efi_enabled(EFI_SECURE_BOOT))
++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
++#endif
+
dmi_setup();
/*
-@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p)
- /* Allocate bigger log buffer */
- setup_log_buf(1);
-
-- efi_set_secure_boot(boot_params.secure_boot);
--
- reserve_initrd();
-
- acpi_table_upgrade();
-diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index ce261e1765ff..7aff55b309a6 100644
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -40,7 +40,7 @@ static bool debugfs_registered;
- static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
- {
- if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
-- kernel_is_locked_down("debugfs"))
-+ kernel_is_locked_down("changing perms in debugfs"))
- return -EPERM;
- return simple_setattr(dentry, ia);
- }
-diff --git a/security/Kconfig b/security/Kconfig
-index 9c343f262bdd..30788bc47863 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE
- Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
- combination on a wired keyboard. On x86, this is SysRq+x.
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..d0501353a4b9 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
+ subsystem is fully initialised. If enabled, lockdown will
+ unconditionally be called before any other LSMs.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
-+ select LOCK_DOWN_KERNEL
-+ depends on EFI
++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
+ help
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Secure boot mode may
+ be determined from EFI variables provided by the system firmware if
+ not indicated by the boot parameters.
+
-+ Enabling this option turns on results in kernel lockdown being
-+ triggered if EFI Secure Boot is set.
++ Enabling this option results in kernel lockdown being triggered if
++ EFI Secure Boot is set.
+
- source "security/selinux/Kconfig"
- source "security/smack/Kconfig"
- source "security/tomoyo/Kconfig"
-diff --git a/security/lock_down.c b/security/lock_down.c
-index ee00ca2677e7..bb4dc7838f3e 100644
---- a/security/lock_down.c
-+++ b/security/lock_down.c
-@@ -12,6 +12,7 @@
-
- #include <linux/security.h>
- #include <linux/export.h>
-+#include <linux/efi.h>
- #include <linux/sysrq.h>
- #include <asm/setup.h>
-
-@@ -44,6 +45,10 @@ void __init init_lockdown(void)
- #ifdef CONFIG_LOCK_DOWN_FORCE
- lock_kernel_down("Kernel configuration");
- #endif
-+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
-+ if (efi_enabled(EFI_SECURE_BOOT))
-+ lock_kernel_down("EFI secure boot");
-+#endif
- }
-
- /**
+ choice
+ prompt "Kernel default lockdown mode"
+ default LOCK_DOWN_KERNEL_FORCE_NONE
--
-2.14.3
+2.21.0
diff --git a/gitrev b/gitrev
index eeac76fb0..8a6ba8d25 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-f41def397161053eb0d3ed6861ef65985efbf293
+97f9a3c4eee55b0178b518ae7114a6a53372913d
diff --git a/iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch b/iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch
deleted file mode 100644
index f583a5b2d..000000000
--- a/iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From patchwork Tue Sep 24 10:30:57 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Luca Coelho <luca@coelho.fi>
-X-Patchwork-Id: 11158395
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <SRS0=l3ON=XT=vger.kernel.org=linux-wireless-owner@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
- by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 62FF3112B
- for <patchwork-linux-wireless@patchwork.kernel.org>;
- Tue, 24 Sep 2019 10:31:06 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
- by mail.kernel.org (Postfix) with ESMTP id 4AA4E214D9
- for <patchwork-linux-wireless@patchwork.kernel.org>;
- Tue, 24 Sep 2019 10:31:06 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S2409468AbfIXKbF (ORCPT
- <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
- Tue, 24 Sep 2019 06:31:05 -0400
-Received: from paleale.coelho.fi ([176.9.41.70]:44742 "EHLO
- farmhouse.coelho.fi" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
- with ESMTP id S2387644AbfIXKbF (ORCPT
- <rfc822;linux-wireless@vger.kernel.org>);
- Tue, 24 Sep 2019 06:31:05 -0400
-Received: from [91.156.6.193] (helo=redipa.ger.corp.intel.com)
- by farmhouse.coelho.fi with esmtpsa
- (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
- (Exim 4.92)
- (envelope-from <luca@coelho.fi>)
- id 1iCi63-0005Je-8E; Tue, 24 Sep 2019 13:31:03 +0300
-From: Luca Coelho <luca@coelho.fi>
-To: kvalo@codeaurora.org
-Cc: linux-wireless@vger.kernel.org
-Date: Tue, 24 Sep 2019 13:30:57 +0300
-Message-Id: <20190924103057.17147-1-luca@coelho.fi>
-X-Mailer: git-send-email 2.23.0
-MIME-Version: 1.0
-X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on farmhouse.coelho.fi
-X-Spam-Level:
-X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00,
- URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2
-Subject: [PATCH v5.4] iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW
- version 36
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-
-From: Luca Coelho <luciano.coelho@intel.com>
-
-The intention was to have the GEO_TX_POWER_LIMIT command in FW version
-36 as well, but not all 8000 family got this feature enabled. The
-8000 family is the only one using version 36, so skip this version
-entirely. If we try to send this command to the firmwares that do not
-support it, we get a BAD_COMMAND response from the firmware.
-
-This fixes https://bugzilla.kernel.org/show_bug.cgi?id=204151.
-
-Cc: stable@vger.kernel.org # 4.19+
-Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
----
- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
-index 014eca6596e2..32a5e4e5461f 100644
---- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
-+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
-@@ -889,11 +889,13 @@ static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm)
- * firmware versions. Unfortunately, we don't have a TLV API
- * flag to rely on, so rely on the major version which is in
- * the first byte of ucode_ver. This was implemented
-- * initially on version 38 and then backported to 36, 29 and
-- * 17.
-+ * initially on version 38 and then backported to29 and 17.
-+ * The intention was to have it in 36 as well, but not all
-+ * 8000 family got this feature enabled. The 8000 family is
-+ * the only one using version 36, so skip this version
-+ * entirely.
- */
- return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 ||
-- IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 ||
- IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 ||
- IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17;
- }
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index aed83899b..86e575028 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -2456,6 +2456,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2477,6 +2478,7 @@ CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
CONFIG_IMX2_WDT=m
CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
# CONFIG_IMX_DMA is not set
# CONFIG_IMX_DSP is not set
CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -2928,6 +2930,7 @@ CONFIG_KERNEL_MODE_NEON=y
# CONFIG_KERNEL_UNCOMPRESSED is not set
# CONFIG_KERNEL_XZ is not set
# CONFIG_KEXEC_FILE is not set
+CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y
CONFIG_KEYBOARD_ADC=m
# CONFIG_KEYBOARD_ADP5588 is not set
@@ -3122,6 +3125,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
CONFIG_LOCK_EVENT_COUNTS=y
@@ -4310,7 +4316,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
CONFIG_OPT3001=m
CONFIG_OPTEE=m
CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -5374,6 +5380,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -7154,6 +7162,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index e71cea7fe..8742f7eaf 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -2440,6 +2440,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2461,6 +2462,7 @@ CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
CONFIG_IMX2_WDT=m
CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
# CONFIG_IMX_DMA is not set
# CONFIG_IMX_DSP is not set
CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -2910,6 +2912,7 @@ CONFIG_KERNEL_MODE_NEON=y
# CONFIG_KERNEL_UNCOMPRESSED is not set
# CONFIG_KERNEL_XZ is not set
# CONFIG_KEXEC_FILE is not set
+CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y
CONFIG_KEYBOARD_ADC=m
# CONFIG_KEYBOARD_ADP5588 is not set
@@ -3104,6 +3107,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4290,7 +4296,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
CONFIG_OPT3001=m
CONFIG_OPTEE=m
CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -5353,6 +5359,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -7132,6 +7140,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index 48d48ae3e..d9582c84a 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -2482,6 +2482,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2503,6 +2504,7 @@ CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
CONFIG_IMX2_WDT=m
CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
# CONFIG_IMX_DMA is not set
# CONFIG_IMX_DSP is not set
CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3162,6 +3164,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
CONFIG_LOCK_EVENT_COUNTS=y
@@ -4419,7 +4424,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
CONFIG_OPT3001=m
CONFIG_OPTEE=m
CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -5512,6 +5517,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_INFINIBAND is not set
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -7466,6 +7473,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 5fb1f3b84..8f434465c 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -2399,6 +2399,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2420,6 +2421,7 @@ CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
CONFIG_IMX2_WDT=m
CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
# CONFIG_IMX_DMA is not set
# CONFIG_IMX_DSP is not set
CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3061,6 +3063,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
CONFIG_LOCK_EVENT_COUNTS=y
@@ -4255,7 +4260,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
CONFIG_OPT3001=m
CONFIG_OPTEE=m
CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -5265,6 +5270,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_INFINIBAND is not set
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -7092,6 +7099,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 7dd283606..89757645b 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -2384,6 +2384,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2405,6 +2406,7 @@ CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
CONFIG_IMX2_WDT=m
CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
# CONFIG_IMX_DMA is not set
# CONFIG_IMX_DSP is not set
CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3044,6 +3046,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4236,7 +4241,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
CONFIG_OPT3001=m
CONFIG_OPTEE=m
CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -5245,6 +5250,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_INFINIBAND is not set
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -7071,6 +7078,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index f4f5ab153..996968493 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -2467,6 +2467,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2488,6 +2489,7 @@ CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
CONFIG_IMX2_WDT=m
CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
# CONFIG_IMX_DMA is not set
# CONFIG_IMX_DSP is not set
CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3145,6 +3147,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4400,7 +4405,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
CONFIG_OPT3001=m
CONFIG_OPTEE=m
CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -5492,6 +5497,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_INFINIBAND is not set
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -7445,6 +7452,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index d1cd36275..66582a46a 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -2198,6 +2198,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2878,7 +2879,10 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOCKD_V4=y
CONFIG_LOCK_EVENT_COUNTS=y
@@ -3996,7 +4000,7 @@ CONFIG_OPENVSWITCH=m
CONFIG_OPENVSWITCH_VXLAN=m
# CONFIG_OPROFILE is not set
CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -4866,6 +4870,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -6494,6 +6500,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-i686.config b/kernel-i686.config
index 52b88adff..3f8ebe8c7 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -2181,6 +2181,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2859,7 +2860,10 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_EVENT_COUNTS is not set
@@ -3977,7 +3981,7 @@ CONFIG_OPENVSWITCH=m
CONFIG_OPENVSWITCH_VXLAN=m
# CONFIG_OPROFILE is not set
CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -4846,6 +4850,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -6473,6 +6479,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index 92b5d37a1..31bfb177e 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -1999,6 +1999,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2624,6 +2625,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
CONFIG_LOCK_EVENT_COUNTS=y
@@ -3708,7 +3712,7 @@ CONFIG_OPENVSWITCH=m
CONFIG_OPENVSWITCH_VXLAN=m
# CONFIG_OPROFILE is not set
CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -4555,6 +4559,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -6087,6 +6093,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index 6a5b4fc5e..970e3f97d 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -1982,6 +1982,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2605,6 +2606,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_EVENT_COUNTS is not set
@@ -3687,7 +3691,7 @@ CONFIG_OPENVSWITCH=m
CONFIG_OPENVSWITCH_VXLAN=m
# CONFIG_OPROFILE is not set
CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -4533,6 +4537,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -6064,6 +6070,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index df5319d73..26d01b430 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -1979,6 +1979,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2416,6 +2417,7 @@ CONFIG_KERNEL_GZIP=y
# CONFIG_KERNEL_UNCOMPRESSED is not set
# CONFIG_KERNEL_XZ is not set
CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_VERIFY_SIG is not set
CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set
@@ -2600,6 +2602,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
CONFIG_LOCK_EVENT_COUNTS=y
@@ -3675,7 +3680,7 @@ CONFIG_OPENVSWITCH=m
CONFIG_OPENVSWITCH_VXLAN=m
# CONFIG_OPROFILE is not set
CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -4501,6 +4506,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -6026,6 +6033,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=y
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-s390x.config b/kernel-s390x.config
index 6a0f49513..0ae907c13 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -1962,6 +1962,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2397,6 +2398,7 @@ CONFIG_KERNEL_GZIP=y
# CONFIG_KERNEL_UNCOMPRESSED is not set
# CONFIG_KERNEL_XZ is not set
CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_VERIFY_SIG is not set
CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set
@@ -2581,6 +2583,9 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_EVENT_COUNTS is not set
@@ -3654,7 +3659,7 @@ CONFIG_OPENVSWITCH=m
CONFIG_OPENVSWITCH_VXLAN=m
# CONFIG_OPROFILE is not set
CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
CONFIG_OPTPROBES=y
CONFIG_ORANGEFS_FS=m
CONFIG_ORINOCO_USB=m
@@ -4479,6 +4484,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -6003,6 +6010,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=y
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index 86dd39864..e5a54dfdb 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -2237,6 +2237,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2929,7 +2930,10 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOCKD_V4=y
CONFIG_LOCK_EVENT_COUNTS=y
@@ -4907,6 +4911,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -6546,6 +6552,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 8328f1911..f1bd843d1 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -2220,6 +2220,7 @@ CONFIG_IIO_TRIGGER=y
CONFIG_IKHEADERS=m
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2910,7 +2911,10 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4887,6 +4891,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
@@ -6525,6 +6531,7 @@ CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_BLK_SCSI is not set
CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
CONFIG_VIRTIO_INPUT=m
# CONFIG_VIRTIO_IOMMU is not set
CONFIG_VIRTIO_MENU=y
diff --git a/kernel.spec b/kernel.spec
index 2999a5931..96779738c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -71,7 +71,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 0
# The git snapshot level
-%define gitrev 8
+%define gitrev 9
# Set rpm version accordingly
%define rpmversion 5.%{upstream_sublevel}.0
%endif
@@ -499,7 +499,7 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
# 200 - x86 / secureboot
-Patch201: efi-lockdown.patch
+# Patch201: efi-lockdown.patch
# bz 1497559 - Make kernel MODSIGN code not error on missing variables
Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
@@ -534,10 +534,6 @@ Patch320: arm64-tegra-jetson-tx1-fixes.patch
# https://www.spinics.net/lists/linux-tegra/msg43110.html
Patch321: arm64-tegra-Jetson-TX2-Allow-bootloader-to-configure.patch
-# QCom laptop bits
-# https://patchwork.kernel.org/patch/11133827/
-Patch330: arm64-qcom-i2c-geni-Disable-DMA-processing-on-the-Lenovo-Yoga-C630.patch
-
# 400 - IBM (ppc/s390x) patches
# 500 - Temp fixes/CVEs etc
@@ -551,9 +547,6 @@ Patch502: 0001-Drop-that-for-now.patch
# Submitted upstream at https://lkml.org/lkml/2019/4/23/89
Patch503: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
-# https://patchwork.kernel.org/patch/11158395/
-Patch504: iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch
-
# END OF PATCH DEFINITIONS
%endif
@@ -1755,6 +1748,9 @@ fi
#
#
%changelog
+* Mon Sep 30 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-0.rc0.git9.1
+- Linux v5.3-13236-g97f9a3c4eee5
+
* Thu Sep 26 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-0.rc0.git8.1
- Linux v5.3-12397-gf41def397161
diff --git a/sources b/sources
index a50a9647b..374400250 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (linux-5.3.tar.xz) = 6b5edef47c319a3fa7f6c20a3e0903a5acd89ec75e32dc5f99adcb60c9fe118ea312722d9c3d27e2e3900afa2455afb86e83a8b6bb131009bc79ddbe6fb0595d
-SHA512 (patch-5.3-git8.xz) = 6d20a445bce9b821cb9c83c2440fce5b3e3e70ddc5f31d535524687fcefeab1edad7c72dfaa53b6bbf9beeb7811ae04d1301094d69463771b95f86dffed8b2ce
+SHA512 (patch-5.3-git9.xz) = 47761a6fb683ba11c648df4fe542f13b90f1bc3bdeba236ea0be4df12c7ce7373f5841e194641023370bf52d94ad8660dc85bf51d44942c7c2508b996e365c88