59 files changed, 2358 insertions, 2339 deletions
diff --git a/ACPI-Limit-access-to-custom_method.patch b/ACPI-Limit-access-to-custom_method.patch
new file mode 100644
index 000000000..148feeb39
--- /dev/null
+++ b/ACPI-Limit-access-to-custom_method.patch
@@ -0,0 +1,31 @@
+From 534706023a5b169f0d85c92c00c4a658346704f5 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Mar 2012 08:39:37 -0500
+Subject: [PATCH] ACPI: Limit access to custom_method
+
+custom_method effectively allows arbitrary access to system memory, making
+it possible for an attacker to circumvent restrictions on module loading.
+Disable it if any such restrictions have been enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/acpi/custom_method.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
+index c68e72414a67..4277938af700 100644
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
+ struct acpi_table_header table;
+ acpi_status status;
+ 
++ if (secure_modules())
++ return -EPERM;
++
+ if (!(*ppos)) {
+ /* parse the table header to get the table length */
+ if (count <= sizeof(struct acpi_table_header))
+-- 
+1.9.3
+
diff --git a/ARM-tegra-usb-no-reset.patch b/ARM-tegra-usb-no-reset.patch
new file mode 100644
index 000000000..004d7e823
--- /dev/null
+++ b/ARM-tegra-usb-no-reset.patch
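Review bot: The new `if (secure_modules()) return -EPERM;` in cm_write carries no comment explaining what it closes; the rationale lives only in the commit message, which the next reader of custom_method.c will not see. A one-line comment above the check, `/* custom_method gives arbitrary access to system memory; refuse it whenever module loading is restricted */`, keeps that reasoning next to the code. The hunk places the check ahead of the `*ppos` handling, which looks like the right spot so that no partial table is accepted, but cm_write's body continues outside the hunk so I cannot confirm there is no other entry into the parsing path.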
@@ -0,0 +1,32 @@
+From 8820ddd6eefc70f2780b8fc06741de6e05ccd019 Mon Sep 17 00:00:00 2001
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Thu, 3 May 2012 20:27:11 +0100
+Subject: [PATCH] ARM: tegra: usb no reset
+
+Patch for disconnect issues with storage attached to a
+ tegra-ehci controller
+---
+ drivers/usb/core/hub.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 8a4dcbc7a75f..8ab01fbcc6a9 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5031,6 +5031,13 @@ static void hub_events(void)
+ (u16) hub->change_bits[0],
+ (u16) hub->event_bits[0]);
+ 
++ /* Don't disconnect USB-SATA on TrimSlice */
++ if (strcmp(dev_name(hdev->bus->controller), "tegra-ehci.0") == 0) {
++ if ((hdev->state == 7) && (hub->change_bits[0] == 0) &&
++ (hub->event_bits[0] == 0x2))
++ hub->event_bits[0] = 0;
++ }
++
+ /* Lock the device, then check to see if we were
+ * disconnected while waiting for the lock to succeed. */
+ usb_lock_device(hdev);
+-- 
+1.9.3
+
diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch
new file mode 100644
index 000000000..d935ccbda
--- /dev/null
+++ b/Add-EFI-signature-data-types.patch
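Review bot: The quirk in hub_events compares `hdev->state == 7` and `hub->event_bits[0] == 0x2` against bare magic numbers; the state appears to be `USB_STATE_CONFIGURED` from the usb_device_state enum and the bit appears to be port 1's event bit, so `hdev->state == USB_STATE_CONFIGURED` and a `1 << 1` (or a comment naming the port) would make the intent checkable. Matching the controller by its literal device name `"tegra-ehci.0"` inside generic hub code is fragile — a board that enumerates controllers in a different order silently loses the workaround — and presumably belongs behind a quirk flag on the controller, though I cannot see the tegra-ehci driver here. `dev_name(hdev->bus->controller)` also assumes `controller` is non-NULL; a short comment saying why that always holds for a hub would help the next reader. hub_events continues outside the hunk.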
@@ -0,0 +1,57 @@ +From 319b6d06b46f630629fcaaa6532f62dc1aae945a Mon Sep 17 00:00:00 2001 +From: Dave Howells <dhowells@redhat.com> +Date: Tue, 23 Oct 2012 09:30:54 -0400 +Subject: [PATCH] Add EFI signature data types + +Add the data types that are used for containing hashes, keys and certificates +for cryptographic verification. + +Bugzilla: N/A +Upstream-status: Fedora mustard for now + +Signed-off-by: David Howells <dhowells@redhat.com> +--- + include/linux/efi.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/include/linux/efi.h b/include/linux/efi.h +index ebe6a24cc1e1..5ce40e215f15 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -581,6 +581,12 @@ void efi_native_runtime_setup(void); + #define DEVICE_TREE_GUID \ + EFI_GUID( 0xb1b621d5, 0xf19c, 0x41a5, 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0 ) + ++#define EFI_CERT_SHA256_GUID \ ++ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 ) ++ ++#define EFI_CERT_X509_GUID \ ++ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) ++ + typedef struct { + efi_guid_t guid; + u64 table; +@@ -796,6 +802,20 @@ typedef struct _efi_file_io_interface { + + #define EFI_INVALID_TABLE_ADDR (~0UL) + ++typedef struct { ++ efi_guid_t signature_owner; ++ u8 signature_data[]; ++} efi_signature_data_t; ++ ++typedef struct { ++ efi_guid_t signature_type; ++ u32 signature_list_size; ++ u32 signature_header_size; ++ u32 signature_size; ++ u8 signature_header[]; ++ /* efi_signature_data_t signatures[][] */ ++} efi_signature_list_t; ++ + /* + * All runtime access to EFI goes through this structure: + */ +-- +1.9.3 + diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch new file mode 100644 index 000000000..6575b7cd7 --- /dev/null +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch 
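Review bot: The new `efi_signature_list_t` and `efi_signature_data_t` typedefs describe data read straight out of firmware variables, but nothing in the header says so or names the UEFI structures they mirror, and the only hint about the trailing elements is the commented-out `efi_signature_data_t signatures[][]`. A short comment above each typedef — that they mirror the UEFI EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layouts, that every size field comes from the variable store and must be validated by whoever walks the blob, and that `signature_size` covers the owner GUID plus the data that follows it — would give a parser a contract to check against. The two GUID defines follow the existing `DEVICE_TREE_GUID` style and look fine.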
@@ -0,0 +1,179 @@ +From 30f41111b3e9ec5087a5bf7ac1ffc8982fb7db59 Mon Sep 17 00:00:00 2001 +From: Dave Howells <dhowells@redhat.com> +Date: Tue, 23 Oct 2012 09:36:28 -0400 +Subject: [PATCH] Add an EFI signature blob parser and key loader. + +X.509 certificates are loaded into the specified keyring as asymmetric type +keys. + +Signed-off-by: David Howells <dhowells@redhat.com> +--- + crypto/asymmetric_keys/Kconfig | 8 +++ + crypto/asymmetric_keys/Makefile | 1 + + crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++ + include/linux/efi.h | 4 ++ + 4 files changed, 122 insertions(+) + create mode 100644 crypto/asymmetric_keys/efi_parser.c + +diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig +index 4870f28403f5..4a1b50d73b80 100644 +--- a/crypto/asymmetric_keys/Kconfig ++++ b/crypto/asymmetric_keys/Kconfig +@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION + This option provides support for verifying the signature(s) on a + signed PE binary. + ++config EFI_SIGNATURE_LIST_PARSER ++ bool "EFI signature list parser" ++ depends on EFI ++ select X509_CERTIFICATE_PARSER ++ help ++ This option provides support for parsing EFI signature lists for ++ X.509 certificates and turning them into keys. 
++ + endif # ASYMMETRIC_KEY_TYPE +diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile +index e47fcd9ac5e8..6512f6596785 100644 +--- a/crypto/asymmetric_keys/Makefile ++++ b/crypto/asymmetric_keys/Makefile +@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o + + obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o + obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o ++obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o + + # + # X.509 Certificate handling +diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c +new file mode 100644 +index 000000000000..424896a0b169 +--- /dev/null ++++ b/crypto/asymmetric_keys/efi_parser.c +@@ -0,0 +1,109 @@ ++/* EFI signature/key/certificate list parser ++ * ++ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. 
++ */ ++ ++#define pr_fmt(fmt) "EFI: "fmt ++#include <linux/module.h> ++#include <linux/printk.h> ++#include <linux/err.h> ++#include <linux/efi.h> ++#include <keys/asymmetric-type.h> ++ ++static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID; ++ ++/** ++ * parse_efi_signature_list - Parse an EFI signature list for certificates ++ * @data: The data blob to parse ++ * @size: The size of the data blob ++ * @keyring: The keyring to add extracted keys to ++ */ ++int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring) ++{ ++ unsigned offs = 0; ++ size_t lsize, esize, hsize, elsize; ++ ++ pr_devel("-->%s(,%zu)\n", __func__, size); ++ ++ while (size > 0) { ++ efi_signature_list_t list; ++ const efi_signature_data_t *elem; ++ key_ref_t key; ++ ++ if (size < sizeof(list)) ++ return -EBADMSG; ++ ++ memcpy(&list, data, sizeof(list)); ++ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n", ++ offs, ++ list.signature_type.b, list.signature_list_size, ++ list.signature_header_size, list.signature_size); ++ ++ lsize = list.signature_list_size; ++ hsize = list.signature_header_size; ++ esize = list.signature_size; ++ elsize = lsize - sizeof(list) - hsize; ++ ++ if (lsize > size) { ++ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n", ++ __func__, offs); ++ return -EBADMSG; ++ } ++ if (lsize < sizeof(list) || ++ lsize - sizeof(list) < hsize || ++ esize < sizeof(*elem) || ++ elsize < esize || ++ elsize % esize != 0) { ++ pr_devel("- bad size combo @%x\n", offs); ++ return -EBADMSG; ++ } ++ ++ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) { ++ data += lsize; ++ size -= lsize; ++ offs += lsize; ++ continue; ++ } ++ ++ data += sizeof(list) + hsize; ++ size -= sizeof(list) + hsize; ++ offs += sizeof(list) + hsize; ++ ++ for (; elsize > 0; elsize -= esize) { ++ elem = data; ++ ++ pr_devel("ELEM[%04x]\n", offs); ++ ++ key = key_create_or_update( ++ make_key_ref(keyring, 1), ++ "asymmetric", ++ NULL, ++ &elem->signature_data, ++ 
esize - sizeof(*elem), ++ (KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW, ++ KEY_ALLOC_NOT_IN_QUOTA | ++ KEY_ALLOC_TRUSTED); ++ ++ if (IS_ERR(key)) ++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", ++ PTR_ERR(key)); ++ else ++ pr_notice("Loaded cert '%s' linked to '%s'\n", ++ key_ref_to_ptr(key)->description, ++ keyring->description); ++ ++ data += esize; ++ size -= esize; ++ offs += esize; ++ } ++ } ++ ++ return 0; ++} +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 5ce40e215f15..41359e548bcb 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -906,6 +906,10 @@ extern bool efi_poweroff_required(void); + (md) <= (efi_memory_desc_t *)((m)->map_end - (m)->desc_size); \ + (md) = (void *)(md) + (m)->desc_size) + ++struct key; ++extern int __init parse_efi_signature_list(const void *data, size_t size, ++ struct key *keyring); ++ + /** + * efi_range_is_wc - check the WC bit on an address range + * @start: starting kvirt address +-- +1.9.3 + diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch new file mode 100644 index 000000000..9ad433cf7 --- /dev/null +++ b/Add-option-to-automatically-enforce-module-signature.patch 
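Review bot: In parse_efi_signature_list, `elsize = lsize - sizeof(list) - hsize;` is evaluated before the checks that rule out `lsize < sizeof(list)` and `lsize - sizeof(list) < hsize`, so the size_t subtraction can wrap and the code is only correct because the following `||` chain short-circuits before it reads `elsize`; validating `lsize` and `hsize` first, then computing `elsize`, then checking `esize` makes that explicit rather than incidental. The kerneldoc should also state two things the code shows but a caller cannot infer from the prototype: every list whose type is not `EFI_CERT_X509_GUID` is skipped (the `EFI_CERT_SHA256_GUID` type declared alongside it is among those dropped, so hash entries never reach the keyring), and every key is created with `KEY_ALLOC_TRUSTED`, so trust is decided solely by which keyring the caller passes. `unsigned offs` is mixed with `size_t` sizes throughout; `size_t offs` avoids the narrowing on a large blob. The `for` loop terminates only because the earlier check guarantees `elsize % esize == 0`, which deserves a one-line comment on the loop.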
@@ -0,0 +1,186 @@ +From acfbe6c8714da667ad980b9847edefe947f7e67e Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Fri, 9 Aug 2013 18:36:30 -0400 +Subject: [PATCH] Add option to automatically enforce module signatures when in + Secure Boot mode + +UEFI Secure Boot provides a mechanism for ensuring that the firmware will +only load signed bootloaders and kernels. Certain use cases may also +require that all kernel modules also be signed. Add a configuration option +that enforces this automatically when enabled. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +--- + Documentation/x86/zero-page.txt | 2 ++ + arch/x86/Kconfig | 10 ++++++++++ + arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ + arch/x86/include/uapi/asm/bootparam.h | 3 ++- + arch/x86/kernel/setup.c | 6 ++++++ + include/linux/module.h | 6 ++++++ + kernel/module.c | 7 +++++++ + 7 files changed, 69 insertions(+), 1 deletion(-) + +diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt +index 199f453cb4de..ec38acf00b40 100644 +--- a/Documentation/x86/zero-page.txt ++++ b/Documentation/x86/zero-page.txt +@@ -30,6 +30,8 @@ Offset Proto Name Meaning + 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) + 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer + (below) ++1EB/001 ALL kbd_status Numlock is enabled ++1EC/001 ALL secure_boot Secure boot is enabled in the firmware + 1EF/001 ALL sentinel Used to detect broken bootloaders + 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures + 2D0/A00 ALL e820_map E820 memory map table +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 5d0bf1aa9dcb..46392bfab57e 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1565,6 +1565,16 @@ config EFI_MIXED + + If unsure, say N. 
+ ++config EFI_SECURE_BOOT_SIG_ENFORCE ++ def_bool n ++ prompt "Force module signing when UEFI Secure Boot is enabled" ++ ---help--- ++ UEFI Secure Boot provides a mechanism for ensuring that the ++ firmware will only load signed bootloaders and kernels. Certain ++ use cases may also require that all kernel modules also be signed. ++ Say Y here to automatically enable module signature enforcement ++ when a system boots with UEFI Secure Boot enabled. ++ + config SECCOMP + def_bool y + prompt "Enable seccomp to safely compute untrusted bytecode" +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index f277184e2ac1..88edd48f03e9 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -12,6 +12,7 @@ + #include <asm/efi.h> + #include <asm/setup.h> + #include <asm/desc.h> ++#include <asm/bootparam_utils.h> + + #undef memcpy /* Use memcpy from misc.c */ + +@@ -803,6 +804,37 @@ out: + return status; + } + ++static int get_secure_boot(void) ++{ ++ u8 sb, setup; ++ unsigned long datasize = sizeof(sb); ++ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; ++ efi_status_t status; ++ ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, ++ L"SecureBoot", &var_guid, NULL, &datasize, &sb); ++ ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ if (sb == 0) ++ return 0; ++ ++ ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, ++ L"SetupMode", &var_guid, NULL, &datasize, ++ &setup); ++ ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ if (setup == 1) ++ return 0; ++ ++ return 1; ++} ++ ++ + /* + * See if we have Graphics Output Protocol + */ +@@ -1374,6 +1406,10 @@ struct boot_params *efi_main(struct efi_config *c, + else + setup_boot_services32(efi_early); + ++ sanitize_boot_params(boot_params); ++ ++ boot_params->secure_boot = get_secure_boot(); ++ + setup_graphics(boot_params); + + status = setup_efi_pci(boot_params); +diff --git a/arch/x86/include/uapi/asm/bootparam.h 
b/arch/x86/include/uapi/asm/bootparam.h +index 225b0988043a..90dbfb73e11f 100644 +--- a/arch/x86/include/uapi/asm/bootparam.h ++++ b/arch/x86/include/uapi/asm/bootparam.h +@@ -133,7 +133,8 @@ struct boot_params { + __u8 eddbuf_entries; /* 0x1e9 */ + __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ + __u8 kbd_status; /* 0x1eb */ +- __u8 _pad5[3]; /* 0x1ec */ ++ __u8 secure_boot; /* 0x1ec */ ++ __u8 _pad5[2]; /* 0x1ed */ + /* + * The sentinel is set to a nonzero value (0xff) in header.S. + * +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 41ead8d3bc0b..5a5cf7395724 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p) + + io_delay_init(); + ++#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE ++ if (boot_params.secure_boot) { ++ enforce_signed_modules(); ++ } ++#endif ++ + /* + * Parse the ACPI tables for possible boot-time SMP configuration. + */ +diff --git a/include/linux/module.h b/include/linux/module.h +index 341a73ecea2e..cca08ac450e2 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); + + struct notifier_block; + ++#ifdef CONFIG_MODULE_SIG ++extern void enforce_signed_modules(void); ++#else ++static inline void enforce_signed_modules(void) {}; ++#endif ++ + #ifdef CONFIG_MODULES + + extern int modules_disabled; /* for sysctl */ +diff --git a/kernel/module.c b/kernel/module.c +index 1f7b4664300e..866417ecc76a 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3843,6 +3843,13 @@ void module_layout(struct module *mod, + EXPORT_SYMBOL(module_layout); + #endif + ++#ifdef CONFIG_MODULE_SIG ++void enforce_signed_modules(void) ++{ ++ sig_enforce = true; ++} ++#endif ++ + bool secure_modules(void) + { + #ifdef CONFIG_MODULE_SIG +-- +1.9.3 + diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch new file mode 100644 index 000000000..25a60e5b6 
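Review bot: `config EFI_SECURE_BOOT_SIG_ENFORCE` has no dependency on `MODULE_SIG`, yet the `#else` stub `static inline void enforce_signed_modules(void) {};` in include/linux/module.h turns the call in setup_arch into a no-op when module signing is not built, so a kernel can carry the option and still load unsigned modules under Secure Boot; `depends on MODULE_SIG` (or `select MODULE_SIG`) keeps the option from being enabled without the mechanism it relies on. That stub also has a stray `;` after its closing brace. In get_secure_boot, `datasize` is reused for the `SetupMode` read without being reset; after a successful `SecureBoot` read it should hold the size the firmware returned, which can only be 1 here, but `datasize = sizeof(setup);` before the second call removes the dependency on that. get_secure_boot returns 0 on every firmware error, which reads as intentional fail-open for firmware that lacks the variables but should say so in a comment. efi_main and setup_arch both continue outside their hunks.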
--- /dev/null +++ b/Add-secure_modules-call.patch @@ -0,0 +1,64 @@ +From 2b10c8cae99674ce201497dda8830d13291f46b5 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Fri, 9 Aug 2013 17:58:15 -0400 +Subject: [PATCH] Add secure_modules() call + +Provide a single call to allow kernel code to determine whether the system +has been configured to either disable module loading entirely or to load +only modules signed with a trusted key. + +Bugzilla: N/A +Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +--- + include/linux/module.h | 7 +++++++ + kernel/module.c | 10 ++++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/include/linux/module.h b/include/linux/module.h +index 71f282a4e307..341a73ecea2e 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -516,6 +516,8 @@ int unregister_module_notifier(struct notifier_block *nb); + + extern void print_modules(void); + ++extern bool secure_modules(void); ++ + #else /* !CONFIG_MODULES... */ + + /* Given an address, look for it in the exception tables. */ +@@ -626,6 +628,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb) + static inline void print_modules(void) + { + } ++ ++static inline bool secure_modules(void) ++{ ++ return false; ++} + #endif /* CONFIG_MODULES */ + + #ifdef CONFIG_SYSFS +diff --git a/kernel/module.c b/kernel/module.c +index 03214bd288e9..1f7b4664300e 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3842,3 +3842,13 @@ void module_layout(struct module *mod, + } + EXPORT_SYMBOL(module_layout); + #endif ++ ++bool secure_modules(void) ++{ ++#ifdef CONFIG_MODULE_SIG ++ return (sig_enforce || modules_disabled); ++#else ++ return modules_disabled; ++#endif ++} ++EXPORT_SYMBOL(secure_modules); +-- +1.9.3 + diff --git a/sysrq-secure-boot.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch index 1b1399340..ec0b5d770 100644 
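Review bot: `secure_modules()` is a new exported predicate that other subsystems will gate privileged operations on, but it has no kerneldoc; callers need to know it is true when `sig_enforce` or `modules_disabled` (the sysctl, per the header's own comment) is set, and that it is a point-in-time snapshot rather than a lock, so a decision already taken is not revisited when the sysctl later changes. A `/** secure_modules - ... */` block above the definition in kernel/module.c stating that contract would cover it. The `!CONFIG_MODULES` stub returns `false` even though such a kernel cannot load modules at all, which sits oddly with the commit message's "disable module loading entirely" reading; if the predicate means "module loading is restricted" the stub arguably should mirror that, and otherwise a one-line comment should say the restriction is only considered when a loader exists. The parentheses in `return (sig_enforce || modules_disabled);` are redundant.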
--- a/sysrq-secure-boot.patch +++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch @@ -1,11 +1,10 @@ -Bugzilla: N/A -Upstream-status: Fedora mustard - -From 603230771bdbca78e6530d29dbe8b239cdcc8473 Mon Sep 17 00:00:00 2001 +From fa99247d0a0867fdaa29a3a2df56d388e605f543 Mon Sep 17 00:00:00 2001 From: Kyle McMartin <kyle@redhat.com> Date: Fri, 30 Aug 2013 09:28:51 -0400 Subject: [PATCH] Add sysrq option to disable secure boot mode +Bugzilla: N/A +Upstream-status: Fedora mustard --- arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/input/misc/uinput.c | 1 + @@ -17,7 +16,7 @@ Subject: [PATCH] Add sysrq option to disable secure boot mode 7 files changed, 65 insertions(+), 10 deletions(-) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 5ce785fc9f05..2024cbb7169b 100644 +index fb282ff6a802..d291d16ba257 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -70,6 +70,11 @@ @@ -71,10 +70,10 @@ index 5ce785fc9f05..2024cbb7169b 100644 .notifier_call = dump_kernel_offset }; diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index 856936247500..1e87a1ea704b 100644 +index 421e29e4cd81..61c1eb97806c 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c -@@ -353,6 +353,7 @@ static int uinput_allocate_device(struct uinput_device *udev) +@@ -366,6 +366,7 @@ static int uinput_allocate_device(struct uinput_device *udev) if (!udev->dev) return -ENOMEM; @@ -83,7 +82,7 @@ index 856936247500..1e87a1ea704b 100644 input_set_drvdata(udev->dev, udev); diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index 454b65898e2c..19d67594a3b8 100644 +index 42bad18c66c9..496e073b09d7 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c @@ -463,6 +463,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { @@ -217,7 +216,7 @@ index 387fa7d05c98..4b07e30b3279 100644 int unregister_sysrq_key(int key, struct sysrq_key_op *op); struct sysrq_key_op *__sysrq_get_key_op(int key); 
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c -index 2f7c760305ca..abb29d9811af 100644 +index 379650b984f8..070f29fefdc2 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -1924,7 +1924,7 @@ static int kdb_sr(int argc, const char **argv) @@ -230,10 +229,10 @@ index 2f7c760305ca..abb29d9811af 100644 return 0; diff --git a/kernel/module.c b/kernel/module.c -index 452079124fb7..37dabbc1e902 100644 +index 866417ecc76a..d7ca95c5a349 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */ +@@ -108,9 +108,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */ #ifdef CONFIG_MODULE_SIG #ifdef CONFIG_MODULE_SIG_FORCE diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch new file mode 100644 index 000000000..3e6935870 --- /dev/null +++ b/KEYS-Add-a-system-blacklist-keyring.patch 
@@ -0,0 +1,112 @@ +From 8d5fa1114c4c28e39636d5ff11979e42450a4480 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Fri, 26 Oct 2012 12:36:24 -0400 +Subject: [PATCH] KEYS: Add a system blacklist keyring + +This adds an additional keyring that is used to store certificates that +are blacklisted. This keyring is searched first when loading signed modules +and if the module's certificate is found, it will refuse to load. This is +useful in cases where third party certificates are used for module signing. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + include/keys/system_keyring.h | 4 ++++ + init/Kconfig | 9 +++++++++ + kernel/module_signing.c | 12 ++++++++++++ + kernel/system_keyring.c | 17 +++++++++++++++++ + 4 files changed, 42 insertions(+) + +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index 72665eb80692..2c7b80d31366 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void) + } + #endif + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++extern struct key *system_blacklist_keyring; ++#endif ++ + #endif /* _KEYS_SYSTEM_KEYRING_H */ +diff --git a/init/Kconfig b/init/Kconfig +index e84c6423a2e5..223b1a32bbcb 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1720,6 +1720,15 @@ config SYSTEM_TRUSTED_KEYRING + + Keys in this keyring are used by module signature checking. + ++config SYSTEM_BLACKLIST_KEYRING ++ bool "Provide system-wide ring of blacklisted keys" ++ depends on KEYS ++ help ++ Provide a system keyring to which blacklisted keys can be added. ++ Keys in the keyring are considered entirely untrusted. Keys in this ++ keyring are used by the module signature checking to reject loading ++ of modules signed with a blacklisted key. 
++ + config PROFILING + bool "Profiling support" + help +diff --git a/kernel/module_signing.c b/kernel/module_signing.c +index be5b8fac4bd0..fed815fcdaf2 100644 +--- a/kernel/module_signing.c ++++ b/kernel/module_signing.c +@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len, + + pr_debug("Look up: \"%s\"\n", id); + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ key = keyring_search(make_key_ref(system_blacklist_keyring, 1), ++ &key_type_asymmetric, id); ++ if (!IS_ERR(key)) { ++ /* module is signed with a cert in the blacklist. reject */ ++ pr_err("Module key '%s' is in blacklist\n", id); ++ key_ref_put(key); ++ kfree(id); ++ return ERR_PTR(-EKEYREJECTED); ++ } ++#endif ++ + key = keyring_search(make_key_ref(system_trusted_keyring, 1), + &key_type_asymmetric, id); + if (IS_ERR(key)) +diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c +index 875f64e8935b..c15e93f5a418 100644 +--- a/kernel/system_keyring.c ++++ b/kernel/system_keyring.c +@@ -20,6 +20,9 @@ + + struct key *system_trusted_keyring; + EXPORT_SYMBOL_GPL(system_trusted_keyring); ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++struct key *system_blacklist_keyring; ++#endif + + extern __initconst const u8 system_certificate_list[]; + extern __initconst const unsigned long system_certificate_list_size; +@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void) + panic("Can't allocate system trusted keyring\n"); + + set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags); ++ ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring", ++ KUIDT_INIT(0), KGIDT_INIT(0), ++ current_cred(), ++ (KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW | KEY_USR_READ, ++ KEY_ALLOC_NOT_IN_QUOTA, NULL); ++ if (IS_ERR(system_blacklist_keyring)) ++ panic("Can't allocate system blacklist keyring\n"); ++ ++ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags); ++#endif ++ + return 0; + } + +-- 
+1.9.3 + diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch new file mode 100644 index 000000000..e65958a30 --- /dev/null +++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch 
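Review bot: `config SYSTEM_BLACKLIST_KEYRING` depends only on `KEYS`, but the keyring is allocated inside system_trusted_keyring_init() in kernel/system_keyring.c, an object this series builds only under `CONFIG_SYSTEM_TRUSTED_KEYRING`, so with the blacklist option on and the trusted keyring off `system_blacklist_keyring` is declared but never defined or allocated; `depends on KEYS && SYSTEM_TRUSTED_KEYRING` (or giving the allocation its own initcall) closes that. In request_asymmetric_key the blacklist lookup treats every `IS_ERR(key)` result as "not blacklisted", so an error such as -ENOMEM, or a blacklist entry that is itself revoked or expired, falls through to the trusted-keyring search; if that fail-open is intended the comment should say so, otherwise only a not-found result should continue. The keyring is created with `KEY_USR_VIEW | KEY_USR_READ` and `KEY_FLAG_TRUSTED_ONLY`, which keeps userspace from adding entries that would block legitimate modules — worth a comment, since that is the property the design depends on. request_asymmetric_key continues outside the hunk.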
@@ -0,0 +1,186 @@ +From f06dd05414175619d0083fe4236705755f4692bd Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Fri, 26 Oct 2012 12:42:16 -0400 +Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot + +Secure Boot stores a list of allowed certificates in the 'db' variable. +This imports those certificates into the system trusted keyring. This +allows for a third party signing certificate to be used in conjunction +with signed modules. By importing the public certificate into the 'db' +variable, a user can allow a module signed with that certificate to +load. The shim UEFI bootloader has a similar certificate list stored +in the 'MokListRT' variable. We import those as well. + +In the opposite case, Secure Boot maintains a list of disallowed +certificates in the 'dbx' variable. We load those certificates into +the newly introduced system blacklist keyring and forbid any module +signed with those from loading. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + include/linux/efi.h | 6 ++++ + init/Kconfig | 9 +++++ + kernel/Makefile | 3 ++ + kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 110 insertions(+) + create mode 100644 kernel/modsign_uefi.c + +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 41359e548bcb..db9e6118575e 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -587,6 +587,12 @@ void efi_native_runtime_setup(void); + #define EFI_CERT_X509_GUID \ + EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) + ++#define EFI_IMAGE_SECURITY_DATABASE_GUID \ ++ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f ) ++ ++#define EFI_SHIM_LOCK_GUID \ ++ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 ) ++ + typedef struct { + efi_guid_t guid; + u64 table; +diff --git a/init/Kconfig b/init/Kconfig +index 223b1a32bbcb..3bad458f1c68 
100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1874,6 +1874,15 @@ config MODULE_SIG_ALL + comment "Do not forget to sign required modules with scripts/sign-file" + depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL + ++config MODULE_SIG_UEFI ++ bool "Allow modules signed with certs stored in UEFI" ++ depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI ++ select EFI_SIGNATURE_LIST_PARSER ++ help ++ This will import certificates stored in UEFI and allow modules ++ signed with those to be loaded. It will also disallow loading ++ of modules stored in the UEFI dbx variable. ++ + choice + prompt "Which hash algorithm should modules be signed with?" + depends on MODULE_SIG +diff --git a/kernel/Makefile b/kernel/Makefile +index dc5c77544fd6..95bdf3398880 100644 +--- a/kernel/Makefile ++++ b/kernel/Makefile +@@ -45,6 +45,7 @@ obj-$(CONFIG_UID16) += uid16.o + obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o + obj-$(CONFIG_MODULES) += module.o + obj-$(CONFIG_MODULE_SIG) += module_signing.o ++obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o + obj-$(CONFIG_KALLSYMS) += kallsyms.o + obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o + obj-$(CONFIG_KEXEC) += kexec.o +@@ -99,6 +100,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o + + $(obj)/configs.o: $(obj)/config_data.h + ++$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar ++ + # config_data.h contains the same information as ikconfig.h but gzipped. 
+ # Info from config_data can be extracted from /proc/config* + targets += config_data.gz +diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c +new file mode 100644 +index 000000000000..94b0eb38a284 +--- /dev/null ++++ b/kernel/modsign_uefi.c +@@ -0,0 +1,92 @@ ++#include <linux/kernel.h> ++#include <linux/sched.h> ++#include <linux/cred.h> ++#include <linux/err.h> ++#include <linux/efi.h> ++#include <linux/slab.h> ++#include <keys/asymmetric-type.h> ++#include <keys/system_keyring.h> ++#include "module-internal.h" ++ ++static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) ++{ ++ efi_status_t status; ++ unsigned long lsize = 4; ++ unsigned long tmpdb[4]; ++ void *db = NULL; ++ ++ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); ++ if (status != EFI_BUFFER_TOO_SMALL) { ++ pr_err("Couldn't get size: 0x%lx\n", status); ++ return NULL; ++ } ++ ++ db = kmalloc(lsize, GFP_KERNEL); ++ if (!db) { ++ pr_err("Couldn't allocate memory for uefi cert list\n"); ++ goto out; ++ } ++ ++ status = efi.get_variable(name, guid, NULL, &lsize, db); ++ if (status != EFI_SUCCESS) { ++ kfree(db); ++ db = NULL; ++ pr_err("Error reading db var: 0x%lx\n", status); ++ } ++out: ++ *size = lsize; ++ return db; ++} ++ ++/* ++ * * Load the certs contained in the UEFI databases ++ * */ ++static int __init load_uefi_certs(void) ++{ ++ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; ++ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; ++ void *db = NULL, *dbx = NULL, *mok = NULL; ++ unsigned long dbsize = 0, dbxsize = 0, moksize = 0; ++ int rc = 0; ++ ++ /* Check if SB is enabled and just return if not */ ++ if (!efi_enabled(EFI_SECURE_BOOT)) ++ return 0; ++ ++ /* Get db, MokListRT, and dbx. They might not exist, so it isn't ++ * an error if we can't get them. 
++ */ ++ db = get_cert_list(L"db", &secure_var, &dbsize); ++ if (!db) { ++ pr_err("MODSIGN: Couldn't get UEFI db list\n"); ++ } else { ++ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); ++ if (rc) ++ pr_err("Couldn't parse db signatures: %d\n", rc); ++ kfree(db); ++ } ++ ++ mok = get_cert_list(L"MokListRT", &mok_var, &moksize); ++ if (!mok) { ++ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); ++ } else { ++ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring); ++ if (rc) ++ pr_err("Couldn't parse MokListRT signatures: %d\n", rc); ++ kfree(mok); ++ } ++ ++ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); ++ if (!dbx) { ++ pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); ++ } else { ++ rc = parse_efi_signature_list(dbx, dbxsize, ++ system_blacklist_keyring); ++ if (rc) ++ pr_err("Couldn't parse dbx signatures: %d\n", rc); ++ kfree(dbx); ++ } ++ ++ return rc; ++} ++late_initcall(load_uefi_certs); +-- +1.9.3 + diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch new file mode 100644 index 000000000..5da7a95c9 --- /dev/null +++ b/MODSIGN-Support-not-importing-certs-from-db.patch 
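Review bot: load_uefi_certs feeds every X.509 certificate in the UEFI `db` and `MokListRT` into `system_trusted_keyring`, the keyring module signature checking consults, so any authority enrolled in db for boot-binary verification — not only ones intended for module signing — becomes a valid module signer on that machine; that widening of trust is the commit's intent, but it should be spelled out in the file header and in the `MODULE_SIG_UEFI` help text so a distribution enabling it understands the scope. get_cert_list emits `pr_err("Couldn't get size: ...")` for every status other than `EFI_BUFFER_TOO_SMALL`, including a plain not-found, which the caller's own comment says is not an error; checking for `EFI_NOT_FOUND` before the pr_err and returning quietly fixes the noise. `rc` is overwritten by each successive parse, so a failed `db` or `MokListRT` parse is masked when `dbx` parses cleanly, and a failed `dbx` parse leaves the blacklist partial while module loading proceeds regardless — either return early or add a comment stating that partial loading is acceptable. The `/* * Load ... * */` header comment has doubled asterisks.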
@@ -0,0 +1,84 @@ +From 97810ad51fb090a759a7c56cd860e0a886675945 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Thu, 3 Oct 2013 10:14:23 -0400 +Subject: [PATCH] MODSIGN: Support not importing certs from db + +If a user tells shim to not use the certs/hashes in the UEFI db variable +for verification purposes, shim will set a UEFI variable called MokIgnoreDB. +Have the uefi import code look for this and not import things from the db +variable. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c +index 94b0eb38a284..ae28b974d49a 100644 +--- a/kernel/modsign_uefi.c ++++ b/kernel/modsign_uefi.c +@@ -8,6 +8,23 @@ + #include <keys/system_keyring.h> + #include "module-internal.h" + ++static __init int check_ignore_db(void) ++{ ++ efi_status_t status; ++ unsigned int db = 0; ++ unsigned long size = sizeof(db); ++ efi_guid_t guid = EFI_SHIM_LOCK_GUID; ++ ++ /* Check and see if the MokIgnoreDB variable exists. If that fails ++ * then we don't ignore DB. If it succeeds, we do. ++ */ ++ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ return 1; ++} ++ + static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) + { + efi_status_t status; +@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void) + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *db = NULL, *dbx = NULL, *mok = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0; +- int rc = 0; ++ int ignore_db, rc = 0; + + /* Check if SB is enabled and just return if not */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + ++ /* See if the user has setup Ignore DB mode */ ++ ignore_db = check_ignore_db(); ++ + /* Get db, MokListRT, and dbx. 
They might not exist, so it isn't + * an error if we can't get them. + */ +- db = get_cert_list(L"db", &secure_var, &dbsize); +- if (!db) { +- pr_err("MODSIGN: Couldn't get UEFI db list\n"); +- } else { +- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); +- if (rc) +- pr_err("Couldn't parse db signatures: %d\n", rc); +- kfree(db); ++ if (!ignore_db) { ++ db = get_cert_list(L"db", &secure_var, &dbsize); ++ if (!db) { ++ pr_err("MODSIGN: Couldn't get UEFI db list\n"); ++ } else { ++ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); ++ if (rc) ++ pr_err("Couldn't parse db signatures: %d\n", rc); ++ kfree(db); ++ } + } + + mok = get_cert_list(L"MokListRT", &mok_var, &moksize); +-- +1.9.3 + diff --git a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch new file mode 100644 index 000000000..4bc2c9178 --- /dev/null +++ b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch 
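Review bot: When `ignore_db` is set the whole db block is skipped silently, so an operator whose db-signed modules stop loading after enabling this in shim gets nothing in dmesg explaining why; add `if (ignore_db) pr_info("MODSIGN: MokIgnoreDB set, not importing UEFI db certs\n");` right after the `ignore_db = check_ignore_db();` call. `check_ignore_db()` also deserves a comment on what it actually decides on: it passes `NULL` for the attributes argument and returns 1 on any `EFI_SUCCESS`, so only the variable's existence matters — not its value, and not whether it is a boot-services-only variable or one writable at runtime — and the kernel is relying on whatever created the variable (the description names shim) to have enforced that. Any other status, including `EFI_BUFFER_TOO_SMALL` if the variable were ever larger than `sizeof(db)`, maps to "do not ignore", which is fail-safe but worth stating in the comment. `load_uefi_certs`'s body continues past the inner hunk.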
@@ -0,0 +1,117 @@ +From ba3b2c51e65b95125e4c29725d6c7180d4dea061 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Thu, 8 Mar 2012 10:10:38 -0500 +Subject: [PATCH] PCI: Lock down BAR access when module security is enabled + +Any hardware that can potentially generate DMA has to be locked down from +userspace in order to avoid it being possible for an attacker to modify +kernel code, allowing them to circumvent disabled module loading or module +signing. Default to paranoid - in future we can potentially relax this for +sufficiently IOMMU-isolated devices. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +--- + drivers/pci/pci-sysfs.c | 10 ++++++++++ + drivers/pci/proc.c | 8 +++++++- + drivers/pci/syscall.c | 3 ++- + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 9ff0a901ecf7..8d0d5d92b8d9 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -30,6 +30,7 @@ + #include <linux/vgaarb.h> + #include <linux/pm_runtime.h> + #include <linux/of.h> ++#include <linux/module.h> + #include "pci.h" + + static int sysfs_initialized; /* = 0 */ +@@ -704,6 +705,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, + loff_t init_off = off; + u8 *data = (u8 *) buf; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (off > dev->cfg_size) + return 0; + if (off + count > dev->cfg_size) { +@@ -998,6 +1002,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, + resource_size_t start, end; + int i; + ++ if (secure_modules()) ++ return -EPERM; ++ + for (i = 0; i < PCI_ROM_RESOURCE; i++) + if (res == &pdev->resource[i]) + break; +@@ -1099,6 +1106,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, + struct bin_attribute *attr, char *buf, + loff_t off, size_t count) + { ++ if (secure_modules()) ++ return -EPERM; ++ + return pci_resource_io(filp, kobj, attr, buf, off, 
count, true); + } + +diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c +index 3f155e78513f..4265ea07e3b0 100644 +--- a/drivers/pci/proc.c ++++ b/drivers/pci/proc.c +@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, + int size = dev->cfg_size; + int cnt; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (pos >= size) + return 0; + if (nbytes >= size) +@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, + #endif /* HAVE_PCI_MMAP */ + int ret = 0; + ++ if (secure_modules()) ++ return -EPERM; ++ + switch (cmd) { + case PCIIOC_CONTROLLER: + ret = pci_domain_nr(dev->bus); +@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) + struct pci_filp_private *fpriv = file->private_data; + int i, ret; + +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || secure_modules()) + return -EPERM; + + /* Make sure the caller is mapping a real resource for this device */ +diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c +index b91c4da68365..98f5637304d1 100644 +--- a/drivers/pci/syscall.c ++++ b/drivers/pci/syscall.c +@@ -10,6 +10,7 @@ + #include <linux/errno.h> + #include <linux/pci.h> + #include <linux/syscalls.h> ++#include <linux/module.h> + #include <asm/uaccess.h> + #include "pci.h" + +@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + u32 dword; + int err = 0; + +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN) || secure_modules()) + return -EPERM; + + dev = pci_get_bus_and_slot(bus, dfn); +-- +1.9.3 + diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch new file mode 100644 index 000000000..5c8f248fd --- /dev/null +++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch 
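Review bot: In `proc_bus_pci_ioctl` the new `secure_modules()` check sits ahead of the `switch (cmd)`, so the read-only `PCIIOC_CONTROLLER` query (which only returns `pci_domain_nr(dev->bus)`) is now refused with `-EPERM` together with the mmap-related commands; if only the mmap setup is meant to be blocked, the check belongs inside the `HAVE_PCI_MMAP` cases, otherwise a comment stating the deny-everything intent would save the next reader the question. The same `if (secure_modules()) return -EPERM;` is repeated at seven sites across the three files with no comment at any of them; a one-line rationale such as `/* config/BAR writes let userspace program DMA into kernel memory; refuse when module loading is restricted */` at each would tie the checks to the commit message. `drivers/pci/proc.c` gains a `secure_modules()` call without the `#include <linux/module.h>` that `pci-sysfs.c` and `syscall.c` add — presumably it is already included transitively, but worth confirming. Every touched function body extends outside its hunk.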
@@ -0,0 +1,42 @@ +From b5eb26c8283e04ddc93419c4403442a3dae1c581 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Fri, 9 Mar 2012 09:28:15 -0500 +Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is + restricted + +Allowing users to write to address space makes it possible for the kernel +to be subverted, avoiding module loading restrictions. Prevent this when +any restrictions have been imposed on loading modules. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +--- + drivers/char/mem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/char/mem.c b/drivers/char/mem.c +index cdf839f9defe..c63cf93b00eb 100644 +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, + if (p != *ppos) + return -EFBIG; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (!valid_phys_addr_range(p, count)) + return -EFAULT; + +@@ -502,6 +505,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, + char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ + int err = 0; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (p < (unsigned long) high_memory) { + unsigned long to_write = min_t(unsigned long, count, + (unsigned long)high_memory - p); +-- +1.9.3 + diff --git a/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch b/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch index 2f44032c8..050d362b7 100644 --- a/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch +++ b/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch @@ -1,23 +1,25 @@ -Bugzilla: N/A -Upstream-status: Sigh. We almost got to drop this. - -From 20e3f1e1b9341d233a11734c07c076caac9936ef Mon Sep 17 00:00:00 2001 +From 303ffc5057887b2589b946df891506f7acadaa6f Mon Sep 17 00:00:00 2001 
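Review bot: Only the `write()` entry points `write_mem` and `write_kmem` are gated here, while the commit message describes restricting writes to address space in general; `drivers/char/mem.c` also reaches physical memory through `mmap_mem` and I/O ports through `write_port`, and neither is touched in this hunk, so unless they are covered elsewhere in the series the restriction is partial — worth confirming or extending. The two new checks would read better with a why-comment, e.g. `/* writable physical memory lets userspace alter kernel text, bypassing module signing */`, since nothing at the call sites says what `secure_modules()` is protecting. Both function bodies continue outside the hunk.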
From: Josh Boyer <jwboyer@fedoraproject.org> Date: Mon, 28 Jul 2014 12:59:48 -0400 Subject: [PATCH] Revert "Revert "ACPI / video: change acpi-video brightness_switch_enabled default to 0"" This reverts commit 2843768b701971ab10e62c77d5c75ad7c306f1bd. + +Bugzilla: N/A +Upstream-status: Sigh. We almost got to drop this. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> --- Documentation/kernel-parameters.txt | 2 +- drivers/acpi/video.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index b7fa2f599459..e8db409a7e3a 100644 +index 5ae8608ca9f5..8ffa8f91eeb2 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt -@@ -3532,7 +3532,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -3595,7 +3595,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted. the allocated input device; If set to 0, video driver will only send out the event without touching backlight brightness level. @@ -27,7 +29,7 @@ index b7fa2f599459..e8db409a7e3a 100644 virtio_mmio.device= [VMMIO] Memory mapped virtio (platform) device. diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c -index 350d52a8f781..44c89f705018 100644 +index 826884392e6b..a9fa83829ee4 100644 --- a/drivers/acpi/video.c +++ b/drivers/acpi/video.c @@ -68,7 +68,7 @@ MODULE_AUTHOR("Bruno Ducrot"); diff --git a/Revert-userns-Allow-unprivileged-users-to-create-use.patch b/Revert-userns-Allow-unprivileged-users-to-create-use.patch index cea6bff01..43aa96ac7 100644 --- a/Revert-userns-Allow-unprivileged-users-to-create-use.patch +++ b/Revert-userns-Allow-unprivileged-users-to-create-use.patch @@ -1,7 +1,4 @@ -Bugzilla: 917708 -Upstream-status: Fedora mustard - -From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001 +From 6401611f6bd360109394b46051107f2e0f55c9da Mon Sep 17 00:00:00 2001 
From: Josh Boyer <jwboyer@fedoraproject.org> Date: Wed, 13 Nov 2013 10:21:18 -0500 Subject: [PATCH] Revert "userns: Allow unprivileged users to create user @@ -9,6 +6,11 @@ Subject: [PATCH] Revert "userns: Allow unprivileged users to create user This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946. +Bugzilla: 917708 +Upstream-status: Fedora mustard + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> + Conflicts: kernel/fork.c --- @@ -16,10 +18,10 @@ Conflicts: 1 file changed, 13 insertions(+) diff --git a/kernel/fork.c b/kernel/fork.c -index f6d11fc..e04c9a7 100644 +index 0cf9cdb6e491..31d3a9763887 100644 --- a/kernel/fork.c +++ b/kernel/fork.c -@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags, +@@ -1624,6 +1624,19 @@ long do_fork(unsigned long clone_flags, long nr; /* @@ -40,5 +42,5 @@ index f6d11fc..e04c9a7 100644 * called from kernel_thread or CLONE_UNTRACED is explicitly * requested, no event is reported; otherwise, report if the event -- -1.8.3.1 +1.9.3 diff --git a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch new file mode 100644 index 000000000..bedaf1072 --- /dev/null +++ b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch 
@@ -0,0 +1,39 @@ +From 0eca3e79748fdc9ac4491a85dc6c2d306077c749 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@redhat.com> +Date: Mon, 25 Jun 2012 19:57:30 -0400 +Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading + is restricted + +This option allows userspace to pass the RSDP address to the kernel, which +makes it possible for a user to circumvent any restrictions imposed on +loading modules. Disable it in that case. + +Signed-off-by: Josh Boyer <jwboyer@redhat.com> +--- + drivers/acpi/osl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 3abe9b223ba7..ee8f11cf65da 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -44,6 +44,7 @@ + #include <linux/list.h> + #include <linux/jiffies.h> + #include <linux/semaphore.h> ++#include <linux/module.h> + + #include <asm/io.h> + #include <asm/uaccess.h> +@@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); + acpi_physical_address __init acpi_os_get_root_pointer(void) + { + #ifdef CONFIG_KEXEC +- if (acpi_rsdp) ++ if (acpi_rsdp && !secure_modules()) + return acpi_rsdp; + #endif + +-- +1.9.3 + diff --git a/0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch b/acpi-video-Add-4-new-models-to-the-use_native_backli.patch index dd7f27367..7344d032e 100644 --- a/0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch +++ b/acpi-video-Add-4-new-models-to-the-use_native_backli.patch @@ -1,8 +1,8 @@ -From 5573624261ab5d54f2dea2a3e09a98729db9ecd9 Mon Sep 17 00:00:00 2001 +From 1313c37c6a3223b837d39e97d49c5372157641cb Mon Sep 17 00:00:00 2001 From: Hans de Goede <hdegoede@redhat.com> Date: Wed, 30 Apr 2014 15:24:19 +0200 -Subject: [PATCH 1/2] acpi-video: Add 4 new models to the use_native_backlight - dmi list +Subject: [PATCH] acpi-video: Add 4 new models to the use_native_backlight dmi + list Acer Aspire V5-171 https://bugzilla.redhat.com/show_bug.cgi?id=983342 @@ -21,10 +21,10 @@ 
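Review bot: The `acpi_rsdp` parameter is dropped silently when `secure_modules()` is true — `acpi_os_get_root_pointer` simply falls through to whatever follows the `#endif` — so an administrator who passed `acpi_rsdp=` has nothing in the log explaining why it had no effect. Emit a notice once, e.g. `if (acpi_rsdp && secure_modules()) pr_warn_once("ACPI: acpi_rsdp= ignored because module loading is restricted\n");` next to the modified test. Whether `secure_modules()` already reflects the Secure Boot state at the early point where `acpi_os_get_root_pointer` runs is not visible here and should be checked, since a false negative there would let the override through. The function body continues past the hunk.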
Signed-off-by: Hans de Goede <hdegoede@redhat.com> 1 file changed, 32 insertions(+) diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c -index 8b6990e..48146fc 100644 +index a9fa83829ee4..bef6c393e8a0 100644 --- a/drivers/acpi/video.c +++ b/drivers/acpi/video.c -@@ -488,6 +488,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { +@@ -550,6 +550,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { }, }, { @@ -39,7 +39,7 @@ index 8b6990e..48146fc 100644 .callback = video_set_use_native_backlight, .ident = "Thinkpad Helix", .matches = { -@@ -513,6 +521,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { +@@ -591,6 +599,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { }, { .callback = video_set_use_native_backlight, @@ -54,7 +54,7 @@ index 8b6990e..48146fc 100644 .ident = "Acer Aspire V5-431", .matches = { DMI_MATCH(DMI_SYS_VENDOR, "Acer"), -@@ -520,6 +536,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { +@@ -638,6 +654,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { }, }, { @@ -69,7 +69,7 @@ index 8b6990e..48146fc 100644 .callback = video_set_use_native_backlight, .ident = "HP ProBook 4340s", .matches = { -@@ -571,6 +595,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { +@@ -714,6 +738,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { }, { .callback = video_set_use_native_backlight, @@ -85,5 +85,5 @@ index 8b6990e..48146fc 100644 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), -- -1.9.0 +1.9.3 diff --git a/acpi-video-Add-use-native-backlight-quirk-for-the-Th.patch b/acpi-video-Add-use-native-backlight-quirk-for-the-Th.patch index f3d36889f..c1a0612f2 100644 --- a/acpi-video-Add-use-native-backlight-quirk-for-the-Th.patch +++ b/acpi-video-Add-use-native-backlight-quirk-for-the-Th.patch 
@@ -1,11 +1,8 @@ -Bugzilla: 1093171 -Upstream-status: Queued for 3.16 - -From 7ac976d0109433d1ad0812f4f6889a904d9a0c40 Mon Sep 17 00:00:00 2001 +From 5189e67f2e7236c8c808837e342e4f19b3389735 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hdegoede@redhat.com> Date: Mon, 2 Jun 2014 17:41:10 +0200 -Subject: [PATCH 13/14] acpi-video: Add use native backlight quirk for the - ThinkPad W530 +Subject: [PATCH] acpi-video: Add use native backlight quirk for the ThinkPad + W530 Like all of the other *30 ThinkPad models, the W530 has a broken acpi-video backlight control. Note in order for this to actually fix things on the @@ -15,6 +12,9 @@ is also needed. https://bugzilla.redhat.com/show_bug.cgi?id=1093171 +Bugzilla: 1093171 +Upstream-status: Queued for 3.16 + Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede <hdegoede@redhat.com> --- @@ -22,10 +22,10 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com> 1 file changed, 8 insertions(+) diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c -index ab7cd65ce21e..dcb0ef4c22f6 100644 +index bef6c393e8a0..eb82264d9ef9 100644 --- a/drivers/acpi/video.c +++ b/drivers/acpi/video.c -@@ -468,6 +468,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { +@@ -463,6 +463,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { }, { .callback = video_set_use_native_backlight, @@ -41,5 +41,5 @@ index ab7cd65ce21e..dcb0ef4c22f6 100644 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -- -1.9.0 +1.9.3 diff --git a/acpi-video-Add-use_native_backlight-quirk-for-HP-Pro.patch b/acpi-video-Add-use_native_backlight-quirk-for-HP-Pro.patch index c8c1f7aa2..cd1f1b776 100644 --- a/acpi-video-Add-use_native_backlight-quirk-for-HP-Pro.patch +++ b/acpi-video-Add-use_native_backlight-quirk-for-HP-Pro.patch 
@@ -1,16 +1,16 @@ -Bugzilla: 1025690 -Upstream-status: Waiting for feedback from reporter - -From dfe2c6722a6f6cb45f6b336b094b26a77acd8393 Mon Sep 17 00:00:00 2001 +From 44227606cebb34bf7429aab843181ea2992efc20 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hdegoede@redhat.com> Date: Mon, 2 Jun 2014 17:41:11 +0200 -Subject: [PATCH 14/14] acpi-video: Add use_native_backlight quirk for HP - ProBook 4540s +Subject: [PATCH] acpi-video: Add use_native_backlight quirk for HP ProBook + 4540s As reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1025690 This is yet another model which needs this quirk. +Bugzilla: 1025690 +Upstream-status: Waiting for feedback from reporter + Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede <hdegoede@redhat.com> --- @@ -18,10 +18,10 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com> 1 file changed, 8 insertions(+) diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c -index dcb0ef4c22f6..3db16753f88a 100644 +index eb82264d9ef9..34da76ffc59a 100644 --- a/drivers/acpi/video.c +++ b/drivers/acpi/video.c -@@ -548,6 +548,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { +@@ -687,6 +687,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { }, { .callback = video_set_use_native_backlight, @@ -37,5 +37,5 @@ index dcb0ef4c22f6..3db16753f88a 100644 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), -- -1.9.0 +1.9.3 diff --git a/arm-beagle.patch b/arm-beagle.patch deleted file mode 100644 index 5e2d8abdc..000000000 --- a/arm-beagle.patch +++ /dev/null 
@@ -1,460 +0,0 @@ -Bugzilla: 1012025 -Upstream-status: In beagle github repository https://github.com/beagleboard/kernel - -From b5a2528c89fc8049b2a6a750634c14983e33d00f Mon Sep 17 00:00:00 2001 -From: Robert Nelson <robertcnelson@gmail.com> -Date: Fri, 27 Dec 2013 13:05:09 -0600 -Subject: [PATCH] arm: dts: am335x-boneblack: lcdc add panel-info - -Signed-off-by: Robert Nelson <robertcnelson@gmail.com> ---- - arch/arm/boot/dts/am335x-boneblack.dts | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts -index 6b71ad9..09ffbd8 100644 ---- a/arch/arm/boot/dts/am335x-boneblack.dts -+++ b/arch/arm/boot/dts/am335x-boneblack.dts -@@ -74,5 +74,18 @@ - pinctrl-0 = <&nxp_hdmi_bonelt_pins>; - pinctrl-1 = <&nxp_hdmi_bonelt_off_pins>; - status = "okay"; -+ -+ panel-info { -+ bpp = <16>; -+ ac-bias = <255>; -+ ac-bias-intrpt = <0>; -+ dma-burst-sz = <16>; -+ fdd = <16>; -+ sync-edge = <1>; -+ sync-ctrl = <1>; -+ raster-order = <0>; -+ fifo-th = <0>; -+ invert-pxl-clk; -+ }; - }; - }; --- -1.8.5.1 - -From 1da083a002581520dd358b8b8e097078000d12b9 Mon Sep 17 00:00:00 2001 -From: Robert Nelson <robertcnelson@gmail.com> -Date: Fri, 27 Dec 2013 13:14:19 -0600 -Subject: [PATCH 2/2] arm: dts: am335x-boneblack: add cpu0 opp points - -Signed-off-by: Robert Nelson <robertcnelson@gmail.com> ---- - arch/arm/boot/dts/am335x-boneblack.dts | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts -index 09ffbd8..f213ccd 100644 ---- a/arch/arm/boot/dts/am335x-boneblack.dts -+++ b/arch/arm/boot/dts/am335x-boneblack.dts -@@ -67,6 +67,24 @@ - }; - - / { -+ cpus { -+ cpu@0 { -+ cpu0-supply = <&dcdc2_reg>; -+ /* -+ * To consider voltage drop between PMIC and SoC, -+ * tolerance value is reduced to 2% from 4% and -+ * voltage value is increased as a precaution. 
-+ */ -+ operating-points = < -+ /* kHz uV */ -+ 1000000 1325000 -+ 800000 1300000 -+ 600000 1112000 -+ 300000 969000 -+ >; -+ }; -+ }; -+ - hdmi { - compatible = "ti,tilcdc,slave"; - i2c = <&i2c0>; --- -1.8.5.1 - -From 8551d8aa7d3e002da2097e7e902fb96fceb8694e Mon Sep 17 00:00:00 2001 -From: Robert Nelson <robertcnelson@gmail.com> -Date: Tue, 31 Dec 2013 11:17:45 -0600 -Subject: [PATCH 3/3] arm: dts: am335x-bone-common: enable and use i2c2 - -Signed-off-by: Robert Nelson <robertcnelson@gmail.com> ---- - arch/arm/boot/dts/am335x-bone-common.dtsi | 39 +++++++++++++++++++++++++++++++ - 1 file changed, 39 insertions(+) - -diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi -index e3f27ec..54366b6 100644 ---- a/arch/arm/boot/dts/am335x-bone-common.dtsi -+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi -@@ -84,6 +84,13 @@ - >; - }; - -+ i2c2_pins: pinmux_i2c2_pins { -+ pinctrl-single,pins = < -+ 0x178 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) uart1_ctsn.i2c2_sda */ -+ 0x17c 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) uart1_rtsn.i2c2_scl */ -+ >; -+ }; -+ - uart0_pins: pinmux_uart0_pins { - pinctrl-single,pins = < - 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ -@@ -220,6 +227,38 @@ - reg = <0x24>; - }; - -+ baseboard_eeprom: baseboard_eeprom@50 { -+ compatible = "at,24c256"; -+ reg = <0x50>; -+ }; -+}; -+ -+&i2c2 { -+ status = "okay"; -+ pinctrl-names = "default"; -+ pinctrl-0 = <&i2c2_pins>; -+ -+ clock-frequency = <100000>; -+ -+ cape_eeprom0: cape_eeprom0@54 { -+ compatible = "at,24c256"; -+ reg = <0x54>; -+ }; -+ -+ cape_eeprom1: cape_eeprom1@55 { -+ compatible = "at,24c256"; -+ reg = <0x55>; -+ }; -+ -+ cape_eeprom2: cape_eeprom2@56 { -+ compatible = "at,24c256"; -+ reg = <0x56>; -+ }; -+ -+ cape_eeprom3: cape_eeprom3@57 { -+ compatible = "at,24c256"; -+ reg = <0x57>; -+ }; - }; - - /include/ "tps65217.dtsi" --- -1.8.5.2 - -From a3099dc53a47d1694a5b575580ec3406dc429bf8 Mon Sep 17 
00:00:00 2001 -From: Robert Nelson <robertcnelson@gmail.com> -Date: Tue, 31 Dec 2013 14:18:00 -0600 -Subject: [PATCH 4/4] arm: dts: am335x-bone-common: setup default pinmux - http://elinux.org/Basic_Proto_Cape - -Signed-off-by: Robert Nelson <robertcnelson@gmail.com> ---- - arch/arm/boot/dts/am335x-bone-common.dtsi | 130 ++++++++++++++++++++++++++++++ - 1 file changed, 130 insertions(+) - -diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi -index e4571af..f85cabc 100644 ---- a/arch/arm/boot/dts/am335x-bone-common.dtsi -+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi -@@ -98,6 +98,13 @@ - >; - }; - -+ uart1_pins: pinmux_uart1_pins { -+ pinctrl-single,pins = < -+ 0x180 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart1_rxd.uart1_rxd */ -+ 0x184 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart1_txd.uart1_txd */ -+ >; -+ }; -+ - clkout2_pin: pinmux_clkout2_pin { - pinctrl-single,pins = < - 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ -@@ -178,6 +185,33 @@ - 0x1c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad7.mmc1_dat7 */ - >; - }; -+ -+ spi0_pins: pinmux_spi0_pins { -+ pinctrl-single,pins = < -+ 0x150 (PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_sclk.spi0_sclk */ -+ 0x154 (PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_d0.spi0_d0 */ -+ 0x158 (PIN_OUTPUT_PULLUP | MUX_MODE0) /* spi0_d1.spi0_d1 */ -+ 0x15c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* spi0_cs0.spi0_cs0 */ -+ >; -+ }; -+ -+ ehrpwm1_pin_p9_14: pinmux_ehrpwm1_pin_p9_14 { -+ pinctrl-single,pins = < -+ 0x048 0x6 /* P9_14 (ZCZ ball U14) | MODE 6 */ -+ >; -+ }; -+ -+ ehrpwm1_pin_p9_16: pinmux_ehrpwm1_pin_p9_16 { -+ pinctrl-single,pins = < -+ 0x04c 0x6 /* P9_16 (ZCZ ball T14) | MODE 6 */ -+ >; -+ }; -+ -+ ecap0_pin_p9_42: pinmux_ecap0_pin_p9_42 { -+ pinctrl-single,pins = < -+ 0x164 0x0 /* P9_42 (ZCZ ball C18) | MODE 0 */ -+ >; -+ }; - }; - - &uart0 { -@@ -187,6 +221,13 @@ - status = "okay"; - }; - -+&uart1 { -+ pinctrl-names = "default"; -+ pinctrl-0 = <&uart1_pins>; -+ -+ status = 
"okay"; -+}; -+ - &usb { - status = "okay"; - -@@ -261,6 +302,56 @@ - }; - }; - -+&epwmss0 { -+ pinctrl-names = "default"; -+ pinctrl-0 = <&ecap0_pin_p9_42>; -+ status = "okay"; -+ -+ ecap@48300100 { -+ status = "okay"; -+ }; -+}; -+ -+&epwmss1 { -+ pinctrl-names = "default"; -+ pinctrl-0 = < -+ &ehrpwm1_pin_p9_14 -+ &ehrpwm1_pin_p9_16 -+ >; -+ -+ status = "okay"; -+ -+ ehrpwm@48302200 { -+ status = "okay"; -+ }; -+}; -+ -+&spi0 { -+ pinctrl-names = "default"; -+ pinctrl-0 = <&spi0_pins>; -+ status = "okay"; -+ -+ spidev0: spi@0 { -+ compatible = "spidev"; -+ reg = <0>; -+ spi-max-frequency = <16000000>; -+ spi-cpha; -+ }; -+ -+ spidev1: spi@1 { -+ compatible = "spidev"; -+ reg = <1>; -+ spi-max-frequency = <16000000>; -+ }; -+}; -+ -+&tscadc { -+ status = "okay"; -+ adc { -+ ti,adc-channels = <4 5 6>; -+ }; -+}; -+ - /include/ "tps65217.dtsi" - - &tps { -@@ -336,3 +427,42 @@ - cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>; - cd-inverted; - }; -+ -+/ { -+ ocp { -+ //FIXME: these pwm's still need work, this guild isn't working.. 
-+ //http://elinux.org/EBC_Exercise_13_Pulse_Width_Modulation -+ pwm_test_P9_14@0 { -+ compatible = "pwm_test"; -+ pwms = <&ehrpwm1 0 500000 1>; -+ pwm-names = "PWM_P9_14"; -+ pinctrl-names = "default"; -+ pinctrl-0 = <&ehrpwm1_pin_p9_14>; -+ enabled = <1>; -+ duty = <0>; -+ status = "okay"; -+ }; -+ -+ pwm_test_P9_16@0 { -+ compatible = "pwm_test"; -+ pwms = <&ehrpwm1 0 500000 1>; -+ pwm-names = "PWM_P9_16"; -+ pinctrl-names = "default"; -+ pinctrl-0 = <&ehrpwm1_pin_p9_16>; -+ enabled = <1>; -+ duty = <0>; -+ status = "okay"; -+ }; -+ -+ pwm_test_P9_42 { -+ compatible = "pwm_test"; -+ pwms = <&ecap0 0 500000 1>; -+ pwm-names = "PWM_P9_42"; -+ pinctrl-names = "default"; -+ pinctrl-0 = <&ecap0_pin_p9_42>; -+ enabled = <1>; -+ duty = <0>; -+ status = "okay"; -+ }; -+ }; -+}; --- -1.8.5.2 - -From b6e2c817edfc6d73874cf833daffe1be6c7ed8bb Mon Sep 17 00:00:00 2001 -From: Robert Nelson <robertcnelson@gmail.com> -Date: Thu, 13 Mar 2014 14:18:52 -0500 -Subject: [PATCH] arm: dts: am335x-bone-common: add - uart2_pins/uart4_pins/uart5_pins - -Signed-off-by: Robert Nelson <robertcnelson@gmail.com> ---- - arch/arm/boot/dts/am335x-bone-common.dtsi | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi -index f85cabc..5270d18 100644 ---- a/arch/arm/boot/dts/am335x-bone-common.dtsi -+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi -@@ -105,6 +105,27 @@ - >; - }; - -+ uart2_pins: pinmux_uart2_pins { -+ pinctrl-single,pins = < -+ 0x150 0x21 /* spi0_sclk.uart2_rxd | MODE1 */ -+ 0x154 0x01 /* spi0_d0.uart2_txd | MODE1 */ -+ >; -+ }; -+ -+ uart4_pins: pinmux_uart4_pins { -+ pinctrl-single,pins = < -+ 0x070 0x26 /* gpmc_wait0.uart4_rxd | MODE6 */ -+ 0x074 0x06 /* gpmc_wpn.uart4_txd | MODE6 */ -+ >; -+ }; -+ -+ uart5_pins: pinmux_uart5_pins { -+ pinctrl-single,pins = < -+ 0x0C4 0x24 /* lcd_data9.uart5_rxd | MODE4 */ -+ 0x0C0 0x04 /* lcd_data8.uart5_txd | MODE4 */ -+ >; -+ }; -+ - 
clkout2_pin: pinmux_clkout2_pin { - pinctrl-single,pins = < - 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ --- -1.9.0 - -From 72567452d5d6007010597158f6afd00e2bf07579 Mon Sep 17 00:00:00 2001 -From: Pantelis Antoniou <panto@antoniou-consulting.com> -Date: Sat, 15 Sep 2012 12:00:41 +0300 -Subject: [PATCH] pinctrl: pinctrl-single must be initialized early. - -When using pinctrl-single to handle i2c initialization, it has -to be done early. Whether this is the best way to do so, is an -exercise left to the reader. ---- - drivers/pinctrl/pinctrl-single.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c -index 829b98c..5107dcf 100644 ---- a/drivers/pinctrl/pinctrl-single.c -+++ b/drivers/pinctrl/pinctrl-single.c -@@ -2039,7 +2039,17 @@ static struct platform_driver pcs_driver = { - #endif - }; - --module_platform_driver(pcs_driver); -+static int __init pcs_init(void) -+{ -+ return platform_driver_register(&pcs_driver); -+} -+postcore_initcall(pcs_init); -+ -+static void __exit pcs_exit(void) -+{ -+ platform_driver_unregister(&pcs_driver); -+} -+module_exit(pcs_exit); - - MODULE_AUTHOR("Tony Lindgren <tony@atomide.com>"); - MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver"); --- -1.8.5.2 - -From b6e2c817edfc6d73874cf833daffe1be6c7ed8bb Mon Sep 17 00:00:00 2001 -From: Robert Nelson <robertcnelson@gmail.com> -Date: Thu, 13 Mar 2014 14:18:52 -0500 -Subject: [PATCH] arm: dts: am335x-bone-common: add - uart2_pins/uart4_pins/uart5_pins - -Signed-off-by: Robert Nelson <robertcnelson@gmail.com> ---- - arch/arm/boot/dts/am335x-bone-common.dtsi | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi -index f85cabc..5270d18 100644 ---- a/arch/arm/boot/dts/am335x-bone-common.dtsi -+++ 
b/arch/arm/boot/dts/am335x-bone-common.dtsi -@@ -105,6 +105,27 @@ - >; - }; - -+ uart2_pins: pinmux_uart2_pins { -+ pinctrl-single,pins = < -+ 0x150 0x21 /* spi0_sclk.uart2_rxd | MODE1 */ -+ 0x154 0x01 /* spi0_d0.uart2_txd | MODE1 */ -+ >; -+ }; -+ -+ uart4_pins: pinmux_uart4_pins { -+ pinctrl-single,pins = < -+ 0x070 0x26 /* gpmc_wait0.uart4_rxd | MODE6 */ -+ 0x074 0x06 /* gpmc_wpn.uart4_txd | MODE6 */ -+ >; -+ }; -+ -+ uart5_pins: pinmux_uart5_pins { -+ pinctrl-single,pins = < -+ 0x0C4 0x24 /* lcd_data9.uart5_rxd | MODE4 */ -+ 0x0C0 0x04 /* lcd_data8.uart5_txd | MODE4 */ -+ >; -+ }; -+ - clkout2_pin: pinmux_clkout2_pin { - pinctrl-single,pins = < - 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ --- -1.9.0 diff --git a/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch b/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch new file mode 100644 index 000000000..ed2ec9228 --- /dev/null +++ b/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch 
@@ -0,0 +1,46 @@ +From e2106f3eff00baedfe05e5e334731bd80465292e Mon Sep 17 00:00:00 2001 +From: Robert Nelson <robertcnelson@gmail.com> +Date: Thu, 13 Mar 2014 14:18:52 -0500 +Subject: [PATCH] arm: dts: am335x-bone-common: add + uart2_pins/uart4_pins/uart5_pins + +Signed-off-by: Robert Nelson <robertcnelson@gmail.com> +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index db4518ef755d..c983caab7d9b 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -126,6 +126,27 @@ + >; + }; + ++ uart2_pins: pinmux_uart2_pins { ++ pinctrl-single,pins = < ++ 0x150 0x21 /* spi0_sclk.uart2_rxd | MODE1 */ ++ 0x154 0x01 /* spi0_d0.uart2_txd | MODE1 */ ++ >; ++ }; ++ ++ uart4_pins: pinmux_uart4_pins { ++ pinctrl-single,pins = < ++ 0x070 0x26 /* gpmc_wait0.uart4_rxd | MODE6 */ ++ 0x074 0x06 /* gpmc_wpn.uart4_txd | MODE6 */ ++ >; ++ }; ++ ++ uart5_pins: pinmux_uart5_pins { ++ pinctrl-single,pins = < ++ 0x0C4 0x24 /* lcd_data9.uart5_rxd | MODE4 */ ++ 0x0C0 0x04 /* lcd_data8.uart5_txd | MODE4 */ ++ >; ++ }; ++ + clkout2_pin: pinmux_clkout2_pin { + pinctrl-single,pins = < + 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ +-- +1.9.3 + diff --git a/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch b/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch new file mode 100644 index 000000000..3221aa2a9 --- /dev/null +++ b/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch 
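Review bot: The new `uart2_pins`/`uart4_pins`/`uart5_pins` entries give the pinmux values as raw numbers (`0x21`, `0x01`, `0x26`, `0x06`, `0x24`, `0x04`) with only the mux mode named in the comment, while the neighbouring `clkout2_pin` entry in the same block uses the symbolic form `0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3)`; from `0x21` a reader cannot tell whether the receiver is enabled or a pull is configured without decoding the register by hand. Writing them symbolically, e.g. `0x150 (PIN_INPUT_PULLDOWN | MUX_MODE1)` and `0x154 (PIN_OUTPUT_PULLDOWN | MUX_MODE1)` — assuming 0x21 and 0x01 decode that way under this tree's am33xx pinctrl header, which should be checked — keeps the file self-describing and consistent with the rest of the block. The `i2c2_pins` entry in the following patch (`0x178 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) ... */`) has the same pattern and already carries the expansion in its comment, so it could use that expression directly.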
@@ -0,0 +1,70 @@
+From 8f78a0f9c488620f58532e69c8b632b75ee11907 Mon Sep 17 00:00:00 2001
+From: Robert Nelson <robertcnelson@gmail.com>
+Date: Tue, 31 Dec 2013 11:17:45 -0600
+Subject: [PATCH] arm: dts: am335x-bone-common: enable and use i2c2
+
+Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
+---
+ arch/arm/boot/dts/am335x-bone-common.dtsi | 39 +++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
+index bde1777b62be..c7357bcc7d5c 100644
+--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
+@@ -84,6 +84,13 @@
+ >;
+ };
+ 
++ i2c2_pins: pinmux_i2c2_pins {
++ pinctrl-single,pins = <
++ 0x178 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) uart1_ctsn.i2c2_sda */
++ 0x17c 0x73 /* (SLEWCTRL_SLOW | PIN_INPUT_PULLUP | MUX_MODE3) uart1_rtsn.i2c2_scl */
++ >;
++ };
++
+ uart0_pins: pinmux_uart0_pins {
+ pinctrl-single,pins = <
+ 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */
+@@ -220,6 +227,38 @@
+ reg = <0x24>;
+ };
+ 
++ baseboard_eeprom: baseboard_eeprom@50 {
++ compatible = "at,24c256";
++ reg = <0x50>;
++ };
++};
++
++&i2c2 {
++ status = "okay";
++ pinctrl-names = "default";
++ pinctrl-0 = <&i2c2_pins>;
++
++ clock-frequency = <100000>;
++
++ cape_eeprom0: cape_eeprom0@54 {
++ compatible = "at,24c256";
++ reg = <0x54>;
++ };
++
++ cape_eeprom1: cape_eeprom1@55 {
++ compatible = "at,24c256";
++ reg = <0x55>;
++ };
++
++ cape_eeprom2: cape_eeprom2@56 {
++ compatible = "at,24c256";
++ reg = <0x56>;
++ };
++
++ cape_eeprom3: cape_eeprom3@57 {
++ compatible = "at,24c256";
++ reg = <0x57>;
++ };
+ };
+ 
+ /include/ "tps65217.dtsi"
+--
+1.9.3
+
diff --git a/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch b/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch
new file mode 100644
index 000000000..095618331
--- /dev/null
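Review bot: All five EEPROM nodes use `compatible = "at,24c256";`, and `at` is not the registered vendor prefix for these parts — the documented form is `compatible = "atmel,24c256";`. The i2c core matches the at24 driver on the part name after the comma, so this presumably works at runtime, but the nonstandard prefix will trip binding checks and any future driver that matches on the full string, so it is worth correcting while the nodes are new. The i2c2 node itself (pinctrl, `clock-frequency = <100000>`, status) looks consistent with the i2c0 node it follows.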
+++ b/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch 
@@ -0,0 +1,180 @@ +From 4546ddeebfc63fcb8ea157d6d730be0e4f122344 Mon Sep 17 00:00:00 2001 +From: Robert Nelson <robertcnelson@gmail.com> +Date: Tue, 31 Dec 2013 14:18:00 -0600 +Subject: [PATCH] arm: dts: am335x-bone-common: setup default pinmux + http://elinux.org/Basic_Proto_Cape + +Signed-off-by: Robert Nelson <robertcnelson@gmail.com> +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 130 ++++++++++++++++++++++++++++++ + 1 file changed, 130 insertions(+) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index c7357bcc7d5c..86cdb52dbf8a 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -98,6 +98,13 @@ + >; + }; + ++ uart1_pins: pinmux_uart1_pins { ++ pinctrl-single,pins = < ++ 0x180 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart1_rxd.uart1_rxd */ ++ 0x184 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart1_txd.uart1_txd */ ++ >; ++ }; ++ + clkout2_pin: pinmux_clkout2_pin { + pinctrl-single,pins = < + 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ +@@ -178,6 +185,33 @@ + 0x1c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad7.mmc1_dat7 */ + >; + }; ++ ++ spi0_pins: pinmux_spi0_pins { ++ pinctrl-single,pins = < ++ 0x150 (PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_sclk.spi0_sclk */ ++ 0x154 (PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_d0.spi0_d0 */ ++ 0x158 (PIN_OUTPUT_PULLUP | MUX_MODE0) /* spi0_d1.spi0_d1 */ ++ 0x15c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* spi0_cs0.spi0_cs0 */ ++ >; ++ }; ++ ++ ehrpwm1_pin_p9_14: pinmux_ehrpwm1_pin_p9_14 { ++ pinctrl-single,pins = < ++ 0x048 0x6 /* P9_14 (ZCZ ball U14) | MODE 6 */ ++ >; ++ }; ++ ++ ehrpwm1_pin_p9_16: pinmux_ehrpwm1_pin_p9_16 { ++ pinctrl-single,pins = < ++ 0x04c 0x6 /* P9_16 (ZCZ ball T14) | MODE 6 */ ++ >; ++ }; ++ ++ ecap0_pin_p9_42: pinmux_ecap0_pin_p9_42 { ++ pinctrl-single,pins = < ++ 0x164 0x0 /* P9_42 (ZCZ ball C18) | MODE 0 */ ++ >; ++ }; + }; + + &uart0 { +@@ -187,6 +221,13 @@ + status = "okay"; + }; + ++&uart1 
{ ++ pinctrl-names = "default"; ++ pinctrl-0 = <&uart1_pins>; ++ ++ status = "okay"; ++}; ++ + &usb { + status = "okay"; + }; +@@ -261,6 +302,56 @@ + }; + }; + ++&epwmss0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&ecap0_pin_p9_42>; ++ status = "okay"; ++ ++ ecap@48300100 { ++ status = "okay"; ++ }; ++}; ++ ++&epwmss1 { ++ pinctrl-names = "default"; ++ pinctrl-0 = < ++ &ehrpwm1_pin_p9_14 ++ &ehrpwm1_pin_p9_16 ++ >; ++ ++ status = "okay"; ++ ++ ehrpwm@48302200 { ++ status = "okay"; ++ }; ++}; ++ ++&spi0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&spi0_pins>; ++ status = "okay"; ++ ++ spidev0: spi@0 { ++ compatible = "spidev"; ++ reg = <0>; ++ spi-max-frequency = <16000000>; ++ spi-cpha; ++ }; ++ ++ spidev1: spi@1 { ++ compatible = "spidev"; ++ reg = <1>; ++ spi-max-frequency = <16000000>; ++ }; ++}; ++ ++&tscadc { ++ status = "okay"; ++ adc { ++ ti,adc-channels = <4 5 6>; ++ }; ++}; ++ + /include/ "tps65217.dtsi" + + &tps { +@@ -337,3 +428,42 @@ + cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>; + cd-inverted; + }; ++ ++/ { ++ ocp { ++ //FIXME: these pwm's still need work, this guild isn't working.. ++ //http://elinux.org/EBC_Exercise_13_Pulse_Width_Modulation ++ pwm_test_P9_14@0 { ++ compatible = "pwm_test"; ++ pwms = <&ehrpwm1 0 500000 1>; ++ pwm-names = "PWM_P9_14"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&ehrpwm1_pin_p9_14>; ++ enabled = <1>; ++ duty = <0>; ++ status = "okay"; ++ }; ++ ++ pwm_test_P9_16@0 { ++ compatible = "pwm_test"; ++ pwms = <&ehrpwm1 0 500000 1>; ++ pwm-names = "PWM_P9_16"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&ehrpwm1_pin_p9_16>; ++ enabled = <1>; ++ duty = <0>; ++ status = "okay"; ++ }; ++ ++ pwm_test_P9_42 { ++ compatible = "pwm_test"; ++ pwms = <&ecap0 0 500000 1>; ++ pwm-names = "PWM_P9_42"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&ecap0_pin_p9_42>; ++ enabled = <1>; ++ duty = <0>; ++ status = "okay"; ++ }; ++ }; ++}; +-- +1.9.3 + 
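Review bot: `pwm_test_P9_14@0` and `pwm_test_P9_16@0` both request `pwms = <&ehrpwm1 0 500000 1>;` although they mux different pads (0x048 and 0x04c); ehrpwm1 has two outputs, so the P9_16 node almost certainly wants the second channel, `pwms = <&ehrpwm1 1 500000 1>;`, and as written the two nodes contend for the same channel, which may be part of why the patch's own FIXME says these PWMs do not work. Both nodes also carry a `@0` unit address without a `reg` property, which dtc flags; dropping the `@0` is the usual fix. Separately, the two `spidev` nodes use `compatible = "spidev"`, a driver name rather than a hardware description that upstream later rejects, so if this patch is carried forward it will need a real device compatible. The pinmux hunk spans two rendered lines here but is complete.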
diff --git a/arm-dts-am335x-boneblack-add-cpu0-opp-points.patch b/arm-dts-am335x-boneblack-add-cpu0-opp-points.patch
new file mode 100644
index 000000000..901f6985a
--- /dev/null
+++ b/arm-dts-am335x-boneblack-add-cpu0-opp-points.patch
@@ -0,0 +1,42 @@
+From ff97bcb64690196202be14fcb99c428075e6d373 Mon Sep 17 00:00:00 2001
+From: Robert Nelson <robertcnelson@gmail.com>
+Date: Fri, 27 Dec 2013 13:14:19 -0600
+Subject: [PATCH] arm: dts: am335x-boneblack: add cpu0 opp points
+
+Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
+---
+ arch/arm/boot/dts/am335x-boneblack.dts | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts
+index bf5349165542..acfff3befff5 100644
+--- a/arch/arm/boot/dts/am335x-boneblack.dts
++++ b/arch/arm/boot/dts/am335x-boneblack.dts
+@@ -66,6 +66,24 @@
+ };
+ 
+ / {
++ cpus {
++ cpu@0 {
++ cpu0-supply = <&dcdc2_reg>;
++ /*
++ * To consider voltage drop between PMIC and SoC,
++ * tolerance value is reduced to 2% from 4% and
++ * voltage value is increased as a precaution.
++ */
++ operating-points = <
++ /* kHz uV */
++ 1000000 1325000
++ 800000 1300000
++ 600000 1112000
++ 300000 969000
++ >;
++ };
++ };
++
+ hdmi {
+ compatible = "ti,tilcdc,slave";
+ i2c = <&i2c0>;
+--
+1.9.3
+
diff --git a/arm-dts-am335x-boneblack-lcdc-add-panel-info.patch b/arm-dts-am335x-boneblack-lcdc-add-panel-info.patch
new file mode 100644
index 000000000..b7d0491f2
--- /dev/null
+++ b/arm-dts-am335x-boneblack-lcdc-add-panel-info.patch
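Review bot: The comment above `operating-points` says the tolerance was reduced to 2%, but no `voltage-tolerance` property appears in the node — presumably it is inherited from the `cpu@0` node of the included am33xx.dtsi, in which case the comment describes a change made elsewhere and should say so, e.g. `/* voltage-tolerance is set in am33xx.dtsi; voltages here are raised to cover PMIC-to-SoC drop */`. The 1000000 kHz / 1325000 uV point is also applied unconditionally; AM335x parts are not uniformly rated for 1 GHz, so if this dts is ever shared with slower-binned boards the top OPP should be gated on the part's rating rather than assumed. Both points are inferred from the hunk alone; the include chain is not visible here.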
@@ -0,0 +1,39 @@
+From 686c0fbe0b0758420728e99fbbc9898856c61a65 Mon Sep 17 00:00:00 2001
+From: Robert Nelson <robertcnelson@gmail.com>
+Date: Fri, 27 Dec 2013 13:05:09 -0600
+Subject: [PATCH] arm: dts: am335x-boneblack: lcdc add panel-info
+
+Bugzilla: 1012025
+Upstream-status: In beagle github repository https://github.com/beagleboard/kernel
+
+Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
+---
+ arch/arm/boot/dts/am335x-boneblack.dts | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts
+index 305975d3f531..bf5349165542 100644
+--- a/arch/arm/boot/dts/am335x-boneblack.dts
++++ b/arch/arm/boot/dts/am335x-boneblack.dts
+@@ -73,5 +73,18 @@
+ pinctrl-0 = <&nxp_hdmi_bonelt_pins>;
+ pinctrl-1 = <&nxp_hdmi_bonelt_off_pins>;
+ status = "okay";
++
++ panel-info {
++ bpp = <16>;
++ ac-bias = <255>;
++ ac-bias-intrpt = <0>;
++ dma-burst-sz = <16>;
++ fdd = <16>;
++ sync-edge = <1>;
++ sync-ctrl = <1>;
++ raster-order = <0>;
++ fifo-th = <0>;
++ invert-pxl-clk;
++ };
+ };
+ };
+--
+1.9.3
+
diff --git a/arm-imx6-utilite.patch b/arm-i.MX6-Utilite-device-dtb.patch
index bb0747202..b65471ace 100644
--- a/arm-imx6-utilite.patch
+++ b/arm-i.MX6-Utilite-device-dtb.patch
@@ -1,5 +1,14 @@
+From 4c556949693ab7de84984559735bdd1b33cb77b5 Mon Sep 17 00:00:00 2001
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Fri, 11 Jul 2014 00:10:56 +0100
+Subject: [PATCH] arm: i.MX6 Utilite device dtb
+
+---
+ arch/arm/boot/dts/imx6q-cm-fx6.dts | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
 diff --git a/arch/arm/boot/dts/imx6q-cm-fx6.dts b/arch/arm/boot/dts/imx6q-cm-fx6.dts
-index 99b46f8..8b6ddd1 100644
+index 99b46f8030ad..8b6ddd16dcc5 100644
 --- a/arch/arm/boot/dts/imx6q-cm-fx6.dts
 +++ b/arch/arm/boot/dts/imx6q-cm-fx6.dts
 @@ -97,11 +97,49 @@
@@ -52,3 +61,6 @@ index 99b46f8..8b6ddd1 100644
 + pinctrl-0 = <&pinctrl_usdhc3>;
 + status = "okay";
 +};
+--
+1.9.3
+
diff --git a/arm-tegra-usb-no-reset-linux33.patch b/arm-tegra-usb-no-reset-linux33.patch deleted file mode 100644 index 342e80f5a..000000000 --- a/arm-tegra-usb-no-reset-linux33.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- linux-3.3.4-3.fc17.x86_64_orig/drivers/usb/core/hub.c 2012-05-02 20:08:18.421685932 -0400
-+++ linux-3.3.4-3.fc17.x86_64/drivers/usb/core/hub.c 2012-05-02 20:30:36.565865425 -0400
-@@ -3484,6 +3484,13 @@ static void hub_events(void)
- (u16) hub->change_bits[0],
- (u16) hub->event_bits[0]);
-
-+ /* Don't disconnect USB-SATA on TrimSlice */
-+ if (strcmp(dev_name(hdev->bus->controller), "tegra-ehci.0") == 0) {
-+ if ((hdev->state == 7) && (hub->change_bits[0] == 0) &&
-+ (hub->event_bits[0] == 0x2))
-+ hub->event_bits[0] = 0;
-+ }
-+
- /* Lock the device, then check to see if we were
- * disconnected while waiting for the lock to succeed. */
- usb_lock_device(hdev);
diff --git a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
new file mode 100644
index 000000000..781c8e0ce
--- /dev/null
+++ b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch
@@ -0,0 +1,54 @@
+From ed8fc77bea869c0277b035b2b79470ba350c31e0 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Mar 2012 08:46:50 -0500
+Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is
+ restricted
+
+We have no way of validating what all of the Asus WMI methods do on a
+given machine, and there's a risk that some will allow hardware state to
+be manipulated in such a way that arbitrary code can be executed in the
+kernel, circumventing module loading restrictions. Prevent that if any of
+these features are enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/platform/x86/asus-wmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 21fc932da3a1..c6d42ad95c08 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -1590,6 +1590,9 @@ static int show_dsts(struct seq_file *m, void *data)
+ int err;
+ u32 retval = -1;
+ 
++ if (secure_modules())
++ return -EPERM;
++
+ err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
+ 
+ if (err < 0)
+@@ -1606,6 +1609,9 @@ static int show_devs(struct seq_file *m, void *data)
+ int err;
+ u32 retval = -1;
+ 
++ if (secure_modules())
++ return -EPERM;
++
+ err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
+ &retval);
+ 
+@@ -1630,6 +1636,9 @@ static int show_call(struct seq_file *m, void *data)
+ union acpi_object *obj;
+ acpi_status status;
+ 
++ if (secure_modules())
++ return -EPERM;
++
+ status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
+ 1, asus->debug.method_id,
+ &input, &output);
+--
+1.9.3
+
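Review bot: The identical `if (secure_modules()) return -EPERM;` guard is pasted into show_dsts, show_devs and show_call; all three are seq_file show callbacks reached through the driver's single debugfs open routine (asus_wmi_debugfs_open, if that is still the common path), so hoisting the check there would cover every debugfs entry at once and remove the risk of a fourth entry being added later without it. Checking at access time rather than skipping file creation is the right shape, since the secure-modules state can presumably be switched on after the driver has loaded, so only the duplication needs tidying. Returning -EPERM from a show callback surfaces to the reader as a failed read rather than empty output, which is the clearer signal here. The bodies of the three functions continue outside the hunk.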
diff --git a/ath9k_rx_dma_stop_check.patch b/ath9k-rx-dma-stop-check.patch index 606eb1c63..49a20d335 100644 --- a/ath9k_rx_dma_stop_check.patch +++ b/ath9k-rx-dma-stop-check.patch @@ -1,6 +1,17 @@ +From dfc1afd652976a77e8fcfb57866ad0f29b50d042 Mon Sep 17 00:00:00 2001 +From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org> +Date: Wed, 6 Feb 2013 09:57:47 -0500 +Subject: [PATCH] ath9k: rx dma stop check + +--- + drivers/net/wireless/ath/ath9k/mac.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/mac.c b/drivers/net/wireless/ath/ath9k/mac.c +index 275205ab5f15..bb842623bdf6 100644 --- a/drivers/net/wireless/ath/ath9k/mac.c +++ b/drivers/net/wireless/ath/ath9k/mac.c -@@ -689,7 +689,7 @@ bool ath9k_hw_stopdmarecv(struct ath_hw +@@ -700,7 +700,7 @@ bool ath9k_hw_stopdmarecv(struct ath_hw *ah, bool *reset) { #define AH_RX_STOP_DMA_TIMEOUT 10000 /* usec */ struct ath_common *common = ath9k_hw_common(ah); @@ -9,7 +20,7 @@ int i; /* Enable access to the DMA observation bus */ -@@ -719,6 +719,16 @@ bool ath9k_hw_stopdmarecv(struct ath_hw +@@ -730,6 +730,16 @@ bool ath9k_hw_stopdmarecv(struct ath_hw *ah, bool *reset) } if (i == 0) { @@ -26,3 +37,6 @@ ath_err(common, "DMA failed to stop in %d ms AR_CR=0x%08x AR_DIAG_SW=0x%08x DMADBG_7=0x%08x\n", AH_RX_STOP_DMA_TIMEOUT / 1000, +-- +1.9.3 + diff --git a/crash-driver.patch b/crash-driver.patch index c39728997..298c6eeec 100644 --- a/crash-driver.patch +++ b/crash-driver.patch 
@@ -1,24 +1,23 @@ -Bugzilla: N/A -Upstream-status: Fedora mustard - -From 1786bc697d34af944e29437ce44337b0eb8b6799 Mon Sep 17 00:00:00 2001 -From: Kyle McMartin <kyle@dreadnought.bos.jkkm.org> +From 35f42a829ac374b0085015e29e73b44d227a83b1 Mon Sep 17 00:00:00 2001 +From: Dave Anderson <anderson@redhat.com> Date: Tue, 26 Nov 2013 12:42:46 -0500 Subject: [PATCH] crash-driver +Bugzilla: N/A +Upstream-status: Fedora mustard --- arch/arm/include/asm/crash-driver.h | 6 ++ arch/arm64/include/asm/crash-driver.h | 6 ++ - arch/ia64/include/asm/crash-driver.h | 90 +++++++++++++++++++++++++++ - arch/ia64/kernel/ia64_ksyms.c | 3 + + arch/ia64/include/asm/crash-driver.h | 90 ++++++++++++++++++++++ + arch/ia64/kernel/ia64_ksyms.c | 3 + arch/powerpc/include/asm/crash-driver.h | 6 ++ - arch/s390/include/asm/crash-driver.h | 60 ++++++++++++++++++ - arch/s390/mm/maccess.c | 2 + + arch/s390/include/asm/crash-driver.h | 60 +++++++++++++++ + arch/s390/mm/maccess.c | 2 + arch/x86/include/asm/crash-driver.h | 6 ++ - drivers/char/Kconfig | 3 + - drivers/char/Makefile | 2 + - drivers/char/crash.c | 128 +++++++++++++++++++++++++++++++++++++++ - include/asm-generic/crash-driver.h | 72 ++++++++++++++++++++++ + drivers/char/Kconfig | 3 + + drivers/char/Makefile | 2 + + drivers/char/crash.c | 128 ++++++++++++++++++++++++++++++++ + include/asm-generic/crash-driver.h | 72 ++++++++++++++++++ 12 files changed, 384 insertions(+) create mode 100644 arch/arm/include/asm/crash-driver.h create mode 100644 arch/arm64/include/asm/crash-driver.h @@ -31,7 +30,7 @@ Subject: [PATCH] crash-driver diff --git a/arch/arm/include/asm/crash-driver.h b/arch/arm/include/asm/crash-driver.h new file mode 100644 -index 0000000..1d2e537 +index 000000000000..06e7ae916601 --- /dev/null +++ b/arch/arm/include/asm/crash-driver.h @@ -0,0 +1,6 @@ @@ -43,7 +42,7 @@ index 0000000..1d2e537 +#endif /* _ARM_CRASH_H */ 
diff --git a/arch/arm64/include/asm/crash-driver.h b/arch/arm64/include/asm/crash-driver.h new file mode 100644 -index 0000000..a7fcc28 +index 000000000000..43b26da0c5d6 --- /dev/null +++ b/arch/arm64/include/asm/crash-driver.h @@ -0,0 +1,6 @@ @@ -55,7 +54,7 @@ index 0000000..a7fcc28 +#endif /* _ARM64_CRASH_H */ diff --git a/arch/ia64/include/asm/crash-driver.h b/arch/ia64/include/asm/crash-driver.h new file mode 100644 -index 0000000..28bd955 +index 000000000000..404bcb93c112 --- /dev/null +++ b/arch/ia64/include/asm/crash-driver.h @@ -0,0 +1,90 @@ @@ -150,7 +149,7 @@ index 0000000..28bd955 + +#endif /* _ASM_IA64_CRASH_H */ diff --git a/arch/ia64/kernel/ia64_ksyms.c b/arch/ia64/kernel/ia64_ksyms.c -index 5b7791d..aee4b87 100644 +index 5b7791dd3965..aee4b870c763 100644 --- a/arch/ia64/kernel/ia64_ksyms.c +++ b/arch/ia64/kernel/ia64_ksyms.c @@ -84,6 +84,9 @@ EXPORT_SYMBOL(ia64_save_scratch_fpregs); @@ -165,7 +164,7 @@ index 5b7791d..aee4b87 100644 EXPORT_SYMBOL_GPL(esi_call_phys); diff --git a/arch/powerpc/include/asm/crash-driver.h b/arch/powerpc/include/asm/crash-driver.h new file mode 100644 -index 0000000..daa8c4d +index 000000000000..50092d965dc5 --- /dev/null +++ b/arch/powerpc/include/asm/crash-driver.h @@ -0,0 +1,6 @@ @@ -177,7 +176,7 @@ index 0000000..daa8c4d +#endif /* _PPC64_CRASH_H */ diff --git a/arch/s390/include/asm/crash-driver.h b/arch/s390/include/asm/crash-driver.h new file mode 100644 -index 0000000..552be5e +index 000000000000..552be5e2c571 --- /dev/null +++ b/arch/s390/include/asm/crash-driver.h @@ -0,0 +1,60 @@ @@ -242,10 +241,10 @@ index 0000000..552be5e + +#endif /* _S390_CRASH_H */ diff --git a/arch/s390/mm/maccess.c b/arch/s390/mm/maccess.c -index d1e0e0c..a2be459 100644 +index 2a2e35416d2f..a529181429bb 100644 --- a/arch/s390/mm/maccess.c +++ b/arch/s390/mm/maccess.c -@@ -219,6 +219,7 @@ void *xlate_dev_mem_ptr(unsigned long addr) +@@ -193,6 +193,7 @@ void *xlate_dev_mem_ptr(unsigned long addr) put_online_cpus(); return bounce; } 
@@ -253,14 +252,14 @@ index d1e0e0c..a2be459 100644 /* * Free converted buffer for /dev/mem access (if necessary) -@@ -228,3 +229,4 @@ void unxlate_dev_mem_ptr(unsigned long addr, void *buf) +@@ -202,3 +203,4 @@ void unxlate_dev_mem_ptr(unsigned long addr, void *buf) if ((void *) addr != buf) free_page((unsigned long) buf); } +EXPORT_SYMBOL_GPL(unxlate_dev_mem_ptr); diff --git a/arch/x86/include/asm/crash-driver.h b/arch/x86/include/asm/crash-driver.h new file mode 100644 -index 0000000..27a4156 +index 000000000000..fd4736ec99f5 --- /dev/null +++ b/arch/x86/include/asm/crash-driver.h @@ -0,0 +1,6 @@ @@ -271,7 +270,7 @@ index 0000000..27a4156 + +#endif /* _X86_CRASH_H */ diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig -index fa3243d..83643e5b 100644 +index 6e9f74a5c095..ee6bae16b04c 100644 --- a/drivers/char/Kconfig +++ b/drivers/char/Kconfig @@ -4,6 +4,9 @@ @@ -285,10 +284,10 @@ index fa3243d..83643e5b 100644 config DEVKMEM diff --git a/drivers/char/Makefile b/drivers/char/Makefile -index 7ff1d0d..3ed67af 100644 +index a324f9303e36..33ce2fb1d0a3 100644 --- a/drivers/char/Makefile +++ b/drivers/char/Makefile -@@ -62,3 +62,5 @@ obj-$(CONFIG_JS_RTC) += js-rtc.o +@@ -61,3 +61,5 @@ obj-$(CONFIG_JS_RTC) += js-rtc.o js-rtc-y = rtc.o obj-$(CONFIG_TILE_SROM) += tile-srom.o @@ -296,7 +295,7 @@ index 7ff1d0d..3ed67af 100644 +obj-$(CONFIG_CRASH) += crash.o diff --git a/drivers/char/crash.c b/drivers/char/crash.c new file mode 100644 -index 0000000..a142bb3 +index 000000000000..085378a1d539 --- /dev/null +++ b/drivers/char/crash.c @@ -0,0 +1,128 @@ @@ -430,7 +429,7 @@ index 0000000..a142bb3 +MODULE_LICENSE("GPL"); diff --git a/include/asm-generic/crash-driver.h b/include/asm-generic/crash-driver.h new file mode 100644 -index 0000000..8a0a69a +index 000000000000..25ab9869d566 --- /dev/null +++ b/include/asm-generic/crash-driver.h @@ -0,0 +1,72 @@ @@ -507,5 +506,5 @@ index 0000000..8a0a69a + +#endif /* __CRASH_H__ */ -- -1.8.3.1 +1.9.3 
diff --git a/criu-no-expert.patch b/criu-no-expert.patch index 28c8a987d..4c3573b24 100644 --- a/criu-no-expert.patch +++ b/criu-no-expert.patch @@ -1,11 +1,19 @@ +From cb32e566a709fd6a7e36ef7a41b2047fcdfb921d Mon Sep 17 00:00:00 2001 +From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org> +Date: Wed, 30 Jan 2013 10:55:31 -0500 +Subject: [PATCH] criu: no expert + Bugzilla: N/A Upstream-status: Fedora mustard +--- + init/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/init/Kconfig b/init/Kconfig -index be8b7f5..7461760 100644 +index 3bad458f1c68..aee58b9fedfc 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -989,7 +989,7 @@ config DEBUG_BLK_CGROUP +@@ -1147,7 +1147,7 @@ config DEBUG_BLK_CGROUP endif # CGROUPS config CHECKPOINT_RESTORE @@ -14,7 +22,7 @@ index be8b7f5..7461760 100644 default n help Enables additional kernel features in a sake of checkpoint/restore. -@@ -1000,7 +1000,7 @@ config CHECKPOINT_RESTORE +@@ -1158,7 +1158,7 @@ config CHECKPOINT_RESTORE If unsure, say N here. menuconfig NAMESPACES @@ -23,3 +31,6 @@ index be8b7f5..7461760 100644 default !EXPERT help Provides the way to make tasks work with different objects using +-- +1.9.3 + diff --git a/die-floppy-die.patch b/die-floppy-die.patch index 8fd0f3f1e..764cf53ab 100644 --- a/die-floppy-die.patch +++ b/die-floppy-die.patch @@ -1,24 +1,24 @@ -Bugzilla: N/A -Upstream-status: Fedora mustard - -From 4ff58b642f80dedb20533978123d89b5ac9b1ed5 Mon Sep 17 00:00:00 2001 +From c6f9176d4c916dba021a44a2ad9de1756fc6c5ad Mon Sep 17 00:00:00 2001 
From: Kyle McMartin <kyle@phobos.i.jkkm.org> Date: Tue, 30 Mar 2010 00:04:29 -0400 -Subject: die-floppy-die +Subject: [PATCH] die-floppy-die Kill the floppy.ko pnp modalias. We were surviving just fine without autoloading floppy drivers, tyvm. Please feel free to register all complaints in the wastepaper bin. + +Bugzilla: N/A +Upstream-status: Fedora mustard --- - drivers/block/floppy.c | 3 +-- - 1 files changed, 1 insertions(+), 2 deletions(-) + drivers/block/floppy.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c -index 90c4038..f4a0b90 100644 +index 56d46ffb08e1..1c8db250df88 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c -@@ -4619,8 +4619,7 @@ static const struct pnp_device_id floppy_pnpids[] = { +@@ -4634,8 +4634,7 @@ static const struct pnp_device_id floppy_pnpids[] = { {"PNP0700", 0}, {} }; @@ -29,5 +29,5 @@ index 90c4038..f4a0b90 100644 #else -- -1.7.0.1 +1.9.3 diff --git a/disable-i8042-check-on-apple-mac.patch b/disable-i8042-check-on-apple-mac.patch index ec6e48594..6af52af4e 100644 --- a/disable-i8042-check-on-apple-mac.patch +++ b/disable-i8042-check-on-apple-mac.patch @@ -1,10 +1,7 @@ -Bugzilla: N/A -Upstream-status: http://lkml.indiana.edu/hypermail/linux/kernel/1005.0/00938.html (and pinged on Dec 17, 2013) - -From 2a79554c864ac58fa2ad982f0fcee2cc2aa33eb5 Mon Sep 17 00:00:00 2001 +From a2e5f724a7e33329651ead92d4122907bdfdb208 Mon Sep 17 00:00:00 2001 From: Bastien Nocera <hadess@hadess.net> Date: Thu, 20 May 2010 10:30:31 -0400 -Subject: Disable i8042 checks on Intel Apple Macs +Subject: [PATCH] disable i8042 check on apple mac As those computers never had any i8042 controllers, and the current lookup code could potentially lock up/hang/wait for 
@@ -12,16 +9,19 @@ timeout for long periods of time. Fixes intermittent hangs on boot on a MacbookAir1,1 +Bugzilla: N/A +Upstream-status: http://lkml.indiana.edu/hypermail/linux/kernel/1005.0/00938.html (and pinged on Dec 17, 2013) + Signed-off-by: Bastien Nocera <hadess@hadess.net> --- - drivers/input/serio/i8042.c | 22 ++++++++++++++++++++++ - 1 files changed, 22 insertions(+), 0 deletions(-) + drivers/input/serio/i8042.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c -index 6440a8f..4d7cf98 100644 +index 612f855c340f..f1aeb0240d6e 100644 --- a/drivers/input/serio/i8042.c +++ b/drivers/input/serio/i8042.c -@@ -1451,6 +1451,22 @@ static struct platform_driver i8042_driver = { +@@ -1469,6 +1469,22 @@ static struct platform_driver i8042_driver = { .shutdown = i8042_shutdown, }; @@ -44,7 +44,7 @@ index 6440a8f..4d7cf98 100644 static int __init i8042_init(void) { struct platform_device *pdev; -@@ -1458,6 +1474,12 @@ static int __init i8042_init(void) +@@ -1476,6 +1492,12 @@ static int __init i8042_init(void) dbg_init(); @@ -58,5 +58,5 @@ index 6440a8f..4d7cf98 100644 if (err) return err; -- -1.7.0.1 +1.9.3 diff --git a/disable-libdw-unwind-on-non-x86.patch b/disable-libdw-unwind-on-non-x86.patch index 445fc1942..86bb70ae0 100644 --- a/disable-libdw-unwind-on-non-x86.patch +++ b/disable-libdw-unwind-on-non-x86.patch @@ -1,9 +1,20 @@ +From 5a8e4c7cafd99ce849d75c86409b822ac1da18e4 Mon Sep 17 00:00:00 2001 +From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org> +Date: Fri, 18 Apr 2014 06:58:29 -0400 +Subject: [PATCH] disable libdw unwind on non-x86 + +Bugzilla: 1025603 +Upstream-status: ?? +--- + tools/perf/config/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile -index ee21fa9..19ee413 100644 +index 1f67aa02d240..86c21a24da46 100644 --- a/tools/perf/config/Makefile 
+++ b/tools/perf/config/Makefile -@@ -34,6 +34,10 @@ ifeq ($(ARCH),arm) - LIBUNWIND_LIBS = -lunwind -lunwind-arm +@@ -52,6 +52,10 @@ ifeq ($(ARCH),powerpc) + CFLAGS += -DHAVE_SKIP_CALLCHAIN_IDX endif +ifneq ($(ARCH),x86) @@ -13,3 +24,6 @@ index ee21fa9..19ee413 100644 ifeq ($(LIBUNWIND_LIBS),) NO_LIBUNWIND := 1 else +-- +1.9.3 + diff --git a/drm-i915-hush-check-crtc-state.patch b/drm-i915-hush-check-crtc-state.patch index 295cad7b7..76ab873cd 100644 --- a/drm-i915-hush-check-crtc-state.patch +++ b/drm-i915-hush-check-crtc-state.patch 
@@ -1,15 +1,24 @@ -Bugzilla: 1027037 1028785 -Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/035948.html +From e2d0333d3dc0c63e79a94f08d3770cd2a7d6a667 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Wed, 13 Nov 2013 10:17:24 -0500 +Subject: [PATCH] drm/i915: hush check crtc state This is _by far_ the most common backtrace for i915 on retrace.fp.o, and it's mostly useless noise. There's not enough context when it's generated to know if something actually went wrong. Downgrade the message to KMS debugging so we can still get it if we want it. -diff -up linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_display.c.jx linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_display.c ---- linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_display.c.jx 2013-11-03 18:41:51.000000000 -0500 -+++ linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_display.c 2013-11-13 10:12:05.781301624 -0500 -@@ -8803,7 +8803,7 @@ check_crtc_state(struct drm_device *dev) +Bugzilla: 1027037 1028785 +Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/035948.html +--- + drivers/gpu/drm/i915/intel_display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 018fb7222f60..922818d16e93 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -10640,7 +10640,7 @@ check_crtc_state(struct drm_device *dev) if (active && !intel_pipe_config_compare(dev, &crtc->config, &pipe_config)) { @@ -18,3 +27,6 @@ diff -up linux-3.13.0-0.rc0.git2.1.fc21.x86_64/drivers/gpu/drm/i915/intel_displa intel_dump_pipe_config(crtc, &pipe_config, "[hw state]"); intel_dump_pipe_config(crtc, &crtc->config, +-- +1.9.3 + diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch new file mode 100644 index 000000000..90404745d 
--- /dev/null
+++ b/efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -0,0 +1,43 @@
+From a2ebe652ed2e730d4a7fc2699c39a8736b823480 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 27 Aug 2013 13:33:03 -0400
+Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit
+
+UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
+for use with efi_enabled.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/kernel/setup.c | 2 ++
+ include/linux/efi.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 5a5cf7395724..fb282ff6a802 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p)
+ 
+ #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
+ if (boot_params.secure_boot) {
++ set_bit(EFI_SECURE_BOOT, &efi.flags);
+ enforce_signed_modules();
++ pr_info("Secure boot enabled\n");
+ }
+ #endif
+ 
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 45cb4ffdea62..ebe6a24cc1e1 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -923,6 +923,7 @@ extern int __init efi_setup_pcdp_console(char *);
+ #define EFI_64BIT 5 /* Is the firmware 64-bit? */
+ #define EFI_PARAVIRT 6 /* Access is via a paravirt interface */
+ #define EFI_ARCH_1 7 /* First arch-specific bit */
++#define EFI_SECURE_BOOT 8 /* Are we in Secure Boot mode? */
+ 
+ #ifdef CONFIG_EFI
+ /*
+--
+1.9.3
+
diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
new file mode 100644
index 000000000..5c0186088
--- /dev/null
+++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
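Review bot: `set_bit(EFI_SECURE_BOOT, &efi.flags)` is placed inside `#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE`, so the new flag — which the commit message and the `/* Are we in Secure Boot mode? */` comment describe as plain firmware state — is only ever set on kernels built with the enforcement option, and any other consumer of `efi_enabled(EFI_SECURE_BOOT)` silently reads false otherwise. Recording the state and applying policy are separable: set the bit and print the pr_info whenever `boot_params.secure_boot` is true, and keep only `enforce_signed_modules()` under the ifdef, assuming the `secure_boot` field itself is not conditional on that option (not visible here). The rest of setup_arch is outside the hunk.
```c
	if (boot_params.secure_boot) {
		/* Firmware state is recorded unconditionally; policy is applied below. */
		set_bit(EFI_SECURE_BOOT, &efi.flags);
		pr_info("Secure boot enabled\n");
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
		enforce_signed_modules();
#endif
	}
```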
@@ -0,0 +1,58 @@
+From 3d2fbfb0264c8286432026e152d7561975506ffc Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 5 Feb 2013 19:25:05 -0500
+Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
+
+A user can manually tell the shim boot loader to disable validation of
+images it loads. When a user does this, it creates a UEFI variable called
+MokSBState that does not have the runtime attribute set. Given that the
+user explicitly disabled validation, we can honor that and not enable
+secure boot mode if that variable is set.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 88edd48f03e9..3b18ef2b534c 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -806,8 +806,9 @@ out:
+ 
+ static int get_secure_boot(void)
+ {
+- u8 sb, setup;
++ u8 sb, setup, moksbstate;
+ unsigned long datasize = sizeof(sb);
++ u32 attr;
+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+ efi_status_t status;
+ 
+@@ -831,6 +832,23 @@ static int get_secure_boot(void)
+ if (setup == 1)
+ return 0;
+ 
++ /* See if a user has put shim into insecure_mode. If so, and the variable
++ * doesn't have the runtime attribute set, we might as well honor that.
++ */
++ var_guid = EFI_SHIM_LOCK_GUID;
++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
++ L"MokSBState", &var_guid, &attr, &datasize,
++ &moksbstate);
++
++ /* If it fails, we don't care why. Default to secure */
++ if (status != EFI_SUCCESS)
++ return 1;
++
++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
++ if (moksbstate == 1)
++ return 0;
++ }
++
+ return 1;
+ }
+ 
+--
+1.9.3
+
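Review bot: The MokSBState lookup reuses `datasize` left over from the earlier SecureBoot/SetupMode reads instead of setting it to the size of its own buffer; GetVariable treats that parameter as in/out, so the call is only safe because the preceding variables happen to be one byte — an explicit `datasize = sizeof(moksbstate);` before the call makes the one-byte bound independent of whatever ran before it. The fail-closed shape is right: a missing or oversized variable yields a non-EFI_SUCCESS status and the function returns 1 (secure), and the `!(attr & EFI_VARIABLE_RUNTIME_ACCESS)` test means only a boot-services-only copy, which by design cannot be written from the running OS, can downgrade the result. That reasoning deserves to be in the comment rather than only the commit message, e.g. `/* A runtime-accessible MokSBState could have been set from the OS; only honour a boot-services-only copy written by shim. */`. The earlier reads in get_secure_boot sit outside this hunk.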
diff --git a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
new file mode 100644
index 000000000..b1fd83096
--- /dev/null
+++ b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
@@ -0,0 +1,30 @@
+From 2850989c51158efb074313d4e3aeb2665f978ed4 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 27 Aug 2013 13:28:43 -0400
+Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+
+The functionality of the config option is dependent upon the platform being
+UEFI based. Reflect this in the config deps.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 46392bfab57e..5bb9b06573a3 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1566,7 +1566,8 @@ config EFI_MIXED
+ If unsure, say N.
+ 
+ config EFI_SECURE_BOOT_SIG_ENFORCE
+- def_bool n
++ def_bool n
++ depends on EFI
+ prompt "Force module signing when UEFI Secure Boot is enabled"
+ ---help---
+ UEFI Secure Boot provides a mechanism for ensuring that the
+--
+1.9.3
+
diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch
new file mode 100644
index 000000000..db215ec21
--- /dev/null
+++ b/hibernate-Disable-in-a-signed-modules-environment.patch
@@ -0,0 +1,39 @@ +From f32db30954f67a233bbb6d56f48143698f44e5bc Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Fri, 20 Jun 2014 08:53:24 -0400 +Subject: [PATCH] hibernate: Disable in a signed modules environment + +There is currently no way to verify the resume image when returning +from hibernate. This might compromise the signed modules trust model, +so until we can work with signed hibernate images we disable it in +a secure modules environment. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + kernel/power/hibernate.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index a9dfa79b6bab..14c7356ff53a 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -28,6 +28,7 @@ + #include <linux/syscore_ops.h> + #include <linux/ctype.h> + #include <linux/genhd.h> ++#include <linux/module.h> + #include <trace/events/power.h> + + #include "power.h" +@@ -65,7 +66,7 @@ static const struct platform_hibernation_ops *hibernation_ops; + + bool hibernation_available(void) + { +- return (nohibernate == 0); ++ return ((nohibernate == 0) && !secure_modules()); + } + + /** +-- +1.9.3 + diff --git a/input-kill-stupid-messages.patch b/input-kill-stupid-messages.patch index 754bf8a30..31ff55375 100644 --- a/input-kill-stupid-messages.patch +++ b/input-kill-stupid-messages.patch @@ -1,11 +1,19 @@ +From 0115cafe4d9a93deef3259b18b5b9cdafd60fbef Mon Sep 17 00:00:00 2001 +From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org> +Date: Thu, 29 Jul 2010 16:46:31 -0700 +Subject: [PATCH] input: kill stupid messages + Bugzilla: N/A Upstream-status: Fedora mustard +--- + drivers/input/keyboard/atkbd.c | 4 ++++ + 1 file changed, 4 insertions(+) diff --git a/drivers/input/keyboard/atkbd.c b/drivers/input/keyboard/atkbd.c -index add5ffd..5eb2f03 100644 +index 2dd1d0dd4f7d..7116b70074bf 100644 --- a/drivers/input/keyboard/atkbd.c 
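Review bot: The new condition in hibernation_available() carries no comment explaining why secure_modules() disables hibernation; the rationale exists only in the commit message and will be lost on the next read of kernel/power/hibernate.c. Add above the return: `/* A resume image cannot be verified, so restoring one would bypass module signature enforcement. */`. The `#include <linux/module.h>` added in the first hunk is presumably what declares secure_modules(); that declaration comes from a separate patch and is not visible here.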
+++ b/drivers/input/keyboard/atkbd.c -@@ -430,11 +430,15 @@ static irqreturn_t atkbd_interrupt(struct serio *serio, unsigned char data, +@@ -436,11 +436,15 @@ static irqreturn_t atkbd_interrupt(struct serio *serio, unsigned char data, goto out; case ATKBD_RET_ACK: case ATKBD_RET_NAK: @@ -21,3 +29,6 @@ index add5ffd..5eb2f03 100644 goto out; case ATKBD_RET_ERR: atkbd->err_count++; +-- +1.9.3 + diff --git a/silence-noise.patch b/input-silence-i8042-noise.patch index 1058f70dd..2dac82a70 100644 --- a/silence-noise.patch +++ b/input-silence-i8042-noise.patch @@ -1,37 +1,51 @@ -Bugzilla: N/A -Upstream-status: Fedora mustard - -From b4e96f34c17e5a79cd28774cc722bb33e7e02c6e Mon Sep 17 00:00:00 2001 +From 10da76f4101b3dd43dcf9cbb6c9c7b6d6f92c829 Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Thu, 25 Sep 2008 16:23:33 -0400 -Subject: [PATCH] Don't print an error message just because there's no i8042 chip. +Subject: [PATCH] input: silence i8042 noise +Don't print an error message just because there's no i8042 chip. Some systems, such as EFI-based Apple systems, won't necessarily have an i8042 to initialize. We shouldn't be printing an error message in this case, since not detecting the chip is the correct behavior. + +Bugzilla: N/A +Upstream-status: Fedora mustard --- + drivers/base/power/main.c | 2 -- + drivers/input/serio/i8042.c | 1 - + net/can/af_can.c | 8 ++------ + 3 files changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index b67d9aef9fe4..dd58b0fdaafd 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -122,8 +122,6 @@ void device_pm_unlock(void) + */ + void device_pm_add(struct device *dev) + { +- pr_debug("PM: Adding info for %s:%s\n", +- dev->bus ? dev->bus->name : "No Bus", dev_name(dev)); + mutex_lock(&dpm_list_mtx); + if (dev->parent && dev->parent->power.is_prepared) + dev_warn(dev, "parent %s should not be sleeping\n", 
diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c -index 52c9ebf..c374a96 100644 +index 3807c3e971cc..612f855c340f 100644 --- a/drivers/input/serio/i8042.c +++ b/drivers/input/serio/i8042.c -@@ -855,7 +855,6 @@ static int __init i8042_check_aux(void) +@@ -857,7 +857,6 @@ static int __init i8042_check_aux(void) static int i8042_controller_check(void) { if (i8042_flush()) { - pr_err("No controller found\n"); return -ENODEV; } - --- -Socket fuzzers like sfuzz will trigger this printk a lot, even though it's -ratelimited. It isn't particularly useful, so just remove it. - -Signed-off-by: Dave Jones <davej@redhat.com> - +diff --git a/net/can/af_can.c b/net/can/af_can.c +index ce82337521f6..a3fee4becc93 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c -@@ -157,13 +157,9 @@ static int can_create(struct net *net, struct socket *sock, int protocol, +@@ -158,13 +158,9 @@ static int can_create(struct net *net, struct socket *sock, int protocol, err = request_module("can-proto-%d", protocol); /* @@ -47,22 +61,6 @@ Signed-off-by: Dave Jones <davej@redhat.com> cp = can_get_proto(protocol); } - -This was removed in revision 1.6 of linux-2.6-silence-noise.patch -in ye olde CVS tree. I have no idea why. Originally the pr_debug in -device_pm_remove was nuked as well, but that seems to have gotten lost in -the r1.634 of kernel.spec (2.6.26-rc2-git5.) +-- +1.9.3 -diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c -index 2a52270..bacbdd2 100644 ---- a/drivers/base/power/main.c -+++ b/drivers/base/power/main.c -@@ -87,8 +87,6 @@ void device_pm_unlock(void) - */ - void device_pm_add(struct device *dev) - { -- pr_debug("PM: Adding info for %s:%s\n", -- dev->bus ? dev->bus->name : "No Bus", dev_name(dev)); - mutex_lock(&dpm_list_mtx); - if (dev->parent && dev->parent->power.is_prepared) - dev_warn(dev, "parent %s should not be sleeping\n", diff --git a/makefile-after_link.patch b/kbuild-AFTER_LINK.patch index a2342c025..897a1f945 100644 
--- a/makefile-after_link.patch +++ b/kbuild-AFTER_LINK.patch @@ -1,7 +1,4 @@ -Bugzilla: N/A -Upstream-status: ?? - -From fd4e7f06ecc891474dea3a93df083de5f8c50cdc Mon Sep 17 00:00:00 2001 +From 4df7d687b12092b4ae94415cc528bc09a0437624 Mon Sep 17 00:00:00 2001 From: Roland McGrath <roland@redhat.com> Date: Mon, 6 Oct 2008 23:03:03 -0700 Subject: [PATCH] kbuild: AFTER_LINK @@ -9,6 +6,9 @@ Subject: [PATCH] kbuild: AFTER_LINK If the make variable AFTER_LINK is set, it is a command line to run after each final link. This includes vmlinux itself and vDSO images. +Bugzilla: N/A +Upstream-status: ?? + Signed-off-by: Roland McGrath <roland@redhat.com> --- arch/arm64/kernel/vdso/Makefile | 3 ++- @@ -121,3 +121,6 @@ index 86a4fe75f453..161637ed5611 100644 } +-- +1.9.3 + diff --git a/kernel.spec b/kernel.spec index 39b3a6768..a9a5d2d82 100644 --- a/kernel.spec +++ b/kernel.spec @@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -537,7 +537,7 @@ Patch00: patch-3.%{base_sublevel}-git%{gitrev}.xz Patch04: compile-fixes.patch # build tweak for build ID magic, even for -vanilla -Patch05: makefile-after_link.patch +Patch05: kbuild-AFTER_LINK.patch %if !%{nopatches} @@ -555,10 +555,10 @@ Patch470: die-floppy-die.patch Patch500: Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch -Patch510: silence-noise.patch +Patch510: input-silence-i8042-noise.patch Patch530: silence-fbcon-logo.patch -Patch600: 0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch +Patch600: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch #rhbz 917708 Patch700: Revert-userns-Allow-unprivileged-users-to-create-use.patch 
@@ -568,10 +568,28 @@ Patch800: crash-driver.patch # crypto/ # secure boot -Patch1000: secure-modules.patch -Patch1001: modsign-uefi.patch -# atch1002: sb-hibernate.patch -Patch1003: sysrq-secure-boot.patch +Patch1000: Add-secure_modules-call.patch +Patch1001: PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +Patch1002: x86-Lock-down-IO-port-access-when-module-security-is.patch +Patch1003: ACPI-Limit-access-to-custom_method.patch +Patch1004: asus-wmi-Restrict-debugfs-interface-when-module-load.patch +Patch1005: Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +Patch1006: acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +Patch1007: kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +Patch1008: x86-Restrict-MSR-access-when-module-loading-is-restr.patch +Patch1009: Add-option-to-automatically-enforce-module-signature.patch +Patch1010: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +Patch1011: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +Patch1012: efi-Add-EFI_SECURE_BOOT-bit.patch +Patch1013: hibernate-Disable-in-a-signed-modules-environment.patch + +Patch1014: Add-EFI-signature-data-types.patch +Patch1015: Add-an-EFI-signature-blob-parser-and-key-loader.patch +Patch1016: KEYS-Add-a-system-blacklist-keyring.patch +Patch1017: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +Patch1018: MODSIGN-Support-not-importing-certs-from-db.patch + +Patch1019: Add-sysrq-option-to-disable-secure-boot-mode.patch # virt + ksm patches 
@@ -594,14 +612,21 @@ Patch14000: hibernate-freeze-filesystems.patch Patch14010: lis3-improve-handling-of-null-rate.patch -Patch15000: nowatchdog-on-virt.patch +Patch15000: watchdog-Disable-watchdog-on-virtual-machines.patch # ARM64 # ARMv7 -Patch21020: arm-tegra-usb-no-reset-linux33.patch -Patch21021: arm-beagle.patch -Patch21022: arm-imx6-utilite.patch +Patch21020: ARM-tegra-usb-no-reset.patch +Patch21021: arm-dts-am335x-boneblack-lcdc-add-panel-info.patch +Patch21022: arm-dts-am335x-boneblack-add-cpu0-opp-points.patch +Patch21023: arm-dts-am335x-bone-common-enable-and-use-i2c2.patch +Patch21024: arm-dts-am335x-bone-common-setup-default-pinmux-http.patch +Patch21025: arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch +Patch21026: pinctrl-pinctrl-single-must-be-initialized-early.patch +Patch21027: arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch + +Patch21028: arm-i.MX6-Utilite-device-dtb.patch #rhbz 754518 Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch @@ -610,7 +635,7 @@ Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch Patch21242: criu-no-expert.patch #rhbz 892811 -Patch21247: ath9k_rx_dma_stop_check.patch +Patch21247: ath9k-rx-dma-stop-check.patch Patch22000: weird-root-dentry-name-debug.patch @@ -618,9 +643,9 @@ Patch22000: weird-root-dentry-name-debug.patch Patch25063: disable-libdw-unwind-on-non-x86.patch #rhbz 983342 1093120 -Patch25069: 0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch +Patch25069: acpi-video-Add-4-new-models-to-the-use_native_backli.patch -Patch26000: perf-lib64.patch +Patch26000: perf-install-trace-event-plugins.patch # Patch series from Hans for various backlight and platform driver fixes Patch26002: samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch @@ -1203,7 +1228,7 @@ do done %endif -ApplyPatch makefile-after_link.patch +ApplyPatch kbuild-AFTER_LINK.patch # # misc small stuff to make things compile 
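Review bot: `arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch` is listed twice in the ARMv7 block, as both Patch21025 and Patch21027, and the matching ApplyPatch hunk (`@@ -1217,16 +1242,23 @@`) applies it twice as well. The second application will most likely fail once the first has gone in, or re-apply hunks that still happen to match, breaking the build either way. Either drop the `Patch21027:` line together with the second `ApplyPatch arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch`, or point both at the patch that was actually meant to occupy that slot.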
@@ -1217,16 +1242,23 @@ ApplyOptionalPatch upstream-reverts.patch -R # Architecture patches # x86(-64) -ApplyPatch 0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch +ApplyPatch lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch # ARM64 # # ARM # -ApplyPatch arm-tegra-usb-no-reset-linux33.patch -ApplyPatch arm-beagle.patch -ApplyPatch arm-imx6-utilite.patch +ApplyPatch ARM-tegra-usb-no-reset.patch +ApplyPatch arm-dts-am335x-boneblack-lcdc-add-panel-info.patch +ApplyPatch arm-dts-am335x-boneblack-add-cpu0-opp-points.patch +ApplyPatch arm-dts-am335x-bone-common-enable-and-use-i2c2.patch +ApplyPatch arm-dts-am335x-bone-common-setup-default-pinmux-http.patch +ApplyPatch arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch +ApplyPatch pinctrl-pinctrl-single-must-be-initialized-early.patch +ApplyPatch arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch + +ApplyPatch arm-i.MX6-Utilite-device-dtb.patch # # bugfixes to drivers and filesystems @@ -1274,7 +1306,7 @@ ApplyPatch die-floppy-die.patch ApplyPatch no-pcspkr-modalias.patch # Silence some useless messages that still get printed with 'quiet' -ApplyPatch silence-noise.patch +ApplyPatch input-silence-i8042-noise.patch # Make fbcon not show the penguins with 'quiet' ApplyPatch silence-fbcon-logo.patch 
@@ -1290,10 +1322,28 @@ ApplyPatch crash-driver.patch # crypto/ # secure boot -ApplyPatch secure-modules.patch -ApplyPatch modsign-uefi.patch -# pplyPatch sb-hibernate.patch -ApplyPatch sysrq-secure-boot.patch +ApplyPatch Add-secure_modules-call.patch +ApplyPatch PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +ApplyPatch x86-Lock-down-IO-port-access-when-module-security-is.patch +ApplyPatch ACPI-Limit-access-to-custom_method.patch +ApplyPatch asus-wmi-Restrict-debugfs-interface-when-module-load.patch +ApplyPatch Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +ApplyPatch acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +ApplyPatch kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +ApplyPatch x86-Restrict-MSR-access-when-module-loading-is-restr.patch +ApplyPatch Add-option-to-automatically-enforce-module-signature.patch +ApplyPatch efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +ApplyPatch efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +ApplyPatch efi-Add-EFI_SECURE_BOOT-bit.patch +ApplyPatch hibernate-Disable-in-a-signed-modules-environment.patch + +ApplyPatch Add-EFI-signature-data-types.patch +ApplyPatch Add-an-EFI-signature-blob-parser-and-key-loader.patch +ApplyPatch KEYS-Add-a-system-blacklist-keyring.patch +ApplyPatch MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +ApplyPatch MODSIGN-Support-not-importing-certs-from-db.patch + +ApplyPatch Add-sysrq-option-to-disable-secure-boot-mode.patch # Assorted Virt Fixes @@ -1315,7 +1365,7 @@ ApplyPatch disable-i8042-check-on-apple-mac.patch ApplyPatch lis3-improve-handling-of-null-rate.patch # Disable watchdog on virtual machines. -ApplyPatch nowatchdog-on-virt.patch +ApplyPatch watchdog-Disable-watchdog-on-virtual-machines.patch #rhbz 754518 ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch 
@@ -1326,15 +1376,15 @@ ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch ApplyPatch criu-no-expert.patch #rhbz 892811 -ApplyPatch ath9k_rx_dma_stop_check.patch +ApplyPatch ath9k-rx-dma-stop-check.patch #rhbz 1025603 ApplyPatch disable-libdw-unwind-on-non-x86.patch #rhbz 983342 1093120 -ApplyPatch 0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch +ApplyPatch acpi-video-Add-4-new-models-to-the-use_native_backli.patch -ApplyPatch perf-lib64.patch +ApplyPatch perf-install-trace-event-plugins.patch # Patch series from Hans for various backlight and platform driver fixes ApplyPatch samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch new file mode 100644 index 000000000..ebd5371f4 --- /dev/null +++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch 
@@ -0,0 +1,44 @@ +From 8633ed1850c24ea2e52c7c64c293186946935e8a Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Fri, 9 Aug 2013 03:33:56 -0400 +Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module + loading restrictions + +kexec permits the loading and execution of arbitrary code in ring 0, which +is something that module signing enforcement is meant to prevent. It makes +sense to disable kexec in this situation. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +--- + kernel/kexec.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/kexec.c b/kernel/kexec.c +index 0b49a0a58102..8e649f7c22e1 100644 +--- a/kernel/kexec.c ++++ b/kernel/kexec.c +@@ -36,6 +36,7 @@ + #include <linux/syscore_ops.h> + #include <linux/compiler.h> + #include <linux/hugetlb.h> ++#include <linux/module.h> + + #include <asm/page.h> + #include <asm/uaccess.h> +@@ -1245,6 +1246,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, + return -EPERM; + + /* ++ * kexec can be used to circumvent module loading restrictions, so ++ * prevent loading in that case ++ */ ++ if (secure_modules()) ++ return -EPERM; ++ ++ /* + * Verify we have a legal set of flags + * This leaves us room for future extensions. + */ +-- +1.9.3 + diff --git a/0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch b/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch index d25452268..bc5ec698f 100644 --- a/0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch +++ b/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch @@ -1,7 +1,4 @@ -Bugzilla: N/A -Upstream-status: Nak'd, supposedly replacement coming to auto-select - -From 0f3f5c5b4ca2eb1f41947c50bedb9b17aa1a1f80 Mon Sep 17 00:00:00 2001 +From d53e8bbf853e6de66ac48e15794d722edf7877b4 Mon Sep 17 00:00:00 2001 
From: Josh Boyer <jwboyer@fedoraproject.org> Date: Mon, 11 Nov 2013 08:39:16 -0500 Subject: [PATCH] lib/cpumask: Make CPUMASK_OFFSTACK usable without debug @@ -14,16 +11,19 @@ operation of the feature, and we need CPUMASK_OFFSTACK to increase the NR_CPUS value beyond 512 on x86. We drop the current dependency and make sure SMP is set. +Bugzilla: N/A +Upstream-status: Nak'd, supposedly replacement coming to auto-select + Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> --- lib/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/Kconfig b/lib/Kconfig -index b3c8be0..50b47cd 100644 +index a5ce0c7f6c30..54cef46c99d7 100644 --- a/lib/Kconfig +++ b/lib/Kconfig -@@ -342,7 +342,8 @@ config CHECK_SIGNATURE +@@ -379,7 +379,8 @@ config CHECK_SIGNATURE bool config CPUMASK_OFFSTACK @@ -34,5 +34,5 @@ index b3c8be0..50b47cd 100644 Use dynamic allocation for cpumask_var_t, instead of putting them on the stack. This is a bit more expensive, but avoids -- -1.8.3.1 +1.9.3 diff --git a/lis3-improve-handling-of-null-rate.patch b/lis3-improve-handling-of-null-rate.patch index ead58ce2b..ad2d1084f 100644 --- a/lis3-improve-handling-of-null-rate.patch +++ b/lis3-improve-handling-of-null-rate.patch @@ -1,13 +1,7 @@ -Bugzilla: 785814 -Upstream-status: ?? - ->From 56fb161a9ca0129f8e266e4dbe79346552ff8089 Mon Sep 17 00:00:00 2001 +From 77389d33a694cf99c965e009ccf2a49fb27157c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89ric=20Piel?= <eric.piel@tremplin-utc.net> Date: Thu, 3 Nov 2011 16:22:40 +0100 -Subject: [PATCH] lis3: Improve handling of null rate -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit +Subject: [PATCH] lis3: improve handling of null rate When obtaining a rate of 0, we would disable the device supposely because it seems to behave incorectly. It actually only comes from the 
@@ -15,16 +9,19 @@ fact that the device is off and on lis3dc it's reflected in the rate. So handle this nicely by just waiting a safe time, and then using the device as normally. +Bugzilla: 785814 +Upstream-status: ?? + Signed-off-by: ??ric Piel <eric.piel@tremplin-utc.net> --- - drivers/misc/lis3lv02d/lis3lv02d.c | 16 ++++++++-------- - 1 files changed, 8 insertions(+), 8 deletions(-) + drivers/misc/lis3lv02d/lis3lv02d.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/misc/lis3lv02d/lis3lv02d.c b/drivers/misc/lis3lv02d/lis3lv02d.c -index 35c67e0..42dce2a 100644 +index 3ef4627f9cb1..2b2d2e8e5eeb 100644 --- a/drivers/misc/lis3lv02d/lis3lv02d.c +++ b/drivers/misc/lis3lv02d/lis3lv02d.c -@@ -188,7 +188,8 @@ static void lis3lv02d_get_xyz(struct lis3lv02d *lis3, int *x, int *y, int *z) +@@ -216,7 +216,8 @@ static void lis3lv02d_get_xyz(struct lis3lv02d *lis3, int *x, int *y, int *z) /* conversion btw sampling rate and the register values */ static int lis3_12_rates[4] = {40, 160, 640, 2560}; static int lis3_8_rates[2] = {100, 400}; @@ -34,7 +31,7 @@ index 35c67e0..42dce2a 100644 static int lis3_3dlh_rates[4] = {50, 100, 400, 1000}; /* ODR is Output Data Rate */ -@@ -202,12 +203,11 @@ static int lis3lv02d_get_odr(struct lis3lv02d *lis3) +@@ -231,12 +232,11 @@ static int lis3lv02d_get_odr(struct lis3lv02d *lis3) return lis3->odrs[(ctrl >> shift)]; } @@ -50,7 +47,7 @@ index 35c67e0..42dce2a 100644 /* LIS3 power on delay is quite long */ msleep(lis3->pwron_delay / div); -@@ -274,7 +274,7 @@ static int lis3lv02d_selftest(struct lis3lv02d *lis3, s16 results[3]) +@@ -303,7 +303,7 @@ static int lis3lv02d_selftest(struct lis3lv02d *lis3, s16 results[3]) lis3->read(lis3, ctlreg, ®); lis3->write(lis3, ctlreg, (reg | selftest)); 
@@ -59,7 +56,7 @@ index 35c67e0..42dce2a 100644 if (ret) goto fail; -@@ -285,7 +285,7 @@ static int lis3lv02d_selftest(struct lis3lv02d *lis3, s16 results[3]) +@@ -314,7 +314,7 @@ static int lis3lv02d_selftest(struct lis3lv02d *lis3, s16 results[3]) /* back to normal settings */ lis3->write(lis3, ctlreg, reg); @@ -68,8 +65,8 @@ index 35c67e0..42dce2a 100644 if (ret) goto fail; -@@ -397,7 +397,7 @@ int lis3lv02d_poweron(struct lis3lv02d *lis3) - lis3->write(lis3, CTRL_REG2, reg); +@@ -434,7 +434,7 @@ int lis3lv02d_poweron(struct lis3lv02d *lis3) + } } - err = lis3lv02d_get_pwron_wait(lis3); @@ -78,5 +75,5 @@ index 35c67e0..42dce2a 100644 return err; -- -1.7.7.1 +1.9.3 diff --git a/modsign-uefi.patch b/modsign-uefi.patch deleted file mode 100644 index ceb9ec989..000000000 --- a/modsign-uefi.patch +++ /dev/null 
@@ -1,623 +0,0 @@ -Bugzilla: N/A -Upstream-status: Fedora mustard for now - - -From ca81c32a62c0330afedb506324ace85cc0116eaf Mon Sep 17 00:00:00 2001 -From: Dave Howells <dhowells@redhat.com> -Date: Tue, 23 Oct 2012 09:30:54 -0400 -Subject: [PATCH 1/5] Add EFI signature data types - -Add the data types that are used for containing hashes, keys and certificates -for cryptographic verification. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - include/linux/efi.h | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 3f683a13d7aa..27aae6eb65d8 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -581,6 +581,12 @@ void efi_native_runtime_setup(void); - #define DEVICE_TREE_GUID \ - EFI_GUID( 0xb1b621d5, 0xf19c, 0x41a5, 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0 ) - -+#define EFI_CERT_SHA256_GUID \ -+ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 ) -+ -+#define EFI_CERT_X509_GUID \ -+ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) -+ - typedef struct { - efi_guid_t guid; - u64 table; -@@ -796,6 +802,20 @@ typedef struct _efi_file_io_interface { - - #define EFI_INVALID_TABLE_ADDR (~0UL) - -+typedef struct { -+ efi_guid_t signature_owner; -+ u8 signature_data[]; -+} efi_signature_data_t; -+ -+typedef struct { -+ efi_guid_t signature_type; -+ u32 signature_list_size; -+ u32 signature_header_size; -+ u32 signature_size; -+ u8 signature_header[]; -+ /* efi_signature_data_t signatures[][] */ -+} efi_signature_list_t; -+ - /* - * All runtime access to EFI goes through this structure: - */ --- -2.0.4 - - -From 8662475501e4f68f872c86f5e915c204ccae0cb2 Mon Sep 17 00:00:00 2001 -From: Dave Howells <dhowells@redhat.com> -Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH 2/5] Add an EFI signature blob parser and key loader. 
- -X.509 certificates are loaded into the specified keyring as asymmetric type -keys. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - crypto/asymmetric_keys/Kconfig | 8 +++ - crypto/asymmetric_keys/Makefile | 1 + - crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++ - include/linux/efi.h | 4 ++ - 4 files changed, 122 insertions(+) - create mode 100644 crypto/asymmetric_keys/efi_parser.c - -diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig -index 4870f28403f5..4a1b50d73b80 100644 ---- a/crypto/asymmetric_keys/Kconfig -+++ b/crypto/asymmetric_keys/Kconfig -@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION - This option provides support for verifying the signature(s) on a - signed PE binary. - -+config EFI_SIGNATURE_LIST_PARSER -+ bool "EFI signature list parser" -+ depends on EFI -+ select X509_CERTIFICATE_PARSER -+ help -+ This option provides support for parsing EFI signature lists for -+ X.509 certificates and turning them into keys. -+ - endif # ASYMMETRIC_KEY_TYPE -diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile -index e47fcd9ac5e8..6512f6596785 100644 ---- a/crypto/asymmetric_keys/Makefile -+++ b/crypto/asymmetric_keys/Makefile -@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o - - obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o - obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o -+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o - - # - # X.509 Certificate handling -diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c -new file mode 100644 -index 000000000000..424896a0b169 ---- /dev/null -+++ b/crypto/asymmetric_keys/efi_parser.c -@@ -0,0 +1,109 @@ -+/* EFI signature/key/certificate list parser -+ * -+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 
-+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#define pr_fmt(fmt) "EFI: "fmt -+#include <linux/module.h> -+#include <linux/printk.h> -+#include <linux/err.h> -+#include <linux/efi.h> -+#include <keys/asymmetric-type.h> -+ -+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID; -+ -+/** -+ * parse_efi_signature_list - Parse an EFI signature list for certificates -+ * @data: The data blob to parse -+ * @size: The size of the data blob -+ * @keyring: The keyring to add extracted keys to -+ */ -+int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring) -+{ -+ unsigned offs = 0; -+ size_t lsize, esize, hsize, elsize; -+ -+ pr_devel("-->%s(,%zu)\n", __func__, size); -+ -+ while (size > 0) { -+ efi_signature_list_t list; -+ const efi_signature_data_t *elem; -+ key_ref_t key; -+ -+ if (size < sizeof(list)) -+ return -EBADMSG; -+ -+ memcpy(&list, data, sizeof(list)); -+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n", -+ offs, -+ list.signature_type.b, list.signature_list_size, -+ list.signature_header_size, list.signature_size); -+ -+ lsize = list.signature_list_size; -+ hsize = list.signature_header_size; -+ esize = list.signature_size; -+ elsize = lsize - sizeof(list) - hsize; -+ -+ if (lsize > size) { -+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n", -+ __func__, offs); -+ return -EBADMSG; -+ } -+ if (lsize < sizeof(list) || -+ lsize - sizeof(list) < hsize || -+ esize < sizeof(*elem) || -+ elsize < esize || -+ elsize % esize != 0) { -+ pr_devel("- bad size combo @%x\n", offs); -+ return -EBADMSG; -+ } -+ -+ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) { -+ data += lsize; -+ size -= lsize; -+ offs += lsize; -+ continue; -+ } -+ 
-+ data += sizeof(list) + hsize; -+ size -= sizeof(list) + hsize; -+ offs += sizeof(list) + hsize; -+ -+ for (; elsize > 0; elsize -= esize) { -+ elem = data; -+ -+ pr_devel("ELEM[%04x]\n", offs); -+ -+ key = key_create_or_update( -+ make_key_ref(keyring, 1), -+ "asymmetric", -+ NULL, -+ &elem->signature_data, -+ esize - sizeof(*elem), -+ (KEY_POS_ALL & ~KEY_POS_SETATTR) | -+ KEY_USR_VIEW, -+ KEY_ALLOC_NOT_IN_QUOTA | -+ KEY_ALLOC_TRUSTED); -+ -+ if (IS_ERR(key)) -+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", -+ PTR_ERR(key)); -+ else -+ pr_notice("Loaded cert '%s' linked to '%s'\n", -+ key_ref_to_ptr(key)->description, -+ keyring->description); -+ -+ data += esize; -+ size -= esize; -+ offs += esize; -+ } -+ } -+ -+ return 0; -+} -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 27aae6eb65d8..353dd105533e 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -906,6 +906,10 @@ extern bool efi_poweroff_required(void); - (md) <= (efi_memory_desc_t *)((m)->map_end - (m)->desc_size); \ - (md) = (void *)(md) + (m)->desc_size) - -+struct key; -+extern int __init parse_efi_signature_list(const void *data, size_t size, -+ struct key *keyring); -+ - /** - * efi_range_is_wc - check the WC bit on an address range - * @start: starting kvirt address --- -2.0.4 - - -From d5bc057ec6b984222b76622b2222485bef771ceb Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH 3/5] KEYS: Add a system blacklist keyring - -This adds an additional keyring that is used to store certificates that -are blacklisted. This keyring is searched first when loading signed modules -and if the module's certificate is found, it will refuse to load. This is -useful in cases where third party certificates are used for module signing. 
- -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - include/keys/system_keyring.h | 4 ++++ - init/Kconfig | 9 +++++++++ - kernel/module_signing.c | 12 ++++++++++++ - kernel/system_keyring.c | 17 +++++++++++++++++ - 4 files changed, 42 insertions(+) - -diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h -index 72665eb80692..2c7b80d31366 100644 ---- a/include/keys/system_keyring.h -+++ b/include/keys/system_keyring.h -@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void) - } - #endif - -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+extern struct key *system_blacklist_keyring; -+#endif -+ - #endif /* _KEYS_SYSTEM_KEYRING_H */ -diff --git a/init/Kconfig b/init/Kconfig -index a291b7ef4738..7c199415ee28 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1715,6 +1715,15 @@ config SYSTEM_TRUSTED_KEYRING - - Keys in this keyring are used by module signature checking. - -+config SYSTEM_BLACKLIST_KEYRING -+ bool "Provide system-wide ring of blacklisted keys" -+ depends on KEYS -+ help -+ Provide a system keyring to which blacklisted keys can be added. -+ Keys in the keyring are considered entirely untrusted. Keys in this -+ keyring are used by the module signature checking to reject loading -+ of modules signed with a blacklisted key. -+ - config PROFILING - bool "Profiling support" - help -diff --git a/kernel/module_signing.c b/kernel/module_signing.c -index be5b8fac4bd0..fed815fcdaf2 100644 ---- a/kernel/module_signing.c -+++ b/kernel/module_signing.c -@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len, - - pr_debug("Look up: \"%s\"\n", id); - -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+ key = keyring_search(make_key_ref(system_blacklist_keyring, 1), -+ &key_type_asymmetric, id); -+ if (!IS_ERR(key)) { -+ /* module is signed with a cert in the blacklist. 
reject */ -+ pr_err("Module key '%s' is in blacklist\n", id); -+ key_ref_put(key); -+ kfree(id); -+ return ERR_PTR(-EKEYREJECTED); -+ } -+#endif -+ - key = keyring_search(make_key_ref(system_trusted_keyring, 1), - &key_type_asymmetric, id); - if (IS_ERR(key)) -diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c -index 875f64e8935b..c15e93f5a418 100644 ---- a/kernel/system_keyring.c -+++ b/kernel/system_keyring.c -@@ -20,6 +20,9 @@ - - struct key *system_trusted_keyring; - EXPORT_SYMBOL_GPL(system_trusted_keyring); -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+struct key *system_blacklist_keyring; -+#endif - - extern __initconst const u8 system_certificate_list[]; - extern __initconst const unsigned long system_certificate_list_size; -@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void) - panic("Can't allocate system trusted keyring\n"); - - set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags); -+ -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring", -+ KUIDT_INIT(0), KGIDT_INIT(0), -+ current_cred(), -+ (KEY_POS_ALL & ~KEY_POS_SETATTR) | -+ KEY_USR_VIEW | KEY_USR_READ, -+ KEY_ALLOC_NOT_IN_QUOTA, NULL); -+ if (IS_ERR(system_blacklist_keyring)) -+ panic("Can't allocate system blacklist keyring\n"); -+ -+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags); -+#endif -+ - return 0; - } - --- -2.0.4 - - -From 2f1892982340c8219cb07e38ca06275e67f7caf2 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Fri, 26 Oct 2012 12:42:16 -0400 -Subject: [PATCH 4/5] MODSIGN: Import certificates from UEFI Secure Boot - -Secure Boot stores a list of allowed certificates in the 'db' variable. -This imports those certificates into the system trusted keyring. This -allows for a third party signing certificate to be used in conjunction -with signed modules. 
By importing the public certificate into the 'db' -variable, a user can allow a module signed with that certificate to -load. The shim UEFI bootloader has a similar certificate list stored -in the 'MokListRT' variable. We import those as well. - -In the opposite case, Secure Boot maintains a list of disallowed -certificates in the 'dbx' variable. We load those certificates into -the newly introduced system blacklist keyring and forbid any module -signed with those from loading. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - include/linux/efi.h | 6 ++++ - init/Kconfig | 9 +++++ - kernel/Makefile | 3 ++ - kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 110 insertions(+) - create mode 100644 kernel/modsign_uefi.c - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 353dd105533e..f89c9a427dd4 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -587,6 +587,12 @@ void efi_native_runtime_setup(void); - #define EFI_CERT_X509_GUID \ - EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) - -+#define EFI_IMAGE_SECURITY_DATABASE_GUID \ -+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f ) -+ -+#define EFI_SHIM_LOCK_GUID \ -+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 ) -+ - typedef struct { - efi_guid_t guid; - u64 table; -diff --git a/init/Kconfig b/init/Kconfig -index 7c199415ee28..673796afbf7d 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1869,6 +1869,15 @@ config MODULE_SIG_ALL - comment "Do not forget to sign required modules with scripts/sign-file" - depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL - -+config MODULE_SIG_UEFI -+ bool "Allow modules signed with certs stored in UEFI" -+ depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI -+ select EFI_SIGNATURE_LIST_PARSER -+ help -+ This will import certificates stored in UEFI and allow modules -+ signed with 
those to be loaded. It will also disallow loading -+ of modules stored in the UEFI dbx variable. -+ - choice - prompt "Which hash algorithm should modules be signed with?" - depends on MODULE_SIG -diff --git a/kernel/Makefile b/kernel/Makefile -index 0026cf531769..63f3d0023798 100644 ---- a/kernel/Makefile -+++ b/kernel/Makefile -@@ -45,6 +45,7 @@ obj-$(CONFIG_UID16) += uid16.o - obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o - obj-$(CONFIG_MODULES) += module.o - obj-$(CONFIG_MODULE_SIG) += module_signing.o -+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o - obj-$(CONFIG_KALLSYMS) += kallsyms.o - obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o - obj-$(CONFIG_KEXEC) += kexec.o -@@ -99,6 +100,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o - - $(obj)/configs.o: $(obj)/config_data.h - -+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar -+ - # config_data.h contains the same information as ikconfig.h but gzipped. - # Info from config_data can be extracted from /proc/config* - targets += config_data.gz -diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c -new file mode 100644 -index 000000000000..94b0eb38a284 ---- /dev/null -+++ b/kernel/modsign_uefi.c -@@ -0,0 +1,92 @@ -+#include <linux/kernel.h> -+#include <linux/sched.h> -+#include <linux/cred.h> -+#include <linux/err.h> -+#include <linux/efi.h> -+#include <linux/slab.h> -+#include <keys/asymmetric-type.h> -+#include <keys/system_keyring.h> -+#include "module-internal.h" -+ -+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) -+{ -+ efi_status_t status; -+ unsigned long lsize = 4; -+ unsigned long tmpdb[4]; -+ void *db = NULL; -+ -+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); -+ if (status != EFI_BUFFER_TOO_SMALL) { -+ pr_err("Couldn't get size: 0x%lx\n", status); -+ return NULL; -+ } -+ -+ db = kmalloc(lsize, GFP_KERNEL); -+ if (!db) { -+ pr_err("Couldn't allocate memory for uefi cert list\n"); -+ goto out; -+ } -+ -+ status 
= efi.get_variable(name, guid, NULL, &lsize, db); -+ if (status != EFI_SUCCESS) { -+ kfree(db); -+ db = NULL; -+ pr_err("Error reading db var: 0x%lx\n", status); -+ } -+out: -+ *size = lsize; -+ return db; -+} -+ -+/* -+ * * Load the certs contained in the UEFI databases -+ * */ -+static int __init load_uefi_certs(void) -+{ -+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; -+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; -+ void *db = NULL, *dbx = NULL, *mok = NULL; -+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0; -+ int rc = 0; -+ -+ /* Check if SB is enabled and just return if not */ -+ if (!efi_enabled(EFI_SECURE_BOOT)) -+ return 0; -+ -+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't -+ * an error if we can't get them. -+ */ -+ db = get_cert_list(L"db", &secure_var, &dbsize); -+ if (!db) { -+ pr_err("MODSIGN: Couldn't get UEFI db list\n"); -+ } else { -+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); -+ if (rc) -+ pr_err("Couldn't parse db signatures: %d\n", rc); -+ kfree(db); -+ } -+ -+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -+ if (!mok) { -+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); -+ } else { -+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring); -+ if (rc) -+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc); -+ kfree(mok); -+ } -+ -+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); -+ if (!dbx) { -+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); -+ } else { -+ rc = parse_efi_signature_list(dbx, dbxsize, -+ system_blacklist_keyring); -+ if (rc) -+ pr_err("Couldn't parse dbx signatures: %d\n", rc); -+ kfree(dbx); -+ } -+ -+ return rc; -+} -+late_initcall(load_uefi_certs); --- -2.0.4 - - -From 396b99487836b7e5bb37422f4ffb32e722b9f794 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Thu, 3 Oct 2013 10:14:23 -0400 -Subject: [PATCH 5/5] MODSIGN: Support not importing certs from db - -If a user tells shim to not use the 
certs/hashes in the UEFI db variable -for verification purposes, shim will set a UEFI variable called MokIgnoreDB. -Have the uefi import code look for this and not import things from the db -variable. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++--------- - 1 file changed, 31 insertions(+), 9 deletions(-) - -diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c -index 94b0eb38a284..ae28b974d49a 100644 ---- a/kernel/modsign_uefi.c -+++ b/kernel/modsign_uefi.c -@@ -8,6 +8,23 @@ - #include <keys/system_keyring.h> - #include "module-internal.h" - -+static __init int check_ignore_db(void) -+{ -+ efi_status_t status; -+ unsigned int db = 0; -+ unsigned long size = sizeof(db); -+ efi_guid_t guid = EFI_SHIM_LOCK_GUID; -+ -+ /* Check and see if the MokIgnoreDB variable exists. If that fails -+ * then we don't ignore DB. If it succeeds, we do. -+ */ -+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ return 1; -+} -+ - static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) - { - efi_status_t status; -@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void) - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; -- int rc = 0; -+ int ignore_db, rc = 0; - - /* Check if SB is enabled and just return if not */ - if (!efi_enabled(EFI_SECURE_BOOT)) - return 0; - -+ /* See if the user has setup Ignore DB mode */ -+ ignore_db = check_ignore_db(); -+ - /* Get db, MokListRT, and dbx. They might not exist, so it isn't - * an error if we can't get them. 
- */ -- db = get_cert_list(L"db", &secure_var, &dbsize); -- if (!db) { -- pr_err("MODSIGN: Couldn't get UEFI db list\n"); -- } else { -- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); -- if (rc) -- pr_err("Couldn't parse db signatures: %d\n", rc); -- kfree(db); -+ if (!ignore_db) { -+ db = get_cert_list(L"db", &secure_var, &dbsize); -+ if (!db) { -+ pr_err("MODSIGN: Couldn't get UEFI db list\n"); -+ } else { -+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); -+ if (rc) -+ pr_err("Couldn't parse db signatures: %d\n", rc); -+ kfree(db); -+ } - } - - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); --- -2.0.4 - diff --git a/no-pcspkr-modalias.patch b/no-pcspkr-modalias.patch index 701178b5f..f75f5152a 100644 --- a/no-pcspkr-modalias.patch +++ b/no-pcspkr-modalias.patch @@ -1,11 +1,19 @@ +From 782885a741ad73ca03683ddec92b04399c6eae24 Mon Sep 17 00:00:00 2001 +From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org> +Date: Thu, 29 Jul 2010 16:46:31 -0700 +Subject: [PATCH] no pcspkr modalias + Bugzilla: N/A Upstream-status: Fedora mustard +--- + drivers/input/misc/pcspkr.c | 1 - + 1 file changed, 1 deletion(-) diff --git a/drivers/input/misc/pcspkr.c b/drivers/input/misc/pcspkr.c -index 34f4d2e..3e40c70 100644 +index 674a2cfc3c0e..9a2807227c69 100644 --- a/drivers/input/misc/pcspkr.c +++ b/drivers/input/misc/pcspkr.c -@@ -24,7 +24,6 @@ +@@ -23,7 +23,6 @@ MODULE_AUTHOR("Vojtech Pavlik <vojtech@ucw.cz>"); MODULE_DESCRIPTION("PC Speaker beeper driver"); MODULE_LICENSE("GPL"); @@ -13,3 +21,6 @@ index 34f4d2e..3e40c70 100644 static int pcspkr_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) { +-- +1.9.3 + diff --git a/perf-install-trace-event-plugins.patch b/perf-install-trace-event-plugins.patch new file mode 100644 index 000000000..d2026db51 --- /dev/null +++ b/perf-install-trace-event-plugins.patch 
@@ -0,0 +1,31 @@
+From 0abf5980c420adf5846fc25fd5c5a907d131afcc Mon Sep 17 00:00:00 2001
+From: Kyle McMartin <kmcmarti@redhat.com>
+Date: Mon, 2 Jun 2014 15:11:01 -0400
+Subject: [PATCH] perf: install trace-event plugins
+
+perf hardcodes $libdir to be lib for all but x86_64, so kludge around it
+until upstream gets their act together.
+---
+ tools/perf/config/Makefile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile
+index 86c21a24da46..bf0fe97bd358 100644
+--- a/tools/perf/config/Makefile
++++ b/tools/perf/config/Makefile
+@@ -642,8 +642,12 @@ endif
+ ifeq ($(IS_X86_64),1)
+ lib = lib64
+ else
++ifdef MULTILIBDIR
++lib = $(MULTILIBDIR)
++else
+ lib = lib
+ endif
++endif
+ libdir = $(prefix)/$(lib)
+ 
+ # Shell quote (do not use $(call) to accommodate ancient setups);
+--
+1.9.3
+
diff --git a/perf-lib64.patch b/perf-lib64.patch
deleted file mode 100644
index 85790ba92..000000000
--- a/perf-lib64.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile
-index 802cf54..7f30bfa 100644
---- a/tools/perf/config/Makefile
-+++ b/tools/perf/config/Makefile
-@@ -621,8 +621,12 @@ endif
- ifeq ($(IS_X86_64),1)
- lib = lib64
- else
-+ifdef MULTILIBDIR
-+lib = $(MULTILIBDIR)
-+else
- lib = lib
- endif
-+endif
- libdir = $(prefix)/$(lib)
- 
- # Shell quote (do not use $(call) to accommodate ancient setups);
diff --git a/pinctrl-pinctrl-single-must-be-initialized-early.patch b/pinctrl-pinctrl-single-must-be-initialized-early.patch
new file mode 100644
index 000000000..39caec4c4
--- /dev/null
+++ b/pinctrl-pinctrl-single-must-be-initialized-early.patch
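Review bot: The MULTILIBDIR override in the new `+@@ -642` hunk only takes effect on the non-x86_64 branch, so a packager who sets MULTILIBDIR on x86_64 still gets the hardcoded `lib64`; that matches the stated intent of the commit message, but nothing in the hunk says so, and a one-line comment above the `ifdef`, such as `# MULTILIBDIR (set by the spec) overrides the guess only where perf would pick 'lib'`, would save the next reader from "fixing" it. The variable is a build-time input that flows straight into `libdir`, so no validation is called for. Separately, this new file carries no `Bugzilla:`/`Upstream-status:` lines, while the samsung and scsi patches touched by the same commit keep theirs, so the patch's upstream status is not recorded anywhere.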
@@ -0,0 +1,38 @@
+From 8946fa3addc278d256c2f687381be65d3ad3a7b1 Mon Sep 17 00:00:00 2001
+From: Pantelis Antoniou <panto@antoniou-consulting.com>
+Date: Sat, 15 Sep 2012 12:00:41 +0300
+Subject: [PATCH] pinctrl: pinctrl-single must be initialized early.
+
+When using pinctrl-single to handle i2c initialization, it has
+to be done early. Whether this is the best way to do so, is an
+exercise left to the reader.
+---
+ drivers/pinctrl/pinctrl-single.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index 95dd9cf55cb3..800fc34d7ea9 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -2012,7 +2012,17 @@ static struct platform_driver pcs_driver = {
+ #endif
+ };
+ 
+-module_platform_driver(pcs_driver);
++static int __init pcs_init(void)
++{
++ return platform_driver_register(&pcs_driver);
++}
++postcore_initcall(pcs_init);
++
++static void __exit pcs_exit(void)
++{
++ platform_driver_unregister(&pcs_driver);
++}
++module_exit(pcs_exit);
+ 
+ MODULE_AUTHOR("Tony Lindgren <tony@atomide.com>");
+ MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver");
+--
+1.9.3
+
diff --git a/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch b/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
index 93c4073ce..08e570d92 100644
--- a/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
+++ b/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
@@ -1,21 +1,19 @@
-Bugzilla: 861573
-Upstream-status: Waiting for feedback from reporter
-
-From 2fa2078cdd4198b49c02cb03087158d398476463 Mon Sep 17 00:00:00 2001
+From 6a7fb976264a8b7bd05daa8db9d58338ef6b3632 Mon Sep 17 00:00:00 2001
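Review bot: The replacement of `module_platform_driver(pcs_driver)` with a hand-rolled `postcore_initcall(pcs_init)` carries no explanation in the code, and the commit message itself doubts the approach ("exercise left to the reader"), so the next maintainer is likely to fold it back; I'd add `/* Registered at postcore level so pinmux is set up before the i2c initialisation that depends on it (see commit message); do not revert to module_platform_driver(). */` above `pcs_init`. If I recall the initcall macros correctly, `postcore_initcall` expands to plain `module_init` when the driver is built as a module, so the early ordering is only real for a built-in driver — worth stating in the description rather than leaving implicit. As with the perf patch, this new file has no `Bugzilla:`/`Upstream-status:` lines, unlike the samsung and scsi patches touched by the same commit.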
From: Hans de Goede <hdegoede@redhat.com> Date: Mon, 2 Jun 2014 17:40:59 +0200 -Subject: [PATCH 02/14] samsung-laptop: Add broken-acpi-video quirk for - NC210/NC110 +Subject: [PATCH] samsung-laptop: Add broken-acpi-video quirk for NC210/NC110 Reported (and tested) here: https://bugzilla.redhat.com/show_bug.cgi?id=861573 +Bugzilla: 861573 +Upstream-status: Waiting for feedback from reporter + Signed-off-by: Hans de Goede <hdegoede@redhat.com> --- drivers/platform/x86/samsung-laptop.c | 10 ++++++++++ 1 file changed, 10 insertions(+) - diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c index 5a5966512277..0d7954e0fc74 100644 --- a/drivers/platform/x86/samsung-laptop.c @@ -37,3 +35,6 @@ index 5a5966512277..0d7954e0fc74 100644 { }, }; MODULE_DEVICE_TABLE(dmi, samsung_dmi_table); +-- +1.9.3 + diff --git a/sb-hibernate.patch b/sb-hibernate.patch deleted file mode 100644 index 4b1bd1673..000000000 --- a/sb-hibernate.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -Bugzilla: N/A -Upstream-status: Fedora mustard - -From 9cdffb6980a2c573844b4b87f907da24d68fb916 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Fri, 26 Oct 2012 14:02:09 -0400 -Subject: [PATCH] hibernate: Disable in a signed modules environment - -There is currently no way to verify the resume image when returning -from hibernate. This might compromise the signed modules trust model, -so until we can work with signed hibernate images we disable it in -a secure modules environment. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.com> ---- - kernel/power/hibernate.c | 16 +++++++++++++++- - kernel/power/main.c | 7 ++++++- - kernel/power/user.c | 1 + - 3 files changed, 22 insertions(+), 2 deletions(-) - -diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index 49e0a20fd010..777eff68e8ef 100644 ---- a/kernel/power/hibernate.c -+++ b/kernel/power/hibernate.c -@@ -29,6 +29,8 @@ - #include <linux/ctype.h> - #include <linux/genhd.h> - #include <trace/events/power.h> -+#include <linux/module.h> -+#include <linux/efi.h> - - #include "power.h" - -@@ -642,6 +644,10 @@ int hibernate(void) - { - int error; - -+ if (secure_modules()) { -+ return -EPERM; -+ } -+ - lock_system_sleep(); - /* The snapshot device should not be opened while we're running */ - if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -@@ -734,7 +740,7 @@ static int software_resume(void) - /* - * If the user said "noresume".. bail out early. 
- */ -- if (noresume) -+ if (noresume || secure_modules()) - return 0; - - /* -@@ -900,6 +906,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr, - int i; - char *start = buf; - -+ if (efi_enabled(EFI_SECURE_BOOT)) { -+ buf += sprintf(buf, "[%s]\n", "disabled"); -+ return buf-start; -+ } -+ - for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) { - if (!hibernation_modes[i]) - continue; -@@ -934,6 +945,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr, - char *p; - int mode = HIBERNATION_INVALID; - -+ if (secure_modules()) -+ return -EPERM; -+ - p = memchr(buf, '\n', n); - len = p ? p - buf : n; - -diff --git a/kernel/power/main.c b/kernel/power/main.c -index 573410d6647e..f5201093adc4 100644 ---- a/kernel/power/main.c -+++ b/kernel/power/main.c -@@ -15,6 +15,7 @@ - #include <linux/workqueue.h> - #include <linux/debugfs.h> - #include <linux/seq_file.h> -+#include <linux/efi.h> - - #include "power.h" - -@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr, - - #endif - #ifdef CONFIG_HIBERNATION -- s += sprintf(s, "%s\n", "disk"); -+ if (!efi_enabled(EFI_SECURE_BOOT)) { -+ s += sprintf(s, "%s\n", "disk"); -+ } else { -+ s += sprintf(s, "\n"); -+ } - #else - if (s != buf) - /* convert the last space to a newline */ -diff --git a/kernel/power/user.c b/kernel/power/user.c -index efe99dee9510..5f5d1026f1e2 100644 ---- a/kernel/power/user.c -+++ b/kernel/power/user.c -@@ -25,6 +25,7 @@ - #include <linux/cpu.h> - #include <linux/freezer.h> - #include <linux/module.h> -+#include <linux/efi.h> - - #include <asm/uaccess.h> - --- -1.9.3 - diff --git a/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch b/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch index 350705249..1ef5196e1 100644 --- a/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch +++ b/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch 
@@ -1,6 +1,13 @@ +From 26fcec7a2c92ad6d31d858d2bd357511ab79ea7c Mon Sep 17 00:00:00 2001 +From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org> +Date: Fri, 10 Feb 2012 14:56:13 -0500 +Subject: [PATCH] scsi: sd_revalidate_disk prevent NULL ptr deref + Bugzilla: 754518 Upstream-status: Fedora mustard (might be worth dropping...) - +--- + drivers/scsi/sd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 2c2041ca4b70..e10812d985af 100644 @@ -26,3 +33,6 @@ index 2c2041ca4b70..e10812d985af 100644 /* * If the device is offline, don't try and read capacity or any * of the other niceties. +-- +1.9.3 + diff --git a/secure-modules.patch b/secure-modules.patch deleted file mode 100644 index e88d617ce..000000000 --- a/secure-modules.patch +++ /dev/null 
@@ -1,877 +0,0 @@ -Bugzilla: N/A -Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd - -From c66361cce3b23ea9c7fa8010f55e1fe31c23d5b1 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 01/14] Add secure_modules() call - -Provide a single call to allow kernel code to determine whether the system -has been configured to either disable module loading entirely or to load -only modules signed with a trusted key. - -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - include/linux/module.h | 7 +++++++ - kernel/module.c | 10 ++++++++++ - 2 files changed, 17 insertions(+) - -diff --git a/include/linux/module.h b/include/linux/module.h -index f520a767c86c..fc9b54eb779e 100644 ---- a/include/linux/module.h -+++ b/include/linux/module.h -@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block *nb); - - extern void print_modules(void); - -+extern bool secure_modules(void); -+ - #else /* !CONFIG_MODULES... */ - - /* Given an address, look for it in the exception tables. 
*/ -@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb) - static inline void print_modules(void) - { - } -+ -+static inline bool secure_modules(void) -+{ -+ return false; -+} - #endif /* CONFIG_MODULES */ - - #ifdef CONFIG_SYSFS -diff --git a/kernel/module.c b/kernel/module.c -index ae79ce615cb9..e8909e2a8b96 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -3839,3 +3839,13 @@ void module_layout(struct module *mod, - } - EXPORT_SYMBOL(module_layout); - #endif -+ -+bool secure_modules(void) -+{ -+#ifdef CONFIG_MODULE_SIG -+ return (sig_enforce || modules_disabled); -+#else -+ return modules_disabled; -+#endif -+} -+EXPORT_SYMBOL(secure_modules); --- -2.0.4 - - -From eb614212bd2ad9acb2a279c669624a174899e0d5 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is - enabled - -Any hardware that can potentially generate DMA has to be locked down from -userspace in order to avoid it being possible for an attacker to modify -kernel code, allowing them to circumvent disabled module loading or module -signing. Default to paranoid - in future we can potentially relax this for -sufficiently IOMMU-isolated devices. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - drivers/pci/pci-sysfs.c | 10 ++++++++++ - drivers/pci/proc.c | 8 +++++++- - drivers/pci/syscall.c | 3 ++- - 3 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 9ff0a901ecf7..8d0d5d92b8d9 100644 ---- a/drivers/pci/pci-sysfs.c -+++ b/drivers/pci/pci-sysfs.c -@@ -30,6 +30,7 @@ - #include <linux/vgaarb.h> - #include <linux/pm_runtime.h> - #include <linux/of.h> -+#include <linux/module.h> - #include "pci.h" - - static int sysfs_initialized; /* = 0 */ -@@ -704,6 +705,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, - loff_t init_off = off; - u8 *data = (u8 *) buf; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (off > dev->cfg_size) - return 0; - if (off + count > dev->cfg_size) { -@@ -998,6 +1002,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, - resource_size_t start, end; - int i; - -+ if (secure_modules()) -+ return -EPERM; -+ - for (i = 0; i < PCI_ROM_RESOURCE; i++) - if (res == &pdev->resource[i]) - break; -@@ -1099,6 +1106,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, - struct bin_attribute *attr, char *buf, - loff_t off, size_t count) - { -+ if (secure_modules()) -+ return -EPERM; -+ - return pci_resource_io(filp, kobj, attr, buf, off, count, true); - } - -diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 3f155e78513f..4265ea07e3b0 100644 ---- a/drivers/pci/proc.c -+++ b/drivers/pci/proc.c -@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, - int size = dev->cfg_size; - int cnt; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (pos >= size) - return 0; - if (nbytes >= size) -@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, - #endif /* HAVE_PCI_MMAP */ - int ret = 0; - -+ if (secure_modules()) -+ return -EPERM; -+ - switch 
(cmd) { - case PCIIOC_CONTROLLER: - ret = pci_domain_nr(dev->bus); -@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) - struct pci_filp_private *fpriv = file->private_data; - int i, ret; - -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || secure_modules()) - return -EPERM; - - /* Make sure the caller is mapping a real resource for this device */ -diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index b91c4da68365..98f5637304d1 100644 ---- a/drivers/pci/syscall.c -+++ b/drivers/pci/syscall.c -@@ -10,6 +10,7 @@ - #include <linux/errno.h> - #include <linux/pci.h> - #include <linux/syscalls.h> -+#include <linux/module.h> - #include <asm/uaccess.h> - #include "pci.h" - -@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, - u32 dword; - int err = 0; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!capable(CAP_SYS_ADMIN) || secure_modules()) - return -EPERM; - - dev = pci_get_bus_and_slot(bus, dfn); --- -2.0.4 - - -From 6774235b4571f527a2a101c291434f43fc8b668c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 03/14] x86: Lock down IO port access when module security is - enabled - -IO port access would permit users to gain access to PCI configuration -registers, which in turn (on a lot of hardware) give access to MMIO register -space. This would potentially permit root to trigger arbitrary DMA, so lock -it down by default. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - arch/x86/kernel/ioport.c | 5 +++-- - drivers/char/mem.c | 4 ++++ - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 4ddaf66ea35f..00b440307419 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -15,6 +15,7 @@ - #include <linux/thread_info.h> - #include <linux/syscalls.h> - #include <linux/bitmap.h> -+#include <linux/module.h> - #include <asm/syscalls.h> - - /* -@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -- if (turn_on && !capable(CAP_SYS_RAWIO)) -+ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules())) - return -EPERM; - - /* -@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) - return -EINVAL; - /* Trying to gain more privileges? */ - if (level > old) { -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || secure_modules()) - return -EPERM; - } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 917403fe10da..cdf839f9defe 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -27,6 +27,7 @@ - #include <linux/export.h> - #include <linux/io.h> - #include <linux/aio.h> -+#include <linux/module.h> - - #include <asm/uaccess.h> - -@@ -568,6 +569,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, - unsigned long i = *ppos; - const char __user *tmp = buf; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (!access_ok(VERIFY_READ, buf, count)) - return -EFAULT; - while (count-- > 0 && i < 65536) { --- -2.0.4 - - -From 8693d39f3b0d3f43dbc45f9a1961e695e8a21373 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 04/14] ACPI: Limit access to custom_method - 
-custom_method effectively allows arbitrary access to system memory, making -it possible for an attacker to circumvent restrictions on module loading. -Disable it if any such restrictions have been enabled. - -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - drivers/acpi/custom_method.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index c68e72414a67..4277938af700 100644 ---- a/drivers/acpi/custom_method.c -+++ b/drivers/acpi/custom_method.c -@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, - struct acpi_table_header table; - acpi_status status; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (!(*ppos)) { - /* parse the table header to get the table length */ - if (count <= sizeof(struct acpi_table_header)) --- -2.0.4 - - -From 7e5fa9a5109284bcd70c8ae2fc82265e2617a31c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module - loading is restricted - -We have no way of validating what all of the Asus WMI methods do on a -given machine, and there's a risk that some will allow hardware state to -be manipulated in such a way that arbitrary code can be executed in the -kernel, circumventing module loading restrictions. Prevent that if any of -these features are enabled. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - drivers/platform/x86/asus-wmi.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index 3c6ccedc82b6..960c46536c65 100644 ---- a/drivers/platform/x86/asus-wmi.c -+++ b/drivers/platform/x86/asus-wmi.c -@@ -1592,6 +1592,9 @@ static int show_dsts(struct seq_file *m, void *data) - int err; - u32 retval = -1; - -+ if (secure_modules()) -+ return -EPERM; -+ - err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); - - if (err < 0) -@@ -1608,6 +1611,9 @@ static int show_devs(struct seq_file *m, void *data) - int err; - u32 retval = -1; - -+ if (secure_modules()) -+ return -EPERM; -+ - err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, - &retval); - -@@ -1632,6 +1638,9 @@ static int show_call(struct seq_file *m, void *data) - union acpi_object *obj; - acpi_status status; - -+ if (secure_modules()) -+ return -EPERM; -+ - status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, - 1, asus->debug.method_id, - &input, &output); --- -2.0.4 - - -From 7ed379a80612df99b1220869003522211d23bd96 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is - restricted - -Allowing users to write to address space makes it possible for the kernel -to be subverted, avoiding module loading restrictions. Prevent this when -any restrictions have been imposed on loading modules. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - drivers/char/mem.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index cdf839f9defe..c63cf93b00eb 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, - if (p != *ppos) - return -EFBIG; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (!valid_phys_addr_range(p, count)) - return -EFAULT; - -@@ -502,6 +505,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, - char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ - int err = 0; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (p < (unsigned long) high_memory) { - unsigned long to_write = min_t(unsigned long, count, - (unsigned long)high_memory - p); --- -2.0.4 - - -From c46f20cad9d85bbf467162dddb56759e7b02e0f2 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@redhat.com> -Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module - loading is restricted - -This option allows userspace to pass the RSDP address to the kernel, which -makes it possible for a user to circumvent any restrictions imposed on -loading modules. Disable it in that case. 
- -Signed-off-by: Josh Boyer <jwboyer@redhat.com> ---- - drivers/acpi/osl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index bad25b070fe0..0606585e8b93 100644 ---- a/drivers/acpi/osl.c -+++ b/drivers/acpi/osl.c -@@ -44,6 +44,7 @@ - #include <linux/list.h> - #include <linux/jiffies.h> - #include <linux/semaphore.h> -+#include <linux/module.h> - - #include <asm/io.h> - #include <asm/uaccess.h> -@@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); - acpi_physical_address __init acpi_os_get_root_pointer(void) - { - #ifdef CONFIG_KEXEC -- if (acpi_rsdp) -+ if (acpi_rsdp && !secure_modules()) - return acpi_rsdp; - #endif - --- -2.0.4 - - -From 8cb020222a1602bd196163d132b95bb1f69925b2 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Aug 2013 03:33:56 -0400 -Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module - loading restrictions - -kexec permits the loading and execution of arbitrary code in ring 0, which -is something that module signing enforcement is meant to prevent. It makes -sense to disable kexec in this situation. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - kernel/kexec.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/kernel/kexec.c b/kernel/kexec.c -index 4b8f0c925884..df14daa323a9 100644 ---- a/kernel/kexec.c -+++ b/kernel/kexec.c -@@ -34,6 +34,7 @@ - #include <linux/syscore_ops.h> - #include <linux/compiler.h> - #include <linux/hugetlb.h> -+#include <linux/module.h> - - #include <asm/page.h> - #include <asm/uaccess.h> -@@ -947,6 +948,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, - return -EPERM; - - /* -+ * kexec can be used to circumvent module loading restrictions, so -+ * prevent loading in that case -+ */ -+ if (secure_modules()) -+ return -EPERM; -+ -+ /* - * Verify we have a legal set of flags - * This leaves us room for future extensions. - */ --- -2.0.4 - - -From 2e30f7a56dcccf68c9c62dfdc791664f07737e94 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is - restricted - -Writing to MSRs should not be allowed if module loading is restricted, -since it could lead to execution of arbitrary code in kernel mode. Based -on a patch by Kees Cook. 
- -Cc: Kees Cook <keescook@chromium.org> -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - arch/x86/kernel/msr.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index c9603ac80de5..8bef43fc3f40 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, - int err = 0; - ssize_t bytes = 0; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (count % 8) - return -EINVAL; /* Invalid chunk size */ - -@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) - err = -EBADF; - break; - } -+ if (secure_modules()) { -+ err = -EPERM; -+ break; -+ } - if (copy_from_user(®s, uregs, sizeof regs)) { - err = -EFAULT; - break; --- -2.0.4 - - -From f3437ca79d1ddd12ebdff439c4c3931ba0081a1e Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 10/14] Add option to automatically enforce module signatures - when in Secure Boot mode - -UEFI Secure Boot provides a mechanism for ensuring that the firmware will -only load signed bootloaders and kernels. Certain use cases may also -require that all kernel modules also be signed. Add a configuration option -that enforces this automatically when enabled. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - Documentation/x86/zero-page.txt | 2 ++ - arch/x86/Kconfig | 10 ++++++++++ - arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ - arch/x86/include/uapi/asm/bootparam.h | 3 ++- - arch/x86/kernel/setup.c | 6 ++++++ - include/linux/module.h | 6 ++++++ - kernel/module.c | 7 +++++++ - 7 files changed, 69 insertions(+), 1 deletion(-) - -diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt -index 199f453cb4de..ec38acf00b40 100644 ---- a/Documentation/x86/zero-page.txt -+++ b/Documentation/x86/zero-page.txt -@@ -30,6 +30,8 @@ Offset Proto Name Meaning - 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) - 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer - (below) -+1EB/001 ALL kbd_status Numlock is enabled -+1EC/001 ALL secure_boot Secure boot is enabled in the firmware - 1EF/001 ALL sentinel Used to detect broken bootloaders - 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures - 2D0/A00 ALL e820_map E820 memory map table -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 6b71f0417293..67e25e3c8583 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1559,6 +1559,16 @@ config EFI_MIXED - - If unsure, say N. - -+config EFI_SECURE_BOOT_SIG_ENFORCE -+ def_bool n -+ prompt "Force module signing when UEFI Secure Boot is enabled" -+ ---help--- -+ UEFI Secure Boot provides a mechanism for ensuring that the -+ firmware will only load signed bootloaders and kernels. Certain -+ use cases may also require that all kernel modules also be signed. -+ Say Y here to automatically enable module signature enforcement -+ when a system boots with UEFI Secure Boot enabled. 
-+ - config SECCOMP - def_bool y - prompt "Enable seccomp to safely compute untrusted bytecode" -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index f277184e2ac1..88edd48f03e9 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -12,6 +12,7 @@ - #include <asm/efi.h> - #include <asm/setup.h> - #include <asm/desc.h> -+#include <asm/bootparam_utils.h> - - #undef memcpy /* Use memcpy from misc.c */ - -@@ -803,6 +804,37 @@ out: - return status; - } - -+static int get_secure_boot(void) -+{ -+ u8 sb, setup; -+ unsigned long datasize = sizeof(sb); -+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; -+ efi_status_t status; -+ -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"SecureBoot", &var_guid, NULL, &datasize, &sb); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (sb == 0) -+ return 0; -+ -+ -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"SetupMode", &var_guid, NULL, &datasize, -+ &setup); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (setup == 1) -+ return 0; -+ -+ return 1; -+} -+ -+ - /* - * See if we have Graphics Output Protocol - */ -@@ -1374,6 +1406,10 @@ struct boot_params *efi_main(struct efi_config *c, - else - setup_boot_services32(efi_early); - -+ sanitize_boot_params(boot_params); -+ -+ boot_params->secure_boot = get_secure_boot(); -+ - setup_graphics(boot_params); - - status = setup_efi_pci(boot_params); -diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 225b0988043a..90dbfb73e11f 100644 ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -133,7 +133,8 @@ struct boot_params { - __u8 eddbuf_entries; /* 0x1e9 */ - __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ - __u8 kbd_status; /* 0x1eb */ -- __u8 _pad5[3]; /* 0x1ec */ -+ __u8 secure_boot; /* 0x1ec */ -+ __u8 _pad5[2]; /* 0x1ed */ - /* - * The sentinel is set to a 
nonzero value (0xff) in header.S. - * -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 41ead8d3bc0b..5a5cf7395724 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p) - - io_delay_init(); - -+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE -+ if (boot_params.secure_boot) { -+ enforce_signed_modules(); -+ } -+#endif -+ - /* - * Parse the ACPI tables for possible boot-time SMP configuration. - */ -diff --git a/include/linux/module.h b/include/linux/module.h -index fc9b54eb779e..7377bc851461 100644 ---- a/include/linux/module.h -+++ b/include/linux/module.h -@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); - - struct notifier_block; - -+#ifdef CONFIG_MODULE_SIG -+extern void enforce_signed_modules(void); -+#else -+static inline void enforce_signed_modules(void) {}; -+#endif -+ - #ifdef CONFIG_MODULES - - extern int modules_disabled; /* for sysctl */ -diff --git a/kernel/module.c b/kernel/module.c -index e8909e2a8b96..7d5b301efa01 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -3840,6 +3840,13 @@ void module_layout(struct module *mod, - EXPORT_SYMBOL(module_layout); - #endif - -+#ifdef CONFIG_MODULE_SIG -+void enforce_signed_modules(void) -+{ -+ sig_enforce = true; -+} -+#endif -+ - bool secure_modules(void) - { - #ifdef CONFIG_MODULE_SIG --- -2.0.4 - - -From ad56618c3851b102d59bab12d946bcce41caa48f Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode - -A user can manually tell the shim boot loader to disable validation of -images it loads. When a user does this, it creates a UEFI variable called -MokSBState that does not have the runtime attribute set. Given that the -user explicitly disabled validation, we can honor that and not enable -secure boot mode if that variable is set. 
- -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 88edd48f03e9..3b18ef2b534c 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -806,8 +806,9 @@ out: - - static int get_secure_boot(void) - { -- u8 sb, setup; -+ u8 sb, setup, moksbstate; - unsigned long datasize = sizeof(sb); -+ u32 attr; - efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; - efi_status_t status; - -@@ -831,6 +832,23 @@ static int get_secure_boot(void) - if (setup == 1) - return 0; - -+ /* See if a user has put shim into insecure_mode. If so, and the variable -+ * doesn't have the runtime attribute set, we might as well honor that. -+ */ -+ var_guid = EFI_SHIM_LOCK_GUID; -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"MokSBState", &var_guid, &attr, &datasize, -+ &moksbstate); -+ -+ /* If it fails, we don't care why. Default to secure */ -+ if (status != EFI_SUCCESS) -+ return 1; -+ -+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { -+ if (moksbstate == 1) -+ return 0; -+ } -+ - return 1; - } - --- -2.0.4 - - -From d3bcd51e1e47252afa3b2bb4da781b358da7d3d0 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI - -The functionality of the config option is dependent upon the platform being -UEFI based. Reflect this in the config deps. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - arch/x86/Kconfig | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 67e25e3c8583..a46be2f21b95 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1560,7 +1560,8 @@ config EFI_MIXED - If unsure, say N. 
- - config EFI_SECURE_BOOT_SIG_ENFORCE -- def_bool n -+ def_bool n -+ depends on EFI - prompt "Force module signing when UEFI Secure Boot is enabled" - ---help--- - UEFI Secure Boot provides a mechanism for ensuring that the --- -2.0.4 - - -From 3d30f2c07daac85befa76ac44b4dc4db3d64a018 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit - -UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit -for use with efi_enabled. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - arch/x86/kernel/setup.c | 2 ++ - include/linux/efi.h | 1 + - 2 files changed, 3 insertions(+) - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 5a5cf7395724..fb282ff6a802 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p) - - #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE - if (boot_params.secure_boot) { -+ set_bit(EFI_SECURE_BOOT, &efi.flags); - enforce_signed_modules(); -+ pr_info("Secure boot enabled\n"); - } - #endif - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index efc681fd5895..3f683a13d7aa 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -923,6 +923,7 @@ extern int __init efi_setup_pcdp_console(char *); - #define EFI_64BIT 5 /* Is the firmware 64-bit? */ - #define EFI_PARAVIRT 6 /* Access is via a paravirt interface */ - #define EFI_ARCH_1 7 /* First arch-specific bit */ -+#define EFI_SECURE_BOOT 8 /* Are we in Secure Boot mode? */ - - #ifdef CONFIG_EFI - /* --- -2.0.4 - - -From f19107379dbcfced86458de8ad9cf8a6443567e9 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment - -There is currently no way to verify the resume image when returning -from hibernate. 
This might compromise the signed modules trust model, -so until we can work with signed hibernate images we disable it in -a secure modules environment. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - kernel/power/hibernate.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index a9dfa79b6bab..14c7356ff53a 100644 ---- a/kernel/power/hibernate.c -+++ b/kernel/power/hibernate.c -@@ -28,6 +28,7 @@ - #include <linux/syscore_ops.h> - #include <linux/ctype.h> - #include <linux/genhd.h> -+#include <linux/module.h> - #include <trace/events/power.h> - - #include "power.h" -@@ -65,7 +66,7 @@ static const struct platform_hibernation_ops *hibernation_ops; - - bool hibernation_available(void) - { -- return (nohibernate == 0); -+ return ((nohibernate == 0) && !secure_modules()); - } - - /** --- -2.0.4 - diff --git a/silence-fbcon-logo.patch b/silence-fbcon-logo.patch index ccb76386c..263548142 100644 --- a/silence-fbcon-logo.patch +++ b/silence-fbcon-logo.patch @@ -1,11 +1,19 @@ +From b0c75b1839a0ccf645329a0ee2b268109300c2b0 Mon Sep 17 00:00:00 2001 +From: "kernel-team@fedoraproject.org" <kernel-team@fedoraproject.org> +Date: Thu, 29 Jul 2010 16:46:31 -0700 +Subject: [PATCH] silence fbcon logo + Bugzilla: N/A Upstream-status: Fedora mustard +--- + drivers/video/console/fbcon.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c -index 1657b96..4c5c2be 100644 +index 57b1d44acbfe..31048a85713d 100644 --- a/drivers/video/console/fbcon.c +++ b/drivers/video/console/fbcon.c -@@ -631,13 +631,15 @@ static void fbcon_prepare_logo(struct vc_data *vc, struct fb_info *info, +@@ -638,13 +638,15 @@ static void fbcon_prepare_logo(struct vc_data *vc, struct fb_info *info, kfree(save); } 
@@ -28,7 +36,7 @@ index 1657b96..4c5c2be 100644 } } #endif /* MODULE */ -@@ -3489,6 +3491,14 @@ static int __init fb_console_init(void) +@@ -3625,6 +3627,14 @@ static int __init fb_console_init(void) return 0; } @@ -43,3 +51,6 @@ index 1657b96..4c5c2be 100644 module_init(fb_console_init); #ifdef MODULE +-- +1.9.3 + diff --git a/tegra-powergate-header-move.patch b/tegra-powergate-header-move.patch index 2f053c871..17b9264ea 100644 --- a/tegra-powergate-header-move.patch +++ b/tegra-powergate-header-move.patch @@ -1,5 +1,15 @@ +From fff8a8a8830bc36b093ba123b136fd1ec6bf4fa3 Mon Sep 17 00:00:00 2001 +From: Kyle McMartin <kmcmarti@redhat.com> +Date: Tue, 12 Aug 2014 15:28:06 -0400 +Subject: [PATCH] tegra-powergate: header move + +deal with armv7hl breakage +--- + drivers/ata/ahci_tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + diff --git a/drivers/ata/ahci_tegra.c b/drivers/ata/ahci_tegra.c -index fc3df47..4392190 100644 +index fc3df47fca35..7194835bc316 100644 --- a/drivers/ata/ahci_tegra.c +++ b/drivers/ata/ahci_tegra.c @@ -24,7 +24,7 @@ @@ -11,3 +21,6 @@ index fc3df47..4392190 100644 #include <linux/regulator/consumer.h> #include "ahci.h" +-- +1.9.3 + diff --git a/nowatchdog-on-virt.patch b/watchdog-Disable-watchdog-on-virtual-machines.patch index d8cf87953..41b21e344 100644 --- a/nowatchdog-on-virt.patch +++ b/watchdog-Disable-watchdog-on-virtual-machines.patch @@ -1,10 +1,7 @@ -Bugzilla: 971139 -Upstream-status: Fedora mustard for now - -From 17109685bfce322c73a816e097b137458fbd55ae Mon Sep 17 00:00:00 2001 +From bfe8bae33c1a3ce1695ac83052f1c48d1757079c Mon Sep 17 00:00:00 2001 From: Dave Jones <davej@redhat.com> Date: Tue, 24 Jun 2014 08:43:34 -0400 -Subject: [PATCH] Disable watchdog on virtual machines. +Subject: [PATCH] watchdog: Disable watchdog on virtual machines. For various reasons, VMs seem to trigger the soft lockup detector a lot, in cases where it's just not possible for a lockup to occur. 
@@ -15,13 +12,16 @@ the VM for a very long time (Could be the host was under heavy load). Just disable the detector on VMs. +Bugzilla: 971139 +Upstream-status: Fedora mustard for now + Signed-off-by: Dave Jones <davej@redhat.com> --- kernel/watchdog.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/kernel/watchdog.c b/kernel/watchdog.c -index c3319bd1b040..0e3687675aaa 100644 +index a8d6914030fe..d0a8c308170d 100644 --- a/kernel/watchdog.c +++ b/kernel/watchdog.c @@ -24,6 +24,7 @@ @@ -65,7 +65,7 @@ index c3319bd1b040..0e3687675aaa 100644 /* * Hard-lockup warnings should be triggered after just a few seconds. Soft- * lockups can have false positives under extreme conditions. So we generally -@@ -641,6 +668,8 @@ out: +@@ -644,6 +671,8 @@ out: void __init lockup_detector_init(void) { diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch new file mode 100644 index 000000000..7f54e1cb5 --- /dev/null +++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch 
@@ -0,0 +1,71 @@
+From d27eea3ac26af4673f829ab50c90f8879715d739 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Thu, 8 Mar 2012 10:35:59 -0500
+Subject: [PATCH] x86: Lock down IO port access when module security is enabled
+
+IO port access would permit users to gain access to PCI configuration
+registers, which in turn (on a lot of hardware) give access to MMIO register
+space. This would potentially permit root to trigger arbitrary DMA, so lock
+it down by default.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ arch/x86/kernel/ioport.c | 5 +++--
+ drivers/char/mem.c | 4 ++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 4ddaf66ea35f..00b440307419 100644
+--- a/arch/x86/kernel/ioport.c
++++ b/arch/x86/kernel/ioport.c
+@@ -15,6 +15,7 @@
+ #include <linux/thread_info.h>
+ #include <linux/syscalls.h>
+ #include <linux/bitmap.h>
++#include <linux/module.h>
+ #include <asm/syscalls.h>
+ 
+ /*
+@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+ 
+ if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ return -EINVAL;
+- if (turn_on && !capable(CAP_SYS_RAWIO))
++ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
+ return -EPERM;
+ 
+ /*
+@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
+ return -EINVAL;
+ /* Trying to gain more privileges? */
+ if (level > old) {
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) || secure_modules())
+ return -EPERM;
+ }
+ regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 917403fe10da..cdf839f9defe 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -27,6 +27,7 @@
+ #include <linux/export.h>
+ #include <linux/io.h>
+ #include <linux/aio.h>
++#include <linux/module.h>
+ 
+ #include <asm/uaccess.h>
+ 
+@@ -568,6 +569,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+ unsigned long i = *ppos;
+ const char __user *tmp = buf;
+ 
++ if (secure_modules())
++ return -EPERM;
++
+ if (!access_ok(VERIFY_READ, buf, count))
+ return -EFAULT;
+ while (count-- > 0 && i < 65536) {
+-- 
+1.9.3
+
diff --git a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
new file mode 100644
index 000000000..143ccf149
--- /dev/null
+++ b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
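Review bot: The mem.c hunk refuses write_port() under secure_modules(), but the read side of the same device is outside this hunk and, as far as the visible diff shows, untouched; the commit message motivates the lockdown with access to PCI configuration space, which port reads reach as well, so if leaving reads open is deliberate the message should say why. In the two ioport.c hunks the new condition `!capable(CAP_SYS_RAWIO) || secure_modules()` evaluates capable() first, which may be audit-logged as a capability denial; reordering to `secure_modules() || !capable(CAP_SYS_RAWIO)` would avoid recording a refusal that is really lockdown policy as a capability failure. Both the sys_ioperm and the iopl syscall bodies extend beyond the hunks shown.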
@@ -0,0 +1,43 @@
+From 81f5d112eeb6998c51c7c0410bf277bf49e66a8a Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 8 Feb 2013 11:12:13 -0800
+Subject: [PATCH] x86: Restrict MSR access when module loading is restricted
+
+Writing to MSRs should not be allowed if module loading is restricted,
+since it could lead to execution of arbitrary code in kernel mode. Based
+on a patch by Kees Cook.
+
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ arch/x86/kernel/msr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index c9603ac80de5..8bef43fc3f40 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+ int err = 0;
+ ssize_t bytes = 0;
+ 
++ if (secure_modules())
++ return -EPERM;
++
+ if (count % 8)
+ return -EINVAL; /* Invalid chunk size */
+ 
+@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+ err = -EBADF;
+ break;
+ }
++ if (secure_modules()) {
++ err = -EPERM;
++ break;
++ }
+ if (copy_from_user(®s, uregs, sizeof regs)) {
+ err = -EFAULT;
+ break;
+-- 
+1.9.3
+
|
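Review bot: The secure_modules() check added in msr_ioctl sits inside a switch case whose label is outside the hunk; it follows the -EBADF write-mode test, so presumably this is the register-write case, and a short comment such as `/* MSR writes are equivalent to ring-0 code execution; refuse under module signing enforcement, as msr_write() does */` would make that intent visible without reading the surrounding case. The context line `if (copy_from_user(®s, uregs, sizeof regs)) {` reads like an HTML-entity mangling of `&regs`; if that byte sequence is in the committed file rather than only in this rendering, the hunk will not apply against msr.c. The same mangled context line appears in the removed combined patch text earlier on this page, which points at the rendering rather than the file, but it is worth checking the file as committed.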