-rwxr-xr-x | mod-extra-blacklist.sh | 56 | ||||
-rw-r--r-- | mod-extra.list | 196 | ||||
-rw-r--r-- | mod-extra.list.rhel | 191 | ||||
-rwxr-xr-x | mod-extra.sh | 86 | ||||
-rw-r--r-- | redhatsecureboot301.cer | bin | 0 -> 899 bytes | |||
-rw-r--r-- | redhatsecureboot501.cer | bin | 0 -> 964 bytes | |||
-rw-r--r-- | redhatsecurebootca1.cer | bin | 0 -> 977 bytes | |||
-rw-r--r-- | redhatsecurebootca5.cer | bin | 0 -> 920 bytes | |||
-rw-r--r-- | secureboot_ppc.cer | bin | 0 -> 899 bytes | |||
-rw-r--r-- | secureboot_s390.cer | bin | 0 -> 899 bytes |
10 files changed, 338 insertions, 191 deletions
diff --git a/mod-extra-blacklist.sh b/mod-extra-blacklist.sh
new file mode 100755
index 000000000..c4c4f8f6d
--- /dev/null
+++ b/mod-extra-blacklist.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+buildroot="$1"
+kernel_base="$2"
+
+blacklist()
+{
+ cat > "$buildroot/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__
+ # This kernel module can be automatically loaded by non-root users. To
+ # enhance system security, the module is blacklisted by default to ensure
+ # system administrators make the module available for use as needed.
+ # See https://access.redhat.com/articles/3760101 for more details.
+ #
+ # Remove the blacklist by adding a comment # at the start of the line.
+ blacklist $1
+__EOF__
+}
+
+check_blacklist()
+{
+ if modinfo "$1" | grep -q '^alias:\s\+net-'; then
+ mod="${1##*/}"
+ mod="${mod%.ko*}"
+ echo "$mod has an alias that allows auto-loading. Blacklisting."
+ blacklist "$mod"
+ fi
+}
+
+foreachp()
+{
+ P=$(nproc)
+ bgcount=0
+ while read mod; do
+ $1 "$mod" &
+
+ bgcount=$((bgcount + 1))
+ if [ $bgcount -eq $P ]; then
+ wait -n
+ bgcount=$((bgcount - 1))
+ fi
+ done
+
+ wait
+}
+
+[ -d "$buildroot/etc/modprobe.d/" ] || mkdir -p "$buildroot/etc/modprobe.d/"
+find "$buildroot/$kernel_base/extra" -name "*.ko*" | \
+ foreachp check_blacklist
+
+# Many BIOS-es export a PNP-id which causes the floppy driver to autoload
+# even though most modern systems don't have a 3.5" floppy driver anymore
+# this replaces the old die_floppy_die.patch which removed the PNP-id from
+# the module
+if [ -f $buildroot/$kernel_base/extra/drivers/block/floppy.ko* ]; then
+ blacklist "floppy"
+fi
diff --git a/mod-extra.list b/mod-extra.list
new file mode 100644
index 000000000..8140f5c9e
--- /dev/null
+++ b/mod-extra.list
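Review bot: `check_blacklist` fails open: if `modinfo "$1"` errors out (for example on a module file it cannot read), the pipeline simply reports no match, the module is left un-blacklisted, and nothing fails because `foreachp` ends in a bare `wait`, which returns 0 whatever the background jobs did. Since this script exists to set a security default, an unreadable module should stop the build rather than pass as "no net- alias". The fence captures the modinfo output first, reaps jobs with `wait -n` so a failure reaches the caller, and adds `|| exit 1` to the `find … | foreachp` line. The floppy test has the same weakness: `[ -f $buildroot/…/floppy.ko* ]` is unquoted, so a path containing whitespace or a glob matching more than one file makes `[` error out and the blacklist is silently skipped. The fence also switches `read mod` to `IFS= read -r mod` so module paths are read verbatim.

```bash
check_blacklist()
{
	local info mod
	# Fail closed: a module modinfo cannot read must not pass as "no net- alias".
	info=$(modinfo "$1") || return 1
	if grep -q '^alias:\s\+net-' <<<"$info"; then
		# … unchanged: derive $mod, echo, blacklist "$mod" …
	fi
}

foreachp()
{
	local P bgcount=0 failed=0 mod
	P=$(nproc)
	while IFS= read -r mod; do
		"$1" "$mod" &
		bgcount=$((bgcount + 1))
		if [ "$bgcount" -ge "$P" ]; then
			wait -n || failed=1
			bgcount=$((bgcount - 1))
		fi
	done
	# A bare `wait` returns 0 regardless of job status; reap one at a time.
	while [ "$bgcount" -gt 0 ]; do
		wait -n || failed=1
		bgcount=$((bgcount - 1))
	done
	return "$failed"
}

# … unchanged: mkdir -p of modprobe.d …
find "$buildroot/$kernel_base/extra" -name "*.ko*" | \
	foreachp check_blacklist || exit 1

# … unchanged: floppy comment …
for f in "$buildroot/$kernel_base"/extra/drivers/block/floppy.ko*; do
	if [ -f "$f" ]; then
		blacklist "floppy"
		break
	fi
done
```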
@@ -0,0 +1,196 @@
+6pack.ko
+a3d.ko
+act200l-sir.ko
+actisys-sir.ko
+adi.ko
+aer_inject.ko
+af_802154.ko
+affs.ko
+ali-ircc.ko
+analog.ko
+appletalk.ko
+atm.ko
+avma1_cs.ko
+avm_cs.ko
+avmfritz.ko
+ax25.ko
+b1.ko
+bas_gigaset.ko
+batman-adv.ko
+baycom_par.ko
+baycom_ser_fdx.ko
+baycom_ser_hdx.ko
+befs.ko
+bpqether.ko
+br2684.ko
+capi.ko
+c_can.ko
+c_can_platform.ko
+clip.ko
+cobra.ko
+coda.ko
+cuse.ko
+db9.ko
+dccp_diag.ko
+dccp_ipv4.ko
+dccp_ipv6.ko
+dccp.ko
+dccp_probe.ko
+diva_idi.ko
+divas.ko
+dlm.ko
+ds1wm.ko
+ds2482.ko
+ds2490.ko
+dss1_divert.ko
+elsa_cs.ko
+ems_pci.ko
+ems_usb.ko
+esd_usb2.ko
+esi-sir.ko
+floppy.ko
+gamecon.ko
+gf2k.ko
+gfs2.ko
+gigaset.ko
+girbil-sir.ko
+grip.ko
+grip_mp.ko
+guillemot.ko
+hdlcdrv.ko
+hfc4s8s_l1.ko
+hfcmulti.ko
+hfcpci.ko
+hisax.ko
+hwa-rc.ko
+hysdn.ko
+i2400m.ko
+i2400m-sdio.ko
+i2400m-usb.ko
+ieee802154.ko
+iforce.ko
+interact.ko
+ipddp.ko
+ipx.ko
+isdn.ko
+joydump.ko
+kingsun-sir.ko
+ks959-sir.ko
+ksdazzle-sir.ko
+kvaser_pci.ko
+l2tp_core.ko
+l2tp_debugfs.ko
+l2tp_eth.ko
+l2tp_ip.ko
+l2tp_netlink.ko
+l2tp_ppp.ko
+lec.ko
+ma600-sir.ko
+magellan.ko
+mcp2120-sir.ko
+mISDN_core.ko
+mISDN_dsp.ko
+mkiss.ko
+mptbase.ko
+mptctl.ko
+mptfc.ko
+nci.ko
+ncpfs.ko
+netjet.ko
+netrom.ko
+nfc.ko
+nilfs2.ko
+ocfs2_dlmfs.ko
+ocfs2_dlm.ko
+ocfs2.ko
+ocfs2_nodemanager.ko
+ocfs2_stackglue.ko
+ocfs2_stack_o2cb.ko
+ocfs2_stack_user.ko
+old_belkin-sir.ko
+orinoco_cs.ko
+orinoco.ko
+orinoco_nortel.ko
+orinoco_pci.ko
+orinoco_plx.ko
+orinoco_usb.ko
+pcspkr.ko
+plx_pci.ko
+pn_pep.ko
+pppoatm.ko
+rds.ko
+rds_rdma.ko
+rds_tcp.ko
+rose.ko
+sch_atm.ko
+sch_cbq.ko
+sch_choke.ko
+sch_drr.ko
+sch_dsmark.ko
+sch_etf.ko
+sch_gred.ko
+sch_mqprio.ko
+sch_multiq.ko
+sch_netem.ko
+sch_qfq.ko
+sch_red.ko
+sch_sfb.ko
+sch_teql.ko
+sctp.ko
+sctp_probe.ko
+sidewinder.ko
+sja1000.ko
+sja1000_platform.ko
+slcan.ko
+slip.ko
+softing_cs.ko
+softing.ko
+spaceball.ko
+spaceorb.ko
+stinger.ko
+sysv.ko
+tcp_bic.ko
+tcp_highspeed.ko
+tcp_htcp.ko
+tcp_hybla.ko
+tcp_illinois.ko
+tcp_lp.ko
+tcp_scalable.ko
+tcp_vegas.ko
+tcp_veno.ko
+tcp_westwood.ko
+tcp_yeah.ko
+tekram-sir.ko
+tmdc.ko
+toim3232-sir.ko
+trancevibrator.ko
+turbografx.ko
+twidjoy.ko
+ubifs.ko
+ufs.ko
+umc.ko
+usbip-core.ko
+usbip-host.ko
+uwb.ko
+vcan.ko
+vhci-hcd.ko
+w1_bq27000.ko
+w1_ds2408.ko
+w1_ds2423.ko
+w1_ds2431.ko
+w1_ds2433.ko
+w1_ds2760.ko
+w1_ds2780.ko
+w1_ds2781.ko
+w1_ds28e04.ko
+w1_smem.ko
+w1_therm.ko
+w6692.ko
+walkera0701.ko
+wanrouter.ko
+warrior.ko
+whci.ko
+wire.ko
+xpad.ko
+yam.ko
+zhenhua.ko
diff --git a/mod-extra.list.rhel b/mod-extra.list.rhel
index c0c730e56..e69de29bb 100644
--- a/mod-extra.list.rhel
+++ b/mod-extra.list.rhel
@@ -1,191 +0,0 @@
-6pack.ko
-a3d.ko
-act200l-sir.ko
-actisys-sir.ko
-adi.ko
-aer_inject.ko
-af_802154.ko
-affs.ko
-ali-ircc.ko
-analog.ko
-appletalk.ko
-atm.ko
-avma1_cs.ko
-avm_cs.ko
-avmfritz.ko
-ax25.ko
-b1.ko
-bas_gigaset.ko
-batman-adv.ko
-baycom_par.ko
-baycom_ser_fdx.ko
-baycom_ser_hdx.ko
-befs.ko
-bpqether.ko
-br2684.ko
-capi.ko
-c_can.ko
-c_can_platform.ko
-clip.ko
-cobra.ko
-coda.ko
-cuse.ko
-db9.ko
-dccp_diag.ko
-dccp_ipv4.ko
-dccp_ipv6.ko
-dccp.ko
-dccp_probe.ko
-diva_idi.ko
-divas.ko
-ds1wm.ko
-ds2482.ko
-ds2490.ko
-dss1_divert.ko
-elsa_cs.ko
-ems_pci.ko
-ems_usb.ko
-esd_usb2.ko
-esi-sir.ko
-gamecon.ko
-gf2k.ko
-gigaset.ko
-girbil-sir.ko
-grip.ko
-grip_mp.ko
-guillemot.ko
-hdlcdrv.ko
-hfc4s8s_l1.ko
-hfcmulti.ko
-hfcpci.ko
-hisax.ko
-hwa-rc.ko
-hysdn.ko
-i2400m.ko
-i2400m-sdio.ko
-i2400m-usb.ko
-ieee802154.ko
-iforce.ko
-interact.ko
-ipddp.ko
-ipx.ko
-isdn.ko
-joydump.ko
-kingsun-sir.ko
-ks959-sir.ko
-ksdazzle-sir.ko
-kvaser_pci.ko
-l2tp_core.ko
-l2tp_debugfs.ko
-l2tp_eth.ko
-l2tp_ip.ko
-l2tp_netlink.ko
-l2tp_ppp.ko
-lec.ko
-ma600-sir.ko
-magellan.ko
-mcp2120-sir.ko
-mISDN_core.ko
-mISDN_dsp.ko
-mkiss.ko
-mptbase.ko
-mptctl.ko
-mptfc.ko
-nci.ko
-ncpfs.ko
-netjet.ko
-netrom.ko
-nfc.ko
-nilfs2.ko
-ocfs2_dlmfs.ko
-ocfs2_dlm.ko
-ocfs2.ko
-ocfs2_nodemanager.ko
-ocfs2_stackglue.ko
-ocfs2_stack_o2cb.ko
-ocfs2_stack_user.ko
-old_belkin-sir.ko
-orinoco_cs.ko
-orinoco.ko
-orinoco_nortel.ko
-orinoco_pci.ko
-orinoco_plx.ko
-orinoco_usb.ko
-plx_pci.ko
-pn_pep.ko
-pppoatm.ko
-rds.ko
-rds_rdma.ko
-rds_tcp.ko
-rose.ko
-sch_atm.ko
-sch_cbq.ko
-sch_choke.ko
-sch_drr.ko
-sch_dsmark.ko
-sch_gred.ko
-sch_mqprio.ko
-sch_multiq.ko
-sch_netem.ko
-sch_qfq.ko
-sch_red.ko
-sch_sfb.ko
-sch_teql.ko
-sctp.ko
-sctp_probe.ko
-sidewinder.ko
-sja1000.ko
-sja1000_platform.ko
-slcan.ko
-slip.ko
-softing_cs.ko
-softing.ko
-spaceball.ko
-spaceorb.ko
-stinger.ko
-sysv.ko
-tcp_bic.ko
-tcp_highspeed.ko
-tcp_htcp.ko
-tcp_hybla.ko
-tcp_illinois.ko
-tcp_lp.ko
-tcp_scalable.ko
-tcp_vegas.ko
-tcp_veno.ko
-tcp_westwood.ko
-tcp_yeah.ko
-tekram-sir.ko
-tmdc.ko
-toim3232-sir.ko
-trancevibrator.ko
-turbografx.ko
-twidjoy.ko
-ubifs.ko
-ufs.ko
-umc.ko
-usbip-core.ko
-usbip-host.ko
-uwb.ko
-vcan.ko
-vhci-hcd.ko
-w1_bq27000.ko
-w1_ds2408.ko
-w1_ds2423.ko
-w1_ds2431.ko
-w1_ds2433.ko
-w1_ds2760.ko
-w1_ds2780.ko
-w1_ds2781.ko
-w1_ds28e04.ko
-w1_smem.ko
-w1_therm.ko
-w6692.ko
-walkera0701.ko
-wanrouter.ko
-warrior.ko
-whci.ko
-wire.ko
-xpad.ko
-yam.ko
-zhenhua.ko
diff --git a/mod-extra.sh b/mod-extra.sh
new file mode 100755
index 000000000..7dc075b98
--- /dev/null
+++ b/mod-extra.sh
@@ -0,0 +1,86 @@
+#! /bin/bash
+
+Dir=$1
+List=$2
+Dest="extra"
+
+# Destination was specified on the command line
+test -n "$3" && Dest="$3"
+
+pushd $Dir
+rm -rf modnames
+find . -name "*.ko" -type f > modnames
+# Look through all of the modules, and throw any that have a dependency in
+# our list into the list as well.
+rm -rf dep.list dep2.list
+rm -rf req.list req2.list
+touch dep.list req.list
+cp "$List" .
+
+# This variable needs to be exported because it is used in sub-script
+# executed by xargs
+export ListName=$(basename "$List")
+
+# NB: this loop runs 2000+ iterations. Try to be fast.
+NPROC=`nproc`
+[ -z "$NPROC" ] && NPROC=1
+cat modnames | xargs -r -n1 -P $NPROC sh -c '
+ dep=$1
+ depends=`modinfo $dep | sed -n -e "/^depends/ s/^depends:[ \t]*//p"`
+ [ -z "$depends" ] && exit
+ for mod in ${depends//,/ }
+ do
+ match=$(grep "^$mod.ko" "$ListName")
+ [ -z "$match" ] && continue
+ # check if the module we are looking at is in mod-extra too.
+ # if so we do not need to mark the dep as required.
+ mod2=${dep##*/} # same as `basename $dep`, but faster
+ match2=$(grep "^$mod2" "$ListName")
+ if [ -n "$match2" ]
+ then
+ #echo $mod2 >> notreq.list
+ continue
+ fi
+ echo $mod.ko >> req.list
+ done
+' DUMMYARG0 # xargs appends MODNAME, which becomes $dep in the script above
+
+sort -u req.list > req2.list
+sort -u "$ListName" > modules2.list
+join -v 1 modules2.list req2.list > modules3.list
+
+for mod in $(cat modules3.list)
+do
+ # get the path for the module
+ modpath=`grep /$mod modnames`
+ [ -z "$modpath" ] && continue
+ echo $modpath >> dep.list
+done
+
+sort -u dep.list > dep2.list
+
+# now move the modules into the extra/ directory
+for mod in `cat dep2.list`
+do
+ newpath=`dirname $mod | sed -e "s/kernel\\//$Dest\//"`
+ mkdir -p $newpath
+ mv $mod $newpath
+done
+
+popd
+
+# If we're signing modules, we can't leave the .mod files for the .ko files
+# we've moved in .tmp_versions/. Remove them so the Kbuild 'modules_sign'
+# target doesn't try to sign a non-existent file. This is kinda ugly, but
+# so is modules-extra.
+
+for mod in `cat ${Dir}/dep2.list`
+do
+ modfile=`basename $mod | sed -e 's/.ko/.mod/'`
+ rm .tmp_versions/$modfile
+done
+
+pushd $Dir
+rm modnames dep.list dep2.list req.list req2.list
+rm "$ListName" modules2.list modules3.list
+popd
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer
Binary files differ
new file mode 100644
index 000000000..20e660479
--- /dev/null
+++ b/redhatsecureboot301.cer
diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer
Binary files differ
new file mode 100644
index 000000000..dfa7afb46
--- /dev/null
+++ b/redhatsecureboot501.cer
diff --git a/redhatsecurebootca1.cer b/redhatsecurebootca1.cer
Binary files differ
new file mode 100644
index 000000000..b2354007b
--- /dev/null
+++ b/redhatsecurebootca1.cer
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
Binary files differ
new file mode 100644
index 000000000..dfb028495
--- /dev/null
+++ b/redhatsecurebootca5.cer
diff --git a/secureboot_ppc.cer b/secureboot_ppc.cer
Binary files differ
new file mode 100644
index 000000000..2c0087dbc
--- /dev/null
+++ b/secureboot_ppc.cer
diff --git a/secureboot_s390.cer b/secureboot_s390.cer
Binary files differ
new file mode 100644
index 000000000..137d3858f
--- /dev/null
+++ b/secureboot_s390.cer |
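Review bot: In mod-extra.sh, `pushd $Dir` is unquoted and its result is never checked, so if the directory argument is empty, contains whitespace or does not exist, the following `rm -rf modnames`, `find . -name "*.ko"` and the later `mv $mod $newpath` all run in whatever directory the caller was in. Both `pushd` calls should read `pushd "$Dir" || exit 1`, and the expansions that carry paths (`$mod`, `$newpath`, `.tmp_versions/$modfile`) should be quoted. Separately, the inline script is started with `sh -c` but uses `${depends//,/ }`, which is a bash extension; `bash -c` would state that dependency instead of relying on `/bin/sh` being bash. The lookups `grep "^$mod.ko" "$ListName"` and `grep /$mod modnames` are unanchored regexes in which `.` matches any character, so a name can also match a longer entry; an end anchor, or `grep -x -F` for the list lookup, would make the match exact.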