-rwxr-xr-xmod-extra-blacklist.sh56
-rw-r--r--mod-extra.list196
-rw-r--r--mod-extra.list.rhel191
-rwxr-xr-xmod-extra.sh86
-rw-r--r--redhatsecureboot301.cerbin0 -> 899 bytes
-rw-r--r--redhatsecureboot501.cerbin0 -> 964 bytes
-rw-r--r--redhatsecurebootca1.cerbin0 -> 977 bytes
-rw-r--r--redhatsecurebootca5.cerbin0 -> 920 bytes
-rw-r--r--secureboot_ppc.cerbin0 -> 899 bytes
-rw-r--r--secureboot_s390.cerbin0 -> 899 bytes
10 files changed, 338 insertions, 191 deletions
diff --git a/mod-extra-blacklist.sh b/mod-extra-blacklist.sh
new file mode 100755
index 000000000..c4c4f8f6d
--- /dev/null
+++ b/mod-extra-blacklist.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+buildroot="$1"
+kernel_base="$2"
+
+blacklist()
+{
+ cat > "$buildroot/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__
+ # This kernel module can be automatically loaded by non-root users. To
+ # enhance system security, the module is blacklisted by default to ensure
+ # system administrators make the module available for use as needed.
+ # See https://access.redhat.com/articles/3760101 for more details.
+ #
+ # Remove the blacklist by adding a comment # at the start of the line.
+ blacklist $1
+__EOF__
+}
+
+check_blacklist()
+{
+ if modinfo "$1" | grep -q '^alias:\s\+net-'; then
+ mod="${1##*/}"
+ mod="${mod%.ko*}"
+ echo "$mod has an alias that allows auto-loading. Blacklisting."
+ blacklist "$mod"
+ fi
+}
+
+foreachp()
+{
+ P=$(nproc)
+ bgcount=0
+ while read mod; do
+ $1 "$mod" &
+
+ bgcount=$((bgcount + 1))
+ if [ $bgcount -eq $P ]; then
+ wait -n
+ bgcount=$((bgcount - 1))
+ fi
+ done
+
+ wait
+}
+
+[ -d "$buildroot/etc/modprobe.d/" ] || mkdir -p "$buildroot/etc/modprobe.d/"
+find "$buildroot/$kernel_base/extra" -name "*.ko*" | \
+ foreachp check_blacklist
+
+# Many BIOS-es export a PNP-id which causes the floppy driver to autoload
+# even though most modern systems don't have a 3.5" floppy driver anymore
+# this replaces the old die_floppy_die.patch which removed the PNP-id from
+# the module
+if [ -f $buildroot/$kernel_base/extra/drivers/block/floppy.ko* ]; then
+ blacklist "floppy"
+fi
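Review bot: check_blacklist fails open: when `modinfo "$1"` errors (unreadable module file, missing tool), `grep -q` sees no alias line and the module ships without a blacklist file, while foreachp's bare `wait` and the script's exit status hide the failure. Since the generated modprobe.d files are the hardening control here, capture the modinfo output and status separately, have foreachp collect the status of each `wait -n`, and let the `find … | foreachp check_blacklist` pipeline stop the build on a non-zero result. The floppy test at the end has a related problem: `[ -f $buildroot/$kernel_base/extra/drivers/block/floppy.ko* ]` is unquoted, so a path with whitespace or a glob matching more than one file makes `[` error out and the blacklist is skipped silently. The loop should also use `IFS= read -r mod` so module paths are taken verbatim.

```shell
check_blacklist()
{
    local info
    # A modinfo failure must not look like "no net- alias".
    info=$(modinfo "$1") || { echo "modinfo failed for $1" >&2; return 1; }
    if grep -q '^alias:\s\+net-' <<<"$info"; then
        # … unchanged: derive $mod, log, call blacklist …
    fi
}

foreachp()
{
    # … unchanged: P and bgcount setup …
    rc=0
    while IFS= read -r mod; do
        $1 "$mod" &
        # … unchanged: bgcount increment …
        if [ $bgcount -eq $P ]; then
            wait -n || rc=1
            bgcount=$((bgcount - 1))
        fi
    done

    # Reap the remaining jobs one at a time so every status is seen.
    while [ $bgcount -gt 0 ]; do
        wait -n || rc=1
        bgcount=$((bgcount - 1))
    done
    return $rc
}
```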
diff --git a/mod-extra.list b/mod-extra.list
new file mode 100644
index 000000000..8140f5c9e
--- /dev/null
+++ b/mod-extra.list
@@ -0,0 +1,196 @@
+6pack.ko
+a3d.ko
+act200l-sir.ko
+actisys-sir.ko
+adi.ko
+aer_inject.ko
+af_802154.ko
+affs.ko
+ali-ircc.ko
+analog.ko
+appletalk.ko
+atm.ko
+avma1_cs.ko
+avm_cs.ko
+avmfritz.ko
+ax25.ko
+b1.ko
+bas_gigaset.ko
+batman-adv.ko
+baycom_par.ko
+baycom_ser_fdx.ko
+baycom_ser_hdx.ko
+befs.ko
+bpqether.ko
+br2684.ko
+capi.ko
+c_can.ko
+c_can_platform.ko
+clip.ko
+cobra.ko
+coda.ko
+cuse.ko
+db9.ko
+dccp_diag.ko
+dccp_ipv4.ko
+dccp_ipv6.ko
+dccp.ko
+dccp_probe.ko
+diva_idi.ko
+divas.ko
+dlm.ko
+ds1wm.ko
+ds2482.ko
+ds2490.ko
+dss1_divert.ko
+elsa_cs.ko
+ems_pci.ko
+ems_usb.ko
+esd_usb2.ko
+esi-sir.ko
+floppy.ko
+gamecon.ko
+gf2k.ko
+gfs2.ko
+gigaset.ko
+girbil-sir.ko
+grip.ko
+grip_mp.ko
+guillemot.ko
+hdlcdrv.ko
+hfc4s8s_l1.ko
+hfcmulti.ko
+hfcpci.ko
+hisax.ko
+hwa-rc.ko
+hysdn.ko
+i2400m.ko
+i2400m-sdio.ko
+i2400m-usb.ko
+ieee802154.ko
+iforce.ko
+interact.ko
+ipddp.ko
+ipx.ko
+isdn.ko
+joydump.ko
+kingsun-sir.ko
+ks959-sir.ko
+ksdazzle-sir.ko
+kvaser_pci.ko
+l2tp_core.ko
+l2tp_debugfs.ko
+l2tp_eth.ko
+l2tp_ip.ko
+l2tp_netlink.ko
+l2tp_ppp.ko
+lec.ko
+ma600-sir.ko
+magellan.ko
+mcp2120-sir.ko
+mISDN_core.ko
+mISDN_dsp.ko
+mkiss.ko
+mptbase.ko
+mptctl.ko
+mptfc.ko
+nci.ko
+ncpfs.ko
+netjet.ko
+netrom.ko
+nfc.ko
+nilfs2.ko
+ocfs2_dlmfs.ko
+ocfs2_dlm.ko
+ocfs2.ko
+ocfs2_nodemanager.ko
+ocfs2_stackglue.ko
+ocfs2_stack_o2cb.ko
+ocfs2_stack_user.ko
+old_belkin-sir.ko
+orinoco_cs.ko
+orinoco.ko
+orinoco_nortel.ko
+orinoco_pci.ko
+orinoco_plx.ko
+orinoco_usb.ko
+pcspkr.ko
+plx_pci.ko
+pn_pep.ko
+pppoatm.ko
+rds.ko
+rds_rdma.ko
+rds_tcp.ko
+rose.ko
+sch_atm.ko
+sch_cbq.ko
+sch_choke.ko
+sch_drr.ko
+sch_dsmark.ko
+sch_etf.ko
+sch_gred.ko
+sch_mqprio.ko
+sch_multiq.ko
+sch_netem.ko
+sch_qfq.ko
+sch_red.ko
+sch_sfb.ko
+sch_teql.ko
+sctp.ko
+sctp_probe.ko
+sidewinder.ko
+sja1000.ko
+sja1000_platform.ko
+slcan.ko
+slip.ko
+softing_cs.ko
+softing.ko
+spaceball.ko
+spaceorb.ko
+stinger.ko
+sysv.ko
+tcp_bic.ko
+tcp_highspeed.ko
+tcp_htcp.ko
+tcp_hybla.ko
+tcp_illinois.ko
+tcp_lp.ko
+tcp_scalable.ko
+tcp_vegas.ko
+tcp_veno.ko
+tcp_westwood.ko
+tcp_yeah.ko
+tekram-sir.ko
+tmdc.ko
+toim3232-sir.ko
+trancevibrator.ko
+turbografx.ko
+twidjoy.ko
+ubifs.ko
+ufs.ko
+umc.ko
+usbip-core.ko
+usbip-host.ko
+uwb.ko
+vcan.ko
+vhci-hcd.ko
+w1_bq27000.ko
+w1_ds2408.ko
+w1_ds2423.ko
+w1_ds2431.ko
+w1_ds2433.ko
+w1_ds2760.ko
+w1_ds2780.ko
+w1_ds2781.ko
+w1_ds28e04.ko
+w1_smem.ko
+w1_therm.ko
+w6692.ko
+walkera0701.ko
+wanrouter.ko
+warrior.ko
+whci.ko
+wire.ko
+xpad.ko
+yam.ko
+zhenhua.ko
diff --git a/mod-extra.list.rhel b/mod-extra.list.rhel
index c0c730e56..e69de29bb 100644
--- a/mod-extra.list.rhel
+++ b/mod-extra.list.rhel
@@ -1,191 +0,0 @@
-6pack.ko
-a3d.ko
-act200l-sir.ko
-actisys-sir.ko
-adi.ko
-aer_inject.ko
-af_802154.ko
-affs.ko
-ali-ircc.ko
-analog.ko
-appletalk.ko
-atm.ko
-avma1_cs.ko
-avm_cs.ko
-avmfritz.ko
-ax25.ko
-b1.ko
-bas_gigaset.ko
-batman-adv.ko
-baycom_par.ko
-baycom_ser_fdx.ko
-baycom_ser_hdx.ko
-befs.ko
-bpqether.ko
-br2684.ko
-capi.ko
-c_can.ko
-c_can_platform.ko
-clip.ko
-cobra.ko
-coda.ko
-cuse.ko
-db9.ko
-dccp_diag.ko
-dccp_ipv4.ko
-dccp_ipv6.ko
-dccp.ko
-dccp_probe.ko
-diva_idi.ko
-divas.ko
-ds1wm.ko
-ds2482.ko
-ds2490.ko
-dss1_divert.ko
-elsa_cs.ko
-ems_pci.ko
-ems_usb.ko
-esd_usb2.ko
-esi-sir.ko
-gamecon.ko
-gf2k.ko
-gigaset.ko
-girbil-sir.ko
-grip.ko
-grip_mp.ko
-guillemot.ko
-hdlcdrv.ko
-hfc4s8s_l1.ko
-hfcmulti.ko
-hfcpci.ko
-hisax.ko
-hwa-rc.ko
-hysdn.ko
-i2400m.ko
-i2400m-sdio.ko
-i2400m-usb.ko
-ieee802154.ko
-iforce.ko
-interact.ko
-ipddp.ko
-ipx.ko
-isdn.ko
-joydump.ko
-kingsun-sir.ko
-ks959-sir.ko
-ksdazzle-sir.ko
-kvaser_pci.ko
-l2tp_core.ko
-l2tp_debugfs.ko
-l2tp_eth.ko
-l2tp_ip.ko
-l2tp_netlink.ko
-l2tp_ppp.ko
-lec.ko
-ma600-sir.ko
-magellan.ko
-mcp2120-sir.ko
-mISDN_core.ko
-mISDN_dsp.ko
-mkiss.ko
-mptbase.ko
-mptctl.ko
-mptfc.ko
-nci.ko
-ncpfs.ko
-netjet.ko
-netrom.ko
-nfc.ko
-nilfs2.ko
-ocfs2_dlmfs.ko
-ocfs2_dlm.ko
-ocfs2.ko
-ocfs2_nodemanager.ko
-ocfs2_stackglue.ko
-ocfs2_stack_o2cb.ko
-ocfs2_stack_user.ko
-old_belkin-sir.ko
-orinoco_cs.ko
-orinoco.ko
-orinoco_nortel.ko
-orinoco_pci.ko
-orinoco_plx.ko
-orinoco_usb.ko
-plx_pci.ko
-pn_pep.ko
-pppoatm.ko
-rds.ko
-rds_rdma.ko
-rds_tcp.ko
-rose.ko
-sch_atm.ko
-sch_cbq.ko
-sch_choke.ko
-sch_drr.ko
-sch_dsmark.ko
-sch_gred.ko
-sch_mqprio.ko
-sch_multiq.ko
-sch_netem.ko
-sch_qfq.ko
-sch_red.ko
-sch_sfb.ko
-sch_teql.ko
-sctp.ko
-sctp_probe.ko
-sidewinder.ko
-sja1000.ko
-sja1000_platform.ko
-slcan.ko
-slip.ko
-softing_cs.ko
-softing.ko
-spaceball.ko
-spaceorb.ko
-stinger.ko
-sysv.ko
-tcp_bic.ko
-tcp_highspeed.ko
-tcp_htcp.ko
-tcp_hybla.ko
-tcp_illinois.ko
-tcp_lp.ko
-tcp_scalable.ko
-tcp_vegas.ko
-tcp_veno.ko
-tcp_westwood.ko
-tcp_yeah.ko
-tekram-sir.ko
-tmdc.ko
-toim3232-sir.ko
-trancevibrator.ko
-turbografx.ko
-twidjoy.ko
-ubifs.ko
-ufs.ko
-umc.ko
-usbip-core.ko
-usbip-host.ko
-uwb.ko
-vcan.ko
-vhci-hcd.ko
-w1_bq27000.ko
-w1_ds2408.ko
-w1_ds2423.ko
-w1_ds2431.ko
-w1_ds2433.ko
-w1_ds2760.ko
-w1_ds2780.ko
-w1_ds2781.ko
-w1_ds28e04.ko
-w1_smem.ko
-w1_therm.ko
-w6692.ko
-walkera0701.ko
-wanrouter.ko
-warrior.ko
-whci.ko
-wire.ko
-xpad.ko
-yam.ko
-zhenhua.ko
diff --git a/mod-extra.sh b/mod-extra.sh
new file mode 100755
index 000000000..7dc075b98
--- /dev/null
+++ b/mod-extra.sh
@@ -0,0 +1,86 @@
+#! /bin/bash
+
+Dir=$1
+List=$2
+Dest="extra"
+
+# Destination was specified on the command line
+test -n "$3" && Dest="$3"
+
+pushd $Dir
+rm -rf modnames
+find . -name "*.ko" -type f > modnames
+# Look through all of the modules, and throw any that have a dependency in
+# our list into the list as well.
+rm -rf dep.list dep2.list
+rm -rf req.list req2.list
+touch dep.list req.list
+cp "$List" .
+
+# This variable needs to be exported because it is used in sub-script
+# executed by xargs
+export ListName=$(basename "$List")
+
+# NB: this loop runs 2000+ iterations. Try to be fast.
+NPROC=`nproc`
+[ -z "$NPROC" ] && NPROC=1
+cat modnames | xargs -r -n1 -P $NPROC sh -c '
+ dep=$1
+ depends=`modinfo $dep | sed -n -e "/^depends/ s/^depends:[ \t]*//p"`
+ [ -z "$depends" ] && exit
+ for mod in ${depends//,/ }
+ do
+ match=$(grep "^$mod.ko" "$ListName")
+ [ -z "$match" ] && continue
+ # check if the module we are looking at is in mod-extra too.
+ # if so we do not need to mark the dep as required.
+ mod2=${dep##*/} # same as `basename $dep`, but faster
+ match2=$(grep "^$mod2" "$ListName")
+ if [ -n "$match2" ]
+ then
+ #echo $mod2 >> notreq.list
+ continue
+ fi
+ echo $mod.ko >> req.list
+ done
+' DUMMYARG0 # xargs appends MODNAME, which becomes $dep in the script above
+
+sort -u req.list > req2.list
+sort -u "$ListName" > modules2.list
+join -v 1 modules2.list req2.list > modules3.list
+
+for mod in $(cat modules3.list)
+do
+ # get the path for the module
+ modpath=`grep /$mod modnames`
+ [ -z "$modpath" ] && continue
+ echo $modpath >> dep.list
+done
+
+sort -u dep.list > dep2.list
+
+# now move the modules into the extra/ directory
+for mod in `cat dep2.list`
+do
+ newpath=`dirname $mod | sed -e "s/kernel\\//$Dest\//"`
+ mkdir -p $newpath
+ mv $mod $newpath
+done
+
+popd
+
+# If we're signing modules, we can't leave the .mod files for the .ko files
+# we've moved in .tmp_versions/. Remove them so the Kbuild 'modules_sign'
+# target doesn't try to sign a non-existent file. This is kinda ugly, but
+# so is modules-extra.
+
+for mod in `cat ${Dir}/dep2.list`
+do
+ modfile=`basename $mod | sed -e 's/.ko/.mod/'`
+ rm .tmp_versions/$modfile
+done
+
+pushd $Dir
+rm modnames dep.list dep2.list req.list req2.list
+rm "$ListName" modules2.list modules3.list
+popd
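Review bot: `pushd $Dir` is unquoted and its result is never checked, so if the directory is missing or the argument is empty, the following `rm -rf modnames`, `find .` and the later `mv` of modules run in whatever directory the caller started in; use `pushd "$Dir" || exit 1`, and the same for the second `pushd` near the end. The per-module script is started with `sh -c` but uses `${depends//,/ }`, which is a bash substitution and fails where `sh` is not bash; `bash -c` would match the file's shebang. The list lookups `grep "^$mod.ko" "$ListName"` and `grep "^$mod2" "$ListName"` treat the name as a regex anchored only at the start, so `.` matches any character and a prefix counts as a hit; unless the prefix match is intended, `match=$(grep -xF -- "$mod.ko" "$ListName")` compares whole lines literally.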
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer
new file mode 100644
index 000000000..20e660479
--- /dev/null
+++ b/redhatsecureboot301.cer
Binary files differ
diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer
new file mode 100644
index 000000000..dfa7afb46
--- /dev/null
+++ b/redhatsecureboot501.cer
Binary files differ
diff --git a/redhatsecurebootca1.cer b/redhatsecurebootca1.cer
new file mode 100644
index 000000000..b2354007b
--- /dev/null
+++ b/redhatsecurebootca1.cer
Binary files differ
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
new file mode 100644
index 000000000..dfb028495
--- /dev/null
+++ b/redhatsecurebootca5.cer
Binary files differ
diff --git a/secureboot_ppc.cer b/secureboot_ppc.cer
new file mode 100644
index 000000000..2c0087dbc
--- /dev/null
+++ b/secureboot_ppc.cer
Binary files differ
diff --git a/secureboot_s390.cer b/secureboot_s390.cer
new file mode 100644
index 000000000..137d3858f
--- /dev/null
+++ b/secureboot_s390.cer
Binary files differ