-rw-r--r--Add-EFI-signature-data-types.patch10
-rw-r--r--Add-an-EFI-signature-blob-parser-and-key-loader.patch14
-rw-r--r--Add-option-to-automatically-enforce-module-signature.patch32
-rw-r--r--Add-sysrq-option-to-disable-secure-boot-mode.patch38
-rw-r--r--KEYS-Add-a-system-blacklist-keyring.patch77
-rw-r--r--MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch81
-rw-r--r--MODSIGN-Support-not-importing-certs-from-db.patch20
-rw-r--r--config-arm-generic1
-rw-r--r--config-arm642
-rw-r--r--config-armv73
-rw-r--r--config-armv7-generic1
-rw-r--r--config-generic4
-rw-r--r--config-powerpc64-generic2
-rw-r--r--config-s390x2
-rw-r--r--config-x86-generic1
-rw-r--r--config-x86_64-generic6
-rw-r--r--drm-i915-hush-check-crtc-state.patch24
-rw-r--r--efi-Add-EFI_SECURE_BOOT-bit.patch14
-rw-r--r--efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch12
-rw-r--r--gitrev2
-rw-r--r--hibernate-Disable-in-a-signed-modules-environment.patch8
-rw-r--r--kernel.spec11
-rw-r--r--sources2
23 files changed, 213 insertions, 154 deletions
diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch
index dd1840817..094c5a34c 100644
--- a/Add-EFI-signature-data-types.patch
+++ b/Add-EFI-signature-data-types.patch
@@ -1,7 +1,7 @@
-From 6fb2a60e6bfb5ce2d3a4964e7b47ac5c7ecd6f82 Mon Sep 17 00:00:00 2001
+From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH] Add EFI signature data types
+Subject: [PATCH 4/9] Add EFI signature data types
Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification.
@@ -15,10 +15,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 20 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index fb0734f..b80227a 100644
+index 8cb38cfcba74..8c274b4ea8e6 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -653,6 +653,12 @@ void efi_native_runtime_setup(void);
+@@ -647,6 +647,12 @@ void efi_native_runtime_setup(void);
EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, \
0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
@@ -31,7 +31,7 @@ index fb0734f..b80227a 100644
typedef struct {
efi_guid_t guid;
u64 table;
-@@ -885,6 +891,20 @@ typedef struct {
+@@ -879,6 +885,20 @@ typedef struct {
efi_memory_desc_t entry[0];
} efi_memory_attributes_table_t;
diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
index 78f482b39..3697a4b74 100644
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@@ -1,7 +1,7 @@
-From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001
+From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
+Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
@@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
create mode 100644 crypto/asymmetric_keys/efi_parser.c
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index e28e912..94024e8 100644
+index e28e912000a7..94024e8aedaa 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
@@ -34,7 +34,7 @@ index e28e912..94024e8 100644
+
endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index 6516855..c099fe1 100644
+index 6516855bec18..c099fe15ed6d 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -10,6 +10,7 @@ asymmetric_keys-y := \
@@ -47,7 +47,7 @@ index 6516855..c099fe1 100644
# X.509 Certificate handling
diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
new file mode 100644
-index 0000000..636feb1
+index 000000000000..636feb18b733
--- /dev/null
+++ b/crypto/asymmetric_keys/efi_parser.c
@@ -0,0 +1,108 @@
@@ -160,10 +160,10 @@ index 0000000..636feb1
+ return 0;
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index b80227a..18443e3 100644
+index 8c274b4ea8e6..ff1877145aa4 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
+@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
char * __init efi_md_typeattr_format(char *buf, size_t size,
const efi_memory_desc_t *md);
diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch
index d3fab0297..aa1983377 100644
--- a/Add-option-to-automatically-enforce-module-signature.patch
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@@ -1,7 +1,8 @@
-From 8802c7e62531b3867580068ee8b50415b966d22c Mon Sep 17 00:00:00 2001
+From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/20] Add option to automatically enforce module signatures when in Secure Boot mode
+Subject: [PATCH] Add option to automatically enforce module signatures when in
+ Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
@@ -11,16 +12,16 @@ that enforces this automatically when enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
Documentation/x86/zero-page.txt | 2 ++
- arch/x86/Kconfig | 10 ++++++
+ arch/x86/Kconfig | 11 ++++++
arch/x86/boot/compressed/eboot.c | 66 +++++++++++++++++++++++++++++++++++
arch/x86/include/uapi/asm/bootparam.h | 3 +-
arch/x86/kernel/setup.c | 6 ++++
include/linux/module.h | 6 ++++
kernel/module.c | 7 ++++
- 7 files changed, 99 insertions(+), 1 deletion(-)
+ 7 files changed, 100 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 95a4d34..b8527c6 100644
+index 95a4d34af3fd..b8527c6b7646 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
@@ -31,6 +31,8 @@ Offset Proto Name Meaning
@@ -33,15 +34,16 @@ index 95a4d34..b8527c6 100644
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 2dc18605..a701d09 100644
+index 0a7b885964ba..29b8ba9ae713 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -1785,6 +1785,16 @@ config EFI_MIXED
+@@ -1776,6 +1776,17 @@ config EFI_MIXED
If unsure, say N.
+config EFI_SECURE_BOOT_SIG_ENFORCE
-+ def_bool n
++ def_bool n
++ depends on EFI
+ prompt "Force module signing when UEFI Secure Boot is enabled"
+ ---help---
+ UEFI Secure Boot provides a mechanism for ensuring that the
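Review bot: `depends on EFI` on the new EFI_SECURE_BOOT_SIG_ENFORCE entry may be too weak a dependency. The diffstat of this patch puts the Secure Boot probe in arch/x86/boot/compressed/eboot.c, which as far as I know is only built when CONFIG_EFI_STUB is set. If that holds, a kernel with EFI=y and EFI_STUB=n would offer the option but never set the boot_params field itself, so module signature enforcement would silently stay off unless the boot loader fills the field in. Consider `depends on EFI_STUB`, or state in the help text that a non-stub boot relies on the boot loader; the help text continues outside this hunk.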
@@ -54,7 +56,7 @@ index 2dc18605..a701d09 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 52fef60..6b8b9a7 100644
+index 52fef606bc54..6b8b9a775b46 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
@@ -145,7 +147,7 @@ index 52fef60..6b8b9a7 100644
setup_efi_pci(boot_params);
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index 3292543..b61f853 100644
+index c18ce67495fa..2b3e5427097b 100644
--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -134,7 +134,8 @@ struct boot_params {
@@ -159,10 +161,10 @@ index 3292543..b61f853 100644
* The sentinel is set to a nonzero value (0xff) in header.S.
*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 2367ae0..1a78bf7 100644
+index c4e7b3991b60..bdb9881c7afd 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
@@ -176,7 +178,7 @@ index 2367ae0..1a78bf7 100644
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
diff --git a/include/linux/module.h b/include/linux/module.h
-index ab13009..e072b84 100644
+index 082298a09df1..38d0597f7615 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
@@ -193,10 +195,10 @@ index ab13009..e072b84 100644
extern int modules_disabled; /* for sysctl */
diff --git a/kernel/module.c b/kernel/module.c
-index 392ac8c..676c578 100644
+index 3c384968f553..ea484f3a35b2 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod,
+@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
EXPORT_SYMBOL(module_layout);
#endif
diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch
index 4600848cf..3cecd1399 100644
--- a/Add-sysrq-option-to-disable-secure-boot-mode.patch
+++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch
@@ -1,7 +1,7 @@
-From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001
+From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
Date: Fri, 30 Aug 2013 09:28:51 -0400
-Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
+Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode
Bugzilla: N/A
Upstream-status: Fedora mustard
@@ -16,7 +16,7 @@ Upstream-status: Fedora mustard
7 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f93826b8522c..41679b1aca83 100644
+index a666b6c29c77..7732c769937b 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -70,6 +70,11 @@
@@ -31,7 +31,7 @@ index f93826b8522c..41679b1aca83 100644
#include <video/edid.h>
#include <asm/mtrr.h>
-@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void)
+@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void)
#endif /* CONFIG_X86_32 */
@@ -70,10 +70,10 @@ index f93826b8522c..41679b1aca83 100644
.notifier_call = dump_kernel_offset
};
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
-index 345df9b03aed..dea6a6c4a39b 100644
+index abe1a927b332..f4126fcec10c 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
-@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
+@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
if (!udev->dev)
return -ENOMEM;
@@ -82,10 +82,10 @@ index 345df9b03aed..dea6a6c4a39b 100644
input_set_drvdata(udev->dev, udev);
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index 95b330a9ea98..dfa3e154a719 100644
+index e5139402e7f8..5ef2e04a03ad 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
-@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
/* x: May be registered on mips for TLB dump */
/* x: May be registered on ppc/powerpc for xmon */
/* x: May be registered on sparc64 for global PMU dump */
@@ -93,7 +93,7 @@ index 95b330a9ea98..dfa3e154a719 100644
NULL, /* x */
/* y: May be registered on sparc64 for global register dump */
NULL, /* y */
-@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
sysrq_key_table[i] = op_p;
}
@@ -102,7 +102,7 @@ index 95b330a9ea98..dfa3e154a719 100644
{
struct sysrq_key_op *op_p;
int orig_log_level;
-@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask)
op_p = __sysrq_get_key_op(key);
if (op_p) {
@@ -119,7 +119,7 @@ index 95b330a9ea98..dfa3e154a719 100644
pr_cont("%s\n", op_p->action_msg);
console_loglevel = orig_log_level;
op_p->handler(key);
-@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask)
void handle_sysrq(int key)
{
if (sysrq_on())
@@ -128,7 +128,7 @@ index 95b330a9ea98..dfa3e154a719 100644
}
EXPORT_SYMBOL(handle_sysrq);
-@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state)
+@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state)
static void sysrq_handle_reset_request(struct sysrq_state *state)
{
if (state->reset_requested)
@@ -137,7 +137,7 @@ index 95b330a9ea98..dfa3e154a719 100644
if (sysrq_reset_downtime_ms)
mod_timer(&state->keyreset_timer,
-@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
default:
if (sysrq->active && value && value != 2) {
@@ -149,7 +149,7 @@ index 95b330a9ea98..dfa3e154a719 100644
}
break;
}
-@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
if (get_user(c, buf))
return -EFAULT;
@@ -159,7 +159,7 @@ index 95b330a9ea98..dfa3e154a719 100644
return count;
diff --git a/include/linux/input.h b/include/linux/input.h
-index 82ce323b9986..9e534f228945 100644
+index 1e967694e9a5..2b56c6f9673c 100644
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -42,6 +42,7 @@ struct input_value {
@@ -216,7 +216,7 @@ index 387fa7d05c98..4b07e30b3279 100644
int unregister_sysrq_key(int key, struct sysrq_key_op *op);
struct sysrq_key_op *__sysrq_get_key_op(int key);
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
-index 4121345498e0..0ff3cef5df96 100644
+index 2a20c0dfdafc..3d17205dab77 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -1968,7 +1968,7 @@ static int kdb_sr(int argc, const char **argv)
@@ -229,10 +229,10 @@ index 4121345498e0..0ff3cef5df96 100644
return 0;
diff --git a/kernel/module.c b/kernel/module.c
-index 2b403ab0ef29..7818c110e95c 100644
+index ea484f3a35b2..84b00659b0ee 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void)
+@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void)
#endif
}
@@ -242,5 +242,5 @@ index 2b403ab0ef29..7818c110e95c 100644
module_param(sig_enforce, bool_enable_only, 0644);
#endif /* !CONFIG_MODULE_SIG_FORCE */
--
-2.4.3
+2.5.5
diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch
index 469ac35ab..4f5678a15 100644
--- a/KEYS-Add-a-system-blacklist-keyring.patch
+++ b/KEYS-Add-a-system-blacklist-keyring.patch
@@ -1,7 +1,7 @@
-From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001
+From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
+Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
@@ -10,52 +10,48 @@ useful in cases where third party certificates are used for module signing.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
- certs/system_keyring.c | 27 +++++++++++++++++++++++++++
+ certs/system_keyring.c | 22 ++++++++++++++++++++++
include/keys/system_keyring.h | 4 ++++
init/Kconfig | 9 +++++++++
- 3 files changed, 40 insertions(+)
+ 3 files changed, 35 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
-index 2570598b784d..53733822993f 100644
+index 50979d6dcecd..787eeead2f57 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
-@@ -20,6 +20,9 @@
-
- struct key *system_trusted_keyring;
- EXPORT_SYMBOL_GPL(system_trusted_keyring);
+@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ static struct key *secondary_trusted_keys;
+ #endif
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+struct key *system_blacklist_keyring;
+#endif
extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
-@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
- panic("Can't allocate system trusted keyring\n");
-
- set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
-+
-+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void)
+ if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
+ panic("Can't link trusted keyrings\n");
+ #endif
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
-+ KUIDT_INIT(0), KGIDT_INIT(0),
-+ current_cred(),
-+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+ KEY_USR_VIEW | KEY_USR_READ,
-+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
++ KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
++ KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
++ KEY_ALLOC_NOT_IN_QUOTA,
++ NULL, NULL);
+ if (IS_ERR(system_blacklist_keyring))
+ panic("Can't allocate system blacklist keyring\n");
-+
-+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
+#endif
-+
+
return 0;
}
-
-@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len,
- if (ret < 0)
- goto error;
-
+@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ trusted_keys = builtin_trusted_keys;
+ #endif
+ }
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted);
++ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring);
+ if (!ret) {
+ /* module is signed with a cert in the blacklist. reject */
+ pr_err("Module key is in the blacklist\n");
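Review bot: The blacklist check added to verify_pkcs7_signature() fails open: only a zero return from `pkcs7_validate_trust(pkcs7, system_blacklist_keyring)` rejects the signature, and any other value is overwritten by the trusted-keyring lookup that follows. An error other than "no matching key" is therefore treated as "not blacklisted"; adding `else if (ret != -ENOKEY) goto error;` after the block would make that case fail closed, assuming -ENOKEY is what the helper returns when nothing matches, as the later `if (ret == -ENOKEY)` context suggests. The `pr_err("Module key is in the blacklist\n")` text is also misleading in this function, since the Kconfig help quoted further down says this verification path covers kexec images and firmware blobs as well as modules. The body of the `if (!ret)` block continues in the next hunk.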
@@ -63,30 +59,29 @@ index 2570598b784d..53733822993f 100644
+ goto error;
+ }
+#endif
-+
- ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
- if (ret < 0)
- goto error;
+ ret = pkcs7_validate_trust(pkcs7, trusted_keys);
+ if (ret < 0) {
+ if (ret == -ENOKEY)
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index b20cd885c1fd..51d8ddc60e0f 100644
+index fbd4647767e9..5bc291a3d261 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
-@@ -35,6 +35,10 @@ extern int system_verify_data(const void *data, unsigned long len,
- enum key_being_used_for usage);
+@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+extern struct key *system_blacklist_keyring;
+#endif
+
- #ifdef CONFIG_IMA_MOK_KEYRING
- extern struct key *ima_mok_keyring;
+ #ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;
+
diff --git a/init/Kconfig b/init/Kconfig
-index 02da9f1fd9df..782d26f02885 100644
+index a9c4aefd5436..e5449d5aeff9 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION
+@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION
module verification, kexec image verification and firmware blob
verification.
@@ -103,5 +98,5 @@ index 02da9f1fd9df..782d26f02885 100644
bool "Profiling support"
help
--
-2.4.3
+2.5.5
diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
index 8a484b6d8..05be7a028 100644
--- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@@ -1,4 +1,4 @@
-From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001
+From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
@@ -18,18 +18,56 @@ signed with those from loading.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
- include/linux/efi.h | 6 ++++
- init/Kconfig | 9 +++++
- kernel/Makefile | 3 ++
- kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 110 insertions(+)
+ certs/system_keyring.c | 13 ++++++
+ include/keys/system_keyring.h | 1 +
+ include/linux/efi.h | 6 +++
+ init/Kconfig | 9 ++++
+ kernel/Makefile | 3 ++
+ kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 131 insertions(+)
create mode 100644 kernel/modsign_uefi.c
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 787eeead2f57..4d9123ed5c07 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[];
+ extern __initconst const unsigned long system_certificate_list_size;
+
+ /**
++ * get_system_keyring - Return a pointer to the system keyring
++ *
++ */
++struct key *get_system_keyring(void)
++{
++ struct key *system_keyring = NULL;
++
++ system_keyring = builtin_trusted_keys;
++ return system_keyring;
++}
++EXPORT_SYMBOL_GPL(get_system_keyring);
++
++/**
+ * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
+ *
+ * Restrict the addition of keys into a keyring based on the key-to-be-added
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index 5bc291a3d261..56ff5715ab67 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ extern struct key *system_blacklist_keyring;
+ #endif
++extern struct key *get_system_keyring(void);
+
+ #ifdef CONFIG_IMA_BLACKLIST_KEYRING
+ extern struct key *ima_blacklist_keyring;
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 85ef051ac6fb..a042b2ece788 100644
+index ff1877145aa4..2483de19c719 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -600,6 +600,12 @@ typedef struct {
+@@ -658,6 +658,12 @@ typedef struct {
u64 table;
} efi_config_table_64_t;
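Review bot: `get_system_keyring()` hands out `builtin_trusted_keys` through `EXPORT_SYMBOL_GPL`, which undoes the encapsulation of a pointer that system_keyring.c otherwise keeps `static`, so any GPL module can obtain the built-in trust-anchor keyring. Its only visible caller is the `__init` code in kernel/modsign_uefi.c, which appears to be built in, so the export looks unnecessary and the `extern` declaration in system_keyring.h would suffice. Routing the UEFI db and MokListRT certificates into this keyring also seems to give firmware-supplied keys the same standing as compiled-in ones wherever the built-in keyring is consulted; the kerneldoc comment is currently empty and should say so. The body can be reduced to `return builtin_trusted_keys;`, because the NULL-initialised local adds nothing.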
@@ -43,10 +81,10 @@ index 85ef051ac6fb..a042b2ece788 100644
efi_guid_t guid;
u32 table;
diff --git a/init/Kconfig b/init/Kconfig
-index 02da9f1fd9df..90c73a0564b1 100644
+index e5449d5aeff9..5408c96f6604 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL
+@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
@@ -63,10 +101,10 @@ index 02da9f1fd9df..90c73a0564b1 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
-index d4988410b410..55e886239e7e 100644
+index e2ec54e2b952..8dab549985d8 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
-@@ -47,6 +47,7 @@ endif
+@@ -57,6 +57,7 @@ endif
obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o
@@ -74,7 +112,7 @@ index d4988410b410..55e886239e7e 100644
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC_CORE) += kexec_core.o
-@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
+@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o
obj-$(CONFIG_HAS_IOMEM) += memremap.o
@@ -85,10 +123,10 @@ index d4988410b410..55e886239e7e 100644
# config_data.h contains the same information as ikconfig.h but gzipped.
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
new file mode 100644
-index 000000000000..94b0eb38a284
+index 000000000000..fe4a6f2bf10a
--- /dev/null
+++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,99 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/cred.h>
@@ -139,11 +177,18 @@ index 000000000000..94b0eb38a284
+ void *db = NULL, *dbx = NULL, *mok = NULL;
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ int rc = 0;
++ struct key *keyring = NULL;
+
+ /* Check if SB is enabled and just return if not */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
++ keyring = get_system_keyring();
++ if (!keyring) {
++ pr_err("MODSIGN: Couldn't get system keyring\n");
++ return -EINVAL;
++ }
++
+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
+ * an error if we can't get them.
+ */
@@ -151,7 +196,7 @@ index 000000000000..94b0eb38a284
+ if (!db) {
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
+ } else {
-+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++ rc = parse_efi_signature_list(db, dbsize, keyring);
+ if (rc)
+ pr_err("Couldn't parse db signatures: %d\n", rc);
+ kfree(db);
@@ -161,7 +206,7 @@ index 000000000000..94b0eb38a284
+ if (!mok) {
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+ } else {
-+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
++ rc = parse_efi_signature_list(mok, moksize, keyring);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ kfree(mok);
@@ -182,5 +227,5 @@ index 000000000000..94b0eb38a284
+}
+late_initcall(load_uefi_certs);
--
-2.4.3
+2.5.5
diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch
index bb5ae2a2c..3339ce76e 100644
--- a/MODSIGN-Support-not-importing-certs-from-db.patch
+++ b/MODSIGN-Support-not-importing-certs-from-db.patch
@@ -1,7 +1,7 @@
-From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
+From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Thu, 3 Oct 2013 10:14:23 -0400
-Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
+Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
-index 94b0eb38a284..ae28b974d49a 100644
+index 03f601a0052c..321c79a3b282 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
@@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
{
efi_status_t status;
-@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
+@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
void *db = NULL, *dbx = NULL, *mok = NULL;
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
- int rc = 0;
+ int ignore_db, rc = 0;
+ struct key *keyring = NULL;
/* Check if SB is enabled and just return if not */
- if (!efi_enabled(EFI_SECURE_BOOT))
- return 0;
+@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
+ return -EINVAL;
+ }
+ /* See if the user has setup Ignore DB mode */
+ ignore_db = check_ignore_db();
@@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644
- if (!db) {
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
- } else {
-- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+- rc = parse_efi_signature_list(db, dbsize, keyring);
- if (rc)
- pr_err("Couldn't parse db signatures: %d\n", rc);
- kfree(db);
@@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644
+ if (!db) {
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
+ } else {
-+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++ rc = parse_efi_signature_list(db, dbsize, keyring);
+ if (rc)
+ pr_err("Couldn't parse db signatures: %d\n", rc);
+ kfree(db);
@@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
--
-2.4.3
+2.5.5
diff --git a/config-arm-generic b/config-arm-generic
index 2b71fa092..3c5a9eb1b 100644
--- a/config-arm-generic
+++ b/config-arm-generic
@@ -116,6 +116,7 @@ CONFIG_ROCKCHIP_SARADC=m
CONFIG_ROCKCHIP_IOMMU=y
CONFIG_ROCKCHIP_THERMAL=m
CONFIG_DRM_ROCKCHIP=m
+CONFIG_ROCKCHIP_ANALOGIX_DP=m
CONFIG_ROCKCHIP_DW_HDMI=m
CONFIG_ROCKCHIP_DW_MIPI_DSI=y
CONFIG_ROCKCHIP_INNO_HDMI=m
diff --git a/config-arm64 b/config-arm64
index cc7214b89..58c2ab24d 100644
--- a/config-arm64
+++ b/config-arm64
@@ -159,6 +159,8 @@ CONFIG_PHY_HI6220_USB=m
CONFIG_COMMON_RESET_HI6220=m
CONFIG_HI6220_MBOX=m
# CONFIG_RESET_HISI is not set
+CONFIG_DRM_HISI_KIRIN=m
+CONFIG_HISI_KIRIN_DW_DSI=m
# Tegra
CONFIG_ARCH_TEGRA_132_SOC=y
diff --git a/config-armv7 b/config-armv7
index d2191cee9..c3d64fafb 100644
--- a/config-armv7
+++ b/config-armv7
@@ -318,6 +318,8 @@ CONFIG_PHY_QCOM_IPQ806X_SATA=m
CONFIG_DWMAC_IPQ806X=m
CONFIG_CRYPTO_DEV_QCE=m
CONFIG_DRM_MSM=m
+# CONFIG_DRM_MSM_REGISTER_LOGGING is not set
+CONFIG_DRM_MSM_HDMI_HDCP=y
CONFIG_USB_EHCI_MSM=m
CONFIG_MFD_PM8XXX=m
CONFIG_KEYBOARD_PMIC8XXX=m
@@ -325,7 +327,6 @@ CONFIG_INPUT_PM8XXX_VIBRATOR=m
CONFIG_INPUT_PMIC8XXX_PWRKEY=m
CONFIG_INPUT_PM8941_PWRKEY=m
CONFIG_RTC_DRV_PM8XXX=m
-# CONFIG_DRM_MSM_REGISTER_LOGGING is not set
CONFIG_QCOM_WDT=m
CONFIG_MFD_SPMI_PMIC=m
CONFIG_SPMI=m
diff --git a/config-armv7-generic b/config-armv7-generic
index 5baab4acb..3e9afc353 100644
--- a/config-armv7-generic
+++ b/config-armv7-generic
@@ -206,6 +206,7 @@ CONFIG_MACH_SUN8I=y
CONFIG_SUNXI_SRAM=y
CONFIG_DMA_SUN4I=m
CONFIG_DMA_SUN6I=m
+CONFIG_DRM_SUN4I=m
CONFIG_SUNXI_WATCHDOG=m
CONFIG_NET_VENDOR_ALLWINNER=y
CONFIG_RTC_DRV_SUNXI=m
diff --git a/config-generic b/config-generic
index b94ee30f7..c08fb2e99 100644
--- a/config-generic
+++ b/config-generic
@@ -598,6 +598,7 @@ CONFIG_ATA_BMDMA=y
CONFIG_ATA_VERBOSE_ERROR=y
CONFIG_ATA_SFF=y
CONFIG_ATA_PIIX=y
+# CONFIG_SATA_DWC is not set
# CONFIG_SATA_HIGHBANK is not set
CONFIG_ATA_ACPI=y
CONFIG_BLK_DEV_SX8=m
@@ -3346,6 +3347,8 @@ CONFIG_VGA_ARB_MAX_GPUS=16
CONFIG_DRM=m
+CONFIG_DRM_ANALOGIX_ANX78XX=m
+# CONFIG_DRM_ARCPGU is not set
CONFIG_DRM_DP_AUX_CHARDEV=y
CONFIG_DRM_FBDEV_EMULATION=y
CONFIG_DRM_LOAD_EDID_FIRMWARE=y
@@ -3359,6 +3362,7 @@ CONFIG_DRM_AMDGPU=m
CONFIG_DRM_AMD_ACP=y
# CONFIG_DRM_AMDGPU_CIK is not set
CONFIG_DRM_AMDGPU_USERPTR=y
+# CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set
CONFIG_DRM_AMD_POWERPLAY=y
# CONFIG_DRM_I810 is not set
# CONFIG_DRM_MGA is not set
diff --git a/config-powerpc64-generic b/config-powerpc64-generic
index 32fa17ff9..af4bbb251 100644
--- a/config-powerpc64-generic
+++ b/config-powerpc64-generic
@@ -56,7 +56,7 @@ CONFIG_PPC_64K_PAGES=y
CONFIG_PPC_SUBPAGE_PROT=y
CONFIG_SCHED_SMT=y
CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
CONFIG_MEMORY_HOTREMOVE=y
CONFIG_PPC64_SUPPORTS_MEMORY_FAILURE=y
diff --git a/config-s390x b/config-s390x
index e6e2f85a9..d559c6570 100644
--- a/config-s390x
+++ b/config-s390x
@@ -183,7 +183,7 @@ CONFIG_VIRTIO_CONSOLE=y
CONFIG_MEMORY_HOTPLUG=y
CONFIG_MEMORY_HOTREMOVE=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
CONFIG_CHSC_SCH=m
# drivers/isdn/hardware/mISDN/hfcmulti.c:5255:2: error: #error "not running on big endian machines now"
diff --git a/config-x86-generic b/config-x86-generic
index 5418ee7ab..ee027a425 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -361,7 +361,6 @@ CONFIG_DMI_SYSFS=y
CONFIG_ISCSI_IBFT_FIND=y
CONFIG_ISCSI_IBFT=m
-CONFIG_DMADEVICES=y
CONFIG_INTEL_IOATDMA=m
CONFIG_INTEL_IDMA64=m
diff --git a/config-x86_64-generic b/config-x86_64-generic
index 82e99a062..0614913aa 100644
--- a/config-x86_64-generic
+++ b/config-x86_64-generic
@@ -117,7 +117,7 @@ CONFIG_SPARSEMEM_EXTREME=y
CONFIG_SPARSEMEM_VMEMMAP=y
# CONFIG_MOVABLE_NODE is not set
CONFIG_MEMORY_HOTPLUG=y
-# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
# CONFIG_ARCH_MEMORY_PROBE is not set
CONFIG_MEMORY_HOTREMOVE=y
# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
@@ -223,8 +223,12 @@ CONFIG_CMA_AREAS=7
CONFIG_ZONE_DMA=y
CONFIG_ZONE_DEVICE=y
CONFIG_NVDIMM_PFN=y
+CONFIG_NVDIMM_DAX=y
CONFIG_ND_PFN=m
+CONFIG_DEV_DAX=m
+CONFIG_DEV_DAX_PMEM=m
+
# Staging
CONFIG_STAGING_RDMA=y
CONFIG_INFINIBAND_HFI1=m
diff --git a/drm-i915-hush-check-crtc-state.patch b/drm-i915-hush-check-crtc-state.patch
index fa4baffbf..acf05056c 100644
--- a/drm-i915-hush-check-crtc-state.patch
+++ b/drm-i915-hush-check-crtc-state.patch
@@ -1,4 +1,4 @@
-From 02f47b49ab1cdbe62ceb71b658e2c469799ae368 Mon Sep 17 00:00:00 2001
+From 5550f20b5f9becb485fb3a67bf0193025d40bc6f Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Wed, 13 Nov 2013 10:17:24 -0500
Subject: [PATCH] drm/i915: hush check crtc state
@@ -15,18 +15,18 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index ca9278be49f7..308ac0539a87 100644
+index 46f9be3ad5a2..ad2e62e4cdba 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -12688,7 +12688,7 @@ check_crtc_state(struct drm_device *dev, struct drm_atomic_state *old_state)
- sw_config = to_intel_crtc_state(crtc->state);
- if (!intel_pipe_config_compare(dev, sw_config,
- pipe_config, false)) {
-- I915_STATE_WARN(1, "pipe state doesn't match!\n");
-+ DRM_DEBUG_KMS("pipe state doesn't match!\n");
- intel_dump_pipe_config(intel_crtc, pipe_config,
- "[hw state]");
- intel_dump_pipe_config(intel_crtc, sw_config,
+@@ -12970,7 +12970,7 @@ verify_crtc_state(struct drm_crtc *crtc,
+ sw_config = to_intel_crtc_state(crtc->state);
+ if (!intel_pipe_config_compare(dev, sw_config,
+ pipe_config, false)) {
+- I915_STATE_WARN(1, "pipe state doesn't match!\n");
++ DRM_DEBUG_KMS("pipe state doesn't match!\n");
+ intel_dump_pipe_config(intel_crtc, pipe_config,
+ "[hw state]");
+ intel_dump_pipe_config(intel_crtc, sw_config,
--
-2.4.3
+2.5.5
diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch
index 89b9664c7..dca2eb296 100644
--- a/efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -1,7 +1,7 @@
-From c01ff700ea4192ae04b306fef725d62189550236 Mon Sep 17 00:00:00 2001
+From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled.
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
2 files changed, 3 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f3b804f..a401ff8 100644
+index bdb9881c7afd..a666b6c29c77 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot) {
@@ -27,10 +27,10 @@ index f3b804f..a401ff8 100644
#endif
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 569b5a8..4dc970e 100644
+index c2db3ca22217..8cb38cfcba74 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_ARCH_1 7 /* First arch-specific bit */
#define EFI_DBG 8 /* Print additional debug info at runtime */
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
@@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644
#ifdef CONFIG_EFI
/*
--
-2.5.0
+2.5.5
diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
index ba2f3cefa..7d4a46e15 100644
--- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
@@ -1,7 +1,7 @@
-From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001
+From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode
+Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
@@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index b4de3faa3f29..5cc2ef570390 100644
+index 6b8b9a775b46..b3a5364d31c6 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
-@@ -830,8 +830,9 @@ out:
+@@ -574,8 +574,9 @@ free_handle:
static int get_secure_boot(void)
{
@@ -29,7 +29,7 @@ index b4de3faa3f29..5cc2ef570390 100644
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;
-@@ -855,6 +856,23 @@ static int get_secure_boot(void)
+@@ -599,6 +600,23 @@ static int get_secure_boot(void)
if (setup == 1)
return 0;
@@ -54,5 +54,5 @@ index b4de3faa3f29..5cc2ef570390 100644
}
--
-2.4.3
+2.5.5
diff --git a/gitrev b/gitrev
index d8cc6d462..7e7164661 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-7639dad93a5564579987abded4ec05e3db13659d
+84787c572d402644dca4874aba73324d9f8e3948
diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch
index f62ea08b0..bea2892ee 100644
--- a/hibernate-Disable-in-a-signed-modules-environment.patch
+++ b/hibernate-Disable-in-a-signed-modules-environment.patch
@@ -1,7 +1,7 @@
-From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001
+From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
+Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 690f78f210f2..037303a1cba9 100644
+index fca9254280ee..ffd8644078b2 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -29,6 +29,7 @@
@@ -35,5 +35,5 @@ index 690f78f210f2..037303a1cba9 100644
/**
--
-2.4.3
+2.5.5
diff --git a/kernel.spec b/kernel.spec
index 1421ffc10..405987061 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -69,7 +69,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 0
# The git snapshot level
-%define gitrev 6
+%define gitrev 7
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@@ -553,8 +553,6 @@ Patch482: Add-option-to-automatically-enforce-module-signature.patch
Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
-Patch484: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
-
Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
Patch486: hibernate-Disable-in-a-signed-modules-environment.patch
@@ -566,7 +564,7 @@ Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch
# This doesn't apply. It seems like it could be replaced by
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c
# which has an explicit line about blacklisting
-# Patch489: KEYS-Add-a-system-blacklist-keyring.patch
+Patch489: KEYS-Add-a-system-blacklist-keyring.patch
Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
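Review bot: The comment block directly above the re-enabled `Patch489:` line still reads "This doesn't apply. It seems like it could be replaced by …", which now contradicts the spec because this hunk makes the patch active again. Since this patch carries the system blacklist keyring for the Secure Boot patch set, a stale "doesn't apply" note could lead a later maintainer to drop it during a rebase and lose that enforcement without noticing. I would replace the three comment lines with something that reflects the new state, for example `# Rebased for 4.7; re-evaluate against upstream 5ac7eace2d00, which has an explicit line about blacklisting`. It would also help to confirm that the refreshed patch and that upstream commit do not both define a blacklist mechanism; whether they overlap is not visible from this hunk.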
@@ -2135,6 +2133,11 @@ fi
#
#
%changelog
+* Tue May 24 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.7.0-0.rc0.git7.1
+- Linux v4.6-10203-g84787c572d40
+- Enable CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE (rhbz 1339281)
+- Fixup SB patchset to work with upstream changes
+
* Mon May 23 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git6.1
- Linux v4.6-8907-g7639dad
- trace, f2fs, btrfs, rtc, mailbox, akpm, staging, driver core, char, usb,
diff --git a/sources b/sources
index 7bbde5150..9c83b38f3 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz
fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz
-4c4f2eb647eef6e04a1dbb843e4fd72d patch-4.6-git6.xz
+3dd9be4fbde8316efd366f735a30d1f1 patch-4.6-git7.xz