diff options
-rw-r--r-- | 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch | 85 | ||||
-rw-r--r-- | 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch | 98 | ||||
-rw-r--r-- | 0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch | 365 | ||||
-rw-r--r-- | kernel.spec | 13 |
4 files changed, 560 insertions, 1 deletions
diff --git a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch new file mode 100644 index 000000000..816c4f0ea --- /dev/null +++ b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch @@ -0,0 +1,85 @@ +From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001 +From: Kairui Song <kasong@redhat.com> +Date: Mon, 21 Jan 2019 17:59:28 +0800 +Subject: [PATCH] integrity, KEYS: add a reference to platform keyring + +commit 9dc92c45177a ("integrity: Define a trusted platform keyring") +introduced a .platform keyring for storing preboot keys, used for +verifying kernel image signatures. Currently only IMA-appraisal is able +to use the keyring to verify kernel images that have their signature +stored in xattr. + +This patch exposes the .platform keyring, making it accessible for +verifying PE signed kernel images as well. + +Suggested-by: Mimi Zohar <zohar@linux.ibm.com> +Signed-off-by: Kairui Song <kasong@redhat.com> +Cc: David Howells <dhowells@redhat.com> +[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix] +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> +--- + certs/system_keyring.c | 10 ++++++++++ + include/keys/system_keyring.h | 8 ++++++++ + security/integrity/digsig.c | 3 +++ + 3 files changed, 21 insertions(+) + +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 81728717523d..da055e901df4 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + static struct key *secondary_trusted_keys; + #endif ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++static struct key *platform_trusted_keys; ++#endif + + extern __initconst const u8 system_certificate_list[]; + extern __initconst const unsigned long system_certificate_list_size; +@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len, + EXPORT_SYMBOL_GPL(verify_pkcs7_signature); + + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ ++ ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++void __init set_platform_trusted_keys(struct key *keyring) ++{ ++ platform_trusted_keys = keyring; ++} ++#endif +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index 359c2f936004..42a93eda331c 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void) + } + #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ + ++#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ ++ defined(CONFIG_SYSTEM_TRUSTED_KEYRING) ++extern void __init set_platform_trusted_keys(struct key *keyring); ++#else ++static inline void set_platform_trusted_keys(struct key *keyring) ++{ ++} ++#endif + + #endif /* _KEYS_SYSTEM_KEYRING_H */ +diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c +index f45d6edecf99..e19c2eb72c51 100644 +--- a/security/integrity/digsig.c ++++ b/security/integrity/digsig.c +@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, + pr_info("Can't allocate %s keyring (%d)\n", + keyring_name[id], err); + keyring[id] = NULL; ++ } else { ++ if (id == INTEGRITY_KEYRING_PLATFORM) ++ set_platform_trusted_keys(keyring[id]); + } + + return err; +-- +2.20.1 + diff --git a/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch new file mode 100644 index 000000000..af0d926e7 --- /dev/null +++ b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch @@ -0,0 +1,98 @@ +From 278311e417be60f7caef6fcb12bda4da2711ceff Mon Sep 17 00:00:00 2001 +From: Kairui Song <kasong@redhat.com> +Date: Mon, 21 Jan 2019 17:59:29 +0800 +Subject: [PATCH] kexec, KEYS: Make use of platform keyring for signature + verify + +This patch allows the kexec_file_load syscall to verify the PE signed +kernel image signature based on the preboot keys stored in the .platform +keyring, as fall back, if the signature verification failed due to not +finding the public key in the secondary or builtin keyrings. + +This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous +VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature +should verify the signature using platform keyring. Also, decrease +the error message log level when verification failed with -ENOKEY, +so that if called tried multiple time with different keyring it +won't generate extra noises. + +Signed-off-by: Kairui Song <kasong@redhat.com> +Cc: David Howells <dhowells@redhat.com> +Acked-by: Dave Young <dyoung@redhat.com> (for kexec_file_load part) +[zohar@linux.ibm.com: tweaked the first paragraph of the patch description, + and fixed checkpatch warning.] +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> +--- + arch/x86/kernel/kexec-bzimage64.c | 14 +++++++++++--- + certs/system_keyring.c | 13 ++++++++++++- + include/linux/verification.h | 1 + + 3 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 278cd07228dd..e1215a600064 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data) + #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG + static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) + { +- return verify_pefile_signature(kernel, kernel_len, +- VERIFY_USE_SECONDARY_KEYRING, +- VERIFYING_KEXEC_PE_SIGNATURE); ++ int ret; ++ ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_SECONDARY_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ } ++ return ret; + } + #endif + +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index da055e901df4..c05c29ae4d5d 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len, + #else + trusted_keys = builtin_trusted_keys; + #endif ++ } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) { ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++ trusted_keys = platform_trusted_keys; ++#else ++ trusted_keys = NULL; ++#endif ++ if (!trusted_keys) { ++ ret = -ENOKEY; ++ pr_devel("PKCS#7 platform keyring is not available\n"); ++ goto error; ++ } + } + ret = pkcs7_validate_trust(pkcs7, trusted_keys); + if (ret < 0) { + if (ret == -ENOKEY) +- pr_err("PKCS#7 signature not signed with a trusted key\n"); ++ pr_devel("PKCS#7 signature not signed with a trusted key\n"); + goto error; + } + +diff --git a/include/linux/verification.h b/include/linux/verification.h +index cfa4730d607a..018fb5f13d44 100644 +--- a/include/linux/verification.h ++++ b/include/linux/verification.h +@@ -17,6 +17,7 @@ + * should be used. + */ + #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) ++#define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL) + + /* + * The use to which an asymmetric key is being put. +-- +2.20.1 + diff --git a/0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch b/0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch new file mode 100644 index 000000000..5ecaffc1a --- /dev/null +++ b/0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch @@ -0,0 +1,365 @@ +From de5d850913e9d5fb272f386fb36ef5f5776afb0c Mon Sep 17 00:00:00 2001 +From: Hans de Goede <hdegoede@redhat.com> +Date: Mon, 29 Apr 2019 15:11:26 +0200 +Subject: [PATCH] platform/x86: ideapad-laptop: Remove no_hw_rfkill_list + +When the ideapad-laptop driver was first written it was written for laptops +which had a hardware rfkill switch. So when the first ideapad laptops +showed up without a hw rfkill switch and it turned out that in this case +the ideapad firmware interface would always report the wifi being hardware- +blocked, a DMI id list of models which lack a hw rfkill switch was started +(by yours truly). Things were done this way to avoid regressing existing +models with a hw rfkill switch. In hindsight this was a mistake. + +Lenovo releases a lot of ideapad models every year and even the latest +models still use the "VPC2004" ACPI interface the ideapad-laptop driver +binds to. Having a hw rfkill switch is quite rare on modern hardware, so +all these new models need to be added to the no_hw_rfkill_list, leading +to a never ending game of whack a mole. + +Worse the failure mode when not present on the list, is very bad. In this +case the ideapad-laptop driver will report the wifi as being hw-blocked, +at which points NetworkManager does not even try to use it and the user +ends up with non working wifi. + +This leads to various Linux fora on the internet being filled with +wifi not working on ideapad laptops stories, which does not make Linux +look good. + +The failure mode when we flip the default to assuming that a hw rfkill +switch is not present OTOH is quite benign. When we properly report the +wifi as being hw-blocked on ideapads which do have the hw-switch; and it +is in the wifi-off position, then at least when using NetworkManager + +GNOME3 the user will get a "wifi disabled in hardware" message when trying +to connect to the wifi from the UI. If OTOH we assume there is no hardware +rfkill switch, then the user will get an empty list for the list of +available networks. Although the empty list vs the "wifi disabled in +hardware" message is a regression, it is a very minor regression and it +can easily be fixed on a model by model basis by filling the new +hw_rfkill_list this commit introduces. + +Therefor this commit removes the ever growing no_hw_rfkill_list, flipping +the default to assuming there is no hw rfkill switch and adding a new +hw_rfkill_list. Thereby fixing the wifi not working on all the current +ideapad and yoga models which are not on the list yet and also fixing it +for all future ideapad and yoga models using the "VPC2004" ACPI interface. + +Note once this patch has been accepted upstream. I plan to write a blog +post asking for users of ideapads and yoga's with a hw rfkill switch to +step forward, so that we can populate the new hw_rfkill_list with the few +older yoga and ideapad models which actually have a hw rfkill switch. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1703338 +Signed-off-by: Hans de Goede <hdegoede@redhat.com> +--- + drivers/platform/x86/ideapad-laptop.c | 321 ++------------------------ + 1 file changed, 15 insertions(+), 306 deletions(-) + +diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c +index c53ae86b59c7..2d94536dea88 100644 +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -980,277 +980,21 @@ static void ideapad_wmi_notify(u32 value, void *context) + #endif + + /* +- * Some ideapads don't have a hardware rfkill switch, reading VPCCMD_R_RF +- * always results in 0 on these models, causing ideapad_laptop to wrongly +- * report all radios as hardware-blocked. ++ * Some ideapads have a hardware rfkill switch, but most do not have one. ++ * Reading VPCCMD_R_RF always results in 0 on models without a hardware rfkill, ++ * switch causing ideapad_laptop to wrongly report all radios as hw-blocked. ++ * There used to be a long list of DMI ids for models without a hw rfkill ++ * switch here, but that resulted in playing whack a mole. ++ * More importantly wrongly reporting the wifi radio as hw-blocked, results in ++ * non working wifi. Whereas not reporting it hw-blocked, when it actually is ++ * hw-blocked results in an empty SSID list, which is a much more benign ++ * failure mode. ++ * So the default now is the much safer option of assuming there is no ++ * hardware rfkill switch. This default also actually matches most hardware, ++ * since having a hw rfkill switch is quite rare on modern hardware, so this ++ * also leads to a much shorter list. + */ +-static const struct dmi_system_id no_hw_rfkill_list[] = { +- { +- .ident = "Lenovo RESCUER R720-15IKBN", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo R720-15IKBN"), +- }, +- }, +- { +- .ident = "Lenovo G40-30", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G40-30"), +- }, +- }, +- { +- .ident = "Lenovo G50-30", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G50-30"), +- }, +- }, +- { +- .ident = "Lenovo V310-14IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-14IKB"), +- }, +- }, +- { +- .ident = "Lenovo V310-14ISK", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-14ISK"), +- }, +- }, +- { +- .ident = "Lenovo V310-15IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-15IKB"), +- }, +- }, +- { +- .ident = "Lenovo V310-15ISK", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-15ISK"), +- }, +- }, +- { +- .ident = "Lenovo V510-15IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V510-15IKB"), +- }, +- }, +- { +- .ident = "Lenovo ideapad 300-15IBR", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300-15IBR"), +- }, +- }, +- { +- .ident = "Lenovo ideapad 300-15IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300-15IKB"), +- }, +- }, +- { +- .ident = "Lenovo ideapad 300S-11IBR", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300S-11BR"), +- }, +- }, +- { +- .ident = "Lenovo ideapad 310-15ABR", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15ABR"), +- }, +- }, +- { +- .ident = "Lenovo ideapad 310-15IAP", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15IAP"), +- }, +- }, +- { +- .ident = "Lenovo ideapad 310-15IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15IKB"), +- }, +- }, +- { +- .ident = "Lenovo ideapad 310-15ISK", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15ISK"), +- }, +- }, +- { +- .ident = "Lenovo ideapad Y700-14ISK", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-14ISK"), +- }, +- }, +- { +- .ident = "Lenovo ideapad Y700-15ACZ", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ACZ"), +- }, +- }, +- { +- .ident = "Lenovo ideapad Y700-15ISK", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ISK"), +- }, +- }, +- { +- .ident = "Lenovo ideapad Y700 Touch-15ISK", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700 Touch-15ISK"), +- }, +- }, +- { +- .ident = "Lenovo ideapad Y700-17ISK", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"), +- }, +- }, +- { +- .ident = "Lenovo ideapad MIIX 720-12IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "MIIX 720-12IKB"), +- }, +- }, +- { +- .ident = "Lenovo Legion Y520-15IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKB"), +- }, +- }, +- { +- .ident = "Lenovo Y520-15IKBM", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKBM"), +- }, +- }, +- { +- .ident = "Lenovo Legion Y530-15ICH", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Legion Y530-15ICH"), +- }, +- }, +- { +- .ident = "Lenovo Legion Y720-15IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKB"), +- }, +- }, +- { +- .ident = "Lenovo Legion Y720-15IKBN", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKBN"), +- }, +- }, +- { +- .ident = "Lenovo Y720-15IKBM", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKBM"), +- }, +- }, +- { +- .ident = "Lenovo Yoga 2 11 / 13 / Pro", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 2"), +- }, +- }, +- { +- .ident = "Lenovo Yoga 2 11 / 13 / Pro", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_BOARD_NAME, "Yoga2"), +- }, +- }, +- { +- .ident = "Lenovo Yoga 2 13", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Yoga 2 13"), +- }, +- }, +- { +- .ident = "Lenovo Yoga 3 1170 / 1470", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 3"), +- }, +- }, +- { +- .ident = "Lenovo Yoga 3 Pro 1370", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 3"), +- }, +- }, +- { +- .ident = "Lenovo Yoga 700", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 700"), +- }, +- }, +- { +- .ident = "Lenovo Yoga 900", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 900"), +- }, +- }, +- { +- .ident = "Lenovo Yoga 900", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_BOARD_NAME, "VIUU4"), +- }, +- }, +- { +- .ident = "Lenovo YOGA 910-13IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 910-13IKB"), +- }, +- }, +- { +- .ident = "Lenovo YOGA 920-13IKB", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 920-13IKB"), +- }, +- }, +- { +- .ident = "Lenovo Zhaoyang E42-80", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "ZHAOYANG E42-80"), +- }, +- }, ++static const struct dmi_system_id hw_rfkill_list[] = { + {} + }; + +@@ -1311,7 +1020,7 @@ static int ideapad_acpi_add(struct platform_device *pdev) + priv->cfg = cfg; + priv->adev = adev; + priv->platform_device = pdev; +- priv->has_hw_rfkill_switch = !dmi_check_system(no_hw_rfkill_list); ++ priv->has_hw_rfkill_switch = dmi_check_system(hw_rfkill_list); + + ret = ideapad_sysfs_init(priv); + if (ret) +-- +2.21.0 + diff --git a/kernel.spec b/kernel.spec index 98f1ebff8..1fca90695 100644 --- a/kernel.spec +++ b/kernel.spec @@ -647,12 +647,17 @@ Patch519: nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1701096 +Patch521: 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch +Patch522: 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch # Submitted upstream at https://lkml.org/lkml/2019/4/23/89 -Patch521: KEYS-Make-use-of-platform-keyring-for-module-signature.patch +Patch523: KEYS-Make-use-of-platform-keyring-for-module-signature.patch # CVE-2019-3900 rhbz 1698757 1702940 Patch524: net-vhost_net-fix-possible-infinite-loop.patch +# Fix wifi on various ideapad models not working (rhbz#1703338) +Patch525: 0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch + # END OF PATCH DEFINITIONS %endif @@ -1943,6 +1948,12 @@ fi # # %changelog +* Tue Apr 30 2019 Hans de Goede <hdegoede@redhat.com> +- Fix wifi on various ideapad models not working (rhbz#1703338) + +* Mon Apr 29 2019 Laura Abbott <labbott@redhat.com> - 5.0.10-100 +- Linux v5.0.10 + * Thu Apr 25 2019 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2019-3900 (rhbz 1698757 1702940) |