summaryrefslogtreecommitdiffstats
path: root/Add-option-to-automatically-enforce-module-signature.patch
diff options
context:
space:
mode:
Diffstat (limited to 'Add-option-to-automatically-enforce-module-signature.patch')
-rw-r--r--Add-option-to-automatically-enforce-module-signature.patch32
1 files changed, 17 insertions, 15 deletions
diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch
index d3fab0297..aa1983377 100644
--- a/Add-option-to-automatically-enforce-module-signature.patch
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@@ -1,7 +1,8 @@
-From 8802c7e62531b3867580068ee8b50415b966d22c Mon Sep 17 00:00:00 2001
+From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/20] Add option to automatically enforce module signatures when in Secure Boot mode
+Subject: [PATCH] Add option to automatically enforce module signatures when in
+ Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
@@ -11,16 +12,16 @@ that enforces this automatically when enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
Documentation/x86/zero-page.txt | 2 ++
- arch/x86/Kconfig | 10 ++++++
+ arch/x86/Kconfig | 11 ++++++
arch/x86/boot/compressed/eboot.c | 66 +++++++++++++++++++++++++++++++++++
arch/x86/include/uapi/asm/bootparam.h | 3 +-
arch/x86/kernel/setup.c | 6 ++++
include/linux/module.h | 6 ++++
kernel/module.c | 7 ++++
- 7 files changed, 99 insertions(+), 1 deletion(-)
+ 7 files changed, 100 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 95a4d34..b8527c6 100644
+index 95a4d34af3fd..b8527c6b7646 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
@@ -31,6 +31,8 @@ Offset Proto Name Meaning
@@ -33,15 +34,16 @@ index 95a4d34..b8527c6 100644
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 2dc18605..a701d09 100644
+index 0a7b885964ba..29b8ba9ae713 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -1785,6 +1785,16 @@ config EFI_MIXED
+@@ -1776,6 +1776,17 @@ config EFI_MIXED
If unsure, say N.
+config EFI_SECURE_BOOT_SIG_ENFORCE
-+ def_bool n
++ def_bool n
++ depends on EFI
+ prompt "Force module signing when UEFI Secure Boot is enabled"
+ ---help---
+ UEFI Secure Boot provides a mechanism for ensuring that the
@@ -54,7 +56,7 @@ index 2dc18605..a701d09 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 52fef60..6b8b9a7 100644
+index 52fef606bc54..6b8b9a775b46 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
@@ -145,7 +147,7 @@ index 52fef60..6b8b9a7 100644
setup_efi_pci(boot_params);
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index 3292543..b61f853 100644
+index c18ce67495fa..2b3e5427097b 100644
--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -134,7 +134,8 @@ struct boot_params {
@@ -159,10 +161,10 @@ index 3292543..b61f853 100644
* The sentinel is set to a nonzero value (0xff) in header.S.
*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 2367ae0..1a78bf7 100644
+index c4e7b3991b60..bdb9881c7afd 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
@@ -176,7 +178,7 @@ index 2367ae0..1a78bf7 100644
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
diff --git a/include/linux/module.h b/include/linux/module.h
-index ab13009..e072b84 100644
+index 082298a09df1..38d0597f7615 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
@@ -193,10 +195,10 @@ index ab13009..e072b84 100644
extern int modules_disabled; /* for sysctl */
diff --git a/kernel/module.c b/kernel/module.c
-index 392ac8c..676c578 100644
+index 3c384968f553..ea484f3a35b2 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod,
+@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
EXPORT_SYMBOL(module_layout);
#endif