diff options
Diffstat (limited to 'Add-sysrq-option-to-disable-secure-boot-mode.patch')
-rw-r--r-- | Add-sysrq-option-to-disable-secure-boot-mode.patch | 249 |
1 files changed, 249 insertions, 0 deletions
diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch new file mode 100644 index 000000000..ec0b5d770 --- /dev/null +++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch @@ -0,0 +1,249 @@ +From fa99247d0a0867fdaa29a3a2df56d388e605f543 Mon Sep 17 00:00:00 2001 +From: Kyle McMartin <kyle@redhat.com> +Date: Fri, 30 Aug 2013 09:28:51 -0400 +Subject: [PATCH] Add sysrq option to disable secure boot mode + +Bugzilla: N/A +Upstream-status: Fedora mustard +--- + arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ + drivers/input/misc/uinput.c | 1 + + drivers/tty/sysrq.c | 19 +++++++++++++------ + include/linux/input.h | 5 +++++ + include/linux/sysrq.h | 8 +++++++- + kernel/debug/kdb/kdb_main.c | 2 +- + kernel/module.c | 4 ++-- + 7 files changed, 65 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index fb282ff6a802..d291d16ba257 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -70,6 +70,11 @@ + #include <linux/tboot.h> + #include <linux/jiffies.h> + ++#include <linux/fips.h> ++#include <linux/cred.h> ++#include <linux/sysrq.h> ++#include <linux/init_task.h> ++ + #include <video/edid.h> + + #include <asm/mtrr.h> +@@ -1268,6 +1273,37 @@ void __init i386_reserve_resources(void) + + #endif /* CONFIG_X86_32 */ + ++#ifdef CONFIG_MAGIC_SYSRQ ++#ifdef CONFIG_MODULE_SIG ++extern bool sig_enforce; ++#endif ++ ++static void sysrq_handle_secure_boot(int key) ++{ ++ if (!efi_enabled(EFI_SECURE_BOOT)) ++ return; ++ ++ pr_info("Secure boot disabled\n"); ++#ifdef CONFIG_MODULE_SIG ++ sig_enforce = fips_enabled; ++#endif ++} ++static struct sysrq_key_op secure_boot_sysrq_op = { ++ .handler = sysrq_handle_secure_boot, ++ .help_msg = "unSB(x)", ++ .action_msg = "Disabling Secure Boot restrictions", ++ .enable_mask = SYSRQ_DISABLE_USERSPACE, ++}; ++static int __init secure_boot_sysrq(void) ++{ ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ register_sysrq_key('x', &secure_boot_sysrq_op); ++ return 0; ++} ++late_initcall(secure_boot_sysrq); ++#endif /*CONFIG_MAGIC_SYSRQ*/ ++ ++ + static struct notifier_block kernel_offset_notifier = { + .notifier_call = dump_kernel_offset + }; +diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c +index 421e29e4cd81..61c1eb97806c 100644 +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -366,6 +366,7 @@ static int uinput_allocate_device(struct uinput_device *udev) + if (!udev->dev) + return -ENOMEM; + ++ udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC; + udev->dev->event = uinput_dev_event; + input_set_drvdata(udev->dev, udev); + +diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c +index 42bad18c66c9..496e073b09d7 100644 +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -463,6 +463,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { + &sysrq_showstate_blocked_op, /* w */ + /* x: May be registered on ppc/powerpc for xmon */ + /* x: May be registered on sparc64 for global PMU dump */ ++ /* x: May be registered on x86_64 for disabling secure boot */ + NULL, /* x */ + /* y: May be registered on sparc64 for global register dump */ + NULL, /* y */ +@@ -506,7 +507,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) + sysrq_key_table[i] = op_p; + } + +-void __handle_sysrq(int key, bool check_mask) ++void __handle_sysrq(int key, int from) + { + struct sysrq_key_op *op_p; + int orig_log_level; +@@ -526,11 +527,15 @@ void __handle_sysrq(int key, bool check_mask) + + op_p = __sysrq_get_key_op(key); + if (op_p) { ++ /* Ban synthetic events from some sysrq functionality */ ++ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && ++ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) ++ printk("This sysrq operation is disabled from userspace.\n"); + /* + * Should we check for enabled operations (/proc/sysrq-trigger + * should not) and is the invoked operation enabled? + */ +- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { ++ if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { + printk("%s\n", op_p->action_msg); + console_loglevel = orig_log_level; + op_p->handler(key); +@@ -562,7 +567,7 @@ void __handle_sysrq(int key, bool check_mask) + void handle_sysrq(int key) + { + if (sysrq_on()) +- __handle_sysrq(key, true); ++ __handle_sysrq(key, SYSRQ_FROM_KERNEL); + } + EXPORT_SYMBOL(handle_sysrq); + +@@ -642,7 +647,7 @@ static void sysrq_do_reset(unsigned long _state) + static void sysrq_handle_reset_request(struct sysrq_state *state) + { + if (state->reset_requested) +- __handle_sysrq(sysrq_xlate[KEY_B], false); ++ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL); + + if (sysrq_reset_downtime_ms) + mod_timer(&state->keyreset_timer, +@@ -793,8 +798,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, + + default: + if (sysrq->active && value && value != 2) { ++ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ? ++ SYSRQ_FROM_SYNTHETIC : 0; + sysrq->need_reinject = false; +- __handle_sysrq(sysrq_xlate[code], true); ++ __handle_sysrq(sysrq_xlate[code], from); + } + break; + } +@@ -1089,7 +1096,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, + + if (get_user(c, buf)) + return -EFAULT; +- __handle_sysrq(c, false); ++ __handle_sysrq(c, SYSRQ_FROM_PROC); + } + + return count; +diff --git a/include/linux/input.h b/include/linux/input.h +index 82ce323b9986..9e534f228945 100644 +--- a/include/linux/input.h ++++ b/include/linux/input.h +@@ -42,6 +42,7 @@ struct input_value { + * @phys: physical path to the device in the system hierarchy + * @uniq: unique identification code for the device (if device has it) + * @id: id of the device (struct input_id) ++ * @flags: input device flags (SYNTHETIC, etc.) + * @propbit: bitmap of device properties and quirks + * @evbit: bitmap of types of events supported by the device (EV_KEY, + * EV_REL, etc.) +@@ -124,6 +125,8 @@ struct input_dev { + const char *uniq; + struct input_id id; + ++ unsigned int flags; ++ + unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)]; + + unsigned long evbit[BITS_TO_LONGS(EV_CNT)]; +@@ -190,6 +193,8 @@ struct input_dev { + }; + #define to_input_dev(d) container_of(d, struct input_dev, dev) + ++#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001 ++ + /* + * Verify that we are in sync with input_device_id mod_devicetable.h #defines + */ +diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h +index 387fa7d05c98..4b07e30b3279 100644 +--- a/include/linux/sysrq.h ++++ b/include/linux/sysrq.h +@@ -28,6 +28,8 @@ + #define SYSRQ_ENABLE_BOOT 0x0080 + #define SYSRQ_ENABLE_RTNICE 0x0100 + ++#define SYSRQ_DISABLE_USERSPACE 0x00010000 ++ + struct sysrq_key_op { + void (*handler)(int); + char *help_msg; +@@ -42,8 +44,12 @@ struct sysrq_key_op { + * are available -- else NULL's). + */ + ++#define SYSRQ_FROM_KERNEL 0x0001 ++#define SYSRQ_FROM_PROC 0x0002 ++#define SYSRQ_FROM_SYNTHETIC 0x0004 ++ + void handle_sysrq(int key); +-void __handle_sysrq(int key, bool check_mask); ++void __handle_sysrq(int key, int from); + int register_sysrq_key(int key, struct sysrq_key_op *op); + int unregister_sysrq_key(int key, struct sysrq_key_op *op); + struct sysrq_key_op *__sysrq_get_key_op(int key); +diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c +index 379650b984f8..070f29fefdc2 100644 +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1924,7 +1924,7 @@ static int kdb_sr(int argc, const char **argv) + if (argc != 1) + return KDB_ARGCOUNT; + kdb_trap_printk++; +- __handle_sysrq(*argv[1], false); ++ __handle_sysrq(*argv[1], SYSRQ_FROM_KERNEL); + kdb_trap_printk--; + + return 0; +diff --git a/kernel/module.c b/kernel/module.c +index 866417ecc76a..d7ca95c5a349 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -108,9 +108,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */ + + #ifdef CONFIG_MODULE_SIG + #ifdef CONFIG_MODULE_SIG_FORCE +-static bool sig_enforce = true; ++bool sig_enforce = true; + #else +-static bool sig_enforce = false; ++bool sig_enforce = false; + + static int param_set_bool_enable_only(const char *val, + const struct kernel_param *kp) +-- +1.9.3 + |