diff options
Diffstat (limited to 'secure-modules.patch')
| -rw-r--r-- | secure-modules.patch | 110 |
1 files changed, 55 insertions, 55 deletions
diff --git a/secure-modules.patch b/secure-modules.patch index 9d01b9356..025bf4fb6 100644 --- a/secure-modules.patch +++ b/secure-modules.patch @@ -1,4 +1,4 @@ -From 8dea807503a1ba88d9e27595daae7f86ec968711 Mon Sep 17 00:00:00 2001 +From 0fc411ee00c81b8a18b1417d31f2736fad155d89 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/14] Add secure_modules() call @@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 2 files changed, 17 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index 46f1ea0..0c266b2 100644 +index 05f2447..de97e77 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block * nb); +@@ -515,6 +515,8 @@ int unregister_module_notifier(struct notifier_block * nb); extern void print_modules(void); @@ -26,7 +26,7 @@ index 46f1ea0..0c266b2 100644 #else /* !CONFIG_MODULES... */ /* Given an address, look for it in the exception tables. */ -@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block * nb) +@@ -625,6 +627,11 @@ static inline int unregister_module_notifier(struct notifier_block * nb) static inline void print_modules(void) { } @@ -39,10 +39,10 @@ index 46f1ea0..0c266b2 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 2069158..0e94acf 100644 +index dc58274..81206c1 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -3852,3 +3852,13 @@ void module_layout(struct module *mod, +@@ -3860,3 +3860,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -60,7 +60,7 @@ index 2069158..0e94acf 100644 1.8.3.1 -From 9b7b3f6283bf784e4ea1c34e52646b12971b2823 Mon Sep 17 00:00:00 2001 +From b94942e55b519e70366e970cea3665c464d1b7da Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is @@ -80,7 +80,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index c0dbe1f..cd4e35f 100644 +index d8eb880..a851ad6 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -29,6 +29,7 @@ @@ -91,7 +91,7 @@ index c0dbe1f..cd4e35f 100644 #include "pci.h" static int sysfs_initialized; /* = 0 */ -@@ -624,6 +625,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, +@@ -644,6 +645,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8*) buf; @@ -101,7 +101,7 @@ index c0dbe1f..cd4e35f 100644 if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { -@@ -930,6 +934,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, +@@ -950,6 +954,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, resource_size_t start, end; int i; @@ -111,7 +111,7 @@ index c0dbe1f..cd4e35f 100644 for (i = 0; i < PCI_ROM_RESOURCE; i++) if (res == &pdev->resource[i]) break; -@@ -1037,6 +1044,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, +@@ -1057,6 +1064,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { @@ -179,7 +179,7 @@ index e1c1ec5..bffbf71 100644 1.8.3.1 -From aac2425a2664c09c2a369e1eec6e7a5bc2713cb1 Mon Sep 17 00:00:00 2001 +From 36f34509fe52cc49e1b1f6815a3f235040f64a03 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/14] x86: Lock down IO port access when module security is @@ -252,7 +252,7 @@ index f895a8c..1af8664 100644 1.8.3.1 -From e7f9789c7eedf291972666befee726ff8e7126f6 Mon Sep 17 00:00:00 2001 +From 67d9800dcf60467e076587b0aac67bcdc516cfe2 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/14] ACPI: Limit access to custom_method @@ -284,7 +284,7 @@ index 12b62f2..50647b3 100644 1.8.3.1 -From d81cd6628c821d47bd086354cbc57b1474f3c1a8 Mon Sep 17 00:00:00 2001 +From bdf3761573167c20c72b151c1088b24fd24869ac Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module @@ -339,7 +339,7 @@ index 19c313b..db18ef66 100644 1.8.3.1 -From df75e984729ef50bb691b4d15472529fcd81580b Mon Sep 17 00:00:00 2001 +From 65d88af5a2c6bb6d01da17819d8ba782bd208837 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is @@ -382,7 +382,7 @@ index 1af8664..61406c8 100644 1.8.3.1 -From 78955913cc46cc5e5c7f2c71c1b07a5c18e06456 Mon Sep 17 00:00:00 2001 +From 4aa42b7fa5d7f79eb1d179e728ffa561fd9cf354 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module @@ -398,7 +398,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 6ab2c35..e4c4410 100644 +index e5f416c..9311c00 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -45,6 +45,7 @@ @@ -409,7 +409,7 @@ index 6ab2c35..e4c4410 100644 #include <asm/io.h> #include <asm/uaccess.h> -@@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -249,7 +250,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -422,7 +422,7 @@ index 6ab2c35..e4c4410 100644 1.8.3.1 -From 23aae9143fbece326b3a26bf5ba48956c99cabe4 Mon Sep 17 00:00:00 2001 +From c9e62c2ce588d98a774a3853e56d95e48b9df98c Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 03:33:56 -0400 Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module @@ -438,7 +438,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 59f7b55..3e2b63a 100644 +index 2a74f30..13601e3 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -32,6 +32,7 @@ @@ -467,7 +467,7 @@ index 59f7b55..3e2b63a 100644 1.8.3.1 -From 218cd49aa2d6a085c5c4edc0396200864f0b54ad Mon Sep 17 00:00:00 2001 +From d0e3cb2c13dc9634849ddacf75b6f0d94147516a Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Tue, 3 Sep 2013 11:23:29 -0400 Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted @@ -482,7 +482,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 4 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c -index 4ed81e7..15cb72f 100644 +index 957f061..e570609d 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -24,6 +24,7 @@ @@ -493,7 +493,7 @@ index 4ed81e7..15cb72f 100644 #include <asm/uaccess.h> -@@ -48,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) +@@ -49,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) struct snapshot_data *data; int error; @@ -507,7 +507,7 @@ index 4ed81e7..15cb72f 100644 1.8.3.1 -From beeaac053d4ae57dc65be1da8b46e5d4bc6542b8 Mon Sep 17 00:00:00 2001 +From b238417ed3c5a0b21bbfcac84f6c70011b8977c0 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is @@ -524,7 +524,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 88458fa..d08f7e3 100644 +index 05266b5..e2bd647 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, @@ -552,7 +552,7 @@ index 88458fa..d08f7e3 100644 1.8.3.1 -From b4331711c52aff0a6a9cef0f4b52fe261874d6f2 Mon Sep 17 00:00:00 2001 +From c3a9afb3b580b4f721d245fc5d13e378b99b9cd8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 11/14] Add option to automatically enforce module signatures @@ -588,12 +588,12 @@ index 199f453..ec38acf 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index b32ebf9..6a6c19b 100644 +index 725e157..fe212ef 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1581,6 +1581,16 @@ config EFI_STUB +@@ -1604,6 +1604,16 @@ config EFI_STUB - See Documentation/x86/efi-stub.txt for more information. + See Documentation/efi-stub.txt for more information. +config EFI_SECURE_BOOT_SIG_ENFORCE + def_bool n @@ -609,7 +609,7 @@ index b32ebf9..6a6c19b 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index b7388a4..53bfe4f 100644 +index a7677ba..4e172e9 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -620,10 +620,10 @@ index b7388a4..53bfe4f 100644 #undef memcpy /* Use memcpy from misc.c */ -@@ -861,6 +862,37 @@ fail: - return status; +@@ -741,6 +742,37 @@ free_mem_map: } + +static int get_secure_boot(void) +{ + u8 sb, setup; @@ -656,9 +656,9 @@ index b7388a4..53bfe4f 100644 + + /* - * Because the x86 boot code expects to be passed a boot_params we - * need to create one ourselves (usually the bootloader would create -@@ -1169,6 +1201,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, + * On success we return a pointer to a boot_params structure, and NULL + * on failure. +@@ -760,6 +792,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) goto fail; @@ -670,7 +670,7 @@ index b7388a4..53bfe4f 100644 setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index c15ddaf..85d7685 100644 +index 9c3733c..a7ba210 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -131,7 +131,8 @@ struct boot_params { @@ -684,10 +684,10 @@ index c15ddaf..85d7685 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index f8ec578..deeb7bc 100644 +index 918d489..fe429c1 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1127,6 +1127,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -701,10 +701,10 @@ index f8ec578..deeb7bc 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index 0c266b2..5a6374a 100644 +index de97e77..d69fe19 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -184,6 +184,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); +@@ -190,6 +190,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); struct notifier_block; @@ -718,10 +718,10 @@ index 0c266b2..5a6374a 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 0e94acf..974139b 100644 +index 81206c1..e1428f0 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -3853,6 +3853,13 @@ void module_layout(struct module *mod, +@@ -3861,6 +3861,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -739,7 +739,7 @@ index 0e94acf..974139b 100644 1.8.3.1 -From bb28516d346e6511f1e012321c48eb142763e539 Mon Sep 17 00:00:00 2001 +From 27a1aa77c7fbaaae8c6a776190a38dcbf3c3d6d2 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Tue, 5 Feb 2013 19:25:05 -0500 Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode @@ -756,10 +756,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com> 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 53bfe4f..946028b 100644 +index 4e172e9..4905f4d 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c -@@ -864,8 +864,9 @@ fail: +@@ -744,8 +744,9 @@ free_mem_map: static int get_secure_boot(void) { @@ -770,7 +770,7 @@ index 53bfe4f..946028b 100644 efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; efi_status_t status; -@@ -889,6 +890,23 @@ static int get_secure_boot(void) +@@ -769,6 +770,23 @@ static int get_secure_boot(void) if (setup == 1) return 0; @@ -798,7 +798,7 @@ index 53bfe4f..946028b 100644 1.8.3.1 -From 4c8824bac8d4284e66c39c365ba84151f2d78e87 Mon Sep 17 00:00:00 2001 +From 2a445ca2c187da4497ef5f68f111574fd2b0d419 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -812,11 +812,11 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 6a6c19b..10498ec 100644 +index fe212ef..bf83fd3 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1582,7 +1582,8 @@ config EFI_STUB - See Documentation/x86/efi-stub.txt for more information. +@@ -1605,7 +1605,8 @@ config EFI_STUB + See Documentation/efi-stub.txt for more information. config EFI_SECURE_BOOT_SIG_ENFORCE - def_bool n @@ -829,7 +829,7 @@ index 6a6c19b..10498ec 100644 1.8.3.1 -From 871b0ed1847c3c5413a4ca72ecf18735858f7708 Mon Sep 17 00:00:00 2001 +From b1c533cc1d1ca7a03497cc4f2e1b029bde95633c Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit @@ -844,10 +844,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index deeb7bc..08dc16e 100644 +index fe429c1..469fbf0 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1131,7 +1131,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1129,7 +1129,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -858,10 +858,10 @@ index deeb7bc..08dc16e 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 5f8f176..eed2202 100644 +index bc5687d..b010a2e 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -634,6 +634,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -653,6 +653,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */ #define EFI_MEMMAP 4 /* Can we use EFI memory map? */ #define EFI_64BIT 5 /* Is the firmware 64-bit? */ |