From c7a5157d4de03982fcd2e3cd1f035858153ab349 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 17 Mar 2021 12:44:57 -0500 Subject: kernel-5.11.7-9 * Wed Mar 17 2021 Justin M. Forbes [5.11.7-9] - Disable weak-modules again rhbz 1828455 (Justin M. Forbes) - More config updates for gcc-plugin turn off (Justin M. Forbes) - fedora: the PCH_CAN driver is x86-32 only (Peter Robinson) - common: disable legacy CAN device support (Peter Robinson) - common: Enable Microchip MCP251x/MCP251xFD CAN controllers (Peter Robinson) - common: Bosch MCAN support for Intel Elkhart Lake (Peter Robinson) - common: enable CAN_PEAK_PCIEFD PCI-E driver (Peter Robinson) - common: disable CAN_PEAK_PCIEC PCAN-ExpressCard (Peter Robinson) - common: enable common CAN layer 2 protocols (Peter Robinson) - ark: disable CAN_LEDS option (Peter Robinson) Resolves: rhbz# Signed-off-by: Justin M. Forbes --- ...wn-the-kernel-if-booted-in-secure-boot-mo.patch | 72 ---------------------- 1 file changed, 72 deletions(-) delete mode 100644 0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch (limited to '0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch') diff --git a/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch deleted file mode 100644 index 0a3099d65..000000000 --- a/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 30 Sep 2019 21:28:16 +0000 -Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode - -UEFI Secure Boot provides a mechanism for ensuring that the firmware -will only load signed bootloaders and kernels. Certain use cases may -also require that all kernel modules also be signed. Add a -configuration option that to lock down the kernel - which includes -requiring validly signed modules - if the kernel is secure-booted. - -Upstream Status: RHEL only -Signed-off-by: David Howells -Signed-off-by: Jeremy Cline ---- - arch/x86/kernel/setup.c | 8 ++++++++ - security/lockdown/Kconfig | 13 +++++++++++++ - 2 files changed, 21 insertions(+) - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index c9de4b36ca51..a1a012702915 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -18,6 +18,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1104,6 +1105,13 @@ void __init setup_arch(char **cmdline_p) - if (efi_enabled(EFI_BOOT)) - efi_init(); - -+ efi_set_secure_boot(boot_params.secure_boot); -+ -+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT -+ if (efi_enabled(EFI_SECURE_BOOT)) -+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX); -+#endif -+ - dmi_setup(); - - /* -diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig -index e84ddf484010..d0501353a4b9 100644 ---- a/security/lockdown/Kconfig -+++ b/security/lockdown/Kconfig -@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY - subsystem is fully initialised. If enabled, lockdown will - unconditionally be called before any other LSMs. - -+config LOCK_DOWN_IN_EFI_SECURE_BOOT -+ bool "Lock down the kernel in EFI Secure Boot mode" -+ default n -+ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY -+ help -+ UEFI Secure Boot provides a mechanism for ensuring that the firmware -+ will only load signed bootloaders and kernels. Secure boot mode may -+ be determined from EFI variables provided by the system firmware if -+ not indicated by the boot parameters. -+ -+ Enabling this option results in kernel lockdown being triggered if -+ EFI Secure Boot is set. -+ - choice - prompt "Kernel default lockdown mode" - default LOCK_DOWN_KERNEL_FORCE_NONE --- -2.28.0 - -- cgit