[kernel] Update modsign and include secure boot
Josh Boyer
jwboyer at fedoraproject.org
Tue Jul 24 15:23:40 UTC 2012
commit 306dfccc03842b8b0238c2c4ec13198f8b8ea2a3
Author: Josh Boyer <jwboyer at redhat.com>
Date: Tue Jul 24 11:22:32 2012 -0400
Update modsign and include secure boot
- Update modsign patch to latest upstream
- Add initial UEFI Secure Boot patchset. Work in progress.
kernel.spec | 16 +-
modsign-20120718.patch => modsign-20120724.patch | 634 ++++++------
secure-boot-20120724.patch | 1161 ++++++++++++++++++++++
3 files changed, 1494 insertions(+), 317 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index fe8ba5e..6f3a9c6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 1
+%global baserelease 2
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -672,7 +672,10 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
Patch800: linux-2.6-crash-driver.patch
# crypto/
-Patch900: modsign-20120718.patch
+Patch900: modsign-20120724.patch
+
+# secure boot
+Patch1000: secure-boot-20120724.patch
# virt + ksm patches
Patch1555: fix_xen_guest_on_old_EC2.patch
@@ -1374,7 +1377,10 @@ ApplyPatch linux-2.6-crash-driver.patch
ApplyPatch linux-2.6-e1000-ich9-montevina.patch
# crypto/
-ApplyPatch modsign-20120718.patch
+ApplyPatch modsign-20120724.patch
+
+# secure boot
+ApplyPatch secure-boot-20120724.patch
# Assorted Virt Fixes
ApplyPatch fix_xen_guest_on_old_EC2.patch
@@ -2295,6 +2301,10 @@ fi
# ||----w |
# || ||
%changelog
+* Tue Jul 24 2012 Josh Boyer <jwboyer at redhat.com>
+- Update modsign patch to latest upstream
+- Add initial UEFI Secure Boot patchset. Work in progress.
+
* Tue Jul 24 2012 Justin M. Forbes <jforbes at redhat.com> - 3.6.0-0.rc0.git1.1
- Linux v3.5-1643-gf0a08fc
diff --git a/modsign-20120718.patch b/modsign-20120724.patch
similarity index 94%
rename from modsign-20120718.patch
rename to modsign-20120724.patch
index 0630014..d37497d 100644
--- a/modsign-20120718.patch
+++ b/modsign-20120724.patch
@@ -1,6 +1,6 @@
-From d1ff3781d12ad616073b4f1f3b04cef22d8c7c21 Mon Sep 17 00:00:00 2001
+From d012ed16fd7eff5498ddd9be8ad9960a644db518 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 13:12:20 +0100
+Date: Tue, 24 Jul 2012 13:59:15 +0100
Subject: [PATCH 01/27] MPILIB: Provide count_leading/trailing_zeros() based
on arch functions
@@ -17,14 +17,11 @@ Cc: David S. Miller <davem at davemloft.net>
Cc: Dmitry Kasatkin <dmitry.kasatkin at intel.com>
Cc: Arnd Bergmann <arnd at arndb.com>
---
- include/asm-generic/bitops/count_zeros.h | 57 ++++++++++++
- lib/mpi/longlong.h | 138 +-----------------------------
- lib/mpi/mpi-bit.c | 2 +-
- lib/mpi/mpi-div.c | 2 +-
- lib/mpi/mpi-pow.c | 4 +-
- lib/mpi/mpi-scan.c | 2 +-
- lib/mpi/mpih-div.c | 8 +-
- 7 files changed, 68 insertions(+), 145 deletions(-)
+ include/asm-generic/bitops/count_zeros.h | 57 +++++++++++++
+ lib/mpi/longlong.h | 138 +------------------------------
+ lib/mpi/mpi-bit.c | 2 +-
+ lib/mpi/mpi-pow.c | 4 +-
+ 4 files changed, 62 insertions(+), 139 deletions(-)
create mode 100644 include/asm-generic/bitops/count_zeros.h
diff --git a/include/asm-generic/bitops/count_zeros.h b/include/asm-generic/bitops/count_zeros.h
@@ -324,7 +321,7 @@ index 29f9862..678ce4f 100644
#define UDIV_NEEDS_NORMALIZATION 0
#endif
diff --git a/lib/mpi/mpi-bit.c b/lib/mpi/mpi-bit.c
-index 0c50536..3fc00bf 100644
+index 5687248..503537e 100644
--- a/lib/mpi/mpi-bit.c
+++ b/lib/mpi/mpi-bit.c
@@ -45,7 +45,7 @@ unsigned mpi_get_nbits(MPI a)
@@ -336,19 +333,6 @@ index 0c50536..3fc00bf 100644
else
n = BITS_PER_MPI_LIMB;
n = BITS_PER_MPI_LIMB - n + (a->nlimbs - 1) * BITS_PER_MPI_LIMB;
-diff --git a/lib/mpi/mpi-div.c b/lib/mpi/mpi-div.c
-index f68cbbb..51f105c 100644
---- a/lib/mpi/mpi-div.c
-+++ b/lib/mpi/mpi-div.c
-@@ -217,7 +217,7 @@ int mpi_tdiv_qr(MPI quot, MPI rem, MPI num, MPI den)
- } else /* Put quotient at top of remainder. */
- qp = rp + dsize;
-
-- count_leading_zeros(normalization_steps, dp[dsize - 1]);
-+ normalization_steps = count_leading_zeros(dp[dsize - 1]);
-
- /* Normalize the denominator, i.e. make its most significant bit set by
- * shifting it NORMALIZATION_STEPS bits to the left. Also shift the
diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c
index 67f3e79..5464c87 100644
--- a/lib/mpi/mpi-pow.c
@@ -371,66 +355,13 @@ index 67f3e79..5464c87 100644
e = (e << c) << 1; /* shift the exp bits to the left, lose msb */
c = BITS_PER_MPI_LIMB - 1 - c;
-diff --git a/lib/mpi/mpi-scan.c b/lib/mpi/mpi-scan.c
-index b2da5ad..58556b5 100644
---- a/lib/mpi/mpi-scan.c
-+++ b/lib/mpi/mpi-scan.c
-@@ -125,7 +125,7 @@ unsigned mpi_trailing_zeros(const MPI a)
- unsigned nn;
- mpi_limb_t alimb = a->d[n];
-
-- count_trailing_zeros(nn, alimb);
-+ nn = count_trailing_zeros(alimb);
- count += nn;
- break;
- }
-diff --git a/lib/mpi/mpih-div.c b/lib/mpi/mpih-div.c
-index cde1aae..d6483792 100644
---- a/lib/mpi/mpih-div.c
-+++ b/lib/mpi/mpih-div.c
-@@ -65,7 +65,7 @@ mpihelp_mod_1(mpi_ptr_t dividend_ptr, mpi_size_t dividend_size,
- && (UDIV_TIME - (2 * UMUL_TIME + 6)) * dividend_size > UDIV_TIME) {
- int normalization_steps;
-
-- count_leading_zeros(normalization_steps, divisor_limb);
-+ normalization_steps = count_leading_zeros(divisor_limb);
- if (normalization_steps) {
- mpi_limb_t divisor_limb_inverted;
-
-@@ -142,7 +142,7 @@ mpihelp_mod_1(mpi_ptr_t dividend_ptr, mpi_size_t dividend_size,
- if (UDIV_NEEDS_NORMALIZATION) {
- int normalization_steps;
-
-- count_leading_zeros(normalization_steps, divisor_limb);
-+ normalization_steps = count_leading_zeros(divisor_limb);
- if (normalization_steps) {
- divisor_limb <<= normalization_steps;
-
-@@ -421,7 +421,7 @@ mpihelp_divmod_1(mpi_ptr_t quot_ptr,
- && (UDIV_TIME - (2 * UMUL_TIME + 6)) * dividend_size > UDIV_TIME) {
- int normalization_steps;
-
-- count_leading_zeros(normalization_steps, divisor_limb);
-+ normalization_steps = count_leading_zeros(divisor_limb);
- if (normalization_steps) {
- mpi_limb_t divisor_limb_inverted;
-
-@@ -496,7 +496,7 @@ mpihelp_divmod_1(mpi_ptr_t quot_ptr,
- if (UDIV_NEEDS_NORMALIZATION) {
- int normalization_steps;
-
-- count_leading_zeros(normalization_steps, divisor_limb);
-+ normalization_steps = count_leading_zeros(divisor_limb);
- if (normalization_steps) {
- divisor_limb <<= normalization_steps;
-
--
-1.7.10.4
+1.7.11.2
-From 7611bb8e543cb2255c69bfb5edd85ed0d2cdb9e9 Mon Sep 17 00:00:00 2001
+From e2faf6ee3cc2f8cfe1c18e8d31eaf01fa653fd79 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 13:12:20 +0100
+Date: Tue, 24 Jul 2012 13:59:51 +0100
Subject: [PATCH 02/27] KEYS: Create a key type that can be used for general
cryptographic operations
@@ -442,15 +373,15 @@ algorithms.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- Documentation/security/keys-crypto.txt | 181 +++++++++++++++++++++++++
- include/keys/crypto-subtype.h | 56 ++++++++
- include/keys/crypto-type.h | 25 ++++
- security/keys/Kconfig | 2 +
- security/keys/Makefile | 1 +
- security/keys/crypto/Kconfig | 7 +
- security/keys/crypto/Makefile | 7 +
- security/keys/crypto/crypto_keys.h | 28 ++++
- security/keys/crypto/crypto_type.c | 228 ++++++++++++++++++++++++++++++++
+ Documentation/security/keys-crypto.txt | 181 ++++++++++++++++++++++++++
+ include/keys/crypto-subtype.h | 56 ++++++++
+ include/keys/crypto-type.h | 25 ++++
+ security/keys/Kconfig | 2 +
+ security/keys/Makefile | 1 +
+ security/keys/crypto/Kconfig | 7 +
+ security/keys/crypto/Makefile | 7 +
+ security/keys/crypto/crypto_keys.h | 28 ++++
+ security/keys/crypto/crypto_type.c | 228 +++++++++++++++++++++++++++++++++
9 files changed, 535 insertions(+)
create mode 100644 Documentation/security/keys-crypto.txt
create mode 100644 include/keys/crypto-subtype.h
@@ -1054,12 +985,12 @@ index 0000000..33d279b
+module_init(crypto_key_init);
+module_exit(crypto_key_cleanup);
--
-1.7.10.4
+1.7.11.2
-From 23d7c6d8927420846af94823a90de1c24120bfea Mon Sep 17 00:00:00 2001
+From f7b41b16f3c6d24b46100b259a83c50615be5a23 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 13:12:20 +0100
+Date: Tue, 24 Jul 2012 13:59:51 +0100
Subject: [PATCH 03/27] KEYS: Add signature verification facility
Add a facility whereby a key subtype may be asked to verify a signature against
@@ -1092,11 +1023,11 @@ This adds four routines:
Signed-off-by: David Howells <dhowells at redhat.com>
---
- Documentation/security/keys-crypto.txt | 101 ++++++++++++++++++++++++++++
- include/keys/crypto-subtype.h | 21 ++++++
- include/keys/crypto-type.h | 9 +++
- security/keys/crypto/Makefile | 2 +-
- security/keys/crypto/crypto_verify.c | 112 ++++++++++++++++++++++++++++++++
+ Documentation/security/keys-crypto.txt | 101 +++++++++++++++++++++++++++++
+ include/keys/crypto-subtype.h | 21 +++++++
+ include/keys/crypto-type.h | 9 +++
+ security/keys/crypto/Makefile | 2 +-
+ security/keys/crypto/crypto_verify.c | 112 +++++++++++++++++++++++++++++++++
5 files changed, 244 insertions(+), 1 deletion(-)
create mode 100644 security/keys/crypto/crypto_verify.c
@@ -1428,12 +1359,12 @@ index 0000000..3f2964b
+}
+EXPORT_SYMBOL_GPL(verify_sig_cancel);
--
-1.7.10.4
+1.7.11.2
-From 2fd136dec4682c1fa2609a7a94cf0353c334615c Mon Sep 17 00:00:00 2001
+From dfa8292f4527f46cabbbd64bd89766ac1dbe6546 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 13:12:20 +0100
+Date: Tue, 24 Jul 2012 13:59:52 +0100
Subject: [PATCH 04/27] KEYS: Asymmetric public-key algorithm crypto key
subtype
@@ -1442,10 +1373,10 @@ as DSA (FIPS-186) and RSA (PKCS#1 / RFC1337).
Signed-off-by: David Howells <dhowells at redhat.com>
---
- security/keys/crypto/Kconfig | 10 ++++
- security/keys/crypto/Makefile | 3 +-
- security/keys/crypto/public_key.c | 55 +++++++++++++++++++
- security/keys/crypto/public_key.h | 106 +++++++++++++++++++++++++++++++++++++
+ security/keys/crypto/Kconfig | 10 ++++
+ security/keys/crypto/Makefile | 3 +-
+ security/keys/crypto/public_key.c | 55 ++++++++++++++++++++
+ security/keys/crypto/public_key.h | 106 ++++++++++++++++++++++++++++++++++++++
4 files changed, 173 insertions(+), 1 deletion(-)
create mode 100644 security/keys/crypto/public_key.c
create mode 100644 security/keys/crypto/public_key.h
@@ -1654,45 +1585,120 @@ index 0000000..81ed603
+
+#endif /* _LINUX_PUBLIC_KEY_H */
--
-1.7.10.4
+1.7.11.2
-From ba785b97c90fc4403b2124dc2cecc842ba49be54 Mon Sep 17 00:00:00 2001
+From 0a8e7f4cc41d3cddf8a2367b1f0ed2bb1f6ccc91 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 13:12:21 +0100
-Subject: [PATCH 05/27] KEYS: RSA: Add exports from MPILIB
+Date: Tue, 24 Jul 2012 14:10:37 +0100
+Subject: [PATCH 05/27] MPILIB: Reinstate mpi_cmp[_ui]() and export for RSA
+ signature verification
-Export mpi_cmp() and mpi_cmp_ui() from the MPI library for use by RSA.
+Reinstate and export mpi_cmp() and mpi_cmp_ui() from the MPI library for use by
+RSA signature verification as per RFC3447 section 5.2.2 step 1.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- lib/mpi/mpi-cmp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
+ lib/mpi/Makefile | 1 +
+ lib/mpi/mpi-cmp.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+)
+ create mode 100644 lib/mpi/mpi-cmp.c
+
+diff --git a/lib/mpi/Makefile b/lib/mpi/Makefile
+index 45ca90a..019a68c 100644
+--- a/lib/mpi/Makefile
++++ b/lib/mpi/Makefile
+@@ -14,6 +14,7 @@ mpi-y = \
+ generic_mpih-add1.o \
+ mpicoder.o \
+ mpi-bit.o \
++ mpi-cmp.o \
+ mpih-cmp.o \
+ mpih-div.o \
+ mpih-mul.o \
diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c
-index 914bc42..1871e7b 100644
---- a/lib/mpi/mpi-cmp.c
+new file mode 100644
+index 0000000..1871e7b
+--- /dev/null
+++ b/lib/mpi/mpi-cmp.c
-@@ -39,6 +39,7 @@ int mpi_cmp_ui(MPI u, unsigned long v)
- else
- return -1;
- }
+@@ -0,0 +1,70 @@
++/* mpi-cmp.c - MPI functions
++ * Copyright (C) 1998, 1999 Free Software Foundation, Inc.
++ *
++ * This file is part of GnuPG.
++ *
++ * GnuPG is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuPG is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
++ */
++
++#include "mpi-internal.h"
++
++int mpi_cmp_ui(MPI u, unsigned long v)
++{
++ mpi_limb_t limb = v;
++
++ mpi_normalize(u);
++ if (!u->nlimbs && !limb)
++ return 0;
++ if (u->sign)
++ return -1;
++ if (u->nlimbs > 1)
++ return 1;
++
++ if (u->d[0] == limb)
++ return 0;
++ else if (u->d[0] > limb)
++ return 1;
++ else
++ return -1;
++}
+EXPORT_SYMBOL_GPL(mpi_cmp_ui);
-
- int mpi_cmp(MPI u, MPI v)
- {
-@@ -66,3 +67,4 @@ int mpi_cmp(MPI u, MPI v)
- return 1;
- return -1;
- }
++
++int mpi_cmp(MPI u, MPI v)
++{
++ mpi_size_t usize, vsize;
++ int cmp;
++
++ mpi_normalize(u);
++ mpi_normalize(v);
++ usize = u->nlimbs;
++ vsize = v->nlimbs;
++ if (!u->sign && v->sign)
++ return 1;
++ if (u->sign && !v->sign)
++ return -1;
++ if (usize != vsize && !u->sign && !v->sign)
++ return usize - vsize;
++ if (usize != vsize && u->sign && v->sign)
++ return vsize + usize;
++ if (!usize)
++ return 0;
++ cmp = mpihelp_cmp(u->d, v->d, usize);
++ if (!cmp)
++ return 0;
++ if ((cmp < 0 ? 1 : 0) == (u->sign ? 1 : 0))
++ return 1;
++ return -1;
++}
+EXPORT_SYMBOL_GPL(mpi_cmp);
--
-1.7.10.4
+1.7.11.2
-From 650edd748b92eea0622ecb26a5ee81c7b582d04c Mon Sep 17 00:00:00 2001
+From de86fda3085f6586bfd28517c07a2cd8cd4f9893 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:15:36 +0100
+Date: Tue, 24 Jul 2012 14:10:39 +0100
Subject: [PATCH 06/27] KEYS: RSA: Implement signature verification algorithm
[PKCS#1 / RFC3447]
@@ -1702,10 +1708,10 @@ public key subtype to hold its key data.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- security/keys/crypto/Kconfig | 7 +
- security/keys/crypto/Makefile | 1 +
- security/keys/crypto/crypto_rsa.c | 264 +++++++++++++++++++++++++++++++++++++
- security/keys/crypto/public_key.h | 2 +
+ security/keys/crypto/Kconfig | 7 +
+ security/keys/crypto/Makefile | 1 +
+ security/keys/crypto/crypto_rsa.c | 264 ++++++++++++++++++++++++++++++++++++++
+ security/keys/crypto/public_key.h | 2 +
4 files changed, 274 insertions(+)
create mode 100644 security/keys/crypto/crypto_rsa.c
@@ -2017,12 +2023,12 @@ index 81ed603..7913615 100644
* Asymmetric public key data
*/
--
-1.7.10.4
+1.7.11.2
-From 7da10c257377762e1a6ac747b48791cf610ba4c5 Mon Sep 17 00:00:00 2001
+From 2363851f3eeae9ec32ee6d5f868085eb11afa717 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:15:39 +0100
+Date: Tue, 24 Jul 2012 14:11:19 +0100
Subject: [PATCH 07/27] KEYS: RSA: Fix signature verification for shorter
signatures
@@ -2038,7 +2044,7 @@ Thanks to Tomas Mraz and Miloslav Trmac for help.
Signed-off-by: Milan Broz <mbroz at redhat.com>
Signed-off-by: David Howells <dhowells at redhat.com>
---
- security/keys/crypto/crypto_rsa.c | 14 +++++++++++---
+ security/keys/crypto/crypto_rsa.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/security/keys/crypto/crypto_rsa.c b/security/keys/crypto/crypto_rsa.c
@@ -2073,12 +2079,12 @@ index 845285c..a4a63be 100644
ret = RSAVP1(key, sig->rsa.s, &m);
if (ret < 0)
--
-1.7.10.4
+1.7.11.2
-From 4366c59a624398d1aba4d6651191ba880da9e694 Mon Sep 17 00:00:00 2001
+From edfd057d757164e207edfb3d3affa87cf0b126e6 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:15:52 +0100
+Date: Tue, 24 Jul 2012 14:11:19 +0100
Subject: [PATCH 08/27] PGPLIB: PGP definitions (RFC 4880)
Provide some useful PGP definitions from RFC 4880. These describe details of
@@ -2087,7 +2093,7 @@ verification.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- include/linux/pgp.h | 206 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/pgp.h | 206 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 206 insertions(+)
create mode 100644 include/linux/pgp.h
@@ -2304,12 +2310,12 @@ index 0000000..1359f64
+
+#endif /* _LINUX_PGP_H */
--
-1.7.10.4
+1.7.11.2
-From 0409a338e01de5025cec2a1b291442651163aafd Mon Sep 17 00:00:00 2001
+From 36f2b76a6ee5c6d86f6d7725ead9e5252b1d29a6 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:17:46 +0100
+Date: Tue, 24 Jul 2012 14:11:20 +0100
Subject: [PATCH 09/27] PGPLIB: Basic packet parser
Provide a simple parser that extracts the packets from a PGP packet blob and
@@ -2331,10 +2337,10 @@ This is configured on with CONFIG_PGP_LIBRARY.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- include/linux/pgplib.h | 47 +++++++
- security/keys/crypto/Kconfig | 6 +
- security/keys/crypto/Makefile | 1 +
- security/keys/crypto/pgp_library.c | 268 ++++++++++++++++++++++++++++++++++++
+ include/linux/pgplib.h | 47 +++++++
+ security/keys/crypto/Kconfig | 6 +
+ security/keys/crypto/Makefile | 1 +
+ security/keys/crypto/pgp_library.c | 268 +++++++++++++++++++++++++++++++++++++
4 files changed, 322 insertions(+)
create mode 100644 include/linux/pgplib.h
create mode 100644 security/keys/crypto/pgp_library.c
@@ -2690,12 +2696,12 @@ index 0000000..af396d6
+}
+EXPORT_SYMBOL_GPL(pgp_parse_public_key);
--
-1.7.10.4
+1.7.11.2
-From 2a76433139dbdc6d57d38da6ceb79ce05ab603a4 Mon Sep 17 00:00:00 2001
+From 6f830b85b1e32e44291c2bdff6b936025c48b40d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:21:24 +0100
+Date: Tue, 24 Jul 2012 14:11:20 +0100
Subject: [PATCH 10/27] PGPLIB: Signature parser
Provide some PGP signature parsing helpers:
@@ -2714,8 +2720,8 @@ Provide some PGP signature parsing helpers:
Signed-off-by: David Howells <dhowells at redhat.com>
---
- include/linux/pgplib.h | 25 ++++
- security/keys/crypto/pgp_library.c | 280 ++++++++++++++++++++++++++++++++++++
+ include/linux/pgplib.h | 25 ++++
+ security/keys/crypto/pgp_library.c | 280 +++++++++++++++++++++++++++++++++++++
2 files changed, 305 insertions(+)
diff --git a/include/linux/pgplib.h b/include/linux/pgplib.h
@@ -3043,12 +3049,12 @@ index af396d6..c9218df 100644
+}
+EXPORT_SYMBOL_GPL(pgp_parse_sig_params);
--
-1.7.10.4
+1.7.11.2
-From 91a05bc308c1e177410882a119f388d3b6b53c22 Mon Sep 17 00:00:00 2001
+From c0e901a1ce72ddf259de219506327271cf3bb700 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:21:26 +0100
+Date: Tue, 24 Jul 2012 14:11:21 +0100
Subject: [PATCH 11/27] KEYS: PGP data parser
Implement a PGP data parser for the crypto key type to use when instantiating a
@@ -3066,10 +3072,10 @@ some errors.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- security/keys/crypto/Kconfig | 12 ++
- security/keys/crypto/Makefile | 4 +
- security/keys/crypto/pgp_parser.h | 23 +++
- security/keys/crypto/pgp_public_key.c | 348 +++++++++++++++++++++++++++++++++
+ security/keys/crypto/Kconfig | 12 ++
+ security/keys/crypto/Makefile | 4 +
+ security/keys/crypto/pgp_parser.h | 23 +++
+ security/keys/crypto/pgp_public_key.c | 348 ++++++++++++++++++++++++++++++++++
4 files changed, 387 insertions(+)
create mode 100644 security/keys/crypto/pgp_parser.h
create mode 100644 security/keys/crypto/pgp_public_key.c
@@ -3490,12 +3496,12 @@ index 0000000..8a8b7c0
+module_init(pgp_key_init);
+module_exit(pgp_key_exit);
--
-1.7.10.4
+1.7.11.2
-From 14191eaae2f9ccba2563a4bf9c30ffcbf153f521 Mon Sep 17 00:00:00 2001
+From b830627f3b864530540ad88df21d2ceefcba7459 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:22:19 +0100
+Date: Tue, 24 Jul 2012 14:11:21 +0100
Subject: [PATCH 12/27] KEYS: PGP-based public key signature verification
Provide handlers for PGP-based public-key algorithm signature verification.
@@ -3508,9 +3514,9 @@ patch provides.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- security/keys/crypto/Makefile | 3 +-
- security/keys/crypto/pgp_parser.h | 6 +
- security/keys/crypto/pgp_sig_verify.c | 325 +++++++++++++++++++++++++++++++++
+ security/keys/crypto/Makefile | 3 +-
+ security/keys/crypto/pgp_parser.h | 6 +
+ security/keys/crypto/pgp_sig_verify.c | 325 ++++++++++++++++++++++++++++++++++
3 files changed, 333 insertions(+), 1 deletion(-)
create mode 100644 security/keys/crypto/pgp_sig_verify.c
@@ -3871,12 +3877,12 @@ index 0000000..82c89da
+ kleave("");
+}
--
-1.7.10.4
+1.7.11.2
-From 3ca6d54c9bbd0633b7f8e1b033c7d8b2ebe85489 Mon Sep 17 00:00:00 2001
+From fbd1b578b58a197da42428fda49654d38c794f31 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:22:40 +0100
+Date: Tue, 24 Jul 2012 14:11:21 +0100
Subject: [PATCH 13/27] KEYS: PGP format signature parser
Implement a signature parser that will attempt to parse a signature blob as a
@@ -3885,10 +3891,10 @@ and set the public-key algorithm according to the data in the signature.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- security/keys/crypto/Makefile | 1 +
- security/keys/crypto/pgp_parser.h | 6 ++
- security/keys/crypto/pgp_public_key.c | 1 +
- security/keys/crypto/pgp_sig_parser.c | 114 +++++++++++++++++++++++++++++++++
+ security/keys/crypto/Makefile | 1 +
+ security/keys/crypto/pgp_parser.h | 6 ++
+ security/keys/crypto/pgp_public_key.c | 1 +
+ security/keys/crypto/pgp_sig_parser.c | 114 ++++++++++++++++++++++++++++++++++
4 files changed, 122 insertions(+)
create mode 100644 security/keys/crypto/pgp_sig_parser.c
@@ -4052,12 +4058,12 @@ index 0000000..f5feb2b
+ return ctx;
+}
--
-1.7.10.4
+1.7.11.2
-From 30a028f485bd476ef3ad73fbb042a55b4851c966 Mon Sep 17 00:00:00 2001
+From a04615b5ce4ae2e6e0f1932cd697b6a3d41cb9f8 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:22:59 +0100
+Date: Tue, 24 Jul 2012 14:11:21 +0100
Subject: [PATCH 14/27] KEYS: Provide a function to load keys from a PGP
keyring blob
@@ -4083,11 +4089,11 @@ out some errors.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- Documentation/security/keys-crypto.txt | 20 +++++++
- include/keys/crypto-type.h | 3 +
- security/keys/crypto/Kconfig | 9 +++
- security/keys/crypto/Makefile | 1 +
- security/keys/crypto/pgp_preload.c | 96 ++++++++++++++++++++++++++++++++
+ Documentation/security/keys-crypto.txt | 20 +++++++
+ include/keys/crypto-type.h | 3 ++
+ security/keys/crypto/Kconfig | 9 ++++
+ security/keys/crypto/Makefile | 1 +
+ security/keys/crypto/pgp_preload.c | 96 ++++++++++++++++++++++++++++++++++
5 files changed, 129 insertions(+)
create mode 100644 security/keys/crypto/pgp_preload.c
@@ -4270,12 +4276,12 @@ index 0000000..9028788
+ return pgp_parse_packets(pgpdata, pgpdatalen, &ctx.pgp);
+}
--
-1.7.10.4
+1.7.11.2
-From 13b8bd0afb58d1000c74741f176862efb6d1bcc9 Mon Sep 17 00:00:00 2001
+From d0e5635f09c91ca12fa5a508c2ba5197372d7487 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:25:41 +0100
+Date: Tue, 24 Jul 2012 14:13:56 +0100
Subject: [PATCH 15/27] Make most arch asm/module.h files use
asm-generic/module.h
@@ -4315,62 +4321,62 @@ unsupported type of relocation record as that's now handled centrally.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- arch/Kconfig | 19 +++++++++++++++++
- arch/alpha/Kconfig | 2 ++
- arch/alpha/include/asm/module.h | 10 ++-------
- arch/arm/Kconfig | 2 ++
- arch/arm/include/asm/module.h | 8 ++------
- arch/avr32/Kconfig | 2 ++
- arch/avr32/include/asm/module.h | 6 ++----
- arch/blackfin/Kconfig | 2 ++
- arch/blackfin/include/asm/module.h | 4 +---
- arch/c6x/Kconfig | 1 +
- arch/c6x/include/asm/module.h | 12 +----------
- arch/cris/Kconfig | 1 +
- arch/cris/include/asm/Kbuild | 2 ++
- arch/cris/include/asm/module.h | 9 --------
- arch/frv/include/asm/module.h | 8 +-------
- arch/h8300/Kconfig | 1 +
- arch/h8300/include/asm/Kbuild | 2 ++
- arch/h8300/include/asm/module.h | 11 ----------
- arch/hexagon/Kconfig | 1 +
- arch/ia64/Kconfig | 2 ++
- arch/ia64/include/asm/module.h | 6 ++----
- arch/m32r/Kconfig | 1 +
- arch/m32r/include/asm/Kbuild | 2 ++
- arch/m32r/include/asm/module.h | 10 ---------
- arch/m32r/kernel/module.c | 15 --------------
- arch/m68k/Kconfig | 3 +++
- arch/m68k/include/asm/module.h | 6 ++----
- arch/microblaze/Kconfig | 1 +
- arch/mips/Kconfig | 3 +++
- arch/mips/include/asm/module.h | 10 +++++++--
- arch/mips/kernel/module.c | 2 ++
- arch/mn10300/Kconfig | 1 +
- arch/mn10300/include/asm/module.h | 7 +------
- arch/openrisc/Kconfig | 1 +
- arch/parisc/Kconfig | 2 ++
- arch/parisc/include/asm/module.h | 16 +++------------
- arch/powerpc/Kconfig | 2 ++
- arch/powerpc/include/asm/module.h | 7 +------
- arch/s390/Kconfig | 2 ++
- arch/s390/include/asm/module.h | 18 +++-------------
- arch/score/Kconfig | 2 ++
- arch/score/include/asm/module.h | 6 +-----
- arch/score/kernel/module.c | 10 ---------
- arch/sh/Kconfig | 2 ++
- arch/sh/include/asm/module.h | 14 +++----------
- arch/sparc/Kconfig | 1 +
- arch/sparc/include/asm/Kbuild | 1 +
- arch/sparc/include/asm/module.h | 24 ----------------------
- arch/tile/Kconfig | 1 +
- arch/unicore32/Kconfig | 1 +
- arch/x86/Kconfig | 2 ++
- arch/xtensa/Kconfig | 1 +
- arch/xtensa/include/asm/module.h | 9 +-------
- include/asm-generic/module.h | 40 +++++++++++++++++++++++++++++-------
- include/linux/moduleloader.h | 36 ++++++++++++++++++++++++++++----
- kernel/module.c | 20 ------------------
+ arch/Kconfig | 19 ++++++++++++++++++
+ arch/alpha/Kconfig | 2 ++
+ arch/alpha/include/asm/module.h | 10 ++--------
+ arch/arm/Kconfig | 2 ++
+ arch/arm/include/asm/module.h | 8 ++------
+ arch/avr32/Kconfig | 2 ++
+ arch/avr32/include/asm/module.h | 6 ++----
+ arch/blackfin/Kconfig | 2 ++
+ arch/blackfin/include/asm/module.h | 4 +---
+ arch/c6x/Kconfig | 1 +
+ arch/c6x/include/asm/module.h | 12 +-----------
+ arch/cris/Kconfig | 1 +
+ arch/cris/include/asm/Kbuild | 2 ++
+ arch/cris/include/asm/module.h | 9 ---------
+ arch/frv/include/asm/module.h | 8 +-------
+ arch/h8300/Kconfig | 1 +
+ arch/h8300/include/asm/Kbuild | 2 ++
+ arch/h8300/include/asm/module.h | 11 -----------
+ arch/hexagon/Kconfig | 1 +
+ arch/ia64/Kconfig | 2 ++
+ arch/ia64/include/asm/module.h | 6 ++----
+ arch/m32r/Kconfig | 1 +
+ arch/m32r/include/asm/Kbuild | 2 ++
+ arch/m32r/include/asm/module.h | 10 ----------
+ arch/m32r/kernel/module.c | 15 --------------
+ arch/m68k/Kconfig | 3 +++
+ arch/m68k/include/asm/module.h | 6 ++----
+ arch/microblaze/Kconfig | 1 +
+ arch/mips/Kconfig | 3 +++
+ arch/mips/include/asm/module.h | 10 ++++++++--
+ arch/mips/kernel/module.c | 2 ++
+ arch/mn10300/Kconfig | 1 +
+ arch/mn10300/include/asm/module.h | 7 +------
+ arch/openrisc/Kconfig | 1 +
+ arch/parisc/Kconfig | 2 ++
+ arch/parisc/include/asm/module.h | 16 +++------------
+ arch/powerpc/Kconfig | 2 ++
+ arch/powerpc/include/asm/module.h | 7 +------
+ arch/s390/Kconfig | 2 ++
+ arch/s390/include/asm/module.h | 18 +++--------------
+ arch/score/Kconfig | 2 ++
+ arch/score/include/asm/module.h | 6 +-----
+ arch/score/kernel/module.c | 10 ----------
+ arch/sh/Kconfig | 2 ++
+ arch/sh/include/asm/module.h | 14 +++----------
+ arch/sparc/Kconfig | 1 +
+ arch/sparc/include/asm/Kbuild | 1 +
+ arch/sparc/include/asm/module.h | 24 -----------------------
+ arch/tile/Kconfig | 1 +
+ arch/unicore32/Kconfig | 1 +
+ arch/x86/Kconfig | 2 ++
+ arch/xtensa/Kconfig | 1 +
+ arch/xtensa/include/asm/module.h | 9 +--------
+ include/asm-generic/module.h | 40 +++++++++++++++++++++++++++++++-------
+ include/linux/moduleloader.h | 36 ++++++++++++++++++++++++++++++----
+ kernel/module.c | 20 -------------------
56 files changed, 167 insertions(+), 223 deletions(-)
delete mode 100644 arch/cris/include/asm/module.h
delete mode 100644 arch/h8300/include/asm/module.h
@@ -4445,7 +4451,7 @@ index 7b63743..9cd13b5 100644
#ifdef MODULE
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index a91009c..af8bf36 100644
+index c7e6d20..5fc742e 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -45,6 +45,8 @@ config ARM
@@ -4837,7 +4843,7 @@ index 0bf4423..ee395d3 100644
config SWAP
def_bool n
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
-index 09ab87e..2901b41 100644
+index b3e10fd..5972ebd 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -34,6 +34,9 @@ config MIPS
@@ -4991,7 +4997,7 @@ index 1f41234..bab37e9 100644
struct unwind_table;
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 050cb37..17d3267 100644
+index 9a5d3cd..5a91b5b 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -137,6 +137,8 @@ config PPC
@@ -5137,7 +5143,7 @@ index 469e3b6..1378d99 100644
const struct exception_table_entry *search_module_dbetables(unsigned long addr)
{
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
-index 31d9db7..22c02bb 100644
+index a24595d..365ecf5 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -34,6 +34,8 @@ config SUPERH
@@ -5231,10 +5237,10 @@ index ff8e02d..0000000
-
-#endif /* __SPARC_MODULE_H */
diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
-index fe12881..2d8bc27 100644
+index 932e443..1603f30 100644
--- a/arch/tile/Kconfig
+++ b/arch/tile/Kconfig
-@@ -15,6 +15,7 @@ config TILE
+@@ -17,6 +17,7 @@ config TILE
select SYS_HYPERVISOR
select ARCH_HAVE_NMI_SAFE_CMPXCHG
select GENERIC_CLOCKEVENTS
@@ -5357,7 +5363,7 @@ index ed5b44d..14dc41d 100644
#endif /* __ASM_GENERIC_MODULE_H */
diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h
-index b2be02e..b85dda8 100644
+index b2be02e..560ca53 100644
--- a/include/linux/moduleloader.h
+++ b/include/linux/moduleloader.h
@@ -28,21 +28,49 @@ void *module_alloc(unsigned long size);
@@ -5383,7 +5389,7 @@ index b2be02e..b85dda8 100644
+ unsigned int relsec,
+ struct module *me)
+{
-+ pr_err("module %s: REL relocation unsupported\n", me->name);
++ printk(KERN_ERR "module %s: REL relocation unsupported\n", me->name);
+ return -ENOEXEC;
+}
+#endif
@@ -5407,7 +5413,7 @@ index b2be02e..b85dda8 100644
+ unsigned int relsec,
+ struct module *me)
+{
-+ pr_err("module %s: RELA relocation unsupported\n", me->name);
++ printk(KERN_ERR "module %s: REL relocation unsupported\n", me->name);
+ return -ENOEXEC;
+}
+#endif
@@ -5446,12 +5452,12 @@ index 4edbd9c..087aeed 100644
{
unsigned int i;
--
-1.7.10.4
+1.7.11.2
-From 69bdeeb86f28489efa7d5f414867bd07b9516c10 Mon Sep 17 00:00:00 2001
+From 3ad621a6fe31c4b1e73675facc39b2b34eaba3a3 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:26:33 +0100
+Date: Tue, 24 Jul 2012 14:13:57 +0100
Subject: [PATCH 16/27] Provide macros for forming the name of an ELF note and
its section
@@ -5460,7 +5466,7 @@ appropriately so that the macro can be used in both C and assembly.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- include/linux/elfnote.h | 4 ++++
+ include/linux/elfnote.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/include/linux/elfnote.h b/include/linux/elfnote.h
@@ -5486,12 +5492,12 @@ index 278e3ef..949d494 100644
#endif /* _LINUX_ELFNOTE_H */
--
-1.7.10.4
+1.7.11.2
-From 5191f0bcbe03426b90b0a53c9ea960fafba7c269 Mon Sep 17 00:00:00 2001
+From ebd84cbe7656bb091c8101af3d302ea7c14e7ecf Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:27:05 +0100
+Date: Tue, 24 Jul 2012 14:14:00 +0100
Subject: [PATCH 17/27] MODSIGN: Provide gitignore and make clean rules for
extra files
@@ -5502,9 +5508,9 @@ to be signed.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- .gitignore | 12 ++++++++++++
- Makefile | 1 +
- scripts/mod/.gitignore | 1 +
+ .gitignore | 12 ++++++++++++
+ Makefile | 1 +
+ scripts/mod/.gitignore | 1 +
3 files changed, 14 insertions(+)
diff --git a/.gitignore b/.gitignore
@@ -5535,7 +5541,7 @@ index 57af07c..7948eeb 100644
+random_seed
+trustdb.gpg
diff --git a/Makefile b/Makefile
-index aa8e315..4a4a11f 100644
+index 4bb09e1..5afb466 100644
--- a/Makefile
+++ b/Makefile
@@ -1239,6 +1239,7 @@ clean: $(clean-dirs)
@@ -5557,12 +5563,12 @@ index e9b7abe..223dfd6 100644
+mod-extract
--
-1.7.10.4
+1.7.11.2
-From bf067003ae6304d90c278118b5d65d905be16e53 Mon Sep 17 00:00:00 2001
+From 5071caadfaf48a29826bb0fb934bf8046878ca00 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:27:16 +0100
+Date: Tue, 24 Jul 2012 14:14:01 +0100
Subject: [PATCH 18/27] MODSIGN: Provide Documentation and Kconfig options
Provide documentation and kernel configuration options for module signing.
@@ -5596,9 +5602,9 @@ The following configuration options are added:
Signed-off-by: David Howells <dhowells at redhat.com>
---
- Documentation/module-signing.txt | 194 ++++++++++++++++++++++++++++++++++++++
- include/linux/modsign.h | 27 ++++++
- init/Kconfig | 54 +++++++++++
+ Documentation/module-signing.txt | 194 +++++++++++++++++++++++++++++++++++++++
+ include/linux/modsign.h | 27 ++++++
+ init/Kconfig | 54 +++++++++++
3 files changed, 275 insertions(+)
create mode 100644 Documentation/module-signing.txt
create mode 100644 include/linux/modsign.h
@@ -5902,12 +5908,12 @@ index d07dcf9..1d1a056 100644
config INIT_ALL_POSSIBLE
--
-1.7.10.4
+1.7.11.2
-From 19c2fd74747b84e445b0a4eb7f7308a238267aec Mon Sep 17 00:00:00 2001
+From 506ebdd9cc53b7e1fe5c1a1351bf1e42cce4c856 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:27:38 +0100
+Date: Tue, 24 Jul 2012 14:14:01 +0100
Subject: [PATCH 19/27] MODSIGN: Sign modules during the build process
If CONFIG_MODULE_SIG is set, then this patch will cause the module to get a
@@ -5947,10 +5953,10 @@ will appear in the build log. If it is skipped, the following will be seen:
Signed-off-by: David Howells <dhowells at redhat.com>
---
- scripts/Makefile.modpost | 87 ++++-
- scripts/mod/Makefile | 2 +-
- scripts/mod/mod-extract.c | 913 +++++++++++++++++++++++++++++++++++++++++++
- scripts/mod/modsign-note.sh | 16 +
+ scripts/Makefile.modpost | 87 ++++-
+ scripts/mod/Makefile | 2 +-
+ scripts/mod/mod-extract.c | 913 ++++++++++++++++++++++++++++++++++++++++++++
+ scripts/mod/modsign-note.sh | 16 +
4 files changed, 1016 insertions(+), 2 deletions(-)
create mode 100644 scripts/mod/mod-extract.c
create mode 100644 scripts/mod/modsign-note.sh
@@ -7027,12 +7033,12 @@ index 0000000..bca67c0
+
+exit 0
--
-1.7.10.4
+1.7.11.2
-From 05f68f1852611dd7f2f7d28c677b1205b66d4337 Mon Sep 17 00:00:00 2001
+From c075a55ef7dd94b37406e09c542f69994e73424c Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:27:49 +0100
+Date: Tue, 24 Jul 2012 14:14:01 +0100
Subject: [PATCH 20/27] MODSIGN: Module signature verification stub
Create a stub for the module signature verifier and link it into module.c so
@@ -7063,12 +7069,12 @@ This table indicates the behaviours in the various situations:
Signed-off-by: David Howells <dhowells at redhat.com>
---
- include/linux/module.h | 3 ++
- kernel/Makefile | 1 +
- kernel/module-verify-defs.h | 77 ++++++++++++++++++++++++++++++
- kernel/module-verify.c | 110 +++++++++++++++++++++++++++++++++++++++++++
- kernel/module-verify.h | 20 ++++++++
- kernel/module.c | 26 ++++++++--
+ include/linux/module.h | 3 ++
+ kernel/Makefile | 1 +
+ kernel/module-verify-defs.h | 77 +++++++++++++++++++++++++++++++
+ kernel/module-verify.c | 110 ++++++++++++++++++++++++++++++++++++++++++++
+ kernel/module-verify.h | 20 ++++++++
+ kernel/module.c | 26 +++++++++--
6 files changed, 232 insertions(+), 5 deletions(-)
create mode 100644 kernel/module-verify-defs.h
create mode 100644 kernel/module-verify.c
@@ -7415,12 +7421,12 @@ index 087aeed..a59a9da 100644
if (last_unloaded_module[0])
printk(" [last unloaded: %s]", last_unloaded_module);
--
-1.7.10.4
+1.7.11.2
-From a8622506bccd42aecd271d2735f6734e539125ac Mon Sep 17 00:00:00 2001
+From 632507c5c70caad4ac7000d573b60236e405247b Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:28:33 +0100
+Date: Tue, 24 Jul 2012 14:14:02 +0100
Subject: [PATCH 21/27] MODSIGN: Automatically generate module signing keys if
missing
@@ -7436,7 +7442,7 @@ if the keyrings change.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- kernel/Makefile | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
+ kernel/Makefile | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/kernel/Makefile b/kernel/Makefile
@@ -7497,12 +7503,12 @@ index cec222a..28cd248 100644
+endif
+CLEAN_FILES += modsign.pub modsign.sec genkey random_seed
--
-1.7.10.4
+1.7.11.2
-From 2bde4c453e0b5ec52fe95c3fb800af86fdc38546 Mon Sep 17 00:00:00 2001
+From bbbe230903a8c8f1d3aa7d2cc7f850930ff1539f Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:28:41 +0100
+Date: Tue, 24 Jul 2012 14:14:02 +0100
Subject: [PATCH 22/27] MODSIGN: Provide module signing public keys to the
kernel
@@ -7523,10 +7529,10 @@ their removal and preventing further modules from being loaded with that key.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- kernel/Makefile | 25 ++++++++-------
- kernel/modsign-pubkey.c | 75 +++++++++++++++++++++++++++++++++++++++++++
- kernel/module-verify-defs.h | 4 +++
- kernel/module-verify.c | 2 --
+ kernel/Makefile | 25 ++++++++-------
+ kernel/modsign-pubkey.c | 75 +++++++++++++++++++++++++++++++++++++++++++++
+ kernel/module-verify-defs.h | 4 +++
+ kernel/module-verify.c | 2 --
4 files changed, 93 insertions(+), 13 deletions(-)
create mode 100644 kernel/modsign-pubkey.c
@@ -7683,12 +7689,12 @@ index 4bf857e..05473e6 100644
#include <linux/moduleparam.h>
#include <keys/crypto-type.h>
--
-1.7.10.4
+1.7.11.2
-From 689ea2a8739a5d61b7c55cd9084dd3096585c6de Mon Sep 17 00:00:00 2001
+From e4f50fd14864d574dfa77002da3bc51bbb0046bc Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:29:17 +0100
+Date: Tue, 24 Jul 2012 14:14:02 +0100
Subject: [PATCH 23/27] MODSIGN: Check the ELF container
Check the ELF container of the kernel module to prevent the kernel from
@@ -7767,7 +7773,7 @@ code, presumably because some local variables can be discarded.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- kernel/module-verify.c | 230 ++++++++++++++++++++++++++++++++++++++++++++++++
+ kernel/module-verify.c | 230 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 230 insertions(+)
diff --git a/kernel/module-verify.c b/kernel/module-verify.c
@@ -8019,12 +8025,12 @@ index 05473e6..2161d11 100644
/* Deal with an unsigned module */
if (modsign_signedonly) {
--
-1.7.10.4
+1.7.11.2
-From 4e90f1f1f04b2efb070f15211e644a8a86a2142e Mon Sep 17 00:00:00 2001
+From b9e2653685ab246ee774d4ea0d178f9d43b003f8 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:29:43 +0100
+Date: Tue, 24 Jul 2012 14:14:02 +0100
Subject: [PATCH 24/27] MODSIGN: Produce a filtered and canonicalised section
list
@@ -8040,7 +8046,7 @@ Canonicalisation is done by sorting the filtered list in order of section name.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- kernel/module-verify.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++
+ kernel/module-verify.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
diff --git a/kernel/module-verify.c b/kernel/module-verify.c
@@ -8143,12 +8149,12 @@ index 2161d11..646b104 100644
out:
switch (ret) {
--
-1.7.10.4
+1.7.11.2
-From 5f48916c06318abb0821b41bc06f457248ed87eb Mon Sep 17 00:00:00 2001
+From 425b80d71cb3d29ad9a5d1573b1ba62e8acc9846 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:30:02 +0100
+Date: Tue, 24 Jul 2012 14:14:03 +0100
Subject: [PATCH 25/27] MODSIGN: Create digest of module content and check
signature
@@ -8192,8 +8198,8 @@ somewhat smaller code.
Signed-off-by: David Howells <dhowells at redhat.com>
---
- kernel/module-verify-defs.h | 11 +-
- kernel/module-verify.c | 332 ++++++++++++++++++++++++++++++++++++++++++-
+ kernel/module-verify-defs.h | 11 +-
+ kernel/module-verify.c | 332 +++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 337 insertions(+), 6 deletions(-)
diff --git a/kernel/module-verify-defs.h b/kernel/module-verify-defs.h
@@ -8580,12 +8586,12 @@ index 646b104..e275759 100644
out:
--
-1.7.10.4
+1.7.11.2
-From 25841b75e473511f1dbe84cfb333ef2b748d2ec6 Mon Sep 17 00:00:00 2001
+From 83b8771f504bdb2d75df57697445211ca312a08b Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:30:22 +0100
+Date: Tue, 24 Jul 2012 14:14:03 +0100
Subject: [PATCH 26/27] MODSIGN: Suppress some redundant ELF checks
Suppress some redundant ELF checks in module_verify_elf() that are also done
@@ -8594,7 +8600,7 @@ module_verify().
Signed-off-by: David Howells <dhowells at redhat.com>
---
- kernel/module-verify.c | 6 +++---
+ kernel/module-verify.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/module-verify.c b/kernel/module-verify.c
@@ -8617,12 +8623,12 @@ index e275759..bfd1286 100644
/* Validate the section table contents */
mvdata->nsects = hdr->e_shnum;
--
-1.7.10.4
+1.7.11.2
-From 3ac2defabc1996584fac06b76070138fe56753e6 Mon Sep 17 00:00:00 2001
+From a7ec988440e9c8b0deaf769c79b4b3cfe45eb411 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
-Date: Wed, 18 Jul 2012 16:30:40 +0100
+Date: Tue, 24 Jul 2012 14:14:03 +0100
Subject: [PATCH 27/27] MODSIGN: Panic the kernel if FIPS is enabled upon
module signing failure
@@ -8633,7 +8639,7 @@ shouldn't happen on cases like ENOMEM.
Reported-by: Stephan Mueller <stephan.mueller at atsec.com>
Signed-off-by: David Howells <dhowells at redhat.com>
---
- kernel/module-verify.c | 5 +++++
+ kernel/module-verify.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/module-verify.c b/kernel/module-verify.c
@@ -8660,5 +8666,5 @@ index bfd1286..b9c3955 100644
case 0: /* Good signature */
*_gpgsig_ok = true;
--
-1.7.10.4
+1.7.11.2
diff --git a/secure-boot-20120724.patch b/secure-boot-20120724.patch
new file mode 100644
index 0000000..862e7e0
--- /dev/null
+++ b/secure-boot-20120724.patch
@@ -0,0 +1,1161 @@
+From 56ce13afe1b17cd2817c596b3a9e25e51937a328 Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt.fleming at intel.com>
+Date: Thu, 19 Jul 2012 10:23:48 +0100
+Subject: [PATCH 01/14] x86, efi: Handover Protocol
+
+As things currently stand, traditional EFI boot loaders and the EFI
+boot stub are carrying essentially the same initialisation code
+required to setup an EFI machine for booting a kernel. There's really
+no need to have this code in two places and the hope is that, with
+this new protocol, initialisation and booting of the kernel can be
+left solely to the kernel's EFI boot stub. The responsibilities of the
+boot loader then become,
+
+ o Loading the kernel image from boot media
+
+File system code still needs to be carried by boot loaders for the
+scenario where the kernel and initrd files reside on a file system
+that the EFI firmware doesn't natively understand, such as ext4, etc.
+
+ o Providing a user interface
+
+Boot loaders still need to display any menus/interfaces, for example
+to allow the user to select from a list of kernels.
+
+Bump the boot protocol number because we added the 'handover_offset'
+field to indicate the location of the handover protocol entry point.
+
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Matthew Garrett <mjg at redhat.com>
+Cc: Peter Jones <pjones at redhat.com>
+Cc: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Matt Fleming <matt.fleming at intel.com>
+---
+ Documentation/x86/boot.txt | 41 ++++++++
+ arch/x86/boot/compressed/eboot.c | 198 ++++++++++++++++++++++---------------
+ arch/x86/boot/compressed/head_32.S | 10 ++
+ arch/x86/boot/compressed/head_64.S | 10 ++
+ arch/x86/boot/header.S | 4 +-
+ arch/x86/include/asm/bootparam.h | 1 +
+ 6 files changed, 185 insertions(+), 79 deletions(-)
+
+diff --git a/Documentation/x86/boot.txt b/Documentation/x86/boot.txt
+index 7c3a880..c6539a4 100644
+--- a/Documentation/x86/boot.txt
++++ b/Documentation/x86/boot.txt
+@@ -54,6 +54,9 @@ Protocol 2.10: (Kernel 2.6.31) Added a protocol for relaxed alignment
+ beyond the kernel_alignment added, new init_size and
+ pref_address fields. Added extended boot loader IDs.
+
++Protocol 2.11: (Kernel 3.6) Added a field for offset of EFI handover
++ protocol entry point.
++
+ **** MEMORY LAYOUT
+
+ The traditional memory map for the kernel loader, used for Image or
+@@ -189,6 +192,7 @@ Offset Proto Name Meaning
+ of struct setup_data
+ 0258/8 2.10+ pref_address Preferred loading address
+ 0260/4 2.10+ init_size Linear memory required during initialization
++0264/4 2.11+ handover_offset Offset of handover entry point
+
+ (1) For backwards compatibility, if the setup_sects field contains 0, the
+ real value is 4.
+@@ -690,6 +694,16 @@ Offset/size: 0x260/4
+ else
+ runtime_start = pref_address
+
++Field name: handover_offset
++Type: read
++Offset/size: 0x264/4
++
++ This field is the offset from the beginning of the kernel image to
++ the EFI handover protocol entry point. Boot loaders using the EFI
++ handover protocol to boot the kernel should jump to this offset.
++
++ See EFI HANDOVER PROTOCOL below for more details.
++
+
+ **** THE IMAGE CHECKSUM
+
+@@ -1010,3 +1024,30 @@ segment; __BOOS_CS must have execute/read permission, and __BOOT_DS
+ must have read/write permission; CS must be __BOOT_CS and DS, ES, SS
+ must be __BOOT_DS; interrupt must be disabled; %esi must hold the base
+ address of the struct boot_params; %ebp, %edi and %ebx must be zero.
++
++**** EFI HANDOVER PROTOCOL
++
++This protocol allows boot loaders to defer initialisation to the EFI
++boot stub. The boot loader is required to load the kernel/initrd(s)
++from the boot media and jump to the EFI handover protocol entry point
++which is hdr->handover_offset bytes from the beginning of
++startup_{32,64}.
++
++The function prototype for the handover entry point looks like this,
++
++ efi_main(void *handle, efi_system_table_t *table, struct boot_params *bp)
++
++'handle' is the EFI image handle passed to the boot loader by the EFI
++firmware, 'table' is the EFI system table - these are the first two
++arguments of the "handoff state" as described in section 2.3 of the
++UEFI specification. 'bp' is the boot loader-allocated boot params.
++
++The boot loader *must* fill out the following fields in bp,
++
++ o hdr.code32_start
++ o hdr.cmd_line_ptr
++ o hdr.cmdline_size
++ o hdr.ramdisk_image (if applicable)
++ o hdr.ramdisk_size (if applicable)
++
++All other fields should be zero.
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 4e85f5f..b3e0227 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -729,32 +729,68 @@ fail:
+ * need to create one ourselves (usually the bootloader would create
+ * one for us).
+ */
+-static efi_status_t make_boot_params(struct boot_params *boot_params,
+- efi_loaded_image_t *image,
+- void *handle)
++struct boot_params *make_boot_params(void *handle, efi_system_table_t *_table)
+ {
+- struct efi_info *efi = &boot_params->efi_info;
+- struct apm_bios_info *bi = &boot_params->apm_bios_info;
+- struct sys_desc_table *sdt = &boot_params->sys_desc_table;
+- struct e820entry *e820_map = &boot_params->e820_map[0];
+- struct e820entry *prev = NULL;
+- struct setup_header *hdr = &boot_params->hdr;
+- unsigned long size, key, desc_size, _size;
+- efi_memory_desc_t *mem_map;
+- void *options = image->load_options;
+- u32 load_options_size = image->load_options_size / 2; /* ASCII */
++ struct boot_params *boot_params;
++ struct sys_desc_table *sdt;
++ struct apm_bios_info *bi;
++ struct setup_header *hdr;
++ struct efi_info *efi;
++ efi_loaded_image_t *image;
++ void *options;
++ u32 load_options_size;
++ efi_guid_t proto = LOADED_IMAGE_PROTOCOL_GUID;
+ int options_size = 0;
+ efi_status_t status;
+- __u32 desc_version;
+ unsigned long cmdline;
+- u8 nr_entries;
+ u16 *s2;
+ u8 *s1;
+ int i;
+
++ sys_table = _table;
++
++ /* Check if we were booted by the EFI firmware */
++ if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
++ return NULL;
++
++ status = efi_call_phys3(sys_table->boottime->handle_protocol,
++ handle, &proto, (void *)&image);
++ if (status != EFI_SUCCESS) {
++ efi_printk("Failed to get handle for LOADED_IMAGE_PROTOCOL\n");
++ return NULL;
++ }
++
++ status = low_alloc(0x4000, 1, (unsigned long *)&boot_params);
++ if (status != EFI_SUCCESS) {
++ efi_printk("Failed to alloc lowmem for boot params\n");
++ return NULL;
++ }
++
++ memset(boot_params, 0x0, 0x4000);
++
++ hdr = &boot_params->hdr;
++ efi = &boot_params->efi_info;
++ bi = &boot_params->apm_bios_info;
++ sdt = &boot_params->sys_desc_table;
++
++ /* Copy the second sector to boot_params */
++ memcpy(&hdr->jump, image->image_base + 512, 512);
++
++ /*
++ * Fill out some of the header fields ourselves because the
++ * EFI firmware loader doesn't load the first sector.
++ */
++ hdr->root_flags = 1;
++ hdr->vid_mode = 0xffff;
++ hdr->boot_flag = 0xAA55;
++
++ hdr->code32_start = (__u64)(unsigned long)image->image_base;
++
+ hdr->type_of_loader = 0x21;
+
+ /* Convert unicode cmdline to ascii */
++ options = image->load_options;
++ load_options_size = image->load_options_size / 2; /* ASCII */
+ cmdline = 0;
+ s2 = (u16 *)options;
+
+@@ -791,18 +827,36 @@ static efi_status_t make_boot_params(struct boot_params *boot_params,
+ hdr->ramdisk_image = 0;
+ hdr->ramdisk_size = 0;
+
+- status = handle_ramdisks(image, hdr);
+- if (status != EFI_SUCCESS)
+- goto free_cmdline;
+-
+- setup_graphics(boot_params);
+-
+ /* Clear APM BIOS info */
+ memset(bi, 0, sizeof(*bi));
+
+ memset(sdt, 0, sizeof(*sdt));
+
+- memcpy(&efi->efi_loader_signature, EFI_LOADER_SIGNATURE, sizeof(__u32));
++ status = handle_ramdisks(image, hdr);
++ if (status != EFI_SUCCESS)
++ goto fail2;
++
++ return boot_params;
++fail2:
++ if (options_size)
++ low_free(options_size, hdr->cmd_line_ptr);
++fail:
++ low_free(0x4000, (unsigned long)boot_params);
++ return NULL;
++}
++
++static efi_status_t exit_boot(struct boot_params *boot_params,
++ void *handle)
++{
++ struct efi_info *efi = &boot_params->efi_info;
++ struct e820entry *e820_map = &boot_params->e820_map[0];
++ struct e820entry *prev = NULL;
++ unsigned long size, key, desc_size, _size;
++ efi_memory_desc_t *mem_map;
++ efi_status_t status;
++ __u32 desc_version;
++ u8 nr_entries;
++ int i;
+
+ size = sizeof(*mem_map) * 32;
+
+@@ -811,7 +865,7 @@ again:
+ _size = size;
+ status = low_alloc(size, 1, (unsigned long *)&mem_map);
+ if (status != EFI_SUCCESS)
+- goto free_cmdline;
++ return status;
+
+ status = efi_call_phys5(sys_table->boottime->get_memory_map, &size,
+ mem_map, &key, &desc_size, &desc_version);
+@@ -823,6 +877,7 @@ again:
+ if (status != EFI_SUCCESS)
+ goto free_mem_map;
+
++ memcpy(&efi->efi_loader_signature, EFI_LOADER_SIGNATURE, sizeof(__u32));
+ efi->efi_systab = (unsigned long)sys_table;
+ efi->efi_memdesc_size = desc_size;
+ efi->efi_memdesc_version = desc_version;
+@@ -906,61 +961,13 @@ again:
+
+ free_mem_map:
+ low_free(_size, (unsigned long)mem_map);
+-free_cmdline:
+- if (options_size)
+- low_free(options_size, hdr->cmd_line_ptr);
+-fail:
+ return status;
+ }
+
+-/*
+- * On success we return a pointer to a boot_params structure, and NULL
+- * on failure.
+- */
+-struct boot_params *efi_main(void *handle, efi_system_table_t *_table)
++static efi_status_t relocate_kernel(struct setup_header *hdr)
+ {
+- struct boot_params *boot_params;
+ unsigned long start, nr_pages;
+- struct desc_ptr *gdt, *idt;
+- efi_loaded_image_t *image;
+- struct setup_header *hdr;
+ efi_status_t status;
+- efi_guid_t proto = LOADED_IMAGE_PROTOCOL_GUID;
+- struct desc_struct *desc;
+-
+- sys_table = _table;
+-
+- /* Check if we were booted by the EFI firmware */
+- if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
+- goto fail;
+-
+- status = efi_call_phys3(sys_table->boottime->handle_protocol,
+- handle, &proto, (void *)&image);
+- if (status != EFI_SUCCESS) {
+- efi_printk("Failed to get handle for LOADED_IMAGE_PROTOCOL\n");
+- goto fail;
+- }
+-
+- status = low_alloc(0x4000, 1, (unsigned long *)&boot_params);
+- if (status != EFI_SUCCESS) {
+- efi_printk("Failed to alloc lowmem for boot params\n");
+- goto fail;
+- }
+-
+- memset(boot_params, 0x0, 0x4000);
+-
+- hdr = &boot_params->hdr;
+-
+- /* Copy the second sector to boot_params */
+- memcpy(&hdr->jump, image->image_base + 512, 512);
+-
+- /*
+- * Fill out some of the header fields ourselves because the
+- * EFI firmware loader doesn't load the first sector.
+- */
+- hdr->root_flags = 1;
+- hdr->vid_mode = 0xffff;
+- hdr->boot_flag = 0xAA55;
+
+ /*
+ * The EFI firmware loader could have placed the kernel image
+@@ -978,16 +985,40 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table)
+ if (status != EFI_SUCCESS) {
+ status = low_alloc(hdr->init_size, hdr->kernel_alignment,
+ &start);
+- if (status != EFI_SUCCESS) {
++ if (status != EFI_SUCCESS)
+ efi_printk("Failed to alloc mem for kernel\n");
+- goto fail;
+- }
+ }
+
++ if (status == EFI_SUCCESS)
++ memcpy((void *)start, (void *)(unsigned long)hdr->code32_start,
++ hdr->init_size);
++
++ hdr->pref_address = hdr->code32_start;
+ hdr->code32_start = (__u32)start;
+- hdr->pref_address = (__u64)(unsigned long)image->image_base;
+
+- memcpy((void *)start, image->image_base, image->image_size);
++ return status;
++}
++
++/*
++ * On success we return a pointer to a boot_params structure, and NULL
++ * on failure.
++ */
++struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
++ struct boot_params *boot_params)
++{
++ struct desc_ptr *gdt, *idt;
++ efi_loaded_image_t *image;
++ struct setup_header *hdr = &boot_params->hdr;
++ efi_status_t status;
++ struct desc_struct *desc;
++
++ sys_table = _table;
++
++ /* Check if we were booted by the EFI firmware */
++ if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
++ goto fail;
++
++ setup_graphics(boot_params);
+
+ status = efi_call_phys3(sys_table->boottime->allocate_pool,
+ EFI_LOADER_DATA, sizeof(*gdt),
+@@ -1015,7 +1046,18 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table)
+ idt->size = 0;
+ idt->address = 0;
+
+- status = make_boot_params(boot_params, image, handle);
++ /*
++ * If the kernel isn't already loaded at the preferred load
++ * address, relocate it.
++ */
++ if (hdr->pref_address != hdr->code32_start) {
++ status = relocate_kernel(hdr);
++
++ if (status != EFI_SUCCESS)
++ goto fail;
++ }
++
++ status = exit_boot(boot_params, handle);
+ if (status != EFI_SUCCESS)
+ goto fail;
+
+diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
+index c85e3ac..aa4aaf1 100644
+--- a/arch/x86/boot/compressed/head_32.S
++++ b/arch/x86/boot/compressed/head_32.S
+@@ -42,6 +42,16 @@ ENTRY(startup_32)
+ */
+ add $0x4, %esp
+
++ call make_boot_params
++ cmpl $0, %eax
++ je 1f
++ movl 0x4(%esp), %esi
++ movl (%esp), %ecx
++ pushl %eax
++ pushl %esi
++ pushl %ecx
++
++ .org 0x30,0x90
+ call efi_main
+ cmpl $0, %eax
+ movl %eax, %esi
+diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
+index 87e03a1..2c4b171 100644
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -209,6 +209,16 @@ ENTRY(startup_64)
+ .org 0x210
+ mov %rcx, %rdi
+ mov %rdx, %rsi
++ pushq %rdi
++ pushq %rsi
++ call make_boot_params
++ cmpq $0,%rax
++ je 1f
++ mov %rax, %rdx
++ popq %rsi
++ popq %rdi
++
++ .org 0x230,0x90
+ call efi_main
+ movq %rax,%rsi
+ cmpq $0,%rax
+diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
+index efe5acf..cd921fe 100644
+--- a/arch/x86/boot/header.S
++++ b/arch/x86/boot/header.S
+@@ -283,7 +283,7 @@ _start:
+ # Part 2 of the header, from the old setup.S
+
+ .ascii "HdrS" # header signature
+- .word 0x020a # header version number (>= 0x0105)
++ .word 0x020b # header version number (>= 0x0105)
+ # or else old loadlin-1.5 will fail)
+ .globl realmode_swtch
+ realmode_swtch: .word 0, 0 # default_switch, SETUPSEG
+@@ -401,6 +401,8 @@ pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
+ #define INIT_SIZE VO_INIT_SIZE
+ #endif
+ init_size: .long INIT_SIZE # kernel initialization size
++handover_offset: .long 0x30 # offset to the handover
++ # protocol entry point
+
+ # End of setup header #####################################################
+
+diff --git a/arch/x86/include/asm/bootparam.h b/arch/x86/include/asm/bootparam.h
+index eb45aa6..2ad874c 100644
+--- a/arch/x86/include/asm/bootparam.h
++++ b/arch/x86/include/asm/bootparam.h
+@@ -66,6 +66,7 @@ struct setup_header {
+ __u64 setup_data;
+ __u64 pref_address;
+ __u32 init_size;
++ __u32 handover_offset;
+ } __attribute__((packed));
+
+ struct sys_desc_table {
+--
+1.7.11.2
+
+
+From 948fbe310f85f3a51a101ea23f38c59c70792832 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Thu, 8 Mar 2012 09:56:33 -0500
+Subject: [PATCH 02/14] Secure boot: Add new capability
+
+Secure boot adds certain policy requirements, including that root must not
+be able to do anything that could cause the kernel to execute arbitrary code.
+The simplest way to handle this would seem to be to add a new capability
+and gate various functionality on that. We'll then strip it from the initial
+capability set if required.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+---
+ include/linux/capability.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/capability.h b/include/linux/capability.h
+index d10b7ed..6a39163 100644
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -364,7 +364,11 @@ struct cpu_vfs_cap_data {
+
+ #define CAP_BLOCK_SUSPEND 36
+
+-#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
++/* Allow things that are dangerous under secure boot */
++
++#define CAP_SECURE_FIRMWARE 37
++
++#define CAP_LAST_CAP CAP_SECURE_FIRMWARE
+
+ #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
+
+--
+1.7.11.2
+
+
+From 56150c6ad369f31e34e438744d34c505751a8b78 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Thu, 8 Mar 2012 10:10:38 -0500
+Subject: [PATCH 03/14] PCI: Lock down BAR access in secure boot environments
+
+Any hardware that can potentially generate DMA has to be locked down from
+userspace in order to avoid it being possible for an attacker to cause
+arbitrary kernel behaviour. Default to paranoid - in future we can
+potentially relax this for sufficiently IOMMU-isolated devices.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+---
+ drivers/pci/pci-sysfs.c | 9 +++++++++
+ drivers/pci/proc.c | 8 +++++++-
+ drivers/pci/syscall.c | 2 +-
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index 86c63fe..d3adb7b 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -513,6 +513,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
+ loff_t init_off = off;
+ u8 *data = (u8*) buf;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ if (off > dev->cfg_size)
+ return 0;
+ if (off + count > dev->cfg_size) {
+@@ -815,6 +818,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+ resource_size_t start, end;
+ int i;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ for (i = 0; i < PCI_ROM_RESOURCE; i++)
+ if (res == &pdev->resource[i])
+ break;
+@@ -922,6 +928,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
+ struct bin_attribute *attr, char *buf,
+ loff_t off, size_t count)
+ {
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ return pci_resource_io(filp, kobj, attr, buf, off, count, true);
+ }
+
+diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
+index 27911b5..01d4753 100644
+--- a/drivers/pci/proc.c
++++ b/drivers/pci/proc.c
+@@ -135,6 +135,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
+ int size = dp->size;
+ int cnt;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ if (pos >= size)
+ return 0;
+ if (nbytes >= size)
+@@ -211,6 +214,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
+ #endif /* HAVE_PCI_MMAP */
+ int ret = 0;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ switch (cmd) {
+ case PCIIOC_CONTROLLER:
+ ret = pci_domain_nr(dev->bus);
+@@ -251,7 +257,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
+ struct pci_filp_private *fpriv = file->private_data;
+ int i, ret;
+
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE))
+ return -EPERM;
+
+ /* Make sure the caller is mapping a real resource for this device */
+diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
+index e1c1ec5..a778ba9 100644
+--- a/drivers/pci/syscall.c
++++ b/drivers/pci/syscall.c
+@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+ u32 dword;
+ int err = 0;
+
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SECURE_FIRMWARE))
+ return -EPERM;
+
+ dev = pci_get_bus_and_slot(bus, dfn);
+--
+1.7.11.2
+
+
+From 888347d81b1ddcdcd5989cba1c212aed549928eb Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Thu, 8 Mar 2012 10:35:59 -0500
+Subject: [PATCH 04/14] x86: Lock down IO port access in secure boot
+ environments
+
+IO port access would permit users to gain access to PCI configuration
+registers, which in turn (on a lot of hardware) give access to MMIO register
+space. This would potentially permit root to trigger arbitrary DMA, so lock
+it down by default.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+---
+ arch/x86/kernel/ioport.c | 4 ++--
+ drivers/char/mem.c | 3 +++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 8c96897..c3a1bb2 100644
+--- a/arch/x86/kernel/ioport.c
++++ b/arch/x86/kernel/ioport.c
+@@ -28,7 +28,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+
+ if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ return -EINVAL;
+- if (turn_on && !capable(CAP_SYS_RAWIO))
++ if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE)))
+ return -EPERM;
+
+ /*
+@@ -102,7 +102,7 @@ long sys_iopl(unsigned int level, struct pt_regs *regs)
+ return -EINVAL;
+ /* Trying to gain more privileges? */
+ if (level > old) {
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE))
+ return -EPERM;
+ }
+ regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index e5eedfa..8f5f872 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+ unsigned long i = *ppos;
+ const char __user * tmp = buf;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ if (!access_ok(VERIFY_READ, buf, count))
+ return -EFAULT;
+ while (count-- > 0 && i < 65536) {
+--
+1.7.11.2
+
+
+From a02e91ca8639c6a3a43c684892e2802973c02efc Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Fri, 9 Mar 2012 08:39:37 -0500
+Subject: [PATCH 05/14] ACPI: Limit access to custom_method
+
+It must be impossible for even root to get code executed in kernel context
+under a secure boot environment. custom_method effectively allows arbitrary
+access to system memory, so it needs to have a capability check here.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+---
+ drivers/acpi/custom_method.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
+index 5d42c24..3e78014 100644
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
+ struct acpi_table_header table;
+ acpi_status status;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ if (!(*ppos)) {
+ /* parse the table header to get the table length */
+ if (count <= sizeof(struct acpi_table_header))
+--
+1.7.11.2
+
+
+From c523e4918f56e5c17e39c0a5997cc1e741c0f42b Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Fri, 9 Mar 2012 08:46:50 -0500
+Subject: [PATCH 06/14] asus-wmi: Restrict debugfs interface
+
+We have no way of validating what all of the Asus WMI methods do on a
+given machine, and there's a risk that some will allow hardware state to
+be manipulated in such a way that arbitrary code can be executed in the
+kernel. Add a capability check to prevent that.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+---
+ drivers/platform/x86/asus-wmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 77aadde..ba715c0 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -1504,6 +1504,9 @@ static int show_dsts(struct seq_file *m, void *data)
+ int err;
+ u32 retval = -1;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
+
+ if (err < 0)
+@@ -1520,6 +1523,9 @@ static int show_devs(struct seq_file *m, void *data)
+ int err;
+ u32 retval = -1;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
+ &retval);
+
+@@ -1544,6 +1550,9 @@ static int show_call(struct seq_file *m, void *data)
+ union acpi_object *obj;
+ acpi_status status;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
+ 1, asus->debug.method_id,
+ &input, &output);
+--
+1.7.11.2
+
+
+From 5dc9f0a45d092e5aec177eac1e5e19b62fb28cb2 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Fri, 9 Mar 2012 09:28:15 -0500
+Subject: [PATCH 07/14] Restrict /dev/mem and /dev/kmem in secure boot setups
+
+Allowing users to write to address space makes it possible for the kernel
+to be subverted. Restrict this when we need to protect the kernel.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+---
+ drivers/char/mem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 8f5f872..c1de8e1 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+ unsigned long copied;
+ void *ptr;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ if (!valid_phys_addr_range(p, count))
+ return -EFAULT;
+
+@@ -530,6 +533,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+ char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+ int err = 0;
+
++ if (!capable(CAP_SECURE_FIRMWARE))
++ return -EPERM;
++
+ if (p < (unsigned long) high_memory) {
+ unsigned long to_write = min_t(unsigned long, count,
+ (unsigned long)high_memory - p);
+--
+1.7.11.2
+
+
+From 16a693dde4c4dca871d920e15fe9dda01000ef86 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Fri, 9 Mar 2012 11:47:56 -0500
+Subject: [PATCH 08/14] kexec: Disable in a secure boot environment
+
+kexec could be used as a vector for a malicious user to use a signed kernel
+to circumvent the secure boot trust model. In the long run we'll want to
+support signed kexec payloads, but for the moment we should just disable
+loading entirely in that situation.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+---
+ kernel/kexec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 4e2e472..35051f9 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -944,7 +944,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+ int result;
+
+ /* We only trust the superuser with rebooting the system. */
+- if (!capable(CAP_SYS_BOOT))
++ if (!capable(CAP_SYS_BOOT) || !capable(CAP_SECURE_FIRMWARE))
+ return -EPERM;
+
+ /*
+--
+1.7.11.2
+
+
+From 82fe599f1192ba0bae968a8e05d8cddbbadd57bc Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Mon, 25 Jun 2012 19:45:15 -0400
+Subject: [PATCH 09/14] Secure boot: Add a dummy kernel parameter that will
+ switch on Secure Boot mode
+
+This forcibly drops CAP_SECURE_FIRMWARE from both cap_permitted and cap_bset
+in the init_cred struct, which everything else inherits from. This works on
+any machine and can be used to develop even if the box doesn't have UEFI.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ kernel/cred.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/kernel/cred.c b/kernel/cred.c
+index de728ac..0d71d02 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -623,6 +623,20 @@ void __init cred_init(void)
+ 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
+ }
+
++/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
++static int __init secureboot_enable(char *str)
++{
++
++ int sb_enable = !!simple_strtol(str, NULL, 0);
++ pr_info("Secure Boot mode %s\n", (sb_enable ? "enabled" : "disabled"));
++ if (sb_enable) {
++ cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
++ cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
++ }
++ return 1;
++}
++__setup("secureboot_enable=", secureboot_enable);
++
+ /**
+ * prepare_kernel_cred - Prepare a set of credentials for a kernel service
+ * @daemon: A userspace daemon to be used as a reference
+--
+1.7.11.2
+
+
+From 5aa21bbaad50af58a54cc339f6ab7bf5c163d64f Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Wed, 18 Jul 2012 11:28:00 -0400
+Subject: [PATCH 10/14] efi: Enable secure boot lockdown automatically when
+ enabled in firmware
+
+The firmware has a set of flags that indicate whether secure boot is enabled
+and enforcing. Use them to indicate whether the kernel should lock itself
+down.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+---
+ arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
+ arch/x86/include/asm/bootparam.h | 3 ++-
+ arch/x86/kernel/setup.c | 3 +++
+ include/linux/cred.h | 2 ++
+ kernel/cred.c | 18 +++++++++++-------
+ 5 files changed, 50 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index b3e0227..3789356 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -724,6 +724,36 @@ fail:
+ return status;
+ }
+
++static int get_secure_boot(efi_system_table_t *_table)
++{
++ u8 sb, setup;
++ unsigned long datasize = sizeof(sb);
++ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
++ efi_status_t status;
++
++ status = efi_call_phys5(sys_table->runtime->get_variable,
++ L"SecureBoot", &var_guid, NULL, &datasize, &sb);
++
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ if (sb == 0)
++ return 0;
++
++
++ status = efi_call_phys5(sys_table->runtime->get_variable,
++ L"SetupMode", &var_guid, NULL, &datasize,
++ &setup);
++
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ if (setup == 1)
++ return 0;
++
++ return 1;
++}
++
+ /*
+ * Because the x86 boot code expects to be passed a boot_params we
+ * need to create one ourselves (usually the bootloader would create
+@@ -1018,6 +1048,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
+ if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
+ goto fail;
+
++ boot_params->secure_boot = get_secure_boot(sys_table);
++
+ setup_graphics(boot_params);
+
+ status = efi_call_phys3(sys_table->boottime->allocate_pool,
+diff --git a/arch/x86/include/asm/bootparam.h b/arch/x86/include/asm/bootparam.h
+index 2ad874c..c7338e0 100644
+--- a/arch/x86/include/asm/bootparam.h
++++ b/arch/x86/include/asm/bootparam.h
+@@ -114,7 +114,8 @@ struct boot_params {
+ __u8 eddbuf_entries; /* 0x1e9 */
+ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */
+ __u8 kbd_status; /* 0x1eb */
+- __u8 _pad6[5]; /* 0x1ec */
++ __u8 secure_boot; /* 0x1ec */
++ __u8 _pad6[4]; /* 0x1ed */
+ struct setup_header hdr; /* setup header */ /* 0x1f1 */
+ __u8 _pad7[0x290-0x1f1-sizeof(struct setup_header)];
+ __u32 edd_mbr_sig_buffer[EDD_MBR_SIG_MAX]; /* 0x290 */
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index f4b9b80..239bf2a 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -947,6 +947,9 @@ void __init setup_arch(char **cmdline_p)
+
+ io_delay_init();
+
++ if (boot_params.secure_boot)
++ secureboot_enable();
++
+ /*
+ * Parse the ACPI tables for possible boot-time SMP configuration.
+ */
+diff --git a/include/linux/cred.h b/include/linux/cred.h
+index ebbed2c..a24faf1 100644
+--- a/include/linux/cred.h
++++ b/include/linux/cred.h
+@@ -170,6 +170,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
+ extern int set_create_files_as(struct cred *, struct inode *);
+ extern void __init cred_init(void);
+
++extern void secureboot_enable(void);
++
+ /*
+ * check for validity of credentials
+ */
+diff --git a/kernel/cred.c b/kernel/cred.c
+index 0d71d02..c43e2b0 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -623,19 +623,23 @@ void __init cred_init(void)
+ 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
+ }
+
++void __init secureboot_enable()
++{
++ pr_info("Secure boot enabled\n");
++ cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
++ cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
++}
++
+ /* Dummy Secure Boot enable option to fake out UEFI SB=1 */
+-static int __init secureboot_enable(char *str)
++static int __init secureboot_enable_opt(char *str)
+ {
+
+ int sb_enable = !!simple_strtol(str, NULL, 0);
+- pr_info("Secure Boot mode %s\n", (sb_enable ? "enabled" : "disabled"));
+- if (sb_enable) {
+- cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
+- cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
+- }
++ if (sb_enable)
++ secureboot_enable();
+ return 1;
+ }
+-__setup("secureboot_enable=", secureboot_enable);
++__setup("secureboot_enable=", secureboot_enable_opt);
+
+ /**
+ * prepare_kernel_cred - Prepare a set of credentials for a kernel service
+--
+1.7.11.2
+
+
+From 7b875c254033d29fa05b0c026b8097f8e5e1b96c Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Mon, 25 Jun 2012 19:57:30 -0400
+Subject: [PATCH 11/14] acpi: Ignore acpi_rsdp kernel parameter in a secure
+ boot environment
+
+This option allows userspace to pass the RSDP address to the kernel. This
+could potentially be used to circumvent the secure boot trust model.
+We ignore the setting if we don't have the CAP_SECURE_FIRMWARE capability.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ drivers/acpi/osl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
+index c3881b2..fb84388 100644
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+ acpi_physical_address __init acpi_os_get_root_pointer(void)
+ {
+ #ifdef CONFIG_KEXEC
+- if (acpi_rsdp)
++ if (acpi_rsdp && capable(CAP_SECURE_FIRMWARE))
+ return acpi_rsdp;
+ #endif
+
+--
+1.7.11.2
+
+
+From 5ba183ef3e556bf11bbe73abd2cba50dc097881d Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Mon, 25 Jun 2012 21:29:46 -0400
+Subject: [PATCH 12/14] Documentation: kernel-parameters.txt remove
+ capability.disable
+
+Remove the documentation for capability.disable. The code supporting this
+parameter was removed with:
+
+ commit 5915eb53861c5776cfec33ca4fcc1fd20d66dd27
+ Author: Miklos Szeredi <mszeredi at suse.cz>
+ Date: Thu Jul 3 20:56:05 2008 +0200
+
+ security: remove dummy module
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ Documentation/kernel-parameters.txt | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 12783fa..cec4bf2 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -446,12 +446,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ possible to determine what the correct size should be.
+ This option provides an override for these situations.
+
+- capability.disable=
+- [SECURITY] Disable capabilities. This would normally
+- be used only if an alternative security model is to be
+- configured. Potentially dangerous and should only be
+- used if you are entirely sure of the consequences.
+-
+ ccw_timeout_log [S390]
+ See Documentation/s390/CommonIO for details.
+
+--
+1.7.11.2
+
+
+From 220f3a8cc351d220156e4903bf03c28ab44db6e3 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Tue, 26 Jun 2012 14:15:51 -0400
+Subject: [PATCH 13/14] SELinux: define mapping for new Secure Boot capability
+
+Add the name of the new Secure Boot capability. This allows SELinux
+policies to properly map CAP_SECURE_FIRMWARE to the appropriate
+capability class.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ security/selinux/include/classmap.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
+index df2de54..0a1e348 100644
+--- a/security/selinux/include/classmap.h
++++ b/security/selinux/include/classmap.h
+@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
+ { "memprotect", { "mmap_zero", NULL } },
+ { "peer", { "recv", NULL } },
+ { "capability2",
+- { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
+- NULL } },
++ { "mac_override", "mac_admin", "syslog", "wake_alarm",
++ "block_suspend", "secure_firmware", NULL } },
+ { "kernel_service", { "use_as_override", "create_files_as", NULL } },
+ { "tun_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+--
+1.7.11.2
+
+
+From e5df15082c685dbf5c6917b891af73106342c0bb Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Tue, 26 Jun 2012 16:27:26 -0400
+Subject: [PATCH 14/14] modsign: Reject unsigned modules in a Secure Boot
+ environment
+
+If a machine is booted into a Secure Boot environment, we need to
+protect the trust model. This requires that all modules be signed
+with a key that is in the kernel's _modsign keyring. We add a
+capability check and reject modules that are not signed.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ kernel/module-verify.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/module-verify.c b/kernel/module-verify.c
+index b9c3955..f35532a 100644
+--- a/kernel/module-verify.c
++++ b/kernel/module-verify.c
+@@ -31,6 +31,7 @@
+ #include <linux/modsign.h>
+ #include <linux/moduleparam.h>
+ #include <linux/fips.h>
++#include <linux/capability.h>
+ #include <keys/crypto-type.h>
+ #include "module-verify.h"
+ #include "module-verify-defs.h"
+@@ -699,7 +700,7 @@ int module_verify(const Elf_Ehdr *hdr, size_t size, bool *_gpgsig_ok)
+ /* The ELF checker found the sig for us if it exists */
+ if (mvdata.sig_index <= 0) {
+ /* Deal with an unsigned module */
+- if (modsign_signedonly) {
++ if (modsign_signedonly || !capable(CAP_SECURE_FIRMWARE)) {
+ pr_err("An attempt to load unsigned module was rejected\n");
+ return -EKEYREJECTED;
+ } else {
+--
+1.7.11.2
+
More information about the scm-commits
mailing list