[kernel/f18] update secure boot patchset
Dave Jones
davej at fedoraproject.org
Wed Feb 27 19:08:48 UTC 2013
commit d3a4ba3dbfb0c4b5db0d2669b15373f06d842cef
Author: Dave Jones <davej at redhat.com>
Date: Wed Feb 27 14:08:29 2013 -0500
update secure boot patchset
kernel.spec | 5 +-
...ot-20130219.patch => secure-boot-20130218.patch | 198 ++++++++++----------
2 files changed, 99 insertions(+), 104 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 49039c5..98a9edb 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -685,7 +685,7 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
Patch800: linux-2.6-crash-driver.patch
# secure boot
-Patch1000: secure-boot-20130219.patch
+Patch1000: secure-boot-20130218.patch
# virt + ksm patches
@@ -1433,7 +1433,7 @@ ApplyPatch linux-2.6-crash-driver.patch
ApplyPatch linux-2.6-e1000-ich9-montevina.patch
# secure boot
-#ApplyPatch secure-boot-20130219.patch
+ApplyPatch secure-boot-20130218.patch
# Assorted Virt Fixes
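Review bot: The un-commented `ApplyPatch secure-boot-20130218.patch` switches the whole secure-boot lockdown series back on for this build, but nothing in the spec records that. The three kernel.spec hunks account for all five changed lines in the diffstat, and the third one only drops `- secure-boot` from what appears to be an existing "Needs reworking" list. A %changelog line such as `- Update secure-boot patchset and re-enable it` would make the change in enforcement traceable from the package history. The file name also moves from 20130219 to 20130218, which reads as a step back to an older set; a short comment above `Patch1000` saying which upstream tree or date the series was regenerated from would remove that ambiguity.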
@@ -2413,7 +2413,6 @@ fi
- arm-tegra-nvec-kconfig.patch
- arm-tegra-sdhci-module-fix.patch
Needs reworking:
- - secure-boot
- alps-v2-3.7.patch
- usb-cypress-supertop.patch
- Bluetooth-Add-support-for-Foxconn-Hon-Hai-0489-e056.patch
diff --git a/secure-boot-20130219.patch b/secure-boot-20130218.patch
similarity index 89%
rename from secure-boot-20130219.patch
rename to secure-boot-20130218.patch
index 48ef2e7..29ac46c 100644
--- a/secure-boot-20130219.patch
+++ b/secure-boot-20130218.patch
@@ -1,4 +1,4 @@
-From 33ecf899ae618a163e553c24674a48bd0cb4dd17 Mon Sep 17 00:00:00 2001
+From 0c5837031a4e996877930fd023a5877dd1d615ba Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Thu, 20 Sep 2012 10:40:56 -0400
Subject: [PATCH 01/19] Secure boot: Add new capability
@@ -35,7 +35,7 @@ index ba478fa..7109e65 100644
1.8.1.2
-From 0867a7288326c109ac3f1a52a342f577e1f77618 Mon Sep 17 00:00:00 2001
+From 87c8fddbcb3042fc4174b53763adbf66045a12be Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Thu, 20 Sep 2012 10:41:05 -0400
Subject: [PATCH 02/19] SELinux: define mapping for new Secure Boot capability
@@ -50,7 +50,7 @@ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
-index df2de54..70e2834 100644
+index 14d04e6..ed99a2d 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
@@ -63,12 +63,12 @@ index df2de54..70e2834 100644
+ "block_suspend", "compromise_kernel", NULL } },
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
{ "tun_socket",
- { COMMON_SOCK_PERMS, NULL } },
+ { COMMON_SOCK_PERMS, "attach_queue", NULL } },
--
1.8.1.2
-From 23873817d2cec32d4af90fc7038b53c949e3f5a6 Mon Sep 17 00:00:00 2001
+From df14b5319bf3ed2110839e233ac61e6136745be8 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Thu, 20 Sep 2012 10:41:02 -0400
Subject: [PATCH 03/19] Secure boot: Add a dummy kernel parameter that will
@@ -85,10 +85,10 @@ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
2 files changed, 24 insertions(+)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 9776f06..0d6c28d 100644
+index 6c72381..7dffdd5 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
-@@ -2599,6 +2599,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -2654,6 +2654,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
Note: increases power consumption, thus should only be
enabled if running jitter sensitive (HPC/RT) workloads.
@@ -103,10 +103,10 @@ index 9776f06..0d6c28d 100644
If this boot parameter is not specified, only the first
security module asking for security registration will be
diff --git a/kernel/cred.c b/kernel/cred.c
-index 48cea3d..3f5be65 100644
+index e0573a4..c3f4e3e 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
-@@ -623,6 +623,23 @@ void __init cred_init(void)
+@@ -565,6 +565,23 @@ void __init cred_init(void)
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
}
@@ -134,7 +134,7 @@ index 48cea3d..3f5be65 100644
1.8.1.2
-From 6e786fc19b3dc3aa53e6f556af2baf261573321f Mon Sep 17 00:00:00 2001
+From 49c76a665e8a09da48cbe271ea40266ca1a226c0 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Thu, 20 Sep 2012 10:41:03 -0400
Subject: [PATCH 04/19] efi: Enable secure boot lockdown automatically when
@@ -148,32 +148,32 @@ EFI_SECURE_BOOT bit for use with efi_enabled.
Signed-off-by: Matthew Garrett <mjg at redhat.com>
Signed-off-by: Josh Boyer <jwboyer at redhat.com>
---
- Documentation/x86/zero-page.txt | 2 ++
- arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
- arch/x86/include/asm/bootparam.h | 3 ++-
- arch/x86/kernel/setup.c | 5 +++++
- include/linux/cred.h | 2 ++
- include/linux/efi.h | 1 +
- 6 files changed, 44 insertions(+), 1 deletion(-)
+ Documentation/x86/zero-page.txt | 2 ++
+ arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
+ arch/x86/include/uapi/asm/bootparam.h | 3 ++-
+ arch/x86/kernel/setup.c | 7 +++++++
+ include/linux/cred.h | 2 ++
+ include/linux/efi.h | 1 +
+ 6 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index cf5437d..7f9ed48 100644
+index 199f453..ff651d3 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
-@@ -27,6 +27,8 @@ Offset Proto Name Meaning
+@@ -30,6 +30,8 @@ Offset Proto Name Meaning
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
(below)
+1EB/001 ALL kbd_status Numlock is enabled
+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns
+ 1EF/001 ALL sentinel Used to detect broken bootloaders
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
- (array of struct e820entry)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index ccae7e2..4983e43 100644
+index f8fa411..96bd86b 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
-@@ -731,6 +731,36 @@ fail:
+@@ -849,6 +849,36 @@ fail:
return status;
}
@@ -210,7 +210,7 @@ index ccae7e2..4983e43 100644
/*
* Because the x86 boot code expects to be passed a boot_params we
* need to create one ourselves (usually the bootloader would create
-@@ -1025,6 +1055,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
+@@ -1143,6 +1173,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
goto fail;
@@ -218,31 +218,33 @@ index ccae7e2..4983e43 100644
+
setup_graphics(boot_params);
- status = efi_call_phys3(sys_table->boottime->allocate_pool,
-diff --git a/arch/x86/include/asm/bootparam.h b/arch/x86/include/asm/bootparam.h
-index 2ad874c..c7338e0 100644
---- a/arch/x86/include/asm/bootparam.h
-+++ b/arch/x86/include/asm/bootparam.h
-@@ -114,7 +114,8 @@ struct boot_params {
+ setup_efi_pci(boot_params);
+diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
+index c15ddaf..85d7685 100644
+--- a/arch/x86/include/uapi/asm/bootparam.h
++++ b/arch/x86/include/uapi/asm/bootparam.h
+@@ -131,7 +131,8 @@ struct boot_params {
__u8 eddbuf_entries; /* 0x1e9 */
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
__u8 kbd_status; /* 0x1eb */
-- __u8 _pad6[5]; /* 0x1ec */
+- __u8 _pad5[3]; /* 0x1ec */
+ __u8 secure_boot; /* 0x1ec */
-+ __u8 _pad6[4]; /* 0x1ed */
- struct setup_header hdr; /* setup header */ /* 0x1f1 */
- __u8 _pad7[0x290-0x1f1-sizeof(struct setup_header)];
- __u32 edd_mbr_sig_buffer[EDD_MBR_SIG_MAX]; /* 0x290 */
++ __u8 _pad5[2]; /* 0x1ed */
+ /*
+ * The sentinel is set to a nonzero value (0xff) in header.S.
+ *
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index aeacb0e..a196a7e 100644
+index 8b24289..d74b441 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1042,6 +1042,11 @@ void __init setup_arch(char **cmdline_p)
+@@ -1042,6 +1042,13 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
+ if (boot_params.secure_boot) {
++#ifdef CONFIG_EFI
+ set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
++#endif
+ secureboot_enable();
+ }
+
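Review bot: `secure_boot` now sits at 0x1ec, two pad bytes below the `sentinel` at 0x1ef that the zero-page text describes as detecting broken bootloaders, and the setup_arch hunk treats a zero byte as "no lockdown" (`if (boot_params.secure_boot)`). If the sentinel handling, which is not shown on this page, clears neighbouring boot_params fields when it fires, the value written by the EFI stub would be lost and the kernel would come up without the lockdowns and without any message. It is worth confirming that this path preserves the byte, and documenting the dependency on the field, for example `__u8 secure_boot; /* 0x1ec: set by the EFI stub, must survive boot_params sanitising */`. Both struct boot_params and setup_arch continue outside the hunk.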
@@ -250,10 +252,10 @@ index aeacb0e..a196a7e 100644
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
diff --git a/include/linux/cred.h b/include/linux/cred.h
-index ebbed2c..a24faf1 100644
+index 04421e8..9e69542 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
-@@ -170,6 +170,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
+@@ -156,6 +156,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
extern int set_create_files_as(struct cred *, struct inode *);
extern void __init cred_init(void);
@@ -263,10 +265,10 @@ index ebbed2c..a24faf1 100644
* check for validity of credentials
*/
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index b424f64..fef4ca6 100644
+index 7a9498a..1ae16b6 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -551,6 +551,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -627,6 +627,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */
#define EFI_MEMMAP 4 /* Can we use EFI memory map? */
#define EFI_64BIT 5 /* Is the firmware 64-bit? */
@@ -278,7 +280,7 @@ index b424f64..fef4ca6 100644
1.8.1.2
-From 7f17830b2d2e02a1d8614ed06d2eaf37f4a2b9d1 Mon Sep 17 00:00:00 2001
+From d4d1b3ad3e1a553c807b4ecafcbde4bf816e4db2 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells at redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
Subject: [PATCH 05/19] Add EFI signature data types
@@ -292,10 +294,10 @@ Signed-off-by: David Howells <dhowells at redhat.com>
1 file changed, 20 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index fef4ca6..a5dab3c 100644
+index 1ae16b6..de7021d 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -312,6 +312,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
+@@ -388,6 +388,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
#define EFI_FILE_SYSTEM_GUID \
EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b )
@@ -308,7 +310,7 @@ index fef4ca6..a5dab3c 100644
typedef struct {
efi_guid_t guid;
u64 table;
-@@ -447,6 +453,20 @@ typedef struct {
+@@ -523,6 +529,20 @@ typedef struct {
#define EFI_INVALID_TABLE_ADDR (~0UL)
@@ -333,7 +335,7 @@ index fef4ca6..a5dab3c 100644
1.8.1.2
-From f6e6bcac73c2c4dd0295a528f80d3c6660e9e279 Mon Sep 17 00:00:00 2001
+From 3cffca89eadf7e0f0a266c370f8034f33723831a Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells at redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH 06/19] Add an EFI signature blob parser and key loader.
@@ -494,10 +496,10 @@ index 0000000..636feb1
+ return 0;
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index a5dab3c..7bfc4f2 100644
+index de7021d..64b3e55 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -536,6 +536,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime);
+@@ -612,6 +612,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime);
extern void efi_reserve_boot_services(void);
extern struct efi_memory_map memmap;
@@ -512,7 +514,7 @@ index a5dab3c..7bfc4f2 100644
1.8.1.2
-From 26e3eaf96f1433fbb5f0d617b80b5d00e16aeb2c Mon Sep 17 00:00:00 2001
+From 89ea7424726ae4f7265ab84e703cf2da77acda57 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH 07/19] MODSIGN: Add module certificate blacklist keyring
@@ -525,16 +527,16 @@ useful in cases where third party certificates are used for module signing.
Signed-off-by: Josh Boyer <jwboyer at redhat.com>
---
init/Kconfig | 8 ++++++++
- kernel/modsign_pubkey.c | 17 +++++++++++++++++
+ kernel/modsign_pubkey.c | 14 ++++++++++++++
kernel/module-internal.h | 3 +++
kernel/module_signing.c | 12 ++++++++++++
- 4 files changed, 40 insertions(+)
+ 4 files changed, 37 insertions(+)
diff --git a/init/Kconfig b/init/Kconfig
-index 6fdd6e3..7a9bf00 100644
+index be8b7f5..d972b77 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1602,6 +1602,14 @@ config MODULE_SIG_FORCE
+@@ -1665,6 +1665,14 @@ config MODULE_SIG_FORCE
Reject unsigned modules or signed modules for which we don't have a
key. Without this, such modules will simply taint the kernel.
@@ -550,7 +552,7 @@ index 6fdd6e3..7a9bf00 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
-index 767e559..d99cd51 100644
+index 2b6e699..4cd408d 100644
--- a/kernel/modsign_pubkey.c
+++ b/kernel/modsign_pubkey.c
@@ -17,6 +17,9 @@
@@ -563,22 +565,19 @@ index 767e559..d99cd51 100644
extern __initdata const u8 modsign_certificate_list[];
extern __initdata const u8 modsign_certificate_list_end[];
-@@ -52,6 +55,20 @@ static __init int module_verify_init(void)
- if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0)
- panic("Can't instantiate module signing keyring\n");
+@@ -43,6 +46,17 @@ static __init int module_verify_init(void)
+ if (IS_ERR(modsign_keyring))
+ panic("Can't allocate module signing keyring\n");
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
-+ modsign_blacklist = key_alloc(&key_type_keyring, ".modsign_blacklist",
++ modsign_blacklist = keyring_alloc(".modsign_blacklist",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ,
-+ KEY_ALLOC_NOT_IN_QUOTA);
++ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ if (IS_ERR(modsign_blacklist))
+ panic("Can't allocate module signing blacklist keyring\n");
-+
-+ if (key_instantiate_and_link(modsign_blacklist, NULL, 0, NULL, NULL) < 0)
-+ panic("Can't instantiate module blacklist keyring\n");
+#endif
+
return 0;
@@ -624,7 +623,7 @@ index f2970bd..5423195 100644
1.8.1.2
-From ec7d8de0b4b29fa052dd9408fab20ce46857b486 Mon Sep 17 00:00:00 2001
+From 733a5c25b896d8d5fa0051825a671911b50cb47d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH 08/19] MODSIGN: Import certificates from UEFI Secure Boot
@@ -652,10 +651,10 @@ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
create mode 100644 kernel/modsign_uefi.c
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 7bfc4f2..014a013 100644
+index 64b3e55..76fe526 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -318,6 +318,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
+@@ -394,6 +394,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
#define EFI_CERT_X509_GUID \
EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
@@ -669,10 +668,10 @@ index 7bfc4f2..014a013 100644
efi_guid_t guid;
u64 table;
diff --git a/init/Kconfig b/init/Kconfig
-index 7a9bf00..51aa170 100644
+index d972b77..27e3a82 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1610,6 +1610,15 @@ config MODULE_SIG_BLACKLIST
+@@ -1673,6 +1673,15 @@ config MODULE_SIG_BLACKLIST
should not pass module signature verification. If a module is
signed with something in this keyring, the load will be rejected.
@@ -689,18 +688,18 @@ index 7a9bf00..51aa170 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
-index 86e3285..12e17ab 100644
+index 6c072b6..8848829 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_MODULES) += module.o
- obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o
+ obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o
+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC) += kexec.o
-@@ -113,6 +114,8 @@ obj-$(CONFIG_JUMP_LABEL) += jump_label.o
+@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
$(obj)/configs.o: $(obj)/config_data.h
@@ -809,7 +808,7 @@ index 0000000..b9237d7
1.8.1.2
-From ff5f0af5e29e73ba00c04bc67978086d5ed811bd Mon Sep 17 00:00:00 2001
+From 16027d676baed34a9de804dac68d48096a688b39 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Thu, 20 Sep 2012 10:40:57 -0400
Subject: [PATCH 09/19] PCI: Lock down BAR access in secure boot environments
@@ -827,10 +826,10 @@ Signed-off-by: Matthew Garrett <mjg at redhat.com>
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index f39378d..1db1e74 100644
+index 9c6e9bb..b966089 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
-@@ -546,6 +546,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
+@@ -622,6 +622,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
loff_t init_off = off;
u8 *data = (u8*) buf;
@@ -840,7 +839,7 @@ index f39378d..1db1e74 100644
if (off > dev->cfg_size)
return 0;
if (off + count > dev->cfg_size) {
-@@ -852,6 +855,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+@@ -928,6 +931,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
resource_size_t start, end;
int i;
@@ -850,7 +849,7 @@ index f39378d..1db1e74 100644
for (i = 0; i < PCI_ROM_RESOURCE; i++)
if (res == &pdev->resource[i])
break;
-@@ -959,6 +965,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
+@@ -1035,6 +1041,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
struct bin_attribute *attr, char *buf,
loff_t off, size_t count)
{
@@ -910,7 +909,7 @@ index e1c1ec5..97e785f 100644
1.8.1.2
-From f6a7b0b3c9ca8b0814d03daed9f98fb009a57cc7 Mon Sep 17 00:00:00 2001
+From 9ff1537bbe8c22bbf7f992027da43d4fe8da0860 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Thu, 20 Sep 2012 10:40:58 -0400
Subject: [PATCH 10/19] x86: Lock down IO port access in secure boot
@@ -950,7 +949,7 @@ index 8c96897..a2578c4 100644
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 0537903..47501fc 100644
+index c6fa3bc..fc28099 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
@@ -967,7 +966,7 @@ index 0537903..47501fc 100644
1.8.1.2
-From 014664ed0733041ae2e6ddacd21f8eb8ed94d6e9 Mon Sep 17 00:00:00 2001
+From 3b27408b1ced1ec83a3ce27f9d51161dbf7cea9a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Thu, 20 Sep 2012 10:40:59 -0400
Subject: [PATCH 11/19] ACPI: Limit access to custom_method
@@ -999,7 +998,7 @@ index 5d42c24..247d58b 100644
1.8.1.2
-From f1262b9e78f41307e0be23aa6c54f79dfc5c8d39 Mon Sep 17 00:00:00 2001
+From fb618a04089d454b7ade68c00a2b9c7dbac013f9 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Thu, 20 Sep 2012 10:41:00 -0400
Subject: [PATCH 12/19] asus-wmi: Restrict debugfs interface
@@ -1015,7 +1014,7 @@ Signed-off-by: Matthew Garrett <mjg at redhat.com>
1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index c0e9ff4..3c10167 100644
+index f80ae4d..059195f 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1521,6 +1521,9 @@ static int show_dsts(struct seq_file *m, void *data)
@@ -1052,7 +1051,7 @@ index c0e9ff4..3c10167 100644
1.8.1.2
-From f31dc86516ee8088177a5a82869a3633a6e555b1 Mon Sep 17 00:00:00 2001
+From e515bbd5410d00835390fd8981aa9029e7b22b73 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Thu, 20 Sep 2012 10:41:01 -0400
Subject: [PATCH 13/19] Restrict /dev/mem and /dev/kmem in secure boot setups
@@ -1066,7 +1065,7 @@ Signed-off-by: Matthew Garrett <mjg at redhat.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 47501fc..8817cdc 100644
+index fc28099..b5df7a8 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -1093,7 +1092,7 @@ index 47501fc..8817cdc 100644
1.8.1.2
-From e5724ed32b15d5dec9a239036598d9273b105506 Mon Sep 17 00:00:00 2001
+From fe27dd192ef250abcbaba973a14d43b21d7be497 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Thu, 20 Sep 2012 10:41:04 -0400
Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
@@ -1101,10 +1100,7 @@ Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
This option allows userspace to pass the RSDP address to the kernel. This
could potentially be used to circumvent the secure boot trust model.
-This is setup through the setup_arch function, which is called before the
-security_init function sets up the security_ops, so we cannot use a
-capable call here. We ignore the setting if we are booted in Secure Boot
-mode.
+We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability.
Signed-off-by: Josh Boyer <jwboyer at redhat.com>
---
@@ -1112,7 +1108,7 @@ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 251435a..eef0b89 100644
+index bd22f86..88251d2 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
@@ -1120,7 +1116,7 @@ index 251435a..eef0b89 100644
{
#ifdef CONFIG_KEXEC
- if (acpi_rsdp)
-+ if (acpi_rsdp && !efi_enabled(EFI_SECURE_BOOT))
++ if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL))
return acpi_rsdp;
#endif
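Review bot: The new guard `if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL))` relies on capable(), yet the description hunk just above deletes the paragraph stating that this path is reached from setup_arch before security_init sets up security_ops, so a capable call cannot be used here. Nothing visible in this update shows that the ordering has changed, so please confirm that capable() gives a meaningful answer this early in boot. If it does not, the `acpi_rsdp=` override may no longer be tied to the Secure Boot state at all. If the old constraint still holds, keeping `if (acpi_rsdp && !efi_enabled(EFI_SECURE_BOOT))` together with the removed explanation would be the safer choice. The enclosing function in drivers/acpi/osl.c starts and ends outside the hunk.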
@@ -1128,7 +1124,7 @@ index 251435a..eef0b89 100644
1.8.1.2
-From 1bc68fa7cb2ea5983ab1de20fd881eed74e214cb Mon Sep 17 00:00:00 2001
+From c937b2c8e179bfdadb6617c0028f558e4d701e46 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Tue, 4 Sep 2012 11:55:13 -0400
Subject: [PATCH 15/19] kexec: Disable in a secure boot environment
@@ -1160,7 +1156,7 @@ index 5e4bd78..dd464e0 100644
1.8.1.2
-From b6ec4b0890d4cb00c17b4a1dee6da84bb5fff597 Mon Sep 17 00:00:00 2001
+From f08e390045266d53543a55afa16ca4be5a1c6316 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Fri, 5 Oct 2012 10:12:48 -0400
Subject: [PATCH 16/19] MODSIGN: Always enforce module signing in a Secure Boot
@@ -1179,10 +1175,10 @@ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/kernel/cred.c b/kernel/cred.c
-index 3f5be65..a381e27 100644
+index c3f4e3e..c5554e0 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
-@@ -623,11 +623,19 @@ void __init cred_init(void)
+@@ -565,11 +565,19 @@ void __init cred_init(void)
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
}
@@ -1203,10 +1199,10 @@ index 3f5be65..a381e27 100644
/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
diff --git a/kernel/module.c b/kernel/module.c
-index 3e544f4..7a9a802 100644
+index eab0827..93a16dc 100644
--- a/kernel/module.c
+++ b/kernel/module.c
-@@ -106,9 +106,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
+@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
#ifdef CONFIG_MODULE_SIG
#ifdef CONFIG_MODULE_SIG_FORCE
@@ -1222,7 +1218,7 @@ index 3e544f4..7a9a802 100644
1.8.1.2
-From 19d340a563439ab3892159510bb3ba7730bf9ea9 Mon Sep 17 00:00:00 2001
+From 54ba1eec5847d964b1d458a240b50271b9a356a4 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Fri, 26 Oct 2012 14:02:09 -0400
Subject: [PATCH 17/19] hibernate: Disable in a Secure Boot environment
@@ -1294,7 +1290,7 @@ index b26f5f1..7f63cb4 100644
len = p ? p - buf : n;
diff --git a/kernel/power/main.c b/kernel/power/main.c
-index f458238..734bc26 100644
+index 1c16f91..4f915fc 100644
--- a/kernel/power/main.c
+++ b/kernel/power/main.c
@@ -15,6 +15,7 @@
@@ -1336,7 +1332,7 @@ index 4ed81e7..b11a0f4 100644
1.8.1.2
-From a0f61de745510aade63ef7694cecf11cb98559cf Mon Sep 17 00:00:00 2001
+From 686090054f6c3784218b318c7adcc3c1f0ca5069 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 18/19] efi: Disable secure boot if shim is in insecure mode
@@ -1353,10 +1349,10 @@ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 4983e43..eea615a 100644
+index 96bd86b..6e1331c 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
-@@ -733,8 +733,9 @@ fail:
+@@ -851,8 +851,9 @@ fail:
static int get_secure_boot(efi_system_table_t *_table)
{
@@ -1367,7 +1363,7 @@ index 4983e43..eea615a 100644
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;
-@@ -758,6 +759,23 @@ static int get_secure_boot(efi_system_table_t *_table)
+@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table)
if (setup == 1)
return 0;
@@ -1395,7 +1391,7 @@ index 4983e43..eea615a 100644
1.8.1.2
-From 5467b18cc9b3475658328a38ad6922d6b32c87ca Mon Sep 17 00:00:00 2001
+From df607d2d5061b04f8a686cd74edd72c1f2836d8c Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook at chromium.org>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 19/19] x86: Lock down MSR writing in secure boot