[kernel/f18] Fix regression in secure-boot acpi_rsdp patch (rhbz 906225)
Josh Boyer
jwboyer at fedoraproject.org
Wed Mar 6 14:00:56 UTC 2013
commit c1caf663bff8ee1b777edf277c54597fafa10fc7
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed Mar 6 09:00:46 2013 -0500
Fix regression in secure-boot acpi_rsdp patch (rhbz 906225)
kernel.spec | 5 ++-
...ot-20130218.patch => secure-boot-20130219.patch | 21 +++++++++++--------
2 files changed, 15 insertions(+), 11 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 8686d86..496da7e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -669,7 +669,7 @@ Patch541: silence-tty-null.patch
Patch800: crash-driver.patch
# secure boot
-Patch1000: secure-boot-20130218.patch
+Patch1000: secure-boot-20130219.patch
# virt + ksm patches
@@ -1401,7 +1401,7 @@ ApplyPatch silence-tty-null.patch
ApplyPatch crash-driver.patch
# secure boot
-ApplyPatch secure-boot-20130218.patch
+ApplyPatch secure-boot-20130219.patch
# Assorted Virt Fixes
@@ -2342,6 +2342,7 @@ fi
# || ||
%changelog
* Wed Mar 06 2013 Josh Boyer <jwboyer at redhat.com>
+- Fix regression in secure-boot acpi_rsdp patch (rhbz 906225)
- crypto: info leaks in report API (rhbz 918512 918521)
* Tue Mar 5 2013 Peter Robinson <pbrobinson at fedoraproject.org>
diff --git a/secure-boot-20130218.patch b/secure-boot-20130219.patch
similarity index 98%
rename from secure-boot-20130218.patch
rename to secure-boot-20130219.patch
index 29ac46c..368cfed 100644
--- a/secure-boot-20130218.patch
+++ b/secure-boot-20130219.patch
@@ -1092,7 +1092,7 @@ index fc28099..b5df7a8 100644
1.8.1.2
-From fe27dd192ef250abcbaba973a14d43b21d7be497 Mon Sep 17 00:00:00 2001
+From 19640bebdcabe48ce1789ce7a6a0d0d5b925f0b5 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Thu, 20 Sep 2012 10:41:04 -0400
Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
@@ -1100,7 +1100,10 @@ Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
This option allows userspace to pass the RSDP address to the kernel. This
could potentially be used to circumvent the secure boot trust model.
-We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability.
+This is setup through the setup_arch function, which is called before the
+security_init function sets up the security_ops, so we cannot use a
+capable call here. We ignore the setting if we are booted in Secure Boot
+mode.
Signed-off-by: Josh Boyer <jwboyer at redhat.com>
---
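Review bot: The rewritten description (the lines beginning "This is setup through the setup_arch function") explains why a capable call cannot be used, but it never states the symptom that prompted the change or the bug it fixes. The outer commit cites rhbz 906225; the embedded patch description should carry the same reference so the rationale survives if patch 14/19 is picked up on its own. It would also read better with "set up" as the verb and with "This" replaced by what it refers to, the acpi_rsdp early parameter.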
@@ -1108,7 +1111,7 @@ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index bd22f86..88251d2 100644
+index bd22f86..d68c04f 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
@@ -1116,7 +1119,7 @@ index bd22f86..88251d2 100644
{
#ifdef CONFIG_KEXEC
- if (acpi_rsdp)
-+ if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL))
++ if (acpi_rsdp && !efi_enabled(EFI_SECURE_BOOT))
return acpi_rsdp;
#endif
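Review bot: In the CONFIG_KEXEC block, the new condition "if (acpi_rsdp && !efi_enabled(EFI_SECURE_BOOT))" carries no code comment, so the reason capable(CAP_COMPROMISE_KERNEL) is avoided here lives only in the patch description. Suggest a short comment above the if stating that this path runs from setup_arch before security_init, so a later cleanup does not restore the capable check. Two further points: the test is only correct if the EFI_SECURE_BOOT flag is already set when this code runs, and the description should confirm that ordering (patch 18/19, "efi: Disable secure boot if shim is in insecure mode", also affects that state); and a user-supplied acpi_rsdp is now dropped silently under Secure Boot, so a one-line log message when the parameter is ignored would make the behaviour diagnosable.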
@@ -1124,7 +1127,7 @@ index bd22f86..88251d2 100644
1.8.1.2
-From c937b2c8e179bfdadb6617c0028f558e4d701e46 Mon Sep 17 00:00:00 2001
+From b9ab9c0b3356d9cde36f3ef3a0719623df2ee2d3 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg at redhat.com>
Date: Tue, 4 Sep 2012 11:55:13 -0400
Subject: [PATCH 15/19] kexec: Disable in a secure boot environment
@@ -1156,7 +1159,7 @@ index 5e4bd78..dd464e0 100644
1.8.1.2
-From f08e390045266d53543a55afa16ca4be5a1c6316 Mon Sep 17 00:00:00 2001
+From 23e0646e1df8a0b4c31333b71796294801355032 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Fri, 5 Oct 2012 10:12:48 -0400
Subject: [PATCH 16/19] MODSIGN: Always enforce module signing in a Secure Boot
@@ -1218,7 +1221,7 @@ index eab0827..93a16dc 100644
1.8.1.2
-From 54ba1eec5847d964b1d458a240b50271b9a356a4 Mon Sep 17 00:00:00 2001
+From 833c54471c85e70e46d76f9f7ffa30197b9f135d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Fri, 26 Oct 2012 14:02:09 -0400
Subject: [PATCH 17/19] hibernate: Disable in a Secure Boot environment
@@ -1332,7 +1335,7 @@ index 4ed81e7..b11a0f4 100644
1.8.1.2
-From 686090054f6c3784218b318c7adcc3c1f0ca5069 Mon Sep 17 00:00:00 2001
+From 1a9afaa05489b817ebe84c61d22e958856aa0737 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 18/19] efi: Disable secure boot if shim is in insecure mode
@@ -1391,7 +1394,7 @@ index 96bd86b..6e1331c 100644
1.8.1.2
-From df607d2d5061b04f8a686cd74edd72c1f2836d8c Mon Sep 17 00:00:00 2001
+From 763f18d6a1e2d5f4d84ce3382ef91434240c80d6 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook at chromium.org>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 19/19] x86: Lock down MSR writing in secure boot