Linux v3.8-9456-g309667e

This commit is contained in:
Josh Boyer 2013-02-27 16:07:47 -05:00
parent 0ace7eb5e6
commit 0a85b3e682
3 changed files with 72 additions and 207 deletions


@ -1,4 +1,4 @@
From d8cfe24ede3c3d8ce48d9c8ea791984777d783fc Mon Sep 17 00:00:00 2001
From f31ce451f73d8e68ab5c3dca068ef602bb9f1dfa Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 18 Jan 2013 13:53:35 +0000
Subject: [PATCH 01/47] KEYS: Load *.x509 files into kernel keyring
@ -15,11 +15,11 @@ Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index eceac38..2c83d21 100644
index 05949c0..f6dbf33 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -134,17 +134,40 @@ $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
$(call if_changed,timeconst)
@@ -142,17 +142,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
$(call if_changed,bc)
ifeq ($(CONFIG_MODULE_SIG),y)
+###############################################################################
@ -81,7 +81,7 @@ index 246b4c6..0a60203 100644
1.8.1.2
From 45078a904bc6488f2e3a69b71213950e0ff04db0 Mon Sep 17 00:00:00 2001
From 01fb4a2a794782fc54d7ea8dc61c7b205a7748c1 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 18:39:54 +0000
Subject: [PATCH 02/47] KEYS: Separate the kernel signature checking keyring
@ -95,16 +95,12 @@ Signed-off-by: David Howells <dhowells@redhat.com>
include/keys/system_keyring.h | 23 ++++++++++
init/Kconfig | 13 ++++++
kernel/Makefile | 17 ++++---
kernel/modsign_certificate.S | 18 --------
kernel/modsign_pubkey.c | 104 ------------------------------------------
kernel/module-internal.h | 2 -
kernel/module_signing.c | 3 +-
kernel/system_certificates.S | 18 ++++++++
kernel/system_keyring.c | 101 ++++++++++++++++++++++++++++++++++++++++
9 files changed, 168 insertions(+), 131 deletions(-)
kernel/system_keyring.c | 101 ++++++++++++++++++++++++++++++++++++++++++
7 files changed, 168 insertions(+), 9 deletions(-)
create mode 100644 include/keys/system_keyring.h
delete mode 100644 kernel/modsign_certificate.S
delete mode 100644 kernel/modsign_pubkey.c
create mode 100644 kernel/system_certificates.S
create mode 100644 kernel/system_keyring.c
@ -169,7 +165,7 @@ index 0a5e80f..053072f 100644
select CRYPTO
select ASYMMETRIC_KEY_TYPE
diff --git a/kernel/Makefile b/kernel/Makefile
index 2c83d21..454ce54 100644
index f6dbf33..f273c0e 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -53,8 +53,9 @@ obj-$(CONFIG_SMP) += spinlock.o
@ -183,9 +179,9 @@ index 2c83d21..454ce54 100644
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC) += kexec.o
@@ -133,13 +134,14 @@ targets += timeconst.h
$(obj)/timeconst.h: $(src)/timeconst.pl FORCE
$(call if_changed,timeconst)
@@ -141,13 +142,14 @@ targets += timeconst.h
$(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
$(call if_changed,bc)
-ifeq ($(CONFIG_MODULE_SIG),y)
###############################################################################
@ -201,7 +197,7 @@ index 2c83d21..454ce54 100644
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
@@ -155,10 +157,11 @@ $(shell rm $(obj)/.x509.list)
@@ -163,10 +165,11 @@ $(shell rm $(obj)/.x509.list)
endif
endif
@ -215,7 +211,7 @@ index 2c83d21..454ce54 100644
targets += $(obj)/x509_certificate_list
$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
$(call if_changed,x509certs)
@@ -168,7 +171,9 @@ $(obj)/.x509.list:
@@ -176,7 +179,9 @@ $(obj)/.x509.list:
@echo $(X509_CERTIFICATES) >$@
clean-files := x509_certificate_list .x509.list
@ -225,140 +221,6 @@ index 2c83d21..454ce54 100644
###############################################################################
#
# If module signing is requested, say by allyesconfig, but a key has not been
diff --git a/kernel/modsign_certificate.S b/kernel/modsign_certificate.S
deleted file mode 100644
index 0a60203..0000000
--- a/kernel/modsign_certificate.S
+++ /dev/null
@@ -1,18 +0,0 @@
-/* SYMBOL_PREFIX defined on commandline from CONFIG_SYMBOL_PREFIX */
-#ifndef SYMBOL_PREFIX
-#define ASM_SYMBOL(sym) sym
-#else
-#define PASTE2(x,y) x##y
-#define PASTE(x,y) PASTE2(x,y)
-#define ASM_SYMBOL(sym) PASTE(SYMBOL_PREFIX, sym)
-#endif
-
-#define GLOBAL(name) \
- .globl ASM_SYMBOL(name); \
- ASM_SYMBOL(name):
-
- .section ".init.data","aw"
-
-GLOBAL(modsign_certificate_list)
- .incbin "kernel/x509_certificate_list"
-GLOBAL(modsign_certificate_list_end)
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
deleted file mode 100644
index 2b6e699..0000000
--- a/kernel/modsign_pubkey.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/* Public keys for module signature verification
- *
- * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
- * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
- */
-
-#include <linux/kernel.h>
-#include <linux/sched.h>
-#include <linux/cred.h>
-#include <linux/err.h>
-#include <keys/asymmetric-type.h>
-#include "module-internal.h"
-
-struct key *modsign_keyring;
-
-extern __initdata const u8 modsign_certificate_list[];
-extern __initdata const u8 modsign_certificate_list_end[];
-
-/*
- * We need to make sure ccache doesn't cache the .o file as it doesn't notice
- * if modsign.pub changes.
- */
-static __initdata const char annoy_ccache[] = __TIME__ "foo";
-
-/*
- * Load the compiled-in keys
- */
-static __init int module_verify_init(void)
-{
- pr_notice("Initialise module verification\n");
-
- modsign_keyring = keyring_alloc(".module_sign",
- KUIDT_INIT(0), KGIDT_INIT(0),
- current_cred(),
- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW | KEY_USR_READ),
- KEY_ALLOC_NOT_IN_QUOTA, NULL);
- if (IS_ERR(modsign_keyring))
- panic("Can't allocate module signing keyring\n");
-
- return 0;
-}
-
-/*
- * Must be initialised before we try and load the keys into the keyring.
- */
-device_initcall(module_verify_init);
-
-/*
- * Load the compiled-in keys
- */
-static __init int load_module_signing_keys(void)
-{
- key_ref_t key;
- const u8 *p, *end;
- size_t plen;
-
- pr_notice("Loading module verification certificates\n");
-
- end = modsign_certificate_list_end;
- p = modsign_certificate_list;
- while (p < end) {
- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
- * than 256 bytes in size.
- */
- if (end - p < 4)
- goto dodgy_cert;
- if (p[0] != 0x30 &&
- p[1] != 0x82)
- goto dodgy_cert;
- plen = (p[2] << 8) | p[3];
- plen += 4;
- if (plen > end - p)
- goto dodgy_cert;
-
- key = key_create_or_update(make_key_ref(modsign_keyring, 1),
- "asymmetric",
- NULL,
- p,
- plen,
- (KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW,
- KEY_ALLOC_NOT_IN_QUOTA);
- if (IS_ERR(key))
- pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)\n",
- PTR_ERR(key));
- else
- pr_notice("MODSIGN: Loaded cert '%s'\n",
- key_ref_to_ptr(key)->description);
- p += plen;
- }
-
- return 0;
-
-dodgy_cert:
- pr_err("MODSIGN: Problem parsing in-kernel X.509 certificate list\n");
- return 0;
-}
-late_initcall(load_module_signing_keys);
diff --git a/kernel/module-internal.h b/kernel/module-internal.h
index 24f9247..915e123 100644
--- a/kernel/module-internal.h
@ -526,7 +388,7 @@ index 0000000..a3ca76f
1.8.1.2
From cde17a931bb2f8631cfd6576f07f77857a383248 Mon Sep 17 00:00:00 2001
From a374634f4c6582740c91ccfb7cdc49aa26445090 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Thu, 17 Jan 2013 16:25:00 +0000
Subject: [PATCH 03/47] KEYS: Add a 'trusted' flag and a 'trusted only' flag
@ -655,7 +517,7 @@ index 6ece7f2..f18d7ff 100644
1.8.1.2
From 2e5ee12060b914772094d038b7bd9c2e486d339f Mon Sep 17 00:00:00 2001
From 654c4260b94ab07936e4e1a697eddb082b0915a1 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:32 +0000
Subject: [PATCH 04/47] KEYS: Rename public key parameter name arrays
@ -810,7 +672,7 @@ index 0034e36..0b6b870 100644
1.8.1.2
From d823c31e932ecd1e1c24435b447b35bbe9e3ee9d Mon Sep 17 00:00:00 2001
From a34e52cba48a0b78902a677bb15b927581021cc0 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:33 +0000
Subject: [PATCH 05/47] KEYS: Move the algorithm pointer array from x509 to
@ -892,7 +754,7 @@ index 619d570..46bde25 100644
1.8.1.2
From cd2153b3e5b694e88fe4a136b9bae70c16b72fd0 Mon Sep 17 00:00:00 2001
From 63aec95cc6af50218892f9b870a952a28de04665 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:33 +0000
Subject: [PATCH 06/47] KEYS: Store public key algo ID in public_key struct
@ -977,7 +839,7 @@ index 46bde25..05778df 100644
1.8.1.2
From 120a94c9b259d1d19ab64c82737121dcc23e50ea Mon Sep 17 00:00:00 2001
From bf77135946a15f3833928cdf9a97f481a4b7f29b Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:34 +0000
Subject: [PATCH 07/47] KEYS: Split public_key_verify_signature() and make
@ -1093,7 +955,7 @@ index fac574c..8cb2f70 100644
1.8.1.2
From 2fc59e9f40053886e23c7bbed0841676472d0641 Mon Sep 17 00:00:00 2001
From d05eeaba52cdd6ddff9620186aa3a221e5909430 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:35 +0000
Subject: [PATCH 08/47] KEYS: Store public key algo ID in public_key_signature
@ -1126,7 +988,7 @@ index 05778df..b34fda4 100644
1.8.1.2
From 8de67c627dbfc895797320c82a3ebf87f5b8d446 Mon Sep 17 00:00:00 2001
From 3e2fb1075b17dc005721b2d63ae6a3c146fa529a Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:35 +0000
Subject: [PATCH 09/47] X.509: struct x509_certificate needs struct tm
@ -1158,7 +1020,7 @@ index e583ad0..2d01182 100644
1.8.1.2
From 074c5a12ea0152b2a3331174ad02f3ccc8ac9915 Mon Sep 17 00:00:00 2001
From 5c9dbeecb8faff88eb009d329c37831b8ec112ba Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:35 +0000
Subject: [PATCH 10/47] X.509: Add bits needed for PKCS#7
@ -1256,7 +1118,7 @@ index 2d01182..a6ce46f 100644
1.8.1.2
From 539f6dc3de1679495b7ce4f252e815d8373ffcef Mon Sep 17 00:00:00 2001
From 11a3d86669eb5fd71c756777cff053221de851a2 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:36 +0000
Subject: [PATCH 11/47] X.509: Embed public_key_signature struct and create
@ -1524,7 +1386,7 @@ index 8cb2f70..b7c81d8 100644
1.8.1.2
From 760bd4c7f0be3da4191b737a480af92df125431e Mon Sep 17 00:00:00 2001
From 09ba17965bed337bfb88ef9dc2d0b8c918eb5c01 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:36 +0000
Subject: [PATCH 12/47] X.509: Check the algorithm IDs obtained from parsing an
@ -1565,7 +1427,7 @@ index b7c81d8..eb368d4 100644
1.8.1.2
From 5f7f7268ce26dfdd754f9bcb081c380b5409b072 Mon Sep 17 00:00:00 2001
From 293744b6e8bfb316b3d3545984eed2f4cb0b09bc Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:37 +0000
Subject: [PATCH 13/47] X.509: Handle certificates that lack an
@ -1612,7 +1474,7 @@ index eb368d4..0f55e3b 100644
1.8.1.2
From e2d27f7dd12e2368b03a2007b435c5ae35020218 Mon Sep 17 00:00:00 2001
From 176a9c3ef9b6b4faf0a82600e70e03b8446a2590 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:37 +0000
Subject: [PATCH 14/47] X.509: Export certificate parse and free functions
@ -1658,7 +1520,7 @@ index 931f069..9cf0e16 100644
1.8.1.2
From b6c2806dcc10f6377cafcde2b74d49419266fba8 Mon Sep 17 00:00:00 2001
From 962c8a1468e2ae96c417be0c85871218e542284d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:38 +0000
Subject: [PATCH 15/47] PKCS#7: Implement a parser [RFC 2315]
@ -2271,7 +2133,7 @@ index 6926db7..edeff85 100644
1.8.1.2
From 0aa7a27b37790e737bbd80f61ccc12184baed13c Mon Sep 17 00:00:00 2001
From a6bd28571756d205a02bf45b1f92b481a5219418 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:38 +0000
Subject: [PATCH 16/47] PKCS#7: Digest the data in a signed-data message
@ -2445,7 +2307,7 @@ index 0000000..2f9f26c
1.8.1.2
From e84f2d2018594d3b5c4ecbe45e29ca7eb0b50909 Mon Sep 17 00:00:00 2001
From 2bf1ddcd0d3d9d4e578b1024252383d6bfa2e426 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:39 +0000
Subject: [PATCH 17/47] PKCS#7: Find the right key in the PKCS#7 key list and
@ -2544,7 +2406,7 @@ index 2f9f26c..3f6f0e2 100644
1.8.1.2
From d64d4625334797a96891b93cffb0899f3dd6218d Mon Sep 17 00:00:00 2001
From 88c5376101756187b5240a2ff2d87a3b9ab9b7ff Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:39 +0000
Subject: [PATCH 18/47] PKCS#7: Verify internal certificate chain
@ -2660,7 +2522,7 @@ index 6b1d877..5e35fba 100644
1.8.1.2
From 051964867e90089bcd643cce929e1a6494abe20b Mon Sep 17 00:00:00 2001
From 4b7bd5ef637b260f03d6ccf05d4f8cbe50a32302 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:42 +0000
Subject: [PATCH 19/47] PKCS#7: Find intersection between PKCS#7 message and
@ -2867,7 +2729,7 @@ index 0000000..cc226f5
1.8.1.2
From 7cbe9a52ec426f2d1e2bdaefda34a16987114a98 Mon Sep 17 00:00:00 2001
From 65da0a66d93e032f86253083074cf127a8a07ec8 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:39 +0000
Subject: [PATCH 20/47] Provide PE binary definitions
@ -3340,7 +3202,7 @@ index 0000000..9234aef
1.8.1.2
From 63bfd5e0dbf914df3e39011ea0bc0e3fa056420b Mon Sep 17 00:00:00 2001
From bef62c421fe0342e0d4132441a1ba7012d552c46 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:40 +0000
Subject: [PATCH 21/47] pefile: Parse a PE binary to find a key and a signature
@ -3634,7 +3496,7 @@ index 0000000..82bcaf6
1.8.1.2
From 82101ad57553b695c00e1b1c686d61ae4be27ab2 Mon Sep 17 00:00:00 2001
From e5328cdb361123e2126ec76844b1eccb1eccb2e2 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:40 +0000
Subject: [PATCH 22/47] pefile: Strip the wrapper off of the cert data block
@ -3738,7 +3600,7 @@ index fb80cf0..f2d4df0 100644
1.8.1.2
From 1e9df8e0c3ac669a43ca856f15e377f3ac671ae0 Mon Sep 17 00:00:00 2001
From 743500a93b4b74a7444d8cb8a3ff09f73e6440ee Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:40 +0000
Subject: [PATCH 23/47] pefile: Parse the presumed PKCS#7 content of the
@ -3792,7 +3654,7 @@ index f2d4df0..056500f 100644
1.8.1.2
From 99df31e182eafe3473eec9805d08847411527c79 Mon Sep 17 00:00:00 2001
From 9432dceca505e7d9b8c420059ebcce7047c62375 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:41 +0000
Subject: [PATCH 24/47] pefile: Parse the "Microsoft individual code signing"
@ -4035,7 +3897,7 @@ index edeff85..332dcf5 100644
1.8.1.2
From dcebe53a75f108c10ac0c429d2b63f3f1f02c109 Mon Sep 17 00:00:00 2001
From f1be79950932727d4f1517a4ca2a6c8d8babdf6d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:41 +0000
Subject: [PATCH 25/47] pefile: Digest the PE binary and compare to the PKCS#7
@ -4271,7 +4133,7 @@ index f1c8cc1..dfdb85e 100644
1.8.1.2
From 3aa52815d5d27045e66b9a3970ff2af8b707bfa6 Mon Sep 17 00:00:00 2001
From d11766cd96997c0c8dd8511939fa05485c0ba564 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 18 Jan 2013 13:58:35 +0000
Subject: [PATCH 26/47] PEFILE: Validate PKCS#7 trust chain
@ -4323,7 +4185,7 @@ index dfdb85e..edad948 100644
1.8.1.2
From 125d3794df049a715905529e05b6400db1309ec5 Mon Sep 17 00:00:00 2001
From 8247b08630ee7d8da1b82a1c52656e53b0698a5f Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 15 Jan 2013 15:33:42 +0000
Subject: [PATCH 27/47] PEFILE: Load the contained key if we consider the
@ -4414,7 +4276,7 @@ index 0f55e3b..c3e5a6d 100644
1.8.1.2
From f8089a0ae1983d8a079510126d7f21bd01d3a971 Mon Sep 17 00:00:00 2001
From e0de67120b1a027658c1195cbf9648a0ff97d082 Mon Sep 17 00:00:00 2001
From: Chun-Yi Lee <joeyli.kernel@gmail.com>
Date: Thu, 21 Feb 2013 19:23:49 +0800
Subject: [PATCH 28/47] MODSIGN: Fix including certificate twice when the
@ -4450,10 +4312,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index 454ce54..9824a86 100644
index f273c0e..9777222 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -142,7 +142,10 @@ $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
@@ -150,7 +150,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
#
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
@ -4469,7 +4331,7 @@ index 454ce54..9824a86 100644
1.8.1.2
From 26909a21e7274b6d9e04374e2a11e4fbc07713f3 Mon Sep 17 00:00:00 2001
From 09f8eba451f2ddd3eb5b8ba2dfc5153087ebaa78 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:56 -0400
Subject: [PATCH 29/47] Secure boot: Add new capability
@ -4506,7 +4368,7 @@ index ba478fa..7109e65 100644
1.8.1.2
From ea9b455fe0e2c2f133ab26e24cc3c1e83fd2a0e4 Mon Sep 17 00:00:00 2001
From 75cab5d8cd111497c16a92a6d7060bff22b87c2b Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:05 -0400
Subject: [PATCH 30/47] SELinux: define mapping for new Secure Boot capability
@ -4539,7 +4401,7 @@ index 14d04e6..ed99a2d 100644
1.8.1.2
From f945b0d4c7653109a2cca48de11faa8c44e4c503 Mon Sep 17 00:00:00 2001
From 69dc786f5679c66ad0afaa235ee52c59308281d2 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:02 -0400
Subject: [PATCH 31/47] Secure boot: Add a dummy kernel parameter that will
@ -4605,7 +4467,7 @@ index e0573a4..c3f4e3e 100644
1.8.1.2
From eb90b28185e0a14b4d585713078229f1416fbf0c Mon Sep 17 00:00:00 2001
From 1a22bfc73b9fddc1a4addb3d485f5473950d984a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:03 -0400
Subject: [PATCH 32/47] efi: Enable secure boot lockdown automatically when
@ -4751,7 +4613,7 @@ index 9bf2f1f..1bf382b 100644
1.8.1.2
From 32e9fbbf1bc41283c3af2ed24044edff8fcf1c69 Mon Sep 17 00:00:00 2001
From 5d18a80e7f10e03229d46ffa409ff82af034448b Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
Subject: [PATCH 33/47] Add EFI signature data types
@ -4806,7 +4668,7 @@ index 1bf382b..8902faf 100644
1.8.1.2
From a040224f153348fa8df70f6c2cefd107d5ea004f Mon Sep 17 00:00:00 2001
From 891ffe35209bd889a2c01d733f0b255cdf4e6ebe Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH 34/47] Add an EFI signature blob parser and key loader.
@ -4986,7 +4848,7 @@ index 8902faf..ff3c599 100644
1.8.1.2
From e096ebf28fdc1a96055a1e2a8b3a194c64560e77 Mon Sep 17 00:00:00 2001
From 0f5c163a734890d86611bed2717457551c5a0b30 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH 35/47] KEYS: Add a system blacklist keyring
@ -5101,7 +4963,7 @@ index dae8778..2913c70 100644
1.8.1.2
From 8ae4ff8d17e43538f4b5aca9758c461dbd4e26f3 Mon Sep 17 00:00:00 2001
From 1fda98f6edb36b6713df3a7e4578c27c1aa03d89 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH 36/47] MODSIGN: Import certificates from UEFI Secure Boot
@ -5166,7 +5028,7 @@ index e82c950..e15c960 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
index 9824a86..ac803d0 100644
index 9777222..2cbb45b 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -56,6 +56,7 @@ obj-$(CONFIG_UID16) += uid16.o
@ -5287,7 +5149,7 @@ index 0000000..df831ff
1.8.1.2
From a7aa88c97e85e0a9fdd95b1a0ba3605b36f4313a Mon Sep 17 00:00:00 2001
From 737ae51d4157b099037609127117102b56f196d1 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:57 -0400
Subject: [PATCH 37/47] PCI: Lock down BAR access in secure boot environments
@ -5339,7 +5201,7 @@ index 9c6e9bb..b966089 100644
}
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 9b8505c..35580bc 100644
index 0b00947..7639f68 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -139,6 +139,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
@ -5388,7 +5250,7 @@ index e1c1ec5..97e785f 100644
1.8.1.2
From 3ab26acbd1042405f65bf72f44c857511d953b83 Mon Sep 17 00:00:00 2001
From 6cf45d0803d6d3f544e4033cf95c1357b34896f2 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:58 -0400
Subject: [PATCH 38/47] x86: Lock down IO port access in secure boot
@ -5428,7 +5290,7 @@ index 4ddaf66..f505995 100644
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 6f6e92a..9362b9b 100644
index 2c644af..7eee4d8 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
@ -5445,7 +5307,7 @@ index 6f6e92a..9362b9b 100644
1.8.1.2
From c05363da5dfcc35d9717c2cd6cc47690f92e9cdc Mon Sep 17 00:00:00 2001
From ebb40a7c6dc438afd6050c20c0b5f81e9701d985 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:59 -0400
Subject: [PATCH 39/47] ACPI: Limit access to custom_method
@ -5477,7 +5339,7 @@ index 12b62f2..edf0710 100644
1.8.1.2
From 47f48642c2e767b8f1219a6692a90262e2dfaee6 Mon Sep 17 00:00:00 2001
From cb35d821b7591fe9fed20db28d50addfe00fb128 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:00 -0400
Subject: [PATCH 40/47] asus-wmi: Restrict debugfs interface
@ -5530,7 +5392,7 @@ index f80ae4d..059195f 100644
1.8.1.2
From a18dec77f42e30d986a29f51d2f0933d2c30b9c3 Mon Sep 17 00:00:00 2001
From 6bfdb84e12b802d4a31f1a7c238bb3e91421e3af Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:01 -0400
Subject: [PATCH 41/47] Restrict /dev/mem and /dev/kmem in secure boot setups
@ -5544,7 +5406,7 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 9362b9b..3c55828 100644
index 7eee4d8..772ee2b 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@ -5571,7 +5433,7 @@ index 9362b9b..3c55828 100644
1.8.1.2
From b03691364e9bee51a92a32887bdb783a8210364c Mon Sep 17 00:00:00 2001
From 1f0241ccbc1a54954e66b8426b33cfdd49861208 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:04 -0400
Subject: [PATCH 42/47] acpi: Ignore acpi_rsdp kernel parameter in a secure
@ -5606,7 +5468,7 @@ index 586e7e9..8950454 100644
1.8.1.2
From febf4b93d82db4e575014ff518f500ae988ef2aa Mon Sep 17 00:00:00 2001
From 3d141f6e5ead9ec80412001f646c09dbef90827b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Tue, 4 Sep 2012 11:55:13 -0400
Subject: [PATCH 43/47] kexec: Disable in a secure boot environment
@ -5638,7 +5500,7 @@ index 2436ffc..a78e71a 100644
1.8.1.2
From 99a767e78759ad32c78e79690f6aabd72caf5969 Mon Sep 17 00:00:00 2001
From 8c6131a869a749322a94b578c99204353d3a3820 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 5 Oct 2012 10:12:48 -0400
Subject: [PATCH 44/47] MODSIGN: Always enforce module signing in a Secure Boot
@ -5681,7 +5543,7 @@ index c3f4e3e..c5554e0 100644
/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
diff --git a/kernel/module.c b/kernel/module.c
index 921bed4..2ee8a7c 100644
index 0925c9a..af4a476 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
@ -5700,7 +5562,7 @@ index 921bed4..2ee8a7c 100644
1.8.1.2
From 9a3364262073f8ae3f00a4bad626823811fedffa Mon Sep 17 00:00:00 2001
From d1f48eaf24be97f7bd86f4680ed7d64c6238787f Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 14:02:09 -0400
Subject: [PATCH 45/47] hibernate: Disable in a Secure Boot environment
@ -5814,7 +5676,7 @@ index 4ed81e7..b11a0f4 100644
1.8.1.2
From 74bfbcb7c06c502b536d0d0e2eab3f4423452e11 Mon Sep 17 00:00:00 2001
From 8816b7dc8421fb97a2423cb245c28eec978009fe Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 46/47] efi: Disable secure boot if shim is in insecure mode
@ -5873,7 +5735,7 @@ index 96bd86b..6e1331c 100644
1.8.1.2
From f472a81527c0f2efbb8f2ad9c799b3fd13a79806 Mon Sep 17 00:00:00 2001
From af08e556b6c214021bda6d601fcc4a23f8cbd1a5 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 47/47] x86: Lock down MSR writing in secure boot
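Review bot: The rebased PATCH 02/47 ("KEYS: Separate the kernel signature checking keyring") no longer deletes kernel/modsign_certificate.S and kernel/modsign_pubkey.c — the diffstat goes from "9 files changed, 168 insertions(+), 131 deletions(-)" to "7 files changed, 168 insertions(+), 9 deletions(-)", the two `delete mode 100644` entries disappear, and the 140-line removal hunk for those files shrinks to 6 lines, while the `-ifeq ($(CONFIG_MODULE_SIG),y)` Makefile change and the new kernel/system_keyring.c remain. If those two files are still present and still built in the v3.8-9456 tree, the old `.module_sign` keyring allocated in `module_verify_init` (which `panic()`s on failure and is populated from `modsign_certificate_list`) would coexist with the new system keyring, and it is not visible from this rendering which keyring kernel/module_signing.c ends up verifying against. Worth confirming against the full patch that the old files are either removed or dropped from kernel/Makefile, or adding a sentence to the patch description such as `modsign_pubkey.c/modsign_certificate.S are left in place because ...` explaining why the rebase retains them. The +/- markers are not preserved on this page, so the exact old/new assignment of the surrounding lines cannot be checked here.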


@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 0
# The git snapshot level
%define gitrev 10
%define gitrev 11
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@ -667,7 +667,7 @@ Patch800: crash-driver.patch
# crypto/
# secure boot
Patch1000: devel-pekey-secure-boot-20130226.patch
Patch1000: devel-pekey-secure-boot-20130227.patch
# virt + ksm patches
@ -1374,7 +1374,7 @@ ApplyPatch crash-driver.patch
# crypto/
# secure boot
ApplyPatch devel-pekey-secure-boot-20130226.patch
ApplyPatch devel-pekey-secure-boot-20130227.patch
# Assorted Virt Fixes
@ -2296,6 +2296,9 @@ fi
# ||----w |
# || ||
%changelog
* Wed Feb 27 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git11.1
- Linux v3.8-9456-g309667e
* Wed Feb 27 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git10.1
- Linux v3.8-9405-gd895cb1


@ -1,2 +1,2 @@
1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz
bbe8c6f353b542e8220587f01b72009d patch-3.8-git10.xz
7bd46bc54ccefe22b8153f8e491ede8b patch-3.8-git11.xz