Linux v4.2-10637-ga794b4f32921

- Rework secure boot patchset

ACPI-Limit-access-to-custom_method.patch

@@ -1,6 +1,7 @@
+From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH] ACPI: Limit access to custom_method
+Subject: [PATCH 04/20] ACPI: Limit access to custom_method
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.
@@ -25,3 +26,6 @@ index c68e72414a67..4277938af700 100644
  	if (!(*ppos)) {
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
+-- 
+2.4.3
+

Add-EFI-signature-data-types.patch

@@ -1,6 +1,7 @@
+From 34e3e23e08fdccbf4637deab0cf03070d4f2226d Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH] Add EFI signature data types
+Subject: [PATCH 15/20] Add EFI signature data types
 
 Add the data types that are used for containing hashes, keys and certificates
 for cryptographic verification.
@@ -51,3 +52,6 @@ index de3e45088d4a..fac43c611614 100644
  /*
   * All runtime access to EFI goes through this structure:
   */
+-- 
+2.4.3
+

Add-an-EFI-signature-blob-parser-and-key-loader.patch

@@ -1,6 +1,7 @@
+From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH] Add an EFI signature blob parser and key loader.
+Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
 
 X.509 certificates are loaded into the specified keyring as asymmetric type
 keys.
@@ -32,7 +33,7 @@ index 4870f28403f5..4a1b50d73b80 100644
 +
  endif # ASYMMETRIC_KEY_TYPE
 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index e47fcd9ac5e8..6512f6596785 100644
+index cd1406f9b14a..d9db380bbe53 100644
 --- a/crypto/asymmetric_keys/Makefile
 +++ b/crypto/asymmetric_keys/Makefile
 @@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o
@@ -173,3 +174,6 @@ index fac43c611614..414c3c3d988d 100644
  /**
   * efi_range_is_wc - check the WC bit on an address range
   * @start: starting kvirt address
+-- 
+2.4.3
+

Add-option-to-automatically-enforce-module-signature.patch

@@ -1,7 +1,8 @@
+From 37431394b3eeb1ef6d38d0e6b2693210606c2c2c Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH] Add option to automatically enforce module signatures when in
- Secure Boot mode
+Subject: [PATCH 10/20] Add option to automatically enforce module signatures
+ when in Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels. Certain use cases may also
@@ -20,10 +21,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  7 files changed, 69 insertions(+), 1 deletion(-)
 
 diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 82fbdbc1e0b0..a811210ad486 100644
+index 95a4d34af3fd..b8527c6b7646 100644
 --- a/Documentation/x86/zero-page.txt
 +++ b/Documentation/x86/zero-page.txt
-@@ -30,6 +30,8 @@ Offset	Proto	Name		Meaning
+@@ -31,6 +31,8 @@ Offset	Proto	Name		Meaning
  1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
  1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
  				(below)
@@ -33,10 +34,10 @@ index 82fbdbc1e0b0..a811210ad486 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 3dbb7e7909ca..4da6644b1fd0 100644
+index cc0d73eac047..14db458f4774 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1703,6 +1703,16 @@ config EFI_MIXED
+@@ -1734,6 +1734,16 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -54,7 +55,7 @@ index 3dbb7e7909ca..4da6644b1fd0 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 2c82bd150d43..1ef8ea7f8ed9 100644
+index ee1b6d346b98..b4de3faa3f29 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -115,7 +116,7 @@ index 2c82bd150d43..1ef8ea7f8ed9 100644
  
  	setup_efi_pci(boot_params);
 diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index ab456dc233b5..74ba4083e7ce 100644
+index 329254373479..b61f8533c0fd 100644
 --- a/arch/x86/include/uapi/asm/bootparam.h
 +++ b/arch/x86/include/uapi/asm/bootparam.h
 @@ -134,7 +134,8 @@ struct boot_params {
@@ -129,10 +130,10 @@ index ab456dc233b5..74ba4083e7ce 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 80f874bf999e..c2e4f52cad30 100644
+index baadbf90a7c5..1ac118146e90 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p)
  
  	io_delay_init();
  
@@ -146,10 +147,10 @@ index 80f874bf999e..c2e4f52cad30 100644
  	 * Parse the ACPI tables for possible boot-time SMP configuration.
  	 */
 diff --git a/include/linux/module.h b/include/linux/module.h
-index 57474384b66b..b69d657c3700 100644
+index db386349cd01..4b8df91f03cd 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
-@@ -189,6 +189,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
+@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
  
  struct notifier_block;
  
@@ -163,10 +164,10 @@ index 57474384b66b..b69d657c3700 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index e9869c497175..87fa14fedc88 100644
+index 7f045246e123..2b403ab0ef29 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4084,6 +4084,13 @@ void module_layout(struct module *mod,
+@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  
@@ -180,3 +181,6 @@ index e9869c497175..87fa14fedc88 100644
  bool secure_modules(void)
  {
  #ifdef CONFIG_MODULE_SIG
+-- 
+2.4.3
+

Add-secure_modules-call.patch

@@ -1,6 +1,7 @@
+From a1aaf20cffb1a949c5d6b1198690c7c30cfda4d5 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH] Add secure_modules() call
+Subject: [PATCH 01/20] Add secure_modules() call
 
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load
@@ -16,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  2 files changed, 16 insertions(+)
 
 diff --git a/include/linux/module.h b/include/linux/module.h
-index d67b1932cc59..57474384b66b 100644
+index 3a19c79918e0..db386349cd01 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
-@@ -551,6 +551,8 @@ static inline bool module_requested_async_probing(struct module *module)
+@@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module)
  	return module && module->async_probe_requested;
  }
  
@@ -28,7 +29,7 @@ index d67b1932cc59..57474384b66b 100644
  #else /* !CONFIG_MODULES... */
  
  /* Given an address, look for it in the exception tables. */
-@@ -667,6 +669,10 @@ static inline bool module_requested_async_probing(struct module *module)
+@@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module)
  	return false;
  }
  
@@ -40,10 +41,10 @@ index d67b1932cc59..57474384b66b 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 4d2b82e610e2..e9869c497175 100644
+index b86b7bf1be38..7f045246e123 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4083,3 +4083,13 @@ void module_layout(struct module *mod,
+@@ -4087,3 +4087,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif
@@ -57,3 +58,6 @@ index 4d2b82e610e2..e9869c497175 100644
 +#endif
 +}
 +EXPORT_SYMBOL(secure_modules);
+-- 
+2.4.3
+

Add-sysrq-option-to-disable-secure-boot-mode.patch

@@ -1,6 +1,7 @@
+From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001
 From: Kyle McMartin <kyle@redhat.com>
 Date: Fri, 30 Aug 2013 09:28:51 -0400
-Subject: [PATCH] Add sysrq option to disable secure boot mode
+Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
 
 Bugzilla: N/A
 Upstream-status: Fedora mustard
@@ -15,7 +16,7 @@ Upstream-status: Fedora mustard
  7 files changed, 64 insertions(+), 9 deletions(-)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 5def6b4143fa..1eac9d22cb0b 100644
+index f93826b8522c..41679b1aca83 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -70,6 +70,11 @@
@@ -30,7 +31,7 @@ index 5def6b4143fa..1eac9d22cb0b 100644
  #include <video/edid.h>
  
  #include <asm/mtrr.h>
-@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void)
+@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void)
  
  #endif /* CONFIG_X86_32 */
  
@@ -69,10 +70,10 @@ index 5def6b4143fa..1eac9d22cb0b 100644
  	.notifier_call = dump_kernel_offset
  };
 diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
-index 421e29e4cd81..61c1eb97806c 100644
+index 345df9b03aed..dea6a6c4a39b 100644
 --- a/drivers/input/misc/uinput.c
 +++ b/drivers/input/misc/uinput.c
-@@ -366,6 +366,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
+@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
  	if (!udev->dev)
  		return -ENOMEM;
  
@@ -81,10 +82,10 @@ index 421e29e4cd81..61c1eb97806c 100644
  	input_set_drvdata(udev->dev, udev);
  
 diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index b5b427888b24..289c7898a3b0 100644
+index 95b330a9ea98..dfa3e154a719 100644
 --- a/drivers/tty/sysrq.c
 +++ b/drivers/tty/sysrq.c
-@@ -465,6 +465,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
  	/* x: May be registered on mips for TLB dump */
  	/* x: May be registered on ppc/powerpc for xmon */
  	/* x: May be registered on sparc64 for global PMU dump */
@@ -92,7 +93,7 @@ index b5b427888b24..289c7898a3b0 100644
  	NULL,				/* x */
  	/* y: May be registered on sparc64 for global register dump */
  	NULL,				/* y */
-@@ -508,7 +509,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
                  sysrq_key_table[i] = op_p;
  }
  
@@ -101,7 +102,7 @@ index b5b427888b24..289c7898a3b0 100644
  {
  	struct sysrq_key_op *op_p;
  	int orig_log_level;
-@@ -528,11 +529,15 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask)
  
          op_p = __sysrq_get_key_op(key);
          if (op_p) {
@@ -118,7 +119,7 @@ index b5b427888b24..289c7898a3b0 100644
  			pr_cont("%s\n", op_p->action_msg);
  			console_loglevel = orig_log_level;
  			op_p->handler(key);
-@@ -564,7 +569,7 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask)
  void handle_sysrq(int key)
  {
  	if (sysrq_on())
@@ -127,7 +128,7 @@ index b5b427888b24..289c7898a3b0 100644
  }
  EXPORT_SYMBOL(handle_sysrq);
  
-@@ -645,7 +650,7 @@ static void sysrq_do_reset(unsigned long _state)
+@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state)
  static void sysrq_handle_reset_request(struct sysrq_state *state)
  {
  	if (state->reset_requested)
@@ -136,7 +137,7 @@ index b5b427888b24..289c7898a3b0 100644
  
  	if (sysrq_reset_downtime_ms)
  		mod_timer(&state->keyreset_timer,
-@@ -796,8 +801,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
  
  	default:
  		if (sysrq->active && value && value != 2) {
@@ -148,7 +149,7 @@ index b5b427888b24..289c7898a3b0 100644
  		}
  		break;
  	}
-@@ -1077,7 +1084,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
  
  		if (get_user(c, buf))
  			return -EFAULT;
@@ -228,7 +229,7 @@ index 4121345498e0..0ff3cef5df96 100644
  
  	return 0;
 diff --git a/kernel/module.c b/kernel/module.c
-index 87fa14fedc88..61385e686d49 100644
+index 2b403ab0ef29..7818c110e95c 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void)
@@ -240,3 +241,6 @@ index 87fa14fedc88..61385e686d49 100644
  #ifndef CONFIG_MODULE_SIG_FORCE
  module_param(sig_enforce, bool_enable_only, 0644);
  #endif /* !CONFIG_MODULE_SIG_FORCE */
+-- 
+2.4.3
+

KEYS-Add-a-system-blacklist-keyring.patch

@@ -1,6 +1,7 @@
+From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH] KEYS: Add a system blacklist keyring
+Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
 
 This adds an additional keyring that is used to store certificates that
 are blacklisted.  This keyring is searched first when loading signed modules
@@ -9,72 +10,15 @@ useful in cases where third party certificates are used for module signing.
 
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
+ certs/system_keyring.c        | 27 +++++++++++++++++++++++++++
  include/keys/system_keyring.h |  4 ++++
  init/Kconfig                  |  9 +++++++++
- kernel/module_signing.c       | 12 ++++++++++++
- kernel/system_keyring.c       | 17 +++++++++++++++++
- 4 files changed, 42 insertions(+)
+ 3 files changed, 40 insertions(+)
 
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index 72665eb80692..2c7b80d31366 100644
---- a/include/keys/system_keyring.h
-+++ b/include/keys/system_keyring.h
-@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void)
- }
- #endif
- 
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+extern struct key *system_blacklist_keyring;
-+#endif
-+
- #endif /* _KEYS_SYSTEM_KEYRING_H */
-diff --git a/init/Kconfig b/init/Kconfig
-index af09b4fb43d2..62f6fd191e4f 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1752,6 +1752,15 @@ config SYSTEM_TRUSTED_KEYRING
- 
- 	  Keys in this keyring are used by module signature checking.
- 
-+config SYSTEM_BLACKLIST_KEYRING
-+	bool "Provide system-wide ring of blacklisted keys"
-+	depends on KEYS
-+	help
-+	  Provide a system keyring to which blacklisted keys can be added.
-+	  Keys in the keyring are considered entirely untrusted.  Keys in this
-+	  keyring are used by the module signature checking to reject loading
-+	  of modules signed with a blacklisted key.
-+
- config PROFILING
- 	bool "Profiling support"
- 	help
-diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index be5b8fac4bd0..fed815fcdaf2 100644
---- a/kernel/module_signing.c
-+++ b/kernel/module_signing.c
-@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
- 
- 	pr_debug("Look up: \"%s\"\n", id);
- 
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+	key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
-+				   &key_type_asymmetric, id);
-+	if (!IS_ERR(key)) {
-+		/* module is signed with a cert in the blacklist.  reject */
-+		pr_err("Module key '%s' is in blacklist\n", id);
-+		key_ref_put(key);
-+		kfree(id);
-+		return ERR_PTR(-EKEYREJECTED);
-+	}
-+#endif
-+
- 	key = keyring_search(make_key_ref(system_trusted_keyring, 1),
- 			     &key_type_asymmetric, id);
- 	if (IS_ERR(key))
-diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
-index 875f64e8935b..c15e93f5a418 100644
---- a/kernel/system_keyring.c
-+++ b/kernel/system_keyring.c
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 2570598b784d..53733822993f 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
 @@ -20,6 +20,9 @@
  
  struct key *system_trusted_keyring;
@@ -90,7 +34,7 @@ index 875f64e8935b..c15e93f5a418 100644
  
  	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
 +
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++	#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 +	system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
 +				    KUIDT_INIT(0), KGIDT_INIT(0),
 +				    current_cred(),
@@ -106,3 +50,56 @@ index 875f64e8935b..c15e93f5a418 100644
  	return 0;
  }
  
+@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len,
+ 	if (ret < 0)
+ 		goto error;
+ 
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++	ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted);
++	if (!ret) {
++		/* module is signed with a cert in the blacklist.  reject */
++		pr_err("Module key is in the blacklist\n");
++		ret = -EKEYREJECTED;
++		goto error;
++	}
++#endif
++
+ 	ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
+ 	if (ret < 0)
+ 		goto error;
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index b20cd885c1fd..51d8ddc60e0f 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -35,4 +35,8 @@ extern int system_verify_data(const void *data, unsigned long len,
+ 			      enum key_being_used_for usage);
+ #endif
+ 
++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
++extern struct key *system_blacklist_keyring;
++#endif
++
+ #endif /* _KEYS_SYSTEM_KEYRING_H */
+diff --git a/init/Kconfig b/init/Kconfig
+index 02da9f1fd9df..782d26f02885 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION
+ 	  module verification, kexec image verification and firmware blob
+ 	  verification.
+ 
++config SYSTEM_BLACKLIST_KEYRING
++	bool "Provide system-wide ring of blacklisted keys"
++	depends on KEYS
++	help
++	  Provide a system keyring to which blacklisted keys can be added.
++	  Keys in the keyring are considered entirely untrusted.  Keys in this
++	  keyring are used by the module signature checking to reject loading
++	  of modules signed with a blacklisted key.
++
+ config PROFILING
+ 	bool "Profiling support"
+ 	help
+-- 
+2.4.3
+

MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch

@@ -1,3 +1,4 @@
+From b890a85619bee4262876ad131eb0565014ae82b0 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:42:16 -0400
 Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
@@ -42,10 +43,10 @@ index 414c3c3d988d..d920a6be6c8b 100644
  	efi_guid_t guid;
  	u64 table;
 diff --git a/init/Kconfig b/init/Kconfig
-index 62f6fd191e4f..648bb79d6b73 100644
+index 782d26f02885..bcc71c2f4b80 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1906,6 +1906,15 @@ config MODULE_SIG_ALL
+@@ -1933,6 +1933,15 @@ config MODULE_SIG_ALL
  comment "Do not forget to sign required modules with scripts/sign-file"
  	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
  
@@ -62,11 +63,11 @@ index 62f6fd191e4f..648bb79d6b73 100644
  	prompt "Which hash algorithm should modules be signed with?"
  	depends on MODULE_SIG
 diff --git a/kernel/Makefile b/kernel/Makefile
-index 43c4c920f30a..3193574387ac 100644
+index e0d7587e7684..566ac6bb720c 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
-@@ -48,6 +48,7 @@ obj-$(CONFIG_UID16) += uid16.o
- obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
+@@ -47,6 +47,7 @@ endif
+ obj-$(CONFIG_UID16) += uid16.o
  obj-$(CONFIG_MODULES) += module.o
  obj-$(CONFIG_MODULE_SIG) += module_signing.o
 +obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
@@ -75,13 +76,13 @@ index 43c4c920f30a..3193574387ac 100644
  obj-$(CONFIG_KEXEC) += kexec.o
 @@ -101,6 +102,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
  
- $(obj)/configs.o: $(obj)/config_data.h
+ obj-$(CONFIG_HAS_IOMEM) += memremap.o
  
 +$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
 +
+ $(obj)/configs.o: $(obj)/config_data.h
+ 
  # config_data.h contains the same information as ikconfig.h but gzipped.
- # Info from config_data can be extracted from /proc/config*
- targets += config_data.gz
 diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
 new file mode 100644
 index 000000000000..94b0eb38a284
@@ -180,3 +181,6 @@ index 000000000000..94b0eb38a284
 +	return rc;
 +}
 +late_initcall(load_uefi_certs);
+-- 
+2.4.3
+

MODSIGN-Support-not-importing-certs-from-db.patch

@@ -1,6 +1,7 @@
+From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Thu, 3 Oct 2013 10:14:23 -0400
-Subject: [PATCH] MODSIGN: Support not importing certs from db
+Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
 
 If a user tells shim to not use the certs/hashes in the UEFI db variable
 for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@@ -78,3 +79,6 @@ index 94b0eb38a284..ae28b974d49a 100644
  	}
  
  	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+-- 
+2.4.3
+

PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,6 +1,8 @@
+From 655fbf360e1481db4f06001f893d388c15ac307f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
+Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is
+ enabled
 
 Any hardware that can potentially generate DMA has to be locked down from
 userspace in order to avoid it being possible for an attacker to modify
@@ -111,3 +113,6 @@ index b91c4da68365..98f5637304d1 100644
  		return -EPERM;
  
  	dev = pci_get_bus_and_slot(bus, dfn);
+-- 
+2.4.3
+

Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,6 +1,7 @@
+From d4ae417828427de74e9f857f9caa49580aecf1fe Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is
  restricted
 
 Allowing users to write to address space makes it possible for the kernel
@@ -36,3 +37,6 @@ index 53fe675f9bd7..b52c88860532 100644
  	if (p < (unsigned long) high_memory) {
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
+-- 
+2.4.3
+

acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,7 +1,8 @@
+From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading
- is restricted
+Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module
+ loading is restricted
 
 This option allows userspace to pass the RSDP address to the kernel, which
 makes it possible for a user to circumvent any restrictions imposed on
@@ -13,10 +14,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 3b8963f21b36..a5ae6a7fef5e 100644
+index 739a4a6b3b9b..9ef2a020a7a9 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
-@@ -44,6 +44,7 @@
+@@ -40,6 +40,7 @@
  #include <linux/list.h>
  #include <linux/jiffies.h>
  #include <linux/semaphore.h>
@@ -24,7 +25,7 @@ index 3b8963f21b36..a5ae6a7fef5e 100644
  
  #include <asm/io.h>
  #include <asm/uaccess.h>
-@@ -255,7 +256,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
  acpi_physical_address __init acpi_os_get_root_pointer(void)
  {
  #ifdef CONFIG_KEXEC
@@ -33,3 +34,6 @@ index 3b8963f21b36..a5ae6a7fef5e 100644
  		return acpi_rsdp;
  #endif
  
+-- 
+2.4.3
+

asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,7 +1,8 @@
+From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is
- restricted
+Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module
+ loading is restricted
 
 We have no way of validating what all of the Asus WMI methods do on a
 given machine, and there's a risk that some will allow hardware state to
@@ -48,3 +49,6 @@ index efbc3f0c592b..071171be4b7f 100644
  	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
  				     1, asus->debug.method_id,
  				     &input, &output);
+-- 
+2.4.3
+

config-arm-generic

@@ -218,6 +218,7 @@ CONFIG_I2C_MUX_GPIO=m
 CONFIG_I2C_MUX_PINCTRL=m
 CONFIG_I2C_MUX_PCA9541=m
 CONFIG_I2C_MUX_PCA954x=m
+CONFIG_I2C_MUX_REG=m
 
 # spi
 CONFIG_SPI_PL022=m

config-generic

@@ -146,6 +146,8 @@ CONFIG_MMC_TIFM_SD=m
 CONFIG_MMC_WBSD=m
 CONFIG_MMC_VIA_SDMMC=m
 CONFIG_MMC_SDHCI_PLTFM=m
+# CONFIG_MMC_SDHCI_OF is not set
+# CONFIG_MMC_SDHCI_OF_AT91 is not set
 CONFIG_MMC_CB710=m
 CONFIG_MMC_RICOH_MMC=y
 CONFIG_MMC_USHC=m
@@ -2571,6 +2573,7 @@ CONFIG_I2C_CHARDEV=m
 # CONFIG_I2C_MUX_GPIO is not set
 # CONFIG_I2C_MUX_PCA9541 is not set
 # CONFIG_I2C_MUX_PINCTRL is not set
+# CONFIG_I2C_MUX_REG is not set
 #
 
 #
@@ -2599,6 +2602,7 @@ CONFIG_I2C_ALGOPCA=m
 # CONFIG_I2C_NFORCE2_S4985 is not set
 # CONFIG_I2C_EG20T is not set
 # CONFIG_I2C_CBUS_GPIO is not set
+# CONFIG_I2C_EMEV2 is not set
 CONFIG_I2C_VIPERBOARD=m
 
 CONFIG_EEPROM_AT24=m
@@ -3139,6 +3143,7 @@ CONFIG_RTC_DRV_PCF85063=m
 # CONFIG_RTC_DRV_ISL12057 is not set
 # CONFIG_RTC_DRV_XGENE is not set
 # CONFIG_RTC_DRV_ABB5ZES3 is not set
+# CONFIG_RTC_DRV_ZYNQMP is not set
 
 CONFIG_R3964=m
 # CONFIG_APPLICOM is not set

config-x86-generic

@@ -314,6 +314,7 @@ CONFIG_XEN_PCIDEV_BACKEND=m
 CONFIG_XEN_ACPI_PROCESSOR=m
 # CONFIG_XEN_SCSI_FRONTEND is not set
 # CONFIG_XEN_SCSI_BACKEND is not set
+CONFIG_XEN_SYMS=y
 
 CONFIG_MTD_ESB2ROM=m
 CONFIG_MTD_CK804XROM=m
@@ -461,6 +462,8 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m
 
 CONFIG_HP_ACCEL=m
 
+CONFIG_SURFACE_PRO3_BUTTON=m
+
 # CONFIG_RAPIDIO is not set
 
 CONFIG_SCHED_SMT=y
@@ -562,6 +565,8 @@ CONFIG_MODULE_SIG_ALL=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 CONFIG_MODULE_SIG_SHA256=y
 # CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS=""
 CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
 CONFIG_EFI_SIGNATURE_LIST_PARSER=y
 

config-x86_64-generic

@@ -136,6 +136,7 @@ CONFIG_XEN_SYS_HYPERVISOR=y
 # CONFIG_XEN_MCE_LOG is not set
 # CONFIG_XEN_STUB is not set
 # CONFIG_XEN_PVH is not set
+CONFIG_XEN_512GB=y
 
 CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
 

efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,6 +1,7 @@
+From b4467813ec088c13bd8c9f1eafb7c29d889d7c8f Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@@ -12,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index c2e4f52cad30..5def6b4143fa 100644
+index 1ac118146e90..f93826b8522c 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1137,7 +1137,9 @@ void __init setup_arch(char **cmdline_p)
  
  #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
  	if (boot_params.secure_boot) {
@@ -37,3 +38,6 @@ index 85ef051ac6fb..de3e45088d4a 100644
  
  #ifdef CONFIG_EFI
  /*
+-- 
+2.4.3
+

efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch

@@ -1,6 +1,7 @@
+From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
+Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode
 
 A user can manually tell the shim boot loader to disable validation of
 images it loads.  When a user does this, it creates a UEFI variable called
@@ -14,7 +15,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 19 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 1ef8ea7f8ed9..d82dc9c1c19e 100644
+index b4de3faa3f29..5cc2ef570390 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -830,8 +830,9 @@ out:
@@ -52,3 +53,6 @@ index 1ef8ea7f8ed9..d82dc9c1c19e 100644
  	return 1;
  }
  
+-- 
+2.4.3
+

efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,6 +1,7 @@
+From 0081083434db41c15b72eced975da0bd9b80566b Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 12/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.
@@ -11,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 4da6644b1fd0..341a1457f7c7 100644
+index 14db458f4774..f6ff0a86d841 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1704,7 +1704,8 @@ config EFI_MIXED
+@@ -1735,7 +1735,8 @@ config EFI_MIXED
  	   If unsure, say N.
  
  config EFI_SECURE_BOOT_SIG_ENFORCE
@@ -24,3 +25,6 @@ index 4da6644b1fd0..341a1457f7c7 100644
  	prompt "Force module signing when UEFI Secure Boot is enabled"
  	---help---
  	  UEFI Secure Boot provides a mechanism for ensuring that the
+-- 
+2.4.3
+

hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,6 +1,7 @@
+From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH] hibernate: Disable in a signed modules environment
+Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -33,3 +34,6 @@ index 690f78f210f2..037303a1cba9 100644
  }
  
  /**
+-- 
+2.4.3
+

kernel.spec

@@ -67,7 +67,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 9
+%define gitrev 10
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -389,7 +389,7 @@ BuildRequires: rpm-build, elfutils
 %endif
 
 %if %{signmodules}
-BuildRequires: openssl
+BuildRequires: openssl-devel
 BuildRequires: pesign >= 0.10-4
 %endif
 
@@ -1304,11 +1304,9 @@ BuildKernel() {
     cp configs/$Config .config
 
     %if %{signmodules}
-    cp %{SOURCE11} .
+    cp %{SOURCE11} certs/.
     %endif
 
-    chmod +x scripts/sign-file
-
     Arch=`head -1 .config | cut -b 3-`
     echo USING ARCH=$Arch
 
@@ -1550,8 +1548,8 @@ BuildKernel() {
 
 %if %{signmodules}
     # Save the signing keys so we can sign the modules in __modsign_install_post
-    cp signing_key.priv signing_key.priv.sign${Flav}
-    cp signing_key.x509 signing_key.x509.sign${Flav}
+    cp certs/signing_key.pem certs/signing_key.pem.sign${Flav}
+    cp certs/signing_key.x509 certs/signing_key.x509.sign${Flav}
 %endif
 
     # Move the devel headers out of the root file system
@@ -1646,16 +1644,16 @@ popd
 %define __modsign_install_post \
   if [ "%{signmodules}" -eq "1" ]; then \
     if [ "%{with_pae}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign+%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
+      %{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
     fi \
     if [ "%{with_debug}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign+debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
+      %{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
     fi \
     if [ "%{with_pae_debug}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign+%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
+      %{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
     fi \
     if [ "%{with_up}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
+      %{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
     fi \
   fi \
   if [ "%{zipmodules}" -eq "1" ]; then \
@@ -2046,6 +2044,10 @@ fi
 #
 # 
 %changelog
+* Wed Sep 09 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.0-0.rc0.git10.1
+- Linux v4.2-10637-ga794b4f32921
+- Rework secure boot patchset
+
 * Tue Sep  8 2015 Peter Robinson <pbrobinson@fedoraproject.org>
 - Config updates for ARMv7/aarch64
 

kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,6 +1,7 @@
+From 1fc498d024c07e39105c060603e40cb7bc6bd5b8 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
  loading restrictions
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
@@ -38,3 +39,6 @@ index a785c1015e25..81d6b404f33c 100644
  	 * Verify we have a legal set of flags
  	 * This leaves us room for future extensions.
  	 */
+-- 
+2.4.3
+

sources

@@ -1,3 +1,4 @@
 3d5ea06d767e2f35c999eeadafc76523  linux-4.2.tar.xz
 4c964bfba54d65b5b54cc898baddecad  perf-man-4.2.tar.gz
 6a9a3a0d7627f69cff33dcbb902fb967  patch-4.2-git9.xz
+03499f6f8de1a578e3f9884a3a6cbd18  patch-4.2-git10.xz

x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,6 +1,8 @@
+From 7a3cdd26e6d38031338a6cb591ec2f3faaa9234b Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH] x86: Lock down IO port access when module security is enabled
+Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
+ enabled
 
 IO port access would permit users to gain access to PCI configuration
 registers, which in turn (on a lot of hardware) give access to MMIO register
@@ -65,3 +67,6 @@ index 6b1721f978c2..53fe675f9bd7 100644
  	if (!access_ok(VERIFY_READ, buf, count))
  		return -EFAULT;
  	while (count-- > 0 && i < 65536) {
+-- 
+2.4.3
+

x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,6 +1,8 @@
+From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH] x86: Restrict MSR access when module loading is restricted
+Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
+ restricted
 
 Writing to MSRs should not be allowed if module loading is restricted,
 since it could lead to execution of arbitrary code in kernel mode. Based
@@ -37,3 +39,6 @@ index 113e70784854..26c2f83fc470 100644
  		if (copy_from_user(&regs, uregs, sizeof regs)) {
  			err = -EFAULT;
  			break;
+-- 
+2.4.3
+