diff --git a/Makefile.rhelver b/Makefile.rhelver
index 931d6835d..913f12fc1 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 99
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 54
+RHEL_RELEASE = 55
 #
 # RHEL_REBASE_NUM
diff --git a/Patchlist.changelog b/Patchlist.changelog
index 9bc82bcf9..86fe440ec 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,9 @@
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/1820b71069f04d9347e71caeb9fe49e095dd28ec
+ 1820b71069f04d9347e71caeb9fe49e095dd28ec crypto: rng - Override drivers/char/random in FIPS mode
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/325cfb22f086df02e268cfbfa6ff96d89d0acd5d
+ 325cfb22f086df02e268cfbfa6ff96d89d0acd5d random: Add hook to override device reads and getrandom(2)
+
 "https://gitlab.com/cki-project/kernel-ark/-/commit"/8374deeb36ca291927f714ba4b78349fb3a6e3b1
 8374deeb36ca291927f714ba4b78349fb3a6e3b1 [redhat] kernel/rh_messages.c: move hardware tables to rh_messages.h
diff --git a/kernel-aarch64-64k-debug-rhel.config b/kernel-aarch64-64k-debug-rhel.config
index e7635196e..070f3a4c5 100644
--- a/kernel-aarch64-64k-debug-rhel.config
+++ b/kernel-aarch64-64k-debug-rhel.config
@@ -7855,7 +7855,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-aarch64-64k-rhel.config b/kernel-aarch64-64k-rhel.config
index 4bcd1adf8..72f9a0352 100644
--- a/kernel-aarch64-64k-rhel.config
+++ b/kernel-aarch64-64k-rhel.config
@@ -7830,7 +7830,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config
index 7a0a5152d..738452657 100644
--- a/kernel-aarch64-debug-rhel.config
+++ b/kernel-aarch64-debug-rhel.config
@@ -7851,7 +7851,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config
index 7a944e1ce..745494d7c 100644
--- a/kernel-aarch64-rhel.config
+++ b/kernel-aarch64-rhel.config
@@ -7826,7 +7826,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-aarch64-rt-debug-rhel.config b/kernel-aarch64-rt-debug-rhel.config
index 054bc060d..e0b5cc300 100644
--- a/kernel-aarch64-rt-debug-rhel.config
+++ b/kernel-aarch64-rt-debug-rhel.config
@@ -7907,7 +7907,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-aarch64-rt-rhel.config b/kernel-aarch64-rt-rhel.config
index f621a441d..fd41082c2 100644
--- a/kernel-aarch64-rt-rhel.config
+++ b/kernel-aarch64-rt-rhel.config
@@ -7882,7 +7882,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config
index 238d46fba..1b139402c 100644
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@@ -7330,7 +7330,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config
index 73c997f44..afafc4cbe 100644
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@@ -7307,7 +7307,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config
index 145fe11c5..c6ac2f7a1 100644
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@@ -7315,7 +7315,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config
index d612db24f..f3ce886f5 100644
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@@ -7292,7 +7292,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-s390x-zfcpdump-rhel.config b/kernel-s390x-zfcpdump-rhel.config
index 7a722374e..44699f8ee 100644
--- a/kernel-s390x-zfcpdump-rhel.config
+++ b/kernel-s390x-zfcpdump-rhel.config
@@ -7315,7 +7315,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 # CONFIG_XFS_FS is not set
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config
index 108ce715a..d87b0df0e 100644
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@@ -7665,7 +7665,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config
index 3a0e82893..38a7bec5b 100644
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@@ -7641,7 +7641,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-x86_64-rt-debug-rhel.config b/kernel-x86_64-rt-debug-rhel.config
index 0fcfb8c7a..1bba74766 100644
--- a/kernel-x86_64-rt-debug-rhel.config
+++ b/kernel-x86_64-rt-debug-rhel.config
@@ -7722,7 +7722,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel-x86_64-rt-rhel.config b/kernel-x86_64-rt-rhel.config
index 76a870e38..9547b32b8 100644
--- a/kernel-x86_64-rt-rhel.config
+++ b/kernel-x86_64-rt-rhel.config
@@ -7698,7 +7698,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set
diff --git a/kernel.spec b/kernel.spec
index b73d5543a..eb6b461db 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -163,13 +163,13 @@ Summary: The Linux kernel %define specrpmversion 6.6.0 %define specversion 6.6.0 %define patchversion 6.6 -%define pkgrelease 0.rc7.54 +%define pkgrelease 0.rc7.20231024gitd88520ad73b7.55 %define kversion 6 -%define tarfile_release 6.6-rc7 +%define tarfile_release 6.6-rc7-18-gd88520ad73b7 # This is needed to do merge window version magic %define patchlevel 6 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 0.rc7.54%{?buildid}%{?dist} +%define specrelease 0.rc7.20231024gitd88520ad73b7.55%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.6.0 @@ -3709,6 +3709,13 @@ fi\ # # %changelog +* Tue Oct 24 2023 Fedora Kernel Team [6.6.0-0.rc7.d88520ad73b7.55] +- redhat: remove pending-rhel CONFIG_XFS_ASSERT_FATAL file (Patrick Talbert) +- New configs in fs/xfs (Fedora Kernel Team) +- crypto: rng - Override drivers/char/random in FIPS mode (Herbert Xu) +- random: Add hook to override device reads and getrandom(2) (Herbert Xu) +- Linux v6.6.0-0.rc7.d88520ad73b7 + * Mon Oct 23 2023 Fedora Kernel Team [6.6.0-0.rc7.54] - Linux v6.6.0-0.rc7 diff --git a/patch-6.6-redhat.patch b/patch-6.6-redhat.patch index fb736634b..3c431a230 100644 --- a/patch-6.6-redhat.patch +++ b/patch-6.6-redhat.patch @@ -9,12 +9,15 @@ arch/s390/kernel/setup.c | 4 + arch/x86/kernel/cpu/common.c | 1 + arch/x86/kernel/setup.c | 68 ++- + crypto/drbg.c | 18 +- + crypto/rng.c | 149 +++++- drivers/acpi/apei/hest.c | 8 + drivers/acpi/irq.c | 17 +- drivers/acpi/scan.c | 9 + drivers/ata/libahci.c | 18 + drivers/char/ipmi/ipmi_dmi.c | 15 + drivers/char/ipmi/ipmi_msghandler.c | 16 +- + drivers/char/random.c | 122 +++++ drivers/firmware/efi/Makefile | 1 + drivers/firmware/efi/efi.c | 124 +++-- drivers/firmware/efi/secureboot.c | 38 ++ 
@@ -41,12 +44,14 @@ drivers/scsi/sd.c | 10 + drivers/usb/core/hub.c | 7 + fs/afs/main.c | 3 + + include/linux/crypto.h | 1 + include/linux/efi.h | 22 +- include/linux/kernel.h | 14 + include/linux/lsm_hook_defs.h | 2 + include/linux/module.h | 5 + include/linux/panic.h | 18 +- include/linux/pci.h | 5 + + include/linux/random.h | 10 + include/linux/rh_kabi.h | 515 +++++++++++++++++++++ include/linux/rmi.h | 1 + include/linux/security.h | 5 + @@ -64,7 +69,7 @@ security/lockdown/Kconfig | 13 + security/lockdown/lockdown.c | 1 + security/security.c | 12 + - 66 files changed, 1779 insertions(+), 188 deletions(-) + 71 files changed, 2060 insertions(+), 207 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 0a1731a0f0ef..7015d8d057a0 100644 
@@ -359,6 +364,280 @@ index b098b1fa2470..6b936d786590 100644 unwind_init(); } +diff --git a/crypto/drbg.c b/crypto/drbg.c +index ff4ebbc68efa..2410034cca4f 100644 +--- a/crypto/drbg.c ++++ b/crypto/drbg.c +@@ -1510,13 +1510,14 @@ static int drbg_generate(struct drbg_state *drbg, + * Wrapper around drbg_generate which can pull arbitrary long strings + * from the DRBG without hitting the maximum request limitation. + * +- * Parameters: see drbg_generate ++ * Parameters: see drbg_generate, except @reseed, which triggers reseeding + * Return codes: see drbg_generate -- if one drbg_generate request fails, + * the entire drbg_generate_long request fails + */ + static int drbg_generate_long(struct drbg_state *drbg, + unsigned char *buf, unsigned int buflen, +- struct drbg_string *addtl) ++ struct drbg_string *addtl, ++ bool reseed) + { + unsigned int len = 0; + unsigned int slice = 0; +@@ -1526,6 +1527,8 @@ static int drbg_generate_long(struct drbg_state *drbg, + slice = ((buflen - len) / drbg_max_request_bytes(drbg)); + chunk = slice ? 
drbg_max_request_bytes(drbg) : (buflen - len); + mutex_lock(&drbg->drbg_mutex); ++ if (reseed) ++ drbg->seeded = DRBG_SEED_STATE_UNSEEDED; + err = drbg_generate(drbg, buf + len, chunk, addtl); + mutex_unlock(&drbg->drbg_mutex); + if (0 > err) +@@ -1952,6 +1955,7 @@ static int drbg_kcapi_random(struct crypto_rng *tfm, + struct drbg_state *drbg = crypto_rng_ctx(tfm); + struct drbg_string *addtl = NULL; + struct drbg_string string; ++ int err; + + if (slen) { + /* linked list variable is now local to allow modification */ +@@ -1959,7 +1963,15 @@ static int drbg_kcapi_random(struct crypto_rng *tfm, + addtl = &string; + } + +- return drbg_generate_long(drbg, dst, dlen, addtl); ++ err = drbg_generate_long(drbg, dst, dlen, addtl, ++ (crypto_tfm_get_flags(crypto_rng_tfm(tfm)) & ++ CRYPTO_TFM_REQ_NEED_RESEED) == ++ CRYPTO_TFM_REQ_NEED_RESEED); ++ ++ crypto_tfm_clear_flags(crypto_rng_tfm(tfm), ++ CRYPTO_TFM_REQ_NEED_RESEED); ++ ++ return err; + } + + /* +diff --git a/crypto/rng.c b/crypto/rng.c +index 279dffdebf59..d24dd37205cd 100644 +--- a/crypto/rng.c ++++ b/crypto/rng.c +@@ -12,10 +12,13 @@ + #include + #include + #include ++#include + #include + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -23,7 +26,9 @@ + + #include "internal.h" + +-static DEFINE_MUTEX(crypto_default_rng_lock); ++static ____cacheline_aligned_in_smp DEFINE_MUTEX(crypto_reseed_rng_lock); ++static struct crypto_rng *crypto_reseed_rng; ++static ____cacheline_aligned_in_smp DEFINE_MUTEX(crypto_default_rng_lock); + struct crypto_rng *crypto_default_rng; + EXPORT_SYMBOL_GPL(crypto_default_rng); + static int crypto_default_rng_refcnt; +@@ -136,31 +141,37 @@ struct crypto_rng *crypto_alloc_rng(const char *alg_name, u32 type, u32 mask) + } + EXPORT_SYMBOL_GPL(crypto_alloc_rng); + +-int crypto_get_default_rng(void) ++static int crypto_get_rng(struct crypto_rng **rngp) + { + struct crypto_rng *rng; + int err; + +- mutex_lock(&crypto_default_rng_lock); +- if 
(!crypto_default_rng) { ++ if (!*rngp) { + rng = crypto_alloc_rng("stdrng", 0, 0); + err = PTR_ERR(rng); + if (IS_ERR(rng)) +- goto unlock; ++ return err; + + err = crypto_rng_reset(rng, NULL, crypto_rng_seedsize(rng)); + if (err) { + crypto_free_rng(rng); +- goto unlock; ++ return err; + } + +- crypto_default_rng = rng; ++ *rngp = rng; + } + +- crypto_default_rng_refcnt++; +- err = 0; ++ return 0; ++} ++ ++int crypto_get_default_rng(void) ++{ ++ int err; + +-unlock: ++ mutex_lock(&crypto_default_rng_lock); ++ err = crypto_get_rng(&crypto_default_rng); ++ if (!err) ++ crypto_default_rng_refcnt++; + mutex_unlock(&crypto_default_rng_lock); + + return err; +@@ -176,24 +187,33 @@ void crypto_put_default_rng(void) + EXPORT_SYMBOL_GPL(crypto_put_default_rng); + + #if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE) +-int crypto_del_default_rng(void) ++static int crypto_del_rng(struct crypto_rng **rngp, int *refcntp, ++ struct mutex *lock) + { + int err = -EBUSY; + +- mutex_lock(&crypto_default_rng_lock); +- if (crypto_default_rng_refcnt) ++ mutex_lock(lock); ++ if (refcntp && *refcntp) + goto out; + +- crypto_free_rng(crypto_default_rng); +- crypto_default_rng = NULL; ++ crypto_free_rng(*rngp); ++ *rngp = NULL; + + err = 0; + + out: +- mutex_unlock(&crypto_default_rng_lock); ++ mutex_unlock(lock); + + return err; + } ++ ++int crypto_del_default_rng(void) ++{ ++ return crypto_del_rng(&crypto_default_rng, &crypto_default_rng_refcnt, ++ &crypto_default_rng_lock) ?: ++ crypto_del_rng(&crypto_reseed_rng, NULL, ++ &crypto_reseed_rng_lock); ++} + EXPORT_SYMBOL_GPL(crypto_del_default_rng); + #endif + +@@ -251,5 +271,102 @@ void crypto_unregister_rngs(struct rng_alg *algs, int count) + } + EXPORT_SYMBOL_GPL(crypto_unregister_rngs); + ++static ssize_t crypto_devrandom_read_iter(struct iov_iter *iter, bool reseed) ++{ ++ struct crypto_rng *rng; ++ u8 tmp[256]; ++ ssize_t ret; ++ ++ if (unlikely(!iov_iter_count(iter))) ++ return 0; ++ ++ if (reseed) { ++ u32 flags = 
0; ++ ++ /* If reseeding is requested, acquire a lock on ++ * crypto_reseed_rng so it is not swapped out until ++ * the initial random bytes are generated. ++ * ++ * The algorithm implementation is also protected with ++ * a separate mutex (drbg->drbg_mutex) around the ++ * reseed-and-generate operation. ++ */ ++ mutex_lock(&crypto_reseed_rng_lock); ++ ++ /* If crypto_default_rng is not set, it will be seeded ++ * at creation in __crypto_get_default_rng and thus no ++ * reseeding is needed. ++ */ ++ if (crypto_reseed_rng) ++ flags |= CRYPTO_TFM_REQ_NEED_RESEED; ++ ++ ret = crypto_get_rng(&crypto_reseed_rng); ++ if (ret) { ++ mutex_unlock(&crypto_reseed_rng_lock); ++ return ret; ++ } ++ ++ rng = crypto_reseed_rng; ++ crypto_tfm_set_flags(crypto_rng_tfm(rng), flags); ++ } else { ++ ret = crypto_get_default_rng(); ++ if (ret) ++ return ret; ++ rng = crypto_default_rng; ++ } ++ ++ for (;;) { ++ size_t i, copied; ++ int err; ++ ++ i = min_t(size_t, iov_iter_count(iter), sizeof(tmp)); ++ err = crypto_rng_get_bytes(rng, tmp, i); ++ if (err) { ++ ret = err; ++ break; ++ } ++ ++ copied = copy_to_iter(tmp, i, iter); ++ ret += copied; ++ ++ if (!iov_iter_count(iter)) ++ break; ++ ++ if (need_resched()) { ++ if (signal_pending(current)) ++ break; ++ schedule(); ++ } ++ } ++ ++ if (reseed) ++ mutex_unlock(&crypto_reseed_rng_lock); ++ else ++ crypto_put_default_rng(); ++ memzero_explicit(tmp, sizeof(tmp)); ++ ++ return ret; ++} ++ ++static const struct random_extrng crypto_devrandom_rng = { ++ .extrng_read_iter = crypto_devrandom_read_iter, ++ .owner = THIS_MODULE, ++}; ++ ++static int __init crypto_rng_init(void) ++{ ++ if (fips_enabled) ++ random_register_extrng(&crypto_devrandom_rng); ++ return 0; ++} ++ ++static void __exit crypto_rng_exit(void) ++{ ++ random_unregister_extrng(); ++} ++ ++late_initcall(crypto_rng_init); ++module_exit(crypto_rng_exit); ++ + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Random Number Generator"); 
diff --git a/drivers/acpi/apei/hest.c b/drivers/acpi/apei/hest.c index 6aef1ee5e1bd..8f146b1b4972 100644 --- a/drivers/acpi/apei/hest.c 
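Review bot: The copy loop in the added `crypto_devrandom_read_iter()` (crypto/rng.c) never checks for a short `copy_to_iter()`: if the user buffer faults, `copied` is less than `i`, `iov_iter_count(iter)` stays non-zero, and the loop keeps drawing DRBG output and retrying until a signal happens to be pending at a reschedule point. On the `reseed` path this happens with `crypto_reseed_rng_lock` held, so one caller with a bad buffer stalls every other `GRND_RANDOM` request. Break on a short copy and report the fault, e.g. `if (!iov_iter_count(iter) || copied != i) break;` in the loop and `return ret ? ret : -EFAULT;` at the end. The comment above the `if (crypto_reseed_rng)` test also names `crypto_default_rng` and `__crypto_get_default_rng`, neither of which that branch uses; it should refer to `crypto_reseed_rng` and `crypto_get_rng`.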
@@ -531,6 +810,203 @@ index 186f1fee7534..93e3a76596ff 100644 mutex_lock(&ipmi_interfaces_mutex); rv = ipmi_register_driver(); mutex_unlock(&ipmi_interfaces_mutex); +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 3cb37760dfec..20aa9f3b8b48 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -51,6 +51,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -309,6 +310,11 @@ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], + memzero_explicit(first_block, sizeof(first_block)); + } + ++/* ++ * Hook for external RNG. ++ */ ++static const struct random_extrng __rcu *extrng; ++ + /* + * This function returns a ChaCha state that you may use for generating + * random data. It also returns up to 32 bytes on its own of random data +@@ -739,6 +745,9 @@ static void __cold _credit_init_bits(size_t bits) + } + + ++static const struct file_operations extrng_random_fops; ++static const struct file_operations extrng_urandom_fops; ++ + /********************************************************************** + * + * Entropy collection routines. 
+@@ -956,6 +965,19 @@ void __init add_bootloader_randomness(const void *buf, size_t len) + credit_init_bits(len * 8); + } + ++void random_register_extrng(const struct random_extrng *rng) ++{ ++ rcu_assign_pointer(extrng, rng); ++} ++EXPORT_SYMBOL_GPL(random_register_extrng); ++ ++void random_unregister_extrng(void) ++{ ++ RCU_INIT_POINTER(extrng, NULL); ++ synchronize_rcu(); ++} ++EXPORT_SYMBOL_GPL(random_unregister_extrng); ++ + #if IS_ENABLED(CONFIG_VMGENID) + static BLOCKING_NOTIFIER_HEAD(vmfork_chain); + +@@ -1366,6 +1388,7 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags + struct iov_iter iter; + struct iovec iov; + int ret; ++ const struct random_extrng *rng; + + if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) + return -EINVAL; +@@ -1377,6 +1400,21 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags + if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) + return -EINVAL; + ++ rcu_read_lock(); ++ rng = rcu_dereference(extrng); ++ if (rng && !try_module_get(rng->owner)) ++ rng = NULL; ++ rcu_read_unlock(); ++ ++ if (rng) { ++ ret = import_single_range(ITER_DEST, ubuf, len, &iov, &iter); ++ if (unlikely(ret)) ++ return ret; ++ ret = rng->extrng_read_iter(&iter, !!(flags & GRND_RANDOM)); ++ module_put(rng->owner); ++ return ret; ++ } ++ + if (!crng_ready() && !(flags & GRND_INSECURE)) { + if (flags & GRND_NONBLOCK) + return -EAGAIN; +@@ -1397,6 +1435,12 @@ static __poll_t random_poll(struct file *file, poll_table *wait) + return crng_ready() ? 
EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM; + } + ++static __poll_t extrng_poll(struct file *file, poll_table * wait) ++{ ++ /* extrng pool is always full, always read, no writes */ ++ return EPOLLIN | EPOLLRDNORM; ++} ++ + static ssize_t write_pool_user(struct iov_iter *iter) + { + u8 block[BLAKE2S_BLOCK_SIZE]; +@@ -1538,7 +1582,58 @@ static int random_fasync(int fd, struct file *filp, int on) + return fasync_helper(fd, filp, on, &fasync); + } + ++static int random_open(struct inode *inode, struct file *filp) ++{ ++ const struct random_extrng *rng; ++ ++ rcu_read_lock(); ++ rng = rcu_dereference(extrng); ++ if (rng && !try_module_get(rng->owner)) ++ rng = NULL; ++ rcu_read_unlock(); ++ ++ if (!rng) ++ return 0; ++ ++ filp->f_op = &extrng_random_fops; ++ filp->private_data = rng->owner; ++ ++ return 0; ++} ++ ++static int urandom_open(struct inode *inode, struct file *filp) ++{ ++ const struct random_extrng *rng; ++ ++ rcu_read_lock(); ++ rng = rcu_dereference(extrng); ++ if (rng && !try_module_get(rng->owner)) ++ rng = NULL; ++ rcu_read_unlock(); ++ ++ if (!rng) ++ return 0; ++ ++ filp->f_op = &extrng_urandom_fops; ++ filp->private_data = rng->owner; ++ ++ return 0; ++} ++ ++static int extrng_release(struct inode *inode, struct file *filp) ++{ ++ module_put(filp->private_data); ++ return 0; ++} ++ ++static ssize_t ++extrng_read_iter(struct kiocb *kiocb, struct iov_iter *iter) ++{ ++ return rcu_dereference_raw(extrng)->extrng_read_iter(iter, false); ++} ++ + const struct file_operations random_fops = { ++ .open = random_open, + .read_iter = random_read_iter, + .write_iter = random_write_iter, + .poll = random_poll, +@@ -1551,6 +1646,7 @@ const struct file_operations random_fops = { + }; + + const struct file_operations urandom_fops = { ++ .open = urandom_open, + .read_iter = urandom_read_iter, + .write_iter = random_write_iter, + .unlocked_ioctl = random_ioctl, +@@ -1561,6 +1657,32 @@ const struct file_operations urandom_fops = { + .splice_write = 
iter_file_splice_write, + }; + ++static const struct file_operations extrng_random_fops = { ++ .open = random_open, ++ .read_iter = extrng_read_iter, ++ .write_iter = random_write_iter, ++ .poll = extrng_poll, ++ .unlocked_ioctl = random_ioctl, ++ .compat_ioctl = compat_ptr_ioctl, ++ .fasync = random_fasync, ++ .llseek = noop_llseek, ++ .release = extrng_release, ++ .splice_read = copy_splice_read, ++ .splice_write = iter_file_splice_write, ++}; ++ ++static const struct file_operations extrng_urandom_fops = { ++ .open = urandom_open, ++ .read_iter = extrng_read_iter, ++ .write_iter = random_write_iter, ++ .unlocked_ioctl = random_ioctl, ++ .compat_ioctl = compat_ptr_ioctl, ++ .fasync = random_fasync, ++ .llseek = noop_llseek, ++ .release = extrng_release, ++ .splice_read = copy_splice_read, ++ .splice_write = iter_file_splice_write, ++}; + + /******************************************************************** + * diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile index e489fefd23da..f2dfae764fb5 100644 --- a/drivers/firmware/efi/Makefile @@ -1704,6 +2180,18 @@ index eae288c8d40a..8b8bf447cedc 100644 return ret; error_proc: +diff --git a/include/linux/crypto.h b/include/linux/crypto.h +index 31f6fee0c36c..b099200de233 100644 +--- a/include/linux/crypto.h ++++ b/include/linux/crypto.h +@@ -135,6 +135,7 @@ + #define CRYPTO_TFM_REQ_FORBID_WEAK_KEYS 0x00000100 + #define CRYPTO_TFM_REQ_MAY_SLEEP 0x00000200 + #define CRYPTO_TFM_REQ_MAY_BACKLOG 0x00000400 ++#define CRYPTO_TFM_REQ_NEED_RESEED 0x00000800 + + /* + * Miscellaneous stuff. diff --git a/include/linux/efi.h b/include/linux/efi.h index 80b21d1c6eaf..b66c0683f2fc 100644 --- a/include/linux/efi.h 
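Review bot: `extrng_read_iter()` in drivers/char/random.c calls through `rcu_dereference_raw(extrng)` with no NULL check and outside any RCU read section, so it is safe only if a provider can never be unregistered while a file opened under it still exists. The opens pin `rng->owner`, but `try_module_get()` succeeds trivially for a NULL owner, and the exported `random_unregister_extrng()` clears the pointer unconditionally, so nothing in this hunk enforces that invariant. Keeping the pinned provider on the file removes the global lookup: store it with `filp->private_data = (void *)rng;`, read it back from `kiocb->ki_filp->private_data` in `extrng_read_iter()`, and have `extrng_release()` call `module_put(rng->owner)`. A comment should also record that `/dev/random` reads pass `reseed` as `false`, so only `getrandom(GRND_RANDOM)` ever requests a reseed.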
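Review bot: `CRYPTO_TFM_REQ_NEED_RESEED` is added to include/linux/crypto.h without a comment, and unlike the neighbouring request flags it is one-shot state: in this patch crypto/rng.c sets it on a shared tfm and only `drbg_kcapi_random()` reads and clears it. An `stdrng` backed by any other implementation would presumably ignore the request and leave the bit set, so the contract belongs next to the define, e.g. `/* rng only: force a reseed before the next generate; consumed and cleared by the rng implementation */`.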
@@ -1881,6 +2369,34 @@ index 8c7c2c3c6c65..ee66c86fc538 100644 #if defined(CONFIG_PCIEPORTBUS) || defined(CONFIG_EEH) void pci_uevent_ers(struct pci_dev *pdev, enum pci_ers_result err_type); #endif +diff --git a/include/linux/random.h b/include/linux/random.h +index b0a940af4fff..8a52424fd0d5 100644 +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -9,6 +9,13 @@ + + #include + ++struct iov_iter; ++ ++struct random_extrng { ++ ssize_t (*extrng_read_iter)(struct iov_iter *iter, bool reseed); ++ struct module *owner; ++}; ++ + struct notifier_block; + + void add_device_randomness(const void *buf, size_t len); +@@ -157,6 +164,9 @@ int random_prepare_cpu(unsigned int cpu); + int random_online_cpu(unsigned int cpu); + #endif + ++void random_register_extrng(const struct random_extrng *rng); ++void random_unregister_extrng(void); ++ + #ifndef MODULE + extern const struct file_operations random_fops, urandom_fops; + #endif diff --git a/include/linux/rh_kabi.h b/include/linux/rh_kabi.h new file mode 100644 index 000000000000..c7b42c1f1681 diff --git a/sources b/sources index 0eabfc7a2..204296f20 100644 --- a/sources +++ b/sources 
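Review bot: `struct random_extrng` and the two registration functions are declared in include/linux/random.h with no statement of the contract that drivers/char/random.c relies on. A kernel-doc comment should say that `extrng_read_iter` may sleep (the crypto implementation takes mutexes and calls `schedule()`), returns the byte count or a negative errno, and receives `reseed` only for `getrandom(GRND_RANDOM)`, and that `owner` is pinned for every open file and every in-flight `getrandom()`. `random_register_extrng()` returns `void` and, as written in the random.c hunk, overwrites any provider already installed; either document that there is a single provider and the last registration wins, or return `-EBUSY` when `extrng` is already set.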
@@ -1,3 +1,3 @@
-SHA512 (linux-6.6-rc7.tar.xz) = c554605c021dc569a22d5479a0792f5fc23a949a9fb76343ee3594b72514f2950611db69d4f1ab5a8d390ed979fd41a87aee080bbebf78c9cfc882e608ab63e3
-SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = 896b1b24617e3a6905c26dd2a50b23ff2e2c7627f6b6dc12b328d5f74109016722b4ba050c5051886cb597308a793366346a34d7ec82a658b646d5288b347ae7
-SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = f98c14408c8434ecd253c6781c4f918cf1497da7bd55a79382fcf9dc67512d48e9357825c99a960616d2a9403d55be46989344cd201f762fd5450a2115e43c2a
+SHA512 (linux-6.6-rc7-18-gd88520ad73b7.tar.xz) = def0ee2feec1780c60049aa4fdb8d06fc16052a680712044750f0338af2a07d1c08e03db2fcae2163ea2196e935013740fee692fd72a82efa0bf83d24a8b248e
+SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = e71711bc322fd6c936efc31ee25054dfc85e21dd7cdbecf151dcff39eadcd3ac32d769667957687d7816c733c824ef8d5d8af30a3bcf4725b28833194a926ec8
+SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = 7ba67c6e5874e4336adfa4dbe459d27c256367e0355d77d4b02ca067ee3a65dd1876aa58b7c1d93c5a293d86b6041403f2aca9bfb58564ccd4b393cce468bbef