add devel-sysrq-secure-boot-20130717.patch

devel-sysrq-secure-boot-20130717.patch

@@ -0,0 +1,284 @@
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 6ad8292..e7b9374 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -2784,7 +2784,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ 			Note: increases power consumption, thus should only be
+ 			enabled if running jitter sensitive (HPC/RT) workloads.
+ 
+-	secureboot_enable=
++	secureboot_enable
+ 			[KNL] Enables an emulated UEFI Secure Boot mode.  This
+ 			locks down various aspects of the kernel guarded by the
+ 			CAP_COMPROMISE_KERNEL capability.  This includes things
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 167ca34..ba3c8f2 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -70,6 +70,11 @@
+ #include <linux/tboot.h>
+ #include <linux/jiffies.h>
+ 
++#include <linux/fips.h>
++#include <linux/cred.h>
++#include <linux/sysrq.h>
++#include <linux/init_task.h>
++
+ #include <video/edid.h>
+ 
+ #include <asm/mtrr.h>
+@@ -1252,3 +1257,59 @@ void __init i386_reserve_resources(void)
+ }
+ 
+ #endif /* CONFIG_X86_32 */
++
++#ifdef CONFIG_MODULE_SIG
++extern bool sig_enforce;
++#endif
++
++int sb_enabled;
++
++void __init secureboot_enable()
++{
++	pr_info("Secure boot enabled\n");
++	cap_lower(init_cred.cap_bset, CAP_COMPROMISE_KERNEL);
++	cap_lower(init_cred.cap_permitted, CAP_COMPROMISE_KERNEL);
++#ifdef CONFIG_MODULE_SIG
++	/* Enable module signature enforcing */
++	sig_enforce = true;
++#endif
++	sb_enabled = 1;
++}
++
++/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
++static int __init secureboot_enable_opt(char *__unused)
++{
++	secureboot_enable();
++	return 1;
++}
++__setup("secureboot_enable", secureboot_enable_opt);
++
++#ifdef CONFIG_MAGIC_SYSRQ
++extern int sb_enabled;
++static void sysrq_handle_secure_boot(int key)
++{
++	if (!sb_enabled)
++		return;
++
++	pr_info("Secure boot disabled\n");
++	cap_raise(init_cred.cap_bset, CAP_COMPROMISE_KERNEL);
++	cap_raise(init_cred.cap_permitted, CAP_COMPROMISE_KERNEL);
++#ifdef CONFIG_MODULE_SIG
++	sig_enforce = fips_enabled;
++#endif
++	sb_enabled = 0;
++}
++static struct sysrq_key_op secure_boot_sysrq_op = {
++	.handler	=	sysrq_handle_secure_boot,
++	.help_msg	=	"unSB(x)",
++	.action_msg	=	"Disabling Secure Boot restrictions",
++	.enable_mask	=	SYSRQ_DISABLE_USERSPACE,
++};
++static int __init secure_boot_sysrq(void)
++{
++	if (sb_enabled)
++		register_sysrq_key('x', &secure_boot_sysrq_op);
++	return 0;
++}
++late_initcall(secure_boot_sysrq);
++#endif /*CONFIG_MAGIC_SYSRQ*/
+diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
+index a0a4bba..3327cc3 100644
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -351,6 +351,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
+ 	if (!udev->dev)
+ 		return -ENOMEM;
+ 
++	udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
+ 	udev->dev->event = uinput_dev_event;
+ 	input_set_drvdata(udev->dev, udev);
+ 
+diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
+index d5cc3ac..05b33f5 100644
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -461,6 +461,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+ 	&sysrq_showstate_blocked_op,	/* w */
+ 	/* x: May be registered on ppc/powerpc for xmon */
+ 	/* x: May be registered on sparc64 for global PMU dump */
++	/* x: May be registered on x86_64 for disabling secure boot */
+ 	NULL,				/* x */
+ 	/* y: May be registered on sparc64 for global register dump */
+ 	NULL,				/* y */
+@@ -504,7 +505,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+                 sysrq_key_table[i] = op_p;
+ }
+ 
+-void __handle_sysrq(int key, bool check_mask)
++void __handle_sysrq(int key, int from)
+ {
+ 	struct sysrq_key_op *op_p;
+ 	int orig_log_level;
+@@ -524,11 +525,15 @@ void __handle_sysrq(int key, bool check_mask)
+ 
+         op_p = __sysrq_get_key_op(key);
+         if (op_p) {
++		/* Ban synthetic events from some sysrq functionality */
++		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
++		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
++			printk("This sysrq operation is disabled from userspace.\n");
+ 		/*
+ 		 * Should we check for enabled operations (/proc/sysrq-trigger
+ 		 * should not) and is the invoked operation enabled?
+ 		 */
+-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
++		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+ 			printk("%s\n", op_p->action_msg);
+ 			console_loglevel = orig_log_level;
+ 			op_p->handler(key);
+@@ -559,7 +564,7 @@ void __handle_sysrq(int key, bool check_mask)
+ void handle_sysrq(int key)
+ {
+ 	if (sysrq_on())
+-		__handle_sysrq(key, true);
++		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
+ }
+ EXPORT_SYMBOL(handle_sysrq);
+ 
+@@ -639,7 +644,7 @@ static void sysrq_do_reset(unsigned long _state)
+ static void sysrq_handle_reset_request(struct sysrq_state *state)
+ {
+ 	if (state->reset_requested)
+-		__handle_sysrq(sysrq_xlate[KEY_B], false);
++		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
+ 
+ 	if (sysrq_reset_downtime_ms)
+ 		mod_timer(&state->keyreset_timer,
+@@ -756,8 +761,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+ 
+ 	default:
+ 		if (sysrq->active && value && value != 2) {
++			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
++					SYSRQ_FROM_SYNTHETIC : 0;
+ 			sysrq->need_reinject = false;
+-			__handle_sysrq(sysrq_xlate[code], true);
++			__handle_sysrq(sysrq_xlate[code], from);
+ 		}
+ 		break;
+ 	}
+@@ -1038,7 +1045,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+ 
+ 		if (get_user(c, buf))
+ 			return -EFAULT;
+-		__handle_sysrq(c, false);
++		__handle_sysrq(c, SYSRQ_FROM_PROC);
+ 	}
+ 
+ 	return count;
+diff --git a/include/linux/input.h b/include/linux/input.h
+index 82ce323..9e534f2 100644
+--- a/include/linux/input.h
++++ b/include/linux/input.h
+@@ -42,6 +42,7 @@ struct input_value {
+  * @phys: physical path to the device in the system hierarchy
+  * @uniq: unique identification code for the device (if device has it)
+  * @id: id of the device (struct input_id)
++ * @flags: input device flags (SYNTHETIC, etc.)
+  * @propbit: bitmap of device properties and quirks
+  * @evbit: bitmap of types of events supported by the device (EV_KEY,
+  *	EV_REL, etc.)
+@@ -124,6 +125,8 @@ struct input_dev {
+ 	const char *uniq;
+ 	struct input_id id;
+ 
++	unsigned int flags;
++
+ 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
+ 
+ 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
+@@ -190,6 +193,8 @@ struct input_dev {
+ };
+ #define to_input_dev(d) container_of(d, struct input_dev, dev)
+ 
++#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
++
+ /*
+  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
+  */
+diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
+index 7faf933..87ae634 100644
+--- a/include/linux/sysrq.h
++++ b/include/linux/sysrq.h
+@@ -31,6 +31,8 @@
+ #define SYSRQ_ENABLE_BOOT	0x0080
+ #define SYSRQ_ENABLE_RTNICE	0x0100
+ 
++#define SYSRQ_DISABLE_USERSPACE	0x00010000
++
+ struct sysrq_key_op {
+ 	void (*handler)(int);
+ 	char *help_msg;
+@@ -45,8 +47,12 @@ struct sysrq_key_op {
+  * are available -- else NULL's).
+  */
+ 
++#define SYSRQ_FROM_KERNEL	0x0001
++#define SYSRQ_FROM_PROC		0x0002
++#define SYSRQ_FROM_SYNTHETIC	0x0004
++
+ void handle_sysrq(int key);
+-void __handle_sysrq(int key, bool check_mask);
++void __handle_sysrq(int key, int from);
+ int register_sysrq_key(int key, struct sysrq_key_op *op);
+ int unregister_sysrq_key(int key, struct sysrq_key_op *op);
+ struct sysrq_key_op *__sysrq_get_key_op(int key);
+diff --git a/kernel/cred.c b/kernel/cred.c
+index c5554e0..e0573a4 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -565,31 +565,6 @@ void __init cred_init(void)
+ 				     0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
+ }
+ 
+-#ifdef CONFIG_MODULE_SIG
+-extern bool sig_enforce;
+-#endif
+-
+-void __init secureboot_enable()
+-{
+-	pr_info("Secure boot enabled\n");
+-	cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);
+-	cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);
+-#ifdef CONFIG_MODULE_SIG
+-	/* Enable module signature enforcing */
+-	sig_enforce = true;
+-#endif
+-}
+-
+-/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
+-static int __init secureboot_enable_opt(char *str)
+-{
+-	int sb_enable = !!simple_strtol(str, NULL, 0);
+-	if (sb_enable)
+-		secureboot_enable();
+-	return 1;
+-}
+-__setup("secureboot_enable=", secureboot_enable_opt);
+-
+ /**
+  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
+  * @daemon: A userspace daemon to be used as a reference
+diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
+index 00eb8f7..54fbbcc 100644
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -1921,7 +1921,7 @@ static int kdb_sr(int argc, const char **argv)
+ 	if (argc != 1)
+ 		return KDB_ARGCOUNT;
+ 	kdb_trap_printk++;
+-	__handle_sysrq(*argv[1], false);
++	__handle_sysrq(*argv[1], SYSRQ_FROM_KERNEL);
+ 	kdb_trap_printk--;
+ 
+ 	return 0;

kernel.spec

@@ -676,6 +676,7 @@ Patch800: crash-driver.patch
 
 # secure boot
 Patch1000: devel-pekey-secure-boot-20130502.patch
+Patch1001: devel-sysrq-secure-boot-20130717.patch
 
 # virt + ksm patches
 
@@ -1394,6 +1395,7 @@ ApplyPatch crash-driver.patch
 
 # secure boot
 ApplyPatch devel-pekey-secure-boot-20130502.patch
+ApplyPatch devel-sysrq-secure-boot-20130717.patch
 
 # Assorted Virt Fixes
 
@@ -2265,6 +2267,11 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Thu Jul 18 2013 Kyle McMartin <kyle@redhat.com>
+- devel-sysrq-secure-boot-20130717.patch: add a patch that allows the user to
+  disable secure boot restrictions from the local console or local serial
+  (but not /proc/sysrq-trigger or via uinput) by using SysRQ-x.
+
 * Wed Jul 17 2013 Kyle McMartin <kyle@redhat.com> - 3.11.0-0.rc1.git1.1
 - Linux v3.11-rc1-19-gc0d15cc
 - Reenable debugging options.