From a8e5aec61fa20ccf7d513488b6d8574603dee9f6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 24 Jan 2013 16:56:31 -0500 Subject: [PATCH] Update secure-boot patchset --- kernel.spec | 9 +- ...130116.patch => secure-boot-20130124.patch | 767 ++++++++++++++---- 2 files changed, 634 insertions(+), 142 deletions(-) rename secure-boot-20130116.patch => secure-boot-20130124.patch (66%) diff --git a/kernel.spec b/kernel.spec index 9e6b3d6c5..6e040d94c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 3 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -670,7 +670,7 @@ Patch800: crash-driver.patch # crypto/ # secure boot -Patch1000: secure-boot-20130116.patch +Patch1000: secure-boot-20130124.patch Patch1001: efivarfs-nlink-fix.patch # virt + ksm patches @@ -1384,7 +1384,7 @@ ApplyPatch crash-driver.patch # crypto/ # secure boot -ApplyPatch secure-boot-20130116.patch +ApplyPatch secure-boot-20130124.patch ApplyPatch efivarfs-nlink-fix.patch # Assorted Virt Fixes @@ -2312,6 +2312,9 @@ fi # ||----w | # || || %changelog +* Thu Jan 24 2013 Josh Boyer +- Update secure-boot patchset + * Thu Jan 24 2013 Justin M. Forbes - 3.8.0-0.rc4.git4.1 - Linux v3.8-rc4-183-gff7532c - Enable lockdep diff --git a/secure-boot-20130116.patch b/secure-boot-20130124.patch similarity index 66% rename from secure-boot-20130116.patch rename to secure-boot-20130124.patch index c2fb23a69..84247c87c 100644 --- a/secure-boot-20130116.patch +++ b/secure-boot-20130124.patch @@ -1,7 +1,551 @@ -From 6f37ec98c44d2985746d3eeaea874ce6a684c0ac Mon Sep 17 00:00:00 2001 +From 10271230f790bda30cd4f6767fce25ad6da4a9cf Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Wed, 14 Nov 2012 09:42:35 +0000 +Subject: [PATCH 1/2] efi: Make 'efi_enabled' a function to query EFI + facilities + +Originally 'efi_enabled' indicated whether a kernel was booted from +EFI firmware. Over time its semantics have changed, and it now +indicates whether or not we are booted on an EFI machine with +bit-native firmware, e.g. 64-bit kernel with 64-bit firmware. + +The immediate motivation for this patch is the bug report at, + + https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557 + +which details how running a platform driver on an EFI machine that is +designed to run under BIOS can cause the machine to become +bricked. Also, the following report, + + https://bugzilla.kernel.org/show_bug.cgi?id=47121 + +details how running said driver can also cause Machine Check +Exceptions. Drivers need a new means of detecting whether they're +running on an EFI machine, as sadly the expression, + + if (!efi_enabled) + +hasn't been a sufficient condition for quite some time. + +Users actually want to query 'efi_enabled' for different reasons - +what they really want access to is the list of available EFI +facilities. + +For instance, the x86 reboot code needs to know whether it can invoke +the ResetSystem() function provided by the EFI runtime services, while +the ACPI OSL code wants to know whether the EFI config tables were +mapped successfully. There are also checks in some of the platform +driver code to simply see if they're running on an EFI machine (which +would make it a bad idea to do BIOS-y things). + +Cc: David Airlie +Cc: H. Peter Anvin +Cc: Corentin Chary +Cc: Matthew Garrett +Cc: Dave Jiang +Cc: Olof Johansson +Cc: Peter Jones +Cc: Colin Ian King +Cc: Steve Langasek +Cc: Tony Luck +Cc: Konrad Rzeszutek Wilk +Cc: Rafael J. Wysocki +Cc: stable@vger.kernel.org +Signed-off-by: Matt Fleming +--- + arch/x86/include/asm/efi.h | 1 + + arch/x86/kernel/reboot.c | 2 +- + arch/x86/kernel/setup.c | 28 ++++++++--------- + arch/x86/platform/efi/efi.c | 57 ++++++++++++++++++++-------------- + drivers/acpi/osl.c | 2 +- + drivers/firmware/dmi_scan.c | 2 +- + drivers/firmware/efivars.c | 4 +-- + drivers/firmware/iscsi_ibft_find.c | 2 +- + drivers/gpu/drm/radeon/radeon_device.c | 3 +- + drivers/platform/x86/ibm_rtl.c | 2 +- + drivers/scsi/isci/init.c | 2 +- + include/linux/efi.h | 24 ++++++++++---- + init/main.c | 4 +-- + 13 files changed, 79 insertions(+), 54 deletions(-) + +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h +index 6e8fdf5..28677c5 100644 +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -94,6 +94,7 @@ extern void __iomem *efi_ioremap(unsigned long addr, unsigned long size, + #endif /* CONFIG_X86_32 */ + + extern int add_efi_memmap; ++extern unsigned long x86_efi_facility; + extern void efi_set_executable(efi_memory_desc_t *md, bool executable); + extern int efi_memblock_x86_reserve_range(void); + extern void efi_call_phys_prelog(void); +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index 4e8ba39..76fa1e9 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -584,7 +584,7 @@ static void native_machine_emergency_restart(void) + break; + + case BOOT_EFI: +- if (efi_enabled) ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) + efi.reset_system(reboot_mode ? + EFI_RESET_WARM : + EFI_RESET_COLD, +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 23ddd55..dbc7369 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -729,15 +729,15 @@ void __init setup_arch(char **cmdline_p) + #ifdef CONFIG_EFI + if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature, + "EL32", 4)) { +- efi_enabled = 1; +- efi_64bit = false; ++ set_bit(EFI_BOOT, &x86_efi_facility); + } else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature, + "EL64", 4)) { +- efi_enabled = 1; +- efi_64bit = true; ++ set_bit(EFI_BOOT, &x86_efi_facility); ++ set_bit(EFI_64BIT, &x86_efi_facility); + } +- if (efi_enabled && efi_memblock_x86_reserve_range()) +- efi_enabled = 0; ++ ++ if (efi_enabled(EFI_BOOT)) ++ efi_memblock_x86_reserve_range(); + #endif + + x86_init.oem.arch_setup(); +@@ -810,7 +810,7 @@ void __init setup_arch(char **cmdline_p) + + finish_e820_parsing(); + +- if (efi_enabled) ++ if (efi_enabled(EFI_BOOT)) + efi_init(); + + dmi_scan_machine(); +@@ -893,7 +893,7 @@ void __init setup_arch(char **cmdline_p) + * The EFI specification says that boot service code won't be called + * after ExitBootServices(). This is, in fact, a lie. + */ +- if (efi_enabled) ++ if (efi_enabled(EFI_MEMMAP)) + efi_reserve_boot_services(); + + /* preallocate 4k for mptable mpc */ +@@ -1034,7 +1034,7 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_VT + #if defined(CONFIG_VGA_CONSOLE) +- if (!efi_enabled || (efi_mem_type(0xa0000) != EFI_CONVENTIONAL_MEMORY)) ++ if (!efi_enabled(EFI_BOOT) || (efi_mem_type(0xa0000) != EFI_CONVENTIONAL_MEMORY)) + conswitchp = &vga_con; + #elif defined(CONFIG_DUMMY_CONSOLE) + conswitchp = &dummy_con; +@@ -1051,14 +1051,14 @@ void __init setup_arch(char **cmdline_p) + register_refined_jiffies(CLOCK_TICK_RATE); + + #ifdef CONFIG_EFI +- /* Once setup is done above, disable efi_enabled on mismatched +- * firmware/kernel archtectures since there is no support for +- * runtime services. ++ /* Once setup is done above, unmap the EFI memory map on ++ * mismatched firmware/kernel archtectures since there is no ++ * support for runtime services. + */ +- if (efi_enabled && IS_ENABLED(CONFIG_X86_64) != efi_64bit) { ++ if (efi_enabled(EFI_BOOT) && ++ IS_ENABLED(CONFIG_X86_64) != efi_enabled(EFI_64BIT)) { + pr_info("efi: Setup done, disabling due to 32/64-bit mismatch\n"); + efi_unmap_memmap(); +- efi_enabled = 0; + } + #endif + } +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index ad44391..5426e48 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -51,9 +51,6 @@ + + #define EFI_DEBUG 1 + +-int efi_enabled; +-EXPORT_SYMBOL(efi_enabled); +- + struct efi __read_mostly efi = { + .mps = EFI_INVALID_TABLE_ADDR, + .acpi = EFI_INVALID_TABLE_ADDR, +@@ -69,19 +66,28 @@ EXPORT_SYMBOL(efi); + + struct efi_memory_map memmap; + +-bool efi_64bit; +- + static struct efi efi_phys __initdata; + static efi_system_table_t efi_systab __initdata; + + static inline bool efi_is_native(void) + { +- return IS_ENABLED(CONFIG_X86_64) == efi_64bit; ++ return IS_ENABLED(CONFIG_X86_64) == efi_enabled(EFI_64BIT); ++} ++ ++unsigned long x86_efi_facility; ++ ++/* ++ * Returns 1 if 'facility' is enabled, 0 otherwise. ++ */ ++int efi_enabled(int facility) ++{ ++ return test_bit(facility, &x86_efi_facility) != 0; + } ++EXPORT_SYMBOL(efi_enabled); + + static int __init setup_noefi(char *arg) + { +- efi_enabled = 0; ++ clear_bit(EFI_BOOT, &x86_efi_facility); + return 0; + } + early_param("noefi", setup_noefi); +@@ -426,6 +432,7 @@ void __init efi_reserve_boot_services(void) + + void __init efi_unmap_memmap(void) + { ++ clear_bit(EFI_MEMMAP, &x86_efi_facility); + if (memmap.map) { + early_iounmap(memmap.map, memmap.nr_map * memmap.desc_size); + memmap.map = NULL; +@@ -460,7 +467,7 @@ void __init efi_free_boot_services(void) + + static int __init efi_systab_init(void *phys) + { +- if (efi_64bit) { ++ if (efi_enabled(EFI_64BIT)) { + efi_system_table_64_t *systab64; + u64 tmp = 0; + +@@ -552,7 +559,7 @@ static int __init efi_config_init(u64 tables, int nr_tables) + void *config_tables, *tablep; + int i, sz; + +- if (efi_64bit) ++ if (efi_enabled(EFI_64BIT)) + sz = sizeof(efi_config_table_64_t); + else + sz = sizeof(efi_config_table_32_t); +@@ -572,7 +579,7 @@ static int __init efi_config_init(u64 tables, int nr_tables) + efi_guid_t guid; + unsigned long table; + +- if (efi_64bit) { ++ if (efi_enabled(EFI_64BIT)) { + u64 table64; + guid = ((efi_config_table_64_t *)tablep)->guid; + table64 = ((efi_config_table_64_t *)tablep)->table; +@@ -684,7 +691,6 @@ void __init efi_init(void) + if (boot_params.efi_info.efi_systab_hi || + boot_params.efi_info.efi_memmap_hi) { + pr_info("Table located above 4GB, disabling EFI.\n"); +- efi_enabled = 0; + return; + } + efi_phys.systab = (efi_system_table_t *)boot_params.efi_info.efi_systab; +@@ -694,10 +700,10 @@ void __init efi_init(void) + ((__u64)boot_params.efi_info.efi_systab_hi<<32)); + #endif + +- if (efi_systab_init(efi_phys.systab)) { +- efi_enabled = 0; ++ if (efi_systab_init(efi_phys.systab)) + return; +- } ++ ++ set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); + + /* + * Show what we know for posterity +@@ -715,10 +721,10 @@ void __init efi_init(void) + efi.systab->hdr.revision >> 16, + efi.systab->hdr.revision & 0xffff, vendor); + +- if (efi_config_init(efi.systab->tables, efi.systab->nr_tables)) { +- efi_enabled = 0; ++ if (efi_config_init(efi.systab->tables, efi.systab->nr_tables)) + return; +- } ++ ++ set_bit(EFI_CONFIG_TABLES, &x86_efi_facility); + + /* + * Note: We currently don't support runtime services on an EFI +@@ -727,15 +733,17 @@ void __init efi_init(void) + + if (!efi_is_native()) + pr_info("No EFI runtime due to 32/64-bit mismatch with kernel\n"); +- else if (efi_runtime_init()) { +- efi_enabled = 0; +- return; ++ else { ++ if (efi_runtime_init()) ++ return; ++ set_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility); + } + +- if (efi_memmap_init()) { +- efi_enabled = 0; ++ if (efi_memmap_init()) + return; +- } ++ ++ set_bit(EFI_MEMMAP, &x86_efi_facility); ++ + #ifdef CONFIG_X86_32 + if (efi_is_native()) { + x86_platform.get_wallclock = efi_get_time; +@@ -969,6 +977,9 @@ u32 efi_mem_type(unsigned long phys_addr) + efi_memory_desc_t *md; + void *p; + ++ if (!efi_enabled(EFI_MEMMAP)) ++ return 0; ++ + for (p = memmap.map; p < memmap.map_end; p += memmap.desc_size) { + md = p; + if ((md->phys_addr <= phys_addr) && +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 3ff2678..bd22f86 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -250,7 +250,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) + return acpi_rsdp; + #endif + +- if (efi_enabled) { ++ if (efi_enabled(EFI_CONFIG_TABLES)) { + if (efi.acpi20 != EFI_INVALID_TABLE_ADDR) + return efi.acpi20; + else if (efi.acpi != EFI_INVALID_TABLE_ADDR) +diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c +index fd3ae62..982f1f5 100644 +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -471,7 +471,7 @@ void __init dmi_scan_machine(void) + char __iomem *p, *q; + int rc; + +- if (efi_enabled) { ++ if (efi_enabled(EFI_CONFIG_TABLES)) { + if (efi.smbios == EFI_INVALID_TABLE_ADDR) + goto error; + +diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c +index 7b1c374..1065119 100644 +--- a/drivers/firmware/efivars.c ++++ b/drivers/firmware/efivars.c +@@ -1782,7 +1782,7 @@ efivars_init(void) + printk(KERN_INFO "EFI Variables Facility v%s %s\n", EFIVARS_VERSION, + EFIVARS_DATE); + +- if (!efi_enabled) ++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) + return 0; + + /* For now we'll register the efi directory at /sys/firmware/efi */ +@@ -1822,7 +1822,7 @@ err_put: + static void __exit + efivars_exit(void) + { +- if (efi_enabled) { ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) { + unregister_efivars(&__efivars); + kobject_put(efi_kobj); + } +diff --git a/drivers/firmware/iscsi_ibft_find.c b/drivers/firmware/iscsi_ibft_find.c +index 4da4eb9..2224f1d 100644 +--- a/drivers/firmware/iscsi_ibft_find.c ++++ b/drivers/firmware/iscsi_ibft_find.c +@@ -99,7 +99,7 @@ unsigned long __init find_ibft_region(unsigned long *sizep) + /* iBFT 1.03 section 1.4.3.1 mandates that UEFI machines will + * only use ACPI for this */ + +- if (!efi_enabled) ++ if (!efi_enabled(EFI_BOOT)) + find_ibft_in_mem(); + + if (ibft_addr) { +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index cd75626..9a68174 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -429,7 +429,8 @@ bool radeon_card_posted(struct radeon_device *rdev) + { + uint32_t reg; + +- if (efi_enabled && rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) ++ if (efi_enabled(EFI_BOOT) && ++ rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) + return false; + + /* first check CRTCs */ +diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c +index 7481146..97c2be1 100644 +--- a/drivers/platform/x86/ibm_rtl.c ++++ b/drivers/platform/x86/ibm_rtl.c +@@ -244,7 +244,7 @@ static int __init ibm_rtl_init(void) { + if (force) + pr_warn("module loaded by force\n"); + /* first ensure that we are running on IBM HW */ +- else if (efi_enabled || !dmi_check_system(ibm_rtl_dmi_table)) ++ else if (efi_enabled(EFI_BOOT) || !dmi_check_system(ibm_rtl_dmi_table)) + return -ENODEV; + + /* Get the address for the Extended BIOS Data Area */ +diff --git a/drivers/scsi/isci/init.c b/drivers/scsi/isci/init.c +index b74050b..9ac1e9d 100644 +--- a/drivers/scsi/isci/init.c ++++ b/drivers/scsi/isci/init.c +@@ -633,7 +633,7 @@ static int __devinit isci_pci_probe(struct pci_dev *pdev, const struct pci_devic + return -ENOMEM; + pci_set_drvdata(pdev, pci_info); + +- if (efi_enabled) ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) + orom = isci_get_efi_var(pdev); + + if (!orom) +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 8b84916..7a9498a 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -618,18 +618,30 @@ extern int __init efi_setup_pcdp_console(char *); + #endif + + /* +- * We play games with efi_enabled so that the compiler will, if possible, remove +- * EFI-related code altogether. ++ * We play games with efi_enabled so that the compiler will, if ++ * possible, remove EFI-related code altogether. + */ ++#define EFI_BOOT 0 /* Were we booted from EFI? */ ++#define EFI_SYSTEM_TABLES 1 /* Can we use EFI system tables? */ ++#define EFI_CONFIG_TABLES 2 /* Can we use EFI config tables? */ ++#define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */ ++#define EFI_MEMMAP 4 /* Can we use EFI memory map? */ ++#define EFI_64BIT 5 /* Is the firmware 64-bit? */ ++ + #ifdef CONFIG_EFI + # ifdef CONFIG_X86 +- extern int efi_enabled; +- extern bool efi_64bit; ++extern int efi_enabled(int facility); + # else +-# define efi_enabled 1 ++static inline int efi_enabled(int facility) ++{ ++ return 1; ++} + # endif + #else +-# define efi_enabled 0 ++static inline int efi_enabled(int facility) ++{ ++ return 0; ++} + #endif + + /* +diff --git a/init/main.c b/init/main.c +index 85d69df..cd30179 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -604,7 +604,7 @@ asmlinkage void __init start_kernel(void) + pidmap_init(); + anon_vma_init(); + #ifdef CONFIG_X86 +- if (efi_enabled) ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) + efi_enter_virtual_mode(); + #endif + thread_info_cache_init(); +@@ -632,7 +632,7 @@ asmlinkage void __init start_kernel(void) + acpi_early_init(); /* before LAPIC and SMP init */ + sfi_init_late(); + +- if (efi_enabled) { ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) { + efi_late_init(); + efi_free_boot_services(); + } +-- +1.8.1 + +From 87123c25437f0da326b2f63cae8ab9aabac6fd6c Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Thu, 3 Jan 2013 09:02:37 +0000 +Subject: [PATCH 2/2] samsung-laptop: Disable on EFI hardware + +It has been reported that running this driver on some Samsung laptops +with EFI can cause those machines to become bricked as detailed in the +following report, + + https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557 + +There have also been reports of this driver causing Machine Check +Exceptions on recent EFI-enabled Samsung laptops, + + https://bugzilla.kernel.org/show_bug.cgi?id=47121 + +So disable it if booting from EFI since this driver relies on +grovelling around in the BIOS memory map which isn't going to work. + +Acked-by: H. Peter Anvin +Cc: Corentin Chary +Cc: Matthew Garrett +Cc: Colin Ian King +Cc: Steve Langasek +Cc: platform-driver-x86@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Matt Fleming +--- + drivers/platform/x86/samsung-laptop.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c +index dd90d15..5a89ca1 100644 +--- a/drivers/platform/x86/samsung-laptop.c ++++ b/drivers/platform/x86/samsung-laptop.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -1534,6 +1535,9 @@ static int __init samsung_init(void) + struct samsung_laptop *samsung; + int ret; + ++ if (efi_enabled(EFI_BOOT)) ++ return -ENODEV; ++ + quirks = &samsung_unknown; + if (!force && !dmi_check_system(samsung_dmi_table)) + return -ENODEV; +-- +1.8.1 + + +From 078aac950b94287072864fe8db0c690b8343f364 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:40:56 -0400 -Subject: [PATCH 01/18] Secure boot: Add new capability +Subject: [PATCH 03/19] Secure boot: Add new capability Secure boot adds certain policy requirements, including that root must not be able to do anything that could cause the kernel to execute arbitrary code. @@ -32,13 +576,13 @@ index ba478fa..7109e65 100644 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) -- -1.8.0.2 +1.8.1 -From 5a5dd529716bd36ea8f43e2a20dd8f80659f762a Mon Sep 17 00:00:00 2001 +From b3f043c11522faad4a0a2ed54bc204af9157f4cf Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 20 Sep 2012 10:41:05 -0400 -Subject: [PATCH 02/18] SELinux: define mapping for new Secure Boot capability +Subject: [PATCH 04/19] SELinux: define mapping for new Secure Boot capability Add the name of the new Secure Boot capability. This allows SELinux policies to properly map CAP_COMPROMISE_KERNEL to the appropriate @@ -65,13 +609,13 @@ index df2de54..70e2834 100644 { "tun_socket", { COMMON_SOCK_PERMS, NULL } }, -- -1.8.0.2 +1.8.1 -From 891f2a956ba70b3d0b1acad3e235a3327f344d13 Mon Sep 17 00:00:00 2001 +From 91a1c56865bb3c8caf452df78af91bb8c2bdee57 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 20 Sep 2012 10:41:02 -0400 -Subject: [PATCH 03/18] Secure boot: Add a dummy kernel parameter that will +Subject: [PATCH 05/19] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset @@ -131,27 +675,30 @@ index e0573a4..c3f4e3e 100644 * prepare_kernel_cred - Prepare a set of credentials for a kernel service * @daemon: A userspace daemon to be used as a reference -- -1.8.0.2 +1.8.1 -From a98fc32f21318a7141552b6ef241407265fbecdd Mon Sep 17 00:00:00 2001 +From 39585d1c3c7fa8878889d88e00a3aa5a647c024f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:41:03 -0400 -Subject: [PATCH 04/18] efi: Enable secure boot lockdown automatically when +Subject: [PATCH 06/19] efi: Enable secure boot lockdown automatically when enabled in firmware The firmware has a set of flags that indicate whether secure boot is enabled and enforcing. Use them to indicate whether the kernel should lock itself -down. +down. We also indicate the machine is in secure boot mode by adding the +EFI_SECURE_BOOT bit for use with efi_enabled. Signed-off-by: Matthew Garrett +Signed-off-by: Josh Boyer --- Documentation/x86/zero-page.txt | 2 ++ arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++ arch/x86/include/uapi/asm/bootparam.h | 3 ++- - arch/x86/kernel/setup.c | 3 +++ + arch/x86/kernel/setup.c | 5 +++++ include/linux/cred.h | 2 ++ - 5 files changed, 41 insertions(+), 1 deletion(-) + include/linux/efi.h | 1 + + 6 files changed, 44 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt index cf5437d..7f9ed48 100644 @@ -167,7 +714,7 @@ index cf5437d..7f9ed48 100644 2D0/A00 ALL e820_map E820 memory map table (array of struct e820entry) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index b1942e2..1201907 100644 +index 18e329c..f44adce 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -848,6 +848,36 @@ fail: @@ -231,15 +778,17 @@ index 92862cd..422e056 100644 __u8 _pad7[0x290-0x1f1-sizeof(struct setup_header)]; __u32 edd_mbr_sig_buffer[EDD_MBR_SIG_MAX]; /* 0x290 */ diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 23ddd55..94203e5 100644 +index 8b24289..5355a54 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -962,6 +962,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1042,6 +1042,11 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); -+ if (boot_params.secure_boot) ++ if (boot_params.secure_boot) { ++ set_bit(EFI_SECURE_BOOT, &x86_efi_facility); + secureboot_enable(); ++ } + /* * Parse the ACPI tables for possible boot-time SMP configuration. @@ -257,86 +806,26 @@ index 04421e8..9e69542 100644 /* * check for validity of credentials */ --- -1.8.0.2 - - -From 4a5cc45467da5652b19ac27e409761c79efd56f1 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 26 Oct 2012 12:29:49 -0400 -Subject: [PATCH 05/18] EFI: Add in-kernel variable to determine if Secure Boot - is enabled - -There are a few cases where in-kernel functions may need to know if -Secure Boot is enabled. The added capability check cannot be used as the -kernel can't drop it's own capabilites, so we add a global variable -similar to efi_enabled so they can determine if Secure Boot is enabled. - -Signed-off-by: Josh Boyer ---- - arch/x86/kernel/setup.c | 6 +++++- - arch/x86/platform/efi/efi.c | 2 ++ - include/linux/efi.h | 3 +++ - 3 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 94203e5..2b89b38 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -962,8 +962,12 @@ void __init setup_arch(char **cmdline_p) - - io_delay_init(); - -- if (boot_params.secure_boot) -+ if (boot_params.secure_boot) { - secureboot_enable(); -+#ifdef CONFIG_EFI -+ secure_boot_enabled = 1; -+#endif -+ } - - /* - * Parse the ACPI tables for possible boot-time SMP configuration. -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index ad44391..d22bfeb 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -54,6 +54,8 @@ - int efi_enabled; - EXPORT_SYMBOL(efi_enabled); - -+int secure_boot_enabled; -+ - struct efi __read_mostly efi = { - .mps = EFI_INVALID_TABLE_ADDR, - .acpi = EFI_INVALID_TABLE_ADDR, diff --git a/include/linux/efi.h b/include/linux/efi.h -index 8b84916..7a1a53c 100644 +index 7a9498a..1ae16b6 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -625,11 +625,14 @@ extern int __init efi_setup_pcdp_console(char *); - # ifdef CONFIG_X86 - extern int efi_enabled; - extern bool efi_64bit; -+ extern int secure_boot_enabled; - # else - # define efi_enabled 1 -+# define secure_boot_enabled 0 - # endif - #else - # define efi_enabled 0 -+# define secure_boot_enabled 0 - #endif +@@ -627,6 +627,7 @@ extern int __init efi_setup_pcdp_console(char *); + #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */ + #define EFI_MEMMAP 4 /* Can we use EFI memory map? */ + #define EFI_64BIT 5 /* Is the firmware 64-bit? */ ++#define EFI_SECURE_BOOT 6 /* Are we in Secure Boot mode? */ - /* + #ifdef CONFIG_EFI + # ifdef CONFIG_X86 -- -1.8.0.2 +1.8.1 -From 34c2022a3b9cc4e064fe85d0ebc83b38bd6315d3 Mon Sep 17 00:00:00 2001 +From c4913bd0af536c2e752da503e34cfdbdef2ca427 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:30:54 -0400 -Subject: [PATCH 06/18] Add EFI signature data types +Subject: [PATCH 07/19] Add EFI signature data types Add the data types that are used for containing hashes, keys and certificates for cryptographic verification. @@ -347,7 +836,7 @@ Signed-off-by: David Howells 1 file changed, 20 insertions(+) diff --git a/include/linux/efi.h b/include/linux/efi.h -index 7a1a53c..887b9f3 100644 +index 1ae16b6..de7021d 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -388,6 +388,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules, @@ -385,13 +874,13 @@ index 7a1a53c..887b9f3 100644 * All runtime access to EFI goes through this structure: */ -- -1.8.0.2 +1.8.1 -From 13ed8f224caf51355124ceb154dd2cd1559b85d9 Mon Sep 17 00:00:00 2001 +From 714ab7855166f5cf453817de90b80ea8f132715d Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH 07/18] Add an EFI signature blob parser and key loader. +Subject: [PATCH 08/19] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. @@ -549,7 +1038,7 @@ index 0000000..636feb1 + return 0; +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index 887b9f3..6b78779 100644 +index de7021d..64b3e55 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -612,6 +612,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime); @@ -564,13 +1053,13 @@ index 887b9f3..6b78779 100644 * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- -1.8.0.2 +1.8.1 -From 8d89c8b4cc5869044f4ed78358b7d8a93f11cfac Mon Sep 17 00:00:00 2001 +From e485260e14c366644a44d2fea05fc3e7dc02a8c3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH 08/18] MODSIGN: Add module certificate blacklist keyring +Subject: [PATCH 09/19] MODSIGN: Add module certificate blacklist keyring This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules @@ -586,7 +1075,7 @@ Signed-off-by: Josh Boyer 4 files changed, 37 insertions(+) diff --git a/init/Kconfig b/init/Kconfig -index 7d30240..4a0705e 100644 +index be8b7f5..d972b77 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1665,6 +1665,14 @@ config MODULE_SIG_FORCE @@ -673,13 +1162,13 @@ index f2970bd..5423195 100644 &key_type_asymmetric, id); if (IS_ERR(key)) -- -1.8.0.2 +1.8.1 -From e4663a7c5ef224c9fb0fa74ba42f3f9c52f8ca30 Mon Sep 17 00:00:00 2001 +From 2015a3299fb6029de0c1e4da3e06bfa74e1075df Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 12:42:16 -0400 -Subject: [PATCH 09/18] MODSIGN: Import certificates from UEFI Secure Boot +Subject: [PATCH 10/19] MODSIGN: Import certificates from UEFI Secure Boot Secure Boot stores a list of allowed certificates in the 'db' variable. This imports those certificates into the module signing keyring. This @@ -704,7 +1193,7 @@ Signed-off-by: Josh Boyer create mode 100644 kernel/modsign_uefi.c diff --git a/include/linux/efi.h b/include/linux/efi.h -index 6b78779..a395dff 100644 +index 64b3e55..76fe526 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -394,6 +394,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules, @@ -721,7 +1210,7 @@ index 6b78779..a395dff 100644 efi_guid_t guid; u64 table; diff --git a/init/Kconfig b/init/Kconfig -index 4a0705e..984b316 100644 +index d972b77..27e3a82 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1673,6 +1673,15 @@ config MODULE_SIG_BLACKLIST @@ -763,7 +1252,7 @@ index 6c072b6..8848829 100644 targets += config_data.gz diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c new file mode 100644 -index 0000000..76a5a34 +index 0000000..b9237d7 --- /dev/null +++ b/kernel/modsign_uefi.c @@ -0,0 +1,90 @@ @@ -817,7 +1306,7 @@ index 0000000..76a5a34 + int rc = 0; + + /* Check if SB is enabled and just return if not */ -+ if (!secure_boot_enabled) ++ if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + + /* Get db, MokListRT, and dbx. They might not exist, so it isn't @@ -858,13 +1347,13 @@ index 0000000..76a5a34 +} +late_initcall(load_uefi_certs); -- -1.8.0.2 +1.8.1 -From 798940ec4bc3826ef74e985cd021fc7e3db6eae7 Mon Sep 17 00:00:00 2001 +From b9003fd1d1ec55049db258832fed7736c3d72703 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:40:57 -0400 -Subject: [PATCH 10/18] PCI: Lock down BAR access in secure boot environments +Subject: [PATCH 11/19] PCI: Lock down BAR access in secure boot environments Any hardware that can potentially generate DMA has to be locked down from userspace in order to avoid it being possible for an attacker to cause @@ -959,13 +1448,13 @@ index e1c1ec5..97e785f 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -1.8.0.2 +1.8.1 -From b4deb668b754ffa53bc9bebf72bd4679e5f2eb62 Mon Sep 17 00:00:00 2001 +From 66b86238391bae88f1da0fd82f2516d58aa544b9 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:40:58 -0400 -Subject: [PATCH 11/18] x86: Lock down IO port access in secure boot +Subject: [PATCH 12/19] x86: Lock down IO port access in secure boot environments IO port access would permit users to gain access to PCI configuration @@ -1016,13 +1505,13 @@ index c6fa3bc..fc28099 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -1.8.0.2 +1.8.1 -From c38e94fdbc44b0e3e8dc2a42db18c04ee25d3627 Mon Sep 17 00:00:00 2001 +From 2bae7bb333fb916824efaa8ebfff296be6b474aa Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:40:59 -0400 -Subject: [PATCH 12/18] ACPI: Limit access to custom_method +Subject: [PATCH 13/19] ACPI: Limit access to custom_method It must be impossible for even root to get code executed in kernel context under a secure boot environment. custom_method effectively allows arbitrary @@ -1048,13 +1537,13 @@ index 5d42c24..247d58b 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -1.8.0.2 +1.8.1 -From b935abbd7888103d6261fa49a797c3f621222593 Mon Sep 17 00:00:00 2001 +From 1020b65305173afb24a9411a9555468a5184a73d Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:41:00 -0400 -Subject: [PATCH 13/18] asus-wmi: Restrict debugfs interface +Subject: [PATCH 14/19] asus-wmi: Restrict debugfs interface We have no way of validating what all of the Asus WMI methods do on a given machine, and there's a risk that some will allow hardware state to @@ -1101,13 +1590,13 @@ index f80ae4d..059195f 100644 1, asus->debug.method_id, &input, &output); -- -1.8.0.2 +1.8.1 -From 0e2d67fe7c9f067ebb527ce6a665e89d7a5a398b Mon Sep 17 00:00:00 2001 +From 5e940dba25d3d2614a3a745ef7c3057e058c876a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:41:01 -0400 -Subject: [PATCH 14/18] Restrict /dev/mem and /dev/kmem in secure boot setups +Subject: [PATCH 15/19] Restrict /dev/mem and /dev/kmem in secure boot setups Allowing users to write to address space makes it possible for the kernel to be subverted. Restrict this when we need to protect the kernel. @@ -1142,13 +1631,13 @@ index fc28099..b5df7a8 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -1.8.0.2 +1.8.1 -From 45f09b7aedcc79d9d315a1c3e926ad36b15edf1a Mon Sep 17 00:00:00 2001 +From b6264c3ed7a36a7a8d9c504d20a9a639850ace3b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 20 Sep 2012 10:41:04 -0400 -Subject: [PATCH 15/18] acpi: Ignore acpi_rsdp kernel parameter in a secure +Subject: [PATCH 16/19] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment This option allows userspace to pass the RSDP address to the kernel. This @@ -1161,7 +1650,7 @@ Signed-off-by: Josh Boyer 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 3ff2678..794d78b 100644 +index bd22f86..88251d2 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); @@ -1174,13 +1663,13 @@ index 3ff2678..794d78b 100644 #endif -- -1.8.0.2 +1.8.1 -From 2def5cc3c511d824af306468ff0fd15fa641c412 Mon Sep 17 00:00:00 2001 +From 4f1614d3aae4e924ad8b8d56c66a23a469b1c3d0 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 4 Sep 2012 11:55:13 -0400 -Subject: [PATCH 16/18] kexec: Disable in a secure boot environment +Subject: [PATCH 17/19] kexec: Disable in a secure boot environment kexec could be used as a vector for a malicious user to use a signed kernel to circumvent the secure boot trust model. In the long run we'll want to @@ -1206,13 +1695,13 @@ index 5e4bd78..dd464e0 100644 /* -- -1.8.0.2 +1.8.1 -From 6af5862bf800c29d9b2c46bee91c463e1c0d77ab Mon Sep 17 00:00:00 2001 +From 9760ba180b98ff6e6a6e40dfe82973fc6bfcb194 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 5 Oct 2012 10:12:48 -0400 -Subject: [PATCH 17/18] MODSIGN: Always enforce module signing in a Secure Boot +Subject: [PATCH 18/19] MODSIGN: Always enforce module signing in a Secure Boot environment If a machine is booted into a Secure Boot environment, we need to @@ -1252,7 +1741,7 @@ index c3f4e3e..c5554e0 100644 /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ diff --git a/kernel/module.c b/kernel/module.c -index 250092c..265172a 100644 +index eab0827..93a16dc 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */ @@ -1268,13 +1757,13 @@ index 250092c..265172a 100644 static int param_set_bool_enable_only(const char *val, const struct kernel_param *kp) -- -1.8.0.2 +1.8.1 -From e45330362517d08579cdaddc718febe68e2cae06 Mon Sep 17 00:00:00 2001 +From 1c6cd63017f3c745eaf4d8705f44ba5f4af1aef7 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 14:02:09 -0400 -Subject: [PATCH 18/18] hibernate: Disable in a Secure Boot environment +Subject: [PATCH 19/19] hibernate: Disable in a Secure Boot environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the secure boot trust model, @@ -1289,7 +1778,7 @@ Signed-off-by: Josh Boyer 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index b26f5f1..26bdfa8 100644 +index b26f5f1..7f63cb4 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -28,6 +28,7 @@ @@ -1324,7 +1813,7 @@ index b26f5f1..26bdfa8 100644 int i; char *start = buf; -+ if (secure_boot_enabled) { ++ if (efi_enabled(EFI_SECURE_BOOT)) { + buf += sprintf(buf, "[%s]\n", "disabled"); + return buf-start; + } @@ -1343,7 +1832,7 @@ index b26f5f1..26bdfa8 100644 len = p ? p - buf : n; diff --git a/kernel/power/main.c b/kernel/power/main.c -index 1c16f91..8e3456d 100644 +index 1c16f91..4f915fc 100644 --- a/kernel/power/main.c +++ b/kernel/power/main.c @@ -15,6 +15,7 @@ @@ -1359,7 +1848,7 @@ index 1c16f91..8e3456d 100644 #endif #ifdef CONFIG_HIBERNATION - s += sprintf(s, "%s\n", "disk"); -+ if (!secure_boot_enabled) { ++ if (!efi_enabled(EFI_SECURE_BOOT)) { + s += sprintf(s, "%s\n", "disk"); + } else { + s += sprintf(s, "\n"); @@ -1382,5 +1871,5 @@ index 4ed81e7..b11a0f4 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -1.8.0.2 +1.8.1