update secure boot patchset

Dave Jones 2013-02-27 14:08:29 -05:00
parent 1c0d824c48
commit d3a4ba3dbf
2 changed files with 99 additions and 104 deletions


@ -685,7 +685,7 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
Patch800: linux-2.6-crash-driver.patch
# secure boot
Patch1000: secure-boot-20130219.patch
Patch1000: secure-boot-20130218.patch
# virt + ksm patches
@ -1433,7 +1433,7 @@ ApplyPatch linux-2.6-crash-driver.patch
ApplyPatch linux-2.6-e1000-ich9-montevina.patch
# secure boot
#ApplyPatch secure-boot-20130219.patch
ApplyPatch secure-boot-20130218.patch
# Assorted Virt Fixes
@ -2413,7 +2413,6 @@ fi
- arm-tegra-nvec-kconfig.patch
- arm-tegra-sdhci-module-fix.patch
Needs reworking:
- secure-boot
- alps-v2-3.7.patch
- usb-cypress-supertop.patch
- Bluetooth-Add-support-for-Foxconn-Hon-Hai-0489-e056.patch


@ -1,4 +1,4 @@
From 33ecf899ae618a163e553c24674a48bd0cb4dd17 Mon Sep 17 00:00:00 2001
From 0c5837031a4e996877930fd023a5877dd1d615ba Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:56 -0400
Subject: [PATCH 01/19] Secure boot: Add new capability
@ -35,7 +35,7 @@ index ba478fa..7109e65 100644
1.8.1.2
From 0867a7288326c109ac3f1a52a342f577e1f77618 Mon Sep 17 00:00:00 2001
From 87c8fddbcb3042fc4174b53763adbf66045a12be Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:05 -0400
Subject: [PATCH 02/19] SELinux: define mapping for new Secure Boot capability
@ -50,7 +50,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index df2de54..70e2834 100644
index 14d04e6..ed99a2d 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
@ -63,12 +63,12 @@ index df2de54..70e2834 100644
+ "block_suspend", "compromise_kernel", NULL } },
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
{ "tun_socket",
{ COMMON_SOCK_PERMS, NULL } },
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
--
1.8.1.2
From 23873817d2cec32d4af90fc7038b53c949e3f5a6 Mon Sep 17 00:00:00 2001
From df14b5319bf3ed2110839e233ac61e6136745be8 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:02 -0400
Subject: [PATCH 03/19] Secure boot: Add a dummy kernel parameter that will
@ -85,10 +85,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
2 files changed, 24 insertions(+)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 9776f06..0d6c28d 100644
index 6c72381..7dffdd5 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2599,6 +2599,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -2654,6 +2654,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
Note: increases power consumption, thus should only be
enabled if running jitter sensitive (HPC/RT) workloads.
@ -103,10 +103,10 @@ index 9776f06..0d6c28d 100644
If this boot parameter is not specified, only the first
security module asking for security registration will be
diff --git a/kernel/cred.c b/kernel/cred.c
index 48cea3d..3f5be65 100644
index e0573a4..c3f4e3e 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -623,6 +623,23 @@ void __init cred_init(void)
@@ -565,6 +565,23 @@ void __init cred_init(void)
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
}
@ -134,7 +134,7 @@ index 48cea3d..3f5be65 100644
1.8.1.2
From 6e786fc19b3dc3aa53e6f556af2baf261573321f Mon Sep 17 00:00:00 2001
From 49c76a665e8a09da48cbe271ea40266ca1a226c0 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:03 -0400
Subject: [PATCH 04/19] efi: Enable secure boot lockdown automatically when
@ -148,32 +148,32 @@ EFI_SECURE_BOOT bit for use with efi_enabled.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
Documentation/x86/zero-page.txt | 2 ++
arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
arch/x86/include/asm/bootparam.h | 3 ++-
arch/x86/kernel/setup.c | 5 +++++
include/linux/cred.h | 2 ++
include/linux/efi.h | 1 +
6 files changed, 44 insertions(+), 1 deletion(-)
Documentation/x86/zero-page.txt | 2 ++
arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
arch/x86/kernel/setup.c | 7 +++++++
include/linux/cred.h | 2 ++
include/linux/efi.h | 1 +
6 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
index cf5437d..7f9ed48 100644
index 199f453..ff651d3 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
@@ -27,6 +27,8 @@ Offset Proto Name Meaning
@@ -30,6 +30,8 @@ Offset Proto Name Meaning
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
(below)
+1EB/001 ALL kbd_status Numlock is enabled
+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns
1EF/001 ALL sentinel Used to detect broken bootloaders
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
(array of struct e820entry)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index ccae7e2..4983e43 100644
index f8fa411..96bd86b 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -731,6 +731,36 @@ fail:
@@ -849,6 +849,36 @@ fail:
return status;
}
@ -210,7 +210,7 @@ index ccae7e2..4983e43 100644
/*
* Because the x86 boot code expects to be passed a boot_params we
* need to create one ourselves (usually the bootloader would create
@@ -1025,6 +1055,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
@@ -1143,6 +1173,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
goto fail;
@ -218,31 +218,33 @@ index ccae7e2..4983e43 100644
+
setup_graphics(boot_params);
status = efi_call_phys3(sys_table->boottime->allocate_pool,
diff --git a/arch/x86/include/asm/bootparam.h b/arch/x86/include/asm/bootparam.h
index 2ad874c..c7338e0 100644
--- a/arch/x86/include/asm/bootparam.h
+++ b/arch/x86/include/asm/bootparam.h
@@ -114,7 +114,8 @@ struct boot_params {
setup_efi_pci(boot_params);
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
index c15ddaf..85d7685 100644
--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -131,7 +131,8 @@ struct boot_params {
__u8 eddbuf_entries; /* 0x1e9 */
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
__u8 kbd_status; /* 0x1eb */
- __u8 _pad6[5]; /* 0x1ec */
- __u8 _pad5[3]; /* 0x1ec */
+ __u8 secure_boot; /* 0x1ec */
+ __u8 _pad6[4]; /* 0x1ed */
struct setup_header hdr; /* setup header */ /* 0x1f1 */
__u8 _pad7[0x290-0x1f1-sizeof(struct setup_header)];
__u32 edd_mbr_sig_buffer[EDD_MBR_SIG_MAX]; /* 0x290 */
+ __u8 _pad5[2]; /* 0x1ed */
/*
* The sentinel is set to a nonzero value (0xff) in header.S.
*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index aeacb0e..a196a7e 100644
index 8b24289..d74b441 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1042,6 +1042,11 @@ void __init setup_arch(char **cmdline_p)
@@ -1042,6 +1042,13 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
+ if (boot_params.secure_boot) {
+#ifdef CONFIG_EFI
+ set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
+#endif
+ secureboot_enable();
+ }
+
@ -250,10 +252,10 @@ index aeacb0e..a196a7e 100644
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
diff --git a/include/linux/cred.h b/include/linux/cred.h
index ebbed2c..a24faf1 100644
index 04421e8..9e69542 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -170,6 +170,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
@@ -156,6 +156,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
extern int set_create_files_as(struct cred *, struct inode *);
extern void __init cred_init(void);
@ -263,10 +265,10 @@ index ebbed2c..a24faf1 100644
* check for validity of credentials
*/
diff --git a/include/linux/efi.h b/include/linux/efi.h
index b424f64..fef4ca6 100644
index 7a9498a..1ae16b6 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -551,6 +551,7 @@ extern int __init efi_setup_pcdp_console(char *);
@@ -627,6 +627,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */
#define EFI_MEMMAP 4 /* Can we use EFI memory map? */
#define EFI_64BIT 5 /* Is the firmware 64-bit? */
@ -278,7 +280,7 @@ index b424f64..fef4ca6 100644
1.8.1.2
From 7f17830b2d2e02a1d8614ed06d2eaf37f4a2b9d1 Mon Sep 17 00:00:00 2001
From d4d1b3ad3e1a553c807b4ecafcbde4bf816e4db2 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
Subject: [PATCH 05/19] Add EFI signature data types
@ -292,10 +294,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 20 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
index fef4ca6..a5dab3c 100644
index 1ae16b6..de7021d 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -312,6 +312,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
@@ -388,6 +388,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
#define EFI_FILE_SYSTEM_GUID \
EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b )
@ -308,7 +310,7 @@ index fef4ca6..a5dab3c 100644
typedef struct {
efi_guid_t guid;
u64 table;
@@ -447,6 +453,20 @@ typedef struct {
@@ -523,6 +529,20 @@ typedef struct {
#define EFI_INVALID_TABLE_ADDR (~0UL)
@ -333,7 +335,7 @@ index fef4ca6..a5dab3c 100644
1.8.1.2
From f6e6bcac73c2c4dd0295a528f80d3c6660e9e279 Mon Sep 17 00:00:00 2001
From 3cffca89eadf7e0f0a266c370f8034f33723831a Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH 06/19] Add an EFI signature blob parser and key loader.
@ -494,10 +496,10 @@ index 0000000..636feb1
+ return 0;
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
index a5dab3c..7bfc4f2 100644
index de7021d..64b3e55 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -536,6 +536,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime);
@@ -612,6 +612,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime);
extern void efi_reserve_boot_services(void);
extern struct efi_memory_map memmap;
@ -512,7 +514,7 @@ index a5dab3c..7bfc4f2 100644
1.8.1.2
From 26e3eaf96f1433fbb5f0d617b80b5d00e16aeb2c Mon Sep 17 00:00:00 2001
From 89ea7424726ae4f7265ab84e703cf2da77acda57 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH 07/19] MODSIGN: Add module certificate blacklist keyring
@ -525,16 +527,16 @@ useful in cases where third party certificates are used for module signing.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
init/Kconfig | 8 ++++++++
kernel/modsign_pubkey.c | 17 +++++++++++++++++
kernel/modsign_pubkey.c | 14 ++++++++++++++
kernel/module-internal.h | 3 +++
kernel/module_signing.c | 12 ++++++++++++
4 files changed, 40 insertions(+)
4 files changed, 37 insertions(+)
diff --git a/init/Kconfig b/init/Kconfig
index 6fdd6e3..7a9bf00 100644
index be8b7f5..d972b77 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1602,6 +1602,14 @@ config MODULE_SIG_FORCE
@@ -1665,6 +1665,14 @@ config MODULE_SIG_FORCE
Reject unsigned modules or signed modules for which we don't have a
key. Without this, such modules will simply taint the kernel.
@ -550,7 +552,7 @@ index 6fdd6e3..7a9bf00 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
index 767e559..d99cd51 100644
index 2b6e699..4cd408d 100644
--- a/kernel/modsign_pubkey.c
+++ b/kernel/modsign_pubkey.c
@@ -17,6 +17,9 @@
@ -563,22 +565,19 @@ index 767e559..d99cd51 100644
extern __initdata const u8 modsign_certificate_list[];
extern __initdata const u8 modsign_certificate_list_end[];
@@ -52,6 +55,20 @@ static __init int module_verify_init(void)
if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0)
panic("Can't instantiate module signing keyring\n");
@@ -43,6 +46,17 @@ static __init int module_verify_init(void)
if (IS_ERR(modsign_keyring))
panic("Can't allocate module signing keyring\n");
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+ modsign_blacklist = key_alloc(&key_type_keyring, ".modsign_blacklist",
+ modsign_blacklist = keyring_alloc(".modsign_blacklist",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ,
+ KEY_ALLOC_NOT_IN_QUOTA);
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ if (IS_ERR(modsign_blacklist))
+ panic("Can't allocate module signing blacklist keyring\n");
+
+ if (key_instantiate_and_link(modsign_blacklist, NULL, 0, NULL, NULL) < 0)
+ panic("Can't instantiate module blacklist keyring\n");
+#endif
+
return 0;
@ -624,7 +623,7 @@ index f2970bd..5423195 100644
1.8.1.2
From ec7d8de0b4b29fa052dd9408fab20ce46857b486 Mon Sep 17 00:00:00 2001
From 733a5c25b896d8d5fa0051825a671911b50cb47d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH 08/19] MODSIGN: Import certificates from UEFI Secure Boot
@ -652,10 +651,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
create mode 100644 kernel/modsign_uefi.c
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 7bfc4f2..014a013 100644
index 64b3e55..76fe526 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -318,6 +318,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
@@ -394,6 +394,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
#define EFI_CERT_X509_GUID \
EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
@ -669,10 +668,10 @@ index 7bfc4f2..014a013 100644
efi_guid_t guid;
u64 table;
diff --git a/init/Kconfig b/init/Kconfig
index 7a9bf00..51aa170 100644
index d972b77..27e3a82 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1610,6 +1610,15 @@ config MODULE_SIG_BLACKLIST
@@ -1673,6 +1673,15 @@ config MODULE_SIG_BLACKLIST
should not pass module signature verification. If a module is
signed with something in this keyring, the load will be rejected.
@ -689,18 +688,18 @@ index 7a9bf00..51aa170 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
index 86e3285..12e17ab 100644
index 6c072b6..8848829 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o
+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC) += kexec.o
@@ -113,6 +114,8 @@ obj-$(CONFIG_JUMP_LABEL) += jump_label.o
@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
$(obj)/configs.o: $(obj)/config_data.h
@ -809,7 +808,7 @@ index 0000000..b9237d7
1.8.1.2
From ff5f0af5e29e73ba00c04bc67978086d5ed811bd Mon Sep 17 00:00:00 2001
From 16027d676baed34a9de804dac68d48096a688b39 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:57 -0400
Subject: [PATCH 09/19] PCI: Lock down BAR access in secure boot environments
@ -827,10 +826,10 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index f39378d..1db1e74 100644
index 9c6e9bb..b966089 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -546,6 +546,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
@@ -622,6 +622,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
loff_t init_off = off;
u8 *data = (u8*) buf;
@ -840,7 +839,7 @@ index f39378d..1db1e74 100644
if (off > dev->cfg_size)
return 0;
if (off + count > dev->cfg_size) {
@@ -852,6 +855,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
@@ -928,6 +931,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
resource_size_t start, end;
int i;
@ -850,7 +849,7 @@ index f39378d..1db1e74 100644
for (i = 0; i < PCI_ROM_RESOURCE; i++)
if (res == &pdev->resource[i])
break;
@@ -959,6 +965,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
@@ -1035,6 +1041,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
struct bin_attribute *attr, char *buf,
loff_t off, size_t count)
{
@ -910,7 +909,7 @@ index e1c1ec5..97e785f 100644
1.8.1.2
From f6a7b0b3c9ca8b0814d03daed9f98fb009a57cc7 Mon Sep 17 00:00:00 2001
From 9ff1537bbe8c22bbf7f992027da43d4fe8da0860 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:58 -0400
Subject: [PATCH 10/19] x86: Lock down IO port access in secure boot
@ -950,7 +949,7 @@ index 8c96897..a2578c4 100644
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 0537903..47501fc 100644
index c6fa3bc..fc28099 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
@ -967,7 +966,7 @@ index 0537903..47501fc 100644
1.8.1.2
From 014664ed0733041ae2e6ddacd21f8eb8ed94d6e9 Mon Sep 17 00:00:00 2001
From 3b27408b1ced1ec83a3ce27f9d51161dbf7cea9a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:40:59 -0400
Subject: [PATCH 11/19] ACPI: Limit access to custom_method
@ -999,7 +998,7 @@ index 5d42c24..247d58b 100644
1.8.1.2
From f1262b9e78f41307e0be23aa6c54f79dfc5c8d39 Mon Sep 17 00:00:00 2001
From fb618a04089d454b7ade68c00a2b9c7dbac013f9 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:00 -0400
Subject: [PATCH 12/19] asus-wmi: Restrict debugfs interface
@ -1015,7 +1014,7 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index c0e9ff4..3c10167 100644
index f80ae4d..059195f 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1521,6 +1521,9 @@ static int show_dsts(struct seq_file *m, void *data)
@ -1052,7 +1051,7 @@ index c0e9ff4..3c10167 100644
1.8.1.2
From f31dc86516ee8088177a5a82869a3633a6e555b1 Mon Sep 17 00:00:00 2001
From e515bbd5410d00835390fd8981aa9029e7b22b73 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 20 Sep 2012 10:41:01 -0400
Subject: [PATCH 13/19] Restrict /dev/mem and /dev/kmem in secure boot setups
@ -1066,7 +1065,7 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 47501fc..8817cdc 100644
index fc28099..b5df7a8 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@ -1093,7 +1092,7 @@ index 47501fc..8817cdc 100644
1.8.1.2
From e5724ed32b15d5dec9a239036598d9273b105506 Mon Sep 17 00:00:00 2001
From fe27dd192ef250abcbaba973a14d43b21d7be497 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:04 -0400
Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
@ -1101,10 +1100,7 @@ Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
This option allows userspace to pass the RSDP address to the kernel. This
could potentially be used to circumvent the secure boot trust model.
This is setup through the setup_arch function, which is called before the
security_init function sets up the security_ops, so we cannot use a
capable call here. We ignore the setting if we are booted in Secure Boot
mode.
We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
@ -1112,7 +1108,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 251435a..eef0b89 100644
index bd22f86..88251d2 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
@ -1120,7 +1116,7 @@ index 251435a..eef0b89 100644
{
#ifdef CONFIG_KEXEC
- if (acpi_rsdp)
+ if (acpi_rsdp && !efi_enabled(EFI_SECURE_BOOT))
+ if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL))
return acpi_rsdp;
#endif
@ -1128,7 +1124,7 @@ index 251435a..eef0b89 100644
1.8.1.2
From 1bc68fa7cb2ea5983ab1de20fd881eed74e214cb Mon Sep 17 00:00:00 2001
From c937b2c8e179bfdadb6617c0028f558e4d701e46 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Tue, 4 Sep 2012 11:55:13 -0400
Subject: [PATCH 15/19] kexec: Disable in a secure boot environment
@ -1160,7 +1156,7 @@ index 5e4bd78..dd464e0 100644
1.8.1.2
From b6ec4b0890d4cb00c17b4a1dee6da84bb5fff597 Mon Sep 17 00:00:00 2001
From f08e390045266d53543a55afa16ca4be5a1c6316 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 5 Oct 2012 10:12:48 -0400
Subject: [PATCH 16/19] MODSIGN: Always enforce module signing in a Secure Boot
@ -1179,10 +1175,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/kernel/cred.c b/kernel/cred.c
index 3f5be65..a381e27 100644
index c3f4e3e..c5554e0 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -623,11 +623,19 @@ void __init cred_init(void)
@@ -565,11 +565,19 @@ void __init cred_init(void)
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
}
@ -1203,10 +1199,10 @@ index 3f5be65..a381e27 100644
/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
diff --git a/kernel/module.c b/kernel/module.c
index 3e544f4..7a9a802 100644
index eab0827..93a16dc 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -106,9 +106,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
#ifdef CONFIG_MODULE_SIG
#ifdef CONFIG_MODULE_SIG_FORCE
@ -1222,7 +1218,7 @@ index 3e544f4..7a9a802 100644
1.8.1.2
From 19d340a563439ab3892159510bb3ba7730bf9ea9 Mon Sep 17 00:00:00 2001
From 54ba1eec5847d964b1d458a240b50271b9a356a4 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 26 Oct 2012 14:02:09 -0400
Subject: [PATCH 17/19] hibernate: Disable in a Secure Boot environment
@ -1294,7 +1290,7 @@ index b26f5f1..7f63cb4 100644
len = p ? p - buf : n;
diff --git a/kernel/power/main.c b/kernel/power/main.c
index f458238..734bc26 100644
index 1c16f91..4f915fc 100644
--- a/kernel/power/main.c
+++ b/kernel/power/main.c
@@ -15,6 +15,7 @@
@ -1336,7 +1332,7 @@ index 4ed81e7..b11a0f4 100644
1.8.1.2
From a0f61de745510aade63ef7694cecf11cb98559cf Mon Sep 17 00:00:00 2001
From 686090054f6c3784218b318c7adcc3c1f0ca5069 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 18/19] efi: Disable secure boot if shim is in insecure mode
@ -1353,10 +1349,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 4983e43..eea615a 100644
index 96bd86b..6e1331c 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -733,8 +733,9 @@ fail:
@@ -851,8 +851,9 @@ fail:
static int get_secure_boot(efi_system_table_t *_table)
{
@ -1367,7 +1363,7 @@ index 4983e43..eea615a 100644
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;
@@ -758,6 +759,23 @@ static int get_secure_boot(efi_system_table_t *_table)
@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table)
if (setup == 1)
return 0;
@ -1395,7 +1391,7 @@ index 4983e43..eea615a 100644
1.8.1.2
From 5467b18cc9b3475658328a38ad6922d6b32c87ca Mon Sep 17 00:00:00 2001
From df607d2d5061b04f8a686cd74edd72c1f2836d8c Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 19/19] x86: Lock down MSR writing in secure boot
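Review bot: In patch 14/19 (drivers/acpi/osl.c) the refreshed patch appears to guard the `acpi_rsdp` override with `capable(CAP_COMPROMISE_KERNEL)` where the previous version used `!efi_enabled(EFI_SECURE_BOOT)`, and the description paragraph it drops gave the reason for the old form: this path is set up through setup_arch, before security_init has set up security_ops, so a capable call cannot be used there. If that ordering still holds for the kernel this patchset targets (not visible on this page), the check may not enforce the lockdown and a user-supplied RSDP address could be honoured on a Secure Boot system; keeping `if (acpi_rsdp && !efi_enabled(EFI_SECURE_BOOT))` would avoid depending on the security hooks being initialised. If the switch is intentional, the patch description should state why capable() is now safe this early instead of only removing the old rationale. The enclosing function starts and ends outside the hunk.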