Linux v4.20-10911-g645ff1e8e704
Dropped part of the efi-lockdown patchset for IMA until conflicts get resolved.
This commit is contained in:
Laura Abbott
parent
cca46e0b1d
commit
dd000cd2fd
|
|
@ -1,60 +0,0 @@
|
|||
From 0451d4e795929a69a0fda6d960aa4b077c5bd179 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Fri, 5 May 2017 08:21:58 +0100
|
||||
Subject: [PATCH 1/4] efi: Add EFI signature data types
|
||||
|
||||
Add the data types that are used for containing hashes, keys and
|
||||
certificates for cryptographic verification along with their corresponding
|
||||
type GUIDs.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
include/linux/efi.h | 25 +++++++++++++++++++++++++
|
||||
1 file changed, 25 insertions(+)
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index ec36f42..3259ad6 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -614,6 +614,10 @@ void efi_native_runtime_setup(void);
|
||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
|
||||
#define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
|
||||
|
||||
+#define EFI_CERT_SHA256_GUID EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
|
||||
+#define EFI_CERT_X509_GUID EFI_GUID(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
|
||||
+#define EFI_CERT_X509_SHA256_GUID EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed)
|
||||
+
|
||||
/*
|
||||
* This GUID is used to pass to the kernel proper the struct screen_info
|
||||
* structure that was populated by the stub based on the GOP protocol instance
|
||||
@@ -873,6 +877,27 @@ typedef struct {
|
||||
efi_memory_desc_t entry[0];
|
||||
} efi_memory_attributes_table_t;
|
||||
|
||||
+typedef struct {
|
||||
+ efi_guid_t signature_owner;
|
||||
+ u8 signature_data[];
|
||||
+} efi_signature_data_t;
|
||||
+
|
||||
+typedef struct {
|
||||
+ efi_guid_t signature_type;
|
||||
+ u32 signature_list_size;
|
||||
+ u32 signature_header_size;
|
||||
+ u32 signature_size;
|
||||
+ u8 signature_header[];
|
||||
+ /* efi_signature_data_t signatures[][] */
|
||||
+} efi_signature_list_t;
|
||||
+
|
||||
+typedef u8 efi_sha256_hash_t[32];
|
||||
+
|
||||
+typedef struct {
|
||||
+ efi_sha256_hash_t to_be_signed_hash;
|
||||
+ efi_time_t time_of_revocation;
|
||||
+} efi_cert_x509_sha256_t;
|
||||
+
|
||||
/*
|
||||
* All runtime access to EFI goes through this structure:
|
||||
*/
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
From e4c62c12635a371e43bd17e8d33a936668264491 Mon Sep 17 00:00:00 2001
|
||||
From 73e105771858bf39aeabcbcd2f7b002c24ac4bb0 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Fri, 5 May 2017 08:21:58 +0100
|
||||
Subject: [PATCH 2/4] efi: Add an EFI signature blob parser
|
||||
Subject: [PATCH] efi: Add an EFI signature blob parser
|
||||
|
||||
Add a function to parse an EFI signature blob looking for elements of
|
||||
interest. A list is made up of a series of sublists, where all the
|
||||
|
|
@ -18,21 +18,20 @@ function in turn.
|
|||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
certs/Kconfig | 8 ++++
|
||||
certs/Makefile | 1 +
|
||||
certs/efi_parser.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
include/linux/efi.h | 9 +++++
|
||||
4 files changed, 130 insertions(+)
|
||||
certs/Kconfig | 8 ++++
|
||||
certs/Makefile | 1 +
|
||||
certs/efi_parser.c | 112 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 121 insertions(+)
|
||||
create mode 100644 certs/efi_parser.c
|
||||
|
||||
diff --git a/certs/Kconfig b/certs/Kconfig
|
||||
index 6ce51ed..630ae09 100644
|
||||
index c94e93d8bccf..650ffcb8db79 100644
|
||||
--- a/certs/Kconfig
|
||||
+++ b/certs/Kconfig
|
||||
@@ -82,4 +82,12 @@ config SYSTEM_BLACKLIST_HASH_LIST
|
||||
@@ -83,4 +83,12 @@ config SYSTEM_BLACKLIST_HASH_LIST
|
||||
wrapper to incorporate the list into the kernel. Each <hash> should
|
||||
be a string of hex digits.
|
||||
|
||||
|
||||
+config EFI_SIGNATURE_LIST_PARSER
|
||||
+ bool "EFI signature list parser"
|
||||
+ depends on EFI
|
||||
|
|
@ -43,20 +42,20 @@ index 6ce51ed..630ae09 100644
|
|||
+
|
||||
endmenu
|
||||
diff --git a/certs/Makefile b/certs/Makefile
|
||||
index 4119bb3..738151a 100644
|
||||
index 5d0999b9e21b..7e5e179ac685 100644
|
||||
--- a/certs/Makefile
|
||||
+++ b/certs/Makefile
|
||||
@@ -9,6 +9,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
|
||||
@@ -10,6 +10,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
|
||||
else
|
||||
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
|
||||
endif
|
||||
+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
|
||||
|
||||
|
||||
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
|
||||
|
||||
|
||||
diff --git a/certs/efi_parser.c b/certs/efi_parser.c
|
||||
new file mode 100644
|
||||
index 0000000..4e396f9
|
||||
index 000000000000..4e396f98f5c7
|
||||
--- /dev/null
|
||||
+++ b/certs/efi_parser.c
|
||||
@@ -0,0 +1,112 @@
|
||||
|
|
@ -172,26 +171,6 @@ index 0000000..4e396f9
|
|||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 3259ad6..08024c6 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -1055,6 +1055,15 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
|
||||
char * __init efi_md_typeattr_format(char *buf, size_t size,
|
||||
const efi_memory_desc_t *md);
|
||||
|
||||
+
|
||||
+typedef void (*efi_element_handler_t)(const char *source,
|
||||
+ const void *element_data,
|
||||
+ size_t element_size);
|
||||
+extern int __init parse_efi_signature_list(
|
||||
+ const char *source,
|
||||
+ const void *data, size_t size,
|
||||
+ efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *));
|
||||
+
|
||||
/**
|
||||
* efi_range_is_wc - check the WC bit on an address range
|
||||
* @start: starting kvirt address
|
||||
--
|
||||
2.9.3
|
||||
2.20.1
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
|
|
@ -0,0 +1 @@
|
|||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
|
|
@ -0,0 +1 @@
|
|||
# CONFIG_IMA_ARCH_POLICY is not set
|
||||
|
|
@ -518,239 +518,6 @@ index f35ffdd096ad..2615669dbf03 100644
|
|||
--
|
||||
2.14.3
|
||||
|
||||
From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001
|
||||
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
||||
Date: Mon, 9 Apr 2018 09:52:45 +0100
|
||||
Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode
|
||||
|
||||
Require the "secure_boot" rules, whether or not it is specified
|
||||
on the boot command line, for both the builtin and custom policies
|
||||
in secure boot lockdown mode.
|
||||
|
||||
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------
|
||||
1 file changed, 27 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
|
||||
index 8c9499867c91..f8428f579924 100644
|
||||
--- a/security/integrity/ima/ima_policy.c
|
||||
+++ b/security/integrity/ima/ima_policy.c
|
||||
@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func)
|
||||
*/
|
||||
void __init ima_init_policy(void)
|
||||
{
|
||||
- int i, measure_entries, appraise_entries, secure_boot_entries;
|
||||
+ int i;
|
||||
+ int measure_entries = 0;
|
||||
+ int appraise_entries = 0;
|
||||
+ int secure_boot_entries = 0;
|
||||
+ bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
|
||||
|
||||
/* if !ima_policy set entries = 0 so we load NO default rules */
|
||||
- measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
|
||||
- appraise_entries = ima_use_appraise_tcb ?
|
||||
- ARRAY_SIZE(default_appraise_rules) : 0;
|
||||
- secure_boot_entries = ima_use_secure_boot ?
|
||||
- ARRAY_SIZE(secure_boot_rules) : 0;
|
||||
+ if (ima_policy)
|
||||
+ measure_entries = ARRAY_SIZE(dont_measure_rules);
|
||||
+
|
||||
+ if (ima_use_appraise_tcb)
|
||||
+ appraise_entries = ARRAY_SIZE(default_appraise_rules);
|
||||
+
|
||||
+ if (ima_use_secure_boot || kernel_locked_down)
|
||||
+ secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
|
||||
|
||||
for (i = 0; i < measure_entries; i++)
|
||||
list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
|
||||
@@ -509,12 +516,25 @@ void __init ima_init_policy(void)
|
||||
|
||||
/*
|
||||
* Insert the builtin "secure_boot" policy rules requiring file
|
||||
- * signatures, prior to any other appraise rules.
|
||||
+ * signatures, prior to any other appraise rules. In secure boot
|
||||
+ * lock-down mode, also require these appraise rules for custom
|
||||
+ * policies.
|
||||
*/
|
||||
for (i = 0; i < secure_boot_entries; i++) {
|
||||
+ struct ima_rule_entry *entry;
|
||||
+
|
||||
+ /* Include for builtin policies */
|
||||
list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
|
||||
temp_ima_appraise |=
|
||||
ima_appraise_flag(secure_boot_rules[i].func);
|
||||
+
|
||||
+ /* Include for custom policies */
|
||||
+ if (kernel_locked_down) {
|
||||
+ entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
|
||||
+ GFP_KERNEL);
|
||||
+ if (entry)
|
||||
+ list_add_tail(&entry->list, &ima_policy_rules);
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
2.17.1
|
||||
|
||||
From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 9 Apr 2018 09:52:46 +0100
|
||||
Subject: [PATCH] Enforce module signatures if the kernel is locked down
|
||||
|
||||
If the kernel is locked down, require that all modules have valid
|
||||
signatures that we can verify or that IMA can validate the file.
|
||||
|
||||
I have adjusted the errors generated:
|
||||
|
||||
(1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
|
||||
ENOKEY), then:
|
||||
|
||||
(a) If signatures are enforced then EKEYREJECTED is returned.
|
||||
|
||||
(b) If IMA will have validated the image, return 0 (okay).
|
||||
|
||||
(c) If there's no signature or we can't check it, but the kernel is
|
||||
locked down then EPERM is returned (this is then consistent with
|
||||
other lockdown cases).
|
||||
|
||||
(2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
|
||||
the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
|
||||
return the error we got.
|
||||
|
||||
Note that the X.509 code doesn't check for key expiry as the RTC might not
|
||||
be valid or might not have been transferred to the kernel's clock yet.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
|
||||
cc: "Lee, Chun-Yi" <jlee@suse.com>
|
||||
cc: James Morris <james.l.morris@oracle.com>
|
||||
---
|
||||
kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------
|
||||
1 file changed, 43 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index b046a32520d8..3bb0722c106e 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -64,6 +64,7 @@
|
||||
#include <linux/bsearch.h>
|
||||
#include <linux/dynamic_debug.h>
|
||||
#include <linux/audit.h>
|
||||
+#include <linux/ima.h>
|
||||
#include <uapi/linux/module.h>
|
||||
#include "module-internal.h"
|
||||
|
||||
@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod,
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
-static int module_sig_check(struct load_info *info, int flags)
|
||||
+static int module_sig_check(struct load_info *info, int flags,
|
||||
+ bool can_do_ima_check)
|
||||
{
|
||||
- int err = -ENOKEY;
|
||||
+ int err = -ENODATA;
|
||||
const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
|
||||
+ const char *reason;
|
||||
const void *mod = info->hdr;
|
||||
|
||||
/*
|
||||
@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags)
|
||||
err = mod_verify_sig(mod, info);
|
||||
}
|
||||
|
||||
- if (!err) {
|
||||
+ switch (err) {
|
||||
+ case 0:
|
||||
info->sig_ok = true;
|
||||
return 0;
|
||||
- }
|
||||
|
||||
- /* Not having a signature is only an error if we're strict. */
|
||||
- if (err == -ENOKEY && !is_module_sig_enforced())
|
||||
- err = 0;
|
||||
+ /* We don't permit modules to be loaded into trusted kernels
|
||||
+ * without a valid signature on them, but if we're not
|
||||
+ * enforcing, certain errors are non-fatal.
|
||||
+ */
|
||||
+ case -ENODATA:
|
||||
+ reason = "Loading of unsigned module";
|
||||
+ goto decide;
|
||||
+ case -ENOPKG:
|
||||
+ reason = "Loading of module with unsupported crypto";
|
||||
+ goto decide;
|
||||
+ case -ENOKEY:
|
||||
+ reason = "Loading of module with unavailable key";
|
||||
+ decide:
|
||||
+ if (sig_enforce) {
|
||||
+ pr_notice("%s is rejected\n", reason);
|
||||
+ return -EKEYREJECTED;
|
||||
+ }
|
||||
|
||||
- return err;
|
||||
+ if (can_do_ima_check && is_ima_appraise_enabled())
|
||||
+ return 0;
|
||||
+ if (kernel_is_locked_down(reason))
|
||||
+ return -EPERM;
|
||||
+ return 0;
|
||||
+
|
||||
+ /* All other errors are fatal, including nomem, unparseable
|
||||
+ * signatures and signature check failures - even if signatures
|
||||
+ * aren't required.
|
||||
+ */
|
||||
+ default:
|
||||
+ return err;
|
||||
+ }
|
||||
}
|
||||
#else /* !CONFIG_MODULE_SIG */
|
||||
-static int module_sig_check(struct load_info *info, int flags)
|
||||
+static int module_sig_check(struct load_info *info, int flags,
|
||||
+ bool can_do_ima_check)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
|
||||
/* Allocate and load the module: note that size of section 0 is always
|
||||
zero, and we rely on this for optional sections. */
|
||||
static int load_module(struct load_info *info, const char __user *uargs,
|
||||
- int flags)
|
||||
+ int flags, bool can_do_ima_check)
|
||||
{
|
||||
struct module *mod;
|
||||
long err = 0;
|
||||
@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
|
||||
goto free_copy;
|
||||
}
|
||||
|
||||
- err = module_sig_check(info, flags);
|
||||
+ err = module_sig_check(info, flags, can_do_ima_check);
|
||||
if (err)
|
||||
goto free_copy;
|
||||
|
||||
@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
- return load_module(&info, uargs, 0);
|
||||
+ return load_module(&info, uargs, 0, false);
|
||||
}
|
||||
|
||||
SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
|
||||
@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
|
||||
info.hdr = hdr;
|
||||
info.len = size;
|
||||
|
||||
- return load_module(&info, uargs, flags);
|
||||
+ return load_module(&info, uargs, flags, true);
|
||||
}
|
||||
|
||||
static inline int within(unsigned long addr, void *start, unsigned long size)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Date: Mon, 9 Apr 2018 09:52:46 +0100
|
||||
|
|
|
|||
2
gitrev
2
gitrev
|
|
@ -1 +1 @@
|
|||
8e143b90e4d45cca3dc53760d3cfab988bc74571
|
||||
645ff1e8e704c4f33ab1fcd3c87f95cb9b6d7144
|
||||
|
|
|
|||
|
|
@ -2503,6 +2503,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -6287,6 +6288,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2486,6 +2486,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -6264,6 +6265,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2626,6 +2626,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -6693,6 +6694,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2495,6 +2495,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -6286,6 +6287,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2479,6 +2479,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -6264,6 +6265,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2610,6 +2610,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -6671,6 +6672,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2199,6 +2199,7 @@ CONFIG_IIO_TRIGGER=y
|
|||
# CONFIG_IKCONFIG is not set
|
||||
CONFIG_IMA_APPRAISE_BOOTPARAM=y
|
||||
# CONFIG_IMA_APPRAISE is not set
|
||||
# CONFIG_IMA_ARCH_POLICY is not set
|
||||
# CONFIG_IMA_BLACKLIST_KEYRING is not set
|
||||
CONFIG_IMA_DEFAULT_HASH_SHA1=y
|
||||
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
|
||||
|
|
@ -2331,6 +2332,7 @@ CONFIG_INT3406_THERMAL=m
|
|||
CONFIG_INT340X_THERMAL=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEL_ATOMISP2_PM=m
|
||||
|
|
@ -5871,6 +5873,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2181,6 +2181,7 @@ CONFIG_IIO_TRIGGER=y
|
|||
# CONFIG_IKCONFIG is not set
|
||||
CONFIG_IMA_APPRAISE_BOOTPARAM=y
|
||||
# CONFIG_IMA_APPRAISE is not set
|
||||
# CONFIG_IMA_ARCH_POLICY is not set
|
||||
# CONFIG_IMA_BLACKLIST_KEYRING is not set
|
||||
CONFIG_IMA_DEFAULT_HASH_SHA1=y
|
||||
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
|
||||
|
|
@ -2313,6 +2314,7 @@ CONFIG_INT3406_THERMAL=m
|
|||
CONFIG_INT340X_THERMAL=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEL_ATOMISP2_PM=m
|
||||
|
|
@ -5849,6 +5851,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2156,6 +2156,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -5537,6 +5538,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2138,6 +2138,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -5513,6 +5514,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2109,6 +2109,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -5433,6 +5434,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2091,6 +2091,7 @@ CONFIG_INPUT=y
|
|||
CONFIG_INPUT_YEALINK=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEL_IDMA64 is not set
|
||||
|
|
@ -5409,6 +5410,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2241,6 +2241,7 @@ CONFIG_IIO_TRIGGER=y
|
|||
# CONFIG_IKCONFIG is not set
|
||||
CONFIG_IMA_APPRAISE_BOOTPARAM=y
|
||||
# CONFIG_IMA_APPRAISE is not set
|
||||
# CONFIG_IMA_ARCH_POLICY is not set
|
||||
# CONFIG_IMA_BLACKLIST_KEYRING is not set
|
||||
CONFIG_IMA_DEFAULT_HASH_SHA1=y
|
||||
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
|
||||
|
|
@ -2376,6 +2377,7 @@ CONFIG_INT3406_THERMAL=m
|
|||
CONFIG_INT340X_THERMAL=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEL_ATOMISP2_PM=m
|
||||
|
|
@ -5915,6 +5917,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -2223,6 +2223,7 @@ CONFIG_IIO_TRIGGER=y
|
|||
# CONFIG_IKCONFIG is not set
|
||||
CONFIG_IMA_APPRAISE_BOOTPARAM=y
|
||||
# CONFIG_IMA_APPRAISE is not set
|
||||
# CONFIG_IMA_ARCH_POLICY is not set
|
||||
# CONFIG_IMA_BLACKLIST_KEYRING is not set
|
||||
CONFIG_IMA_DEFAULT_HASH_SHA1=y
|
||||
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
|
||||
|
|
@ -2358,6 +2359,7 @@ CONFIG_INT3406_THERMAL=m
|
|||
CONFIG_INT340X_THERMAL=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEL_ATOMISP2_PM=m
|
||||
|
|
@ -5893,6 +5895,7 @@ CONFIG_TOUCHSCREEN_MMS114=m
|
|||
CONFIG_TOUCHSCREEN_MTOUCH=m
|
||||
CONFIG_TOUCHSCREEN_PENMOUNT=m
|
||||
CONFIG_TOUCHSCREEN_PIXCIR=m
|
||||
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW is not set
|
||||
CONFIG_TOUCHSCREEN_RM_TS=m
|
||||
# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
|
||||
# CONFIG_TOUCHSCREEN_S6SY761 is not set
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ Summary: The Linux kernel
|
|||
# The rc snapshot level
|
||||
%global rcrev 0
|
||||
# The git snapshot level
|
||||
%define gitrev 5
|
||||
%define gitrev 6
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 4.%{upstream_sublevel}.0
|
||||
%endif
|
||||
|
|
@ -539,8 +539,6 @@ Patch201: efi-lockdown.patch
|
|||
|
||||
Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
|
||||
|
||||
Patch203: Add-EFI-signature-data-types.patch
|
||||
|
||||
Patch204: Add-an-EFI-signature-blob-parser-and-key-loader.patch
|
||||
|
||||
Patch205: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
|
||||
|
|
@ -1878,6 +1876,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Jan 03 2019 Laura Abbott <labbott@redhat.com> - 4.21.0-0.rc0.git6.1
|
||||
- Linux v4.20-10911-g645ff1e8e704
|
||||
|
||||
* Wed Jan 02 2019 Laura Abbott <labbott@redhat.com> - 4.21.0-0.rc0.git5.1
|
||||
- Linux v4.20-10595-g8e143b90e4d4
|
||||
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.20.tar.xz) = e282399beea5da539701aed2bc131abd5bc74a970dcd344163e9d295106dfd700180e672ed546ae5e55bc6b9ac95efd5ca1de2039015c1b7a6fc9c01ea6583d4
|
||||
SHA512 (patch-4.20-git5.xz) = 8735ac8abb204356c45534465cb14765c6e36d0b062b469bb4a439d64c1fafc81b650841ba5cfde93fc23d81266c9981b72cec52ad22777f52b96082b9b69e81
|
||||
SHA512 (patch-4.20-git6.xz) = 8529bfd268ea6edb0d958a717c70271565b85ce3a0f712d7ba72cf61c4f4c7323a346dbde886d5ab34e4dd92588f966dd36fdd327be8b1f89305bae82b3c87e7
|
||||
|
|
|
|||
Loading…
Reference in New Issue