Refresh SB patchset to fix bisectability issue

Josh Boyer 2016-10-27 10:49:53 -04:00
parent 793d04075c
commit ea38f2f938
21 changed files with 166 additions and 146 deletions


@ -1,4 +1,4 @@
From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001
From 36d02761fc952f8190fca75bb4b81c2c7b7ddf68 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH 04/20] ACPI: Limit access to custom_method
@ -27,5 +27,5 @@ index c68e72414a67..4277938af700 100644
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
--
2.4.3
2.9.3


@ -1,7 +1,7 @@
From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001
From ba3f737b8521314b62edaa7d4cc4bdc9aeefe394 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
Subject: [PATCH 4/9] Add EFI signature data types
Subject: [PATCH 15/20] Add EFI signature data types
Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification.
@ -11,14 +11,14 @@ Upstream-status: Fedora mustard for now
Signed-off-by: David Howells <dhowells@redhat.com>
---
include/linux/efi.h | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
include/linux/efi.h | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 8cb38cfcba74..8c274b4ea8e6 100644
index 5af91b58afae..190858d62fe3 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -647,6 +647,9 @@ void efi_native_runtime_setup(void);
@@ -603,6 +603,9 @@ void efi_native_runtime_setup(void);
#define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID EFI_GUID(0xe03fc20a, 0x85dc, 0x406e, 0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95)
#define LINUX_EFI_LOADER_ENTRY_GUID EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
@ -28,7 +28,7 @@ index 8cb38cfcba74..8c274b4ea8e6 100644
typedef struct {
efi_guid_t guid;
u64 table;
@@ -879,6 +885,20 @@ typedef struct {
@@ -853,6 +856,20 @@ typedef struct {
efi_memory_desc_t entry[0];
} efi_memory_attributes_table_t;
@ -50,5 +50,5 @@ index 8cb38cfcba74..8c274b4ea8e6 100644
* All runtime access to EFI goes through this structure:
*/
--
2.5.5
2.9.3


@ -1,7 +1,7 @@
From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
From 822b4b3eb76ca451a416a51f0a7bfedfa5c5ea39 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
@ -17,10 +17,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
create mode 100644 crypto/asymmetric_keys/efi_parser.c
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index e28e912000a7..94024e8aedaa 100644
index 331f6baf2df8..5f9002d3192e 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
@@ -61,4 +61,12 @@ config SIGNED_PE_FILE_VERIFICATION
This option provides support for verifying the signature(s) on a
signed PE binary.
@ -160,10 +160,10 @@ index 000000000000..636feb18b733
+ return 0;
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 8c274b4ea8e6..ff1877145aa4 100644
index 190858d62fe3..668aa1244885 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
@@ -1025,6 +1025,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
char * __init efi_md_typeattr_format(char *buf, size_t size,
const efi_memory_desc_t *md);
@ -175,5 +175,5 @@ index 8c274b4ea8e6..ff1877145aa4 100644
* efi_range_is_wc - check the WC bit on an address range
* @start: starting kvirt address
--
2.5.5
2.9.3


@ -1,8 +1,8 @@
From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001
From 6b6203b92cfb457a0669a9c87a29b360405bffc6 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
Subject: [PATCH] Add option to automatically enforce module signatures when in
Secure Boot mode
Subject: [PATCH 10/20] Add option to automatically enforce module signatures
when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
@ -34,10 +34,10 @@ index 95a4d34af3fd..b8527c6b7646 100644
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 0a7b885964ba..29b8ba9ae713 100644
index bada636d1065..d666ef8b616c 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1776,6 +1776,17 @@ config EFI_MIXED
@@ -1786,6 +1786,17 @@ config EFI_MIXED
If unsure, say N.
@ -56,7 +56,7 @@ index 0a7b885964ba..29b8ba9ae713 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 52fef606bc54..6b8b9a775b46 100644
index cc69e37548db..ebc85c1eefd6 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
@ -67,7 +67,7 @@ index 52fef606bc54..6b8b9a775b46 100644
#include "../string.h"
#include "eboot.h"
@@ -571,6 +572,67 @@ free_handle:
@@ -537,6 +538,67 @@ static void setup_efi_pci(struct boot_params *params)
efi_call_early(free_pool, pci_handle);
}
@ -135,7 +135,7 @@ index 52fef606bc54..6b8b9a775b46 100644
static efi_status_t
setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
{
@@ -1126,6 +1188,10 @@ struct boot_params *efi_main(struct efi_config *c,
@@ -1094,6 +1156,10 @@ struct boot_params *efi_main(struct efi_config *c,
else
setup_boot_services32(efi_early);
@ -161,10 +161,10 @@ index c18ce67495fa..2b3e5427097b 100644
* The sentinel is set to a nonzero value (0xff) in header.S.
*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index c4e7b3991b60..bdb9881c7afd 100644
index bbfbca5fea0c..d40e961753c9 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
@ -178,10 +178,10 @@ index c4e7b3991b60..bdb9881c7afd 100644
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
diff --git a/include/linux/module.h b/include/linux/module.h
index 082298a09df1..38d0597f7615 100644
index 05bd6c989a0c..32327704e18d 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table \
struct notifier_block;
@ -195,10 +195,10 @@ index 082298a09df1..38d0597f7615 100644
extern int modules_disabled; /* for sysctl */
diff --git a/kernel/module.c b/kernel/module.c
index 3c384968f553..ea484f3a35b2 100644
index cb864505d020..cb1f1da69bf4 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
@@ -4285,6 +4285,13 @@ void module_layout(struct module *mod,
EXPORT_SYMBOL(module_layout);
#endif
@ -213,5 +213,5 @@ index 3c384968f553..ea484f3a35b2 100644
{
#ifdef CONFIG_MODULE_SIG
--
2.5.5
2.9.3


@ -1,7 +1,7 @@
From 3213f1513a744fb21b6b9e4d4f2650a204855b3e Mon Sep 17 00:00:00 2001
From 80d2d273b36b33d46820ab128c7a5b068389f643 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 17:58:15 -0400
Subject: [PATCH] Add secure_modules() call
Subject: [PATCH 01/20] Add secure_modules() call
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
@ -17,7 +17,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
2 files changed, 16 insertions(+)
diff --git a/include/linux/module.h b/include/linux/module.h
index 0c3207d..05bd6c9 100644
index 0c3207d26ac0..05bd6c989a0c 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -641,6 +641,8 @@ static inline bool is_livepatch_module(struct module *mod)
@ -41,10 +41,10 @@ index 0c3207d..05bd6c9 100644
#ifdef CONFIG_SYSFS
diff --git a/kernel/module.c b/kernel/module.c
index 529efae..0332fdd 100644
index f57dd63186e6..cb864505d020 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod,
@@ -4284,3 +4284,13 @@ void module_layout(struct module *mod,
}
EXPORT_SYMBOL(module_layout);
#endif
@ -59,5 +59,5 @@ index 529efae..0332fdd 100644
+}
+EXPORT_SYMBOL(secure_modules);
--
2.9.2
2.9.3


@ -1,7 +1,7 @@
From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001
From d9e0379e8d3cb51efe4e2b1a5a60c52c2c40bdfb Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
Date: Fri, 30 Aug 2013 09:28:51 -0400
Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode
Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode
Bugzilla: N/A
Upstream-status: Fedora mustard
@ -16,7 +16,7 @@ Upstream-status: Fedora mustard
7 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index a666b6c29c77..7732c769937b 100644
index b93183336674..dab2882927c2 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -70,6 +70,11 @@
@ -70,7 +70,7 @@ index a666b6c29c77..7732c769937b 100644
.notifier_call = dump_kernel_offset
};
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index abe1a927b332..f4126fcec10c 100644
index 92595b98e7ed..894ed3f74f04 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
@ -82,10 +82,10 @@ index abe1a927b332..f4126fcec10c 100644
input_set_drvdata(udev->dev, udev);
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index e5139402e7f8..5ef2e04a03ad 100644
index 52bbd27e93ae..594bd731253a 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
@@ -479,6 +479,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
/* x: May be registered on mips for TLB dump */
/* x: May be registered on ppc/powerpc for xmon */
/* x: May be registered on sparc64 for global PMU dump */
@ -93,7 +93,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
NULL, /* x */
/* y: May be registered on sparc64 for global register dump */
NULL, /* y */
@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
@@ -522,7 +523,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
sysrq_key_table[i] = op_p;
}
@ -102,7 +102,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
{
struct sysrq_key_op *op_p;
int orig_log_level;
@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask)
@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask)
op_p = __sysrq_get_key_op(key);
if (op_p) {
@ -119,7 +119,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
pr_cont("%s\n", op_p->action_msg);
console_loglevel = orig_log_level;
op_p->handler(key);
@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask)
@@ -578,7 +583,7 @@ void __handle_sysrq(int key, bool check_mask)
void handle_sysrq(int key)
{
if (sysrq_on())
@ -128,7 +128,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
}
EXPORT_SYMBOL(handle_sysrq);
@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state)
@@ -659,7 +664,7 @@ static void sysrq_do_reset(unsigned long _state)
static void sysrq_handle_reset_request(struct sysrq_state *state)
{
if (state->reset_requested)
@ -137,7 +137,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
if (sysrq_reset_downtime_ms)
mod_timer(&state->keyreset_timer,
@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
@@ -810,8 +815,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
default:
if (sysrq->active && value && value != 2) {
@ -149,7 +149,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
}
break;
}
@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
@@ -1095,7 +1102,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
if (get_user(c, buf))
return -EFAULT;
@ -159,7 +159,7 @@ index e5139402e7f8..5ef2e04a03ad 100644
return count;
diff --git a/include/linux/input.h b/include/linux/input.h
index 1e967694e9a5..2b56c6f9673c 100644
index a65e3b24fb18..8b0357175049 100644
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -42,6 +42,7 @@ struct input_value {
@ -229,10 +229,10 @@ index 2a20c0dfdafc..3d17205dab77 100644
return 0;
diff --git a/kernel/module.c b/kernel/module.c
index ea484f3a35b2..84b00659b0ee 100644
index cb1f1da69bf4..5933c27ba19e 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void)
@@ -270,7 +270,7 @@ static void module_assert_mutex_or_preempt(void)
#endif
}
@ -242,5 +242,5 @@ index ea484f3a35b2..84b00659b0ee 100644
module_param(sig_enforce, bool_enable_only, 0644);
#endif /* !CONFIG_MODULE_SIG_FORCE */
--
2.5.5
2.9.3


@ -1,7 +1,7 @@
From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001
From 2a54526850121cd0d7cf649a321488b4dab5731d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring
Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
@ -78,10 +78,10 @@ index fbd4647767e9..5bc291a3d261 100644
extern struct key *ima_blacklist_keyring;
diff --git a/init/Kconfig b/init/Kconfig
index a9c4aefd5436..e5449d5aeff9 100644
index 34407f15e6d3..461ad575a608 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION
@@ -1859,6 +1859,15 @@ config SYSTEM_DATA_VERIFICATION
module verification, kexec image verification and firmware blob
verification.
@ -98,5 +98,5 @@ index a9c4aefd5436..e5449d5aeff9 100644
bool "Profiling support"
help
--
2.5.5
2.9.3


@ -1,7 +1,7 @@
From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
From 8a4535bcfe24d317be675e53cdc8c61d22fdc7f3 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
Subject: [PATCH 18/20] MODSIGN: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring. This
@ -20,11 +20,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
certs/system_keyring.c | 13 ++++++
include/keys/system_keyring.h | 1 +
include/linux/efi.h | 6 +++
init/Kconfig | 9 ++++
kernel/Makefile | 3 ++
kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++
6 files changed, 131 insertions(+)
5 files changed, 125 insertions(+)
create mode 100644 kernel/modsign_uefi.c
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
@ -63,28 +62,11 @@ index 5bc291a3d261..56ff5715ab67 100644
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;
diff --git a/include/linux/efi.h b/include/linux/efi.h
index ff1877145aa4..2483de19c719 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -658,6 +658,12 @@ typedef struct {
u64 table;
} efi_config_table_64_t;
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
+
+#define EFI_SHIM_LOCK_GUID \
+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
+
typedef struct {
efi_guid_t guid;
u32 table;
diff --git a/init/Kconfig b/init/Kconfig
index e5449d5aeff9..5408c96f6604 100644
index 461ad575a608..93646fd7b1c8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
@@ -2009,6 +2009,15 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
@ -101,7 +83,7 @@ index e5449d5aeff9..5408c96f6604 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
index e2ec54e2b952..8dab549985d8 100644
index eb26e12c6c2a..e0c2268cb97e 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -57,6 +57,7 @@ endif
@ -227,5 +209,5 @@ index 000000000000..fe4a6f2bf10a
+}
+late_initcall(load_uefi_certs);
--
2.5.5
2.9.3


@ -1,7 +1,7 @@
From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
From 9d2e5c61d5adcf7911f67ed44a1b0ff881f175bb Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Thu, 3 Oct 2013 10:14:23 -0400
Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index 03f601a0052c..321c79a3b282 100644
index fe4a6f2bf10a..a41da14b1ffd 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
@ -82,5 +82,5 @@ index 03f601a0052c..321c79a3b282 100644
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
--
2.5.5
2.9.3


@ -1,7 +1,8 @@
From 6f756b32a45b022428e33ce20181e874c73ca82e Mon Sep 17 00:00:00 2001
From 03a4ad09f20944e1917abfd24d1d0e5f107a2861 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500
Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is
enabled
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
@ -17,7 +18,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index bcd10c7..a950301 100644
index bcd10c795284..a950301496f3 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -30,6 +30,7 @@
@ -59,7 +60,7 @@ index bcd10c7..a950301 100644
}
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 2408abe..59f321c 100644
index 2408abe4ee8c..59f321c56c18 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@ -92,7 +93,7 @@ index 2408abe..59f321c 100644
/* Make sure the caller is mapping a real resource for this device */
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
index b91c4da..98f5637 100644
index b91c4da68365..98f5637304d1 100644
--- a/drivers/pci/syscall.c
+++ b/drivers/pci/syscall.c
@@ -10,6 +10,7 @@
@ -113,5 +114,5 @@ index b91c4da..98f5637 100644
dev = pci_get_bus_and_slot(bus, dfn);
--
2.9.2
2.9.3


@ -1,7 +1,7 @@
From 3dfb34906e9e57e70bd497ee21e8d59325c841d2 Mon Sep 17 00:00:00 2001
From 9f31204f829da97f99f7aacf30f0ddc26e456df7 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500
Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is
restricted
Allowing users to write to address space makes it possible for the kernel
@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 5bb1985..74ee6a4 100644
index 7f1a7ab5850d..d6a6f05fbc1c 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
if (p != *ppos)
return -EFBIG;
@ -27,7 +27,7 @@ index 5bb1985..74ee6a4 100644
if (!valid_phys_addr_range(p, count))
return -EFAULT;
@@ -515,6 +518,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
@@ -516,6 +519,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
if (!pfn_valid(PFN_DOWN(p)))
return -EIO;
@ -38,5 +38,5 @@ index 5bb1985..74ee6a4 100644
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
--
2.7.4
2.9.3


@ -1,4 +1,4 @@
From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001
From ee880324686af8bb212fc088495ea528e3042cd6 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 739a4a6b3b9b..9ef2a020a7a9 100644
index 416953a42510..4887e343c7fd 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -40,6 +40,7 @@
@ -25,7 +25,7 @@ index 739a4a6b3b9b..9ef2a020a7a9 100644
#include <asm/io.h>
#include <asm/uaccess.h>
@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
acpi_physical_address __init acpi_os_get_root_pointer(void)
{
#ifdef CONFIG_KEXEC
@ -35,5 +35,5 @@ index 739a4a6b3b9b..9ef2a020a7a9 100644
#endif
--
2.4.3
2.9.3


@ -1,4 +1,4 @@
From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001
From ebbd8d01acdf472594f7e43e9a4274745c402e8e Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module
@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index efbc3f0c592b..071171be4b7f 100644
index ce6ca31a2d09..55d23994d6a2 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1868,6 +1868,9 @@ static int show_dsts(struct seq_file *m, void *data)
@@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)
int err;
u32 retval = -1;
@ -29,7 +29,7 @@ index efbc3f0c592b..071171be4b7f 100644
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
if (err < 0)
@@ -1884,6 +1887,9 @@ static int show_devs(struct seq_file *m, void *data)
@@ -1888,6 +1891,9 @@ static int show_devs(struct seq_file *m, void *data)
int err;
u32 retval = -1;
@ -39,7 +39,7 @@ index efbc3f0c592b..071171be4b7f 100644
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
&retval);
@@ -1908,6 +1914,9 @@ static int show_call(struct seq_file *m, void *data)
@@ -1912,6 +1918,9 @@ static int show_call(struct seq_file *m, void *data)
union acpi_object *obj;
acpi_status status;
@ -50,5 +50,5 @@ index efbc3f0c592b..071171be4b7f 100644
1, asus->debug.method_id,
&input, &output);
--
2.4.3
2.9.3


@ -1,7 +1,7 @@
From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001
From a8883aff32f1e15b65e210462804aa2a9ab9a0b6 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400
Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit
Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled.
@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
2 files changed, 3 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index bdb9881c7afd..a666b6c29c77 100644
index d40e961753c9..b93183336674 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot) {
@ -27,10 +27,10 @@ index bdb9881c7afd..a666b6c29c77 100644
#endif
diff --git a/include/linux/efi.h b/include/linux/efi.h
index c2db3ca22217..8cb38cfcba74 100644
index ce943d5accfd..5af91b58afae 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
@@ -1046,6 +1046,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_ARCH_1 7 /* First arch-specific bit */
#define EFI_DBG 8 /* Print additional debug info at runtime */
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
@ -39,5 +39,5 @@ index c2db3ca22217..8cb38cfcba74 100644
#ifdef CONFIG_EFI
/*
--
2.5.5
2.9.3


@ -0,0 +1,31 @@
From 3a9fe1504e08824d894bb3a804c6a313f5d1be8a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 25 Oct 2016 12:54:11 -0400
Subject: [PATCH 11/20] efi: Add SHIM and image security database GUID
definitions
Add the definitions for shim and image security database, both of which
are used widely in various Linux distros.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
include/linux/efi.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 2d089487d2da..ce943d5accfd 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -592,6 +592,9 @@ void efi_native_runtime_setup(void);
#define EFI_MEMORY_ATTRIBUTES_TABLE_GUID EFI_GUID(0xdcfa911d, 0x26eb, 0x469f, 0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
#define EFI_CONSOLE_OUT_DEVICE_GUID EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4, 0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
+#define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
+#define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
+
/*
* This GUID is used to pass to the kernel proper the struct screen_info
* structure that was populated by the stub based on the GOP protocol instance
--
2.9.3
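Review bot: The two `+#define` lines in the include/linux/efi.h hunk add GUIDs with no comment saying which UEFI variables they are the vendor GUID for, while the block comment that follows them documents the next GUID in the file. The consumers are elsewhere in this series (the MODSIGN import patch reads `db` and `MokListRT`, the shim patch reads `MokIgnoreDB`), so a reader of efi.h has to locate those call sites to learn what the constants mean. I would put `/* Vendor GUID of the UEFI image security database variables (db, dbx, ...) */` above EFI_IMAGE_SECURITY_DATABASE_GUID and `/* Vendor GUID used by shim for its MokList* variables */` above EFI_SHIM_LOCK_GUID; as far as I can tell the values match the UEFI specification and shim, but that is worth a second look since a wrong GUID silently makes every lookup fail. The surrounding #define run continues outside the hunk.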


@ -1,7 +1,7 @@
From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001
From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode
Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 6b8b9a775b46..b3a5364d31c6 100644
index ebc85c1eefd6..50e027f388d8 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -574,8 +574,9 @@ free_handle:
@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)
static int get_secure_boot(void)
{
@ -29,7 +29,7 @@ index 6b8b9a775b46..b3a5364d31c6 100644
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;
@@ -599,6 +600,23 @@ static int get_secure_boot(void)
@@ -565,6 +566,23 @@ static int get_secure_boot(void)
if (setup == 1)
return 0;
@ -54,5 +54,5 @@ index 6b8b9a775b46..b3a5364d31c6 100644
}
--
2.5.5
2.9.3


@ -1,7 +1,7 @@
From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001
From 6c56c15ec618a508b0eca98571780a8b7114cb92 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 20 Jun 2014 08:53:24 -0400
Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment
Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index fca9254280ee..ffd8644078b2 100644
index b26dbc48c75b..ab187ad3fc61 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -29,6 +29,7 @@
@ -25,7 +25,7 @@ index fca9254280ee..ffd8644078b2 100644
#include <trace/events/power.h>
#include "power.h"
@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
bool hibernation_available(void)
{
@ -35,5 +35,5 @@ index fca9254280ee..ffd8644078b2 100644
/**
--
2.5.5
2.9.3


@ -549,7 +549,9 @@ Patch481: x86-Restrict-MSR-access-when-module-loading-is-restr.patch
Patch482: Add-option-to-automatically-enforce-module-signature.patch
Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
Patch483: efi-Add-SHIM-and-image-security-database-GUID-defini.patch
Patch484: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
@ -2147,6 +2149,9 @@ fi
#
#
%changelog
* Thu Oct 27 2016 Josh Boyer <jwboyer@fedoraproject.org>
- Refresh SB patchset to fix bisectability issue
* Thu Oct 27 2016 Justin M. Forbes <jforbes@fedoraproject.org>
- CVE-2016-9083 CVE-2016-9084 vfio multiple flaws (rhbz 1389258 1389259 1389285)


@ -1,7 +1,7 @@
From 6306cad6e5663424c08e5ebdfdcfd799c5537bfe Mon Sep 17 00:00:00 2001
From 85968a9f0b3f05c56d4ac4002748f3412a9baab0 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 03:33:56 -0400
Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which
@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 8 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 4c5edc357923..db431971dbd4 100644
index 980936a90ee6..fce28bf7d5d7 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -10,6 +10,7 @@
@@ -12,6 +12,7 @@
#include <linux/mm.h>
#include <linux/file.h>
#include <linux/kexec.h>
@ -25,7 +25,7 @@ index 4c5edc357923..db431971dbd4 100644
#include <linux/mutex.h>
#include <linux/list.h>
#include <linux/syscalls.h>
@@ -133,6 +134,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
@@ -194,6 +195,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
return -EPERM;
/*
@ -40,5 +40,5 @@ index 4c5edc357923..db431971dbd4 100644
* This leaves us room for future extensions.
*/
--
2.4.3
2.9.3


@ -1,7 +1,8 @@
From 8010b5eb4680df797575e6306d4d891200e303ab Mon Sep 17 00:00:00 2001
From e7817a96c7ef1b502dba6f70b75f9e8993a8750b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500
Subject: [PATCH] x86: Lock down IO port access when module security is enabled
Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
enabled
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
@ -45,10 +46,10 @@ index 589b3193f102..ab8372443efb 100644
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 71025c2f6bbb..86e5bfa91563 100644
index 5bb1985ec484..7f1a7ab5850d 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -27,6 +27,7 @@
@@ -28,6 +28,7 @@
#include <linux/export.h>
#include <linux/io.h>
#include <linux/uio.h>
@ -56,7 +57,7 @@ index 71025c2f6bbb..86e5bfa91563 100644
#include <linux/uaccess.h>
@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
unsigned long i = *ppos;
const char __user *tmp = buf;
@ -67,5 +68,5 @@ index 71025c2f6bbb..86e5bfa91563 100644
return -EFAULT;
while (count-- > 0 && i < 65536) {
--
2.5.5
2.9.3


@ -1,4 +1,4 @@
From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001
From 85539b332c79fbce1b9f371ff1a2a8d489e65110 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
@ -15,10 +15,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
1 file changed, 7 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 113e70784854..26c2f83fc470 100644
index 7f3550acde1b..963ba4011923 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
@@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0;
ssize_t bytes = 0;
@ -28,7 +28,7 @@ index 113e70784854..26c2f83fc470 100644
if (count % 8)
return -EINVAL; /* Invalid chunk size */
@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
@@ -130,6 +133,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
err = -EBADF;
break;
}
@ -40,5 +40,5 @@ index 113e70784854..26c2f83fc470 100644
err = -EFAULT;
break;
--
2.4.3
2.9.3