diff --git a/ACPI-Limit-access-to-custom_method.patch b/ACPI-Limit-access-to-custom_method.patch index 38236753e..44d2a004d 100644 --- a/ACPI-Limit-access-to-custom_method.patch +++ b/ACPI-Limit-access-to-custom_method.patch @@ -1,4 +1,4 @@ -From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001 +From 36d02761fc952f8190fca75bb4b81c2c7b7ddf68 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/20] ACPI: Limit access to custom_method @@ -27,5 +27,5 @@ index c68e72414a67..4277938af700 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.4.3 +2.9.3 diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch index 23402354e..c376c48b3 100644 --- a/Add-EFI-signature-data-types.patch +++ b/Add-EFI-signature-data-types.patch @@ -1,7 +1,7 @@ -From 5216de8394ff599e41c8540c0572368c18c51459 Mon Sep 17 00:00:00 2001 +From ba3f737b8521314b62edaa7d4cc4bdc9aeefe394 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:30:54 -0400 -Subject: [PATCH 4/9] Add EFI signature data types +Subject: [PATCH 15/20] Add EFI signature data types Add the data types that are used for containing hashes, keys and certificates for cryptographic verification. @@ -11,14 +11,14 @@ Upstream-status: Fedora mustard for now Signed-off-by: David Howells --- - include/linux/efi.h | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) + include/linux/efi.h | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) diff --git a/include/linux/efi.h b/include/linux/efi.h -index 8cb38cfcba74..8c274b4ea8e6 100644 +index 5af91b58afae..190858d62fe3 100644 --- a/include/linux/efi.h 
+++ b/include/linux/efi.h -@@ -647,6 +647,9 @@ void efi_native_runtime_setup(void); +@@ -603,6 +603,9 @@ void efi_native_runtime_setup(void); #define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID EFI_GUID(0xe03fc20a, 0x85dc, 0x406e, 0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95) #define LINUX_EFI_LOADER_ENTRY_GUID EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f) @@ -28,7 +28,7 @@ index 8cb38cfcba74..8c274b4ea8e6 100644 typedef struct { efi_guid_t guid; u64 table; -@@ -879,6 +885,20 @@ typedef struct { +@@ -853,6 +856,20 @@ typedef struct { efi_memory_desc_t entry[0]; } efi_memory_attributes_table_t; @@ -50,5 +50,5 @@ index 8cb38cfcba74..8c274b4ea8e6 100644 * All runtime access to EFI goes through this structure: */ -- -2.5.5 +2.9.3 diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch index 3697a4b74..f57abc9f2 100644 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -1,7 +1,7 @@ -From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001 +From 822b4b3eb76ca451a416a51f0a7bfedfa5c5ea39 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader. +Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. @@ -17,10 +17,10 @@ Signed-off-by: David Howells create mode 100644 crypto/asymmetric_keys/efi_parser.c diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig -index e28e912000a7..94024e8aedaa 100644 +index 331f6baf2df8..5f9002d3192e 100644 --- a/crypto/asymmetric_keys/Kconfig 
+++ b/crypto/asymmetric_keys/Kconfig -@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION +@@ -61,4 +61,12 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. @@ -160,10 +160,10 @@ index 000000000000..636feb18b733 + return 0; +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index 8c274b4ea8e6..ff1877145aa4 100644 +index 190858d62fe3..668aa1244885 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm, +@@ -1025,6 +1025,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm, char * __init efi_md_typeattr_format(char *buf, size_t size, const efi_memory_desc_t *md); @@ -175,5 +175,5 @@ index 8c274b4ea8e6..ff1877145aa4 100644 * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- -2.5.5 +2.9.3 diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch index aa1983377..ebabac62e 100644 --- a/Add-option-to-automatically-enforce-module-signature.patch +++ b/Add-option-to-automatically-enforce-module-signature.patch @@ -1,8 +1,8 @@ -From 0000dc9edd5997cc49b8893a9d5407f89dfa1307 Mon Sep 17 00:00:00 2001 +From 6b6203b92cfb457a0669a9c87a29b360405bffc6 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH] Add option to automatically enforce module signatures when in - Secure Boot mode +Subject: [PATCH 10/20] Add option to automatically enforce module signatures + when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -34,10 +34,10 @@ index 95a4d34af3fd..b8527c6b7646 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table 
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 0a7b885964ba..29b8ba9ae713 100644 +index bada636d1065..d666ef8b616c 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1776,6 +1776,17 @@ config EFI_MIXED +@@ -1786,6 +1786,17 @@ config EFI_MIXED If unsure, say N. @@ -56,7 +56,7 @@ index 0a7b885964ba..29b8ba9ae713 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 52fef606bc54..6b8b9a775b46 100644 +index cc69e37548db..ebc85c1eefd6 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -67,7 +67,7 @@ index 52fef606bc54..6b8b9a775b46 100644 #include "../string.h" #include "eboot.h" -@@ -571,6 +572,67 @@ free_handle: +@@ -537,6 +538,67 @@ static void setup_efi_pci(struct boot_params *params) efi_call_early(free_pool, pci_handle); } @@ -135,7 +135,7 @@ index 52fef606bc54..6b8b9a775b46 100644 static efi_status_t setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height) { -@@ -1126,6 +1188,10 @@ struct boot_params *efi_main(struct efi_config *c, +@@ -1094,6 +1156,10 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); @@ -161,10 +161,10 @@ index c18ce67495fa..2b3e5427097b 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index c4e7b3991b60..bdb9881c7afd 100644 +index bbfbca5fea0c..d40e961753c9 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -178,10 +178,10 @@ index c4e7b3991b60..bdb9881c7afd 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ 
diff --git a/include/linux/module.h b/include/linux/module.h -index 082298a09df1..38d0597f7615 100644 +index 05bd6c989a0c..32327704e18d 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); +@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table \ struct notifier_block; @@ -195,10 +195,10 @@ index 082298a09df1..38d0597f7615 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 3c384968f553..ea484f3a35b2 100644 +index cb864505d020..cb1f1da69bf4 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod, +@@ -4285,6 +4285,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -213,5 +213,5 @@ index 3c384968f553..ea484f3a35b2 100644 { #ifdef CONFIG_MODULE_SIG -- -2.5.5 +2.9.3 diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch index 1cbf3afd9..99d04c43e 100644 --- a/Add-secure_modules-call.patch +++ b/Add-secure_modules-call.patch @@ -1,7 +1,7 @@ -From 3213f1513a744fb21b6b9e4d4f2650a204855b3e Mon Sep 17 00:00:00 2001 +From 80d2d273b36b33d46820ab128c7a5b068389f643 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH] Add secure_modules() call +Subject: [PATCH 01/20] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load @@ -17,7 +17,7 @@ Signed-off-by: Matthew Garrett 2 files changed, 16 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index 0c3207d..05bd6c9 100644 +index 0c3207d26ac0..05bd6c989a0c 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -641,6 +641,8 @@ static inline bool is_livepatch_module(struct module *mod) 
@@ -41,10 +41,10 @@ index 0c3207d..05bd6c9 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 529efae..0332fdd 100644 +index f57dd63186e6..cb864505d020 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod, +@@ -4284,3 +4284,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -59,5 +59,5 @@ index 529efae..0332fdd 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.9.2 +2.9.3 diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch index 3cecd1399..edd6039f9 100644 --- a/Add-sysrq-option-to-disable-secure-boot-mode.patch +++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch @@ -1,7 +1,7 @@ -From e27a9a98dcf3ff95568593026da065a72ad21b92 Mon Sep 17 00:00:00 2001 +From d9e0379e8d3cb51efe4e2b1a5a60c52c2c40bdfb Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Fri, 30 Aug 2013 09:28:51 -0400 -Subject: [PATCH 9/9] Add sysrq option to disable secure boot mode +Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode Bugzilla: N/A Upstream-status: Fedora mustard @@ -16,7 +16,7 @@ Upstream-status: Fedora mustard 7 files changed, 64 insertions(+), 9 deletions(-) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index a666b6c29c77..7732c769937b 100644 +index b93183336674..dab2882927c2 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -70,6 +70,11 @@ @@ -70,7 +70,7 @@ index a666b6c29c77..7732c769937b 100644 .notifier_call = dump_kernel_offset }; diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index abe1a927b332..f4126fcec10c 100644 +index 92595b98e7ed..894ed3f74f04 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c @@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev) @@ -82,10 +82,10 @@ index abe1a927b332..f4126fcec10c 100644 input_set_drvdata(udev->dev, udev); 
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index e5139402e7f8..5ef2e04a03ad 100644 +index 52bbd27e93ae..594bd731253a 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c -@@ -478,6 +478,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { +@@ -479,6 +479,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { /* x: May be registered on mips for TLB dump */ /* x: May be registered on ppc/powerpc for xmon */ /* x: May be registered on sparc64 for global PMU dump */ @@ -93,7 +93,7 @@ index e5139402e7f8..5ef2e04a03ad 100644 NULL, /* x */ /* y: May be registered on sparc64 for global register dump */ NULL, /* y */ -@@ -521,7 +522,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) +@@ -522,7 +523,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) sysrq_key_table[i] = op_p; } @@ -102,7 +102,7 @@ index e5139402e7f8..5ef2e04a03ad 100644 { struct sysrq_key_op *op_p; int orig_log_level; -@@ -541,11 +542,15 @@ void __handle_sysrq(int key, bool check_mask) +@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask) op_p = __sysrq_get_key_op(key); if (op_p) { @@ -119,7 +119,7 @@ index e5139402e7f8..5ef2e04a03ad 100644 pr_cont("%s\n", op_p->action_msg); console_loglevel = orig_log_level; op_p->handler(key); -@@ -577,7 +582,7 @@ void __handle_sysrq(int key, bool check_mask) +@@ -578,7 +583,7 @@ void __handle_sysrq(int key, bool check_mask) void handle_sysrq(int key) { if (sysrq_on()) @@ -128,7 +128,7 @@ index e5139402e7f8..5ef2e04a03ad 100644 } EXPORT_SYMBOL(handle_sysrq); -@@ -658,7 +663,7 @@ static void sysrq_do_reset(unsigned long _state) +@@ -659,7 +664,7 @@ static void sysrq_do_reset(unsigned long _state) static void sysrq_handle_reset_request(struct sysrq_state *state) { if (state->reset_requested) 
@@ -137,7 +137,7 @@ index e5139402e7f8..5ef2e04a03ad 100644 if (sysrq_reset_downtime_ms) mod_timer(&state->keyreset_timer, -@@ -809,8 +814,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, +@@ -810,8 +815,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, default: if (sysrq->active && value && value != 2) { @@ -149,7 +149,7 @@ index e5139402e7f8..5ef2e04a03ad 100644 } break; } -@@ -1094,7 +1101,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, +@@ -1095,7 +1102,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, if (get_user(c, buf)) return -EFAULT; @@ -159,7 +159,7 @@ index e5139402e7f8..5ef2e04a03ad 100644 return count; diff --git a/include/linux/input.h b/include/linux/input.h -index 1e967694e9a5..2b56c6f9673c 100644 +index a65e3b24fb18..8b0357175049 100644 --- a/include/linux/input.h +++ b/include/linux/input.h @@ -42,6 +42,7 @@ struct input_value { @@ -229,10 +229,10 @@ index 2a20c0dfdafc..3d17205dab77 100644 return 0; diff --git a/kernel/module.c b/kernel/module.c -index ea484f3a35b2..84b00659b0ee 100644 +index cb1f1da69bf4..5933c27ba19e 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -269,7 +269,7 @@ static void module_assert_mutex_or_preempt(void) +@@ -270,7 +270,7 @@ static void module_assert_mutex_or_preempt(void) #endif } @@ -242,5 +242,5 @@ index ea484f3a35b2..84b00659b0ee 100644 module_param(sig_enforce, bool_enable_only, 0644); #endif /* !CONFIG_MODULE_SIG_FORCE */ -- -2.5.5 +2.9.3 diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch index 4f5678a15..262c960b8 100644 --- a/KEYS-Add-a-system-blacklist-keyring.patch +++ b/KEYS-Add-a-system-blacklist-keyring.patch @@ -1,7 +1,7 @@ -From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001 +From 2a54526850121cd0d7cf649a321488b4dab5731d Mon Sep 17 00:00:00 2001 
From: Josh Boyer Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring +Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules @@ -78,10 +78,10 @@ index fbd4647767e9..5bc291a3d261 100644 extern struct key *ima_blacklist_keyring; diff --git a/init/Kconfig b/init/Kconfig -index a9c4aefd5436..e5449d5aeff9 100644 +index 34407f15e6d3..461ad575a608 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION +@@ -1859,6 +1859,15 @@ config SYSTEM_DATA_VERIFICATION module verification, kexec image verification and firmware blob verification. @@ -98,5 +98,5 @@ index a9c4aefd5436..e5449d5aeff9 100644 bool "Profiling support" help -- -2.5.5 +2.9.3 diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch index 05be7a028..752ba4631 100644 --- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -1,7 +1,7 @@ -From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001 +From 8a4535bcfe24d317be675e53cdc8c61d22fdc7f3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 12:42:16 -0400 -Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot +Subject: [PATCH 18/20] MODSIGN: Import certificates from UEFI Secure Boot Secure Boot stores a list of allowed certificates in the 'db' variable. This imports those certificates into the system trusted keyring. This @@ -20,11 +20,10 @@ 
Signed-off-by: Josh Boyer --- certs/system_keyring.c | 13 ++++++ include/keys/system_keyring.h | 1 + - include/linux/efi.h | 6 +++ init/Kconfig | 9 ++++ kernel/Makefile | 3 ++ kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++ - 6 files changed, 131 insertions(+) + 5 files changed, 125 insertions(+) create mode 100644 kernel/modsign_uefi.c diff --git a/certs/system_keyring.c b/certs/system_keyring.c @@ -63,28 +62,11 @@ index 5bc291a3d261..56ff5715ab67 100644 #ifdef CONFIG_IMA_BLACKLIST_KEYRING extern struct key *ima_blacklist_keyring; -diff --git a/include/linux/efi.h b/include/linux/efi.h -index ff1877145aa4..2483de19c719 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -658,6 +658,12 @@ typedef struct { - u64 table; - } efi_config_table_64_t; - -+#define EFI_IMAGE_SECURITY_DATABASE_GUID \ -+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f ) -+ -+#define EFI_SHIM_LOCK_GUID \ -+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 ) -+ - typedef struct { - efi_guid_t guid; - u32 table; diff --git a/init/Kconfig b/init/Kconfig -index e5449d5aeff9..5408c96f6604 100644 +index 461ad575a608..93646fd7b1c8 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL +@@ -2009,6 +2009,15 @@ config MODULE_SIG_ALL comment "Do not forget to sign required modules with scripts/sign-file" depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL @@ -101,7 +83,7 @@ index e5449d5aeff9..5408c96f6604 100644 prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG diff --git a/kernel/Makefile b/kernel/Makefile -index e2ec54e2b952..8dab549985d8 100644 +index eb26e12c6c2a..e0c2268cb97e 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -57,6 +57,7 @@ endif @@ -227,5 +209,5 @@ index 000000000000..fe4a6f2bf10a +} +late_initcall(load_uefi_certs); -- -2.5.5 +2.9.3 
diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch index 3339ce76e..d7087b5e7 100644 --- a/MODSIGN-Support-not-importing-certs-from-db.patch +++ b/MODSIGN-Support-not-importing-certs-from-db.patch @@ -1,7 +1,7 @@ -From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001 +From 9d2e5c61d5adcf7911f67ed44a1b0ff881f175bb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 3 Oct 2013 10:14:23 -0400 -Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db +Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c -index 03f601a0052c..321c79a3b282 100644 +index fe4a6f2bf10a..a41da14b1ffd 100644 --- a/kernel/modsign_uefi.c +++ b/kernel/modsign_uefi.c @@ -8,6 +8,23 @@ @@ -82,5 +82,5 @@ index 03f601a0052c..321c79a3b282 100644 mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -- -2.5.5 +2.9.3 diff --git a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 9500b96d2..e30b337c1 100644 --- a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,8 @@ -From 6f756b32a45b022428e33ce20181e874c73ca82e Mon Sep 17 00:00:00 2001 +From 03a4ad09f20944e1917abfd24d1d0e5f107a2861 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH] PCI: Lock down BAR access when module security is enabled +Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is + enabled Any hardware that can potentially generate DMA has to be locked down from userspace in order to avoid it being possible for an attacker to modify @@ -17,7 +18,7 @@ Signed-off-by: Matthew Garrett 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index bcd10c7..a950301 100644 +index bcd10c795284..a950301496f3 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -30,6 +30,7 @@ @@ -59,7 +60,7 @@ index bcd10c7..a950301 100644 } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 2408abe..59f321c 100644 +index 2408abe4ee8c..59f321c56c18 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, @@ -92,7 +93,7 @@ index 2408abe..59f321c 100644 /* Make sure the caller is mapping a real resource for this device */ diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index b91c4da..98f5637 100644 +index b91c4da68365..98f5637304d1 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -10,6 +10,7 @@ @@ -113,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.9.2 +2.9.3 diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 7cd4eb574..24f1d5b5d 100644 --- a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ -From 3dfb34906e9e57e70bd497ee21e8d59325c841d2 Mon Sep 17 00:00:00 2001 +From 9f31204f829da97f99f7aacf30f0ddc26e456df7 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 5bb1985..74ee6a4 100644 +index 7f1a7ab5850d..d6a6f05fbc1c 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c -@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, +@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, if (p != *ppos) return -EFBIG; @@ -27,7 +27,7 @@ index 5bb1985..74ee6a4 100644 if (!valid_phys_addr_range(p, count)) return -EFAULT; -@@ -515,6 +518,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, +@@ -516,6 +519,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, if (!pfn_valid(PFN_DOWN(p))) return -EIO; @@ -38,5 +38,5 @@ index 5bb1985..74ee6a4 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.7.4 +2.9.3 diff --git a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 2794b155f..89d59424b 100644 --- a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,4 +1,4 @@ -From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001 +From ee880324686af8bb212fc088495ea528e3042cd6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 739a4a6b3b9b..9ef2a020a7a9 100644 +index 416953a42510..4887e343c7fd 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ @@ -25,7 +25,7 @@ index 739a4a6b3b9b..9ef2a020a7a9 100644 #include #include -@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -35,5 +35,5 @@ index 739a4a6b3b9b..9ef2a020a7a9 100644 #endif -- -2.4.3 +2.9.3 diff --git a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 3ab7b85ea..7e70e4f1a 100644 --- a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,4 +1,4 @@ -From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001 +From ebbd8d01acdf472594f7e43e9a4274745c402e8e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module @@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index efbc3f0c592b..071171be4b7f 100644 +index ce6ca31a2d09..55d23994d6a2 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c -@@ -1868,6 +1868,9 @@ static int show_dsts(struct seq_file *m, void *data) +@@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data) int err; u32 retval = -1; @@ -29,7 +29,7 @@ index efbc3f0c592b..071171be4b7f 100644 err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); if (err < 0) -@@ -1884,6 +1887,9 @@ static int show_devs(struct seq_file *m, void *data) +@@ -1888,6 +1891,9 @@ static int show_devs(struct seq_file *m, void *data) int err; u32 retval = -1; 
@@ -39,7 +39,7 @@ index efbc3f0c592b..071171be4b7f 100644
  err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, &retval);
-@@ -1908,6 +1914,9 @@ static int show_call(struct seq_file *m, void *data)
+@@ -1912,6 +1918,9 @@ static int show_call(struct seq_file *m, void *data)
  union acpi_object *obj;
  acpi_status status;
@@ -50,5 +50,5 @@ index efbc3f0c592b..071171be4b7f 100644
  1, asus->debug.method_id, &input, &output);
 --
-2.4.3
+2.9.3
diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch
index dca2eb296..c44010322 100644
--- a/efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -1,7 +1,7 @@
-From 04e65e01058ed6357b932e64b19e4bf762f04970 Mon Sep 17 00:00:00 2001
+From a8883aff32f1e15b65e210462804aa2a9ab9a0b6 Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 2/9] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit
 UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled.
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer
 2 files changed, 3 insertions(+)
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index bdb9881c7afd..a666b6c29c77 100644
+index d40e961753c9..b93183336674 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
  #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
  if (boot_params.secure_boot) {
@@ -27,10 +27,10 @@ index bdb9881c7afd..a666b6c29c77 100644
  #endif
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index c2db3ca22217..8cb38cfcba74 100644
+index ce943d5accfd..5af91b58afae 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1046,6 +1046,7 @@ extern int __init efi_setup_pcdp_console(char *);
  #define EFI_ARCH_1 7 /* First arch-specific bit */
  #define EFI_DBG 8 /* Print additional debug info at runtime */
  #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
@@ -39,5 +39,5 @@ index c2db3ca22217..8cb38cfcba74 100644
  #ifdef CONFIG_EFI
  /*
 --
-2.5.5
+2.9.3
diff --git a/efi-Add-SHIM-and-image-security-database-GUID-defini.patch b/efi-Add-SHIM-and-image-security-database-GUID-defini.patch
new file mode 100644
index 000000000..4d380ea76
--- /dev/null
+++ b/efi-Add-SHIM-and-image-security-database-GUID-defini.patch
@@ -0,0 +1,31 @@
+From 3a9fe1504e08824d894bb3a804c6a313f5d1be8a Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Tue, 25 Oct 2016 12:54:11 -0400
+Subject: [PATCH 11/20] efi: Add SHIM and image security database GUID
+ definitions
+Add the definitions for shim and image security database, both of which
+are used widely in various Linux distros.
+
+Signed-off-by: Josh Boyer
+---
+ include/linux/efi.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 2d089487d2da..ce943d5accfd 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -592,6 +592,9 @@ void efi_native_runtime_setup(void);
+ #define EFI_MEMORY_ATTRIBUTES_TABLE_GUID EFI_GUID(0xdcfa911d, 0x26eb, 0x469f, 0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
+ #define EFI_CONSOLE_OUT_DEVICE_GUID EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4, 0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
+
++#define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
++#define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
++
+ /*
+ * This GUID is used to pass to the kernel proper the struct screen_info
+ * structure that was populated by the stub based on the GOP protocol instance
+--
+2.9.3
+
diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
index 7d4a46e15..761a66ff7 100644
--- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
@@ -1,7 +1,7 @@
-From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001
+From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001
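Review bot: The two `#define`s added in the efi.h hunk of this new patch carry no comment saying which UEFI variables they are the vendor GUID for, so a reader has to look them up in the UEFI specification and the shim sources. Suggest a one-line comment above each: `/* vendor GUID of the UEFI image security databases (db, dbx, dbt) */` over EFI_IMAGE_SECURITY_DATABASE_GUID and `/* vendor GUID of the variables shim publishes (MokListRT, MokSBState, ...) */` over EFI_SHIM_LOCK_GUID. The kernel.spec change in this same commit moves this patch ahead of efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch, which presumably is the consumer of EFI_SHIM_LOCK_GUID; stating that dependency in this patch's commit message would record the ordering constraint next to the definitions rather than only in the spec changelog.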
 From: Josh Boyer
 Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode
+Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode
 A user can manually tell the shim boot loader to disable validation of images it loads. When a user does this, it creates a UEFI variable called
@@ -15,10 +15,10 @@ Signed-off-by: Josh Boyer
 1 file changed, 19 insertions(+), 1 deletion(-)
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 6b8b9a775b46..b3a5364d31c6 100644
+index ebc85c1eefd6..50e027f388d8 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
-@@ -574,8 +574,9 @@ free_handle:
+@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)
  static int get_secure_boot(void)
  {
@@ -29,7 +29,7 @@ index 6b8b9a775b46..b3a5364d31c6 100644
  efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
  efi_status_t status;
-@@ -599,6 +600,23 @@ static int get_secure_boot(void)
+@@ -565,6 +566,23 @@ static int get_secure_boot(void)
  if (setup == 1)
  return 0;
@@ -54,5 +54,5 @@ index 6b8b9a775b46..b3a5364d31c6 100644
  }
 --
-2.5.5
+2.9.3
diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch
index bea2892ee..0cbf94137 100644
--- a/hibernate-Disable-in-a-signed-modules-environment.patch
+++ b/hibernate-Disable-in-a-signed-modules-environment.patch
@@ -1,7 +1,7 @@
-From e07815cf02eadb245fa60359133b122f9ffe9045 Mon Sep 17 00:00:00 2001
+From 6c56c15ec618a508b0eca98571780a8b7114cb92 Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 3/9] hibernate: Disable in a signed modules environment
+Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment
 There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index fca9254280ee..ffd8644078b2 100644
+index b26dbc48c75b..ab187ad3fc61 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@
@@ -25,7 +25,7 @@ index fca9254280ee..ffd8644078b2 100644
  #include
  #include "power.h"
-@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
+@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
  bool hibernation_available(void)
  {
@@ -35,5 +35,5 @@ index fca9254280ee..ffd8644078b2 100644
  /**
 --
-2.5.5
+2.9.3
diff --git a/kernel.spec b/kernel.spec
index a4777910a..0f116f42f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -549,7 +549,9 @@ Patch481: x86-Restrict-MSR-access-when-module-loading-is-restr.patch
 Patch482: Add-option-to-automatically-enforce-module-signature.patch
-Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+Patch483: efi-Add-SHIM-and-image-security-database-GUID-defini.patch
+
+Patch484: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
 Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -2147,6 +2149,9 @@ fi
 #
 #
 %changelog
+* Thu Oct 27 2016 Josh Boyer
+- Refresh SB patchset to fix bisectability issue
+
 * Thu Oct 27 2016 Justin M. Forbes
 - CVE-2016-9083 CVE-2016-9084 vfio multiple flaws (rhbz 1389258 1389259 1389285)
diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
index a5832ea70..ec8675eb4 100644
--- a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
@@ -1,7 +1,7 @@
-From 6306cad6e5663424c08e5ebdfdcfd799c5537bfe Mon Sep 17 00:00:00 2001
+From 85968a9f0b3f05c56d4ac4002748f3412a9baab0 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
  loading restrictions
 kexec permits the loading and execution of arbitrary code in ring 0, which
@@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett
 1 file changed, 8 insertions(+)
 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 4c5edc357923..db431971dbd4 100644
+index 980936a90ee6..fce28bf7d5d7 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
-@@ -10,6 +10,7 @@
+@@ -12,6 +12,7 @@
  #include
  #include
  #include
@@ -25,7 +25,7 @@ index 4c5edc357923..db431971dbd4 100644
  #include
  #include
  #include
-@@ -133,6 +134,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+@@ -194,6 +195,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
  return -EPERM;
  /*
@@ -40,5 +40,5 @@ index 4c5edc357923..db431971dbd4 100644
  * This leaves us room for future extensions.
  */
 --
-2.4.3
+2.9.3
diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch
index 185b1da99..3bb42bb45 100644
--- a/x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch
@@ -1,7 +1,8 @@
-From 8010b5eb4680df797575e6306d4d891200e303ab Mon Sep 17 00:00:00 2001
+From e7817a96c7ef1b502dba6f70b75f9e8993a8750b Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH] x86: Lock down IO port access when module security is enabled
+Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
+ enabled
 IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register
@@ -45,10 +46,10 @@ index 589b3193f102..ab8372443efb 100644
  }
  regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 71025c2f6bbb..86e5bfa91563 100644
+index 5bb1985ec484..7f1a7ab5850d 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
-@@ -27,6 +27,7 @@
+@@ -28,6 +28,7 @@
  #include
  #include
  #include
@@ -56,7 +57,7 @@ index 71025c2f6bbb..86e5bfa91563 100644
  #include
-@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
  unsigned long i = *ppos;
  const char __user *tmp = buf;
@@ -67,5 +68,5 @@ index 71025c2f6bbb..86e5bfa91563 100644
  return -EFAULT;
  while (count-- > 0 && i < 65536) {
 --
-2.5.5
+2.9.3
diff --git a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
index 5c91ab143..71b5b2edb 100644
--- a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch
@@ -1,4 +1,4 @@
-From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001
+From 85539b332c79fbce1b9f371ff1a2a8d489e65110 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 8 Feb 2013 11:12:13 -0800
 Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
@@ -15,10 +15,10 @@ Signed-off-by: Matthew Garrett
 1 file changed, 7 insertions(+)
 diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 113e70784854..26c2f83fc470 100644
+index 7f3550acde1b..963ba4011923 100644
 --- a/arch/x86/kernel/msr.c
 +++ b/arch/x86/kernel/msr.c
-@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+@@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
  int err = 0;
  ssize_t bytes = 0;
@@ -28,7 +28,7 @@ index 113e70784854..26c2f83fc470 100644
  if (count % 8)
  return -EINVAL; /* Invalid chunk size */
-@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+@@ -130,6 +133,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
  err = -EBADF;
  break;
  }
@@ -40,5 +40,5 @@ index 113e70784854..26c2f83fc470 100644
  err = -EFAULT;
  break;
 --
-2.4.3
+2.9.3