diff --git a/0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch b/0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch deleted file mode 100644 index dd7f273..0000000 --- a/0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 5573624261ab5d54f2dea2a3e09a98729db9ecd9 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Wed, 30 Apr 2014 15:24:19 +0200 -Subject: [PATCH 1/2] acpi-video: Add 4 new models to the use_native_backlight - dmi list - -Acer Aspire V5-171 -https://bugzilla.redhat.com/show_bug.cgi?id=983342 - -Acer Aspire V5-471G -Lenovo Yoga 2 11 -Reported-and-tested-by: Vincent Gerris - -HP EliteBook 8470p -https://bugzilla.redhat.com/show_bug.cgi?id=1093120 - -Cc: stable@vger.kernel.org -Signed-off-by: Hans de Goede ---- - drivers/acpi/video.c | 32 ++++++++++++++++++++++++++++++++ - 1 file changed, 32 insertions(+) - -diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c -index 8b6990e..48146fc 100644 ---- a/drivers/acpi/video.c -+++ b/drivers/acpi/video.c -@@ -488,6 +488,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { - }, - }, - { -+ .callback = video_set_use_native_backlight, -+ .ident = "Lenovo Yoga 2 11", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 2 11"), -+ }, -+ }, -+ { - .callback = video_set_use_native_backlight, - .ident = "Thinkpad Helix", - .matches = { -@@ -513,6 +521,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { - }, - { - .callback = video_set_use_native_backlight, -+ .ident = "Acer Aspire V5-171", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "V5-171"), -+ }, -+ }, -+ { -+ .callback = video_set_use_native_backlight, - .ident = "Acer Aspire V5-431", - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "Acer"), -@@ -520,6 +536,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { - }, - }, - { -+ .callback = video_set_use_native_backlight, -+ .ident = "Acer Aspire V5-471G", -+ .matches = { -+ DMI_MATCH(DMI_BOARD_VENDOR, "Acer"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire V5-471G"), -+ }, -+ }, -+ { - .callback = video_set_use_native_backlight, - .ident = "HP ProBook 4340s", - .matches = { -@@ -571,6 +595,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { - }, - { - .callback = video_set_use_native_backlight, -+ .ident = "HP EliteBook 8470p", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook 8470p"), -+ }, -+ }, -+ { -+ .callback = video_set_use_native_backlight, - .ident = "HP EliteBook 8780w", - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), --- -1.9.0 - diff --git a/0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch b/0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch deleted file mode 100644 index aab1c4e..0000000 --- a/0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch +++ /dev/null @@ -1,138 +0,0 @@ -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1021036 -Upstream-status: Send upstream for 3.17 - -From 0ad19912cb324f0a356a212433ec0b2a31f61acc Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Fri, 20 Jun 2014 10:29:16 +0200 -Subject: [PATCH] ideapad-laptop: Change Lenovo Yoga 2 series rfkill handling - -It seems that the same problems which lead to adding an rfkill blacklist and -putting the Lenovo Yoga 2 11 on it are also present on the Lenovo Yoga 2 13 -and Lenovo Yoga 2 Pro too: -https://bugzilla.redhat.com/show_bug.cgi?id=1021036 -https://forums.lenovo.com/t5/Linux-Discussion/Yoga-2-13-not-Pro-Linux-Warning/m-p/1517612 - -Testing has shown that the firmware rfkill settings are persistent over -reboots. So blacklisting the driver is not good enough, if the wifi is blocked -at the firmware level the wifi needs to be explictly unblocked through the -ideapad-laptop interface. - -And at least on the Lenovo Yoga 2 13 the VPCCMD_RF register which on devices -with hardware kill switch reports the hardware switch state, needs to be -explictly set to 1 (radio enabled / not blocked). - -So this patch does 3 things to get proper rfkill handling on these models: - -1) Instead of blacklisting the rfkill functionality, which means that people -with a firmware blocked wifi get stuck in that situation, ignore the value -reported by the not present hardware rfkill switch, as this is what is causing -ideapad-laptop to wrongly report all radios as hardware blocks. But do register -the rfkill interfaces so that the user can soft [un]block them. - -2) On models without a hardware rfkill switch, explictly set VPCCMD_RF to 1 - -3) Drop the " 11" postfix from the dmi match string, as the entire Yoga 2 -series is affected. - -Yoga 2 11: -Reported-and-tested-by: Vincent Gerris - -Yoga 2 13: -Tested-by: madls05 - -Yoga 2 Pro: -Reported-and-tested-by: Peter F. Patel-Schneider - -Signed-off-by: Hans de Goede ---- - drivers/platform/x86/ideapad-laptop.c | 41 +++++++++++++++++++++++------------ - 1 file changed, 27 insertions(+), 14 deletions(-) - -diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c -index b4c495a..b0e3a2e 100644 ---- a/drivers/platform/x86/ideapad-laptop.c -+++ b/drivers/platform/x86/ideapad-laptop.c -@@ -87,6 +87,7 @@ struct ideapad_private { - struct backlight_device *blightdev; - struct dentry *debug; - unsigned long cfg; -+ bool has_hw_rfkill_switch; - }; - - static bool no_bt_rfkill; -@@ -473,12 +474,14 @@ static struct rfkill_ops ideapad_rfk_ops = { - - static void ideapad_sync_rfk_state(struct ideapad_private *priv) - { -- unsigned long hw_blocked; -+ unsigned long hw_blocked = 0; - int i; - -- if (read_ec_data(priv->adev->handle, VPCCMD_R_RF, &hw_blocked)) -- return; -- hw_blocked = !hw_blocked; -+ if (priv->has_hw_rfkill_switch) { -+ if (read_ec_data(priv->adev->handle, VPCCMD_R_RF, &hw_blocked)) -+ return; -+ hw_blocked = !hw_blocked; -+ } - - for (i = 0; i < IDEAPAD_RFKILL_DEV_NUM; i++) - if (priv->rfk[i]) -@@ -821,14 +824,17 @@ static void ideapad_acpi_notify(acpi_handle handle, u32 event, void *data) - } - } - --/* Blacklist for devices where the ideapad rfkill interface does not work */ --static struct dmi_system_id rfkill_blacklist[] = { -- /* The Lenovo Yoga 2 11 always reports everything as blocked */ -+/* -+ * Some ideapads don't have a hardware rfkill switch, reading VPCCMD_R_RF -+ * always results in 0 on these models, causing ideapad_laptop to wrongly -+ * report all radios as hardware-blocked. -+ */ -+static struct dmi_system_id no_hw_rfkill_list[] = { - { -- .ident = "Lenovo Yoga 2 11", -+ .ident = "Lenovo Yoga 2 11 / 13 / Pro", - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 2 11"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 2"), - }, - }, - {} -@@ -856,6 +862,7 @@ static int ideapad_acpi_add(struct platform_device *pdev) - priv->cfg = cfg; - priv->adev = adev; - priv->platform_device = pdev; -+ priv->has_hw_rfkill_switch = !dmi_check_system(no_hw_rfkill_list); - - ret = ideapad_sysfs_init(priv); - if (ret) -@@ -869,11 +876,17 @@ static int ideapad_acpi_add(struct platform_device *pdev) - if (ret) - goto input_failed; - -- if (!dmi_check_system(rfkill_blacklist)) { -- for (i = 0; i < IDEAPAD_RFKILL_DEV_NUM; i++) -- if (test_bit(ideapad_rfk_data[i].cfgbit, &priv->cfg)) -- ideapad_register_rfkill(priv, i); -- } -+ /* -+ * On some models without a hw-switch (the yoga 2 13 at least) -+ * VPCCMD_W_RF must be explicitly set to 1 for the wifi to work. -+ */ -+ if (!priv->has_hw_rfkill_switch) -+ write_ec_cmd(priv->adev->handle, VPCCMD_W_RF, 1); -+ -+ for (i = 0; i < IDEAPAD_RFKILL_DEV_NUM; i++) -+ if (test_bit(ideapad_rfk_data[i].cfgbit, &priv->cfg)) -+ ideapad_register_rfkill(priv, i); -+ - ideapad_sync_rfk_state(priv); - ideapad_sync_touchpad_state(priv); - --- -2.0.0 - diff --git a/ACPI-Limit-access-to-custom_method.patch b/ACPI-Limit-access-to-custom_method.patch new file mode 100644 index 0000000..636c25b --- /dev/null +++ b/ACPI-Limit-access-to-custom_method.patch @@ -0,0 +1,30 @@ +From: Matthew Garrett +Date: Fri, 9 Mar 2012 08:39:37 -0500 +Subject: [PATCH] ACPI: Limit access to custom_method + +custom_method effectively allows arbitrary access to system memory, making +it possible for an attacker to circumvent restrictions on module loading. +Disable it if any such restrictions have been enabled. + +Signed-off-by: Matthew Garrett +--- + drivers/acpi/custom_method.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c +index c68e72414a67..4277938af700 100644 +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, + struct acpi_table_header table; + acpi_status status; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (!(*ppos)) { + /* parse the table header to get the table length */ + if (count <= sizeof(struct acpi_table_header)) +-- +1.9.3 + diff --git a/ARM-tegra-usb-no-reset.patch b/ARM-tegra-usb-no-reset.patch new file mode 100644 index 0000000..2f3dd68 --- /dev/null +++ b/ARM-tegra-usb-no-reset.patch @@ -0,0 +1,31 @@ +From: Peter Robinson +Date: Thu, 3 May 2012 20:27:11 +0100 +Subject: [PATCH] ARM: tegra: usb no reset + +Patch for disconnect issues with storage attached to a + tegra-ehci controller +--- + drivers/usb/core/hub.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index d481c99a20d7..6050143ce7ec 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5036,6 +5036,13 @@ static void hub_events(void) + (u16) hub->change_bits[0], + (u16) hub->event_bits[0]); + ++ /* Don't disconnect USB-SATA on TrimSlice */ ++ if (strcmp(dev_name(hdev->bus->controller), "tegra-ehci.0") == 0) { ++ if ((hdev->state == 7) && (hub->change_bits[0] == 0) && ++ (hub->event_bits[0] == 0x2)) ++ hub->event_bits[0] = 0; ++ } ++ + /* Lock the device, then check to see if we were + * disconnected while waiting for the lock to succeed. */ + usb_lock_device(hdev); +-- +1.9.3 + diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch new file mode 100644 index 0000000..b6df877 --- /dev/null +++ b/Add-EFI-signature-data-types.patch @@ -0,0 +1,56 @@ +From: Dave Howells +Date: Tue, 23 Oct 2012 09:30:54 -0400 +Subject: [PATCH] Add EFI signature data types + +Add the data types that are used for containing hashes, keys and certificates +for cryptographic verification. + +Bugzilla: N/A +Upstream-status: Fedora mustard for now + +Signed-off-by: David Howells +--- + include/linux/efi.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/include/linux/efi.h b/include/linux/efi.h +index ebe6a24cc1e1..5ce40e215f15 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -581,6 +581,12 @@ void efi_native_runtime_setup(void); + #define DEVICE_TREE_GUID \ + EFI_GUID( 0xb1b621d5, 0xf19c, 0x41a5, 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0 ) + ++#define EFI_CERT_SHA256_GUID \ ++ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 ) ++ ++#define EFI_CERT_X509_GUID \ ++ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) ++ + typedef struct { + efi_guid_t guid; + u64 table; +@@ -796,6 +802,20 @@ typedef struct _efi_file_io_interface { + + #define EFI_INVALID_TABLE_ADDR (~0UL) + ++typedef struct { ++ efi_guid_t signature_owner; ++ u8 signature_data[]; ++} efi_signature_data_t; ++ ++typedef struct { ++ efi_guid_t signature_type; ++ u32 signature_list_size; ++ u32 signature_header_size; ++ u32 signature_size; ++ u8 signature_header[]; ++ /* efi_signature_data_t signatures[][] */ ++} efi_signature_list_t; ++ + /* + * All runtime access to EFI goes through this structure: + */ +-- +1.9.3 + diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch new file mode 100644 index 0000000..e78b065 --- /dev/null +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -0,0 +1,178 @@ +From: Dave Howells +Date: Tue, 23 Oct 2012 09:36:28 -0400 +Subject: [PATCH] Add an EFI signature blob parser and key loader. + +X.509 certificates are loaded into the specified keyring as asymmetric type +keys. + +Signed-off-by: David Howells +--- + crypto/asymmetric_keys/Kconfig | 8 +++ + crypto/asymmetric_keys/Makefile | 1 + + crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++ + include/linux/efi.h | 4 ++ + 4 files changed, 122 insertions(+) + create mode 100644 crypto/asymmetric_keys/efi_parser.c + +diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig +index 4870f28403f5..4a1b50d73b80 100644 +--- a/crypto/asymmetric_keys/Kconfig ++++ b/crypto/asymmetric_keys/Kconfig +@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION + This option provides support for verifying the signature(s) on a + signed PE binary. + ++config EFI_SIGNATURE_LIST_PARSER ++ bool "EFI signature list parser" ++ depends on EFI ++ select X509_CERTIFICATE_PARSER ++ help ++ This option provides support for parsing EFI signature lists for ++ X.509 certificates and turning them into keys. ++ + endif # ASYMMETRIC_KEY_TYPE +diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile +index e47fcd9ac5e8..6512f6596785 100644 +--- a/crypto/asymmetric_keys/Makefile ++++ b/crypto/asymmetric_keys/Makefile +@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o + + obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o + obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o ++obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o + + # + # X.509 Certificate handling +diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c +new file mode 100644 +index 000000000000..424896a0b169 +--- /dev/null ++++ b/crypto/asymmetric_keys/efi_parser.c +@@ -0,0 +1,109 @@ ++/* EFI signature/key/certificate list parser ++ * ++ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#define pr_fmt(fmt) "EFI: "fmt ++#include ++#include ++#include ++#include ++#include ++ ++static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID; ++ ++/** ++ * parse_efi_signature_list - Parse an EFI signature list for certificates ++ * @data: The data blob to parse ++ * @size: The size of the data blob ++ * @keyring: The keyring to add extracted keys to ++ */ ++int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring) ++{ ++ unsigned offs = 0; ++ size_t lsize, esize, hsize, elsize; ++ ++ pr_devel("-->%s(,%zu)\n", __func__, size); ++ ++ while (size > 0) { ++ efi_signature_list_t list; ++ const efi_signature_data_t *elem; ++ key_ref_t key; ++ ++ if (size < sizeof(list)) ++ return -EBADMSG; ++ ++ memcpy(&list, data, sizeof(list)); ++ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n", ++ offs, ++ list.signature_type.b, list.signature_list_size, ++ list.signature_header_size, list.signature_size); ++ ++ lsize = list.signature_list_size; ++ hsize = list.signature_header_size; ++ esize = list.signature_size; ++ elsize = lsize - sizeof(list) - hsize; ++ ++ if (lsize > size) { ++ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n", ++ __func__, offs); ++ return -EBADMSG; ++ } ++ if (lsize < sizeof(list) || ++ lsize - sizeof(list) < hsize || ++ esize < sizeof(*elem) || ++ elsize < esize || ++ elsize % esize != 0) { ++ pr_devel("- bad size combo @%x\n", offs); ++ return -EBADMSG; ++ } ++ ++ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) { ++ data += lsize; ++ size -= lsize; ++ offs += lsize; ++ continue; ++ } ++ ++ data += sizeof(list) + hsize; ++ size -= sizeof(list) + hsize; ++ offs += sizeof(list) + hsize; ++ ++ for (; elsize > 0; elsize -= esize) { ++ elem = data; ++ ++ pr_devel("ELEM[%04x]\n", offs); ++ ++ key = key_create_or_update( ++ make_key_ref(keyring, 1), ++ "asymmetric", ++ NULL, ++ &elem->signature_data, ++ esize - sizeof(*elem), ++ (KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW, ++ KEY_ALLOC_NOT_IN_QUOTA | ++ KEY_ALLOC_TRUSTED); ++ ++ if (IS_ERR(key)) ++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", ++ PTR_ERR(key)); ++ else ++ pr_notice("Loaded cert '%s' linked to '%s'\n", ++ key_ref_to_ptr(key)->description, ++ keyring->description); ++ ++ data += esize; ++ size -= esize; ++ offs += esize; ++ } ++ } ++ ++ return 0; ++} +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 5ce40e215f15..41359e548bcb 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -906,6 +906,10 @@ extern bool efi_poweroff_required(void); + (md) <= (efi_memory_desc_t *)((m)->map_end - (m)->desc_size); \ + (md) = (void *)(md) + (m)->desc_size) + ++struct key; ++extern int __init parse_efi_signature_list(const void *data, size_t size, ++ struct key *keyring); ++ + /** + * efi_range_is_wc - check the WC bit on an address range + * @start: starting kvirt address +-- +1.9.3 + diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch new file mode 100644 index 0000000..8e2789a --- /dev/null +++ b/Add-option-to-automatically-enforce-module-signature.patch @@ -0,0 +1,185 @@ +From: Matthew Garrett +Date: Fri, 9 Aug 2013 18:36:30 -0400 +Subject: [PATCH] Add option to automatically enforce module signatures when in + Secure Boot mode + +UEFI Secure Boot provides a mechanism for ensuring that the firmware will +only load signed bootloaders and kernels. Certain use cases may also +require that all kernel modules also be signed. Add a configuration option +that enforces this automatically when enabled. + +Signed-off-by: Matthew Garrett +--- + Documentation/x86/zero-page.txt | 2 ++ + arch/x86/Kconfig | 10 ++++++++++ + arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ + arch/x86/include/uapi/asm/bootparam.h | 3 ++- + arch/x86/kernel/setup.c | 6 ++++++ + include/linux/module.h | 6 ++++++ + kernel/module.c | 7 +++++++ + 7 files changed, 69 insertions(+), 1 deletion(-) + +diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt +index 199f453cb4de..ec38acf00b40 100644 +--- a/Documentation/x86/zero-page.txt ++++ b/Documentation/x86/zero-page.txt +@@ -30,6 +30,8 @@ Offset Proto Name Meaning + 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) + 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer + (below) ++1EB/001 ALL kbd_status Numlock is enabled ++1EC/001 ALL secure_boot Secure boot is enabled in the firmware + 1EF/001 ALL sentinel Used to detect broken bootloaders + 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures + 2D0/A00 ALL e820_map E820 memory map table +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 36327438caf0..61542c282e70 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1566,6 +1566,16 @@ config EFI_MIXED + + If unsure, say N. + ++config EFI_SECURE_BOOT_SIG_ENFORCE ++ def_bool n ++ prompt "Force module signing when UEFI Secure Boot is enabled" ++ ---help--- ++ UEFI Secure Boot provides a mechanism for ensuring that the ++ firmware will only load signed bootloaders and kernels. Certain ++ use cases may also require that all kernel modules also be signed. ++ Say Y here to automatically enable module signature enforcement ++ when a system boots with UEFI Secure Boot enabled. ++ + config SECCOMP + def_bool y + prompt "Enable seccomp to safely compute untrusted bytecode" +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index de8eebd6f67c..975d11bfaf5b 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #undef memcpy /* Use memcpy from misc.c */ + +@@ -814,6 +815,37 @@ out: + return status; + } + ++static int get_secure_boot(void) ++{ ++ u8 sb, setup; ++ unsigned long datasize = sizeof(sb); ++ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; ++ efi_status_t status; ++ ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, ++ L"SecureBoot", &var_guid, NULL, &datasize, &sb); ++ ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ if (sb == 0) ++ return 0; ++ ++ ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, ++ L"SetupMode", &var_guid, NULL, &datasize, ++ &setup); ++ ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ if (setup == 1) ++ return 0; ++ ++ return 1; ++} ++ ++ + /* + * See if we have Graphics Output Protocol + */ +@@ -1389,6 +1421,10 @@ struct boot_params *efi_main(struct efi_config *c, + else + setup_boot_services32(efi_early); + ++ sanitize_boot_params(boot_params); ++ ++ boot_params->secure_boot = get_secure_boot(); ++ + setup_graphics(boot_params); + + setup_efi_pci(boot_params); +diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h +index 225b0988043a..90dbfb73e11f 100644 +--- a/arch/x86/include/uapi/asm/bootparam.h ++++ b/arch/x86/include/uapi/asm/bootparam.h +@@ -133,7 +133,8 @@ struct boot_params { + __u8 eddbuf_entries; /* 0x1e9 */ + __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ + __u8 kbd_status; /* 0x1eb */ +- __u8 _pad5[3]; /* 0x1ec */ ++ __u8 secure_boot; /* 0x1ec */ ++ __u8 _pad5[2]; /* 0x1ed */ + /* + * The sentinel is set to a nonzero value (0xff) in header.S. + * +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 41ead8d3bc0b..5a5cf7395724 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p) + + io_delay_init(); + ++#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE ++ if (boot_params.secure_boot) { ++ enforce_signed_modules(); ++ } ++#endif ++ + /* + * Parse the ACPI tables for possible boot-time SMP configuration. + */ +diff --git a/include/linux/module.h b/include/linux/module.h +index 341a73ecea2e..cca08ac450e2 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); + + struct notifier_block; + ++#ifdef CONFIG_MODULE_SIG ++extern void enforce_signed_modules(void); ++#else ++static inline void enforce_signed_modules(void) {}; ++#endif ++ + #ifdef CONFIG_MODULES + + extern int modules_disabled; /* for sysctl */ +diff --git a/kernel/module.c b/kernel/module.c +index 1f7b4664300e..866417ecc76a 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3843,6 +3843,13 @@ void module_layout(struct module *mod, + EXPORT_SYMBOL(module_layout); + #endif + ++#ifdef CONFIG_MODULE_SIG ++void enforce_signed_modules(void) ++{ ++ sig_enforce = true; ++} ++#endif ++ + bool secure_modules(void) + { + #ifdef CONFIG_MODULE_SIG +-- +1.9.3 + diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch new file mode 100644 index 0000000..ecf5b89 --- /dev/null +++ b/Add-secure_modules-call.patch @@ -0,0 +1,63 @@ +From: Matthew Garrett +Date: Fri, 9 Aug 2013 17:58:15 -0400 +Subject: [PATCH] Add secure_modules() call + +Provide a single call to allow kernel code to determine whether the system +has been configured to either disable module loading entirely or to load +only modules signed with a trusted key. + +Bugzilla: N/A +Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd + +Signed-off-by: Matthew Garrett +--- + include/linux/module.h | 7 +++++++ + kernel/module.c | 10 ++++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/include/linux/module.h b/include/linux/module.h +index 71f282a4e307..341a73ecea2e 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -516,6 +516,8 @@ int unregister_module_notifier(struct notifier_block *nb); + + extern void print_modules(void); + ++extern bool secure_modules(void); ++ + #else /* !CONFIG_MODULES... */ + + /* Given an address, look for it in the exception tables. */ +@@ -626,6 +628,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb) + static inline void print_modules(void) + { + } ++ ++static inline bool secure_modules(void) ++{ ++ return false; ++} + #endif /* CONFIG_MODULES */ + + #ifdef CONFIG_SYSFS +diff --git a/kernel/module.c b/kernel/module.c +index 03214bd288e9..1f7b4664300e 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3842,3 +3842,13 @@ void module_layout(struct module *mod, + } + EXPORT_SYMBOL(module_layout); + #endif ++ ++bool secure_modules(void) ++{ ++#ifdef CONFIG_MODULE_SIG ++ return (sig_enforce || modules_disabled); ++#else ++ return modules_disabled; ++#endif ++} ++EXPORT_SYMBOL(secure_modules); +-- +1.9.3 + diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch new file mode 100644 index 0000000..414fe6e --- /dev/null +++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch @@ -0,0 +1,248 @@ +From: Kyle McMartin +Date: Fri, 30 Aug 2013 09:28:51 -0400 +Subject: [PATCH] Add sysrq option to disable secure boot mode + +Bugzilla: N/A +Upstream-status: Fedora mustard +--- + arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ + drivers/input/misc/uinput.c | 1 + + drivers/tty/sysrq.c | 19 +++++++++++++------ + include/linux/input.h | 5 +++++ + include/linux/sysrq.h | 8 +++++++- + kernel/debug/kdb/kdb_main.c | 2 +- + kernel/module.c | 4 ++-- + 7 files changed, 65 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index fb282ff6a802..d291d16ba257 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -70,6 +70,11 @@ + #include + #include + ++#include ++#include ++#include ++#include ++ + #include