[linux] 02/02: WIP: Update securelevel patches

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Dec 8 22:06:11 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch benh/securelevel-update
in repository linux.

commit 308206819ad1b377a23d718c80834aeeff40df72
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Dec 8 20:56:30 2016 +0000

    WIP: Update securelevel patches
    
    This results in dropping:
    - The first patch (!)
    - The patches for arm64
    - The patches for phram and slram MTD drivers
---
 ...le-signatures-when-securelevel-is-greate.patch} |   9 +-
 ...n-BAR-access-when-securelevel-is-enabled.patch} |  24 ++-
 ...n-IO-port-access-when-securelevel-is-ena.patch} |  19 +-
 ...-mem-and-dev-kmem-when-securelevel-is-se.patch} |  12 +-
 ...ccess-to-custom_method-if-securelevel-is.patch} |   5 +-
 ...acpi_rsdp-kernel-parameter-when-securele.patch} |  10 +-
 ...e-at-runtime-if-securelevel-has-been-set.patch} |   8 +-
 ...-uswsusp-Disable-when-securelevel-is-set.patch} |   6 +-
 ...trict-MSR-access-when-securelevel-is-set.patch} |  10 +-
 ...trict-debugfs-interface-when-securelevel.patch} |  13 +-
 ...o-automatically-set-securelevel-when-in-.patch} |  24 ++-
 ...-secure-boot-if-shim-is-in-insecure-mode.patch} |  32 ++--
 ...ibernate-Disable-when-securelevel-is-set.patch} |   8 +-
 ...opy-secure_boot-flag-in-boot-params-acro.patch} |  10 +-
 ...-ACPI-table-override-if-securelevel-is-s.patch} |  14 +-
 ...-APEI-error-injection-if-securelevel-is-.patch} |   9 +-
 ... 0017-Enable-cold-boot-attack-mitigation.patch} |  10 +-
 ...Disable-at-runtime-if-securelevel-has-bee.patch |  46 +++++
 .../0019-More-secure-boot-holes-to-plug.patch      |  80 ++++++++
 .../add-bsd-style-securelevel-support.patch        | 208 ---------------------
 ...ernel-config-option-to-set-securelevel-wh.patch | 128 -------------
 ...isable-secure-boot-if-shim-is-in-insecure.patch |  59 ------
 ...ram-and-phram-when-securelevel-is-enabled.patch |  52 ------
 debian/patches/series                              |  41 ++--
 24 files changed, 275 insertions(+), 562 deletions(-)

diff --git a/debian/patches/features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch b/debian/patches/features/all/securelevel/0001-Enforce-module-signatures-when-securelevel-is-greate.patch
similarity index 59%
rename from debian/patches/features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch
rename to debian/patches/features/all/securelevel/0001-Enforce-module-signatures-when-securelevel-is-greate.patch
index f6a2959..bd70985 100644
--- a/debian/patches/features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch
+++ b/debian/patches/features/all/securelevel/0001-Enforce-module-signatures-when-securelevel-is-greate.patch
@@ -1,7 +1,8 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Mon, 9 Sep 2013 08:46:52 -0400
-Subject: [02/18] Enforce module signatures when securelevel is greater than 0
-Origin: https://github.com/mjg59/linux/commit/90e0fa532b145d1bb76c368277a3a3e3b3eb5c94
+Subject: [PATCH 01/19] Enforce module signatures when securelevel is greater
+ than 0
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=ff7c4944a41d7034aa1129e29410741fabd3f393
 
 If securelevel has been set to 1 or greater, require that all modules have
 valid signatures.
@@ -11,9 +12,11 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  kernel/module.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
+diff --git a/kernel/module.c b/kernel/module.c
+index f57dd63186e6..e45b8b84f928 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -2616,7 +2616,7 @@ static int module_sig_check(struct load_
+@@ -2744,7 +2744,7 @@ static int module_sig_check(struct load_info *info, int flags)
  	}
  
  	/* Not having a signature is only an error if we're strict. */
diff --git a/debian/patches/features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch b/debian/patches/features/all/securelevel/0002-PCI-Lock-down-BAR-access-when-securelevel-is-enabled.patch
similarity index 68%
rename from debian/patches/features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch
rename to debian/patches/features/all/securelevel/0002-PCI-Lock-down-BAR-access-when-securelevel-is-enabled.patch
index 06e2136..d5e749d 100644
--- a/debian/patches/features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch
+++ b/debian/patches/features/all/securelevel/0002-PCI-Lock-down-BAR-access-when-securelevel-is-enabled.patch
@@ -1,7 +1,7 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [03/18] PCI: Lock down BAR access when securelevel is enabled
-Origin: https://github.com/mjg59/linux/commit/2533a3844cf8c43bf58b653334f8925cd1e7d405
+Subject: [PATCH 02/19] PCI: Lock down BAR access when securelevel is enabled
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=07a1f45d1b12bfe40d59ab86153e3282b21c5690
 
 Any hardware that can potentially generate DMA has to be locked down from
 userspace in order to avoid it being possible for an attacker to modify
@@ -16,9 +16,11 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  drivers/pci/syscall.c   | 3 ++-
  3 files changed, 19 insertions(+), 2 deletions(-)
 
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index bcd10c795284..0183f9b3583d 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
-@@ -716,6 +716,9 @@ static ssize_t pci_write_config(struct f
+@@ -716,6 +716,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
  	loff_t init_off = off;
  	u8 *data = (u8 *) buf;
  
@@ -28,7 +30,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	if (off > dev->cfg_size)
  		return 0;
  	if (off + count > dev->cfg_size) {
-@@ -1007,6 +1010,9 @@ static int pci_mmap_resource(struct kobj
+@@ -1007,6 +1010,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
  	resource_size_t start, end;
  	int i;
  
@@ -38,7 +40,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	for (i = 0; i < PCI_ROM_RESOURCE; i++)
  		if (res == &pdev->resource[i])
  			break;
-@@ -1106,6 +1112,9 @@ static ssize_t pci_write_resource_io(str
+@@ -1106,6 +1112,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
  				     struct bin_attribute *attr, char *buf,
  				     loff_t off, size_t count)
  {
@@ -48,6 +50,8 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
  }
  
+diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
+index 2408abe4ee8c..27d466a85e5c 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
 @@ -11,6 +11,7 @@
@@ -58,7 +62,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  #include <asm/uaccess.h>
  #include <asm/byteorder.h>
  #include "pci.h"
-@@ -116,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct
+@@ -116,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
  	int size = dev->cfg_size;
  	int cnt;
  
@@ -68,7 +72,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	if (pos >= size)
  		return 0;
  	if (nbytes >= size)
-@@ -195,6 +199,9 @@ static long proc_bus_pci_ioctl(struct fi
+@@ -195,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
  #endif /* HAVE_PCI_MMAP */
  	int ret = 0;
  
@@ -78,7 +82,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	switch (cmd) {
  	case PCIIOC_CONTROLLER:
  		ret = pci_domain_nr(dev->bus);
-@@ -233,7 +240,7 @@ static int proc_bus_pci_mmap(struct file
+@@ -233,7 +240,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
  	struct pci_filp_private *fpriv = file->private_data;
  	int i, ret, write_combine;
  
@@ -87,6 +91,8 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  		return -EPERM;
  
  	/* Make sure the caller is mapping a real resource for this device */
+diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
+index b91c4da68365..9449bdef323a 100644
 --- a/drivers/pci/syscall.c
 +++ b/drivers/pci/syscall.c
 @@ -10,6 +10,7 @@
@@ -97,7 +103,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  #include <asm/uaccess.h>
  #include "pci.h"
  
-@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigne
+@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
  	u32 dword;
  	int err = 0;
  
diff --git a/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch b/debian/patches/features/all/securelevel/0003-x86-Lock-down-IO-port-access-when-securelevel-is-ena.patch
similarity index 70%
rename from debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch
rename to debian/patches/features/all/securelevel/0003-x86-Lock-down-IO-port-access-when-securelevel-is-ena.patch
index 8201450..4969046 100644
--- a/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch
+++ b/debian/patches/features/all/securelevel/0003-x86-Lock-down-IO-port-access-when-securelevel-is-ena.patch
@@ -1,7 +1,8 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [04/18] x86: Lock down IO port access when securelevel is enabled
-Origin: https://github.com/mjg59/linux/commit/2ad64f6ea1f1164c8b552860faa27392d9da9928
+Subject: [PATCH 03/19] x86: Lock down IO port access when securelevel is
+ enabled
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=2564a5844da6b692ad93aa0abdb528ae3dd0e429
 
 IO port access would permit users to gain access to PCI configuration
 registers, which in turn (on a lot of hardware) give access to MMIO register
@@ -14,6 +15,8 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  drivers/char/mem.c       | 7 +++++++
  2 files changed, 10 insertions(+), 2 deletions(-)
 
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 589b3193f102..48c888f0ea67 100644
 --- a/arch/x86/kernel/ioport.c
 +++ b/arch/x86/kernel/ioport.c
 @@ -15,6 +15,7 @@
@@ -24,7 +27,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  #include <asm/syscalls.h>
  
  /*
-@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long
+@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
  
  	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
  		return -EINVAL;
@@ -33,7 +36,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  		return -EPERM;
  
  	/*
-@@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve
+@@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
  		return -EINVAL;
  	/* Trying to gain more privileges? */
  	if (level > old) {
@@ -42,9 +45,11 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  			return -EPERM;
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 5bb1985ec484..e2f4d57b9eab 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
-@@ -27,6 +27,7 @@
+@@ -28,6 +28,7 @@
  #include <linux/export.h>
  #include <linux/io.h>
  #include <linux/uio.h>
@@ -52,7 +57,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  
  #include <linux/uaccess.h>
  
-@@ -559,6 +560,9 @@ static ssize_t read_port(struct file *fi
+@@ -562,6 +563,9 @@ static ssize_t read_port(struct file *file, char __user *buf,
  	unsigned long i = *ppos;
  	char __user *tmp = buf;
  
@@ -62,7 +67,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	if (!access_ok(VERIFY_WRITE, buf, count))
  		return -EFAULT;
  	while (count-- > 0 && i < 65536) {
-@@ -577,6 +581,9 @@ static ssize_t write_port(struct file *f
+@@ -580,6 +584,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
  	unsigned long i = *ppos;
  	const char __user *tmp = buf;
  
diff --git a/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch b/debian/patches/features/all/securelevel/0004-Restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
similarity index 61%
rename from debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
rename to debian/patches/features/all/securelevel/0004-Restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
index dd8676d..7f85d2d 100644
--- a/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
+++ b/debian/patches/features/all/securelevel/0004-Restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
@@ -1,21 +1,23 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [05/18] Restrict /dev/mem and /dev/kmem when securelevel is set.
-Origin: https://github.com/mjg59/linux/commit/401996625d478c814fe9e736ca9e6c5c5f055f06
+Subject: [PATCH 04/19] Restrict /dev/mem and /dev/kmem when securelevel is
+ set.
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=a74d4e4cc405d964b12824a705df48376beff199
 
 Allowing users to write to address space provides mechanisms that may permit
 modification of the kernel at runtime. Prevent this if securelevel has been
 set.
 
 Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
-[bwh: Forward-ported to 4.9: adjust context]
 ---
  drivers/char/mem.c | 6 ++++++
  1 file changed, 6 insertions(+)
 
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index e2f4d57b9eab..6afd9a8e3cb7 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
-@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *fi
+@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
  	if (p != *ppos)
  		return -EFBIG;
  
@@ -25,7 +27,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	if (!valid_phys_addr_range(p, count))
  		return -EFAULT;
  
-@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *f
+@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
  	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
  	int err = 0;
  
diff --git a/debian/patches/features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch b/debian/patches/features/all/securelevel/0005-acpi-Limit-access-to-custom_method-if-securelevel-is.patch
similarity index 83%
rename from debian/patches/features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch
rename to debian/patches/features/all/securelevel/0005-acpi-Limit-access-to-custom_method-if-securelevel-is.patch
index 97c0b1b..980cd6b 100644
--- a/debian/patches/features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch
+++ b/debian/patches/features/all/securelevel/0005-acpi-Limit-access-to-custom_method-if-securelevel-is.patch
@@ -1,7 +1,8 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [06/18] acpi: Limit access to custom_method if securelevel is set
-Origin: https://github.com/mjg59/linux/commit/3cdc48db6b6d1b3cc1412d428389889f74cafe83
+Subject: [PATCH 05/19] acpi: Limit access to custom_method if securelevel is
+ set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=00513d16efa1908205f52ede03af3947ca87a735
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to modify the kernel at runtime. Prevent this
diff --git a/debian/patches/features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch b/debian/patches/features/all/securelevel/0006-acpi-Ignore-acpi_rsdp-kernel-parameter-when-securele.patch
similarity index 73%
rename from debian/patches/features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch
rename to debian/patches/features/all/securelevel/0006-acpi-Ignore-acpi_rsdp-kernel-parameter-when-securele.patch
index 8a26e52..de64e0f 100644
--- a/debian/patches/features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch
+++ b/debian/patches/features/all/securelevel/0006-acpi-Ignore-acpi_rsdp-kernel-parameter-when-securele.patch
@@ -1,8 +1,8 @@
 From: Josh Boyer <jwboyer at redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [07/18] acpi: Ignore acpi_rsdp kernel parameter when securelevel is
- set
-Origin: https://github.com/mjg59/linux/commit/9524fadac774fbe85e2ac6abe7b957b1750c7e36
+Subject: [PATCH 06/19] acpi: Ignore acpi_rsdp kernel parameter when
+ securelevel is set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=4108c88ae3e2af797c91262e0b402c9b1af4178c
 
 This option allows userspace to pass the RSDP address to the kernel, which
 makes it possible for a user to execute arbitrary code in the kernel.
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer at redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 814d5f83b75e..242ca81bb606 100644
+index 416953a42510..f94d372c67ce 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -40,6 +40,7 @@
@@ -25,7 +25,7 @@ index 814d5f83b75e..242ca81bb606 100644
  
  #include <asm/io.h>
  #include <asm/uaccess.h>
-@@ -254,7 +255,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
  acpi_physical_address __init acpi_os_get_root_pointer(void)
  {
  #ifdef CONFIG_KEXEC
diff --git a/debian/patches/features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch b/debian/patches/features/all/securelevel/0007-kexec-Disable-at-runtime-if-securelevel-has-been-set.patch
similarity index 73%
rename from debian/patches/features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch
rename to debian/patches/features/all/securelevel/0007-kexec-Disable-at-runtime-if-securelevel-has-been-set.patch
index 3969a8e..7ed2a38 100644
--- a/debian/patches/features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch
+++ b/debian/patches/features/all/securelevel/0007-kexec-Disable-at-runtime-if-securelevel-has-been-set.patch
@@ -1,7 +1,7 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [08/18] kexec: Disable at runtime if securelevel has been set.
-Origin: https://github.com/mjg59/linux/commit/ec87b6aac76fd553578cec2c05674e22b79afe3e
+Subject: [PATCH 07/19] kexec: Disable at runtime if securelevel has been set.
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=bbb05378ce478b2615e67ab887d5cbc450136b0f
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
 permits the modification of the running kernel. Prevent this if securelevel
@@ -13,7 +13,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  1 file changed, 4 insertions(+)
 
 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index ee70aef5cd81..542655ea297c 100644
+index 980936a90ee6..6f645e51c77e 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
 @@ -17,6 +17,7 @@
@@ -24,7 +24,7 @@ index ee70aef5cd81..542655ea297c 100644
  
  #include "kexec_internal.h"
  
-@@ -134,6 +135,9 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+@@ -193,6 +194,9 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
  		return -EPERM;
  
diff --git a/debian/patches/features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch b/debian/patches/features/all/securelevel/0008-uswsusp-Disable-when-securelevel-is-set.patch
similarity index 80%
rename from debian/patches/features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch
rename to debian/patches/features/all/securelevel/0008-uswsusp-Disable-when-securelevel-is-set.patch
index 88129ec..4a6d8b0 100644
--- a/debian/patches/features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch
+++ b/debian/patches/features/all/securelevel/0008-uswsusp-Disable-when-securelevel-is-set.patch
@@ -1,7 +1,7 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Tue, 3 Sep 2013 11:23:29 -0400
-Subject: [09/18] uswsusp: Disable when securelevel is set
-Origin: https://github.com/mjg59/linux/commit/504f45f7cc9b4265a4d89728c4f8254295e81977
+Subject: [PATCH 08/19] uswsusp: Disable when securelevel is set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=6b026a80916d302e52d17fb5cacbe8ed201a825c
 
 uswsusp allows a user process to dump and then restore kernel state, which
 makes it possible to modify the running kernel. Disable this if securelevel
@@ -13,7 +13,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  1 file changed, 4 insertions(+)
 
 diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 526e8911460a..40618bf41620 100644
+index 35310b627388..d1b274d7c49d 100644
 --- a/kernel/power/user.c
 +++ b/kernel/power/user.c
 @@ -24,6 +24,7 @@
diff --git a/debian/patches/features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch b/debian/patches/features/all/securelevel/0009-x86-Restrict-MSR-access-when-securelevel-is-set.patch
similarity index 66%
rename from debian/patches/features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch
rename to debian/patches/features/all/securelevel/0009-x86-Restrict-MSR-access-when-securelevel-is-set.patch
index 40263e1..851d230 100644
--- a/debian/patches/features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch
+++ b/debian/patches/features/all/securelevel/0009-x86-Restrict-MSR-access-when-securelevel-is-set.patch
@@ -1,7 +1,7 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [10/18] x86: Restrict MSR access when securelevel is set
-Origin: https://github.com/mjg59/linux/commit/c6ad37822699967e60fae57a64ae89676f543182
+Subject: [PATCH 09/19] x86: Restrict MSR access when securelevel is set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=89878527852b643f9018a013c4de6971ffca717a
 
 Permitting write access to MSRs allows userspace to modify the running
 kernel. Prevent this if securelevel has been set. Based on a patch by Kees
@@ -13,6 +13,8 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  arch/x86/kernel/msr.c | 8 ++++++++
  1 file changed, 8 insertions(+)
 
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 7f3550acde1b..531d8dbc955d 100644
 --- a/arch/x86/kernel/msr.c
 +++ b/arch/x86/kernel/msr.c
 @@ -39,6 +39,7 @@
@@ -23,7 +25,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  
  #include <asm/cpufeature.h>
  #include <asm/msr.h>
-@@ -83,6 +84,9 @@ static ssize_t msr_write(struct file *fi
+@@ -83,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
  	int err = 0;
  	ssize_t bytes = 0;
  
@@ -33,7 +35,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	if (count % 8)
  		return -EINVAL;	/* Invalid chunk size */
  
-@@ -130,6 +134,10 @@ static long msr_ioctl(struct file *file,
+@@ -130,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
  			err = -EBADF;
  			break;
  		}
diff --git a/debian/patches/features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch b/debian/patches/features/all/securelevel/0010-asus-wmi-Restrict-debugfs-interface-when-securelevel.patch
similarity index 76%
rename from debian/patches/features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch
rename to debian/patches/features/all/securelevel/0010-asus-wmi-Restrict-debugfs-interface-when-securelevel.patch
index 08afb52..c26f19b 100644
--- a/debian/patches/features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch
+++ b/debian/patches/features/all/securelevel/0010-asus-wmi-Restrict-debugfs-interface-when-securelevel.patch
@@ -1,7 +1,8 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [11/18] asus-wmi: Restrict debugfs interface when securelevel is set
-Origin: https://github.com/mjg59/linux/commit/f6e21827205ffcbfcce4b13d3a233427c3e742e0
+Subject: [PATCH 10/19] asus-wmi: Restrict debugfs interface when securelevel
+ is set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=c4297d0808c30eb2fa6ffa43f724ef4adebe77e5
 
 We have no way of validating what all of the Asus WMI methods do on a
 given machine, and there's a risk that some will allow hardware state to
@@ -14,7 +15,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  1 file changed, 10 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index a96630d52346..93943e480a67 100644
+index ce6ca31a2d09..d2c175b12a36 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -45,6 +45,7 @@
@@ -25,7 +26,7 @@ index a96630d52346..93943e480a67 100644
  #include <linux/acpi.h>
  #include <linux/dmi.h>
  #include <acpi/video.h>
-@@ -1867,6 +1868,9 @@ static int show_dsts(struct seq_file *m, void *data)
+@@ -1872,6 +1873,9 @@ static int show_dsts(struct seq_file *m, void *data)
  	int err;
  	u32 retval = -1;
  
@@ -35,7 +36,7 @@ index a96630d52346..93943e480a67 100644
  	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
  
  	if (err < 0)
-@@ -1883,6 +1887,9 @@ static int show_devs(struct seq_file *m, void *data)
+@@ -1888,6 +1892,9 @@ static int show_devs(struct seq_file *m, void *data)
  	int err;
  	u32 retval = -1;
  
@@ -45,7 +46,7 @@ index a96630d52346..93943e480a67 100644
  	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
  				    &retval);
  
-@@ -1907,6 +1914,9 @@ static int show_call(struct seq_file *m, void *data)
+@@ -1912,6 +1919,9 @@ static int show_call(struct seq_file *m, void *data)
  	union acpi_object *obj;
  	acpi_status status;
  
diff --git a/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch b/debian/patches/features/all/securelevel/0011-Add-option-to-automatically-set-securelevel-when-in-.patch
similarity index 80%
rename from debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch
rename to debian/patches/features/all/securelevel/0011-Add-option-to-automatically-set-securelevel-when-in-.patch
index c76d6ed..630a292 100644
--- a/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch
+++ b/debian/patches/features/all/securelevel/0011-Add-option-to-automatically-set-securelevel-when-in-.patch
@@ -1,8 +1,8 @@
 From: Matthew Garrett <mjg59 at srcf.ucam.org>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [12/18] Add option to automatically set securelevel when in Secure
- Boot mode
-Origin: https://github.com/mjg59/linux/commit/e324de2d053295670f3ba8ef67289835d663aae5
+Subject: [PATCH 11/19] Add option to automatically set securelevel when in
+ Secure Boot mode
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=6dad5c87099c433fc3ff18b8857f9cdf9ff456b7
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels. Certain use cases may also
@@ -19,6 +19,8 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  arch/x86/kernel/setup.c               |  7 +++++++
  5 files changed, 60 insertions(+), 1 deletion(-)
 
+diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
+index 95a4d34af3fd..b8527c6b7646 100644
 --- a/Documentation/x86/zero-page.txt
 +++ b/Documentation/x86/zero-page.txt
 @@ -31,6 +31,8 @@ Offset	Proto	Name		Meaning
@@ -30,9 +32,11 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  1EF/001	ALL	sentinel	Used to detect broken bootloaders
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index bada636d1065..83e7e2b8b064 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1754,6 +1754,19 @@ config EFI_MIXED
+@@ -1786,6 +1786,19 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -52,6 +56,8 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  config SECCOMP
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index cc69e37548db..4a7d64ef7268 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -62,7 +68,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  
  #include "../string.h"
  #include "eboot.h"
-@@ -1050,6 +1051,37 @@ void setup_graphics(struct boot_params *
+@@ -710,6 +711,37 @@ void setup_graphics(struct boot_params *boot_params)
  	}
  }
  
@@ -100,7 +106,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  /*
   * Because the x86 boot code expects to be passed a boot_params we
   * need to create one ourselves (usually the bootloader would create
-@@ -1432,6 +1464,10 @@ struct boot_params *efi_main(struct efi_
+@@ -1094,6 +1126,10 @@ struct boot_params *efi_main(struct efi_config *c,
  	else
  		setup_boot_services32(efi_early);
  
@@ -111,6 +117,8 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	setup_graphics(boot_params);
  
  	setup_efi_pci(boot_params);
+diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
+index c18ce67495fa..2b3e5427097b 100644
 --- a/arch/x86/include/uapi/asm/bootparam.h
 +++ b/arch/x86/include/uapi/asm/bootparam.h
 @@ -134,7 +134,8 @@ struct boot_params {
@@ -123,6 +131,8 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  	/*
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 9c337b0e8ba7..8fc38e773983 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -50,6 +50,7 @@
@@ -133,7 +143,7 @@ Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
  
  #include <linux/errno.h>
  #include <linux/kernel.h>
-@@ -1145,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1160,6 +1161,12 @@ void __init setup_arch(char **cmdline_p)
  
  	io_delay_init();
  
diff --git a/debian/patches/features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch b/debian/patches/features/all/securelevel/0012-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
similarity index 53%
rename from debian/patches/features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch
rename to debian/patches/features/all/securelevel/0012-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
index 98cd43c..2ad6349 100644
--- a/debian/patches/features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch
+++ b/debian/patches/features/all/securelevel/0012-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
@@ -1,7 +1,7 @@
 From: Josh Boyer <jwboyer at fedoraproject.org>
 Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [13/18] efi: Disable secure boot if shim is in insecure mode
-Origin: https://github.com/mjg59/linux/commit/f444a5ecb0ab09d6cf661b4520dd8e6fffacb8be
+Subject: [PATCH 12/19] efi: Disable secure boot if shim is in insecure mode
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=32b718a9bb083f6787e2a023fb64a3200b8b3b4e
 
 A user can manually tell the shim boot loader to disable validation of
 images it loads.  When a user does this, it creates a UEFI variable called
@@ -12,12 +12,14 @@ secure boot mode if that variable is set.
 Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
 ---
  arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
- include/linux/efi.h              |  3 +++
- 2 files changed, 22 insertions(+), 1 deletion(-)
+ include/linux/efi.h              |  1 +
+ 2 files changed, 20 insertions(+), 1 deletion(-)
 
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 4a7d64ef7268..e042f00cd9f7 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
-@@ -1053,8 +1053,9 @@ void setup_graphics(struct boot_params *
+@@ -713,8 +713,9 @@ void setup_graphics(struct boot_params *boot_params)
  
  static int get_secure_boot(void)
  {
@@ -28,7 +30,7 @@ Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
  	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
  	efi_status_t status;
  
-@@ -1078,6 +1079,23 @@ static int get_secure_boot(void)
+@@ -738,6 +739,23 @@ static int get_secure_boot(void)
  	if (setup == 1)
  		return 0;
  
@@ -52,15 +54,15 @@ Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
  	return 1;
  }
  
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 2d089487d2da..e64f0b030704 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -629,6 +629,9 @@ typedef struct {
- #define EFI_1_10_SYSTEM_TABLE_REVISION  ((1 << 16) | (10))
- #define EFI_1_02_SYSTEM_TABLE_REVISION  ((1 << 16) | (02))
+@@ -591,6 +591,7 @@ void efi_native_runtime_setup(void);
+ #define EFI_RNG_PROTOCOL_GUID			EFI_GUID(0x3152bca5, 0xeade, 0x433d,  0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44)
+ #define EFI_MEMORY_ATTRIBUTES_TABLE_GUID	EFI_GUID(0xdcfa911d, 0x26eb, 0x469f,  0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
+ #define EFI_CONSOLE_OUT_DEVICE_GUID		EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4,  0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
++#define EFI_SHIM_LOCK_GUID			EFI_GUID(0x605dab50, 0xe046, 0x4300,  0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
  
-+#define EFI_SHIM_LOCK_GUID \
-+    EFI_GUID(  0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
-+
- typedef struct {
- 	efi_table_hdr_t hdr;
- 	u64 fw_vendor;	/* physical addr of CHAR16 vendor string */
+ /*
+  * This GUID is used to pass to the kernel proper the struct screen_info
diff --git a/debian/patches/features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch b/debian/patches/features/all/securelevel/0013-hibernate-Disable-when-securelevel-is-set.patch
similarity index 75%
rename from debian/patches/features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch
rename to debian/patches/features/all/securelevel/0013-hibernate-Disable-when-securelevel-is-set.patch
index 3f22314..50f9058 100644
--- a/debian/patches/features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch
+++ b/debian/patches/features/all/securelevel/0013-hibernate-Disable-when-securelevel-is-set.patch
@@ -1,7 +1,7 @@
 From: Josh Boyer <jwboyer at fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [14/18] hibernate: Disable when securelevel is set
-Origin: https://github.com/mjg59/linux/commit/500a87278c5c0608ba88ed8af7a35fcfa955c492
+Subject: [PATCH 13/19] hibernate: Disable when securelevel is set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=f7c4489890bca0cc56d23741c750907b98f2785d
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the securelevel trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index fca9254280ee..7bf7f723a27f 100644
+index b26dbc48c75b..1bbf952f586f 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@
@@ -25,7 +25,7 @@ index fca9254280ee..7bf7f723a27f 100644
  #include <trace/events/power.h>
  
  #include "power.h"
-@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
+@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
  
  bool hibernation_available(void)
  {
diff --git a/debian/patches/features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch b/debian/patches/features/all/securelevel/0014-kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
similarity index 77%
rename from debian/patches/features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
rename to debian/patches/features/all/securelevel/0014-kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
index 445aa63..cf682e9 100644
--- a/debian/patches/features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
+++ b/debian/patches/features/all/securelevel/0014-kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
@@ -1,8 +1,8 @@
 From: Dave Young <dyoung at redhat.com>
 Date: Tue, 6 Oct 2015 13:31:31 +0100
-Subject: [15/18] kexec/uefi: copy secure_boot flag in boot params across kexec
- reboot
-Origin: https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798
+Subject: [PATCH 14/19] kexec/uefi: copy secure_boot flag in boot params across
+ kexec reboot
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=1bdfef5d7f72c58330fa1bbefa8cf12241a64920
 
 Kexec reboot in case secure boot being enabled does not keep the secure
 boot mode in new kernel, so later one can load unsigned kernel via legacy
@@ -19,10 +19,10 @@ Signed-off-by: Dave Young <dyoung at redhat.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index 2af478e3fd4e..61827eeb6881 100644
+index 3407b148c240..b843a4e57a9b 100644
 --- a/arch/x86/kernel/kexec-bzimage64.c
 +++ b/arch/x86/kernel/kexec-bzimage64.c
-@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
+@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
  	if (efi_enabled(EFI_OLD_MEMMAP))
  		return 0;
  
diff --git a/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch b/debian/patches/features/all/securelevel/0015-acpi-Disable-ACPI-table-override-if-securelevel-is-s.patch
similarity index 78%
rename from debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch
rename to debian/patches/features/all/securelevel/0015-acpi-Disable-ACPI-table-override-if-securelevel-is-s.patch
index 0491b2f..6c36904 100644
--- a/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch
+++ b/debian/patches/features/all/securelevel/0015-acpi-Disable-ACPI-table-override-if-securelevel-is-s.patch
@@ -1,7 +1,7 @@
 From: Linn Crosetto <linn at hpe.com>
 Date: Fri, 4 Mar 2016 16:08:24 -0700
-Subject: [16/18] acpi: Disable ACPI table override if securelevel is set
-Origin: https://github.com/mjg59/linux/commit/a4a5ed2835e8ea042868b7401dced3f517cafa76
+Subject: [PATCH 15/19] acpi: Disable ACPI table override if securelevel is set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=4321971d7ae760803e436f7b286a6c4f4f69ac68
 
 From the kernel documentation (initrd_table_override.txt):
 
@@ -14,13 +14,13 @@ changes to kernel space. ACPI tables contain code invoked by the kernel, so
 do not allow ACPI tables to be overridden if securelevel is set.
 
 Signed-off-by: Linn Crosetto <linn at hpe.com>
-[bwh: Forward-ported to 4.7: ACPI override code moved to drivers/acpi/tables.c]
-[bwh: Forward-ported to 4.9: adjust context]
 ---
  arch/x86/kernel/setup.c | 12 ++++++------
- drivers/acpi/tables.c   |  6 ++++++
- 2 files changed, 12 insertions(+), 6 deletions(-)
+ drivers/acpi/tables.c   |  7 +++++++
+ 2 files changed, 13 insertions(+), 6 deletions(-)
 
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 8fc38e773983..1e34e607ba8a 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -1153,6 +1153,12 @@ void __init setup_arch(char **cmdline_p)
@@ -49,6 +49,8 @@ Signed-off-by: Linn Crosetto <linn at hpe.com>
  	/*
  	 * Parse the ACPI tables for possible boot-time SMP configuration.
  	 */
+diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
+index cdd56c4657e0..1d493f12eea6 100644
 --- a/drivers/acpi/tables.c
 +++ b/drivers/acpi/tables.c
 @@ -35,6 +35,7 @@
diff --git a/debian/patches/features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch b/debian/patches/features/all/securelevel/0016-acpi-Disable-APEI-error-injection-if-securelevel-is-.patch
similarity index 77%
rename from debian/patches/features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch
rename to debian/patches/features/all/securelevel/0016-acpi-Disable-APEI-error-injection-if-securelevel-is-.patch
index 2ae1100..60feae3 100644
--- a/debian/patches/features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch
+++ b/debian/patches/features/all/securelevel/0016-acpi-Disable-APEI-error-injection-if-securelevel-is-.patch
@@ -1,7 +1,8 @@
 From: Linn Crosetto <linn at hpe.com>
 Date: Wed, 16 Mar 2016 14:43:33 -0600
-Subject: [17/18] acpi: Disable APEI error injection if securelevel is set
-Origin: https://github.com/mjg59/linux/commit/d7a6be58edc01b1c66ecd8fcc91236bfbce0a420
+Subject: [PATCH 16/19] acpi: Disable APEI error injection if securelevel is
+ set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=91bfdd6ea1b4e86b87b537c879f07ef46f04ad30
 
 ACPI provides an error injection mechanism, EINJ, for debugging and testing
 the ACPI Platform Error Interface (APEI) and other RAS features. If
@@ -23,6 +24,8 @@ Signed-off-by: Linn Crosetto <linn at hpe.com>
  drivers/acpi/apei/einj.c | 4 ++++
  1 file changed, 4 insertions(+)
 
+diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
+index eebb7e39c49c..604d9ff5c227 100644
 --- a/drivers/acpi/apei/einj.c
 +++ b/drivers/acpi/apei/einj.c
 @@ -29,6 +29,7 @@
@@ -33,7 +36,7 @@ Signed-off-by: Linn Crosetto <linn at hpe.com>
  #include <asm/unaligned.h>
  
  #include "apei-internal.h"
-@@ -521,6 +522,9 @@ static int einj_error_inject(u32 type, u
+@@ -518,6 +519,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
  	int rc;
  	u64 base_addr, size;
  
diff --git a/debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/securelevel/0017-Enable-cold-boot-attack-mitigation.patch
similarity index 77%
rename from debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch
rename to debian/patches/features/all/securelevel/0017-Enable-cold-boot-attack-mitigation.patch
index 14d5a3b..916097c 100644
--- a/debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch
+++ b/debian/patches/features/all/securelevel/0017-Enable-cold-boot-attack-mitigation.patch
@@ -1,17 +1,17 @@
 From: Matthew Garrett <mjg59 at coreos.com>
 Date: Tue, 12 Jan 2016 12:51:27 -0800
-Subject: [18/18] Enable cold boot attack mitigation
-Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34
+Subject: [PATCH 17/19] Enable cold boot attack mitigation
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=cbf6c70b2b4d3ae472606e124ce75fd2f376f8df
 
 ---
  arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
  1 file changed, 22 insertions(+)
 
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 28c24d80d0a0..b0413ba639af 100644
+index e042f00cd9f7..715ccf95a430 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
-@@ -1051,6 +1051,22 @@ void setup_graphics(struct boot_params *boot_params)
+@@ -711,6 +711,22 @@ void setup_graphics(struct boot_params *boot_params)
  	}
  }
  
@@ -34,7 +34,7 @@ index 28c24d80d0a0..b0413ba639af 100644
  static int get_secure_boot(void)
  {
  	u8 sb, setup, moksbstate;
-@@ -1482,6 +1498,12 @@ struct boot_params *efi_main(struct efi_config *c,
+@@ -1144,6 +1160,12 @@ struct boot_params *efi_main(struct efi_config *c,
  	else
  		setup_boot_services32(efi_early);
  
diff --git a/debian/patches/features/all/securelevel/0018-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/debian/patches/features/all/securelevel/0018-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
new file mode 100644
index 0000000..4226ce4
--- /dev/null
+++ b/debian/patches/features/all/securelevel/0018-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
@@ -0,0 +1,46 @@
+From: "Lee, Chun-Yi" <joeyli.kernel at gmail.com>
+Date: Tue, 14 Jun 2016 17:24:03 +0800
+Subject: [PATCH 18/19] kexec_file: Disable at runtime if securelevel has been
+ set
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=1194d6e47cd83252892ba0ce30fdf052f1c9aceb
+
+When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
+through kexec_file systemcall if securelevel has been set.
+
+This code was showed in Matthew's patch but not in git:
+https://lkml.org/lkml/2015/3/13/778
+
+Cc: Matthew Garrett <mjg59 at srcf.ucam.org>
+Signed-off-by: Lee, Chun-Yi <jlee at suse.com>
+---
+ kernel/kexec_file.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index 037c321c5618..75cb22203224 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -23,6 +23,7 @@
+ #include <crypto/sha.h>
+ #include <linux/syscalls.h>
+ #include <linux/vmalloc.h>
++#include <linux/security.h>
+ #include "kexec_internal.h"
+ 
+ /*
+@@ -264,6 +265,15 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
+ 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ 		return -EPERM;
+ 
++#ifndef CONFIG_KEXEC_VERIFY_SIG
++	/*
++	 * Don't permit images to be loaded into trusted kernels if we're not
++	 * going to verify the signature on them
++	 */
++	if (get_securelevel() > 0)
++		return -EPERM;
++#endif
++
+ 	/* Make sure we have a legal set of flags */
+ 	if (flags != (flags & KEXEC_FILE_FLAGS))
+ 		return -EINVAL;
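Review bot: The new securelevel check in kexec_file_load is compiled out entirely under CONFIG_KEXEC_VERIFY_SIG, so on kernels built with that option the restriction rests wholly on the signature check later in the load path (kimage_file_prepare_segments, outside this hunk), and as far as I recall that check covers only the kernel image, never the initrd or command line passed through the same syscall. The added comment should make that scope explicit so nobody reads "verify the signature on them" as covering the whole load, e.g. `/* KEXEC_VERIFY_SIG verifies only the kernel image; initrd and cmdline stay unverified */`. Placing the check before the flags validation also means a caller with bad flags now sees -EPERM rather than -EINVAL once securelevel is set, which is harmless but worth a note if the error ordering is relied on by tests. The enclosing SYSCALL_DEFINE5 body continues outside the hunk.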
diff --git a/debian/patches/features/all/securelevel/0019-More-secure-boot-holes-to-plug.patch b/debian/patches/features/all/securelevel/0019-More-secure-boot-holes-to-plug.patch
new file mode 100644
index 0000000..bc3e3f0
--- /dev/null
+++ b/debian/patches/features/all/securelevel/0019-More-secure-boot-holes-to-plug.patch
@@ -0,0 +1,80 @@
+From: joeyli <jlee at suse.com>
+Date: Sun, 13 Nov 2016 00:03:25 +0800
+Subject: [PATCH 19/19] More secure boot holes to plug
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/commit?id=497e7895e4669b2d35368e40bcc8e7932893e490
+
+Hi all,
+
+On Fri, Nov 04, 2016 at 04:42:13PM -0600, Kees Cook wrote:
+> Hi,
+>
+> It looks like CONFIG_BPF_EVENTS needs to be disabled in secure boot
+> environments since you can read kernel memory (and hence, the
+> hibernation image signing key) by attaching an eBPF program to a
+> tracepoint through a perf_event_open() fd which uses bpf_probe_read()
+> and either bpf_trace_printk() or bpf_probe_write_user().
+>
+> (Or, rather, kernel memory _reads_ need to be added to the threat
+> model if a private key is held in kernel memory.)
+>
+> -Kees
+>
+
+Here is a patch to restrict some bpf read functions. Actually not just
+bpf, currently securelevel patches do not prevent root account to read
+memory. e.g. /dev/mem and /dev/kmem.
+
+If kernel allows root to read kernel memory, then hibernation needs to be
+totally disabled.
+
+>From 69f142a5ea1073c6e0ba0dc612a5e6f83a5ab701 Mon Sep 17 00:00:00 2001
+From: "Lee, Chun-Yi" <jlee at suse.com>
+Date: Sat, 12 Nov 2016 23:15:13 +0800
+Subject: [PATCH] bpf: Restrict read functions when securelevel is set
+
+There have some bpf functions can be used to read kernel memory:
+bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. Then private
+key in kernel memory (e.g. hibernation image signing key) can be read
+by a eBPF program. So restricting those functions in secure mode.
+
+Signed-off-by: Lee, Chun-Yi <jlee at suse.com>
+---
+ kernel/trace/bpf_trace.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 5dcb99281259..4beea12e3109 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
+ {
+ 	int ret;
+ 
++	if (get_securelevel() > 0) {
++		memset(dst, 0, size);
++		return -EPERM;
++	}
++
+ 	ret = probe_kernel_read(dst, unsafe_ptr, size);
+ 	if (unlikely(ret < 0))
+ 		memset(dst, 0, size);
+@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
+ BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
+ 	   u32, size)
+ {
++	if (get_securelevel() > 0)
++		return -EPERM;
++
+ 	/*
+ 	 * Ensure we're in user context which is safe for the helper to
+ 	 * run. This helper has no business in a kthread.
+@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
+ 	if (fmt[--fmt_size] != 0)
+ 		return -EINVAL;
+ 
++	if (get_securelevel() > 0)
++		return __trace_printk(1, fmt, 0, 0, 0);
++
+ 	/* check format string for allowed specifiers */
+ 	for (i = 0; i < fmt_size; i++) {
+ 		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
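Review bot: The early return in bpf_trace_printk passes fmt to `__trace_printk` before the specifier-validation loop that starts at the end of this hunk has run, so at securelevel > 0 the helper emits a format string that has not been checked for disallowed specifiers, which is the opposite of what the other two hunks do (they refuse with -EPERM and touch nothing). The simplest consistent fix is `if (get_securelevel() > 0) return -EPERM;`, matching bpf_probe_read and bpf_probe_write_user; if the intent really is to keep the program's trace output with arguments suppressed, the check needs to move below the validation loop, whose remainder is outside the hunk. A short comment explaining why printk is degraded rather than refused would also help, since the commit message only talks about restricting reads.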
diff --git a/debian/patches/features/all/securelevel/add-bsd-style-securelevel-support.patch b/debian/patches/features/all/securelevel/add-bsd-style-securelevel-support.patch
deleted file mode 100644
index 15e636c..0000000
--- a/debian/patches/features/all/securelevel/add-bsd-style-securelevel-support.patch
+++ /dev/null
@@ -1,208 +0,0 @@
-From: Matthew Garrett <mjg59 at srcf.ucam.org>
-Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [01/18] Add BSD-style securelevel support
-Origin: https://github.com/mjg59/linux/commit/058b8ddfe86dc90268f6dbe0ffed29ec46f1fafa
-
-Provide a coarse-grained runtime configuration option for restricting
-userspace's ability to modify the running kernel.
-
-Signed-off-by: Matthew Garrett <mjg59 at srcf.ucam.org>
----
- Documentation/security/securelevel.txt |  23 +++++++
- include/linux/security.h               |   8 +++
- security/Kconfig                       |   8 +++
- security/Makefile                      |   1 +
- security/securelevel.c                 | 116 +++++++++++++++++++++++++++++++++
- 5 files changed, 156 insertions(+)
- create mode 100644 Documentation/security/securelevel.txt
- create mode 100644 security/securelevel.c
-
---- /dev/null
-+++ b/Documentation/security/securelevel.txt
-@@ -0,0 +1,23 @@
-+Linux securelevel interface
-+---------------------------
-+
-+The Linux securelevel interface (inspired by the BSD securelevel interface)
-+is a runtime mechanism for configuring coarse-grained kernel-level security
-+restrictions. It provides a runtime configuration variable at
-+/sys/kernel/security/securelevel which can be written to by root. The
-+following values are supported:
-+
-+-1: Permanently insecure mode. This level is equivalent to level 0, but once
-+    set cannot be changed.
-+
-+0:  Insecure mode (default). This level imposes no additional kernel
-+    restrictions.
-+
-+1:  Secure mode. If set, userspace will be unable to perform direct access
-+    to PCI devices, port IO access, access system memory directly via
-+    /dev/mem and /dev/kmem, perform kexec_load(), use the userspace
-+    software suspend mechanism, insert new ACPI code at runtime via the
-+    custom_method interface or modify CPU MSRs (on x86). Certain drivers
-+    may also limit additional interfaces.
-+
-+Once the securelevel value is increased, it may not be decreased.
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -1589,6 +1589,14 @@ static inline void security_audit_rule_f
- #endif /* CONFIG_SECURITY */
- #endif /* CONFIG_AUDIT */
- 
-+#ifdef CONFIG_SECURITY_SECURELEVEL
-+extern int get_securelevel(void);
-+extern int set_securelevel(int new_securelevel);
-+#else
-+static inline int get_securelevel(void) { return 0; }
-+static inline int set_securelevel(int new_securelevel) { return 0; }
-+#endif /* CONFIG_SECURELEVEL */
-+
- #ifdef CONFIG_SECURITYFS
- 
- extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -93,6 +93,14 @@ config SECURITY_PATH
- 	  implement pathname based access controls.
- 	  If you are unsure how to answer this question, answer N.
- 
-+config SECURITY_SECURELEVEL
-+        bool "Securelevel kernel restriction interface"
-+	depends on SECURITY
-+	help
-+	  This enables support for adding a set of additional kernel security
-+	  restrictions at runtime. See Documentation/security/securelevel.txt
-+	  for further information.
-+
- config INTEL_TXT
- 	bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
- 	depends on HAVE_INTEL_TXT
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -16,6 +16,7 @@ obj-$(CONFIG_MMU)			+= min_addr.o
- # Object file lists
- obj-$(CONFIG_SECURITY)			+= security.o
- obj-$(CONFIG_SECURITYFS)		+= inode.o
-+obj-$(CONFIG_SECURITY_SECURELEVEL)	+= securelevel.o
- obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/
- obj-$(CONFIG_SECURITY_SMACK)		+= smack/
- obj-$(CONFIG_AUDIT)			+= lsm_audit.o
---- /dev/null
-+++ b/security/securelevel.c
-@@ -0,0 +1,116 @@
-+/*
-+ *  securelevel.c - support for generic kernel lockdown
-+ *
-+ *  Copyright Nebula, Inc <mjg59 at srcf.ucam.org>
-+ *
-+ *  This program is free software; you can redistribute it and/or modify
-+ *  it under the terms of the GNU General Public License version 2 as
-+ *  published by the Free Software Foundation.
-+ *
-+ */
-+
-+#include <linux/fs.h>
-+#include <linux/init.h>
-+#include <linux/security.h>
-+#include <linux/uaccess.h>
-+
-+static int securelevel;
-+
-+static DEFINE_SPINLOCK(securelevel_lock);
-+
-+#define MAX_SECURELEVEL 1
-+
-+int get_securelevel(void)
-+{
-+	return securelevel;
-+}
-+EXPORT_SYMBOL(get_securelevel);
-+
-+int set_securelevel(int new_securelevel)
-+{
-+	int ret = 0;
-+
-+	spin_lock(&securelevel_lock);
-+
-+	if ((securelevel == -1) || (new_securelevel < securelevel) ||
-+	    (new_securelevel > MAX_SECURELEVEL)) {
-+		ret = -EINVAL;
-+		goto out;
-+	}
-+
-+	securelevel = new_securelevel;
-+out:
-+	spin_unlock(&securelevel_lock);
-+	return ret;
-+}
-+EXPORT_SYMBOL(set_securelevel);
-+
-+static ssize_t securelevel_read(struct file *filp, char __user *buf,
-+				size_t count, loff_t *ppos)
-+{
-+	char tmpbuf[12];
-+	ssize_t length;
-+
-+	length = scnprintf(tmpbuf, sizeof(tmpbuf), "%d", securelevel);
-+	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
-+}
-+
-+static ssize_t securelevel_write(struct file *file, const char __user *buf,
-+				 size_t count, loff_t *ppos)
-+{
-+	char *page = NULL;
-+	ssize_t length;
-+	int new_securelevel;
-+
-+	length = -ENOMEM;
-+	if (count >= PAGE_SIZE)
-+		goto out;
-+
-+	length = -EINVAL;
-+	if (*ppos != 0)
-+		goto out;
-+
-+	length = -ENOMEM;
-+	page = (char *)get_zeroed_page(GFP_KERNEL);
-+	if (!page)
-+		goto out;
-+
-+	length = -EFAULT;
-+	if (copy_from_user(page, buf, count))
-+		goto out;
-+
-+	length = -EINVAL;
-+	if (sscanf(page, "%d", &new_securelevel) != 1)
-+		goto out;
-+
-+	length = set_securelevel(new_securelevel);
-+	if (length)
-+		goto out;
-+
-+	length = count;
-+out:
-+	free_page((unsigned long) page);
-+	return length;
-+}
-+
-+static const struct file_operations securelevel_fops = {
-+	.read 	= securelevel_read,
-+	.write 	= securelevel_write,
-+	.llseek	= generic_file_llseek,
-+};
-+
-+static __init int setup_securelevel(void)
-+{
-+	struct dentry *securelevel_file;
-+
-+	securelevel_file = securityfs_create_file("securelevel",
-+						  S_IWUSR | S_IRUGO,
-+						  NULL, NULL,
-+						  &securelevel_fops);
-+
-+	if (IS_ERR(securelevel_file))
-+		return PTR_ERR(securelevel_file);
-+
-+	return 0;
-+}
-+late_initcall(setup_securelevel);
diff --git a/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch b/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
deleted file mode 100644
index 92f5057..0000000
--- a/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From: Linn Crosetto <linn at hpe.com>
-Date: Tue, 30 Aug 2016 11:54:38 -0600
-Subject: arm64: add kernel config option to set securelevel when in Secure Boot mode
-
-Add a kernel configuration option to enable securelevel, to restrict
-userspace's ability to modify the running kernel when UEFI Secure Boot is
-enabled. Based on the x86 patch by Matthew Garrett.
-
-Determine the state of Secure Boot in the EFI stub and pass this to the
-kernel using the FDT.
-
-Signed-off-by: Linn Crosetto <linn at hpe.com>
----
-v2:
-
- - Add cpu_to_fdt32() when setting Secure Boot flag in FDT (Ben Hutchings)
-
- arch/arm64/Kconfig                      | 13 +++++++++++++
- drivers/firmware/efi/arm-init.c         |  7 +++++++
- drivers/firmware/efi/efi.c              |  3 ++-
- drivers/firmware/efi/libstub/arm-stub.c |  2 +-
- drivers/firmware/efi/libstub/efistub.h  |  1 +
- drivers/firmware/efi/libstub/fdt.c      |  7 +++++++
- include/linux/efi.h                     |  1 +
- 7 files changed, 32 insertions(+), 2 deletions(-)
-
---- a/arch/arm64/Kconfig
-+++ b/arch/arm64/Kconfig
-@@ -972,6 +972,19 @@ config EFI
- 	  allow the kernel to be booted as an EFI application. This
- 	  is only useful on systems that have UEFI firmware.
- 
-+config EFI_SECURE_BOOT_SECURELEVEL
-+	def_bool n
-+	depends on SECURITY_SECURELEVEL
-+	depends on EFI
-+	prompt "Automatically set securelevel when UEFI Secure Boot is enabled"
-+	---help---
-+	  UEFI Secure Boot provides a mechanism for ensuring that the
-+	  firmware will only load signed bootloaders and kernels. Certain
-+	  use cases may also require that the kernel restrict any userspace
-+	  mechanism that could insert untrusted code into the kernel.
-+	  Say Y here to automatically enable securelevel enforcement
-+	  when a system boots with UEFI Secure Boot enabled.
-+
- config DMI
- 	bool "Enable support for SMBIOS (DMI) tables"
- 	depends on EFI
---- a/drivers/firmware/efi/arm-init.c
-+++ b/drivers/firmware/efi/arm-init.c
-@@ -21,6 +21,7 @@
- #include <linux/of_fdt.h>
- #include <linux/platform_device.h>
- #include <linux/screen_info.h>
-+#include <linux/security.h>
- 
- #include <asm/efi.h>
- 
-@@ -243,6 +244,12 @@ void __init efi_init(void)
- 	     "Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
- 	      efi.memmap.desc_version);
- 
-+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
-+	if (params.secure_boot > 0) {
-+		set_securelevel(1);
-+	}
-+#endif
-+
- 	if (uefi_init() < 0)
- 		return;
- 
---- a/drivers/firmware/efi/efi.c
-+++ b/drivers/firmware/efi/efi.c
-@@ -580,7 +580,8 @@ static __initdata struct params fdt_para
- 	UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
- 	UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
- 	UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
--	UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
-+	UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
-+	UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
- };
- 
- static __initdata struct params xen_fdt_params[] = {
---- a/drivers/firmware/efi/libstub/arm-stub.c
-+++ b/drivers/firmware/efi/libstub/arm-stub.c
-@@ -20,7 +20,7 @@
- 
- bool __nokaslr;
- 
--static int efi_get_secureboot(efi_system_table_t *sys_table_arg)
-+int efi_get_secureboot(efi_system_table_t *sys_table_arg)
- {
- 	static efi_char16_t const sb_var_name[] = {
- 		'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 };
---- a/drivers/firmware/efi/libstub/efistub.h
-+++ b/drivers/firmware/efi/libstub/efistub.h
-@@ -62,4 +62,5 @@ efi_status_t efi_random_alloc(efi_system
- 
- efi_status_t check_platform_features(efi_system_table_t *sys_table_arg);
- 
-+int efi_get_secureboot(efi_system_table_t *sys_table_arg);
- #endif
---- a/drivers/firmware/efi/libstub/fdt.c
-+++ b/drivers/firmware/efi/libstub/fdt.c
-@@ -139,6 +139,13 @@ efi_status_t update_fdt(efi_system_table
- 			return efi_status;
- 		}
- 	}
-+
-+	fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
-+	status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
-+			     &fdt_val32, sizeof(fdt_val32));
-+	if (status)
-+		goto fdt_set_fail;
-+
- 	return EFI_SUCCESS;
- 
- fdt_set_fail:
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -687,6 +687,7 @@ struct efi_fdt_params {
- 	u32 mmap_size;
- 	u32 desc_size;
- 	u32 desc_ver;
-+	u32 secure_boot;
- };
- 
- typedef struct {
diff --git a/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch b/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch
deleted file mode 100644
index 59fd422..0000000
--- a/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From: Linn Crosetto <linn at hpe.com>
-Date: Mon, 22 Feb 2016 12:54:37 -0700
-Subject: arm64/efi: Disable secure boot if shim is in insecure mode
-
-Port to arm64 a patch originally written by Josh Boyer for the x86 EFI
-stub.
-
-A user can manually tell the shim boot loader to disable validation of
-images it loads.  When a user does this, it creates a UEFI variable called
-MokSBState that does not have the runtime attribute set.  Given that the
-user explicitly disabled validation, we can honor that and not enable
-secure boot mode if that variable is set.
-
-Signed-off-by: Linn Crosetto <linn at hpe.com>
-Cc: Josh Boyer <jwboyer at fedoraproject.org>
----
- drivers/firmware/efi/libstub/arm-stub.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
---- a/drivers/firmware/efi/libstub/arm-stub.c
-+++ b/drivers/firmware/efi/libstub/arm-stub.c
-@@ -26,11 +26,14 @@ static int efi_get_secureboot(efi_system
- 		'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 };
- 	static efi_char16_t const sm_var_name[] = {
- 		'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 };
-+	static efi_char16_t const mk_var_name[] = {
-+		'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0 };
- 
- 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
- 	efi_get_variable_t *f_getvar = sys_table_arg->runtime->get_variable;
- 	u8 val;
- 	unsigned long size = sizeof(val);
-+	u32 attr;
- 	efi_status_t status;
- 
- 	status = f_getvar((efi_char16_t *)sb_var_name, (efi_guid_t *)&var_guid,
-@@ -51,6 +54,22 @@ static int efi_get_secureboot(efi_system
- 	if (val == 1)
- 		return 0;
- 
-+	/* See if a user has put shim into insecure_mode.  If so, and the variable
-+	 * doesn't have the runtime attribute set, we might as well honor that.
-+	 */
-+	var_guid = EFI_SHIM_LOCK_GUID;
-+	status = f_getvar((efi_char16_t *)mk_var_name, (efi_guid_t *)&var_guid,
-+				&attr, &size, &val);
-+
-+	/* If it fails, we don't care why.  Default to secure */
-+	if (status != EFI_SUCCESS)
-+		return 1;
-+
-+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
-+		if (val == 1)
-+			return 0;
-+	}
-+
- 	return 1;
- 
- out_efi_err:
diff --git a/debian/patches/features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch b/debian/patches/features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch
deleted file mode 100644
index b8b2e33..0000000
--- a/debian/patches/features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Fri, 03 Jun 2016 00:48:39 +0100
-Subject: mtd: Disable slram and phram when securelevel is enabled
-
-The slram and phram drivers both allow mapping regions of physical
-address space such that they can then be read and written by userland
-through the MTD interface.  This is probably usable to manipulate
-hardware into overwriting kernel code on many systems.  Prevent that
-if securelevel is set.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/drivers/mtd/devices/phram.c
-+++ b/drivers/mtd/devices/phram.c
-@@ -25,6 +25,7 @@
- #include <linux/moduleparam.h>
- #include <linux/slab.h>
- #include <linux/mtd/mtd.h>
-+#include <linux/security.h>
- 
- struct phram_mtd_list {
- 	struct mtd_info mtd;
-@@ -226,6 +227,9 @@ static int phram_setup(const char *val)
- 	uint64_t len;
- 	int i, ret;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if (strnlen(val, sizeof(buf)) >= sizeof(buf))
- 		parse_err("parameter too long\n");
- 
---- a/drivers/mtd/devices/slram.c
-+++ b/drivers/mtd/devices/slram.c
-@@ -42,6 +42,7 @@
- #include <linux/ioctl.h>
- #include <linux/init.h>
- #include <linux/io.h>
-+#include <linux/security.h>
- 
- #include <linux/mtd/mtd.h>
- 
-@@ -230,6 +231,9 @@ static int parse_cmdline(char *devname,
- 	unsigned long devstart;
- 	unsigned long devlength;
- 
-+	if (get_securelevel() > 0)
-+		return -EPERM;
-+
- 	if ((!devname) || (!szstart) || (!szlength)) {
- 		unregister_devices();
- 		return(-EINVAL);
diff --git a/debian/patches/series b/debian/patches/series
index dc04ae1..68cc6e3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -66,28 +66,25 @@ bugfix/all/mm-memcontrol-use-special-workqueue-for-creating-per-memcg-caches.pat
 # Miscellaneous features
 
 # Securelevel patchset from mjg59
-features/all/securelevel/add-bsd-style-securelevel-support.patch
-features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch
-features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch
-features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch
-features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
-features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch
-features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch
-features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch
-features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch
-features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch
-features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch
-features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch
-features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch
-features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch
-features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
-features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch
-features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch
-features/all/securelevel/enable-cold-boot-attack-mitigation.patch
-features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch
-# same for arm64
-features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch
-features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
+features/all/securelevel/0001-Enforce-module-signatures-when-securelevel-is-greate.patch
+features/all/securelevel/0002-PCI-Lock-down-BAR-access-when-securelevel-is-enabled.patch
+features/all/securelevel/0003-x86-Lock-down-IO-port-access-when-securelevel-is-ena.patch
+features/all/securelevel/0004-Restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch
+features/all/securelevel/0005-acpi-Limit-access-to-custom_method-if-securelevel-is.patch
+features/all/securelevel/0006-acpi-Ignore-acpi_rsdp-kernel-parameter-when-securele.patch
+features/all/securelevel/0007-kexec-Disable-at-runtime-if-securelevel-has-been-set.patch
+features/all/securelevel/0008-uswsusp-Disable-when-securelevel-is-set.patch
+features/all/securelevel/0009-x86-Restrict-MSR-access-when-securelevel-is-set.patch
+features/all/securelevel/0010-asus-wmi-Restrict-debugfs-interface-when-securelevel.patch
+features/all/securelevel/0011-Add-option-to-automatically-set-securelevel-when-in-.patch
+features/all/securelevel/0012-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+features/all/securelevel/0013-hibernate-Disable-when-securelevel-is-set.patch
+features/all/securelevel/0014-kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch
+features/all/securelevel/0015-acpi-Disable-ACPI-table-override-if-securelevel-is-s.patch
+features/all/securelevel/0016-acpi-Disable-APEI-error-injection-if-securelevel-is-.patch
+features/all/securelevel/0017-Enable-cold-boot-attack-mitigation.patch
+features/all/securelevel/0018-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
+features/all/securelevel/0019-More-secure-boot-holes-to-plug.patch
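Review bot: The new series drops `add-bsd-style-securelevel-support.patch` (removed at the top of the hunk) while every entry it keeps is still named after a securelevel gate, and the MTD patch deleted in this same commit shows those gates are written as `if (get_securelevel() > 0)`; if the renumbered 0001–0019 patches still call that helper and none of them now defines it, the series will presumably fail to apply or build rather than merely lose one feature. I would either list the base patch again ahead of `0001-Enforce-module-signatures-...` or annotate the `# Securelevel patchset from mjg59` header with which patch now carries the securelevel helpers, e.g. `# securelevel core (get_securelevel) is provided by 00NN-... since the rebase`. The `# same for arm64` entries are also removed with nothing listed in their place, so arm64 silently loses the shim insecure-mode check and the automatic securelevel setting this file used to apply; a one-line `# arm64: shim/securelevel patches pending rebase` comment would keep that gap visible to the next person touching the series.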
 
 # Security fixes
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
