kernel: use new patches for secure boot

From: https://sources.debian.org/data/main/l/linux/6.12~rc6-1~exp1/debian/patches/features/all/lockdown/

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.12.20.ebuild

@@ -38,9 +38,8 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch \
 	${PATCH_DIR}/z0002-revert-pahole-flags.patch \
 	${PATCH_DIR}/z0003-Revert-x86-boot-Remove-the-bugger-off-message.patch \
-	${PATCH_DIR}/z0004-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch \
+	${PATCH_DIR}/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch \
-	${PATCH_DIR}/z0005-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
+	${PATCH_DIR}/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
-	${PATCH_DIR}/z0006-mtd-phram-slram-Disable-when-the-kernel-is-locked-do.patch \
+	${PATCH_DIR}/z0006-mtd-disable-slram-and-phram-when-locked-down.patch \
-	${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when-in-.patch \
+	${PATCH_DIR}/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch \
-	${PATCH_DIR}/z0008-tools-hv-fix-cross-compilation-for-ARM64.patch \
 "

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0004-efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch

@@ -1,8 +1,7 @@
-From 1e2ffbec195c89d887bc088691ebb19c9173ecad Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 18 Feb 2019 12:45:03 +0000
-Subject: [PATCH 1/4] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot
+Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
- mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28
 
 UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
 flag that can be passed to efi_enabled() to find out whether secure boot is
@@ -26,15 +25,13 @@ cc: linux-efi@vger.kernel.org
  arch/x86/kernel/setup.c           | 14 +----------
  drivers/firmware/efi/Makefile     |  1 +
  drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
- include/linux/efi.h               | 17 ++++++++------
+ include/linux/efi.h               | 16 ++++++++-----
- 4 files changed, 51 insertions(+), 20 deletions(-)
+ 4 files changed, 51 insertions(+), 19 deletions(-)
  create mode 100644 drivers/firmware/efi/secureboot.c
 
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index eb129277dcdd..7c4a6697e39d 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1190,19 +1190,7 @@ void __init setup_arch(char **cmdline_p)
+@@ -1193,19 +1193,7 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -55,11 +52,9 @@ index eb129277dcdd..7c4a6697e39d 100644
  
  	reserve_initrd();
  
-diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
-index e489fefd23da..f2dfae764fb5 100644
 --- a/drivers/firmware/efi/Makefile
 +++ b/drivers/firmware/efi/Makefile
-@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB)		+= libstub
+@@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP)		+= fake_m
  obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
  obj-$(CONFIG_EFI_TEST)			+= test/
  obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
@@ -67,9 +62,6 @@ index e489fefd23da..f2dfae764fb5 100644
  obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
  obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o
  obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE)	+= embedded-firmware.o
-diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
-new file mode 100644
-index 000000000000..b6620669e32b
 --- /dev/null
 +++ b/drivers/firmware/efi/secureboot.c
 @@ -0,0 +1,39 @@
@@ -112,11 +104,9 @@ index 000000000000..b6620669e32b
 +		}
 +	}
 +}
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 80b21d1c6eaf..d267ddba8369 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -871,6 +871,14 @@ extern int __init efi_setup_pcdp_console
  #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
  #define EFI_MEM_NO_SOFT_RESERVE	11	/* Is the kernel configured to ignore soft reservations? */
  #define EFI_PRESERVE_BS_REGIONS	12	/* Are EFI boot-services memory segments available? */
@@ -131,7 +121,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
  
  #ifdef CONFIG_EFI
  /*
-@@ -895,6 +903,7 @@ static inline bool efi_rt_services_supported(unsigned int mask)
+@@ -895,6 +903,7 @@ static inline bool efi_rt_services_suppo
  	return (efi.runtime_supported_mask & mask) == mask;
  }
  extern void efi_find_mirror(void);
@@ -139,7 +129,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
  #else
  static inline bool efi_enabled(int feature)
  {
-@@ -914,6 +923,7 @@ static inline bool efi_rt_services_supported(unsigned int mask)
+@@ -914,6 +923,7 @@ static inline bool efi_rt_services_suppo
  }
  
  static inline void efi_find_mirror(void) {}
@@ -147,7 +137,7 @@ index 80b21d1c6eaf..d267ddba8369 100644
  #endif
  
  extern int efi_status_to_err(efi_status_t status);
-@@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled(void) { return true; }
+@@ -1133,13 +1143,6 @@ static inline bool efi_runtime_disabled(
  extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
  extern unsigned long efi_call_virt_save_flags(void);
  
@@ -161,6 +151,3 @@ index 80b21d1c6eaf..d267ddba8369 100644
  static inline
  enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
  {
--- 
-2.39.2
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0005-efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -1,7 +1,6 @@
-From fa96a2ef86466da0a43756ee39ce3b1cb555a55a Mon Sep 17 00:00:00 2001
 From: Ben Hutchings <ben@decadent.org.uk>
 Date: Tue, 10 Sep 2019 11:54:28 +0100
-Subject: [PATCH 2/4] efi: Lock down the kernel if booted in secure boot mode
+Subject: efi: Lock down the kernel if booted in secure boot mode
 
 Based on an earlier patch by David Howells, who wrote the following
 description:
@@ -18,18 +17,16 @@ help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
 lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
 Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
 ---
- arch/x86/kernel/setup.c           |  4 ++--
+ arch/x86/kernel/setup.c           |    4 ++--
- drivers/firmware/efi/secureboot.c |  5 +++++
+ drivers/firmware/efi/secureboot.c |    3 +++
- include/linux/security.h          |  6 ++++++
+ include/linux/security.h          |    6 ++++++
- security/lockdown/Kconfig         | 15 +++++++++++++++
+ security/lockdown/Kconfig         |   15 +++++++++++++++
- security/lockdown/lockdown.c      |  2 +-
+ security/lockdown/lockdown.c      |    2 +-
- 5 files changed, 29 insertions(+), 3 deletions(-)
+ 5 files changed, 27 insertions(+), 3 deletions(-)
 
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 7c4a6697e39d..04e73973098e 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1028,6 +1028,8 @@ void __init setup_arch(char **cmdline_p)
+@@ -904,6 +904,8 @@ void __init setup_arch(char **cmdline_p)
  	if (efi_enabled(EFI_BOOT))
  		efi_init();
  
@@ -38,7 +35,7 @@ index 7c4a6697e39d..04e73973098e 100644
  	reserve_ibft_region();
  	x86_init.resources.dmi_setup();
  
-@@ -1190,8 +1192,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -47,8 +44,6 @@ index 7c4a6697e39d..04e73973098e 100644
  	reserve_initrd();
  
  	acpi_table_upgrade();
-diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
-index b6620669e32b..8f2554291fb1 100644
 --- a/drivers/firmware/efi/secureboot.c
 +++ b/drivers/firmware/efi/secureboot.c
 @@ -15,6 +15,7 @@
@@ -59,7 +54,7 @@ index b6620669e32b..8f2554291fb1 100644
  
  /*
   * Decide what to do when UEFI secure boot mode is enabled.
-@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
+@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi
  			break;
  		case efi_secureboot_mode_enabled:
  			set_bit(EFI_SECURE_BOOT, &efi.flags);
@@ -70,19 +65,17 @@ index b6620669e32b..8f2554291fb1 100644
  			pr_info("Secure boot enabled\n");
  			break;
  		default:
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 4bd0f6fc553e..08258ecbb5f9 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
-@@ -486,6 +486,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+@@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i
  int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
  int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
  int security_locked_down(enum lockdown_reason what);
 +int lock_kernel_down(const char *where, enum lockdown_reason level);
- #else /* CONFIG_SECURITY */
+ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
- 
+ 		      void *val, size_t val_len, u64 id, u64 flags);
- static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+ int security_bdev_alloc(struct block_device *bdev);
-@@ -1404,6 +1405,11 @@ static inline int security_locked_down(enum lockdown_reason what)
+@@ -1504,6 +1505,11 @@ static inline int security_locked_down(e
  {
  	return 0;
  }
@@ -91,14 +84,12 @@ index 4bd0f6fc553e..08258ecbb5f9 100644
 +{
 +	return -EOPNOTSUPP;
 +}
- #endif	/* CONFIG_SECURITY */
+ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
- 
+ 				    u32 *uctx_len, void *val, size_t val_len,
- #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+ 				    u64 id, u64 flags)
-diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
-index e84ddf484010..4175b50b1e6e 100644
 --- a/security/lockdown/Kconfig
 +++ b/security/lockdown/Kconfig
-@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
  	 disabled.
  
  endchoice
@@ -117,11 +108,9 @@ index e84ddf484010..4175b50b1e6e 100644
 +
 +	  Enabling this option results in kernel lockdown being
 +	  triggered in integrity mode if EFI Secure Boot is set.
-diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
-index 68d19632aeb7..67cc9839952f 100644
 --- a/security/lockdown/lockdown.c
 +++ b/security/lockdown/lockdown.c
-@@ -23,7 +23,7 @@ static const enum lockdown_reason lockdown_levels[] = {LOCKDOWN_NONE,
+@@ -24,7 +24,7 @@ static const enum lockdown_reason lockdo
  /*
   * Put the kernel into lock-down mode.
   */
@@ -130,6 +119,3 @@ index 68d19632aeb7..67cc9839952f 100644
  {
  	if (kernel_locked_down >= level)
  		return -EPERM;
--- 
-2.39.2
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0006-mtd-disable-slram-and-phram-when-locked-down.patch

@@ -1,7 +1,7 @@
-From bb8912cf807feab56cf8e924d33229d800ae71a6 Mon Sep 17 00:00:00 2001
 From: Ben Hutchings <ben@decadent.org.uk>
 Date: Fri, 30 Aug 2019 15:54:24 +0100
-Subject: [PATCH 3/4] mtd: phram,slram: Disable when the kernel is locked down
+Subject: mtd: phram,slram: Disable when the kernel is locked down
+Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
 
 These drivers allow mapping arbitrary memory ranges as MTD devices.
 This should be disabled to preserve the kernel's integrity when it is
@@ -21,11 +21,9 @@ Cc: linux-mtd@lists.infradead.org
  drivers/mtd/devices/slram.c | 9 ++++++++-
  2 files changed, 13 insertions(+), 2 deletions(-)
 
-diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c
-index 208bd4d871f4..30f84a91692d 100644
 --- a/drivers/mtd/devices/phram.c
 +++ b/drivers/mtd/devices/phram.c
-@@ -364,7 +364,11 @@ static int phram_param_call(const char *val, const struct kernel_param *kp)
+@@ -364,7 +364,11 @@ static int phram_param_call(const char *
  #endif
  }
  
@@ -38,8 +36,6 @@ index 208bd4d871f4..30f84a91692d 100644
  MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\"");
  
  #ifdef CONFIG_OF
-diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
-index 28131a127d06..d92a2461e2ce 100644
 --- a/drivers/mtd/devices/slram.c
 +++ b/drivers/mtd/devices/slram.c
 @@ -43,6 +43,7 @@
@@ -77,6 +73,3 @@ index 28131a127d06..d92a2461e2ce 100644
  	while (map) {
  		devname = devstart = devlength = NULL;
  
--- 
-2.39.2
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/6.12/z0007-arm64-add-kernel-config-option-to-lock-down-when.patch

@@ -1,8 +1,8 @@
-From 8598238a38a333fed5ec0c8287f99813578370ab Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Tue, 30 Aug 2016 11:54:38 -0600
-Subject: [PATCH 4/4] arm64: add kernel config option to lock down when in
+Subject: arm64: add kernel config option to lock down when in Secure Boot mode
- Secure Boot mode
+Bug-Debian: https://bugs.debian.org/831827
+Forwarded: no
 
 Add a kernel configuration option to lock down the kernel, to restrict
 userspace's ability to modify the running kernel when UEFI Secure Boot is
@@ -32,17 +32,15 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
 [Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename
 arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
 ---
- drivers/firmware/efi/efi-init.c    |  5 ++++-
+ drivers/firmware/efi/efi-init.c    |    5 ++++-
- drivers/firmware/efi/fdtparams.c   | 12 +++++++++++-
+ drivers/firmware/efi/fdtparams.c   |   12 +++++++++++-
- drivers/firmware/efi/libstub/fdt.c |  6 ++++++
+ drivers/firmware/efi/libstub/fdt.c |    6 ++++++
- include/linux/efi.h                |  3 ++-
+ include/linux/efi.h                |    3 ++-
  4 files changed, 23 insertions(+), 3 deletions(-)
 
-diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
-index 59b0d7197b68..e63f8a82d9f4 100644
 --- a/drivers/firmware/efi/efi-init.c
 +++ b/drivers/firmware/efi/efi-init.c
-@@ -204,9 +204,10 @@ void __init efi_init(void)
+@@ -213,9 +213,10 @@ void __init efi_init(void)
  {
  	struct efi_memory_map_data data;
  	u64 efi_system_table;
@@ -54,7 +52,7 @@ index 59b0d7197b68..e63f8a82d9f4 100644
  	if (!efi_system_table)
  		return;
  
-@@ -228,6 +229,8 @@ void __init efi_init(void)
+@@ -237,6 +238,8 @@ void __init efi_init(void)
  		return;
  	}
  
@@ -63,8 +61,6 @@ index 59b0d7197b68..e63f8a82d9f4 100644
  	reserve_regions();
  	/*
  	 * For memblock manipulation, the cap should come after the memblock_add().
-diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c
-index 0ec83ba58097..81a0ac408cf5 100644
 --- a/drivers/firmware/efi/fdtparams.c
 +++ b/drivers/firmware/efi/fdtparams.c
 @@ -16,6 +16,7 @@ enum {
@@ -75,7 +71,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
  
  	PARAMCOUNT
  };
-@@ -26,6 +27,7 @@ static __initconst const char name[][22] = {
+@@ -26,6 +27,7 @@ static __initconst const char name[][22]
  	[MMSIZE] = "MemMap Size          ",
  	[DCSIZE] = "MemMap Desc. Size    ",
  	[DCVERS] = "MemMap Desc. Version ",
@@ -99,7 +95,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
  		}
  	}
  };
-@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
+@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const
  	int len;
  	u64 val;
  
@@ -111,7 +107,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
  	prop = fdt_getprop(fdt, node, pname, &len);
  	if (!prop)
  		return 1;
-@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
+@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const
  	return 0;
  }
  
@@ -120,7 +116,7 @@ index 0ec83ba58097..81a0ac408cf5 100644
  {
  	const void *fdt = initial_boot_params;
  	unsigned long systab;
-@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
+@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi
  		[MMSIZE] = { &mm->size,		sizeof(mm->size) },
  		[DCSIZE] = { &mm->desc_size,	sizeof(mm->desc_size) },
  		[DCVERS] = { &mm->desc_version,	sizeof(mm->desc_version) },
@@ -128,11 +124,9 @@ index 0ec83ba58097..81a0ac408cf5 100644
  	};
  
  	BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
-diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
-index 6a337f1f8787..6c679da644dd 100644
 --- a/drivers/firmware/efi/libstub/fdt.c
 +++ b/drivers/firmware/efi/libstub/fdt.c
-@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
+@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *ori
  		}
  	}
  
@@ -145,20 +139,15 @@ index 6a337f1f8787..6c679da644dd 100644
  	/* Shrink the FDT back to its minimum size: */
  	fdt_pack(fdt);
  
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index d267ddba8369..fbce526768d3 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -756,7 +756,8 @@ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
+@@ -764,7 +764,8 @@ extern int efi_mem_desc_lookup(u64 phys_
+ extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
+ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
  extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
- extern void efi_initialize_iomem_resources(struct resource *code_resource,
- 		struct resource *data_resource, struct resource *bss_resource);
 -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
 +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
 +			      u32 *secure_boot);
  extern struct kobject *efi_kobj;
  
  extern int efi_reboot_quirk_mode;
--- 
-2.39.2
-