From eac64b8cd5d6ae87d07a9b194ae894bbbfd5bbd8 Mon Sep 17 00:00:00 2001 
From: Benjamin Gilbert Date: Mon, 3 Jul 2017 18:08:51 -0700 Subject: [PATCH] sys-kernel/coreos-*: bump to v4.12 CONFIG_EDAC_MM_EDAC was merged into CONFIG_EDAC, and the latter converted to a tristate, in e3c4ff6d8c949fa9a9ea1bd005bf1967efe09d5d. --- ...1.8.ebuild => coreos-kernel-4.12.0.ebuild} | 0 ....8.ebuild => coreos-modules-4.12.0.ebuild} | 0 ...64_defconfig-4.11 => amd64_defconfig-4.12} | 0 ...64_defconfig-4.11 => arm64_defconfig-4.12} | 0 .../{commonconfig-4.11 => commonconfig-4.12} | 3 +- .../sys-kernel/coreos-sources/Manifest | 3 +- ....8.ebuild => coreos-sources-4.12.0.ebuild} | 1 - .../z0024-Add-arm64-coreos-verity-hash.patch | 29 ------ ...rest-of-ext4_mb_load_buddy-ENOMEM-er.patch | 88 ------------------- .../z0001-efi-Add-EFI_SECURE_BOOT-bit.patch | 10 +-- ...to-lock-down-access-to-the-running-k.patch | 16 ++-- ...e-kernel-if-booted-in-secure-boot-mo.patch | 14 +-- ...ignatures-if-the-kernel-is-locked-do.patch | 8 +- ...-and-dev-kmem-when-the-kernel-is-loc.patch | 4 +- ...-runtime-if-the-kernel-is-locked-dow.patch | 4 +- ...-flag-in-boot-params-across-kexec-re.patch | 6 +- ...le-at-runtime-if-securelevel-has-bee.patch | 4 +- ...sable-when-the-kernel-is-locked-down.patch | 4 +- ...sable-when-the-kernel-is-locked-down.patch | 4 +- ...R-access-when-the-kernel-is-locked-d.patch | 30 +++---- ...-port-access-when-the-kernel-is-lock.patch | 4 +- ...-access-when-the-kernel-is-locked-do.patch | 4 +- ...t-debugfs-interface-when-the-kernel-.patch | 12 +-- ...s-to-custom_method-when-the-kernel-i.patch | 4 +- ..._rsdp-kernel-param-when-the-kernel-h.patch | 4 +- ...I-table-override-if-the-kernel-is-lo.patch | 8 +- ...I-error-injection-if-the-kernel-is-l.patch | 4 +- ...nel-image-access-functions-when-the-.patch | 6 +- ...z0020-scsi-Lock-down-the-eata-driver.patch | 4 +- ...CIS-storage-when-the-kernel-is-locke.patch | 4 +- .../z0022-Lock-down-TIOCSSERIAL.patch | 6 +- ...lative-path-for-KBUILD_SRC-from-CURD.patch | 6 +- .../z0024-Add-arm64-coreos-verity-hash.patch | 
29 ++++++ 33 files changed, 116 insertions(+), 207 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.11.8.ebuild => coreos-kernel-4.12.0.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.11.8.ebuild => coreos-modules-4.12.0.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/{amd64_defconfig-4.11 => amd64_defconfig-4.12} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/{arm64_defconfig-4.11 => arm64_defconfig-4.12} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/{commonconfig-4.11 => commonconfig-4.12} (99%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.11.8.ebuild => coreos-sources-4.12.0.ebuild} (96%) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0025-ext4-handle-the-rest-of-ext4_mb_load_buddy-ENOMEM-er.patch rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch (85%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch (91%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch (86%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch (74%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 
4.12}/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch (90%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch (89%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch (88%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch (90%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch (87%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch (87%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch (78%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch (93%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch (90%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch (79%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch (88%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch (87%) rename 
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch (83%)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch (92%)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch (91%)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0020-scsi-Lock-down-the-eata-driver.patch (93%)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch (86%)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0022-Lock-down-TIOCSSERIAL.patch (89%)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.11 => 4.12}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch (84%)
create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.0.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.8.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.0.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.0.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.8.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.0.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.11 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.12
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.11
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.12
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.11 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.12
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.11
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.12
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
index da8580bdbd..66ea0c1637 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
@@ -703,9 +703,8 @@ CONFIG_INFINIBAND_IPOIB_CM=y
 CONFIG_INFINIBAND_IPOIB_DEBUG_DATA=y
 CONFIG_INFINIBAND_SRP=m
 CONFIG_INFINIBAND_ISER=m
-CONFIG_EDAC=y
+CONFIG_EDAC=m
 # CONFIG_EDAC_LEGACY_SYSFS is not set
-CONFIG_EDAC_MM_EDAC=m
 CONFIG_RTC_CLASS=y
 CONFIG_DMADEVICES=y
 CONFIG_VIRT_DRIVERS=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index ed7438c53f..0f29bd0b5a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1 @@
-DIST linux-4.11.tar.xz 95447768 SHA256 b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6 SHA512 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3 WHIRLPOOL f577b7c5c209cb8dfef2f1d56d77314fbd53323743a34b900e2559ab0049b7c2d6262bda136dd3d005bc0527788106e0484e46558448a8720dac389a969e5886
-DIST patch-4.11.8.xz 239352 SHA256 c390540524e9647efa3752550cb04b02f47a60a5d45f26d56a07cd8a67501929 SHA512 9fed139ec4658d373ea6f25b0cc0cd9384e3bf61a05d30a523c13d8b5e673b461cf3cc8d97da2c69ca3a6c718319529f7ccfd90ca38b81d68986b7e63f2db297 WHIRLPOOL a72ef2cebcae11425c5eccb29619d5c9be99624cc48f439f30e6c4499ba7a404abc1bb768a07689ee05e9c086d16f5de0f8eb914c33d1295c0e1450dd60c154c
+DIST linux-4.12.tar.xz 99186576 SHA256 a45c3becd4d08ce411c14628a949d08e2433d8cdeca92036c7013980e93858ab SHA512 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 WHIRLPOOL 3b97da251c2ba4ace4a27b708f2b1dcf94cb1b59aaeded6acb74bd98f0d3e33f1df83670665e4186d99a55daa84c88d539d93e20f0ff18a6d46ef326c48dd375
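Review bot: The new DIST line for linux-4.12.tar.xz introduces a fresh set of SHA256/SHA512/WHIRLPOOL digests, but nothing in the hunk or the commit description says where they came from — the 96% ebuild rename in this same commit suggests a plain Manifest regeneration from whatever tarball was on disk. Since this Manifest is presumably what the fetch step checks the kernel sources against, a reviewer has to re-fetch and re-hash to trust it; a sentence in the description such as `Manifest digests regenerated from the kernel.org linux-4.12.tar.xz after verifying its PGP signature` would close that gap. Dropping the patch-4.11.8.xz entry is consistent with the 4.12.0 ebuild having no stable patch to apply.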
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.0.ebuild
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.8.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.0.ebuild
index 2296b749f7..8e306611f2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.8.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.0.ebuild
@@ -44,5 +44,4 @@ UNIPATCH_LIST="
 ${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
 ${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
 ${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
- ${PATCH_DIR}/z0025-ext4-handle-the-rest-of-ext4_mb_load_buddy-ENOMEM-er.patch \
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch
deleted file mode 100644
index 534e1f8212..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch
+++ /dev/null
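Review bot: The removal of z0025-ext4-handle-the-rest-of-ext4_mb_load_buddy-ENOMEM-er.patch from UNIPATCH_LIST is not explained anywhere; the commit description only covers the EDAC config change. The deleted patch carries a Theodore Ts'o sign-off and a Fixes: tag, so it was presumably merged upstream before 4.12, but a reviewer currently has to go and confirm that instead of reading it; a line in the description such as `Drop z0025: the ext4 ENOMEM fix is already in 4.12` would make the intent explicit. Note also that z0024-Add-arm64-coreos-verity-hash.patch is deleted under files/4.11 and created anew under files/4.12 rather than renamed like the rest of the series, so its 4.12 copy is worth diffing against the old one to confirm only the headers changed. The UNIPATCH_LIST assignment begins before this hunk.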
@@ -1,29 +0,0 @@ -From e546f8455c33b339a3b84b55f95d4fcb9fe07571 Mon Sep 17 00:00:00 2001 -From: Geoff Levand -Date: Fri, 11 Nov 2016 17:28:52 -0800 -Subject: [PATCH 24/25] Add arm64 coreos verity hash - -Signed-off-by: Geoff Levand ---- - arch/arm64/kernel/head.S | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S -index 4fb6ccd..f791d18 100644 ---- a/arch/arm64/kernel/head.S -+++ b/arch/arm64/kernel/head.S -@@ -200,6 +200,11 @@ section_table: - .short 0 // NumberOfLineNumbers (0 for executables) - .long 0xe0500020 // Characteristics (section flags) - -+ /* CoreOS 64 byte verity hash value. */ -+ .org _head + 512 -+ .ascii "verity-hash" -+ .org _head + 512 + 64 -+ - #ifdef CONFIG_DEBUG_EFI - /* - * The debug table is referenced via its Relative Virtual Address (RVA), --- -2.9.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0025-ext4-handle-the-rest-of-ext4_mb_load_buddy-ENOMEM-er.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0025-ext4-handle-the-rest-of-ext4_mb_load_buddy-ENOMEM-er.patch deleted file mode 100644 index 4599feb3bd..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0025-ext4-handle-the-rest-of-ext4_mb_load_buddy-ENOMEM-er.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 53bcfff6ac09aa20b49b67233f729f06d4eff9a8 Mon Sep 17 00:00:00 2001 -From: Konstantin Khlebnikov -Date: Sun, 21 May 2017 22:35:23 -0400 -Subject: [PATCH 25/25] ext4: handle the rest of ext4_mb_load_buddy() ENOMEM - errors - -I've got another report about breaking ext4 by ENOMEM error returned from -ext4_mb_load_buddy() caused by memory shortage in memory cgroup. -This time inside ext4_discard_preallocations(). - -This patch replaces ext4_error() with ext4_warning() where errors returned -from ext4_mb_load_buddy() are not fatal and handled by caller: -* ext4_mb_discard_group_preallocations() - called before generating ENOSPC, - we'll try to discard other group or return ENOSPC into user-space. -* ext4_trim_all_free() - just stop trimming and return ENOMEM from ioctl. - -Some callers cannot handle errors, thus __GFP_NOFAIL is used for them: -* ext4_discard_preallocations() -* ext4_mb_discard_lg_preallocations() - -Fixes: adb7ef600cc9 ("ext4: use __GFP_NOFAIL in ext4_free_blocks()") -Signed-off-by: Konstantin Khlebnikov -Signed-off-by: Theodore Ts'o ---- - fs/ext4/mballoc.c | 23 ++++++++++++++--------- - 1 file changed, 14 insertions(+), 9 deletions(-) - -diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 354dc1a..3942815 100644 ---- a/fs/ext4/mballoc.c -+++ b/fs/ext4/mballoc.c -@@ -3887,7 +3887,8 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, - - err = ext4_mb_load_buddy(sb, group, &e4b); - if (err) { -- ext4_error(sb, "Error loading buddy information for %u", group); -+ ext4_warning(sb, "Error %d loading buddy information for %u", -+ err, group); - put_bh(bitmap_bh); - return 0; - } -@@ -4044,10 +4045,11 @@ void ext4_discard_preallocations(struct inode *inode) - BUG_ON(pa->pa_type != MB_INODE_PA); - group = ext4_get_group_number(sb, pa->pa_pstart); - -- err = ext4_mb_load_buddy(sb, group, &e4b); -+ err = ext4_mb_load_buddy_gfp(sb, group, &e4b, -+ GFP_NOFS|__GFP_NOFAIL); - if (err) { -- ext4_error(sb, "Error loading buddy 
information for %u", -- group); -+ ext4_error(sb, "Error %d loading buddy information for %u", -+ err, group); - continue; - } - -@@ -4303,11 +4305,14 @@ ext4_mb_discard_lg_preallocations(struct super_block *sb, - spin_unlock(&lg->lg_prealloc_lock); - - list_for_each_entry_safe(pa, tmp, &discard_list, u.pa_tmp_list) { -+ int err; - - group = ext4_get_group_number(sb, pa->pa_pstart); -- if (ext4_mb_load_buddy(sb, group, &e4b)) { -- ext4_error(sb, "Error loading buddy information for %u", -- group); -+ err = ext4_mb_load_buddy_gfp(sb, group, &e4b, -+ GFP_NOFS|__GFP_NOFAIL); -+ if (err) { -+ ext4_error(sb, "Error %d loading buddy information for %u", -+ err, group); - continue; - } - ext4_lock_group(sb, group); -@@ -5127,8 +5132,8 @@ ext4_trim_all_free(struct super_block *sb, ext4_group_t group, - - ret = ext4_mb_load_buddy(sb, group, &e4b); - if (ret) { -- ext4_error(sb, "Error in loading buddy " -- "information for %u", group); -+ ext4_warning(sb, "Error %d loading buddy information for %u", -+ ret, group); - return ret; - } - bitmap = e4b.bd_bitmap; --- -2.9.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch index 08f9da5a17..5ae27cd028 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch 
@@ -1,7 +1,7 @@ -From 5eb64704322cfac6e12d26abe602c2e702df1312 Mon Sep 17 00:00:00 2001 +From 3f3cb677d70e6b5c77420792b9dc3c7183313b22 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit that can be passed to efi_enabled() to find out whether secure boot is @@ -18,10 +18,10 @@ Signed-off-by: David Howells 2 files changed, 2 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 4bf0c89..396285b 100644 +index f818236..3a3ef6e 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p) +@@ -1183,6 +1183,7 @@ void __init setup_arch(char **cmdline_p) pr_info("Secure boot disabled\n"); break; case efi_secureboot_mode_enabled: @@ -30,7 +30,7 @@ index 4bf0c89..396285b 100644 break; default: diff --git a/include/linux/efi.h b/include/linux/efi.h -index 94d34e0..6049600 100644 +index ec36f42..381b3f6 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *); diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch index 01dd397a83..83ba3730d6 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -1,7 +1,7 @@ -From 17572853d2658797d83a347b569970095be67666 Mon Sep 17 00:00:00 2001 +From 5d520de1931337577f000d9d082fea40e388e546 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:36:17 +0000 -Subject: [PATCH 02/25] Add the ability to lock down access to the running +Subject: [PATCH 02/24] Add the ability to lock down access to the running kernel image Provide a single call to allow kernel code to determine whether the system @@ -21,10 +21,10 @@ Signed-off-by: David Howells create mode 100644 security/lock_down.c diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 4c26dc3..b820a80 100644 +index 13bc08a..282a168 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h -@@ -275,6 +275,15 @@ extern int oops_may_print(void); +@@ -276,6 +276,15 @@ extern int oops_may_print(void); void do_exit(long error_code) __noreturn; void complete_and_exit(struct completion *, long) __noreturn; @@ -41,10 +41,10 @@ index 4c26dc3..b820a80 100644 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h -index 96899fa..5808570 100644 +index af675b5..68bab18 100644 --- a/include/linux/security.h +++ b/include/linux/security.h -@@ -1678,5 +1678,16 @@ static inline void free_secdata(void *secdata) +@@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata) { } #endif /* CONFIG_SECURITY */ @@ -62,10 +62,10 @@ index 96899fa..5808570 100644 #endif /* ! __LINUX_SECURITY_H */ 
diff --git a/security/Kconfig b/security/Kconfig -index d900f47..d9b391d 100644 +index 93027fd..4baac4a 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -193,6 +193,21 @@ config STATIC_USERMODEHELPER_PATH +@@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index 67c609e03c..cf664d7c01 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -1,7 +1,7 @@ -From 8fdc73845896fe16b1743eeee0984ce8530ede37 Mon Sep 17 00:00:00 2001 +From b60bbf065c75ec4b32387d0b2396f3d7c8402a09 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode +Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -16,10 +16,10 @@ Signed-off-by: David Howells 2 files changed, 19 insertions(+), 1 deletion(-) 
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index cc98d5a..21f3985 100644 +index 0efb4c9..4d1c53b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1817,6 +1817,18 @@ config EFI_MIXED +@@ -1827,6 +1827,18 @@ config EFI_MIXED If unsure, say N. @@ -39,7 +39,7 @@ index cc98d5a..21f3985 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 396285b..85dfa74 100644 +index 3a3ef6e..f6990c0 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -69,6 +69,7 @@ @@ -48,9 +48,9 @@ index 396285b..85dfa74 100644 #include +#include + #include #include