Merge pull request #2641 from bgilbert/4.12
sys-kernel/coreos-*: bump to v4.12
4bfb26d23e
@ -703,9 +703,8 @@ CONFIG_INFINIBAND_IPOIB_CM=y
|
||||
CONFIG_INFINIBAND_IPOIB_DEBUG_DATA=y
|
||||
CONFIG_INFINIBAND_SRP=m
|
||||
CONFIG_INFINIBAND_ISER=m
|
||||
CONFIG_EDAC=y
|
||||
CONFIG_EDAC=m
|
||||
# CONFIG_EDAC_LEGACY_SYSFS is not set
|
||||
CONFIG_EDAC_MM_EDAC=m
|
||||
CONFIG_RTC_CLASS=y
|
||||
CONFIG_DMADEVICES=y
|
||||
CONFIG_VIRT_DRIVERS=y
|
@ -1,2 +1 @@
|
||||
DIST linux-4.11.tar.xz 95447768 SHA256 b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6 SHA512 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3 WHIRLPOOL f577b7c5c209cb8dfef2f1d56d77314fbd53323743a34b900e2559ab0049b7c2d6262bda136dd3d005bc0527788106e0484e46558448a8720dac389a969e5886
|
||||
DIST patch-4.11.8.xz 239352 SHA256 c390540524e9647efa3752550cb04b02f47a60a5d45f26d56a07cd8a67501929 SHA512 9fed139ec4658d373ea6f25b0cc0cd9384e3bf61a05d30a523c13d8b5e673b461cf3cc8d97da2c69ca3a6c718319529f7ccfd90ca38b81d68986b7e63f2db297 WHIRLPOOL a72ef2cebcae11425c5eccb29619d5c9be99624cc48f439f30e6c4499ba7a404abc1bb768a07689ee05e9c086d16f5de0f8eb914c33d1295c0e1450dd60c154c
|
||||
DIST linux-4.12.tar.xz 99186576 SHA256 a45c3becd4d08ce411c14628a949d08e2433d8cdeca92036c7013980e93858ab SHA512 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 WHIRLPOOL 3b97da251c2ba4ace4a27b708f2b1dcf94cb1b59aaeded6acb74bd98f0d3e33f1df83670665e4186d99a55daa84c88d539d93e20f0ff18a6d46ef326c48dd375
|
||||
|
@ -44,5 +44,4 @@ UNIPATCH_LIST="
|
||||
${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
|
||||
${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
|
||||
${PATCH_DIR}/z0025-ext4-handle-the-rest-of-ext4_mb_load_buddy-ENOMEM-er.patch \
|
||||
"
|
@ -1,29 +0,0 @@
|
||||
From e546f8455c33b339a3b84b55f95d4fcb9fe07571 Mon Sep 17 00:00:00 2001
|
||||
From: Geoff Levand <geoff@infradead.org>
|
||||
Date: Fri, 11 Nov 2016 17:28:52 -0800
|
||||
Subject: [PATCH 24/25] Add arm64 coreos verity hash
|
||||
|
||||
Signed-off-by: Geoff Levand <geoff@infradead.org>
|
||||
---
|
||||
arch/arm64/kernel/head.S | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
|
||||
index 4fb6ccd..f791d18 100644
|
||||
--- a/arch/arm64/kernel/head.S
|
||||
+++ b/arch/arm64/kernel/head.S
|
||||
@@ -200,6 +200,11 @@ section_table:
|
||||
.short 0 // NumberOfLineNumbers (0 for executables)
|
||||
.long 0xe0500020 // Characteristics (section flags)
|
||||
|
||||
+ /* CoreOS 64 byte verity hash value. */
|
||||
+ .org _head + 512
|
||||
+ .ascii "verity-hash"
|
||||
+ .org _head + 512 + 64
|
||||
+
|
||||
#ifdef CONFIG_DEBUG_EFI
|
||||
/*
|
||||
* The debug table is referenced via its Relative Virtual Address (RVA),
|
||||
--
|
||||
2.9.4
|
||||
|
@ -1,88 +0,0 @@
|
||||
From 53bcfff6ac09aa20b49b67233f729f06d4eff9a8 Mon Sep 17 00:00:00 2001
|
||||
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
|
||||
Date: Sun, 21 May 2017 22:35:23 -0400
|
||||
Subject: [PATCH 25/25] ext4: handle the rest of ext4_mb_load_buddy() ENOMEM
|
||||
errors
|
||||
|
||||
I've got another report about breaking ext4 by ENOMEM error returned from
|
||||
ext4_mb_load_buddy() caused by memory shortage in memory cgroup.
|
||||
This time inside ext4_discard_preallocations().
|
||||
|
||||
This patch replaces ext4_error() with ext4_warning() where errors returned
|
||||
from ext4_mb_load_buddy() are not fatal and handled by caller:
|
||||
* ext4_mb_discard_group_preallocations() - called before generating ENOSPC,
|
||||
we'll try to discard other group or return ENOSPC into user-space.
|
||||
* ext4_trim_all_free() - just stop trimming and return ENOMEM from ioctl.
|
||||
|
||||
Some callers cannot handle errors, thus __GFP_NOFAIL is used for them:
|
||||
* ext4_discard_preallocations()
|
||||
* ext4_mb_discard_lg_preallocations()
|
||||
|
||||
Fixes: adb7ef600cc9 ("ext4: use __GFP_NOFAIL in ext4_free_blocks()")
|
||||
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
---
|
||||
fs/ext4/mballoc.c | 23 ++++++++++++++---------
|
||||
1 file changed, 14 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
|
||||
index 354dc1a..3942815 100644
|
||||
--- a/fs/ext4/mballoc.c
|
||||
+++ b/fs/ext4/mballoc.c
|
||||
@@ -3887,7 +3887,8 @@ ext4_mb_discard_group_preallocations(struct super_block *sb,
|
||||
|
||||
err = ext4_mb_load_buddy(sb, group, &e4b);
|
||||
if (err) {
|
||||
- ext4_error(sb, "Error loading buddy information for %u", group);
|
||||
+ ext4_warning(sb, "Error %d loading buddy information for %u",
|
||||
+ err, group);
|
||||
put_bh(bitmap_bh);
|
||||
return 0;
|
||||
}
|
||||
@@ -4044,10 +4045,11 @@ void ext4_discard_preallocations(struct inode *inode)
|
||||
BUG_ON(pa->pa_type != MB_INODE_PA);
|
||||
group = ext4_get_group_number(sb, pa->pa_pstart);
|
||||
|
||||
- err = ext4_mb_load_buddy(sb, group, &e4b);
|
||||
+ err = ext4_mb_load_buddy_gfp(sb, group, &e4b,
|
||||
+ GFP_NOFS|__GFP_NOFAIL);
|
||||
if (err) {
|
||||
- ext4_error(sb, "Error loading buddy information for %u",
|
||||
- group);
|
||||
+ ext4_error(sb, "Error %d loading buddy information for %u",
|
||||
+ err, group);
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -4303,11 +4305,14 @@ ext4_mb_discard_lg_preallocations(struct super_block *sb,
|
||||
spin_unlock(&lg->lg_prealloc_lock);
|
||||
|
||||
list_for_each_entry_safe(pa, tmp, &discard_list, u.pa_tmp_list) {
|
||||
+ int err;
|
||||
|
||||
group = ext4_get_group_number(sb, pa->pa_pstart);
|
||||
- if (ext4_mb_load_buddy(sb, group, &e4b)) {
|
||||
- ext4_error(sb, "Error loading buddy information for %u",
|
||||
- group);
|
||||
+ err = ext4_mb_load_buddy_gfp(sb, group, &e4b,
|
||||
+ GFP_NOFS|__GFP_NOFAIL);
|
||||
+ if (err) {
|
||||
+ ext4_error(sb, "Error %d loading buddy information for %u",
|
||||
+ err, group);
|
||||
continue;
|
||||
}
|
||||
ext4_lock_group(sb, group);
|
||||
@@ -5127,8 +5132,8 @@ ext4_trim_all_free(struct super_block *sb, ext4_group_t group,
|
||||
|
||||
ret = ext4_mb_load_buddy(sb, group, &e4b);
|
||||
if (ret) {
|
||||
- ext4_error(sb, "Error in loading buddy "
|
||||
- "information for %u", group);
|
||||
+ ext4_warning(sb, "Error %d loading buddy information for %u",
|
||||
+ ret, group);
|
||||
return ret;
|
||||
}
|
||||
bitmap = e4b.bd_bitmap;
|
||||
--
|
||||
2.9.4
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 5eb64704322cfac6e12d26abe602c2e702df1312 Mon Sep 17 00:00:00 2001
|
||||
From 3f3cb677d70e6b5c77420792b9dc3c7183313b22 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
|
||||
Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
that can be passed to efi_enabled() to find out whether secure boot is
|
||||
@ -18,10 +18,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 4bf0c89..396285b 100644
|
||||
index f818236..3a3ef6e 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p)
|
||||
@@ -1183,6 +1183,7 @@ void __init setup_arch(char **cmdline_p)
|
||||
pr_info("Secure boot disabled\n");
|
||||
break;
|
||||
case efi_secureboot_mode_enabled:
|
||||
@ -30,7 +30,7 @@ index 4bf0c89..396285b 100644
|
||||
break;
|
||||
default:
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 94d34e0..6049600 100644
|
||||
index ec36f42..381b3f6 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
@ -1,7 +1,7 @@
|
||||
From 17572853d2658797d83a347b569970095be67666 Mon Sep 17 00:00:00 2001
|
||||
From 5d520de1931337577f000d9d082fea40e388e546 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:36:17 +0000
|
||||
Subject: [PATCH 02/25] Add the ability to lock down access to the running
|
||||
Subject: [PATCH 02/24] Add the ability to lock down access to the running
|
||||
kernel image
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
@ -21,10 +21,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
create mode 100644 security/lock_down.c
|
||||
|
||||
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
|
||||
index 4c26dc3..b820a80 100644
|
||||
index 13bc08a..282a168 100644
|
||||
--- a/include/linux/kernel.h
|
||||
+++ b/include/linux/kernel.h
|
||||
@@ -275,6 +275,15 @@ extern int oops_may_print(void);
|
||||
@@ -276,6 +276,15 @@ extern int oops_may_print(void);
|
||||
void do_exit(long error_code) __noreturn;
|
||||
void complete_and_exit(struct completion *, long) __noreturn;
|
||||
|
||||
@ -41,10 +41,10 @@ index 4c26dc3..b820a80 100644
|
||||
int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
|
||||
int __must_check _kstrtol(const char *s, unsigned int base, long *res);
|
||||
diff --git a/include/linux/security.h b/include/linux/security.h
|
||||
index 96899fa..5808570 100644
|
||||
index af675b5..68bab18 100644
|
||||
--- a/include/linux/security.h
|
||||
+++ b/include/linux/security.h
|
||||
@@ -1678,5 +1678,16 @@ static inline void free_secdata(void *secdata)
|
||||
@@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata)
|
||||
{ }
|
||||
#endif /* CONFIG_SECURITY */
|
||||
|
||||
@ -62,10 +62,10 @@ index 96899fa..5808570 100644
|
||||
#endif /* ! __LINUX_SECURITY_H */
|
||||
|
||||
diff --git a/security/Kconfig b/security/Kconfig
|
||||
index d900f47..d9b391d 100644
|
||||
index 93027fd..4baac4a 100644
|
||||
--- a/security/Kconfig
|
||||
+++ b/security/Kconfig
|
||||
@@ -193,6 +193,21 @@ config STATIC_USERMODEHELPER_PATH
|
||||
@@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH
|
||||
If you wish for all usermode helper programs to be disabled,
|
||||
specify an empty string here (i.e. "").
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 8fdc73845896fe16b1743eeee0984ce8530ede37 Mon Sep 17 00:00:00 2001
|
||||
From b60bbf065c75ec4b32387d0b2396f3d7c8402a09 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
|
||||
Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
@ -16,10 +16,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
2 files changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index cc98d5a..21f3985 100644
|
||||
index 0efb4c9..4d1c53b 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1817,6 +1817,18 @@ config EFI_MIXED
|
||||
@@ -1827,6 +1827,18 @@ config EFI_MIXED
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
@ -39,7 +39,7 @@ index cc98d5a..21f3985 100644
|
||||
def_bool y
|
||||
prompt "Enable seccomp to safely compute untrusted bytecode"
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 396285b..85dfa74 100644
|
||||
index 3a3ef6e..f6990c0 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -69,6 +69,7 @@
|
||||
@ -48,9 +48,9 @@ index 396285b..85dfa74 100644
|
||||
#include <linux/jiffies.h>
|
||||
+#include <linux/security.h>
|
||||
|
||||
#include <linux/usb/xhci-dbgp.h>
|
||||
#include <video/edid.h>
|
||||
|
||||
@@ -1185,7 +1186,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
@@ -1184,7 +1185,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
break;
|
||||
case efi_secureboot_mode_enabled:
|
||||
set_bit(EFI_SECURE_BOOT, &efi.flags);
|
@ -1,7 +1,7 @@
|
||||
From b952ea662bd2b88a712706bad504826fb5e47f00 Mon Sep 17 00:00:00 2001
|
||||
From 47f98c1c46069b98debb6e46b4da67a385d172b1 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 23 Nov 2016 13:22:22 +0000
|
||||
Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
|
||||
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
|
||||
|
||||
If the kernel is locked down, require that all modules have valid
|
||||
signatures that we can verify.
|
||||
@ -12,10 +12,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 7eba6de..3331f2e 100644
|
||||
index 4a3665f..3f1de34 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -2756,7 +2756,7 @@ static int module_sig_check(struct load_info *info, int flags)
|
||||
@@ -2777,7 +2777,7 @@ static int module_sig_check(struct load_info *info, int flags)
|
||||
}
|
||||
|
||||
/* Not having a signature is only an error if we're strict. */
|
@ -1,7 +1,7 @@
|
||||
From ae791b7f235c63639fe7756bd779e646c2492c7a Mon Sep 17 00:00:00 2001
|
||||
From 46e0cb8ba4a7647882b604bb58f86bc310d1c2b2 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
locked down
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel to
|
@ -1,7 +1,7 @@
|
||||
From a9a6794e3d50a2bc3bf638e2a7e151e1483a87a0 Mon Sep 17 00:00:00 2001
|
||||
From 5aa43af8a55eae13963a0b20b8369de49fa99590 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
|
||||
Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
is something that lock-down is meant to prevent. It makes sense to disable
|
@ -1,7 +1,7 @@
|
||||
From 8659ee3435108bf03df0b1a0155720f051ceabaa Mon Sep 17 00:00:00 2001
|
||||
From acdcb4a8e2b0644fbd87eb0209ba3d1b3cfbf915 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Young <dyoung@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
|
||||
Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
|
||||
reboot
|
||||
|
||||
Kexec reboot in case secure boot being enabled does not keep the secure
|
||||
@ -22,7 +22,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
|
||||
index d0a814a..3551bca 100644
|
||||
index 9d7fd5e..7e6f00a 100644
|
||||
--- a/arch/x86/kernel/kexec-bzimage64.c
|
||||
+++ b/arch/x86/kernel/kexec-bzimage64.c
|
||||
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
|
@ -1,7 +1,7 @@
|
||||
From 147b43aeaffaec0a0809314bbfe7afa7bfce9fef Mon Sep 17 00:00:00 2001
|
||||
From 5d6c3356ce40c4cf0994b5d02324bd7db356e2a3 Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:49:19 +0000
|
||||
Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
|
||||
Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
|
||||
set
|
||||
|
||||
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
|
@ -1,7 +1,7 @@
|
||||
From 639fe1050f8f7ac809d6429023b9e135aa1408a8 Mon Sep 17 00:00:00 2001
|
||||
From 8e84b9fb024820a587273a1ddd35e6ba7b1c605b Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
|
||||
Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
@ -1,7 +1,7 @@
|
||||
From 0cf20c96adc7e09d5a7155153d274ed60fd8f323 Mon Sep 17 00:00:00 2001
|
||||
From 320e7ee93cc1f51f1995e20e9ec43b748a0c87b1 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Date: Wed, 23 Nov 2016 13:28:17 +0000
|
||||
Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
|
||||
Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
|
||||
|
||||
uswsusp allows a user process to dump and then restore kernel state, which
|
||||
makes it possible to modify the running kernel. Disable this if the kernel
|
@ -1,7 +1,7 @@
|
||||
From 83624e2a7733314685e2722586e27830b482abd3 Mon Sep 17 00:00:00 2001
|
||||
From a9c564104ea9fa19437d581330c558e6f9c9ca6c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
|
||||
Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
|
||||
down
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down in
|
||||
@ -19,10 +19,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
3 files changed, 17 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
|
||||
index 7ac258f..7d29b03 100644
|
||||
index 31e9961..5595560 100644
|
||||
--- a/drivers/pci/pci-sysfs.c
|
||||
+++ b/drivers/pci/pci-sysfs.c
|
||||
@@ -727,6 +727,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
|
||||
@@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
|
||||
loff_t init_off = off;
|
||||
u8 *data = (u8 *) buf;
|
||||
|
||||
@ -32,17 +32,17 @@ index 7ac258f..7d29b03 100644
|
||||
if (off > dev->cfg_size)
|
||||
return 0;
|
||||
if (off + count > dev->cfg_size) {
|
||||
@@ -1022,6 +1025,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
|
||||
resource_size_t start, end;
|
||||
int i;
|
||||
@@ -1048,6 +1051,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
|
||||
enum pci_mmap_state mmap_type;
|
||||
struct resource *res = &pdev->resource[bar];
|
||||
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
for (i = 0; i < PCI_ROM_RESOURCE; i++)
|
||||
if (res == &pdev->resource[i])
|
||||
break;
|
||||
@@ -1121,6 +1127,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
|
||||
if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
|
||||
return -EINVAL;
|
||||
|
||||
@@ -1131,6 +1137,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
|
||||
struct bin_attribute *attr, char *buf,
|
||||
loff_t off, size_t count)
|
||||
{
|
||||
@ -53,7 +53,7 @@ index 7ac258f..7d29b03 100644
|
||||
}
|
||||
|
||||
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
|
||||
index dc8912e..e2c5eff 100644
|
||||
index 098360d..ef16fcc 100644
|
||||
--- a/drivers/pci/proc.c
|
||||
+++ b/drivers/pci/proc.c
|
||||
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
|
||||
@ -76,15 +76,15 @@ index dc8912e..e2c5eff 100644
|
||||
switch (cmd) {
|
||||
case PCIIOC_CONTROLLER:
|
||||
ret = pci_domain_nr(dev->bus);
|
||||
@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
|
||||
@@ -236,7 +242,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
|
||||
struct pci_filp_private *fpriv = file->private_data;
|
||||
int i, ret, write_combine = 0, res_bit;
|
||||
int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
|
||||
|
||||
- if (!capable(CAP_SYS_RAWIO))
|
||||
+ if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
|
||||
return -EPERM;
|
||||
|
||||
if (fpriv->mmap_state == pci_mmap_io)
|
||||
if (fpriv->mmap_state == pci_mmap_io) {
|
||||
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
|
||||
index 9bf993e..c095247 100644
|
||||
--- a/drivers/pci/syscall.c
|
@ -1,7 +1,7 @@
|
||||
From 44aae071f73313b7c3b8e62955d82a7130dac637 Mon Sep 17 00:00:00 2001
|
||||
From 71dd9dbf442d3d92005817b59c3814deb7ddcc88 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
|
||||
Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
|
||||
down
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
@ -1,7 +1,7 @@
|
||||
From 7a5fcee2005bf31f04fee37f7f99b72633631261 Mon Sep 17 00:00:00 2001
|
||||
From 582efb243bbb08cadab48c6242c167dbfc23acbe Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:17 +0000
|
||||
Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
|
||||
Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
|
||||
|
||||
Writing to MSRs should not be allowed if the kernel is locked down, since
|
||||
it could lead to execution of arbitrary code in kernel mode. Based on a
|
@ -1,7 +1,7 @@
|
||||
From 375f4e4c2885875f901bd1d773fcbd1387b4d891 Mon Sep 17 00:00:00 2001
|
||||
From 94967b682db14cb61ae864be6981159b87b4aac5 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
locked down
|
||||
|
||||
We have no way of validating what all of the Asus WMI methods do on a given
|
||||
@ -17,10 +17,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
|
||||
index 8fe5890..feef250 100644
|
||||
index 6c7d860..57b82cb 100644
|
||||
--- a/drivers/platform/x86/asus-wmi.c
|
||||
+++ b/drivers/platform/x86/asus-wmi.c
|
||||
@@ -1900,6 +1900,9 @@ static int show_dsts(struct seq_file *m, void *data)
|
||||
@@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
@ -30,7 +30,7 @@ index 8fe5890..feef250 100644
|
||||
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
|
||||
|
||||
if (err < 0)
|
||||
@@ -1916,6 +1919,9 @@ static int show_devs(struct seq_file *m, void *data)
|
||||
@@ -1921,6 +1924,9 @@ static int show_devs(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
@ -40,7 +40,7 @@ index 8fe5890..feef250 100644
|
||||
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
|
||||
&retval);
|
||||
|
||||
@@ -1940,6 +1946,9 @@ static int show_call(struct seq_file *m, void *data)
|
||||
@@ -1945,6 +1951,9 @@ static int show_call(struct seq_file *m, void *data)
|
||||
union acpi_object *obj;
|
||||
acpi_status status;
|
||||
|
@ -1,7 +1,7 @@
|
||||
From d58cf0867fb90f8705b2517446f46acd040b811b Mon Sep 17 00:00:00 2001
|
||||
From 45b4d28d45f07af2c75d9364ccb5f60f871dc4f6 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
|
||||
Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
|
||||
locked down
|
||||
|
||||
custom_method effectively allows arbitrary access to system memory, making
|
@ -1,7 +1,7 @@
|
||||
From 384fb2a457962ce0929750a3ac1ba024b8e0d98c Mon Sep 17 00:00:00 2001
|
||||
From b5defb2cf61590316c053f540f505006749c9984 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
been locked down
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
@ -1,7 +1,7 @@
|
||||
From 23dfa5b9a48b4fa6e563eebaa7be8d077251a98b Mon Sep 17 00:00:00 2001
|
||||
From 39645f967ccec01a3fc9b5385581ad49f89d29b5 Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:32:27 +0000
|
||||
Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
|
||||
Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
|
||||
locked down
|
||||
|
||||
From the kernel documentation (initrd_table_override.txt):
|
||||
@ -21,10 +21,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
|
||||
index 2604189..601096d 100644
|
||||
index ff42539..c72bfa9 100644
|
||||
--- a/drivers/acpi/tables.c
|
||||
+++ b/drivers/acpi/tables.c
|
||||
@@ -542,6 +542,11 @@ void __init acpi_table_upgrade(void)
|
||||
@@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
|
||||
if (table_nr == 0)
|
||||
return;
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 518e8705e6343a43074ef9ef7f3a62cf4d1525d4 Mon Sep 17 00:00:00 2001
|
||||
From 01ec365f7bc1250419041321f346d6a916e05263 Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:39:41 +0000
|
||||
Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
|
||||
Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
|
||||
locked down
|
||||
|
||||
ACPI provides an error injection mechanism, EINJ, for debugging and testing
|
@ -1,7 +1,7 @@
|
||||
From 5fd3f4124512e23197efa6bcbca4b41f513f045b Mon Sep 17 00:00:00 2001
|
||||
From fae701c2fca54509ddfb85da2ac7cc14a4c2011e Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <jlee@suse.com>
|
||||
Date: Wed, 23 Nov 2016 13:52:16 +0000
|
||||
Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
|
||||
Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
|
||||
kernel is locked down
|
||||
|
||||
There are some bpf functions can be used to read kernel memory:
|
||||
@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
|
||||
index cee9802..7fde851 100644
|
||||
index 460a031..58eb33d 100644
|
||||
--- a/kernel/trace/bpf_trace.c
|
||||
+++ b/kernel/trace/bpf_trace.c
|
||||
@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
|
@ -1,7 +1,7 @@
|
||||
From c6cf9a02898f6b70f35c6436d04b9d151fc1b5d7 Mon Sep 17 00:00:00 2001
|
||||
From 83e910f07e8cb747a1d676d86a16b983c53535d9 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 10:10:34 +0000
|
||||
Subject: [PATCH 20/25] scsi: Lock down the eata driver
|
||||
Subject: [PATCH 20/24] scsi: Lock down the eata driver
|
||||
|
||||
When the kernel is running in secure boot mode, we lock down the kernel to
|
||||
prevent userspace from modifying the running kernel image. Whilst this
|
@ -1,7 +1,7 @@
|
||||
From ae40d25c6273aee1875301ead7918aed44242342 Mon Sep 17 00:00:00 2001
|
||||
From 6bc5732f932207cdfe3e9c70ac6d43367f0c5c4b Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 25 Nov 2016 14:37:45 +0000
|
||||
Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
down
|
||||
|
||||
Prohibit replacement of the PCMCIA Card Information Structure when the
|
@ -1,7 +1,7 @@
|
||||
From 1c7e0fcdc01d7d0c6e8002b82f913eea786f045a Mon Sep 17 00:00:00 2001
|
||||
From 819850ca18442e75bfb9c9d01efd10622f950aad Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 7 Dec 2016 10:28:39 +0000
|
||||
Subject: [PATCH 22/25] Lock down TIOCSSERIAL
|
||||
Subject: [PATCH 22/24] Lock down TIOCSSERIAL
|
||||
|
||||
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
|
||||
settings on a serial port. This only appears to be an issue for the serial
|
||||
@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
|
||||
index 7f91394..ea9944d 100644
|
||||
index 13bfd5d..45fb768 100644
|
||||
--- a/drivers/tty/serial/serial_core.c
|
||||
+++ b/drivers/tty/serial/serial_core.c
|
||||
@@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
|
@ -1,7 +1,7 @@
|
||||
From 95fabc958dfc9e39bea8e9cad7c065e0382ae00f Mon Sep 17 00:00:00 2001
|
||||
From 56ec4aaa02d21637344b102d88ae817486dcdb41 Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
|
||||
This enables relocating source and build trees to different roots,
|
||||
provided they stay reachable relative to one another. Useful for
|
||||
@ -12,7 +12,7 @@ by some undesirable path component.
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 8c5c94c..8c63105 100644
|
||||
index 283c623..aacf9cc 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
|
@ -0,0 +1,29 @@
|
||||
From 23fe6061c449fc088d6272c284a66817ccf59d96 Mon Sep 17 00:00:00 2001
|
||||
From: Geoff Levand <geoff@infradead.org>
|
||||
Date: Fri, 11 Nov 2016 17:28:52 -0800
|
||||
Subject: [PATCH 24/24] Add arm64 coreos verity hash
|
||||
|
||||
Signed-off-by: Geoff Levand <geoff@infradead.org>
|
||||
---
|
||||
arch/arm64/kernel/efi-header.S | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S
|
||||
index 613fc30..fdaf86c 100644
|
||||
--- a/arch/arm64/kernel/efi-header.S
|
||||
+++ b/arch/arm64/kernel/efi-header.S
|
||||
@@ -103,6 +103,11 @@ section_table:
|
||||
|
||||
.set section_count, (. - section_table) / 40
|
||||
|
||||
+ /* CoreOS 64 byte verity hash value. */
|
||||
+ .org _head + 512
|
||||
+ .ascii "verity-hash"
|
||||
+ .org _head + 512 + 64
|
||||
+
|
||||
#ifdef CONFIG_DEBUG_EFI
|
||||
/*
|
||||
* The debug table is referenced via its Relative Virtual Address (RVA),
|
||||
--
|
||||
2.9.4
|
||||
|
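Review bot: The `.org _head + 512` / `.org _head + 512 + 64` pair in the efi-header.S hunk hard-codes an offset-and-length contract (64 bytes starting at image byte 512) that whatever later overwrites the placeholder must agree with, but the comment on the line above only says "CoreOS 64 byte verity hash value." and does not state that contract. I would extend it to something like `/* CoreOS verity hash placeholder: 64 bytes at image offset 512; the "verity-hash" marker is replaced after build (confirm against the image tooling), and the offset must stay in sync with it. */`. The directive also sits after `section_table` and `.set section_count`, so it relies on the PE section table ending at or before offset 512; if a future kernel adds sections, the assembler should reject the backward `.org` rather than silently overlap, which is worth noting in the same comment so the failure is understood when it happens. The 11-byte `.ascii "verity-hash"` marker leaves the rest of the 64-byte window as padding up to the second `.org`, which the comment could also say explicitly.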