Enable kernel lockdowns in Secure Boot environments

Secure Boot is easy to work around unless the kernel restricts
userspace's ability to modify the kernel. Add kernel patches from Fedora
that do this.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.7-r2.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION="-r1"
+COREOS_SOURCE_REVISION="-r2"
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.0

@@ -936,3 +936,4 @@ CONFIG_KVM_AMD=m
 # CONFIG_XZ_DEC_ARM is not set
 # CONFIG_XZ_DEC_ARMTHUMB is not set
 # CONFIG_XZ_DEC_SPARC is not set
+CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.0.7-r1.ebuild

@@ -1,14 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.0.7-r2.ebuild

@@ -0,0 +1,28 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+UNIPATCH_LIST="${FILESDIR}/01-Add-secure_modules-call.patch \
+${FILESDIR}/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+${FILESDIR}/03-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+${FILESDIR}/04-ACPI-Limit-access-to-custom_method.patch \
+${FILESDIR}/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+${FILESDIR}/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+${FILESDIR}/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+${FILESDIR}/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+${FILESDIR}/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+${FILESDIR}/10-Add-option-to-automatically-enforce-module-signature.patch \
+${FILESDIR}/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+${FILESDIR}/13-efi-Add-EFI_SECURE_BOOT-bit.patch \
+${FILESDIR}/14-hibernate-Disable-in-a-signed-modules-environment.patch"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/01-Add-secure_modules-call.patch

@@ -0,0 +1,60 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Aug 2013 17:58:15 -0400
+Subject: [PATCH] Add secure_modules() call
+
+Provide a single call to allow kernel code to determine whether the system
+has been configured to either disable module loading entirely or to load
+only modules signed with a trusted key.
+
+Bugzilla: N/A
+Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ include/linux/module.h |  7 +++++++
+ kernel/module.c        | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/include/linux/module.h b/include/linux/module.h
+index b03485bcb82a..b033dab5c8bf 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -506,6 +506,8 @@ int unregister_module_notifier(struct notifier_block *nb);
+ 
+ extern void print_modules(void);
+ 
++extern bool secure_modules(void);
++
+ #else /* !CONFIG_MODULES... */
+ 
+ /* Given an address, look for it in the exception tables. */
+@@ -616,6 +618,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
+ static inline void print_modules(void)
+ {
+ }
++
++static inline bool secure_modules(void)
++{
++	return false;
++}
+ #endif /* CONFIG_MODULES */
+ 
+ #ifdef CONFIG_SYSFS
+diff --git a/kernel/module.c b/kernel/module.c
+index 538794ce3cc7..f3489ef9e409 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3911,3 +3911,13 @@ void module_layout(struct module *mod,
+ }
+ EXPORT_SYMBOL(module_layout);
+ #endif
++
++bool secure_modules(void)
++{
++#ifdef CONFIG_MODULE_SIG
++	return (sig_enforce || modules_disabled);
++#else
++	return modules_disabled;
++#endif
++}
++EXPORT_SYMBOL(secure_modules);

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -0,0 +1,113 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Thu, 8 Mar 2012 10:10:38 -0500
+Subject: [PATCH] PCI: Lock down BAR access when module security is enabled
+
+Any hardware that can potentially generate DMA has to be locked down from
+userspace in order to avoid it being possible for an attacker to modify
+kernel code, allowing them to circumvent disabled module loading or module
+signing. Default to paranoid - in future we can potentially relax this for
+sufficiently IOMMU-isolated devices.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/pci/pci-sysfs.c | 10 ++++++++++
+ drivers/pci/proc.c      |  8 +++++++-
+ drivers/pci/syscall.c   |  3 ++-
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index 312f23a8429c..93e6ac103dd0 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -30,6 +30,7 @@
+ #include <linux/vgaarb.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/of.h>
++#include <linux/module.h>
+ #include "pci.h"
+ 
+ static int sysfs_initialized;	/* = 0 */
+@@ -710,6 +711,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
+ 	loff_t init_off = off;
+ 	u8 *data = (u8 *) buf;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	if (off > dev->cfg_size)
+ 		return 0;
+ 	if (off + count > dev->cfg_size) {
+@@ -1004,6 +1008,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+ 	resource_size_t start, end;
+ 	int i;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
+ 		if (res == &pdev->resource[i])
+ 			break;
+@@ -1105,6 +1112,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
+ 				     struct bin_attribute *attr, char *buf,
+ 				     loff_t off, size_t count)
+ {
++	if (secure_modules())
++		return -EPERM;
++
+ 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
+ }
+ 
+diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
+index 3f155e78513f..4265ea07e3b0 100644
+--- a/drivers/pci/proc.c
++++ b/drivers/pci/proc.c
+@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
+ 	int size = dev->cfg_size;
+ 	int cnt;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	if (pos >= size)
+ 		return 0;
+ 	if (nbytes >= size)
+@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
+ #endif /* HAVE_PCI_MMAP */
+ 	int ret = 0;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	switch (cmd) {
+ 	case PCIIOC_CONTROLLER:
+ 		ret = pci_domain_nr(dev->bus);
+@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
+ 	struct pci_filp_private *fpriv = file->private_data;
+ 	int i, ret;
+ 
+-	if (!capable(CAP_SYS_RAWIO))
++	if (!capable(CAP_SYS_RAWIO) || secure_modules())
+ 		return -EPERM;
+ 
+ 	/* Make sure the caller is mapping a real resource for this device */
+diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
+index b91c4da68365..98f5637304d1 100644
+--- a/drivers/pci/syscall.c
++++ b/drivers/pci/syscall.c
+@@ -10,6 +10,7 @@
+ #include <linux/errno.h>
+ #include <linux/pci.h>
+ #include <linux/syscalls.h>
++#include <linux/module.h>
+ #include <asm/uaccess.h>
+ #include "pci.h"
+ 
+@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+ 	u32 dword;
+ 	int err = 0;
+ 
+-	if (!capable(CAP_SYS_ADMIN))
++	if (!capable(CAP_SYS_ADMIN) || secure_modules())
+ 		return -EPERM;
+ 
+ 	dev = pci_get_bus_and_slot(bus, dfn);

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/03-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -0,0 +1,67 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Thu, 8 Mar 2012 10:35:59 -0500
+Subject: [PATCH] x86: Lock down IO port access when module security is enabled
+
+IO port access would permit users to gain access to PCI configuration
+registers, which in turn (on a lot of hardware) give access to MMIO register
+space. This would potentially permit root to trigger arbitrary DMA, so lock
+it down by default.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ arch/x86/kernel/ioport.c | 5 +++--
+ drivers/char/mem.c       | 4 ++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 4ddaf66ea35f..00b440307419 100644
+--- a/arch/x86/kernel/ioport.c
++++ b/arch/x86/kernel/ioport.c
+@@ -15,6 +15,7 @@
+ #include <linux/thread_info.h>
+ #include <linux/syscalls.h>
+ #include <linux/bitmap.h>
++#include <linux/module.h>
+ #include <asm/syscalls.h>
+ 
+ /*
+@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+ 
+ 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ 		return -EINVAL;
+-	if (turn_on && !capable(CAP_SYS_RAWIO))
++	if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
+ 		return -EPERM;
+ 
+ 	/*
+@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
+ 		return -EINVAL;
+ 	/* Trying to gain more privileges? */
+ 	if (level > old) {
+-		if (!capable(CAP_SYS_RAWIO))
++		if (!capable(CAP_SYS_RAWIO) || secure_modules())
+ 			return -EPERM;
+ 	}
+ 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 297110c12635..efe38c1bc234 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -27,6 +27,7 @@
+ #include <linux/export.h>
+ #include <linux/io.h>
+ #include <linux/aio.h>
++#include <linux/module.h>
+ 
+ #include <linux/uaccess.h>
+ 
+@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+ 	unsigned long i = *ppos;
+ 	const char __user *tmp = buf;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	if (!access_ok(VERIFY_READ, buf, count))
+ 		return -EFAULT;
+ 	while (count-- > 0 && i < 65536) {

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/04-ACPI-Limit-access-to-custom_method.patch

@@ -0,0 +1,27 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Mar 2012 08:39:37 -0500
+Subject: [PATCH] ACPI: Limit access to custom_method
+
+custom_method effectively allows arbitrary access to system memory, making
+it possible for an attacker to circumvent restrictions on module loading.
+Disable it if any such restrictions have been enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/acpi/custom_method.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
+index c68e72414a67..4277938af700 100644
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
+ 	struct acpi_table_header table;
+ 	acpi_status status;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	if (!(*ppos)) {
+ 		/* parse the table header to get the table length */
+ 		if (count <= sizeof(struct acpi_table_header))

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -0,0 +1,50 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Mar 2012 08:46:50 -0500
+Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is
+ restricted
+
+We have no way of validating what all of the Asus WMI methods do on a
+given machine, and there's a risk that some will allow hardware state to
+be manipulated in such a way that arbitrary code can be executed in the
+kernel, circumventing module loading restrictions. Prevent that if any of
+these features are enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/platform/x86/asus-wmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 7543a56e0f45..93b5a6998371 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -1589,6 +1589,9 @@ static int show_dsts(struct seq_file *m, void *data)
+ 	int err;
+ 	u32 retval = -1;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
+ 
+ 	if (err < 0)
+@@ -1605,6 +1608,9 @@ static int show_devs(struct seq_file *m, void *data)
+ 	int err;
+ 	u32 retval = -1;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
+ 				    &retval);
+ 
+@@ -1629,6 +1635,9 @@ static int show_call(struct seq_file *m, void *data)
+ 	union acpi_object *obj;
+ 	acpi_status status;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
+ 				     1, asus->debug.method_id,
+ 				     &input, &output);

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -0,0 +1,38 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Mar 2012 09:28:15 -0500
+Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is
+ restricted
+
+Allowing users to write to address space makes it possible for the kernel
+to be subverted, avoiding module loading restrictions. Prevent this when
+any restrictions have been imposed on loading modules.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/char/mem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index efe38c1bc234..16b8af1188e1 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+ 	if (p != *ppos)
+ 		return -EFBIG;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	if (!valid_phys_addr_range(p, count))
+ 		return -EFAULT;
+ 
+@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+ 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+ 	int err = 0;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	if (p < (unsigned long) high_memory) {
+ 		unsigned long to_write = min_t(unsigned long, count,
+ 					       (unsigned long)high_memory - p);

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -0,0 +1,35 @@
+From: Josh Boyer <jwboyer@redhat.com>
+Date: Mon, 25 Jun 2012 19:57:30 -0400
+Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading
+ is restricted
+
+This option allows userspace to pass the RSDP address to the kernel, which
+makes it possible for a user to circumvent any restrictions imposed on
+loading modules. Disable it in that case.
+
+Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+---
+ drivers/acpi/osl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
+index 5aa1f6e281d2..58ae459937a4 100644
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -44,6 +44,7 @@
+ #include <linux/list.h>
+ #include <linux/jiffies.h>
+ #include <linux/semaphore.h>
++#include <linux/module.h>
+ 
+ #include <asm/io.h>
+ #include <asm/uaccess.h>
+@@ -252,7 +253,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+ acpi_physical_address __init acpi_os_get_root_pointer(void)
+ {
+ #ifdef CONFIG_KEXEC
+-	if (acpi_rsdp)
++	if (acpi_rsdp && !secure_modules())
+ 		return acpi_rsdp;
+ #endif
+ 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -0,0 +1,40 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Aug 2013 03:33:56 -0400
+Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
+ loading restrictions
+
+kexec permits the loading and execution of arbitrary code in ring 0, which
+is something that module signing enforcement is meant to prevent. It makes
+sense to disable kexec in this situation.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ kernel/kexec.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 38c25b1f2fd5..f2b5272156ce 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -36,6 +36,7 @@
+ #include <linux/syscore_ops.h>
+ #include <linux/compiler.h>
+ #include <linux/hugetlb.h>
++#include <linux/module.h>
+ 
+ #include <asm/page.h>
+ #include <asm/uaccess.h>
+@@ -1247,6 +1248,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+ 		return -EPERM;
+ 
+ 	/*
++	 * kexec can be used to circumvent module loading restrictions, so
++	 * prevent loading in that case
++	 */
++	if (secure_modules())
++		return -EPERM;
++
++	/*
+ 	 * Verify we have a legal set of flags
+ 	 * This leaves us room for future extensions.
+ 	 */

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -0,0 +1,39 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 8 Feb 2013 11:12:13 -0800
+Subject: [PATCH] x86: Restrict MSR access when module loading is restricted
+
+Writing to MSRs should not be allowed if module loading is restricted,
+since it could lead to execution of arbitrary code in kernel mode. Based
+on a patch by Kees Cook.
+
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ arch/x86/kernel/msr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 113e70784854..26c2f83fc470 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+ 	int err = 0;
+ 	ssize_t bytes = 0;
+ 
++	if (secure_modules())
++		return -EPERM;
++
+ 	if (count % 8)
+ 		return -EINVAL;	/* Invalid chunk size */
+ 
+@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+ 			err = -EBADF;
+ 			break;
+ 		}
++		if (secure_modules()) {
++			err = -EPERM;
++			break;
++		}
+ 		if (copy_from_user(&regs, uregs, sizeof regs)) {
+ 			err = -EFAULT;
+ 			break;

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/10-Add-option-to-automatically-enforce-module-signature.patch

@@ -0,0 +1,182 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Fri, 9 Aug 2013 18:36:30 -0400
+Subject: [PATCH] Add option to automatically enforce module signatures when in
+ Secure Boot mode
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+only load signed bootloaders and kernels. Certain use cases may also
+require that all kernel modules also be signed. Add a configuration option
+that enforces this automatically when enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ Documentation/x86/zero-page.txt       |  2 ++
+ arch/x86/Kconfig                      | 10 ++++++++++
+ arch/x86/boot/compressed/eboot.c      | 36 +++++++++++++++++++++++++++++++++++
+ arch/x86/include/uapi/asm/bootparam.h |  3 ++-
+ arch/x86/kernel/setup.c               |  6 ++++++
+ include/linux/module.h                |  6 ++++++
+ kernel/module.c                       |  7 +++++++
+ 7 files changed, 69 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
+index 82fbdbc1e0b0..a811210ad486 100644
+--- a/Documentation/x86/zero-page.txt
++++ b/Documentation/x86/zero-page.txt
+@@ -30,6 +30,8 @@ Offset	Proto	Name		Meaning
+ 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
+ 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
+ 				(below)
++1EB/001	ALL     kbd_status      Numlock is enabled
++1EC/001	ALL     secure_boot	Secure boot is enabled in the firmware
+ 1EF/001	ALL	sentinel	Used to detect broken bootloaders
+ 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
+ 2D0/A00	ALL	e820_map	E820 memory map table
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index b7d31ca55187..ab403a636357 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1695,6 +1695,16 @@ config EFI_MIXED
+ 
+ 	   If unsure, say N.
+ 
++config EFI_SECURE_BOOT_SIG_ENFORCE
++        def_bool n
++	prompt "Force module signing when UEFI Secure Boot is enabled"
++	---help---
++	  UEFI Secure Boot provides a mechanism for ensuring that the
++	  firmware will only load signed bootloaders and kernels. Certain
++	  use cases may also require that all kernel modules also be signed.
++	  Say Y here to automatically enable module signature enforcement
++	  when a system boots with UEFI Secure Boot enabled.
++
+ config SECCOMP
+ 	def_bool y
+ 	prompt "Enable seccomp to safely compute untrusted bytecode"
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index ef17683484e9..105e7360d747 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -12,6 +12,7 @@
+ #include <asm/efi.h>
+ #include <asm/setup.h>
+ #include <asm/desc.h>
++#include <asm/bootparam_utils.h>
+ 
+ #include "../string.h"
+ #include "eboot.h"
+@@ -827,6 +828,37 @@ out:
+ 	return status;
+ }
+ 
++static int get_secure_boot(void)
++{
++	u8 sb, setup;
++	unsigned long datasize = sizeof(sb);
++	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
++	efi_status_t status;
++
++	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
++				L"SecureBoot", &var_guid, NULL, &datasize, &sb);
++
++	if (status != EFI_SUCCESS)
++		return 0;
++
++	if (sb == 0)
++		return 0;
++
++
++	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
++				L"SetupMode", &var_guid, NULL, &datasize,
++				&setup);
++
++	if (status != EFI_SUCCESS)
++		return 0;
++
++	if (setup == 1)
++		return 0;
++
++	return 1;
++}
++
++
+ /*
+  * See if we have Graphics Output Protocol
+  */
+@@ -1406,6 +1438,10 @@ struct boot_params *efi_main(struct efi_config *c,
+ 	else
+ 		setup_boot_services32(efi_early);
+ 
++	sanitize_boot_params(boot_params);
++
++	boot_params->secure_boot = get_secure_boot();
++
+ 	setup_graphics(boot_params);
+ 
+ 	setup_efi_pci(boot_params);
+diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
+index 225b0988043a..90dbfb73e11f 100644
+--- a/arch/x86/include/uapi/asm/bootparam.h
++++ b/arch/x86/include/uapi/asm/bootparam.h
+@@ -133,7 +133,8 @@ struct boot_params {
+ 	__u8  eddbuf_entries;				/* 0x1e9 */
+ 	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
+ 	__u8  kbd_status;				/* 0x1eb */
+-	__u8  _pad5[3];					/* 0x1ec */
++	__u8  secure_boot;				/* 0x1ec */
++	__u8  _pad5[2];					/* 0x1ed */
+ 	/*
+ 	 * The sentinel is set to a nonzero value (0xff) in header.S.
+ 	 *
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 0a2421cca01f..a3d8174dedf9 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1151,6 +1151,12 @@ void __init setup_arch(char **cmdline_p)
+ 
+ 	io_delay_init();
+ 
++#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
++	if (boot_params.secure_boot) {
++		enforce_signed_modules();
++	}
++#endif
++
+ 	/*
+ 	 * Parse the ACPI tables for possible boot-time SMP configuration.
+ 	 */
+diff --git a/include/linux/module.h b/include/linux/module.h
+index b033dab5c8bf..f526b6e02f59 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
+ 
+ struct notifier_block;
+ 
++#ifdef CONFIG_MODULE_SIG
++extern void enforce_signed_modules(void);
++#else
++static inline void enforce_signed_modules(void) {};
++#endif
++
+ #ifdef CONFIG_MODULES
+ 
+ extern int modules_disabled; /* for sysctl */
+diff --git a/kernel/module.c b/kernel/module.c
+index f3489ef9e409..3bb7c01b3c9f 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3912,6 +3912,13 @@ void module_layout(struct module *mod,
+ EXPORT_SYMBOL(module_layout);
+ #endif
+ 
++#ifdef CONFIG_MODULE_SIG
++void enforce_signed_modules(void)
++{
++	sig_enforce = true;
++}
++#endif
++
+ bool secure_modules(void)
+ {
+ #ifdef CONFIG_MODULE_SIG

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch

@@ -0,0 +1,54 @@
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 5 Feb 2013 19:25:05 -0500
+Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
+
+A user can manually tell the shim boot loader to disable validation of
+images it loads.  When a user does this, it creates a UEFI variable called
+MokSBState that does not have the runtime attribute set.  Given that the
+user explicitly disabled validation, we can honor that and not enable
+secure boot mode if that variable is set.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 105e7360d747..83fc4e9888ee 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -830,8 +830,9 @@ out:
+ 
+ static int get_secure_boot(void)
+ {
+-	u8 sb, setup;
++	u8 sb, setup, moksbstate;
+ 	unsigned long datasize = sizeof(sb);
++	u32 attr;
+ 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+ 	efi_status_t status;
+ 
+@@ -855,6 +856,23 @@ static int get_secure_boot(void)
+ 	if (setup == 1)
+ 		return 0;
+ 
++	/* See if a user has put shim into insecure_mode.  If so, and the variable
++	 * doesn't have the runtime attribute set, we might as well honor that.
++	 */
++	var_guid = EFI_SHIM_LOCK_GUID;
++	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
++				L"MokSBState", &var_guid, &attr, &datasize,
++				&moksbstate);
++
++	/* If it fails, we don't care why.  Default to secure */
++	if (status != EFI_SUCCESS)
++		return 1;
++
++	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
++		if (moksbstate == 1)
++			return 0;
++	}
++
+ 	return 1;
+ }
+ 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -0,0 +1,26 @@
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 27 Aug 2013 13:28:43 -0400
+Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+
+The functionality of the config option is dependent upon the platform being
+UEFI based.  Reflect this in the config deps.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index ab403a636357..5dac78119fa7 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1696,7 +1696,8 @@ config EFI_MIXED
+ 	   If unsure, say N.
+ 
+ config EFI_SECURE_BOOT_SIG_ENFORCE
+-        def_bool n
++	def_bool n
++	depends on EFI
+ 	prompt "Force module signing when UEFI Secure Boot is enabled"
+ 	---help---
+ 	  UEFI Secure Boot provides a mechanism for ensuring that the

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/13-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -0,0 +1,39 @@
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 27 Aug 2013 13:33:03 -0400
+Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit
+
+UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
+for use with efi_enabled.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/kernel/setup.c | 2 ++
+ include/linux/efi.h     | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index a3d8174dedf9..26c5d54124c1 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1153,7 +1153,9 @@ void __init setup_arch(char **cmdline_p)
+ 
+ #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
+ 	if (boot_params.secure_boot) {
++		set_bit(EFI_SECURE_BOOT, &efi.flags);
+ 		enforce_signed_modules();
++		pr_info("Secure boot enabled\n");
+ 	}
+ #endif
+ 
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index cf7e431cbc73..c74cbd892032 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -942,6 +942,7 @@ extern int __init efi_setup_pcdp_console(char *);
+ #define EFI_64BIT		5	/* Is the firmware 64-bit? */
+ #define EFI_PARAVIRT		6	/* Access is via a paravirt interface */
+ #define EFI_ARCH_1		7	/* First arch-specific bit */
++#define EFI_SECURE_BOOT		8	/* Are we in Secure Boot mode? */
+ 
+ #ifdef CONFIG_EFI
+ /*

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/14-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -0,0 +1,35 @@
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 20 Jun 2014 08:53:24 -0400
+Subject: [PATCH] hibernate: Disable in a signed modules environment
+
+There is currently no way to verify the resume image when returning
+from hibernate.  This might compromise the signed modules trust model,
+so until we can work with signed hibernate images we disable it in
+a secure modules environment.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ kernel/power/hibernate.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index 2329daae5255..48a8e82c7e2e 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -29,6 +29,7 @@
+ #include <linux/ctype.h>
+ #include <linux/genhd.h>
+ #include <linux/ktime.h>
++#include <linux/module.h>
+ #include <trace/events/power.h>
+ 
+ #include "power.h"
+@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
+ 
+ bool hibernation_available(void)
+ {
+-	return (nohibernate == 0);
++	return ((nohibernate == 0) && !secure_modules());
+ }
+ 
+ /**