Vivid SRU - Enforce signed modules in UEFI secure boot
Tim Gardner
tim.gardner at canonical.com
Thu Apr 28 19:46:39 UTC 2016
Attached is a pull request that enforces signed modules in UEFI secure
boot mode.
http://bugs.launchpad.net/bugs/1566221
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
https://blueprints.launchpad.net/ubuntu/+spec/foundations-x-installing-unsigned-secureboot
rtg
--
Tim Gardner tim.gardner at canonical.com
-------------- next part --------------
The following changes since commit 5ce1511c88a4332d2fd1aa85f118c9710869873c:

  Input: gtco - fix crash on detecting device without endpoints (2016-04-27 10:14:25 -0700)

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-vivid.git enforce-signed-modules

for you to fetch changes up to af42a83bb331027ef79eab11f7a4abd02cfb4f36:

  UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled (2016-04-28 13:18:44 -0600)

----------------------------------------------------------------
Josh Boyer (4):
      UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
      UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
      UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
      UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode

Matthew Garrett (9):
      UBUNTU: SAUCE: UEFI: Add secure_modules() call
      UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
      UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
      UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method
      UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted
      UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted
      UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions
      UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
      UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode

Tim Gardner (2):
      UBUNTU: [Config] UEFI: CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
      UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled

 Documentation/x86/zero-page.txt           |  2 +
 arch/x86/Kconfig                          | 11 ++++
 arch/x86/boot/compressed/eboot.c          | 55 ++++++++++++++++++
 arch/x86/include/uapi/asm/bootparam.h     |  3 +-
 arch/x86/kernel/ioport.c                  |  5 +-
 arch/x86/kernel/msr.c                     |  7 +++
 arch/x86/kernel/setup.c                   | 12 ++++
 debian.master/config/config.common.ubuntu |  1 +
 drivers/acpi/custom_method.c              |  3 +
 drivers/acpi/osl.c                        |  3 +-
 drivers/char/mem.c                        | 10 ++++
 drivers/pci/pci-sysfs.c                   | 10 ++++
 drivers/pci/proc.c                        |  8 ++-
 drivers/pci/syscall.c                     |  3 +-
 drivers/platform/x86/asus-wmi.c           |  9 +++
 include/linux/efi.h                       |  9 +++
 include/linux/module.h                    | 13 +++++
 init/Kconfig                              |  9 +++
 kernel/Makefile                           |  3 +
 kernel/kexec.c                            |  3 +-
 kernel/modsign_uefi.c                     | 92 +++++++++++++++++++++++++++++++
 kernel/module.c                           | 17 ++++++
 22 files changed, 281 insertions(+), 7 deletions(-)
 create mode 100644 kernel/modsign_uefi.c