Vivid SRU - Enforce signed modules in UEFI secure boot

Tim Gardner tim.gardner at canonical.com
Thu Apr 28 19:46:39 UTC 2016


Attached is a pull request that enforces signed modules in UEFI secure
boot mode.

http://bugs.launchpad.net/bugs/1566221
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
https://blueprints.launchpad.net/ubuntu/+spec/foundations-x-installing-unsigned-secureboot

rtg
-- 
Tim Gardner tim.gardner at canonical.com
-------------- next part --------------
The following changes since commit 5ce1511c88a4332d2fd1aa85f118c9710869873c:

  Input: gtco - fix crash on detecting device without endpoints (2016-04-27 10:14:25 -0700)

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-vivid.git enforce-signed-modules

for you to fetch changes up to af42a83bb331027ef79eab11f7a4abd02cfb4f36:

  UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled (2016-04-28 13:18:44 -0600)

----------------------------------------------------------------
Josh Boyer (4):
      UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
      UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
      UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
      UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode

Matthew Garrett (9):
      UBUNTU: SAUCE: UEFI: Add secure_modules() call
      UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
      UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
      UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method
      UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted
      UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted
      UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions
      UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
      UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode

Tim Gardner (2):
      UBUNTU: [Config] UEFI: CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
      UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled

 Documentation/x86/zero-page.txt           |  2 +
 arch/x86/Kconfig                          | 11 ++++
 arch/x86/boot/compressed/eboot.c          | 55 ++++++++++++++++++
 arch/x86/include/uapi/asm/bootparam.h     |  3 +-
 arch/x86/kernel/ioport.c                  |  5 +-
 arch/x86/kernel/msr.c                     |  7 +++
 arch/x86/kernel/setup.c                   | 12 ++++
 debian.master/config/config.common.ubuntu |  1 +
 drivers/acpi/custom_method.c              |  3 +
 drivers/acpi/osl.c                        |  3 +-
 drivers/char/mem.c                        | 10 ++++
 drivers/pci/pci-sysfs.c                   | 10 ++++
 drivers/pci/proc.c                        |  8 ++-
 drivers/pci/syscall.c                     |  3 +-
 drivers/platform/x86/asus-wmi.c           |  9 +++
 include/linux/efi.h                       |  9 +++
 include/linux/module.h                    | 13 +++++
 init/Kconfig                              |  9 +++
 kernel/Makefile                           |  3 +
 kernel/kexec.c                            |  3 +-
 kernel/modsign_uefi.c                     | 92 +++++++++++++++++++++++++++++++
 kernel/module.c                           | 17 ++++++
 22 files changed, 281 insertions(+), 7 deletions(-)
 create mode 100644 kernel/modsign_uefi.c

