Applied: Trusty SRU - Implement secure boot signed modules enforcement V2
Kamal Mostafa
kamal at canonical.com
Tue Oct 4 17:15:33 UTC 2016
On Fri, Sep 09, 2016 at 01:15:05PM -0600, Tim Gardner wrote:
> The attached pull request is a reprise from
> https://lists.ubuntu.com/archives/kernel-team/2016-August/079452.html
> wherein an arm64 regression fix was attempted. In the process we found
> that some x86 laptop platforms would not boot. Subsequent bisection
> found the root cause: "x86/efi: Save and restore FPU context around
> efi_calls (x86_64)". A partial revert appears to have fixed the boot issue.
>
> This patchset has been rebased against what will become
> Ubuntu-3.13.0-97.144. Test kernels at
> http://people.canonical.com/~rtg/arm64-efi-lp1608854.
>
> rtg
> --
> Tim Gardner tim.gardner at canonical.com
> The following changes since commit 2546ede8f9da5373cebba987a5a3e81ca1d05c97:
>
> powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb) (2016-09-01 11:03:18 -0600)
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/rtg/ubuntu-trusty.git arm64-efi-lp1608854
>
> for you to fetch changes up to af1ef5707b060336f06ace9e324d3bb9a3937b8c:
>
> Revert "x86/efi: Save and restore FPU context around efi_calls (x86_64)" (2016-09-09 12:59:20 -0600)
>
> ----------------------------------------------------------------
> Andrzej Zaborowski (1):
> efi-pstore: Fix an overflow on 32-bit builds
>
> Ard Biesheuvel (4):
> efi/arm64: ignore dtb= when UEFI SecureBoot is enabled
> efi/arm64: efistub: remove local copy of linux_banner
> arm64/efi: map the entire UEFI vendor string before reading it
> arm64/efi: add missing call to early_ioremap_reset()
>
> Borislav Petkov (9):
> x86/efi: Simplify EFI_DEBUG
> x86/efi: Runtime services virtual mapping
> x86/efi: Check krealloc return value
> x86/efi: Fix 32-bit fallout
> x86/efi: Quirk out SGI UV
> x86/efi: Dump the EFI page table
> x86, pageattr: Export page unmapping interface
> x86/efi: Make efi virtual runtime map passing more robust
> x86/efi: Split efi_enter_virtual_mode
>
> Bruno Prémont (1):
> x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup()
>
> Catalin Marinas (2):
> efi: Fix compiler warnings (unused, const, type)
> efi: fdt: Do not report an error during boot if UEFI is not available
>
> Daeseok Youn (1):
> efi: Use NULL instead of 0 for pointer
>
> Dan Carpenter (2):
> efi: Fix error handling in add_sysfs_runtime_map_entry()
> efi: Small leak on error in runtime map code
>
> Dave Young (8):
> x86/efi: Remove unused variables in __map_region()
> x86/efi: Add a wrapper function efi_map_region_fixed()
> x86/efi: Fix off-by-one bug in EFI Boot Services reservation
> x86/efi: Cleanup efi_enter_virtual_mode() function
> efi: Export more EFI table variables to sysfs
> efi: Export EFI runtime memory mapping to sysfs
> x86/efi: Pass necessary EFI data for kexec via setup_data
> x86/efi: parse_efi_setup() build fix
>
> Dmitry Skorodumov (1):
> x86/efi: Use all 64 bit of efi_memmap in setup_e820()
>
> Fabian Frederick (1):
> fs/efivarfs/super.c: use static const for dentry_operations
>
> Geyslan G. Bem (1):
> efivarfs: 'efivarfs_file_write' function reorganization
>
> Guenter Roeck (1):
> firmware: Do not use WARN_ON(!spin_is_locked())
>
> H. Peter Anvin (1):
> efi: x86: Handle arbitrary Unicode characters
>
> Ingo Molnar (1):
> efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
>
> Joe Perches (1):
> x86/efi: Style neatening
>
> Josh Boyer (4):
> UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
> UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
> UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
> UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
>
> Leif Lindholm (2):
> efi: efi-stub-helper cleanup
> arm64: efi: only attempt efi map setup if booting via EFI
>
> Madper Xie (1):
> x86/efi: Delete out-of-date comments of efi_query_variable_store
>
> Mark Salter (5):
> efi: create memory map iteration helper
> efi: add helper function to get UEFI params from FDT
> arm64: add EFI runtime services
> arm64: efi: add EFI stub
> doc: arm64: add description of EFI stub support
>
> Matt Fleming (29):
> x86/efi: Delete superfluous global variables
> x86/efi: Allow mapping BGRT on x86-32
> x86/efi: Check status field to validate BGRT header
> efi: Move facility flags to struct efi
> efi: Set feature flags inside feature init functions
> ia64/efi: Implement efi_enabled()
> x86, tools: Consolidate #ifdef code
> x86/efi: Delete dead code when checking for non-native
> efi: Add separate 32-bit/64-bit definitions
> x86/efi: Build our own EFI services pointer table
> x86/efi: Add early thunk code to go from 64-bit to 32-bit
> x86/efi: Firmware agnostic handover entry points
> x86/efi: Wire up CONFIG_EFI_MIXED
> x86/efi: Re-disable interrupts after calling firmware services
> x86, tools: Fix up compiler warnings
> x86/efi: Preserve segment registers in mixed mode
> x86/efi: Rip out phys_efi_get_time()
> x86/efi: Restore 'attr' argument to query_variable_info()
> x86/efi: Delete most of the efi_call* macros
> efivars: Use local variables instead of a pointer dereference
> efivars: Check size of user object
> efivars: Stop passing a struct argument to efivar_validate()
> efivars: Refactor sanity checking code into separate function
> efivars: Add compatibility code for compat tasks
> x86/efi: Fix boot failure with EFI stub
> x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down
> efi/reboot: Add generic wrapper around EfiResetSystem()
> x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag
> efi/reboot: Allow powering off machines using EFI
>
> Matthew Garrett (9):
> UBUNTU: SAUCE: UEFI: Add secure_modules() call
> UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
> UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
> UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method
> UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted
> UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted
> UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions
> UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
> UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode
>
> Peter Jones (3):
> efi: Make our variable validation list include the guid
> lib/ucs2_string: Add ucs2 -> utf8 helper functions
> efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version
>
> Ricardo Neri (3):
> x86/efi: Implement a __efi_call_virt macro
> x86/efi: Save and restore FPU context around efi_calls (x86_64)
> x86/efi: Save and restore FPU context around efi_calls (i386)
>
> Ross Lagerwall (1):
> efivarfs: Ensure VariableName is NUL-terminated
>
> Roy Franz (5):
> efi: Add shared printk wrapper for consistent prefixing
> efi: Add get_dram_base() helper function
> doc: efi-stub.txt updates for ARM
> efi: Add shared FDT related functions for ARM/ARM64
> x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr
>
> Semen Protsenko (1):
> efi/arm64: Store Runtime Services revision
>
> Silvan Jegen (1):
> doc: Fix trivial spelling mistake in efi-stub.txt
>
> Tim Gardner (38):
> Revert "efi: Disable interrupts around EFI calls, not in the epilog/prolog calls"
> Revert "x86/efi: Use all 64 bit of efi_memmap in setup_e820()"
> Revert "x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr"
> Revert "efivarfs: Ensure VariableName is NUL-terminated"
> Revert "efi/libstub: Fix boundary checking in efi_high_alloc()"
> Revert "arm64: efi: only attempt efi map setup if booting via EFI"
> Revert "UBUNTU: arm64: Implement efi_enabled()"
> Revert "efi/arm64: ignore dtb= when UEFI SecureBoot is enabled"
> Revert "doc: arm64: add description of EFI stub support"
> Revert "UBUNTU: Move get_dram_base to arm private file"
> Revert "arm64: efi: add EFI stub"
> Revert "arm64: add EFI runtime services"
> Revert "efi: Add shared FDT related functions for ARM/ARM64"
> Revert "efi: add helper function to get UEFI params from FDT"
> Revert "doc: efi-stub.txt updates for ARM"
> Revert "efi: Add get_dram_base() helper function"
> Revert "efi: create memory map iteration helper"
> Revert "x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup()"
> Revert "firmware: Do not use WARN_ON(!spin_is_locked())"
> Revert "efi-pstore: Fix an overflow on 32-bit builds"
> Revert "x86/efi: Fix 32-bit fallout"
> Revert "x86/efi: Check krealloc return value"
> Revert "x86/efi: Runtime services virtual mapping"
> Revert "x86/efi: Fix off-by-one bug in EFI Boot Services reservation"
> UBUNTU: SAUCE: Merge tag 'efi-next' of git://git.kernel.org/.../mfleming/efi into x86/efi
> UBUNTU: [Config] CONFIG_EFI_RUNTIME_MAP=y
> UBUNTU: SAUCE: Merge tag 'v3.13-rc7' into x86/efi-kexec to resolve conflicts
> UBUNTU: v3.14 - Bacported EFI up to v3.14
> UBUNTU: [Config] CONFIG_EFI_MIXED=y
> UBUNTU: SAUCE: Merge remote-tracking branch 'tip/x86/efi-mixed' into efi-for-mingo
> UBUNTU: SAUCE: merge with v3.15
> UBUNTU: SAUCE: merge with v3.16
> UBUNTU: [Config] CONFIG_LIBFDT=y
> UBUNTU: [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
> UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled
> UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
> UBUNTU: SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility
> Revert "x86/efi: Save and restore FPU context around efi_calls (x86_64)"
>
> Yinghai Lu (1):
> efi/libstub: Fix boundary checking in efi_high_alloc()
>
> Documentation/ABI/testing/sysfs-firmware-efi | 20 +
> .../ABI/testing/sysfs-firmware-efi-runtime-map | 34 +
> Documentation/efi-stub.txt | 2 +-
> Documentation/x86/zero-page.txt | 2 +
> arch/arm64/include/asm/efi.h | 1 -
> arch/arm64/kernel/efi-stub.c | 8 -
> arch/arm64/kernel/efi.c | 27 +-
> arch/arm64/kernel/setup.c | 1 +
> arch/ia64/kernel/efi.c | 7 +
> arch/ia64/kernel/process.c | 2 +-
> arch/ia64/pci/fixup.c | 21 +
> arch/x86/Kconfig | 25 +
> arch/x86/Kconfig.debug | 9 +
> arch/x86/boot/Makefile | 2 +-
> arch/x86/boot/compressed/eboot.c | 1102 ++++++++++++++++----
> arch/x86/boot/compressed/eboot.h | 60 ++
> arch/x86/boot/compressed/efi_stub_64.S | 29 +
> arch/x86/boot/compressed/head_32.S | 50 +-
> arch/x86/boot/compressed/head_64.S | 105 +-
> arch/x86/boot/header.S | 15 +-
> arch/x86/boot/tools/build.c | 100 +-
> arch/x86/include/asm/efi.h | 158 +--
> arch/x86/include/asm/pgtable_types.h | 2 +
> arch/x86/include/uapi/asm/bootparam.h | 4 +-
> arch/x86/kernel/ioport.c | 5 +-
> arch/x86/kernel/msr.c | 7 +
> arch/x86/kernel/reboot.c | 26 +-
> arch/x86/kernel/setup.c | 89 +-
> arch/x86/mm/pageattr.c | 44 +-
> arch/x86/pci/fixup.c | 21 +
> arch/x86/platform/efi/Makefile | 1 +
> arch/x86/platform/efi/early_printk.c | 83 +-
> arch/x86/platform/efi/efi-bgrt.c | 12 +-
> arch/x86/platform/efi/efi.c | 752 +++++++++----
> arch/x86/platform/efi/efi_32.c | 10 +-
> arch/x86/platform/efi/efi_64.c | 389 ++++++-
> arch/x86/platform/efi/efi_stub_64.S | 247 +++--
> arch/x86/platform/efi/efi_thunk_64.S | 65 ++
> arch/x86/platform/uv/bios_uv.c | 2 +-
> block/partitions/efi.h | 9 +-
> debian.master/config/config.common.ubuntu | 5 +-
> drivers/acpi/custom_method.c | 3 +
> drivers/acpi/osl.c | 3 +-
> drivers/char/mem.c | 10 +
> drivers/firmware/efi/Kconfig | 11 +
> drivers/firmware/efi/Makefile | 3 +-
> drivers/firmware/efi/arm-stub.c | 39 +-
> drivers/firmware/efi/efi-stub-helper.c | 273 +++--
> drivers/firmware/efi/efi.c | 78 +-
> drivers/firmware/efi/efivars.c | 221 +++-
> drivers/firmware/efi/fdt.c | 12 +-
> drivers/firmware/efi/reboot.c | 56 +
> drivers/firmware/efi/runtime-map.c | 181 ++++
> drivers/firmware/efi/vars.c | 82 +-
> drivers/pci/pci-sysfs.c | 10 +
> drivers/pci/proc.c | 8 +-
> drivers/pci/syscall.c | 3 +-
> drivers/platform/x86/asus-wmi.c | 9 +
> fs/efivarfs/file.c | 13 +-
> fs/efivarfs/super.c | 9 +-
> include/linux/efi.h | 308 +++++-
> include/linux/module.h | 13 +
> include/linux/ucs2_string.h | 4 +
> init/Kconfig | 9 +
> kernel/Makefile | 3 +
> kernel/kexec.c | 3 +-
> kernel/modsign_uefi.c | 92 ++
> kernel/module.c | 17 +
> kernel/sysctl.c | 31 +
> lib/ucs2_string.c | 62 ++
> notes.txt | 1 +
> 71 files changed, 4071 insertions(+), 1049 deletions(-)
> create mode 100644 Documentation/ABI/testing/sysfs-firmware-efi
> create mode 100644 Documentation/ABI/testing/sysfs-firmware-efi-runtime-map
> create mode 100644 arch/x86/platform/efi/efi_thunk_64.S
> create mode 100644 drivers/firmware/efi/reboot.c
> create mode 100644 drivers/firmware/efi/runtime-map.c
> create mode 100644 kernel/modsign_uefi.c
> create mode 100644 notes.txt
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list