authorMichal Kubecek <mkubecek@suse.cz>2019-11-05 21:12:51 +0100
committerMichal Kubecek <mkubecek@suse.cz>2019-11-05 21:12:51 +0100
commit38547d2da3f6dc34253484eb83471ae832800a27 (patch)
treef3a62edde815cffab8a4de90727cd18f10329f61
parentcc9ff55b224707f09a76c53ee71b8d43a12eb728 (diff)
parent76eea73c9b479582dedd607f5c55f1e1fd3530f4 (diff)
Merge branch 'users/jlee/SLE15-SP2/for-next' into SLE15-SP2
Pull SLE15-SP1 patch cleanup from Joey Lee.
-rw-r--r--patches.suse/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch152
-rw-r--r--patches.suse/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch103
-rw-r--r--patches.suse/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch46
-rw-r--r--patches.suse/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch42
-rw-r--r--patches.suse/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch42
-rw-r--r--patches.suse/0047-kexec_file-restrict-if-the-kernel-is-locked-down.patch39
-rw-r--r--patches.suse/0047-kexec_file-split-KEXEC_VERIFY_SIG.patch217
-rw-r--r--patches.suse/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch36
-rw-r--r--patches.suse/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch98
-rw-r--r--patches.suse/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch56
-rw-r--r--patches.suse/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch48
-rw-r--r--patches.suse/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch54
-rw-r--r--patches.suse/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch32
-rw-r--r--patches.suse/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch36
-rw-r--r--patches.suse/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch40
-rw-r--r--series.conf16
16 files changed, 0 insertions, 1057 deletions
diff --git a/patches.suse/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/patches.suse/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch
deleted file mode 100644
index bb74fe7dd8..0000000000
--- a/patches.suse/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From 4e038dfc742f11bcd02e5a3fba5718cefbf06d70 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 5 Apr 2017 17:40:29 +0100
-Subject: [PATCH 40/62] Add the ability to lock down access to the running
- kernel image
-Patch-mainline: No, submitted https://patchwork.kernel.org/patch/9665591/
-References: fate#314486
-
-Provide a single call to allow kernel code to determine whether the system
-should be locked down, thereby disallowing various accesses that might
-allow the running kernel image to be changed including the loading of
-modules that aren't validly signed with a key we recognise, fiddling with
-MSR registers and disallowing hibernation,
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- include/linux/kernel.h | 9 +++++++++
- include/linux/security.h | 11 +++++++++++
- security/Kconfig | 15 +++++++++++++++
- security/Makefile | 3 +++
- security/lock_down.c | 40 ++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 78 insertions(+)
- create mode 100644 security/lock_down.c
-
-diff --git a/include/linux/kernel.h b/include/linux/kernel.h
-index 4c26dc3..b820a80 100644
---- a/include/linux/kernel.h
-+++ b/include/linux/kernel.h
-@@ -275,6 +275,15 @@ extern int oops_may_print(void);
- void do_exit(long error_code) __noreturn;
- void complete_and_exit(struct completion *, long) __noreturn;
-
-+#ifdef CONFIG_LOCK_DOWN_KERNEL
-+extern bool kernel_is_locked_down(void);
-+#else
-+static inline bool kernel_is_locked_down(void)
-+{
-+ return false;
-+}
-+#endif
-+
- /* Internal, do not use. */
- int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
- int __must_check _kstrtol(const char *s, unsigned int base, long *res);
-diff --git a/include/linux/security.h b/include/linux/security.h
-index af675b5..68bab18 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata)
- { }
- #endif /* CONFIG_SECURITY */
-
-+#ifdef CONFIG_LOCK_DOWN_KERNEL
-+extern void lock_kernel_down(void);
-+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
-+extern void lift_kernel_lockdown(void);
-+#endif
-+#else
-+static inline void lock_kernel_down(void)
-+{
-+}
-+#endif
-+
- #endif /* ! __LINUX_SECURITY_H */
-
-diff --git a/security/Kconfig b/security/Kconfig
-index 3ff1bf9..e383017 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -198,6 +198,21 @@ config STATIC_USERMODEHELPER_PATH
- If you wish for all usermode helper programs to be disabled,
- specify an empty string here (i.e. "").
-
-+config LOCK_DOWN_KERNEL
-+ bool "Allow the kernel to be 'locked down'"
-+ help
-+ Allow the kernel to be locked down under certain circumstances, for
-+ instance if UEFI secure boot is enabled. Locking down the kernel
-+ turns off various features that might otherwise allow access to the
-+ kernel image (eg. setting MSR registers).
-+
-+config ALLOW_LOCKDOWN_LIFT
-+ bool
-+ help
-+ Allow the lockdown on a kernel to be lifted, thereby restoring the
-+ ability of userspace to access the kernel image (eg. by SysRq+x under
-+ x86).
-+
- source security/selinux/Kconfig
- source security/smack/Kconfig
- source security/tomoyo/Kconfig
-diff --git a/security/Makefile b/security/Makefile
-index f2d71cd..8c4a43e 100644
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
- # Object integrity file lists
- subdir-$(CONFIG_INTEGRITY) += integrity
- obj-$(CONFIG_INTEGRITY) += integrity/
-+
-+# Allow the kernel to be locked down
-+obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o
-diff --git a/security/lock_down.c b/security/lock_down.c
-new file mode 100644
-index 0000000..5788c60
---- /dev/null
-+++ b/security/lock_down.c
-@@ -0,0 +1,40 @@
-+/* Lock down the kernel
-+ *
-+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#include <linux/security.h>
-+#include <linux/export.h>
-+
-+static __read_mostly bool kernel_locked_down;
-+
-+/*
-+ * Put the kernel into lock-down mode.
-+ */
-+void lock_kernel_down(void)
-+{
-+ kernel_locked_down = true;
-+}
-+
-+/*
-+ * Take the kernel out of lockdown mode.
-+ */
-+void lift_kernel_lockdown(void)
-+{
-+ kernel_locked_down = false;
-+}
-+
-+/**
-+ * kernel_is_locked_down - Find out if the kernel is locked down
-+ */
-+bool kernel_is_locked_down(void)
-+{
-+ return kernel_locked_down;
-+}
-+EXPORT_SYMBOL(kernel_is_locked_down);
---
-2.10.2
-
diff --git a/patches.suse/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/patches.suse/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
deleted file mode 100644
index 8b5833113b..0000000000
--- a/patches.suse/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From a9643aef5a6c576f32a97053b4024638943044ca Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 42/62] Enforce module signatures if the kernel is locked down
-Patch-mainline: No, submitted https://patchwork.kernel.org/patch/9664927/
-References: fate#314486
-
-If the kernel is locked down, require that all modules have valid
-signatures that we can verify.
-
-
-[ modified according to this proposed change: https://lkml.org/lkml/2018/2/22/359 ]
-
-It adjusts the errors generated:
-
- (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY),
- then:
-
- (a) If signatures are enforced then EKEYREJECTED is returned.
-
- (b) If IMA will have validated the image, return 0 (okay).
-
- (c) If there's no signature or we can't check it, but the kernel is
- locked down then EPERM is returned (this is then consistent with
- other lockdown cases).
-
- (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
- the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return
- the error we got.
-
-Note that the X.509 code doesn't check for key expiry as the RTC might not be
-valid or might not have been transferred to the kernel's clock yet.
-
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Jiri Bohac <jbohac@suse.cz>
----
----
- kernel/module.c | 41 ++++++++++++++++++++++++++++++++++-------
- 1 file changed, 34 insertions(+), 7 deletions(-)
-
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2824,8 +2824,9 @@ static inline void kmemleak_load_module(
- #ifdef CONFIG_MODULE_SIG
- static int module_sig_check(struct load_info *info, int flags)
- {
-- int err = -ENOKEY;
-+ int err = -ENODATA;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
-+ const char *reason;
- const void *mod = info->hdr;
-
- /*
-@@ -2840,16 +2841,42 @@ static int module_sig_check(struct load_
- err = mod_verify_sig(mod, info);
- }
-
-- if (!err) {
-+ switch (err) {
-+ case 0:
- info->sig_ok = true;
- return 0;
-- }
-
-- /* Not having a signature is only an error if we're strict. */
-- if (err == -ENOKEY && !sig_enforce)
-- err = 0;
-+ /* We don't permit modules to be loaded into trusted kernels
-+ * without a valid signature on them, but if we're not
-+ * enforcing, certain errors are non-fatal.
-+ */
-+ case -ENODATA:
-+ reason = "Loading of unsigned module";
-+ goto decide;
-+ case -ENOPKG:
-+ reason = "Loading of module with unsupported crypto";
-+ goto decide;
-+ case -ENOKEY:
-+ reason = "Loading of module with unavailable key";
-+ decide:
-+ if (sig_enforce) {
-+ pr_notice("%s is rejected\n", reason);
-+ return -EKEYREJECTED;
-+ }
-+ if (kernel_is_locked_down()) {
-+ pr_notice("%s is rejected, kernel is locked down\n", reason);
-+ return -EPERM;
-+ }
-+ return 0;
-+
-+ /* All other errors are fatal, including nomem, unparseable
-+ * signatures and signature check failures - even if signatures
-+ * aren't required.
-+ */
-+ default:
-+ return err;
-+ }
-
-- return err;
- }
- #else /* !CONFIG_MODULE_SIG */
- static int module_sig_check(struct load_info *info, int flags)
diff --git a/patches.suse/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/patches.suse/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
deleted file mode 100644
index b444df79d3..0000000000
--- a/patches.suse/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 104cff827b18e35874153bd8df14eba59e5b411a Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 43/62] Restrict /dev/mem and /dev/kmem when the kernel is
- locked down
-Patch-mainline: No, submitted https://patchwork.kernel.org/patch/9665599/
-References: fate#314486
-
-Allowing users to write to address space makes it possible for the kernel to
-be subverted, avoiding module loading restrictions. Prevent this when the
-kernel has been locked down.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- drivers/char/mem.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 6d9cc2d..f814404 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
- if (p != *ppos)
- return -EFBIG;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- if (!valid_phys_addr_range(p, count))
- return -EFAULT;
-
-@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
- char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
- int err = 0;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- if (p < (unsigned long) high_memory) {
- unsigned long to_write = min_t(unsigned long, count,
- (unsigned long)high_memory - p);
---
-2.10.2
-
diff --git a/patches.suse/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/patches.suse/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
deleted file mode 100644
index 9f2ee3a320..0000000000
--- a/patches.suse/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e7c340d3a52b23631aa5e67cd10eac766042db50 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 45/62] kexec: Disable at runtime if the kernel is locked down
-Patch-mainline: No, submitted
-References: fate#314486
-
-kexec permits the loading and execution of arbitrary code in ring 0, which
-is something that lock-down is meant to prevent. It makes sense to disable
-kexec in this situation.
-
-This does not affect kexec_file_load() which can check for a signature on the
-image to be booted.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- kernel/kexec.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 980936a..46de8e6 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- return -EPERM;
-
- /*
-+ * kexec can be used to circumvent module loading restrictions, so
-+ * prevent loading in that case
-+ */
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
-+ /*
- * Verify we have a legal set of flags
- * This leaves us room for future extensions.
- */
---
-2.10.2
-
diff --git a/patches.suse/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/patches.suse/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
deleted file mode 100644
index 33ad74a0be..0000000000
--- a/patches.suse/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From c124b113ed50045c2a81ddaab104578e592ebec3 Mon Sep 17 00:00:00 2001
-From: Dave Young <dyoung@redhat.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 46/62] Copy secure_boot flag in boot params across kexec
- reboot
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-Kexec reboot in case secure boot being enabled does not keep the secure
-boot mode in new kernel, so later one can load unsigned kernel via legacy
-kexec_load. In this state, the system is missing the protections provided
-by secure boot.
-
-Adding a patch to fix this by retain the secure_boot flag in original
-kernel.
-
-secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
-stub. Fixing this issue by copying secure_boot flag across kexec reboot.
-
-Signed-off-by: Dave Young <dyoung@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- arch/x86/kernel/kexec-bzimage64.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index d0a814a..3551bca 100644
---- a/arch/x86/kernel/kexec-bzimage64.c
-+++ b/arch/x86/kernel/kexec-bzimage64.c
-@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
- if (efi_enabled(EFI_OLD_MEMMAP))
- return 0;
-
-+ params->secure_boot = boot_params.secure_boot;
- ei->efi_loader_signature = current_ei->efi_loader_signature;
- ei->efi_systab = current_ei->efi_systab;
- ei->efi_systab_hi = current_ei->efi_systab_hi;
---
-2.10.2
-
diff --git a/patches.suse/0047-kexec_file-restrict-if-the-kernel-is-locked-down.patch b/patches.suse/0047-kexec_file-restrict-if-the-kernel-is-locked-down.patch
deleted file mode 100644
index 32bcab1477..0000000000
--- a/patches.suse/0047-kexec_file-restrict-if-the-kernel-is-locked-down.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-References: fate#314486
-Acked-by: Jiri Bohac <jbohac@suse.cz>
-Patch-mainline: Not yet, submitted https://lkml.org/lkml/2018/2/22/439
-Subject: kexec_file: Restrict at runtime if the kernel is locked down
-
-When KEXEC_SIG is not enabled, kernel should not load images through
-kexec_file systemcall if the kernel is locked down unless IMA can be used
-to validate the image.
-
-[Modified by David Howells to fit with modifications to the previous patch
- and to return -EPERM if the kernel is locked down for consistency with
- other lockdowns]
-
-Signed-off-by: Jiri Bohac <jbohac@suse.cz>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Cc: Matthew Garrett <mjg59@srcf.ucam.org>
-cc: Chun-Yi Lee <jlee@suse.com>
-cc: kexec@lists.infradead.org
-
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index d5931e392050..c47c4de604cd 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -167,6 +167,13 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- }
-
- ret = 0;
-+
-+ if (kernel_is_locked_down()) {
-+ pr_notice("%s rejected, kernel is locked down\n", reason);
-+ ret = -EPERM;
-+ goto out;
-+ }
-+
- break;
-
- /* All other errors are fatal, including nomem, unparseable
-
diff --git a/patches.suse/0047-kexec_file-split-KEXEC_VERIFY_SIG.patch b/patches.suse/0047-kexec_file-split-KEXEC_VERIFY_SIG.patch
deleted file mode 100644
index 49a376d298..0000000000
--- a/patches.suse/0047-kexec_file-split-KEXEC_VERIFY_SIG.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-References: fate#314486
-Acked-by: Jiri Bohac <jbohac@suse.cz>
-Patch-mainline: Not yet, submitted https://lkml.org/lkml/2018/2/22/437
-Subject: kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
-
-This is a preparatory patch for kexec_file_load() lockdown. A locked down
-kernel needs to prevent unsigned kernel images from being loaded with
-kexec_file_load(). Currently, the only way to force the signature
-verification is compiling with KEXEC_VERIFY_SIG. This prevents loading
-usigned images even when the kernel is not locked down at runtime.
-
-This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE.
-Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG
-turns on the signature verification but allows unsigned images to be
-loaded. KEXEC_SIG_FORCE disallows images without a valid signature.
-
-[Modified by David Howells such that:
-
-(1) verify_pefile_signature() differentiates between no-signature and
- sig-didn't-match in its returned errors.
-
-(2) kexec fails with EKEYREJECTED and logs an appropriate message if
- signature checking is enforced and an signature is not found, uses
- unsupported crypto or has no matching key.
-
-(3) kexec fails with EKEYREJECTED if there is a signature for which we
- have a key, but signature doesn't match - even if in non-forcing mode.
-
-(4) kexec fails with EBADMSG or some other error if there is a signature
- which cannot be parsed - even if in non-forcing mode.
-
-(5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract
- the signature - even if in non-forcing mode.
-
-]
-
-Signed-off-by: Jiri Bohac <jbohac@suse.cz>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: Matthew Garrett <mjg59@srcf.ucam.org>
-cc: Chun-Yi Lee <jlee@suse.com>
-cc: kexec@lists.infradead.org
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index c1236b187824..cb6e67b7442d 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -2019,20 +2019,30 @@ config KEXEC_FILE
- for kernel and initramfs as opposed to list of segments as
- accepted by previous system call.
-
--config KEXEC_VERIFY_SIG
-+config KEXEC_SIG
- bool "Verify kernel signature during kexec_file_load() syscall"
- depends on KEXEC_FILE
- ---help---
-- This option makes kernel signature verification mandatory for
-- the kexec_file_load() syscall.
-
-- In addition to that option, you need to enable signature
-+ This option makes the kexec_file_load() syscall check for a valid
-+ signature of the kernel image. The image can still be loaded without
-+ a valid signature unless you also enable KEXEC_SIG_FORCE, though if
-+ there's a signature that we can check, then it must be valid.
-+
-+ In addition to this option, you need to enable signature
- verification for the corresponding kernel image type being
- loaded in order for this to work.
-
-+config KEXEC_SIG_FORCE
-+ bool "Require a valid signature in kexec_file_load() syscall"
-+ depends on KEXEC_SIG
-+ ---help---
-+ This option makes kernel signature verification mandatory for
-+ the kexec_file_load() syscall.
-+
- config KEXEC_BZIMAGE_VERIFY_SIG
- bool "Enable bzImage signature verification support"
-- depends on KEXEC_VERIFY_SIG
-+ depends on KEXEC_SIG
- depends on SIGNED_PE_FILE_VERIFICATION
- select SYSTEM_TRUSTED_KEYRING
- ---help---
-diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
-index 1f790cf9d38f..3fbe35b923ef 100644
---- a/arch/x86/kernel/machine_kexec_64.c
-+++ b/arch/x86/kernel/machine_kexec_64.c
-@@ -406,7 +406,7 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image)
- return image->fops->cleanup(image->image_loader_data);
- }
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- int arch_kexec_kernel_verify_sig(struct kimage *image, void *kernel,
- unsigned long kernel_len)
- {
-diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
-index d178650fd524..4473cea1e877 100644
---- a/crypto/asymmetric_keys/verify_pefile.c
-+++ b/crypto/asymmetric_keys/verify_pefile.c
-@@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
-
- if (!ddir->certs.virtual_address || !ddir->certs.size) {
- pr_debug("Unsigned PE binary\n");
-- return -EKEYREJECTED;
-+ return -ENODATA;
- }
-
- chkaddr(ctx->header_size, ddir->certs.virtual_address,
-@@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
- * (*) 0 if at least one signature chain intersects with the keys in the trust
- * keyring, or:
- *
-+ * (*) -ENODATA if there is no signature present.
-+ *
- * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
- * chain.
- *
-diff --git a/include/linux/kexec.h b/include/linux/kexec.h
-index f16f6ceb3875..19652372f3ee 100644
---- a/include/linux/kexec.h
-+++ b/include/linux/kexec.h
-@@ -121,7 +121,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf,
- unsigned long cmdline_len);
- typedef int (kexec_cleanup_t)(void *loader_data);
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- typedef int (kexec_verify_sig_t)(const char *kernel_buf,
- unsigned long kernel_len);
- #endif
-@@ -130,7 +130,7 @@ struct kexec_file_ops {
- kexec_probe_t *probe;
- kexec_load_t *load;
- kexec_cleanup_t *cleanup;
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- kexec_verify_sig_t *verify_sig;
- #endif
- };
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index e5bcd94c1efb..d5931e392050 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -45,7 +45,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
- return -EINVAL;
- }
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
- unsigned long buf_len)
- {
-@@ -116,7 +116,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- const char __user *cmdline_ptr,
- unsigned long cmdline_len, unsigned flags)
- {
-- int ret = 0;
-+ const char *reason;
-+ int ret;
- void *ldata;
- loff_t size;
-
-@@ -135,15 +136,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- if (ret)
- goto out;
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
- image->kernel_buf_len);
-- if (ret) {
-- pr_debug("kernel signature verification failed.\n");
-+#else
-+ ret = -ENODATA;
-+#endif
-+
-+ switch (ret) {
-+ case 0:
-+ break;
-+
-+ /* Certain verification errors are non-fatal if we're not
-+ * checking errors, provided we aren't mandating that there
-+ * must be a valid signature.
-+ */
-+ case -ENODATA:
-+ reason = "kexec of unsigned image";
-+ goto decide;
-+ case -ENOPKG:
-+ reason = "kexec of image with unsupported crypto";
-+ goto decide;
-+ case -ENOKEY:
-+ reason = "kexec of image with unavailable key";
-+ decide:
-+ if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
-+ pr_notice("%s rejected\n", reason);
-+ ret = -EKEYREJECTED;
-+ goto out;
-+ }
-+
-+ ret = 0;
-+ break;
-+
-+ /* All other errors are fatal, including nomem, unparseable
-+ * signatures and signature check failures - even if signatures
-+ * aren't required.
-+ */
-+ default:
-+ pr_notice("kernel signature verification failed (%d).\n", ret);
- goto out;
- }
-- pr_debug("kernel signature verification successful.\n");
--#endif
-+
- /* It is possible that there no initramfs is being loaded */
- if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
- ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
diff --git a/patches.suse/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch b/patches.suse/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch
deleted file mode 100644
index 0b5bda5eec..0000000000
--- a/patches.suse/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 398b27dd51e2c295ec870943a5afb842acf7726b Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 48/62] hibernate: Disable when the kernel is locked down
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-There is currently no way to verify the resume image when returning
-from hibernate. This might compromise the signed modules trust model,
-so until we can work with signed hibernate images we disable it when the
-kernel is locked down.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- kernel/power/hibernate.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index a8b978c..50cca5d 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
-
- bool hibernation_available(void)
- {
-- return (nohibernate == 0);
-+ return nohibernate == 0 && !kernel_is_locked_down();
- }
-
- /**
---
-2.10.2
-
diff --git a/patches.suse/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/patches.suse/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
deleted file mode 100644
index 7180237cd1..0000000000
--- a/patches.suse/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From fdfe195b5f8e0693a98f1f37eb1281ea7830dbff Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 50/62] PCI: Lock down BAR access when the kernel is locked
- down
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-Any hardware that can potentially generate DMA has to be locked down in
-order to avoid it being possible for an attacker to modify kernel code,
-allowing them to circumvent disabled module loading or module signing.
-Default to paranoid - in future we can potentially relax this for
-sufficiently IOMMU-isolated devices.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- drivers/pci/pci-sysfs.c | 9 +++++++++
- drivers/pci/proc.c | 8 +++++++-
- drivers/pci/syscall.c | 2 +-
- 3 files changed, 17 insertions(+), 2 deletions(-)
-
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct f
- loff_t init_off = off;
- u8 *data = (u8 *) buf;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- if (off > dev->cfg_size)
- return 0;
- if (off + count > dev->cfg_size) {
-@@ -1048,6 +1051,9 @@ static int pci_mmap_resource(struct kobj
- enum pci_mmap_state mmap_type;
- struct resource *res = &pdev->resource[bar];
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
- return -EINVAL;
-
-@@ -1131,6 +1137,9 @@ static ssize_t pci_write_resource_io(str
- struct bin_attribute *attr, char *buf,
- loff_t off, size_t count)
- {
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
-
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct
- int size = dev->cfg_size;
- int cnt;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- if (pos >= size)
- return 0;
- if (nbytes >= size)
-@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct fi
- #endif /* HAVE_PCI_MMAP */
- int ret = 0;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- switch (cmd) {
- case PCIIOC_CONTROLLER:
- ret = pci_domain_nr(dev->bus);
-@@ -236,7 +242,7 @@ static int proc_bus_pci_mmap(struct file
- struct pci_filp_private *fpriv = file->private_data;
- int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
-
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
- return -EPERM;
-
- if (fpriv->mmap_state == pci_mmap_io) {
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigne
- u32 dword;
- int err = 0;
-
-- if (!capable(CAP_SYS_ADMIN))
-+ if (!capable(CAP_SYS_ADMIN) || kernel_is_locked_down())
- return -EPERM;
-
- dev = pci_get_bus_and_slot(bus, dfn);
diff --git a/patches.suse/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/patches.suse/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
deleted file mode 100644
index fd28f8af05..0000000000
--- a/patches.suse/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 37a19fd0d859cc12f1d6f47085071e35d34a0a41 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 51/62] x86: Lock down IO port access when the kernel is locked
- down
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO
-register space. This would potentially permit root to trigger arbitrary
-DMA, so lock it down by default.
-
-This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
-KDDISABIO console ioctls.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- arch/x86/kernel/ioport.c | 4 ++--
- drivers/char/mem.c | 2 ++
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long
-
- if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- return -EINVAL;
-- if (turn_on && !capable(CAP_SYS_RAWIO))
-+ if (turn_on && (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down()))
- return -EPERM;
-
- /*
-@@ -120,7 +120,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve
- return -EINVAL;
- /* Trying to gain more privileges? */
- if (level > old) {
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
- return -EPERM;
- }
- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *
-
- static int open_port(struct inode *inode, struct file *filp)
- {
-+ if (kernel_is_locked_down())
-+ return -EPERM;
- return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
- }
-
diff --git a/patches.suse/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/patches.suse/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
deleted file mode 100644
index 7289198beb..0000000000
--- a/patches.suse/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From e20ab2be2f77e6c0da7cd8fe0953a367c5012ecf Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 52/62] x86: Restrict MSR access when the kernel is locked down
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-Writing to MSRs should not be allowed if the kernel is locked down, since
-it could lead to execution of arbitrary code in kernel mode. Based on a
-patch by Kees Cook.
-
-Cc: Kees Cook <keescook@chromium.org>
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- arch/x86/kernel/msr.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index ef68880..fbcce02 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- int err = 0;
- ssize_t bytes = 0;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- if (count % 8)
- return -EINVAL; /* Invalid chunk size */
-
-@@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- err = -EBADF;
- break;
- }
-+ if (kernel_is_locked_down()) {
-+ err = -EPERM;
-+ break;
-+ }
- if (copy_from_user(&regs, uregs, sizeof regs)) {
- err = -EFAULT;
- break;
---
-2.10.2
-
diff --git a/patches.suse/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/patches.suse/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
deleted file mode 100644
index a99cd81fa9..0000000000
--- a/patches.suse/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From bfa10bc7193d6309dc8029e18fe7d844f9a3a1c0 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 53/62] asus-wmi: Restrict debugfs interface when the kernel is
- locked down
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-We have no way of validating what all of the Asus WMI methods do on a given
-machine - and there's a risk that some will allow hardware state to be
-manipulated in such a way that arbitrary code can be executed in the
-kernel, circumventing module loading restrictions. Prevent that if the
-kernel is locked down.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- drivers/platform/x86/asus-wmi.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
---- a/drivers/platform/x86/asus-wmi.c
-+++ b/drivers/platform/x86/asus-wmi.c
-@@ -1914,6 +1914,9 @@ static int show_dsts(struct seq_file *m,
- int err;
- u32 retval = -1;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
-
- if (err < 0)
-@@ -1930,6 +1933,9 @@ static int show_devs(struct seq_file *m,
- int err;
- u32 retval = -1;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
- &retval);
-
-@@ -1954,6 +1960,9 @@ static int show_call(struct seq_file *m,
- union acpi_object *obj;
- acpi_status status;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
- 0, asus->debug.method_id,
- &input, &output);
diff --git a/patches.suse/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/patches.suse/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
deleted file mode 100644
index 045502b925..0000000000
--- a/patches.suse/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From c333ace27a3115f2b56f25987bdb7ef05f71836c Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Wed, 5 Apr 2017 17:40:30 +0100
-Subject: [PATCH 54/62] ACPI: Limit access to custom_method when the kernel is
- locked down
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-custom_method effectively allows arbitrary access to system memory, making
-it possible for an attacker to circumvent restrictions on module loading.
-Disable it if the kernel is locked down.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *fil
- struct acpi_table_header table;
- acpi_status status;
-
-+ if (kernel_is_locked_down())
-+ return -EPERM;
-+
- if (!(*ppos)) {
- /* parse the table header to get the table length */
- if (count <= sizeof(struct acpi_table_header))
diff --git a/patches.suse/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/patches.suse/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
deleted file mode 100644
index 42bc231434..0000000000
--- a/patches.suse/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 1e915addf2f56a29d84dfc899017a926de9c0264 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Wed, 5 Apr 2017 17:40:31 +0100
-Subject: [PATCH 55/62] acpi: Ignore acpi_rsdp kernel param when the kernel has
- been locked down
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-This option allows userspace to pass the RSDP address to the kernel, which
-makes it possible for a user to circumvent any restrictions imposed on
-loading modules. Ignore the option when the kernel is locked down.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- drivers/acpi/osl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index db78d35..d4d4ba3 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
- acpi_physical_address pa = 0;
-
- #ifdef CONFIG_KEXEC
-- if (acpi_rsdp)
-+ if (acpi_rsdp && !kernel_is_locked_down())
- return acpi_rsdp;
- #endif
-
---
-2.10.2
-
diff --git a/patches.suse/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/patches.suse/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
deleted file mode 100644
index 52f34a2e35..0000000000
--- a/patches.suse/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 2a3b80bfba52f3f71bbb9b20942fb86ca6f491fe Mon Sep 17 00:00:00 2001
-From: Linn Crosetto <linn@hpe.com>
-Date: Wed, 5 Apr 2017 17:40:31 +0100
-Subject: [PATCH 56/62] acpi: Disable ACPI table override if the kernel is
- locked down
-Patch-mainline: No, submitted
-
-References: fate#314486
-
-From the kernel documentation (initrd_table_override.txt):
-
- If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
- to override nearly any ACPI table provided by the BIOS with an
- instrumented, modified one.
-
-When securelevel is set, the kernel should disallow any unauthenticated
-changes to kernel space. ACPI tables contain code invoked by the kernel,
-so do not allow ACPI tables to be overridden if the kernel is locked down.
-
-Signed-off-by: Linn Crosetto <linn@hpe.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Lee, Chun-Yi <jlee@suse.com>
----
- drivers/acpi/tables.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/drivers/acpi/tables.c
-+++ b/drivers/acpi/tables.c
-@@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
- if (table_nr == 0)
- return;
-
-+ if (kernel_is_locked_down()) {
-+ pr_notice("kernel is locked down, ignoring table override\n");
-+ return;
-+ }
-+
- acpi_tables_addr =
- memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
- all_tables_size, PAGE_SIZE);
diff --git a/series.conf b/series.conf
index 0acc051236..e13afc02c8 100644
--- a/series.conf
+++ b/series.conf
@@ -3245,10 +3245,6 @@
+hare patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
+hare patches.suse/nvme-skip-nvme_update_disk_info-if-the-controller-is.patch
+hare patches.suse/scsi-do-not-print-reservation-conflict-for-TEST-UNIT.patch
-# jbohac
-+jbohac patches.suse/0042-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
-+jbohac patches.suse/0047-kexec_file-restrict-if-the-kernel-is-locked-down.patch
-+jbohac patches.suse/0047-kexec_file-split-KEXEC_VERIFY_SIG.patch
# jeffm
+jeffm patches.suse/btrfs-dump_space_info-when-encountering-total_bytes_pinned-0-at-umount.patch
+jeffm patches.suse/btrfs-qgroups-fix-rescan-worker-running-races.patch
@@ -3271,19 +3267,7 @@
+jlee patches.suse/0010-PM-hibernate-a-option-to-request-that-snapshot-image.patch
+jlee patches.suse/0011-PM-hibernate-require-hibernate-snapshot-image-to-be-.patch
+jlee patches.suse/0039-efi-Add-EFI_SECURE_BOOT-bit.patch
-+jlee patches.suse/0040-Add-the-ability-to-lock-down-access-to-the-running-k.patch
+jlee patches.suse/0041-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
-+jlee patches.suse/0043-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
-+jlee patches.suse/0045-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
-+jlee patches.suse/0046-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
-+jlee patches.suse/0048-hibernate-Disable-when-the-kernel-is-locked-down.patch
-+jlee patches.suse/0050-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
-+jlee patches.suse/0051-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
-+jlee patches.suse/0052-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
-+jlee patches.suse/0053-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
-+jlee patches.suse/0054-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
-+jlee patches.suse/0055-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
-+jlee patches.suse/0056-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
+jlee patches.suse/0057-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
# lhenriques
+lhenriques patches.suse/rbd-add-support-for-COMPARE_AND_WRITE-CMPEXT.patch