ALC256 has its own quirk to override the shutup call, and it contains
the COEF update for pulling down the headset jack control. Currently,
the COEF update is called after clearing the headphone pin, and this
seems triggering a stall of the codec communication, and results in a
long delay over a second at suspend.
A quick resolution is to swap the calls: at first with the COEF
update, then clear the headphone pin.
John Stultz reports a boot time crash with the HiKey board (which uses
hci_serdev) occurring in hci_uart_tx_wakeup(). That function is
contained in hci_ldisc.c, but also called from the newer hci_serdev.c.
It acquires the proto_lock in struct hci_uart and it turns out that we
forgot to init the lock in the serdev code path, thus causing the crash.
John bisected the crash to commit 67d2f8781b9f ("Bluetooth: hci_ldisc:
Allow sleeping while proto locks are held"), but the issue was present
before and the commit merely exposed it. (Perhaps by luck, the crash
did not occur with rwlocks.)
Init the proto_lock in the serdev code path to avoid the oops.
Stack trace for posterity:
Unable to handle kernel read from unreadable memory at 406f127000
[000000406f127000] user address but active_mm is swapper
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Hardware name: HiKey Development Board (DT)
Call trace:
hci_uart_tx_wakeup+0x38/0x148
hci_uart_send_frame+0x28/0x38
hci_send_frame+0x64/0xc0
hci_cmd_work+0x98/0x110
process_one_work+0x134/0x330
worker_thread+0x130/0x468
kthread+0xf8/0x128
ret_from_fork+0x10/0x18
Hans de Goede [Thu, 1 Feb 2018 05:06:54 +0000 (13:06 +0800)]
Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version
BugLink: https://bugs.launchpad.net/bugs/1744712
Commit 7d06d5895c15 ("Revert "Bluetooth: btusb: fix QCA...suspend/resume"")
removed the setting of the BTUSB_RESET_RESUME quirk for QCA Rome devices,
instead favoring adding USB_QUIRK_RESET_RESUME quirks in usb/core/quirks.c.
This was done because the DIY BTUSB_RESET_RESUME reset-resume handling
has several issues (see the original commit message). An added advantage
of moving over to the USB-core reset-resume handling is that it also
disables autosuspend for these devices, which is similarly broken on these.
But there are 2 issues with this approach:
1) It leaves the broken DIY BTUSB_RESET_RESUME code in place for Realtek
devices.
2) Sofar only 2 of the 10 QCA devices known to the btusb code have been
added to usb/core/quirks.c and if we fix the Realtek case the same way
we need to add an additional 14 entries. So in essence we need to
duplicate a large part of the usb_device_id table in btusb.c in
usb/core/quirks.c and manually keep them in sync.
This commit instead restores setting a reset-resume quirk for QCA devices
in the btusb.c code, avoiding the duplicate usb_device_id table problem.
This commit avoids the problems with the original DIY BTUSB_RESET_RESUME
code by simply setting the USB_QUIRK_RESET_RESUME quirk directly on the
usb_device.
This commit also moves the BTUSB_REALTEK case over to directly setting the
USB_QUIRK_RESET_RESUME on the usb_device and removes the now unused
BTUSB_RESET_RESUME code.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1514836 Fixes: 7d06d5895c15 ("Revert "Bluetooth: btusb: fix QCA...suspend/resume"") Cc: stable@vger.kernel.org Cc: Leif Liddy <leif.linux@gmail.com> Cc: Matthias Kaehlcke <mka@chromium.org> Cc: Brian Norris <briannorris@chromium.org> Cc: Daniel Drake <drake@endlessm.com> Cc: Kai-Heng Feng <kai.heng.feng@canonical.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 61f5acea8737d9b717fcc22bb6679924f3c82b98) Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Acked-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
This commit causes a regression on some QCA ROME chips. The USB device
reset happens in btusb_open(), hence firmware loading gets interrupted.
Furthermore, this commit stops working after commit
("a0085f2510e8976614ad8f766b209448b385492f Bluetooth: btusb: driver to
enable the usb-wakeup feature"). Reset-resume quirk only gets enabled in
btusb_suspend() when it's not a wakeup source.
If we really want to reset the USB device, we need to do it before
btusb_open(). Let's handle it in drivers/usb/core/quirks.c.
Cc: stable@vger.kernel.org Cc: Leif Liddy <leif.linux@gmail.com> Cc: Matthias Kaehlcke <mka@chromium.org> Cc: Brian Norris <briannorris@chromium.org> Cc: Daniel Drake <drake@endlessm.com> Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Reviewed-by: Brian Norris <briannorris@chromium.org> Tested-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 7d06d5895c159f64c46560dc258e553ad8670fe0) Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Acked-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
John Johansen [Wed, 31 Jan 2018 10:23:41 +0000 (11:23 +0100)]
UBUNTU: SAUCE: apparmor: fix display of .ns_name for containers
The .ns_name should not be virtualized by the current ns view. It
needs to report the ns base name as that is being used during startup
as part of determining apparmor policy namespace support.
BugLink: http://bugs.launchpad.net/bugs/1746463 Fixes: d9f02d9c237aa ("apparmor: fix display of ns name") Reported-by: Serge Hallyn <serge@hallyn.com> Tested-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Colin Ian King [Fri, 26 Jan 2018 23:13:03 +0000 (23:13 +0000)]
UBUNTU: SAUCE: (noup) Update spl to 0.7.5-1ubuntu1, zfs to 0.7.5-1ubuntu1
Sync up kernel drives of SPL and ZFS to version 0.7.5. This has passed
the set of ubuntu autotest ZFS regression tests when built against the
current Bionic unstable 4.15 tip.
Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Andy Whitcroft [Thu, 25 Jan 2018 10:27:43 +0000 (10:27 +0000)]
UBUNTU: [Packaging] update urgency to medium by default
BugLink: http://bugs.launchpad.net/bugs/1745338 Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
scsi: libiscsi: Allow sd_shutdown on bad transport
BugLink: https://bugs.launchpad.net/bugs/1569925
If, for any reason, userland shuts down iscsi transport interfaces
before proper logouts - like when logging in to LUNs manually, without
logging out on server shutdown, or when automated scripts can't
umount/logout from logged LUNs - kernel will hang forever on its
sd_sync_cache() logic, after issuing the SYNCHRONIZE_CACHE cmd to all
still existent paths.
This happens because iscsi_eh_cmd_timed_out(), the transport layer
timeout helper, would tell the queue timeout function (scsi_times_out)
to reset the request timer over and over, until the session state is
back to logged in state. Unfortunately, during server shutdown, this
might never happen again.
Other option would be "not to handle" the issue in the transport
layer. That would trigger the error handler logic, which would also need
the session state to be logged in again.
Best option, for such case, is to tell upper layers that the command was
handled during the transport layer error handler helper, marking it as
DID_NO_CONNECT, which will allow completion and inform about the
problem.
After the session was marked as ISCSI_STATE_FAILED, due to the first
timeout during the server shutdown phase, all subsequent cmds will fail
to be queued, allowing upper logic to fail faster.
Signed-off-by: Rafael David Tinoco <rafael.tinoco@canonical.com> Reviewed-by: Lee Duncan <lduncan@suse.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit d754941225a7dbc61f6dd2173fa9498049f9a7ee linux-next) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Mon, 22 Jan 2018 15:56:21 +0000 (09:56 -0600)]
UBUNTU: Rebase to v4.15-rc9
Note that updateconfigs deselected a number of B43/B44/SSB config
options due to a new dependency on
CONFIG_PCI_DRIVERS_LEGACY,PCI_DRIVERS_LEGACY, which is only
selectable for the mips architecture.
BugLink: https://launchpad.net/bugs/1742759
Add quirks for handling PX/HG systems. In this case, add
a quirk for a weston dGPU that only seems to properly power
down using ATPX power control rather than HG (_PR3).
v2: append a new weston XT
Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Junwei Zhang <Jerry.Zhang@amd.com> (v2) Reviewed-and-Tested-by: Junwei Zhang <Jerry.Zhang@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Acked-by: Christian König <christian.koenig@amd.com> Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Larry Finger [Thu, 7 Dec 2017 22:44:10 +0000 (16:44 -0600)]
UBUNTU: ubuntu: vbox: build fixes for 4.15
This patch file makes the necessary changes to the VirtualBox 5.1.30 sources
to allow the kernel modules to build with kernel 4.15.
The API changes are of several types:
1. The timer initialization routine init_timer_pinned() no longer exists, and
is replaced by timer_setup().
2. The timer callback routine calling sequence is changed as is the technique
for getting the timer information from the callback parameters.
3. The calling sequence for drm_encoder_find() is changed.
4. The calling sequence for the .get and .set members of the module_param_call()
calls have changed.
This patch is released under the MIT license when appropriate, GPLv2 otherwise.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
[ saf: The timer-related changes seem to have been applied upstream but
not those for the module parameter callbacks; adjusted to only apply
these changes. ] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Thu, 4 Jan 2018 20:41:30 +0000 (14:41 -0600)]
UBUNTU: [Debian] autoreconstruct - add resoration of execute permissions
Debian source package diffs cannot represent that a file should
be executable. This is a problem for us if a patch adds a script
which is invoked directly during the build, as happened with a
recent stable update for 4.14. Update gen-auto-reconstruct to
detect this situation and restore the execute permissions in the
reconstruct script. Exclude the debian packaging directories as
the scripts here already account for the loss of execute
permissions.
Kamal Mostafa [Wed, 20 Dec 2017 22:44:59 +0000 (14:44 -0800)]
UBUNTU: [debian] use SRCPKGNAME in linux-headers Depends
Use the SRCPKGNAME macro instead of hardcoded "linux" in the Depends for
linux-headers-PKGVER-ABINUM-FLAVOUR, to provide the correct package name
for derivative kernels with a different SRCPKGNAME.
Seth Forshee [Sat, 16 Dec 2017 06:33:36 +0000 (00:33 -0600)]
UBUNTU: [Config] CONFIG_SPI_INTEL_SPI_*=n
BugLink: http://bugs.launchpad.net/bugs/1734147
Many Lenovo users are ending up with corrupted bios, and
guidance from Intel is that (for now at least) these options
should be disabled. Seems the driver was never really meant for
end users anyway.
Kamal Mostafa [Wed, 13 Dec 2017 19:43:14 +0000 (11:43 -0800)]
UBUNTU: [debian] support for ship_extras_package=false
If optional .mk variable 'ship_extras_package' is explicitly set to false,
then do not construct the linux-image-extra package; instead just log all
of the "extra" modules which were pointlessly built yet won't be shipped.
This feature may be useful for config debugging and for custom kernel
development.
Ignore: yes
Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Wed, 13 Dec 2017 13:18:36 +0000 (07:18 -0600)]
UBUNTU: [Config] Enable support for emulation of deprecated ARMv8 instructions
BugLink: http://bugs.launchpad.net/bugs/1545542
Some binaries used in the Launchpad build farms need this
emulation, so enable the relevant config options and enforce the
values in the annotations file.
Seth Forshee [Sun, 10 Dec 2017 04:08:25 +0000 (22:08 -0600)]
UBUNTU: [Config] CONFIG_UNWINDER_FRAME_POINTER=y for amd64
During the rebase to 4.15 UNWINDER_ORC was chosen as the stack
unwinder as it promises a 5-10% performance improvement over
using UNWINDER_FRAME_POINTER. However it turns out to have a
couple of downsides. It adds a new requierment for building dkms
modules, and it does not produce the reliable stack traces
required for livepatch. Switch back to UNWINDER_FRAME_POINTER.
Andy Whitcroft [Fri, 8 Dec 2017 14:01:22 +0000 (14:01 +0000)]
UBUNTU: [Packaging] disable zfs module checks when zfs is disabled
We currently disable the zfs module changes when we disable zfs
builds as part of cross-compilation. We should disable the zfs
module checks whenever zfs itself is disabled.
Pull the zfs module disablement support such that it is always
present.
BugLink: http://bugs.launchpad.net/bugs/1737176 Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Acked-by: Colin Ian King <colin.king@canonical.com>
[ saf: fix invalid syntax ] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Fri, 8 Dec 2017 15:18:33 +0000 (09:18 -0600)]
UBUNTU: [Config] Update kernel lockdown options to fix build errors
While the options are available for non-x86 architectures, they
don't actually build there becuase LOCKDOWN_LIFT_KEY is only
defined for x86. Disable lock down options on all other arches so
they will build.
Larry Finger [Thu, 7 Dec 2017 22:44:10 +0000 (16:44 -0600)]
UBUNTU: ubuntu: vbox: build fixes for 4.15
This patch file makes the necessary changes to the VirtualBox 5.1.30 sources
to allow the kernel modules to build with kernel 4.15.
The API changes are of several types:
1. The timer initialization routine init_timer_pinned() no longer exists, and
is replaced by timer_setup().
2. The timer callback routine calling sequence is changed as is the technique
for getting the timer information from the callback parameters.
3. The calling sequence for drm_encoder_find() is changed.
4. The calling sequence for the .get and .set members of the module_param_call()
calls have changed.
This patch is released under the MIT license when appropriate, GPLv2 otherwise.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Fri, 2 Jun 2017 18:45:22 +0000 (13:45 -0500)]
UBUNTU: SAUCE: (efi-lockdown) efi: Don't print secure boot state from the efi stub
During boot the efi stub prints what amounts to debugging
messages about the secure boot state to the efi console. which
appear on the screen during boot. The same information is printed
in dmesg while the kernel is booting, so they serve no purpose
aside from debugging issues in the efi stub. Remove them.
Seth Forshee [Thu, 4 May 2017 13:09:04 +0000 (08:09 -0500)]
UBUNTU: SAUCE: (efi-lockdown) efi: Sanitize boot_params in efi stub
The efi stub will set the value of boot_params.secure_boot
without first checking whether boot_params has been sanitized. If
they have not, the value of secure_boot will be cleared later
when boot_params is sanitized. This currently happens with grub
as it currently does not clear the sentinel, and thus the kernel
cannot determine the secure boot state.
Since the efi stub is modifying a field in an area subject to
sanitization, it must first sanitize boot_params if needed. Later
sanitization by the decompressor will do nothing as the sentinel
value will have been cleared.
Josh Boyer [Fri, 5 May 2017 07:21:59 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) MODSIGN: Allow the "db" UEFI variable to be suppressed
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called
MokIgnoreDB. Have the uefi import code look for this and ignore the db
variable if it is found.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 9c38c1c996b55d5332a7e528a26ce3e58a095493
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Josh Boyer [Fri, 5 May 2017 07:21:59 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) MODSIGN: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring. This
allows for a third party signing certificate to be used in conjunction
with signed modules. By importing the public certificate into the 'db'
variable, a user can allow a module signed with that certificate to
load. The shim UEFI bootloader has a similar certificate list stored
in the 'MokListRT' variable. We import those as well.
Secure Boot also maintains a list of disallowed certificates in the 'dbx'
variable. We load those certificates into the newly introduced system
blacklist keyring and forbid any module signed with those from loading and
forbid the use within the kernel of any key with a matching hash.
This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit e0047875ca55cb28ea36ad179af21add4495d88e
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Dave Howells [Fri, 5 May 2017 07:21:58 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) efi: Add an EFI signature blob parser
Add a function to parse an EFI signature blob looking for elements of
interest. A list is made up of a series of sublists, where all the
elements in a sublist are of the same type, but sublists can be of
different types.
For each sublist encountered, the function pointed to by the
get_handler_for_guid argument is called with the type specifier GUID and
returns either a pointer to a function to handle elements of that type or
NULL if the type is not of interest.
If the sublist is of interest, each element is passed to the handler
function in turn.
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit a0edbe5bff0d82e1495fde162bf36b51e0f56028
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Dave Howells [Fri, 5 May 2017 07:21:58 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) efi: Add EFI signature data types
Add the data types that are used for containing hashes, keys and
certificates for cryptographic verification along with their corresponding
type GUIDs.
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit cf8a2070ce1ab1ed8578a537af141ca0073b46e0
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Fri, 5 May 2017 07:21:56 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) KEYS: Allow unrestricted boot-time addition of keys to secondary keyring
Allow keys to be added to the system secondary certificates keyring during
kernel initialisation in an unrestricted fashion. Such keys are implicitly
trusted and don't have their trust chains checked on link.
This allows keys in the UEFI database to be added in secure boot mode for
the purposes of module signing.
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 9ad18fe5e96752b7e39d9e7cc9be7a4aa81630b0
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Thu, 19 Oct 2017 13:05:02 +0000 (14:05 +0100)]
UBUNTU: SAUCE: (efi-lockdown) efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that all kernel modules also be signed. Add a configuration option
that to lock down the kernel - which includes requiring validly signed
modules - if the kernel is secure-booted.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
(cherry picked from commit 38fe03c2891718e53db9d51f414fef96055dacad
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Thu, 19 Oct 2017 13:18:53 +0000 (14:18 +0100)]
UBUNTU: SAUCE: (efi-lockdown) efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that inteprets the
secure_boot boot parameter to generic code and set the bit there.
David Howells [Wed, 24 May 2017 13:56:06 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) Lock down module params that specify hardware parameters (eg. ioport)
Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
dma buffers and other types).
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 33a38c67ed53106458e1858a2101cae3026486e4
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Wed, 24 May 2017 13:56:06 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) Lock down TIOCSSERIAL
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
settings on a serial port. This only appears to be an issue for the serial
drivers that use the core serial code. All other drivers seem to either
ignore attempts to change port/irq or give an error.
David Howells [Wed, 24 May 2017 13:56:06 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) scsi: Lock down the eata driver
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
device to access or modify the kernel image.
The eata driver takes a single string parameter that contains a slew of
settings, including hardware resource configuration. Prohibit use of the
parameter if the kernel is locked down.
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> Signed-off-by: David Howells <dhowells@redhat.com>
cc: Dario Ballabio <ballabio_dario@emc.com>
cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
cc: linux-scsi@vger.kernel.org
(cherry picked from commit b6435a0bf222a5ad7b5071be950505b0ef2d622b
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Linn Crosetto [Wed, 24 May 2017 13:56:05 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) acpi: Disable APEI error injection if the kernel is locked down
ACPI provides an error injection mechanism, EINJ, for debugging and testing
the ACPI Platform Error Interface (APEI) and other RAS features. If
supported by the firmware, ACPI specification 5.0 and later provide for a
way to specify a physical memory address to which to inject the error.
Injecting errors through EINJ can produce errors which to the platform are
indistinguishable from real hardware errors. This can have undesirable
side-effects, such as causing the platform to mark hardware as needing
replacement.
While it does not provide a method to load unauthenticated privileged code,
the effect of these errors may persist across reboots and affect trust in
the underlying hardware, so disable error injection through EINJ if
the kernel is locked down.
Signed-off-by: Linn Crosetto <linn@hpe.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
(cherry picked from commit 6b13c1b1c2fcd969b67fbbb1ad338e61ec7e184e
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Linn Crosetto [Wed, 24 May 2017 13:56:05 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) acpi: Disable ACPI table override if the kernel is locked down
From the kernel documentation (initrd_table_override.txt):
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
to override nearly any ACPI table provided by the BIOS with an
instrumented, modified one.
When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.
Signed-off-by: Linn Crosetto <linn@hpe.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
(cherry picked from commit dd6efccc38c5e28c8f588f8ac576395633313aa3
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Josh Boyer [Wed, 24 May 2017 13:56:05 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to modify the workings of hardware . Reject
the option when the kernel is locked down.
Signed-off-by: Josh Boyer <jwboyer@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: Dave Young <dyoung@redhat.com>
cc: linux-acpi@vger.kernel.org
(cherry picked from commit 54929ddfc652ac9c9c0daecc4bfb00df82ca5b20
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:04 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) ACPI: Limit access to custom_method when the kernel is locked down
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if the kernel is locked down.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
(cherry picked from commit d42e85dad43a09adc2d0109bea444ddb58bacf38
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:04 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) asus-wmi: Restrict debugfs interface when the kernel is locked down
We have no way of validating what all of the Asus WMI methods do on a given
machine - and there's a risk that some will allow hardware state to be
manipulated in such a way that arbitrary code can be executed in the
kernel, circumventing module loading restrictions. Prevent that if the
kernel is locked down.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: acpi4asus-user@lists.sourceforge.net
cc: platform-driver-x86@vger.kernel.org
(cherry picked from commit fb4033e731796fe16c334810eb5a0b5e2fb23913
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:04 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) x86/msr: Restrict MSR access when the kernel is locked down
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a
patch by Kees Cook.
MSR accesses are logged for the purposes of building up a whitelist as per
Alan Cox's suggestion.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org
(cherry picked from commit 1ac328ac66d7ae815dc3b0b531a8959a88005f6d
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:04 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) x86: Lock down IO port access when the kernel is locked down
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org
(cherry picked from commit b1e4bf3ccfea06ae8b1b7f6a8875c241ba68fe43
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:03 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) PCI: Lock down BAR access when the kernel is locked down
Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
allowing them to circumvent disabled module loading or module signing.
Default to paranoid - in future we can potentially relax this for
sufficiently IOMMU-isolated devices.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-pci@vger.kernel.org
(cherry picked from commit 6999b2411874e2703d2e1bbec9ea42209699a984
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>