Seth Forshee [Sat, 16 Dec 2017 06:33:36 +0000 (00:33 -0600)]
UBUNTU: [Config] CONFIG_SPI_INTEL_SPI_*=n
BugLink: http://bugs.launchpad.net/bugs/1734147
Many Lenovo users are ending up with corrupted bios, and
guidance from Intel is that (for now at least) these options
should be disabled. Seems the driver was never really meant for
end users anyway.
Kamal Mostafa [Wed, 13 Dec 2017 19:43:14 +0000 (11:43 -0800)]
UBUNTU: [debian] support for ship_extras_package=false
If optional .mk variable 'ship_extras_package' is explicitly set to false,
then do not construct the linux-image-extra package; instead just log all
of the "extra" modules which were pointlessly built yet won't be shipped.
This feature may be useful for config debugging and for custom kernel
development.
Ignore: yes
Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Wed, 13 Dec 2017 13:18:36 +0000 (07:18 -0600)]
UBUNTU: [Config] Enable support for emulation of deprecated ARMv8 instructions
BugLink: http://bugs.launchpad.net/bugs/1545542
Some binaries used in the Launchpad build farms need this
emulation, so enable the relevant config options and enforce the
values in the annotations file.
Seth Forshee [Sun, 10 Dec 2017 04:08:25 +0000 (22:08 -0600)]
UBUNTU: [Config] CONFIG_UNWINDER_FRAME_POINTER=y for amd64
During the rebase to 4.15 UNWINDER_ORC was chosen as the stack
unwinder as it promises a 5-10% performance improvement over
using UNWINDER_FRAME_POINTER. However it turns out to have a
couple of downsides. It adds a new requierment for building dkms
modules, and it does not produce the reliable stack traces
required for livepatch. Switch back to UNWINDER_FRAME_POINTER.
Andy Whitcroft [Fri, 8 Dec 2017 14:01:22 +0000 (14:01 +0000)]
UBUNTU: [Packaging] disable zfs module checks when zfs is disabled
We currently disable the zfs module changes when we disable zfs
builds as part of cross-compilation. We should disable the zfs
module checks whenever zfs itself is disabled.
Pull the zfs module disablement support such that it is always
present.
BugLink: http://bugs.launchpad.net/bugs/1737176 Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Acked-by: Colin Ian King <colin.king@canonical.com>
[ saf: fix invalid syntax ] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Fri, 8 Dec 2017 15:18:33 +0000 (09:18 -0600)]
UBUNTU: [Config] Update kernel lockdown options to fix build errors
While the options are available for non-x86 architectures, they
don't actually build there becuase LOCKDOWN_LIFT_KEY is only
defined for x86. Disable lock down options on all other arches so
they will build.
Larry Finger [Thu, 7 Dec 2017 22:44:10 +0000 (16:44 -0600)]
UBUNTU: ubuntu: vbox: build fixes for 4.15
This patch file makes the necessary changes to the VirtualBox 5.1.30 sources
to allow the kernel modules to build with kernel 4.15.
The API changes are of several types:
1. The timer initialization routine init_timer_pinned() no longer exists, and
is replaced by timer_setup().
2. The timer callback routine calling sequence is changed as is the technique
for getting the timer information from the callback parameters.
3. The calling sequence for drm_encoder_find() is changed.
4. The calling sequence for the .get and .set members of the module_param_call()
calls have changed.
This patch is released under the MIT license when appropriate, GPLv2 otherwise.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Fri, 2 Jun 2017 18:45:22 +0000 (13:45 -0500)]
UBUNTU: SAUCE: (efi-lockdown) efi: Don't print secure boot state from the efi stub
During boot the efi stub prints what amounts to debugging
messages about the secure boot state to the efi console. which
appear on the screen during boot. The same information is printed
in dmesg while the kernel is booting, so they serve no purpose
aside from debugging issues in the efi stub. Remove them.
Seth Forshee [Thu, 4 May 2017 13:09:04 +0000 (08:09 -0500)]
UBUNTU: SAUCE: (efi-lockdown) efi: Sanitize boot_params in efi stub
The efi stub will set the value of boot_params.secure_boot
without first checking whether boot_params has been sanitized. If
they have not, the value of secure_boot will be cleared later
when boot_params is sanitized. This currently happens with grub
as it currently does not clear the sentinel, and thus the kernel
cannot determine the secure boot state.
Since the efi stub is modifying a field in an area subject to
sanitization, it must first sanitize boot_params if needed. Later
sanitization by the decompressor will do nothing as the sentinel
value will have been cleared.
Josh Boyer [Fri, 5 May 2017 07:21:59 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) MODSIGN: Allow the "db" UEFI variable to be suppressed
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called
MokIgnoreDB. Have the uefi import code look for this and ignore the db
variable if it is found.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 9c38c1c996b55d5332a7e528a26ce3e58a095493
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Josh Boyer [Fri, 5 May 2017 07:21:59 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) MODSIGN: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring. This
allows for a third party signing certificate to be used in conjunction
with signed modules. By importing the public certificate into the 'db'
variable, a user can allow a module signed with that certificate to
load. The shim UEFI bootloader has a similar certificate list stored
in the 'MokListRT' variable. We import those as well.
Secure Boot also maintains a list of disallowed certificates in the 'dbx'
variable. We load those certificates into the newly introduced system
blacklist keyring and forbid any module signed with those from loading and
forbid the use within the kernel of any key with a matching hash.
This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit e0047875ca55cb28ea36ad179af21add4495d88e
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Dave Howells [Fri, 5 May 2017 07:21:58 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) efi: Add an EFI signature blob parser
Add a function to parse an EFI signature blob looking for elements of
interest. A list is made up of a series of sublists, where all the
elements in a sublist are of the same type, but sublists can be of
different types.
For each sublist encountered, the function pointed to by the
get_handler_for_guid argument is called with the type specifier GUID and
returns either a pointer to a function to handle elements of that type or
NULL if the type is not of interest.
If the sublist is of interest, each element is passed to the handler
function in turn.
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit a0edbe5bff0d82e1495fde162bf36b51e0f56028
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Dave Howells [Fri, 5 May 2017 07:21:58 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) efi: Add EFI signature data types
Add the data types that are used for containing hashes, keys and
certificates for cryptographic verification along with their corresponding
type GUIDs.
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit cf8a2070ce1ab1ed8578a537af141ca0073b46e0
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Fri, 5 May 2017 07:21:56 +0000 (08:21 +0100)]
UBUNTU: SAUCE: (efi-lockdown) KEYS: Allow unrestricted boot-time addition of keys to secondary keyring
Allow keys to be added to the system secondary certificates keyring during
kernel initialisation in an unrestricted fashion. Such keys are implicitly
trusted and don't have their trust chains checked on link.
This allows keys in the UEFI database to be added in secure boot mode for
the purposes of module signing.
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 9ad18fe5e96752b7e39d9e7cc9be7a4aa81630b0
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Thu, 19 Oct 2017 13:05:02 +0000 (14:05 +0100)]
UBUNTU: SAUCE: (efi-lockdown) efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that all kernel modules also be signed. Add a configuration option
that to lock down the kernel - which includes requiring validly signed
modules - if the kernel is secure-booted.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
(cherry picked from commit 38fe03c2891718e53db9d51f414fef96055dacad
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Thu, 19 Oct 2017 13:18:53 +0000 (14:18 +0100)]
UBUNTU: SAUCE: (efi-lockdown) efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that inteprets the
secure_boot boot parameter to generic code and set the bit there.
David Howells [Wed, 24 May 2017 13:56:06 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) Lock down module params that specify hardware parameters (eg. ioport)
Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
dma buffers and other types).
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 33a38c67ed53106458e1858a2101cae3026486e4
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Wed, 24 May 2017 13:56:06 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) Lock down TIOCSSERIAL
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
settings on a serial port. This only appears to be an issue for the serial
drivers that use the core serial code. All other drivers seem to either
ignore attempts to change port/irq or give an error.
David Howells [Wed, 24 May 2017 13:56:06 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) scsi: Lock down the eata driver
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
device to access or modify the kernel image.
The eata driver takes a single string parameter that contains a slew of
settings, including hardware resource configuration. Prohibit use of the
parameter if the kernel is locked down.
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> Signed-off-by: David Howells <dhowells@redhat.com>
cc: Dario Ballabio <ballabio_dario@emc.com>
cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
cc: linux-scsi@vger.kernel.org
(cherry picked from commit b6435a0bf222a5ad7b5071be950505b0ef2d622b
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Linn Crosetto [Wed, 24 May 2017 13:56:05 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) acpi: Disable APEI error injection if the kernel is locked down
ACPI provides an error injection mechanism, EINJ, for debugging and testing
the ACPI Platform Error Interface (APEI) and other RAS features. If
supported by the firmware, ACPI specification 5.0 and later provide for a
way to specify a physical memory address to which to inject the error.
Injecting errors through EINJ can produce errors which to the platform are
indistinguishable from real hardware errors. This can have undesirable
side-effects, such as causing the platform to mark hardware as needing
replacement.
While it does not provide a method to load unauthenticated privileged code,
the effect of these errors may persist across reboots and affect trust in
the underlying hardware, so disable error injection through EINJ if
the kernel is locked down.
Signed-off-by: Linn Crosetto <linn@hpe.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
(cherry picked from commit 6b13c1b1c2fcd969b67fbbb1ad338e61ec7e184e
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Linn Crosetto [Wed, 24 May 2017 13:56:05 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) acpi: Disable ACPI table override if the kernel is locked down
From the kernel documentation (initrd_table_override.txt):
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
to override nearly any ACPI table provided by the BIOS with an
instrumented, modified one.
When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.
Signed-off-by: Linn Crosetto <linn@hpe.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
(cherry picked from commit dd6efccc38c5e28c8f588f8ac576395633313aa3
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Josh Boyer [Wed, 24 May 2017 13:56:05 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to modify the workings of hardware . Reject
the option when the kernel is locked down.
Signed-off-by: Josh Boyer <jwboyer@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: Dave Young <dyoung@redhat.com>
cc: linux-acpi@vger.kernel.org
(cherry picked from commit 54929ddfc652ac9c9c0daecc4bfb00df82ca5b20
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:04 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) ACPI: Limit access to custom_method when the kernel is locked down
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if the kernel is locked down.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
(cherry picked from commit d42e85dad43a09adc2d0109bea444ddb58bacf38
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:04 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) asus-wmi: Restrict debugfs interface when the kernel is locked down
We have no way of validating what all of the Asus WMI methods do on a given
machine - and there's a risk that some will allow hardware state to be
manipulated in such a way that arbitrary code can be executed in the
kernel, circumventing module loading restrictions. Prevent that if the
kernel is locked down.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: acpi4asus-user@lists.sourceforge.net
cc: platform-driver-x86@vger.kernel.org
(cherry picked from commit fb4033e731796fe16c334810eb5a0b5e2fb23913
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:04 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) x86/msr: Restrict MSR access when the kernel is locked down
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a
patch by Kees Cook.
MSR accesses are logged for the purposes of building up a whitelist as per
Alan Cox's suggestion.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org
(cherry picked from commit 1ac328ac66d7ae815dc3b0b531a8959a88005f6d
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:04 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) x86: Lock down IO port access when the kernel is locked down
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org
(cherry picked from commit b1e4bf3ccfea06ae8b1b7f6a8875c241ba68fe43
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:03 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) PCI: Lock down BAR access when the kernel is locked down
Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
allowing them to circumvent disabled module loading or module signing.
Default to paranoid - in future we can potentially relax this for
sufficiently IOMMU-isolated devices.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-pci@vger.kernel.org
(cherry picked from commit 6999b2411874e2703d2e1bbec9ea42209699a984
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:03 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) uswsusp: Disable when the kernel is locked down
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
is locked down.
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Reviewed-by: James Morris <james.l.morris@oracle.com>
cc: linux-pm@vger.kernel.org
(cherry picked from commit fc55d45a5b3c80d7a751de9650865113293518eb
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Josh Boyer [Wed, 24 May 2017 13:56:03 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) hibernate: Disable when the kernel is locked down
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.
Dave Young [Wed, 24 May 2017 13:56:02 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) Copy secure_boot flag in boot params across kexec reboot
Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
kexec_load. In this state, the system is missing the protections provided
by secure boot.
Adding a patch to fix this by retain the secure_boot flag in original
kernel.
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
stub. Fixing this issue by copying secure_boot flag across kexec reboot.
Signed-off-by: Dave Young <dyoung@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: kexec@lists.infradead.org
(cherry picked from commit 046143c089ab19140e210794323944dc46b92a72
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:02 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) kexec: Disable at runtime if the kernel is locked down
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
kexec in this situation.
This does not affect kexec_file_load() which can check for a signature on the
image to be booted.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Dave Young <dyoung@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Reviewed-by: James Morris <james.l.morris@oracle.com>
cc: kexec@lists.infradead.org
(cherry picked from commit 9a7ef0aead9519d42e351d10e0c6f7b8d3bebdb1
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Matthew Garrett [Wed, 24 May 2017 13:56:02 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) Restrict /dev/{mem,kmem,port} when the kernel is locked down
Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.
Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
been locked down to prevent this.
Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
(cherry picked from commit 2eada4c7af2d4e9522a47523d2a5106d96271cd9
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
David Howells [Wed, 24 May 2017 13:56:00 +0000 (14:56 +0100)]
UBUNTU: SAUCE: (efi-lockdown) Add the ability to lock down access to the running kernel image
Provide a single call to allow kernel code to determine whether the system
should be locked down, thereby disallowing various accesses that might
allow the running kernel image to be changed including the loading of
modules that aren't validly signed with a key we recognise, fiddling with
MSR registers and disallowing hibernation,
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <james.l.morris@oracle.com>
(cherry picked from commit 152c170ecb38cab0f78379d163be048303dae49d
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Mon, 4 Dec 2017 13:14:41 +0000 (07:14 -0600)]
UBUNTU: SAUCE: mm: fix memory hotplug in ZONE_HIGHMEM
BugLink: http://bugs.launchpad.net/bugs/1732463
Prior to f1dd2cd13c4b "mm, memory_hotplug: do not associate
hotadded memory to zones until online" 32-bit x86 with
CONFIG_HIGHMEM=y would default to ZONE_HIGHMEM for hotplugged
memory. That commit changed this to ZONE_NORMAL and made it
impossible for hotplugged memory to be added to ZONE_HIGHMEM,
resulting in oopses whenever the kernel tries to use hotplugged
memory that should have been placed in ZONE_HIGHMEM.
This has been reported upstream, but as a temporary fix make the
following changes:
- If CONFIG_HIGHMEM=y, also look in ZONE_HIGHMEM when searching
for a matching zone for memory being onlined.
- Allow the arch to specify the default zone to be used if no
matching zone is found.
- Change 32-bit x86 to set the default zone to ZONE_HIGHMEM if
CONFIG_HIGHMEM=y.
Seth Forshee [Fri, 1 Dec 2017 21:08:32 +0000 (15:08 -0600)]
UBUNTU: SAUCE: mm: disable vma based swap readahead by default
BugLink: http://bugs.launchpad.net/bugs/1732463
Starting with 4.14 our test for CVE-2015-7550 started oopsing the
kernel on i386 with the following stack trace:
I'm not able to reproduce this outside of ADT, but vma based swap
readahead is a new feature in 4.14 so it seems quite likely that
this is where the bug lies. However I'm not able to reproduce the
problem outside of ADT to confirm this.
So for now disable this feature by default so we can see if that
gets the test to pass. It can still be enabled by writing to
/sys/kernel/mm/swap/vma_ra_enabled if desired.
Inlining cpu_to_node ends up with the GPL exported array cpu_topology
being pulled into all sources that call cpu_to_node and indirectly
makes cpu_to_node into a function that has the same GPL exported
constraints. This is unlike any other architecture where cpu_to_node
does not have this constraint. Fix this by making cpu_to_node a macro
that calls a non-inlined __cpu_to_node helper function that performs
the same as the original cpu_to_node.
Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
John Johansen [Wed, 19 Jul 2017 06:18:33 +0000 (23:18 -0700)]
UBUNTU: SAUCE: apparmor: add base infastructure for socket mediation
Provide a basic mediation of sockets. This is not a full net mediation
but just whether a spcific family of socket can be used by an
application, along with setting up some basic infrastructure for
network mediation to follow.
the user space rule hav the basic form of
NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ]
[ TYPE | PROTOCOL ]
Colin Ian King [Mon, 6 Nov 2017 17:23:55 +0000 (17:23 +0000)]
UBUNTU: SAUCE: add workarounds to enable ZFS for 4.14
Currently there are no upstream compat workarounds for 4.14 so for
the moment use some workarounds that enable ZFS to build on 4.14.
I added pre-v4.14 #ifdefs so these patches are compatible with the
userspace dkms ZFS/SPL source. Passes the ZFS kernel team autotest
regression tests.
This should all be superceeded once 7.3.0 lands in Bionic and we
have the official 4.14 compat fixes.
Also enable ZFS in debian/rules
Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Mon, 30 Oct 2017 16:57:57 +0000 (11:57 -0500)]
UBUNTU: vbox-update: Fix up KERN_DIR definitions
The 5.2.0-dfsg-2 vbox package has some makefile changes which
define KERN_DIR under the asumption that modules are being built
against external headers found under /lib/modules. This is not
true when building the modules alongside the kernel, and the vbox
build aboarts because the path doesn't exist.
Update vbox-update to automatically replace the KERN_DIR
definitions with one which points it at the base of the kernel
source tree.
Seth Forshee [Mon, 23 Oct 2017 17:43:58 +0000 (12:43 -0500)]
UBUNTU: hio: Update io stat accounting for 4.14
In 4.14-rc1 invflight accounting calls were updated to require a
request queue be passed, and part_(inc|dec)_in_flight() were
moved out of linux/genhd.h and are not exported to modules. Make
a couple of updates to cope with these changes:
- Pass the rq to part_round_stats for 4.14 and later.
- Use generic_(start|end)_io_acct() helpers for io accounting
with 4.14 and later. These do exactly what was being done with
the no-longer-exported interfaces.
Seth Forshee [Mon, 23 Oct 2017 17:38:10 +0000 (12:38 -0500)]
UBUNTU: hio: Use correct sizes when initializing ssd_index_bits* arrays
The memsets which initialize these arrays use a size of the
number of elements in the array without multplying by the size of
the array elements, therefore these arrays are only partially
initialized. Fix this by using sizeof to trivially get the
correct size for these arrays.
Moving forward we will be using the vboxvideo module in
drivers/staging. Disable building the same module from the
imported virtualbox guest modules to avoid any ambiguity about
which vboxvideo module will be loaded.
psmouse serio2: Failed to reset mouse on synaptics-pt/serio0
psmouse serio2: Failed to enable mouse on synaptics-pt/serio0
Set these new devices to use SMBus to fix this issue,
then they report SMBus version 3 is using,
patch: https://patchwork.kernel.org/patch/9989547/ enabled SMBus ver 3 and
makes synaptics devices work fine on SMBus mode.
Signed-off-by: Aaron Ma <aaron.ma@canonical.com> Acked-by: Hui Wang <hui.wang@canonical.com> Acked-by: AceLan Kao <acelan.kao@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: PCI: Disable broken RTIT_BAR of Intel TH
BugLink: http://bugs.launchpad.net/bugs/1715833
On some intergrations of the Intel TH the reported size of RTIT_BAR
doesn't match its actual size, which leads to overlaps with other
devices' resources.
For this reason, we need to disable the RTIT_BAR on Denverton where
it would overlap with XHCI MMIO space and effectively kill usb dead.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Wed, 30 Aug 2017 13:14:06 +0000 (08:14 -0500)]
UBUNTU: SAUCE: selftests/powerpc: Disable some ptrace selftests
The ptrace-tm-vsx, ptrace-tm-spd-vsx, and ptrace-tm-spr tests
FTBFS with the gcc in artful due to inline asm which includes r2
in the clobber list. Disable these tests until a solution is
found.
export ARCH=arm; export CROSS_COMPILE=arm-linux-gnueabihf-
make defconfig
make snap-pkg
The resulting kernel snap will be generated in $(objtree)/snap
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: hio: Fix incorrect use of enum req_opf values
BugLink: http://bugs.launchpad.net/bugs/1701316
Patch from Huawei to fix incorrect use of enumerated values for
bio operations as bitmasks. A reordering of the enum in 4.10
caused a change in behavior which has been leading to data
corruption.
UBUNTU: SAUCE: (no-up) net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
CVE-2014-9900
memset() the structure ethtool_wolinfo that has padded bytes
but the padded bytes have not been zeroed out.
Change-Id: If3fd2d872a1b1ab9521d937b86a29fc468a8bbfe Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org> Signed-off-by: Brad Figg <brad.figg@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Colin Ian King [Wed, 7 Jun 2017 12:28:24 +0000 (13:28 +0100)]
UBUNTU: SAUCE: (noup) Update spl to 0.6.5.9-1ubuntu2, zfs to 0.6.5.9-5ubuntu7
Sync with upstream 4.12 compat fixes to build with 4.12. Tested against
upstream 4.12-rc4 and ubuntu Artful 4.11 kernels.
SPL:
* Add 4.12 compat patch from upstream to build with 4.12 kernel:
- 8f87971e1fd11e Linux 4.12 compat: PF_FSTRANS was removed
ZFS:
* Add 4.12 compat patches from upstream to build with 4.12 kernel:
- 608d6942b70436 Linux 4.12 compat: super_setup_bdi_name()
- e624cd19599047 Linux 4.12 compat: PF_FSTRANS was removed
- 2946a1a15aab87 Linux 4.12 compat: CURRENT_TIME removed
- 3e6c9433474f0b Linux 4.12 compat: fix super_setup_bdi_name() call
Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Fri, 12 May 2017 20:29:18 +0000 (15:29 -0500)]
UBUNTU: SAUCE: Fix module signing exclusion in package builds
BugLink: http://bugs.launchpad.net/bugs/1690908
The current module signing exclusion implementation suffers from
two problems. First, it looks for the signed-inclusion file
relative to the path where make is executed and thus doesn't work
if the source and build directories are different. Second, the
signed-inclusion file lists only the module name, but the strings
searched for in the file include the path (and the path to the
module install location at that).
Fix these problems by updating scripts/Makefile.modinst to look
for signed-inclusion relative to the path of the source tree and
to use only the module name when matching against the contents of
that file.
Jay Vosburgh [Wed, 11 Nov 2015 13:04:50 +0000 (13:04 +0000)]
UBUNTU: SAUCE: fan: add VXLAN implementation
Generify the fan mapping support and utilise that to implement fan
mappings over vxlan transport.
Expose the existance of this functionality (when the module is loaded)
via an additional sysctl marker.
Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
[apw@canonical.com: added feature marker for fan over vxlan.] Signed-off-by: Andy Whitcroft <apw@canonical.com>
Conflicts:
drivers/net/vxlan.c
include/uapi/linux/if_link.h
net/ipv4/ipip.c
Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Switch to a single tunnel for all mappings, this removes the limitations
on how many mappings each tunnel can handle, and therefore how many Fan
slices each local address may hold.
NOTE: This introduces a new kernel netlink interface which needs updated
iproute2 support.
BugLink: http://bugs.launchpad.net/bugs/1470091 Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
[saf: Fix conflicts during rebase to 4.12] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Conflicts:
include/uapi/linux/if_tunnel.h
net/ipv4/ipip.c
Colin Ian King [Tue, 2 May 2017 14:32:47 +0000 (15:32 +0100)]
UBUNTU: SAUCE: (noup) Update spl to 0.6.5.9-1ubuntu1, zfs to 0.6.5.9-5ubuntu5
Add upstream SPL compat patches from upstream to build with 4.11 kernel:
- 8d5feecacfdcca Linux 4.11 compat: set_task_state() removed
- 94b1ab2ae01e9e Linux 4.11 compat: vfs_getattr() takes 4 args
- 9a054d54fb6772 Linux 4.11 compat: add linux/sched/signal.h
- bf8abea4dade11 Linux 4.11 compat: remove stub for __put_task_struct
Add upstream ZFS compat patches from upstream to build with 4.11 kernel:
- a3478c07475261 Linux 4.11 compat: iops.getattr and friends
- 4859fe796c5b03 Linux 4.11 compat: avoid refcount_t name conflict
Tested and verified against the Ubuntu ZFS autotest regression tests
Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: (namespace) block_dev: Forbid unprivileged mounting when device is opened for writing
For unprivileged mounts to be safe the user must not be able to
make changes to the backing store while it is mounted. This patch
takes a step towards preventing this by refusing to mount in a
user namepspace if the block device is open for writing and
refusing attempts to open the block device for writing by non-
root while it is mounted in a user namespace.
To prevent this from happening we use i_writecount in the inodes
of the bdev filesystem similarly to how it is used for regular
files. Whenever the device is opened for writing i_writecount
is checked; if it is negative the open returns -EBUSY, otherwise
i_writecount is incremented. On mount, a positive i_writecount
results in mount_bdev returning -EBUSY, otherwise i_writecount
is decremented. Opens by root and mounts from init_user_ns do not
check nor modify i_writecount.