Restore CR4.LA57 to the mmu_role to fix an amusing edge case with nested
virtualization. When KVM (L0) is using TDP, CR4.LA57 is not reflected in
mmu_role.base.level because that tracks the shadow root level, i.e. TDP
level. Normally, this is not an issue because LA57 can't be toggled
while long mode is active, i.e. the guest has to first disable paging,
then toggle LA57, then re-enable paging, thus ensuring an MMU
reinitialization.
But if L1 is crafty, it can load a new CR4 on VM-Exit and toggle LA57
without having to bounce through an unpaged section. L1 can also load a
new CR3 on exit, i.e. it doesn't even need to play crazy paging games, a
single entry PML5 is sufficient. Such shenanigans are only problematic
if L0 and L1 use TDP, otherwise L1 and L2 share an MMU that gets
reinitialized on nested VM-Enter/VM-Exit due to mmu_role.base.guest_mode.
Note, in the L2 case with nested TDP, even though L1 can switch between
L2s with different LA57 settings, thus bypassing the paging requirement,
in that case KVM's nested_mmu will track LA57 in base.level.
Kernel stack offset randomization is a useful security feature
that should be enabled. Benchmarking showed that the impact is
within the noise of various microbenchmarks so I believe this
has some added benefit with minimal performance impact. The
security folk believe this is worth enabling, so lets switch
it on.
Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
+ cat trace
+ cnt=0
+ [ 0 -eq 0 ]
+ fail No other events were recorded
[15] event tracing - restricts events based on pid notrace filtering [FAIL]
Schedule a simple sleep task to be sure that some other process events
get recorded.
Fixes: ebed9628f5c2 ("selftests/ftrace: Add test to test new set_event_notrace_pid file") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
(cherry picked from commit 07b60713b57a8f952d029a2b6849d003d9c16108) Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Fixes: 71adefd254f2 ("UBUNTU: Add ubuntu-host module") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Mel Gorman [Mon, 28 Jun 2021 15:02:19 +0000 (16:02 +0100)]
mm/page_alloc: Correct return value of populated elements if bulk array is populated
Dave Jones reported the following
This made it into 5.13 final, and completely breaks NFSD for me
(Serving tcp v3 mounts). Existing mounts on clients hang, as do
new mounts from new clients. Rebooting the server back to rc7
everything recovers.
The commit b3b64ebd3822 ("mm/page_alloc: do bulk array bounds check after
checking populated elements") returns the wrong value if the array is
already populated which is interpreted as an allocation failure. Dave
reported this fixes his problem and it also passed a test running dbench
over NFS.
Fixes: b3b64ebd3822 ("mm/page_alloc: do bulk array bounds check after checking populated elements") Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk> Signed-off-by: Mel Gorman <mgorman@techsingularity.net> Cc: <stable@vger.kernel.org> [5.13+] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 66d9282523b3228183b14d9f812872dd2620704d) Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Mon, 28 Jun 2021 06:36:16 +0000 (08:36 +0200)]
UBUNTU: [Config] update configs and annotations after rebase to 5.13
Commit c6414e1a2bd2 ("gpio: AMD8111 and TQMX86 require HAS_IOPORT_MAP")
added a dependency of HAS_IOPORT_MAP for TQMX86, so this module cannot
be enabled anymore on armhf.
Also update CONFIG_KERNEL_LZ4 in the config, because of commit 4ed757d8a68f ("UBUNTU: [Config] use ZSTD to compress amd64 kernels").
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Benjamin Drung [Wed, 23 Jun 2021 22:16:20 +0000 (22:16 +0000)]
media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
BugLink: https://bugs.launchpad.net/bugs/1932367
The Elgato Cam Link 4K HDMI video capture card reports to support three
different pixel formats, where the first format depends on the connected
HDMI device.
Changing the pixel format to anything besides the first pixel format
does not work:
```
$ v4l2-ctl -d /dev/video0 --try-fmt-video pixelformat=YU12
Format Video Capture:
Width/Height : 3840/2160
Pixel Format : 'NV12' (Y/CbCr 4:2:0)
Field : None
Bytes per Line : 3840
Size Image : 12441600
Colorspace : sRGB
Transfer Function : Rec. 709
YCbCr/HSV Encoding: Rec. 709
Quantization : Default (maps to Limited Range)
Flags :
```
User space applications like VLC might show an error message on the
terminal in that case:
```
libv4l2: error set_fmt gave us a different result than try_fmt!
```
Depending on the error handling of the user space applications, they
might display a distorted video, because they use the wrong pixel format
for decoding the stream.
The Elgato Cam Link 4K responds to the USB video probe
VS_PROBE_CONTROL/VS_COMMIT_CONTROL with a malformed data structure: The
second byte contains bFormatIndex (instead of being the second byte of
bmHint). The first byte is always zero. The third byte is always 1.
The firmware bug was reported to Elgato on 2020-12-01 and it was
forwarded by the support team to the developers as feature request.
There is no firmware update available since then. The latest firmware
for Elgato Cam Link 4K as of 2021-03-23 has MCU 20.02.19 and FPGA 67.
Therefore correct the malformed data structure for this device. The
change was successfully tested with VLC, OBS, and Chromium using
different pixel formats (YUYV, NV12, YU12), resolutions (3840x2160,
1920x1080), and frame rates (29.970 and 59.940 fps).
Cc: stable@vger.kernel.org Signed-off-by: Benjamin Drung <bdrung@posteo.de> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
(backported from commit 4c6e0976295add7f0ed94d276c04a3d6f1ea8f83 linux-next) Signed-off-by: Benjamin Drung <bdrung@posteo.de>
[ changed uvc_trace(UVC_TRACE_VIDEO) -> uvc_dbg(stream->dev, VIDEO) ] Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
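The correction the commit describes, written out as an added stand-alone C example (this is not the uvcvideo driver's code): decode the VS_PROBE_CONTROL/VS_COMMIT_CONTROL payload and, for the affected device, take bFormatIndex from the byte where the device misplaces it. Field offsets follow the UVC class specification. The sample responses are constructed, and the `affected_device` flag stands in for the USB vendor/product match a driver would perform before applying a quirk; that match, and the exact IDs, are not part of the text above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimum length of a VS_PROBE_CONTROL/VS_COMMIT_CONTROL payload (UVC 1.0). */
#define UVC_PROBE_MIN_LEN 26

/* Fields of the probe/commit control decoded here. Offsets follow the UVC
 * class spec: bmHint is a little-endian u16 at offset 0, bFormatIndex at 2,
 * bFrameIndex at 3, dwFrameInterval at 4 (100 ns units),
 * dwMaxVideoFrameSize at 18 and dwMaxPayloadTransferSize at 22. */
struct probe_ctrl {
	uint16_t bmHint;
	uint8_t  bFormatIndex;
	uint8_t  bFrameIndex;
	uint32_t dwFrameInterval;
	uint32_t dwMaxVideoFrameSize;
	uint32_t dwMaxPayloadTransferSize;
};

static uint16_t rd_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The malformed layout described above: byte 0 is always zero, byte 2 is
 * always 1, and byte 1 (which should be the high byte of bmHint) carries
 * bFormatIndex. UVC 1.5 defines only bits D0..D4 of bmHint, so a compliant
 * response never has a nonzero high byte; that is what makes it detectable. */
static bool probe_looks_malformed(const uint8_t *data, size_t len)
{
	return len >= UVC_PROBE_MIN_LEN &&
	       data[0] == 0 && data[1] != 0 && data[2] == 1;
}

/* Decode the payload into *ctrl. `affected_device` stands in for the USB
 * ID match a driver would do before applying a device quirk (assumed here).
 * Returns true when the fix-up was applied. A short buffer leaves *ctrl
 * zeroed and returns false. */
static bool decode_probe_ctrl(const uint8_t *data, size_t len,
			      bool affected_device, struct probe_ctrl *ctrl)
{
	memset(ctrl, 0, sizeof(*ctrl));
	if (len < UVC_PROBE_MIN_LEN)
		return false;

	ctrl->bmHint = rd_le16(data);
	ctrl->bFormatIndex = data[2];
	ctrl->bFrameIndex = data[3];
	ctrl->dwFrameInterval = rd_le32(data + 4);
	ctrl->dwMaxVideoFrameSize = rd_le32(data + 18);
	ctrl->dwMaxPayloadTransferSize = rd_le32(data + 22);

	if (!affected_device || !probe_looks_malformed(data, len))
		return false;

	/* Move the misplaced format index where it belongs and keep only the
	 * low byte of bmHint, which the device does fill in (always 0). */
	ctrl->bFormatIndex = data[1];
	ctrl->bmHint = data[0];
	return true;
}

/* Constructed sample responses (not captured from hardware). Both describe
 * format index 2, frame index 1, a 333333 x 100 ns frame interval, a
 * 12441600-byte frame and a 3072-byte payload transfer size. */
static const uint8_t sample_malformed[UVC_PROBE_MIN_LEN] = {
	0x00, 0x02, 0x01, 0x01,  0x15, 0x16, 0x05, 0x00,
	0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0xd8,  0xbd, 0x00, 0x00, 0x0c,
	0x00, 0x00 };
static const uint8_t sample_compliant[UVC_PROBE_MIN_LEN] = {
	0x01, 0x00, 0x02, 0x01,  0x15, 0x16, 0x05, 0x00,
	0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0xd8,  0xbd, 0x00, 0x00, 0x0c,
	0x00, 0x00 };

int main(void)
{
	struct probe_ctrl raw, fixed;

	decode_probe_ctrl(sample_malformed, sizeof sample_malformed, false, &raw);
	decode_probe_ctrl(sample_malformed, sizeof sample_malformed, true, &fixed);
	printf("as sent: bmHint=0x%04x bFormatIndex=%u\n", raw.bmHint, raw.bFormatIndex);
	printf("fixed:   bmHint=0x%04x bFormatIndex=%u bFrameIndex=%u frame=%u bytes\n",
	       fixed.bmHint, fixed.bFormatIndex, fixed.bFrameIndex,
	       fixed.dwMaxVideoFrameSize);
	return 0;
}
```

Without the fix-up the decoder reads bFormatIndex = 1 from the malformed response, which is why every request for another format collapses back to the first one and set_fmt disagrees with try_fmt. Keying the correction on the device identity matters: the same bytes from a compliant device would carry a bmHint of 0x0200, which the spec does not allow, but a generic heuristic is still riskier than a quirk scoped to the hardware that is known to need it.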
UBUNTU: [Packaging] use ZSTD to compress s390 kernels
BugLink: https://bugs.launchpad.net/bugs/1931725
linux-next has ZSTD support for s390 arch now, cherry-pick those
commits and enable ZSTD compression for s390x like it was already done
on amd64.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Currently BOOT_HEAP_SIZE is always defined as 0x400000 due to
bogus condition. Use CONFIG_KERNEL_BZIP2 instead of
CONFIG_HAVE_KERNEL_BZIP2 to correct that.
BOOT_HEAP_SIZE of 0x10000 is still good enough for every decompressor
algorithm but bzip2. Actual decompressor memory usage with allyesconfig
is the following:
gzip 0xbc28
bzip2 0x379518
xz 0x7410
lzma 0x3e6c
lzo 0
lz4 0
Andrea Righi [Tue, 22 Jun 2021 07:46:48 +0000 (09:46 +0200)]
UBUNTU: SAUCE: selftests: icmp_redirect: support expected failures
According to a comment in commit 99513cfa16c6 ("selftest: Fixes for
icmp_redirect test") the test "IPv6: mtu exception plus redirect" is
expected to fail, because of a bug in the IPv6 logic that hasn't been
fixed yet apparently.
We should probably consider this failure as an "expected failure",
therefore change the script to return XFAIL for that particular test and
also report the total amount of expected failures at the end of the run.
Jakub Kicinski [Fri, 18 Jun 2021 20:34:06 +0000 (13:34 -0700)]
tls: prevent oversized sendfile() hangs by ignoring MSG_MORE
We got multiple reports that multi_chunk_sendfile test
case from tls selftest fails. This was sort of expected,
as the original fix was never applied (see it in the first
Link:). The test in question uses sendfile() with count
larger than the size of the underlying file. This will
make splice set MSG_MORE on all sendpage calls, meaning
TLS will never close and flush the last partial record.
Eric seems to have addressed a similar problem in
commit 35f9c09fe9c7 ("tcp: tcp_sendpages() should call tcp_push() once")
by introducing MSG_SENDPAGE_NOTLAST. Unlike MSG_MORE,
MSG_SENDPAGE_NOTLAST is not set on the last call
of a "pipefull" of data (PIPE_DEF_BUFFERS == 16,
so every 16 pages or whenever we run out of data).
Having a break every 16 pages should be fine, TLS
can pack exactly 4 pages into a record, so for
aligned reads there should be no difference,
unaligned may see one extra record per sendpage().
Sticking to TCP semantics seems preferable to modifying
splice, but we can revisit it if real life scenarios
show a regression.
Reported-by: Vadim Fedorenko <vfedorenko@novek.ru> Reported-by: Seth Forshee <seth.forshee@canonical.com> Link: https://lore.kernel.org/netdev/1591392508-14592-1-git-send-email-pooja.trivedi@stackpath.com/ Fixes: 3c4d7559159b ("tls: kernel TLS support") Signed-off-by: Jakub Kicinski <kuba@kernel.org> Tested-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit d452d48b9f8b1a7f8152d33ef52cfd7fe1735b0a linux-next) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
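A simplified model of the behaviour described in the commit message, as an added C example rather than kernel code: it replays sendfile() over a kTLS socket as splice rounds of PIPE_DEF_BUFFERS pages, sets MSG_MORE and MSG_SENDPAGE_NOTLAST the way the text describes, and counts the TLS records that reach TCP, once with TLS honouring MSG_MORE (before the fix) and once ignoring it (after). The 4 KiB page, the 4-page record payload and the flag bit values are assumptions of the model, not values read from kernel headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model parameters (assumptions of this simulation, not kernel constants):
 * 4 KiB pages, 16 pages per splice round, and a TLS record that holds
 * exactly 4 pages of payload, as the text above states. */
#define PAGE_BYTES        4096u
#define PIPE_DEF_BUFFERS  16u
#define TLS_RECORD_BYTES  (4u * PAGE_BYTES)

/* Stand-ins for the two flags; the real bit values do not matter here. */
#define F_MSG_MORE             0x1u
#define F_MSG_SENDPAGE_NOTLAST 0x2u

struct tls_sender {
	size_t   pending;        /* payload in the open, not yet pushed record */
	unsigned records;        /* records pushed down to TCP */
	unsigned keep_open_mask; /* flags that let a partial record stay open */
};

/* Model of the kTLS sendpage path: fill the open record, push it whenever it
 * is full, and afterwards push a partial record unless a flag in the
 * sender's mask says more data is coming. */
static void tls_sendpage(struct tls_sender *t, size_t len, unsigned flags)
{
	while (len > 0) {
		size_t room = TLS_RECORD_BYTES - t->pending;
		size_t take = len < room ? len : room;

		t->pending += take;
		len -= take;
		if (t->pending == TLS_RECORD_BYTES) {
			t->records++;
			t->pending = 0;
		}
	}
	if (t->pending > 0 && !(flags & t->keep_open_mask)) {
		t->records++;
		t->pending = 0;
	}
}

struct sendfile_result {
	unsigned records;   /* TLS records that reached TCP */
	size_t   unflushed; /* bytes left in an open record when the data ran out */
	bool     hangs;     /* unflushed > 0: the peer never receives the tail */
};

/* Model of sendfile(sock, file, NULL, count) on a kTLS socket. splice moves
 * up to PIPE_DEF_BUFFERS pages per round; MSG_MORE is set while fewer than
 * `count` bytes have been handed over (so with count > file size it is set on
 * every call), and MSG_SENDPAGE_NOTLAST is set on every page of a round
 * except the last. With `before_fix` TLS honours MSG_MORE as well as
 * MSG_SENDPAGE_NOTLAST; after the fix only MSG_SENDPAGE_NOTLAST counts. */
static struct sendfile_result simulate_sendfile(size_t file_len, size_t count,
						bool before_fix)
{
	struct tls_sender t = { 0, 0, before_fix ? (F_MSG_MORE | F_MSG_SENDPAGE_NOTLAST)
					       : F_MSG_SENDPAGE_NOTLAST };
	size_t remaining = file_len < count ? file_len : count;
	size_t sent = 0;

	while (remaining > 0) {
		size_t round_max = PIPE_DEF_BUFFERS * PAGE_BYTES;
		size_t round_left = remaining < round_max ? remaining : round_max;

		while (round_left > 0) {
			size_t len = round_left < PAGE_BYTES ? round_left : PAGE_BYTES;
			unsigned flags = 0;

			if (sent + len < count)
				flags |= F_MSG_MORE;
			if (round_left > len)
				flags |= F_MSG_SENDPAGE_NOTLAST;
			tls_sendpage(&t, len, flags);
			sent += len;
			round_left -= len;
			remaining -= len;
		}
	}
	struct sendfile_result r = { t.records, t.pending, t.pending > 0 };
	return r;
}

int main(void)
{
	/* 16 pages plus 1 KiB of file; sendfile() asked for twice that much. */
	struct sendfile_result old = simulate_sendfile(65536 + 1024, 131072, true);
	struct sendfile_result fixed = simulate_sendfile(65536 + 1024, 131072, false);

	printf("before fix: %u records, %zu bytes stuck, hangs=%d\n",
	       old.records, old.unflushed, (int)old.hangs);
	printf("after fix:  %u records, %zu bytes stuck, hangs=%d\n",
	       fixed.records, fixed.unflushed, (int)fixed.hangs);
	return 0;
}
```

Run as is, the model reproduces the two points in the message: with a file that is not a multiple of the record size and a count larger than the file, the pre-fix sender ends with 1024 bytes parked in an open record that nothing will ever close, while the post-fix sender flushes it because the last page of the round carries no MSG_SENDPAGE_NOTLAST. For a file that is an exact multiple of 16 KiB both variants emit the same four records, which is the "aligned reads see no difference" case.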
BugLink: https://bugs.launchpad.net/bugs/1912789
Encountered the errors below; prefer 'help' over '---help---' for new help texts
ubuntu/Kconfig:7: syntax error
ubuntu/Kconfig:6: unknown statement "---help---"
ubuntu/Kconfig:7: unknown statement "Turn"
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Stefan Bader [Fri, 11 Jun 2021 10:01:30 +0000 (18:01 +0800)]
UBUNTU: [Packaging] Fix ODM support in actual build
BugLink: https://bugs.launchpad.net/bugs/1912789
The config update was working with the conditional entry but the actual
build is different and was just ignoring everything.
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
(cherry picked from commit 198971108d5dfe12b9846bf0d115accc3d1c3fe8
focal) Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Stefan Bader [Fri, 11 Jun 2021 10:01:29 +0000 (18:01 +0800)]
UBUNTU: [Packaging] Turn on ODM support for amd64
BugLink: https://bugs.launchpad.net/1912789
Now there is the support in place let us turn this on for amd64. This is
added as enabled generally in the config because otherwise updating the
config for drivers depending on it would not work. It is changed at
build time for arches which have not enabled it. Also it will
automatically go away for backports.
Signed-off-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
(backported from commit 4aeffc246531a666c1fad1925ebf1a6e68a704e4 focal) Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Stefan Bader [Fri, 11 Jun 2021 10:01:28 +0000 (18:01 +0800)]
UBUNTU: [Packaging] Add support for ODM drivers
BugLink: https://bugs.launchpad.net/bugs/1912789
We want to be able to selectively turn on ODM driver support for those
kernels/arches we have to but otherwise not inherit this to other
derivatives. This is done by a new config option which we will have to
depend on in the new drivers config options. Support is toggled by
changing a makefile rule variable. The new config option will be hidden
as long as not at least one of the arches supported turns on the rule
variable.
Signed-off-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
(cherry picked from commit 4aeffc246531a666c1fad1925ebf1a6e68a704e4
focal) Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Kunyang_Fan [Wed, 16 Jun 2021 05:56:58 +0000 (13:56 +0800)]
UBUNTU: ODM: mfd: Add support for IO functions of AAEON devices
BugLink: https://bugs.launchpad.net/bugs/1929504
This adds support for multiple IO functions of the
AAEON x86 devices and makes use of the WMI interface to
control these IO devices including:
- GPIO
- LED
- Watchdog
- HWMON
It also adds the mfd child device drivers to support
the above IO functions.
Signed-off-by: Kunyang_Fan <kunyang_fan@asus.com> Review-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Review-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Kunyang_Fan [Wed, 16 Jun 2021 05:57:01 +0000 (13:57 +0800)]
UBUNTU: ODM: hwmon: add driver for AAEON devices
BugLink: https://bugs.launchpad.net/bugs/1929504
This refactor patch adds support for the hwmon information
which is transported to userspace through the ASUS WMI interface.
Signed-off-by: Kunyang_Fan <kunyang_fan@asus.com> Review-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Review-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: [Packaging]: Add kernel command line condition to hv-kvp-daemon service
linux-cloud-tools-common ships a service for hyper-v hypervisor. It is
known to be prohibited on certain instance types. Add a kernel command
line condition to skip starting this service there.
BugLink: https://bugs.launchpad.net/bugs/1932081 Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
cc: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Seth Forshee [Thu, 17 Jun 2021 19:48:08 +0000 (14:48 -0500)]
UBUNTU: SAUCE: Revert "net/tls(TLS_SW): Add selftest for 'chunked' sendfile test"
This reverts commit 0e6fbe39bdf71b4e665767bcbf53567a3e6d0623. Based
on the commit message, this commit was added to demonstrate a problem
with sendfile when using ktls, but there's no indication that this
problem has ever been fixed. I'm inquiring about this upstream [1],
but in the meantime let's remove this test as it looks like it's
expected to fail.
Seth Forshee [Mon, 14 Jun 2021 12:22:48 +0000 (07:22 -0500)]
UBUNTU: [Config] enable signing for ppc64el
A bug in 5.13 is preventing IBM from testing secure boot. They will
provide a fix, and we will need to provide a new signed kernel build
for them to test. Thus we must re-enable signing.
Seth Forshee [Mon, 14 Jun 2021 12:08:19 +0000 (07:08 -0500)]
UBUNTU: [Config] use ZSTD to compress amd64 kernels
BugLink: https://bugs.launchpad.net/bugs/1931725
Testing shows that while LZ4 decompresses faster than ZSTD, ZSTD
compresses much better, and the decreased load time for the smaller
kernel image more than makes up for the slower decompression. Switch
to ZSTD for kernel compression on amd64, which is the only arch which
currently supports it.
Seth Forshee [Tue, 1 Jun 2021 13:26:19 +0000 (08:26 -0500)]
UBUNTU: [Debian] remove nvidia dkms build support
We no longer need to generate signatures for nvidia modules during our
kernel build, as they are signed using the ubuntu drivers key. Remove
support for building the nvidia modules.
We must still keep the dkms-build--* scripts for now, as our tooling
currently syncs these scripts from the kernel tree into
linux-restricted-modules.
Seth Forshee [Wed, 2 Jun 2021 20:16:14 +0000 (15:16 -0500)]
UBUNTU: [Debian] exclude $(DEBIAN)/__abi.current from linux-source
BugLink: https://bugs.launchpad.net/bugs/1930713
Previously install-source ran before the flavour install, but that is
no longer the case. As a result the __abi.current directory ends up
in the linux-source package. Explicitly exclude it when installing
files for linux-source.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com>
Seth Forshee [Tue, 1 Jun 2021 15:36:03 +0000 (10:36 -0500)]
UBUNTU: [Debian] dkms-build -- use fakeroot if not running as root
BugLink: https://bugs.launchpad.net/bugs/1930713
Some dkms builds require running as root, or at least the illusion of
doing so. However we need to do dkms builds before deleting the
flavour build directory in order to sign the modules, and this may
happen without fakeroot. Detect whether or not dkms-build has been
invoked as root, and if not use fakeroot to do the dkms build.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com>
Seth Forshee [Thu, 20 May 2021 21:15:13 +0000 (16:15 -0500)]
UBUNTU: [Debian] run install-$(flavour) targets during build phase
BugLink: https://bugs.launchpad.net/bugs/1930713
Move installation of files from the flavour build directories to the
build phase. This results in cleaning up of one flavour build
directory before starting the build of the next flavour, significantly
reducing the amount of space needed on builders.
Note that this will result in incorrect ownership of files in cases
where the build and binary phases of building packages are run
separately. This will be addressed in a later commit.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com>
Seth Forshee [Thu, 20 May 2021 20:32:25 +0000 (15:32 -0500)]
UBUNTU: [Debian] use stamps for flavour install targets
BugLink: https://bugs.launchpad.net/bugs/1930713
In preparation for moving installation of files from the flavour
build directories over to the build phase, convert relevant install-*
targets to use stamps.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Andy Whitcroft <apw@canonical.com>
Install the kvm_stat systemd service in linux-host-tools package,
disabled by default. The service logs KVM kernel module trace events to
/var/log/kvm_stat.csv.
This tool is useful for observing guest behavior from the host
perspective. Often conclusions about performance or buggy behavior can
be drawn from the output.
BugLink: https://bugs.launchpad.net/bugs/1921870 Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
UBUNTU: [Packaging] Build and include GDB Python scripts into debug packages
The kernel comes with useful GDB debugging scripts/commands (enabled
with CONFIG_GDB_SCRIPTS), however these are built either with "all" make
target or with "scripts_gdb". Build these in
"$(stampdir)/stamp-build-%" target and package in "install-%" under
/usr/share/gdb/auto-load.
BugLink: https://bugs.launchpad.net/bugs/1928715 Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1920180 Signed-off-by: Alex Hung <alex.hung@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Kai-Heng Feng [Fri, 21 May 2021 13:07:18 +0000 (21:07 +0800)]
vgaarb: Use ACPI HID name to find integrated GPU
BugLink: https://bugs.launchpad.net/bugs/1929217
Commit 3d42f1ddc47a ("vgaarb: Keep adding VGA device in queue") assumes
the first device is an integrated GPU. However, on AMD platforms an
integrated GPU can have higher PCI device number than a discrete GPU.
Integrated GPU on ACPI platform generally has _DOD and _DOS method, so
use that as predicate to find integrated GPU. If the new strategy
doesn't work, fallback to use the first device as boot VGA.
Kai-Heng Feng [Wed, 19 May 2021 11:59:01 +0000 (19:59 +0800)]
Bluetooth: Shutdown controller after workqueues are flushed or cancelled
BugLink: https://bugs.launchpad.net/bugs/1928838
Rfkill block and unblock Intel USB Bluetooth [8087:0026] may make it
stop working:
[ 509.691509] Bluetooth: hci0: HCI reset during shutdown failed
[ 514.897584] Bluetooth: hci0: MSFT filter_enable is already on
[ 530.044751] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
[ 545.660350] usb 3-10: device descriptor read/64, error -110
[ 561.283530] usb 3-10: device descriptor read/64, error -110
[ 561.519682] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
[ 566.686650] Bluetooth: hci0: unexpected event for opcode 0x0500
[ 568.752452] Bluetooth: hci0: urb 0000000096cd309b failed to resubmit (113)
[ 578.797955] Bluetooth: hci0: Failed to read MSFT supported features (-110)
[ 586.286565] Bluetooth: hci0: urb 00000000c522f633 failed to resubmit (113)
[ 596.215302] Bluetooth: hci0: Failed to read MSFT supported features (-110)
BugLink: https://bugs.launchpad.net/bugs/1921632
The soundwire audio driver in the kernel could work on some Dell cml
machines, so enable the machine driver and some needed codec driver.
Signed-off-by: Hui Wang <hui.wang@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Andrea Righi [Mon, 31 May 2021 10:02:50 +0000 (12:02 +0200)]
UBUNTU: [Config] set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
This option will disable unprivileged BPF by default. It can be re-enabled,
though, as it uses the new value 2 for the kernel.unprivileged_bpf_disabled
sysctl. That value disables it, but allows the sysctl knob to be set back
to 0.
This allows sysadmins to enable unprivileged BPF back by using sysctl
config files.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Seth Forshee [Wed, 19 May 2021 15:21:20 +0000 (10:21 -0500)]
UBUNTU: [Config] Temporarily disable signing for ppc64el and s390x
We're awaiting testing of lockdown under secureboot on these
architectures. Disable signing in the meantime to allow putting
linux-unstable into -proposed.
UBUNTU: SAUCE: integrity: add informational messages when revoking certs
integrity_load_cert() prints messages of the source and cert details
when adding certs as trusted. Mirror those messages in
uefi_revocation_list_x509() when adding certs as revoked.
UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
Refactor load_moklist_certs() to load either MokListRT into db, or
MokListXRT into dbx. Call load_moklist_certs() twice - first to load
mokx certs into dbx, then mok certs into db.
This thus now attempts to load mokx certs via the EFI MOKvar config
table first, and if that fails, via the EFI variable. Previously mokx
certs were only loaded via the EFI variable, which fails when
MokListXRT is large. Instead of large MokListXRT variable, only
MokListXRT{1,2,3} are available which are not loaded. This is the case
with Ubuntu's 15.4 based shim. This patch is required to address
CVE-2020-26541 when certificates are revoked via MokListXRT.
Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring") BugLink: https://bugs.launchpad.net/bugs/1928679 Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
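The MokListXRT (and MokListRT) data this commit loads is a chain of EFI_SIGNATURE_LIST structures, the same format as db/dbx. The parser below is an added user-space C example, not the kernel's integrity code: it walks such a blob with bounds checks on every size field and counts the X.509 certificates and SHA-256 hashes it carries, which is a quick way to confirm that a revocation list is large enough to have been split by shim. The GUID byte orders follow the UEFI specification; the sample blob is constructed in the code, and the efivarfs reading in the usage note assumes the split chunks are concatenated in numeric order.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_SIGNATURE_LIST header: SignatureType GUID, then SignatureListSize,
 * SignatureHeaderSize and SignatureSize as little-endian UINT32. Each
 * EFI_SIGNATURE_DATA entry opens with a 16-byte SignatureOwner GUID. */
#define SIGLIST_HDR_LEN 28
#define SIG_OWNER_LEN   16

/* Signature-type GUIDs in their on-disk (mixed-endian) byte order. */
static const uint8_t EFI_CERT_X509_GUID[16] = {
	0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
	0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
static const uint8_t EFI_CERT_SHA256_GUID[16] = {
	0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
	0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

struct mok_summary {
	unsigned lists, x509_certs, sha256_hashes, other_entries;
	bool malformed; /* walk stopped early: a size field did not fit the blob */
};

/* Walk the EFI_SIGNATURE_LIST chain in a MokListXRT (or MokListRT) blob and
 * count entries by type. The sizes come from NVRAM, so each one is checked
 * against the remaining blob before it is trusted. */
static struct mok_summary parse_sig_lists(const uint8_t *blob, size_t len)
{
	struct mok_summary s = { 0 };
	size_t off = 0;
	while (len - off >= SIGLIST_HDR_LEN) {
		const uint8_t *hdr = blob + off;
		uint32_t list_size = rd_le32(hdr + 16), hdr_size = rd_le32(hdr + 20);
		uint32_t sig_size = rd_le32(hdr + 24), body, n;
		if (list_size < SIGLIST_HDR_LEN || list_size > len - off ||
		    hdr_size > list_size - SIGLIST_HDR_LEN || sig_size <= SIG_OWNER_LEN)
			break;
		body = list_size - SIGLIST_HDR_LEN - hdr_size;
		if (body % sig_size)
			break;
		n = body / sig_size;
		if (!memcmp(hdr, EFI_CERT_X509_GUID, 16))
			s.x509_certs += n;
		else if (!memcmp(hdr, EFI_CERT_SHA256_GUID, 16))
			s.sha256_hashes += n;
		else
			s.other_entries += n;
		s.lists++;
		off += list_size;
	}
	s.malformed = off != len;
	return s;
}

/* Append one list of `count` entries, each `entry_len` bytes including the
 * owner GUID, entry bytes set to `fill`. Returns the new end offset, or 0
 * if the list does not fit in `cap`. */
static size_t append_list(uint8_t *buf, size_t cap, size_t off,
			  const uint8_t type[16], unsigned count,
			  uint32_t entry_len, uint8_t fill)
{
	size_t list_size = SIGLIST_HDR_LEN + (size_t)count * entry_len;
	if (off + list_size > cap)
		return 0;
	memcpy(buf + off, type, 16);
	wr_le32(buf + off + 16, (uint32_t)list_size);
	wr_le32(buf + off + 20, 0); /* no SignatureHeader */
	wr_le32(buf + off + 24, entry_len);
	memset(buf + off + SIGLIST_HDR_LEN, fill, list_size - SIGLIST_HDR_LEN);
	return off + list_size;
}

/* Constructed sample (not a real MokListXRT): one X.509 list whose single
 * entry holds an 8-byte stand-in for a DER certificate, then a SHA-256 list
 * with two hashes. Returns the blob length, 176 bytes. */
static size_t build_sample_blob(uint8_t *buf, size_t cap)
{
	size_t off = append_list(buf, cap, 0, EFI_CERT_X509_GUID, 1, SIG_OWNER_LEN + 8, 0xde);
	return off ? append_list(buf, cap, off, EFI_CERT_SHA256_GUID, 2, SIG_OWNER_LEN + 32, 0xab) : 0;
}

int main(void)
{
	static uint8_t blob[1 << 16];
	size_t len = fread(blob, 1, sizeof blob, stdin); /* efivars data on stdin */
	if (len == 0)
		len = build_sample_blob(blob, sizeof blob); /* fall back to the sample */
	struct mok_summary s = parse_sig_lists(blob, len);
	printf("%u lists: %u X.509 certs, %u SHA-256 hashes, %u other%s\n",
	       s.lists, s.x509_certs, s.sha256_hashes, s.other_entries,
	       s.malformed ? " (malformed tail)" : "");
	return 0;
}
```

To run it against a live system, feed it the variable contents with the four-byte efivarfs attribute prefix removed, for example `tail -c +5 /sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23 | ./mokparse` (605dab50-e046-4300-abb6-3dd810dd8b23 is shim's vendor GUID). When only the split MokListXRT1, MokListXRT2 and MokListXRT3 variables exist, which is the situation the commit addresses, run the same `tail -c +5` over each in that order and pipe the concatenation in; that ordering is an assumption of this example. A result with no X.509 certificates and no SHA-256 hashes on a machine whose shim carries the dbx revocations is exactly the symptom the commit fixes on the kernel side.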