Wily SRU - Enforce signed modules in UEFI secure boot
Tim Gardner
tim.gardner at canonical.com
Thu Apr 28 16:34:00 UTC 2016
Attached is a pull request that enforces signed modules in UEFI secure
boot mode.
http://bugs.launchpad.net/bugs/1566221
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
https://blueprints.launchpad.net/ubuntu/+spec/foundations-x-installing-unsigned-secureboot
rtg
--
Tim Gardner tim.gardner at canonical.com
-------------- next part --------------
The following changes since commit 70a2a0336a6e99ce4f81563226b049cc8167a508:

  Input: gtco - fix crash on detecting device without endpoints (2016-04-27 10:15:08 -0700)

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-wily.git enforce-signed-modules

for you to fetch changes up to 56ad27dfacf72d764d915c5a36e89b5d82c58786:

  UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled (2016-04-28 10:20:00 -0600)

----------------------------------------------------------------
Josh Boyer (4):
      UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
      UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
      UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
      UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode

Matthew Garrett (9):
      UBUNTU: SAUCE: UEFI: Add secure_modules() call
      UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
      UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
      UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method
      UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted
      UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted
      UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions
      UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
      UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode

Tim Gardner (2):
      UBUNTU: [Config] UEFI: CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
      UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled

Documentation/x86/zero-page.txt | 2 ++
arch/x86/Kconfig | 11 +++++++++++
arch/x86/boot/compressed/eboot.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
arch/x86/kernel/ioport.c | 5 +++--
arch/x86/kernel/msr.c | 7 +++++++
arch/x86/kernel/setup.c | 12 ++++++++++++
debian.master/config/config.common.ubuntu | 1 +
drivers/acpi/custom_method.c | 3 +++
drivers/acpi/osl.c | 3 ++-
drivers/char/mem.c | 10 ++++++++++
drivers/pci/pci-sysfs.c | 10 ++++++++++
drivers/pci/proc.c | 8 +++++++-
drivers/pci/syscall.c | 3 ++-
drivers/platform/x86/asus-wmi.c | 9 +++++++++
include/linux/efi.h | 9 +++++++++
include/linux/module.h | 12 ++++++++++++
init/Kconfig | 9 +++++++++
kernel/Makefile | 3 +++
kernel/kexec.c | 3 ++-
kernel/modsign_uefi.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
kernel/module.c | 17 +++++++++++++++++
22 files changed, 280 insertions(+), 7 deletions(-)
create mode 100644 kernel/modsign_uefi.c