LTS-Utopic SRU - Enforce signed modules in UEFI secure boot
Tim Gardner
tim.gardner at canonical.com
Thu Apr 28 21:05:35 UTC 2016
Attached is a pull request that enforces signed modules in a UEFI secure
boot mode.
http://bugs.launchpad.net/bugs/1566221
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
https://blueprints.launchpad.net/ubuntu/+spec/foundations-x-installing-unsigned-secureboot
rtg
--
Tim Gardner tim.gardner at canonical.com
-------------- next part --------------
The following changes since commit 4a40532b8bc53d0e1cafc0c8daf0f00123e3b3a8:

  UBUNTU: Ubuntu-lts-3.16.0-70.90~14.04.1 (2016-04-06 09:41:14 -0700)

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-trusty.git lts-backport-utopic-enforce-signed-modules

for you to fetch changes up to cc536c76aa141cd6c64ed0af88ae65850f387657:

  UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled (2016-04-28 15:01:52 -0600)

----------------------------------------------------------------
Josh Boyer (4):
      UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
      UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
      UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
      UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode

Matthew Garrett (9):
      UBUNTU: SAUCE: UEFI: Add secure_modules() call
      UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
      UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
      UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method
      UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted
      UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted
      UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions
      UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
      UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode

Tim Gardner (2):
      UBUNTU: UEFI: [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
      UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled

 Documentation/x86/zero-page.txt           |  2 +
 arch/x86/Kconfig                          | 11 ++++
 arch/x86/boot/compressed/eboot.c          | 55 ++++++++++++++++++
 arch/x86/include/uapi/asm/bootparam.h     |  3 +-
 arch/x86/kernel/ioport.c                  |  5 +-
 arch/x86/kernel/msr.c                     |  7 +++
 arch/x86/kernel/setup.c                   | 12 ++++
 debian.master/config/config.common.ubuntu |  2 +
 debian.utopic/config/config.common.ubuntu |  1 +
 drivers/acpi/custom_method.c              |  3 +
 drivers/acpi/osl.c                        |  3 +-
 drivers/char/mem.c                        | 10 ++++
 drivers/pci/pci-sysfs.c                   | 10 ++++
 drivers/pci/proc.c                        |  8 ++-
 drivers/pci/syscall.c                     |  3 +-
 drivers/platform/x86/asus-wmi.c           |  9 +++
 include/linux/efi.h                       | 10 ++++
 include/linux/module.h                    | 13 +++++
 init/Kconfig                              |  9 +++
 kernel/Makefile                           |  3 +
 kernel/kexec.c                            |  3 +-
 kernel/modsign_uefi.c                     | 92 +++++++++++++++++++++++++++++++
 kernel/module.c                           | 17 ++++++
 23 files changed, 284 insertions(+), 7 deletions(-)
 create mode 100644 kernel/modsign_uefi.c