Trusty SRU - Enforce signed modules in UEFI secure boot
Tim Gardner
tim.gardner at canonical.com
Tue May 3 13:14:31 UTC 2016
Attached is a pull request that enforces signed modules in a UEFI secure
boot mode.
http://bugs.launchpad.net/bugs/1566221
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
https://blueprints.launchpad.net/ubuntu/+spec/foundations-x-installing-unsigned-secureboot
rtg
--
Tim Gardner tim.gardner at canonical.com
-------------- next part --------------
The following changes since commit e4bab2a131f639e382f400a979663f417cdac0c6:

  atl2: Disable unimplemented scatter/gather feature (2016-05-02 08:58:04 -0700)

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-trusty.git enforce-signed-modules

for you to fetch changes up to 259e07305d3c4f1e5e1128e558961fd8e0f60bf3:

  UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled (2016-05-03 07:11:53 -0600)

----------------------------------------------------------------
Josh Boyer (4):
      UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
      UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
      UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
      UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode

Matt Fleming (2):
      efi: Add separate 32-bit/64-bit definitions
      x86/efi: Build our own EFI services pointer table

Matthew Garrett (9):
      UBUNTU: SAUCE: UEFI: Add secure_modules() call
      UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
      UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
      UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method
      UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted
      UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted
      UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions
      UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
      UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode

Tim Gardner (2):
      UBUNTU: UEFI: [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
      UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled

 Documentation/x86/zero-page.txt           |   2 +
 arch/x86/Kconfig                          |  11 +
 arch/x86/boot/compressed/eboot.c          | 374 +++++++++++++++++++++++-------
 arch/x86/boot/compressed/eboot.h          |  60 +++++
 arch/x86/boot/compressed/head_32.S        |  48 +++-
 arch/x86/boot/compressed/head_64.S        |  57 ++++-
 arch/x86/include/uapi/asm/bootparam.h     |   3 +-
 arch/x86/kernel/ioport.c                  |   5 +-
 arch/x86/kernel/msr.c                     |   7 +
 arch/x86/kernel/setup.c                   |  11 +
 debian.master/config/config.common.ubuntu |   1 +
 drivers/acpi/custom_method.c              |   3 +
 drivers/acpi/osl.c                        |   3 +-
 drivers/char/mem.c                        |  10 +
 drivers/firmware/efi/efi-stub-helper.c    | 148 +++---------
 drivers/pci/pci-sysfs.c                   |  10 +
 drivers/pci/proc.c                        |   8 +-
 drivers/pci/syscall.c                     |   3 +-
 drivers/platform/x86/asus-wmi.c           |   9 +
 include/linux/efi.h                       | 262 +++++++++++++++++++++
 include/linux/module.h                    |  13 ++
 init/Kconfig                              |   9 +
 kernel/Makefile                           |   3 +
 kernel/kexec.c                            |   3 +-
 kernel/modsign_uefi.c                     |  92 ++++++++
 kernel/module.c                           |  17 ++
 26 files changed, 954 insertions(+), 218 deletions(-)
 create mode 100644 kernel/modsign_uefi.c