author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 10:15:42 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 10:15:42 +0000 |
commit | db196cd484f21495b246f9381e70d225e8a5212e (patch) | |
tree | 4ccef5191aa34d62d8f385644be6e2dff0c8dea7 /debian/patches/features | |
parent | Merging upstream version 6.1.85. (diff) | |
Adding debian version 6.1.85-1. (tag: debian/6.1.85-1)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/features')
-rw-r--r-- | debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch | 40 | ||||
-rw-r--r-- | debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch | 22 |
2 files changed, 26 insertions, 36 deletions
diff --git a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index 9ec425871..68255cb01 100644
--- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -24,20 +24,18 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org> security/lockdown/lockdown.c | 2 +- 5 files changed, 27 insertions(+), 3 deletions(-)
-Index: debian-kernel/arch/x86/kernel/setup.c
-===================================================================
---- debian-kernel.orig/arch/x86/kernel/setup.c
-+++ debian-kernel/arch/x86/kernel/setup.c
-@@ -979,6 +979,8 @@ void __init setup_arch(char **cmdline_p)
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1031,6 +1031,8 @@ void __init setup_arch(char **cmdline_p) if (efi_enabled(EFI_BOOT)) efi_init(); + efi_set_secure_boot(boot_params.secure_boot); + - dmi_setup(); + x86_init.resources.dmi_setup(); /*
-@@ -1130,8 +1132,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1200,8 +1202,6 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1);
@@ -46,10 +44,8 @@ Index: debian-kernel/arch/x86/kernel/setup.c reserve_initrd(); acpi_table_upgrade();
-Index: debian-kernel/drivers/firmware/efi/secureboot.c
-===================================================================
---- debian-kernel.orig/drivers/firmware/efi/secureboot.c
-+++ debian-kernel/drivers/firmware/efi/secureboot.c
+--- a/drivers/firmware/efi/secureboot.c
++++ b/drivers/firmware/efi/secureboot.c
 @@ -15,6 +15,7 @@ #include <linux/efi.h> #include <linux/kernel.h>
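Review bot: The context refresh keeps `efi_set_secure_boot(boot_params.secure_boot);` immediately after `efi_init()` and, as far as the hunk shows, outside the `if (efi_enabled(EFI_BOOT))` guard, yet nothing at the call site records why lockdown has to be decided this early in setup_arch() or that a non-EFI boot is harmless here. The second hunk removes two lines just ahead of `reserve_initrd()` and `acpi_table_upgrade()`, presumably the old call site, and acpi_table_upgrade() is one of the things lockdown gates (LOCKDOWN_ACPI_TABLES, if I recall upstream correctly), so the ordering is load-bearing and a later rebase could silently move the call past that point. A why-comment above the call would pin it: `/* Decide lockdown before anything it gates runs, e.g. acpi_table_upgrade(); a non-EFI boot leaves secure_boot unset and is a no-op here. */`. The no-op claim rests on the `default:` arm of efi_set_secure_boot(), whose body begins at the top of the next hunk, so confirm it before committing to that wording. setup_arch() starts and ends outside the hunk, and the `dmi_setup()` to `x86_init.resources.dmi_setup()` context change only tracks upstream 6.1.85.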
@@ -69,11 +65,9 @@ Index: debian-kernel/drivers/firmware/efi/secureboot.c pr_info("Secure boot enabled\n"); break; default:
-Index: debian-kernel/include/linux/security.h
-===================================================================
---- debian-kernel.orig/include/linux/security.h
-+++ debian-kernel/include/linux/security.h
-@@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct i
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -481,6 +481,7 @@ int security_inode_notifysecctx(struct i int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what);
@@ -81,7 +75,7 @@ Index: debian-kernel/include/linux/security.h #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1291,6 +1292,11 @@ static inline int security_locked_down(e
+@@ -1381,6 +1382,11 @@ static inline int security_locked_down(e { return 0; }
@@ -93,10 +87,8 @@ Index: debian-kernel/include/linux/security.h #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
-Index: debian-kernel/security/lockdown/Kconfig
-===================================================================
---- debian-kernel.orig/security/lockdown/Kconfig
-+++ debian-kernel/security/lockdown/Kconfig
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
 @@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI disabled.
@@ -116,10 +108,8 @@ Index: debian-kernel/security/lockdown/Kconfig + + Enabling this option results in kernel lockdown being + triggered in integrity mode if EFI Secure Boot is set.
-Index: debian-kernel/security/lockdown/lockdown.c
-===================================================================
---- debian-kernel.orig/security/lockdown/lockdown.c
-+++ debian-kernel/security/lockdown/lockdown.c
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
 @@ -23,7 +23,7 @@ static const enum lockdown_reason lockdo /* * Put the kernel into lock-down mode.
diff --git a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
index 44dd25261..78f407896 100644
--- a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
+++ b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
@@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -5768,6 +5768,10 @@
+@@ -6160,6 +6160,10 @@ later by a loaded module cannot be set this way. Example: sysctl.vm.swappiness=40
@@ -42,7 +42,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk> on older distributions. When this option is enabled
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -2865,6 +2865,14 @@ config COMPAT_32
+@@ -2997,6 +2997,14 @@ config COMPAT_32 select HAVE_UID16 select OLD_SIGSUSPEND3
@@ -59,14 +59,14 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk> depends on IA32_EMULATION || X86_X32_ABI
 --- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
-@@ -62,7 +62,7 @@ static __always_inline bool do_syscall_x
+@@ -63,7 +63,7 @@ static __always_inline bool do_syscall_x */ unsigned int xnr = nr - __X32_SYSCALL_BIT; - if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) { + if (IS_ENABLED(CONFIG_X86_X32_ABI) && unlikely(x32_enabled) && likely(xnr < X32_NR_syscalls)) { xnr = array_index_nospec(xnr, X32_NR_syscalls); - regs->ax = x32_sys_call_table[xnr](regs); + regs->ax = x32_sys_call(regs, xnr); return true;
 --- a/arch/x86/entry/syscall_x32.c
 +++ b/arch/x86/entry/syscall_x32.c
@@ -80,9 +80,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk> #include <linux/syscalls.h> #include <asm/syscall.h>
-@@ -16,3 +19,46 @@
- asmlinkage const sys_call_ptr_t x32_sys_call_table[] = {
- #include <asm/syscalls_x32.h>
+@@ -20,3 +23,46 @@ long x32_sys_call(const struct pt_regs * + default: return __x64_sys_ni_syscall(regs); + } }; + +/* Maybe enable x32 syscalls */
@@ -139,7 +139,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk> typedef unsigned long elf_greg_t;
-@@ -161,7 +164,8 @@ do { \
+@@ -150,7 +153,8 @@ do { \ #define compat_elf_check_arch(x) \ (elf_check_arch_ia32(x) || \
@@ -159,9 +159,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk> #include <asm/thread_info.h> /* for TS_COMPAT */ #include <asm/unistd.h>
-@@ -30,6 +31,18 @@ extern const sys_call_ptr_t ia32_sys_cal
- extern const sys_call_ptr_t x32_sys_call_table[];
- #endif
+@@ -28,6 +29,18 @@ extern long ia32_sys_call(const struct p
+ extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
+ extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
 +#if defined(CONFIG_X86_X32_ABI)
 +#if defined(CONFIG_X86_X32_DISABLED) |
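Review bot: With the refreshed context line `regs->ax = x32_sys_call(regs, xnr);` replacing the `x32_sys_call_table[xnr](regs)` indirect call, `unlikely(x32_enabled)` in do_syscall_x32() is now the only runtime gate between a `syscall.x32=false` kernel and upstream's switch-based dispatcher, but the patch header (outside these hunks) carries no note of that refresh. Add a bracketed line there such as `[Refreshed for 6.1.85: x32 syscalls are dispatched through x32_sys_call() rather than x32_sys_call_table[]]` so a later rebase does not reintroduce the table and lose the gate. The `array_index_nospec()` on the preceding line is upstream's and still earns its keep, since `xnr` is what selects the switch arm. The Debian block appended after the dispatcher in syscall_x32.c still opens with the vague `/* Maybe enable x32 syscalls */`; `/* Runtime gate for the x32 ABI (CONFIG_X86_X32_DISABLED): defines x32_enabled, consulted by do_syscall_x32() */` says what it is for, and the elf.h hunk suggests compat_elf_check_arch() consults it as well, though its changed lines are outside this view. do_syscall_x32() starts before the hunk, and the syscall.h hunk ends mid-`#if defined(CONFIG_X86_X32_DISABLED)`, so the definition of x32_enabled itself is not visible here.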