-rw-r--r--debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch40
-rw-r--r--debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch22
2 files changed, 26 insertions, 36 deletions
diff --git a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index 9ec425871..68255cb01 100644
--- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -24,20 +24,18 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
security/lockdown/lockdown.c | 2 +-
5 files changed, 27 insertions(+), 3 deletions(-)
-Index: debian-kernel/arch/x86/kernel/setup.c
-===================================================================
---- debian-kernel.orig/arch/x86/kernel/setup.c
-+++ debian-kernel/arch/x86/kernel/setup.c
-@@ -979,6 +979,8 @@ void __init setup_arch(char **cmdline_p)
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1031,6 +1031,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
- dmi_setup();
+ x86_init.resources.dmi_setup();
/*
-@@ -1130,8 +1132,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1200,8 +1202,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
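Review bot: The added `efi_set_secure_boot(boot_params.secure_boot);` line sits after the single-statement body of `if (efi_enabled(EFI_BOOT)) efi_init();`, so it also runs on a non-EFI boot with whatever the boot loader left in `boot_params.secure_boot` (presumably zero, the "unset" mode that lands in the `default:` arm visible in the secureboot.c hunk). Because that one byte is what ultimately decides whether the kernel locks itself down, the refreshed patch should say so next to the call, e.g. `/* boot_params.secure_boot is filled in by the EFI stub; on a legacy boot it stays 0 (unset) and no lockdown is triggered */`. The unconditional placement looks intentional, but nothing in the hunk lets the next person refreshing this patch tell that. setup_arch() continues outside the hunk.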
@@ -46,10 +44,8 @@ Index: debian-kernel/arch/x86/kernel/setup.c
reserve_initrd();
acpi_table_upgrade();
-Index: debian-kernel/drivers/firmware/efi/secureboot.c
-===================================================================
---- debian-kernel.orig/drivers/firmware/efi/secureboot.c
-+++ debian-kernel/drivers/firmware/efi/secureboot.c
+--- a/drivers/firmware/efi/secureboot.c
++++ b/drivers/firmware/efi/secureboot.c
@@ -15,6 +15,7 @@
#include <linux/efi.h>
#include <linux/kernel.h>
@@ -69,11 +65,9 @@ Index: debian-kernel/drivers/firmware/efi/secureboot.c
pr_info("Secure boot enabled\n");
break;
default:
-Index: debian-kernel/include/linux/security.h
-===================================================================
---- debian-kernel.orig/include/linux/security.h
-+++ debian-kernel/include/linux/security.h
-@@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct i
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -481,6 +481,7 @@ int security_inode_notifysecctx(struct i
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
@@ -81,7 +75,7 @@ Index: debian-kernel/include/linux/security.h
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1291,6 +1292,11 @@ static inline int security_locked_down(e
+@@ -1381,6 +1382,11 @@ static inline int security_locked_down(e
{
return 0;
}
@@ -93,10 +87,8 @@ Index: debian-kernel/include/linux/security.h
#endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
-Index: debian-kernel/security/lockdown/Kconfig
-===================================================================
---- debian-kernel.orig/security/lockdown/Kconfig
-+++ debian-kernel/security/lockdown/Kconfig
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
disabled.
@@ -116,10 +108,8 @@ Index: debian-kernel/security/lockdown/Kconfig
+
+ Enabling this option results in kernel lockdown being
+ triggered in integrity mode if EFI Secure Boot is set.
-Index: debian-kernel/security/lockdown/lockdown.c
-===================================================================
---- debian-kernel.orig/security/lockdown/lockdown.c
-+++ debian-kernel/security/lockdown/lockdown.c
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
@@ -23,7 +23,7 @@ static const enum lockdown_reason lockdo
/*
* Put the kernel into lock-down mode.
diff --git a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
index 44dd25261..78f407896 100644
--- a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
+++ b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
@@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -5768,6 +5768,10 @@
+@@ -6160,6 +6160,10 @@
later by a loaded module cannot be set this way.
Example: sysctl.vm.swappiness=40
@@ -42,7 +42,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
on older distributions. When this option is enabled
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -2865,6 +2865,14 @@ config COMPAT_32
+@@ -2997,6 +2997,14 @@ config COMPAT_32
select HAVE_UID16
select OLD_SIGSUSPEND3
@@ -59,14 +59,14 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
depends on IA32_EMULATION || X86_X32_ABI
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
-@@ -62,7 +62,7 @@ static __always_inline bool do_syscall_x
+@@ -63,7 +63,7 @@ static __always_inline bool do_syscall_x
*/
unsigned int xnr = nr - __X32_SYSCALL_BIT;
- if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) {
+ if (IS_ENABLED(CONFIG_X86_X32_ABI) && unlikely(x32_enabled) && likely(xnr < X32_NR_syscalls)) {
xnr = array_index_nospec(xnr, X32_NR_syscalls);
- regs->ax = x32_sys_call_table[xnr](regs);
+ regs->ax = x32_sys_call(regs, xnr);
return true;
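Review bot: The refreshed condition `if (IS_ENABLED(CONFIG_X86_X32_ABI) && unlikely(x32_enabled) && likely(xnr < X32_NR_syscalls))` keeps the bound check and the following `array_index_nospec()` even though `x32_sys_call()` now answers out-of-range numbers itself via the `default: return __x64_sys_ni_syscall(regs);` arm shown in the syscall_x32.c hunk, and that is the right call, since the clamp is presumably what keeps a mispredicted `xnr` from steering the switch's jump table, but the reason is no longer visible at this site. I would add `/* bound check + nospec clamp kept for Spectre-v1 hardening of the dispatch, not for correctness */` above the `if`. It is also worth noting in a comment that when `x32_enabled` is clear the function returns false and the x32-range number is left to the caller, which presumably ends in `__x64_sys_ni_syscall()`, so a disabled x32 ABI reports ENOSYS rather than being dispatched through the x64 switch; that caller is outside this hunk. do_syscall_x32() starts before the hunk.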
--- a/arch/x86/entry/syscall_x32.c
+++ b/arch/x86/entry/syscall_x32.c
@@ -80,9 +80,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
#include <linux/syscalls.h>
#include <asm/syscall.h>
-@@ -16,3 +19,46 @@
- asmlinkage const sys_call_ptr_t x32_sys_call_table[] = {
- #include <asm/syscalls_x32.h>
+@@ -20,3 +23,46 @@ long x32_sys_call(const struct pt_regs *
+ default: return __x64_sys_ni_syscall(regs);
+ }
};
+
+/* Maybe enable x32 syscalls */
@@ -139,7 +139,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
typedef unsigned long elf_greg_t;
-@@ -161,7 +164,8 @@ do { \
+@@ -150,7 +153,8 @@ do { \
#define compat_elf_check_arch(x) \
(elf_check_arch_ia32(x) || \
@@ -159,9 +159,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
#include <asm/thread_info.h> /* for TS_COMPAT */
#include <asm/unistd.h>
-@@ -30,6 +31,18 @@ extern const sys_call_ptr_t ia32_sys_cal
- extern const sys_call_ptr_t x32_sys_call_table[];
- #endif
+@@ -28,6 +29,18 @@ extern long ia32_sys_call(const struct p
+ extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
+ extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
+#if defined(CONFIG_X86_X32_ABI)
+#if defined(CONFIG_X86_X32_DISABLED)