authorAlexandre Oliva <lxoliva@fsfla.org>2013-09-01 20:07:58 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2013-09-01 20:07:58 +0000
commit5400d3e30d6d624734498575515affe0d0a0c907 (patch)
tree12d21ddd69a87eacb14b0dff41efae7a48f40057
parent913fe7dc094934b431e73ce624865275d8514314 (diff)
downloadlinux-libre-raptor-5400d3e30d6d624734498575515affe0d0a0c907.tar.gz
linux-libre-raptor-5400d3e30d6d624734498575515affe0d0a0c907.zip
3.11.0-0.rc7.git4.1.fc21.gnu
-rw-r--r--freed-ora/current/master/HID-CVE-fixes.patch1490
-rw-r--r--freed-ora/current/master/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch55
-rw-r--r--freed-ora/current/master/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch45
-rw-r--r--freed-ora/current/master/Makefile2
-rw-r--r--freed-ora/current/master/Makefile.release6
-rw-r--r--freed-ora/current/master/acpi-video-dos.patch17
-rw-r--r--freed-ora/current/master/arm-dma-amba_pl08x-avoid-64bit-division.patch36
-rw-r--r--freed-ora/current/master/arm-exynos-mp.patch428
-rw-r--r--freed-ora/current/master/arm-imx-fixsound.patch65
-rw-r--r--freed-ora/current/master/arm-omap-bbb-dts.patch230
-rw-r--r--freed-ora/current/master/arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch13
-rw-r--r--freed-ora/current/master/arm-wandboard-quad.patch58
-rw-r--r--freed-ora/current/master/arm64-makefile-vdso_install.patch15
-rw-r--r--freed-ora/current/master/ath3k-dont-use-stack-memory-for-DMA.patch72
-rw-r--r--freed-ora/current/master/block-do-not-pass-disk-names-as-format-strings.patch64
-rw-r--r--freed-ora/current/master/bridge-only-expire-the-mdb-entry-when-query-is-received.patch159
-rw-r--r--freed-ora/current/master/bridge-send-query-as-soon-as-leave-is-received.patch57
-rw-r--r--freed-ora/current/master/cdrom-use-kzalloc-for-failing-hardware.patch45
-rw-r--r--freed-ora/current/master/config-arm-generic113
-rw-r--r--freed-ora/current/master/config-arm64469
-rw-r--r--freed-ora/current/master/config-armv7202
-rw-r--r--freed-ora/current/master/config-armv7-generic62
-rw-r--r--freed-ora/current/master/config-armv7-lpae62
-rw-r--r--freed-ora/current/master/config-debug5
-rw-r--r--freed-ora/current/master/config-generic103
-rw-r--r--freed-ora/current/master/config-nodebug119
-rw-r--r--freed-ora/current/master/config-powerpc-generic16
-rw-r--r--freed-ora/current/master/config-powerpc32-generic6
-rw-r--r--freed-ora/current/master/config-powerpc32-smp1
-rw-r--r--freed-ora/current/master/config-powerpc649
-rw-r--r--freed-ora/current/master/config-powerpc64p79
-rw-r--r--freed-ora/current/master/config-s390x59
-rw-r--r--freed-ora/current/master/config-x86-32-generic4
-rw-r--r--freed-ora/current/master/config-x86-generic36
-rw-r--r--freed-ora/current/master/config-x86_64-generic2
-rw-r--r--freed-ora/current/master/crash-driver.patch17
-rwxr-xr-xfreed-ora/current/master/deblob-3.112774
-rwxr-xr-xfreed-ora/current/master/deblob-check208
-rw-r--r--freed-ora/current/master/devel-pekey-secure-boot-20130502.patch5912
-rw-r--r--freed-ora/current/master/drm-exynos-fix-multiple-definition-build-error.patch53
-rw-r--r--freed-ora/current/master/fanotify-info-leak-in-copy_event_to_user.patch14
-rw-r--r--freed-ora/current/master/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch25
-rw-r--r--freed-ora/current/master/iwl3945-better-skb-management-in-rx-path.patch97
-rw-r--r--freed-ora/current/master/iwl4965-better-skb-management-in-rx-path.patch65
-rw-r--r--freed-ora/current/master/kernel.spec612
-rw-r--r--freed-ora/current/master/mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch135
-rw-r--r--freed-ora/current/master/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch30
-rw-r--r--freed-ora/current/master/mei-me-fix-hardware-reset-flow.patch104
-rw-r--r--freed-ora/current/master/mod-extra.list1
-rw-r--r--freed-ora/current/master/modsign-uefi.patch528
-rw-r--r--freed-ora/current/master/nowatchdog-on-virt.patch10
-rw-r--r--freed-ora/current/master/patch-3.10-gnu-3.11-rc7-gnu.xz.sign7
-rw-r--r--freed-ora/current/master/sb-hibernate.patch123
-rwxr-xr-xfreed-ora/current/master/scripts/generate-git-snapshot.sh2
-rw-r--r--freed-ora/current/master/secure-boot-20130218.patch1434
-rw-r--r--freed-ora/current/master/secure-modules.patch850
-rw-r--r--freed-ora/current/master/sources2
-rw-r--r--freed-ora/current/master/sysrq-secure-boot.patch243
-rw-r--r--freed-ora/current/master/v2-thermal-cpu_cooling-fix-stub-function.patch22
-rw-r--r--freed-ora/current/master/xen-blkback-Check-device-permissions-before-allowing.patch54
60 files changed, 8452 insertions, 9004 deletions
diff --git a/freed-ora/current/master/HID-CVE-fixes.patch b/freed-ora/current/master/HID-CVE-fixes.patch
new file mode 100644
index 000000000..dc44c5edc
--- /dev/null
+++ b/freed-ora/current/master/HID-CVE-fixes.patch
@@ -0,0 +1,1490 @@
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 01/14] HID: validate HID report id size
+Date: Wed, 28 Aug 2013 22:29:55 +0200 (CEST)
+Lines: 81
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282158220.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721804 9521 80.91.229.3 (28 Aug 2013 20:30:04 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:04 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:06 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmNR-0008U8-2t
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:05 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754658Ab3H1UaD (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:30:03 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57907 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1752748Ab3H1UaD (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:30:03 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id 1C5ACA535B;
+ Wed, 28 Aug 2013 22:30:01 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31652
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31652>
+
+From: Kees Cook <keescook@chromium.org>
+
+The "Report ID" field of a HID report is used to build indexes of
+reports. The kernel's index of these is limited to 256 entries, so any
+malicious device that sets a Report ID greater than 255 will trigger
+memory corruption on the host:
+
+[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+CVE-2013-2888
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 36668d1..5ea7d51 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
+ struct hid_report_enum *report_enum = device->report_enum + type;
+ struct hid_report *report;
+
++ if (id >= HID_MAX_IDS)
++ return NULL;
+ if (report_enum->report_id_hash[id])
+ return report_enum->report_id_hash[id];
+
+@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ parser->global.report_id = item_udata(item);
+- if (parser->global.report_id == 0) {
+- hid_err(parser->device, "report_id 0 is invalid\n");
++ if (parser->global.report_id == 0 ||
++ parser->global.report_id >= HID_MAX_IDS) {
++ hid_err(parser->device, "report_id %u is invalid\n",
++ parser->global.report_id);
+ return -1;
+ }
+ return 0;
+@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
+ for (i = 0; i < HID_REPORT_TYPES; i++) {
+ struct hid_report_enum *report_enum = device->report_enum + i;
+
+- for (j = 0; j < 256; j++) {
++ for (j = 0; j < HID_MAX_IDS; j++) {
+ struct hid_report *report = report_enum->report_id_hash[j];
+ if (report)
+ hid_free_report(report);
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 0c48991..ff545cc 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -393,10 +393,12 @@ struct hid_report {
+ struct hid_device *device; /* associated device */
+ };
+
++#define HID_MAX_IDS 256
++
+ struct hid_report_enum {
+ unsigned numbered;
+ struct list_head report_list;
+- struct hid_report *report_id_hash[256];
++ struct hid_report *report_id_hash[HID_MAX_IDS];
+ };
+
+ #define HID_REPORT_TYPES 3
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 02/14] HID: provide a helper for validating hid reports
+Date: Wed, 28 Aug 2013 22:30:06 +0200 (CEST)
+Lines: 99
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282158570.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721810 9564 80.91.229.3 (28 Aug 2013 20:30:10 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:10 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:12 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmNX-0008U8-Cg
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:11 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754750Ab3H1UaK (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:30:10 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57911 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1752748Ab3H1UaK (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:30:10 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id 3C054A531D;
+ Wed, 28 Aug 2013 22:30:09 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31653
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31653>
+
+From: Kees Cook <keescook@chromium.org>
+
+Many drivers need to validate the characteristics of their HID report
+during initialization to avoid misusing the reports. This adds a common
+helper to perform validation of the report, its field count, and the
+value count within the fields.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/hid.h | 4 ++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 5ea7d51..55798b2 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -759,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
+ }
+ EXPORT_SYMBOL_GPL(hid_parse_report);
+
++static const char * const hid_report_names[] = {
++ "HID_INPUT_REPORT",
++ "HID_OUTPUT_REPORT",
++ "HID_FEATURE_REPORT",
++};
++/**
++ * hid_validate_report - validate existing device report
++ *
++ * @device: hid device
++ * @type: which report type to examine
++ * @id: which report ID to examine (0 for first)
++ * @fields: expected number of fields
++ * @report_counts: expected number of values per field
++ *
++ * Validate the report details after parsing.
++ */
++struct hid_report *hid_validate_report(struct hid_device *hid,
++ unsigned int type, unsigned int id,
++ unsigned int fields,
++ unsigned int report_counts)
++{
++ struct hid_report *report;
++ unsigned int i;
++
++ if (type > HID_FEATURE_REPORT) {
++ hid_err(hid, "invalid HID report %u\n", type);
++ return NULL;
++ }
++
++ report = hid->report_enum[type].report_id_hash[id];
++ if (!report) {
++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
++ return NULL;
++ }
++ if (report->maxfield < fields) {
++ hid_err(hid, "not enough fields in %s %u\n",
++ hid_report_names[type], id);
++ return NULL;
++ }
++ for (i = 0; i < fields; i++) {
++ if (report->field[i]->report_count < report_counts) {
++ hid_err(hid, "not enough values in %s %u fields\n",
++ hid_report_names[type], id);
++ return NULL;
++ }
++ }
++ return report;
++}
++EXPORT_SYMBOL_GPL(hid_validate_report);
++
+ /**
+ * hid_open_report - open a driver-specific device report
+ *
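Review bot: `hid_validate_report()` indexes `report_id_hash[id]` without bounding `id`, so a caller that passes an ID of `HID_MAX_IDS` or more reads past the table; `type` is range-checked, and `id` should get the same treatment with `if (id >= HID_MAX_IDS) return NULL;` plus a matching `hid_err`. The kernel-doc says `0 for first`, but the lookup returns only the report registered under ID 0, whereas the code removed in the zpff and lg2ff hunks of this series took the first entry of `report_list`. A device whose output reports are numbered would presumably now be rejected with -ENODEV, so either fall back to the list head when `id == 0` or reword the comment to say that ID 0 means the unnumbered report. The kernel-doc also documents the first parameter as `@device` while the signature names it `hid`.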
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index ff545cc..76e41d8 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
+ struct hid_device *hid_allocate_device(void);
+ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
+ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
++struct hid_report *hid_validate_report(struct hid_device *hid,
++ unsigned int type, unsigned int id,
++ unsigned int fields,
++ unsigned int report_counts);
+ int hid_open_report(struct hid_device *device);
+ int hid_check_keys_pressed(struct hid_device *hid);
+ int hid_connect(struct hid_device *hid, unsigned int connect_mask);
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 03/14] HID: zeroplus: validate output report details
+Date: Wed, 28 Aug 2013 22:30:15 +0200 (CEST)
+Lines: 57
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282159270.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721819 9648 80.91.229.3 (28 Aug 2013 20:30:19 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:19 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:21 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmNg-0008U8-24
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:21 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754896Ab3H1UaT (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:30:19 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57913 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1752748Ab3H1UaS (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:30:18 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id A94ACA531D;
+ Wed, 28 Aug 2013 22:30:17 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31654
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31654>
+
+From: Kees Cook <keescook@chromium.org>
+
+The zeroplus HID driver was not checking the size of allocated values
+in fields it used. A HID device could send a malicious output report
+that would cause the driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+...
+[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2889
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-zpff.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
+index 6ec28a3..b124991 100644
+--- a/drivers/hid/hid-zpff.c
++++ b/drivers/hid/hid-zpff.c
+@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid)
+ struct hid_report *report;
+ struct hid_input *hidinput = list_entry(hid->inputs.next,
+ struct hid_input, list);
+- struct list_head *report_list =
+- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+ int error;
+
+- if (list_empty(report_list)) {
+- hid_err(hid, "no output report found\n");
++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1);
++ if (!report)
+ return -ENODEV;
+- }
+-
+- report = list_entry(report_list->next, struct hid_report, list);
+-
+- if (report->maxfield < 4) {
+- hid_err(hid, "not enough fields in report\n");
+- return -ENODEV;
+- }
+
+ zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
+ if (!zpff)
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 04/14] HID: sony: validate HID output report details
+Date: Wed, 28 Aug 2013 22:30:23 +0200 (CEST)
+Lines: 43
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282159590.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721826 9710 80.91.229.3 (28 Aug 2013 20:30:26 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:26 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:28 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmNn-0008U8-JR
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:27 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754899Ab3H1Ua1 (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:30:27 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57919 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1753936Ab3H1Ua0 (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:30:26 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id 02DB9A531D;
+ Wed, 28 Aug 2013 22:30:26 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31655
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31655>
+
+From: Kees Cook <keescook@chromium.org>
+
+This driver must validate the availability of the HID output report and
+its size before it can write LED states via buzz_set_leds(). This stops
+a heap overflow that is possible if a device provides a malicious HID
+output report:
+
+[ 108.171280] usb 1-1: New USB device found, idVendor=054c, idProduct=0002
+...
+[ 117.507877] BUG kmalloc-192 (Not tainted): Redzone overwritten
+
+CVE-2013-2890
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-sony.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index 87fbe29..b987926 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -537,6 +537,10 @@ static int buzz_init(struct hid_device *hdev)
+ drv_data = hid_get_drvdata(hdev);
+ BUG_ON(!(drv_data->quirks & BUZZ_CONTROLLER));
+
++ /* Validate expected report characteristics. */
++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 7))
++ return -ENODEV;
++
+ buzz = kzalloc(sizeof(*buzz), GFP_KERNEL);
+ if (!buzz) {
+ hid_err(hdev, "Insufficient memory, cannot allocate driver data\n");
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 05/14] HID: steelseries: validate output report details
+Date: Wed, 28 Aug 2013 22:30:37 +0200 (CEST)
+Lines: 43
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282201070.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721849 9885 80.91.229.3 (28 Aug 2013 20:30:49 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:49 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>, Simon Wood <simon@mungewell.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:51 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmO7-0000cl-Po
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:48 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1755238Ab3H1Uam (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:30:42 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57942 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1754222Ab3H1Uak (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:30:40 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id EFDE1A531D;
+ Wed, 28 Aug 2013 22:30:39 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31656
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31656>
+
+From: Kees Cook <keescook@chromium.org>
+
+A HID device could send a malicious output report that would cause the
+steelseries HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+...
+[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2891
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
+index d164911..ef42e86 100644
+--- a/drivers/hid/hid-steelseries.c
++++ b/drivers/hid/hid-steelseries.c
+@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
+ goto err_free;
+ }
+
++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) {
++ ret = -ENODEV;
++ goto err_free;
++ }
++
+ ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ if (ret) {
+ hid_err(hdev, "hw start failed\n");
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 06/14] HID: pantherlord: validate output report details
+Date: Wed, 28 Aug 2013 22:30:49 +0200 (CEST)
+Lines: 47
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282218580.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721853 9919 80.91.229.3 (28 Aug 2013 20:30:53 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:53 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:55 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmOD-0000cl-Qd
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:54 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754500Ab3H1Uax (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:30:53 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57948 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1753468Ab3H1Uaw (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:30:52 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id 21315A531D;
+ Wed, 28 Aug 2013 22:30:52 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31657
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31657>
+
+From: Kees Cook <keescook@chromium.org>
+
+A HID device could send a malicious output report that would cause the
+pantherlord HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+...
+[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2892
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
+index d29112f..2dcd7d9 100644
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
+ strong = &report->field[0]->value[2];
+ weak = &report->field[0]->value[3];
+ debug("detected single-field device");
+- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++ } else if (report->field[0]->maxusage == 1 &&
++ report->field[0]->usage[0].hid ==
++ (HID_UP_LED | 0x43) &&
++ report->maxfield >= 4 &&
++ report->field[0]->report_count >= 1 &&
++ report->field[1]->report_count >= 1 &&
++ report->field[2]->report_count >= 1 &&
++ report->field[3]->report_count >= 1) {
+ report->field[0]->value[0] = 0x00;
+ report->field[1]->value[0] = 0x00;
+ strong = &report->field[2]->value[0];
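Review bot: The added `report_count` checks cover only the four-field branch; the single-field branch at the top of this hunk still takes `&report->field[0]->value[2]` and `value[3]`, and nothing visible here requires `report->field[0]->report_count >= 4`. A device declaring a single short field could presumably still reach the out-of-bounds write this patch is meant to stop. The condition guarding that branch is outside the hunk; if it tests only `maxfield`, extend it with `report->field[0]->report_count >= 4`. The rewritten `else if` also reads `report->field[0]->maxusage` before it tests `report->maxfield >= 4`, which is safe only if an earlier check outside the hunk guarantees at least one field. `plff_init` starts and ends outside the hunk.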
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 07/14] HID: LG: validate HID output report details
+Date: Wed, 28 Aug 2013 22:31:00 +0200 (CEST)
+Lines: 194
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282219290.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721865 10099 80.91.229.3 (28 Aug 2013 20:31:05 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:05 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:07 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmOQ-0000cl-Fi
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:06 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1753468Ab3H1UbF (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:31:05 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57957 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1752780Ab3H1UbE (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:31:04 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id 5F1F5A531D;
+ Wed, 28 Aug 2013 22:31:03 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31658
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31658>
+
+From: Kees Cook <keescook@chromium.org>
+
+A HID device could send a malicious output report that would cause the
+lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+during an event, causing a heap overflow:
+
+[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+...
+[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+Additionally, while lg2 did correctly validate the report details, it was
+cleaned up and shortened.
+
+CVE-2013-2893
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-lg2ff.c | 19 +++----------------
+ drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
+ drivers/hid/hid-lg4ff.c | 20 +-------------------
+ drivers/hid/hid-lgff.c | 17 ++---------------
+ 4 files changed, 12 insertions(+), 73 deletions(-)
+
+diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
+index b3cd150..9805197 100644
+--- a/drivers/hid/hid-lg2ff.c
++++ b/drivers/hid/hid-lg2ff.c
+@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid)
+ struct hid_report *report;
+ struct hid_input *hidinput = list_entry(hid->inputs.next,
+ struct hid_input, list);
+- struct list_head *report_list =
+- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+ int error;
+
+- if (list_empty(report_list)) {
+- hid_err(hid, "no output report found\n");
++ /* Check that the report looks ok */
++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7);
++ if (!report)
+ return -ENODEV;
+- }
+-
+- report = list_entry(report_list->next, struct hid_report, list);
+-
+- if (report->maxfield < 1) {
+- hid_err(hid, "output report is empty\n");
+- return -ENODEV;
+- }
+- if (report->field[0]->report_count < 7) {
+- hid_err(hid, "not enough values in the field\n");
+- return -ENODEV;
+- }
+
+ lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
+ if (!lg2ff)
+diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
+index e52f181..53ac79b 100644
+--- a/drivers/hid/hid-lg3ff.c
++++ b/drivers/hid/hid-lg3ff.c
+@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
+ int x, y;
+
+ /*
+- * Maxusage should always be 63 (maximum fields)
+- * likely a better way to ensure this data is clean
++ * Available values in the field should always be 63, but we only use up to
++ * 35. Instead, clear the entire area, however big it is.
+ */
+- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
++ memset(report->field[0]->value, 0,
++ sizeof(__s32) * report->field[0]->report_count);
+
+ switch (effect->type) {
+ case FF_CONSTANT:
+@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = {
+ int lg3ff_init(struct hid_device *hid)
+ {
+ struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+ const signed short *ff_bits = ff3_joystick_ac;
+ int error;
+ int i;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+ /* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- if (!report) {
+- hid_err(hid, "NULL output report\n");
+- return -1;
+- }
+-
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35))
++ return -ENODEV;
+
+ /* Assume single fixed device G940 */
+ for (i = 0; ff_bits[i] >= 0; i++)
+diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
+index 0ddae2a..8b89f0f 100644
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde
+ int lg4ff_init(struct hid_device *hid)
+ {
+ struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+ struct lg4ff_device_entry *entry;
+ struct lg_drv_data *drv_data;
+ struct usb_device_descriptor *udesc;
+ int error, i, j;
+ __u16 bcdDevice, rev_maj, rev_min;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+ /* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- if (!report) {
+- hid_err(hid, "NULL output report\n");
++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
+ return -1;
+- }
+-
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
+
+ /* Check what wheel has been connected */
+ for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
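Review bot: lg4ff_init still returns a bare `-1` when hid_validate_report() rejects the output report, while the lg2ff, lg3ff and lgff hunks of this same patch return `-ENODEV` for the identical condition. Read as an errno, -1 is -EPERM, which is misleading if the value reaches the probe path (the callers are not visible here). For consistency the new check should read `if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))` followed by `return -ENODEV;`. The body of lg4ff_init continues past the end of this hunk.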
+diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
+index d7ea8c8..a84fb40 100644
+--- a/drivers/hid/hid-lgff.c
++++ b/drivers/hid/hid-lgff.c
+@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
+ int lgff_init(struct hid_device* hid)
+ {
+ struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+ const signed short *ff_bits = ff_joystick;
+ int error;
+ int i;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+ /* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
++ return -ENODEV;
+
+ for (i = 0; i < ARRAY_SIZE(devices); i++) {
+ if (dev->id.vendor == devices[i].idVendor &&
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 08/14] HID: lenovo-tpkbd: validate output report details
+Date: Wed, 28 Aug 2013 22:31:10 +0200 (CEST)
+Lines: 42
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282219570.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721874 10167 80.91.229.3 (28 Aug 2013 20:31:14 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:14 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>,
+ Bernhard Seibold <mail@bernhard-seibold.de>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:16 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmOY-0000cl-HM
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:14 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754122Ab3H1UbN (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:31:13 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57965 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1752780Ab3H1UbN (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:31:13 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id 982A1A531D;
+ Wed, 28 Aug 2013 22:31:12 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31659
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31659>
+
+From: Kees Cook <keescook@chromium.org>
+
+A HID device could send a malicious output report that would cause the
+lenovo-tpkbd HID driver to write just beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+...
+[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2894
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
+index 07837f5..b697ada 100644
+--- a/drivers/hid/hid-lenovo-tpkbd.c
++++ b/drivers/hid/hid-lenovo-tpkbd.c
+@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
+ char *name_mute, *name_micmute;
+ int ret;
+
++ /* Validate required reports. */
++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) ||
++ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2))
++ return -ENODEV;
++
+ if (sysfs_create_group(&hdev->dev.kobj,
+ &tpkbd_attr_group_pointer)) {
+ hid_warn(hdev, "Could not create sysfs group\n");
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 09/14] HID: logitech-dj: validate output report details
+Date: Wed, 28 Aug 2013 22:31:18 +0200 (CEST)
+Lines: 65
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282220530.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721883 10249 80.91.229.3 (28 Aug 2013 20:31:23 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:23 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>,
+ Nestor Lopez Casado <nlopezcasad@logitech.com>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:25 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmOg-0000cl-O9
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:23 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1752780Ab3H1UbW (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:31:22 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57976 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1751971Ab3H1UbV (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:31:21 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id D53F8A531D;
+ Wed, 28 Aug 2013 22:31:20 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31660
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31660>
+
+From: Kees Cook <keescook@chromium.org>
+
+A HID device could send a malicious output report that would cause the
+logitech-dj HID driver to leak kernel memory contents to the device, or
+trigger a NULL dereference during initialization:
+
+[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+...
+[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+[ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+CVE-2013-2895
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index cd33084..7b99c2a 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+ struct hid_report *report;
+ struct hid_report_enum *output_report_enum;
+ u8 *data = (u8 *)(&dj_report->device_index);
+- int i;
++ unsigned int i, length;
+
+ output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
+ report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+@@ -471,7 +471,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+ return -ENODEV;
+ }
+
+- for (i = 0; i < report->field[0]->report_count; i++)
++ length = min_t(size_t, sizeof(*dj_report) - 1,
++ report->field[0]->report_count);
++ for (i = 0; i < length; i++)
+ report->field[0]->value[i] = data[i];
+
+ hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
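Review bot: The `- 1` in `sizeof(*dj_report) - 1` silently encodes that `data` starts one byte into the structure, at `device_index` (see the `u8 *data` initialiser in the previous hunk). If anything is ever added in front of that member, the bound becomes too large and the copy reads past the structure again. Deriving it from the layout, `sizeof(*dj_report) - offsetof(typeof(*dj_report), device_index)`, or at least a comment stating the assumption, would keep the limit tied to the source pointer. The result is stored in an `unsigned int`, so `min_t(unsigned int, ...)` would match the declaration better than `min_t(size_t, ...)`. The function starts before this hunk, and the `report->field[0]` dereference relies on the probe-time validation added in the next hunk.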
+@@ -783,6 +785,12 @@ static int logi_dj_probe(struct hid_device *hdev,
+ goto hid_parse_fail;
+ }
+
++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
++ 1, 3)) {
++ retval = -ENODEV;
++ goto hid_parse_fail;
++ }
++
+ /* Starts the usb device and connects to upper interfaces hiddev and
+ * hidraw */
+ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 10/14] HID: ntrig: validate feature report details
+Date: Wed, 28 Aug 2013 22:31:28 +0200 (CEST)
+Lines: 41
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282221210.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721895 10362 80.91.229.3 (28 Aug 2013 20:31:35 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:35 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>, Rafi Rubin <rafi@seas.upenn.edu>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:36 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmOq-0000cl-KK
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:32 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1753024Ab3H1Ubc (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:31:32 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57985 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1751971Ab3H1Ubb (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:31:31 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id C4DDAA531D;
+ Wed, 28 Aug 2013 22:31:30 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31661
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31661>
+
+From: Kees Cook <keescook@chromium.org>
+
+A HID device could send a malicious feature report that would cause the
+ntrig HID driver to trigger a NULL dereference during initialization:
+
+[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+...
+[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+CVE-2013-2896
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
+index ef95102..5482156 100644
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
+ struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ report_id_hash[0x0d];
+
+- if (!report)
++ if (!report || report->maxfield < 1 ||
++ report->field[0]->report_count < 1)
+ return -EINVAL;
+
+ hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 11/14] HID: multitouch: validate feature report details
+Date: Wed, 28 Aug 2013 22:31:37 +0200 (CEST)
+Lines: 77
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282221440.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721900 10409 80.91.229.3 (28 Aug 2013 20:31:40 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:40 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>,
+ Henrik Rydberg <rydberg@euromail.se>,
+ Benjamin Tissoires <benjamin.tissoires@redhat.com>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:42 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmOz-0000cl-Ku
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:42 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754253Ab3H1Ubl (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:31:41 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:57991 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1754222Ab3H1Ubk (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:31:40 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id BA511A535B;
+ Wed, 28 Aug 2013 22:31:39 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31662
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31662>
+
+From: Kees Cook <keescook@chromium.org>
+
+When working on report indexes, always validate that they are in bounds.
+Without this, a HID device could report a malicious feature report that
+could trick the driver into a heap overflow:
+
+[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+...
+[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2897
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index cb0e361..2aa275e 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
+ break;
+ }
+ }
++ /* Ignore if value index is out of bounds. */
++ if (td->inputmode_index < 0 ||
++ td->inputmode_index >= field->report_count) {
++ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
++ td->inputmode = -1;
++ }
+
+ break;
+ case HID_DG_CONTACTMAX:
++ /* Ignore if value count is out of bounds. */
++ if (field->report_count < 1)
++ break;
+ td->maxcontact_report_id = field->report->id;
+ td->maxcontacts = field->value[0];
+ if (!td->maxcontacts &&
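Review bot: In the HID_DG_INPUTMODE case the new range check resets `td->inputmode` to -1 but leaves the rejected value in `td->inputmode_index`. The fix therefore holds only if every later user tests `td->inputmode` before indexing with `td->inputmode_index`, and those users are outside this hunk. Adding `td->inputmode_index = -1;` next to `td->inputmode = -1;` would make the invalid state explicit, assuming nothing depends on the stale index. The comparison `td->inputmode_index >= field->report_count` presumably mixes a signed index with an unsigned count and is safe only because the `< 0` test runs first, which is worth a short comment such as `/* the < 0 test must stay first: report_count is unsigned */`. mt_feature_mapping continues past the end of this hunk.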
+@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report)
+ unsigned count;
+ int r, n;
+
++ if (report->maxfield == 0)
++ return;
++
+ /*
+ * Includes multi-packet support where subsequent
+ * packets are sent with zero contactcount.
+ */
+- if (td->cc_index >= 0) {
+- struct hid_field *field = report->field[td->cc_index];
+- int value = field->value[td->cc_value_index];
+- if (value)
+- td->num_expected = value;
++ if (td->cc_index >= 0 && td->cc_index < report->maxfield) {
++ field = report->field[td->cc_index];
++ if (td->cc_value_index >= 0 &&
++ td->cc_value_index < field->report_count) {
++ int value = field->value[td->cc_value_index];
++ if (value)
++ td->num_expected = value;
++ }
+ }
+
+ for (r = 0; r < report->maxfield; r++) {
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 12/14] HID: sensor-hub: validate feature report details
+Date: Wed, 28 Aug 2013 22:31:44 +0200 (CEST)
+Lines: 36
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282222190.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721907 10489 80.91.229.3 (28 Aug 2013 20:31:47 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:47 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>,
+ Mika Westerberg <mika.westerberg@linux.intel.com>,
+ srinivas pandruvada <srinivas.pandruvada@intel.com>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:51 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmP8-0000cl-9D
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:50 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754788Ab3H1Ubt (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:31:49 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:58000 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1754228Ab3H1Ubt (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:31:49 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id BBD85A535B;
+ Wed, 28 Aug 2013 22:31:47 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31663
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31663>
+
+From: Kees Cook <keescook@chromium.org>
+
+A HID device could send a malicious feature report that would cause the
+sensor-hub HID driver to read past the end of heap allocation, leaking
+kernel memory contents to the caller.
+
+CVE-2013-2898
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ca749810..aa34755 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+
+ mutex_lock(&data->mutex);
+ report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+- if (!report || (field_index >= report->maxfield)) {
++ if (!report || (field_index >= report->maxfield) ||
++ report->field[field_index]->report_count < 1) {
+ ret = -EINVAL;
+ goto done_proc;
+ }
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 13/14] HID: picolcd_core: validate output report details
+Date: Wed, 28 Aug 2013 22:31:52 +0200 (CEST)
+Lines: 34
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282222460.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721917 10573 80.91.229.3 (28 Aug 2013 20:31:57 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:57 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>,
+ =?ISO-8859-15?Q?Bruno_Pr=E9mont?= <bonbons@linux-vserver.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:59 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmPE-0000cl-T8
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:57 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754901Ab3H1Ub4 (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:31:56 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:58006 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1754228Ab3H1Ub4 (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:31:56 -0400
+Original-Received: from relay2.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id 2720DA531D;
+ Wed, 28 Aug 2013 22:31:55 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31664
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31664>
+
+From: Kees Cook <keescook@chromium.org>
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..72bba1e 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+ buf += 10;
+ cnt -= 10;
+ }
+- if (!report)
++ if (!report || report->maxfield < 1)
+ return -EINVAL;
+
+ while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+Path: news.gmane.org!not-for-mail
+From: Jiri Kosina <jkosina@suse.cz>
+Newsgroups: gmane.linux.kernel.input
+Subject: [PATCH 14/14] HID: check for NULL field when setting values
+Date: Wed, 28 Aug 2013 22:32:01 +0200 (CEST)
+Lines: 36
+Approved: news@gmane.org
+Message-ID: <alpine.LNX.2.00.1308282223090.22181@pobox.suse.cz>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Trace: ger.gmane.org 1377721927 10651 80.91.229.3 (28 Aug 2013 20:32:07 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Wed, 28 Aug 2013 20:32:07 +0000 (UTC)
+Cc: Kees Cook <keescook@chromium.org>
+To: linux-input@vger.kernel.org
+Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:32:06 2013
+Return-path: <linux-input-owner@vger.kernel.org>
+Envelope-to: glki-linux-input-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-input-owner@vger.kernel.org>)
+ id 1VEmPO-0000cl-40
+ for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:32:06 +0200
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754959Ab3H1UcF (ORCPT <rfc822;glki-linux-input-2@m.gmane.org>);
+ Wed, 28 Aug 2013 16:32:05 -0400
+Original-Received: from cantor2.suse.de ([195.135.220.15]:58016 "EHLO mx2.suse.de"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1754282Ab3H1UcE (ORCPT <rfc822;linux-input@vger.kernel.org>);
+ Wed, 28 Aug 2013 16:32:04 -0400
+Original-Received: from relay1.suse.de (unknown [195.135.220.254])
+ by mx2.suse.de (Postfix) with ESMTP id 6D278A531D;
+ Wed, 28 Aug 2013 22:32:03 +0200 (CEST)
+User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
+Original-Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+Xref: news.gmane.org gmane.linux.kernel.input:31665
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.input/31665>
+
+From: Kees Cook <keescook@chromium.org>
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+---
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 55798b2..192be6b 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1206,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+ {
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+ hid_dump_input(field->report->device, field->usage + offset, value);
+
+--
+Jiri Kosina
+SUSE Labs
+--
+To unsubscribe from this list: send the line "unsubscribe linux-input" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
diff --git a/freed-ora/current/master/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch b/freed-ora/current/master/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
deleted file mode 100644
index acdd66d48..000000000
--- a/freed-ora/current/master/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From d0a934b764c67b4bf626f5b7cf725a6e3066afd2 Mon Sep 17 00:00:00 2001
-From: David Herrmann <dh.herrmann@gmail.com>
-Date: Mon, 13 May 2013 15:01:30 +0000
-Subject: HID: input: return ENODATA if reading battery attrs fails
-
-power_supply core has the bad habit of calling our battery callbacks
-from within power_supply_register(). Furthermore, if the callbacks
-fail with an unhandled error code, it will skip any uevent that it
-might currently process.
-So if HID-core registers battery devices, an "add" uevent is generated
-and the battery callbacks are called. These will gracefully fail due
-to timeouts as they might still hold locks on event processing. One
-could argue that this should be fixed in power_supply core, but the
-least we can do is to signal ENODATA so power_supply core will just
-skip the property and continue with the uevent.
-
-This fixes a bug where "add" and "remove" uevents are skipped for
-battery devices. upower is unable to track these devices and currently
-needs to ignore them.
-
-This patch also overwrites any other error code. I cannot see any reason
-why we should forward protocol- or I/O-errors to the power_supply core.
-We handle these errors in hid_ll_driver later, anyway, so just skip
-them. power_supply core cannot do anything useful with them, anyway,
-and we avoid skipping important uevents and confusing user-space.
-
-Thanks a lot to Daniel Nicoletti for pushing and investigating
-on this.
-
-Cc: Jiri Kosina <jkosina@suse.cz>
-Cc: Anton Vorontsov <cbou@mail.ru>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Reported-by: Daniel Nicoletti <dantti12@gmail.com>
-Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
-diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
-index 945b815..c526a3c 100644
---- a/drivers/hid/hid-input.c
-+++ b/drivers/hid/hid-input.c
-@@ -354,10 +354,10 @@ static int hidinput_get_battery_property(struct power_supply *psy,
- dev->battery_report_type);
-
- if (ret != 2) {
-- if (ret >= 0)
-- ret = -EINVAL;
-+ ret = -ENODATA;
- break;
- }
-+ ret = 0;
-
- if (dev->battery_min < dev->battery_max &&
- buf[1] >= dev->battery_min &&
---
-cgit v0.9.2
diff --git a/freed-ora/current/master/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch b/freed-ora/current/master/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
deleted file mode 100644
index 678e82953..000000000
--- a/freed-ora/current/master/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 094b5d9..64a4b03 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -1194,20 +1194,37 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr)
- elapsed = ns - kvm->arch.last_tsc_nsec;
-
- if (vcpu->arch.virtual_tsc_khz) {
-+ int faulted = 0;
-+
- /* n.b - signed multiplication and division required */
- usdiff = data - kvm->arch.last_tsc_write;
- #ifdef CONFIG_X86_64
- usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz;
- #else
- /* do_div() only does unsigned */
-- asm("idivl %2; xor %%edx, %%edx"
-- : "=A"(usdiff)
-- : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz));
-+ asm("1: idivl %[divisor]\n"
-+ "2: xor %%edx, %%edx\n"
-+ " movl $0, %[faulted]\n"
-+ "3:\n"
-+ ".section .fixup,\"ax\"\n"
-+ "4: movl $1, %[faulted]\n"
-+ " jmp 3b\n"
-+ ".previous\n"
-+
-+ _ASM_EXTABLE(1b, 4b)
-+
-+ : "=A"(usdiff), [faulted] "=r" (faulted)
-+ : "A"(usdiff * 1000), [divisor] "rm"(vcpu->arch.virtual_tsc_khz));
-+
- #endif
- do_div(elapsed, 1000);
- usdiff -= elapsed;
- if (usdiff < 0)
- usdiff = -usdiff;
-+
-+ /* idivl overflow => difference is larger than USEC_PER_SEC */
-+ if (faulted)
-+ usdiff = USEC_PER_SEC;
- } else
- usdiff = USEC_PER_SEC; /* disable TSC match window below */
-
diff --git a/freed-ora/current/master/Makefile b/freed-ora/current/master/Makefile
index 2a87029f7..178f4f2e5 100644
--- a/freed-ora/current/master/Makefile
+++ b/freed-ora/current/master/Makefile
@@ -31,6 +31,7 @@ debug:
@perl -pi -e 's/# CONFIG_DEBUG_STACK_USAGE is not set/CONFIG_DEBUG_STACK_USAGE=y/' config-nodebug
@perl -pi -e 's/# CONFIG_DEBUG_SLAB is not set/CONFIG_DEBUG_SLAB=y/' config-nodebug
@perl -pi -e 's/# CONFIG_DEBUG_MUTEXES is not set/CONFIG_DEBUG_MUTEXES=y/' config-nodebug
+ @perl -pi -e 's/# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set/CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y/' config-nodebug
@perl -pi -e 's/# CONFIG_DEBUG_RT_MUTEXES is not set/CONFIG_DEBUG_RT_MUTEXES=y/' config-nodebug
@perl -pi -e 's/# CONFIG_DEBUG_LOCK_ALLOC is not set/CONFIG_DEBUG_LOCK_ALLOC=y/' config-nodebug
@perl -pi -e 's/# CONFIG_PROVE_LOCKING is not set/CONFIG_PROVE_LOCKING=y/' config-nodebug
@@ -90,6 +91,7 @@ debug:
@perl -pi -e 's/# CONFIG_DETECT_HUNG_TASK is not set/CONFIG_DETECT_HUNG_TASK=y/' config-nodebug
@perl -pi -e 's/# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set/CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y/' config-nodebug
@perl -pi -e 's/# CONFIG_DEBUG_KMEMLEAK is not set/CONFIG_DEBUG_KMEMLEAK=y/' config-nodebug
+ @perl -pi -e 's/# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set/CONFIG_X86_DEBUG_STATIC_CPU_HAS=y/' config-nodebug
@# just in case we're going from extremedebug -> debug
@perl -pi -e 's/CONFIG_DEBUG_PAGEALLOC=y/# CONFIG_DEBUG_PAGEALLOC is not set/' config-nodebug
diff --git a/freed-ora/current/master/Makefile.release b/freed-ora/current/master/Makefile.release
index 3eba9dbac..ef0d66b62 100644
--- a/freed-ora/current/master/Makefile.release
+++ b/freed-ora/current/master/Makefile.release
@@ -11,6 +11,7 @@ config-release:
@perl -pi -e 's/CONFIG_DEBUG_STACK_USAGE=y/# CONFIG_DEBUG_STACK_USAGE is not set/' config-nodebug
@perl -pi -e 's/CONFIG_DEBUG_SLAB=y/# CONFIG_DEBUG_SLAB is not set/' config-nodebug
@perl -pi -e 's/CONFIG_DEBUG_MUTEXES=y/# CONFIG_DEBUG_MUTEXES is not set/' config-nodebug
+ @perl -pi -e 's/CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y/# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set/' config-nodebug
@perl -pi -e 's/CONFIG_DEBUG_RT_MUTEXES=y/# CONFIG_DEBUG_RT_MUTEXES is not set/' config-nodebug
@perl -pi -e 's/CONFIG_DEBUG_LOCK_ALLOC=y/# CONFIG_DEBUG_LOCK_ALLOC is not set/' config-nodebug
@perl -pi -e 's/CONFIG_PROVE_LOCKING=y/# CONFIG_PROVE_LOCKING is not set/' config-nodebug
@@ -73,6 +74,7 @@ config-release:
@perl -pi -e 's/CONFIG_XFS_WARN=y/# CONFIG_XFS_WARN is not set/' config-nodebug
@perl -pi -e 's/CONFIG_EDAC_DEBUG=y/# CONFIG_EDAC_DEBUG is not set/' config-nodebug
@perl -pi -e 's/CONFIG_RTLWIFI_DEBUG=y/# CONFIG_RTLWIFI_DEBUG is not set/' config-nodebug
+ @perl -pi -e 's/CONFIG_X86_DEBUG_STATIC_CPU_HAS=y/# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set/' config-nodebug
@# Undo anything that make extremedebug might have set
@perl -pi -e 's/CONFIG_DEBUG_PAGEALLOC=y/# CONFIG_DEBUG_PAGEALLOC is not set/' config-debug
@@ -83,3 +85,7 @@ config-release:
@# Disable UAS for release until it's ready. (#717633, #744099)
@perl -pi -e 's/CONFIG_USB_UAS=m/# CONFIG_USB_UAS is not set/' config-generic
+
+ @perl -pi -e 's/CONFIG_SCHEDSTATS=y/# CONFIG_SCHEDSTATS is not set/' config-nodebug
+ @perl -pi -e 's/CONFIG_LATENCYTOP=y/# CONFIG_LATENCYTOP is not set/' config-nodebug
+
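Review bot: The two substitutions added at the end of config-release turn off `CONFIG_SCHEDSTATS` and `CONFIG_LATENCYTOP` in config-nodebug without a comment, unlike the UAS line just above them, and the Makefile hunks in this commit add no matching lines to the debug target to turn them back on. If the debug target does not already do that (its full body is not visible here), running release and then debug leaves both options off. A comment such as `@# Scheduler statistics and latencytop are debug-only` and, if they are missing, the reverse substitutions in the debug target would keep the two targets symmetric.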
diff --git a/freed-ora/current/master/acpi-video-dos.patch b/freed-ora/current/master/acpi-video-dos.patch
deleted file mode 100644
index 3e2085193..000000000
--- a/freed-ora/current/master/acpi-video-dos.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Disable firmware video brightness change on AC/Battery switch by default
-
--- mjg59
-
-diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
-index bac2901..93b1a9e 100644
---- a/drivers/acpi/video.c
-+++ b/drivers/acpi/video.c
-@@ -1818,7 +1818,7 @@ static int acpi_video_bus_put_devices(struct acpi_video_bus *video)
-
- static int acpi_video_bus_start_devices(struct acpi_video_bus *video)
- {
-- return acpi_video_bus_DOS(video, 0, 0);
-+ return acpi_video_bus_DOS(video, 0, 1);
- }
-
- static int acpi_video_bus_stop_devices(struct acpi_video_bus *video)
diff --git a/freed-ora/current/master/arm-dma-amba_pl08x-avoid-64bit-division.patch b/freed-ora/current/master/arm-dma-amba_pl08x-avoid-64bit-division.patch
new file mode 100644
index 000000000..01da25c1f
--- /dev/null
+++ b/freed-ora/current/master/arm-dma-amba_pl08x-avoid-64bit-division.patch
@@ -0,0 +1,36 @@
+diff --git a/drivers/dma/amba-pl08x.c b/drivers/dma/amba-pl08x.c
+index 06fe45c..63744cf 100644
+--- a/drivers/dma/amba-pl08x.c
++++ b/drivers/dma/amba-pl08x.c
+@@ -886,8 +886,8 @@ static int pl08x_fill_llis_for_desc(struct pl08x_driver_data *pl08x,
+ return 0;
+ }
+
+- if ((bd.srcbus.addr % bd.srcbus.buswidth) ||
+- (bd.dstbus.addr % bd.dstbus.buswidth)) {
++ if ((((u8)(bd.srcbus.addr & 0xff)) % bd.srcbus.buswidth) ||
++ (((u8)(bd.dstbus.addr & 0xff)) % bd.dstbus.buswidth)) {
+ dev_err(&pl08x->adev->dev,
+ "%s src & dst address must be aligned to src"
+ " & dst width if peripheral is flow controller",
+@@ -908,9 +908,8 @@ static int pl08x_fill_llis_for_desc(struct pl08x_driver_data *pl08x,
+ */
+ if (bd.remainder < mbus->buswidth)
+ early_bytes = bd.remainder;
+- else if ((mbus->addr) % (mbus->buswidth)) {
+- early_bytes = mbus->buswidth - (mbus->addr) %
+- (mbus->buswidth);
++ else if ((early_bytes = (u8)(mbus->addr & 0xff) % mbus->buswidth)) {
++ early_bytes = mbus->buswidth - early_bytes;
+ if ((bd.remainder - early_bytes) < mbus->buswidth)
+ early_bytes = bd.remainder;
+ }
+@@ -928,7 +927,7 @@ static int pl08x_fill_llis_for_desc(struct pl08x_driver_data *pl08x,
+ * Master now aligned
+ * - if slave is not then we must set its width down
+ */
+- if (sbus->addr % sbus->buswidth) {
++ if (((u8)(sbus->addr & 0xff)) % sbus->buswidth) {
+ dev_dbg(&pl08x->adev->dev,
+ "%s set down bus width to one byte\n",
+ __func__);
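Review bot: The alignment tests in pl08x_fill_llis_for_desc now take the remainder of only the low byte of each address, as in `(u8)(bd.srcbus.addr & 0xff) % bd.srcbus.buswidth`, which equals the full-address remainder only when the bus width is a power of two no larger than 256, and nothing in the patch states or checks that. If it holds for every width this driver configures (not visible here), a mask such as `bd.srcbus.addr & (bd.srcbus.buswidth - 1)` expresses the same test with no division and no hidden truncation; if it does not hold, a misaligned DMA address could pass the check. The second inner hunk also folds an assignment into the condition, `else if ((early_bytes = ...))`, which reads like a comparison and would be clearer computed on its own line first. The function begins and ends outside these hunks.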
diff --git a/freed-ora/current/master/arm-exynos-mp.patch b/freed-ora/current/master/arm-exynos-mp.patch
new file mode 100644
index 000000000..d037170e3
--- /dev/null
+++ b/freed-ora/current/master/arm-exynos-mp.patch
@@ -0,0 +1,428 @@
+commit 8b806e0201b97844d0eff4713eb88f0a6d0f689d
+Author: Arnd Bergmann <arnd@arndb.de>
+Date: Fri Jun 14 17:16:30 2013 +0200
+
+ ARM: exynos multiplatform, next try
+
+ Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+
+diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
+index e401a76..fad9324 100644
+--- a/arch/arm/Kconfig.debug
++++ b/arch/arm/Kconfig.debug
+@@ -422,7 +422,7 @@ choice
+
+ config DEBUG_S3C_UART0
+ depends on PLAT_SAMSUNG
+- select DEBUG_EXYNOS_UART if ARCH_EXYNOS
++ select DEBUG_EXYNOS_UART if ARCH_EXYNOS_COMMON
+ bool "Use S3C UART 0 for low-level debug"
+ help
+ Say Y here if you want the debug print routines to direct
+@@ -434,7 +434,7 @@ choice
+
+ config DEBUG_S3C_UART1
+ depends on PLAT_SAMSUNG
+- select DEBUG_EXYNOS_UART if ARCH_EXYNOS
++ select DEBUG_EXYNOS_UART if ARCH_EXYNOS_COMMON
+ bool "Use S3C UART 1 for low-level debug"
+ help
+ Say Y here if you want the debug print routines to direct
+@@ -446,7 +446,7 @@ choice
+
+ config DEBUG_S3C_UART2
+ depends on PLAT_SAMSUNG
+- select DEBUG_EXYNOS_UART if ARCH_EXYNOS
++ select DEBUG_EXYNOS_UART if ARCH_EXYNOS_COMMON
+ bool "Use S3C UART 2 for low-level debug"
+ help
+ Say Y here if you want the debug print routines to direct
+@@ -457,7 +457,7 @@ choice
+ by CONFIG_S3C_LOWLEVEL_UART_PORT.
+
+ config DEBUG_S3C_UART3
+- depends on PLAT_SAMSUNG && ARCH_EXYNOS
++ depends on PLAT_SAMSUNG && ARCH_EXYNOS_COMMON
+ select DEBUG_EXYNOS_UART
+ bool "Use S3C UART 3 for low-level debug"
+ help
+diff --git a/arch/arm/include/debug/samsung.S b/arch/arm/include/debug/samsung.S
+index f3a9cff..8d8d922 100644
+--- a/arch/arm/include/debug/samsung.S
++++ b/arch/arm/include/debug/samsung.S
+@@ -9,7 +9,7 @@
+ * published by the Free Software Foundation.
+ */
+
+-#include <plat/regs-serial.h>
++#include <linux/serial_s3c.h>
+
+ /* The S5PV210/S5PC110 implementations are as belows. */
+
+diff --git a/arch/arm/mach-exynos/Kconfig b/arch/arm/mach-exynos/Kconfig
+index 855d4a7..8744890 100644
+--- a/arch/arm/mach-exynos/Kconfig
++++ b/arch/arm/mach-exynos/Kconfig
+@@ -7,13 +7,24 @@
+
+ # Configuration options for the EXYNOS4
+
+-if ARCH_EXYNOS
++config ARCH_EXYNOS_MULTI
++ bool "Samsung EXYNOS" if ARCH_MULTI_V7
++ select ARCH_HAS_CPUFREQ
++ select CPU_V7
++ select GENERIC_CLOCKEVENTS
++ select HAVE_CLK
++ select HAVE_S3C2410_I2C if I2C
++ select HAVE_S3C_RTC if RTC_CLASS
++ help
++ Support for SAMSUNG's EXYNOS SoCs (EXYNOS4/5)
++
++if ARCH_EXYNOS || ARCH_EXYNOS_MULTI
+
+ menu "SAMSUNG EXYNOS SoCs Support"
+
+ config ARCH_EXYNOS4
+ bool "SAMSUNG EXYNOS4"
+- default y
++ default ARCH_EXYNOS
+ select GIC_NON_BANKED
+ select HAVE_ARM_SCU if SMP
+ select HAVE_SMP
+@@ -24,12 +35,16 @@ config ARCH_EXYNOS4
+
+ config ARCH_EXYNOS5
+ bool "SAMSUNG EXYNOS5"
++ default ARCH_EXYNOS
+ select HAVE_ARM_SCU if SMP
+ select HAVE_SMP
+ select PINCTRL
+ help
+ Samsung EXYNOS5 (Cortex-A15) SoC based systems
+
++config ARCH_EXYNOS_COMMON
++ def_bool ARCH_EXYNOS4 || ARCH_EXYNOS5
++
+ comment "EXYNOS SoCs"
+
+ config CPU_EXYNOS4210
+@@ -41,7 +56,7 @@ config CPU_EXYNOS4210
+ select PM_GENERIC_DOMAINS if PM
+ select S5P_PM if PM
+ select S5P_SLEEP if PM
+- select SAMSUNG_DMADEV
++ select SAMSUNG_DMADEV if !ARCH_MULTIPLATFORM
+ help
+ Enable EXYNOS4210 CPU support
+
+@@ -49,10 +64,11 @@ config SOC_EXYNOS4212
+ bool "SAMSUNG EXYNOS4212"
+ default y
+ depends on ARCH_EXYNOS4
++ select MACH_EXYNOS4_DT
+ select PINCTRL_EXYNOS
+ select S5P_PM if PM
+ select S5P_SLEEP if PM
+- select SAMSUNG_DMADEV
++ select SAMSUNG_DMADEV if !ARCH_MULTIPLATFORM
+ help
+ Enable EXYNOS4212 SoC support
+
+@@ -60,8 +76,9 @@ config SOC_EXYNOS4412
+ bool "SAMSUNG EXYNOS4412"
+ default y
+ depends on ARCH_EXYNOS4
++ select MACH_EXYNOS4_DT
+ select PINCTRL_EXYNOS
+- select SAMSUNG_DMADEV
++ select SAMSUNG_DMADEV if !ARCH_MULTIPLATFORM
+ help
+ Enable EXYNOS4412 SoC support
+
+@@ -70,11 +87,12 @@ config SOC_EXYNOS5250
+ default y
+ depends on ARCH_EXYNOS5
+ select PINCTRL_EXYNOS
++ select MACH_EXYNOS5_DT
+ select PM_GENERIC_DOMAINS if PM
+ select S5P_PM if PM
+ select S5P_SLEEP if PM
+ select S5P_DEV_MFC
+- select SAMSUNG_DMADEV
++ select SAMSUNG_DMADEV if !ARCH_MULTIPLATFORM
+ help
+ Enable EXYNOS5250 SoC support
+
+@@ -121,9 +139,7 @@ config MACH_EXYNOS4_DT
+ with this machine file.
+
+ config MACH_EXYNOS5_DT
+- bool "SAMSUNG EXYNOS5 Machine using device tree"
+- default y
+- depends on ARCH_EXYNOS5
++ bool
+ select ARM_AMBA
+ select CLKSRC_OF
+ select USB_ARCH_HAS_XHCI
+diff --git a/arch/arm/mach-exynos/Makefile b/arch/arm/mach-exynos/Makefile
+index e970a7a..ae397bb 100644
+--- a/arch/arm/mach-exynos/Makefile
++++ b/arch/arm/mach-exynos/Makefile
+diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
+@@ -5,14 +5,11 @@
+ #
+ # Licensed under GPLv2
+
+-obj-y :=
+-obj-m :=
+-obj-n :=
+-obj- :=
++ccflags-$(CONFIG_ARCH_MULTIPLATFORM) += -I$(srctree)/$(src)/include -I$(srctree)/arch/arm/plat-samsung
+
+-# Core
++ifdef CONFIG_ARCH_EXYNOS_COMMON
+
+-obj-$(CONFIG_ARCH_EXYNOS) += common.o
++obj-y += pmu.o
+
+ obj-$(CONFIG_S5P_PM) += pm.o
+ obj-$(CONFIG_PM_GENERIC_DOMAINS) += pm_domains.o
+@@ -24,8 +21,8 @@
+
+ obj-$(CONFIG_HOTPLUG_CPU) += hotplug.o
+
+-obj-$(CONFIG_ARCH_EXYNOS) += exynos-smc.o
+-obj-$(CONFIG_ARCH_EXYNOS) += firmware.o
+++obj-y += exynos-smc.o
+++obj-y += firmware.o
+
+ plus_sec := $(call as-instr,.arch_extension sec,+sec)
+ AFLAGS_exynos-smc.o :=-Wa,-march=armv7-a$(plus_sec)
+@@ -34,3 +31,5 @@
+
+ obj-$(CONFIG_MACH_EXYNOS4_DT) += mach-exynos4-dt.o
+ obj-$(CONFIG_MACH_EXYNOS5_DT) += mach-exynos5-dt.o
++
++endif
+index 3dc5cbe..e61abdc 100644
+--- a/arch/arm/plat-samsung/Kconfig
++++ b/arch/arm/plat-samsung/Kconfig
+@@ -6,7 +6,7 @@
+
+ config PLAT_SAMSUNG
+ bool
+- depends on PLAT_S3C24XX || ARCH_S3C64XX || PLAT_S5P || ARCH_EXYNOS
++ depends on PLAT_S3C24XX || ARCH_S3C64XX || PLAT_S5P || ARCH_EXYNOS_COMMON
+ default y
+ select GENERIC_IRQ_CHIP
+ select NO_IOPORT
+@@ -176,6 +176,7 @@ config S5P_DEV_UART
+
+ config S3C_ADC
+ bool "ADC common driver support"
++ depends on !ARCH_MULTIPLATFORM
+ help
+ Core support for the ADC block found in the Samsung SoC systems
+ for drivers such as the touchscreen and hwmon to use to share
+@@ -396,6 +397,7 @@ config S5P_DEV_USB_EHCI
+
+ config S3C24XX_PWM
+ bool "PWM device support"
++ depends on !ARCH_MULTIPLATFORM
+ select PWM
+ select PWM_SAMSUNG
+ help
+@@ -453,7 +455,7 @@ comment "Power management"
+ config SAMSUNG_PM_DEBUG
+ bool "S3C2410 PM Suspend debug"
+ depends on PM
+- select DEBUG_LL
++ depends on DEBUG_LL && SERIAL_SAMSUNG
+ help
+ Say Y here if you want verbose debugging from the PM Suspend and
+ Resume code. See <file:Documentation/arm/Samsung-S3C24XX/Suspend.txt>
+diff --git a/arch/arm/plat-samsung/Makefile b/arch/arm/plat-samsung/Makefile
+index 98d07d8..b458e7d 100644
+--- a/arch/arm/plat-samsung/Makefile
++++ b/arch/arm/plat-samsung/Makefile
+@@ -4,6 +4,9 @@
+ #
+ # Licensed under GPLv2
+
++ccflags-$(CONFIG_ARCH_MULTI_V7) += -I$(srctree)/$(src)/include
++ccflags-$(CONFIG_ARCH_EXYNOS_COMMON) += -I$(srctree)/arch/arm/mach-exynos/include
++
+ obj-y :=
+ obj-m :=
+ obj-n := dummy.o
+diff --git a/arch/arm/plat-samsung/s5p-irq-pm.c b/arch/arm/plat-samsung/s5p-irq-pm.c
+index 7c1e3b7..dc66bb5 100644
+--- a/arch/arm/plat-samsung/s5p-irq-pm.c
++++ b/arch/arm/plat-samsung/s5p-irq-pm.c
+@@ -40,7 +40,7 @@ int s3c_irq_wake(struct irq_data *data, unsigned int state)
+ unsigned long irqbit;
+ unsigned int irq_rtc_tic, irq_rtc_alarm;
+
+-#ifdef CONFIG_ARCH_EXYNOS
++#ifdef CONFIG_ARCH_EXYNOS_COMMON
+ if (soc_is_exynos5250()) {
+ irq_rtc_tic = EXYNOS5_IRQ_RTC_TIC;
+ irq_rtc_alarm = EXYNOS5_IRQ_RTC_ALARM;
+diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
+index 81465c2..6bd8b5a 100644
+--- a/drivers/clocksource/Kconfig
++++ b/drivers/clocksource/Kconfig
+@@ -75,7 +75,7 @@ config CLKSRC_METAG_GENERIC
+ This option enables support for the Meta per-thread timers.
+
+ config CLKSRC_EXYNOS_MCT
+- def_bool y if ARCH_EXYNOS
++ def_bool y if ARCH_EXYNOS_COMMON
+ help
+ Support for Multi Core Timer controller on Exynos SoCs.
+
+diff --git a/drivers/cpufreq/Kconfig.arm b/drivers/cpufreq/Kconfig.arm
+index de4d5d9..ffe9cb3 100644
+--- a/drivers/cpufreq/Kconfig.arm
++++ b/drivers/cpufreq/Kconfig.arm
+@@ -27,6 +27,7 @@ config ARM_EXYNOS_CPUFREQ
+
+ If in doubt, say N.
+
++if ARM_EXYNOS_CPUFREQ
+ config ARM_EXYNOS4210_CPUFREQ
+ def_bool CPU_EXYNOS4210
+ help
+@@ -54,6 +55,7 @@ config ARM_EXYNOS5440_CPUFREQ
+ SoC. The nature of exynos5440 clock controller is
+ different than previous exynos controllers so not using
+ the common exynos framework.
++endif
+
+ config ARM_HIGHBANK_CPUFREQ
+ tristate "Calxeda Highbank-based"
+diff --git a/drivers/devfreq/Kconfig b/drivers/devfreq/Kconfig
+index 31f3adb..15454ad 100644
+--- a/drivers/devfreq/Kconfig
++++ b/drivers/devfreq/Kconfig
+@@ -68,6 +68,7 @@ comment "DEVFREQ Drivers"
+ config ARM_EXYNOS4_BUS_DEVFREQ
+ bool "ARM Exynos4210/4212/4412 Memory Bus DEVFREQ Driver"
+ depends on CPU_EXYNOS4210 || SOC_EXYNOS4212 || SOC_EXYNOS4412
++ depends on !ARCH_MULTIPLATFORM
+ select ARCH_HAS_OPP
+ select DEVFREQ_GOV_SIMPLE_ONDEMAND
+ help
+diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
+index 6c6034e..d9ed7c0 100644
+--- a/drivers/iommu/Kconfig
++++ b/drivers/iommu/Kconfig
+@@ -168,7 +168,7 @@ config TEGRA_IOMMU_SMMU
+
+ config EXYNOS_IOMMU
+ bool "Exynos IOMMU Support"
+- depends on ARCH_EXYNOS && EXYNOS_DEV_SYSMMU
++ depends on ARCH_EXYNOS_COMMON && EXYNOS_DEV_SYSMMU
+ select IOMMU_API
+ help
+ Support for the IOMMU(System MMU) of Samsung Exynos application
+diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig
+index 5a8ad51..03688dd 100644
+--- a/drivers/pinctrl/Kconfig
++++ b/drivers/pinctrl/Kconfig
+@@ -252,7 +252,7 @@ config PINCTRL_SAMSUNG
+
+ config PINCTRL_EXYNOS
+ bool "Pinctrl driver data for Samsung EXYNOS SoCs other than 5440"
+- depends on OF && GPIOLIB && ARCH_EXYNOS
++ depends on OF && GPIOLIB && ARCH_EXYNOS_COMMON
+ select PINCTRL_SAMSUNG
+
+ config PINCTRL_EXYNOS5440
+diff --git a/drivers/pwm/Kconfig b/drivers/pwm/Kconfig
+index 75840b5..746a931 100644
+--- a/drivers/pwm/Kconfig
++++ b/drivers/pwm/Kconfig
+@@ -140,7 +140,7 @@ config PWM_RENESAS_TPU
+
+ config PWM_SAMSUNG
+ tristate "Samsung PWM support"
+- depends on PLAT_SAMSUNG
++ depends on PLAT_SAMSUNG && !ARCH_MULTIPLATFORM
+ help
+ Generic PWM framework driver for Samsung.
+
+diff --git a/drivers/spi/Kconfig b/drivers/spi/Kconfig
+index 89cbbab..830b8e7 100644
+--- a/drivers/spi/Kconfig
++++ b/drivers/spi/Kconfig
+@@ -365,7 +365,7 @@ config SPI_S3C24XX_FIQ
+
+ config SPI_S3C64XX
+ tristate "Samsung S3C64XX series type SPI"
+- depends on (ARCH_S3C24XX || ARCH_S3C64XX || ARCH_S5P64X0 || ARCH_EXYNOS)
++ depends on (ARCH_S3C24XX || ARCH_S3C64XX || ARCH_S5P64X0 || ARCH_EXYNOS_COMMON)
+ select S3C64XX_DMA if ARCH_S3C64XX
+ help
+ SPI driver for Samsung S3C64XX and newer SoCs.
+diff --git a/drivers/usb/host/Kconfig b/drivers/usb/host/Kconfig
+index 4263d01..d7ad720 100644
+--- a/drivers/usb/host/Kconfig
++++ b/drivers/usb/host/Kconfig
+@@ -462,7 +462,7 @@ config USB_OHCI_SH
+
+ config USB_OHCI_EXYNOS
+ boolean "OHCI support for Samsung EXYNOS SoC Series"
+- depends on ARCH_EXYNOS
++ depends on ARCH_EXYNOS_COMMON
+ help
+ Enable support for the Samsung Exynos SOC's on-chip OHCI controller.
+
+diff --git a/drivers/video/Kconfig b/drivers/video/Kconfig
+index 2c301f8..0ba3e03 100644
+--- a/drivers/video/Kconfig
++++ b/drivers/video/Kconfig
+@@ -2039,7 +2039,7 @@ config FB_TMIO_ACCELL
+ config FB_S3C
+ tristate "Samsung S3C framebuffer support"
+ depends on FB && (CPU_S3C2416 || ARCH_S3C64XX || ARCH_S5P64X0 || \
+- ARCH_S5PC100 || ARCH_S5PV210 || ARCH_EXYNOS)
++ ARCH_S5PC100 || ARCH_S5PV210 || ARCH_EXYNOS_COMMON)
+ select FB_CFB_FILLRECT
+ select FB_CFB_COPYAREA
+ select FB_CFB_IMAGEBLIT
+diff --git a/drivers/video/exynos/Kconfig b/drivers/video/exynos/Kconfig
+index b8abda5..216af14 100644
+--- a/drivers/video/exynos/Kconfig
++++ b/drivers/video/exynos/Kconfig
+@@ -15,7 +15,7 @@ if EXYNOS_VIDEO
+
+ config EXYNOS_MIPI_DSI
+ bool "EXYNOS MIPI DSI driver support."
+- depends on ARCH_S5PV210 || ARCH_EXYNOS
++ depends on ARCH_S5PV210 || ARCH_EXYNOS_COMMON
+ help
+ This enables support for MIPI-DSI device.
+
+@@ -29,7 +29,7 @@ config EXYNOS_LCD_S6E8AX0
+
+ config EXYNOS_DP
+ bool "EXYNOS DP driver support"
+- depends on ARCH_EXYNOS
++ depends on ARCH_EXYNOS_COMMON
+ default n
+ help
+ This enables support for DP device.
+diff --git a/sound/soc/samsung/Kconfig b/sound/soc/samsung/Kconfig
+index 9855dfc..fcb2045 100644
+--- a/sound/soc/samsung/Kconfig
++++ b/sound/soc/samsung/Kconfig
+@@ -1,6 +1,6 @@
+ config SND_SOC_SAMSUNG
+ tristate "ASoC support for Samsung"
+- depends on PLAT_SAMSUNG
++ depends on PLAT_SAMSUNG && !ARCH_MULTIPLATFORM
+ select S3C64XX_DMA if ARCH_S3C64XX
+ select S3C2410_DMA if ARCH_S3C24XX
+ help
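Review bot: The lines carried as `+++obj-y += exynos-smc.o` and `+++obj-y += firmware.o` have one `+` too many, so the inner patch adds `+obj-y += exynos-smc.o` to arch/arm/mach-exynos/Makefile, which assigns to a variable named `+obj-y` instead of `obj-y`. The secure-monitor call and firmware objects would then presumably drop out of the build; the inner lines should read `+obj-y += exynos-smc.o` and `+obj-y += firmware.o`. The same file section also has a stray `diff --git a/arch/arm/plat-samsung/Kconfig` header between the Makefile's `+++` line and its first hunk, with the matching `index 3dc5cbe..e61abdc` lines appearing only after the Makefile hunks. That suggests the patch was edited by hand, so it is worth confirming that it applies cleanly and to the intended files.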
diff --git a/freed-ora/current/master/arm-imx-fixsound.patch b/freed-ora/current/master/arm-imx-fixsound.patch
new file mode 100644
index 000000000..cfad652e4
--- /dev/null
+++ b/freed-ora/current/master/arm-imx-fixsound.patch
@@ -0,0 +1,65 @@
+From 3f1a91aa25579ba5e7268a47a73d2a83e4802c62 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <fabio.estevam@freescale.com>
+Date: Mon, 29 Jul 2013 21:37:32 +0000
+Subject: ASoC: fsl: Fix module build
+
+Building imx_v6_v7_defconfig with all audio drivers as modules results in
+the folowing build error:
+
+ERROR: "imx_pcm_fiq_init" [sound/soc/fsl/snd-soc-imx-ssi.ko] undefined!
+ERROR: "imx_pcm_dma_init" [sound/soc/fsl/snd-soc-imx-ssi.ko] undefined!
+ERROR: "imx_pcm_fiq_exit" [sound/soc/fsl/snd-soc-imx-ssi.ko] undefined!
+ERROR: "imx_pcm_dma_exit" [sound/soc/fsl/snd-soc-imx-ssi.ko] undefined!
+ERROR: "imx_pcm_dma_init" [sound/soc/fsl/snd-soc-fsl-ssi.ko] undefined!
+ERROR: "imx_pcm_dma_exit" [sound/soc/fsl/snd-soc-fsl-ssi.ko] undefined!
+
+Fix this by allowing SND_SOC_IMX_PCM_FIQ and SND_SOC_IMX_PCM_DMA to be also
+built as modules and by using 'IS_ENABLED' to cover the module case.
+
+Reported-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
+Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
+Acked-by: Shawn Guo <shawn.guo@linaro.org>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+---
+diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig
+index 3a79d01..c26449b 100644
+--- a/sound/soc/fsl/Kconfig
++++ b/sound/soc/fsl/Kconfig
+@@ -109,11 +109,11 @@ config SND_SOC_IMX_SSI
+ tristate
+
+ config SND_SOC_IMX_PCM_FIQ
+- bool
++ tristate
+ select FIQ
+
+ config SND_SOC_IMX_PCM_DMA
+- bool
++ tristate
+ select SND_SOC_GENERIC_DMAENGINE_PCM
+
+ config SND_SOC_IMX_AUDMUX
+diff --git a/sound/soc/fsl/imx-pcm.h b/sound/soc/fsl/imx-pcm.h
+index 9136625..5d5b733 100644
+--- a/sound/soc/fsl/imx-pcm.h
++++ b/sound/soc/fsl/imx-pcm.h
+@@ -32,7 +32,7 @@
+ dma_data->peripheral_type = IMX_DMATYPE_SSI;
+ }
+
+-#ifdef CONFIG_SND_SOC_IMX_PCM_DMA
++#if IS_ENABLED(CONFIG_SND_SOC_IMX_PCM_DMA)
+ int imx_pcm_dma_init(struct platform_device *pdev);
+ void imx_pcm_dma_exit(struct platform_device *pdev);
+ #else
+@@ -46,7 +46,7 @@
+ }
+ #endif
+
+-#ifdef CONFIG_SND_SOC_IMX_PCM_FIQ
++#if IS_ENABLED(CONFIG_SND_SOC_IMX_PCM_FIQ)
+ int imx_pcm_fiq_init(struct platform_device *pdev);
+ void imx_pcm_fiq_exit(struct platform_device *pdev);
+ #else
+--
+cgit v0.9.2
diff --git a/freed-ora/current/master/arm-omap-bbb-dts.patch b/freed-ora/current/master/arm-omap-bbb-dts.patch
new file mode 100644
index 000000000..b9b9fc475
--- /dev/null
+++ b/freed-ora/current/master/arm-omap-bbb-dts.patch
@@ -0,0 +1,230 @@
+From 227cadff47a2b00e91deb5b54f1fd551808d42ae Mon Sep 17 00:00:00 2001
+From: Pantelis Antoniou <panto@antoniou-consulting.com>
+Date: Fri, 28 Jun 2013 14:18:08 +0300
+Subject: [PATCH 1/3] am335x: dts: Add beaglebone black DTS
+
+Added the beaglebone black's DTS file. Note that at some point in
+time we'll switch to using a common black.dtsi file.
+
+Signed-off-by: Pantelis Antoniou <panto@antoniou-consulting.com>
+---
+ arch/arm/boot/dts/Makefile | 3 +-
+ arch/arm/boot/dts/am335x-boneblack.dts | 196 +++++++++++++++++++++++++++++++++
+ 2 files changed, 198 insertions(+), 1 deletion(-)
+ create mode 100644 arch/arm/boot/dts/am335x-boneblack.dts
+
+diff --git a/arch/arm/boot/dts/Makefile b/arch/arm/boot/dts/Makefile
+--- a/arch/arm/boot/dts/Makefile.orig 2013-07-17 11:51:55.510389342 +0100
++++ b/arch/arm/boot/dts/Makefile 2013-07-17 11:55:09.492689175 +0100
+@@ -172,6 +172,7 @@
+ am335x-evm.dtb \
+ am335x-evmsk.dtb \
+ am335x-bone.dtb \
++ am335x-boneblack.dtb \
+ am3517-evm.dtb \
+ am3517_mt_ventoux.dtb \
+ am43x-epos-evm.dtb
+diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts
+new file mode 100644
+index 0000000..d21e223
+--- /dev/null
++++ b/arch/arm/boot/dts/am335x-boneblack.dts
+@@ -0,0 +1,196 @@
++/*
++ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++/dts-v1/;
++
++/include/ "am33xx.dtsi"
++
++/ {
++ model = "TI AM335x BeagleBone";
++ compatible = "ti,am335x-bone", "ti,am33xx";
++
++ cpus {
++ cpu@0 {
++ cpu0-supply = <&dcdc2_reg>;
++
++ /*
++ * To consider voltage drop between PMIC and SoC,
++ * tolerance value is reduced to 2% from 4% and
++ * voltage value is increased as a precaution.
++ */
++ operating-points = <
++ /* kHz uV */
++ 1000000 1350000
++ 800000 1300000
++ 600000 1112000
++ 300000 969000
++ >;
++ };
++ };
++
++ memory {
++ device_type = "memory";
++ reg = <0x80000000 0x10000000>; /* 256 MB */
++ };
++
++ am33xx_pinmux: pinmux@44e10800 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&user_leds_s0>;
++
++ user_leds_s0: user_leds_s0 {
++ pinctrl-single,pins = <
++ 0x54 0x7 /* gpmc_a5.gpio1_21, OUTPUT | MODE7 */
++ 0x58 0x17 /* gpmc_a6.gpio1_22, OUTPUT_PULLUP | MODE7 */
++ 0x5c 0x7 /* gpmc_a7.gpio1_23, OUTPUT | MODE7 */
++ 0x60 0x17 /* gpmc_a8.gpio1_24, OUTPUT_PULLUP | MODE7 */
++ >;
++ };
++
++ emmc2_pins: pinmux_emmc2_pins {
++ pinctrl-single,pins = <
++ 0x80 0x32 /* gpmc_csn1.mmc1_clk, INPUT_PULLUP | MODE2 */
++ 0x84 0x32 /* gpmc_csn2.mmc1_cmd, INPUT_PULLUP | MODE2 */
++ 0x00 0x31 /* gpmc_ad0.mmc1_dat0, INPUT_PULLUP | MODE1 */
++ 0x04 0x31 /* gpmc_ad1.mmc1_dat1, INPUT_PULLUP | MODE1 */
++ 0x08 0x31 /* gpmc_ad2.mmc1_dat2, INPUT_PULLUP | MODE1 */
++ 0x0c 0x31 /* gpmc_ad3.mmc1_dat3, INPUT_PULLUP | MODE1 */
++ 0x10 0x31 /* gpmc_ad4.mmc1_dat4, INPUT_PULLUP | MODE1 */
++ 0x14 0x31 /* gpmc_ad5.mmc1_dat5, INPUT_PULLUP | MODE1 */
++ 0x18 0x31 /* gpmc_ad6.mmc1_dat6, INPUT_PULLUP | MODE1 */
++ 0x1c 0x31 /* gpmc_ad7.mmc1_dat7, INPUT_PULLUP | MODE1 */
++ /* eMMC_RSTn */
++ 0x50 0x17 /* gpmc_a4.gpio1_20, OUTPUT | MODE7 | PULLUP */
++ >;
++ };
++ };
++
++ ocp {
++ uart1: serial@44e09000 {
++ status = "okay";
++ };
++
++ i2c0: i2c@44e0b000 {
++ status = "okay";
++ clock-frequency = <400000>;
++
++ tps: tps@24 {
++ reg = <0x24>;
++ };
++
++ };
++ };
++
++ leds {
++ compatible = "gpio-leds";
++
++ led@2 {
++ label = "beaglebone:green:heartbeat";
++ gpios = <&gpio1 21 0>;
++ linux,default-trigger = "heartbeat";
++ default-state = "off";
++ };
++
++ led@3 {
++ label = "beaglebone:green:mmc0";
++ gpios = <&gpio1 22 0>;
++ linux,default-trigger = "mmc0";
++ default-state = "off";
++ };
++
++ led@4 {
++ label = "beaglebone:green:usr2";
++ gpios = <&gpio1 23 0>;
++ default-state = "off";
++ };
++
++ led@5 {
++ label = "beaglebone:green:usr3";
++ gpios = <&gpio1 24 0>;
++ default-state = "off";
++ };
++ };
++
++ vmmcsd_fixed: fixedregulator@0 {
++ compatible = "regulator-fixed";
++ regulator-name = "vmmcsd_fixed";
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ };
++
++};
++
++/include/ "tps65217.dtsi"
++
++&tps {
++ regulators {
++ dcdc1_reg: regulator@0 {
++ regulator-always-on;
++ };
++
++ dcdc2_reg: regulator@1 {
++ /* VDD_MPU voltage limits 0.95V - 1.26V with +/-4% tolerance */
++ regulator-name = "vdd_mpu";
++ regulator-min-microvolt = <925000>;
++ regulator-max-microvolt = <1325000>;
++ regulator-boot-on;
++ regulator-always-on;
++ };
++
++ dcdc3_reg: regulator@2 {
++ /* VDD_CORE voltage limits 0.95V - 1.1V with +/-4% tolerance */
++ regulator-name = "vdd_core";
++ regulator-min-microvolt = <925000>;
++ regulator-max-microvolt = <1150000>;
++ regulator-boot-on;
++ regulator-always-on;
++ };
++
++ ldo1_reg: regulator@3 {
++ regulator-always-on;
++ };
++
++ ldo2_reg: regulator@4 {
++ regulator-always-on;
++ };
++
++ ldo3_reg: regulator@5 {
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>; /* orig 3.3V*/
++ regulator-always-on;
++ };
++
++ ldo4_reg: regulator@6 {
++ regulator-always-on;
++ };
++ };
++};
++
++&cpsw_emac0 {
++ phy_id = <&davinci_mdio>, <0>;
++};
++
++&cpsw_emac1 {
++ phy_id = <&davinci_mdio>, <1>;
++};
++
++&mmc1 {
++ status = "okay";
++ vmmc-supply = <&vmmcsd_fixed>;
++ ti,vcc-aux-disable-is-sleep;
++};
++
++&mmc2 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&emmc2_pins>; /* wrong numbering */
++ vmmc-supply = <&ldo3_reg>;
++ bus-width = <8>;
++ ti,non-removable;
++ status = "okay";
++ ti,vcc-aux-disable-is-sleep;
++
++ reset-gpio = <&gpio1 20 0x00>;
++};
+--
+1.8.2.1
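Review bot: The 1 GHz entry in `operating-points` asks for `1350000` uV, but the supply it names, `dcdc2_reg`, is capped at `regulator-max-microvolt = <1325000>`, and the comment on that regulator gives 1.26V plus 4% as the VDD_MPU limit. A request above the regulator's constraint would presumably be refused, so either the top operating point or the regulator ceiling has to change; which one is a hardware question this patch does not answer. The file also reuses `model = "TI AM335x BeagleBone"` and `compatible = "ti,am335x-bone"` unchanged for the Black board. It leaves the `/* wrong numbering */` remark on `pinctrl-0 = <&emmc2_pins>` unexplained; a one-line comment saying what is misnumbered would help the next reader.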
diff --git a/freed-ora/current/master/arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch b/freed-ora/current/master/arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch
new file mode 100644
index 000000000..d6de76989
--- /dev/null
+++ b/freed-ora/current/master/arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch
@@ -0,0 +1,13 @@
+diff --git a/sound/soc/samsung/dma.c b/sound/soc/samsung/dma.c
+index 21b7926..19e6662 100644
+--- a/sound/soc/samsung/dma.c
++++ b/sound/soc/samsung/dma.c
+@@ -76,7 +76,7 @@ static void dma_enqueue(struct snd_pcm_substream *substream)
+
+ pr_debug("Entered %s\n", __func__);
+
+- limit = (prtd->dma_end - prtd->dma_start) / prtd->dma_period;
++ limit = (u32)(prtd->dma_end - prtd->dma_start) / prtd->dma_period;
+
+ pr_debug("%s: loaded %d, limit %d\n",
+ __func__, prtd->dma_loaded, limit);
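Review bot: The `(u32)` cast in dma_enqueue narrows the buffer length `prtd->dma_end - prtd->dma_start` before the division, and the patch carries no comment saying why the truncation is safe. A line such as `/* buffer length fits in 32 bits; avoid a 64-bit divide */` above the assignment would record the assumption for the next reader. The function begins and ends outside the hunk, so the types of these fields are not visible here.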
diff --git a/freed-ora/current/master/arm-wandboard-quad.patch b/freed-ora/current/master/arm-wandboard-quad.patch
new file mode 100644
index 000000000..ff746ed02
--- /dev/null
+++ b/freed-ora/current/master/arm-wandboard-quad.patch
@@ -0,0 +1,58 @@
+diff -uNr linux-3.10.0-0.rc7.git0.2.fc20.x86_64/arch/arm/boot/dts/imx6q-wandboard.dts linux-3.10.0-0.rc7.git0.2.fc20.armv7hl/arch/arm/boot/dts/imx6q-wandboard.dts
+--- linux-3.10.0-0.rc7.git0.2.fc20.x86_64/arch/arm/boot/dts/imx6q-wandboard.dts 1969-12-31 18:00:00.000000000 -0600
++++ linux-3.10.0-0.rc7.git0.2.fc20.armv7hl/arch/arm/boot/dts/imx6q-wandboard.dts 2013-06-30 15:09:21.350610898 -0500
+@@ -0,0 +1,44 @@
++/*
++ * Copyright 2013 Freescale Semiconductor, Inc.
++ *
++ * Author: Fabio Estevam <fabio.estevam@freescale.com>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ *
++ */
++/dts-v1/;
++#include "imx6q.dtsi"
++
++/ {
++ model = "Wandboard i.MX6 Quad Board";
++ compatible = "wand,imx6q-wandboard", "fsl,imx6q";
++
++ memory {
++ reg = <0x10000000 0x80000000>;
++ };
++};
++
++&fec {
++ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_enet_1>;
++ phy-mode = "rgmii";
++ status = "okay";
++};
++
++&uart1 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_uart1_1>;
++ status = "okay";
++};
++
++&usbh1 {
++ status = "okay";
++};
++
++&usdhc3 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_usdhc3_2>;
++ status = "okay";
++};
+--- linux-3.11.0-0.rc0.git6.2.fc20.x86_64/arch/arm/boot/dts/Makefile.orig 2013-07-12 10:45:40.231087368 -0500
++++ linux-3.11.0-0.rc0.git6.2.fc20.x86_64/arch/arm/boot/dts/Makefile 2013-07-12 10:48:39.973819470 -0500
+@@ -131,6 +131,7 @@
+ imx6q-sabrelite.dtb \
+ imx6q-sabresd.dtb \
+ imx6q-sbc6x.dtb \
++ imx6q-wandboard.dtb \
+ imx6sl-evk.dtb \
+ vf610-twr.dtb
+ dtb-$(CONFIG_ARCH_MXS) += imx23-evk.dtb \
diff --git a/freed-ora/current/master/arm64-makefile-vdso_install.patch b/freed-ora/current/master/arm64-makefile-vdso_install.patch
deleted file mode 100644
index f7b4d122b..000000000
--- a/freed-ora/current/master/arm64-makefile-vdso_install.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
-index c95c5cb..b6ccf8a 100644
---- a/arch/arm64/Makefile
-+++ b/arch/arm64/Makefile
-@@ -60,6 +60,10 @@ zinstall install: vmlinux
- dtbs: scripts
- $(Q)$(MAKE) $(build)=$(boot)/dts dtbs
-
-+PHONY += vdso_install
-+vdso_install:
-+ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
-+
- # We use MRPROPER_FILES and CLEAN_FILES now
- archclean:
- $(Q)$(MAKE) $(clean)=$(boot)
diff --git a/freed-ora/current/master/ath3k-dont-use-stack-memory-for-DMA.patch b/freed-ora/current/master/ath3k-dont-use-stack-memory-for-DMA.patch
deleted file mode 100644
index 610a00067..000000000
--- a/freed-ora/current/master/ath3k-dont-use-stack-memory-for-DMA.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Memory allocated by vmalloc (including stack) can not be used for DMA,
-i.e. data pointer on usb_control_msg() should not point to stack memory.
-
-Resolves:
-https://bugzilla.redhat.com/show_bug.cgi?id=977558
-
-Reported-and-tested-by: Andy Lawrence <dr.diesel@gmail.com>
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
----
- drivers/bluetooth/ath3k.c | 38 +++++++++++++++++++++++++++++---------
- 1 file changed, 29 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
-index 11f467c..81b636c 100644
---- a/drivers/bluetooth/ath3k.c
-+++ b/drivers/bluetooth/ath3k.c
-@@ -193,24 +193,44 @@ error:
-
- static int ath3k_get_state(struct usb_device *udev, unsigned char *state)
- {
-- int pipe = 0;
-+ int ret, pipe = 0;
-+ char *buf;
-+
-+ buf = kmalloc(1, GFP_KERNEL);
-+ if (!buf)
-+ return -ENOMEM;
-
- pipe = usb_rcvctrlpipe(udev, 0);
-- return usb_control_msg(udev, pipe, ATH3K_GETSTATE,
-- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
-- state, 0x01, USB_CTRL_SET_TIMEOUT);
-+ ret = usb_control_msg(udev, pipe, ATH3K_GETSTATE,
-+ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
-+ buf, 1, USB_CTRL_SET_TIMEOUT);
-+
-+ *state = *buf;
-+ kfree(buf);
-+
-+ return ret;
- }
-
- static int ath3k_get_version(struct usb_device *udev,
- struct ath3k_version *version)
- {
-- int pipe = 0;
-+ int ret, pipe = 0;
-+ char *buf;
-+ const int size = sizeof(struct ath3k_version);
-+
-+ buf = kmalloc(size, GFP_KERNEL);
-+ if (!buf)
-+ return -ENOMEM;
-
- pipe = usb_rcvctrlpipe(udev, 0);
-- return usb_control_msg(udev, pipe, ATH3K_GETVERSION,
-- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, version,
-- sizeof(struct ath3k_version),
-- USB_CTRL_SET_TIMEOUT);
-+ ret = usb_control_msg(udev, pipe, ATH3K_GETVERSION,
-+ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
-+ buf, size, USB_CTRL_SET_TIMEOUT);
-+
-+ memcpy(version, buf, size);
-+ kfree(buf);
-+
-+ return ret;
- }
-
- static int ath3k_load_fwfile(struct usb_device *udev,
---
-1.7.11.7
diff --git a/freed-ora/current/master/block-do-not-pass-disk-names-as-format-strings.patch b/freed-ora/current/master/block-do-not-pass-disk-names-as-format-strings.patch
deleted file mode 100644
index 496111dcd..000000000
--- a/freed-ora/current/master/block-do-not-pass-disk-names-as-format-strings.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Disk names may contain arbitrary strings, so they must not be interpreted
-as format strings. It seems that only md allows arbitrary strings to be
-used for disk names, but this could allow for a local memory corruption
-from uid 0 into ring 0.
-
-CVE-2013-2851
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Cc: Jens Axboe <axboe@kernel.dk>
----
- block/genhd.c | 2 +-
- drivers/block/nbd.c | 3 ++-
- drivers/scsi/osd/osd_uld.c | 2 +-
- 3 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/block/genhd.c b/block/genhd.c
-index 20625ee..cdeb527 100644
---- a/block/genhd.c
-+++ b/block/genhd.c
-@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
-
- ddev->parent = disk->driverfs_dev;
-
-- dev_set_name(ddev, disk->disk_name);
-+ dev_set_name(ddev, "%s", disk->disk_name);
-
- /* delay uevents, until we scanned partition table */
- dev_set_uevent_suppress(ddev, 1);
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index 037288e..46b35f7 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- else
- blk_queue_flush(nbd->disk->queue, 0);
-
-- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
-+ thread = kthread_create(nbd_thread, nbd, "%s",
-+ nbd->disk->disk_name);
- if (IS_ERR(thread)) {
- mutex_lock(&nbd->tx_lock);
- return PTR_ERR(thread);
-diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
-index 0fab6b5..9d86947 100644
---- a/drivers/scsi/osd/osd_uld.c
-+++ b/drivers/scsi/osd/osd_uld.c
-@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
- oud->class_dev.class = &osd_uld_class;
- oud->class_dev.parent = dev;
- oud->class_dev.release = __remove;
-- error = dev_set_name(&oud->class_dev, disk->disk_name);
-+ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
- if (error) {
- OSD_ERR("dev_set_name failed => %d\n", error);
- goto err_put_cdev;
---
-1.7.9.5
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
-Please read the FAQ at http://www.tux.org/lkml/ \ No newline at end of file
diff --git a/freed-ora/current/master/bridge-only-expire-the-mdb-entry-when-query-is-received.patch b/freed-ora/current/master/bridge-only-expire-the-mdb-entry-when-query-is-received.patch
deleted file mode 100644
index b58b57083..000000000
--- a/freed-ora/current/master/bridge-only-expire-the-mdb-entry-when-query-is-received.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b Mon Sep 17 00:00:00 2001
-From: Cong Wang <amwang@redhat.com>
-Date: Tue, 21 May 2013 21:52:55 +0000
-Subject: bridge: only expire the mdb entry when query is received
-
-Currently we arm the expire timer when the mdb entry is added,
-however, this causes problem when there is no querier sent
-out after that.
-
-So we should only arm the timer when a corresponding query is
-received, as suggested by Herbert.
-
-And he also mentioned "if there is no querier then group
-subscriptions shouldn't expire. There has to be at least one querier
-in the network for this thing to work. Otherwise it just degenerates
-into a non-snooping switch, which is OK."
-
-Cc: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: Stephen Hemminger <stephen@networkplumber.org>
-Cc: "David S. Miller" <davem@davemloft.net>
-Cc: Adam Baker <linux@baker-net.org.uk>
-Signed-off-by: Cong Wang <amwang@redhat.com>
-Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-(limited to 'net/bridge')
-
-diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
-index 2475147..40bda80 100644
---- a/net/bridge/br_multicast.c
-+++ b/net/bridge/br_multicast.c
-@@ -617,8 +617,6 @@ rehash:
-
- mp->br = br;
- mp->addr = *group;
-- setup_timer(&mp->timer, br_multicast_group_expired,
-- (unsigned long)mp);
-
- hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]);
- mdb->size++;
-@@ -656,7 +654,6 @@ static int br_multicast_add_group(struct net_bridge *br,
- struct net_bridge_mdb_entry *mp;
- struct net_bridge_port_group *p;
- struct net_bridge_port_group __rcu **pp;
-- unsigned long now = jiffies;
- int err;
-
- spin_lock(&br->multicast_lock);
-@@ -671,7 +668,6 @@ static int br_multicast_add_group(struct net_bridge *br,
-
- if (!port) {
- mp->mglist = true;
-- mod_timer(&mp->timer, now + br->multicast_membership_interval);
- goto out;
- }
-
-@@ -679,7 +675,7 @@ static int br_multicast_add_group(struct net_bridge *br,
- (p = mlock_dereference(*pp, br)) != NULL;
- pp = &p->next) {
- if (p->port == port)
-- goto found;
-+ goto out;
- if ((unsigned long)p->port < (unsigned long)port)
- break;
- }
-@@ -690,8 +686,6 @@ static int br_multicast_add_group(struct net_bridge *br,
- rcu_assign_pointer(*pp, p);
- br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
-
--found:
-- mod_timer(&p->timer, now + br->multicast_membership_interval);
- out:
- err = 0;
-
-@@ -1131,6 +1125,10 @@ static int br_ip4_multicast_query(struct net_bridge *br,
- if (!mp)
- goto out;
-
-+ setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp);
-+ mod_timer(&mp->timer, now + br->multicast_membership_interval);
-+ mp->timer_armed = true;
-+
- max_delay *= br->multicast_last_member_count;
-
- if (mp->mglist &&
-@@ -1205,6 +1203,10 @@ static int br_ip6_multicast_query(struct net_bridge *br,
- if (!mp)
- goto out;
-
-+ setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp);
-+ mod_timer(&mp->timer, now + br->multicast_membership_interval);
-+ mp->timer_armed = true;
-+
- max_delay *= br->multicast_last_member_count;
- if (mp->mglist &&
- (timer_pending(&mp->timer) ?
-@@ -1263,7 +1265,7 @@ static void br_multicast_leave_group(struct net_bridge *br,
- call_rcu_bh(&p->rcu, br_multicast_free_pg);
- br_mdb_notify(br->dev, port, group, RTM_DELMDB);
-
-- if (!mp->ports && !mp->mglist &&
-+ if (!mp->ports && !mp->mglist && mp->timer_armed &&
- netif_running(br->dev))
- mod_timer(&mp->timer, jiffies);
- }
-@@ -1275,30 +1277,12 @@ static void br_multicast_leave_group(struct net_bridge *br,
- br->multicast_last_member_interval;
-
- if (!port) {
-- if (mp->mglist &&
-+ if (mp->mglist && mp->timer_armed &&
- (timer_pending(&mp->timer) ?
- time_after(mp->timer.expires, time) :
- try_to_del_timer_sync(&mp->timer) >= 0)) {
- mod_timer(&mp->timer, time);
- }
--
-- goto out;
-- }
--
-- for (p = mlock_dereference(mp->ports, br);
-- p != NULL;
-- p = mlock_dereference(p->next, br)) {
-- if (p->port != port)
-- continue;
--
-- if (!hlist_unhashed(&p->mglist) &&
-- (timer_pending(&p->timer) ?
-- time_after(p->timer.expires, time) :
-- try_to_del_timer_sync(&p->timer) >= 0)) {
-- mod_timer(&p->timer, time);
-- }
--
-- break;
- }
-
- out:
-@@ -1674,6 +1658,7 @@ void br_multicast_stop(struct net_bridge *br)
- hlist_for_each_entry_safe(mp, n, &mdb->mhash[i],
- hlist[ver]) {
- del_timer(&mp->timer);
-+ mp->timer_armed = false;
- call_rcu_bh(&mp->rcu, br_multicast_free_group);
- }
- }
-diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
-index e260710..1b0ac95 100644
---- a/net/bridge/br_private.h
-+++ b/net/bridge/br_private.h
-@@ -112,6 +112,7 @@ struct net_bridge_mdb_entry
- struct timer_list timer;
- struct br_ip addr;
- bool mglist;
-+ bool timer_armed;
- };
-
- struct net_bridge_mdb_htable
---
-cgit v0.9.2
diff --git a/freed-ora/current/master/bridge-send-query-as-soon-as-leave-is-received.patch b/freed-ora/current/master/bridge-send-query-as-soon-as-leave-is-received.patch
deleted file mode 100644
index 8b6652e7e..000000000
--- a/freed-ora/current/master/bridge-send-query-as-soon-as-leave-is-received.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 6b7df111ece130fa979a0c4f58e53674c1e47d3e Mon Sep 17 00:00:00 2001
-From: Cong Wang <amwang@redhat.com>
-Date: Tue, 21 May 2013 21:52:56 +0000
-Subject: bridge: send query as soon as leave is received
-
-Continue sending queries when leave is received if the user marks
-it as a querier.
-
-Cc: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: Stephen Hemminger <stephen@networkplumber.org>
-Cc: "David S. Miller" <davem@davemloft.net>
-Cc: Adam Baker <linux@baker-net.org.uk>
-Signed-off-by: Cong Wang <amwang@redhat.com>
-Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-(limited to 'net/bridge')
-
-diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
-index 40bda80..37a4676 100644
---- a/net/bridge/br_multicast.c
-+++ b/net/bridge/br_multicast.c
-@@ -1250,6 +1250,32 @@ static void br_multicast_leave_group(struct net_bridge *br,
- if (!mp)
- goto out;
-
-+ if (br->multicast_querier &&
-+ !timer_pending(&br->multicast_querier_timer)) {
-+ __br_multicast_send_query(br, port, &mp->addr);
-+
-+ time = jiffies + br->multicast_last_member_count *
-+ br->multicast_last_member_interval;
-+ mod_timer(port ? &port->multicast_query_timer :
-+ &br->multicast_query_timer, time);
-+
-+ for (p = mlock_dereference(mp->ports, br);
-+ p != NULL;
-+ p = mlock_dereference(p->next, br)) {
-+ if (p->port != port)
-+ continue;
-+
-+ if (!hlist_unhashed(&p->mglist) &&
-+ (timer_pending(&p->timer) ?
-+ time_after(p->timer.expires, time) :
-+ try_to_del_timer_sync(&p->timer) >= 0)) {
-+ mod_timer(&p->timer, time);
-+ }
-+
-+ break;
-+ }
-+ }
-+
- if (port && (port->flags & BR_MULTICAST_FAST_LEAVE)) {
- struct net_bridge_port_group __rcu **pp;
-
---
-cgit v0.9.2
diff --git a/freed-ora/current/master/cdrom-use-kzalloc-for-failing-hardware.patch b/freed-ora/current/master/cdrom-use-kzalloc-for-failing-hardware.patch
deleted file mode 100644
index 6afb6c4d8..000000000
--- a/freed-ora/current/master/cdrom-use-kzalloc-for-failing-hardware.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
-From: Jonathan Salwan <jonathan.salwan@gmail.com>
-Date: Thu, 06 Jun 2013 00:39:39 +0000
-Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
-
-In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
-area with kmalloc in line 2885.
-
-2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
-2886 if (cgc->buffer == NULL)
-2887 return -ENOMEM;
-
-In line 2908 we can find the copy_to_user function:
-
-2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
-
-The cgc->buffer is never cleaned and initialized before this function. If
-ret = 0 with the previous basic block, it's possible to display some
-memory bytes in kernel space from userspace.
-
-When we read a block from the disk it normally fills the ->buffer but if
-the drive is malfunctioning there is a chance that it would only be
-partially filled. The result is an leak information to userspace.
-
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Cc: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
----
-(limited to 'drivers/cdrom/cdrom.c')
-
-diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
-index d620b44..8a3aff7 100644
---- a/drivers/cdrom/cdrom.c
-+++ b/drivers/cdrom/cdrom.c
-@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
- if (lba < 0)
- return -EINVAL;
-
-- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
-+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
- if (cgc->buffer == NULL)
- return -ENOMEM;
-
---
-cgit v0.9.2
diff --git a/freed-ora/current/master/config-arm-generic b/freed-ora/current/master/config-arm-generic
index efce65434..79716bdfa 100644
--- a/freed-ora/current/master/config-arm-generic
+++ b/freed-ora/current/master/config-arm-generic
@@ -1,43 +1,102 @@
-CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
-CONFIG_ARM_AMBA=y
-CONFIG_ARM_ARCH_TIMER=y
-# CONFIG_ARM_DT_BL_CPUFREQ is not set
-CONFIG_ARM_GIC=y
+CONFIG_KUSER_HELPERS=y
# CONFIG_ASYMMETRIC_KEY_TYPE is not set
-CONFIG_BACKLIGHT_PWM=m
# CONFIG_COMMON_CLK_DEBUG is not set
CONFIG_COMMON_CLK=y
-CONFIG_DMA_OF=y
-CONFIG_DTC=y
CONFIG_EARLY_PRINTK=y
-CONFIG_ETHERNET=y
CONFIG_FB_SSD1307=m
-CONFIG_GENERIC_GPIO=y
-CONFIG_GPIOLIB=y
-CONFIG_HIGH_RES_TIMERS=y
CONFIG_HW_PERF_EVENTS=y
-# CONFIG_I2C_NOMADIK is not set
-CONFIG_INPUT_PWM_BEEPER=m
-# CONFIG_IRQ_DOMAIN_DEBUG is not set
-# CONFIG_LEDS_RENESAS_TPU is not set
-CONFIG_MMC_ARMMMCI=y
-# CONFIG_MMC_SDHCI_PXAV2 is not set
-# CONFIG_MMC_SDHCI_PXAV3 is not set
CONFIG_MMC=y
CONFIG_NFS_FS=y
-CONFIG_NLS_ISO8859_1=y
-CONFIG_NO_HZ=y
-CONFIG_OF_DEVICE=y
-CONFIG_OF_GPIO=y
-CONFIG_OF_IRQ=y
-# CONFIG_OF_SELFTEST is not set
-CONFIG_OF=y
-CONFIG_PERF_EVENTS=y
# CONFIG_PID_IN_CONTEXTIDR is not set
CONFIG_PWM=y
CONFIG_RCU_FANOUT_LEAF=16
# CONFIG_RTC_DRV_SNVS is not set
+CONFIG_BACKLIGHT_PWM=m
+CONFIG_INPUT_PWM_BEEPER=m
+CONFIG_ARM_SP805_WATCHDOG=m
+CONFIG_ARM_ARCH_TIMER=y
+# CONFIG_ARM_DT_BL_CPUFREQ is not set
+CONFIG_NR_CPUS=8
+CONFIG_ARM_DMA_USE_IOMMU=y
+
+# ARM AMBA generic HW
+CONFIG_ARM_AMBA=y
+CONFIG_ARM_GIC=y
+CONFIG_MMC_ARMMMCI=y
CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
CONFIG_SERIAL_AMBA_PL011=y
+CONFIG_SERIO_AMBAKMI=y
+CONFIG_OC_ETM=y
+
+# ARM VExpress
+CONFIG_ARCH_VEXPRESS=y
+CONFIG_VEXPRESS_CONFIG=y
+CONFIG_COMMON_CLK_VERSATILE=y
+CONFIG_I2C_VERSATILE=m
+CONFIG_POWER_RESET_VEXPRESS=y
+CONFIG_REGULATOR_VEXPRESS=m
+CONFIG_SENSORS_VEXPRESS=m
+
+# Device tree
+CONFIG_DTC=y
+CONFIG_DMA_OF=y
+CONFIG_PROC_DEVICETREE=y
+CONFIG_OF=y
+CONFIG_OF_ADDRESS=y
+CONFIG_OF_DEVICE=y
+CONFIG_OF_EARLY_FLATTREE=y
+CONFIG_OF_FLATTREE=y
+CONFIG_OF_GPIO=y
+CONFIG_OF_I2C=m
+CONFIG_OF_IRQ=y
+CONFIG_OF_MDIO=m
+CONFIG_OF_MTD=y
+CONFIG_OF_NET=y
+CONFIG_OF_PCI_IRQ=m
+CONFIG_OF_PCI=m
+# CONFIG_OF_SELFTEST is not set
+CONFIG_SERIAL_OF_PLATFORM=y
+
+# MTD
+CONFIG_MTD_BLKDEVS=m
+CONFIG_MTD_BLOCK=m
+CONFIG_MTD_CHAR=m
+CONFIG_MTD_CFI=m
+CONFIG_MTD_CFI_INTELEXT=m
+CONFIG_MTD_CFI_AMDSTD=m
+CONFIG_MTD_CFI_STAA=m
+CONFIG_MTD_OF_PARTS=m
+# CONFIG_MTD_CFI_ADV_OPTIONS is not set
+CONFIG_MTD_PHYSMAP=m
+CONFIG_MTD_PHYSMAP_OF=m
+# CONFIG_MTD_PHYSMAP_COMPAT is not set
+CONFIG_OF_MTD=y
+
+# GPIO
+CONFIG_GENERIC_GPIO=y
+CONFIG_GPIOLIB=y
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+CONFIG_MDIO_GPIO=m
+CONFIG_POWER_RESET_GPIO=y
+CONFIG_RFKILL_GPIO=m
+
+# MFD
+CONFIG_MFD_CORE=m
+
+CONFIG_SMC91X=m
+CONFIG_SMC911X=m
# CONFIG_CRYPTO_TEST is not set
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+# CONFIG_XEN is not set
+# CONFIG_DRM_RCAR_DU is not set
+# CONFIG_DRM_SHMOBILE is not set
+# CONFIG_MMC_DW_SOCFPGA is not set
+# CONFIG_ARM_SMMU is not set
+# CONFIG_I2C_NOMADIK is not set
+# CONFIG_IRQ_DOMAIN_DEBUG is not set
+# CONFIG_LEDS_RENESAS_TPU is not set
+# CONFIG_MMC_SDHCI_PXAV2 is not set
+# CONFIG_MMC_SDHCI_PXAV3 is not set
+# CONFIG_COMMON_CLK_SI5351 is not set
+# CONFIG_LOCK_STAT is not set
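Review bot: `CONFIG_OF_MTD=y` is set twice in the new file, once under `# Device tree` and again at the end of `# MTD`. The second line is redundant and should be dropped so that a later edit cannot leave the two in disagreement. Separately, `CONFIG_KUSER_HELPERS=y` is added at the top without a comment. That option keeps the kernel's helper code mapped at a fixed address in every process, which weakens address randomisation, so the reason for keeping it should be recorded, e.g. `# KUSER_HELPERS: still required by userspace that calls the vector-page helpers`.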
diff --git a/freed-ora/current/master/config-arm64 b/freed-ora/current/master/config-arm64
index 8bac90936..018246bca 100644
--- a/freed-ora/current/master/config-arm64
+++ b/freed-ora/current/master/config-arm64
@@ -1,495 +1,84 @@
CONFIG_64BIT=y
-CONFIG_AIO=y
+CONFIG_ARM64=y
+
+# arm64 only SoCs
+CONFIG_ARCH_XGENE=y
+
# CONFIG_ALWAYS_USE_PERSISTENT_CLOCK is not set
# CONFIG_AMBA_PL08X is not set
-CONFIG_ANON_INODES=y
-CONFIG_ARCH_DMA_ADDR_T_64BIT=y
-CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
CONFIG_ARCH_HAS_HOLES_MEMORYMODEL=y
-CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
CONFIG_ARCH_REQUIRE_GPIOLIB=y
-CONFIG_ARCH_SELECT_MEMORY_MODEL=y
-CONFIG_ARCH_SPARSEMEM_DEFAULT=y
-CONFIG_ARCH_SPARSEMEM_ENABLE=y
-CONFIG_ARCH_VEXPRESS=y
-CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
-CONFIG_ARCH_WANT_FRAME_POINTERS=y
CONFIG_ARM64_64K_PAGES=y
-CONFIG_ARM64=y
# CONFIG_ARM_DT_BL_CPUFREQ is not set
-CONFIG_ASYNC_CORE=m
-CONFIG_ASYNC_MEMCPY=m
-CONFIG_ASYNC_PQ=m
-CONFIG_ASYNC_RAID6_RECOV=m
-CONFIG_ASYNC_XOR=m
-# CONFIG_ATA_NONSTANDARD is not set
-CONFIG_ATH9K_COMMON=m
-CONFIG_ATH9K_HW=m
-# CONFIG_ATH_DEBUG is not set
-CONFIG_AUDIT_GENERIC=y
-CONFIG_AVERAGE=y
-CONFIG_B43_LEDS=y
-CONFIG_B43LEGACY_LEDS=y
-CONFIG_B43_PIO=y
-CONFIG_B43_SSB=y
-CONFIG_BASE_FULL=y
-CONFIG_BASE_SMALL=0
+CONFIG_ARM_SMMU=y
+
CONFIG_BCMA_POSSIBLE=y
-# CONFIG_BINARY_PRINTF is not set
-CONFIG_BITREVERSE=y
-# CONFIG_BLK_DEV_COW_COMMON is not set
-CONFIG_BLK_DEV_CRYPTOLOOP=m
-CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
-CONFIG_BLK_DEV_LOOP=y
-CONFIG_BLOCK=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
CONFIG_BQL=y
CONFIG_BRCMUTIL=m
CONFIG_BUG=y
-# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
-# CONFIG_CFG80211_INTERNAL_REGDB is not set
CONFIG_CLKDEV_LOOKUP=y
-CONFIG_CLONE_BACKWARDS=y
CONFIG_CMDLINE="console=ttyAMA0"
# CONFIG_CMDLINE_FORCE is not set
-CONFIG_COMMON_CLK_SI5351=y
-CONFIG_COMMON_CLK_VERSATILE=y
CONFIG_CONSOLE_TRANSLATIONS=y
-# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
-CONFIG_COREDUMP=y
-CONFIG_CPU_RMAP=y
-# CONFIG_CRC32_BIT is not set
-# CONFIG_CRC32_SARWATE is not set
-# CONFIG_CRC32_SLICEBY4 is not set
-CONFIG_CRC32_SLICEBY8=y
-CONFIG_CRC32=y
-CONFIG_CRC_T10DIF=y
-CONFIG_CRYPTO_AEAD2=y
-CONFIG_CRYPTO_AEAD=y
-CONFIG_CRYPTO_ALGAPI2=y
-CONFIG_CRYPTO_ALGAPI=y
-CONFIG_CRYPTO_BLKCIPHER2=y
-CONFIG_CRYPTO_BLOWFISH_COMMON=m
-CONFIG_CRYPTO_CAST_COMMON=m
-CONFIG_CRYPTO_HASH2=y
-CONFIG_CRYPTO_HASH=y
-CONFIG_CRYPTO_MANAGER2=y
-CONFIG_CRYPTO_MD5=y
-CONFIG_CRYPTO_PCOMP2=y
-CONFIG_CRYPTO_PCOMP=m
-CONFIG_CRYPTO_RNG2=y
-CONFIG_CRYPTO_RNG=y
-CONFIG_CRYPTO_SEQIV=y
-CONFIG_CRYPTO_TWOFISH_COMMON=m
-CONFIG_CRYPTO_USER_API=y
-CONFIG_CRYPTO_WORKQUEUE=y
-CONFIG_CUSE=y
-# CONFIG_DEBUG_ATOMIC_SLEEP is not set
-# CONFIG_DEBUG_BLK_CGROUP is not set
-CONFIG_DEBUG_BUGVERBOSE=y
-# CONFIG_DEBUG_CREDENTIALS is not set
-# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
-# CONFIG_DEBUG_KMEMLEAK is not set
-# CONFIG_DEBUG_LOCK_ALLOC is not set
-CONFIG_DEBUG_MEMORY_INIT=y
-# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_DEBUG_OBJECTS is not set
-# CONFIG_DEBUG_PAGEALLOC is not set
-# CONFIG_DEBUG_PER_CPU_MAPS is not set
-# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
-# CONFIG_DEBUG_RT_MUTEXES is not set
-# CONFIG_DEBUG_SG is not set
-# CONFIG_DEBUG_SPINLOCK is not set
-# CONFIG_DEBUG_STACK_USAGE is not set
-# CONFIG_DEBUG_WRITECOUNT is not set
-CONFIG_DECOMPRESS_BZIP2=y
-CONFIG_DECOMPRESS_GZIP=y
-CONFIG_DECOMPRESS_LZMA=y
-CONFIG_DECOMPRESS_LZO=y
-CONFIG_DECOMPRESS_XZ=y
-CONFIG_DEFAULT_CUBIC=y
-CONFIG_DEFAULT_HOSTNAME="(none)"
-CONFIG_DEFAULT_IOSCHED="cfq"
-# CONFIG_DEFAULT_NOOP is not set
-# CONFIG_DEFAULT_RENO is not set
-# CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_DEFAULT_SECURITY="selinux"
-CONFIG_DEFAULT_SECURITY_SELINUX=y
-CONFIG_DEFAULT_TCP_CONG="cubic"
-CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
-# CONFIG_DETECT_HUNG_TASK is not set
-# CONFIG_DMA_API_DEBUG is not set
-# CONFIG_DMADEVICES_DEBUG is not set
-CONFIG_DMA_SHARED_BUFFER=y
-CONFIG_DM_BIO_PRISON=m
-CONFIG_DM_BUFIO=m
-CONFIG_DM_PERSISTENT_DATA=m
-CONFIG_DNS_RESOLVER=y
-CONFIG_DQL=y
-# CONFIG_DRBD_FAULT_INJECTION is not set
-# CONFIG_DVB_DUMMY_FE is not set
-CONFIG_ELF_CORE=y
-CONFIG_EVENTFD=y
-# CONFIG_EXT4_DEBUG is not set
-CONFIG_FAT_FS=y
-# CONFIG_FAULT_INJECTION is not set
+
CONFIG_FB_ARMCLCD=y
-# CONFIG_FB_BACKLIGHT is not set
-# CONFIG_FB_BOOT_VESA_SUPPORT is not set
-CONFIG_FB_CFB_COPYAREA=y
-CONFIG_FB_CFB_FILLRECT=y
-CONFIG_FB_CFB_IMAGEBLIT=y
-# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set
-# CONFIG_FB_DDC is not set
-CONFIG_FB_DEFERRED_IO=y
-# CONFIG_FB_MACMODES is not set
-# CONFIG_FB_SVGALIB is not set
-CONFIG_FB_SYS_COPYAREA=m
-CONFIG_FB_SYS_FILLRECT=m
-CONFIG_FB_SYS_FOPS=m
-CONFIG_FB_SYS_IMAGEBLIT=m
-# CONFIG_FB_WMT_GE_ROPS is not set
-CONFIG_FIB_RULES=y
-CONFIG_FILE_LOCKING=y
-CONFIG_FONT_8x16=y
-CONFIG_FONT_8x8=y
-CONFIG_FREEZER=y
-CONFIG_FS_POSIX_ACL=y
-# CONFIG_FTRACE is not set
-CONFIG_FUSE_FS=y
-CONFIG_GARP=m
CONFIG_GENERIC_ACL=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
-CONFIG_GENERIC_CLOCKEVENTS=y
-# CONFIG_GENERIC_CPU_DEVICES is not set
CONFIG_GENERIC_CSUM=y
CONFIG_GENERIC_HARDIRQS=y
CONFIG_GENERIC_HWEIGHT=y
-CONFIG_GENERIC_IOMAP=y
CONFIG_GENERIC_IO=y
-CONFIG_GENERIC_IRQ_PROBE=y
-CONFIG_GENERIC_IRQ_SHOW=y
CONFIG_GENERIC_PCI_IOMAP=y
-CONFIG_GENERIC_SMP_IDLE_THREAD=y
-CONFIG_GENERIC_TIME_VSYSCALL=y
-# CONFIG_GIGASET_DUMMYLL is not set
-# CONFIG_GIGASET_I4L is not set
-# CONFIG_GPIO_ADNP is not set
CONFIG_GPIO_DEVRES=y
-# CONFIG_GPIO_GENERIC_PLATFORM is not set
-# CONFIG_GPIO_MCP23S08 is not set
-CONFIG_HARDIRQS_SW_RESEND=y
-CONFIG_HAS_DMA=y
-CONFIG_HAS_IOMEM=y
CONFIG_HAVE_64BIT_ALIGNED_ACCESS=y
-# CONFIG_HAVE_AOUT is not set
CONFIG_HAVE_ARCH_PFN_VALID=y
CONFIG_HAVE_ARCH_TRACEHOOK=y
-# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set
CONFIG_HAVE_CLK_PREPARE=y
CONFIG_HAVE_CLK=y
-CONFIG_HAVE_DEBUG_BUGVERBOSE=y
-CONFIG_HAVE_DEBUG_KMEMLEAK=y
-CONFIG_HAVE_DMA_API_DEBUG=y
-CONFIG_HAVE_DMA_ATTRS=y
-CONFIG_HAVE_GENERIC_DMA_COHERENT=y
-CONFIG_HAVE_GENERIC_HARDIRQS=y
-CONFIG_HAVE_HW_BREAKPOINT=y
-CONFIG_HAVE_MEMBLOCK=y
CONFIG_HAVE_MEMORY_PRESENT=y
CONFIG_HAVE_NET_DSA=y
-CONFIG_HAVE_PERF_EVENTS=y
-CONFIG_HDMI=y
-CONFIG_HID_APPLE=m
-CONFIG_HID_MAGICMOUSE=m
# CONFIG_HUGETLB_PAGE is not set
CONFIG_HVC_DRIVER=y
-# CONFIG_HWMON is not set
-# CONFIG_HW_RANDOM is not set
CONFIG_HZ=100
-CONFIG_I2C_BOARDINFO=y
-# CONFIG_I2C_PXA_PCI is not set
-CONFIG_I2C_SI4713=m
-CONFIG_I2C_SMBUS=m
-# CONFIG_I2C_VERSATILE is not set
-CONFIG_IKCONFIG_PROC=y
-CONFIG_IKCONFIG=y
-CONFIG_INET6_TUNNEL=m
-CONFIG_INET6_XFRM_TUNNEL=m
-CONFIG_INET_DCCP_DIAG=m
-CONFIG_INET_TCP_DIAG=m
-CONFIG_INET_XFRM_TUNNEL=m
-CONFIG_INIT_ENV_ARG_LIMIT=32
-CONFIG_INLINE_READ_UNLOCK_IRQ=y
-CONFIG_INLINE_READ_UNLOCK=y
-CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
-CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
-CONFIG_INLINE_WRITE_UNLOCK=y
-CONFIG_IOMMU_HELPER=y
-# CONFIG_IOMMU_SUPPORT is not set
-# CONFIG_IOSCHED_DEADLINE is not set
-CONFIG_IP_DCCP_TFRC_LIB=y
-CONFIG_IP_ROUTE_CLASSID=y
-CONFIG_IPV6_NDISC_NODETYPE=y
-CONFIG_IP_VS_NFCT=y
-CONFIG_IP_VS_PROTO_AH_ESP=y
-CONFIG_IRQCHIP=y
-CONFIG_IRQ_DOMAIN=y
-CONFIG_IRQ_WORK=y
-# CONFIG_JBD2_DEBUG is not set
-CONFIG_LEDS_LP55XX_COMMON=m
-CONFIG_LOCKDEP_SUPPORT=y
-CONFIG_LOCKD=y
-# CONFIG_LOCK_STAT is not set
+
+# CONFIG_KVM is not set
CONFIG_LOG_BUF_SHIFT=14
-CONFIG_LRU_CACHE=m
-CONFIG_LZO_COMPRESS=y
-CONFIG_LZO_DECOMPRESS=y
-CONFIG_MAC80211_HAS_RC=y
-# CONFIG_MAC80211_MESSAGE_TRACING is not set
-CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
-CONFIG_MAC80211_RC_MINSTREL_HT=y
-# CONFIG_MDIO_BUS_MUX_GPIO is not set
-# CONFIG_MDIO_BUS_MUX_MMIOREG is not set
-CONFIG_MEDIA_COMMON_OPTIONS=y
-CONFIG_MEDIA_TUNER=m
-CONFIG_MEDIA_TUNER_MC44S803=m
-CONFIG_MEDIA_TUNER_MT20XX=m
-CONFIG_MEDIA_TUNER_SIMPLE=m
-CONFIG_MEDIA_TUNER_TDA18271=m
-CONFIG_MEDIA_TUNER_TDA827X=m
-CONFIG_MEDIA_TUNER_TDA8290=m
-CONFIG_MEDIA_TUNER_TDA9887=m
-CONFIG_MEDIA_TUNER_TEA5761=m
-CONFIG_MEDIA_TUNER_TEA5767=m
-CONFIG_MEDIA_TUNER_XC2028=m
-CONFIG_MEDIA_TUNER_XC4000=m
-CONFIG_MEDIA_TUNER_XC5000=m
-# CONFIG_MEMCG_SWAP_ENABLED is not set
-CONFIG_MFD_CORE=m
-# CONFIG_MFD_TMIO is not set
-CONFIG_MFD_WL1273_CORE=m
-CONFIG_MII=y
-# CONFIG_MISC_FILESYSTEMS is not set
-CONFIG_MM_OWNER=y
-# CONFIG_MODULE_FORCE_UNLOAD is not set
-CONFIG_MODULES_USE_ELF_RELA=y
-CONFIG_MOUSE_PS2_ALPS=y
-CONFIG_MOUSE_PS2_CYPRESS=y
-CONFIG_MOUSE_PS2_LOGIPS2PP=y
-CONFIG_MOUSE_PS2_SYNAPTICS=y
-CONFIG_MOUSE_PS2_TRACKPOINT=y
-CONFIG_MRP=m
-CONFIG_MTD_BLKDEVS=m
-CONFIG_MTD_BLOCK=m
-CONFIG_MTD_CHAR=m
-CONFIG_MTD_OF_PARTS=m
-CONFIG_MUTEX_SPIN_ON_OWNER=y
-CONFIG_NEED_DMA_MAP_STATE=y
-CONFIG_NEED_SG_DMA_LENGTH=y
-# CONFIG_NET_CADENCE is not set
-CONFIG_NET_CORE=y
-CONFIG_NET_DSA_MV88E6XXX=m
-CONFIG_NET_DSA_MV88E6XXX_NEED_PPU=y
-CONFIG_NET_DSA_TAG_DSA=y
-CONFIG_NET_DSA_TAG_EDSA=y
-CONFIG_NET_DSA_TAG_TRAILER=y
-CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_STATE=m
-CONFIG_NETFILTER_XT_TARGET_HL=m
-CONFIG_NETFILTER_XT_TARGET_NETMAP=m
-CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
-CONFIG_NETPOLL=y
-CONFIG_NET_SCH_FIFO=y
-CONFIG_NET_VENDOR_BROADCOM=y
-CONFIG_NETWORK_SECMARK=y
-CONFIG_NF_CONNTRACK_BROADCAST=m
-CONFIG_NF_CONNTRACK_IPV4=m
-CONFIG_NF_CONNTRACK_IPV6=m
-CONFIG_NF_CONNTRACK_LABELS=y
-CONFIG_NF_CT_PROTO_GRE=m
-CONFIG_NF_DEFRAG_IPV4=m
-CONFIG_NF_DEFRAG_IPV6=m
-CONFIG_NF_NAT_AMANDA=m
-CONFIG_NF_NAT_FTP=m
-CONFIG_NF_NAT_H323=m
-CONFIG_NF_NAT_IRC=m
-CONFIG_NF_NAT_NEEDED=y
-CONFIG_NF_NAT_PPTP=m
-CONFIG_NF_NAT_PROTO_DCCP=m
-CONFIG_NF_NAT_PROTO_GRE=m
-CONFIG_NF_NAT_PROTO_SCTP=m
-CONFIG_NF_NAT_PROTO_UDPLITE=m
-CONFIG_NF_NAT_SIP=m
-CONFIG_NF_NAT_TFTP=m
+
CONFIG_NFS_ACL_SUPPORT=y
CONFIG_NFS_COMMON=y
CONFIG_NFS_DEBUG=y
# CONFIG_NFSD_FAULT_INJECTION is not set
CONFIG_NFSD_V2_ACL=y
CONFIG_NFS_USE_KERNEL_DNS=y
-CONFIG_NLATTR=y
-CONFIG_NO_BOOTMEM=y
-CONFIG_NO_IOPORT=y
-CONFIG_NR_CPUS=4
-CONFIG_OF_ADDRESS=y
-# CONFIG_OF_DISPLAY_TIMING is not set
-CONFIG_OF_EARLY_FLATTREE=y
-CONFIG_OF_FLATTREE=y
-CONFIG_OF_I2C=m
-CONFIG_OF_MDIO=y
-CONFIG_OF_MTD=y
-CONFIG_OF_NET=y
-# CONFIG_OF_VIDEOMODE is not set
-CONFIG_ORE=m
-CONFIG_P54_LEDS=y
-CONFIG_PADATA=y
-CONFIG_PAGEFLAGS_EXTENDED=y
-CONFIG_PANIC_ON_OOPS_VALUE=0
-# CONFIG_PARPORT is not set
-# CONFIG_PARPORT_GSC is not set
-CONFIG_PERF_USE_VMALLOC=y
-CONFIG_PHYS_ADDR_T_64BIT=y
# CONFIG_PL330_DMA is not set
-CONFIG_PNFS_FILE_LAYOUT=m
-CONFIG_POSIX_MQUEUE_SYSCTL=y
-# CONFIG_POWER_RESET_GPIO is not set
-CONFIG_POWER_RESET_VEXPRESS=y
-CONFIG_PPP_BSDCOMP=m
-# CONFIG_PREEMPT_RCU is not set
-CONFIG_PRINTK=y
-# CONFIG_PROC_DEVICETREE is not set
-CONFIG_PROC_PAGE_MONITOR=y
-CONFIG_PROC_SYSCTL=y
-# CONFIG_PROVE_LOCKING is not set
-# CONFIG_QUOTA_DEBUG is not set
-CONFIG_QUOTA_TREE=y
-CONFIG_RAID6_PQ=m
CONFIG_RCU_FANOUT=64
-CONFIG_RCU_STALL_COMMON=y
-CONFIG_RD_BZIP2=y
-CONFIG_RD_GZIP=y
-CONFIG_RD_LZMA=y
-CONFIG_RD_LZO=y
-CONFIG_RD_XZ=y
-CONFIG_REGMAP_I2C=m
-CONFIG_REGMAP=y
-# CONFIG_RFKILL_GPIO is not set
-CONFIG_RFKILL_LEDS=y
-CONFIG_RFS_ACCEL=y
-CONFIG_RPS=y
# CONFIG_RTC_DRV_PL030 is not set
# CONFIG_RTC_DRV_PL031 is not set
-CONFIG_RTC_LIB=y
-# CONFIG_RTLWIFI_DEBUG is not set
-CONFIG_RT_MUTEXES=y
-CONFIG_RWSEM_GENERIC_SPINLOCK=y
-# CONFIG_SCHED_DEBUG is not set
-CONFIG_SCSI_DMA=y
-CONFIG_SCSI_MOD=y
-CONFIG_SCSI_NETLINK=y
-CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_SERIAL_8250_DMA=y
# CONFIG_SERIAL_AMBA_PL010 is not set
-CONFIG_SERIAL_OF_PLATFORM=m
-CONFIG_SERIO_AMBAKMI=y
-# CONFIG_SERIO_I8042 is not set
-CONFIG_SERIO_LIBPS2=y
-# CONFIG_SERIO_SERPORT is not set
-CONFIG_SHMEM=y
-CONFIG_SIGNALFD=y
-CONFIG_SLABINFO=y
-# CONFIG_SLAB is not set
-CONFIG_SLHC=m
-# CONFIG_SLUB_DEBUG_ON is not set
-CONFIG_SLUB_DEBUG=y
-CONFIG_SMC91X=y
-CONFIG_SND_DEBUG=y
-# CONFIG_SND_EMU10K1_SEQ is not set
-CONFIG_SND_HRTIMER=m
-CONFIG_SND=m
-CONFIG_SND_MIXER_OSS=m
-CONFIG_SND_MPU401_UART=m
-# CONFIG_SND_OPL3_LIB_SEQ is not set
-# CONFIG_SND_OPL4_LIB_SEQ is not set
-CONFIG_SND_PCM=m
-CONFIG_SND_PCM_OSS=m
-CONFIG_SND_PCM_XRUN_DEBUG=y
-CONFIG_SND_RAWMIDI=m
-CONFIG_SND_RAWMIDI_SEQ=m
-# CONFIG_SND_SBAWE_SEQ is not set
-CONFIG_SND_SEQUENCER=m
-CONFIG_SND_TIMER=m
-CONFIG_SND_VERBOSE_PRINTK=y
-CONFIG_SOUND_OSS_CORE=y
CONFIG_SPARSE_IRQ=y
-CONFIG_SPARSEMEM_EXTREME=y
-CONFIG_SPARSEMEM_MANUAL=y
-CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
CONFIG_SPARSEMEM_VMEMMAP=y
-CONFIG_SPARSEMEM=y
-CONFIG_SPLIT_PTLOCK_CPUS=4
-CONFIG_SSB_BLOCKIO=y
-CONFIG_SSB_POSSIBLE=y
-CONFIG_SSB_SDIOHOST_POSSIBLE=y
-CONFIG_STACKTRACE_SUPPORT=y
-# CONFIG_STMMAC_CHAINED is not set
-CONFIG_STMMAC_RING=y
-CONFIG_STOP_MACHINE=y
-CONFIG_STP=m
-CONFIG_SUNRPC_BACKCHANNEL=y
-CONFIG_SUNRPC_GSS=y
-CONFIG_SUNRPC=y
+
CONFIG_SWIOTLB=y
-CONFIG_SYSCTL_EXCEPTION_TRACE=y
-# CONFIG_SYSCTL_SYSCALL is not set
-CONFIG_SYSFS=y
# CONFIG_SYS_HYPERVISOR is not set
-CONFIG_SYSVIPC_SYSCTL=y
-# CONFIG_TEST_LIST_SORT is not set
-CONFIG_TEXTSEARCH_BM=m
-CONFIG_TEXTSEARCH_FSM=m
-CONFIG_TEXTSEARCH_KMP=m
-CONFIG_TEXTSEARCH=y
# CONFIG_THERMAL is not set
-CONFIG_TICK_CPU_ACCOUNTING=y
-CONFIG_TICK_ONESHOT=y
-CONFIG_TIMERFD=y
-CONFIG_TRACE_IRQFLAGS_SUPPORT=y
-CONFIG_TRACING_SUPPORT=y
-# CONFIG_TREE_RCU_TRACE is not set
-CONFIG_TREE_RCU=y
-# CONFIG_TTPCI_EEPROM is not set
-CONFIG_TTY=y
-CONFIG_UDF_NLS=y
-CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
-# CONFIG_USB_ARCH_HAS_EHCI is not set
-# CONFIG_USB_ARCH_HAS_HCD is not set
-# CONFIG_USB_ARCH_HAS_OHCI is not set
-# CONFIG_USB_ARCH_HAS_XHCI is not set
-CONFIG_USE_GENERIC_SMP_HELPERS=y
-CONFIG_VEXPRESS_CONFIG=y
-CONFIG_VFAT_FS=y
-# CONFIG_VGA_CONSOLE is not set
-# CONFIG_VGASTATE is not set
-CONFIG_VIDEO_IR_I2C=m
-CONFIG_VIDEO_V4L2=m
-CONFIG_VIRTIO_BLK=y
-CONFIG_VIRTIO_MMIO=y
-CONFIG_VIRTIO=y
+CONFIG_VIRTUALIZATION=y
CONFIG_VM_EVENT_COUNTERS=y
-CONFIG_WEXT_CORE=y
-CONFIG_WEXT_PROC=y
-CONFIG_WEXT_SPY=y
-CONFIG_WIZNET_BUS_ANY=y
-# CONFIG_WIZNET_BUS_DIRECT is not set
-# CONFIG_WIZNET_BUS_INDIRECT is not set
-CONFIG_XFRM_ALGO=y
-CONFIG_XFRM_IPCOMP=m
-CONFIG_XOR_BLOCKS=m
-CONFIG_XPS=y
-# CONFIG_XZ_DEC_BCJ is not set
-CONFIG_ZONE_DMA32=y
-CONFIG_ZONE_DMA_FLAG=0
+
+# not arm64
+# CONFIG_HW_RANDOM_ATMEL is not set
+# CONFIG_HW_RANDOM_EXYNOS is not set
+# CONFIG_GPIO_GENERIC_PLATFORM is not set
+# CONFIG_GPIO_ADNP is not set
+# CONFIG_GPIO_MCP23S08 is not set
+# CONFIG_MDIO_BUS_MUX_GPIO is not set
+# CONFIG_MDIO_BUS_MUX_MMIOREG is not set
+
+# busted build for various reasons
+# uses pci_* for some reason to allocate DMA buffers
+# CONFIG_DVB_B2C2_FLEXCOP_USB is not set
+# weird include chain resulting in missing u64 type
+# CONFIG_USB_SPEEDTOUCH is not set
+# dma issues in headers
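Review bot: The new file ends with the comment `# dma issues in headers` and no option after it, so the entry it was meant to annotate appears to be missing from the "busted build" list. Either add the intended line (`# CONFIG_<OPTION> is not set`, placeholder, since the option is not named here) or drop the comment. This hunk also removes `CONFIG_DEFAULT_SECURITY_SELINUX=y`, `CONFIG_DEFAULT_SECURITY="selinux"` and `CONFIG_NETWORK_SECMARK=y` from the arm64 file. They presumably now come from a shared generic config, but it is worth confirming that the merged arm64 config still resolves to them.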
diff --git a/freed-ora/current/master/config-armv7 b/freed-ora/current/master/config-armv7
index 1bbb3d524..1b2c1127b 100644
--- a/freed-ora/current/master/config-armv7
+++ b/freed-ora/current/master/config-armv7
@@ -1,21 +1,17 @@
# ARM unified arch kernel
-# CONFIG_ARCH_BCM is not set
-CONFIG_ARCH_HIGHBANK=y
+# CONFIG_ARCH_EXYNOS_MULTI is not set
+# CONFIG_ARCH_KEYSTONE is not set
CONFIG_ARCH_MVEBU=y
CONFIG_ARCH_MXC=y
CONFIG_ARCH_OMAP2PLUS=y
CONFIG_ARCH_PICOXCELL=y
-# CONFIG_ARCH_SIRF is not set
+CONFIG_ARCH_ROCKCHIP=y
CONFIG_ARCH_SOCFPGA=y
-# CONFIG_PLAT_SPEAR is not set
CONFIG_ARCH_SUNXI=y
CONFIG_ARCH_TEGRA=y
# CONFIG_ARCH_U8500 is not set
-CONFIG_ARCH_VEXPRESS_CA9X4=y
-CONFIG_ARCH_VEXPRESS=y
# CONFIG_ARCH_VIRT is not set
-# CONFIG_ARCH_WM8850 is not set
CONFIG_ARCH_ZYNQ=y
# These are supported in the LPAE kernel
@@ -27,16 +23,7 @@ CONFIG_ARCH_ZYNQ=y
# Generic
CONFIG_REMOTEPROC=m
-# highbank
-# 2013/04/19 - stability issues
-# CONFIG_CPU_IDLE_CALXEDA is not set
-CONFIG_EDAC_HIGHBANK_MC=m
-CONFIG_EDAC_HIGHBANK_L2=m
-CONFIG_SATA_HIGHBANK=m
-CONFIG_ARM_HIGHBANK_CPUFREQ=m
-
-# versatile
-CONFIG_VEXPRESS_CONFIG=y
+# FIXME should be generic (I think it's enabled by default)
CONFIG_FB=y
CONFIG_FB_ARMCLCD=m
CONFIG_FB_CFB_COPYAREA=m
@@ -45,13 +32,14 @@ CONFIG_FB_CFB_IMAGEBLIT=m
CONFIG_TOUCHSCREEN_ADS7846=m
CONFIG_OC_ETM=y
-CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y
# mvebu
CONFIG_MACH_ARMADA_370_XP=y
CONFIG_MACH_ARMADA_370=y
CONFIG_MACH_ARMADA_XP=y
+CONFIG_MVEBU_DEVBUS=y
+CONFIG_PCI_MVEBU=y
CONFIG_CACHE_TAUROS2=y
CONFIG_MV_XOR=y
CONFIG_CRYPTO_DEV_MV_CESA=m
@@ -86,6 +74,7 @@ CONFIG_SOC_OMAP5=y
CONFIG_SOC_OMAP3430=y
CONFIG_SOC_TI81XX=y
CONFIG_SOC_AM33XX=y
+CONFIG_SOC_AM43XX=y
CONFIG_MACH_OMAP_GENERIC=y
CONFIG_MACH_OMAP3_BEAGLE=y
CONFIG_MACH_DEVKIT8000=y
@@ -123,17 +112,24 @@ CONFIG_OMAP_32K_TIMER_HZ=128
# CONFIG_OMAP3_L2_AUX_SECURE_SAVE_RESTORE is not set
CONFIG_OMAP_MCBSP=y
+CONFIG_OMAP2PLUS_MBOX=m
CONFIG_OMAP_MBOX_FWK=m
CONFIG_OMAP_MBOX_KFIFO_SIZE=256
CONFIG_OMAP_DM_TIMER=y
CONFIG_OMAP_PM_NOOP=y
+CONFIG_DMA_OMAP=y
CONFIG_OMAP_IOMMU=y
CONFIG_OMAP_IOVMM=m
+CONFIG_HWSPINLOCK_OMAP=m
CONFIG_OMAP3_EMU=y
# CONFIG_OMAP3_SDRC_AC_TIMING is not set
CONFIG_ARM_OMAP2PLUS_CPUFREQ=y
+CONFIG_OMAP_WATCHDOG=m
+CONFIG_TWL4030_WATCHDOG=m
CONFIG_TI_ST=m
+CONFIG_TI_EDMA=y
+CONFIG_TI_SOC_THERMAL=m
CONFIG_TI_DAC7512=m
CONFIG_TI_DAVINCI_EMAC=m
CONFIG_TI_DAVINCI_MDIO=m
@@ -142,6 +138,7 @@ CONFIG_TI_CPSW=m
CONFIG_TI_CPTS=y
CONFIG_TI_EMIF=m
CONFIG_MFD_TPS65217=m
+CONFIG_REGULATOR_TI_ABB=y
CONFIG_REGULATOR_TPS65217=m
CONFIG_BACKLIGHT_TPS65217=m
@@ -156,7 +153,6 @@ CONFIG_OMAP_WATCHDOG=m
CONFIG_TWL4030_CORE=y
CONFIG_TWL4030_MADC=m
CONFIG_TWL4030_POWER=y
-CONFIG_TWL4030_CODEC=y
CONFIG_TWL4030_WATCHDOG=m
CONFIG_TWL4030_USB=m
CONFIG_TWL6030_USB=m
@@ -172,8 +168,8 @@ CONFIG_HDQ_MASTER_OMAP=m
CONFIG_REGULATOR_TWL4030=y
CONFIG_BACKLIGHT_PANDORA=m
CONFIG_OMAP_OCP2SCP=m
-CONFIG_USB_EHCI_HCD_OMAP=y
-CONFIG_USB_OHCI_HCD_PLATFORM=y
+CONFIG_USB_EHCI_HCD_OMAP=m
+CONFIG_USB_OHCI_HCD_PLATFORM=m
CONFIG_USB_OHCI_HCD_OMAP3=y
CONFIG_USB_MUSB_AM35X=m
CONFIG_USB_MUSB_OMAP2PLUS=m
@@ -183,16 +179,12 @@ CONFIG_USB_GADGET_MUSB_HDRC=m
# CONFIG_USB_MUSB_DEBUG is not set
CONFIG_OMAP_CONTROL_USB=m
CONFIG_NOP_USB_XCEIV=m
-CONFIG_MMC_OMAP=y
-CONFIG_MMC_OMAP_HS=y
+CONFIG_MMC_OMAP=m
+CONFIG_MMC_OMAP_HS=m
CONFIG_RTC_DRV_MAX8907=m
# CONFIG_RTC_DRV_TWL92330 is not set
-CONFIG_RTC_DRV_TWL4030=m
-CONFIG_RTC_DRV_OMAP=m
-# Note needs to be compiled in until we build MMC modular
-CONFIG_DMA_OMAP=y
-CONFIG_OMAP_IOVMM=m
-CONFIG_HWSPINLOCK_OMAP=m
+CONFIG_RTC_DRV_TWL4030=y
+CONFIG_RTC_DRV_OMAP=y
CONFIG_SENSORS_TWL4030_MADC=m
CONFIG_WL_TI=y
@@ -206,9 +198,7 @@ CONFIG_WILINK_PLATFORM_DATA=y
CONFIG_MFD_WL1273_CORE=m
CONFIG_NFC_WILINK=m
-CONFIG_MTD_NAND_OMAP2=y
-CONFIG_MTD_NAND_OMAP_PREFETCH=y
-CONFIG_MTD_NAND_OMAP_PREFETCH_DMA=y
+CONFIG_MTD_NAND_OMAP2=m
CONFIG_SPI_DAVINCI=m
CONFIG_SPI_OMAP24XX=m
CONFIG_MFD_TI_SSP=m
@@ -245,8 +235,6 @@ CONFIG_HW_RANDOM_OMAP=m
CONFIG_DRM_TILCDC=m
CONFIG_DRM_OMAP=m
CONFIG_DRM_OMAP_NUM_CRTCS=2
-CONFIG_OMAP2_VRAM=y
-CONFIG_OMAP2_VRAM_SIZE=0
CONFIG_OMAP2_VRFB=y
# CONFIG_FB_OMAP_BOOTLOADER_INIT is not set
# CONFIG_FB_OMAP_LCD_VGA is not set
@@ -278,6 +266,19 @@ CONFIG_PANEL_LGPHILIPS_LB035Q02=m
CONFIG_PANEL_ACX565AKM=m
# CONFIG_PANEL_N8X0 is not set
+CONFIG_DISPLAY_ENCODER_TFP410=m
+CONFIG_DISPLAY_ENCODER_TPD12S015=m
+CONFIG_DISPLAY_CONNECTOR_DVI=m
+CONFIG_DISPLAY_CONNECTOR_HDMI=m
+CONFIG_DISPLAY_CONNECTOR_ANALOG_TV=m
+CONFIG_DISPLAY_PANEL_DPI=m
+CONFIG_DISPLAY_PANEL_DSI_CM=m
+CONFIG_DISPLAY_PANEL_SONY_ACX565AKM=m
+CONFIG_DISPLAY_PANEL_LGPHILIPS_LB035Q02=m
+CONFIG_DISPLAY_PANEL_SHARP_LS037V7DW01=m
+CONFIG_DISPLAY_PANEL_TPO_TD043MTEA1=m
+CONFIG_DISPLAY_PANEL_NEC_NL8048HL11=m
+
# Enable V4L2 drivers for OMAP2+
CONFIG_MEDIA_CONTROLLER=y
CONFIG_VIDEO_V4L2_SUBDEV_API=y
@@ -341,40 +342,9 @@ CONFIG_OMAP_REMOTEPROC=m
# Allwinner a1x
CONFIG_PINCTRL_SUNXI=y
-# CONFIG_SUNXI_RFKILL=y
-# CONFIG_SUNXI_NAND=y
-# CONFIG_SUNXI_DBGREG=m
-# CONFIG_WEMAC_SUN4I=y
-# CONFIG_KEYBOARD_SUN4IKEYPAD=m
-# CONFIG_KEYBOARD_SUN4I_KEYBOARD=m
-# CONFIG_IR_SUN4I=m
-# CONFIG_TOUCHSCREEN_SUN4I_TS=m
-# CONFIG_SUN4I_G2D=y
-# CONFIG_I2C_SUN4I=y
-# CONFIG_DRM_MALI=m
-# CONFIG_MALI=m
-# CONFIG_FB_SUNXI=m
-# CONFIG_FB_SUNXI_UMP=y
-# CONFIG_FB_SUNXI_LCD=m
-# CONFIG_FB_SUNXI_HDMI=m
-# CONFIG_SOUND_SUN4I=y
-# CONFIG_SND_SUN4I_SOC_CODEC=y
-# CONFIG_SND_SUN4I_SOC_HDMIAUDIO=y
-# CONFIG_SND_SUN4I_SOC_SPDIF=m
-# CONFIG_SND_SUN4I_SOC_I2S_INTERFACE=m
-# CONFIG_SND_SOC_I2C_AND_SPI=y
-# CONFIG_USB_SW_SUN4I_HCD=y
-# CONFIG_USB_SW_SUN4I_HCD0=y
-# CONFIG_USB_SW_SUN4I_HCI=y
-# CONFIG_USB_SW_SUN4I_EHCI0=y
-# CONFIG_USB_SW_SUN4I_EHCI1=y
-# CONFIG_USB_SW_SUN4I_OHCI0=y
-# CONFIG_USB_SW_SUN4I_OHCI1=y
-# CONFIG_USB_SW_SUN4I_USB=y
-# CONFIG_USB_SW_SUN4I_USB_MANAGER=y
-# CONFIG_MMC_SUNXI_POWER_CONTROL=y
-# CONFIG_MMC_SUNXI=y
-# CONFIG_RTC_DRV_SUN4I=y
+CONFIG_MDIO_SUN4I=m
+CONFIG_NET_VENDOR_ALLWINNER=y
+CONFIG_SUN4I_EMAC=m
# imx
CONFIG_MXC_IRQ_PRIOR=y
@@ -384,7 +354,12 @@ CONFIG_MACH_IMX51_DT=y
# CONFIG_MACH_EUKREA_CPUIMX51SD is not set
CONFIG_SOC_IMX53=y
CONFIG_SOC_IMX6Q=y
+CONFIG_SOC_IMX6SL=y
CONFIG_PATA_IMX=m
+CONFIG_USB_CHIPIDEA=m
+CONFIG_USB_CHIPIDEA_UDC=y
+CONFIG_USB_CHIPIDEA_HOST=y
+# CONFIG_USB_CHIPIDEA_DEBUG is not set
CONFIG_NET_VENDOR_FREESCALE=y
CONFIG_FEC=m
CONFIG_KEYBOARD_IMX=m
@@ -392,11 +367,23 @@ CONFIG_SERIAL_IMX=y
CONFIG_SERIAL_IMX_CONSOLE=y
CONFIG_I2C_IMX=m
CONFIG_SPI_IMX=m
+CONFIG_MFD_MC13783=m
+CONFIG_MFD_MC13XXX_SPI=m
CONFIG_W1_MASTER_MXC=m
+CONFIG_IMX_WEIM=y
CONFIG_IMX2_WDT=m
+CONFIG_CRYPTO_DEV_SAHARA=m
# CONFIG_FB_MX3 is not set
CONFIG_SND_IMX_SOC=m
+CONFIG_SND_SOC_FSL_SSI=m
+CONFIG_SND_SOC_FSL_UTILS=m
+CONFIG_SND_SOC_IMX_SSI=m
+CONFIG_SND_SOC_IMX_AUDMUX=m
+CONFIG_SND_SOC_IMX_PCM_FIQ=m
+CONFIG_SND_SOC_IMX_PCM_DMA=m
CONFIG_SND_SOC_IMX_SGTL5000=m
+CONFIG_SND_SOC_IMX_WM8962=m
+CONFIG_SND_SOC_IMX_MC13783=m
CONFIG_USB_EHCI_MXC=m
CONFIG_USB_IMX21_HCD=m
CONFIG_USB_MXS_PHY=m
@@ -409,16 +396,23 @@ CONFIG_RTC_DRV_MXC=m
# CONFIG_MX3_IPU_IRQS is not set
CONFIG_IMX_SDMA=m
CONFIG_IMX_DMA=m
+CONFIG_AHCI_IMX=m
# CONFIG_MXS_DMA is not set
CONFIG_PWM_IMX=m
CONFIG_BACKLIGHT_PWM=m
CONFIG_DRM_IMX=m
CONFIG_DRM_IMX_FB_HELPER=m
-CONFIG_DRM_IMX_PARALLEL_DISPLAY=m
CONFIG_DRM_IMX_IPUV3_CORE=m
CONFIG_DRM_IMX_IPUV3=m
+# CONFIG_DRM_IMX_LDB is not set
+CONFIG_DRM_IMX_PARALLEL_DISPLAY=m
CONFIG_DRM_IMX_TVE=m
CONFIG_VIDEO_CODA=m
+CONFIG_SENSORS_MC13783_ADC=m
+CONFIG_REGULATOR_MC13783=m
+CONFIG_REGULATOR_MC13892=m
+CONFIG_LEDS_MC13783=m
+CONFIG_RTC_DRV_MC13XXX=m
CONFIG_INPUT_PWM_BEEPER=m
CONFIG_INPUT_88PM80X_ONKEY=m
@@ -467,11 +461,18 @@ CONFIG_AB8500_BM=y
CONFIG_AB8500_GPADC=y
CONFIG_SENSORS_AB8500=m
CONFIG_STE_MODEM_RPROC=m
+CONFIG_CW1200=m
+CONFIG_CW1200_WLAN_SDIO=m
+CONFIG_CW1200_WLAN_SPI=m
+CONFIG_UX500_WATCHDOG=m
# tegra
CONFIG_ARCH_TEGRA_2x_SOC=y
CONFIG_ARCH_TEGRA_3x_SOC=y
# CONFIG_ARCH_TEGRA_114_SOC is not set
+CONFIG_ARM_TEGRA_CPUFREQ=y
+CONFIG_TEGRA20_MC=y
+CONFIG_TEGRA30_MC=y
CONFIG_SERIAL_TEGRA=y
@@ -494,18 +495,19 @@ CONFIG_KEYBOARD_TEGRA=m
CONFIG_PINCTRL_TEGRA=y
CONFIG_PINCTRL_TEGRA20=y
CONFIG_PINCTRL_TEGRA30=y
-CONFIG_USB_EHCI_TEGRA=y
-CONFIG_RTC_DRV_TEGRA=y
+CONFIG_USB_EHCI_TEGRA=m
+CONFIG_RTC_DRV_TEGRA=m
CONFIG_SND_SOC_TEGRA=m
CONFIG_SND_SOC_TEGRA_ALC5632=m
+CONFIG_SND_SOC_TEGRA_RT5640=m
+CONFIG_SND_SOC_TEGRA_TRIMSLICE=m
CONFIG_SND_SOC_TEGRA_WM8753=m
CONFIG_SND_SOC_TEGRA_WM8903=m
CONFIG_SND_SOC_TEGRA_WM9712=m
-CONFIG_SND_SOC_TEGRA_TRIMSLICE=m
+CONFIG_SND_SOC_TEGRA20_AC97=m
CONFIG_SND_SOC_TEGRA30_AHUB=m
CONFIG_SND_SOC_TEGRA30_I2S=m
-CONFIG_SND_SOC_TEGRA20_AC97=m
# AC100 (PAZ00)
CONFIG_MFD_NVEC=y
@@ -534,8 +536,21 @@ CONFIG_CRYPTO_DEV_TEGRA_AES=m
CONFIG_LEDS_RENESAS_TPU=y
-# ZYNQ
+# OLPC XO
+CONFIG_SERIO_OLPC_APSP=m
+
+# Zynq-7xxx
+# likely needs usb/mmc still
+CONFIG_SERIAL_XILINX_PS_UART=y
+CONFIG_SERIAL_XILINX_PS_UART_CONSOLE=y
+CONFIG_COMMON_CLK_AXI_CLKGEN=m
+CONFIG_CPU_IDLE_ZYNQ=y
CONFIG_LATTICE_ECP3_CONFIG=m
+CONFIG_NET_VENDOR_XILINX=y
+CONFIG_XILINX_EMACLITE=m
+CONFIG_GPIO_XILINX=y
+CONFIG_I2C_XILINX=m
+CONFIG_SPI_XILINX=m
# MMC/SD
CONFIG_MMC_TMIO=m
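Review bot: `CONFIG_GPIO_XILINX=y`, added here under "Zynq-7xxx", is contradicted by `# CONFIG_GPIO_XILINX is not set`, which the last hunk of this file (`@@ -637,3 +675,9 @@`) appends at the end. The `@@ -575,12 +588,39 @@` hunk has the same problem inside one block: `CONFIG_USB_GADGET_VBUS_DRAW=100` and `CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2` are followed a few lines later by `is not set` lines for both symbols. Which line wins depends on how the fragments are merged, and that script is not visible on this page, so the effective value is ambiguous to anyone reading the file. I would keep one line per symbol: drop the trailing `# CONFIG_GPIO_XILINX is not set` if the Zynq GPIO driver is wanted, and drop the two gadget `is not set` lines.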
@@ -543,8 +558,6 @@ CONFIG_MMC_SDHCI_PXAV3=m
CONFIG_MMC_SDHCI_PXAV2=m
# Multi function devices
-CONFIG_MFD_CORE=m
-CONFIG_MFD_SYSCON=y
CONFIG_MFD_88PM800=m
CONFIG_MFD_88PM805=m
CONFIG_MFD_T7L66XB=y
@@ -575,12 +588,39 @@ CONFIG_REGULATOR_MAX8907=m
CONFIG_REGULATOR_LP872X=y
CONFIG_REGULATOR_LP8755=m
+# usb gadget
+CONFIG_USB_GADGET=m
+CONFIG_USB_GADGET_VBUS_DRAW=100
+CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2
+# CONFIG_USB_FSL_USB2 is not set
+# CONFIG_USB_FUSB300 is not set
+# CONFIG_USB_RENESAS_USBHS is not set
+# CONFIG_USB_GADGET_DEBUG is not set
+# CONFIG_USB_GADGET_DEBUG_FILES is not set
+# CONFIG_USB_GADGET_DEBUG_FS is not set
+# CONFIG_USB_GADGET_VBUS_DRAW is not set
+# CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS is not set
+# CONFIG_USB_FOTG210_UDC is not set
+# CONFIG_USB_R8A66597 is not set
+# CONFIG_USB_PXA27X is not set
+# CONFIG_USB_MV_UDC is not set
+# CONFIG_USB_MV_U3D is not set
+# CONFIG_USB_M66592 is not set
+# CONFIG_USB_AMD5536UDC is not set
+# CONFIG_USB_NET2272 is not set
+# CONFIG_USB_NET2280 is not set
+# CONFIG_USB_GOKU is not set
+# CONFIG_USB_EG20T is not set
+# CONFIG_USB_DUMMY_HCD is not set
+# CONFIG_USB_ZERO_HNPTEST is not set
+# CONFIG_USB_ETH_RNDIS is not set
+# CONFIG_USB_ETH_EEM is not set
+
# Needs work/investigation
# CONFIG_ARM_CHARLCD is not set
# CONFIG_MTD_AFS_PARTS is not set
# CONFIG_IP_PNP_RARP is not set
-# CONFIG_ASYMMETRIC_KEY_TYPE is not set
# CONFIG_PID_IN_CONTEXTIDR is not set
# CONFIG_DEPRECATED_PARAM_STRUCT is not set
@@ -619,8 +659,6 @@ CONFIG_REGULATOR_LP8755=m
# CONFIG_PMIC_ADP5520 is not set
# CONFIG_REGULATOR_LP3972 is not set
# CONFIG_REGULATOR_LP872X is not set
-# CONFIG_SGI_IOC4 is not set
-# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
# CONFIG_DVB_USB_PCTV452E is not set
# We need to fix these as they should be either generic includes or kconfig fixes
@@ -637,3 +675,9 @@ CONFIG_REGULATOR_LP8755=m
# CONFIG_DRM_TEGRA_DEBUG is not set
# CONFIG_CRYPTO_DEV_UX500_DEBUG is not set
# CONFIG_AB8500_DEBUG is not set
+
+# CONFIG_SOC_VF610 is not set
+# CONFIG_ARM_CCI is not set
+# CONFIG_GPIO_XILINX is not set
+# CONFIG_SERIAL_UARTLITE is not set
+
diff --git a/freed-ora/current/master/config-armv7-generic b/freed-ora/current/master/config-armv7-generic
index 897a7e3ee..663f86b82 100644
--- a/freed-ora/current/master/config-armv7-generic
+++ b/freed-ora/current/master/config-armv7-generic
@@ -46,6 +46,25 @@ CONFIG_ALWAYS_USE_PERSISTENT_CLOCK=y
# CONFIG_XIP_KERNEL is not set
# CONFIG_ARM_VIRT_EXT is not set
+# Platforms enabled/disabled globally on ARMv7
+CONFIG_ARCH_HIGHBANK=y
+CONFIG_ARCH_VEXPRESS_CA9X4=y
+CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y
+# CONFIG_ARCH_BCM is not set
+# CONFIG_PLAT_SPEAR is not set
+# CONFIG_ARCH_STI is not set
+# CONFIG_ARCH_SIRF is not set
+# CONFIG_ARCH_U8500 is not set
+# CONFIG_ARCH_WM8850 is not set
+
+# highbank
+# 2013/04/19 - stability issues
+# CONFIG_CPU_IDLE_CALXEDA is not set
+CONFIG_EDAC_HIGHBANK_MC=m
+CONFIG_EDAC_HIGHBANK_L2=m
+CONFIG_SATA_HIGHBANK=m
+CONFIG_ARM_HIGHBANK_CPUFREQ=m
+
# errata
# v5/v6
# CONFIG_ARM_ERRATA_326103 is not set
@@ -76,8 +95,6 @@ CONFIG_PJ4B_ERRATA_4742=y
# CONFIG_ARM_ERRATA_798181 is not set
# generic that deviates from or should be merged into config-generic
-CONFIG_SMP=y
-CONFIG_NR_CPUS=8
CONFIG_SMP_ON_UP=y
CONFIG_HIGHMEM=y
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
@@ -98,15 +115,8 @@ CONFIG_RCU_FANOUT=32
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
CONFIG_LSM_MMAP_MIN_ADDR=32768
-CONFIG_SECCOMP=y
-CONFIG_STRICT_DEVMEM=y
-
CONFIG_XZ_DEC_ARM=y
-CONFIG_OC_ETM=y
-CONFIG_PM=y
-CONFIG_PM_STD_PARTITION=""
-CONFIG_SUSPEND=y
CONFIG_ARM_CPU_SUSPEND=y
CONFIG_LOCAL_TIMERS=y
@@ -119,7 +129,6 @@ CONFIG_IP_PNP_BOOTP=y
# Root as NFS, different from mainline
CONFIG_ROOT_NFS=y
-CONFIG_NLS_CODEPAGE_437=y
CONFIG_LBDAF=y
@@ -127,15 +136,7 @@ CONFIG_LBDAF=y
CONFIG_USE_OF=y
CONFIG_ARM_ATAG_DTB_COMPAT=y
CONFIG_ARM_APPENDED_DTB=y
-CONFIG_PROC_DEVICETREE=y
-CONFIG_SERIAL_OF_PLATFORM=y
-CONFIG_OF_PCI=y
-CONFIG_OF_PCI_IRQ=y
CONFIG_I2C_MUX_PINCTRL=m
-CONFIG_OF_MDIO=m
-
-CONFIG_OF_DISPLAY_TIMING=y
-CONFIG_OF_VIDEOMODE=y
# General vexpress ARM drivers
CONFIG_ARM_TIMER_SP804=y
@@ -152,11 +153,8 @@ CONFIG_RTC_DRV_PL031=y
CONFIG_PL330_DMA=m
CONFIG_AMBA_PL08X=y
CONFIG_ARM_SP805_WATCHDOG=m
-CONFIG_I2C_VERSATILE=m
CONFIG_GPIO_PL061=y
-CONFIG_SENSORS_VEXPRESS=m
CONFIG_FB_ARMCLCD=m
-CONFIG_REGULATOR_VEXPRESS=m
# usb
CONFIG_USB_OTG=y
@@ -165,9 +163,6 @@ CONFIG_USB_OTG=y
CONFIG_USB_ULPI=y
CONFIG_AX88796=m
CONFIG_AX88796_93CX6=y
-CONFIG_SMC91X=m
-CONFIG_SMC911X=m
-CONFIG_SMSC911X=m
CONFIG_USB_ISP1760_HCD=m
# CONFIG_USB_EHCI_HCD_ORION is not set
@@ -183,7 +178,7 @@ CONFIG_MFD_TPS65912_SPI=y
CONFIG_PINMUX=y
CONFIG_PINCONF=y
CONFIG_PINCTRL=y
-CONFIG_PINCTRL_SINGLE=m
+CONFIG_PINCTRL_SINGLE=y
# CONFIG_PINCTRL_SAMSUNG is not set
# CONFIG_PINCTRL_EXYNOS4 is not set
@@ -194,7 +189,6 @@ CONFIG_EXTCON_GPIO=m
CONFIG_GPIO_ADNP=m
CONFIG_GPIO_MCP23S08=m
CONFIG_POWER_RESET_GPIO=y
-CONFIG_RFKILL_GPIO=m
CONFIG_SERIAL_8250_EM=m
CONFIG_INPUT_GPIO_TILT_POLLED=m
CONFIG_MDIO_BUS_MUX_GPIO=m
@@ -226,6 +220,8 @@ CONFIG_SPI_DESIGNWARE=m
CONFIG_SPI_TLE62X0=m
# CONFIG_SPI_FSL_SPI is not set
+CONFIG_NFC_NCI_SPI=y
+
# HW crypto and rng
CONFIG_CRYPTO_SHA1_ARM=m
CONFIG_CRYPTO_AES_ARM=m
@@ -244,7 +240,6 @@ CONFIG_POWER_RESET_RESTART=y
CONFIG_ARM_PSCI=y
# MTD
-CONFIG_MTD_OF_PARTS=y
# CONFIG_MG_DISK is not set
CONFIG_MTD_DATAFLASH=m
CONFIG_MTD_DATAFLASH_WRITE_VERIFY=y
@@ -256,13 +251,20 @@ CONFIG_EEPROM_93XX46=m
# MMC/SD
CONFIG_MMC_SPI=m
+
+# Designware (used by numerous devices)
CONFIG_MMC_DW=m
CONFIG_MMC_DW_PLTFM=m
CONFIG_MMC_DW_PCI=m
CONFIG_SPI_DW_MMIO=m
CONFIG_SPI_DW_PCI=m
+CONFIG_MMC_DW_SOCFPGA=m
# CONFIG_MMC_DW_EXYNOS is not set
# CONFIG_MMC_DW_IDMAC is not set
+CONFIG_USB_DWC2=m
+CONFIG_USB_DWC3=m
+# CONFIG_USB_DWC3_DEBUG is not set
+CONFIG_DW_WATCHDOG=m
# Sound
CONFIG_SND_ARM=y
@@ -401,7 +403,6 @@ CONFIG_UBIFS_FS_ZLIB=y
# Should be in generic
CONFIG_BPF_JIT=y
-# CONFIG_NET_VENDOR_BROADCOM is not set
# CONFIG_NET_VENDOR_CIRRUS is not set
# CONFIG_NET_VENDOR_MICROCHIP is not set
@@ -410,6 +411,7 @@ CONFIG_BPF_JIT=y
# CONFIG_DRM_EXYNOS is not set
# CONFIG_DRM_TILCDC is not set
# CONFIG_DRM_IMX is not set
+# CONFIG_AHCI_IMX is not set
# CONFIG_CS89x0 is not set
# CONFIG_DM9000 is not set
# CONFIG_HW_RANDOM_ATMEL is not set
@@ -429,7 +431,6 @@ CONFIG_BPF_JIT=y
# CONFIG_SERIAL_MAX3100 is not set
# CONFIG_SERIAL_MAX310X is not set
# CONFIG_SERIAL_IFX6X60 is not set
-# CONFIG_COMMON_CLK_SI5351 is not set
# CONFIG_COMMON_CLK_AXI_CLKGEN is not set
# CONFIG_SPI_TOPCLIFF_PCH is not set
# CONFIG_SPI_PXA2XX is not set
@@ -455,3 +456,6 @@ CONFIG_BPF_JIT=y
# CONFIG_DEBUG_LL is not set
# CONFIG_DEBUG_PINCTRL is not set
# CONFIG_ARM_DT_BL_CPUFREQ is not set
+
+# FIX ME
+# CONFIG_FB_XILINX is not set
diff --git a/freed-ora/current/master/config-armv7-lpae b/freed-ora/current/master/config-armv7-lpae
index f17b8616a..c4febfc94 100644
--- a/freed-ora/current/master/config-armv7-lpae
+++ b/freed-ora/current/master/config-armv7-lpae
@@ -1,16 +1,35 @@
-# ARM unified arch kernel
-CONFIG_ARCH_EXYNOS=y
+# ARM A15 lpae unified arch kernel
+CONFIG_ARCH_EXYNOS_MULTI=y
+CONFIG_ARCH_KEYSTONE=y
CONFIG_ARCH_VIRT=y
+CONFIG_ARCH_EXYNOS5=y
+
+# CONFIG_ARCH_MVEBU is not set
+# CONFIG_ARCH_MXC is not set
+# CONFIG_ARCH_OMAP3 is not set
+# CONFIG_ARCH_OMAP4 is not set
+# CONFIG_SOC_OMAP5 is not set
+# CONFIG_SOC_AM33XX is not set
+# CONFIG_SOC_AM43XX is not set
+# CONFIG_ARCH_ROCKCHIP is not set
+# CONFIG_ARCH_SOCFPGA is not set
+# CONFIG_ARCH_SUNXI is not set
+# CONFIG_ARCH_TEGRA is not set
+# CONFIG_ARCH_ZYNQ is not set
+
# CONFIG_ARCH_EXYNOS4 is not set
-CONFIG_ARCH_EXYNOS5=y
# CONFIG_EXYNOS_ATAGS is not set
CONFIG_ARM_LPAE=y
+CONFIG_SYS_SUPPORTS_HUGETLBFS=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
CONFIG_VIRTIO_CONSOLE=m
CONFIG_ARM_VIRT_EXT=y
CONFIG_VIRTUALIZATION=y
+CONFIG_ARM_SMMU=y
+CONFIG_ARM_DMA_IOMMU_ALIGNMENT=8
# Cortex-A15
CONFIG_ARM_ERRATA_798181=y
@@ -42,26 +61,22 @@ CONFIG_XEN_WDT=m
CONFIG_MACH_EXYNOS5_DT=y
CONFIG_SERIAL_SAMSUNG=y
CONFIG_SERIAL_SAMSUNG_CONSOLE=y
-CONFIG_SERIAL_OF_PLATFORM=y
-CONFIG_S3C_BOOT_ERROR_RESET=y
-CONFIG_S3C_BOOT_UART_FORCE_FIFO=y
-CONFIG_S3C_LOWLEVEL_UART_PORT=0
-CONFIG_S3C_GPIO_SPACE=8
-CONFIG_S3C_ADC=y
-CONFIG_S3C24XX_PWM=y
# CONFIG_SAMSUNG_PM_DEBUG is not set
# CONFIG_SAMSUNG_PM_CHECK is not set
CONFIG_SOC_EXYNOS5250=y
+CONFIG_SOC_EXYNOS5420=y
CONFIG_SOC_EXYNOS5440=y
CONFIG_ARM_EXYNOS_CPUFREQ=y
# CONFIG_GENERIC_CPUFREQ_CPU0 is not set
CONFIG_EXYNOS_THERMAL=m
+CONFIG_PCI_EXYNOS=y
+CONFIG_ARM_CCI=y
CONFIG_TCG_TIS_I2C_INFINEON=m
-CONFIG_I2C_S3C2410=m
+
CONFIG_PINCTRL_EXYNOS=y
CONFIG_PINCTRL_EXYNOS5440=y
-CONFIG_S3C2410_WATCHDOG=m
+CONFIG_EXYNOS_IOMMU=y
CONFIG_VIDEO_SAMSUNG_S5P_G2D=m
CONFIG_VIDEO_SAMSUNG_S5P_JPEG=m
CONFIG_VIDEO_SAMSUNG_S5P_MFC=m
@@ -86,29 +101,16 @@ CONFIG_SND_SOC_SAMSUNG=m
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_S5P=m
CONFIG_USB_OHCI_EXYNOS=y
-CONFIG_USB_DWC3=m
-# CONFIG_USB_DWC3_DEBUG is not set
-CONFIG_S3C_DEV_HSMMC=y
-CONFIG_MMC_SDHCI_S3C=m
-CONFIG_MMC_SDHCI_S3C_DMA=y
-CONFIG_RTC_DRV_S3C=m
CONFIG_PWM_SAMSUNG=m
-CONFIG_S3C_BOOT_WATCHDOG=y
CONFIG_SAMSUNG_GPIO_EXTRA=8
CONFIG_SERIAL_SAMSUNG_CONSOLE=y
-CONFIG_BATTERY_S3C_ADC=m
-CONFIG_SENSORS_S3C=m
-CONFIG_SENSORS_S3C_RAW=y
-CONFIG_FB_S3C_DEBUG_REGWRITE=y
CONFIG_SND_SOC_SAMSUNG_SMDK_SPDIF=m
CONFIG_USB_EHCI_S5P=y
CONFIG_SAMSUNG_USBPHY=m
CONFIG_SAMSUNG_USB2PHY=m
CONFIG_SAMSUNG_USB3PHY=m
-CONFIG_MMC_DW=m
-CONFIG_MMC_DW_PLTFM=m
-CONFIG_MMC_DW_PCI=m
CONFIG_MMC_DW_EXYNOS=m
+CONFIG_RTC_DRV_S3C=m
# Chromebook
CONFIG_MFD_CROS_EC=m
@@ -123,5 +125,13 @@ CONFIG_REGULATOR_MAX8997=m
CONFIG_REGULATOR_S5M8767=m
CONFIG_COMMON_CLK_MAX77686=m
+CONFIG_S3C_LOWLEVEL_UART_PORT=1
# CONFIG_EXYNOS4_SDHCI_CH0_8BIT is not set
# CONFIG_EXYNOS4_SDHCI_CH2_8BIT is not set
+
+# CONFIG_S3C_BOOT_ERROR_RESET is not set
+# CONFIG_S3C_BOOT_UART_FORCE_FIFO is not set
+# CONFIG_I2C_S3C2410 is not set
+# CONFIG_S3C2410_WATCHDOG is not set
+# CONFIG_MMC_SDHCI_S3C is not set
+# CONFIG_TEGRA_HOST1X is not set
diff --git a/freed-ora/current/master/config-debug b/freed-ora/current/master/config-debug
index 5df2cd620..fb7df3e38 100644
--- a/freed-ora/current/master/config-debug
+++ b/freed-ora/current/master/config-debug
@@ -5,6 +5,7 @@ CONFIG_SND_PCM_XRUN_DEBUG=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_DEBUG_MUTEXES=y
+CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_LOCK_ALLOC=y
CONFIG_PROVE_LOCKING=y
@@ -120,3 +121,7 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
CONFIG_MAC80211_MESSAGE_TRACING=y
CONFIG_EDAC_DEBUG=y
+
+CONFIG_X86_DEBUG_STATIC_CPU_HAS=y
+CONFIG_LATENCYTOP=y
+CONFIG_SCHEDSTATS=y
diff --git a/freed-ora/current/master/config-generic b/freed-ora/current/master/config-generic
index 4f518a574..df18c5fad 100644
--- a/freed-ora/current/master/config-generic
+++ b/freed-ora/current/master/config-generic
@@ -35,6 +35,7 @@ CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y
+# CONFIG_COMPILE_TEST is not set
CONFIG_FHANDLE=y
CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
@@ -67,6 +68,7 @@ CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
CONFIG_SLUB=y
+CONFIG_SLUB_CPU_PARTIAL=y
# CONFIG_SLUB_STATS is not set
# CONFIG_AD525X_DPOT is not set
@@ -101,6 +103,8 @@ CONFIG_PCIEAER_INJECT=m
CONFIG_HOTPLUG_PCI_PCIE=y
CONFIG_HOTPLUG_PCI_FAKE=m
+# CONFIG_SGI_IOC4 is not set
+
# CONFIG_ISA is not set
# CONFIG_SCx200 is not set
@@ -165,9 +169,11 @@ CONFIG_SCSI_CXGB3_ISCSI=m
CONFIG_SCSI_CXGB4_ISCSI=m
# CONFIG_INFINIBAND_CXGB3_DEBUG is not set
CONFIG_MLX4_INFINIBAND=m
+CONFIG_MLX5_INFINIBAND=m
CONFIG_INFINIBAND_NES=m
# CONFIG_INFINIBAND_NES_DEBUG is not set
CONFIG_INFINIBAND_QIB=m
+CONFIG_INFINIBAND_QIB_DCA=y
# CONFIG_INFINIBAND_OCRDMA is not set
#
@@ -300,6 +306,7 @@ CONFIG_BLK_CPQ_DA=m
CONFIG_BLK_CPQ_CISS_DA=m
CONFIG_CISS_SCSI_TAPE=y
CONFIG_BLK_DEV_DAC960=m
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
CONFIG_BLK_DEV_DRBD=m
CONFIG_BLK_DEV_UMEM=m
CONFIG_BLK_DEV_LOOP=m
@@ -515,6 +522,7 @@ CONFIG_SATA_NV=m
CONFIG_SATA_PMP=y
CONFIG_SATA_PROMISE=m
CONFIG_SATA_QSTOR=m
+CONFIG_SATA_RCAR=m
CONFIG_SATA_SIL=m
CONFIG_SATA_SIL24=m
CONFIG_SATA_SIS=m
@@ -619,6 +627,7 @@ CONFIG_DM_MULTIPATH_ST=m
CONFIG_DM_RAID=m
CONFIG_DM_FLAKEY=m
CONFIG_DM_VERITY=m
+CONFIG_DM_SWITCH=m
#
# Fusion MPT device support
@@ -1128,6 +1137,7 @@ CONFIG_BATMAN_ADV_NC=y
# CONFIG_BATMAN_ADV_DEBUG is not set
CONFIG_OPENVSWITCH=m
+CONFIG_OPENVSWITCH_GRE=y
CONFIG_VSOCKETS=m
CONFIG_NETPRIO_CGROUP=m
@@ -1161,6 +1171,7 @@ CONFIG_VXLAN=m
CONFIG_EQUALIZER=m
CONFIG_TUN=m
CONFIG_VETH=m
+CONFIG_NLMON=m
#
# ATM
@@ -1217,6 +1228,8 @@ CONFIG_L2TP_ETH=m
CONFIG_RFKILL=m
CONFIG_RFKILL_INPUT=y
+CONFIG_ETHERNET=y
+
#
# Ethernet (10 or 100Mbit)
#
@@ -1233,6 +1246,9 @@ CONFIG_PCNET32=m
CONFIG_AMD8111_ETH=m
CONFIG_PCMCIA_NMCLAN=m
+CONFIG_NET_VENDOR_ARC=y
+CONFIG_ARC_EMAC=m
+
CONFIG_NET_VENDOR_ATHEROS=y
CONFIG_ALX=m
CONFIG_ATL2=m
@@ -1367,6 +1383,8 @@ CONFIG_8139TOO_8129=y
# CONFIG_8139_OLD_RX_RESET is not set
CONFIG_R8169=m
+CONFIG_SH_ETH=m
+
CONFIG_NET_VENDOR_RDC=y
CONFIG_R6040=m
@@ -1382,6 +1400,7 @@ CONFIG_SIS190=m
CONFIG_NET_VENDOR_SMSC=y
CONFIG_PCMCIA_SMC91C92=m
CONFIG_EPIC100=m
+CONFIG_SMSC911X=m
CONFIG_SMSC9420=m
CONFIG_NET_VENDOR_STMICRO=y
@@ -1440,6 +1459,7 @@ CONFIG_VITESSE_PHY=m
CONFIG_MICREL_PHY=m
CONFIG_MII=m
+CONFIG_NET_CORE=y
CONFIG_NET_VENDOR_3COM=y
CONFIG_VORTEX=m
CONFIG_TYPHOON=m
@@ -1527,12 +1547,7 @@ CONFIG_MAC80211_LEDS=y
CONFIG_MAC80211_DEBUGFS=y
# CONFIG_MAC80211_DEBUG_MENU is not set
-CONFIG_WIMAX=m
-CONFIG_WIMAX_DEBUG_LEVEL=8
-CONFIG_WIMAX_I2400M_USB=m
-CONFIG_WIMAX_I2400M_SDIO=m
-CONFIG_WIMAX_I2400M_DEBUG_LEVEL=8
-# CONFIG_WIMAX_IWMC3200_SDIO is not set
+# CONFIG_WIMAX is not set
# CONFIG_ADM8211 is not set
CONFIG_ATH_COMMON=m
@@ -1556,8 +1571,14 @@ CONFIG_ATH9K_HTC=m
CONFIG_ATH9K_BTCOEX_SUPPORT=y
# CONFIG_ATH9K_HTC_DEBUGFS is not set
# CONFIG_ATH9K_LEGACY_RATE_CONTROL is not set
+CONFIG_ATH10K=m
+CONFIG_ATH10K_PCI=m
+# CONFIG_ATH10K_DEBUG is not set
+# CONFIG_ATH10K_TRACING is not set
+CONFIG_ATH10K_DEBUGFS=y
CONFIG_WIL6210=m
CONFIG_WIL6210_ISR_COR=y
+# CONFIG_WIL6210_TRACING is not set
CONFIG_CARL9170=m
CONFIG_CARL9170_LEDS=y
# CONFIG_CARL9170_HWRNG is not set
@@ -1565,19 +1586,20 @@ CONFIG_AT76C50X_USB=m
# CONFIG_AIRO is not set
# CONFIG_AIRO_CS is not set
# CONFIG_ATMEL is not set
+CONFIG_NET_VENDOR_BROADCOM=y
CONFIG_B43=m
CONFIG_B43_PCMCIA=y
CONFIG_B43_SDIO=y
CONFIG_B43_BCMA=y
# CONFIG_B43_BCMA_EXTRA is not set
CONFIG_B43_BCMA_PIO=y
-# CONFIG_B43_DEBUG is not set
+CONFIG_B43_DEBUG=y
CONFIG_B43_PHY_LP=y
CONFIG_B43_PHY_N=y
CONFIG_B43_PHY_HT=y
# CONFIG_B43_FORCE_PIO is not set
CONFIG_B43LEGACY=m
-# CONFIG_B43LEGACY_DEBUG is not set
+CONFIG_B43LEGACY_DEBUG=y
CONFIG_B43LEGACY_DMA=y
CONFIG_B43LEGACY_PIO=y
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
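Review bot: `CONFIG_B43_DEBUG=y` and `CONFIG_B43LEGACY_DEBUG=y` are switched on in config-generic, so they apply to every build flavour, while this same commit moves `CONFIG_LATENCYTOP` and `CONFIG_SCHEDSTATS` out of config-generic into config-debug. The `@@ -4240,14 +4290,19 @@` hunk does the same with `CONFIG_PM_TEST_SUSPEND=y`. If these are meant only for debug kernels, they belong in config-debug/config-nodebug next to the other debug switches. If they are wanted in all builds, a one-line comment above them such as `# enabled in all builds on purpose: <reason>` would record that, so a later cleanup does not have to guess.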
@@ -1601,6 +1623,9 @@ CONFIG_PCMCIA_HERMES=m
CONFIG_ORINOCO_USB=m
# CONFIG_TMD_HERMES is not set
# CONFIG_PCMCIA_SPECTRUM is not set
+CONFIG_CW1200=m
+CONFIG_CW1200_WLAN_SDIO=m
+CONFIG_CW1200_WLAN_SPI=m
# CONFIG_HOSTAP is not set
# CONFIG_IPW2100 is not set
# CONFIG_IPW2200 is not set
@@ -1679,6 +1704,7 @@ CONFIG_WL1251=m
CONFIG_WL1251_SPI=m
CONFIG_WL1251_SDIO=m
+CONFIG_RTL_CARDS=m
CONFIG_RTLWIFI=m
CONFIG_RTL8192CE=m
CONFIG_RTL8192SE=m
@@ -1737,6 +1763,7 @@ CONFIG_NFC_NCI=m
CONFIG_NFC_HCI=m
CONFIG_NFC_SHDLC=y
CONFIG_NFC_LLCP=y
+CONFIG_NFC_SIM=m
#
# Near Field Communication (NFC) devices
@@ -2003,6 +2030,7 @@ CONFIG_SERIO_ARC_PS2=m
# CONFIG_SERIO_APBPS2 is not set
# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_OLPC_APSP is not set
# CONFIG_SERIO_PARKBD is not set
# CONFIG_SERIO_PCIPS2 is not set
@@ -2080,6 +2108,7 @@ CONFIG_INPUT_TOUCHSCREEN=y
CONFIG_TOUCHSCREEN_AD7879_I2C=m
# CONFIG_TOUCHSCREEN_CY8CTMG110 is not set
# CONFIG_TOUCHSCREEN_CYTTSP_CORE is not set
+# CONFIG_TOUCHSCREEN_CYTTSP4_CORE is not set
CONFIG_TOUCHSCREEN_DYNAPRO=m
CONFIG_TOUCHSCREEN_EDT_FT5X06=m
CONFIG_TOUCHSCREEN_EETI=m
@@ -2307,6 +2336,7 @@ CONFIG_SENSORS_F71882FG=m
CONFIG_SENSORS_F75375S=m
CONFIG_SENSORS_FSCHMD=m
CONFIG_SENSORS_G760A=m
+CONFIG_SENSORS_G762=m
CONFIG_SENSORS_GL518SM=m
CONFIG_SENSORS_GL520SM=m
CONFIG_SENSORS_HDAPS=m
@@ -2426,6 +2456,7 @@ CONFIG_SENSORS_MAX197=m
CONFIG_SERIAL_ARC=m
CONFIG_SERIAL_ARC_NR_PORTS=1
# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
CONFIG_W1=m
CONFIG_W1_CON=y
@@ -2504,6 +2535,7 @@ CONFIG_WM831X_WATCHDOG=m
# CONFIG_MAX63XX_WATCHDOG is not set
# CONFIG_DW_WATCHDOG is not set
CONFIG_W83697UG_WDT=m
+# CONFIG_MEN_A21_WDT is not set
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TIMERIOMEM=m
@@ -2535,6 +2567,7 @@ CONFIG_RTC_DRV_M41T80_WDT=y
CONFIG_RTC_DRV_M48T59=m
CONFIG_RTC_DRV_MAX6900=m
# CONFIG_RTC_DRV_M48T86 is not set
+CONFIG_RTC_DRV_PCF2127=m
CONFIG_RTC_DRV_PCF8563=m
CONFIG_RTC_DRV_PCF8583=m
CONFIG_RTC_DRV_RS5C372=m
@@ -2728,6 +2761,7 @@ CONFIG_VIDEO_TLG2300=m
# CONFIG_VIDEO_TIMBERDALE is not set
# CONFIG_VIDEO_M5MOLS is not set
# CONFIG_EXYNOS_VIDEO is not set
+CONFIG_VIDEO_USBTV=m
CONFIG_USB_VIDEO_CLASS=m
CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y
@@ -3020,6 +3054,7 @@ CONFIG_SND_PCM_OSS=y
CONFIG_SND_PCM_OSS_PLUGINS=y
CONFIG_SND_RTCTIMER=y
CONFIG_SND_DYNAMIC_MINORS=y
+CONFIG_SND_MAX_CARDS=32
# CONFIG_SND_SUPPORT_OLD_API is not set
#
@@ -3095,6 +3130,7 @@ CONFIG_SND_HDA_CODEC_CONEXANT=y
CONFIG_SND_HDA_CODEC_CMEDIA=y
CONFIG_SND_HDA_CODEC_SI3054=y
CONFIG_SND_HDA_CODEC_HDMI=y
+CONFIG_SND_HDA_I915=y
CONFIG_SND_HDA_CODEC_CA0132=y
CONFIG_SND_HDA_CODEC_CA0132_DSP=y
CONFIG_SND_HDA_GENERIC=y
@@ -3142,6 +3178,7 @@ CONFIG_SND_USB_USX2Y=m
CONFIG_SND_USB_US122L=m
CONFIG_SND_USB_UA101=m
CONFIG_SND_USB_6FIRE=m
+CONFIG_SND_USB_HIFACE=m
#
# PCMCIA devices
@@ -3189,6 +3226,7 @@ CONFIG_USB_EHCI_TT_NEWSCHED=y
# CONFIG_USB_EHCI_MV is not set
# CONFIG_USB_EHCI_HCD_PLATFORM is not set
CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_OHCI_HCD_PCI=y
# CONFIG_USB_OHCI_HCD_SSB is not set
# CONFIG_USB_OHCI_HCD_PLATFORM is not set
CONFIG_USB_UHCI_HCD=y
@@ -3199,6 +3237,7 @@ CONFIG_USB_SL811_HCD_ISO=y
CONFIG_USB_XHCI_HCD=y
# CONFIG_USB_XHCI_HCD_DEBUGGING is not set
CONFIG_USB_ISP1362_HCD=m
+CONFIG_USB_FUSBH200_HCD=m
#
# USB Device Class drivers
@@ -3229,7 +3268,7 @@ CONFIG_USB_STORAGE_REALTEK=m
CONFIG_REALTEK_AUTOPM=y
CONFIG_USB_STORAGE_ENE_UB6250=m
# CONFIG_USB_LIBUSUAL is not set
-# CONFIG_USB_UAS is not set
+CONFIG_USB_UAS=m
#
@@ -3290,9 +3329,10 @@ CONFIG_HID_THINGM=m
CONFIG_HID_THRUSTMASTER=m
CONFIG_HID_ZEROPLUS=m
CONFIG_HID_ZYDACRON=m
-# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_HID_SENSOR_HUB=m
CONFIG_HID_EMS_FF=m
CONFIG_HID_ELECOM=m
+CONFIG_HID_ELO=m
CONFIG_HID_UCLOGIC=m
CONFIG_HID_WALTOP=m
CONFIG_HID_ROCCAT_PYRA=m
@@ -3307,6 +3347,7 @@ CONFIG_HID_ROCCAT_ISKU=m
CONFIG_HID_ROCCAT_KOVAPLUS=m
CONFIG_HID_HOLTEK=m
CONFIG_HOLTEK_FF=y
+CONFIG_HID_HUION=m
CONFIG_HID_SPEEDLINK=m
CONFIG_HID_WIIMOTE=m
CONFIG_HID_WIIMOTE_EXT=y
@@ -3512,7 +3553,8 @@ CONFIG_USB_SERIAL_XSENS_MT=m
CONFIG_USB_SERIAL_DEBUG=m
CONFIG_USB_SERIAL_SSU100=m
CONFIG_USB_SERIAL_QT2=m
-
+CONFIG_USB_SERIAL_FLASHLOADER=m
+CONFIG_USB_SERIAL_SUUNTO=m
CONFIG_USB_SERIAL_CONSOLE=y
CONFIG_USB_EZUSB=y
@@ -3641,6 +3683,7 @@ CONFIG_MFD_VIPERBOARD=m
# CONFIG_ABX500_CORE is not set
# CONFIG_MFD_RDC321X is not set
# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
# CONFIG_MFD_WM831X_I2C is not set
# CONFIG_MFD_CS5535 is not set
# CONFIG_MFD_STMPE is not set
@@ -3785,6 +3828,7 @@ CONFIG_UFS_FS=m
CONFIG_9P_FS=m
CONFIG_9P_FSCACHE=y
CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_9P_FS_SECURITY=y
CONFIG_FUSE_FS=m
# CONFIG_OMFS_FS is not set
CONFIG_CUSE=m
@@ -3795,17 +3839,19 @@ CONFIG_CUSE=m
#
CONFIG_NETWORK_FILESYSTEMS=y
CONFIG_NFS_FS=m
-CONFIG_NFS_V2=y
+# CONFIG_NFS_V2 is not set
CONFIG_NFS_V3=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFS_V4=y
-# CONFIG_NFS_SWAP is not set
+CONFIG_NFS_SWAP=y
CONFIG_NFS_V4_1=y
CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
+CONFIG_NFS_V4_2=y
CONFIG_NFSD=m
CONFIG_NFSD_V3=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
+CONFIG_NFSD_V4_SECURITY_LABEL=y
CONFIG_NFS_FSCACHE=y
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_PNFS_OBJLAYOUT=m
@@ -3877,6 +3923,7 @@ CONFIG_UBIFS_FS_XATTR=y
#
CONFIG_PARTITION_ADVANCED=y
# CONFIG_ACORN_PARTITION is not set
+CONFIG_AIX_PARTITION=y
CONFIG_AMIGA_PARTITION=y
# CONFIG_ATARI_PARTITION is not set
CONFIG_BSD_DISKLABEL=y
@@ -4010,7 +4057,6 @@ CONFIG_HWPOISON_INJECT=m
CONFIG_CROSS_MEMORY_ATTACH=y
# CONFIG_DEBUG_SECTION_MISMATCH is not set
# CONFIG_BACKTRACE_SELF_TEST is not set
-CONFIG_LATENCYTOP=y
CONFIG_RESOURCE_COUNTERS=y
# CONFIG_COMPAT_BRK is not set
# CONFIG_DEBUG_VIRTUAL is not set
@@ -4055,6 +4101,9 @@ CONFIG_AUDITSYSCALL=y
# http://lists.fedoraproject.org/pipermail/kernel/2013-February/004125.html
CONFIG_AUDIT_LOGINUID_IMMUTABLE=y
+CONFIG_SECCOMP=y
+CONFIG_STRICT_DEVMEM=y
+
# CONFIG_SSBI is not set
#
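Review bot: `CONFIG_SECCOMP=y` and `CONFIG_STRICT_DEVMEM=y` land here without a comment, directly under the audit block, although they are hardening defaults that every arch fragment now inherits (the same commit drops them from config-armv7-generic). A one-line header such as `# Hardening defaults for all arches; arch fragments should not unset these` would state the intent and make an accidental override in an arch file easier to spot in review. Whether any other arch fragment still sets or unsets these two symbols cannot be seen from this page, so that is worth a quick grep before merging.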
@@ -4095,6 +4144,8 @@ CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_KHAZAD=m
CONFIG_CRYPTO_LRW=m
CONFIG_CRYPTO_LZO=m
+CONFIG_CRYPTO_LZ4=m
+CONFIG_CRYPTO_LZ4HC=m
CONFIG_CRYPTO_MD4=m
CONFIG_CRYPTO_MD5=m
CONFIG_CRYPTO_MICHAEL_MIC=m
@@ -4181,7 +4232,6 @@ CONFIG_BACKLIGHT_LP855X=m
CONFIG_LCD_CLASS_DEVICE=m
CONFIG_LCD_PLATFORM=m
-CONFIG_SCHEDSTATS=y
CONFIG_SCHED_DEBUG=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_CFS_BANDWIDTH=y
@@ -4240,14 +4290,19 @@ CONFIG_PROC_EVENTS=y
CONFIG_IBMASR=m
+CONFIG_PM=y
+CONFIG_PM_STD_PARTITION=""
CONFIG_PM_DEBUG=y
CONFIG_PM_TRACE=y
CONFIG_PM_TRACE_RTC=y
-# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_TEST_SUSPEND=y
CONFIG_PM_RUNTIME=y
# CONFIG_PM_OPP is not set
# CONFIG_PM_AUTOSLEEP is not set
# CONFIG_PM_WAKELOCKS is not set
+CONFIG_HIBERNATION=y
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_SUSPEND=y
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
@@ -4351,7 +4406,9 @@ CONFIG_LEDS_WM831X_STATUS=m
CONFIG_DMADEVICES=y
CONFIG_DMA_ENGINE=y
+CONFIG_DW_DMAC_CORE=m
CONFIG_DW_DMAC=m
+CONFIG_DW_DMAC_PCI=m
# CONFIG_DW_DMAC_BIG_ENDIAN_IO is not set
# CONFIG_TIMB_DMA is not set
# CONFIG_DMATEST is not set
@@ -4388,8 +4445,12 @@ CONFIG_JUMP_LABEL=y
CONFIG_OPTPROBES=y
CONFIG_HZ_1000=y
+CONFIG_NO_HZ=y
CONFIG_TIMER_STATS=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_PERF_EVENTS=y
+CONFIG_PERF_COUNTERS=y
# Auxillary displays
CONFIG_KS0108=m
@@ -4581,6 +4642,7 @@ CONFIG_R8712U=m # Larry Finger maintains this (rhbz 699618)
# CONFIG_ATH6K_LEGACY is not set
# CONFIG_USB_ENESTORAGE is not set
# CONFIG_BCM_WIMAX is not set
+# CONFIG_USB_BTMTK is not set
# CONFIG_FT1000 is not set
# CONFIG_SPEAKUP is not set
# CONFIG_DX_SEP is not set
@@ -4629,6 +4691,7 @@ CONFIG_IMA_LSM_RULES=y
# CONFIG_EVM is not set
# CONFIG_PWM is not set
+# CONFIG_PWM_PCA9685 is not set
CONFIG_LSM_MMAP_MIN_ADDR=65536
@@ -4659,6 +4722,7 @@ CONFIG_IEEE802154_FAKEHARD=m
CONFIG_IEEE802154_FAKELB=m
CONFIG_MAC802154=m
+CONFIG_NET_MPLS_GSO=m
# CONFIG_EXTCON is not set
# CONFIG_MEMORY is not set
@@ -4677,6 +4741,7 @@ CONFIG_PTP_1588_CLOCK_PCH=m
CONFIG_CLEANCACHE=y
CONFIG_FRONTSWAP=y
+CONFIG_ZSWAP=y
# CONFIG_MDIO_GPIO is not set
# CONFIG_KEYBOARD_GPIO is not set
@@ -4769,6 +4834,12 @@ CONFIG_IOMMU_SUPPORT=y
# CONFIG_RESET_CONTROLLER is not set
+CONFIG_FMC=m
+CONFIG_FMC_FAKEDEV=m
+CONFIG_FMC_TRIVIAL=m
+CONFIG_FMC_WRITE_EEPROM=m
+CONFIG_FMC_CHARDEV=m
+
# CONFIG_HSI is not set
# CONFIG_PM_DEVFREQ is not set
diff --git a/freed-ora/current/master/config-nodebug b/freed-ora/current/master/config-nodebug
index 80c8a5f02..66b8caa04 100644
--- a/freed-ora/current/master/config-nodebug
+++ b/freed-ora/current/master/config-nodebug
@@ -2,99 +2,100 @@ CONFIG_SND_VERBOSE_PRINTK=y
CONFIG_SND_DEBUG=y
CONFIG_SND_PCM_XRUN_DEBUG=y
-# CONFIG_DEBUG_ATOMIC_SLEEP is not set
-
-# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_RT_MUTEXES is not set
-# CONFIG_DEBUG_LOCK_ALLOC is not set
-# CONFIG_PROVE_LOCKING is not set
-# CONFIG_DEBUG_SPINLOCK is not set
-# CONFIG_PROVE_RCU is not set
+CONFIG_DEBUG_ATOMIC_SLEEP=y
+
+CONFIG_DEBUG_MUTEXES=y
+CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
+CONFIG_DEBUG_RT_MUTEXES=y
+CONFIG_DEBUG_LOCK_ALLOC=y
+CONFIG_PROVE_LOCKING=y
+CONFIG_DEBUG_SPINLOCK=y
+CONFIG_PROVE_RCU=y
# CONFIG_PROVE_RCU_REPEATEDLY is not set
-# CONFIG_DEBUG_PER_CPU_MAPS is not set
+CONFIG_DEBUG_PER_CPU_MAPS=y
CONFIG_CPUMASK_OFFSTACK=y
-# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
+CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
-# CONFIG_FAULT_INJECTION is not set
-# CONFIG_FAILSLAB is not set
-# CONFIG_FAIL_PAGE_ALLOC is not set
-# CONFIG_FAIL_MAKE_REQUEST is not set
-# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
-# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
-# CONFIG_FAIL_IO_TIMEOUT is not set
-# CONFIG_FAIL_MMC_REQUEST is not set
+CONFIG_FAULT_INJECTION=y
+CONFIG_FAILSLAB=y
+CONFIG_FAIL_PAGE_ALLOC=y
+CONFIG_FAIL_MAKE_REQUEST=y
+CONFIG_FAULT_INJECTION_DEBUG_FS=y
+CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
+CONFIG_FAIL_IO_TIMEOUT=y
+CONFIG_FAIL_MMC_REQUEST=y
-# CONFIG_SLUB_DEBUG_ON is not set
+CONFIG_SLUB_DEBUG_ON=y
-# CONFIG_LOCK_STAT is not set
+CONFIG_LOCK_STAT=y
-# CONFIG_DEBUG_STACK_USAGE is not set
+CONFIG_DEBUG_STACK_USAGE=y
-# CONFIG_ACPI_DEBUG is not set
+CONFIG_ACPI_DEBUG=y
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
-# CONFIG_DEBUG_SG is not set
+CONFIG_DEBUG_SG=y
# CONFIG_DEBUG_PAGEALLOC is not set
-# CONFIG_DEBUG_WRITECOUNT is not set
-# CONFIG_DEBUG_OBJECTS is not set
+CONFIG_DEBUG_WRITECOUNT=y
+CONFIG_DEBUG_OBJECTS=y
# CONFIG_DEBUG_OBJECTS_SELFTEST is not set
-# CONFIG_DEBUG_OBJECTS_FREE is not set
-# CONFIG_DEBUG_OBJECTS_TIMERS is not set
-# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
+CONFIG_DEBUG_OBJECTS_FREE=y
+CONFIG_DEBUG_OBJECTS_TIMERS=y
+CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
-# CONFIG_X86_PTDUMP is not set
+CONFIG_X86_PTDUMP=y
-# CONFIG_CAN_DEBUG_DEVICES is not set
+CONFIG_CAN_DEBUG_DEVICES=y
-# CONFIG_MODULE_FORCE_UNLOAD is not set
+CONFIG_MODULE_FORCE_UNLOAD=y
-# CONFIG_SYSCTL_SYSCALL_CHECK is not set
+CONFIG_SYSCTL_SYSCALL_CHECK=y
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_NOTIFIERS=y
-# CONFIG_DMA_API_DEBUG is not set
+CONFIG_DMA_API_DEBUG=y
-# CONFIG_MMIOTRACE is not set
+CONFIG_MMIOTRACE=y
-# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_DEBUG_CREDENTIALS=y
# off in both production debug and nodebug builds,
# on in rawhide nodebug builds
-# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
-# CONFIG_EXT4_DEBUG is not set
+CONFIG_EXT4_DEBUG=y
# CONFIG_XFS_WARN is not set
-# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_DEBUG_PERF_USE_VMALLOC=y
-# CONFIG_JBD2_DEBUG is not set
+CONFIG_JBD2_DEBUG=y
-# CONFIG_NFSD_FAULT_INJECTION is not set
+CONFIG_NFSD_FAULT_INJECTION=y
-# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_DEBUG_BLK_CGROUP=y
-# CONFIG_DRBD_FAULT_INJECTION is not set
+CONFIG_DRBD_FAULT_INJECTION=y
-# CONFIG_ATH_DEBUG is not set
-# CONFIG_CARL9170_DEBUGFS is not set
-# CONFIG_IWLWIFI_DEVICE_TRACING is not set
+CONFIG_ATH_DEBUG=y
+CONFIG_CARL9170_DEBUGFS=y
+CONFIG_IWLWIFI_DEVICE_TRACING=y
# CONFIG_RTLWIFI_DEBUG is not set
-# CONFIG_DEBUG_OBJECTS_WORK is not set
+CONFIG_DEBUG_OBJECTS_WORK=y
-# CONFIG_DMADEVICES_DEBUG is not set
-# CONFIG_DMADEVICES_VDEBUG is not set
+CONFIG_DMADEVICES_DEBUG=y
+CONFIG_DMADEVICES_VDEBUG=y
CONFIG_PM_ADVANCED_DEBUG=y
-# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
-# CONFIG_QUOTA_DEBUG is not set
+CONFIG_CEPH_LIB_PRETTYDEBUG=y
+CONFIG_QUOTA_DEBUG=y
CONFIG_PCI_DEFAULT_USE_CRS=y
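Review bot: The fragment is still named config-nodebug, yet on the new side it sets `CONFIG_FAULT_INJECTION=y` with `CONFIG_FAULT_INJECTION_DEBUG_FS=y`, `CONFIG_X86_PTDUMP=y`, `CONFIG_MODULE_FORCE_UNLOAD=y` and the full lock and object debugging set, and nothing at the top of the file says so. The only hint is the existing comment above `CONFIG_DEBUG_FORCE_WEAK_PER_CPU`, which suggests rawhide nodebug builds are expected to differ. A header comment such as `# NOTE: debug options are switched on here for rawhide; restore the "is not set" state before branching a release` would make the intent explicit. Without it, a release built from this state would ship the page-table dump and fault-injection debugfs knobs, which widen what a privileged local user can observe or disturb.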
@@ -102,17 +103,17 @@ CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
CONFIG_KDB_CONTINUE_CATASTROPHIC=0
-# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
-# CONFIG_TEST_LIST_SORT is not set
+CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
+CONFIG_TEST_LIST_SORT=y
# CONFIG_TEST_STRING_HELPERS is not set
-# CONFIG_DETECT_HUNG_TASK is not set
+CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
-# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
+CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
-# CONFIG_DEBUG_KMEMLEAK is not set
+CONFIG_DEBUG_KMEMLEAK=y
CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
# CONFIG_DEBUG_KMEMLEAK_TEST is not set
CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
@@ -122,3 +123,9 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
# CONFIG_EDAC_DEBUG is not set
# CONFIG_SPI_DEBUG is not set
+
+CONFIG_X86_DEBUG_STATIC_CPU_HAS=y
+
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_LATENCYTOP is not set
+
diff --git a/freed-ora/current/master/config-powerpc-generic b/freed-ora/current/master/config-powerpc-generic
index 2dcab485d..2f26fb4ba 100644
--- a/freed-ora/current/master/config-powerpc-generic
+++ b/freed-ora/current/master/config-powerpc-generic
@@ -1,5 +1,4 @@
# Most PowerPC kernels we build are SMP
-CONFIG_SMP=y
CONFIG_IRQ_ALL_CPUS=y
CONFIG_PPC=y
CONFIG_WATCHDOG_RTAS=m
@@ -11,14 +10,6 @@ CONFIG_TAU=y
# CONFIG_TAU_INT is not set
CONFIG_TAU_AVERAGE=y
-CONFIG_SECCOMP=y
-
-CONFIG_PM=y
-
-CONFIG_PM_STD_PARTITION=""
-
-CONFIG_SUSPEND=y
-CONFIG_HIBERNATION=y
# CONFIG_RTC is not set
# CONFIG_GEN_RTC is not set
# CONFIG_GEN_RTC_X is not set
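Review bot: `CONFIG_SECCOMP=y` is dropped in this hunk, and the visible part of the diff does not show it being added to a shared fragment, so reading this as a consolidation is only an inference. The same removal recurs in config-powerpc64, config-powerpc64p7, config-s390x and config-x86-generic, and `CONFIG_STRICT_DEVMEM=y` is removed the same way in the -363 hunk of this file and in config-s390x and config-x86-generic. If the shared config does not set both, syscall filtering and the /dev/mem restriction turn off on those architectures without any build error. Confirm that `CONFIG_SECCOMP=y` and `CONFIG_STRICT_DEVMEM=y` appear in each generated per-arch .config before merging.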
@@ -100,9 +91,6 @@ CONFIG_LEDS_TRIGGER_TIMER=m
CONFIG_LEDS_TRIGGER_HEARTBEAT=m
CONFIG_LEDS_TRIGGER_GPIO=m
-# FIXME: Should depend on IA64/x86
-# CONFIG_SGI_IOC4 is not set
-
CONFIG_PPC_EFIKA=y
CONFIG_PPC_MEDIA5200=y
@@ -363,7 +351,6 @@ CONFIG_RFKILL_GPIO=m
# CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set
# CONFIG_INPUT_GP2A is not set
# CONFIG_INPUT_GPIO_TILT_POLLED is not set
-CONFIG_STRICT_DEVMEM=y
CONFIG_RCU_FANOUT_LEAF=16
@@ -371,9 +358,10 @@ CONFIG_RCU_FANOUT_LEAF=16
# CONFIG_MPIC_MSGR is not set
# CONFIG_FA_DUMP is not set
# CONFIG_MDIO_BUS_MUX_GPIO is not set
-# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
# CONFIG_FAIL_IOMMU is not set
+# CONFIG_SPAPR_TCE_IOMMU is not set
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
# CONFIG_PPC_DENORMALISATION is not set
# CONFIG_MDIO_BUS_MUX_MMIOREG is not set
diff --git a/freed-ora/current/master/config-powerpc32-generic b/freed-ora/current/master/config-powerpc32-generic
index 935aab420..61e3236b1 100644
--- a/freed-ora/current/master/config-powerpc32-generic
+++ b/freed-ora/current/master/config-powerpc32-generic
@@ -95,8 +95,6 @@ CONFIG_SERIAL_OF_PLATFORM=y
CONFIG_DEBUG_STACKOVERFLOW=y
# CONFIG_EMBEDDED6xx is not set
-CONFIG_NO_HZ=y
-CONFIG_HIGH_RES_TIMERS=y
# CONFIG_BLK_DEV_PLATFORM is not set
# CONFIG_BLK_DEV_4DRIVES is not set
@@ -175,10 +173,6 @@ CONFIG_CRYPTO_DEV_TALITOS=m
CONFIG_RCU_FANOUT=32
-CONFIG_PERF_COUNTERS=y
-CONFIG_PERF_EVENTS=y
-CONFIG_EVENT_PROFILE=y
-
CONFIG_KVM_BOOK3S_32=m
# CONFIG_SCSI_QLA_ISCSI is not set
diff --git a/freed-ora/current/master/config-powerpc32-smp b/freed-ora/current/master/config-powerpc32-smp
index e60f59cdf..5dbe87f7f 100644
--- a/freed-ora/current/master/config-powerpc32-smp
+++ b/freed-ora/current/master/config-powerpc32-smp
@@ -1,4 +1,3 @@
-CONFIG_SMP=y
# CONFIG_HOTPLUG_CPU is not set
CONFIG_NR_CPUS=4
# CONFIG_BATTERY_PMU is not set
diff --git a/freed-ora/current/master/config-powerpc64 b/freed-ora/current/master/config-powerpc64
index 34297ec97..705a7ea2b 100644
--- a/freed-ora/current/master/config-powerpc64
+++ b/freed-ora/current/master/config-powerpc64
@@ -111,11 +111,7 @@ CONFIG_XMON_DISASSEMBLY=y
CONFIG_SCSI_IBMVSCSIS=m
-CONFIG_SECCOMP=y
-
# CONFIG_TUNE_CELL is not set
-CONFIG_NO_HZ=y
-CONFIG_HIGH_RES_TIMERS=y
# CONFIG_BLK_DEV_PLATFORM is not set
# CONFIG_VIRQ_DEBUG is not set
@@ -138,10 +134,6 @@ CONFIG_RELOCATABLE=y
CONFIG_RCU_FANOUT=64
-CONFIG_PERF_COUNTERS=y
-CONFIG_PERF_EVENTS=y
-CONFIG_EVENT_PROFILE=y
-
CONFIG_KVM_BOOK3S_64=m
CONFIG_KVM_BOOK3S_64_HV=y
# CONFIG_KVM_EXIT_TIMING is not set
@@ -178,7 +170,6 @@ CONFIG_CRYPTO_DEV_NX_COMPRESS=m
CONFIG_BPF_JIT=y
# CONFIG_PPC_ICSWX_PID is not set
# CONFIG_PPC_ICSWX_USE_SIGILL is not set
-# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
# CONFIG_PCIEPORTBUS is not set
# CONFIG_PPC_TRANSACTIONAL_MEM is not set
# CONFIG_SND_HDA_INTEL is not set
diff --git a/freed-ora/current/master/config-powerpc64p7 b/freed-ora/current/master/config-powerpc64p7
index d22fbbf02..7ab19187b 100644
--- a/freed-ora/current/master/config-powerpc64p7
+++ b/freed-ora/current/master/config-powerpc64p7
@@ -102,11 +102,7 @@ CONFIG_XMON_DISASSEMBLY=y
CONFIG_SCSI_IBMVSCSIS=m
-CONFIG_SECCOMP=y
-
# CONFIG_TUNE_CELL is not set
-CONFIG_NO_HZ=y
-CONFIG_HIGH_RES_TIMERS=y
# CONFIG_BLK_DEV_PLATFORM is not set
# CONFIG_VIRQ_DEBUG is not set
@@ -129,10 +125,6 @@ CONFIG_RELOCATABLE=y
CONFIG_RCU_FANOUT=64
-CONFIG_PERF_COUNTERS=y
-CONFIG_PERF_EVENTS=y
-CONFIG_EVENT_PROFILE=y
-
CONFIG_KVM_BOOK3S_64=m
CONFIG_KVM_BOOK3S_64_HV=y
# CONFIG_KVM_EXIT_TIMING is not set
@@ -169,7 +161,6 @@ CONFIG_CRYPTO_DEV_NX_COMPRESS=m
CONFIG_BPF_JIT=y
# CONFIG_PPC_ICSWX_PID is not set
# CONFIG_PPC_ICSWX_USE_SIGILL is not set
-# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
# CONFIG_PCIEPORTBUS is not set
# CONFIG_SND_HDA_INTEL is not set
CONFIG_BLK_DEV_RSXX=m
diff --git a/freed-ora/current/master/config-s390x b/freed-ora/current/master/config-s390x
index 99c16ef96..a292f425e 100644
--- a/freed-ora/current/master/config-s390x
+++ b/freed-ora/current/master/config-s390x
@@ -13,13 +13,9 @@ CONFIG_HZ_100=y
# See bug 496605
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
-CONFIG_MMU=y
-
CONFIG_LOG_BUF_SHIFT=16
CONFIG_NO_IDLE_HZ=y
-CONFIG_SMP=y
-
#
# I/O subsystem configuration
#
@@ -38,6 +34,7 @@ CONFIG_CMM=m
CONFIG_CMM_PROC=y
# CONFIG_NETIUCV is not set
CONFIG_SMSGIUCV=m
+CONFIG_CRASH_DUMP=y
#
# SCSI low-level drivers
@@ -189,8 +186,6 @@ CONFIG_S390_VMUR=m
# CONFIG_THERMAL is not set
-CONFIG_NO_HZ=y
-CONFIG_HIGH_RES_TIMERS=y
CONFIG_CTCM=m
CONFIG_QETH_L2=m
CONFIG_QETH_L3=m
@@ -213,15 +208,7 @@ CONFIG_HVC_IUCV=y
CONFIG_RCU_FANOUT=64
CONFIG_RCU_FANOUT_LEAF=16
-CONFIG_SECCOMP=y
-
-CONFIG_PM=y
-CONFIG_HIBERNATION=y
-CONFIG_PM_STD_PARTITION="/dev/jokes"
-
-CONFIG_PERF_COUNTERS=y
-CONFIG_PERF_EVENTS=y
-CONFIG_EVENT_PROFILE=y
+# CONFIG_SUSPEND is not set
CONFIG_SMSGIUCV_EVENT=m
@@ -234,13 +221,9 @@ CONFIG_ZFCP_DIF=y
CONFIG_SCHED_MC=y
CONFIG_SCHED_BOOK=y
-CONFIG_STRICT_DEVMEM=y
-
# CONFIG_WARN_DYNAMIC_STACK is not set
CONFIG_CRYPTO_GHASH_S390=m
-CONFIG_NET_CORE=y
-CONFIG_ETHERNET=y
CONFIG_BPF_JIT=y
# CONFIG_TRANSPARENT_HUGEPAGE is not set
@@ -250,24 +233,48 @@ CONFIG_SCM_BLOCK=m
CONFIG_SCM_BLOCK_CLUSTER_WRITE=y
# CONFIG_S390_PTDUMP is not set
# CONFIG_ASYMMETRIC_KEY_TYPE is not set
-CONFIG_PCI_NR_FUNCTIONS=64
-CONFIG_HOTPLUG_PCI=m
-# CONFIG_HOTPLUG_PCI_CPCI is not set
-# CONFIG_HOTPLUG_PCI_SHPC is not set
-CONFIG_HOTPLUG_PCI_S390=m
-# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
-# CONFIG_SGI_IOC4 is not set
+# CONFIG_PCI is not set
# CONFIG_GPIO_GENERIC_PLATFORM is not set
# CONFIG_GPIO_MCP23S08 is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_HID is not set
+
+# CONFIG_INPUT is not set
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_KEYBOARD is not set
+# CONFIG_INPUT_MOUSE is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_POWER_SUPPLY is not set
+# CONFIG_STAGING is not set
+# CONFIG_MEMSTICK is not set
# CONFIG_MEDIA_SUPPORT is not set
# CONFIG_USB_SUPPORT is not set
# CONFIG_DRM is not set
# CONFIG_SOUND is not set
# CONFIG_DW_DMAC is not set
+# CONFIG_I2C is not set
# CONFIG_I2C_SMBUS is not set
# CONFIG_I2C_STUB is not set
# CONFIG_I2C_HELPER_AUTO is not set
# CONFIG_I2C_PARPORT is not set
# CONFIG_I2C_PARPORT_LIGHT is not set
# CONFIG_I2C_NFORCE2 is not set
+
+# CONFIG_PHYLIB is not set
+# CONFIG_ATM_DRIVERS is not set
+# CONFIG_NET_VENDOR_ARC is not set
+# CONFIG_NET_VENDOR_INTEL is not set
+# CONFIG_NET_VENDOR_MARVELL is not set
+# CONFIG_NET_VENDOR_NATSEMI is not set
+# CONFIG_SH_ETH is not set
+# CONFIG_NET_VENDOR_VIA is not set
+# CONFIG_IEEE802154_DRIVERS is not set
+
+# CONFIG_FMC is not set
diff --git a/freed-ora/current/master/config-x86-32-generic b/freed-ora/current/master/config-x86-32-generic
index 1ee7325d8..ebdb0f3fe 100644
--- a/freed-ora/current/master/config-x86-32-generic
+++ b/freed-ora/current/master/config-x86-32-generic
@@ -122,8 +122,6 @@ CONFIG_SND_ES18XX=m
CONFIG_HW_RANDOM_GEODE=m
-# CONFIG_SGI_IOC4 is not set
-
CONFIG_TC1100_WMI=m
CONFIG_IB700_WDT=m
@@ -230,3 +228,5 @@ CONFIG_BACKLIGHT_PWM=m
# CONFIG_RTC_DRV_SNVS is not set
# CONFIG_OF_DISPLAY_TIMING is not set
# CONFIG_OF_VIDEOMODE is not set
+
+# CONFIG_MLX5_INFINIBAND is not set
diff --git a/freed-ora/current/master/config-x86-generic b/freed-ora/current/master/config-x86-generic
index 42c0d09fe..64f5a2fc8 100644
--- a/freed-ora/current/master/config-x86-generic
+++ b/freed-ora/current/master/config-x86-generic
@@ -2,8 +2,6 @@ CONFIG_UID16=y
CONFIG_X86_EXTENDED_PLATFORM=y
-CONFIG_SMP=y
-
CONFIG_X86_GENERIC=y
CONFIG_HPET=y
@@ -52,8 +50,6 @@ CONFIG_INTEL_IOMMU_FLOPPY_WA=y
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
CONFIG_SCSI_ADVANSYS=m
-CONFIG_SECCOMP=y
-
CONFIG_CAPI_EICON=y
#
@@ -117,10 +113,6 @@ CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
CONFIG_GENERIC_ISA_DMA=y
-CONFIG_SUSPEND=y
-CONFIG_HIBERNATION=y
-CONFIG_PM_STD_PARTITION=""
-
CONFIG_PCI_MMCONFIG=y
CONFIG_PCI_BIOS=y
CONFIG_PCI_IOAPIC=y
@@ -131,8 +123,6 @@ CONFIG_HOTPLUG_PCI_COMPAQ=m
CONFIG_HOTPLUG_PCI_IBM=m
# CONFIG_HOTPLUG_PCI_CPCI is not set
-CONFIG_PM=y
-
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
CONFIG_IPW2200=m
@@ -156,7 +146,8 @@ CONFIG_I2C_SIS96X=m
CONFIG_I2C_VIA=m
CONFIG_I2C_VIAPRO=m
-CONFIG_DELL_RBU=m
+#rhbz 997149
+# CONFIG_DELL_RBU is not set
CONFIG_DCDBAS=m
CONFIG_EDAC=y
@@ -213,7 +204,6 @@ CONFIG_SAMSUNG_LAPTOP=m
CONFIG_SONY_LAPTOP=m
CONFIG_TOPSTAR_LAPTOP=m
-
CONFIG_ACPI_WMI=m
CONFIG_ACER_WMI=m
CONFIG_ACERHDF=m
@@ -228,6 +218,9 @@ CONFIG_INTEL_OAKTRAIL=m
CONFIG_SAMSUNG_Q10=m
CONFIG_APPLE_GMUX=m
CONFIG_XO15_EBOOK=m
+CONFIG_INTEL_RST=m
+CONFIG_INTEL_SMARTCONNECT=y
+CONFIG_PVPANIC=m
# CONFIG_TOUCHSCREEN_INTEL_MID is not set
@@ -289,8 +282,6 @@ CONFIG_XEN_ACPI_PROCESSOR=m
CONFIG_MTD_ESB2ROM=m
CONFIG_MTD_CK804XROM=m
-CONFIG_NO_HZ=y
-CONFIG_HIGH_RES_TIMERS=y
CONFIG_CPU_IDLE=y
# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
# CONFIG_CPU_IDLE_GOV_LADDER is not set
@@ -325,13 +316,11 @@ CONFIG_HP_WATCHDOG=m
CONFIG_NV_TCO=m
CONFIG_SP5100_TCO=m
-CONFIG_STRICT_DEVMEM=y
-
# CONFIG_NO_BOOTMEM is not set
# CONFIG_MEMTEST is not set
# CONFIG_DEBUG_TLBFLUSH is not set
-# CONFIG_MAXSMP is not set
+CONFIG_MAXSMP=y
CONFIG_HP_ILO=m
@@ -349,9 +338,6 @@ CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
# CONFIG_IOMMU_STRESS is not set
-CONFIG_PERF_COUNTERS=y
-CONFIG_PERF_EVENTS=y
-
CONFIG_X86_MCE=y
CONFIG_X86_MCE_INTEL=y
CONFIG_X86_MCE_AMD=y
@@ -435,7 +421,7 @@ CONFIG_DRM_GMA3600=y
CONFIG_RCU_FANOUT_LEAF=16
CONFIG_INTEL_MEI=m
-CONFIG_INTEL_MEI_ME=y
+CONFIG_INTEL_MEI_ME=m
CONFIG_NFC_MEI_PHY=m
CONFIG_NFC_PN544_MEI=m
@@ -447,6 +433,7 @@ CONFIG_NFC_MICROREAD_MEI=m
# CONFIG_X86_INTEL_LPSS is not set
# CONFIG_INTEL_POWERCLAMP is not set
+CONFIG_X86_PKG_TEMP_THERMAL=m
CONFIG_VMWARE_VMCI=m
CONFIG_VMWARE_VMCI_VSOCKETS=m
@@ -454,17 +441,16 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m
CONFIG_XZ_DEC_X86=y
CONFIG_MPILIB=y
-CONFIG_PKCS7_MESSAGE_PARSER=y
-CONFIG_PE_FILE_PARSER=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_FORCE is not set
-CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_MODULE_SIG_BLACKLIST=y
+CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
+CONFIG_EFI_SIGNATURE_LIST_PARSER=y
CONFIG_MODULE_SIG_UEFI=y
CONFIG_VMXNET3=m
CONFIG_VFIO_PCI_VGA=y
-CONFIG_PVPANIC=m
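Review bot: `# CONFIG_MODULE_SIG_FORCE is not set` stays in place next to the added `CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y`, so signature enforcement presumably applies only when Secure Boot is active and unsigned modules still load on other boots. A comment such as `# enforcement is tied to Secure Boot; MODULE_SIG_FORCE stays off for non-SB boots` would record that this is intended. `CONFIG_MODULE_SIG_BLACKLIST`, `CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE` and `CONFIG_EFI_SIGNATURE_LIST_PARSER` do not look like mainline symbols for this kernel version, so they likely depend on a patch carried in the same tree. Unknown symbols are dropped silently when the config is regenerated, so check the final .config for all three, and for the removed `CONFIG_SYSTEM_BLACKLIST_KEYRING`, whose replacement must cover the same blacklist.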
diff --git a/freed-ora/current/master/config-x86_64-generic b/freed-ora/current/master/config-x86_64-generic
index 5b6b32b47..85f588bc1 100644
--- a/freed-ora/current/master/config-x86_64-generic
+++ b/freed-ora/current/master/config-x86_64-generic
@@ -30,6 +30,7 @@ CONFIG_SWIOTLB=y
# CONFIG_CALGARY_IOMMU is not set
CONFIG_TRANSPARENT_HUGEPAGE=y
+CONFIG_MEM_SOFT_DIRTY=y
CONFIG_KEXEC_JUMP=y
@@ -57,6 +58,7 @@ CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
CONFIG_CRYPTO_CAST5_AVX_X86_64=m
CONFIG_CRYPTO_CAST6_AVX_X86_64=m
+CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
diff --git a/freed-ora/current/master/crash-driver.patch b/freed-ora/current/master/crash-driver.patch
index 239f0f6a0..a7b7b72f9 100644
--- a/freed-ora/current/master/crash-driver.patch
+++ b/freed-ora/current/master/crash-driver.patch
@@ -131,7 +131,7 @@ new file mode 100644
index 0000000..dfcc006
--- /dev/null
+++ b/arch/x86/include/asm/crash.h
-@@ -0,0 +1,75 @@
+@@ -0,0 +1,73 @@
+#ifndef _ASM_I386_CRASH_H
+#define _ASM_I386_CRASH_H
+
@@ -162,8 +162,6 @@ index 0000000..dfcc006
+#include <linux/highmem.h>
+#include <asm/mmzone.h>
+
-+extern int page_is_ram(unsigned long);
-+
+static inline void *
+map_virtual(u64 offset, struct page **pp)
+{
@@ -207,19 +205,6 @@ index 0000000..dfcc006
+#endif /* __KERNEL__ */
+
+#endif /* _ASM_I386_CRASH_H */
-diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index be1ef57..ac659f7 100644
---- a/arch/x86/mm/ioremap.c
-+++ b/arch/x86/mm/ioremap.c
-@@ -24,6 +24,8 @@
-
- #include "physaddr.h"
-
-+EXPORT_SYMBOL_GPL(page_is_ram);
-+
- /*
- * Fix up the linear direct mapping of the kernel to avoid cache attribute
- * conflicts.
diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
index 423fd56..e04a561 100644
--- a/drivers/char/Kconfig
diff --git a/freed-ora/current/master/deblob-3.11 b/freed-ora/current/master/deblob-3.11
new file mode 100755
index 000000000..aaf33cff2
--- /dev/null
+++ b/freed-ora/current/master/deblob-3.11
@@ -0,0 +1,2774 @@
+#!/bin/sh
+
+# Copyright (C) 2008-2013 Alexandre Oliva <lxoliva@fsfla.org>
+# Copyright (C) 2008 Jeff Moe
+# Copyright (C) 2009 Rubén Rodríguez <ruben@gnu.org>
+#
+# This program is part of GNU Linux-libre, a GNU project that
+# publishes scripts to clean up Linux so as to make it suitable for
+# use in the GNU Project and in Free System Distributions.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+# deblob - remove non-free blobs from the vanilla linux kernel
+
+# http://www.fsfla.org/svn/fsfla/software/linux-libre
+
+
+# This script, suited for the kernel version named below, in kver,
+# attempts to remove only non-Free Software bits, without removing
+# Free Software that happens to be in the same file.
+
+# Drivers that currently require non-Free firmware are retained, but
+# firmware included in GPLed sources is replaced with /*(DEBLOBBED)*/
+# if the deblob-check script, that knows how to do this, is present.
+# -lxoliva
+
+
+# See also:
+# http://wiki.debian.org/KernelFirmwareLicensing
+# svn://svn.debian.org/kernel/dists/trunk/linux-2.6/debian/patches/debian/dfsg/files-1
+# http://wiki.gnewsense.org/Builder gen-kernel
+
+# Thanks to Brian Brazil @ gnewsense
+
+
+# For each kver release, start extra with an empty string, then count
+# from 1 if changes are needed that require rebuilding the tarball.
+kver=3.11 extra=
+
+case $1 in
+--force)
+ echo "WARNING: Using the force, ignored errors will be" >&2
+ die () {
+ echo ERROR: "$@" >&2
+ errors=:
+ }
+ forced=: errors=false
+ shift
+ ;;
+*)
+ die () {
+ echo ERROR: "$@" >&2
+ echo Use --force to ignore
+ exit 1
+ }
+ forced=false errors=false
+ ;;
+esac
+
+check=`echo "$0" | sed 's,[^/]*$,,;s,^$,.,;s,/*$,,'`/deblob-check
+if [ ! -f $check ] ; then
+ if $forced; then
+ die deblob-check script missing, will remove entire files
+ else
+ die deblob-check script missing
+ fi
+ have_check=false
+else
+ have_check=:
+ [ -x $check ] || check="/bin/sh $check"
+fi
+
+filetest () {
+ if [ ! -f $1 ]; then
+ die $1 does not exist, something is wrong && return 1
+ fi
+}
+
+announce () {
+ echo
+ echo "$@"
+}
+
+clean_file () {
+ #$1 = filename
+ filetest $1 || return
+ rm $1
+ echo $1: removed
+}
+
+check_changed () {
+ #$1 = filename
+ if cmp $1.deblob $1 > /dev/null; then
+ rm $1.deblob
+ die $1 did not change, something is wrong && return 1
+ fi
+ mv $1.deblob $1
+}
+
+clean_blob () {
+ #$1 = filename
+ filetest $1 || return
+ if $have_check; then
+ name=$1
+ set fnord "$@" -d
+ shift 2
+ if $check "$@" -i linux-$kver $name > $name.deblob; then
+ if [ ! -s $name.deblob ]; then
+ die got an empty file after removing blobs from $name
+ fi
+ else
+ die failed removing blobs from $name
+ fi
+ check_changed $name && echo $name: removed blobs
+ else
+ clean_file $1
+ fi
+}
+
+dummy_blob () {
+ #$1 = filename
+ if test -f $1; then
+ die $1 exists, something is wrong && return
+ elif test ! -f firmware/Makefile; then
+ die firmware/Makefile does not exist, something is wrong && return
+ fi
+
+ clean_sed "s,`echo $1 | sed s,^firmware/,,`,\$(DEBLOBBED),g" \
+ firmware/Makefile "dropped $1"
+}
+
+clean_fw () {
+ #$1 = firmware text input, $2 = firmware output
+ filetest $1 || return
+ if test -f $2; then
+ die $2 exists, something is wrong && return
+ fi
+ clean_blob $1 -s 4
+ dummy_blob $2
+}
+
+drop_fw_file () {
+ #$1 = firmware text input, $2 = firmware output
+ filetest $1 || return
+ if test -f $2; then
+ die $2 exists, something is wrong && return
+ fi
+ clean_file $1
+ dummy_blob $2
+}
+
+clean_kconfig () {
+ #$1 = filename $2 = things to remove
+ case $1 in
+ -f)
+ shift
+ ;;
+ *)
+ if $have_check; then
+ return
+ fi
+ ;;
+ esac
+ filetest $1 || return
+ sed "/^config \\($2\\)\$/{p;i\
+ depends on NONFREE
+d;}" $1 > $1.deblob
+ check_changed $1 && echo $1: marked config $2 as depending on NONFREE
+}
+
+clean_mk () {
+ #$1 = config $2 = Makefile name
+ # We don't clean up Makefiles any more --lxoliva
+ # sed -i "/\\($1\\)/d" $2
+ # echo $2: removed $1 support
+ # check_changed $2
+ filetest $2 || return
+ if sed -n "/\\($1\\)/p" $2 | grep . > /dev/null; then
+ :
+ else
+ die $2 does not contain matches for $1
+ fi
+}
+
+clean_sed () {
+ #$1 = sed-script $2 = file $3 = comment
+ filetest $2 || return
+ sed -e "$1" "$2" > "$2".deblob || {
+ die $2: failed: ${3-applied sed script $1} && return 1; }
+ check_changed $2 && echo $2: ${3-applied sed script $1}
+}
+
+reject_firmware () {
+ #$1 = file $2 = pre sed pattern
+ filetest $1 || return
+ clean_sed "$2"'
+s,request\(_ihex\)\?_firmware\(_nowait\)\?,reject_firmware\2,g
+' "$1" 'disabled non-Free firmware-loading machinery'
+}
+
+maybe_reject_firmware () {
+ #$1 = file $2 = pre sed pattern
+ filetest $1 || return
+ clean_sed "$2"'
+s,request_\(ihex_\)\?firmware\(_nowait\)\?,maybe_reject_\1firmware\2,g
+' "$1" 'retain Free firmware-loading machinery, disabling non-Free one'
+}
+
+undefine_macro () {
+ #$1 - macro name
+ #$2 - substitution
+ #$3 - message
+ #rest - file names
+ macro=$1 repl=$2 msg=$3; shift 3
+ for f in "$@"; do
+ clean_sed "
+s,^#define $macro .*\$,/*(DEBLOBBED)*/,;
+s,$macro,$repl,g;
+" "$f" "$msg"
+ done
+}
+
+undefault_firmware () {
+ #$1 - pattern such that $1_DEFAULT_FIRMWARE is #defined to non-Free firmware
+ #$@ other than $1 - file names
+ macro="$1"_DEFAULT_FIRMWARE; shift
+ undefine_macro "$macro" "\"/*(DEBLOBBED)*/\"" \
+ "disabled non-Free firmware" "$@"
+}
+
+# First, check that files that contain firmwares and their
+# corresponding sources are present.
+
+for f in \
+ drivers/gpu/drm/nouveau/core/engine/copy/fuc/nva3.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/copy/fuc/nva3.fuc \
+ drivers/gpu/drm/nouveau/core/engine/copy/fuc/nvc0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/copy/fuc/nva3.fuc \
+ drivers/gpu/drm/nouveau/core/engine/crypt/fuc/nv98.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/crypt/fuc/nv98.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvc0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/com.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvc0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/macros.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvc0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpc.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvc0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvc0.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvd7.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvd7.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnve0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnve0.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvf0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvf0.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvc0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hub.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvc0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvc0.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvd7.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvd7.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnve0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnve0.fuc \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvf0.fuc.h \
+ drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvf0.fuc \
+ drivers/net/wan/wanxlfw.inc_shipped \
+ drivers/net/wan/wanxlfw.S \
+ drivers/net/wireless/atmel.c \
+ drivers/net/wireless/atmel.c \
+ drivers/scsi/aic7xxx/aic79xx_seq.h_shipped \
+ drivers/scsi/aic7xxx/aic79xx.seq \
+ drivers/scsi/aic7xxx/aic7xxx_seq.h_shipped \
+ drivers/scsi/aic7xxx/aic7xxx.seq \
+ drivers/scsi/aic7xxx_old/aic7xxx_seq.c \
+ drivers/scsi/aic7xxx_old/aic7xxx.seq \
+ drivers/scsi/53c700_d.h_shipped \
+ drivers/scsi/53c700.scr \
+ drivers/scsi/sym53c8xx_2/sym_fw1.h \
+ drivers/scsi/sym53c8xx_2/sym_fw1.h \
+ drivers/scsi/sym53c8xx_2/sym_fw2.h \
+ drivers/scsi/sym53c8xx_2/sym_fw2.h \
+ firmware/dsp56k/bootstrap.bin.ihex \
+ firmware/dsp56k/bootstrap.asm \
+ firmware/keyspan_pda/keyspan_pda.HEX \
+ firmware/keyspan_pda/keyspan_pda.S \
+ firmware/keyspan_pda/xircom_pgs.HEX \
+ firmware/keyspan_pda/xircom_pgs.S \
+ sound/pci/cs46xx/imgs/cwcdma.h \
+ sound/pci/cs46xx/imgs/cwcdma.asp \
+; do
+ filetest $f
+done
+
+# Identify the tarball.
+grep -q 'EXTRAVERSION.*-gnu' Makefile ||
+clean_sed "s,^EXTRAVERSION.*,&-gnu$extra,
+" Makefile 'added -gnu to EXTRAVERSION'
+
+grep -q Linux-libre README ||
+clean_sed '
+1,3 s,Linux kernel release.*kernel\.org.*,GNU Linux-libre <http://linux-libre.fsfla.org>,
+2,5 s,Linux version [0-9.]*,GNU Linux-libre,
+1,20 s,\(operating system \)\?Unix,Unix kernel,
+/WHAT IS LINUX/i\
+WHAT IS GNU Linux-libre?\
+\
+ GNU Linux-libre is a Free version of the kernel Linux (see below),\
+ suitable for use with the GNU Operating System in 100% Free\
+ GNU/Linux-libre System Distributions.\
+ http://www.gnu.org/distros/\
+\
+ It removes non-Free components from Linux, that are disguised as\
+ source code or distributed in separate files. It also disables\
+ run-time requests for non-Free components, shipped separately or as\
+ part of Linux, and documentation pointing to them, so as to avoid\
+ (Free-)baiting users into the trap of non-Free Software.\
+ http://www.fsfla.org/anuncio/2010-11-Linux-2.6.36-libre-debait\
+\
+ Linux-libre started within the gNewSense GNU/Linux distribution.\
+ It was later adopted by Jeff Moe, who coined its name, and in 2008\
+ it became a project maintained by FSF Latin America. In 2012, it\
+ became part of the GNU Project.\
+\
+ The GNU Linux-libre project takes a minimal-changes approach to\
+ cleaning up Linux, making no effort to substitute components that\
+ need to be removed with functionally equivalent Free ones.\
+ Nevertheless, we encourage and support efforts towards doing so.\
+ http://libreplanet.org/wiki/LinuxLibre:Devices_that_require_non-free_firmware\
+\
+ Our mascot is Freedo, a light-blue penguin that has just come out\
+ of the shower. Although we like penguins, GNU is a much greater\
+ contribution to the entire system, so its mascot deserves more\
+ promotion. See our web page for their images.\
+ http://linux-libre.fsfla.org/\
+
+' README 'added blurb about GNU Linux-libre'
+
+# Add reject_firmware and maybe_reject_firmware
+grep -q _LINUX_LIBRE_FIRMWARE_H include/linux/firmware.h ||
+clean_sed '$i\
+#ifndef _LINUX_LIBRE_FIRMWARE_H\
+#define _LINUX_LIBRE_FIRMWARE_H\
+\
+#include <linux/device.h>\
+\
+#define NONFREE_FIRMWARE "/*(DEBLOBBED)*/"\
+\
+static inline int\
+report_missing_free_firmware(const char *name, const char *what)\
+{\
+ printk(KERN_ERR "%s: Missing Free %s\\n", name,\
+ what ? what : "firmware");\
+ return -EINVAL;\
+}\
+static inline int\
+reject_firmware(const struct firmware **fw,\
+ const char *name, struct device *device)\
+{\
+ const struct firmware *xfw = NULL;\
+ int retval;\
+ report_missing_free_firmware(dev_name(device), NULL);\
+ retval = request_firmware(&xfw, NONFREE_FIRMWARE, device);\
+ if (!retval)\
+ release_firmware(xfw);\
+ return -EINVAL;\
+}\
+static inline int\
+maybe_reject_firmware(const struct firmware **fw,\
+ const char *name, struct device *device)\
+{\
+ if (strstr (name, NONFREE_FIRMWARE))\
+ return reject_firmware(fw, name, device);\
+ else\
+ return request_firmware(fw, name, device);\
+}\
+static inline void\
+discard_rejected_firmware(const struct firmware *fw, void *context)\
+{\
+ release_firmware(fw);\
+}\
+static inline int\
+reject_firmware_nowait(struct module *module, int uevent,\
+ const char *name, struct device *device,\
+ gfp_t gfp, void *context,\
+ void (*cont)(const struct firmware *fw,\
+ void *context))\
+{\
+ int retval;\
+ report_missing_free_firmware(dev_name(device), NULL);\
+ retval = request_firmware_nowait(module, uevent, NONFREE_FIRMWARE,\
+ device, gfp, NULL,\
+ discard_rejected_firmware);\
+ if (retval)\
+ return retval;\
+ return -EINVAL;\
+}\
+static inline int\
+maybe_reject_firmware_nowait(struct module *module, int uevent,\
+ const char *name, struct device *device,\
+ gfp_t gfp, void *context,\
+ void (*cont)(const struct firmware *fw,\
+ void *context))\
+{\
+ if (strstr (name, NONFREE_FIRMWARE))\
+ return reject_firmware_nowait(module, uevent, name,\
+ device, gfp, context, cont);\
+ else\
+ return request_firmware_nowait(module, uevent, name,\
+ device, gfp, context, cont);\
+}\
+\
+#endif /* _LINUX_LIBRE_FIRMWARE_H */\
+' include/linux/firmware.h 'added non-Free firmware notification support'
+
+grep -q _LINUX_LIBRE_IHEX_FIRMWARE_H include/linux/ihex.h ||
+clean_sed '$i\
+#ifndef _LINUX_LIBRE_IHEX_H\
+#define _LINUX_LIBRE_IHEX_H\
+\
+static inline int\
+maybe_reject_ihex_firmware(const struct firmware **fw,\
+ const char *name, struct device *device)\
+{\
+ if (strstr (name, NONFREE_FIRMWARE))\
+ return reject_firmware(fw, name, device);\
+ else\
+ return request_ihex_firmware(fw, name, device);\
+}\
+\
+#endif /* _LINUX_LIBRE_IHEX_H */\
+' include/linux/ihex.h 'added non-Free ihex firmware notification support'
+
+########
+# Arch #
+########
+
+# x86
+
+announce MICROCODE_AMD - "AMD microcode patch loading support"
+reject_firmware arch/x86/kernel/microcode_amd.c
+clean_blob arch/x86/kernel/microcode_amd.c
+clean_kconfig arch/x86/Kconfig 'MICROCODE_AMD'
+clean_mk CONFIG_MICROCODE_AMD arch/x86/kernel/Makefile
+
+announce MICROCODE_AMD_EARLY - "Early load AMD microcode"
+clean_blob arch/x86/kernel/microcode_amd_early.c
+clean_kconfig arch/x86/Kconfig 'MICROCODE_AMD_EARLY'
+clean_mk CONFIG_MICROCODE_AMD_EARLY arch/x86/kernel/Makefile
+
+announce MICROCODE_INTEL - "Intel microcode patch loading support"
+reject_firmware arch/x86/kernel/microcode_intel.c
+clean_blob arch/x86/kernel/microcode_intel.c
+clean_kconfig arch/x86/Kconfig 'MICROCODE_INTEL'
+clean_mk CONFIG_MICROCODE_INTEL arch/x86/kernel/Makefile
+
+announce MICROCODE_INTEL_EARLY - "Early load Intel microcode"
+clean_blob arch/x86/kernel/microcode_intel_early.c
+clean_kconfig arch/x86/Kconfig 'MICROCODE_INTEL_EARLY'
+clean_mk CONFIG_MICROCODE_INTEL_EARLY arch/x86/kernel/Makefile
+
+announce MICROCODE_EARLY - "Early load microcode"
+clean_blob Documentation/x86/early-microcode.txt
+clean_kconfig arch/x86/Kconfig 'MICROCODE_EARLY'
+
+# arm
+
+announce IXP4XX_NPE - "IXP4xx Network Processor Engine support"
+reject_firmware arch/arm/mach-ixp4xx/ixp4xx_npe.c
+clean_blob arch/arm/mach-ixp4xx/ixp4xx_npe.c
+clean_blob Documentation/arm/IXP4xx
+clean_kconfig arch/arm/mach-ixp4xx/Kconfig 'ARCH_IXP4XX'
+clean_mk CONFIG_IXP4XX_NPE arch/arm/mach-ixp4xx/Makefile
+
+announce ARCH_NETX - "Hilscher NetX based"
+clean_sed '
+s,\([" ]\)request_firmware(,\1reject_firmware(,
+' arch/arm/mach-netx/xc.c 'disabled non-Free firmware-loading machinery'
+clean_blob arch/arm/mach-netx/xc.c
+clean_blob drivers/net/ethernet/netx-eth.c
+clean_kconfig arch/arm/Kconfig 'ARCH_NETX'
+clean_mk CONFIG_ARCH_NETX arch/arm/Makefile
+
+# mips
+
+# I couldn't figure out where the firmware name actually comes from.
+# If it's from some user-set property, we could reenable it. -lxo
+announce XRX200_PHY_FW - "XRX200 PHY firmware loader"
+reject_firmware arch/mips/lantiq/xway/xrx200_phy_fw.c
+clean_kconfig arch/mips/lantiq/Kconfig 'XRX200_PHY_FW'
+clean_mk CONFIG_XRX200_PHY_FW arch/mips/lantiq/xway/Makefile
+
+#######
+# ATM #
+#######
+
+announce ATM_AMBASSADOR - "Madge Ambassador, Collage PCI 155 Server"
+reject_firmware drivers/atm/ambassador.c
+clean_blob drivers/atm/ambassador.c
+clean_fw firmware/atmsar11.HEX firmware/atmsar11.fw
+clean_kconfig drivers/atm/Kconfig 'ATM_AMBASSADOR'
+clean_mk CONFIG_ATM_AMBASSADOR drivers/atm/Makefile
+
+announce ATM_FORE200E - "FORE Systems 200E-series"
+reject_firmware drivers/atm/fore200e.c
+clean_blob drivers/atm/fore200e.c
+clean_blob Documentation/networking/fore200e.txt
+clean_blob drivers/atm/.gitignore
+clean_blob Documentation/dontdiff
+clean_kconfig drivers/atm/Kconfig 'ATM_FORE200E'
+clean_mk CONFIG_ATM_FORE200E drivers/atm/Makefile
+
+announce ATM_SOLOS - "Solos ADSL2+ PCI Multiport card driver"
+reject_firmware drivers/atm/solos-pci.c
+clean_blob drivers/atm/solos-pci.c
+clean_kconfig drivers/atm/Kconfig 'ATM_SOLOS'
+clean_mk CONFIG_ATM_SOLOS drivers/atm/Makefile
+
+########
+# tty #
+########
+
+announce CYCLADES - "Cyclades async mux support"
+reject_firmware drivers/tty/cyclades.c
+clean_blob drivers/tty/cyclades.c
+clean_kconfig drivers/tty/Kconfig 'CYCLADES'
+clean_mk CONFIG_CYCLADES drivers/tty/Makefile
+
+announce ISI - "Multi-Tech multiport card support"
+reject_firmware drivers/tty/isicom.c
+clean_blob drivers/tty/isicom.c
+clean_kconfig drivers/tty/Kconfig 'ISI'
+clean_mk CONFIG_ISI drivers/tty/Makefile
+
+announce MOXA_INTELLIO - "Moxa Intellio support"
+reject_firmware drivers/tty/moxa.c
+clean_blob drivers/tty/moxa.c
+clean_kconfig drivers/tty/Kconfig 'MOXA_INTELLIO'
+clean_mk CONFIG_MOXA_INTELLIO drivers/tty/Makefile
+
+# gpu drm
+
+announce DRM_NOUVEAU - "Nouveau (nVidia) cards"
+reject_firmware drivers/gpu/drm/nouveau/core/engine/graph/nvc0.c
+clean_blob drivers/gpu/drm/nouveau/core/engine/graph/nvc0.c
+reject_firmware drivers/gpu/drm/nouveau/core/engine/falcon.c
+clean_blob drivers/gpu/drm/nouveau/core/engine/falcon.c
+reject_firmware drivers/gpu/drm/nouveau/core/engine/xtensa.c
+clean_blob drivers/gpu/drm/nouveau/core/engine/xtensa.c
+clean_kconfig drivers/gpu/drm/nouveau/Kconfig 'DRM_NOUVEAU'
+clean_mk CONFIG_DRM_NOUVEAU drivers/gpu/drm/nouveau/Makefile
+
+announce DRM_MGA - "Matrox g200/g400"
+drop_fw_file firmware/matrox/g200_warp.H16 firmware/matrox/g200_warp.fw
+drop_fw_file firmware/matrox/g400_warp.H16 firmware/matrox/g400_warp.fw
+reject_firmware drivers/gpu/drm/mga/mga_warp.c
+clean_blob drivers/gpu/drm/mga/mga_warp.c
+clean_kconfig drivers/gpu/drm/Kconfig 'DRM_MGA'
+clean_mk CONFIG_DRM_MGA drivers/gpu/drm/Makefile
+
+announce DRM_R128 - "ATI Rage 128"
+drop_fw_file firmware/r128/r128_cce.bin.ihex firmware/r128/r128_cce.bin
+reject_firmware drivers/gpu/drm/r128/r128_cce.c
+clean_blob drivers/gpu/drm/r128/r128_cce.c
+clean_kconfig drivers/gpu/drm/Kconfig 'DRM_R128'
+clean_mk CONFIG_DRM_R128 drivers/gpu/drm/Makefile
+
+announce DRM_RADEON - "ATI Radeon"
+drop_fw_file firmware/radeon/R100_cp.bin.ihex firmware/radeon/R100_cp.bin
+drop_fw_file firmware/radeon/R200_cp.bin.ihex firmware/radeon/R200_cp.bin
+drop_fw_file firmware/radeon/R300_cp.bin.ihex firmware/radeon/R300_cp.bin
+drop_fw_file firmware/radeon/R420_cp.bin.ihex firmware/radeon/R420_cp.bin
+drop_fw_file firmware/radeon/R520_cp.bin.ihex firmware/radeon/R520_cp.bin
+drop_fw_file firmware/radeon/R600_me.bin.ihex firmware/radeon/R600_me.bin
+drop_fw_file firmware/radeon/R600_pfp.bin.ihex firmware/radeon/R600_pfp.bin
+drop_fw_file firmware/radeon/RS600_cp.bin.ihex firmware/radeon/RS600_cp.bin
+drop_fw_file firmware/radeon/RS690_cp.bin.ihex firmware/radeon/RS690_cp.bin
+drop_fw_file firmware/radeon/RS780_me.bin.ihex firmware/radeon/RS780_me.bin
+drop_fw_file firmware/radeon/RS780_pfp.bin.ihex firmware/radeon/RS780_pfp.bin
+drop_fw_file firmware/radeon/RV610_me.bin.ihex firmware/radeon/RV610_me.bin
+drop_fw_file firmware/radeon/RV610_pfp.bin.ihex firmware/radeon/RV610_pfp.bin
+drop_fw_file firmware/radeon/RV620_me.bin.ihex firmware/radeon/RV620_me.bin
+drop_fw_file firmware/radeon/RV620_pfp.bin.ihex firmware/radeon/RV620_pfp.bin
+drop_fw_file firmware/radeon/RV630_me.bin.ihex firmware/radeon/RV630_me.bin
+drop_fw_file firmware/radeon/RV630_pfp.bin.ihex firmware/radeon/RV630_pfp.bin
+drop_fw_file firmware/radeon/RV635_me.bin.ihex firmware/radeon/RV635_me.bin
+drop_fw_file firmware/radeon/RV635_pfp.bin.ihex firmware/radeon/RV635_pfp.bin
+drop_fw_file firmware/radeon/RV670_me.bin.ihex firmware/radeon/RV670_me.bin
+drop_fw_file firmware/radeon/RV670_pfp.bin.ihex firmware/radeon/RV670_pfp.bin
+drop_fw_file firmware/radeon/RV710_me.bin.ihex firmware/radeon/RV710_me.bin
+drop_fw_file firmware/radeon/RV710_pfp.bin.ihex firmware/radeon/RV710_pfp.bin
+drop_fw_file firmware/radeon/RV730_me.bin.ihex firmware/radeon/RV730_me.bin
+drop_fw_file firmware/radeon/RV730_pfp.bin.ihex firmware/radeon/RV730_pfp.bin
+drop_fw_file firmware/radeon/RV770_me.bin.ihex firmware/radeon/RV770_me.bin
+drop_fw_file firmware/radeon/RV770_pfp.bin.ihex firmware/radeon/RV770_pfp.bin
+reject_firmware drivers/gpu/drm/radeon/radeon_cp.c
+clean_blob drivers/gpu/drm/radeon/radeon_cp.c
+reject_firmware drivers/gpu/drm/radeon/r100.c
+clean_blob drivers/gpu/drm/radeon/r100.c
+reject_firmware drivers/gpu/drm/radeon/r600.c
+clean_blob drivers/gpu/drm/radeon/r600.c
+reject_firmware drivers/gpu/drm/radeon/r600_cp.c
+clean_blob drivers/gpu/drm/radeon/r600_cp.c
+reject_firmware drivers/gpu/drm/radeon/ni.c
+clean_blob drivers/gpu/drm/radeon/ni.c
+reject_firmware drivers/gpu/drm/radeon/si.c
+clean_blob drivers/gpu/drm/radeon/si.c
+reject_firmware drivers/gpu/drm/radeon/cik.c
+clean_blob drivers/gpu/drm/radeon/cik.c
+reject_firmware drivers/gpu/drm/radeon/radeon_uvd.c
+clean_blob drivers/gpu/drm/radeon/radeon_uvd.c
+clean_kconfig drivers/gpu/drm/Kconfig 'DRM_RADEON'
+clean_mk CONFIG_DRM_RADEON drivers/gpu/drm/Makefile
+
+#######
+# dma #
+#######
+
+announce IMX_SDMA - "i.MX SDMA support"
+reject_firmware drivers/dma/imx-sdma.c
+clean_blob arch/arm/mach-imx/mm-imx25.c
+clean_blob arch/arm/mach-imx/mm-imx3.c
+clean_blob arch/arm/mach-imx/mm-imx5.c
+clean_blob arch/arm/boot/dts/imx51.dtsi
+clean_blob arch/arm/boot/dts/imx53.dtsi
+clean_blob arch/arm/boot/dts/imx6qdl.dtsi
+clean_blob arch/arm/boot/dts/imx6sl.dtsi
+clean_blob Documentation/devicetree/bindings/dma/fsl-imx-sdma.txt
+clean_kconfig drivers/dma/Kconfig 'IMX_SDMA'
+clean_mk CONFIG_IMX_SDMA drivers/dma/Makefile
+
+#########
+# Media #
+#########
+
+# media/tuner
+
+announce MEDIA_TUNER_XC2028 - "XCeive xc2028/xc3028 tuners"
+undefault_firmware 'XC\(2028\|3028L\)' \
+ drivers/media/tuners/tuner-xc2028.h \
+ drivers/media/pci/saa7134/saa7134-cards.c \
+ drivers/media/pci/ivtv/ivtv-driver.c \
+ drivers/media/pci/cx18/cx18-driver.c \
+ drivers/media/pci/cx18/cx18-dvb.c \
+ drivers/media/pci/cx23885/cx23885-dvb.c \
+ drivers/media/pci/cx23885/cx23885-video.c \
+ drivers/media/pci/cx88/cx88-dvb.c \
+ drivers/media/pci/cx88/cx88-cards.c \
+ drivers/media/usb/em28xx/em28xx-cards.c \
+ drivers/media/usb/dvb-usb/dib0700_devices.c \
+ drivers/media/usb/dvb-usb/cxusb.c
+reject_firmware drivers/media/tuners/tuner-xc2028.c
+clean_blob drivers/media/tuners/tuner-xc2028.c
+clean_kconfig drivers/media/tuners/Kconfig 'MEDIA_TUNER_XC2028'
+clean_mk CONFIG_MEDIA_TUNER_XC2028 drivers/media/tuners/Makefile
+
+announce VIDEO_TM6000_DVB - "DVB Support for tm6000 based TV cards"
+clean_blob drivers/media/usb/tm6000/tm6000-cards.c
+clean_kconfig drivers/media/usb/tm6000/Kconfig 'VIDEO_TM6000_DVB'
+clean_mk CONFIG_VIDEO_TM6000_DVB drivers/media/usb/tm6000/Makefile
+
+announce MEDIA_TUNER_XC4000 - "Xceive XC4000 silicon tuner"
+undefault_firmware 'XC4000' drivers/media/tuners/xc4000.c
+maybe_reject_firmware drivers/media/tuners/xc4000.c
+clean_kconfig drivers/media/tuners/Kconfig 'MEDIA_TUNER_XC4000'
+clean_mk CONFIG_MEDIA_TUNER_XC4000 drivers/media/tuners/Makefile
+
+announce MEDIA_TUNER_XC5000 - "Xceive XC5000 silicon tuner"
+undefault_firmware 'XC5000' \
+ drivers/media/usb/cx231xx/cx231xx-cards.c
+reject_firmware drivers/media/tuners/xc5000.c
+clean_blob drivers/media/tuners/xc5000.c
+clean_kconfig drivers/media/tuners/Kconfig 'MEDIA_TUNER_XC5000'
+clean_mk CONFIG_MEDIA_TUNER_XC5000 drivers/media/tuners/Makefile
+
+announce DVB_USB - "Support for various USB DVB devices"
+reject_firmware drivers/media/usb/dvb-usb/dvb-usb-firmware.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB'
+clean_mk CONFIG_DVB_USB drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_V2 - "Support for various USB DVB devices v2"
+reject_firmware drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+clean_kconfig drivers/media/usb/dvb-usb-v2/Kconfig 'DVB_USB_V2'
+clean_mk CONFIG_DVB_USB_V2 drivers/media/usb/dvb-usb-v2/Makefile
+
+announce DVB_B2C2_FLEXCOP - "Technisat/B2C2 FlexCopII(b) and FlexCopIII adapters"
+reject_firmware drivers/media/common/b2c2/flexcop-fe-tuner.c
+
+announce DVB_BT8XX - "BT8xx based PCI cards"
+reject_firmware drivers/media/pci/bt8xx/dvb-bt8xx.c
+
+announce DVB_USB_A800 - "AVerMedia AverTV DVB-T USB 2.0 (A800)"
+clean_blob drivers/media/usb/dvb-usb/a800.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_A800'
+clean_mk CONFIG_DVB_USB_A800 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_AF9005 - "Afatech AF9005 DVB-T USB1.1 support"
+clean_file drivers/media/usb/dvb-usb/af9005-script.h
+clean_sed '
+s,^ deb_info("load init script\\n");$, {\n err("Missing Free init script\\n");\n return scriptlen = ret = -EINVAL;\n ,;
+' drivers/media/usb/dvb-usb/af9005-fe.c 'report missing Free init script'
+clean_blob drivers/media/usb/dvb-usb/af9005-fe.c
+clean_blob drivers/media/usb/dvb-usb/af9005.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_AF9005'
+clean_mk CONFIG_DVB_USB_AF9005 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_AF9015 - "Afatech AF9015 DVB-T USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb-v2/af9015.h
+clean_blob drivers/media/usb/dvb-usb-v2/af9015.c
+clean_kconfig drivers/media/usb/dvb-usb-v2/Kconfig 'DVB_USB_AF9015'
+clean_mk CONFIG_DVB_USB_AF9015 drivers/media/usb/dvb-usb-v2/Makefile
+
+announce DVB_USB_AF9035 - "Afatech AF9035 DVB-T USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb-v2/af9035.h
+clean_blob drivers/media/usb/dvb-usb-v2/af9035.c
+clean_kconfig drivers/media/usb/dvb-usb-v2/Kconfig 'DVB_USB_AF9035'
+clean_mk CONFIG_DVB_USB_AF9035 drivers/media/usb/dvb-usb-v2/Makefile
+
+announce DVB_USB_AZ6007 - "Azurewave 6007 and clones DVB-T/C USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb-v2/az6007.c
+clean_kconfig drivers/media/usb/dvb-usb-v2/Kconfig 'DVB_USB_AZ6007'
+clean_mk CONFIG_DVB_USB_AZ6007 drivers/media/usb/dvb-usb-v2/Makefile
+
+announce DVB_USB_AZ6027 - "Azurewave DVB-S/S2 USB2.0 AZ6027 support"
+clean_blob drivers/media/usb/dvb-usb/az6027.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_AZ6027'
+clean_mk CONFIG_DVB_USB_AZ6027 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_CXUSB - "Conexant USB2.0 hybrid reference design support"
+clean_blob drivers/media/usb/dvb-usb/cxusb.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_CXUSB'
+clean_mk CONFIG_DVB_USB_CXUSB drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_DIB0700 - "DiBcom DiB0700 USB DVB devices"
+reject_firmware drivers/media/usb/dvb-usb/dib0700_devices.c
+clean_blob drivers/media/usb/dvb-usb/dib0700_devices.c
+clean_blob drivers/media/usb/dvb-usb/dib0700_core.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_DIB0700'
+clean_mk CONFIG_DVB_USB_DIB0700 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_DIBUSB_MB - "DiBcom USB DVB-T devices (based on the DiB3000M-B)"
+clean_blob drivers/media/usb/dvb-usb/dibusb-mb.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_DIBUSB_MB'
+clean_mk CONFIG_DVB_USB_DIBUSB_MB drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_DIBUSB_MC - "DiBcom USB DVB-T devices (based on the DiB3000M-C/P)"
+clean_blob drivers/media/usb/dvb-usb/dibusb-mc.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_DIBUSB_MC'
+clean_mk CONFIG_DVB_USB_DIBUSB_MC drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_DIGITV - "Nebula Electronics uDigiTV DVB-T USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb/digitv.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_DIGITV'
+clean_mk CONFIG_DVB_USB_DIGITV drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_DTT200U - "WideView WT-200U and WT-220U (pen) DVB-T USB2.0 support (Yakumo/Hama/Typhoon/Yuan)"
+clean_blob drivers/media/usb/dvb-usb/dtt200u.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_DTT200U'
+clean_mk CONFIG_DVB_USB_DTT200U drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_DW2102 - "DvbWorld DVB-S/S2 USB2.0 support"
+reject_firmware drivers/media/usb/dvb-usb/dw2102.c
+clean_blob drivers/media/usb/dvb-usb/dw2102.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_DW2102'
+clean_mk CONFIG_DVB_USB_DW2102 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_EC168 - "E3C EC168 DVB-T USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb-v2/ec168.h
+clean_blob drivers/media/usb/dvb-usb-v2/ec168.c
+clean_kconfig drivers/media/usb/dvb-usb-v2/Kconfig 'DVB_USB_EC168'
+clean_mk CONFIG_DVB_USB_EC168 drivers/media/usb/dvb-usb-v2/Makefile
+
+announce DVB_USB_GP8PSK - "GENPIX 8PSK->USB module support"
+reject_firmware drivers/media/usb/dvb-usb/gp8psk.c
+clean_blob drivers/media/usb/dvb-usb/gp8psk.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_GP8PSK'
+clean_mk CONFIG_DVB_USB_GP8PSK drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_IT913X - "it913x driver"
+clean_blob drivers/media/usb/dvb-usb-v2/it913x.c
+clean_file Documentation/dvb/it9137.txt
+clean_kconfig drivers/media/usb/dvb-usb-v2/Kconfig 'DVB_USB_IT913X'
+clean_mk CONFIG_DVB_USB_IT913X drivers/media/usb/dvb-usb-v2/Makefile
+
+announce DVB_USB_LME2510 - "LME DM04/QQBOX DVB-S USB2.0 support"
+reject_firmware drivers/media/usb/dvb-usb-v2/lmedm04.c
+clean_blob drivers/media/usb/dvb-usb-v2/lmedm04.c
+clean_file Documentation/dvb/lmedm04.txt
+clean_kconfig drivers/media/usb/dvb-usb-v2/Kconfig 'DVB_USB_LME2510'
+clean_mk CONFIG_DVB_USB_LME2510 drivers/media/usb/dvb-usb-v2/Makefile
+
+announce DVB_USB_M920X - "Uli m920x DVB-T USB2.0 support"
+reject_firmware drivers/media/usb/dvb-usb/m920x.c
+clean_blob drivers/media/usb/dvb-usb/m920x.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_M920X'
+clean_mk CONFIG_DVB_USB_M920X drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_NOVA_T_USB2 - "Hauppauge WinTV-NOVA-T usb2 DVB-T USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb/nova-t-usb2.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_NOVA_T_USB2'
+clean_mk CONFIG_DVB_USB_NOVA_T_USB2 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_OPERA1 - "Opera1 DVB-S USB2.0 receiver"
+reject_firmware drivers/media/usb/dvb-usb/opera1.c
+clean_blob drivers/media/usb/dvb-usb/opera1.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_OPERA1'
+clean_mk CONFIG_DVB_USB_OPERA1 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_TECHNISAT_USB2 - "Technisat DVB-S/S2 USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb/technisat-usb2.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_TECHNISAT_USB2'
+clean_mk CONFIG_DVB_USB_TECHNISAT_USB2 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_TTUSB2 - "Pinnacle 400e DVB-S USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb/ttusb2.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_TTUSB2'
+clean_mk CONFIG_DVB_USB_TTUSB2 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_UMT_010 - "HanfTek UMT-010 DVB-T USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb/umt-010.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_UMT_010'
+clean_mk CONFIG_DVB_USB_UMT_010 drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_VP702X - "TwinhanDTV StarBox and clones DVB-S USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb/vp702x.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_VP702X'
+clean_mk CONFIG_DVB_USB_VP702X drivers/media/usb/dvb-usb/Makefile
+
+announce DVB_USB_VP7045 - "TwinhanDTV Alpha/MagicBoxII, DNTV tinyUSB2, Beetle USB2.0 support"
+clean_blob drivers/media/usb/dvb-usb/vp7045.c
+clean_kconfig drivers/media/usb/dvb-usb/Kconfig 'DVB_USB_VP7045'
+clean_mk CONFIG_DVB_USB_VP7045 drivers/media/usb/dvb-usb/Makefile
+
+# dvb/frontends
+
+announce DVB_AF9013 - "Afatech AF9013 demodulator"
+reject_firmware drivers/media/dvb-frontends/af9013.c
+clean_blob drivers/media/dvb-frontends/af9013.c
+clean_blob drivers/media/dvb-frontends/af9013_priv.h
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_AF9013'
+clean_mk CONFIG_DVB_AF9013 drivers/media/dvb-frontends/Makefile
+
+announce DVB_BCM3510 - "Broadcom BCM3510"
+undefault_firmware 'BCM3510' drivers/media/dvb-frontends/bcm3510.c
+reject_firmware drivers/media/dvb-frontends/bcm3510.c
+reject_firmware drivers/media/dvb-frontends/bcm3510.h
+clean_sed '
+/You.ll need a firmware/,/dvb-fe-bcm/d;
+' drivers/media/dvb-frontends/bcm3510.c \
+ "removed non-Free firmware notes"
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_BCM3510'
+clean_mk CONFIG_DVB_BCM3510 drivers/media/dvb-frontends/Makefile
+
+announce DVB_DS3000 - "Montage Tehnology DS3000 based"
+undefault_firmware 'DS3000' \
+ drivers/media/dvb-frontends/ds3000.c
+reject_firmware drivers/media/dvb-frontends/ds3000.c
+clean_blob drivers/media/dvb-frontends/ds3000.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_DS3000'
+clean_mk CONFIG_DVB_DS3000 drivers/media/dvb-frontends/Makefile
+
+announce DVB_LGS8GXX - "Legend Silicon LGS8913/LGS8GL5/LGS8GXX DMB-TH demodulator"
+reject_firmware drivers/media/dvb-frontends/lgs8gxx.c
+clean_blob drivers/media/dvb-frontends/lgs8gxx.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_LGS8GXX'
+clean_mk CONFIG_DVB_LGS8GXX drivers/media/dvb-frontends/Makefile
+
+announce DVB_NXT200X - "NxtWave Communications NXT2002/NXT2004 based"
+undefault_firmware 'NXT200[24]' drivers/media/dvb-frontends/nxt200x.c
+reject_firmware drivers/media/dvb-frontends/nxt200x.c
+clean_blob drivers/media/dvb-frontends/nxt200x.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_NXT200X'
+clean_mk CONFIG_DVB_NXT200X drivers/media/dvb-frontends/Makefile
+
+announce DVB_OR51132 - "Oren OR51132 based"
+reject_firmware drivers/media/dvb-frontends/or51132.c
+clean_blob drivers/media/dvb-frontends/or51132.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_OR51132'
+clean_mk CONFIG_DVB_OR51132 drivers/media/dvb-frontends/Makefile
+
+announce DVB_OR51211 - "Oren OR51211 based"
+undefault_firmware 'OR51211' drivers/media/dvb-frontends/or51211.c
+reject_firmware drivers/media/dvb-frontends/or51211.c
+reject_firmware drivers/media/dvb-frontends/or51211.h
+clean_blob drivers/media/dvb-frontends/or51211.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_OR51211'
+clean_mk CONFIG_DVB_OR51211 drivers/media/dvb-frontends/Makefile
+
+announce DVB_SP8870 - "Spase sp8870"
+undefault_firmware 'SP8870' drivers/media/dvb-frontends/sp8870.c
+reject_firmware drivers/media/dvb-frontends/sp8870.c
+reject_firmware drivers/media/dvb-frontends/sp8870.h
+clean_blob drivers/media/dvb-frontends/sp8870.c
+clean_kconfig drivers/media/dvb-frontends 'DVB_SP8870'
+clean_mk CONFIG_DVB_SP8870 drivers/media/dvb-frontends/Makefile
+
+announce DVB_CX24116 - "Conexant CX24116 based"
+undefault_firmware CX24116 drivers/media/dvb-frontends/cx24116.c
+reject_firmware drivers/media/dvb-frontends/cx24116.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_CX24116'
+clean_mk CONFIG_DVB_CX24116 drivers/media/dvb-frontends/Makefile
+
+announce DVB_SP887X - "Spase sp887x based"
+undefault_firmware 'SP887X' drivers/media/dvb-frontends/sp887x.c
+reject_firmware drivers/media/dvb-frontends/sp887x.c
+reject_firmware drivers/media/dvb-frontends/sp887x.h
+clean_blob drivers/media/dvb-frontends/sp887x.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_SP887X'
+clean_mk CONFIG_DVB_SP887X drivers/media/dvb-frontends/Makefile
+
+announce DVB_TDA10048 - "Philips TDA10048HN based"
+undefine_macro 'TDA10048_DEFAULT_FIRMWARE_SIZE' 0 \
+ 'removed non-Free firmware size' drivers/media/dvb-frontends/tda10048.c
+undefault_firmware 'TDA10048' drivers/media/dvb-frontends/tda10048.c
+reject_firmware drivers/media/dvb-frontends/tda10048.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_TDA10048'
+clean_mk CONFIG_DVB_TDA10048 drivers/media/dvb-frontends/Makefile
+
+announce DVB_TDA1004X - "Philips TDA10045H/TDA10046H"
+undefault_firmware 'TDA1004[56]' drivers/media/dvb-frontends/tda1004x.c
+reject_firmware drivers/media/dvb-frontends/tda1004x.c
+reject_firmware drivers/media/dvb-frontends/tda1004x.h
+clean_blob drivers/media/dvb-frontends/tda1004x.c
+clean_kconfig drivers/media/dvb-frontends 'DVB_TDA1004X'
+clean_mk CONFIG_DVB_TDA1004X drivers/media/dvb-frontends/Makefile
+
+announce DVB_TDA10071 - "NXP TDA10071"
+reject_firmware drivers/media/dvb-frontends/tda10071.c
+clean_blob drivers/media/dvb-frontends/tda10071.c
+clean_blob drivers/media/dvb-frontends/tda10071_priv.h
+clean_kconfig drivers/media/dvb-frontends 'DVB_TDA10071'
+clean_mk CONFIG_DVB_TDA10071 drivers/media/dvb-frontends/Makefile
+
+# dvb
+
+announce DVB_AS102 - "Abilis AS102 DVB receiver"
+reject_firmware drivers/staging/media/as102/as102_fw.c
+clean_blob drivers/staging/media/as102/as102_fw.c
+clean_kconfig drivers/staging/media/as102/Kconfig 'DVB_AS102'
+clean_mk CONFIG_DVB_AS102 drivers/staging/media/as102/Makefile
+
+announce DVB_AV7110 - "AV7110 cards"
+reject_firmware drivers/media/pci/ttpci/av7110.c
+clean_blob drivers/media/pci/ttpci/av7110.c
+clean_kconfig drivers/media/pci/ttpci/Kconfig 'DVB_AV7110'
+clean_mk CONFIG_DVB_AV7110 drivers/media/pci/ttpci/Makefile
+
+announce DVB_BUDGET - "Budget cards"
+reject_firmware drivers/media/pci/ttpci/budget.c
+reject_firmware drivers/media/dvb-frontends/tdhd1.h
+
+announce DVB_BUDGET_AV - "Budget cards with analog video inputs"
+reject_firmware drivers/media/pci/ttpci/budget-av.c
+
+announce DVB_BUDGET_CI - "Budget cards with onboard CI connector"
+reject_firmware drivers/media/pci/ttpci/budget-ci.c
+
+announce DVB_DRXD - "Micronas DRXD driver"
+reject_firmware drivers/media/dvb-frontends/drxd_hard.c
+clean_blob drivers/media/dvb-frontends/drxd_hard.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_DRXD'
+clean_mk CONFIG_DVB_DRXD drivers/media/dvb-frontends/Makefile
+
+announce DVB_DRXK - "Micronas DRXK based"
+reject_firmware drivers/media/dvb-frontends/drxk_hard.c
+clean_kconfig drivers/media/dvb-frontends/Kconfig 'DVB_DRXK'
+clean_mk CONFIG_DVB_DRXK drivers/media/dvb-frontends/Makefile
+
+announce DVB_NGENE - "Micronas nGene support"
+reject_firmware drivers/media/pci/ngene/ngene-core.c
+clean_blob drivers/media/pci/ngene/ngene-core.c
+clean_kconfig drivers/media/pci/ngene/Kconfig 'DVB_NGENE'
+clean_mk CONFIG_DVB_NGENE drivers/media/pci/ngene/Makefile
+
+announce DVB_PLUTO2 - "Pluto2 cards"
+reject_firmware drivers/media/pci/pluto2/pluto2.c
+
+announce SMS_SIANO_MDTV - "Siano SMS1xxx based MDTV receiver"
+reject_firmware drivers/media/common/siano/smscoreapi.c
+clean_blob drivers/media/common/siano/smscoreapi.c
+clean_blob drivers/media/common/siano/smscoreapi.h
+clean_kconfig drivers/media/common/siano/Kconfig 'SMS_SIANO_MDTV'
+clean_mk CONFIG_SMS_SIANO_MDTV drivers/media/common/siano/Makefile
+
+announce SMS_USB_DRV - "Siano's USB interface support"
+reject_firmware drivers/media/usb/siano/smsusb.c
+clean_blob drivers/media/usb/siano/smsusb.c
+clean_kconfig drivers/media/usb/siano/Kconfig 'SMS_USB_DRV'
+clean_mk CONFIG_SMS_USB_DRV drivers/media/usb/siano/Makefile
+
+announce DVB_TTUSB_BUDGET - "Technotrend/Hauppauge Nova-USB devices"
+drop_fw_file firmware/ttusb-budget/dspbootcode.bin.ihex firmware/ttusb-budget/dspbootcode.bin
+reject_firmware drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
+clean_blob drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
+clean_kconfig drivers/media/usb/ttusb-budget/Kconfig 'DVB_TTUSB_BUDGET'
+clean_mk CONFIG_DVB_TTUSB_BUDGET drivers/media/usb/ttusb-budget/Makefile
+
+announce DVB_TTUSB_DEC - "Technotrend/Hauppauge USB DEC devices"
+reject_firmware drivers/media/usb/ttusb-dec/ttusb_dec.c
+clean_blob drivers/media/usb/ttusb-dec/ttusb_dec.c
+clean_blob Documentation/dvb/ttusb-dec.txt
+clean_kconfig drivers/media/usb/ttusb-dec/Kconfig 'DVB_TTUSB_DEC'
+clean_mk CONFIG_DVB_TTUSB_DEC drivers/media/usb/ttusb-dec/Makefile
+
+# video
+
+announce VIDEO_BT848 - "BT848 Video For Linux"
+reject_firmware drivers/media/pci/bt8xx/bttv-cards.c
+clean_blob drivers/media/pci/bt8xx/bttv-cards.c
+clean_blob Documentation/video4linux/bttv/README
+clean_kconfig drivers/media/pci/bt8xx/Kconfig 'VIDEO_BT848'
+clean_mk CONFIG_VIDEO_BT848 drivers/media/pci/bt8xx/Makefile
+
+announce VIDEO_CODA - "Chips&Media Coda multi-standard codec IP"
+reject_firmware drivers/media/platform/coda.c
+clean_blob drivers/media/platform/coda.c
+clean_kconfig drivers/media/platform/Kconfig 'VIDEO_CODA'
+clean_mk CONFIG_VIDEO_CODA drivers/media/platform/Makefile
+
+announce VIDEO_CPIA2 - "CPiA2 Video For Linux"
+clean_fw firmware/cpia2/stv0672_vp4.bin.ihex firmware/cpia2/stv0672_vp4.bin
+reject_firmware drivers/media/usb/cpia2/cpia2_core.c
+clean_blob drivers/media/usb/cpia2/cpia2_core.c
+clean_kconfig drivers/media/usb/cpia2/Kconfig 'VIDEO_CPIA2'
+clean_mk CONFIG_VIDEO_CPIA2 drivers/media/usb/cpia2/Makefile
+
+announce VIDEO_CX18 - "Conexant cx23418 MPEG encoder support"
+reject_firmware drivers/media/pci/cx18/cx18-av-firmware.c
+reject_firmware drivers/media/pci/cx18/cx18-dvb.c
+reject_firmware drivers/media/pci/cx18/cx18-firmware.c
+clean_blob drivers/media/pci/cx18/cx18-av-firmware.c
+clean_blob drivers/media/pci/cx18/cx18-dvb.c
+clean_blob drivers/media/pci/cx18/cx18-firmware.c
+clean_blob drivers/media/pci/cx18/cx18-driver.c
+clean_kconfig drivers/media/pci/cx18/Kconfig 'VIDEO_CX18'
+clean_mk CONFIG_VIDEO_CX18 drivers/media/pci/cx18/Makefile
+
+announce VIDEO_CX231XX - "Conexant cx231xx USB video capture support"
+reject_firmware drivers/media/usb/cx231xx/cx231xx-417.c
+clean_blob drivers/media/usb/cx231xx/cx231xx-417.c
+clean_kconfig drivers/media/usb/cx231xx/Kconfig 'VIDEO_CX231XX'
+clean_mk CONFIG_VIDEO_CX231XX drivers/media/usb/cx231xx/Makefile
+
+announce VIDEO_CX23885 - "Conexant cx23885 (2388x successor) support"
+reject_firmware drivers/media/pci/cx23885/cx23885-417.c
+clean_blob drivers/media/pci/cx23885/cx23885-417.c
+reject_firmware drivers/media/pci/cx23885/cx23885-cards.c
+clean_blob drivers/media/pci/cx23885/cx23885-cards.c
+clean_blob drivers/media/pci/cx23885/cx23885-video.c
+clean_kconfig drivers/media/pci/cx23885/Kconfig 'VIDEO_CX23885'
+clean_mk CONFIG_VIDEO_CX23885 drivers/media/pci/cx23885/Makefile
+
+announce VIDEO_CX25840 - "Conexant CX2584x audio/video decoders"
+reject_firmware drivers/media/i2c/cx25840/cx25840-firmware.c
+clean_blob drivers/media/i2c/cx25840/cx25840-firmware.c
+clean_kconfig drivers/media/i2c/cx25840/Kconfig 'VIDEO_CX25840'
+clean_mk CONFIG_VIDEO_CX25840 drivers/media/i2c/cx25840/Makefile
+
+announce VIDEO_CX88_BLACKBIRD - "Blackbird MPEG encoder support (cx2388x + cx23416)"
+reject_firmware drivers/media/pci/cx88/cx88-blackbird.c
+clean_kconfig drivers/media/pci/cx88/Kconfig 'VIDEO_CX88_BLACKBIRD'
+clean_mk CONFIG_VIDEO_CX88_BLACKBIRD drivers/media/pci/cx88/Makefile
+
+announce VIDEO_EM28XX_DVB - "DVB/ATSC Support for em28xx based TV cards"
+clean_blob drivers/media/usb/em28xx/em28xx-dvb.c
+clean_kconfig drivers/media/usb/em28xx/Kconfig 'VIDEO_EM28XX_DVB'
+clean_mk CONFIG_VIDEO_EM28XX_DVB drivers/media/usb/em28xx/Makefile
+
+announce VIDEO_EXYNOS4_FIMC_IS - "EXYNOS4x12 FIMC-IS (Imaging Subsystem) driver"
+reject_firmware drivers/media/platform/exynos4-is/fimc-is.c
+clean_blob drivers/media/platform/exynos4-is/fimc-is.h
+clean_kconfig drivers/media/platform/exynos4-is/Kconfig 'VIDEO_EXYNOS4_FIMC_IS'
+clean_mk CONFIG_VIDEO_EXYNOS4_FIMC_IS drivers/media/platform/exynos4-is/Makefile
+
+announce VIDEO_IVTV - "Conexant cx23416/cx23415 MPEG encoder/decoder support"
+reject_firmware drivers/media/pci/ivtv/ivtv-firmware.c
+clean_blob drivers/media/pci/ivtv/ivtv-firmware.c
+clean_kconfig drivers/media/pci/ivtv/Kconfig 'VIDEO_IVTV'
+clean_mk CONFIG_VIDEO_IVTV drivers/media/pci/ivtv/Makefile
+
+announce VIDEO_PVRUSB2 - "Hauppauge WinTV-PVR USB2 support"
+reject_firmware drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+clean_blob drivers/media/usb/pvrusb2/pvrusb2-devattr.c
+clean_kconfig drivers/media/usb/pvrusb2/Kconfig 'VIDEO_PVRUSB2'
+clean_mk CONFIG_VIDEO_PVRUSB2 drivers/media/usb/pvrusb2/Makefile
+
+announce "VIDEO_CX23885, VIDEO_CX88_BLACKBIRD, VIDEO_IVTV, VIDEO_PVRUSB2" - "See above"
+clean_blob include/media/cx2341x.h
+
+announce VIDEO_GO7007 - "Go 7007 support"
+reject_firmware drivers/staging/media/go7007/go7007-driver.c
+clean_blob drivers/staging/media/go7007/go7007-driver.c
+reject_firmware drivers/staging/media/go7007/go7007-fw.c
+clean_blob drivers/staging/media/go7007/go7007-fw.c
+clean_blob drivers/staging/media/go7007/saa7134-go7007.c
+clean_kconfig drivers/staging/media/go7007/Kconfig 'VIDEO_GO7007'
+clean_mk CONFIG_VIDEO_GO7007 drivers/staging/media/go7007/Makefile
+
+announce VIDEO_GO7007_USB_S2250_BOARD - "Sensoray 2250/2251 support"
+reject_firmware drivers/staging/media/go7007/go7007-loader.c
+clean_blob drivers/staging/media/go7007/go7007-loader.c
+clean_kconfig drivers/staging/media/go7007/Kconfig 'VIDEO_GO7007_USB_S2250_BOARD'
+clean_mk CONFIG_VIDEO_GO7007_USB_S2250_BOARD drivers/staging/media/go7007/Makefile
+
+announce VIDEO_SAA7134_DVB - "DVB/ATSC Support for saa7134 based TV cards"
+reject_firmware drivers/media/pci/saa7134/saa7134-dvb.c
+clean_kconfig drivers/media/pci/saa7134/Kconfig 'VIDEO_SAA7134_DVB'
+clean_mk CONFIG_VIDEO_SAA7134_DVB drivers/media/pci/saa7134/Makefile
+
+announce VIDEO_SAA7164 - "NXP SAA7164 support"
+reject_firmware drivers/media/pci/saa7164/saa7164-fw.c
+clean_blob drivers/media/pci/saa7164/saa7164-fw.c
+clean_kconfig drivers/media/pci/saa7164/Kconfig 'VIDEO_SAA7164'
+clean_mk CONFIG_VIDEO_SAA7164 drivers/media/pci/saa7164/Makefile
+
+announce VIDEO_TLG2300 - "Telegent TLG2300 USB video capture support"
+reject_firmware drivers/media/usb/tlg2300/pd-main.c
+clean_blob drivers/media/usb/tlg2300/pd-main.c
+clean_kconfig drivers/media/usb/tlg2300/Kconfig 'VIDEO_TLG2300'
+clean_mk CONFIG_VIDEO_TLG2300 drivers/media/usb/tlg2300/Makefile
+
+announce VIDEO_S5C73M3 - "Samsung S5C73M3 sensor support"
+reject_firmware drivers/media/i2c/s5c73m3/s5c73m3-core.c
+clean_blob drivers/media/i2c/s5c73m3/s5c73m3-core.c
+clean_kconfig drivers/media/i2c/Kconfig 'VIDEO_S5C73M3'
+clean_mk CONFIG_VIDEO_S5C73M3 drivers/media/i2c/s5c73m3/Makefile
+
+announce VIDEO_S5K4ECGX - "Samsung S5K4ECGX sensor support"
+reject_firmware drivers/media/i2c/s5k4ecgx.c
+clean_blob drivers/media/i2c/s5k4ecgx.c
+clean_kconfig drivers/media/i2c/s5k4ecgx.c 'VIDEO_S5K4ECGX'
+clean_mk CONFIG_VIDEO_S5K4ECGX drivers/media/i2c/Makefile
+
+announce VIDEO_SAMSUNG_S5P_MFC - "Samsung S5P MFC 5.1 Video Codec"
+reject_firmware drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
+clean_blob drivers/media/platform/s5p-mfc/s5p_mfc.c
+clean_kconfig drivers/media/platform/Kconfig 'VIDEO_SAMSUNG_S5P_MFC'
+clean_mk CONFIG_VIDEO_SAMSUNG_S5P_MFC drivers/media/platform/s5p-mfc/Makefile
+
+announce USB_S2255 - "USB Sensoray 2255 video capture device"
+reject_firmware drivers/media/usb/s2255/s2255drv.c
+clean_blob drivers/media/usb/s2255/s2255drv.c
+clean_kconfig drivers/media/usb/Kconfig 'USB_S2255'
+clean_mk CONFIG_USB_S2255 drivers/media/usb/s2255/Makefile
+
+announce USB_GSPCA_VICAM - "USB 3com HomeConnect, AKA vicam"
+drop_fw_file firmware/vicam/firmware.H16 firmware/vicam/firmware.fw
+reject_firmware drivers/media/usb/gspca/vicam.c
+clean_blob drivers/media/usb/gspca/vicam.c
+clean_kconfig drivers/media/usb/gspca/Kconfig 'USB_GSPCA_VICAM'
+clean_mk CONFIG_USB_GSPCA_VICAM drivers/media/usb/gspca/Makefile
+
+# radio
+
+announce RADIO_WL1273 - "Texas Instruments WL1273 I2C FM Radio"
+reject_firmware drivers/media/radio/radio-wl1273.c
+clean_blob drivers/media/radio/radio-wl1273.c
+clean_kconfig drivers/media/radio/Kconfig 'RADIO_WL1273'
+clean_mk CONFIG_RADIO_WL1273 drivers/media/radio/Makefile
+
+announce RADIO_WL128X - "Texas Instruments WL128x FM Radio"
+clean_blob drivers/media/radio/wl128x/fmdrv_common.h
+reject_firmware drivers/media/radio/wl128x/fmdrv_common.c
+clean_blob drivers/media/radio/wl128x/fmdrv_common.c
+clean_kconfig drivers/media/radio/Kconfig 'RADIO_WL128X'
+clean_mk CONFIG_RADIO_WL128X drivers/media/radio/Makefile
+
+#######
+# net #
+#######
+
+announce ACENIC - "Alteon AceNIC/3Com 3C985/NetGear GA620 Gigabit"
+drop_fw_file firmware/acenic/tg1.bin.ihex firmware/acenic/tg1.bin
+drop_fw_file firmware/acenic/tg2.bin.ihex firmware/acenic/tg2.bin
+reject_firmware drivers/net/ethernet/alteon/acenic.c
+clean_blob drivers/net/ethernet/alteon/acenic.c
+clean_kconfig drivers/net/ethernet/alteon/Kconfig 'ACENIC'
+clean_mk CONFIG_ACENIC drivers/net/ethernet/alteon/Makefile
+
+announce ADAPTEC_STARFIRE - "Adaptec Starfire/DuraLAN support"
+clean_fw firmware/adaptec/starfire_rx.bin.ihex firmware/adaptec/starfire_rx.bin
+clean_fw firmware/adaptec/starfire_tx.bin.ihex firmware/adaptec/starfire_tx.bin
+reject_firmware drivers/net/ethernet/adaptec/starfire.c
+clean_blob drivers/net/ethernet/adaptec/starfire.c
+clean_kconfig drivers/net/ethernet/adaptec/Kconfig 'ADAPTEC_STARFIRE'
+clean_mk CONFIG_ADAPTEC_STARFIRE drivers/net/ethernet/adaptec/Makefile
+
+announce BNA - "Brocade 1010/1020 10Gb Ethernet Driver support"
+clean_blob drivers/net/ethernet/brocade/bna/bnad.c
+clean_blob drivers/net/ethernet/brocade/bna/cna.h
+reject_firmware drivers/net/ethernet/brocade/bna/bnad_ethtool.c
+reject_firmware drivers/net/ethernet/brocade/bna/cna_fwimg.c
+clean_kconfig drivers/net/ethernet/brocade/bna/Kconfig 'BNA'
+clean_mk CONFIG_BNA drivers/net/ethernet/brocade/bna/Makefile
+
+announce BNX2 - "Broadcom NetXtremeII"
+drop_fw_file firmware/bnx2/bnx2-mips-09-6.2.1a.fw.ihex firmware/bnx2/bnx2-mips-09-6.2.1a.fw
+drop_fw_file firmware/bnx2/bnx2-rv2p-09-6.0.17.fw.ihex firmware/bnx2/bnx2-rv2p-09-6.0.17.fw
+drop_fw_file firmware/bnx2/bnx2-rv2p-09ax-6.0.17.fw.ihex firmware/bnx2/bnx2-rv2p-09ax-6.0.17.fw
+drop_fw_file firmware/bnx2/bnx2-mips-06-6.2.1.fw.ihex firmware/bnx2/bnx2-mips-06-6.2.1.fw
+drop_fw_file firmware/bnx2/bnx2-rv2p-06-6.0.15.fw.ihex firmware/bnx2/bnx2-rv2p-06-6.0.15.fw
+reject_firmware drivers/net/ethernet/broadcom/bnx2.c
+clean_blob drivers/net/ethernet/broadcom/bnx2.c
+clean_kconfig drivers/net/ethernet/broadcom/Kconfig 'BNX2'
+clean_mk CONFIG_BNX2 drivers/net/ethernet/broadcom/Makefile
+
+announce BNX2X - "Broadcom NetXtremeII 10Gb support"
+drop_fw_file firmware/bnx2x/bnx2x-e1-6.2.9.0.fw.ihex firmware/bnx2x/bnx2x-e1-6.2.9.0.fw
+drop_fw_file firmware/bnx2x/bnx2x-e1h-6.2.9.0.fw.ihex firmware/bnx2x/bnx2x-e1h-6.2.9.0.fw
+drop_fw_file firmware/bnx2x/bnx2x-e2-6.2.9.0.fw.ihex firmware/bnx2x/bnx2x-e2-6.2.9.0.fw
+reject_firmware drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+clean_sed '
+/^#include "bnx2x_init\.h"/,/^$/{
+ /^$/i\
+#define bnx2x_init_block(bp, start, end) \\\
+ return (printk(KERN_ERR "%s: Missing Free firmware\\n", bp->dev->name),\\\
+ -EINVAL)
+}' drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c 'report missing Free firmware'
+clean_blob drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+clean_sed '
+/^int bnx2x_nic_load_analyze_req/,/^}$/{
+ /^ u32 my_fw = /i\
+ /*(DEBLOBBED)*/
+ /^ u32 my_fw = /,/<< 24);/d;
+ /^ u32 loaded_fw = /,/^$/{
+ /^$/i\
+\
+ u32 my_fw = ~loaded_fw;
+ }
+}' drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c 'fail already-loaded test'
+clean_blob drivers/net/ethernet/broadcom/bnx2x/bnx2x_hsi.h
+clean_sed '
+/static void bnx2x_init_wr_wb/{
+ i\
+extern void bnx2x_init_wr_wb(struct bnx2x *, u32, const u32 *, u32);
+}' drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h 'declare removed function'
+clean_blob drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h
+clean_kconfig drivers/net/ethernet/broadcom/Kconfig 'BNX2X'
+clean_mk CONFIG_BNX2X drivers/net/ethernet/broadcom/bnx2x/Makefile
+
+announce CASSINI - "Sun Cassini"
+drop_fw_file firmware/sun/cassini.bin.ihex firmware/sun/cassini.bin
+reject_firmware drivers/net/ethernet/sun/cassini.c
+clean_blob drivers/net/ethernet/sun/cassini.c
+clean_kconfig drivers/net/ethernet/sun/Kconfig 'CASSINI'
+clean_mk CONFIG_CASSINI drivers/net/ethernet/sun/Makefile
+
+announce CHELSIO_T3 - "Chelsio AEL 2005 support"
+drop_fw_file firmware/cxgb3/t3b_psram-1.1.0.bin.ihex firmware/cxgb3/t3b_psram-1.1.0.bin
+drop_fw_file firmware/cxgb3/t3c_psram-1.1.0.bin.ihex firmware/cxgb3/t3c_psram-1.1.0.bin
+drop_fw_file firmware/cxgb3/ael2005_opt_edc.bin.ihex firmware/cxgb3/ael2005_opt_edc.bin
+drop_fw_file firmware/cxgb3/ael2005_twx_edc.bin.ihex firmware/cxgb3/ael2005_twx_edc.bin
+drop_fw_file firmware/cxgb3/ael2020_twx_edc.bin.ihex firmware/cxgb3/ael2020_twx_edc.bin
+reject_firmware drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+clean_blob drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+clean_kconfig drivers/net/ethernet/chelsio/Kconfig 'CHELSIO_T3'
+clean_mk CONFIG_CHELSIO_T3 drivers/net/ethernet/chelsio/cxgb3/Makefile
+
+announce CHELSIO_T4 - "Chelsio Communications T4 Ethernet support"
+reject_firmware drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+clean_blob drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+clean_kconfig drivers/net/ethernet/chelsio/Kconfig 'CHELSIO_T4'
+clean_mk CONFIG_CHELSIO_T4 drivers/net/ethernet/chelsio/cxgb4/Makefile
+
+announce E100 - "Intel PRO/100+"
+drop_fw_file firmware/e100/d101m_ucode.bin.ihex firmware/e100/d101m_ucode.bin
+drop_fw_file firmware/e100/d101s_ucode.bin.ihex firmware/e100/d101s_ucode.bin
+drop_fw_file firmware/e100/d102e_ucode.bin.ihex firmware/e100/d102e_ucode.bin
+reject_firmware drivers/net/ethernet/intel/e100.c
+clean_sed '
+/^static const struct firmware \*e100_\(reject\|request\)_firmware(/,/^}$/{
+ s:^\(.*\)return ERR_PTR(err);$:\1netif_err(nic, probe, nic->netdev, "Proceeding without firmware\\n");\n\1return NULL;:
+}' drivers/net/ethernet/intel/e100.c 'proceed without firmware'
+clean_blob drivers/net/ethernet/intel/e100.c
+clean_kconfig drivers/net/ethernet/intel/Kconfig 'E100'
+clean_mk CONFIG_E100 drivers/net/ethernet/intel/Makefile
+
+announce FT1000_PCMCIA - "Driver for ft1000 pcmcia device."
+clean_file drivers/staging/ft1000/ft1000-pcmcia/ft1000.img
+reject_firmware drivers/staging/ft1000/TODO
+clean_blob drivers/staging/ft1000/ft1000-pcmcia/boot.h
+clean_sed '
+/^static int ft1000_reset_card/,/^}$/ {
+ /card_bootload/i\
+ return /*(DEBLOBBED)*/ false;
+}
+' drivers/staging/ft1000/ft1000-pcmcia/ft1000_hw.c \
+ 'disabled non-Free firmware-loading machinery'
+reject_firmware drivers/staging/ft1000/ft1000-pcmcia/ft1000_hw.c
+clean_blob drivers/staging/ft1000/ft1000-pcmcia/ft1000_hw.c
+clean_kconfig drivers/staging/ft1000/Kconfig 'FT1000_PCMCIA'
+clean_mk CONFIG_FT1000_PCMCIA drivers/staging/ft1000/Makefile
+
+announce FT1000_USB - "Driver for ft1000 USB devices."
+clean_file drivers/staging/ft1000/ft1000-usb/ft3000.img
+reject_firmware drivers/staging/ft1000/ft1000-usb/ft1000_usb.c
+clean_blob drivers/staging/ft1000/ft1000-usb/ft1000_usb.c
+clean_kconfig drivers/staging/ft1000/Kconfig 'FT1000_USB'
+clean_mk CONFIG_FT1000_USB drivers/staging/ft1000/Makefile
+
+announce MYRI_SBUS - "MyriCOM Gigabit Ethernet"
+drop_fw_file firmware/myricom/lanai.bin.ihex firmware/myricom/lanai.bin
+
+announce MYRI10GE - "Myricom Myri-10G Ethernet support"
+reject_firmware drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+clean_blob drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+clean_kconfig drivers/net/ethernet/myricom/Kconfig 'MYRI10GE'
+clean_mk CONFIG_MYRI10GE drivers/net/ethernet/myricom/myri10ge/Makefile
+
+announce NETXEN_NIC - "NetXen Multi port (1/10) Gigabit Ethernet NIC"
+reject_firmware drivers/net/ethernet/qlogic/netxen/netxen_nic.h
+reject_firmware drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+reject_firmware drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
+clean_blob drivers/net/ethernet/qlogic/netxen/netxen_nic.h
+clean_blob drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+clean_kconfig drivers/net/ethernet/qlogic/Kconfig 'NETXEN_NIC'
+clean_mk CONFIG_NETXEN_NIC drivers/net/ethernet/qlogic/Makefile
+
+announce QLCNIC - "QLOGIC QLCNIC 1/10Gb Converged Ethernet NIC Support"
+reject_firmware drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
+reject_firmware drivers/net/ethernet/qlogic/qlcnic/qlcnic_init.c
+reject_firmware drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+reject_firmware drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+clean_blob drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
+clean_blob drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.h
+clean_blob drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+clean_kconfig drivers/net/ethernet/qlogic/Kconfig 'QLCNIC'
+clean_mk CONFIG_QLCNIC drivers/net/ethernet/qlogic/qlcnic/Makefile
+
+announce R8169 - "Realtek 8169 gigabit ethernet support"
+reject_firmware drivers/net/ethernet/realtek/r8169.c
+clean_blob drivers/net/ethernet/realtek/r8169.c
+clean_kconfig drivers/net/ethernet/realtek/Kconfig R8169
+clean_mk CONFIG_R8169 drivers/net/ethernet/realtek/Makefile
+
+announce SLICOSS - "Alacritech Gigabit IS-NIC cards"
+reject_firmware drivers/staging/slicoss/slicoss.c
+clean_blob drivers/staging/slicoss/slicoss.c
+clean_kconfig drivers/staging/slicoss/Kconfig 'SLICOSS'
+clean_mk CONFIG_SLICOSS drivers/staging/slicoss/Makefile
+
+announce SPIDER_NET - "Spider Gigabit Ethernet driver"
+reject_firmware drivers/net/ethernet/toshiba/spider_net.c
+clean_sed 's,spider_fw\.bin,DEBLOBBED.bin,g' \
+ drivers/net/ethernet/toshiba/spider_net.c 'removed non-Free firmware notes'
+clean_blob drivers/net/ethernet/toshiba/spider_net.c
+clean_blob drivers/net/ethernet/toshiba/spider_net.h
+clean_kconfig drivers/net/ethernet/toshiba/Kconfig 'SPIDER_NET'
+clean_mk CONFIG_SPIDER_NET drivers/net/ethernet/toshiba/Makefile
+
+announce TEHUTI - "Tehuti Networks 10G Ethernet"
+drop_fw_file firmware/tehuti/bdx.bin.ihex firmware/tehuti/bdx.bin
+reject_firmware drivers/net/ethernet/tehuti/tehuti.c
+clean_blob drivers/net/ethernet/tehuti/tehuti.c
+clean_kconfig drivers/net/ethernet/tehuti/Kconfig 'TEHUTI'
+clean_mk CONFIG_TEHUTI drivers/net/ethernet/tehuti/Makefile
+
+announce TIGON3 - "Broadcom Tigon3"
+drop_fw_file firmware/tigon/tg3.bin.ihex firmware/tigon/tg3.bin
+drop_fw_file firmware/tigon/tg3_tso.bin.ihex firmware/tigon/tg3_tso.bin
+drop_fw_file firmware/tigon/tg3_tso5.bin.ihex firmware/tigon/tg3_tso5.bin
+reject_firmware drivers/net/ethernet/broadcom/tg3.c
+clean_blob drivers/net/ethernet/broadcom/tg3.c
+clean_kconfig drivers/net/ethernet/broadcom/Kconfig 'TIGON3'
+clean_mk CONFIG_TIGON3 drivers/net/ethernet/broadcom/Makefile
+
+announce TYPHOON - "3cr990 series Typhoon"
+drop_fw_file firmware/3com/typhoon.bin.ihex firmware/3com/typhoon.bin
+reject_firmware drivers/net/ethernet/3com/typhoon.c
+clean_blob drivers/net/ethernet/3com/typhoon.c
+clean_kconfig drivers/net/ethernet/3com/Kconfig 'TYPHOON'
+clean_mk CONFIG_TYPHOON drivers/net/ethernet/3com/Makefile
+
+announce VXGE - "Exar X3100 Series 10GbE PCIe Server Adapter"
+reject_firmware drivers/net/ethernet/neterion/vxge/vxge-main.c
+clean_blob drivers/net/ethernet/neterion/vxge/vxge-main.c
+clean_kconfig drivers/net/ethernet/neterion/Kconfig 'VXGE'
+clean_mk CONFIG_VXGE drivers/net/ethernet/neterion/vxge/Makefile
+
+# appletalk
+
+announce COPS - "COPS LocalTalk PC"
+clean_sed '
+/sizeof(\(ff\|lt\)drv_code)/{
+ i\
+ printk(KERN_INFO "%s: Missing Free firmware.\\n", dev->name);\
+ return;
+}
+/\(ff\|lt\)drv_code/d;
+' drivers/net/appletalk/cops.c 'report missing Free firmware'
+clean_blob drivers/net/appletalk/cops.c
+clean_file drivers/net/appletalk/cops_ffdrv.h
+clean_file drivers/net/appletalk/cops_ltdrv.h
+clean_kconfig drivers/net/appletalk/Kconfig 'COPS'
+clean_mk CONFIG_COPS drivers/net/appletalk/Makefile
+
+# hamradio
+
+announce YAM - "YAM driver for AX.25"
+drop_fw_file firmware/yam/1200.bin.ihex firmware/yam/1200.bin
+drop_fw_file firmware/yam/9600.bin.ihex firmware/yam/9600.bin
+reject_firmware drivers/net/hamradio/yam.c
+clean_blob drivers/net/hamradio/yam.c
+clean_kconfig drivers/net/hamradio/Kconfig 'YAM'
+clean_mk CONFIG_YAM drivers/net/hamradio/Makefile
+
+# irda
+
+announce USB_IRDA - "IrDA USB dongles"
+reject_firmware drivers/net/irda/irda-usb.c
+clean_blob drivers/net/irda/irda-usb.c
+clean_kconfig drivers/net/irda/Kconfig 'USB_IRDA'
+clean_mk CONFIG_USB_IRDA drivers/net/irda/Makefile
+
+# smsc
+
+announce PCMCIA_SMC91C92 - "SMC 91Cxx PCMCIA"
+drop_fw_file firmware/ositech/Xilinx7OD.bin.ihex firmware/ositech/Xilinx7OD.bin
+reject_firmware drivers/net/ethernet/smsc/smc91c92_cs.c
+clean_blob drivers/net/ethernet/smsc/smc91c92_cs.c
+clean_kconfig drivers/net/ethernet/smsc/Kconfig 'PCMCIA_SMC91C92'
+clean_mk CONFIG_PCMCIA_SMC91C92 drivers/net/ethernet/smsc/Makefile
+
+# near-field communication
+
+announce NFC_WILINK - "Texas Instruments NFC WiLink driver"
+reject_firmware drivers/nfc/nfcwilink.c
+clean_blob drivers/nfc/nfcwilink.c
+clean_kconfig drivers/nfc/Kconfig 'NFC_WILINK'
+clean_mk CONFIG_NFC_WILINK drivers/nfc/Makefile
+
+# pcmcia
+
+# CIS files are not software.
+# announce PCCARD - "PCCard (PCMCIA/CardBus) support"
+# reject_firmware drivers/pcmcia/ds.c
+# clean_kconfig drivers/pcmcia/Kconfig 'PCCARD'
+# clean_mk CONFIG_PCCARD drivers/pcmcia/Makefile
+
+announce PCMCIA_3C574 - "3Com 3c574 PCMCIA support"
+# This is not software; it's Free, but GPLed without in-tree sources.
+drop_fw_file firmware/cis/3CCFEM556.cis.ihex firmware/cis/3CCFEM556.cis
+# clean_blob drivers/net/pcmcia/3c574_cs.c
+# clean_kconfig drivers/net/pcmcia/Kconfig 'PCMCIA_3C574'
+# clean_mk CONFIG_PCMCIA_3C574 drivers/net/pcmcia/Makefile
+
+announce PCMCIA_3C589 - "3Com 3c589 PCMCIA support"
+# This is not software; it's Free, but GPLed without in-tree sources.
+drop_fw_file firmware/cis/3CXEM556.cis.ihex firmware/cis/3CXEM556.cis
+# clean_blob drivers/net/pcmcia/3c589_cs.c
+# clean_kconfig drivers/net/pcmcia/Kconfig 'PCMCIA_3C589'
+# clean_mk CONFIG_PCMCIA_3C589 drivers/net/pcmcia/Makefile
+
+announce PCMCIA_PCNET - "NE2000 compatible PCMCIA support"
+# These are not software; they're Free, but GPLed without in-tree sources.
+drop_fw_file firmware/cis/LA-PCM.cis.ihex firmware/cis/LA-PCM.cis
+drop_fw_file firmware/cis/PCMLM28.cis.ihex firmware/cis/PCMLM28.cis
+drop_fw_file firmware/cis/DP83903.cis.ihex firmware/cis/DP83903.cis
+drop_fw_file firmware/cis/NE2K.cis.ihex firmware/cis/NE2K.cis
+drop_fw_file firmware/cis/tamarack.cis.ihex firmware/cis/tamarack.cis
+drop_fw_file firmware/cis/PE-200.cis.ihex firmware/cis/PE-200.cis
+drop_fw_file firmware/cis/PE520.cis.ihex firmware/cis/PE520.cis
+# clean_blob drivers/net/pcmcia/pcnet_cs.c
+# clean_kconfig drivers/net/pcmcia/Kconfig 'PCMCIA_PCNET'
+# clean_mk CONFIG_PCMCIA_PCNET drivers/net/pcmcia/Makefile
+
+# usb
+
+announce USB_KAWETH - "USB KLSI KL5USB101-based ethernet device support"
+drop_fw_file firmware/kaweth/new_code.bin.ihex firmware/kaweth/new_code.bin
+drop_fw_file firmware/kaweth/new_code_fix.bin.ihex firmware/kaweth/new_code_fix.bin
+drop_fw_file firmware/kaweth/trigger_code.bin.ihex firmware/kaweth/trigger_code.bin
+drop_fw_file firmware/kaweth/trigger_code_fix.bin.ihex firmware/kaweth/trigger_code_fix.bin
+reject_firmware drivers/net/usb/kaweth.c
+clean_blob drivers/net/usb/kaweth.c
+clean_kconfig drivers/net/usb/Kconfig 'USB_KAWETH'
+clean_mk CONFIG_USB_KAWETH drivers/net/usb/Makefile
+
+# wireless
+
+announce ATMEL "Atmel at76c50x chipset 802.11b support"
+reject_firmware drivers/net/wireless/atmel.c
+clean_blob drivers/net/wireless/atmel.c
+clean_kconfig drivers/net/wireless/Kconfig 'ATMEL'
+clean_mk CONFIG_ATMEL drivers/net/wireless/Makefile
+
+announce AT76C50X_USB - "Atmel at76c503/at76c505/at76c505a USB cards"
+reject_firmware drivers/net/wireless/at76c50x-usb.c
+clean_blob drivers/net/wireless/at76c50x-usb.c
+clean_kconfig drivers/net/wireless/Kconfig 'AT76C50X_USB'
+clean_mk CONFIG_AT76C50X_USB drivers/net/wireless/Makefile
+
+announce B43 - "Broadcom 43xx wireless support (mac80211 stack)"
+maybe_reject_firmware drivers/net/wireless/b43/main.c
+clean_sed '
+/^static int b43_upload_microcode(/,/^}$/{
+ / if (dev->fw\.opensource) {$/i\
+ if (!dev->fw.opensource) {\
+ b43err(dev->wl, "Rejected non-Free firmware\\n");\
+ err = -EOPNOTSUPP;\
+ goto error;\
+ }
+}' drivers/net/wireless/b43/main.c 'double-check and reject non-Free firmware'
+# Major portions of firmware filenames not deblobbed.
+clean_blob drivers/net/wireless/b43/main.c
+clean_kconfig drivers/net/wireless/b43/Kconfig 'B43'
+clean_mk CONFIG_B43 drivers/net/wireless/b43/Makefile
+
+announce B43LEGACY - "Broadcom 43xx-legacy wireless support (mac80211 stack)"
+reject_firmware drivers/net/wireless/b43legacy/main.c
+# Major portions of firwmare filenames not deblobbed.
+clean_blob drivers/net/wireless/b43legacy/main.c
+clean_kconfig drivers/net/wireless/b43legacy/Kconfig 'B43LEGACY'
+clean_mk CONFIG_B43LEGACY drivers/net/wireless/b43legacy/Makefile
+
+announce BRCMSMAC - "Broadcom IEEE802.11n PCIe SoftMAC WLAN driver"
+reject_firmware drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
+clean_blob drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
+clean_kconfig drivers/net/wireless/brcm80211/Kconfig 'BRCMSMAC'
+clean_mk CONFIG_BRCMSMAC drivers/net/wireless/brcm80211/Makefile
+
+announce BRCMFMAC_SDIO - "Broadcom IEEE802.11n SDIO FullMAC WLAN driver"
+reject_firmware drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+clean_blob drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+clean_kconfig drivers/net/wireless/brcm80211/Kconfig 'BRCMFMAC_SDIO'
+clean_mk CONFIG_BRCMFMAC_SDIO drivers/net/wireless/brcm80211/brcmfmac/Makefile
+
+announce BRCMFMAC_USB - "Broadcom IEEE802.11n USB FullMAC WLAN driver"
+reject_firmware drivers/net/wireless/brcm80211/brcmfmac/usb.c
+clean_blob drivers/net/wireless/brcm80211/brcmfmac/usb.c
+clean_kconfig drivers/net/wireless/brcm80211/Kconfig 'BRCMFMAC_USB'
+clean_mk CONFIG_BRCMFMAC_USB drivers/net/wireless/brcm80211/brcmfmac/Makefile
+
+announce HERMES - "Hermes chipset 802.11b support (Orinoco/Prism2/Symbol)"
+reject_firmware drivers/net/wireless/orinoco/fw.c
+clean_blob drivers/net/wireless/orinoco/fw.c
+clean_kconfig drivers/net/wireless/orinoco/Kconfig 'HERMES'
+clean_mk CONFIG_HERMES drivers/net/wireless/orinoco/Makefile
+
+announce ORINOCO_USB - "Agere Orinoco USB support"
+reject_firmware drivers/net/wireless/orinoco/orinoco_usb.c
+clean_blob drivers/net/wireless/orinoco/orinoco_usb.c
+clean_kconfig drivers/net/wireless/orinoco/Kconfig 'ORINOCO_USB'
+clean_mk CONFIG_ORINOCO_USB drivers/net/wireless/orinoco/Makefile
+
+announce WLAGS49_H2 - "Agere Systems HERMES II Wireless PC Card Model 0110"
+# Some pieces of the firmware images are most definitely data, but
+# others seem to be code.
+clean_blob drivers/staging/wlags49_h2/ap_h2.c
+clean_blob drivers/staging/wlags49_h2/sta_h2.c
+echo 'extern int deblobbed; /*(DEBLOBBED)*/' > drivers/staging/wlags49_h2/ap_h2.c
+echo 'extern int deblobbed; /*(DEBLOBBED)*/' > drivers/staging/wlags49_h2/sta_h2.c
+clean_blob drivers/staging/wlags49_h2/wl_profile.c
+clean_sed '
+ s,\(.*hcf_status = \)dhf_download_fw(.*&fw_image );,//& /*(DEBLOBBED)*/\n\1HCF_ERR_INCOMP_FW;,
+' drivers/staging/wlags49_h2/wl_main.c 'reject built-in non-Free firmware'
+clean_kconfig drivers/staging/wlags49_h2/Kconfig 'WLAGS49_H2'
+clean_mk CONFIG_WLAGS49_H2 drivers/staging/Makefile
+
+announce WLAGS49_H25 - "Linksys Systems HERMES II.5 Wireless-G_CompactFlash_Card"
+# Some pieces of the firmware images are most definitely data, but
+# others seem to be code.
+clean_blob drivers/staging/wlags49_h2/ap_h25.c
+clean_blob drivers/staging/wlags49_h2/sta_h25.c
+echo 'extern int deblobbed; /*(DEBLOBBED)*/' > drivers/staging/wlags49_h2/ap_h25.c
+echo 'extern int deblobbed; /*(DEBLOBBED)*/' > drivers/staging/wlags49_h2/sta_h25.c
+clean_kconfig drivers/staging/wlags49_h25/Kconfig 'WLAGS49_H25'
+clean_mk CONFIG_WLAGS49_H25 drivers/staging/Makefile
+
+announce IPW2100 - "Intel PRO/Wireless 2100 Network Connection"
+reject_firmware drivers/net/wireless/ipw2x00/ipw2100.c
+clean_blob drivers/net/wireless/ipw2x00/ipw2100.c
+clean_kconfig drivers/net/wireless/Kconfig 'IPW2100'
+clean_mk CONFIG_IPW2100 drivers/net/wireless/ipw2x00/Makefile
+
+announce IPW2200 - "Intel PRO/Wireless 2200BG and 2915ABG Network Connection"
+reject_firmware drivers/net/wireless/ipw2x00/ipw2200.c
+clean_blob drivers/net/wireless/ipw2x00/ipw2200.c
+clean_kconfig drivers/net/wireless/Kconfig 'IPW2200'
+clean_mk CONFIG_IPW2200 drivers/net/wireless/ipw2x00/Makefile
+
+announce IWL3945 - "Intel PRO/Wireless 3945ABG/BG Network Connection"
+reject_firmware drivers/net/wireless/iwlegacy/3945-mac.c
+clean_blob drivers/net/wireless/iwlegacy/3945-mac.c
+clean_blob drivers/net/wireless/iwlegacy/3945.h
+clean_kconfig drivers/net/wireless/iwlegacy/Kconfig 'IWL3945'
+clean_mk CONFIG_IWL3945 drivers/net/wireless/iwlegacy/Makefile
+
+announce IWL4965 - "Intel Wireless WiFi 4965AGN"
+reject_firmware drivers/net/wireless/iwlegacy/4965-mac.c
+clean_blob drivers/net/wireless/iwlegacy/4965-mac.c
+clean_blob drivers/net/wireless/iwlegacy/4965.c
+clean_kconfig drivers/net/wireless/iwlegacy/Kconfig 'IWL4965'
+clean_mk CONFIG_IWL4965 drivers/net/wireless/iwlegacy/Makefile
+
+announce IWLWIFI - "Intel Wireless WiFi Next Gen AGN"
+reject_firmware drivers/net/wireless/iwlwifi/iwl-drv.c
+clean_blob drivers/net/wireless/iwlwifi/iwl-drv.c
+clean_blob drivers/net/wireless/iwlwifi/iwl-5000.c
+clean_blob drivers/net/wireless/iwlwifi/iwl-6000.c
+clean_blob drivers/net/wireless/iwlwifi/iwl-7000.c
+clean_blob drivers/net/wireless/iwlwifi/iwl-1000.c
+clean_blob drivers/net/wireless/iwlwifi/iwl-2000.c
+clean_kconfig drivers/net/wireless/iwlwifi/Kconfig 'IWLWIFI'
+clean_mk CONFIG_IWLWIFI drivers/net/wireless/iwlwifi/Makefile
+
+announce IWLMVM - "Intel Wireless WiFi MVM Firmware support"
+reject_firmware drivers/net/wireless/iwlwifi/mvm/nvm.c
+clean_kconfig drivers/net/wireless/iwlwifi/mvm/Kconfig 'IWLMVM'
+clean_mk CONFIG_IWLMVM drivers/net/wireless/iwlwifi/mvm/Makefile
+
+announce LIBERTAS - "Marvell 8xxx Libertas WLAN driver support"
+reject_firmware drivers/net/wireless/libertas/firmware.c
+clean_kconfig drivers/net/wireless/Kconfig 'LIBERTAS'
+clean_mk CONFIG_LIBERTAS drivers/net/wireless/libertas/Makefile
+
+announce LIBERTAS_CS - "Marvell Libertas 8385 CompactFlash 802.11b/g cards"
+clean_blob drivers/net/wireless/libertas/if_cs.c
+clean_kconfig drivers/net/wireless/Kconfig 'LIBERTAS_CS'
+clean_mk CONFIG_LIBERTAS_CS drivers/net/wireless/libertas/Makefile
+
+announce LIBERTAS_SDIO - "Marvell Libertas 8385 and 8686 SDIO 802.11b/g cards"
+clean_blob drivers/net/wireless/libertas/if_sdio.c
+clean_kconfig drivers/net/wireless/Kconfig 'LIBERTAS_SDIO'
+clean_mk CONFIG_LIBERTAS_SDIO drivers/net/wireless/libertas/Makefile
+
+announce LIBERTAS_SPI - "Marvell Libertas 8686 SPI 802.11b/g cards"
+clean_blob drivers/net/wireless/libertas/if_spi.c
+clean_kconfig drivers/net/wireless/Kconfig 'LIBERTAS_SPI'
+clean_mk CONFIG_LIBERTAS_SPI drivers/net/wireless/libertas/Makefile
+
+announce LIBERTAS_USB - "Marvell Libertas 8388 USB 802.11b/g cards"
+clean_blob drivers/net/wireless/libertas/if_usb.c
+clean_blob drivers/net/wireless/libertas/README
+clean_kconfig drivers/net/wireless/Kconfig 'LIBERTAS_USB'
+clean_mk CONFIG_LIBERTAS_USB drivers/net/wireless/libertas/Makefile
+
+announce LIBERTAS_THINFIRM_USB - "Marvell Libertas 8388 USB 802.11b/g cards with thin firmware"
+reject_firmware drivers/net/wireless/libertas_tf/if_usb.c
+clean_blob drivers/net/wireless/libertas_tf/if_usb.c
+clean_kconfig drivers/net/wireless/Kconfig 'LIBERTAS_THINFIRM_USB'
+clean_mk CONFIG_LIBERTAS_THINFIRM_USB drivers/net/wireless/libertas_tf/Makefile
+
+announce MWIFIEX - "Marvell WiFi-Ex Driver"
+clean_blob drivers/net/wireless/mwifiex/README
+reject_firmware drivers/net/wireless/mwifiex/main.c
+clean_kconfig drivers/net/wireless/mwifiex/Kconfig 'MWIFIEX'
+clean_mk CONFIG_MWIFIEX drivers/net/wireless/mwifiex/Makefile
+
+announce MWIFIEX_SDIO - "Marvell WiFi-Ex Driver for SD8787"
+clean_blob drivers/net/wireless/mwifiex/sdio.h
+clean_blob drivers/net/wireless/mwifiex/sdio.c
+clean_kconfig drivers/net/wireless/mwifiex/Kconfig 'MWIFIEX_SDIO'
+clean_mk CONFIG_MWIFIEX_SDIO drivers/net/wireless/mwifiex/Makefile
+
+announce MWIFIEX_PCIE - "Marvell WiFi-Ex Driver for PCI 8766"
+clean_blob drivers/net/wireless/mwifiex/pcie.h
+clean_blob drivers/net/wireless/mwifiex/pcie.c
+clean_kconfig drivers/net/wireless/mwifiex/Kconfig 'MWIFIEX_PCIE'
+clean_mk CONFIG_MWIFIEX_PCIE drivers/net/wireless/mwifiex/Makefile
+
+announce MWIFIEX_USB - "Marvell WiFi-Ex Driver for USB8797"
+clean_blob drivers/net/wireless/mwifiex/usb.h
+clean_blob drivers/net/wireless/mwifiex/usb.c
+clean_kconfig drivers/net/wireless/mwifiex/Kconfig 'MWIFIEX_USB'
+clean_mk CONFIG_MWIFIEX_USB drivers/net/wireless/mwifiex/Makefile
+
+announce MWL8K - "Marvell 88W8xxx PCI/PCIe Wireless support"
+reject_firmware drivers/net/wireless/mwl8k.c
+clean_blob drivers/net/wireless/mwl8k.c
+clean_kconfig drivers/net/wireless/Kconfig 'MWL8K'
+clean_mk CONFIG_MWL8K drivers/net/wireless/Makefile
+
+announce AR5523 - "Atheros AR5523 wireless driver support"
+reject_firmware drivers/net/wireless/ath/ar5523/ar5523.c
+clean_blob drivers/net/wireless/ath/ar5523/ar5523.c
+clean_blob drivers/net/wireless/ath/ar5523/ar5523.h
+clean_kconfig drivers/net/wireless/ath/ar5523/Kconfig 'AR5523'
+clean_mk CONFIG_AR5523 drivers/net/wireless/ath/ar5523/Makefile
+
+announce ATH6KL - "Atheros ath6kl support"
+reject_firmware drivers/net/wireless/ath/ath6kl/init.c
+clean_blob drivers/net/wireless/ath/ath6kl/init.c
+clean_blob drivers/net/wireless/ath/ath6kl/core.h
+clean_kconfig drivers/net/wireless/ath/ath6kl/Kconfig 'ATH6KL'
+clean_mk CONFIG_ATH6KL drivers/net/wireless/ath/ath6kl/Makefile
+
+announce ATH6KL_SDIO - "Atheros ath6kl SDIO support"
+clean_blob drivers/net/wireless/ath/ath6kl/sdio.c
+clean_kconfig drivers/net/wireless/ath/ath6kl/Kconfig 'ATH6KL_SDIO'
+clean_mk CONFIG_ATH6KL_SDIO drivers/net/wireless/ath/ath6kl/Makefile
+
+announce ATH6KL_USB - "Atheros ath6kl USB support"
+clean_blob drivers/net/wireless/ath/ath6kl/usb.c
+clean_kconfig drivers/net/wireless/ath/ath6kl/Kconfig 'ATH6KL_USB'
+clean_mk CONFIG_ATH6KL_USB drivers/net/wireless/ath/ath6kl/Makefile
+
+announce ATH10K - "Atheros 802.11ac wireless cards support"
+reject_firmware drivers/net/wireless/ath/ath10k/core.c
+clean_blob drivers/net/wireless/ath/ath10k/hw.h
+clean_kconfig drivers/net/wireless/ath/ath10k/Kconfig 'ATH10K'
+clean_mk CONFIG_ATH10K drivers/net/wireless/ath/ath10k/Makefile
+
+announce ATH10K_PCI - "Atheros ath10k PCI support"
+clean_blob drivers/net/wireless/ath/ath10k/pci.c
+clean_kconfig drivers/net/wireless/ath/ath10k/Kconfig 'ATH10K_PCI'
+clean_mk CONFIG_ATH10K_PCI drivers/net/wireless/ath/ath10k/Makefile
+
+announce CW1200 - "CW1200 WLAN support"
+reject_firmware drivers/net/wireless/cw1200/fwio.c
+clean_blob drivers/net/wireless/cw1200/fwio.h
+reject_firmware drivers/net/wireless/cw1200/sta.c
+clean_kconfig drivers/net/wireless/cw1200/Kconfig 'CW1200'
+clean_mk CONFIG_CW1200 drivers/net/wireless/cw1200/Makefile
+
+announce CW1200_WLAN_SDIO - "Support SDIO platforms"
+clean_blob drivers/net/wireless/cw1200/cw1200_sdio.c
+clean_kconfig drivers/net/wireless/cw1200/Kconfig 'CW1200_WLAN_SDIO'
+clean_mk CONFIG_CW1200_WLAN_SDIO drivers/net/wireless/cw1200/Makefile
+
+announce PRISM2_USB - "Prism2.5/3 USB driver"
+reject_firmware drivers/staging/wlan-ng/prism2fw.c
+clean_blob drivers/staging/wlan-ng/prism2fw.c
+clean_kconfig drivers/staging/wlan-ng/Kconfig PRISM2_USB
+clean_mk CONFIG_PRISM2_USB drivers/staging/wlan-ng/Makefile
+
+announce P54_PCI - "Prism54 PCI support"
+reject_firmware drivers/net/wireless/p54/p54pci.c
+clean_blob drivers/net/wireless/p54/p54pci.c
+clean_kconfig drivers/net/wireless/p54/Kconfig 'P54_PCI'
+clean_mk CONFIG_P54_PCI drivers/net/wireless/p54/Makefile
+
+announce P54_SPI - "Prism54 SPI (stlc45xx) support"
+# There's support for loading custom 3826.eeprom here, with a default
+# eeprom that is clearly pure data. Without Free 3826.arm, there's
+# little point in trying to retain the ability to load 3826.eeprom, so
+# we drop it altogether.
+reject_firmware drivers/net/wireless/p54/p54spi.c
+clean_blob drivers/net/wireless/p54/p54spi.c
+clean_kconfig drivers/net/wireless/p54/Kconfig 'P54_SPI'
+clean_mk CONFIG_P54_SPI drivers/net/wireless/p54/Makefile
+
+announce P54_USB - "Prism54 USB support"
+reject_firmware drivers/net/wireless/p54/p54usb.c
+clean_blob drivers/net/wireless/p54/p54usb.c
+clean_blob drivers/net/wireless/p54/p54usb.h
+clean_kconfig drivers/net/wireless/p54/Kconfig 'P54_USB'
+clean_mk CONFIG_P54_USB drivers/net/wireless/p54/Makefile
+
+announce PRISM54 - "Intersil Prism GT/Duette/Indigo PCI/Cardbus"
+reject_firmware drivers/net/wireless/prism54/islpci_dev.c
+clean_blob drivers/net/wireless/prism54/islpci_dev.c
+clean_kconfig drivers/net/wireless/Kconfig 'PRISM54'
+clean_mk CONFIG_PRISM54 drivers/net/wireless/prism54/Makefile
+
+announce RT2X00_LIB_FIRMWARE - "Ralink driver firmware support"
+reject_firmware drivers/net/wireless/rt2x00/rt2x00firmware.c
+clean_kconfig drivers/net/wireless/rt2x00/Kconfig 'RT2X00_LIB_FIRMWARE'
+clean_mk CONFIG_RT2X00_LIB_FIRMWARE drivers/net/wireless/rt2x00/Makefile
+
+announce RT61PCI - "Ralink rt2501/rt61 (PCI/PCMCIA) support"
+clean_blob drivers/net/wireless/rt2x00/rt61pci.h
+clean_blob drivers/net/wireless/rt2x00/rt61pci.c
+clean_kconfig drivers/net/wireless/rt2x00/Kconfig 'RT61PCI'
+clean_mk CONFIG_RT61PCI drivers/net/wireless/rt2x00/Makefile
+
+announce RT73USB - "Ralink rt2501/rt73 (USB) support"
+clean_blob drivers/net/wireless/rt2x00/rt73usb.h
+clean_blob drivers/net/wireless/rt2x00/rt73usb.c
+clean_kconfig drivers/net/wireless/rt2x00/Kconfig 'RT73USB'
+clean_mk CONFIG_RT73USB drivers/net/wireless/rt2x00/Makefile
+
+announce RT2800PCI - "Ralink rt2800 (PCI/PCMCIA) support"
+clean_blob drivers/net/wireless/rt2x00/rt2800pci.h
+clean_blob drivers/net/wireless/rt2x00/rt2800pci.c
+clean_kconfig drivers/net/wireless/rt2x00/Kconfig RT2800PCI
+clean_mk CONFIG_RT2800PCI drivers/net/wireless/rt2x00/Makefile
+
+announce RT2800USB - "Ralink rt2800 (USB) support"
+clean_blob drivers/net/wireless/rt2x00/rt2800usb.h
+clean_blob drivers/net/wireless/rt2x00/rt2800usb.c
+clean_kconfig drivers/net/wireless/rt2x00/Kconfig RT2800USB
+clean_mk CONFIG_RT2800USB drivers/net/wireless/rt2x00/Makefile
+
+announce RTL8188EE - "Realtek RTL8188EE Wireless Network Adapter"
+reject_firmware drivers/net/wireless/rtlwifi/rtl8188ee/sw.c
+clean_blob drivers/net/wireless/rtlwifi/rtl8188ee/sw.c
+clean_kconfig drivers/net/wireless/rtlwifi/Kconfig RTL8188EE
+clean_mk CONFIG_RTL8188EE drivers/net/wireless/rtlwifi/rtl8188ee/Makefile
+
+announce RTL8192CE - "Realtek RTL8192CE/RTL8188CE Wireless Network Adapter"
+reject_firmware drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
+clean_blob drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
+clean_kconfig drivers/net/wireless/rtlwifi/Kconfig RTL8192CE
+clean_mk CONFIG_RTL8192CE drivers/net/wireless/rtlwifi/rtl8192ce/Makefile
+
+announce RTL8192CU - "Realtek RTL8192CU/RTL8188CU USB Wireless Network Adapter"
+reject_firmware drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+clean_blob drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+clean_kconfig drivers/net/wireless/rtlwifi/Kconfig RTL8192CU
+clean_mk CONFIG_RTL8192CU drivers/net/wireless/rtlwifi/rtl8192cu/Makefile
+
+announce RTL8192DE - "Realtek RTL8192DE/RTL8188DE PCIe Wireless Network Adapter"
+reject_firmware drivers/net/wireless/rtlwifi/rtl8192de/sw.c
+clean_blob drivers/net/wireless/rtlwifi/rtl8192de/sw.c
+clean_kconfig drivers/net/wireless/rtlwifi/Kconfig RTL8192DE
+clean_mk CONFIG_RTL8192DE drivers/net/wireless/rtlwifi/rtl8192de/Makefile
+
+announce RTL8192SE - "Realtek RTL8192SE/RTL8191SE PCIe Wireless Network Adapter"
+reject_firmware drivers/net/wireless/rtlwifi/rtl8192se/sw.c
+clean_blob drivers/net/wireless/rtlwifi/rtl8192se/sw.c
+clean_kconfig drivers/net/wireless/rtlwifi/Kconfig RTL8192SE
+clean_mk CONFIG_RTL8192SE drivers/net/wireless/rtlwifi/rtl8192se/Makefile
+
+announce RTL8192E - "RealTek RTL8192E Wireless LAN NIC driver"
+reject_firmware drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c
+clean_blob drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.h
+clean_blob drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c
+clean_blob drivers/staging/rtl8192e/rtl8192e/r8192E_hwimg.c
+clean_blob drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+clean_kconfig drivers/staging/rtl8192e/Kconfig RTL8192E
+clean_mk CONFIG_RTL8192E drivers/staging/rtl8192e/Makefile
+
+announce RTL8192U - "RealTek RTL8192U Wireless LAN NIC driver"
+reject_firmware drivers/staging/rtl8192u/r819xU_firmware.c
+clean_blob drivers/staging/rtl8192u/r819xU_firmware.c
+clean_kconfig drivers/staging/rtl8192u/Kconfig 'RTL8192U'
+clean_mk CONFIG_RTL8192U drivers/staging/rtl8192u/Makefile
+
+announce R8712U - "RealTek RTL8712U (RTL8192SU) Wireless LAN NIC driver"
+reject_firmware drivers/staging/rtl8712/hal_init.c
+clean_blob drivers/staging/rtl8712/hal_init.c
+clean_kconfig drivers/staging/rtl8712/Kconfig 'R8712U'
+clean_mk CONFIG_R8712U drivers/staging/rtl8712/Makefile
+
+announce RTL8723AE - "Realtek RTL8723AE PCIe Wireless Network Adapter"
+reject_firmware drivers/net/wireless/rtlwifi/rtl8723ae/sw.c
+clean_blob drivers/net/wireless/rtlwifi/rtl8723ae/sw.c
+clean_kconfig drivers/net/wireless/rtlwifi/Kconfig 'RTL8723AE'
+clean_mk CONFIG_RTL8723AE drivers/net/wireless/rtlwifi/rtl8723ae/Makefile
+
+announce VT6656 - "VIA Technologies VT6656 support"
+reject_firmware drivers/staging/vt6656/firmware.c
+clean_blob drivers/staging/vt6656/firmware.c
+clean_kconfig drivers/staging/vt6656/Kconfig 'VT6656'
+clean_mk CONFIG_VT6656 drivers/staging/vt6656/Makefile
+
+announce WL1251 - "TI wl1251 support"
+reject_firmware drivers/net/wireless/ti/wl1251/main.c
+clean_blob drivers/net/wireless/ti/wl1251/main.c
+clean_blob drivers/net/wireless/ti/wl1251/wl1251.h
+clean_kconfig drivers/net/wireless/ti/wl1251/Kconfig 'WL1251'
+clean_mk CONFIG_WL1251 drivers/net/wireless/ti/wl1251/Makefile
+
+announce WL12XX - "TI wl12xx support"
+clean_blob drivers/net/wireless/ti/wl12xx/main.c
+clean_kconfig drivers/net/wireless/ti/wl12xx/Kconfig 'WL12XX'
+clean_mk CONFIG_WL12XX drivers/net/wireless/ti/wl12xx/Makefile
+
+announce WL18XX - "TI wl18xx support"
+reject_firmware drivers/net/wireless/ti/wl18xx/main.c
+clean_blob drivers/net/wireless/ti/wl18xx/main.c
+clean_kconfig drivers/net/wireless/ti/wl18xx/Kconfig 'WL18XX'
+clean_mk CONFIG_WL18XX drivers/net/wireless/ti/wl18xx/Makefile
+
+announce WLCORE - "TI wlcore support"
+reject_firmware drivers/net/wireless/ti/wlcore/main.c
+clean_blob drivers/net/wireless/ti/wlcore/main.c
+clean_blob drivers/net/wireless/ti/wlcore/wlcore_i.h
+clean_kconfig drivers/net/wireless/ti/wlcore/Kconfig 'WLCORE'
+clean_mk CONFIG_WLCORE drivers/net/wireless/ti/wlcore/Makefile
+
+announce USB_ZD1201 - "USB ZD1201 based Wireless device support"
+reject_firmware drivers/net/wireless/zd1201.c
+clean_blob drivers/net/wireless/zd1201.c
+clean_kconfig drivers/net/wireless/Kconfig 'USB_ZD1201'
+clean_mk CONFIG_USB_ZD1201 drivers/net/wireless/Makefile
+
+announce ZD1211RW - "ZyDAS ZD1211/ZD1211B USB-wireless support"
+reject_firmware drivers/net/wireless/zd1211rw/zd_usb.c
+clean_blob drivers/net/wireless/zd1211rw/zd_usb.c
+clean_kconfig drivers/net/wireless/zd1211rw/Kconfig 'ZD1211RW'
+clean_mk CONFIG_ZD1211RW drivers/net/wireless/zd1211rw/Makefile
+
+# bluetooth
+
+announce BT_ATH3K - "Atheros firmware download driver"
+reject_firmware drivers/bluetooth/ath3k.c
+clean_blob drivers/bluetooth/ath3k.c
+clean_kconfig drivers/bluetooth/Kconfig 'BT_ATH3K'
+clean_mk CONFIG_BT_ATH3K drivers/bluetooth/Makefile
+
+announce BT_HCIBCM203X - "HCI BCM203x USB driver"
+reject_firmware drivers/bluetooth/bcm203x.c
+clean_blob drivers/bluetooth/bcm203x.c
+clean_kconfig drivers/bluetooth/Kconfig 'BT_HCIBCM203X'
+clean_mk CONFIG_BT_HCIBCM203X drivers/bluetooth/Makefile
+
+announce BT_HCIBFUSB - "HCI BlueFRITZ! USB driver"
+reject_firmware drivers/bluetooth/bfusb.c
+clean_blob drivers/bluetooth/bfusb.c
+clean_kconfig drivers/bluetooth/Kconfig 'BT_HCIBFUSB'
+clean_mk CONFIG_BT_HCIBFUSB drivers/bluetooth/Makefile
+
+announce BT_HCIBT3C - "HCI BT3C (PC Card) driver"
+reject_firmware drivers/bluetooth/bt3c_cs.c
+clean_blob drivers/bluetooth/bt3c_cs.c
+clean_kconfig drivers/bluetooth/Kconfig 'BT_HCIBT3C'
+clean_mk CONFIG_BT_HCIBT3C drivers/bluetooth/Makefile
+
+announce BT_HCIBTUSB - "HCI USB driver"
+reject_firmware drivers/bluetooth/btusb.c
+clean_blob drivers/bluetooth/btusb.c
+clean_kconfig drivers/bluetooth/Kconfig 'BT_HCIBTUSB'
+clean_mk CONFIG_BT_HCIBTUSB drivers/bluetooth/Makefile
+
+announce BT_MRVL_SDIO - "Marvell BT-over-SDIO driver"
+reject_firmware drivers/bluetooth/btmrvl_sdio.c
+clean_blob drivers/bluetooth/btmrvl_sdio.c
+clean_blob Documentation/btmrvl.txt
+clean_kconfig drivers/bluetooth/Kconfig 'BT_MRVL_SDIO'
+clean_mk CONFIG_BT_MRVL_SDIO drivers/bluetooth/Makefile
+
+announce TI_ST - "Texas Instruments shared transport line discipline"
+reject_firmware drivers/misc/ti-st/st_kim.c
+clean_blob drivers/misc/ti-st/st_kim.c
+clean_kconfig drivers/misc/ti-st/Kconfig 'TI_ST'
+clean_mk CONFIG_TI_ST drivers/misc/ti-st/Makefile
+
+announce USB_BTMTK - "Mediatek Bluetooth support"
+reject_firmware drivers/staging/btmtk_usb/btmtk_usb.c
+clean_blob drivers/staging/btmtk_usb/btmtk_usb.c
+clean_kconfig drivers/staging/btmtk_usb/Kconfig 'USB_BTMTK'
+clean_mk CONFIG_USB_BTMTK drivers/staging/btmtk_usb/Makefile
+
+# wimax
+
+announce WIMAX_I2400M - "Intel Wireless WiMAX Connection 2400"
+reject_firmware drivers/net/wimax/i2400m/fw.c
+clean_blob drivers/net/wimax/i2400m/usb.c
+clean_blob Documentation/wimax/README.i2400m
+clean_kconfig drivers/net/wimax/i2400m/Kconfig 'WIMAX_I2400M'
+clean_mk CONFIG_WIMAX_I2400M drivers/net/wimax/i2400m/Makefile
+
+announce BCM_WIMAX - "Beceem BCS200/BCS220-3 and BCSM250 wimax support"
+clean_blob drivers/staging/bcm/Macros.h
+# This disables loading of the .cfg file as well, but it's useless without
+# the firmware proper.
+clean_sed '
+/^static \(inline \)\?struct file \*open_firmware_file/,/^}$/ {
+ s,\(flp *= *\)filp_open[^;]*,\1/*(DEBLOBBED)*/(void*)-ENOENT,
+}' drivers/staging/bcm/Misc.c 'disabled non-Free firmware loading machinery'
+clean_kconfig drivers/staging/bcm/Kconfig 'BCM_WIMAX'
+clean_mk CONFIG_BCM_WIMAX drivers/staging/bcm/Makefile
+
+announce WIMAX_GDM72XX_SDIO - "GCT GDM72xx WiMAX support: SDIO interface"
+reject_firmware drivers/staging/gdm72xx/sdio_boot.c
+clean_blob drivers/staging/gdm72xx/sdio_boot.c
+clean_kconfig drivers/staging/gdm72xx/Kconfig 'WIMAX_GDM72XX_SDIO'
+clean_mk CONFIG_WIMAX_GDM72XX_SDIO drivers/staging/gdm72xx/Makefile
+
+announce WIMAX_GDM72XX_USB - "GCT GDM72xx WiMAX support: USB interface"
+reject_firmware drivers/staging/gdm72xx/usb_boot.c
+clean_blob drivers/staging/gdm72xx/usb_boot.c
+clean_kconfig drivers/staging/gdm72xx/Kconfig 'WIMAX_GDM72XX_USB'
+clean_mk CONFIG_WIMAX_GDM72XX_USB drivers/staging/gdm72xx/Makefile
+
+# infiniband
+
+announce INFINIBAND_QIB - "QLogic PCIe HCA support"
+drop_fw_file firmware/qlogic/sd7220.fw.ihex firmware/qlogic/sd7220.fw
+reject_firmware drivers/infiniband/hw/qib/qib_sd7220.c
+clean_blob drivers/infiniband/hw/qib/qib_sd7220.c
+clean_kconfig drivers/infiniband/hw/qib/Kconfig 'INFINIBAND_QIB'
+clean_mk CONFIG_INFINIBAND_QIB drivers/infiniband/hw/qib/Makefile
+
+# CAN
+
+announce CAN_SOFTING - "Softing Gmbh CAN generic support"
+reject_firmware drivers/net/can/softing/softing_fw.c
+clean_kconfig drivers/net/can/softing/Kconfig 'CAN_SOFTING'
+clean_mk CONFIG_CAN_SOFTING drivers/net/can/softing/Makefile
+
+announce CAN_SOFTING_CS - "Softing Gmbh CAN pcmcia cards"
+clean_blob drivers/net/can/softing/softing_cs.c
+clean_blob drivers/net/can/softing/softing_platform.h
+clean_sed '
+/^config CAN_SOFTING_CS$/,${
+ /You need firmware/i\
+ /*(DEBLOBBED)*/
+ /You need firmware/,/softing-fw.*tar\.gz/d
+}' drivers/net/can/softing/Kconfig 'removed firmware notes'
+clean_kconfig drivers/net/can/softing/Kconfig 'CAN_SOFTING_CS'
+clean_mk CONFIG_CAN_SOFTING_CS drivers/net/can/softing/Makefile
+
+########
+# ISDN #
+########
+
+announce ISDN_DIVAS - "Support Eicon DIVA Server cards"
+clean_blob drivers/isdn/hardware/eicon/cardtype.h
+clean_blob drivers/isdn/hardware/eicon/dsp_defs.h
+clean_kconfig drivers/isdn/hardware/eicon/Kconfig 'ISDN_DIVAS'
+clean_mk CONFIG_ISDN_DIVAS drivers/isdn/hardware/eicon/Makefile
+
+announce MISDN_SPEEDFAX - "Support for Sedlbauer Speedfax+"
+reject_firmware drivers/isdn/hardware/mISDN/speedfax.c
+clean_blob drivers/isdn/hardware/mISDN/speedfax.c
+clean_kconfig drivers/isdn/hardware/mISDN/Kconfig 'MISDN_SPEEDFAX'
+clean_mk CONFIG_MISDN_SPEEDFAX drivers/isdn/hardware/mISDN/Makefile
+
+##########
+# Serial #
+##########
+
+announce SERIAL_8250_CS - "8250/16550 PCMCIA device support"
+# These are not software; they're Free, but GPLed without in-tree sources.
+drop_fw_file firmware/cis/MT5634ZLX.cis.ihex firmware/cis/MT5634ZLX.cis
+drop_fw_file firmware/cis/RS-COM-2P.cis.ihex firmware/cis/RS-COM-2P.cis
+drop_fw_file firmware/cis/COMpad2.cis.ihex firmware/cis/COMpad2.cis
+drop_fw_file firmware/cis/COMpad4.cis.ihex firmware/cis/COMpad4.cis
+# These are not software; they're Free, but GPLed without textual sources.
+# It could be assumed that these binaries *are* sources, since they
+# can be trivially converted back to a textual form, without loss,
+# but we're better off safe than sorry, so remove them from our tree.
+drop_fw_file firmware/cis/SW_555_SER.cis.ihex firmware/cis/SW_555_SER.cis
+drop_fw_file firmware/cis/SW_7xx_SER.cis.ihex firmware/cis/SW_7xx_SER.cis
+drop_fw_file firmware/cis/SW_8xx_SER.cis.ihex firmware/cis/SW_8xx_SER.cis
+# clean_blob drivers/tty/serial/serial_cs.c
+# clean_kconfig drivers/tty/serial/Kconfig 'SERIAL_8250_CS'
+# clean_mk CONFIG_SERIAL_8250_CS drivers/tty/serial/Makefile
+
+announce SERIAL_ICOM - "IBM Multiport Serial Adapter"
+reject_firmware drivers/tty/serial/icom.c
+clean_blob drivers/tty/serial/icom.c
+clean_kconfig drivers/tty/serial/Kconfig 'SERIAL_ICOM'
+clean_mk CONFIG_SERIAL_ICOM drivers/tty/serial/Makefile
+
+announce SERIAL_QE - "Freescale QUICC Engine serial port support"
+reject_firmware drivers/tty/serial/ucc_uart.c
+clean_blob drivers/tty/serial/ucc_uart.c
+clean_kconfig drivers/tty/serial/Kconfig 'SERIAL_QE'
+clean_mk CONFIG_SERIAL_QE drivers/tty/serial/Makefile
+
+announce SERIAL_RP2 - "Comtrol RocketPort EXPRESS/INFINITY support"
+reject_firmware drivers/tty/serial/rp2.c
+clean_blob drivers/tty/serial/rp2.c
+clean_kconfig drivers/tty/serial/Kconfig 'SERIAL_RP2'
+clean_mk CONFIG_SERIAL_RP2 drivers/tty/serial/Makefile
+
+########
+# Leds #
+########
+
+announce LEDS_LP55XX_COMMON - "Common Driver for TI/National LP5521 and LP5523/55231"
+reject_firmware drivers/leds/leds-lp55xx-common.c
+clean_kconfig drivers/leds/Kconfig 'LEDS_LP55XX_COMMON'
+clean_mk CONFIG_LEDS_LP55XX_COMMON drivers/leds/Makefile
+
+announce LEDS_LP5521 - "LED Support for N.S. LP5521 LED driver chip"
+# The blob name is the chip name; no point in deblobbing that.
+# clean_blob drivers/leds/leds-lp5521.c
+clean_kconfig drivers/leds/Kconfig 'LEDS_LP5521'
+clean_mk CONFIG_LEDS_LP5521 drivers/leds/Makefile
+
+announce LEDS_LP5523 - "LED Support for TI/National LP5523/55231 LED driver chip"
+# The blob name is the chip name; no point in deblobbing that.
+# clean_blob drivers/leds/leds-lp5523.c
+clean_kconfig drivers/leds/Kconfig 'LEDS_LP5523'
+clean_mk CONFIG_LEDS_LP5523 drivers/leds/Makefile
+
+#########
+# input #
+#########
+
+announce TOUCHSCREEN_ATMEL_MXT - "Atmel mXT I2C Touchscreen"
+reject_firmware drivers/input/touchscreen/atmel_mxt_ts.c
+clean_blob drivers/input/touchscreen/atmel_mxt_ts.c
+clean_kconfig drivers/input/touchscreen/Kconfig 'TOUCHSCREEN_ATMEL_MXT'
+clean_mk CONFIG_TOUCHSCREEN_ATMEL_MXT drivers/input/touchscreen/Makefile
+
+announce LIRC_ZILOG - "Zilog/Hauppauge IR Transmitter"
+reject_firmware drivers/staging/media/lirc/lirc_zilog.c
+clean_blob drivers/staging/media/lirc/lirc_zilog.c
+clean_kconfig drivers/staging/media/lirc/Kconfig 'LIRC_ZILOG'
+clean_mk CONFIG_LIRC_ZILOG drivers/staging/media/lirc/Makefile
+
+announce INPUT_IMS_PCU - "IMS Passenger Control Unit driver"
+reject_firmware drivers/input/misc/ims-pcu.c
+clean_blob drivers/input/misc/ims-pcu.c
+clean_kconfig drivers/input/misc/Kconfig 'INPUT_IMS_PCU'
+clean_mk CONFIG_INPUT_IMS_PCU drivers/input/misc/Makefile
+
+####################
+# Data acquisition #
+####################
+
+announce COMEDI - "Data acquisition support (comedi)"
+reject_firmware drivers/staging/comedi/drivers.c
+clean_kconfig drivers/staging/comedi/Kconfig 'COMEDI'
+clean_mk CONFIG_COMEDI drivers/staging/comedi/Makefile
+
+announce COMEDI_DAQBOARD2000 - "IOtech DAQboard/2000 support"
+clean_blob drivers/staging/comedi/drivers/daqboard2000.c
+clean_kconfig drivers/staging/comedi/Kconfig 'COMEDI_DAQBOARD2000'
+clean_mk CONFIG_COMEDI_DAQBOARD2000 drivers/staging/comedi/drivers/Makefile
+
+announce COMEDI_JR3_PCI - "JR3/PCI force sensor board support"
+clean_blob drivers/staging/comedi/drivers/jr3_pci.c
+clean_kconfig drivers/staging/comedi/Kconfig 'COMEDI_JR3_PCI'
+clean_mk CONFIG_COMEDI_JR3_PCI drivers/staging/comedi/drivers/Makefile
+
+announce COMEDI_ME_DAQ - "Meilhaus ME-2000i, ME-2600i, ME-3000vm1 support"
+clean_blob drivers/staging/comedi/drivers/me_daq.c
+clean_kconfig drivers/staging/comedi/Kconfig 'COMEDI_ME_DAQ'
+clean_mk CONFIG_COMEDI_ME_DAQ drivers/staging/comedi/drivers/Makefile
+
+announce COMEDI_NI_PCIDIO - "NI PCI-DIO32HS, PCI-6533, PCI-6534 support"
+clean_blob drivers/staging/comedi/drivers/ni_pcidio.c
+clean_kconfig drivers/staging/comedi/Kconfig 'COMEDI_NI_PCIDIO'
+clean_mk CONFIG_COMEDI_NI_PCIDIO drivers/staging/comedi/drivers/Makefile
+
+announce COMEDI_USBDUX - "ITL USBDUX support"
+clean_blob drivers/staging/comedi/drivers/usbdux.c
+clean_kconfig drivers/staging/comedi/Kconfig 'COMEDI_USBDUX'
+clean_mk CONFIG_COMEDI_USBDUX drivers/staging/comedi/drivers/Makefile
+
+announce COMEDI_USBDUXFAST - "ITL USB-DUXfast support"
+clean_blob drivers/staging/comedi/drivers/usbduxfast.c
+clean_kconfig drivers/staging/comedi/Kconfig 'COMEDI_USBDUXFAST'
+clean_mk CONFIG_COMEDI_USBDUXFAST drivers/staging/comedi/drivers/Makefile
+
+announce COMEDI_USBDUXSIGMA - "ITL USB-DUXsigma support"
+clean_blob drivers/staging/comedi/drivers/usbduxsigma.c
+clean_kconfig drivers/staging/comedi/Kconfig 'COMEDI_USBDUXSIGMA'
+clean_mk CONFIG_COMEDI_USBDUXSIGMA drivers/staging/comedi/drivers/Makefile
+
+
+#######
+# MMC #
+#######
+
+announce MMC_VUB300 - "VUB300 USB to SDIO/SD/MMC Host Controller support"
+clean_sed '
+/^config MMC_VUB300/,/^config /{
+ /Some SDIO cards/i\
+ /*(DEBLOBBED)*/
+ /Some SDIO cards/,/obtainable data rate\.$/d
+}
+' drivers/mmc/host/Kconfig "removed firmware notes"
+reject_firmware drivers/mmc/host/vub300.c
+clean_blob drivers/mmc/host/vub300.c
+clean_kconfig drivers/mmc/host/Kconfig 'MMC_VUB300'
+clean_mk CONFIG_MMC_VUB300 drivers/mmc/host/Makefile
+
+########
+# SCSI #
+########
+
+announce SCSI_QLOGICPTI - "PTI Qlogic, ISP Driver"
+drop_fw_file firmware/qlogic/isp1000.bin.ihex firmware/qlogic/isp1000.bin
+reject_firmware drivers/scsi/qlogicpti.c
+clean_blob drivers/scsi/qlogicpti.c
+clean_kconfig drivers/scsi/Kconfig 'SCSI_QLOGICPTI'
+clean_mk CONFIG_SCSI_QLOGICPTI drivers/scsi/Makefile
+
+announce SCSI_ADVANSYS - "AdvanSys SCSI"
+drop_fw_file firmware/advansys/mcode.bin.ihex firmware/advansys/mcode.bin
+drop_fw_file firmware/advansys/3550.bin.ihex firmware/advansys/3550.bin
+drop_fw_file firmware/advansys/38C0800.bin.ihex firmware/advansys/38C0800.bin
+drop_fw_file firmware/advansys/38C1600.bin.ihex firmware/advansys/38C1600.bin
+reject_firmware drivers/scsi/advansys.c
+clean_blob drivers/scsi/advansys.c
+clean_kconfig drivers/scsi/Kconfig 'SCSI_ADVANSYS'
+clean_mk CONFIG_SCSI_ADVANSYS drivers/scsi/Makefile
+
+announce SCSI_QLOGIC_1280 - "Qlogic QLA 1240/1x80/1x160 SCSI"
+drop_fw_file firmware/qlogic/1040.bin.ihex firmware/qlogic/1040.bin
+drop_fw_file firmware/qlogic/1280.bin.ihex firmware/qlogic/1280.bin
+drop_fw_file firmware/qlogic/12160.bin.ihex firmware/qlogic/12160.bin
+reject_firmware drivers/scsi/qla1280.c
+clean_blob drivers/scsi/qla1280.c
+clean_kconfig drivers/scsi/Kconfig 'SCSI_QLOGIC_1280'
+clean_mk CONFIG_SCSI_QLOGIC_1280 drivers/scsi/Makefile
+
+announce SCSI_AIC94XX - "Adaptec AIC94xx SAS/SATA support"
+reject_firmware drivers/scsi/aic94xx/aic94xx_seq.c
+clean_blob drivers/scsi/aic94xx/aic94xx_seq.c
+clean_blob drivers/scsi/aic94xx/aic94xx_seq.h
+clean_kconfig drivers/scsi/aic94xx/Kconfig 'SCSI_AIC94XX'
+clean_mk CONFIG_SCSI_AIC94XX drivers/scsi/aic94xx/Makefile
+
+announce SCSI_BFA_FC - "Brocade BFA Fibre Channel Support"
+reject_firmware drivers/scsi/bfa/bfad.c
+clean_blob drivers/scsi/bfa/bfad.c
+clean_kconfig drivers/scsi/Kconfig 'SCSI_BFA_FC'
+clean_mk CONFIG_SCSI_BFA_FC drivers/scsi/bfa/Makefile
+
+announce SCSI_CHELSIO_FCOE - "Chelsio Communications FCoE support"
+reject_firmware drivers/scsi/csiostor/csio_hw.c
+clean_blob drivers/scsi/csiostor/csio_hw_chip.h
+clean_blob drivers/scsi/csiostor/csio_init.c
+clean_kconfig drivers/scsi/csiostor/Kconfig 'SCSI_CHELSIO_FCOE'
+clean_mk CONFIG_SCSI_CHELSIO_FCOE drivers/scsi/csiostor/Makefile
+
+announce SCSI_LPFC - "Emulex LightPulse Fibre Channel Support"
+# The firmware name is built out of Vital Product Data read from the
+# adapter. The firmware is definitely code, and I couldn't find
+# evidence it is Free, so I'm disabling it. It's not clear whether
+# this is the hardware or the software inducing to the installation of
+# non-Free firmware.
+reject_firmware drivers/scsi/lpfc/lpfc.h
+reject_firmware drivers/scsi/lpfc/lpfc_crtn.h
+reject_firmware drivers/scsi/lpfc/lpfc_init.c
+reject_firmware drivers/scsi/lpfc/lpfc_attr.c
+clean_kconfig drivers/scsi/Kconfig 'SCSI_LPFC'
+clean_mk CONFIG_SCSI_LPFC drivers/scsi/lpfc/Makefile
+
+announce SCSI_QLA_FC - "QLogic QLA2XXX Fibre Channel Support"
+reject_firmware drivers/scsi/qla2xxx/qla_gbl.h
+reject_firmware drivers/scsi/qla2xxx/qla_init.c
+reject_firmware drivers/scsi/qla2xxx/qla_os.c
+reject_firmware drivers/scsi/qla2xxx/qla_nx.c
+clean_sed '
+/^config SCSI_QLA_FC$/,/^config /{
+ /^ By default, firmware/i\
+ /*(DEBLOBBED)*/
+ /^ By default, firmware/,/ftp:[/][/].*firmware[/]/d
+}' drivers/scsi/qla2xxx/Kconfig 'removed firmware notes'
+clean_blob drivers/scsi/qla2xxx/qla_os.c
+clean_kconfig drivers/scsi/qla2xxx/Kconfig 'SCSI_QLA_FC'
+clean_mk CONFIG_SCSI_QLA_FC drivers/scsi/qla2xxx/Makefile
+
+
+#######
+# USB #
+#######
+
+# atm
+
+announce USB_CXACRU - "Conexant AccessRunner USB support"
+reject_firmware drivers/usb/atm/cxacru.c
+clean_blob drivers/usb/atm/cxacru.c
+clean_kconfig drivers/usb/atm/Kconfig 'USB_CXACRU'
+clean_mk CONFIG_USB_CXACRU drivers/usb/atm/Makefile
+
+announce USB_SPEEDTOUCH - "Speedtouch USB support"
+reject_firmware drivers/usb/atm/speedtch.c
+clean_blob drivers/usb/atm/speedtch.c
+clean_kconfig drivers/usb/atm/Kconfig 'USB_SPEEDTOUCH'
+clean_mk CONFIG_USB_SPEEDTOUCH drivers/usb/atm/Makefile
+
+announce USB_UEAGLEATM - "ADI 930 and eagle USB DSL modem"
+reject_firmware drivers/usb/atm/ueagle-atm.c
+clean_blob drivers/usb/atm/ueagle-atm.c
+clean_kconfig drivers/usb/atm/Kconfig 'USB_UEAGLEATM'
+clean_mk CONFIG_USB_UEAGLEATM drivers/usb/atm/Makefile
+
+# misc
+
+announce USB_EMI26 - "EMI 2|6 USB Audio interface"
+# These files are not under the GPL, better remove them all.
+drop_fw_file firmware/emi26/bitstream.HEX firmware/emi26/bitstream.fw
+drop_fw_file firmware/emi26/firmware.HEX firmware/emi26/firmware.fw
+drop_fw_file firmware/emi26/loader.HEX firmware/emi26/loader.fw
+reject_firmware drivers/usb/misc/emi26.c
+clean_blob drivers/usb/misc/emi26.c
+clean_kconfig drivers/usb/misc/Kconfig 'USB_EMI26'
+clean_mk CONFIG_USB_EMI26 drivers/usb/misc/Makefile
+
+announce USB_EMI62 - "EMI 6|2m USB Audio interface"
+# These files are probably not under the GPL, better remove them all.
+drop_fw_file firmware/emi62/bitstream.HEX firmware/emi62/bitstream.fw
+drop_fw_file firmware/emi62/loader.HEX firmware/emi62/loader.fw
+drop_fw_file firmware/emi62/midi.HEX firmware/emi62/midi.fw
+drop_fw_file firmware/emi62/spdif.HEX firmware/emi62/spdif.fw
+reject_firmware drivers/usb/misc/emi62.c
+clean_blob drivers/usb/misc/emi62.c
+clean_kconfig drivers/usb/misc/Kconfig 'USB_EMI62'
+clean_mk CONFIG_USB_EMI62 drivers/usb/misc/Makefile
+
+announce USB_EZUSB_FX2 - "Functions for loading firmware on EZUSB chips"
+maybe_reject_firmware drivers/usb/misc/ezusb.c
+
+announce USB_ISIGHTFW - "iSight firmware loading support"
+reject_firmware drivers/usb/misc/isight_firmware.c
+clean_blob drivers/usb/misc/isight_firmware.c
+clean_kconfig drivers/usb/misc/Kconfig 'USB_ISIGHTFW'
+clean_mk CONFIG_USB_ISIGHTFW drivers/usb/misc/Makefile
+
+# storage
+
+announce USB_STORAGE_ENE_UB6250 - "USB ENE card reader support"
+reject_firmware drivers/usb/storage/ene_ub6250.c
+clean_blob drivers/usb/storage/ene_ub6250.c
+clean_kconfig drivers/usb/storage/Kconfig 'USB_STORAGE_ENE_UB6250'
+clean_mk 'CONFIG_USB_STORAGE_ENE_UB6250' drivers/usb/storage/Makefile
+
+announce USB_ENESTORAGE - "USB ENE card reader support"
+clean_blob drivers/staging/keucr/init.h
+clean_sed '
+/^int ENE_LoadBinCode(/,/^}$/ {
+ /kmalloc/i\
+ return /*(DEBLOBBED)*/ USB_STOR_TRANSPORT_ERROR;
+}
+' drivers/staging/keucr/init.c 'disable non-Free firmware loading machinery'
+clean_kconfig drivers/staging/keucr/Kconfig 'USB_ENESTORAGE'
+clean_mk 'CONFIG_USB_ENESTORAGE' drivers/staging/keucr/Makefile
+
+# serial
+
+announce USB_SERIAL_KEYSPAN - "USB Keyspan USA-xxx Serial Driver"
+drop_fw_file firmware/keyspan/mpr.HEX firmware/keyspan/mpr.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_MPR'
+drop_fw_file firmware/keyspan/usa18x.HEX firmware/keyspan/usa18x.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA18X'
+drop_fw_file firmware/keyspan/usa19.HEX firmware/keyspan/usa19.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA19'
+drop_fw_file firmware/keyspan/usa19qi.HEX firmware/keyspan/usa19qi.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA19QI'
+drop_fw_file firmware/keyspan/usa19qw.HEX firmware/keyspan/usa19qw.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA19QW'
+drop_fw_file firmware/keyspan/usa19w.HEX firmware/keyspan/usa19w.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA19W'
+drop_fw_file firmware/keyspan/usa28.HEX firmware/keyspan/usa28.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA28'
+drop_fw_file firmware/keyspan/usa28xa.HEX firmware/keyspan/usa28xa.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA28XA'
+drop_fw_file firmware/keyspan/usa28xb.HEX firmware/keyspan/usa28xb.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA28XB'
+drop_fw_file firmware/keyspan/usa28x.HEX firmware/keyspan/usa28x.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA28X'
+drop_fw_file firmware/keyspan/usa49w.HEX firmware/keyspan/usa49w.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA49W'
+drop_fw_file firmware/keyspan/usa49wlc.HEX firmware/keyspan/usa49wlc.fw
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN_USA49WLC'
+clean_blob drivers/usb/serial/keyspan.c
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_KEYSPAN'
+clean_mk CONFIG_USB_SERIAL_KEYSPAN drivers/usb/serial/Makefile
+
+announce USB_SERIAL_EDGEPORT - "USB Inside Out Edgeport Serial Driver"
+clean_fw firmware/edgeport/boot.H16 firmware/edgeport/boot.fw
+clean_fw firmware/edgeport/boot2.H16 firmware/edgeport/boot2.fw
+clean_fw firmware/edgeport/down.H16 firmware/edgeport/down.fw
+clean_fw firmware/edgeport/down2.H16 firmware/edgeport/down2.fw
+reject_firmware drivers/usb/serial/io_edgeport.c
+clean_blob drivers/usb/serial/io_edgeport.c
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_EDGEPORT'
+clean_mk CONFIG_USB_SERIAL_EDGEPORT drivers/usb/serial/Makefile
+
+announce USB_SERIAL_EDGEPORT_TI - "USB Inside Out Edgeport Serial Driver (TI devices)"
+clean_fw firmware/edgeport/down3.bin.ihex firmware/edgeport/down3.bin
+reject_firmware drivers/usb/serial/io_ti.c
+clean_blob drivers/usb/serial/io_ti.c
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_EDGEPORT_TI'
+clean_mk CONFIG_USB_SERIAL_EDGEPORT_TI drivers/usb/serial/Makefile
+
+announce USB_SERIAL_TI - "USB TI 3410/5052 Serial Driver"
+drop_fw_file firmware/ti_3410.fw.ihex firmware/ti_3410.fw
+drop_fw_file firmware/ti_5052.fw.ihex firmware/ti_5052.fw
+drop_fw_file firmware/mts_cdma.fw.ihex firmware/mts_cdma.fw
+drop_fw_file firmware/mts_gsm.fw.ihex firmware/mts_gsm.fw
+drop_fw_file firmware/mts_edge.fw.ihex firmware/mts_edge.fw
+reject_firmware drivers/usb/serial/ti_usb_3410_5052.c
+clean_blob drivers/usb/serial/ti_usb_3410_5052.c
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_TI'
+clean_mk CONFIG_USB_SERIAL_TI drivers/usb/serial/Makefile
+
+announce USB_SERIAL_WHITEHEAT - "USB ConnectTech WhiteHEAT Serial Driver"
+clean_fw firmware/whiteheat.HEX firmware/whiteheat.fw
+clean_fw firmware/whiteheat_loader.HEX firmware/whiteheat_loader.fw
+clean_fw firmware/whiteheat_loader_debug.HEX firmware/whiteheat_loader_debug.fw
+clean_blob drivers/usb/serial/whiteheat.c
+clean_kconfig drivers/usb/serial/Kconfig 'USB_SERIAL_WHITEHEAT'
+clean_mk CONFIG_USB_SERIAL_WHITEHEAT drivers/usb/serial/Makefile
+
+# uwb
+
+announce UWB_I1480U - Support for Intel Wireless UWB Link 1480 HWA
+reject_firmware drivers/uwb/i1480/dfu/i1480-dfu.h
+reject_firmware drivers/uwb/i1480/dfu/mac.c
+reject_firmware drivers/uwb/i1480/dfu/phy.c
+clean_blob drivers/uwb/i1480/dfu/usb.c
+clean_kconfig drivers/uwb/Kconfig 'UWB_I1480U'
+clean_mk CONFIG_UWB_I1480U drivers/uwb/i1480/dfu/Makefile
+
+
+
+################
+# Programmable #
+################
+
+announce LATTICE_ECP3_CONFIG - "Lattice ECP3 FPGA bitstrap configuration via SPI"
+reject_firmware drivers/misc/lattice-ecp3-config.c
+clean_blob drivers/misc/lattice-ecp3-config.c
+clean_kconfig drivers/misc/Kconfig 'LATTICE_ECP3_CONFIG'
+clean_mk CONFIG_LATTICE_ECP3_CONFIG drivers/misc/Makefile
+
+announce STE_MODEM_RPROC - "STE-Modem remoteproc support"
+maybe_reject_firmware drivers/remoteproc/remoteproc_core.c
+undefine_macro SPROC_MODEM_FIRMWARE "\"/*(DEBLOBBED)*/\"" \
+ "disabled non-Free firmware" drivers/remoteproc/ste_modem_rproc.c
+clean_kconfig drivers/remoteproc/Kconfig 'STE_MODEM_RPROC'
+clean_mk CONFIG_STE_MODEM_RPROC drivers/remoteproc/Makefile
+
+
+#########
+# Sound #
+#########
+
+announce SND_ASIHPI - "AudioScience ASIxxxx"
+reject_firmware sound/pci/asihpi/hpidspcd.c
+clean_blob sound/pci/asihpi/hpidspcd.c
+clean_blob sound/pci/asihpi/hpioctl.c
+clean_kconfig sound/pci/Kconfig 'SND_ASIHPI'
+clean_mk CONFIG_SND_ASIHPI sound/pci/asihpi/Makefile
+
+announce SND_CS46XX - "Cirrus Logic (Sound Fusion) CS4280/CS461x/CS462x/CS463x"
+# This appears to have been extracted from some non-Free driver
+clean_file sound/pci/cs46xx/cs46xx_image.h
+# The following blobs are definitely extracted from non-Free drivers.
+clean_file sound/pci/cs46xx/imgs/cwc4630.h
+clean_file sound/pci/cs46xx/imgs/cwcasync.h
+clean_file sound/pci/cs46xx/imgs/cwcsnoop.h
+clean_sed '
+/^\(int \)\?snd_cs46xx_download_image([^;]*$/,/^}$/{
+ /for.*BA1_MEMORY_COUNT/i\
+#if 0
+ /^}$/{
+ i\
+#else\
+ snd_printk(KERN_ERR "cs46xx: Missing Free firmware\\n");\
+ return -EINVAL;\
+#endif
+ }
+}
+s/cs46xx_dsp_load_module(chip, [&]cwc\(4630\|async\|snoop\)_module)/(snd_printk(KERN_ERR "cs46xx: Missing Free firmware\\n"),-EINVAL)/
+' sound/pci/cs46xx/cs46xx_lib.c 'report missing Free firmware'
+clean_blob sound/pci/cs46xx/cs46xx_lib.c
+clean_kconfig sound/pci/Kconfig 'SND_CS46XX'
+clean_mk 'CONFIG_SND_CS46XX' sound/pci/cs46xx/Makefile
+
+announce SND_KORG1212 - "Korg 1212 IO"
+drop_fw_file firmware/korg/k1212.dsp.ihex firmware/korg/k1212.dsp
+reject_firmware sound/pci/korg1212/korg1212.c
+clean_blob sound/pci/korg1212/korg1212.c
+clean_kconfig sound/pci/Kconfig 'SND_KORG1212'
+clean_mk 'CONFIG_SND_KORG1212' sound/pci/korg1212/Makefile
+
+announce SND_MAESTRO3 - "ESS Allegro/Maestro3"
+drop_fw_file firmware/ess/maestro3_assp_kernel.fw.ihex firmware/ess/maestro3_assp_kernel.fw
+drop_fw_file firmware/ess/maestro3_assp_minisrc.fw.ihex firmware/ess/maestro3_assp_minisrc.fw
+reject_firmware sound/pci/maestro3.c
+clean_blob sound/pci/maestro3.c
+clean_kconfig sound/pci/Kconfig 'SND_MAESTRO3'
+clean_mk 'CONFIG_SND_MAESTRO3' sound/pci/Makefile
+
+announce SND_YMFPCI - "Yamaha YMF724/740/744/754"
+drop_fw_file firmware/yamaha/ds1_ctrl.fw.ihex firmware/yamaha/ds1_ctrl.fw
+drop_fw_file firmware/yamaha/ds1_dsp.fw.ihex firmware/yamaha/ds1_dsp.fw
+drop_fw_file firmware/yamaha/ds1e_ctrl.fw.ihex firmware/yamaha/ds1e_ctrl.fw
+reject_firmware sound/pci/ymfpci/ymfpci_main.c
+clean_blob sound/pci/ymfpci/ymfpci_main.c
+clean_kconfig sound/pci/Kconfig 'SND_YMFPCI'
+clean_mk 'CONFIG_SND_YMFPCI' sound/pci/ymfpci/Makefile
+
+announce SND_SB16_CSP - "SB16 Advanced Signal Processor"
+drop_fw_file firmware/sb16/alaw_main.csp.ihex firmware/sb16/alaw_main.csp
+drop_fw_file firmware/sb16/mulaw_main.csp.ihex firmware/sb16/mulaw_main.csp
+drop_fw_file firmware/sb16/ima_adpcm_init.csp.ihex firmware/sb16/ima_adpcm_init.csp
+drop_fw_file firmware/sb16/ima_adpcm_capture.csp.ihex firmware/sb16/ima_adpcm_capture.csp
+drop_fw_file firmware/sb16/ima_adpcm_playback.csp.ihex firmware/sb16/ima_adpcm_playback.csp
+reject_firmware sound/isa/sb/sb16_csp.c
+clean_blob sound/isa/sb/sb16_csp.c
+clean_kconfig sound/isa/Kconfig 'SND_SB16_CSP'
+clean_mk 'CONFIG_SND_SB16_CSP' sound/isa/sb/Makefile
+
+announce SND_WAVEFRONT - "Turtle Beach Maui,Tropez,Tropez+ (Wavefront)"
+drop_fw_file firmware/yamaha/yss225_registers.bin.ihex firmware/yamaha/yss225_registers.bin
+reject_firmware sound/isa/wavefront/wavefront_fx.c
+clean_blob sound/isa/wavefront/wavefront_fx.c
+reject_firmware sound/isa/wavefront/wavefront_synth.c
+clean_blob sound/isa/wavefront/wavefront_synth.c
+clean_kconfig sound/isa/Kconfig 'SND_WAVEFRONT'
+clean_mk 'CONFIG_SND_WAVEFRONT' sound/isa/wavefront/Makefile
+
+announce SND_VX_LIB - Digigram VX soundcards
+reject_firmware sound/drivers/vx/vx_hwdep.c
+clean_blob sound/drivers/vx/vx_hwdep.c
+clean_kconfig sound/drivers/Kconfig 'SND_VX_LIB'
+clean_mk CONFIG_SND_VX_LIB sound/drivers/vx/Makefile
+
+announce SND_DARLA20 - "(Echoaudio) Darla20"
+clean_blob sound/pci/echoaudio/darla20.c
+clean_kconfig sound/pci/Kconfig 'SND_DARLA20'
+clean_mk CONFIG_SND_DARLA20 sound/pci/echoaudio/Makefile
+
+announce SND_DARLA24 - "(Echoaudio) Darla24"
+clean_blob sound/pci/echoaudio/darla24.c
+clean_kconfig sound/pci/Kconfig 'SND_DARLA24'
+clean_mk CONFIG_SND_DARLA24 sound/pci/echoaudio/Makefile
+
+announce SND_ECHO3G - "(Echoaudio) 3G cards"
+clean_blob sound/pci/echoaudio/echo3g.c
+clean_kconfig sound/pci/Kconfig 'SND_ECHO3G'
+clean_mk CONFIG_SND_ECHO3G sound/pci/echoaudio/Makefile
+
+announce SND_GINA20 - "(Echoaudio) Gina20"
+clean_blob sound/pci/echoaudio/gina20.c
+clean_kconfig sound/pci/Kconfig 'SND_GINA20'
+clean_mk CONFIG_SND_GINA20 sound/pci/echoaudio/Makefile
+
+announce SND_GINA24 - "(Echoaudio) Gina24"
+clean_blob sound/pci/echoaudio/gina24.c
+clean_kconfig sound/pci/Kconfig 'SND_GINA24'
+clean_mk CONFIG_SND_GINA24 sound/pci/echoaudio/Makefile
+
+announce SND_INDIGO - "(Echoaudio) Indigo"
+clean_blob sound/pci/echoaudio/indigo.c
+clean_kconfig sound/pci/Kconfig 'SND_INDIGO'
+clean_mk CONFIG_SND_INDIGO sound/pci/echoaudio/Makefile
+
+announce SND_INDIGODJ - "(Echoaudio) Indigo DJ"
+clean_blob sound/pci/echoaudio/indigodj.c
+clean_kconfig sound/pci/Kconfig 'SND_INDIGODJ'
+clean_mk CONFIG_SND_INDIGODJ sound/pci/echoaudio/Makefile
+
+announce SND_INDIGODJX - "(Echoaudio) Indigo DJx"
+clean_blob sound/pci/echoaudio/indigodjx.c
+clean_kconfig sound/pci/Kconfig 'SND_INDIGODJX'
+clean_mk CONFIG_SND_INDIGODJX sound/pci/echoaudio/Makefile
+
+announce SND_INDIGOIO - "(Echoaudio) Indigo IO"
+clean_blob sound/pci/echoaudio/indigoio.c
+clean_kconfig sound/pci/Kconfig 'SND_INDIGOIO'
+clean_mk CONFIG_SND_INDIGOIO sound/pci/echoaudio/Makefile
+
+announce SND_INDIGOIOX - "(Echoaudio) Indigo IOx"
+clean_blob sound/pci/echoaudio/indigoiox.c
+clean_kconfig sound/pci/Kconfig 'SND_INDIGOIOX'
+clean_mk CONFIG_SND_INDIGOIOX sound/pci/echoaudio/Makefile
+
+announce SND_LAYLA20 - "(Echoaudio) Layla20"
+clean_blob sound/pci/echoaudio/layla20.c
+clean_kconfig sound/pci/Kconfig 'SND_LAYLA20'
+clean_mk CONFIG_SND_LAYLA20 sound/pci/echoaudio/Makefile
+
+announce SND_LAYLA24 - "(Echoaudio) Layla24"
+clean_blob sound/pci/echoaudio/layla24.c
+clean_kconfig sound/pci/Kconfig 'SND_LAYLA24'
+clean_mk CONFIG_SND_LAYLA24 sound/pci/echoaudio/Makefile
+
+announce SND_MIA - "(Echoaudio) Mia"
+clean_blob sound/pci/echoaudio/mia.c
+clean_kconfig sound/pci/Kconfig 'SND_MIA'
+clean_mk CONFIG_SND_MIA sound/pci/echoaudio/Makefile
+
+announce SND_MONA - "(Echoaudio) Mona"
+clean_blob sound/pci/echoaudio/mona.c
+clean_kconfig sound/pci/Kconfig 'SND_MONA'
+clean_mk CONFIG_SND_MONA sound/pci/echoaudio/Makefile
+
+announce SND_'<(Echoaudio)>' - "(Echoaudio) all of the above "
+reject_firmware sound/pci/echoaudio/echoaudio.c
+clean_blob sound/pci/echoaudio/echoaudio.c
+
+announce SND_EMU10K1 - "Emu10k1 (SB Live!, Audigy, E-mu APS)"
+reject_firmware sound/pci/emu10k1/emu10k1_main.c
+clean_blob sound/pci/emu10k1/emu10k1_main.c
+clean_kconfig sound/pci/Kconfig 'SND_EMU10K1'
+clean_mk CONFIG_SND_EMU10K1 sound/pci/emu10k1/Makefile
+
+announce SND_MIXART - "Digigram miXart"
+reject_firmware sound/pci/mixart/mixart_hwdep.c
+clean_blob sound/pci/mixart/mixart_hwdep.c
+clean_kconfig sound/pci/Kconfig 'SND_MIXART'
+clean_mk CONFIG_SND_MIXART sound/pci/mixart/Makefile
+
+announce SND_PCXHR - "Digigram PCXHR"
+reject_firmware sound/pci/pcxhr/pcxhr_hwdep.c
+clean_blob sound/pci/pcxhr/pcxhr_hwdep.c
+clean_kconfig sound/pci/Kconfig 'SND_PCXHR'
+clean_mk CONFIG_SND_PCXHR sound/pci/pcxhr/Makefile
+
+announce SND_RIPTIDE - "Conexant Riptide"
+reject_firmware sound/pci/riptide/riptide.c
+clean_blob sound/pci/riptide/riptide.c
+clean_kconfig sound/pci/Kconfig 'SND_RIPTIDE'
+clean_mk CONFIG_SND_RIPTIDE sound/pci/riptide/Makefile
+
+# This is ok, patch filenames are supplied as module parameters, and
+# they are text files with patch instructions.
+#announce SND_HDA_PATCH_LOADER - "Support initialization patch loading for HD-audio"
+#reject_firmware sound/pci/hda/hda_hwdep.c
+#clean_kconfig sound/pci/hda/Kconfig 'SND_HDA_PATCH_LOADER'
+
+announce SND_HDA_CODEC_CA0132_DSP - "Support new DSP code for CA0132 codec"
+reject_firmware sound/pci/hda/patch_ca0132.c
+clean_blob sound/pci/hda/patch_ca0132.c
+clean_sed '
+/^config SND_HDA_CODEC_CA0132_DSP$/, /^config / {
+ s,(ctefx.bin),(/*(DEBLOBBED)*/),;
+}' sound/pci/hda/Kconfig 'removed blob name'
+clean_kconfig sound/pci/hda/Kconfig 'SND_HDA_CODEC_CA0132_DSP'
+# There are no separate source files or Makefile entries for the _DSP option.
+clean_mk CONFIG_SND_HDA_CODEC_CA0132 sound/pci/hda/Makefile
+
+announce SND_HDSP - "RME Hammerfall DSP Audio"
+reject_firmware sound/pci/rme9652/hdsp.c
+clean_blob sound/pci/rme9652/hdsp.c
+clean_kconfig sound/pci/Kconfig 'SND_HDSP'
+clean_mk CONFIG_SND_HDSP sound/pci/rme9652/Makefile
+
+announce SND_AICA - "Dreamcast Yamaha AICA sound"
+reject_firmware sound/sh/aica.c
+clean_blob sound/sh/aica.c
+clean_kconfig sound/sh/Kconfig 'SND_AICA'
+clean_mk CONFIG_SND_AICA sound/sh/Makefile
+
+announce SND_MSND_PINNACLE - "Support for Turtle Beach MultiSound Pinnacle"
+clean_blob sound/isa/msnd/msnd_pinnacle.h
+reject_firmware sound/isa/msnd/msnd_pinnacle.c
+clean_blob sound/isa/msnd/msnd_pinnacle.c
+clean_kconfig sound/isa/Kconfig 'SND_MSND_PINNACLE'
+clean_mk CONFIG_SND_MSND_PINNACLE sound/isa/msnd/Makefile
+
+announce SND_MSND_CLASSIC - "Support for Turtle Beach MultiSound Classic, Tahiti, Monterey"
+clean_blob sound/isa/msnd/msnd_classic.h
+clean_kconfig sound/isa/Kconfig 'SND_MSND_CLASSIC'
+clean_mk CONFIG_SND_MSND_CLASSIC sound/isa/msnd/Makefile
+
+announce SOUND_MSNDCLAS - "Support for Turtle Beach MultiSound Classic, Tahiti, Monterey (oss)"
+clean_blob sound/oss/msnd_classic.h
+clean_kconfig sound/oss/Kconfig 'SOUND_MSNDCLAS'
+clean_sed '
+/^config MSNDCLAS_INIT_FILE$/, /^config / {
+ /^ default.*msndinit\.bin/ s,".*","/*(DEBLOBBED)*/",;
+}
+/^config MSNDCLAS_PERM_FILE$/, /^config / {
+ /^ default.*msndperm\.bin/ s,".*","/*(DEBLOBBED)*/",;
+}' sound/oss/Kconfig 'removed default firmware'
+clean_mk CONFIG_SOUND_MSNDCLAS sound/oss/Makefile
+
+announce SOUND_MSNDPIN - "Support for Turtle Beach MultiSound Pinnacle (oss)"
+clean_blob sound/oss/msnd_pinnacle.h
+clean_kconfig sound/oss/Kconfig 'SOUND_MSNDPIN'
+clean_sed '
+/^config MSNDPIN_INIT_FILE$/, /^config / {
+ /^ default.*pndspini\.bin/ s,".*","/*(DEBLOBBED)*/",;
+}
+/^config MSNDPIN_PERM_FILE$/, /^config / {
+ /^ default.*pndsperm\.bin/ s,".*","/*(DEBLOBBED)*/",;
+}' sound/oss/Kconfig 'removed default firmware'
+clean_mk CONFIG_SOUND_MSNDPIN sound/oss/Makefile
+
+announce SND_SSCAPE - "Ensoniq SoundScape driver"
+reject_firmware sound/isa/sscape.c
+clean_blob sound/isa/sscape.c
+clean_sed '
+/^config SND_SSCAPE$/, /^config / {
+ s,"\(scope\|sndscape\)\.co[d?]","/*(DEBLOBBED)*/",g;
+}' sound/isa/Kconfig 'removed firmware names'
+clean_kconfig sound/isa/Kconfig 'SND_SSCAPE'
+clean_mk CONFIG_SND_SSCAPE sound/isa/Makefile
+
+announce SND_SOC_ADAU1701 - "ADAU1701 SigmaDSP processor"
+clean_blob sound/soc/codecs/adau1701.c
+clean_kconfig sound/soc/codecs/Kconfig 'SND_SOC_ADAU1701'
+clean_mk CONFIG_SND_SOC_ADAU1701 sound/soc/codecs/Makefile
+
+announce SND_SOC_SIGMADSP - "SigmaStudio firmware loader"
+maybe_reject_firmware sound/soc/codecs/sigmadsp.c
+
+announce SND_SOC_WM0010 - "WM0010 DSP driver"
+reject_firmware sound/soc/codecs/wm0010.c
+clean_blob sound/soc/codecs/wm0010.c
+clean_kconfig sound/soc/codecs/Kconfig 'SND_SOC_WM0010'
+clean_mk CONFIG_SND_SOC_WM0010 sound/soc/codecs/Makefile
+
+# It's not clear that wm2000_anc.bin is pure data.
+# Check with developer, clean up for now.
+announce SND_SOC_WM2000 - "WM2000 ALSA Soc Audio codecs"
+reject_firmware sound/soc/codecs/wm2000.c
+clean_blob sound/soc/codecs/wm2000.c
+clean_kconfig sound/soc/codecs/Kconfig 'SND_SOC_WM2000'
+clean_mk CONFIG_SND_SOC_WM2000 sound/soc/codecs/Makefile
+
+announce SND_SOC_WM8994 - "WM8994 ALSA Soc Audio codecs"
+reject_firmware sound/soc/codecs/wm8958-dsp2.c
+clean_blob sound/soc/codecs/wm8958-dsp2.c
+clean_kconfig sound/soc/codecs/Kconfig 'SND_SOC_WM8994'
+clean_mk CONFIG_SND_SOC_WM8994 sound/soc/codecs/Makefile
+
+# The coeff files might be pure data, but the wmfw surely aren't.
+announce SND_SOC_WM_ADSP - "Wolfson ADSP support"
+reject_firmware sound/soc/codecs/wm_adsp.c
+clean_blob sound/soc/codecs/wm_adsp.c
+clean_kconfig sound/soc/codecs/Kconfig 'SND_SOC_WM_ADSP'
+clean_mk CONFIG_SND_SOC_WM_ADSP sound/soc/codecs/Makefile
+
+announce SND_SOC_SH4_SIU - "ALSA SoC driver for Renesas SH7343, SH7722 SIU peripheral"
+reject_firmware sound/soc/sh/siu_dai.c
+clean_blob sound/soc/sh/siu_dai.c
+clean_kconfig sound/soc/sh/Kconfig 'SND_SOC_SH4_SIU'
+clean_mk CONFIG_SND_SOC_SH4_SIU sound/soc/sh/Makefile
+
+announce SOUND_TRIX - "MediaTrix AudioTrix Pro support"
+clean_blob sound/oss/trix.c
+clean_kconfig sound/oss/Kconfig 'SOUND_TRIX'
+clean_sed '
+/^config TRIX_BOOT_FILE$/, /^config / {
+ /^ default.*trxpro\.hex/ s,".*","/*(DEBLOBBED)*/",;
+}' sound/oss/Kconfig 'removed default firmware'
+clean_mk CONFIG_SOUND_TRIX sound/oss/Makefile
+
+announce SOUND_TRIX - "See above,"
+announce SOUND_PAS - "ProAudioSpectrum 16 support,"
+announce SOUND_SB - "100% Sound Blaster compatibles (SB16/32/64, ESS, Jazz16) support"
+clean_blob sound/oss/sb_common.c
+clean_kconfig sound/oss/Kconfig 'SOUND_PAS'
+clean_kconfig sound/oss/Kconfig 'SOUND_SB'
+clean_mk CONFIG_SOUND_PAS sound/oss/Makefile
+clean_mk CONFIG_SOUND_SB sound/oss/Makefile
+
+announce SOUND_PSS - "PSS (AD1848, ADSP-2115, ESC614) support"
+clean_sed 's,^\( [*] .*synth"\)\.$,\1/*.,' sound/oss/pss.c 'avoid nested comments'
+clean_blob sound/oss/pss.c
+clean_kconfig sound/oss/Kconfig 'SOUND_PSS'
+clean_sed '
+/^config PSS_BOOT_FILE$/, /^config / {
+ /^ default.*dsp001\.ld/ s,".*","/*(DEBLOBBED)*/",;
+}' sound/oss/Kconfig 'removed default firmware'
+clean_mk CONFIG_SOUND_PSS sound/oss/Makefile
+
+announce SND_USB_6FIRE - "TerraTec DMX 6Fire USB"
+reject_firmware sound/usb/6fire/firmware.c
+clean_blob sound/usb/6fire/firmware.c
+clean_kconfig sound/usb/Kconfig 'SND_USB_6FIRE'
+clean_mk 'CONFIG_SND_USB_6FIRE' sound/usb/6fire/Makefile
+
+#################
+# Documentation #
+#################
+
+announce Documentation - "non-Free firmware scripts and documentation"
+clean_blob Documentation/dvb/avermedia.txt
+clean_blob Documentation/dvb/opera-firmware.txt
+clean_blob Documentation/sound/alsa/ALSA-Configuration.txt
+clean_blob Documentation/sound/oss/MultiSound
+clean_blob Documentation/sound/oss/PSS
+clean_blob Documentation/sound/oss/PSS-updates
+clean_blob Documentation/sound/oss/README.OSS
+clean_file Documentation/dvb/get_dvb_firmware
+clean_file Documentation/video4linux/extract_xc3028.pl
+clean_sed s,usb8388,whatever,g drivers/base/Kconfig 'removed blob name'
+clean_blob firmware/README.AddingFirmware
+clean_blob firmware/WHENCE
+
+if $errors; then
+ echo errors above were ignored because of --force >&2
+fi
+
+exit 0
diff --git a/freed-ora/current/master/deblob-check b/freed-ora/current/master/deblob-check
index 06f7f9749..7ea6dded2 100755
--- a/freed-ora/current/master/deblob-check
+++ b/freed-ora/current/master/deblob-check
@@ -1,6 +1,6 @@
#! /bin/sh
-# deblob-check version 2013-07-01
+# deblob-check version 2013-09-01
# Inspired in gNewSense's find-firmware script.
# Written by Alexandre Oliva <lxoliva@fsfla.org>
@@ -3392,12 +3392,218 @@ set_except () {
blobname 'fimc_is_fw\.bin' drivers/media/platform/exynos4-is/fimc-is.h
blobname 'setfile\.bin' drivers/media/platform/exynos4-is/fimc-is.h
blobname 'rtlwifi[/]rtl8188efw\.bin' drivers/net/wireless/rtlwifi/rtl8188ee/sw.c
+
+ # New in 3.11.
+ blobname 'imx[/]sdma[/]sdma-imx6sl\.bin' arch/arm/boot/dts/imx6sl.dtsi
+ initnc '[ ]linux,keymap[ ]=[ ]<' 'arch/arm/boot/dts/nspire-\(clp\|cx\|tp\)\.dts'
+ blobname '\(kernel[/]x86[/]microcode[/]\)\?AuthenticAMD\.bin' arch/x86/kernel/microcode_amd_early.c
+ initnc '[ ]*FMC:[ ]poor[ ]dump[ ]of[ ]sdb[ ]first[ ]level:' Documentation/fmc/parameters.txt
+ accept 'static[ ]int[\n ]cache_firmware[(]const[ ]char[ ][*]fw_name[)][\n][{]\([\n]\+[^\n}][^\n]*\)*ret[ ]=[ ]request_firmware[(][^\n]*\([\n]\+[^\n}][^\n]*\)*[\n]\+[}][\n]' drivers/base/firmware_class.c
+ defsnc 'static[ ]const[ ]int[ ]__initconst[ ]a370_\(nb\|h\|dram\)clk_ratios\[32\]\[2\][ ]=' drivers/clk/mvebu/armada-370.c
+ defsnc 'static[ ]const[ ]int[ ]__initconst[ ]axp_\(nb\|h\|dram\)clk_ratios\[32\]\[2\][ ]=' drivers/clk/mvebu/armada-xp.c
+ defsnc 'static[ ]const[ ]struct[ ]mV_pos[ ]\(vrm85\|mobilevrm\)_mV\[32\][ ]=' drivers/cpufreq/longhaul.h
+ defsnc 'static[ ]const[ ]unsigned[ ]char[ ]mV_\(vrm85\|mobilevrm\)\[32\][ ]=' drivers/cpufreq/longhaul.h
+ accept '[][ 0-9.]*fake-fmc-carrier:[ ]Mezzanine[ ]0:[ ]eeprom[ ]["]fdelay-eeprom\.bin["]' Documentation/fmc/fmc-fakedev.txt
+ accept '[][ 0-9.]*spec[ ][024:.]*[ ]got[ ]file[ ]["]fmc[/]spec-init\.bin["]' Documentation/fmc/fmc-write-eeprom.txt
+ defsnc 'static[ ]char[ ]ff_eeimg\[FF_MAX_MEZZANINES\]\[FF_EEPROM_SIZE\][ ]=' drivers/fmc/fmc-fakedev.c
+ accept '[ ]ret[ ]=[ ]request_firmware[(][&]fw[,][ ]gw[,][ ][&]fmc->dev[)][;]' drivers/fmc/fmc-fakedev.c
+ accept '[ ][ ]ret[ ]=[ ]request_firmware[(][&]fw[,][ ]ff_eeprom\[i\][,][ ][&]ff->dev[)][;]' drivers/fmc/fmc-fakedev.c
+ accept '[ ]if[ ][(][!]strcmp[(]last4[,][ ]["]\.bin["][)][)]' drivers/fmc/fmc-write-eeprom.c
+ accept '[ ]err[ ]=[ ]request_firmware[(][&]fw[,][ ]s[,][ ]dev[)][;]' drivers/fmc/fmc-write-eeprom.c
+ defsnc 'nvc0_grctx_init_\(icmd\|9097\|902d\|90c0\|unk40xx\|unk46xx\|unk78xx\|gpc_[01]\|tpc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc0.c
+ defsnc 'nvc1_grctx_init_\(icmd\|9097\|gpc_0\|tpc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c
+ defsnc 'nvc3_grctx_init_tpc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc3.c
+ defsnc 'nvc8_grctx_init_\(icmd\|tpc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc8.c
+ defsnc 'nvd7_grctx_init_\(unk40xx\|unk58xx\|gpc_0\|tpc\|unk\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c
+ defsnc 'nvd9_grctx_init_\(icmd\|90c0\|unk40xx\|unk58xx\|gpc_0\|tpc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c
+ defsnc 'nve4_grctx_init_\(icmd\|a097\|unk40xx\|unk46xx\|unk58xx\|unk64xx\|rop\|gpc_0\|tpc\|unk\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnve4.c
+ defsnc 'nvf0_grctx_init_\(unk40xx\|unk64xx\|unk88xx\|gpc_0\|tpc\|unk\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvf0.c
+ defsnc 'uint32_t[ ]nvd7_grgpc_code\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvd7.fuc.h
+ defsnc 'uint32_t[ ]nvf0_grgpc_code\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvf0.fuc.h
+ defsnc 'uint32_t[ ]nvd7_grhub_\(data\|code\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvd7.fuc.h
+ defsnc 'uint32_t[ ]nvf0_grhub_\(data\|code\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvf0.fuc.h
+ defsnc 'nvc0_graph_init_\(regs\|[gt]pc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc0.c
+ defsnc 'nvc1_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc1.c
+ defsnc 'nvc3_graph_init_tpc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc3.c
+ defsnc 'nvc8_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc8.c
+ defsnc 'nvd7_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvd7.c
+ defsnc 'nvd9_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvd9.c
+ defsnc 'nve4_graph_init_\(regs\|[gt]pc\|unk\|unk88xx\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nve4.c
+ defsnc 'nvf0_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvf0.c
+ defsnc '[ ][}][ ]magic\[\][ ]=[ ][{][\n][ ][ ][{][ ]0x020520[,]' drivers/gpu/drm/nouveau/core/engine/graph/nvf0.c
+ blobname 'nouveau[/]nv84_xuc%03x' drivers/gpu/drm/nouveau/core/engine/graph/xtensa.c
+ defsnc 'nv50_fb_memtype\[0x80\][ ]=' drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
+ defsnc 'static[ ]const[ ]u32[ ]\(barts\|caicos\|turks\)_\(\(cgcg_cgls\|sysls\)_\(default\|disable\|enable\)\|mgcg_default\)\[\][ ]=' drivers/gpu/drm/radeon/btc_dpm.c
+ defsnc 'u32[ ]btc_valid_sclk\[40\][ ]=' drivers/gpu/drm/radeon/btc_dpm.c
+ defsnc 'static[ ]const[ ]u32[ ]\(bonaire\|spectre\|kalindi\)_\(golden_registers\|mgcg_cgcg_init\)\[\][ ]=' drivers/gpu/drm/radeon/cik.c
+ defsnc 'static[ ]const[ ]u32[ ]bonaire_io_mc_regs\[BONAIRE_IO_MC_REGS_SIZE\]\[2\][ ]=' drivers/gpu/drm/radeon/cik.c
+ blobname 'radeon[/]\(BONAIRE\|KAVERI\|KABINI\|%s\)_\(pfp\|[mc]ec\?\|rlc\|s\?mc\|sdma\)\.bin' drivers/gpu/drm/radeon/cik.c
+ defsnc 'static[ ]u32[ ]sumo_rlc_save_restore_register_list\[\][ ]=' drivers/gpu/drm/radeon/evergreen.c
+ defsnc 'static[ ]u32[ ]tn_rlc_save_restore_register_list\[\][ ]=' drivers/gpu/drm/radeon/ni.c
+ blobname 'radeon[/]\(BARTS\|BTC\|TURKS\|CAICOS\|%s\)_\(pfp\|m[ec]\|rlc\|smc\)\.bin' 'drivers/gpu/drm/radeon/[ns]i\.c'
+ defsnc 'static[ ]const[ ]struct[ ]ni_cac_weights[ ]cac_weights_cayman_\(xt\|pro\|le\)[ ]=' drivers/gpu/drm/radeon/ni_dpm.c
+ blobname 'radeon[/]\(R\([67]0\|V6[1237]\|S7[1378]\)[05]\|CEDAR\|REDWOOD\|JUNIPER\|CYPRESS\|SUMO2\?\|%s\)_\(pfp\|[mc]e\|rlc\|s\?mc\)\.bin' drivers/gpu/drm/radeon/r600.c
+ defsnc 'static[ ]const[ ]u32[ ]cayman_\(\(cgcg_cgls\|sysls\)_\(default\|disable\|enable\)\|mgcg_default\)\[\][ ]=' drivers/gpu/drm/radeon/ni_dpm.c
+ blobname 'radeon[/]BONAIRE_uvd\.bin' drivers/gpu/drm/radeon/radeon_uvd.c
+ blobname 'radeon[/]\(TAHITI\|PITCARIN\|VERDE\|OLAND\|HAINAN\|%s\)_\(pfp\|[mc]e\|rlc\|s\?mc\)\.bin' drivers/gpu/drm/radeon/si.c
+ defsnc 'static[ ]struct[ ]dll_speed_setting[ ]dll_speed_table\[16\][ ]=' drivers/gpu/drm/radeon/rv740_dpm.c
+ defsnc 'static[ ]const[ ]u8[ ]\(rv7[7314]0\|cedar\|redwood\|juniper\|cypress\|barts\|turks\|caicos\|cayman\)_smc_int_vectors\[\][ ]=' drivers/gpu/drm/radeon/rv770_smc.c
+ defsnc 'static[ ]const[ ]struct[ ]si_dte_data[ ]dte_data_\(tahiti\(_le\|_pro\)\?\|new_zealand\|aruba_pro\|malta\|pitcairn\|curacao_\(xt\|pro\)\|neptune_xt\|cape_verde\|venus_\(xtx\?\|pro\)\|oland\|mars_pro\|sun_xt\)[ ]=' drivers/gpu/drm/radeon/si_dpm.c
+ defsnc 'static[ ]const[ ]u32[ ]trinity_\(mgcg_shls_default\|sysls_\(default\|disable\|enable\)\|override_mgpg_sequences\)\[\][ ]=' drivers/gpu/drm/radeon/trinity_dpm.c
+ defsnc 'static[ ]const[ ]unsigned[ ]char[ ]hex_table\[256\][ ]=' drivers/md/dm-switch.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]wm5102_revb_patch\[\][ ]=' drivers/mfd/wm5102-tables.c
+ blobname 'c\(b\|t2\?\)fw-3\.2\.1\.0\.bin' 'drivers/\(net/ethernet/brocade/bna/cna\.h\|scsi/bfa/bfad\.c\)'
+ blobname 'rtl_nic[/]rtl8411-2\.fw' drivers/net/ethernet/realtek/r8169.c
+ blobname 'ath10k[/]QCA988X[/]hw[12]\.0' drivers/net/wireless/ath/ath10k/hw.h
+ blobname '\(ath10k[/]QCA988X[/]hw[12]\.0[/]\)\?\(firmware\|otp\|board\)\.bin' drivers/net/wireless/ath/ath10k/hw.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_modes_mix_ob_db_tx_gain_table_2p0\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_2p0_5g_xlna_only_rxgain\[\]\[2\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_2p1_\(\(mac\|baseband\|radio\)_core\|common_\(mixed_\|wo_xlna_\|5g_xlna_only_\)\?rx_gain\)\[\]\[2\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p1_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_2p1_\(\(mac\|baseband\)_postamble\|modes_\(low\|high\|mix\)_ob_db_tx_gain\)\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p1_initvals.h
+ blobname '\(boot_cw1x60\|\(wsm\|sdd\)_\(cw1x60\|22\|20\|11\|10\)\)\.bin' drivers/net/wireless/cw1200/fwio.h
+ accept '[ ][*][ ]4\.[ ]save[ ]as[ ]["]iNVM_xxx\.bin["]' drivers/net/wireless/iwlwifi/mvm/nvm.c
+ accept 'static[ ]const[ ]struct[ ]mwifiex_sdio_device[ ]mwifiex_sdio_sd[^ ]*[ ]=[ ][{][\n][ ]*\.firmware[ ]=' drivers/net/wireless/mwifiex/sdio.h
+ blobname 'sdd_sagrad_1091_1098\.bin' 'drivers/net/wireless/cw1200/cw1200_sdio\.c\|include/linux/platform_data/net-cw1200\.h'
+ accept '[/][*][ ]An[ ]example[^*]*[\n][ ]*\.sdd_file[ ]=[ ]["]sdd_\(sagrad_1091_1098\|myplatform\)\.bin["][,]' include/linux/platform_data/net-cw1200.h
+ defsnc 'static[ ]unsigned[ ]const[ ]score_pins\[BYT_NGPIO_SCORE\][ ]=' drivers/pinctrl/pinctrl-baytrail.c
+ defsnc 'static[ ]unsigned[ ]const[ ]sus_pins\[BYT_NGPIO_SUS\][ ]=' drivers/pinctrl/pinctrl-baytrail.c
+ defsnc 'static[ ]const[ ]unsigned[ ]int[ ]bsc_data32_pins\[\][ ]=' drivers/pinctrl/pinctrl-baytrail.c
+ blobname 'mt76\(50\|62\)\.bin' drivers/staging/btmtk_usb/btmtk_usb.c
+ accept '[ ]*data->firmware[ ]=[ ]firmware[;]' drivers/staging/btmtk_usb/btmtk_usb.c
+ accept '[ ]\[CODE_IMX\(27\|53\)\][ ]=[ ][{][\n][ ][ ]\.firmware[ ]*=' drivers/media/platform/coda.c
+ blobname 'exynos4_\(fimc_is_fw\|s5k6a3_setfile\)\?\.bin' drivers/media/platform/exynos4-is/fimc-is.h
+ accept '[ ]*ret[ ]=[ ]process_sigma_firmware[(]client[,][ ]ADAU1701_FIRMWARE[)][;]' sound/soc/codecs/adau1701.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]rt5640_reg\[RT5640_VENDOR_ID2[ ][+][ ]1\][ ]=' sound/soc/codecs/rt5640.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]ssm2518_reg_defaults\[\][ ]=' sound/soc/codecs/ssm2518.c
;;
*/*freedo*.patch | */*logo*.patch)
accept 'P[13]\([\n]#[^\n]*\)*[\n]*\([\n][0-9 ]*\)\+' drivers/video/logo/logo_libre_clut224.ppm
;;
+ */patch-3.10*)
+ # Matches for the reversed patch.
+ accept '[ ]*interrupts[ ]=[ ]<\(0[ ]1[0-4][0-9][ ]0x04[ \n]*\)*>[;]' 'arch/arm/boot/dts/tegra[23]0\.dtsi'
+ defsnc 'static[ ]const[ ]struct[ ]phy_reg[ ]exynos4_sataphy_\(cmu\|\(com\)\?lane\)\[\][ ]=' arch/arm/mach-exynos4/dev-ahci.c
+ accept '[ ]return[ ]_request_firmware[(]firmware_p[,]' drivers/base/firmware_class.c
+ defsnc 'static[ ]const[ ]int[ ]__initconst[ ]armada_370_xp_\(nb\|h\|dram\)clk_ratios\[32\]\[2\][ ]=' drivers/clk/mvebu/clk-core.c
+ defsnc 'static[ ]const[ ]struct[ ]mV_pos[ ]__cpuinitconst[ ]\(vrm85\|mobilevrm\)_mV\[32\][ ]=' drivers/cpufreq/longhaul.h
+ defsnc 'static[ ]const[ ]unsigned[ ]char[ ]__cpuinitconst[ ]mV_\(vrm85\|mobilevrm\)\[32\][ ]=' drivers/cpufreq/longhaul.h
+ defsnc 'static[ ]const[ ]struct[ ]wrpll_tmds_clock[ ]wrpll_tmds_clock_table\[\][ ]=' drivers/gpu/drm/i915/intel_ddi.c
+ defsnc 'static[ ]int[ ]types\[0x80\][ ]=' drivers/gpu/drm/nouveau/nv50_vram.c
+ defsnc '[ ]*static[ ]const[ ]u8[ ]arp_req\[36\][ ]=' drivers/staging/csr/sme_sys.c
+ defsnc '[ ]unsigned[ ]char[ ]regs\[128\][ ]=' drivers/staging/solo6x10/solo6010-tw28.c
+ # Matches of changes from 3.10 adjusted for patch.
+ accept '[ ]-[ ]request_firmware[(][)][ ]hotplug[ ]interface[ ]info.' Documentation/00-INDEX
+ accept '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?static[ ]int[ ]_request_firmware' drivers/base/firmware_class.c
+ accept '[ ]return[ ]_request_firmware_load[(]fw_priv[,]' drivers/base/firmware_class.c
+ accept '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?_request_firmware' drivers/base/firmware_class.c
+ accept 'request_firmware\(_nowait\)\?[(]' drivers/base/firmware_class.c
+ accept '[ ]ret[ ]=[ ]_request_firmware[(]' drivers/base/firmware_class.c
+ accept '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?request_firmware_nowait[(]' drivers/base/firmware_class.c
+ initnc '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?uint32_t[ ]nvc0_grgpc_\(data\|code\)\[\][ ]=[ ][{]\([*][/][;]\)\?' drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvc0.fuc.h
+ initnc '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?uint32_t[ ]nve0_grgpc_\(data\|code\)\[\][ ]=[ ][{]\([*][/][;]\)\?' drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnve0.fuc.h
+ initnc '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?uint32_t[ ]nvc0_grhub_\(data\|code\)\[\][ ]=[ ][{]\([*][/][;]\)\?' drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvc0.fuc.h
+ initnc '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?uint32_t[ ]nve0_grhub_\(data\|code\)\[\][ ]=[ ][{]\([*][/][;]\)\?' drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnve0.fuc.h
+ initnc '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?static[ ]const[ ]u32[ ]ar9462_2p0_baseband_pos\([*][/][;]\)\?' drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
+ accept '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?int[ ]request_firmware_nowait[(]' include/linux/firmware.h
+ accept 'static[ ]inline[ ]int[ ]request_firmware\?[(]' include/linux/firmware.h
+ # Present in 3.10, modified in 3.11 patch:
+ accept 'EXPORT_SYMBOL[(]request_firmware\(_nowait\)\?[)][;]' drivers/base/firmware_class.c
+ defsnc 'static[ ]const[ ]int[ ]__initconst[ ]\(dove\|kirkwood\)_cpu_ddr_ratios\[16\]\[2\][ ]=' drivers/clk/mvebu/clk-core.c
+ accept '[ ][ ]priv->firmware[ ]=[ ]true[;]' drivers/gpu/drm/nouveau/core/engine/graph/nvc0.c
+ accept '[ ]bp->firmware[ ]=[ ]NULL[;]' drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+ accept '[ ][ ]card->firmware[ ]=[ ]data->firmware[;]' drivers/bluetooth/btmrvl_sdio.c
+ defsnc '[ ]BYTE[ ]data_ptr\[36\][ ]=' 'drivers/staging/keucr/\(ms\|s[dm]\)scsi\.c'
+ defsnc 'omap4430_adc_to_temp\[OMAP4430_ADC_END_VALUE[ ]-[ ]OMAP4430_ADC_START_VALUE[ ][+][ ]1\][ ]=' drivers/staging/oma-thermal/omap4-thermal.c
+ defsnc 'omap4460_adc_to_temp\[OMAP4460_ADC_END_VALUE[ ]-[ ]OMAP4460_ADC_START_VALUE[ ][+][ ]1\][ ]=' drivers/staging/oma-thermal/omap4-thermal.c
+ accept 'P[13]\([\n]#[^\n]*\)*[\n]*\([\n][0-9 ]*\)\+' drivers/video/logo/logo_linux_clut224.ppm
+ defsnc '[}][ ]nec_8048_init_seq\[\][ ]=' drivers/video/omap2/displays/panel-nec-nl8048hl11-01b.c
+ defsnc '[ ][ ]degrade_factor\[CPU_LOAD_IDX_MAX\]\[DEGRADE_SHIFT[ ][+][ ]1\][ ]=' kernel/sched.c
+ # New in 3.11.
+ blobname 'imx[/]sdma[/]sdma-imx6sl\.bin' arch/arm/boot/dts/imx6sl.dtsi
+ initnc '[ ]linux,keymap[ ]=[ ]<' 'arch/arm/boot/dts/nspire-\(clp\|cx\|tp\)\.dts'
+ blobname '\(kernel[/]x86[/]microcode[/]\)\?AuthenticAMD\.bin' arch/x86/kernel/microcode_amd_early.c
+ initnc '[ ]*FMC:[ ]poor[ ]dump[ ]of[ ]sdb[ ]first[ ]level:' Documentation/fmc/parameters.txt
+ accept 'static[ ]int[\n ]cache_firmware[(]const[ ]char[ ][*]fw_name[)][\n][{]\([\n]\+[^\n}][^\n]*\)*ret[ ]=[ ]request_firmware[(][^\n]*\([\n]\+[^\n}][^\n]*\)*[\n]\+[}][\n]' drivers/base/firmware_class.c
+ defsnc 'static[ ]const[ ]int[ ]__initconst[ ]a370_\(nb\|h\|dram\)clk_ratios\[32\]\[2\][ ]=' drivers/clk/mvebu/armada-370.c
+ defsnc 'static[ ]const[ ]int[ ]__initconst[ ]axp_\(nb\|h\|dram\)clk_ratios\[32\]\[2\][ ]=' drivers/clk/mvebu/armada-xp.c
+ defsnc 'static[ ]const[ ]struct[ ]mV_pos[ ]\(vrm85\|mobilevrm\)_mV\[32\][ ]=' drivers/cpufreq/longhaul.h
+ defsnc 'static[ ]const[ ]unsigned[ ]char[ ]mV_\(vrm85\|mobilevrm\)\[32\][ ]=' drivers/cpufreq/longhaul.h
+ accept '[][ 0-9.]*fake-fmc-carrier:[ ]Mezzanine[ ]0:[ ]eeprom[ ]["]fdelay-eeprom\.bin["]' Documentation/fmc/fmc-fakedev.txt
+ accept '[][ 0-9.]*spec[ ][024:.]*[ ]got[ ]file[ ]["]fmc[/]spec-init\.bin["]' Documentation/fmc/fmc-write-eeprom.txt
+ defsnc 'static[ ]char[ ]ff_eeimg\[FF_MAX_MEZZANINES\]\[FF_EEPROM_SIZE\][ ]=' drivers/fmc/fmc-fakedev.c
+ accept '[ ]ret[ ]=[ ]request_firmware[(][&]fw[,][ ]gw[,][ ][&]fmc->dev[)][;]' drivers/fmc/fmc-fakedev.c
+ accept '[ ][ ]ret[ ]=[ ]request_firmware[(][&]fw[,][ ]ff_eeprom\[i\][,][ ][&]ff->dev[)][;]' drivers/fmc/fmc-fakedev.c
+ accept '[ ]if[ ][(][!]strcmp[(]last4[,][ ]["]\.bin["][)][)]' drivers/fmc/fmc-write-eeprom.c
+ accept '[ ]err[ ]=[ ]request_firmware[(][&]fw[,][ ]s[,][ ]dev[)][;]' drivers/fmc/fmc-write-eeprom.c
+ defsnc 'nvc0_grctx_init_\(icmd\|9097\|902d\|90c0\|unk40xx\|unk46xx\|unk78xx\|gpc_[01]\|tpc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc0.c
+ defsnc 'nvc1_grctx_init_\(icmd\|9097\|gpc_0\|tpc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c
+ defsnc 'nvc3_grctx_init_tpc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc3.c
+ defsnc 'nvc8_grctx_init_\(icmd\|tpc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc8.c
+ defsnc 'nvd7_grctx_init_\(unk40xx\|unk58xx\|gpc_0\|tpc\|unk\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c
+ defsnc 'nvd9_grctx_init_\(icmd\|90c0\|unk40xx\|unk58xx\|gpc_0\|tpc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c
+ defsnc 'nve4_grctx_init_\(icmd\|a097\|unk40xx\|unk46xx\|unk58xx\|unk64xx\|rop\|gpc_0\|tpc\|unk\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnve4.c
+ defsnc 'nvf0_grctx_init_\(unk40xx\|unk64xx\|unk88xx\|gpc_0\|tpc\|unk\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvf0.c
+ defsnc 'uint32_t[ ]nvd7_grgpc_code\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvd7.fuc.h
+ defsnc 'uint32_t[ ]nvf0_grgpc_code\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnvf0.fuc.h
+ defsnc 'uint32_t[ ]nvd7_grhub_\(data\|code\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvd7.fuc.h
+ defsnc 'uint32_t[ ]nvf0_grhub_\(data\|code\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnvf0.fuc.h
+ defsnc 'nvc0_graph_init_\(regs\|[gt]pc\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc0.c
+ defsnc 'nvc1_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc1.c
+ defsnc 'nvc3_graph_init_tpc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc3.c
+ defsnc 'nvc8_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc8.c
+ defsnc 'nvd7_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvd7.c
+ defsnc 'nvd9_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvd9.c
+ defsnc 'nve4_graph_init_\(regs\|[gt]pc\|unk\|unk88xx\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nve4.c
+ defsnc 'nvf0_graph_init_[gt]pc\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvf0.c
+ defsnc '[ ][}][ ]magic\[\][ ]=[ ][{][\n][ ][ ][{][ ]0x020520[,]' drivers/gpu/drm/nouveau/core/engine/graph/nvf0.c
+ blobname 'nouveau[/]nv84_xuc%03x' drivers/gpu/drm/nouveau/core/engine/graph/xtensa.c
+ defsnc 'nv50_fb_memtype\[0x80\][ ]=' drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
+ defsnc 'static[ ]const[ ]u32[ ]\(barts\|caicos\|turks\)_\(\(cgcg_cgls\|sysls\)_\(default\|disable\|enable\)\|mgcg_default\)\[\][ ]=' drivers/gpu/drm/radeon/btc_dpm.c
+ defsnc 'u32[ ]btc_valid_sclk\[40\][ ]=' drivers/gpu/drm/radeon/btc_dpm.c
+ defsnc 'static[ ]const[ ]u32[ ]\(bonaire\|spectre\|kalindi\)_\(golden_registers\|mgcg_cgcg_init\)\[\][ ]=' drivers/gpu/drm/radeon/cik.c
+ defsnc 'static[ ]const[ ]u32[ ]bonaire_io_mc_regs\[BONAIRE_IO_MC_REGS_SIZE\]\[2\][ ]=' drivers/gpu/drm/radeon/cik.c
+ blobname 'radeon[/]\(BONAIRE\|KAVERI\|KABINI\|%s\)_\(pfp\|[mc]ec\?\|rlc\|s\?mc\|sdma\)\.bin' drivers/gpu/drm/radeon/cik.c
+ defsnc 'static[ ]u32[ ]sumo_rlc_save_restore_register_list\[\][ ]=' drivers/gpu/drm/radeon/evergreen.c
+ defsnc 'static[ ]u32[ ]tn_rlc_save_restore_register_list\[\][ ]=' drivers/gpu/drm/radeon/ni.c
+ blobname 'radeon[/]\(BARTS\|BTC\|TURKS\|CAICOS\|%s\)_\(pfp\|m[ec]\|rlc\|smc\)\.bin' 'drivers/gpu/drm/radeon/[ns]i\.c'
+ defsnc 'static[ ]const[ ]struct[ ]ni_cac_weights[ ]cac_weights_cayman_\(xt\|pro\|le\)[ ]=' drivers/gpu/drm/radeon/ni_dpm.c
+ blobname 'radeon[/]\(R\([67]0\|V6[1237]\|S7[1378]\)[05]\|CEDAR\|REDWOOD\|JUNIPER\|CYPRESS\|SUMO2\?\|%s\)_\(pfp\|[mc]e\|rlc\|s\?mc\)\.bin' drivers/gpu/drm/radeon/r600.c
+ defsnc 'static[ ]const[ ]u32[ ]cayman_\(\(cgcg_cgls\|sysls\)_\(default\|disable\|enable\)\|mgcg_default\)\[\][ ]=' drivers/gpu/drm/radeon/ni_dpm.c
+ blobname 'radeon[/]BONAIRE_uvd\.bin' drivers/gpu/drm/radeon/radeon_uvd.c
+ blobname 'radeon[/]\(TAHITI\|PITCARIN\|VERDE\|OLAND\|HAINAN\|%s\)_\(pfp\|[mc]e\|rlc\|s\?mc\)\.bin' drivers/gpu/drm/radeon/si.c
+ defsnc 'static[ ]struct[ ]dll_speed_setting[ ]dll_speed_table\[16\][ ]=' drivers/gpu/drm/radeon/rv740_dpm.c
+ defsnc 'static[ ]const[ ]u8[ ]\(rv7[7314]0\|cedar\|redwood\|juniper\|cypress\|barts\|turks\|caicos\|cayman\)_smc_int_vectors\[\][ ]=' drivers/gpu/drm/radeon/rv770_smc.c
+ defsnc 'static[ ]const[ ]struct[ ]si_dte_data[ ]dte_data_\(tahiti\(_le\|_pro\)\?\|new_zealand\|aruba_pro\|malta\|pitcairn\|curacao_\(xt\|pro\)\|neptune_xt\|cape_verde\|venus_\(xtx\?\|pro\)\|oland\|mars_pro\|sun_xt\)[ ]=' drivers/gpu/drm/radeon/si_dpm.c
+ defsnc 'static[ ]const[ ]u32[ ]trinity_\(mgcg_shls_default\|sysls_\(default\|disable\|enable\)\|override_mgpg_sequences\)\[\][ ]=' drivers/gpu/drm/radeon/trinity_dpm.c
+ defsnc 'static[ ]const[ ]unsigned[ ]char[ ]hex_table\[256\][ ]=' drivers/md/dm-switch.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]wm5102_revb_patch\[\][ ]=' drivers/mfd/wm5102-tables.c
+ blobname 'c\(b\|t2\?\)fw-3\.2\.1\.0\.bin' 'drivers/\(net/ethernet/brocade/bna/cna\.h\|scsi/bfa/bfad\.c\)'
+ blobname 'rtl_nic[/]rtl8411-2\.fw' drivers/net/ethernet/realtek/r8169.c
+ blobname 'ath10k[/]QCA988X[/]hw[12]\.0' drivers/net/wireless/ath/ath10k/hw.h
+ blobname '\(ath10k[/]QCA988X[/]hw[12]\.0[/]\)\?\(firmware\|otp\|board\)\.bin' drivers/net/wireless/ath/ath10k/hw.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_modes_mix_ob_db_tx_gain_table_2p0\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_2p0_5g_xlna_only_rxgain\[\]\[2\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_2p1_\(\(mac\|baseband\|radio\)_core\|common_\(mixed_\|wo_xlna_\|5g_xlna_only_\)\?rx_gain\)\[\]\[2\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p1_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_2p1_\(\(mac\|baseband\)_postamble\|modes_\(low\|high\|mix\)_ob_db_tx_gain\)\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p1_initvals.h
+ blobname '\(boot_cw1x60\|\(wsm\|sdd\)_\(cw1x60\|22\|20\|11\|10\)\)\.bin' drivers/net/wireless/cw1200/fwio.h
+ accept '[ ][*][ ]4\.[ ]save[ ]as[ ]["]iNVM_xxx\.bin["]' drivers/net/wireless/iwlwifi/mvm/nvm.c
+ accept 'static[ ]const[ ]struct[ ]mwifiex_sdio_device[ ]mwifiex_sdio_sd[^ ]*[ ]=[ ][{][\n][ ]*\.firmware[ ]=' drivers/net/wireless/mwifiex/sdio.h
+ blobname 'sdd_sagrad_1091_1098\.bin' 'drivers/net/wireless/cw1200/cw1200_sdio\.c\|include/linux/platform_data/net-cw1200\.h'
+ accept '[/][*][ ]An[ ]example[^*]*[\n][ ]*\.sdd_file[ ]=[ ]["]sdd_\(sagrad_1091_1098\|myplatform\)\.bin["][,]' include/linux/platform_data/net-cw1200.h
+ defsnc 'static[ ]unsigned[ ]const[ ]score_pins\[BYT_NGPIO_SCORE\][ ]=' drivers/pinctrl/pinctrl-baytrail.c
+ defsnc 'static[ ]unsigned[ ]const[ ]sus_pins\[BYT_NGPIO_SUS\][ ]=' drivers/pinctrl/pinctrl-baytrail.c
+ defsnc 'static[ ]const[ ]unsigned[ ]int[ ]bsc_data32_pins\[\][ ]=' drivers/pinctrl/pinctrl-baytrail.c
+ blobname 'mt76\(50\|62\)\.bin' drivers/staging/btmtk_usb/btmtk_usb.c
+ accept '[ ]*data->firmware[ ]=[ ]firmware[;]' drivers/staging/btmtk_usb/btmtk_usb.c
+ accept '[ ]\[CODE_IMX\(27\|53\)\][ ]=[ ][{][\n][ ][ ]\.firmware[ ]*=' drivers/media/platform/coda.c
+ blobname 'exynos4_\(fimc_is_fw\|s5k6a3_setfile\)\?\.bin' drivers/media/platform/exynos4-is/fimc-is.h
+ accept '[ ]*ret[ ]=[ ]process_sigma_firmware[(]client[,][ ]ADAU1701_FIRMWARE[)][;]' sound/soc/codecs/adau1701.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]rt5640_reg\[RT5640_VENDOR_ID2[ ][+][ ]1\][ ]=' sound/soc/codecs/rt5640.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]ssm2518_reg_defaults\[\][ ]=' sound/soc/codecs/ssm2518.c
+ ;;
+
*/patch-3.9*)
initnc '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?static[ ]const[ ]u32[ ]ar9485_1_1_baseband_pos\([*][/][;]\)\?' drivers/net/wireless/ath/ath9k/ar9485_initvals.h
accept '\([;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]\)\?static[ ]int[ ]_request_firmware_load\(struct[*][/][;]\)\?' drivers/base/firmware_class.c
diff --git a/freed-ora/current/master/devel-pekey-secure-boot-20130502.patch b/freed-ora/current/master/devel-pekey-secure-boot-20130502.patch
deleted file mode 100644
index 703bbf5ad..000000000
--- a/freed-ora/current/master/devel-pekey-secure-boot-20130502.patch
+++ /dev/null
@@ -1,5912 +0,0 @@
-From 888c361d20210d39863ba6f2b71adb84e0a926a7 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 18 Jan 2013 13:53:35 +0000
-Subject: [PATCH 01/47] KEYS: Load *.x509 files into kernel keyring
-
-Load all the files matching the pattern "*.x509" that are to be found in kernel
-base source dir and base build dir into the module signing keyring.
-
-The "extra_certificates" file is then redundant.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- kernel/Makefile | 35 +++++++++++++++++++++++++++++------
- kernel/modsign_certificate.S | 3 +--
- 2 files changed, 30 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/Makefile b/kernel/Makefile
-index d1574d4..64c97da 100644
---- a/kernel/Makefile
-+++ b/kernel/Makefile
-@@ -141,17 +141,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
- $(call if_changed,bc)
-
- ifeq ($(CONFIG_MODULE_SIG),y)
-+###############################################################################
- #
--# Pull the signing certificate and any extra certificates into the kernel
-+# Roll all the X.509 certificates that we can find together and pull
-+# them into the kernel.
- #
-+###############################################################################
-+X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
-+X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
-+X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
-+
-+ifeq ($(X509_CERTIFICATES),)
-+$(warning *** No X.509 certificates found ***)
-+endif
-+
-+ifneq ($(wildcard $(obj)/.x509.list),)
-+ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
-+$(info X.509 certificate list changed)
-+$(shell rm $(obj)/.x509.list)
-+endif
-+endif
-+
-+kernel/modsign_certificate.o: $(obj)/x509_certificate_list
-
--quiet_cmd_touch = TOUCH $@
-- cmd_touch = touch $@
-+quiet_cmd_x509certs = CERTS $@
-+ cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@
-+targets += $(obj)/x509_certificate_list
-+$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
-+ $(call if_changed,x509certs)
-
--extra_certificates:
-- $(call cmd,touch)
-+targets += $(obj)/.x509.list
-+$(obj)/.x509.list:
-+ @echo $(X509_CERTIFICATES) >$@
-
--kernel/modsign_certificate.o: signing_key.x509 extra_certificates
-+clean-files := x509_certificate_list .x509.list
-
- ###############################################################################
- #
-diff --git a/kernel/modsign_certificate.S b/kernel/modsign_certificate.S
-index 246b4c6..0a60203 100644
---- a/kernel/modsign_certificate.S
-+++ b/kernel/modsign_certificate.S
-@@ -14,6 +14,5 @@
- .section ".init.data","aw"
-
- GLOBAL(modsign_certificate_list)
-- .incbin "signing_key.x509"
-- .incbin "extra_certificates"
-+ .incbin "kernel/x509_certificate_list"
- GLOBAL(modsign_certificate_list_end)
---
-1.8.1.4
-
-
-From 26a6bf8ffbe82d706c6de06746d760d9bc425ee5 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 18:39:54 +0000
-Subject: [PATCH 02/47] KEYS: Separate the kernel signature checking keyring
- from module signing
-
-Separate the kernel signature checking keyring from module signing so that it
-can be used by code other than the module-signing code.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- include/keys/system_keyring.h | 23 ++++++++++
- init/Kconfig | 13 ++++++
- kernel/Makefile | 17 ++++---
- kernel/modsign_pubkey.c | 104 ------------------------------------------
- kernel/module-internal.h | 2 -
- kernel/module_signing.c | 3 +-
- kernel/system_certificates.S | 18 ++++++++
- kernel/system_keyring.c | 101 ++++++++++++++++++++++++++++++++++++++++
- 8 files changed, 168 insertions(+), 113 deletions(-)
- create mode 100644 include/keys/system_keyring.h
- delete mode 100644 kernel/modsign_pubkey.c
- create mode 100644 kernel/system_certificates.S
- create mode 100644 kernel/system_keyring.c
-
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-new file mode 100644
-index 0000000..8dabc39
---- /dev/null
-+++ b/include/keys/system_keyring.h
-@@ -0,0 +1,23 @@
-+/* System keyring containing trusted public keys.
-+ *
-+ * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#ifndef _KEYS_SYSTEM_KEYRING_H
-+#define _KEYS_SYSTEM_KEYRING_H
-+
-+#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
-+
-+#include <linux/key.h>
-+
-+extern struct key *system_trusted_keyring;
-+
-+#endif
-+
-+#endif /* _KEYS_SYSTEM_KEYRING_H */
-diff --git a/init/Kconfig b/init/Kconfig
-index a76d131..b9d8870 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1615,6 +1615,18 @@ config BASE_SMALL
- default 0 if BASE_FULL
- default 1 if !BASE_FULL
-
-+config SYSTEM_TRUSTED_KEYRING
-+ bool "Provide system-wide ring of trusted keys"
-+ depends on KEYS
-+ help
-+ Provide a system keyring to which trusted keys can be added. Keys in
-+ the keyring are considered to be trusted. Keys may be added at will
-+ by the kernel from compiled-in data and from hardware key stores, but
-+ userspace may only add extra keys if those keys can be verified by
-+ keys already in the keyring.
-+
-+ Keys in this keyring are used by module signature checking.
-+
- menuconfig MODULES
- bool "Enable loadable module support"
- help
-@@ -1687,6 +1699,7 @@ config MODULE_SRCVERSION_ALL
- config MODULE_SIG
- bool "Module signature verification"
- depends on MODULES
-+ select SYSTEM_TRUSTED_KEYRING
- select KEYS
- select CRYPTO
- select ASYMMETRIC_KEY_TYPE
-diff --git a/kernel/Makefile b/kernel/Makefile
-index 64c97da..ecff938 100644
---- a/kernel/Makefile
-+++ b/kernel/Makefile
-@@ -52,8 +52,9 @@ obj-$(CONFIG_SMP) += spinlock.o
- obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
- obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
- obj-$(CONFIG_UID16) += uid16.o
-+obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
- obj-$(CONFIG_MODULES) += module.o
--obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o
-+obj-$(CONFIG_MODULE_SIG) += module_signing.o
- obj-$(CONFIG_KALLSYMS) += kallsyms.o
- obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
- obj-$(CONFIG_KEXEC) += kexec.o
-@@ -140,13 +141,14 @@ targets += timeconst.h
- $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
- $(call if_changed,bc)
-
--ifeq ($(CONFIG_MODULE_SIG),y)
- ###############################################################################
- #
--# Roll all the X.509 certificates that we can find together and pull
--# them into the kernel.
-+# Roll all the X.509 certificates that we can find together and pull them into
-+# the kernel so that they get loaded into the system trusted keyring during
-+# boot.
- #
- ###############################################################################
-+ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
- X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
- X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
- X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
-@@ -162,10 +164,11 @@ $(shell rm $(obj)/.x509.list)
- endif
- endif
-
--kernel/modsign_certificate.o: $(obj)/x509_certificate_list
-+kernel/system_certificates.o: $(obj)/x509_certificate_list
-
- quiet_cmd_x509certs = CERTS $@
-- cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@
-+ cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; echo " - Including cert $(X509)")
-+
- targets += $(obj)/x509_certificate_list
- $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
- $(call if_changed,x509certs)
-@@ -175,7 +178,9 @@ $(obj)/.x509.list:
- @echo $(X509_CERTIFICATES) >$@
-
- clean-files := x509_certificate_list .x509.list
-+endif
-
-+ifeq ($(CONFIG_MODULE_SIG),y)
- ###############################################################################
- #
- # If module signing is requested, say by allyesconfig, but a key has not been
-diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
-deleted file mode 100644
-index 2b6e699..0000000
---- a/kernel/modsign_pubkey.c
-+++ /dev/null
-@@ -1,104 +0,0 @@
--/* Public keys for module signature verification
-- *
-- * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-- * Written by David Howells (dhowells@redhat.com)
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public Licence
-- * as published by the Free Software Foundation; either version
-- * 2 of the Licence, or (at your option) any later version.
-- */
--
--#include <linux/kernel.h>
--#include <linux/sched.h>
--#include <linux/cred.h>
--#include <linux/err.h>
--#include <keys/asymmetric-type.h>
--#include "module-internal.h"
--
--struct key *modsign_keyring;
--
--extern __initdata const u8 modsign_certificate_list[];
--extern __initdata const u8 modsign_certificate_list_end[];
--
--/*
-- * We need to make sure ccache doesn't cache the .o file as it doesn't notice
-- * if modsign.pub changes.
-- */
--static __initdata const char annoy_ccache[] = __TIME__ "foo";
--
--/*
-- * Load the compiled-in keys
-- */
--static __init int module_verify_init(void)
--{
-- pr_notice("Initialise module verification\n");
--
-- modsign_keyring = keyring_alloc(".module_sign",
-- KUIDT_INIT(0), KGIDT_INIT(0),
-- current_cred(),
-- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-- KEY_USR_VIEW | KEY_USR_READ),
-- KEY_ALLOC_NOT_IN_QUOTA, NULL);
-- if (IS_ERR(modsign_keyring))
-- panic("Can't allocate module signing keyring\n");
--
-- return 0;
--}
--
--/*
-- * Must be initialised before we try and load the keys into the keyring.
-- */
--device_initcall(module_verify_init);
--
--/*
-- * Load the compiled-in keys
-- */
--static __init int load_module_signing_keys(void)
--{
-- key_ref_t key;
-- const u8 *p, *end;
-- size_t plen;
--
-- pr_notice("Loading module verification certificates\n");
--
-- end = modsign_certificate_list_end;
-- p = modsign_certificate_list;
-- while (p < end) {
-- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
-- * than 256 bytes in size.
-- */
-- if (end - p < 4)
-- goto dodgy_cert;
-- if (p[0] != 0x30 &&
-- p[1] != 0x82)
-- goto dodgy_cert;
-- plen = (p[2] << 8) | p[3];
-- plen += 4;
-- if (plen > end - p)
-- goto dodgy_cert;
--
-- key = key_create_or_update(make_key_ref(modsign_keyring, 1),
-- "asymmetric",
-- NULL,
-- p,
-- plen,
-- (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-- KEY_USR_VIEW,
-- KEY_ALLOC_NOT_IN_QUOTA);
-- if (IS_ERR(key))
-- pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)\n",
-- PTR_ERR(key));
-- else
-- pr_notice("MODSIGN: Loaded cert '%s'\n",
-- key_ref_to_ptr(key)->description);
-- p += plen;
-- }
--
-- return 0;
--
--dodgy_cert:
-- pr_err("MODSIGN: Problem parsing in-kernel X.509 certificate list\n");
-- return 0;
--}
--late_initcall(load_module_signing_keys);
-diff --git a/kernel/module-internal.h b/kernel/module-internal.h
-index 24f9247..915e123 100644
---- a/kernel/module-internal.h
-+++ b/kernel/module-internal.h
-@@ -9,6 +9,4 @@
- * 2 of the Licence, or (at your option) any later version.
- */
-
--extern struct key *modsign_keyring;
--
- extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
-diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index f2970bd..0034e36 100644
---- a/kernel/module_signing.c
-+++ b/kernel/module_signing.c
-@@ -14,6 +14,7 @@
- #include <crypto/public_key.h>
- #include <crypto/hash.h>
- #include <keys/asymmetric-type.h>
-+#include <keys/system_keyring.h>
- #include "module-internal.h"
-
- /*
-@@ -157,7 +158,7 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
-
- pr_debug("Look up: \"%s\"\n", id);
-
-- key = keyring_search(make_key_ref(modsign_keyring, 1),
-+ key = keyring_search(make_key_ref(system_trusted_keyring, 1),
- &key_type_asymmetric, id);
- if (IS_ERR(key))
- pr_warn("Request for unknown module key '%s' err %ld\n",
-diff --git a/kernel/system_certificates.S b/kernel/system_certificates.S
-new file mode 100644
-index 0000000..86240df
---- /dev/null
-+++ b/kernel/system_certificates.S
-@@ -0,0 +1,18 @@
-+/* SYMBOL_PREFIX defined on commandline from CONFIG_SYMBOL_PREFIX */
-+#ifndef SYMBOL_PREFIX
-+#define ASM_SYMBOL(sym) sym
-+#else
-+#define PASTE2(x,y) x##y
-+#define PASTE(x,y) PASTE2(x,y)
-+#define ASM_SYMBOL(sym) PASTE(SYMBOL_PREFIX, sym)
-+#endif
-+
-+#define GLOBAL(name) \
-+ .globl ASM_SYMBOL(name); \
-+ ASM_SYMBOL(name):
-+
-+ .section ".init.data","aw"
-+
-+GLOBAL(system_certificate_list)
-+ .incbin "kernel/x509_certificate_list"
-+GLOBAL(system_certificate_list_end)
-diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
-new file mode 100644
-index 0000000..a3ca76f
---- /dev/null
-+++ b/kernel/system_keyring.c
-@@ -0,0 +1,101 @@
-+/* System trusted keyring for trusted public keys
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#include <linux/export.h>
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <keys/asymmetric-type.h>
-+#include <keys/system_keyring.h>
-+#include "module-internal.h"
-+
-+struct key *system_trusted_keyring;
-+EXPORT_SYMBOL_GPL(system_trusted_keyring);
-+
-+extern __initdata const u8 system_certificate_list[];
-+extern __initdata const u8 system_certificate_list_end[];
-+
-+/*
-+ * Load the compiled-in keys
-+ */
-+static __init int system_trusted_keyring_init(void)
-+{
-+ pr_notice("Initialise system trusted keyring\n");
-+
-+ system_trusted_keyring =
-+ keyring_alloc(".system_keyring",
-+ KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
-+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+ KEY_USR_VIEW | KEY_USR_READ),
-+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
-+ if (IS_ERR(system_trusted_keyring))
-+ panic("Can't allocate system trusted keyring\n");
-+
-+ return 0;
-+}
-+
-+/*
-+ * Must be initialised before we try and load the keys into the keyring.
-+ */
-+device_initcall(system_trusted_keyring_init);
-+
-+/*
-+ * Load the compiled-in list of X.509 certificates.
-+ */
-+static __init int load_system_certificate_list(void)
-+{
-+ key_ref_t key;
-+ const u8 *p, *end;
-+ size_t plen;
-+
-+ pr_notice("Loading compiled-in X.509 certificates\n");
-+
-+ end = system_certificate_list_end;
-+ p = system_certificate_list;
-+ while (p < end) {
-+ /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
-+ * than 256 bytes in size.
-+ */
-+ if (end - p < 4)
-+ goto dodgy_cert;
-+ if (p[0] != 0x30 &&
-+ p[1] != 0x82)
-+ goto dodgy_cert;
-+ plen = (p[2] << 8) | p[3];
-+ plen += 4;
-+ if (plen > end - p)
-+ goto dodgy_cert;
-+
-+ key = key_create_or_update(make_key_ref(system_trusted_keyring, 1),
-+ "asymmetric",
-+ NULL,
-+ p,
-+ plen,
-+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+ KEY_USR_VIEW,
-+ KEY_ALLOC_NOT_IN_QUOTA);
-+ if (IS_ERR(key))
-+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
-+ PTR_ERR(key));
-+ else
-+ pr_notice("Loaded X.509 cert '%s'\n",
-+ key_ref_to_ptr(key)->description);
-+ p += plen;
-+ }
-+
-+ return 0;
-+
-+dodgy_cert:
-+ pr_err("Problem parsing in-kernel X.509 certificate list\n");
-+ return 0;
-+}
-+late_initcall(load_system_certificate_list);
---
-1.8.1.4
-
-
-From 4e2b0f425d73360fc40b8719b36e6e3ca94d458e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Thu, 17 Jan 2013 16:25:00 +0000
-Subject: [PATCH 03/47] KEYS: Add a 'trusted' flag and a 'trusted only' flag
-
-Add KEY_FLAG_TRUSTED to indicate that a key either comes from a trusted source
-or had a cryptographic signature chain that led back to a trusted key the
-kernel already possessed.
-
-Add KEY_FLAGS_TRUSTED_ONLY to indicate that a keyring will only accept links to
-keys marked with KEY_FLAGS_TRUSTED.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- include/linux/key-type.h | 1 +
- include/linux/key.h | 3 +++
- kernel/system_keyring.c | 4 +++-
- security/keys/key.c | 8 ++++++++
- security/keys/keyring.c | 4 ++++
- 5 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/include/linux/key-type.h b/include/linux/key-type.h
-index 518a53a..f942b2d 100644
---- a/include/linux/key-type.h
-+++ b/include/linux/key-type.h
-@@ -45,6 +45,7 @@ struct key_preparsed_payload {
- const void *data; /* Raw data */
- size_t datalen; /* Raw datalen */
- size_t quotalen; /* Quota length for proposed payload */
-+ bool trusted; /* True if key is trusted */
- };
-
- typedef int (*request_key_actor_t)(struct key_construction *key,
-diff --git a/include/linux/key.h b/include/linux/key.h
-index 4dfde11..0b32a09 100644
---- a/include/linux/key.h
-+++ b/include/linux/key.h
-@@ -162,6 +162,8 @@ struct key {
- #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
- #define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
- #define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
-+#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
-+#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
-
- /* the description string
- * - this is used to match a key against search criteria
-@@ -203,6 +205,7 @@ extern struct key *key_alloc(struct key_type *type,
- #define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */
- #define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
- #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
-+#define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */
-
- extern void key_revoke(struct key *key);
- extern void key_invalidate(struct key *key);
-diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
-index a3ca76f..dae8778 100644
---- a/kernel/system_keyring.c
-+++ b/kernel/system_keyring.c
-@@ -40,6 +40,7 @@ static __init int system_trusted_keyring_init(void)
- if (IS_ERR(system_trusted_keyring))
- panic("Can't allocate system trusted keyring\n");
-
-+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
- return 0;
- }
-
-@@ -82,7 +83,8 @@ static __init int load_system_certificate_list(void)
- plen,
- (KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW,
-- KEY_ALLOC_NOT_IN_QUOTA);
-+ KEY_ALLOC_NOT_IN_QUOTA |
-+ KEY_ALLOC_TRUSTED);
- if (IS_ERR(key))
- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
- PTR_ERR(key));
-diff --git a/security/keys/key.c b/security/keys/key.c
-index 8fb7c7b..f3de9e4 100644
---- a/security/keys/key.c
-+++ b/security/keys/key.c
-@@ -299,6 +299,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
-
- if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
- key->flags |= 1 << KEY_FLAG_IN_QUOTA;
-+ if (flags & KEY_ALLOC_TRUSTED)
-+ key->flags |= 1 << KEY_FLAG_TRUSTED;
-
- memset(&key->type_data, 0, sizeof(key->type_data));
-
-@@ -813,6 +815,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
- prep.data = payload;
- prep.datalen = plen;
- prep.quotalen = ktype->def_datalen;
-+ prep.trusted = flags & KEY_ALLOC_TRUSTED;
- if (ktype->preparse) {
- ret = ktype->preparse(&prep);
- if (ret < 0) {
-@@ -826,6 +829,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
- goto error_free_prep;
- }
-
-+ key_ref = ERR_PTR(-EPERM);
-+ if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags))
-+ goto error_free_prep;
-+ flags |= prep.trusted ? KEY_ALLOC_TRUSTED : 0;
-+
- ret = __key_link_begin(keyring, ktype, description, &prealloc);
- if (ret < 0) {
- key_ref = ERR_PTR(ret);
-diff --git a/security/keys/keyring.c b/security/keys/keyring.c
-index 6ece7f2..f18d7ff 100644
---- a/security/keys/keyring.c
-+++ b/security/keys/keyring.c
-@@ -1006,6 +1006,10 @@ int key_link(struct key *keyring, struct key *key)
- key_check(keyring);
- key_check(key);
-
-+ if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) &&
-+ !test_bit(KEY_FLAG_TRUSTED, &key->flags))
-+ return -EPERM;
-+
- ret = __key_link_begin(keyring, key->type, key->description, &prealloc);
- if (ret == 0) {
- ret = __key_link_check_live_key(keyring, key);
---
-1.8.1.4
-
-
-From 3deae827abdd3de9b7976b423279812d7559e580 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:32 +0000
-Subject: [PATCH 04/47] KEYS: Rename public key parameter name arrays
-
-Rename the arrays of public key parameters (public key algorithm names, hash
-algorithm names and ID type names) so that the array name ends in "_name".
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/public_key.c | 14 +++++++-------
- crypto/asymmetric_keys/x509_public_key.c | 8 ++++----
- include/crypto/public_key.h | 6 +++---
- kernel/module_signing.c | 4 ++--
- 4 files changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
-index cb2e291..b313df1 100644
---- a/crypto/asymmetric_keys/public_key.c
-+++ b/crypto/asymmetric_keys/public_key.c
-@@ -22,13 +22,13 @@
-
- MODULE_LICENSE("GPL");
-
--const char *const pkey_algo[PKEY_ALGO__LAST] = {
-+const char *const pkey_algo_name[PKEY_ALGO__LAST] = {
- [PKEY_ALGO_DSA] = "DSA",
- [PKEY_ALGO_RSA] = "RSA",
- };
--EXPORT_SYMBOL_GPL(pkey_algo);
-+EXPORT_SYMBOL_GPL(pkey_algo_name);
-
--const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
-+const char *const pkey_hash_algo_name[PKEY_HASH__LAST] = {
- [PKEY_HASH_MD4] = "md4",
- [PKEY_HASH_MD5] = "md5",
- [PKEY_HASH_SHA1] = "sha1",
-@@ -38,13 +38,13 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
- [PKEY_HASH_SHA512] = "sha512",
- [PKEY_HASH_SHA224] = "sha224",
- };
--EXPORT_SYMBOL_GPL(pkey_hash_algo);
-+EXPORT_SYMBOL_GPL(pkey_hash_algo_name);
-
--const char *const pkey_id_type[PKEY_ID_TYPE__LAST] = {
-+const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST] = {
- [PKEY_ID_PGP] = "PGP",
- [PKEY_ID_X509] = "X509",
- };
--EXPORT_SYMBOL_GPL(pkey_id_type);
-+EXPORT_SYMBOL_GPL(pkey_id_type_name);
-
- /*
- * Provide a part of a description of the key for /proc/keys.
-@@ -56,7 +56,7 @@ static void public_key_describe(const struct key *asymmetric_key,
-
- if (key)
- seq_printf(m, "%s.%s",
-- pkey_id_type[key->id_type], key->algo->name);
-+ pkey_id_type_name[key->id_type], key->algo->name);
- }
-
- /*
-diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
-index 06007f0..afbbc36 100644
---- a/crypto/asymmetric_keys/x509_public_key.c
-+++ b/crypto/asymmetric_keys/x509_public_key.c
-@@ -49,7 +49,7 @@ static int x509_check_signature(const struct public_key *pub,
- /* Allocate the hashing algorithm we're going to need and find out how
- * big the hash operational data will be.
- */
-- tfm = crypto_alloc_shash(pkey_hash_algo[cert->sig_hash_algo], 0, 0);
-+ tfm = crypto_alloc_shash(pkey_hash_algo_name[cert->sig_hash_algo], 0, 0);
- if (IS_ERR(tfm))
- return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
-
-@@ -117,7 +117,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
-
- pr_devel("Cert Issuer: %s\n", cert->issuer);
- pr_devel("Cert Subject: %s\n", cert->subject);
-- pr_devel("Cert Key Algo: %s\n", pkey_algo[cert->pkey_algo]);
-+ pr_devel("Cert Key Algo: %s\n", pkey_algo_name[cert->pkey_algo]);
- pr_devel("Cert Valid From: %04ld-%02d-%02d %02d:%02d:%02d\n",
- cert->valid_from.tm_year + 1900, cert->valid_from.tm_mon + 1,
- cert->valid_from.tm_mday, cert->valid_from.tm_hour,
-@@ -127,8 +127,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
- cert->valid_to.tm_mday, cert->valid_to.tm_hour,
- cert->valid_to.tm_min, cert->valid_to.tm_sec);
- pr_devel("Cert Signature: %s + %s\n",
-- pkey_algo[cert->sig_pkey_algo],
-- pkey_hash_algo[cert->sig_hash_algo]);
-+ pkey_algo_name[cert->sig_pkey_algo],
-+ pkey_hash_algo_name[cert->sig_hash_algo]);
-
- if (!cert->fingerprint || !cert->authority) {
- pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
-diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
-index f5b0224..619d570 100644
---- a/include/crypto/public_key.h
-+++ b/include/crypto/public_key.h
-@@ -22,7 +22,7 @@ enum pkey_algo {
- PKEY_ALGO__LAST
- };
-
--extern const char *const pkey_algo[PKEY_ALGO__LAST];
-+extern const char *const pkey_algo_name[PKEY_ALGO__LAST];
-
- enum pkey_hash_algo {
- PKEY_HASH_MD4,
-@@ -36,7 +36,7 @@ enum pkey_hash_algo {
- PKEY_HASH__LAST
- };
-
--extern const char *const pkey_hash_algo[PKEY_HASH__LAST];
-+extern const char *const pkey_hash_algo_name[PKEY_HASH__LAST];
-
- enum pkey_id_type {
- PKEY_ID_PGP, /* OpenPGP generated key ID */
-@@ -44,7 +44,7 @@ enum pkey_id_type {
- PKEY_ID_TYPE__LAST
- };
-
--extern const char *const pkey_id_type[PKEY_ID_TYPE__LAST];
-+extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST];
-
- /*
- * Cryptographic data for the public-key subtype of the asymmetric key type.
-diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index 0034e36..0b6b870 100644
---- a/kernel/module_signing.c
-+++ b/kernel/module_signing.c
-@@ -55,7 +55,7 @@ static struct public_key_signature *mod_make_digest(enum pkey_hash_algo hash,
- /* Allocate the hashing algorithm we're going to need and find out how
- * big the hash operational data will be.
- */
-- tfm = crypto_alloc_shash(pkey_hash_algo[hash], 0, 0);
-+ tfm = crypto_alloc_shash(pkey_hash_algo_name[hash], 0, 0);
- if (IS_ERR(tfm))
- return (PTR_ERR(tfm) == -ENOENT) ? ERR_PTR(-ENOPKG) : ERR_CAST(tfm);
-
-@@ -218,7 +218,7 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
- return -ENOPKG;
-
- if (ms.hash >= PKEY_HASH__LAST ||
-- !pkey_hash_algo[ms.hash])
-+ !pkey_hash_algo_name[ms.hash])
- return -ENOPKG;
-
- key = request_asymmetric_key(sig, ms.signer_len,
---
-1.8.1.4
-
-
-From 2acf1a703de1213ad85515a71873f57535dc057d Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:33 +0000
-Subject: [PATCH 05/47] KEYS: Move the algorithm pointer array from x509 to
- public_key.c
-
-Move the public-key algorithm pointer array from x509_public_key.c to
-public_key.c as it isn't X.509 specific.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/public_key.c | 8 ++++++++
- crypto/asymmetric_keys/x509_public_key.c | 11 +----------
- include/crypto/public_key.h | 1 +
- 3 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
-index b313df1..796ce08 100644
---- a/crypto/asymmetric_keys/public_key.c
-+++ b/crypto/asymmetric_keys/public_key.c
-@@ -28,6 +28,14 @@ const char *const pkey_algo_name[PKEY_ALGO__LAST] = {
- };
- EXPORT_SYMBOL_GPL(pkey_algo_name);
-
-+const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST] = {
-+#if defined(CONFIG_PUBLIC_KEY_ALGO_RSA) || \
-+ defined(CONFIG_PUBLIC_KEY_ALGO_RSA_MODULE)
-+ [PKEY_ALGO_RSA] = &RSA_public_key_algorithm,
-+#endif
-+};
-+EXPORT_SYMBOL_GPL(pkey_algo);
-+
- const char *const pkey_hash_algo_name[PKEY_HASH__LAST] = {
- [PKEY_HASH_MD4] = "md4",
- [PKEY_HASH_MD5] = "md5",
-diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
-index afbbc36..fe38628 100644
---- a/crypto/asymmetric_keys/x509_public_key.c
-+++ b/crypto/asymmetric_keys/x509_public_key.c
-@@ -23,15 +23,6 @@
- #include "public_key.h"
- #include "x509_parser.h"
-
--static const
--struct public_key_algorithm *x509_public_key_algorithms[PKEY_ALGO__LAST] = {
-- [PKEY_ALGO_DSA] = NULL,
--#if defined(CONFIG_PUBLIC_KEY_ALGO_RSA) || \
-- defined(CONFIG_PUBLIC_KEY_ALGO_RSA_MODULE)
-- [PKEY_ALGO_RSA] = &RSA_public_key_algorithm,
--#endif
--};
--
- /*
- * Check the signature on a certificate using the provided public key
- */
-@@ -174,7 +165,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
- goto error_free_cert;
- }
-
-- cert->pub->algo = x509_public_key_algorithms[cert->pkey_algo];
-+ cert->pub->algo = pkey_algo[cert->pkey_algo];
- cert->pub->id_type = PKEY_ID_X509;
-
- /* Check the signature on the key */
-diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
-index 619d570..46bde25 100644
---- a/include/crypto/public_key.h
-+++ b/include/crypto/public_key.h
-@@ -23,6 +23,7 @@ enum pkey_algo {
- };
-
- extern const char *const pkey_algo_name[PKEY_ALGO__LAST];
-+extern const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST];
-
- enum pkey_hash_algo {
- PKEY_HASH_MD4,
---
-1.8.1.4
-
-
-From 3cc2c6f01277dfa00106c3e4f3f3ab8184025b90 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:33 +0000
-Subject: [PATCH 06/47] KEYS: Store public key algo ID in public_key struct
-
-Store public key algo ID in public_key struct for reference purposes. This
-allows it to be removed from the x509_certificate struct and used to find a
-default in public_key_verify_signature().
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/x509_cert_parser.c | 5 +++--
- crypto/asymmetric_keys/x509_parser.h | 1 -
- crypto/asymmetric_keys/x509_public_key.c | 4 ++--
- include/crypto/public_key.h | 1 +
- 4 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
-index 7fabc4c..a583930 100644
---- a/crypto/asymmetric_keys/x509_cert_parser.c
-+++ b/crypto/asymmetric_keys/x509_cert_parser.c
-@@ -343,8 +343,9 @@ int x509_extract_key_data(void *context, size_t hdrlen,
- if (ctx->last_oid != OID_rsaEncryption)
- return -ENOPKG;
-
-- /* There seems to be an extraneous 0 byte on the front of the data */
-- ctx->cert->pkey_algo = PKEY_ALGO_RSA;
-+ ctx->cert->pub->pkey_algo = PKEY_ALGO_RSA;
-+
-+ /* Discard the BIT STRING metadata */
- ctx->key = value + 1;
- ctx->key_size = vlen - 1;
- return 0;
-diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
-index f86dc5f..e583ad0 100644
---- a/crypto/asymmetric_keys/x509_parser.h
-+++ b/crypto/asymmetric_keys/x509_parser.h
-@@ -20,7 +20,6 @@ struct x509_certificate {
- char *authority; /* Authority key fingerprint as hex */
- struct tm valid_from;
- struct tm valid_to;
-- enum pkey_algo pkey_algo : 8; /* Public key algorithm */
- enum pkey_algo sig_pkey_algo : 8; /* Signature public key algorithm */
- enum pkey_hash_algo sig_hash_algo : 8; /* Signature hash algorithm */
- const void *tbs; /* Signed data */
-diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
-index fe38628..fac574c 100644
---- a/crypto/asymmetric_keys/x509_public_key.c
-+++ b/crypto/asymmetric_keys/x509_public_key.c
-@@ -108,7 +108,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
-
- pr_devel("Cert Issuer: %s\n", cert->issuer);
- pr_devel("Cert Subject: %s\n", cert->subject);
-- pr_devel("Cert Key Algo: %s\n", pkey_algo_name[cert->pkey_algo]);
-+ pr_devel("Cert Key Algo: %s\n", pkey_algo_name[cert->pub->pkey_algo]);
- pr_devel("Cert Valid From: %04ld-%02d-%02d %02d:%02d:%02d\n",
- cert->valid_from.tm_year + 1900, cert->valid_from.tm_mon + 1,
- cert->valid_from.tm_mday, cert->valid_from.tm_hour,
-@@ -165,7 +165,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
- goto error_free_cert;
- }
-
-- cert->pub->algo = pkey_algo[cert->pkey_algo];
-+ cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
- cert->pub->id_type = PKEY_ID_X509;
-
- /* Check the signature on the key */
-diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
-index 46bde25..05778df 100644
---- a/include/crypto/public_key.h
-+++ b/include/crypto/public_key.h
-@@ -60,6 +60,7 @@ struct public_key {
- #define PKEY_CAN_DECRYPT 0x02
- #define PKEY_CAN_SIGN 0x04
- #define PKEY_CAN_VERIFY 0x08
-+ enum pkey_algo pkey_algo : 8;
- enum pkey_id_type id_type : 8;
- union {
- MPI mpi[5];
---
-1.8.1.4
-
-
-From 7dcc63793a873198d3b3c4299f896e2896292d84 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:34 +0000
-Subject: [PATCH 07/47] KEYS: Split public_key_verify_signature() and make
- available
-
-Modify public_key_verify_signature() so that it now takes a public_key struct
-rather than a key struct and supply a wrapper that takes a key struct. The
-wrapper is then used by the asymmetric key subtype and the modified function is
-used by X.509 self-signature checking and can be used by PKCS#7 also.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/public_key.c | 40 +++++++++++++++++++++++++-------
- crypto/asymmetric_keys/public_key.h | 6 +++++
- crypto/asymmetric_keys/x509_public_key.c | 2 +-
- 3 files changed, 39 insertions(+), 9 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
-index 796ce08..49ac8d8 100644
---- a/crypto/asymmetric_keys/public_key.c
-+++ b/crypto/asymmetric_keys/public_key.c
-@@ -86,21 +86,45 @@ EXPORT_SYMBOL_GPL(public_key_destroy);
- /*
- * Verify a signature using a public key.
- */
--static int public_key_verify_signature(const struct key *key,
-- const struct public_key_signature *sig)
-+int public_key_verify_signature(const struct public_key *pk,
-+ const struct public_key_signature *sig)
- {
-- const struct public_key *pk = key->payload.data;
-+ const struct public_key_algorithm *algo;
-+
-+ BUG_ON(!pk);
-+ BUG_ON(!pk->mpi[0]);
-+ BUG_ON(!pk->mpi[1]);
-+ BUG_ON(!sig);
-+ BUG_ON(!sig->digest);
-+ BUG_ON(!sig->mpi[0]);
-+
-+ algo = pk->algo;
-+ if (!algo) {
-+ if (pk->pkey_algo >= PKEY_ALGO__LAST)
-+ return -ENOPKG;
-+ algo = pkey_algo[pk->pkey_algo];
-+ if (!algo)
-+ return -ENOPKG;
-+ }
-
-- if (!pk->algo->verify_signature)
-+ if (!algo->verify_signature)
- return -ENOTSUPP;
-
-- if (sig->nr_mpi != pk->algo->n_sig_mpi) {
-+ if (sig->nr_mpi != algo->n_sig_mpi) {
- pr_debug("Signature has %u MPI not %u\n",
-- sig->nr_mpi, pk->algo->n_sig_mpi);
-+ sig->nr_mpi, algo->n_sig_mpi);
- return -EINVAL;
- }
-
-- return pk->algo->verify_signature(pk, sig);
-+ return algo->verify_signature(pk, sig);
-+}
-+EXPORT_SYMBOL_GPL(public_key_verify_signature);
-+
-+static int public_key_verify_signature_2(const struct key *key,
-+ const struct public_key_signature *sig)
-+{
-+ const struct public_key *pk = key->payload.data;
-+ return public_key_verify_signature(pk, sig);
- }
-
- /*
-@@ -111,6 +135,6 @@ struct asymmetric_key_subtype public_key_subtype = {
- .name = "public_key",
- .describe = public_key_describe,
- .destroy = public_key_destroy,
-- .verify_signature = public_key_verify_signature,
-+ .verify_signature = public_key_verify_signature_2,
- };
- EXPORT_SYMBOL_GPL(public_key_subtype);
-diff --git a/crypto/asymmetric_keys/public_key.h b/crypto/asymmetric_keys/public_key.h
-index 5e5e356..5c37a22 100644
---- a/crypto/asymmetric_keys/public_key.h
-+++ b/crypto/asymmetric_keys/public_key.h
-@@ -28,3 +28,9 @@ struct public_key_algorithm {
- };
-
- extern const struct public_key_algorithm RSA_public_key_algorithm;
-+
-+/*
-+ * public_key.c
-+ */
-+extern int public_key_verify_signature(const struct public_key *pk,
-+ const struct public_key_signature *sig);
-diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
-index fac574c..8cb2f70 100644
---- a/crypto/asymmetric_keys/x509_public_key.c
-+++ b/crypto/asymmetric_keys/x509_public_key.c
-@@ -76,7 +76,7 @@ static int x509_check_signature(const struct public_key *pub,
- if (ret < 0)
- goto error_mpi;
-
-- ret = pub->algo->verify_signature(pub, sig);
-+ ret = public_key_verify_signature(pub, sig);
-
- pr_debug("Cert Verification: %d\n", ret);
-
---
-1.8.1.4
-
-
-From da18477d1a1987dce0f3c5f78b62e5b223e2bf90 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:35 +0000
-Subject: [PATCH 08/47] KEYS: Store public key algo ID in public_key_signature
- struct
-
-Store public key algorithm ID in public_key_signature struct for reference
-purposes. This allows a public_key_signature struct to be embedded in
-struct x509_certificate and struct pkcs7_message more easily.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- include/crypto/public_key.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
-index 05778df..b34fda4 100644
---- a/include/crypto/public_key.h
-+++ b/include/crypto/public_key.h
-@@ -90,6 +90,7 @@ struct public_key_signature {
- u8 *digest;
- u8 digest_size; /* Number of bytes in digest */
- u8 nr_mpi; /* Occupancy of mpi[] */
-+ enum pkey_algo pkey_algo : 8;
- enum pkey_hash_algo pkey_hash_algo : 8;
- union {
- MPI mpi[2];
---
-1.8.1.4
-
-
-From 29d80acc90a95ef5614cf36d4e30835bcc014cc4 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:35 +0000
-Subject: [PATCH 09/47] X.509: struct x509_certificate needs struct tm
- declaring
-
-struct x509_certificate needs struct tm declaring by #inclusion of linux/time.h
-prior to its definition.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/x509_parser.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
-index e583ad0..2d01182 100644
---- a/crypto/asymmetric_keys/x509_parser.h
-+++ b/crypto/asymmetric_keys/x509_parser.h
-@@ -9,6 +9,7 @@
- * 2 of the Licence, or (at your option) any later version.
- */
-
-+#include <linux/time.h>
- #include <crypto/public_key.h>
-
- struct x509_certificate {
---
-1.8.1.4
-
-
-From ba3ba9e41abb17a7632075668e4f0a30edb59896 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:35 +0000
-Subject: [PATCH 10/47] X.509: Add bits needed for PKCS#7
-
-PKCS#7 validation requires access to the serial number and the raw names in an
-X.509 certificate.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/x509.asn1 | 2 +-
- crypto/asymmetric_keys/x509_cert_parser.c | 17 +++++++++++++++++
- crypto/asymmetric_keys/x509_parser.h | 10 ++++++++--
- 3 files changed, 26 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/x509.asn1 b/crypto/asymmetric_keys/x509.asn1
-index bf32b3d..aae0cde 100644
---- a/crypto/asymmetric_keys/x509.asn1
-+++ b/crypto/asymmetric_keys/x509.asn1
-@@ -6,7 +6,7 @@ Certificate ::= SEQUENCE {
-
- TBSCertificate ::= SEQUENCE {
- version [ 0 ] Version DEFAULT,
-- serialNumber CertificateSerialNumber,
-+ serialNumber CertificateSerialNumber ({ x509_note_serial }),
- signature AlgorithmIdentifier ({ x509_note_pkey_algo }),
- issuer Name ({ x509_note_issuer }),
- validity Validity,
-diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
-index a583930..08bebf1 100644
---- a/crypto/asymmetric_keys/x509_cert_parser.c
-+++ b/crypto/asymmetric_keys/x509_cert_parser.c
-@@ -209,6 +209,19 @@ int x509_note_signature(void *context, size_t hdrlen,
- }
-
- /*
-+ * Note the certificate serial number
-+ */
-+int x509_note_serial(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct x509_parse_context *ctx = context;
-+ ctx->cert->raw_serial = value;
-+ ctx->cert->raw_serial_size = vlen;
-+ return 0;
-+}
-+
-+/*
- * Note some of the name segments from which we'll fabricate a name.
- */
- int x509_extract_name_segment(void *context, size_t hdrlen,
-@@ -320,6 +333,8 @@ int x509_note_issuer(void *context, size_t hdrlen,
- const void *value, size_t vlen)
- {
- struct x509_parse_context *ctx = context;
-+ ctx->cert->raw_issuer = value;
-+ ctx->cert->raw_issuer_size = vlen;
- return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);
- }
-
-@@ -328,6 +343,8 @@ int x509_note_subject(void *context, size_t hdrlen,
- const void *value, size_t vlen)
- {
- struct x509_parse_context *ctx = context;
-+ ctx->cert->raw_subject = value;
-+ ctx->cert->raw_subject_size = vlen;
- return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen);
- }
-
-diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
-index 2d01182..a6ce46f 100644
---- a/crypto/asymmetric_keys/x509_parser.h
-+++ b/crypto/asymmetric_keys/x509_parser.h
-@@ -24,9 +24,15 @@ struct x509_certificate {
- enum pkey_algo sig_pkey_algo : 8; /* Signature public key algorithm */
- enum pkey_hash_algo sig_hash_algo : 8; /* Signature hash algorithm */
- const void *tbs; /* Signed data */
-- size_t tbs_size; /* Size of signed data */
-+ unsigned tbs_size; /* Size of signed data */
-+ unsigned sig_size; /* Size of sigature */
- const void *sig; /* Signature data */
-- size_t sig_size; /* Size of sigature */
-+ const void *raw_serial; /* Raw serial number in ASN.1 */
-+ unsigned raw_serial_size;
-+ unsigned raw_issuer_size;
-+ const void *raw_issuer; /* Raw issuer name in ASN.1 */
-+ const void *raw_subject; /* Raw subject name in ASN.1 */
-+ unsigned raw_subject_size;
- };
-
- /*
---
-1.8.1.4
-
-
-From 4d2f837ab3629d5b4b3bac2bbdbdf2d0060e74a8 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:36 +0000
-Subject: [PATCH 11/47] X.509: Embed public_key_signature struct and create
- filler function
-
-Embed a public_key_signature struct in struct x509_certificate, eliminating
-now unnecessary fields, and split x509_check_signature() to create a filler
-function for it that attaches a digest of the signed data and an MPI that
-represents the signature data. x509_free_certificate() is then modified to
-deal with these.
-
-Whilst we're at it, export both x509_check_signature() and the new
-x509_get_sig_params().
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/x509_cert_parser.c | 30 +++++------
- crypto/asymmetric_keys/x509_parser.h | 14 ++++--
- crypto/asymmetric_keys/x509_public_key.c | 83 +++++++++++++++++--------------
- 3 files changed, 73 insertions(+), 54 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
-index 08bebf1..931f069 100644
---- a/crypto/asymmetric_keys/x509_cert_parser.c
-+++ b/crypto/asymmetric_keys/x509_cert_parser.c
-@@ -47,6 +47,8 @@ void x509_free_certificate(struct x509_certificate *cert)
- kfree(cert->subject);
- kfree(cert->fingerprint);
- kfree(cert->authority);
-+ kfree(cert->sig.digest);
-+ mpi_free(cert->sig.rsa.s);
- kfree(cert);
- }
- }
-@@ -152,33 +154,33 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
- return -ENOPKG; /* Unsupported combination */
-
- case OID_md4WithRSAEncryption:
-- ctx->cert->sig_hash_algo = PKEY_HASH_MD5;
-- ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
-+ ctx->cert->sig.pkey_hash_algo = PKEY_HASH_MD5;
-+ ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
- break;
-
- case OID_sha1WithRSAEncryption:
-- ctx->cert->sig_hash_algo = PKEY_HASH_SHA1;
-- ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
-+ ctx->cert->sig.pkey_hash_algo = PKEY_HASH_SHA1;
-+ ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
- break;
-
- case OID_sha256WithRSAEncryption:
-- ctx->cert->sig_hash_algo = PKEY_HASH_SHA256;
-- ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
-+ ctx->cert->sig.pkey_hash_algo = PKEY_HASH_SHA256;
-+ ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
- break;
-
- case OID_sha384WithRSAEncryption:
-- ctx->cert->sig_hash_algo = PKEY_HASH_SHA384;
-- ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
-+ ctx->cert->sig.pkey_hash_algo = PKEY_HASH_SHA384;
-+ ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
- break;
-
- case OID_sha512WithRSAEncryption:
-- ctx->cert->sig_hash_algo = PKEY_HASH_SHA512;
-- ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
-+ ctx->cert->sig.pkey_hash_algo = PKEY_HASH_SHA512;
-+ ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
- break;
-
- case OID_sha224WithRSAEncryption:
-- ctx->cert->sig_hash_algo = PKEY_HASH_SHA224;
-- ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
-+ ctx->cert->sig.pkey_hash_algo = PKEY_HASH_SHA224;
-+ ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
- break;
- }
-
-@@ -203,8 +205,8 @@ int x509_note_signature(void *context, size_t hdrlen,
- return -EINVAL;
- }
-
-- ctx->cert->sig = value;
-- ctx->cert->sig_size = vlen;
-+ ctx->cert->raw_sig = value;
-+ ctx->cert->raw_sig_size = vlen;
- return 0;
- }
-
-diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
-index a6ce46f..6b1d877 100644
---- a/crypto/asymmetric_keys/x509_parser.h
-+++ b/crypto/asymmetric_keys/x509_parser.h
-@@ -21,18 +21,17 @@ struct x509_certificate {
- char *authority; /* Authority key fingerprint as hex */
- struct tm valid_from;
- struct tm valid_to;
-- enum pkey_algo sig_pkey_algo : 8; /* Signature public key algorithm */
-- enum pkey_hash_algo sig_hash_algo : 8; /* Signature hash algorithm */
- const void *tbs; /* Signed data */
- unsigned tbs_size; /* Size of signed data */
-- unsigned sig_size; /* Size of sigature */
-- const void *sig; /* Signature data */
-+ unsigned raw_sig_size; /* Size of sigature */
-+ const void *raw_sig; /* Signature data */
- const void *raw_serial; /* Raw serial number in ASN.1 */
- unsigned raw_serial_size;
- unsigned raw_issuer_size;
- const void *raw_issuer; /* Raw issuer name in ASN.1 */
- const void *raw_subject; /* Raw subject name in ASN.1 */
- unsigned raw_subject_size;
-+ struct public_key_signature sig; /* Signature parameters */
- };
-
- /*
-@@ -40,3 +39,10 @@ struct x509_certificate {
- */
- extern void x509_free_certificate(struct x509_certificate *cert);
- extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen);
-+
-+/*
-+ * x509_public_key.c
-+ */
-+extern int x509_get_sig_params(struct x509_certificate *cert);
-+extern int x509_check_signature(const struct public_key *pub,
-+ struct x509_certificate *cert);
-diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
-index 8cb2f70..b7c81d8 100644
---- a/crypto/asymmetric_keys/x509_public_key.c
-+++ b/crypto/asymmetric_keys/x509_public_key.c
-@@ -24,72 +24,83 @@
- #include "x509_parser.h"
-
- /*
-- * Check the signature on a certificate using the provided public key
-+ * Set up the signature parameters in an X.509 certificate. This involves
-+ * digesting the signed data and extracting the signature.
- */
--static int x509_check_signature(const struct public_key *pub,
-- const struct x509_certificate *cert)
-+int x509_get_sig_params(struct x509_certificate *cert)
- {
-- struct public_key_signature *sig;
- struct crypto_shash *tfm;
- struct shash_desc *desc;
- size_t digest_size, desc_size;
-+ void *digest;
- int ret;
-
- pr_devel("==>%s()\n", __func__);
--
-+
-+ if (cert->sig.rsa.s)
-+ return 0;
-+
-+ cert->sig.rsa.s = mpi_read_raw_data(cert->raw_sig, cert->raw_sig_size);
-+ if (!cert->sig.rsa.s)
-+ return -ENOMEM;
-+ cert->sig.nr_mpi = 1;
-+
- /* Allocate the hashing algorithm we're going to need and find out how
- * big the hash operational data will be.
- */
-- tfm = crypto_alloc_shash(pkey_hash_algo_name[cert->sig_hash_algo], 0, 0);
-+ tfm = crypto_alloc_shash(pkey_hash_algo_name[cert->sig.pkey_hash_algo], 0, 0);
- if (IS_ERR(tfm))
- return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
-
- desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
- digest_size = crypto_shash_digestsize(tfm);
-
-- /* We allocate the hash operational data storage on the end of our
-- * context data.
-+ /* We allocate the hash operational data storage on the end of the
-+ * digest storage space.
- */
- ret = -ENOMEM;
-- sig = kzalloc(sizeof(*sig) + desc_size + digest_size, GFP_KERNEL);
-- if (!sig)
-- goto error_no_sig;
-+ digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
-+ if (!digest)
-+ goto error;
-
-- sig->pkey_hash_algo = cert->sig_hash_algo;
-- sig->digest = (u8 *)sig + sizeof(*sig) + desc_size;
-- sig->digest_size = digest_size;
-+ cert->sig.digest = digest;
-+ cert->sig.digest_size = digest_size;
-
-- desc = (void *)sig + sizeof(*sig);
-- desc->tfm = tfm;
-- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
-+ desc = digest + digest_size;
-+ desc->tfm = tfm;
-+ desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
-
- ret = crypto_shash_init(desc);
- if (ret < 0)
- goto error;
-+ might_sleep();
-+ ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, digest);
-+error:
-+ crypto_free_shash(tfm);
-+ pr_devel("<==%s() = %d\n", __func__, ret);
-+ return ret;
-+}
-+EXPORT_SYMBOL_GPL(x509_get_sig_params);
-
-- ret = -ENOMEM;
-- sig->rsa.s = mpi_read_raw_data(cert->sig, cert->sig_size);
-- if (!sig->rsa.s)
-- goto error;
-+/*
-+ * Check the signature on a certificate using the provided public key
-+ */
-+int x509_check_signature(const struct public_key *pub,
-+ struct x509_certificate *cert)
-+{
-+ int ret;
-
-- ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest);
-- if (ret < 0)
-- goto error_mpi;
-+ pr_devel("==>%s()\n", __func__);
-
-- ret = public_key_verify_signature(pub, sig);
-+ ret = x509_get_sig_params(cert);
-+ if (ret < 0)
-+ return ret;
-
-+ ret = public_key_verify_signature(pub, &cert->sig);
- pr_debug("Cert Verification: %d\n", ret);
--
--error_mpi:
-- mpi_free(sig->rsa.s);
--error:
-- kfree(sig);
--error_no_sig:
-- crypto_free_shash(tfm);
--
-- pr_devel("<==%s() = %d\n", __func__, ret);
- return ret;
- }
-+EXPORT_SYMBOL_GPL(x509_check_signature);
-
- /*
- * Attempt to parse a data blob for a key as an X509 certificate.
-@@ -118,8 +129,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
- cert->valid_to.tm_mday, cert->valid_to.tm_hour,
- cert->valid_to.tm_min, cert->valid_to.tm_sec);
- pr_devel("Cert Signature: %s + %s\n",
-- pkey_algo_name[cert->sig_pkey_algo],
-- pkey_hash_algo_name[cert->sig_hash_algo]);
-+ pkey_algo_name[cert->sig.pkey_algo],
-+ pkey_hash_algo_name[cert->sig.pkey_hash_algo]);
-
- if (!cert->fingerprint || !cert->authority) {
- pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
---
-1.8.1.4
-
-
-From 822175026ad1d4640240d1fdd77b1f45ddd9e7a9 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:36 +0000
-Subject: [PATCH 12/47] X.509: Check the algorithm IDs obtained from parsing an
- X.509 certificate
-
-Check that the algorithm IDs obtained from the ASN.1 parse by OID lookup
-corresponds to algorithms that are available to us.
-
-Reported-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- crypto/asymmetric_keys/x509_public_key.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
-index b7c81d8..eb368d4 100644
---- a/crypto/asymmetric_keys/x509_public_key.c
-+++ b/crypto/asymmetric_keys/x509_public_key.c
-@@ -119,6 +119,17 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
-
- pr_devel("Cert Issuer: %s\n", cert->issuer);
- pr_devel("Cert Subject: %s\n", cert->subject);
-+
-+ if (cert->pub->pkey_algo >= PKEY_ALGO__LAST ||
-+ cert->sig.pkey_algo >= PKEY_ALGO__LAST ||
-+ cert->sig.pkey_hash_algo >= PKEY_HASH__LAST ||
-+ !pkey_algo[cert->pub->pkey_algo] ||
-+ !pkey_algo[cert->sig.pkey_algo] ||
-+ !pkey_hash_algo_name[cert->sig.pkey_hash_algo]) {
-+ ret = -ENOPKG;
-+ goto error_free_cert;
-+ }
-+
- pr_devel("Cert Key Algo: %s\n", pkey_algo_name[cert->pub->pkey_algo]);
- pr_devel("Cert Valid From: %04ld-%02d-%02d %02d:%02d:%02d\n",
- cert->valid_from.tm_year + 1900, cert->valid_from.tm_mon + 1,
---
-1.8.1.4
-
-
-From 4a1a540f79d36d8b0b8970ea638648cef080057b Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:37 +0000
-Subject: [PATCH 13/47] X.509: Handle certificates that lack an
- authorityKeyIdentifier field
-
-Handle certificates that lack an authorityKeyIdentifier field by assuming
-they're self-signed and checking their signatures against themselves.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/x509_public_key.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
-index eb368d4..0f55e3b 100644
---- a/crypto/asymmetric_keys/x509_public_key.c
-+++ b/crypto/asymmetric_keys/x509_public_key.c
-@@ -143,8 +143,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
- pkey_algo_name[cert->sig.pkey_algo],
- pkey_hash_algo_name[cert->sig.pkey_hash_algo]);
-
-- if (!cert->fingerprint || !cert->authority) {
-- pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
-+ if (!cert->fingerprint) {
-+ pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
- cert->subject);
- ret = -EKEYREJECTED;
- goto error_free_cert;
-@@ -190,8 +190,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
- cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
- cert->pub->id_type = PKEY_ID_X509;
-
-- /* Check the signature on the key */
-- if (strcmp(cert->fingerprint, cert->authority) == 0) {
-+ /* Check the signature on the key if it appears to be self-signed */
-+ if (!cert->authority ||
-+ strcmp(cert->fingerprint, cert->authority) == 0) {
- ret = x509_check_signature(cert->pub, cert);
- if (ret < 0)
- goto error_free_cert;
---
-1.8.1.4
-
-
-From f5e443e719cfb7cae2aea764ad3c9ec9ffba4f60 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:37 +0000
-Subject: [PATCH 14/47] X.509: Export certificate parse and free functions
-
-Export certificate parse and free functions for use by modules.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Josh Boyer <jwboyer@redhat.com>
----
- crypto/asymmetric_keys/x509_cert_parser.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
-index 931f069..9cf0e16 100644
---- a/crypto/asymmetric_keys/x509_cert_parser.c
-+++ b/crypto/asymmetric_keys/x509_cert_parser.c
-@@ -11,6 +11,7 @@
-
- #define pr_fmt(fmt) "X.509: "fmt
- #include <linux/kernel.h>
-+#include <linux/export.h>
- #include <linux/slab.h>
- #include <linux/err.h>
- #include <linux/oid_registry.h>
-@@ -52,6 +53,7 @@ void x509_free_certificate(struct x509_certificate *cert)
- kfree(cert);
- }
- }
-+EXPORT_SYMBOL_GPL(x509_free_certificate);
-
- /*
- * Parse an X.509 certificate
-@@ -97,6 +99,7 @@ error_no_ctx:
- error_no_cert:
- return ERR_PTR(ret);
- }
-+EXPORT_SYMBOL_GPL(x509_cert_parse);
-
- /*
- * Note an OID when we find one for later processing when we know how
---
-1.8.1.4
-
-
-From 792a56d205765cf4ece16868929ad5fbe6b89df4 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:38 +0000
-Subject: [PATCH 15/47] PKCS#7: Implement a parser [RFC 2315]
-
-Implement a parser for a PKCS#7 signed-data message as described in part of
-RFC 2315.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/Kconfig | 9 +
- crypto/asymmetric_keys/Makefile | 13 ++
- crypto/asymmetric_keys/pkcs7.asn1 | 127 +++++++++++++
- crypto/asymmetric_keys/pkcs7_parser.c | 326 ++++++++++++++++++++++++++++++++++
- crypto/asymmetric_keys/pkcs7_parser.h | 65 +++++++
- include/linux/oid_registry.h | 1 +
- 6 files changed, 541 insertions(+)
- create mode 100644 crypto/asymmetric_keys/pkcs7.asn1
- create mode 100644 crypto/asymmetric_keys/pkcs7_parser.c
- create mode 100644 crypto/asymmetric_keys/pkcs7_parser.h
-
-diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 6d2c2ea..413f3f6 100644
---- a/crypto/asymmetric_keys/Kconfig
-+++ b/crypto/asymmetric_keys/Kconfig
-@@ -35,4 +35,13 @@ config X509_CERTIFICATE_PARSER
- data and provides the ability to instantiate a crypto key from a
- public key packet found inside the certificate.
-
-+config PKCS7_MESSAGE_PARSER
-+ tristate "PKCS#7 message parser"
-+ depends on X509_CERTIFICATE_PARSER
-+ select ASN1
-+ select OID_REGISTRY
-+ help
-+ This option provides support for parsing PKCS#7 format messages for
-+ signature data and provides the ability to verify the signature.
-+
- endif # ASYMMETRIC_KEY_TYPE
-diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index 0727204..59d8cad 100644
---- a/crypto/asymmetric_keys/Makefile
-+++ b/crypto/asymmetric_keys/Makefile
-@@ -25,3 +25,16 @@ $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h
-
- clean-files += x509-asn1.c x509-asn1.h
- clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h
-+
-+#
-+# PKCS#7 message handling
-+#
-+obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
-+pkcs7_message-y := \
-+ pkcs7-asn1.o \
-+ pkcs7_parser.o
-+
-+$(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
-+$(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h
-+
-+clean-files += pkcs7-asn1.c pkcs7-asn1.h
-diff --git a/crypto/asymmetric_keys/pkcs7.asn1 b/crypto/asymmetric_keys/pkcs7.asn1
-new file mode 100644
-index 0000000..7bf91ed
---- /dev/null
-+++ b/crypto/asymmetric_keys/pkcs7.asn1
-@@ -0,0 +1,127 @@
-+PKCS7ContentInfo ::= SEQUENCE {
-+ contentType ContentType,
-+ content [0] EXPLICIT SignedData OPTIONAL
-+}
-+
-+ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID })
-+
-+SignedData ::= SEQUENCE {
-+ version INTEGER,
-+ digestAlgorithms DigestAlgorithmIdentifiers ({ pkcs7_note_digest_algo }),
-+ contentInfo ContentInfo,
-+ certificates CHOICE {
-+ certSet [0] IMPLICIT ExtendedCertificatesAndCertificates,
-+ certSequence [2] IMPLICIT Certificates
-+ } OPTIONAL ({ pkcs7_note_certificate_list }),
-+ crls CHOICE {
-+ crlSet [1] IMPLICIT CertificateRevocationLists,
-+ crlSequence [3] IMPLICIT CRLSequence
-+ } OPTIONAL,
-+ signerInfos SignerInfos
-+}
-+
-+ContentInfo ::= SEQUENCE {
-+ contentType ContentType,
-+ content [0] EXPLICIT Data OPTIONAL
-+}
-+
-+Data ::= ANY ({ pkcs7_note_data })
-+
-+DigestAlgorithmIdentifiers ::= CHOICE {
-+ daSet SET OF DigestAlgorithmIdentifier,
-+ daSequence SEQUENCE OF DigestAlgorithmIdentifier
-+}
-+
-+DigestAlgorithmIdentifier ::= SEQUENCE {
-+ algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }),
-+ parameters ANY OPTIONAL
-+}
-+
-+--
-+-- Certificates and certificate lists
-+--
-+ExtendedCertificatesAndCertificates ::= SET OF ExtendedCertificateOrCertificate
-+
-+ExtendedCertificateOrCertificate ::= CHOICE {
-+ certificate Certificate, -- X.509
-+ extendedCertificate [0] IMPLICIT ExtendedCertificate -- PKCS#6
-+}
-+
-+ExtendedCertificate ::= Certificate -- cheating
-+
-+Certificates ::= SEQUENCE OF Certificate
-+
-+CertificateRevocationLists ::= SET OF CertificateList
-+
-+CertificateList ::= SEQUENCE OF Certificate -- This may be defined incorrectly
-+
-+CRLSequence ::= SEQUENCE OF CertificateList
-+
-+Certificate ::= ANY ({ pkcs7_extract_cert }) -- X.509
-+
-+--
-+-- Signer information
-+--
-+SignerInfos ::= CHOICE {
-+ siSet SET OF SignerInfo,
-+ siSequence SEQUENCE OF SignerInfo
-+}
-+
-+SignerInfo ::= SEQUENCE {
-+ version INTEGER,
-+ issuerAndSerialNumber IssuerAndSerialNumber,
-+ digestAlgorithm DigestAlgorithmIdentifier ({ pkcs7_note_digest_algo }),
-+ authenticatedAttributes CHOICE {
-+ aaSet [0] IMPLICIT SetOfAuthenticatedAttribute
-+ ({ pkcs7_note_set_of_authattrs }),
-+ aaSequence [2] EXPLICIT SEQUENCE OF AuthenticatedAttribute
-+ -- Explicit because easier to compute digest on
-+ -- sequence of attributes and then reuse encoded
-+ -- sequence in aaSequence.
-+ } OPTIONAL,
-+ digestEncryptionAlgorithm
-+ DigestEncryptionAlgorithmIdentifier ({ pkcs7_note_pkey_algo }),
-+ encryptedDigest EncryptedDigest,
-+ unauthenticatedAttributes CHOICE {
-+ uaSet [1] IMPLICIT SET OF UnauthenticatedAttribute,
-+ uaSequence [3] IMPLICIT SEQUENCE OF UnauthenticatedAttribute
-+ } OPTIONAL
-+}
-+
-+IssuerAndSerialNumber ::= SEQUENCE {
-+ issuer Name ({ pkcs7_note_issuer }),
-+ serialNumber CertificateSerialNumber ({ pkcs7_note_serial })
-+}
-+
-+CertificateSerialNumber ::= INTEGER
-+
-+SetOfAuthenticatedAttribute ::= SET OF AuthenticatedAttribute
-+
-+AuthenticatedAttribute ::= SEQUENCE {
-+ type OBJECT IDENTIFIER ({ pkcs7_note_OID }),
-+ values SET OF ANY ({ pkcs7_note_authenticated_attr })
-+}
-+
-+UnauthenticatedAttribute ::= SEQUENCE {
-+ type OBJECT IDENTIFIER ({ pkcs7_note_OID }),
-+ values SET OF ANY
-+}
-+
-+DigestEncryptionAlgorithmIdentifier ::= SEQUENCE {
-+ algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }),
-+ parameters ANY OPTIONAL
-+}
-+
-+EncryptedDigest ::= OCTET STRING ({ pkcs7_note_signature })
-+
-+---
-+--- X.500 Name
-+---
-+Name ::= SEQUENCE OF RelativeDistinguishedName
-+
-+RelativeDistinguishedName ::= SET OF AttributeValueAssertion
-+
-+AttributeValueAssertion ::= SEQUENCE {
-+ attributeType OBJECT IDENTIFIER ({ pkcs7_note_OID }),
-+ attributeValue ANY
-+}
-diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
-new file mode 100644
-index 0000000..231aff9
---- /dev/null
-+++ b/crypto/asymmetric_keys/pkcs7_parser.c
-@@ -0,0 +1,326 @@
-+/* PKCS#7 parser
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) "PKCS7: "fmt
-+#include <linux/kernel.h>
-+#include <linux/export.h>
-+#include <linux/slab.h>
-+#include <linux/err.h>
-+#include <linux/oid_registry.h>
-+#include "public_key.h"
-+#include "pkcs7_parser.h"
-+#include "pkcs7-asn1.h"
-+
-+struct pkcs7_parse_context {
-+ struct pkcs7_message *msg; /* Message being constructed */
-+ struct x509_certificate *certs; /* Certificate cache */
-+ struct x509_certificate **ppcerts;
-+ unsigned long data; /* Start of data */
-+ enum OID last_oid; /* Last OID encountered */
-+};
-+
-+/*
-+ * Free a PKCS#7 message
-+ */
-+void pkcs7_free_message(struct pkcs7_message *pkcs7)
-+{
-+ struct x509_certificate *cert;
-+
-+ if (pkcs7) {
-+ while (pkcs7->certs) {
-+ cert = pkcs7->certs;
-+ pkcs7->certs = cert->next;
-+ x509_free_certificate(cert);
-+ }
-+ while (pkcs7->crl) {
-+ cert = pkcs7->crl;
-+ pkcs7->crl = cert->next;
-+ x509_free_certificate(cert);
-+ }
-+ kfree(pkcs7->sig.digest);
-+ mpi_free(pkcs7->sig.mpi[0]);
-+ kfree(pkcs7);
-+ }
-+}
-+EXPORT_SYMBOL_GPL(pkcs7_free_message);
-+
-+/*
-+ * Parse a PKCS#7 message
-+ */
-+struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen)
-+{
-+ struct pkcs7_parse_context *ctx;
-+ struct pkcs7_message *msg;
-+ long ret;
-+
-+ ret = -ENOMEM;
-+ msg = kzalloc(sizeof(struct pkcs7_message), GFP_KERNEL);
-+ if (!msg)
-+ goto error_no_sig;
-+ ctx = kzalloc(sizeof(struct pkcs7_parse_context), GFP_KERNEL);
-+ if (!ctx)
-+ goto error_no_ctx;
-+
-+ ctx->msg = msg;
-+ ctx->data = (unsigned long)data;
-+ ctx->ppcerts = &ctx->certs;
-+
-+ /* Attempt to decode the signature */
-+ ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
-+ if (ret < 0)
-+ goto error_decode;
-+
-+ while (ctx->certs) {
-+ struct x509_certificate *cert = ctx->certs;
-+ ctx->certs = cert->next;
-+ x509_free_certificate(cert);
-+ }
-+ kfree(ctx);
-+ return msg;
-+
-+error_decode:
-+ kfree(ctx);
-+error_no_ctx:
-+ pkcs7_free_message(msg);
-+error_no_sig:
-+ return ERR_PTR(ret);
-+}
-+EXPORT_SYMBOL_GPL(pkcs7_parse_message);
-+
-+/*
-+ * Note an OID when we find one for later processing when we know how
-+ * to interpret it.
-+ */
-+int pkcs7_note_OID(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+
-+ ctx->last_oid = look_up_OID(value, vlen);
-+ if (ctx->last_oid == OID__NR) {
-+ char buffer[50];
-+ sprint_oid(value, vlen, buffer, sizeof(buffer));
-+ printk("PKCS7: Unknown OID: [%lu] %s\n",
-+ (unsigned long)value - ctx->data, buffer);
-+ }
-+ return 0;
-+}
-+
-+/*
-+ * Note the digest algorithm for the signature.
-+ */
-+int pkcs7_note_digest_algo(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+
-+ switch (ctx->last_oid) {
-+ case OID_md4:
-+ ctx->msg->sig.pkey_hash_algo = PKEY_HASH_MD4;
-+ break;
-+ case OID_md5:
-+ ctx->msg->sig.pkey_hash_algo = PKEY_HASH_MD5;
-+ break;
-+ case OID_sha1:
-+ ctx->msg->sig.pkey_hash_algo = PKEY_HASH_SHA1;
-+ break;
-+ case OID_sha256:
-+ ctx->msg->sig.pkey_hash_algo = PKEY_HASH_SHA256;
-+ break;
-+ default:
-+ printk("Unsupported digest algo: %u\n", ctx->last_oid);
-+ return -ENOPKG;
-+ }
-+ return 0;
-+}
-+
-+/*
-+ * Note the public key algorithm for the signature.
-+ */
-+int pkcs7_note_pkey_algo(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+
-+ switch (ctx->last_oid) {
-+ case OID_rsaEncryption:
-+ ctx->msg->sig.pkey_algo = PKEY_ALGO_RSA;
-+ break;
-+ default:
-+ printk("Unsupported pkey algo: %u\n", ctx->last_oid);
-+ return -ENOPKG;
-+ }
-+ return 0;
-+}
-+
-+/*
-+ * Extract a certificate and store it in the context.
-+ */
-+int pkcs7_extract_cert(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+ struct x509_certificate *cert;
-+
-+ if (tag != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ)) {
-+ pr_debug("Cert began with tag %02x at %lu\n",
-+ tag, (unsigned long)ctx - ctx->data);
-+ return -EBADMSG;
-+ }
-+
-+ /* We have to correct for the header so that the X.509 parser can start
-+ * from the beginning. Note that since X.509 stipulates DER, there
-+ * probably shouldn't be an EOC trailer - but it is in PKCS#7 (which
-+ * stipulates BER).
-+ */
-+ value -= hdrlen;
-+ vlen += hdrlen;
-+
-+ if (((u8*)value)[1] == 0x80)
-+ vlen += 2; /* Indefinite length - there should be an EOC */
-+
-+ cert = x509_cert_parse(value, vlen);
-+ if (IS_ERR(cert))
-+ return PTR_ERR(cert);
-+
-+ pr_debug("Got cert for %s\n", cert->subject);
-+ pr_debug("- fingerprint %s\n", cert->fingerprint);
-+
-+ *ctx->ppcerts = cert;
-+ ctx->ppcerts = &cert->next;
-+ return 0;
-+}
-+
-+/*
-+ * Save the certificate list
-+ */
-+int pkcs7_note_certificate_list(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+
-+ pr_devel("Got cert list (%02x)\n", tag);
-+
-+ *ctx->ppcerts = ctx->msg->certs;
-+ ctx->msg->certs = ctx->certs;
-+ ctx->certs = NULL;
-+ ctx->ppcerts = &ctx->certs;
-+ return 0;
-+}
-+
-+/*
-+ * Extract the data from the signature and store that and its content type OID
-+ * in the context.
-+ */
-+int pkcs7_note_data(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+
-+ pr_debug("Got data\n");
-+
-+ ctx->msg->data = value;
-+ ctx->msg->data_len = vlen;
-+ ctx->msg->data_hdrlen = hdrlen;
-+ ctx->msg->data_type = ctx->last_oid;
-+ return 0;
-+}
-+
-+/*
-+ * Parse authenticated attributes
-+ */
-+int pkcs7_note_authenticated_attr(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+
-+ pr_devel("AuthAttr: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value);
-+
-+ switch (ctx->last_oid) {
-+ case OID_messageDigest:
-+ if (tag != ASN1_OTS)
-+ return -EBADMSG;
-+ ctx->msg->msgdigest = value;
-+ ctx->msg->msgdigest_len = vlen;
-+ return 0;
-+ default:
-+ return 0;
-+ }
-+}
-+
-+/*
-+ * Note the set of auth attributes for digestion purposes [RFC2315 9.3]
-+ */
-+int pkcs7_note_set_of_authattrs(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+
-+ /* We need to switch the 'CONT 0' to a 'SET OF' when we digest */
-+ ctx->msg->authattrs = value - (hdrlen - 1);
-+ ctx->msg->authattrs_len = vlen + (hdrlen - 1);
-+ return 0;
-+}
-+
-+/*
-+ * Note the issuing certificate serial number
-+ */
-+int pkcs7_note_serial(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+ ctx->msg->raw_serial = value;
-+ ctx->msg->raw_serial_size = vlen;
-+ return 0;
-+}
-+
-+/*
-+ * Note the issuer's name
-+ */
-+int pkcs7_note_issuer(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+ ctx->msg->raw_issuer = value;
-+ ctx->msg->raw_issuer_size = vlen;
-+ return 0;
-+}
-+
-+/*
-+ * Note the signature data
-+ */
-+int pkcs7_note_signature(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pkcs7_parse_context *ctx = context;
-+ MPI mpi;
-+
-+ BUG_ON(ctx->msg->sig.pkey_algo != PKEY_ALGO_RSA);
-+
-+ mpi = mpi_read_raw_data(value, vlen);
-+ if (!mpi)
-+ return -ENOMEM;
-+
-+ ctx->msg->sig.mpi[0] = mpi;
-+ ctx->msg->sig.nr_mpi = 1;
-+ return 0;
-+}
-diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
-new file mode 100644
-index 0000000..5415857
---- /dev/null
-+++ b/crypto/asymmetric_keys/pkcs7_parser.h
-@@ -0,0 +1,65 @@
-+/* PKCS#7 crypto data parser internal definitions
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#include <linux/oid_registry.h>
-+#include "x509_parser.h"
-+
-+#define kenter(FMT, ...) \
-+ pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
-+#define kleave(FMT, ...) \
-+ pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
-+
-+struct pkcs7_message {
-+ struct x509_certificate *certs; /* Certificate list */
-+ struct x509_certificate *crl; /* Revocation list */
-+ struct x509_certificate *signer; /* Signing certificate (in ->certs) */
-+
-+ /* Content Data (or NULL) */
-+ enum OID data_type; /* Type of Data */
-+ size_t data_len; /* Length of Data */
-+ size_t data_hdrlen; /* Length of Data ASN.1 header */
-+ const void *data; /* Content Data (or 0) */
-+
-+ /* Message digest - the digest of the Content Data (or NULL) */
-+ const void *msgdigest;
-+ unsigned msgdigest_len;
-+
-+ /* Authenticated Attribute data (or NULL) */
-+ unsigned authattrs_len;
-+ const void *authattrs;
-+
-+ /* Issuing cert serial number and issuer's name */
-+ const void *raw_serial;
-+ unsigned raw_serial_size;
-+ unsigned raw_issuer_size;
-+ const void *raw_issuer;
-+
-+ /* Message signature.
-+ *
-+ * This contains the generated digest of _either_ the Content Data or
-+ * the Authenticated Attributes [RFC2315 9.3]. If the latter, one of
-+ * the attributes contains the digest of the the Content Data within
-+ * it.
-+ */
-+ struct public_key_signature sig;
-+};
-+
-+/*
-+ * pkcs7_parser.c
-+ */
-+extern struct pkcs7_message *pkcs7_parse_message(const void *data,
-+ size_t datalen);
-+extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
-+
-+/*
-+ * pkcs7_verify.c
-+ */
-+extern int pkcs7_verify(struct pkcs7_message *pkcs7);
-diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
-index 6926db7..edeff85 100644
---- a/include/linux/oid_registry.h
-+++ b/include/linux/oid_registry.h
-@@ -55,6 +55,7 @@ enum OID {
- OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
- OID_msOutlookExpress, /* 1.3.6.1.4.1.311.16.4 */
- OID_sha1, /* 1.3.14.3.2.26 */
-+ OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
-
- /* Distinguished Name attribute IDs [RFC 2256] */
- OID_commonName, /* 2.5.4.3 */
---
-1.8.1.4
-
-
-From 3b4b82eecde52c1bd75ab11ef7f8a5c13ec73c40 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:38 +0000
-Subject: [PATCH 16/47] PKCS#7: Digest the data in a signed-data message
-
-Digest the data in a PKCS#7 signed-data message and attach to the
-public_key_signature struct contained in the pkcs7_message struct.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/Makefile | 3 +-
- crypto/asymmetric_keys/pkcs7_verify.c | 134 ++++++++++++++++++++++++++++++++++
- 2 files changed, 136 insertions(+), 1 deletion(-)
- create mode 100644 crypto/asymmetric_keys/pkcs7_verify.c
-
-diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index 59d8cad..b6b39e7 100644
---- a/crypto/asymmetric_keys/Makefile
-+++ b/crypto/asymmetric_keys/Makefile
-@@ -32,7 +32,8 @@ clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h
- obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
- pkcs7_message-y := \
- pkcs7-asn1.o \
-- pkcs7_parser.o
-+ pkcs7_parser.o \
-+ pkcs7_verify.o
-
- $(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
- $(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h
-diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
-new file mode 100644
-index 0000000..2f9f26c
---- /dev/null
-+++ b/crypto/asymmetric_keys/pkcs7_verify.c
-@@ -0,0 +1,134 @@
-+/* Verify the signature on a PKCS#7 message.
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) "PKCS7: "fmt
-+#include <linux/kernel.h>
-+#include <linux/export.h>
-+#include <linux/slab.h>
-+#include <linux/err.h>
-+#include <linux/asn1.h>
-+#include <crypto/hash.h>
-+#include "public_key.h"
-+#include "pkcs7_parser.h"
-+
-+/*
-+ * Digest the relevant parts of the PKCS#7 data
-+ */
-+static int pkcs7_digest(struct pkcs7_message *pkcs7)
-+{
-+ struct crypto_shash *tfm;
-+ struct shash_desc *desc;
-+ size_t digest_size, desc_size;
-+ void *digest;
-+ int ret;
-+
-+ kenter(",%u", pkcs7->sig.pkey_hash_algo);
-+
-+ if (pkcs7->sig.pkey_hash_algo >= PKEY_HASH__LAST ||
-+ !pkey_hash_algo_name[pkcs7->sig.pkey_hash_algo])
-+ return -ENOPKG;
-+
-+ /* Allocate the hashing algorithm we're going to need and find out how
-+ * big the hash operational data will be.
-+ */
-+ tfm = crypto_alloc_shash(pkey_hash_algo_name[pkcs7->sig.pkey_hash_algo],
-+ 0, 0);
-+ if (IS_ERR(tfm))
-+ return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
-+
-+ desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
-+ pkcs7->sig.digest_size = digest_size = crypto_shash_digestsize(tfm);
-+
-+ ret = -ENOMEM;
-+ digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
-+ if (!digest)
-+ goto error_no_desc;
-+
-+ desc = digest + digest_size;
-+ desc->tfm = tfm;
-+ desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
-+
-+ /* Digest the message [RFC2315 9.3] */
-+ ret = crypto_shash_init(desc);
-+ if (ret < 0)
-+ goto error;
-+ ret = crypto_shash_finup(desc, pkcs7->data, pkcs7->data_len, digest);
-+ if (ret < 0)
-+ goto error;
-+ pr_devel("MsgDigest = [%*ph]\n", 8, digest);
-+
-+ /* However, if there are authenticated attributes, there must be a
-+ * message digest attribute amongst them which corresponds to the
-+ * digest we just calculated.
-+ */
-+ if (pkcs7->msgdigest) {
-+ u8 tag;
-+
-+ if (pkcs7->msgdigest_len != pkcs7->sig.digest_size) {
-+ pr_debug("Invalid digest size (%u)\n",
-+ pkcs7->msgdigest_len);
-+ ret = -EBADMSG;
-+ goto error;
-+ }
-+
-+ if (memcmp(digest, pkcs7->msgdigest, pkcs7->msgdigest_len) != 0) {
-+ pr_debug("Message digest doesn't match\n");
-+ ret = -EKEYREJECTED;
-+ goto error;
-+ }
-+
-+ /* We then calculate anew, using the authenticated attributes
-+ * as the contents of the digest instead. Note that we need to
-+ * convert the attributes from a CONT.0 into a SET before we
-+ * hash it.
-+ */
-+ memset(digest, 0, pkcs7->sig.digest_size);
-+
-+ ret = crypto_shash_init(desc);
-+ if (ret < 0)
-+ goto error;
-+ tag = ASN1_CONS_BIT | ASN1_SET;
-+ ret = crypto_shash_update(desc, &tag, 1);
-+ if (ret < 0)
-+ goto error;
-+ ret = crypto_shash_finup(desc, pkcs7->authattrs,
-+ pkcs7->authattrs_len, digest);
-+ if (ret < 0)
-+ goto error;
-+ pr_devel("AADigest = [%*ph]\n", 8, digest);
-+ }
-+
-+ pkcs7->sig.digest = digest;
-+ digest = NULL;
-+
-+error:
-+ kfree(digest);
-+error_no_desc:
-+ crypto_free_shash(tfm);
-+ kleave(" = %d\n", ret);
-+ return ret;
-+}
-+
-+/*
-+ * Verify a PKCS#7 message
-+ */
-+int pkcs7_verify(struct pkcs7_message *pkcs7)
-+{
-+ int ret;
-+
-+ /* First of all, digest the data in the PKCS#7 message */
-+ ret = pkcs7_digest(pkcs7);
-+ if (ret < 0)
-+ return ret;
-+
-+ return 0;
-+}
-+EXPORT_SYMBOL_GPL(pkcs7_verify);
---
-1.8.1.4
-
-
-From e67fed4626a30dd11967abad9187013ff4185991 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:39 +0000
-Subject: [PATCH 17/47] PKCS#7: Find the right key in the PKCS#7 key list and
- verify the signature
-
-Find the appropriate key in the PKCS#7 key list and verify the signature with
-it. There may be several keys in there forming a chain. Any link in that
-chain or the root of that chain may be in our keyrings.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/pkcs7_verify.c | 61 +++++++++++++++++++++++++++++++++++
- 1 file changed, 61 insertions(+)
-
-diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
-index 2f9f26c..3f6f0e2 100644
---- a/crypto/asymmetric_keys/pkcs7_verify.c
-+++ b/crypto/asymmetric_keys/pkcs7_verify.c
-@@ -118,6 +118,53 @@ error_no_desc:
- }
-
- /*
-+ * Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7
-+ * uses the issuer's name and the issuing certificate serial number for
-+ * matching purposes. These must match the certificate issuer's name (not
-+ * subject's name) and the certificate serial number [RFC 2315 6.7].
-+ */
-+static int pkcs7_find_key(struct pkcs7_message *pkcs7)
-+{
-+ struct x509_certificate *x509;
-+
-+ kenter("%u,%u", pkcs7->raw_serial_size, pkcs7->raw_issuer_size);
-+
-+ for (x509 = pkcs7->certs; x509; x509 = x509->next) {
-+ pr_devel("- x509 %u,%u\n",
-+ x509->raw_serial_size, x509->raw_issuer_size);
-+
-+ /* I'm _assuming_ that the generator of the PKCS#7 message will
-+ * encode the fields from the X.509 cert in the same way in the
-+ * PKCS#7 message - but I can't be 100% sure of that. It's
-+ * possible this will need element-by-element comparison.
-+ */
-+ if (x509->raw_serial_size != pkcs7->raw_serial_size ||
-+ memcmp(x509->raw_serial, pkcs7->raw_serial,
-+ pkcs7->raw_serial_size) != 0)
-+ continue;
-+ pr_devel("Found cert serial match\n");
-+
-+ if (x509->raw_issuer_size != pkcs7->raw_issuer_size ||
-+ memcmp(x509->raw_issuer, pkcs7->raw_issuer,
-+ pkcs7->raw_issuer_size) != 0) {
-+ pr_warn("X.509 subject and PKCS#7 issuer don't match\n");
-+ continue;
-+ }
-+
-+ if (x509->pub->pkey_algo != pkcs7->sig.pkey_algo) {
-+ pr_warn("X.509 algo and PKCS#7 sig algo don't match\n");
-+ continue;
-+ }
-+
-+ pkcs7->signer = x509;
-+ return 0;
-+ }
-+ pr_warn("Issuing X.509 cert not found (#%*ph)\n",
-+ pkcs7->raw_serial_size, pkcs7->raw_serial);
-+ return -ENOKEY;
-+}
-+
-+/*
- * Verify a PKCS#7 message
- */
- int pkcs7_verify(struct pkcs7_message *pkcs7)
-@@ -129,6 +176,20 @@ int pkcs7_verify(struct pkcs7_message *pkcs7)
- if (ret < 0)
- return ret;
-
-+ /* Find the key for the message signature */
-+ ret = pkcs7_find_key(pkcs7);
-+ if (ret < 0)
-+ return ret;
-+
-+ pr_devel("Found X.509 cert\n");
-+
-+ /* Verify the PKCS#7 binary against the key */
-+ ret = public_key_verify_signature(pkcs7->signer->pub, &pkcs7->sig);
-+ if (ret < 0)
-+ return ret;
-+
-+ pr_devel("Verified signature\n");
-+
- return 0;
- }
- EXPORT_SYMBOL_GPL(pkcs7_verify);
---
-1.8.1.4
-
-
-From 87ec8d783c887617ee6e85f66a9ce1a03c627e87 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:39 +0000
-Subject: [PATCH 18/47] PKCS#7: Verify internal certificate chain
-
-Verify certificate chain in the X.509 certificates contained within the PKCS#7
-message as far as possible. If any signature that we should be able to verify
-fails, we reject the whole lot.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/pkcs7_verify.c | 67 ++++++++++++++++++++++++++++++++++-
- crypto/asymmetric_keys/x509_parser.h | 1 +
- 2 files changed, 67 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
-index 3f6f0e2..b3774bd 100644
---- a/crypto/asymmetric_keys/pkcs7_verify.c
-+++ b/crypto/asymmetric_keys/pkcs7_verify.c
-@@ -165,6 +165,70 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7)
- }
-
- /*
-+ * Verify the internal certificate chain as best we can.
-+ */
-+static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7)
-+{
-+ struct x509_certificate *x509 = pkcs7->signer, *p;
-+ int ret;
-+
-+ kenter("");
-+
-+ for (;;) {
-+ pr_debug("verify %s: %s\n", x509->subject, x509->fingerprint);
-+ ret = x509_get_sig_params(x509);
-+ if (ret < 0)
-+ return ret;
-+
-+ if (x509->issuer)
-+ pr_debug("- issuer %s\n", x509->issuer);
-+ if (x509->authority)
-+ pr_debug("- authkeyid %s\n", x509->authority);
-+
-+ if (!x509->authority ||
-+ (x509->subject &&
-+ strcmp(x509->subject, x509->authority) == 0)) {
-+ /* If there's no authority certificate specified, then
-+ * the certificate must be self-signed and is the root
-+ * of the chain. Likewise if the cert is its own
-+ * authority.
-+ */
-+ pr_debug("- no auth?\n");
-+ if (x509->raw_subject_size != x509->raw_issuer_size ||
-+ memcmp(x509->raw_subject, x509->raw_issuer,
-+ x509->raw_issuer_size) != 0)
-+ return 0;
-+
-+ ret = x509_check_signature(x509->pub, x509);
-+ if (ret < 0)
-+ return ret;
-+ x509->signer = x509;
-+ pr_debug("- self-signed\n");
-+ return 0;
-+ }
-+
-+ for (p = pkcs7->certs; p; p = p->next)
-+ if (!p->signer &&
-+ p->raw_subject_size == x509->raw_issuer_size &&
-+ strcmp(p->fingerprint, x509->authority) == 0 &&
-+ memcmp(p->raw_subject, x509->raw_issuer,
-+ x509->raw_issuer_size) == 0)
-+ goto found_issuer;
-+ pr_debug("- top\n");
-+ return 0;
-+
-+ found_issuer:
-+ pr_debug("- issuer %s\n", p->subject);
-+ ret = x509_check_signature(p->pub, x509);
-+ if (ret < 0)
-+ return ret;
-+ x509->signer = p;
-+ x509 = p;
-+ might_sleep();
-+ }
-+}
-+
-+/*
- * Verify a PKCS#7 message
- */
- int pkcs7_verify(struct pkcs7_message *pkcs7)
-@@ -190,6 +254,7 @@ int pkcs7_verify(struct pkcs7_message *pkcs7)
-
- pr_devel("Verified signature\n");
-
-- return 0;
-+ /* Verify the internal certificate chain */
-+ return pkcs7_verify_sig_chain(pkcs7);
- }
- EXPORT_SYMBOL_GPL(pkcs7_verify);
-diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
-index 6b1d877..5e35fba 100644
---- a/crypto/asymmetric_keys/x509_parser.h
-+++ b/crypto/asymmetric_keys/x509_parser.h
-@@ -14,6 +14,7 @@
-
- struct x509_certificate {
- struct x509_certificate *next;
-+ const struct x509_certificate *signer; /* Certificate that signed this one */
- struct public_key *pub; /* Public key details */
- char *issuer; /* Name of certificate issuer */
- char *subject; /* Name of certificate subject */
---
-1.8.1.4
-
-
-From cc6c40318a05330e4bb201b35378d7c0a0278aaa Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:42 +0000
-Subject: [PATCH 19/47] PKCS#7: Find intersection between PKCS#7 message and
- known, trusted keys
-
-Find the intersection between the X.509 certificate chain contained in a PKCS#7
-message and a set of keys that we already know and trust.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/Makefile | 1 +
- crypto/asymmetric_keys/pkcs7_parser.h | 7 ++
- crypto/asymmetric_keys/pkcs7_trust.c | 149 ++++++++++++++++++++++++++++++++++
- 3 files changed, 157 insertions(+)
- create mode 100644 crypto/asymmetric_keys/pkcs7_trust.c
-
-diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index b6b39e7..d63cb43 100644
---- a/crypto/asymmetric_keys/Makefile
-+++ b/crypto/asymmetric_keys/Makefile
-@@ -33,6 +33,7 @@ obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
- pkcs7_message-y := \
- pkcs7-asn1.o \
- pkcs7_parser.o \
-+ pkcs7_trust.o \
- pkcs7_verify.o
-
- $(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
-diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
-index 5415857..ffa72dc 100644
---- a/crypto/asymmetric_keys/pkcs7_parser.h
-+++ b/crypto/asymmetric_keys/pkcs7_parser.h
-@@ -60,6 +60,13 @@ extern struct pkcs7_message *pkcs7_parse_message(const void *data,
- extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
-
- /*
-+ * pkcs7_trust.c
-+ */
-+extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
-+ struct key *trust_keyring,
-+ bool *_trusted);
-+
-+/*
- * pkcs7_verify.c
- */
- extern int pkcs7_verify(struct pkcs7_message *pkcs7);
-diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
-new file mode 100644
-index 0000000..cc226f5
---- /dev/null
-+++ b/crypto/asymmetric_keys/pkcs7_trust.c
-@@ -0,0 +1,149 @@
-+/* Validate the trust chain of a PKCS#7 message.
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) "PKCS7: "fmt
-+#include <linux/kernel.h>
-+#include <linux/export.h>
-+#include <linux/slab.h>
-+#include <linux/err.h>
-+#include <linux/asn1.h>
-+#include <linux/key.h>
-+#include <keys/asymmetric-type.h>
-+#include "public_key.h"
-+#include "pkcs7_parser.h"
-+
-+/*
-+ * Request an asymmetric key.
-+ */
-+static struct key *pkcs7_request_asymmetric_key(
-+ struct key *keyring,
-+ const char *signer, size_t signer_len,
-+ const char *authority, size_t auth_len)
-+{
-+ key_ref_t key;
-+ char *id;
-+
-+ kenter(",%zu,,%zu", signer_len, auth_len);
-+
-+ /* Construct an identifier. */
-+ id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
-+ if (!id)
-+ return ERR_PTR(-ENOMEM);
-+
-+ memcpy(id, signer, signer_len);
-+ id[signer_len + 0] = ':';
-+ id[signer_len + 1] = ' ';
-+ memcpy(id + signer_len + 2, authority, auth_len);
-+ id[signer_len + 2 + auth_len] = 0;
-+
-+ pr_debug("Look up: \"%s\"\n", id);
-+
-+ key = keyring_search(make_key_ref(keyring, 1),
-+ &key_type_asymmetric, id);
-+ if (IS_ERR(key))
-+ pr_debug("Request for module key '%s' err %ld\n",
-+ id, PTR_ERR(key));
-+ kfree(id);
-+
-+ if (IS_ERR(key)) {
-+ switch (PTR_ERR(key)) {
-+ /* Hide some search errors */
-+ case -EACCES:
-+ case -ENOTDIR:
-+ case -EAGAIN:
-+ return ERR_PTR(-ENOKEY);
-+ default:
-+ return ERR_CAST(key);
-+ }
-+ }
-+
-+ pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
-+ return key_ref_to_ptr(key);
-+}
-+
-+/*
-+ * Validate that the certificate chain inside the PKCS#7 message intersects
-+ * keys we already know and trust.
-+ */
-+int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
-+ struct key *trust_keyring,
-+ bool *_trusted)
-+{
-+ struct public_key_signature *sig = &pkcs7->sig;
-+ struct x509_certificate *x509, *last = NULL;
-+ struct key *key;
-+ bool trusted;
-+ int ret;
-+
-+ kenter("");
-+
-+ for (x509 = pkcs7->signer; x509; x509 = x509->next) {
-+ /* Look to see if this certificate is present in the trusted
-+ * keys.
-+ */
-+ key = pkcs7_request_asymmetric_key(
-+ trust_keyring,
-+ x509->subject, strlen(x509->subject),
-+ x509->fingerprint, strlen(x509->fingerprint));
-+ if (!IS_ERR(key))
-+ /* One of the X.509 certificates in the PKCS#7 message
-+ * is apparently the same as one we already trust.
-+ * Verify that the trusted variant can also validate
-+ * the signature on the descendent.
-+ */
-+ goto matched;
-+ if (key == ERR_PTR(-ENOMEM))
-+ return -ENOMEM;
-+
-+ /* Self-signed certificates form roots of their own, and if we
-+ * don't know them, then we can't accept them.
-+ */
-+ if (x509->next == x509) {
-+ kleave(" = -EKEYREJECTED [unknown self-signed]");
-+ return -EKEYREJECTED;
-+ }
-+
-+ might_sleep();
-+ last = x509;
-+ sig = &last->sig;
-+ }
-+
-+ /* No match - see if the root certificate has a signer amongst the
-+ * trusted keys.
-+ */
-+ if (!last || !last->issuer || !last->authority) {
-+ kleave(" = -EKEYREJECTED [no backref]");
-+ return -EKEYREJECTED;
-+ }
-+
-+ key = pkcs7_request_asymmetric_key(
-+ trust_keyring,
-+ last->issuer, strlen(last->issuer),
-+ last->authority, strlen(last->authority));
-+ if (IS_ERR(key))
-+ return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -EKEYREJECTED;
-+
-+matched:
-+ ret = verify_signature(key, sig);
-+ trusted = test_bit(KEY_FLAG_TRUSTED, &key->flags);
-+ key_put(key);
-+ if (ret < 0) {
-+ if (ret == -ENOMEM)
-+ return ret;
-+ kleave(" = -EKEYREJECTED [verify %d]", ret);
-+ return -EKEYREJECTED;
-+ }
-+
-+ *_trusted = trusted;
-+ kleave(" = 0");
-+ return 0;
-+}
-+EXPORT_SYMBOL_GPL(pkcs7_validate_trust);
---
-1.8.1.4
-
-
-From f20b0d77771133bd0d7e89932fef494f00687607 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:39 +0000
-Subject: [PATCH 20/47] Provide PE binary definitions
-
-Provide some PE binary structural and constant definitions as taken from the
-pesign package sources.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- include/linux/pe.h | 448 +++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 448 insertions(+)
- create mode 100644 include/linux/pe.h
-
-diff --git a/include/linux/pe.h b/include/linux/pe.h
-new file mode 100644
-index 0000000..9234aef
---- /dev/null
-+++ b/include/linux/pe.h
-@@ -0,0 +1,448 @@
-+/*
-+ * Copyright 2011 Red Hat, Inc.
-+ * All rights reserved.
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; version 2 of the License.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
-+ *
-+ * Author(s): Peter Jones <pjones@redhat.com>
-+ */
-+#ifndef __LINUX_PE_H
-+#define __LINUX_PE_H
-+
-+#include <linux/types.h>
-+
-+#define MZ_MAGIC 0x5a4d /* "MZ" */
-+
-+struct mz_hdr {
-+ uint16_t magic; /* MZ_MAGIC */
-+ uint16_t lbsize; /* size of last used block */
-+ uint16_t blocks; /* pages in file, 0x3 */
-+ uint16_t relocs; /* relocations */
-+ uint16_t hdrsize; /* header size in "paragraphs" */
-+ uint16_t min_extra_pps; /* .bss */
-+ uint16_t max_extra_pps; /* runtime limit for the arena size */
-+ uint16_t ss; /* relative stack segment */
-+ uint16_t sp; /* initial %sp register */
-+ uint16_t checksum; /* word checksum */
-+ uint16_t ip; /* initial %ip register */
-+ uint16_t cs; /* initial %cs relative to load segment */
-+ uint16_t reloc_table_offset; /* offset of the first relocation */
-+ uint16_t overlay_num; /* overlay number. set to 0. */
-+ uint16_t reserved0[4]; /* reserved */
-+ uint16_t oem_id; /* oem identifier */
-+ uint16_t oem_info; /* oem specific */
-+ uint16_t reserved1[10]; /* reserved */
-+ uint32_t peaddr; /* address of pe header */
-+ char message[64]; /* message to print */
-+};
-+
-+struct mz_reloc {
-+ uint16_t offset;
-+ uint16_t segment;
-+};
-+
-+#define PE_MAGIC 0x00004550 /* "PE\0\0" */
-+#define PE_OPT_MAGIC_PE32 0x010b
-+#define PE_OPT_MAGIC_PE32_ROM 0x0107
-+#define PE_OPT_MAGIC_PE32PLUS 0x020b
-+
-+/* machine type */
-+#define IMAGE_FILE_MACHINE_UNKNOWN 0x0000
-+#define IMAGE_FILE_MACHINE_AM33 0x01d3
-+#define IMAGE_FILE_MACHINE_AMD64 0x8664
-+#define IMAGE_FILE_MACHINE_ARM 0x01c0
-+#define IMAGE_FILE_MACHINE_ARMV7 0x01c4
-+#define IMAGE_FILE_MACHINE_EBC 0x0ebc
-+#define IMAGE_FILE_MACHINE_I386 0x014c
-+#define IMAGE_FILE_MACHINE_IA64 0x0200
-+#define IMAGE_FILE_MACHINE_M32R 0x9041
-+#define IMAGE_FILE_MACHINE_MIPS16 0x0266
-+#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366
-+#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466
-+#define IMAGE_FILE_MACHINE_POWERPC 0x01f0
-+#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
-+#define IMAGE_FILE_MACHINE_R4000 0x0166
-+#define IMAGE_FILE_MACHINE_SH3 0x01a2
-+#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
-+#define IMAGE_FILE_MACHINE_SH3E 0x01a4
-+#define IMAGE_FILE_MACHINE_SH4 0x01a6
-+#define IMAGE_FILE_MACHINE_SH5 0x01a8
-+#define IMAGE_FILE_MACHINE_THUMB 0x01c2
-+#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
-+
-+/* flags */
-+#define IMAGE_FILE_RELOCS_STRIPPED 0x0001
-+#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002
-+#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004
-+#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008
-+#define IMAGE_FILE_AGGRESSIVE_WS_TRIM 0x0010
-+#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020
-+#define IMAGE_FILE_16BIT_MACHINE 0x0040
-+#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080
-+#define IMAGE_FILE_32BIT_MACHINE 0x0100
-+#define IMAGE_FILE_DEBUG_STRIPPED 0x0200
-+#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400
-+#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800
-+#define IMAGE_FILE_SYSTEM 0x1000
-+#define IMAGE_FILE_DLL 0x2000
-+#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000
-+#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000
-+
-+struct pe_hdr {
-+ uint32_t magic; /* PE magic */
-+ uint16_t machine; /* machine type */
-+ uint16_t sections; /* number of sections */
-+ uint32_t timestamp; /* time_t */
-+ uint32_t symbol_table; /* symbol table offset */
-+ uint32_t symbols; /* number of symbols */
-+ uint16_t opt_hdr_size; /* size of optional header */
-+ uint16_t flags; /* flags */
-+};
-+
-+#define IMAGE_FILE_OPT_ROM_MAGIC 0x107
-+#define IMAGE_FILE_OPT_PE32_MAGIC 0x10b
-+#define IMAGE_FILE_OPT_PE32_PLUS_MAGIC 0x20b
-+
-+#define IMAGE_SUBSYSTEM_UNKNOWN 0
-+#define IMAGE_SUBSYSTEM_NATIVE 1
-+#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2
-+#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3
-+#define IMAGE_SUBSYSTEM_POSIX_CUI 7
-+#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9
-+#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10
-+#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11
-+#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12
-+#define IMAGE_SUBSYSTEM_EFI_ROM_IMAGE 13
-+#define IMAGE_SUBSYSTEM_XBOX 14
-+
-+#define IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE 0x0040
-+#define IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY 0x0080
-+#define IMAGE_DLL_CHARACTERISTICS_NX_COMPAT 0x0100
-+#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
-+#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
-+#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
-+#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
-+#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
-+
-+/* the fact that pe32 isn't padded where pe32+ is 64-bit means union won't
-+ * work right. vomit. */
-+struct pe32_opt_hdr {
-+ /* "standard" header */
-+ uint16_t magic; /* file type */
-+ uint8_t ld_major; /* linker major version */
-+ uint8_t ld_minor; /* linker minor version */
-+ uint32_t text_size; /* size of text section(s) */
-+ uint32_t data_size; /* size of data section(s) */
-+ uint32_t bss_size; /* size of bss section(s) */
-+ uint32_t entry_point; /* file offset of entry point */
-+ uint32_t code_base; /* relative code addr in ram */
-+ uint32_t data_base; /* relative data addr in ram */
-+ /* "windows" header */
-+ uint32_t image_base; /* preferred load address */
-+ uint32_t section_align; /* alignment in bytes */
-+ uint32_t file_align; /* file alignment in bytes */
-+ uint16_t os_major; /* major OS version */
-+ uint16_t os_minor; /* minor OS version */
-+ uint16_t image_major; /* major image version */
-+ uint16_t image_minor; /* minor image version */
-+ uint16_t subsys_major; /* major subsystem version */
-+ uint16_t subsys_minor; /* minor subsystem version */
-+ uint32_t win32_version; /* reserved, must be 0 */
-+ uint32_t image_size; /* image size */
-+ uint32_t header_size; /* header size rounded up to
-+ file_align */
-+ uint32_t csum; /* checksum */
-+ uint16_t subsys; /* subsystem */
-+ uint16_t dll_flags; /* more flags! */
-+ uint32_t stack_size_req;/* amt of stack requested */
-+ uint32_t stack_size; /* amt of stack required */
-+ uint32_t heap_size_req; /* amt of heap requested */
-+ uint32_t heap_size; /* amt of heap required */
-+ uint32_t loader_flags; /* reserved, must be 0 */
-+ uint32_t data_dirs; /* number of data dir entries */
-+};
-+
-+struct pe32plus_opt_hdr {
-+ uint16_t magic; /* file type */
-+ uint8_t ld_major; /* linker major version */
-+ uint8_t ld_minor; /* linker minor version */
-+ uint32_t text_size; /* size of text section(s) */
-+ uint32_t data_size; /* size of data section(s) */
-+ uint32_t bss_size; /* size of bss section(s) */
-+ uint32_t entry_point; /* file offset of entry point */
-+ uint32_t code_base; /* relative code addr in ram */
-+ /* "windows" header */
-+ uint64_t image_base; /* preferred load address */
-+ uint32_t section_align; /* alignment in bytes */
-+ uint32_t file_align; /* file alignment in bytes */
-+ uint16_t os_major; /* major OS version */
-+ uint16_t os_minor; /* minor OS version */
-+ uint16_t image_major; /* major image version */
-+ uint16_t image_minor; /* minor image version */
-+ uint16_t subsys_major; /* major subsystem version */
-+ uint16_t subsys_minor; /* minor subsystem version */
-+ uint32_t win32_version; /* reserved, must be 0 */
-+ uint32_t image_size; /* image size */
-+ uint32_t header_size; /* header size rounded up to
-+ file_align */
-+ uint32_t csum; /* checksum */
-+ uint16_t subsys; /* subsystem */
-+ uint16_t dll_flags; /* more flags! */
-+ uint64_t stack_size_req;/* amt of stack requested */
-+ uint64_t stack_size; /* amt of stack required */
-+ uint64_t heap_size_req; /* amt of heap requested */
-+ uint64_t heap_size; /* amt of heap required */
-+ uint32_t loader_flags; /* reserved, must be 0 */
-+ uint32_t data_dirs; /* number of data dir entries */
-+};
-+
-+struct data_dirent {
-+ uint32_t virtual_address; /* relative to load address */
-+ uint32_t size;
-+};
-+
-+struct data_directory {
-+ struct data_dirent exports; /* .edata */
-+ struct data_dirent imports; /* .idata */
-+ struct data_dirent resources; /* .rsrc */
-+ struct data_dirent exceptions; /* .pdata */
-+ struct data_dirent certs; /* certs */
-+ struct data_dirent base_relocations; /* .reloc */
-+ struct data_dirent debug; /* .debug */
-+ struct data_dirent arch; /* reservered */
-+ struct data_dirent global_ptr; /* global pointer reg. Size=0 */
-+ struct data_dirent tls; /* .tls */
-+ struct data_dirent load_config; /* load configuration structure */
-+ struct data_dirent bound_imports; /* no idea */
-+ struct data_dirent import_addrs; /* import address table */
-+ struct data_dirent delay_imports; /* delay-load import table */
-+ struct data_dirent clr_runtime_hdr; /* .cor (object only) */
-+ struct data_dirent reserved;
-+};
-+
-+struct section_header {
-+ char name[8]; /* name or "/12\0" string tbl offset */
-+ uint32_t virtual_size; /* size of loaded section in ram */
-+ uint32_t virtual_address; /* relative virtual address */
-+ uint32_t raw_data_size; /* size of the section */
-+ uint32_t data_addr; /* file pointer to first page of sec */
-+ uint32_t relocs; /* file pointer to relocation entries */
-+ uint32_t line_numbers; /* line numbers! */
-+ uint16_t num_relocs; /* number of relocations */
-+ uint16_t num_lin_numbers; /* srsly. */
-+ uint32_t flags;
-+};
-+
-+/* they actually defined 0x00000000 as well, but I think we'll skip that one. */
-+#define IMAGE_SCN_RESERVED_0 0x00000001
-+#define IMAGE_SCN_RESERVED_1 0x00000002
-+#define IMAGE_SCN_RESERVED_2 0x00000004
-+#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 /* don't pad - obsolete */
-+#define IMAGE_SCN_RESERVED_3 0x00000010
-+#define IMAGE_SCN_CNT_CODE 0x00000020 /* .text */
-+#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 /* .data */
-+#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 /* .bss */
-+#define IMAGE_SCN_LNK_OTHER 0x00000100 /* reserved */
-+#define IMAGE_SCN_LNK_INFO 0x00000200 /* .drectve comments */
-+#define IMAGE_SCN_RESERVED_4 0x00000400
-+#define IMAGE_SCN_LNK_REMOVE 0x00000800 /* .o only - scn to be rm'd*/
-+#define IMAGE_SCN_LNK_COMDAT 0x00001000 /* .o only - COMDAT data */
-+#define IMAGE_SCN_RESERVED_5 0x00002000 /* spec omits this */
-+#define IMAGE_SCN_RESERVED_6 0x00004000 /* spec omits this */
-+#define IMAGE_SCN_GPREL 0x00008000 /* global pointer referenced data */
-+/* spec lists 0x20000 twice, I suspect they meant 0x10000 for one of them */
-+#define IMAGE_SCN_MEM_PURGEABLE 0x00010000 /* reserved for "future" use */
-+#define IMAGE_SCN_16BIT 0x00020000 /* reserved for "future" use */
-+#define IMAGE_SCN_LOCKED 0x00040000 /* reserved for "future" use */
-+#define IMAGE_SCN_PRELOAD 0x00080000 /* reserved for "future" use */
-+/* and here they just stuck a 1-byte integer in the middle of a bitfield */
-+#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 /* it does what it says on the box */
-+#define IMAGE_SCN_ALIGN_2BYTES 0x00200000
-+#define IMAGE_SCN_ALIGN_4BYTES 0x00300000
-+#define IMAGE_SCN_ALIGN_8BYTES 0x00400000
-+#define IMAGE_SCN_ALIGN_16BYTES 0x00500000
-+#define IMAGE_SCN_ALIGN_32BYTES 0x00600000
-+#define IMAGE_SCN_ALIGN_64BYTES 0x00700000
-+#define IMAGE_SCN_ALIGN_128BYTES 0x00800000
-+#define IMAGE_SCN_ALIGN_256BYTES 0x00900000
-+#define IMAGE_SCN_ALIGN_512BYTES 0x00a00000
-+#define IMAGE_SCN_ALIGN_1024BYTES 0x00b00000
-+#define IMAGE_SCN_ALIGN_2048BYTES 0x00c00000
-+#define IMAGE_SCN_ALIGN_4096BYTES 0x00d00000
-+#define IMAGE_SCN_ALIGN_8192BYTES 0x00e00000
-+#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 /* extended relocations */
-+#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 /* scn can be discarded */
-+#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 /* cannot be cached */
-+#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 /* not pageable */
-+#define IMAGE_SCN_MEM_SHARED 0x10000000 /* can be shared */
-+#define IMAGE_SCN_MEM_EXECUTE 0x20000000 /* can be executed as code */
-+#define IMAGE_SCN_MEM_READ 0x40000000 /* readable */
-+#define IMAGE_SCN_MEM_WRITE 0x80000000 /* writeable */
-+
-+enum x64_coff_reloc_type {
-+ IMAGE_REL_AMD64_ABSOLUTE = 0,
-+ IMAGE_REL_AMD64_ADDR64,
-+ IMAGE_REL_AMD64_ADDR32,
-+ IMAGE_REL_AMD64_ADDR32N,
-+ IMAGE_REL_AMD64_REL32,
-+ IMAGE_REL_AMD64_REL32_1,
-+ IMAGE_REL_AMD64_REL32_2,
-+ IMAGE_REL_AMD64_REL32_3,
-+ IMAGE_REL_AMD64_REL32_4,
-+ IMAGE_REL_AMD64_REL32_5,
-+ IMAGE_REL_AMD64_SECTION,
-+ IMAGE_REL_AMD64_SECREL,
-+ IMAGE_REL_AMD64_SECREL7,
-+ IMAGE_REL_AMD64_TOKEN,
-+ IMAGE_REL_AMD64_SREL32,
-+ IMAGE_REL_AMD64_PAIR,
-+ IMAGE_REL_AMD64_SSPAN32,
-+};
-+
-+enum arm_coff_reloc_type {
-+ IMAGE_REL_ARM_ABSOLUTE,
-+ IMAGE_REL_ARM_ADDR32,
-+ IMAGE_REL_ARM_ADDR32N,
-+ IMAGE_REL_ARM_BRANCH2,
-+ IMAGE_REL_ARM_BRANCH1,
-+ IMAGE_REL_ARM_SECTION,
-+ IMAGE_REL_ARM_SECREL,
-+};
-+
-+enum sh_coff_reloc_type {
-+ IMAGE_REL_SH3_ABSOLUTE,
-+ IMAGE_REL_SH3_DIRECT16,
-+ IMAGE_REL_SH3_DIRECT32,
-+ IMAGE_REL_SH3_DIRECT8,
-+ IMAGE_REL_SH3_DIRECT8_WORD,
-+ IMAGE_REL_SH3_DIRECT8_LONG,
-+ IMAGE_REL_SH3_DIRECT4,
-+ IMAGE_REL_SH3_DIRECT4_WORD,
-+ IMAGE_REL_SH3_DIRECT4_LONG,
-+ IMAGE_REL_SH3_PCREL8_WORD,
-+ IMAGE_REL_SH3_PCREL8_LONG,
-+ IMAGE_REL_SH3_PCREL12_WORD,
-+ IMAGE_REL_SH3_STARTOF_SECTION,
-+ IMAGE_REL_SH3_SIZEOF_SECTION,
-+ IMAGE_REL_SH3_SECTION,
-+ IMAGE_REL_SH3_SECREL,
-+ IMAGE_REL_SH3_DIRECT32_NB,
-+ IMAGE_REL_SH3_GPREL4_LONG,
-+ IMAGE_REL_SH3_TOKEN,
-+ IMAGE_REL_SHM_PCRELPT,
-+ IMAGE_REL_SHM_REFLO,
-+ IMAGE_REL_SHM_REFHALF,
-+ IMAGE_REL_SHM_RELLO,
-+ IMAGE_REL_SHM_RELHALF,
-+ IMAGE_REL_SHM_PAIR,
-+ IMAGE_REL_SHM_NOMODE,
-+};
-+
-+enum ppc_coff_reloc_type {
-+ IMAGE_REL_PPC_ABSOLUTE,
-+ IMAGE_REL_PPC_ADDR64,
-+ IMAGE_REL_PPC_ADDR32,
-+ IMAGE_REL_PPC_ADDR24,
-+ IMAGE_REL_PPC_ADDR16,
-+ IMAGE_REL_PPC_ADDR14,
-+ IMAGE_REL_PPC_REL24,
-+ IMAGE_REL_PPC_REL14,
-+ IMAGE_REL_PPC_ADDR32N,
-+ IMAGE_REL_PPC_SECREL,
-+ IMAGE_REL_PPC_SECTION,
-+ IMAGE_REL_PPC_SECREL16,
-+ IMAGE_REL_PPC_REFHI,
-+ IMAGE_REL_PPC_REFLO,
-+ IMAGE_REL_PPC_PAIR,
-+ IMAGE_REL_PPC_SECRELLO,
-+ IMAGE_REL_PPC_GPREL,
-+ IMAGE_REL_PPC_TOKEN,
-+};
-+
-+enum x86_coff_reloc_type {
-+ IMAGE_REL_I386_ABSOLUTE,
-+ IMAGE_REL_I386_DIR16,
-+ IMAGE_REL_I386_REL16,
-+ IMAGE_REL_I386_DIR32,
-+ IMAGE_REL_I386_DIR32NB,
-+ IMAGE_REL_I386_SEG12,
-+ IMAGE_REL_I386_SECTION,
-+ IMAGE_REL_I386_SECREL,
-+ IMAGE_REL_I386_TOKEN,
-+ IMAGE_REL_I386_SECREL7,
-+ IMAGE_REL_I386_REL32,
-+};
-+
-+enum ia64_coff_reloc_type {
-+ IMAGE_REL_IA64_ABSOLUTE,
-+ IMAGE_REL_IA64_IMM14,
-+ IMAGE_REL_IA64_IMM22,
-+ IMAGE_REL_IA64_IMM64,
-+ IMAGE_REL_IA64_DIR32,
-+ IMAGE_REL_IA64_DIR64,
-+ IMAGE_REL_IA64_PCREL21B,
-+ IMAGE_REL_IA64_PCREL21M,
-+ IMAGE_REL_IA64_PCREL21F,
-+ IMAGE_REL_IA64_GPREL22,
-+ IMAGE_REL_IA64_LTOFF22,
-+ IMAGE_REL_IA64_SECTION,
-+ IMAGE_REL_IA64_SECREL22,
-+ IMAGE_REL_IA64_SECREL64I,
-+ IMAGE_REL_IA64_SECREL32,
-+ IMAGE_REL_IA64_DIR32NB,
-+ IMAGE_REL_IA64_SREL14,
-+ IMAGE_REL_IA64_SREL22,
-+ IMAGE_REL_IA64_SREL32,
-+ IMAGE_REL_IA64_UREL32,
-+ IMAGE_REL_IA64_PCREL60X,
-+ IMAGE_REL_IA64_PCREL60B,
-+ IMAGE_REL_IA64_PCREL60F,
-+ IMAGE_REL_IA64_PCREL60I,
-+ IMAGE_REL_IA64_PCREL60M,
-+ IMAGE_REL_IA64_IMMGPREL6,
-+ IMAGE_REL_IA64_TOKEN,
-+ IMAGE_REL_IA64_GPREL32,
-+ IMAGE_REL_IA64_ADDEND,
-+};
-+
-+struct coff_reloc {
-+ uint32_t virtual_address;
-+ uint32_t symbol_table_index;
-+ union {
-+ enum x64_coff_reloc_type x64_type;
-+ enum arm_coff_reloc_type arm_type;
-+ enum sh_coff_reloc_type sh_type;
-+ enum ppc_coff_reloc_type ppc_type;
-+ enum x86_coff_reloc_type x86_type;
-+ enum ia64_coff_reloc_type ia64_type;
-+ uint16_t data;
-+ };
-+};
-+
-+/*
-+ * Definitions for the contents of the certs data block
-+ */
-+#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
-+#define WIN_CERT_TYPE_EFI_OKCS115 0x0EF0
-+#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
-+
-+#define WIN_CERT_REVISION_1_0 0x0100
-+#define WIN_CERT_REVISION_2_0 0x0200
-+
-+struct win_certificate {
-+ uint32_t length;
-+ uint16_t revision;
-+ uint16_t cert_type;
-+};
-+
-+#endif /* __LINUX_PE_H */
---
-1.8.1.4
-
-
-From d329754b0c2881b6331aacafab74a26b2d9262b3 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:40 +0000
-Subject: [PATCH 21/47] pefile: Parse a PE binary to find a key and a signature
- contained therein
-
-Parse a PE binary to find a key and a signature contained therein. Later
-patches will check the signature and add the key if the signature checks out.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/Kconfig | 10 +-
- crypto/asymmetric_keys/Makefile | 8 ++
- crypto/asymmetric_keys/pefile_parser.c | 185 +++++++++++++++++++++++++++++++++
- crypto/asymmetric_keys/pefile_parser.h | 31 ++++++
- 4 files changed, 233 insertions(+), 1 deletion(-)
- create mode 100644 crypto/asymmetric_keys/pefile_parser.c
- create mode 100644 crypto/asymmetric_keys/pefile_parser.h
-
-diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 413f3f6..2e7315c 100644
---- a/crypto/asymmetric_keys/Kconfig
-+++ b/crypto/asymmetric_keys/Kconfig
-@@ -31,7 +31,7 @@ config X509_CERTIFICATE_PARSER
- select ASN1
- select OID_REGISTRY
- help
-- This option procides support for parsing X.509 format blobs for key
-+ This option provides support for parsing X.509 format blobs for key
- data and provides the ability to instantiate a crypto key from a
- public key packet found inside the certificate.
-
-@@ -44,4 +44,12 @@ config PKCS7_MESSAGE_PARSER
- This option provides support for parsing PKCS#7 format messages for
- signature data and provides the ability to verify the signature.
-
-+config PE_FILE_PARSER
-+ tristate "PE binary-wrapped key parser"
-+ depends on X509_CERTIFICATE_PARSER
-+ depends on PKCS7_MESSAGE_PARSER
-+ help
-+ This option provides support for parsing signed PE binaries that
-+ contain an X.509 certificate in an internal section.
-+
- endif # ASYMMETRIC_KEY_TYPE
-diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index d63cb43..2675146 100644
---- a/crypto/asymmetric_keys/Makefile
-+++ b/crypto/asymmetric_keys/Makefile
-@@ -40,3 +40,11 @@ $(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
- $(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h
-
- clean-files += pkcs7-asn1.c pkcs7-asn1.h
-+
-+#
-+# Signed PE binary-wrapped key handling
-+#
-+obj-$(CONFIG_PE_FILE_PARSER) += pefile_key_parser.o
-+
-+pefile_key_parser-y := \
-+ pefile_parser.o
-diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c
-new file mode 100644
-index 0000000..fb80cf0
---- /dev/null
-+++ b/crypto/asymmetric_keys/pefile_parser.c
-@@ -0,0 +1,185 @@
-+/* Parse a signed PE binary that wraps a key.
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) "PEFILE: "fmt
-+#include <linux/module.h>
-+#include <linux/kernel.h>
-+#include <linux/slab.h>
-+#include <linux/err.h>
-+#include <linux/pe.h>
-+#include <keys/asymmetric-subtype.h>
-+#include <keys/asymmetric-parser.h>
-+#include <crypto/hash.h>
-+#include "asymmetric_keys.h"
-+#include "public_key.h"
-+#include "pefile_parser.h"
-+
-+/*
-+ * Parse a PE binary.
-+ */
-+static int pefile_parse_binary(struct key_preparsed_payload *prep,
-+ struct pefile_context *ctx)
-+{
-+ const struct mz_hdr *mz = prep->data;
-+ const struct pe_hdr *pe;
-+ const struct pe32_opt_hdr *pe32;
-+ const struct pe32plus_opt_hdr *pe64;
-+ const struct data_directory *ddir;
-+ const struct data_dirent *dde;
-+ const struct section_header *secs, *sec;
-+ unsigned loop;
-+ size_t cursor, datalen = prep->datalen;
-+
-+ kenter("");
-+
-+#define chkaddr(base, x, s) \
-+ do { \
-+ if ((x) < base || (s) >= datalen || (x) > datalen - (s)) \
-+ return -ELIBBAD; \
-+ } while(0)
-+
-+ chkaddr(0, 0, sizeof(*mz));
-+ if (mz->magic != MZ_MAGIC)
-+ return -ELIBBAD;
-+ cursor = sizeof(*mz);
-+
-+ chkaddr(cursor, mz->peaddr, sizeof(*pe));
-+ pe = prep->data + mz->peaddr;
-+ if (pe->magic != PE_MAGIC)
-+ return -ELIBBAD;
-+ cursor = mz->peaddr + sizeof(*pe);
-+
-+ chkaddr(0, cursor, sizeof(pe32->magic));
-+ pe32 = prep->data + cursor;
-+ pe64 = prep->data + cursor;
-+
-+ switch (pe32->magic) {
-+ case PE_OPT_MAGIC_PE32:
-+ chkaddr(0, cursor, sizeof(*pe32));
-+ ctx->image_checksum_offset =
-+ (unsigned long)&pe32->csum - (unsigned long)prep->data;
-+ ctx->header_size = pe32->header_size;
-+ cursor += sizeof(*pe32);
-+ ctx->n_data_dirents = pe32->data_dirs;
-+ break;
-+
-+ case PE_OPT_MAGIC_PE32PLUS:
-+ chkaddr(0, cursor, sizeof(*pe64));
-+ ctx->image_checksum_offset =
-+ (unsigned long)&pe64->csum - (unsigned long)prep->data;
-+ ctx->header_size = pe64->header_size;
-+ cursor += sizeof(*pe64);
-+ ctx->n_data_dirents = pe64->data_dirs;
-+ break;
-+
-+ default:
-+ pr_devel("Unknown PEOPT magic = %04hx\n", pe32->magic);
-+ return -ELIBBAD;
-+ }
-+
-+ pr_devel("checksum @ %x\n", ctx->image_checksum_offset);
-+ pr_devel("header size = %x\n", ctx->header_size);
-+
-+ if (cursor >= ctx->header_size || ctx->header_size >= datalen)
-+ return -ELIBBAD;
-+
-+ if (ctx->n_data_dirents > (ctx->header_size - cursor) / sizeof(*dde) ||
-+ ctx->n_data_dirents < sizeof(*ddir) / sizeof(*dde))
-+ return -ELIBBAD;
-+
-+ ddir = prep->data + cursor;
-+ cursor += sizeof(*dde) * ctx->n_data_dirents;
-+
-+ ctx->cert_dirent_offset =
-+ (unsigned long)&ddir->certs - (unsigned long)prep->data;
-+ ctx->certs_size = ddir->certs.size;
-+
-+ if (!ddir->certs.virtual_address || !ddir->certs.size) {
-+ pr_devel("Unsigned PE binary\n");
-+ return -EKEYREJECTED;
-+ }
-+
-+ chkaddr(ctx->header_size, ddir->certs.virtual_address, ddir->certs.size);
-+ ctx->sig_offset = ddir->certs.virtual_address;
-+ ctx->sig_len = ddir->certs.size;
-+ pr_devel("cert = %x @%x [%*ph]\n",
-+ ctx->sig_len, ctx->sig_offset,
-+ ctx->sig_len, prep->data + ctx->sig_offset);
-+
-+ /* Parse the section table, checking the parameters and looking for the
-+ * section containing the list of keys.
-+ */
-+ ctx->n_sections = pe->sections;
-+ if (ctx->n_sections > (ctx->header_size - cursor) / sizeof(*sec))
-+ return -ELIBBAD;
-+ ctx->secs = secs = prep->data + cursor;
-+ cursor += sizeof(*sec) * ctx->n_sections;
-+
-+ for (loop = 0; loop < ctx->n_sections; loop++) {
-+ sec = &secs[loop];
-+ chkaddr(cursor, sec->data_addr, sec->raw_data_size);
-+ if (memcmp(sec->name, ".keylist", 8) == 0) {
-+ ctx->keylist_offset = sec->data_addr;
-+ ctx->keylist_len = sec->raw_data_size;
-+ }
-+ }
-+
-+ if (ctx->keylist_offset == 0) {
-+ pr_devel("No .keylist section in PE binary\n");
-+ return -ENOENT;
-+ }
-+
-+ pr_devel("keylist = %x @%x [%*ph]\n",
-+ ctx->keylist_len, ctx->keylist_offset,
-+ ctx->keylist_len, prep->data + ctx->keylist_offset);
-+
-+ return 0;
-+}
-+
-+/*
-+ * Parse a PE binary.
-+ */
-+static int pefile_key_preparse(struct key_preparsed_payload *prep)
-+{
-+ struct pefile_context ctx;
-+ int ret;
-+
-+ kenter("");
-+
-+ memset(&ctx, 0, sizeof(ctx));
-+ ret = pefile_parse_binary(prep, &ctx);
-+ if (ret < 0)
-+ return ret;
-+
-+ return -ENOANO; // Not yet complete
-+}
-+
-+static struct asymmetric_key_parser pefile_key_parser = {
-+ .owner = THIS_MODULE,
-+ .name = "pefile",
-+ .parse = pefile_key_preparse,
-+};
-+
-+/*
-+ * Module stuff
-+ */
-+static int __init pefile_key_init(void)
-+{
-+ return register_asymmetric_key_parser(&pefile_key_parser);
-+}
-+
-+static void __exit pefile_key_exit(void)
-+{
-+ unregister_asymmetric_key_parser(&pefile_key_parser);
-+}
-+
-+module_init(pefile_key_init);
-+module_exit(pefile_key_exit);
-diff --git a/crypto/asymmetric_keys/pefile_parser.h b/crypto/asymmetric_keys/pefile_parser.h
-new file mode 100644
-index 0000000..82bcaf6
---- /dev/null
-+++ b/crypto/asymmetric_keys/pefile_parser.h
-@@ -0,0 +1,31 @@
-+/* PE Binary parser bits
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+#include "pkcs7_parser.h"
-+
-+struct pefile_context {
-+ unsigned header_size;
-+ unsigned image_checksum_offset;
-+ unsigned cert_dirent_offset;
-+ unsigned n_data_dirents;
-+ unsigned n_sections;
-+ unsigned certs_size;
-+ unsigned sig_offset;
-+ unsigned sig_len;
-+ unsigned keylist_offset;
-+ unsigned keylist_len;
-+ const struct section_header *secs;
-+ struct pkcs7_message *pkcs7;
-+
-+ /* PKCS#7 MS Individual Code Signing content */
-+ const void *digest; /* Digest */
-+ unsigned digest_len; /* Digest length */
-+ enum pkey_hash_algo digest_algo; /* Digest algorithm */
-+};
---
-1.8.1.4
-
-
-From 3794d7963e17fc0b0c2f62164306b9a45cb2254e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:40 +0000
-Subject: [PATCH 22/47] pefile: Strip the wrapper off of the cert data block
-
-The certificate data block in a PE binary has a wrapper around the PKCS#7
-signature we actually want to get at. Strip this off and check that we've got
-something that appears to be a PKCS#7 signature.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/pefile_parser.c | 60 ++++++++++++++++++++++++++++++++++
- 1 file changed, 60 insertions(+)
-
-diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c
-index fb80cf0..f2d4df0 100644
---- a/crypto/asymmetric_keys/pefile_parser.c
-+++ b/crypto/asymmetric_keys/pefile_parser.c
-@@ -15,6 +15,7 @@
- #include <linux/slab.h>
- #include <linux/err.h>
- #include <linux/pe.h>
-+#include <linux/asn1.h>
- #include <keys/asymmetric-subtype.h>
- #include <keys/asymmetric-parser.h>
- #include <crypto/hash.h>
-@@ -145,6 +146,61 @@ static int pefile_parse_binary(struct key_preparsed_payload *prep,
- }
-
- /*
-+ * Check and strip the PE wrapper from around the signature and check that the
-+ * remnant looks something like PKCS#7.
-+ */
-+static int pefile_strip_sig_wrapper(struct key_preparsed_payload *prep,
-+ struct pefile_context *ctx)
-+{
-+ struct win_certificate wrapper;
-+ const u8 *pkcs7;
-+
-+ if (ctx->sig_len < sizeof(wrapper)) {
-+ pr_devel("Signature wrapper too short\n");
-+ return -ELIBBAD;
-+ }
-+
-+ memcpy(&wrapper, prep->data + ctx->sig_offset, sizeof(wrapper));
-+ pr_devel("sig wrapper = { %x, %x, %x }\n",
-+ wrapper.length, wrapper.revision, wrapper.cert_type);
-+ if (wrapper.length != ctx->sig_len) {
-+ pr_devel("Signature wrapper len wrong\n");
-+ return -ELIBBAD;
-+ }
-+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
-+ pr_devel("Signature is not revision 2.0\n");
-+ return -ENOTSUPP;
-+ }
-+ if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
-+ pr_devel("Signature certificate type is not PKCS\n");
-+ return -ENOTSUPP;
-+ }
-+
-+ ctx->sig_offset += sizeof(wrapper);
-+ ctx->sig_len -= sizeof(wrapper);
-+ if (ctx->sig_len == 0) {
-+ pr_devel("Signature data missing\n");
-+ return -EKEYREJECTED;
-+ }
-+
-+ /* What's left should a PKCS#7 cert */
-+ pkcs7 = prep->data + ctx->sig_offset;
-+ if (pkcs7[0] == (ASN1_CONS_BIT | ASN1_SEQ)) {
-+ if (pkcs7[1] == 0x82 &&
-+ pkcs7[2] == (((ctx->sig_len - 4) >> 8) & 0xff) &&
-+ pkcs7[3] == ((ctx->sig_len - 4) & 0xff))
-+ return 0;
-+ if (pkcs7[1] == 0x80)
-+ return 0;
-+ if (pkcs7[1] > 0x82)
-+ return -EMSGSIZE;
-+ }
-+
-+ pr_devel("Signature data not PKCS#7\n");
-+ return -ELIBBAD;
-+}
-+
-+/*
- * Parse a PE binary.
- */
- static int pefile_key_preparse(struct key_preparsed_payload *prep)
-@@ -159,6 +215,10 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep)
- if (ret < 0)
- return ret;
-
-+ ret = pefile_strip_sig_wrapper(prep, &ctx);
-+ if (ret < 0)
-+ return ret;
-+
- return -ENOANO; // Not yet complete
- }
-
---
-1.8.1.4
-
-
-From f23895761a15e08959140091dc17004e7e6e2035 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:40 +0000
-Subject: [PATCH 23/47] pefile: Parse the presumed PKCS#7 content of the
- certificate blob
-
-Parse the content of the certificate blob, presuming it to be PKCS#7 format.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/pefile_parser.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c
-index f2d4df0..056500f 100644
---- a/crypto/asymmetric_keys/pefile_parser.c
-+++ b/crypto/asymmetric_keys/pefile_parser.c
-@@ -205,6 +205,7 @@ static int pefile_strip_sig_wrapper(struct key_preparsed_payload *prep,
- */
- static int pefile_key_preparse(struct key_preparsed_payload *prep)
- {
-+ struct pkcs7_message *pkcs7;
- struct pefile_context ctx;
- int ret;
-
-@@ -219,7 +220,22 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep)
- if (ret < 0)
- return ret;
-
-- return -ENOANO; // Not yet complete
-+ pkcs7 = pkcs7_parse_message(prep->data + ctx.sig_offset, ctx.sig_len);
-+ if (IS_ERR(pkcs7))
-+ return PTR_ERR(pkcs7);
-+ ctx.pkcs7 = pkcs7;
-+
-+ if (!ctx.pkcs7->data || !ctx.pkcs7->data_len) {
-+ pr_devel("PKCS#7 message does not contain data\n");
-+ ret = -EBADMSG;
-+ goto error;
-+ }
-+
-+ ret = -ENOANO; // Not yet complete
-+
-+error:
-+ pkcs7_free_message(ctx.pkcs7);
-+ return ret;
- }
-
- static struct asymmetric_key_parser pefile_key_parser = {
---
-1.8.1.4
-
-
-From fcdb91196beb6235eed676c368a662cbdf92b804 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:41 +0000
-Subject: [PATCH 24/47] pefile: Parse the "Microsoft individual code signing"
- data blob
-
-The PKCS#7 certificate should contain a "Microsoft individual code signing"
-data blob as its signed content. This blob contains a digest of the signed
-content of the PE binary and the OID of the digest algorithm used (typically
-SHA256).
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/Makefile | 9 ++-
- crypto/asymmetric_keys/mscode.asn1 | 28 +++++++++
- crypto/asymmetric_keys/mscode_parser.c | 110 +++++++++++++++++++++++++++++++++
- crypto/asymmetric_keys/pefile_parser.c | 6 ++
- crypto/asymmetric_keys/pefile_parser.h | 5 ++
- include/linux/oid_registry.h | 6 +-
- 6 files changed, 162 insertions(+), 2 deletions(-)
- create mode 100644 crypto/asymmetric_keys/mscode.asn1
- create mode 100644 crypto/asymmetric_keys/mscode_parser.c
-
-diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index 2675146..ddc64bb 100644
---- a/crypto/asymmetric_keys/Makefile
-+++ b/crypto/asymmetric_keys/Makefile
-@@ -47,4 +47,11 @@ clean-files += pkcs7-asn1.c pkcs7-asn1.h
- obj-$(CONFIG_PE_FILE_PARSER) += pefile_key_parser.o
-
- pefile_key_parser-y := \
-- pefile_parser.o
-+ pefile_parser.o \
-+ mscode_parser.o \
-+ mscode-asn1.o
-+
-+$(obj)/mscode_parser.o: $(obj)/mscode-asn1.h $(obj)/mscode-asn1.h
-+$(obj)/mscode-asn1.o: $(obj)/mscode-asn1.c $(obj)/mscode-asn1.h
-+
-+clean-files += mscode-asn1.c mscode-asn1.h
-diff --git a/crypto/asymmetric_keys/mscode.asn1 b/crypto/asymmetric_keys/mscode.asn1
-new file mode 100644
-index 0000000..6d09ba4
---- /dev/null
-+++ b/crypto/asymmetric_keys/mscode.asn1
-@@ -0,0 +1,28 @@
-+--- Microsoft individual code signing data blob parser
-+---
-+--- Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+--- Written by David Howells (dhowells@redhat.com)
-+---
-+--- This program is free software; you can redistribute it and/or
-+--- modify it under the terms of the GNU General Public Licence
-+--- as published by the Free Software Foundation; either version
-+--- 2 of the Licence, or (at your option) any later version.
-+---
-+
-+MSCode ::= SEQUENCE {
-+ type SEQUENCE {
-+ contentType ContentType,
-+ parameters ANY
-+ },
-+ content SEQUENCE {
-+ digestAlgorithm DigestAlgorithmIdentifier,
-+ digest OCTET STRING ({ mscode_note_digest })
-+ }
-+}
-+
-+ContentType ::= OBJECT IDENTIFIER ({ mscode_note_content_type })
-+
-+DigestAlgorithmIdentifier ::= SEQUENCE {
-+ algorithm OBJECT IDENTIFIER ({ mscode_note_digest_algo }),
-+ parameters ANY OPTIONAL
-+}
-diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
-new file mode 100644
-index 0000000..0bd68e0
---- /dev/null
-+++ b/crypto/asymmetric_keys/mscode_parser.c
-@@ -0,0 +1,110 @@
-+/* Parse a Microsoft Individual Code Signing blob
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) "MSCODE: "fmt
-+#include <linux/kernel.h>
-+#include <linux/slab.h>
-+#include <linux/err.h>
-+#include <linux/oid_registry.h>
-+#include "pefile_parser.h"
-+#include "mscode-asn1.h"
-+
-+/*
-+ * Parse a Microsoft Individual Code Signing blob
-+ */
-+int mscode_parse(struct pefile_context *ctx)
-+{
-+ pr_devel("Data: %zu [%*ph]\n",
-+ ctx->pkcs7->data_len + ctx->pkcs7->data_hdrlen,
-+ (unsigned)(ctx->pkcs7->data_len + ctx->pkcs7->data_hdrlen),
-+ ctx->pkcs7->data - ctx->pkcs7->data_hdrlen);
-+
-+ return asn1_ber_decoder(&mscode_decoder, ctx,
-+ ctx->pkcs7->data - ctx->pkcs7->data_hdrlen,
-+ ctx->pkcs7->data_len + ctx->pkcs7->data_hdrlen);
-+}
-+
-+/*
-+ * Check the content type OID
-+ */
-+int mscode_note_content_type(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ enum OID oid;
-+
-+ oid = look_up_OID(value, vlen);
-+ if (oid == OID__NR) {
-+ char buffer[50];
-+ sprint_oid(value, vlen, buffer, sizeof(buffer));
-+ printk("MSCODE: Unknown OID: %s\n", buffer);
-+ return -EBADMSG;
-+ }
-+
-+ if (oid != OID_msIndividualSPKeyPurpose) {
-+ printk("MSCODE: Unexpected content type OID %u\n", oid);
-+ return -EBADMSG;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Note the digest algorithm OID
-+ */
-+int mscode_note_digest_algo(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pefile_context *ctx = context;
-+ char buffer[50];
-+ enum OID oid;
-+
-+ oid = look_up_OID(value, vlen);
-+ switch (oid) {
-+ case OID_md4:
-+ ctx->digest_algo = PKEY_HASH_MD4;
-+ break;
-+ case OID_md5:
-+ ctx->digest_algo = PKEY_HASH_MD5;
-+ break;
-+ case OID_sha1:
-+ ctx->digest_algo = PKEY_HASH_SHA1;
-+ break;
-+ case OID_sha256:
-+ ctx->digest_algo = PKEY_HASH_SHA256;
-+ break;
-+
-+ case OID__NR:
-+ sprint_oid(value, vlen, buffer, sizeof(buffer));
-+ printk("MSCODE: Unknown OID: %s\n", buffer);
-+ return -EBADMSG;
-+
-+ default:
-+ printk("MSCODE: Unsupported content type: %u\n", oid);
-+ return -ENOPKG;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Note the digest we're guaranteeing with this certificate
-+ */
-+int mscode_note_digest(void *context, size_t hdrlen,
-+ unsigned char tag,
-+ const void *value, size_t vlen)
-+{
-+ struct pefile_context *ctx = context;
-+ ctx->digest = value;
-+ ctx->digest_len = vlen;
-+ return 0;
-+}
-diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c
-index 056500f..f1c8cc1 100644
---- a/crypto/asymmetric_keys/pefile_parser.c
-+++ b/crypto/asymmetric_keys/pefile_parser.c
-@@ -231,6 +231,12 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep)
- goto error;
- }
-
-+ ret = mscode_parse(&ctx);
-+ if (ret < 0)
-+ goto error;
-+
-+ pr_devel("Digest: %u [%*ph]\n", ctx.digest_len, ctx.digest_len, ctx.digest);
-+
- ret = -ENOANO; // Not yet complete
-
- error:
-diff --git a/crypto/asymmetric_keys/pefile_parser.h b/crypto/asymmetric_keys/pefile_parser.h
-index 82bcaf6..c3462b7 100644
---- a/crypto/asymmetric_keys/pefile_parser.h
-+++ b/crypto/asymmetric_keys/pefile_parser.h
-@@ -29,3 +29,8 @@ struct pefile_context {
- unsigned digest_len; /* Digest length */
- enum pkey_hash_algo digest_algo; /* Digest algorithm */
- };
-+
-+/*
-+ * mscode_parser.c
-+ */
-+extern int mscode_parse(struct pefile_context *ctx);
-diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
-index edeff85..332dcf5 100644
---- a/include/linux/oid_registry.h
-+++ b/include/linux/oid_registry.h
-@@ -52,8 +52,12 @@ enum OID {
- OID_md4, /* 1.2.840.113549.2.4 */
- OID_md5, /* 1.2.840.113549.2.5 */
-
-- OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
-+ /* Microsoft Authenticode & Software Publishing */
-+ OID_msIndirectData, /* 1.3.6.1.4.1.311.2.1.4 */
-+ OID_msIndividualSPKeyPurpose, /* 1.3.6.1.4.1.311.2.1.21 */
- OID_msOutlookExpress, /* 1.3.6.1.4.1.311.16.4 */
-+
-+ OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
- OID_sha1, /* 1.3.14.3.2.26 */
- OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
-
---
-1.8.1.4
-
-
-From 63204898d9491f8ba1b90dea8660e8ff778db993 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:41 +0000
-Subject: [PATCH 25/47] pefile: Digest the PE binary and compare to the PKCS#7
- data
-
-Digest the signed parts of the PE binary, canonicalising the section table
-before we need it, and then compare the the resulting digest to the one in the
-PKCS#7 signed content.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/pefile_parser.c | 198 +++++++++++++++++++++++++++++++++
- 1 file changed, 198 insertions(+)
-
-diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c
-index f1c8cc1..dfdb85e 100644
---- a/crypto/asymmetric_keys/pefile_parser.c
-+++ b/crypto/asymmetric_keys/pefile_parser.c
-@@ -201,6 +201,193 @@ static int pefile_strip_sig_wrapper(struct key_preparsed_payload *prep,
- }
-
- /*
-+ * Compare two sections for canonicalisation.
-+ */
-+static int pefile_compare_shdrs(const void *a, const void *b)
-+{
-+ const struct section_header *shdra = a;
-+ const struct section_header *shdrb = b;
-+ int rc;
-+
-+ if (shdra->data_addr > shdrb->data_addr)
-+ return 1;
-+ if (shdrb->data_addr > shdra->data_addr)
-+ return -1;
-+
-+ if (shdra->virtual_address > shdrb->virtual_address)
-+ return 1;
-+ if (shdrb->virtual_address > shdra->virtual_address)
-+ return -1;
-+
-+ rc = strcmp(shdra->name, shdrb->name);
-+ if (rc != 0)
-+ return rc;
-+
-+ if (shdra->virtual_size > shdrb->virtual_size)
-+ return 1;
-+ if (shdrb->virtual_size > shdra->virtual_size)
-+ return -1;
-+
-+ if (shdra->raw_data_size > shdrb->raw_data_size)
-+ return 1;
-+ if (shdrb->raw_data_size > shdra->raw_data_size)
-+ return -1;
-+
-+ return 0;
-+}
-+
-+/*
-+ * Load the contents of the PE binary into the digest, leaving out the image
-+ * checksum and the certificate data block.
-+ */
-+static int pefile_digest_pe_contents(struct key_preparsed_payload *prep,
-+ struct pefile_context *ctx,
-+ struct shash_desc *desc)
-+{
-+ unsigned *canon, tmp, loop, i, hashed_bytes;
-+ int ret;
-+
-+ /* Digest the header and data directory, but leave out the image
-+ * checksum and the data dirent for the signature.
-+ */
-+ ret = crypto_shash_update(desc, prep->data, ctx->image_checksum_offset);
-+ if (ret < 0)
-+ return ret;
-+
-+ tmp = ctx->image_checksum_offset + sizeof(uint32_t);
-+ ret = crypto_shash_update(desc, prep->data + tmp,
-+ ctx->cert_dirent_offset - tmp);
-+ if (ret < 0)
-+ return ret;
-+
-+ tmp = ctx->cert_dirent_offset + sizeof(struct data_dirent);
-+ ret = crypto_shash_update(desc, prep->data + tmp,
-+ ctx->header_size - tmp);
-+ if (ret < 0)
-+ return ret;
-+
-+ canon = kcalloc(ctx->n_sections, sizeof(unsigned), GFP_KERNEL);
-+ if (!canon)
-+ return -ENOMEM;
-+
-+ /* We have to canonicalise the section table, so we perform an
-+ * insertion sort.
-+ */
-+ canon[0] = 0;
-+ for (loop = 1; loop < ctx->n_sections; loop++) {
-+ for (i = 0; i < loop; i++) {
-+ if (pefile_compare_shdrs(&ctx->secs[canon[i]],
-+ &ctx->secs[loop]) > 0) {
-+ memmove(&canon[i + 1], &canon[i],
-+ (loop - i) * sizeof(canon[0]));
-+ break;
-+ }
-+ }
-+ canon[i] = loop;
-+ }
-+
-+ hashed_bytes = ctx->header_size;
-+ for (loop = 0; loop < ctx->n_sections; loop++) {
-+ i = canon[loop];
-+ if (ctx->secs[i].raw_data_size == 0)
-+ continue;
-+ ret = crypto_shash_update(desc,
-+ prep->data + ctx->secs[i].data_addr,
-+ ctx->secs[i].raw_data_size);
-+ if (ret < 0) {
-+ kfree(canon);
-+ return ret;
-+ }
-+ hashed_bytes += ctx->secs[i].raw_data_size;
-+ }
-+ kfree(canon);
-+
-+ if (prep->datalen > hashed_bytes) {
-+ tmp = hashed_bytes + ctx->certs_size;
-+ ret = crypto_shash_update(desc,
-+ prep->data + hashed_bytes,
-+ prep->datalen - tmp);
-+ if (ret < 0)
-+ return ret;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Digest the contents of the PE binary, leaving out the image checksum and the
-+ * certificate data block.
-+ */
-+static int pefile_digest_pe(struct key_preparsed_payload *prep,
-+ struct pefile_context *ctx)
-+{
-+ struct crypto_shash *tfm;
-+ struct shash_desc *desc;
-+ size_t digest_size, desc_size;
-+ void *digest;
-+ int ret;
-+
-+ kenter(",%u", ctx->digest_algo);
-+
-+ /* Allocate the hashing algorithm we're going to need and find out how
-+ * big the hash operational data will be.
-+ */
-+ tfm = crypto_alloc_shash(pkey_hash_algo_name[ctx->digest_algo], 0, 0);
-+ if (IS_ERR(tfm))
-+ return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
-+
-+ desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
-+ digest_size = crypto_shash_digestsize(tfm);
-+
-+ if (digest_size != ctx->digest_len) {
-+ pr_debug("Digest size mismatch (%zx != %x)\n",
-+ digest_size, ctx->digest_len);
-+ ret = -EBADMSG;
-+ goto error_no_desc;
-+ }
-+ pr_devel("Digest: desc=%zu size=%zu\n", desc_size, digest_size);
-+
-+ ret = -ENOMEM;
-+ desc = kzalloc(desc_size + digest_size, GFP_KERNEL);
-+ if (!desc)
-+ goto error_no_desc;
-+
-+ desc->tfm = tfm;
-+ desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
-+ ret = crypto_shash_init(desc);
-+ if (ret < 0)
-+ goto error;
-+
-+ ret = pefile_digest_pe_contents(prep, ctx, desc);
-+ if (ret < 0)
-+ goto error;
-+
-+ digest = (void *)desc + desc_size;
-+ ret = crypto_shash_final(desc, digest);
-+ if (ret < 0)
-+ goto error;
-+
-+ pr_devel("Digest calc = [%*ph]\n", ctx->digest_len, digest);
-+
-+ /* Check that the PE file digest matches that in the MSCODE part of the
-+ * PKCS#7 certificate.
-+ */
-+ if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
-+ pr_debug("Digest mismatch\n");
-+ ret = -EKEYREJECTED;
-+ } else {
-+ pr_debug("The digests match!\n");
-+ }
-+
-+error:
-+ kfree(desc);
-+error_no_desc:
-+ crypto_free_shash(tfm);
-+ kleave(" = %d", ret);
-+ return ret;
-+}
-+
-+/*
- * Parse a PE binary.
- */
- static int pefile_key_preparse(struct key_preparsed_payload *prep)
-@@ -237,6 +424,17 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep)
-
- pr_devel("Digest: %u [%*ph]\n", ctx.digest_len, ctx.digest_len, ctx.digest);
-
-+ /* Generate the digest and check against the PKCS7 certificate
-+ * contents.
-+ */
-+ ret = pefile_digest_pe(prep, &ctx);
-+ if (ret < 0)
-+ goto error;
-+
-+ ret = pkcs7_verify(pkcs7);
-+ if (ret < 0)
-+ goto error;
-+
- ret = -ENOANO; // Not yet complete
-
- error:
---
-1.8.1.4
-
-
-From 17ed825e5f3f595665abd3fc11a6c180e6762b87 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 18 Jan 2013 13:58:35 +0000
-Subject: [PATCH 26/47] PEFILE: Validate PKCS#7 trust chain
-
-Validate the PKCS#7 trust chain against the contents of the system keyring.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- crypto/asymmetric_keys/Kconfig | 1 +
- crypto/asymmetric_keys/pefile_parser.c | 5 +++++
- 2 files changed, 6 insertions(+)
-
-diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 2e7315c..2777916 100644
---- a/crypto/asymmetric_keys/Kconfig
-+++ b/crypto/asymmetric_keys/Kconfig
-@@ -48,6 +48,7 @@ config PE_FILE_PARSER
- tristate "PE binary-wrapped key parser"
- depends on X509_CERTIFICATE_PARSER
- depends on PKCS7_MESSAGE_PARSER
-+ depends on SYSTEM_TRUSTED_KEYRING
- help
- This option provides support for parsing signed PE binaries that
- contain an X.509 certificate in an internal section.
-diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c
-index dfdb85e..edad948 100644
---- a/crypto/asymmetric_keys/pefile_parser.c
-+++ b/crypto/asymmetric_keys/pefile_parser.c
-@@ -18,6 +18,7 @@
- #include <linux/asn1.h>
- #include <keys/asymmetric-subtype.h>
- #include <keys/asymmetric-parser.h>
-+#include <keys/system_keyring.h>
- #include <crypto/hash.h>
- #include "asymmetric_keys.h"
- #include "public_key.h"
-@@ -435,6 +436,10 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep)
- if (ret < 0)
- goto error;
-
-+ ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &prep->trusted);
-+ if (ret < 0)
-+ goto error;
-+
- ret = -ENOANO; // Not yet complete
-
- error:
---
-1.8.1.4
-
-
-From ce9ca4236f691264a94bcbe10beda9ec5a035baf Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 15 Jan 2013 15:33:42 +0000
-Subject: [PATCH 27/47] PEFILE: Load the contained key if we consider the
- container to be validly signed
-
-Load the key contained in the PE binary if the signature on the container can
-be verified by following the chain of X.509 certificates in the PKCS#7 message
-to a key that we already trust. Typically, the trusted key will be acquired
-from a source outside of the kernel, such as the UEFI database.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
----
- crypto/asymmetric_keys/pefile_parser.c | 11 ++++++++++-
- crypto/asymmetric_keys/x509_parser.h | 3 +++
- crypto/asymmetric_keys/x509_public_key.c | 3 ++-
- 3 files changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c
-index edad948..c3efe39 100644
---- a/crypto/asymmetric_keys/pefile_parser.c
-+++ b/crypto/asymmetric_keys/pefile_parser.c
-@@ -395,6 +395,8 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep)
- {
- struct pkcs7_message *pkcs7;
- struct pefile_context ctx;
-+ const void *saved_data;
-+ size_t saved_datalen;
- int ret;
-
- kenter("");
-@@ -440,7 +442,14 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep)
- if (ret < 0)
- goto error;
-
-- ret = -ENOANO; // Not yet complete
-+ /* We can now try to load the key */
-+ saved_data = prep->data;
-+ saved_datalen = prep->datalen;
-+ prep->data += ctx.keylist_offset;
-+ prep->datalen = ctx.keylist_len;
-+ ret = x509_key_preparse(prep);
-+ prep->data = saved_data;
-+ prep->datalen = saved_datalen;
-
- error:
- pkcs7_free_message(ctx.pkcs7);
-diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
-index 5e35fba..65452c4 100644
---- a/crypto/asymmetric_keys/x509_parser.h
-+++ b/crypto/asymmetric_keys/x509_parser.h
-@@ -12,6 +12,8 @@
- #include <linux/time.h>
- #include <crypto/public_key.h>
-
-+struct key_preparsed_payload;
-+
- struct x509_certificate {
- struct x509_certificate *next;
- const struct x509_certificate *signer; /* Certificate that signed this one */
-@@ -47,3 +49,4 @@ extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen
- extern int x509_get_sig_params(struct x509_certificate *cert);
- extern int x509_check_signature(const struct public_key *pub,
- struct x509_certificate *cert);
-+extern int x509_key_preparse(struct key_preparsed_payload *prep);
-diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
-index 0f55e3b..c3e5a6d 100644
---- a/crypto/asymmetric_keys/x509_public_key.c
-+++ b/crypto/asymmetric_keys/x509_public_key.c
-@@ -105,7 +105,7 @@ EXPORT_SYMBOL_GPL(x509_check_signature);
- /*
- * Attempt to parse a data blob for a key as an X509 certificate.
- */
--static int x509_key_preparse(struct key_preparsed_payload *prep)
-+int x509_key_preparse(struct key_preparsed_payload *prep)
- {
- struct x509_certificate *cert;
- struct tm now;
-@@ -229,6 +229,7 @@ error_free_cert:
- x509_free_certificate(cert);
- return ret;
- }
-+EXPORT_SYMBOL_GPL(x509_key_preparse);
-
- static struct asymmetric_key_parser x509_key_parser = {
- .owner = THIS_MODULE,
---
-1.8.1.4
-
-
-From 395cc1b55a0645ced39f92b31ba3bcc141e59383 Mon Sep 17 00:00:00 2001
-From: Chun-Yi Lee <joeyli.kernel@gmail.com>
-Date: Thu, 21 Feb 2013 19:23:49 +0800
-Subject: [PATCH 28/47] MODSIGN: Fix including certificate twice when the
- signing_key.x509 already exists
-
-This issue was found in devel-pekey branch on linux-modsign.git tree. The
-x509_certificate_list includes certificate twice when the signing_key.x509
-already exists.
-We can reproduce this issue by making kernel twice, the build log of
-second time looks like this:
-
-...
- CHK kernel/config_data.h
- CERTS kernel/x509_certificate_list
- - Including cert /ramdisk/working/joey/linux-modsign/signing_key.x509
- - Including cert signing_key.x509
-...
-
-Actually the build path was the same with the srctree path when building
-kernel. It causes the size of bzImage increased by packaging certificates
-twice.
-
-Cc: Rusty Russell <rusty@rustcorp.com.au>
-Cc: Josh Boyer <jwboyer@redhat.com>
-Cc: Randy Dunlap <rdunlap@xenotime.net>
-Cc: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: "David S. Miller" <davem@davemloft.net>
-Cc: Michal Marek <mmarek@suse.com>
-Signed-off-by: Chun-Yi Lee <jlee@suse.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- kernel/Makefile | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/Makefile b/kernel/Makefile
-index ecff938..52f3426 100644
---- a/kernel/Makefile
-+++ b/kernel/Makefile
-@@ -149,7 +149,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
- #
- ###############################################################################
- ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
--X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
-+X509_CERTIFICATES-y := $(wildcard *.x509)
-+ifneq ($(shell pwd), $(srctree))
-+X509_CERTIFICATES-y += $(wildcard $(srctree)/*.x509)
-+endif
- X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
- X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
-
---
-1.8.1.4
-
-
-From 0ef575739cff3fda47dd2a9415f066ab44dcc922 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:40:56 -0400
-Subject: [PATCH 29/47] Secure boot: Add new capability
-
-Secure boot adds certain policy requirements, including that root must not
-be able to do anything that could cause the kernel to execute arbitrary code.
-The simplest way to handle this would seem to be to add a new capability
-and gate various functionality on that. We'll then strip it from the initial
-capability set if required.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- include/uapi/linux/capability.h | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
-index ba478fa..7109e65 100644
---- a/include/uapi/linux/capability.h
-+++ b/include/uapi/linux/capability.h
-@@ -343,7 +343,11 @@ struct vfs_cap_data {
-
- #define CAP_BLOCK_SUSPEND 36
-
--#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
-+/* Allow things that trivially permit root to modify the running kernel */
-+
-+#define CAP_COMPROMISE_KERNEL 37
-+
-+#define CAP_LAST_CAP CAP_COMPROMISE_KERNEL
-
- #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
-
---
-1.8.1.4
-
-
-From 7312bed4fb9125d4880f11a64521b110079a3c0a Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:05 -0400
-Subject: [PATCH 30/47] SELinux: define mapping for new Secure Boot capability
-
-Add the name of the new Secure Boot capability. This allows SELinux
-policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
-capability class.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- security/selinux/include/classmap.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
-index 14d04e6..ed99a2d 100644
---- a/security/selinux/include/classmap.h
-+++ b/security/selinux/include/classmap.h
-@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
- { "memprotect", { "mmap_zero", NULL } },
- { "peer", { "recv", NULL } },
- { "capability2",
-- { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
-- NULL } },
-+ { "mac_override", "mac_admin", "syslog", "wake_alarm",
-+ "block_suspend", "compromise_kernel", NULL } },
- { "kernel_service", { "use_as_override", "create_files_as", NULL } },
- { "tun_socket",
- { COMMON_SOCK_PERMS, "attach_queue", NULL } },
---
-1.8.1.4
-
-
-From e99e1273b0a50d874d2a53461e95f74460e1b812 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:02 -0400
-Subject: [PATCH 31/47] Secure boot: Add a dummy kernel parameter that will
- switch on Secure Boot mode
-
-This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
-in the init_cred struct, which everything else inherits from. This works on
-any machine and can be used to develop even if the box doesn't have UEFI.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- Documentation/kernel-parameters.txt | 7 +++++++
- kernel/cred.c | 17 +++++++++++++++++
- 2 files changed, 24 insertions(+)
-
-diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 8c01a02..ee6c1ca 100644
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -2744,6 +2744,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
- Note: increases power consumption, thus should only be
- enabled if running jitter sensitive (HPC/RT) workloads.
-
-+ secureboot_enable=
-+ [KNL] Enables an emulated UEFI Secure Boot mode. This
-+ locks down various aspects of the kernel guarded by the
-+ CAP_COMPROMISE_KERNEL capability. This includes things
-+ like /dev/mem, IO port access, and other areas. It can
-+ be used on non-UEFI machines for testing purposes.
-+
- security= [SECURITY] Choose a security module to enable at boot.
- If this boot parameter is not specified, only the first
- security module asking for security registration will be
-diff --git a/kernel/cred.c b/kernel/cred.c
-index e0573a4..c3f4e3e 100644
---- a/kernel/cred.c
-+++ b/kernel/cred.c
-@@ -565,6 +565,23 @@ void __init cred_init(void)
- 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
- }
-
-+void __init secureboot_enable()
-+{
-+ pr_info("Secure boot enabled\n");
-+ cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);
-+ cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);
-+}
-+
-+/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
-+static int __init secureboot_enable_opt(char *str)
-+{
-+ int sb_enable = !!simple_strtol(str, NULL, 0);
-+ if (sb_enable)
-+ secureboot_enable();
-+ return 1;
-+}
-+__setup("secureboot_enable=", secureboot_enable_opt);
-+
- /**
- * prepare_kernel_cred - Prepare a set of credentials for a kernel service
- * @daemon: A userspace daemon to be used as a reference
---
-1.8.1.4
-
-
-From eeac2b5391d834eefebfae49a100244fdccc82e5 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:03 -0400
-Subject: [PATCH 32/47] efi: Enable secure boot lockdown automatically when
- enabled in firmware
-
-The firmware has a set of flags that indicate whether secure boot is enabled
-and enforcing. Use them to indicate whether the kernel should lock itself
-down. We also indicate the machine is in secure boot mode by adding the
-EFI_SECURE_BOOT bit for use with efi_enabled.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- Documentation/x86/zero-page.txt | 2 ++
- arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
- arch/x86/include/asm/bootparam_utils.h | 8 ++++++--
- arch/x86/include/uapi/asm/bootparam.h | 3 ++-
- arch/x86/kernel/setup.c | 7 +++++++
- include/linux/cred.h | 2 ++
- include/linux/efi.h | 1 +
- 7 files changed, 52 insertions(+), 3 deletions(-)
-
-diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 199f453..ff651d3 100644
---- a/Documentation/x86/zero-page.txt
-+++ b/Documentation/x86/zero-page.txt
-@@ -30,6 +30,8 @@ Offset Proto Name Meaning
- 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
- 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
- (below)
-+1EB/001 ALL kbd_status Numlock is enabled
-+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns
- 1EF/001 ALL sentinel Used to detect broken bootloaders
- 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
- 2D0/A00 ALL e820_map E820 memory map table
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 35ee62f..0998ec7 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -906,6 +906,36 @@ fail:
- return status;
- }
-
-+static int get_secure_boot(efi_system_table_t *_table)
-+{
-+ u8 sb, setup;
-+ unsigned long datasize = sizeof(sb);
-+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
-+ efi_status_t status;
-+
-+ status = efi_call_phys5(sys_table->runtime->get_variable,
-+ L"SecureBoot", &var_guid, NULL, &datasize, &sb);
-+
-+ if (status != EFI_SUCCESS)
-+ return 0;
-+
-+ if (sb == 0)
-+ return 0;
-+
-+
-+ status = efi_call_phys5(sys_table->runtime->get_variable,
-+ L"SetupMode", &var_guid, NULL, &datasize,
-+ &setup);
-+
-+ if (status != EFI_SUCCESS)
-+ return 0;
-+
-+ if (setup == 1)
-+ return 0;
-+
-+ return 1;
-+}
-+
- /*
- * Because the x86 boot code expects to be passed a boot_params we
- * need to create one ourselves (usually the bootloader would create
-@@ -1200,6 +1230,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
- if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
- goto fail;
-
-+ boot_params->secure_boot = get_secure_boot(sys_table);
-+
- setup_graphics(boot_params);
-
- setup_efi_vars(boot_params);
-diff --git a/arch/x86/include/asm/bootparam_utils.h b/arch/x86/include/asm/bootparam_utils.h
-index 653668d..69a6c08 100644
---- a/arch/x86/include/asm/bootparam_utils.h
-+++ b/arch/x86/include/asm/bootparam_utils.h
-@@ -38,9 +38,13 @@ static void sanitize_boot_params(struct boot_params *boot_params)
- memset(&boot_params->olpc_ofw_header, 0,
- (char *)&boot_params->efi_info -
- (char *)&boot_params->olpc_ofw_header);
-- memset(&boot_params->kbd_status, 0,
-+ memset(&boot_params->kbd_status, 0, sizeof(boot_params->kbd_status));
-+ /* don't clear boot_params->secure_boot. we set that ourselves
-+ * earlier.
-+ */
-+ memset(&boot_params->_pad5[0], 0,
- (char *)&boot_params->hdr -
-- (char *)&boot_params->kbd_status);
-+ (char *)&boot_params->_pad5[0]);
- memset(&boot_params->_pad7[0], 0,
- (char *)&boot_params->edd_mbr_sig_buffer[0] -
- (char *)&boot_params->_pad7[0]);
-diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index 0874424..56b7d39 100644
---- a/arch/x86/include/uapi/asm/bootparam.h
-+++ b/arch/x86/include/uapi/asm/bootparam.h
-@@ -132,7 +132,8 @@ struct boot_params {
- __u8 eddbuf_entries; /* 0x1e9 */
- __u8 edd_mbr_sig_buf_entries; /* 0x1ea */
- __u8 kbd_status; /* 0x1eb */
-- __u8 _pad5[3]; /* 0x1ec */
-+ __u8 secure_boot; /* 0x1ec */
-+ __u8 _pad5[2]; /* 0x1ed */
- /*
- * The sentinel is set to a nonzero value (0xff) in header.S.
- *
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 56f7fcf..3af6cf8 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1131,6 +1131,13 @@ void __init setup_arch(char **cmdline_p)
-
- io_delay_init();
-
-+ if (boot_params.secure_boot) {
-+#ifdef CONFIG_EFI
-+ set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
-+#endif
-+ secureboot_enable();
-+ }
-+
- /*
- * Parse the ACPI tables for possible boot-time SMP configuration.
- */
-diff --git a/include/linux/cred.h b/include/linux/cred.h
-index 04421e8..9e69542 100644
---- a/include/linux/cred.h
-+++ b/include/linux/cred.h
-@@ -156,6 +156,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
- extern int set_create_files_as(struct cred *, struct inode *);
- extern void __init cred_init(void);
-
-+extern void secureboot_enable(void);
-+
- /*
- * check for validity of credentials
- */
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 2bc0ad7..10b167a 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -634,6 +634,7 @@ extern int __init efi_setup_pcdp_console(char *);
- #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */
- #define EFI_MEMMAP 4 /* Can we use EFI memory map? */
- #define EFI_64BIT 5 /* Is the firmware 64-bit? */
-+#define EFI_SECURE_BOOT 6 /* Are we in Secure Boot mode? */
-
- #ifdef CONFIG_EFI
- # ifdef CONFIG_X86
---
-1.8.1.4
-
-
-From a1ac3b80b7a85d4fce665047b9701713fcfc1ea0 Mon Sep 17 00:00:00 2001
-From: Dave Howells <dhowells@redhat.com>
-Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH 33/47] Add EFI signature data types
-
-Add the data types that are used for containing hashes, keys and certificates
-for cryptographic verification.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- include/linux/efi.h | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 10b167a..d3ef7c6 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -389,6 +389,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si
- #define EFI_FILE_SYSTEM_GUID \
- EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b )
-
-+#define EFI_CERT_SHA256_GUID \
-+ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 )
-+
-+#define EFI_CERT_X509_GUID \
-+ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
-+
- typedef struct {
- efi_guid_t guid;
- u64 table;
-@@ -524,6 +530,20 @@ typedef struct {
-
- #define EFI_INVALID_TABLE_ADDR (~0UL)
-
-+typedef struct {
-+ efi_guid_t signature_owner;
-+ u8 signature_data[];
-+} efi_signature_data_t;
-+
-+typedef struct {
-+ efi_guid_t signature_type;
-+ u32 signature_list_size;
-+ u32 signature_header_size;
-+ u32 signature_size;
-+ u8 signature_header[];
-+ /* efi_signature_data_t signatures[][] */
-+} efi_signature_list_t;
-+
- /*
- * All runtime access to EFI goes through this structure:
- */
---
-1.8.1.4
-
-
-From fac308c18ba449322666325f37f6a08ad818cf9f Mon Sep 17 00:00:00 2001
-From: Dave Howells <dhowells@redhat.com>
-Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH 34/47] Add an EFI signature blob parser and key loader.
-
-X.509 certificates are loaded into the specified keyring as asymmetric type
-keys.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- crypto/asymmetric_keys/Kconfig | 8 +++
- crypto/asymmetric_keys/Makefile | 1 +
- crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
- include/linux/efi.h | 4 ++
- 4 files changed, 122 insertions(+)
- create mode 100644 crypto/asymmetric_keys/efi_parser.c
-
-diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 2777916..429bbb7 100644
---- a/crypto/asymmetric_keys/Kconfig
-+++ b/crypto/asymmetric_keys/Kconfig
-@@ -53,4 +53,12 @@ config PE_FILE_PARSER
- This option provides support for parsing signed PE binaries that
- contain an X.509 certificate in an internal section.
-
-+config EFI_SIGNATURE_LIST_PARSER
-+ bool "EFI signature list parser"
-+ depends on EFI
-+ select X509_CERTIFICATE_PARSER
-+ help
-+ This option provides support for parsing EFI signature lists for
-+ X.509 certificates and turning them into keys.
-+
- endif # ASYMMETRIC_KEY_TYPE
-diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index ddc64bb..360b308 100644
---- a/crypto/asymmetric_keys/Makefile
-+++ b/crypto/asymmetric_keys/Makefile
-@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o
-
- obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
- obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o
-+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
-
- #
- # X.509 Certificate handling
-diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
-new file mode 100644
-index 0000000..424896a
---- /dev/null
-+++ b/crypto/asymmetric_keys/efi_parser.c
-@@ -0,0 +1,109 @@
-+/* EFI signature/key/certificate list parser
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) "EFI: "fmt
-+#include <linux/module.h>
-+#include <linux/printk.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+#include <keys/asymmetric-type.h>
-+
-+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
-+
-+/**
-+ * parse_efi_signature_list - Parse an EFI signature list for certificates
-+ * @data: The data blob to parse
-+ * @size: The size of the data blob
-+ * @keyring: The keyring to add extracted keys to
-+ */
-+int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring)
-+{
-+ unsigned offs = 0;
-+ size_t lsize, esize, hsize, elsize;
-+
-+ pr_devel("-->%s(,%zu)\n", __func__, size);
-+
-+ while (size > 0) {
-+ efi_signature_list_t list;
-+ const efi_signature_data_t *elem;
-+ key_ref_t key;
-+
-+ if (size < sizeof(list))
-+ return -EBADMSG;
-+
-+ memcpy(&list, data, sizeof(list));
-+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",
-+ offs,
-+ list.signature_type.b, list.signature_list_size,
-+ list.signature_header_size, list.signature_size);
-+
-+ lsize = list.signature_list_size;
-+ hsize = list.signature_header_size;
-+ esize = list.signature_size;
-+ elsize = lsize - sizeof(list) - hsize;
-+
-+ if (lsize > size) {
-+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",
-+ __func__, offs);
-+ return -EBADMSG;
-+ }
-+ if (lsize < sizeof(list) ||
-+ lsize - sizeof(list) < hsize ||
-+ esize < sizeof(*elem) ||
-+ elsize < esize ||
-+ elsize % esize != 0) {
-+ pr_devel("- bad size combo @%x\n", offs);
-+ return -EBADMSG;
-+ }
-+
-+ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) {
-+ data += lsize;
-+ size -= lsize;
-+ offs += lsize;
-+ continue;
-+ }
-+
-+ data += sizeof(list) + hsize;
-+ size -= sizeof(list) + hsize;
-+ offs += sizeof(list) + hsize;
-+
-+ for (; elsize > 0; elsize -= esize) {
-+ elem = data;
-+
-+ pr_devel("ELEM[%04x]\n", offs);
-+
-+ key = key_create_or_update(
-+ make_key_ref(keyring, 1),
-+ "asymmetric",
-+ NULL,
-+ &elem->signature_data,
-+ esize - sizeof(*elem),
-+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+ KEY_USR_VIEW,
-+ KEY_ALLOC_NOT_IN_QUOTA |
-+ KEY_ALLOC_TRUSTED);
-+
-+ if (IS_ERR(key))
-+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
-+ PTR_ERR(key));
-+ else
-+ pr_notice("Loaded cert '%s' linked to '%s'\n",
-+ key_ref_to_ptr(key)->description,
-+ keyring->description);
-+
-+ data += esize;
-+ size -= esize;
-+ offs += esize;
-+ }
-+ }
-+
-+ return 0;
-+}
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index d3ef7c6..4f0fbb7 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -619,6 +619,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime);
- extern void efi_reserve_boot_services(void);
- extern struct efi_memory_map memmap;
-
-+struct key;
-+extern int __init parse_efi_signature_list(const void *data, size_t size,
-+ struct key *keyring);
-+
- /**
- * efi_range_is_wc - check the WC bit on an address range
- * @start: starting kvirt address
---
-1.8.1.4
-
-
-From 75560e565cb8a4e853a3b6f6c65ed70c1ba29039 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 35/47] KEYS: Add a system blacklist keyring
-
-This adds an additional keyring that is used to store certificates that
-are blacklisted. This keyring is searched first when loading signed modules
-and if the module's certificate is found, it will refuse to load. This is
-useful in cases where third party certificates are used for module signing.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- include/keys/system_keyring.h | 4 ++++
- init/Kconfig | 9 +++++++++
- kernel/module_signing.c | 12 ++++++++++++
- kernel/system_keyring.c | 17 +++++++++++++++++
- 4 files changed, 42 insertions(+)
-
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index 8dabc39..e466de1 100644
---- a/include/keys/system_keyring.h
-+++ b/include/keys/system_keyring.h
-@@ -18,6 +18,10 @@
-
- extern struct key *system_trusted_keyring;
-
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+extern struct key *system_blacklist_keyring;
-+#endif
-+
- #endif
-
- #endif /* _KEYS_SYSTEM_KEYRING_H */
-diff --git a/init/Kconfig b/init/Kconfig
-index b9d8870..4f9771f 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1627,6 +1627,15 @@ config SYSTEM_TRUSTED_KEYRING
-
- Keys in this keyring are used by module signature checking.
-
-+config SYSTEM_BLACKLIST_KEYRING
-+ bool "Provide system-wide ring of blacklisted keys"
-+ depends on KEYS
-+ help
-+ Provide a system keyring to which blacklisted keys can be added. Keys
-+ in the keyring are considered entirely untrusted. Keys in this keyring
-+ are used by the module signature checking to reject loading of modules
-+ signed with a blacklisted key.
-+
- menuconfig MODULES
- bool "Enable loadable module support"
- help
-diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index 0b6b870..0a29b40 100644
---- a/kernel/module_signing.c
-+++ b/kernel/module_signing.c
-@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
-
- pr_debug("Look up: \"%s\"\n", id);
-
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+ key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
-+ &key_type_asymmetric, id);
-+ if (!IS_ERR(key)) {
-+ /* module is signed with a cert in the blacklist. reject */
-+ pr_err("Module key '%s' is in blacklist\n", id);
-+ key_ref_put(key);
-+ kfree(id);
-+ return ERR_PTR(-EKEYREJECTED);
-+ }
-+#endif
-+
- key = keyring_search(make_key_ref(system_trusted_keyring, 1),
- &key_type_asymmetric, id);
- if (IS_ERR(key))
-diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
-index dae8778..2913c70 100644
---- a/kernel/system_keyring.c
-+++ b/kernel/system_keyring.c
-@@ -20,6 +20,9 @@
-
- struct key *system_trusted_keyring;
- EXPORT_SYMBOL_GPL(system_trusted_keyring);
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+struct key *system_blacklist_keyring;
-+#endif
-
- extern __initdata const u8 system_certificate_list[];
- extern __initdata const u8 system_certificate_list_end[];
-@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
- panic("Can't allocate system trusted keyring\n");
-
- set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
-+
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
-+ KUIDT_INIT(0), KGIDT_INIT(0),
-+ current_cred(),
-+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+ KEY_USR_VIEW | KEY_USR_READ,
-+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
-+ if (IS_ERR(system_blacklist_keyring))
-+ panic("Can't allocate system blacklist keyring\n");
-+
-+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
-+#endif
-+
- return 0;
- }
-
---
-1.8.1.4
-
-
-From e46bf80471882ce1ab0b75dc954b2b59deec6fbb Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 26 Oct 2012 12:42:16 -0400
-Subject: [PATCH 36/47] MODSIGN: Import certificates from UEFI Secure Boot
-
-Secure Boot stores a list of allowed certificates in the 'db' variable.
-This imports those certificates into the system trusted keyring. This
-allows for a third party signing certificate to be used in conjunction
-with signed modules. By importing the public certificate into the 'db'
-variable, a user can allow a module signed with that certificate to
-load. The shim UEFI bootloader has a similar certificate list stored
-in the 'MokListRT' variable. We import those as well.
-
-In the opposite case, Secure Boot maintains a list of disallowed
-certificates in the 'dbx' variable. We load those certificates into
-the newly introduced system blacklist keyring and forbid any module
-signed with those from loading.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- include/linux/efi.h | 6 ++++
- init/Kconfig | 9 +++++
- kernel/Makefile | 3 ++
- kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 110 insertions(+)
- create mode 100644 kernel/modsign_uefi.c
-
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 4f0fbb7..7ac7a17 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -395,6 +395,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si
- #define EFI_CERT_X509_GUID \
- EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
-
-+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
-+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
-+
-+#define EFI_SHIM_LOCK_GUID \
-+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
-+
- typedef struct {
- efi_guid_t guid;
- u64 table;
-diff --git a/init/Kconfig b/init/Kconfig
-index 4f9771f..da92f1c 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1745,6 +1745,15 @@ config MODULE_SIG_ALL
- comment "Do not forget to sign required modules with scripts/sign-file"
- depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
-
-+config MODULE_SIG_UEFI
-+ bool "Allow modules signed with certs stored in UEFI"
-+ depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI
-+ select EFI_SIGNATURE_LIST_PARSER
-+ help
-+ This will import certificates stored in UEFI and allow modules
-+ signed with those to be loaded. It will also disallow loading
-+ of modules stored in the UEFI dbx variable.
-+
- choice
- prompt "Which hash algorithm should modules be signed with?"
- depends on MODULE_SIG
-diff --git a/kernel/Makefile b/kernel/Makefile
-index 52f3426..e2a616f 100644
---- a/kernel/Makefile
-+++ b/kernel/Makefile
-@@ -55,6 +55,7 @@ obj-$(CONFIG_UID16) += uid16.o
- obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
- obj-$(CONFIG_MODULES) += module.o
- obj-$(CONFIG_MODULE_SIG) += module_signing.o
-+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
- obj-$(CONFIG_KALLSYMS) += kallsyms.o
- obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
- obj-$(CONFIG_KEXEC) += kexec.o
-@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
-
- $(obj)/configs.o: $(obj)/config_data.h
-
-+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
-+
- # config_data.h contains the same information as ikconfig.h but gzipped.
- # Info from config_data can be extracted from /proc/config*
- targets += config_data.gz
-diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
-new file mode 100644
-index 0000000..94b0eb3
---- /dev/null
-+++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,92 @@
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+#include <linux/slab.h>
-+#include <keys/asymmetric-type.h>
-+#include <keys/system_keyring.h>
-+#include "module-internal.h"
-+
-+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
-+{
-+ efi_status_t status;
-+ unsigned long lsize = 4;
-+ unsigned long tmpdb[4];
-+ void *db = NULL;
-+
-+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
-+ if (status != EFI_BUFFER_TOO_SMALL) {
-+ pr_err("Couldn't get size: 0x%lx\n", status);
-+ return NULL;
-+ }
-+
-+ db = kmalloc(lsize, GFP_KERNEL);
-+ if (!db) {
-+ pr_err("Couldn't allocate memory for uefi cert list\n");
-+ goto out;
-+ }
-+
-+ status = efi.get_variable(name, guid, NULL, &lsize, db);
-+ if (status != EFI_SUCCESS) {
-+ kfree(db);
-+ db = NULL;
-+ pr_err("Error reading db var: 0x%lx\n", status);
-+ }
-+out:
-+ *size = lsize;
-+ return db;
-+}
-+
-+/*
-+ * * Load the certs contained in the UEFI databases
-+ * */
-+static int __init load_uefi_certs(void)
-+{
-+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
-+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
-+ void *db = NULL, *dbx = NULL, *mok = NULL;
-+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
-+ int rc = 0;
-+
-+ /* Check if SB is enabled and just return if not */
-+ if (!efi_enabled(EFI_SECURE_BOOT))
-+ return 0;
-+
-+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
-+ * an error if we can't get them.
-+ */
-+ db = get_cert_list(L"db", &secure_var, &dbsize);
-+ if (!db) {
-+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
-+ } else {
-+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
-+ if (rc)
-+ pr_err("Couldn't parse db signatures: %d\n", rc);
-+ kfree(db);
-+ }
-+
-+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-+ if (!mok) {
-+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
-+ } else {
-+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
-+ if (rc)
-+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
-+ kfree(mok);
-+ }
-+
-+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
-+ if (!dbx) {
-+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
-+ } else {
-+ rc = parse_efi_signature_list(dbx, dbxsize,
-+ system_blacklist_keyring);
-+ if (rc)
-+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
-+ kfree(dbx);
-+ }
-+
-+ return rc;
-+}
-+late_initcall(load_uefi_certs);
---
-1.8.1.4
-
-
-From 8724600edad99706cce510645eff15f28787561a Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:40:57 -0400
-Subject: [PATCH 37/47] PCI: Lock down BAR access in secure boot environments
-
-Any hardware that can potentially generate DMA has to be locked down from
-userspace in order to avoid it being possible for an attacker to cause
-arbitrary kernel behaviour. Default to paranoid - in future we can
-potentially relax this for sufficiently IOMMU-isolated devices.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- drivers/pci/pci-sysfs.c | 9 +++++++++
- drivers/pci/proc.c | 8 +++++++-
- drivers/pci/syscall.c | 2 +-
- 3 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 5b4a9d9..db2ff9e 100644
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -622,6 +622,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
- loff_t init_off = off;
- u8 *data = (u8*) buf;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (off > dev->cfg_size)
- return 0;
- if (off + count > dev->cfg_size) {
-@@ -928,6 +931,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
- resource_size_t start, end;
- int i;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- for (i = 0; i < PCI_ROM_RESOURCE; i++)
- if (res == &pdev->resource[i])
- break;
-@@ -1035,6 +1041,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
- struct bin_attribute *attr, char *buf,
- loff_t off, size_t count)
- {
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
-
-diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 0812608..544132d 100644
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -136,6 +136,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
- int size = dev->cfg_size;
- int cnt;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (pos >= size)
- return 0;
- if (nbytes >= size)
-@@ -215,6 +218,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
- #endif /* HAVE_PCI_MMAP */
- int ret = 0;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- switch (cmd) {
- case PCIIOC_CONTROLLER:
- ret = pci_domain_nr(dev->bus);
-@@ -253,7 +259,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
- struct pci_filp_private *fpriv = file->private_data;
- int i, ret;
-
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))
- return -EPERM;
-
- /* Make sure the caller is mapping a real resource for this device */
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index e1c1ec5..97e785f 100644
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
- u32 dword;
- int err = 0;
-
-- if (!capable(CAP_SYS_ADMIN))
-+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_COMPROMISE_KERNEL))
- return -EPERM;
-
- dev = pci_get_bus_and_slot(bus, dfn);
---
-1.8.1.4
-
-
-From 2361c561632c00e3974a092454ecc7daafb7cdf6 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:40:58 -0400
-Subject: [PATCH 38/47] x86: Lock down IO port access in secure boot
- environments
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO register
-space. This would potentially permit root to trigger arbitrary DMA, so lock
-it down by default.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- arch/x86/kernel/ioport.c | 4 ++--
- drivers/char/mem.c | 3 +++
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 4ddaf66..f505995 100644
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -28,7 +28,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
-
- if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- return -EINVAL;
-- if (turn_on && !capable(CAP_SYS_RAWIO))
-+ if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL)))
- return -EPERM;
-
- /*
-@@ -103,7 +103,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
- return -EINVAL;
- /* Trying to gain more privileges? */
- if (level > old) {
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))
- return -EPERM;
- }
- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 2c644af..7eee4d8 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
- unsigned long i = *ppos;
- const char __user *tmp = buf;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (!access_ok(VERIFY_READ, buf, count))
- return -EFAULT;
- while (count-- > 0 && i < 65536) {
---
-1.8.1.4
-
-
-From e97f4dd5b1baaae0854e8a5c87aa4be4d03d1854 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:40:59 -0400
-Subject: [PATCH 39/47] ACPI: Limit access to custom_method
-
-It must be impossible for even root to get code executed in kernel context
-under a secure boot environment. custom_method effectively allows arbitrary
-access to system memory, so it needs to have a capability check here.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index 12b62f2..edf0710 100644
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
- struct acpi_table_header table;
- acpi_status status;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (!(*ppos)) {
- /* parse the table header to get the table length */
- if (count <= sizeof(struct acpi_table_header))
---
-1.8.1.4
-
-
-From f0389c3a6d823e2386ab4e21d9e012c4ebd310ac Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:00 -0400
-Subject: [PATCH 40/47] asus-wmi: Restrict debugfs interface
-
-We have no way of validating what all of the Asus WMI methods do on a
-given machine, and there's a risk that some will allow hardware state to
-be manipulated in such a way that arbitrary code can be executed in the
-kernel. Add a capability check to prevent that.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- drivers/platform/x86/asus-wmi.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index c11b242..6d5f88f 100644
---- a/drivers/platform/x86/asus-wmi.c
-+++ b/drivers/platform/x86/asus-wmi.c
-@@ -1617,6 +1617,9 @@ static int show_dsts(struct seq_file *m, void *data)
- int err;
- u32 retval = -1;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
-
- if (err < 0)
-@@ -1633,6 +1636,9 @@ static int show_devs(struct seq_file *m, void *data)
- int err;
- u32 retval = -1;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
- &retval);
-
-@@ -1657,6 +1663,9 @@ static int show_call(struct seq_file *m, void *data)
- union acpi_object *obj;
- acpi_status status;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
- 1, asus->debug.method_id,
- &input, &output);
---
-1.8.1.4
-
-
-From 2e507337fc23547c7a15e5a102647becf20dba77 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:01 -0400
-Subject: [PATCH 41/47] Restrict /dev/mem and /dev/kmem in secure boot setups
-
-Allowing users to write to address space makes it possible for the kernel
-to be subverted. Restrict this when we need to protect the kernel.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- drivers/char/mem.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 7eee4d8..772ee2b 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
- unsigned long copied;
- void *ptr;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (!valid_phys_addr_range(p, count))
- return -EFAULT;
-
-@@ -530,6 +533,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
- char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
- int err = 0;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (p < (unsigned long) high_memory) {
- unsigned long to_write = min_t(unsigned long, count,
- (unsigned long)high_memory - p);
---
-1.8.1.4
-
-
-From ff22d9716846844f8c249dbc965684a8014efed0 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:04 -0400
-Subject: [PATCH 42/47] acpi: Ignore acpi_rsdp kernel parameter in a secure
- boot environment
-
-This option allows userspace to pass the RSDP address to the kernel. This
-could potentially be used to circumvent the secure boot trust model.
-This is setup through the setup_arch function, which is called before the
-security_init function sets up the security_ops, so we cannot use a
-capable call here. We ignore the setting if we are booted in Secure Boot
-mode.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- drivers/acpi/osl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index e721863..ed82da7 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -245,7 +245,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
- acpi_physical_address __init acpi_os_get_root_pointer(void)
- {
- #ifdef CONFIG_KEXEC
-- if (acpi_rsdp)
-+ if (acpi_rsdp && !efi_enabled(EFI_SECURE_BOOT))
- return acpi_rsdp;
- #endif
-
---
-1.8.1.4
-
-
-From b08ac626fbcf917bc219133d49c347d7d58eaae1 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Tue, 4 Sep 2012 11:55:13 -0400
-Subject: [PATCH 43/47] kexec: Disable in a secure boot environment
-
-kexec could be used as a vector for a malicious user to use a signed kernel
-to circumvent the secure boot trust model. In the long run we'll want to
-support signed kexec payloads, but for the moment we should just disable
-loading entirely in that situation.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- kernel/kexec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 59f7b55..8bf1336 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -939,7 +939,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- int result;
-
- /* We only trust the superuser with rebooting the system. */
-- if (!capable(CAP_SYS_BOOT))
-+ if (!capable(CAP_SYS_BOOT) || !capable(CAP_COMPROMISE_KERNEL))
- return -EPERM;
-
- /*
---
-1.8.1.4
-
-
-From f0d9c2906c1145585882fb7eb167e47e998c2e24 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 5 Oct 2012 10:12:48 -0400
-Subject: [PATCH 44/47] MODSIGN: Always enforce module signing in a Secure Boot
- environment
-
-If a machine is booted into a Secure Boot environment, we need to
-protect the trust model. This requires that all modules be signed
-with a key that is in the kernel's _modsign keyring. The checks for
-this are already done via the 'sig_enforce' module parameter. Make
-this visible within the kernel and force it to be true.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- kernel/cred.c | 8 ++++++++
- kernel/module.c | 4 ++--
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/kernel/cred.c b/kernel/cred.c
-index c3f4e3e..c5554e0 100644
---- a/kernel/cred.c
-+++ b/kernel/cred.c
-@@ -565,11 +565,19 @@ void __init cred_init(void)
- 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
- }
-
-+#ifdef CONFIG_MODULE_SIG
-+extern bool sig_enforce;
-+#endif
-+
- void __init secureboot_enable()
- {
- pr_info("Secure boot enabled\n");
- cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);
- cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);
-+#ifdef CONFIG_MODULE_SIG
-+ /* Enable module signature enforcing */
-+ sig_enforce = true;
-+#endif
- }
-
- /* Dummy Secure Boot enable option to fake out UEFI SB=1 */
-diff --git a/kernel/module.c b/kernel/module.c
-index 0925c9a..af4a476 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
-
- #ifdef CONFIG_MODULE_SIG
- #ifdef CONFIG_MODULE_SIG_FORCE
--static bool sig_enforce = true;
-+bool sig_enforce = true;
- #else
--static bool sig_enforce = false;
-+bool sig_enforce = false;
-
- static int param_set_bool_enable_only(const char *val,
- const struct kernel_param *kp)
---
-1.8.1.4
-
-
-From 1c6bfec7db39e46eeb456fb84e3153281690bbe0 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 26 Oct 2012 14:02:09 -0400
-Subject: [PATCH 45/47] hibernate: Disable in a Secure Boot environment
-
-There is currently no way to verify the resume image when returning
-from hibernate. This might compromise the secure boot trust model,
-so until we can work with signed hibernate images we disable it in
-a Secure Boot environment.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- kernel/power/hibernate.c | 15 ++++++++++++++-
- kernel/power/main.c | 7 ++++++-
- kernel/power/user.c | 3 +++
- 3 files changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index b26f5f1..7f63cb4 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -28,6 +28,7 @@
- #include <linux/syscore_ops.h>
- #include <linux/ctype.h>
- #include <linux/genhd.h>
-+#include <linux/efi.h>
-
- #include "power.h"
-
-@@ -632,6 +633,10 @@ int hibernate(void)
- {
- int error;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL)) {
-+ return -EPERM;
-+ }
-+
- lock_system_sleep();
- /* The snapshot device should not be opened while we're running */
- if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
-@@ -723,7 +728,7 @@ static int software_resume(void)
- /*
- * If the user said "noresume".. bail out early.
- */
-- if (noresume)
-+ if (noresume || !capable(CAP_COMPROMISE_KERNEL))
- return 0;
-
- /*
-@@ -889,6 +894,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
- int i;
- char *start = buf;
-
-+ if (efi_enabled(EFI_SECURE_BOOT)) {
-+ buf += sprintf(buf, "[%s]\n", "disabled");
-+ return buf-start;
-+ }
-+
- for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
- if (!hibernation_modes[i])
- continue;
-@@ -923,6 +933,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
- char *p;
- int mode = HIBERNATION_INVALID;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- p = memchr(buf, '\n', n);
- len = p ? p - buf : n;
-
-diff --git a/kernel/power/main.c b/kernel/power/main.c
-index d77663b..78f8ed5 100644
---- a/kernel/power/main.c
-+++ b/kernel/power/main.c
-@@ -15,6 +15,7 @@
- #include <linux/workqueue.h>
- #include <linux/debugfs.h>
- #include <linux/seq_file.h>
-+#include <linux/efi.h>
-
- #include "power.h"
-
-@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr,
- }
- #endif
- #ifdef CONFIG_HIBERNATION
-- s += sprintf(s, "%s\n", "disk");
-+ if (!efi_enabled(EFI_SECURE_BOOT)) {
-+ s += sprintf(s, "%s\n", "disk");
-+ } else {
-+ s += sprintf(s, "\n");
-+ }
- #else
- if (s != buf)
- /* convert the last space to a newline */
-diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 4ed81e7..b11a0f4 100644
---- a/kernel/power/user.c
-+++ b/kernel/power/user.c
-@@ -48,6 +48,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
- struct snapshot_data *data;
- int error;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- lock_system_sleep();
-
- if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
---
-1.8.1.4
-
-
-From 07cda990d2f18774522889ece30bddf67c703157 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 46/47] efi: Disable secure boot if shim is in insecure mode
-
-A user can manually tell the shim boot loader to disable validation of
-images it loads. When a user does this, it creates a UEFI variable called
-MokSBState that does not have the runtime attribute set. Given that the
-user explicitly disabled validation, we can honor that and not enable
-secure boot mode if that variable is set.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 0998ec7..4945ee5 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -908,8 +908,9 @@ fail:
-
- static int get_secure_boot(efi_system_table_t *_table)
- {
-- u8 sb, setup;
-+ u8 sb, setup, moksbstate;
- unsigned long datasize = sizeof(sb);
-+ u32 attr;
- efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
- efi_status_t status;
-
-@@ -933,6 +934,23 @@ static int get_secure_boot(efi_system_table_t *_table)
- if (setup == 1)
- return 0;
-
-+ /* See if a user has put shim into insecure_mode. If so, and the variable
-+ * doesn't have the runtime attribute set, we might as well honor that.
-+ */
-+ var_guid = EFI_SHIM_LOCK_GUID;
-+ status = efi_call_phys5(sys_table->runtime->get_variable,
-+ L"MokSBState", &var_guid, &attr, &datasize,
-+ &moksbstate);
-+
-+ /* If it fails, we don't care why. Default to secure */
-+ if (status != EFI_SUCCESS)
-+ return 1;
-+
-+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
-+ if (moksbstate == 1)
-+ return 0;
-+ }
-+
- return 1;
- }
-
---
-1.8.1.4
-
-
-From e61066577405c37c2758f9b7fb2694967bdbe921 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 47/47] x86: Lock down MSR writing in secure boot
-
-Writing to MSRs should not be allowed unless CAP_COMPROMISE_KERNEL is
-set since it could lead to execution of arbitrary code in kernel mode.
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
----
- arch/x86/kernel/msr.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index ce13049..fa4dc6c 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- int err = 0;
- ssize_t bytes = 0;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (count % 8)
- return -EINVAL; /* Invalid chunk size */
-
-@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- err = -EBADF;
- break;
- }
-+ if (!capable(CAP_COMPROMISE_KERNEL)) {
-+ err = -EPERM;
-+ break;
-+ }
- if (copy_from_user(&regs, uregs, sizeof regs)) {
- err = -EFAULT;
- break;
---
-1.8.1.4
-
diff --git a/freed-ora/current/master/drm-exynos-fix-multiple-definition-build-error.patch b/freed-ora/current/master/drm-exynos-fix-multiple-definition-build-error.patch
deleted file mode 100644
index 8242f20fd..000000000
--- a/freed-ora/current/master/drm-exynos-fix-multiple-definition-build-error.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From patchwork Fri Apr 26 05:03:10 2013
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: drm/exynos: fix multiple definition build error
-Date: Fri, 26 Apr 2013 05:03:10 -0000
-From: Inki Dae <inki.dae@samsung.com>
-X-Patchwork-Id: 2490831
-Message-Id: <1366952590-11652-1-git-send-email-inki.dae@samsung.com>
-To: airlied@linux.ie, dri-devel@lists.freedesktop.org
-Cc: kyungmin.park@samsung.com, sw0312.kim@samsung.com
-
-This patch fixes multiple definition error like below when building it
-as moudle with device tree support.
-
-drivers/gpu/drm/exynos/exynos_drm_g2d.o: In function `.LANCHOR1':
-exynos_drm_g2d.c:(.rodata+0x6c): multiple definition of `__mod_of_device_table'
-drivers/gpu/drm/exynos/exynos_drm_fimd.o:exynos_drm_fimd.c:(.rodata+0x144): first defined here
-
-Signed-off-by: Inki Dae <inki.dae@samsung.com>
-Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
-
----
-drivers/gpu/drm/exynos/exynos_drm_fimd.c | 2 +-
- drivers/gpu/drm/exynos/exynos_drm_g2d.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
-index 746b282..1e02d13 100644
---- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c
-+++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
-@@ -117,7 +117,7 @@ static const struct of_device_id fimd_driver_dt_match[] = {
- .data = &exynos5_fimd_driver_data },
- {},
- };
--MODULE_DEVICE_TABLE(of, fimd_driver_dt_match);
-+MODULE_DEVICE_TABLE(of_fimd, fimd_driver_dt_match);
- #endif
-
- static inline struct fimd_driver_data *drm_fimd_get_driver_data(
-diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
-index 47a493c..6a01ff1 100644
---- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
-+++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
-@@ -1525,7 +1525,7 @@ static const struct of_device_id exynos_g2d_match[] = {
- { .compatible = "samsung,exynos5250-g2d" },
- {},
- };
--MODULE_DEVICE_TABLE(of, exynos_g2d_match);
-+MODULE_DEVICE_TABLE(of_g2d, exynos_g2d_match);
- #endif
-
- struct platform_driver g2d_driver = {
diff --git a/freed-ora/current/master/fanotify-info-leak-in-copy_event_to_user.patch b/freed-ora/current/master/fanotify-info-leak-in-copy_event_to_user.patch
deleted file mode 100644
index 92b218b1c..000000000
--- a/freed-ora/current/master/fanotify-info-leak-in-copy_event_to_user.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
-index 6c80083..77cc85d 100644
---- a/fs/notify/fanotify/fanotify_user.c
-+++ b/fs/notify/fanotify/fanotify_user.c
-@@ -122,6 +122,7 @@ static int fill_event_metadata(struct fsnotify_group *group,
- metadata->event_len = FAN_EVENT_METADATA_LEN;
- metadata->metadata_len = FAN_EVENT_METADATA_LEN;
- metadata->vers = FANOTIFY_METADATA_VERSION;
-+ metadata->reserved = 0;
- metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
- metadata->pid = pid_vnr(event->tgid);
- if (unlikely(event->mask & FAN_Q_OVERFLOW))
-
- \ No newline at end of file
diff --git a/freed-ora/current/master/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch b/freed-ora/current/master/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
deleted file mode 100644
index 424d60350..000000000
--- a/freed-ora/current/master/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-This triggers on a MacBook Pro.
-
-Signed-off-by: Andy Lutomirski <luto@amacapital.net>
-https://bugzilla.redhat.com/show_bug.cgi?id=948262
----
- drivers/iommu/intel_irq_remapping.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
-index f3b8f23..a7e0ad1 100644
---- a/drivers/iommu/intel_irq_remapping.c
-+++ b/drivers/iommu/intel_irq_remapping.c
-@@ -654,8 +654,7 @@ error:
- */
-
- if (x2apic_present)
-- WARN(1, KERN_WARNING
-- "Failed to enable irq remapping. You are vulnerable to irq-injection attacks.\n");
-+ pr_warn("Failed to enable irq remapping. You are vulnerable to irq-injection attacks.\n");
-
- return -1;
- }
---
-1.8.1.4
-
diff --git a/freed-ora/current/master/iwl3945-better-skb-management-in-rx-path.patch b/freed-ora/current/master/iwl3945-better-skb-management-in-rx-path.patch
new file mode 100644
index 000000000..5d85af7d4
--- /dev/null
+++ b/freed-ora/current/master/iwl3945-better-skb-management-in-rx-path.patch
@@ -0,0 +1,97 @@
+From: Eric Dumazet <edumazet@google.com>
+
+Steinar reported reallocations of skb->head with IPv6, leading to
+a warning in skb_try_coalesce()
+
+It turns out iwl3945 has several problems :
+
+1) skb->truesize is underestimated.
+ We really consume PAGE_SIZE bytes for a fragment,
+ not the frame length.
+2) 128 bytes of initial headroom is a bit low and forces reallocations.
+3) We can avoid consuming a full page for small enough frames.
+
+Reported-by: Steinar H. Gunderson <sesse@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paul Stewart <pstew@google.com>
+---
+v3: use regular memcpy(skb_put(...),...)
+v2: SMALL_PACKET_SIZE define
+
+ drivers/net/wireless/iwlegacy/3945.c | 31 +++++++++++++++----------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlegacy/3945.c b/drivers/net/wireless/iwlegacy/3945.c
+index c092033..f09e257 100644
+--- a/drivers/net/wireless/iwlegacy/3945.c
++++ b/drivers/net/wireless/iwlegacy/3945.c
+@@ -475,6 +475,8 @@ il3945_is_network_packet(struct il_priv *il, struct ieee80211_hdr *header)
+ }
+ }
+
++#define SMALL_PACKET_SIZE 256
++
+ static void
+ il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb,
+ struct ieee80211_rx_status *stats)
+@@ -483,14 +485,13 @@ il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb,
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)IL_RX_DATA(pkt);
+ struct il3945_rx_frame_hdr *rx_hdr = IL_RX_HDR(pkt);
+ struct il3945_rx_frame_end *rx_end = IL_RX_END(pkt);
+- u16 len = le16_to_cpu(rx_hdr->len);
++ u32 len = le16_to_cpu(rx_hdr->len);
+ struct sk_buff *skb;
+ __le16 fc = hdr->frame_control;
++ u32 fraglen = PAGE_SIZE << il->hw_params.rx_page_order;
+
+ /* We received data from the HW, so stop the watchdog */
+- if (unlikely
+- (len + IL39_RX_FRAME_SIZE >
+- PAGE_SIZE << il->hw_params.rx_page_order)) {
++ if (unlikely(len + IL39_RX_FRAME_SIZE > fraglen)) {
+ D_DROP("Corruption detected!\n");
+ return;
+ }
+@@ -506,26 +507,32 @@ il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb,
+ D_INFO("Woke queues - frame received on passive channel\n");
+ }
+
+- skb = dev_alloc_skb(128);
++ skb = dev_alloc_skb(SMALL_PACKET_SIZE);
+ if (!skb) {
+ IL_ERR("dev_alloc_skb failed\n");
+ return;
+ }
+
+ if (!il3945_mod_params.sw_crypto)
+- il_set_decrypted_flag(il, (struct ieee80211_hdr *)rxb_addr(rxb),
++ il_set_decrypted_flag(il, (struct ieee80211_hdr *)pkt,
+ le32_to_cpu(rx_end->status), stats);
+
+- skb_add_rx_frag(skb, 0, rxb->page,
+- (void *)rx_hdr->payload - (void *)pkt, len,
+- len);
+-
++ /* If frame is small enough to fit into skb->head, copy it
++ * and do not consume a full page
++ */
++ if (len <= SMALL_PACKET_SIZE) {
++ memcpy(skb_put(skb, len), rx_hdr->payload, len);
++ } else {
++ skb_add_rx_frag(skb, 0, rxb->page,
++ (void *)rx_hdr->payload - (void *)pkt, len,
++ fraglen);
++ il->alloc_rxb_page--;
++ rxb->page = NULL;
++ }
+ il_update_stats(il, false, fc, len);
+ memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats));
+
+ ieee80211_rx(il->hw, skb);
+- il->alloc_rxb_page--;
+- rxb->page = NULL;
+ }
+
+ #define IL_DELAY_NEXT_SCAN_AFTER_ASSOC (HZ*6)
+
+
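Review bot: The call `il_set_decrypted_flag(il, (struct ieee80211_hdr *)pkt, ...)` in il3945_pass_packet_to_mac80211 casts the start of the receive packet to an 802.11 header, although the function already holds `hdr` derived from `IL_RX_DATA(pkt)` and the 4965 sibling patch passes `hdr`. If `IL_RX_DATA(pkt)` is not the same address as `pkt` (its definition is outside this hunk), the protected-frame test would read the wrong bytes and the decrypted flag reported to mac80211 could be wrong. I would pass the header instead: `il_set_decrypted_flag(il, hdr, le32_to_cpu(rx_end->status), stats);`. Separately, the copy branch is only safe because the skb is allocated with the same `SMALL_PACKET_SIZE` that bounds `len`, which deserves a comment such as `/* len <= SMALL_PACKET_SIZE, the size requested from dev_alloc_skb() above */`. The function body starts and ends outside the hunks shown.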
diff --git a/freed-ora/current/master/iwl4965-better-skb-management-in-rx-path.patch b/freed-ora/current/master/iwl4965-better-skb-management-in-rx-path.patch
new file mode 100644
index 000000000..904ff04f6
--- /dev/null
+++ b/freed-ora/current/master/iwl4965-better-skb-management-in-rx-path.patch
@@ -0,0 +1,65 @@
+4965 version of Eric patch "iwl3945: better skb management in rx path".
+It fixes several problems :
+
+1) skb->truesize is underestimated.
+ We really consume PAGE_SIZE bytes for a fragment,
+ not the frame length.
+2) 128 bytes of initial headroom is a bit low and forces reallocations.
+3) We can avoid consuming a full page for small enough frames.
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+---
+ drivers/net/wireless/iwlegacy/4965-mac.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c
+index d287fd2..4e5d408 100644
+--- a/drivers/net/wireless/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/iwlegacy/4965-mac.c
+@@ -574,9 +574,11 @@ il4965_translate_rx_status(struct il_priv *il, u32 decrypt_in)
+ return decrypt_out;
+ }
+
++#define SMALL_PACKET_SIZE 256
++
+ static void
+ il4965_pass_packet_to_mac80211(struct il_priv *il, struct ieee80211_hdr *hdr,
+- u16 len, u32 ampdu_status, struct il_rx_buf *rxb,
++ u32 len, u32 ampdu_status, struct il_rx_buf *rxb,
+ struct ieee80211_rx_status *stats)
+ {
+ struct sk_buff *skb;
+@@ -598,21 +600,25 @@ il4965_pass_packet_to_mac80211(struct il_priv *il, struct ieee80211_hdr *hdr,
+ il_set_decrypted_flag(il, hdr, ampdu_status, stats))
+ return;
+
+- skb = dev_alloc_skb(128);
++ skb = dev_alloc_skb(SMALL_PACKET_SIZE);
+ if (!skb) {
+ IL_ERR("dev_alloc_skb failed\n");
+ return;
+ }
+
+- skb_add_rx_frag(skb, 0, rxb->page, (void *)hdr - rxb_addr(rxb), len,
+- len);
++ if (len <= SMALL_PACKET_SIZE) {
++ memcpy(skb_put(skb, len), hdr, len);
++ } else {
++ skb_add_rx_frag(skb, 0, rxb->page, (void *)hdr - rxb_addr(rxb),
++ len, PAGE_SIZE << il->hw_params.rx_page_order);
++ il->alloc_rxb_page--;
++ rxb->page = NULL;
++ }
+
+ il_update_stats(il, false, fc, len);
+ memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats));
+
+ ieee80211_rx(il->hw, skb);
+- il->alloc_rxb_page--;
+- rxb->page = NULL;
+ }
+
+ /* Called for N_RX (legacy ABG frames), or
+--
+1.7.11.7
+
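Review bot: Nothing in these hunks bounds the device-supplied `len` against the receive buffer before `memcpy(skb_put(skb, len), hdr, len)` or `skb_add_rx_frag(...)`, whereas the 3945 version rejects frames with `len + IL39_RX_FRAME_SIZE > fraglen`. The destination is bounded by `SMALL_PACKET_SIZE`, but the source read and the fragment length still trust `len`. If the caller does not already validate it (not visible here), a guard placed before `dev_alloc_skb()` would close that, for example `if (unlikely((void *)hdr - rxb_addr(rxb) + len > (PAGE_SIZE << il->hw_params.rx_page_order))) return;`. `SMALL_PACKET_SIZE` is also defined with the same value in 3945.c by the sibling patch, so a single definition in a shared header would keep the two thresholds from drifting. The function starts before the first hunk.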
diff --git a/freed-ora/current/master/kernel.spec b/freed-ora/current/master/kernel.spec
index 7fb54730e..949ac3373 100644
--- a/freed-ora/current/master/kernel.spec
+++ b/freed-ora/current/master/kernel.spec
@@ -6,7 +6,7 @@ Summary: The Linux kernel
# For a stable, released kernel, released_kernel should be 1. For rawhide
# and/or a kernel built from an rc or git snapshot, released_kernel should
# be 0.
-%global released_kernel 1
+%global released_kernel 0
# Sign modules on x86. Make sure the config files match this setting if more
# architectures are added.
@@ -78,9 +78,9 @@ Summary: The Linux kernel
%define basegnu -gnu%{?librev}
# To be inserted between "patch" and "-2.6.".
-#define stablelibre -3.9%{?stablegnux}
-#define rcrevlibre -3.9%{?rcrevgnux}
-#define gitrevlibre -3.9%{?gitrevgnux}
+#define stablelibre -3.10%{?stablegnux}
+%define rcrevlibre -3.10%{?rcrevgnux}
+#define gitrevlibre -3.10%{?gitrevgnux}
%if 0%{?stablelibre:1}
%define stablegnu -gnu%{?librev}
@@ -131,9 +131,9 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
-%define rcrev 0
+%define rcrev 7
# The git snapshot level
-%define gitrev 0
+%define gitrev 4
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@@ -196,7 +196,7 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
# and 0 for rawhide (all kernels are debug kernels).
# See also 'make debug' and 'make release'.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
# Want to build a vanilla kernel build without any non-upstream patches?
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
@@ -209,7 +209,7 @@ Summary: The Linux kernel
%define doc_build_fail true
%endif
-%define rawhide_skip_docs 0
+%define rawhide_skip_docs 1
%if 0%{?rawhide_skip_docs}
%define with_doc 0
%define doc_build_fail true
@@ -478,33 +478,10 @@ Summary: The Linux kernel
%define cpupowerarchs %{ix86} x86_64 ppc ppc64 ppc64p7 %{arm} aarch64
#
-# Three sets of minimum package version requirements in the form of Conflicts:
-# to versions below the minimum
-#
-
-#
-# First the general kernel 2.6 required versions as per
-# Documentation/Changes
-#
-%define kernel_dot_org_conflicts ppp < 2.4.3-3, isdn4k-utils < 3.2-32, nfs-utils < 1.2.5-7.fc17, e2fsprogs < 1.37-4, util-linux < 2.12, jfsutils < 1.1.7-2, reiserfs-utils < 3.6.19-2, xfsprogs < 2.6.13-4, procps < 3.2.5-6.3, oprofile < 0.9.1-2, device-mapper-libs < 1.02.63-2, mdadm < 3.2.1-5
-
-#
-# Then a series of requirements that are distribution specific, either
-# because we add patches for something, or the older versions have
-# problems with the newer kernel or lack certain things that make
-# integration in the distro harder than needed.
-#
-%define package_conflicts initscripts < 7.23, udev < 063-6, iptables < 1.3.2-1, ipw2200-firmware < 2.4, iwl4965-firmware < 228.57.2, selinux-policy-targeted < 1.25.3-14, squashfs-tools < 4.0, wireless-tools < 29-3
-
-# We moved the drm include files into kernel-headers, make sure there's
-# a recent enough libdrm-devel on the system that doesn't have those.
-%define kernel_headers_conflicts libdrm-devel < 2.4.0-0.15
-
-#
# Packages that need to be installed before the kernel is, because the %%post
# scripts use them.
#
-%define kernel_prereq fileutils, module-init-tools >= 3.16-4, initscripts >= 8.11.1-1, systemd >= 203-2
+%define kernel_prereq fileutils, systemd >= 203-2
%define initrd_prereq dracut >= 027
#
@@ -516,36 +493,34 @@ Summary: The Linux kernel
%define kernel_reqprovconf \
Provides: kernel = %{rpmversion}-%{pkg_release}\
Provides: kernel-libre = %{rpmversion}-%{pkg_release}\
-Provides: kernel-%{_target_cpu} = %{rpmversion}-%{pkg_release}%{?1:.%{1}}\
-Provides: kernel-libre-%{_target_cpu} = %{rpmversion}-%{pkg_release}%{?1:.%{1}}\
+Provides: kernel-%{_target_cpu} = %{rpmversion}-%{pkg_release}%{?1:+%{1}}\
+Provides: kernel-libre-%{_target_cpu} = %{rpmversion}-%{pkg_release}%{?1:+%{1}}\
Provides: kernel-drm = 4.3.0\
Provides: kernel-libre-drm = 4.3.0\
Provides: kernel-drm-nouveau = 16\
Provides: kernel-libre-drm-nouveau = 16\
Provides: kernel-modeset = 1\
Provides: kernel-libre-modeset = 1\
-Provides: kernel-uname-r = %{KVERREL}%{?1:.%{1}}\
-Provides: kernel-libre-uname-r = %{KVERREL}%{?1:.%{1}}\
+Provides: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\
+Provides: kernel-libre-uname-r = %{KVERREL}%{?1:+%{1}}\
Provides: kernel-highbank\
Provides: kernel-libre-highbank\
-Provides: kernel-highbank-uname-r = %{KVERREL}%{?1:.%{1}}\
-Provides: kernel-libre-highbank-uname-r = %{KVERREL}%{?1:.%{1}}\
+Provides: kernel-highbank-uname-r = %{KVERREL}%{?1:+%{1}}\
+Provides: kernel-libre-highbank-uname-r = %{KVERREL}%{?1:+%{1}}\
Provides: kernel-omap\
-Provides: kernel-libre-nomap\
-Provides: kernel-omap-uname-r = %{KVERREL}%{?1:.%{1}}\
-Provides: kernel-libre-omap-uname-r = %{KVERREL}%{?1:.%{1}}\
+Provides: kernel-libre-omap\
+Provides: kernel-omap-uname-r = %{KVERREL}%{?1:+%{1}}\
+Provides: kernel-libre-omap-uname-r = %{KVERREL}%{?1:+%{1}}\
Provides: kernel-tegra\
Provides: kernel-libre-tegra\
-Provides: kernel-tegra-uname-r = %{KVERREL}%{?1:.%{1}}\
-Provides: kernel-libre-tegra-uname-r = %{KVERREL}%{?1:.%{1}}\
+Provides: kernel-tegra-uname-r = %{KVERREL}%{?1:+%{1}}\
+Provides: kernel-libre-tegra-uname-r = %{KVERREL}%{?1:+%{1}}\
Requires(pre): %{kernel_prereq}\
Requires(pre): %{initrd_prereq}\
%if %{with_firmware}\
Requires(pre): kernel-libre-firmware >= %{rpmversion}-%{pkg_release}\
%endif\
Requires(preun): systemd >= 200\
-Conflicts: %{kernel_dot_org_conflicts}\
-Conflicts: %{package_conflicts}\
%{expand:%%{?kernel%{?1:_%{1}}_conflicts:Conflicts: %%{kernel%{?1:_%{1}}_conflicts}}}\
%{expand:%%{?kernel%{?1:_%{1}}_obsoletes:Obsoletes: %%{kernel%{?1:_%{1}}_obsoletes}}}\
%{expand:%%{?kernel%{?1:_%{1}}_provides:Provides: %%{kernel%{?1:_%{1}}_provides}}}\
@@ -615,9 +590,7 @@ Source4: deblob-check
Source5: deblob-%{kversion}
#Source6: deblob-3.%{upstream_sublevel}
-%if %{signmodules}
Source11: x509.genkey
-%endif
Source15: merge.pl
Source16: mod-extra.list
@@ -721,7 +694,6 @@ Patch110: vmbugon-warnon.patch
Patch201: debug-bad-pte-modules.patch
Patch390: defaults-acpi-video.patch
-Patch391: acpi-video-dos.patch
Patch396: acpi-sony-nonvs-blacklist.patch
Patch450: input-kill-stupid-messages.patch
@@ -739,7 +711,10 @@ Patch800: crash-driver.patch
# crypto/
# secure boot
-Patch1000: devel-pekey-secure-boot-20130502.patch
+Patch1000: secure-modules.patch
+Patch1001: modsign-uefi.patch
+Patch1002: sb-hibernate.patch
+Patch1003: sysrq-secure-boot.patch
# virt + ksm patches
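Review bot: Replacing `devel-pekey-secure-boot-20130502.patch` with four smaller patches leaves no record here of which lockdown restrictions each new file carries. A patch file deleted earlier in this commit (presumably part of the replaced series) includes "x86: Lock down MSR writing in secure boot", which gated `msr_write` and `msr_ioctl` on a capability check, and none of the new file names indicates where that restriction now lives. I would add a one-line comment per patch, e.g. `# secure-modules.patch: restricts <list of interfaces> when module signatures are enforced`, and confirm the MSR write restriction is still covered. The same applies to the matching `ApplyPatch` lines in the `@@ -1534,7 +1507,10 @@` hunk.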
@@ -780,21 +755,27 @@ Patch15000: nowatchdog-on-virt.patch
# ARM64
-Patch16000: arm64-makefile-vdso_install.patch
-
# ARM
# lpae
Patch21001: arm-lpae-ax88796.patch
-Patch21002: drm-exynos-fix-multiple-definition-build-error.patch
-
-Patch21003: v2-thermal-cpu_cooling-fix-stub-function.patch
+Patch21003: arm-dma-amba_pl08x-avoid-64bit-division.patch
+Patch21004: arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch
+Patch21005: arm-exynos-mp.patch
# ARM omap
-Patch21004: arm-omap-load-tfp410.patch
+Patch21010: arm-omap-load-tfp410.patch
# ARM tegra
-Patch21005: arm-tegra-usb-no-reset-linux33.patch
+Patch21020: arm-tegra-usb-no-reset-linux33.patch
+
+# ARM wandboard
+Patch21030: arm-wandboard-quad.patch
+# https://git.kernel.org/cgit/linux/kernel/git/broonie/sound.git/patch/?id=3f1a91aa25579ba5e7268a47a73d2a83e4802c62
+Patch21031: arm-imx-fixsound.patch
+
+# AM33xx
+Patch21040: arm-omap-bbb-dts.patch
#rhbz 754518
Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
@@ -816,38 +797,29 @@ Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
#rhbz 927469
Patch23006: fix-child-thread-introspection.patch
-#rhbz 948262
-Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
-
-#CVE-2013-2140 rhbz 971146 971148
-Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch
-
#CVE-2013-2147 rhbz 971242 971249
Patch25032: cve-2013-2147-ciss-info-leak.patch
-#CVE-2013-2148 rhbz 971258 971261
-Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
-
-#CVE-2013-2851 rhbz 969515 971662
-Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
-
-#CVE-2013-2164 rhbz 973100 973109
-Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
+Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
-#rhbz 969644
-Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
+#rhbz 977040
+Patch25056: iwl3945-better-skb-management-in-rx-path.patch
+Patch25057: iwl4965-better-skb-management-in-rx-path.patch
-Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
+#rhbz 963715
+Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
-#rhbz 903741
-Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
+#rhbz 989269
+Patch25079: mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
-#rhbz 880035
-Patch25053: bridge-only-expire-the-mdb-entry-when-query-is-received.patch
-Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch
+Patch25090: mei-me-fix-hardware-reset-flow.patch
-#rhbz 977558
-Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch
+#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548
+#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570
+#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579
+#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594
+#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
+Patch25099: HID-CVE-fixes.patch
# END OF PATCH DEFINITIONS
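Review bot: The carry patches for CVE-2013-2140, CVE-2013-2148, CVE-2013-2851 and CVE-2013-2164 are dropped here without any note that the fixes are present in the new base. That is presumably because the 3.11-rc snapshot already contains them, but the spec no longer records it, so a later rebase or backport cannot tell a deliberate drop from an accidental one. I would either note it in the changelog or leave a short comment such as `# CVE-2013-2148 fix dropped: included in the rebased upstream source`. `Patch25047` and `Patch25090` also lack the `#rhbz` or CVE reference that neighbouring entries carry. The same removals appear in the `ApplyPatch` list in the `@@ -1592,38 +1570,29 @@` hunk.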
@@ -1038,7 +1010,7 @@ AutoReqProv: no\
%description -n %{name}%{?1:-%{1}}-debuginfo\
This package provides debug information for package %{name}%{?1:-%{1}}.\
This is required to use SystemTap with %{name}%{?1:-%{1}}-%{KVERREL}.\
-%{expand:%%global debuginfo_args %{?debuginfo_args} -p '/.*/%%{KVERREL}%{?1:\.%{1}}/.*|/.*%%{KVERREL}%{?1:\.%{1}}(\.debug)?' -o debuginfo%{?1}.list}\
+%{expand:%%global debuginfo_args %{?debuginfo_args} -p '/.*/%%{KVERREL}%{?1:\+%{1}}/.*|/.*%%{KVERREL}%{?1:\+%{1}}(\.debug)?' -o debuginfo%{?1}.list}\
%{nil}
#
@@ -1051,12 +1023,12 @@ Summary: Development package for building kernel modules to match the %{?2:%{2}
Group: System Environment/Kernel\
Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{version}-%{release}\
Provides: kernel-libre%{?1:-%{1}}-devel-%{_target_cpu} = %{version}-%{release}\
-Provides: kernel-devel-%{_target_cpu} = %{version}-%{release}%{?1:.%{1}}\
-Provides: kernel-libre-devel-%{_target_cpu} = %{version}-%{release}%{?1:.%{1}}\
-Provides: kernel-devel = %{version}-%{release}%{?1:.%{1}}\
-Provides: kernel-libre-devel = %{version}-%{release}%{?1:.%{1}}\
-Provides: kernel-devel-uname-r = %{KVERREL}%{?1:.%{1}}\
-Provides: kernel-libre-devel-uname-r = %{KVERREL}%{?1:.%{1}}\
+Provides: kernel-devel-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\
+Provides: kernel-libre-devel-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\
+Provides: kernel-devel = %{version}-%{release}%{?1:+%{1}}\
+Provides: kernel-libre-devel = %{version}-%{release}%{?1:+%{1}}\
+Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\
+Provides: kernel-libre-devel-uname-r = %{KVERREL}%{?1:+%{1}}\
AutoReqProv: no\
Requires(pre): /usr/bin/find\
Requires: perl\
@@ -1067,23 +1039,23 @@ against the %{?2:%{2} }kernel package.\
#
# This macro creates a kernel-<subpackage>-modules-extra package.
-# %%kernel_modules-extra_package <subpackage> <pretty-name>
+# %%kernel_modules_extra_package <subpackage> <pretty-name>
#
-%define kernel_modules-extra_package() \
+%define kernel_modules_extra_package() \
%package %{?1:%{1}-}modules-extra\
Summary: Extra kernel modules to match the %{?2:%{2} }kernel\
Group: System Environment/Kernel\
Provides: kernel%{?1:-%{1}}-modules-extra-%{_target_cpu} = %{version}-%{release}\
Provides: kernel-libre%{?1:-%{1}}-modules-extra-%{_target_cpu} = %{version}-%{release}\
-Provides: kernel-modules-extra-%{_target_cpu} = %{version}-%{release}%{?1:.%{1}}\
-Provides: kernel-libre-modules-extra-%{_target_cpu} = %{version}-%{release}%{?1:.%{1}}\
-Provides: kernel-modules-extra = %{version}-%{release}%{?1:.%{1}}\
-Provides: kernel-libre-modules-extra = %{version}-%{release}%{?1:.%{1}}\
+Provides: kernel-modules-extra-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\
+Provides: kernel-libre-modules-extra-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\
+Provides: kernel-modules-extra = %{version}-%{release}%{?1:+%{1}}\
+Provides: kernel-libre-modules-extra = %{version}-%{release}%{?1:+%{1}}\
Provides: installonlypkg(kernel-module)\
-Provides: kernel-modules-extra-uname-r = %{KVERREL}%{?1:.%{1}}\
-Provides: kernel-libre-modules-extra-uname-r = %{KVERREL}%{?1:.%{1}}\
-Requires: kernel-uname-r = %{KVERREL}%{?1:.%{1}}\
-Requires: kernel-libre-uname-r = %{KVERREL}%{?1:.%{1}}\
+Provides: installonlypkg(kernel-libre-module)\
+Provides: kernel-modules-extra-uname-r = %{KVERREL}%{?1:+%{1}}\
+Provides: kernel-libre-modules-extra-uname-r = %{KVERREL}%{?1:+%{1}}\
+Requires: kernel-libre-uname-r = %{KVERREL}%{?1:+%{1}}\
AutoReqProv: no\
%description -n kernel%{?variant}%{?1:-%{1}}-modules-extra\
This package provides less commonly used kernel modules for the %{?2:%{2} }kernel package.\
@@ -1100,14 +1072,14 @@ Summary: %{variant_summary}\
Group: System Environment/Kernel\
%kernel_reqprovconf\
%{expand:%%kernel_devel_package %1 %{!?-n:%1}%{?-n:%{-n*}}}\
-%{expand:%%kernel_modules-extra_package %1 %{!?-n:%1}%{?-n:%{-n*}}}\
+%{expand:%%kernel_modules_extra_package %1 %{!?-n:%1}%{?-n:%{-n*}}}\
%{expand:%%kernel_debuginfo_package %1}\
%{nil}
# First the auxiliary packages of the main kernel package.
%kernel_devel_package
-%kernel_modules-extra_package
+%kernel_modules_extra_package
%kernel_debuginfo_package
@@ -1459,17 +1431,19 @@ ApplyPatch debug-bad-pte-modules.patch
# x86(-64)
# ARM64
-ApplyPatch arm64-makefile-vdso_install.patch
#
# ARM
#
ApplyPatch arm-lpae-ax88796.patch
-ApplyPatch drm-exynos-fix-multiple-definition-build-error.patch
+ApplyPatch arm-dma-amba_pl08x-avoid-64bit-division.patch
+ApplyPatch arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch
+ApplyPatch arm-exynos-mp.patch
ApplyPatch arm-omap-load-tfp410.patch
-ApplyPatch v2-thermal-cpu_cooling-fix-stub-function.patch
ApplyPatch arm-tegra-usb-no-reset-linux33.patch
-
+ApplyPatch arm-wandboard-quad.patch
+ApplyPatch arm-imx-fixsound.patch
+#ApplyPatch arm-omap-bbb-dts.patch
#
# bugfixes to drivers and filesystems
#
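Review bot: The line `#ApplyPatch arm-omap-bbb-dts.patch` is added already commented out, while `Patch21040: arm-omap-bbb-dts.patch` is declared in the definitions hunk, so the file ships in the source package but is never applied. Nothing here says whether that is deliberate. I would state the reason on the line above, e.g. `# arm-omap-bbb-dts.patch disabled: <reason>, re-enable when <condition>`, or drop the `Patch21040` declaration until the patch is applied.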
@@ -1490,7 +1464,6 @@ ApplyPatch arm-tegra-usb-no-reset-linux33.patch
# ACPI
ApplyPatch defaults-acpi-video.patch
-ApplyPatch acpi-video-dos.patch
ApplyPatch acpi-sony-nonvs-blacklist.patch
#
@@ -1534,7 +1507,10 @@ ApplyPatch crash-driver.patch
# crypto/
# secure boot
-ApplyPatch devel-pekey-secure-boot-20130502.patch
+ApplyPatch secure-modules.patch
+ApplyPatch modsign-uefi.patch
+ApplyPatch sb-hibernate.patch
+ApplyPatch sysrq-secure-boot.patch
# Assorted Virt Fixes
@@ -1548,6 +1524,8 @@ ApplyPatch devel-pekey-secure-boot-20130502.patch
ApplyOptionalPatch drm-intel-next.patch
ApplyPatch drm-i915-dp-stfu.patch
+# Radeon DRM
+
# silence the ACPI blacklist code
ApplyPatch silence-acpi-blacklist.patch
@@ -1592,38 +1570,29 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
#rhbz 927469
ApplyPatch fix-child-thread-introspection.patch
-#rhbz 948262
-ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
-
-#CVE-2013-2140 rhbz 971146 971148
-ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch
-
#CVE-2013-2147 rhbz 971242 971249
ApplyPatch cve-2013-2147-ciss-info-leak.patch
-#CVE-2013-2148 rhbz 971258 971261
-ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
-
-#CVE-2013-2851 rhbz 969515 971662
-ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
-
-#CVE-2013-2164 rhbz 973100 973109
-ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
+ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
-#rhbz 969644
-ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
+#rhbz 977040
+ApplyPatch iwl3945-better-skb-management-in-rx-path.patch
+ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
-ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
+#rhbz 963715
+ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
-#rhbz 903741
-ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
+#rhbz 989269
+ApplyPatch mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
-#rhbz 880035
-ApplyPatch bridge-only-expire-the-mdb-entry-when-query-is-received.patch
-ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch
+ApplyPatch mei-me-fix-hardware-reset-flow.patch
-#rhbz 977558
-ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch
+#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548
+#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570
+#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579
+#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594
+#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
+ApplyPatch HID-CVE-fixes.patch
# END OF PATCH APPLICATIONS
@@ -1705,7 +1674,7 @@ BuildKernel() {
MakeTarget=$1
KernelImage=$2
Flavour=$3
- Flav=${Flavour:+.${Flavour}}
+ Flav=${Flavour:++${Flavour}}
InstallName=${4:-vmlinuz}
# Pick the right config file for the kernel we're building
@@ -1782,6 +1751,10 @@ BuildKernel() {
%if %{signmodules}
# Sign the image if we're using EFI
%pesign -s -i $KernelImage -o vmlinuz.signed
+ if [ ! -s vmlinuz.signed ]; then
+ echo "pesigning failed"
+ exit 1
+ fi
mv vmlinuz.signed $KernelImage
%endif
$CopyKernel $KernelImage \
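Review bot: The new check `[ ! -s vmlinuz.signed ]` only shows that `%pesign` produced a non-empty file, not that the output carries a signature, so an unsigned copy of the image would still pass and be moved over `$KernelImage`. If the build is expected to fail closed, the step should also confirm that a signature is attached to `vmlinuz.signed` before the `mv`. The failure message should go to stderr so it is not lost in the build output: `echo "pesigning failed" >&2`. BuildKernel starts and ends outside this hunk.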
@@ -2003,8 +1976,8 @@ chmod +x tools/power/cpupower/utils/version-gen.sh
%endif
%if %{with_doc}
-# Make the HTML and man pages.
-make htmldocs mandocs || %{doc_build_fail}
+# Make the HTML pages.
+make htmldocs || %{doc_build_fail}
# sometimes non-world-readable files sneak into the kernel source tree
chmod -R a=rX Documentation
@@ -2025,13 +1998,13 @@ find Documentation -type d | xargs chmod u+w
%define __modsign_install_post \
if [ "%{signmodules}" -eq "1" ]; then \
if [ "%{with_pae}" -ne "0" ]; then \
- %{modsign_cmd} signing_key.priv.sign.%{pae} signing_key.x509.sign.%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}/ \
+ %{modsign_cmd} signing_key.priv.sign+%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
fi \
if [ "%{with_debug}" -ne "0" ]; then \
- %{modsign_cmd} signing_key.priv.sign.debug signing_key.x509.sign.debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \
+ %{modsign_cmd} signing_key.priv.sign+debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
fi \
if [ "%{with_pae_debug}" -ne "0" ]; then \
- %{modsign_cmd} signing_key.priv.sign.%{pae}debug signing_key.x509.sign.%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}debug/ \
+ %{modsign_cmd} signing_key.priv.sign+%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
fi \
if [ "%{with_up}" -ne "0" ]; then \
%{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
@@ -2081,17 +2054,11 @@ cd linux-%{KVERREL}
%if %{with_doc}
docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{rpmversion}
-man9dir=$RPM_BUILD_ROOT%{_datadir}/man/man9
# copy the source over
mkdir -p $docdir
tar -h -f - --exclude=man --exclude='.*' -c Documentation | tar xf - -C $docdir
-# Install man pages for the kernel API.
-mkdir -p $man9dir
-find Documentation/DocBook/man -name '*.9.gz' -print0 |
-xargs -0 --no-run-if-empty %{__install} -m 444 -t $man9dir $m
-ls $man9dir | grep -q '' || > $man9dir/BROKEN
%endif # with_doc
# We have to do the headers install before the tools install because the
@@ -2202,7 +2169,7 @@ then\
fi\
if [ "$HARDLINK" != "no" -a -x /usr/sbin/hardlink ]\
then\
- (cd /usr/src/kernels/%{KVERREL}%{?1:.%{1}} &&\
+ (cd /usr/src/kernels/%{KVERREL}%{?1:+%{1}} &&\
/usr/bin/find . -type f | while read f; do\
hardlink -c /usr/src/kernels/*.fc*.*/$f $f\
done)\
@@ -2211,11 +2178,11 @@ fi\
#
# This macro defines a %%post script for a kernel*-modules-extra package.
-# %%kernel_modules-extra_post [<subpackage>]
+# %%kernel_modules_extra_post [<subpackage>]
#
%define kernel_modules_extra_post() \
%{expand:%%post %{?1:%{1}-}modules-extra}\
-/sbin/depmod -a %{KVERREL}%{?1:.%{1}}\
+/sbin/depmod -a %{KVERREL}%{?1:+%{1}}\
%{nil}
# This macro defines a %%posttrans script for a kernel package.
@@ -2224,7 +2191,7 @@ fi\
#
%define kernel_variant_posttrans() \
%{expand:%%posttrans %{?1}}\
-/bin/kernel-install add %{KVERREL}%{?1:.%{1}} /%{image_install_path}/vmlinuz-%{KVERREL}%{?1:.%{1}} || exit $?\
+/bin/kernel-install add %{KVERREL}%{?1:+%{1}} /%{image_install_path}/vmlinuz-%{KVERREL}%{?1:+%{1}} || exit $?\
%{nil}
#
@@ -2250,7 +2217,7 @@ fi}\
#
%define kernel_variant_preun() \
%{expand:%%preun %{?1}}\
-/bin/kernel-install remove %{KVERREL}%{?1:.%{1}} /%{image_install_path}/vmlinuz-%{KVERREL}%{?1:.%{1}} || exit $?\
+/bin/kernel-install remove %{KVERREL}%{?1:+%{1}} /%{image_install_path}/vmlinuz-%{KVERREL}%{?1:+%{1}} || exit $?\
%{nil}
%kernel_variant_preun
@@ -2304,7 +2271,6 @@ fi
%{_datadir}/doc/kernel-doc-%{rpmversion}/Documentation/*
%dir %{_datadir}/doc/kernel-doc-%{rpmversion}/Documentation
%dir %{_datadir}/doc/kernel-doc-%{rpmversion}
-%{_datadir}/man/man9/*
%endif
%if %{with_perf}
@@ -2379,30 +2345,30 @@ fi
%if %{1}\
%{expand:%%files %{?2}}\
%defattr(-,root,root)\
-/%{image_install_path}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-%{KVERREL}%{?2:.%{2}}\
-/%{image_install_path}/.vmlinuz-%{KVERREL}%{?2:.%{2}}.hmac \
+/%{image_install_path}/%{?-k:%{-k*}}%{!?-k:vmlinuz}-%{KVERREL}%{?2:+%{2}}\
+/%{image_install_path}/.vmlinuz-%{KVERREL}%{?2:+%{2}}.hmac \
%ifarch %{arm}\
-/%{image_install_path}/dtb-%{KVERREL}%{?2:.%{2}} \
+/%{image_install_path}/dtb-%{KVERREL}%{?2:+%{2}} \
%endif\
-%attr(600,root,root) /boot/System.map-%{KVERREL}%{?2:.%{2}}\
-/boot/config-%{KVERREL}%{?2:.%{2}}\
-%dir /lib/modules/%{KVERREL}%{?2:.%{2}}\
-/lib/modules/%{KVERREL}%{?2:.%{2}}/kernel\
-/lib/modules/%{KVERREL}%{?2:.%{2}}/build\
-/lib/modules/%{KVERREL}%{?2:.%{2}}/source\
-/lib/modules/%{KVERREL}%{?2:.%{2}}/updates\
+%attr(600,root,root) /boot/System.map-%{KVERREL}%{?2:+%{2}}\
+/boot/config-%{KVERREL}%{?2:+%{2}}\
+%dir /lib/modules/%{KVERREL}%{?2:+%{2}}\
+/lib/modules/%{KVERREL}%{?2:+%{2}}/kernel\
+/lib/modules/%{KVERREL}%{?2:+%{2}}/build\
+/lib/modules/%{KVERREL}%{?2:+%{2}}/source\
+/lib/modules/%{KVERREL}%{?2:+%{2}}/updates\
%ifarch %{vdso_arches}\
-/lib/modules/%{KVERREL}%{?2:.%{2}}/vdso\
-/etc/ld.so.conf.d/kernel-%{KVERREL}%{?2:.%{2}}.conf\
+/lib/modules/%{KVERREL}%{?2:+%{2}}/vdso\
+/etc/ld.so.conf.d/kernel-%{KVERREL}%{?2:+%{2}}.conf\
%endif\
-/lib/modules/%{KVERREL}%{?2:.%{2}}/modules.*\
-%ghost /boot/initramfs-%{KVERREL}%{?2:.%{2}}.img\
+/lib/modules/%{KVERREL}%{?2:+%{2}}/modules.*\
+%ghost /boot/initramfs-%{KVERREL}%{?2:+%{2}}.img\
%{expand:%%files %{?2:%{2}-}devel}\
%defattr(-,root,root)\
-/usr/src/kernels/%{KVERREL}%{?2:.%{2}}\
+/usr/src/kernels/%{KVERREL}%{?2:+%{2}}\
%{expand:%%files %{?2:%{2}-}modules-extra}\
%defattr(-,root,root)\
-/lib/modules/%{KVERREL}%{?2:.%{2}}/extra\
+/lib/modules/%{KVERREL}%{?2:+%{2}}/extra\
%if %{with_debuginfo}\
%ifnarch noarch\
%{expand:%%files -f debuginfo%{?2}.list %{?2:%{2}-}debuginfo}\
@@ -2421,17 +2387,317 @@ fi
# plz don't put in a version string unless you're going to tag
# and build.
-
-# ___________________________________________________________
-# / This branch is for Fedora 20. You probably want to commit \
-# \ to the F-19 branch instead, or in addition to this one. /
-# -----------------------------------------------------------
-# \ ^__^
-# \ (@@)\_______
-# (__)\ )\/\
-# ||----w |
-# || ||
+#
+#
+# ___________________________________________________________
+# / This branch is for Fedora 21. You probably want to commit \
+# _____ ____ _ \ to the F-20 branch instead, or in addition to this one. /
+# | ___|___ \/ | -----------------------------------------------------------
+# | |_ __) | | \ ^__^
+# | _| / __/| | \ (@@)\_______
+# |_| |_____|_| (__)\ )\/\
+# ||----w |
+# || ||
%changelog
+* Sat Aug 31 2013 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 3.11-rc7-gnu 42-g9deda0f.
+
+* Sat Aug 31 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc7.git4.1
+- Linux v3.11-rc7-42-gd9eda0f
+
+* Fri Aug 30 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix HID CVEs. Absurd.
+- CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548
+- CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570
+- CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579
+- CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594
+- CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
+
+* Fri Aug 30 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc7.git3.1
+- Linux v3.11-rc7-30-g41615e8
+
+* Fri Aug 30 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- Rework Secure Boot support to use the secure_modules approach
+- Drop pekey
+
+* Thu Aug 29 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc7.git2.1
+- Linux v3.11-rc7-24-gc95389b
+- Add mei patches that fix various s/r issues (rhbz 994824 989373)
+
+* Wed Aug 28 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc7.git1.1
+- Linux v3.11-rc7-14-gfa8218d
+- Reenable debugging options.
+
+* Tue Aug 27 2013 Kyle McMartin <kyle@redhat.com>
+- [arm] build pinctrl-single in, needed to prevent deferral of
+ omap_serial registration.
+
+* Mon Aug 26 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc7.git0.1
+- Linux v3.11-rc7
+- Disable debugging options.
+
+* Fri Aug 23 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git4.1
+- Linux v3.11-rc6-139-g89b53e5
+
+* Fri Aug 23 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git3.1
+- Linux v3.11-rc6-76-g6a7492a
+
+* Fri Aug 23 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Minor ARM config cleanups
+- Enable some IOMMU drivers on ARM
+- Enable some i.MX sound drivers
+
+* Thu Aug 22 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git2.1
+- Linux v3.11-rc6-72-g1f8b766
+
+* Thu Aug 22 2013 Kyle McMartin <kyle@redhat.com>
+- Drop arm-tegra-remove-direct-vbus-regulator-control.patch, proper fix
+ will be in the next rebase.
+
+* Wed Aug 21 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git1.2
+- Add patch to fix brcmsmac oops (rhbz 989269)
+- CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380)
+
+* Tue Aug 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git1.1
+- Linux v3.11-rc6-28-gfd3930f
+- Reenable debugging options.
+
+* Tue Aug 20 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- Disable Dell RBU so userspace firmware path isn't selected (rhbz 997149)
+
+* Mon Aug 19 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git0.1
+- Linux v3.11-rc6
+- Disable debugging options.
+
+* Mon Aug 19 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Minor kernel configs cleanup merging duplicated config opts into generic
+
+* Sun Aug 18 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc5.git6.1
+- Linux v3.11-rc5-168-ga08797e
+
+* Sat Aug 17 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc5.git5.1
+- Linux v3.11-rc5-165-g215b28a
+
+* Fri Aug 16 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Update ARM drivers config for Zynq 7000 devices
+
+* Fri Aug 16 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc5.git4.1
+- Linux v3.11-rc5-150-g0f7dd1a
+
+* Fri Aug 16 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- Add patch from Nathanael Noblet to fix mic on Gateway LT27 (rhbz 845699)
+
+* Thu Aug 15 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Major cleanup of arm64 config
+- Add patch to enable build exynos5 as multi platform for lpae
+- Minor cleanup of ARMv7 configs
+
+* Thu Aug 15 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc5.git3.1
+- Enable CONFIG_HID_SENSOR_HUB (rhbz 995510)
+- Add patch to fix regression on TeVII S471 devices (rhbz 963715)
+- Linux v3.11-rc5-35-gf1d6e17
+
+* Wed Aug 14 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc5.git2.1
+- Linux v3.11-rc5-21-g28fbc8b
+- Disable WIMAX. It's fairly broken and abandoned upstream.
+
+* Tue Aug 13 2013 Josh Boyer <jwboyer@gmail.com> - 3.11.0-0.rc5.git1.1
+- Linux v3.11-rc5-13-g584d88b
+- Reenable debugging options.
+
+* Mon Aug 12 2013 Josh Boyer <jwboyer@gmail.com> - 3.11.0-0.rc5.git0.1
+- Linux v3.11-rc5
+- Disable debugging options.
+
+* Sun Aug 11 2013 Josh Boyer <jwboyer@gmail.com> - 3.11.0-0.rc4.git5.1
+- Linux v3.11-rc4-216-g77f63b4
+
+* Sun Aug 11 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Drop a bunch of generic dupe config from aarch64
+
+* Sat Aug 10 2013 Josh Boyer <jwboyer@gmail.com> - 3.11.0-0.rc4.git4.1
+- Linux v3.11-rc4-162-g14e9419
+
+* Fri Aug 09 2013 Josh Boyer <jwboyer@gmail.com> - 3.11.0-0.rc4.git3.1
+- Linux v3.11-rc4-103-g6c2580c
+
+* Wed Aug 07 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc4.git2.1
+- Linux v3.11-rc4-27-ge4ef108
+- Add zero file length check to make sure pesign didn't fail (rhbz 991808)
+
+* Tue Aug 06 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc4.git1.1
+- Linux v3.11-rc4-20-g0fff106
+- Reenable debugging options.
+- Don't package API man pages in -doc (rhbz 993905)
+
+* Mon Aug 05 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc4.git0.1
+- Linux v3.11-rc4
+- Disable debugging options.
+
+* Sun Aug 04 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc3.git4.1
+- Linux v3.11-rc3-376-g72a67a9
+
+* Sat Aug 03 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc3.git3.1
+- Linux v3.11-rc3-288-gabe0308
+
+* Fri Aug 02 2013 Kyle McMartin <kyle@redhat.com> - 3.11.0-0.rc3.git2.1
+- radeon-si_calculate_leakage-use-div64.patch: fix a compile error on i686.
+- arm: disable CONFIG_LOCK_STAT, bloats .data massively, revisit shortly.
+- arm: build-in more rtc drivers.
+
+* Fri Aug 02 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc3.git2.1
+- Linux v3.11-rc3-207-g64ccccf
+
+* Thu Aug 1 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Minor ARM config update
+
+* Thu Aug 01 2013 Josh Boyer <jwboyer@redhat.com>
+- Fix mac80211 connection issues (rhbz 981445)
+- Fix firmware issues with iwl4965 and rfkill (rhbz 977053)
+- Drop hid-logitech-dj patch that was breaking enumeration (rhbz 989138)
+
+* Tue Jul 30 2013 Josh Boyer <jwboyer@redhat.com> - 3.11.0-0.rc3.git1.1
+- Linux v3.11-rc3-4-g36f571e
+- Reenable debugging options.
+
+* Tue Jul 30 2013 Josh Boyer <jwboyer@redhat.com>
+- Revert some changes to make Logitech devices function properly (rhbz 989138)
+
+* Mon Jul 29 2013 Kyle McMartin <kyle@redhat.com> - 3.11.0-0.rc3.git0.1
+- arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch: ditto
+
+* Mon Jul 29 2013 Kyle McMartin <kyle@redhat.com>
+- arm-dma-amba_pl08x-avoid-64bit-division.patch: STAHP libgcc callouts
+
+* Mon Jul 29 2013 Josh Boyer <jwboyer@redhat.com>
+- Linux v3.11-rc3
+- Disable debugging options.
+- Always include x509.genkey in Sources list
+
+* Fri Jul 26 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc2.git4.1
+- Linux v3.11-rc2-333-ga9b5f02
+
+* Fri Jul 26 2013 Josh Boyer <jwboyer@redhat.com>
+- Add patch to fix NULL deref in iwlwifi (rhbz 979581)
+
+* Thu Jul 25 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc2.git3.1
+- Linux v3.11-rc2-185-g07bc9dc
+
+* Wed Jul 24 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc2.git2.1
+- Linux v3.11-rc2-158-g04012e3
+
+* Tue Jul 23 2013 Kyle McMartin <kyle@redhat.com>
+- arm-tegra-remove-direct-vbus-regulator-control.patch: backport patches
+ to fix ehci-tegra.
+
+* Tue Jul 23 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc2.git1.1
+- Linux v3.11-rc2-93-gb3a3a9c
+
+* Mon Jul 22 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc2.git0.2
+- let flavors/variants end with "+$flavor" in the uname patch from harald@redhat.com
+- Reenable debugging options.
+
+* Mon Jul 22 2013 Josh Boyer <jwboyer@redhat.com>
+- Fix timer issue in bridge code (rhbz 980254)
+
+* Mon Jul 22 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc2.git0.1
+- Linux v3.11-rc2
+- Disable debugging options.
+
+* Sun Jul 21 2013 Kyle McMartin <kmcmartin@redhat.com> - 3.11.0-0.rc1.git4.1
+- Linux v3.11-rc1-247-g90db76e
+
+* Sun Jul 21 2013 Kyle McMartin <kyle@redhat.com>
+- arm-omap-bbb-dts.patch: disable for now, it needs too much work for
+ a sunday morning.
+
+* Fri Jul 19 2013 Kyle McMartin <kyle@redhat.com>
+- arm-omap-bbb-dts.patch: fix arch/arm/boot/dtb/Makefile rule
+
+* Fri Jul 19 2013 Kyle McMartin <kmcmartin@redhat.com> - 3.11.0-0.rc1.git3.1
+- Linux v3.11-rc1-181-gb8a33fc
+
+* Fri Jul 19 2013 Kyle McMartin <kmcmartin@redhat.com> - 3.11.0-0.rc1.git2.1
+- Linux v3.11-rc1-135-g0a693ab
+
+* Thu Jul 18 2013 Kyle McMartin <kyle@redhat.com>
+- Applied patch from Kay Sievers to kill initscripts Conflicts & Requires and
+ udev Conflicts...
+- And then clean up some of the ancient crap from our Conflicts and Requires
+ which reference versions not shipped since 2006.
+
+* Thu Jul 18 2013 Kyle McMartin <kyle@redhat.com>
+- devel-sysrq-secure-boot-20130717.patch: add a patch that allows the user to
+ disable secure boot restrictions from the local console or local serial
+ (but not /proc/sysrq-trigger or via uinput) by using SysRQ-x.
+
+* Wed Jul 17 2013 Kyle McMartin <kyle@redhat.com> - 3.11.0-0.rc1.git1.1
+- Linux v3.11-rc1-19-gc0d15cc
+- Reenable debugging options.
+
+* Wed Jul 17 2013 Kyle McMartin <kyle@redhat.com>
+- update s390x config [Dan Horák]
+
+* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 3.11.0-0.rc1.git0.2
+- Perl 5.18 rebuild
+
+* Wed Jul 17 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Add patch for BeagleBone Black DTB
+
+* Tue Jul 16 2013 Kyle McMartin <kyle@redhat.com> - 3.11.0-0.rc1.git0.1
+- Linux v3.11-rc1
+- Disable debugging options.
+- Fix %kernel_modules warning.
+
+* Sun Jul 14 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Update ARM config
+- Enable USB gadget module on ARM to fix build i.MX usb modules
+
+* Sun Jul 14 2013 Dennis Gilmore <dennis@ausil.us>
+- update and reenable wandboard quad dtb patch
+
+* Fri Jul 12 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc0.git7.1
+- Linux v3.10-9289-g9903883
+
+* Fri Jul 12 2013 Dave Jones <davej@redhat.com> - 3.11.0-0.rc0.git6.4
+- Disable LATENCYTOP/SCHEDSTATS in non-debug builds.
+
+* Fri Jul 12 2013 Josh Boyer <jwboyer@redhat.com>
+- Add iwlwifi fix for connection issue (rhbz 885407)
+
+* Thu Jul 11 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc0.git6.1
+- Linux v3.10-9080-g19d2f8e
+
+* Thu Jul 11 2013 Kyle McMartin <kyle@redhat.com>
+- Enable USB on Wandboard Duallite and other i.MX based boards, patch
+ from Niels de Vos.
+
+* Thu Jul 11 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- ARM config cleanups and changes for 3.11
+
+* Wed Jul 10 2013 Kyle McMartin <kyle@redhat.com>
+- Fix crash-driver.patch to properly use page_is_ram.
+
+* Tue Jul 09 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc0.git3.1
+- Linux v3.10-6378-ga82a729
+
+* Mon Jul 8 2013 Peter Robinson <pbrobinson@fedoraproject.org>
+- Initial ARM config for 3.11
+
+* Mon Jul 08 2013 Justin M. Forbes <jforbes@redhat.com> - 3.11.0-0.rc0.git2.1
+- Linux v3.10-6005-gd2b4a64
+- Reenable debugging options.
+
+* Fri Jul 05 2013 Josh Boyer <jwboyer@redhat.com>
+- Add vhost-net use-after-free fix (rhbz 976789 980643)
+- Add fix for timer issue in bridge code (rhbz 980254)
+
+* Wed Jul 03 2013 Josh Boyer <jwboyer@redhat.com>
+- Add patches to fix iwl skb managment (rhbz 977040)
+
+* Tue Jul 02 2013 Dennis Gilmore <dennis@ausil.us> - 3.10-2
+- create a dtb for wandboard quad
+
* Mon Jul 1 2013 Alexandre Oliva <lxoliva@fsfla.org> -libre
- GNU Linux-libre 3.10-gnu.
diff --git a/freed-ora/current/master/mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch b/freed-ora/current/master/mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
new file mode 100644
index 000000000..ff2e52eac
--- /dev/null
+++ b/freed-ora/current/master/mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
@@ -0,0 +1,135 @@
+Path: news.gmane.org!not-for-mail
+From: Felix Fietkau <nbd-p3rKhJxN3npAfugRpC6u6w@public.gmane.org>
+Newsgroups: gmane.linux.kernel.wireless.general
+Subject: [PATCH 3.11] mac80211: add a flag to indicate CCK support for HT clients
+Date: Tue, 20 Aug 2013 19:43:54 +0200
+Lines: 95
+Approved: news@gmane.org
+Message-ID: <1377020634-27064-1-git-send-email-nbd@openwrt.org>
+NNTP-Posting-Host: plane.gmane.org
+X-Trace: ger.gmane.org 1377020641 9980 80.91.229.3 (20 Aug 2013 17:44:01 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Tue, 20 Aug 2013 17:44:01 +0000 (UTC)
+Cc: johannes-cdvu00un1VgdHxzADdlk8Q@public.gmane.org, teg-B22kvLQNl6c@public.gmane.org
+To: linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Original-X-From: linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tue Aug 20 19:44:03 2013
+Return-path: <linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
+Envelope-to: glkwg-linux-wireless-wOFGN7rlS/M9smdsby/KFg@public.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from <linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>)
+ id 1VBpyL-00057G-5h
+ for glkwg-linux-wireless-wOFGN7rlS/M9smdsby/KFg@public.gmane.org; Tue, 20 Aug 2013 19:44:01 +0200
+Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand
+ id S1751487Ab3HTRn7 (ORCPT
+ <rfc822;glkwg-linux-wireless@m.gmane.org>);
+ Tue, 20 Aug 2013 13:43:59 -0400
+Original-Received: from nbd.name ([46.4.11.11]:60925 "EHLO nbd.name"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1751339Ab3HTRn7 (ORCPT <rfc822;linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>);
+ Tue, 20 Aug 2013 13:43:59 -0400
+Original-Received: by nf.lan (Postfix, from userid 501)
+ id 5604D5001ADE; Tue, 20 Aug 2013 19:43:54 +0200 (CEST)
+X-Mailer: git-send-email 1.8.0.2
+Original-Sender: linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Xref: news.gmane.org gmane.linux.kernel.wireless.general:112209
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.wireless.general/112209>
+
+brcm80211 cannot handle sending frames with CCK rates as part of an
+A-MPDU session. Other drivers may have issues too. Set the flag in all
+drivers that have been tested with CCK rates.
+
+This fixes a reported brcmsmac regression introduced in
+commit ef47a5e4f1aaf1d0e2e6875e34b2c9595897bef6
+"mac80211/minstrel_ht: fix cck rate sampling"
+
+Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org # 3.10
+Reported-by: Tom Gundersen <teg-B22kvLQNl6c@public.gmane.org>
+Signed-off-by: Felix Fietkau <nbd-p3rKhJxN3npAfugRpC6u6w@public.gmane.org>
+---
+ drivers/net/wireless/ath/ath9k/init.c | 3 ++-
+ drivers/net/wireless/ath/carl9170/main.c | 3 ++-
+ drivers/net/wireless/rt2x00/rt2800lib.c | 3 ++-
+ include/net/mac80211.h | 1 +
+ net/mac80211/rc80211_minstrel_ht.c | 3 +++
+ 5 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
+index 16f8b20..026a2a0 100644
+--- a/drivers/net/wireless/ath/ath9k/init.c
++++ b/drivers/net/wireless/ath/ath9k/init.c
+@@ -802,7 +802,8 @@ void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
+ IEEE80211_HW_PS_NULLFUNC_STACK |
+ IEEE80211_HW_SPECTRUM_MGMT |
+ IEEE80211_HW_REPORTS_TX_ACK_STATUS |
+- IEEE80211_HW_SUPPORTS_RC_TABLE;
++ IEEE80211_HW_SUPPORTS_RC_TABLE |
++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES;
+
+ if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_HT) {
+ hw->flags |= IEEE80211_HW_AMPDU_AGGREGATION;
+diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c
+index 4a33c6e..349fa22 100644
+--- a/drivers/net/wireless/ath/carl9170/main.c
++++ b/drivers/net/wireless/ath/carl9170/main.c
+@@ -1860,7 +1860,8 @@ void *carl9170_alloc(size_t priv_size)
+ IEEE80211_HW_PS_NULLFUNC_STACK |
+ IEEE80211_HW_NEED_DTIM_BEFORE_ASSOC |
+ IEEE80211_HW_SUPPORTS_RC_TABLE |
+- IEEE80211_HW_SIGNAL_DBM;
++ IEEE80211_HW_SIGNAL_DBM |
++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES;
+
+ if (!modparam_noht) {
+ /*
+diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
+index 1f80ea5..1b41c8e 100644
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -6133,7 +6133,8 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev)
+ IEEE80211_HW_SUPPORTS_PS |
+ IEEE80211_HW_PS_NULLFUNC_STACK |
+ IEEE80211_HW_AMPDU_AGGREGATION |
+- IEEE80211_HW_REPORTS_TX_ACK_STATUS;
++ IEEE80211_HW_REPORTS_TX_ACK_STATUS |
++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES;
+
+ /*
+ * Don't set IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING for USB devices
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index 5b7a3da..551ba6a 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -1499,6 +1499,7 @@ enum ieee80211_hw_flags {
+ IEEE80211_HW_SUPPORTS_RC_TABLE = 1<<24,
+ IEEE80211_HW_P2P_DEV_ADDR_FOR_INTF = 1<<25,
+ IEEE80211_HW_TIMING_BEACON_ONLY = 1<<26,
++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES = 1<<27,
+ };
+
+ /**
+diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
+index f5aed96..f3bbea1 100644
+--- a/net/mac80211/rc80211_minstrel_ht.c
++++ b/net/mac80211/rc80211_minstrel_ht.c
+@@ -828,6 +828,9 @@ minstrel_ht_update_cck(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
+ if (sband->band != IEEE80211_BAND_2GHZ)
+ return;
+
++ if (!(mp->hw->flags & IEEE80211_HW_SUPPORTS_HT_CCK_RATES))
++ return;
++
+ mi->cck_supported = 0;
+ mi->cck_supported_short = 0;
+ for (i = 0; i < 4; i++) {
+--
+1.8.0.2
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
+the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
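Review bot: The new enumerator `IEEE80211_HW_SUPPORTS_HT_CCK_RATES` is added to `enum ieee80211_hw_flags` in include/net/mac80211.h without a kerneldoc entry; the diffstat shows a single added line in that header. The flag is opt-in, and the check added to minstrel_ht_update_cck returns before any CCK setup when it is unset, so a driver author needs to know that leaving it out disables CCK rates for HT clients. I would add to the enum's comment block, which lies outside the nested hunk: `@IEEE80211_HW_SUPPORTS_HT_CCK_RATES: the driver has been tested with CCK rates for HT clients; when unset, minstrel_ht does not use CCK rates.`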
diff --git a/freed-ora/current/master/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch b/freed-ora/current/master/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
new file mode 100644
index 000000000..2a28a2fe1
--- /dev/null
+++ b/freed-ora/current/master/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
@@ -0,0 +1,30 @@
+From b43ea8068d2090cb1e44632c8a938ab40d2c7419 Mon Sep 17 00:00:00 2001
+From: Johannes Koch <johannes@ortsraum.de>
+Date: Wed, 17 Jul 2013 17:28:16 +0000
+Subject: [media] cx23885: Fix TeVii S471 regression since introduction of ts2020
+
+Patch to make TeVii S471 cards use the ts2020 tuner, since ds3000 driver no
+longer contains tuning code.
+
+Signed-off-by: Johannes Koch <johannes@ortsraum.de>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+---
+(limited to 'drivers/media/pci/cx23885/cx23885-dvb.c')
+
+diff --git a/drivers/media/pci/cx23885/cx23885-dvb.c b/drivers/media/pci/cx23885/cx23885-dvb.c
+index 9c5ed10..bb291c6 100644
+--- a/drivers/media/pci/cx23885/cx23885-dvb.c
++++ b/drivers/media/pci/cx23885/cx23885-dvb.c
+@@ -1249,6 +1249,10 @@ static int dvb_register(struct cx23885_tsport *port)
+ fe0->dvb.frontend = dvb_attach(ds3000_attach,
+ &tevii_ds3000_config,
+ &i2c_bus->i2c_adap);
++ if (fe0->dvb.frontend != NULL) {
++ dvb_attach(ts2020_attach, fe0->dvb.frontend,
++ &tevii_ts2020_config, &i2c_bus->i2c_adap);
++ }
+ break;
+ case CX23885_BOARD_PROF_8000:
+ i2c_bus = &dev->i2c_bus[0];
+--
+cgit v0.9.2
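Review bot: The result of `dvb_attach(ts2020_attach, ...)` in the block added to dvb_register is discarded, so a failed tuner attach goes unreported and the frontend returned by ds3000_attach stays set. Since the commit message says the ds3000 driver no longer contains tuning code, that frontend would presumably be unable to tune. At minimum the failure should be logged, e.g. `if (!dvb_attach(ts2020_attach, fe0->dvb.frontend, &tevii_ts2020_config, &i2c_bus->i2c_adap)) printk(KERN_WARNING "cx23885: ts2020 attach failed\n");`. Whether the frontend should also be detached depends on dvb_register's error path, which is outside the nested hunk.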
diff --git a/freed-ora/current/master/mei-me-fix-hardware-reset-flow.patch b/freed-ora/current/master/mei-me-fix-hardware-reset-flow.patch
new file mode 100644
index 000000000..b0c6c34b5
--- /dev/null
+++ b/freed-ora/current/master/mei-me-fix-hardware-reset-flow.patch
@@ -0,0 +1,104 @@
+Delivered-To: jwboyer@gmail.com
+Received: by 10.76.168.104 with SMTP id zv8csp116477oab;
+ Sun, 25 Aug 2013 02:53:06 -0700 (PDT)
+X-Received: by 10.66.146.42 with SMTP id sz10mr8515943pab.78.1377424384757;
+ Sun, 25 Aug 2013 02:53:04 -0700 (PDT)
+Return-Path: <stable-owner@vger.kernel.org>
+Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
+ by mx.google.com with ESMTP id zu9si6326866pbc.308.1969.12.31.16.00.00;
+ Sun, 25 Aug 2013 02:53:04 -0700 (PDT)
+Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+ spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1756391Ab3HYJwW (ORCPT <rfc822;outmanzhao@gmail.com>
+ + 58 others); Sun, 25 Aug 2013 05:52:22 -0400
+Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1756361Ab3HYJwT (ORCPT <rfc822;stable@vger.kernel.org>);
+ Sun, 25 Aug 2013 05:52:19 -0400
+Received: from azsmga001.ch.intel.com ([10.2.17.19])
+ by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:18 -0700
+X-ExtLoop1: 1
+X-IronPort-AV: E=Sophos;i="4.89,951,1367996400";
+ d="scan'208";a="351301674"
+Received: from twinkler-dhg.jer.intel.com ([10.12.87.84])
+ by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:16 -0700
+From: Tomas Winkler <tomas.winkler@intel.com>
+To: gregkh@linuxfoundation.org
+Cc: arnd@arndb.de, linux-kernel@vger.kernel.org,
+ Tomas Winkler <tomas.winkler@intel.com>,
+ stable@vger.kernel.org, Shuah Khan <shuah.kh@samsung.com>,
+ Konstantin Khlebnikov <khlebnikov@openvz.org>
+Subject: [3.10][PATCH 4/4] mei: me: fix hardware reset flow
+Date: Sun, 25 Aug 2013 12:49:49 +0300
+Message-Id: <1377424189-5508-5-git-send-email-tomas.winkler@intel.com>
+X-Mailer: git-send-email 1.8.1.2
+In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com>
+References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com>
+Sender: stable-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <stable.vger.kernel.org>
+X-Mailing-List: stable@vger.kernel.org
+
+stable: 3.10
+commit ff96066e3171acdea356b331163495957cb833d0 char-misc
+
+
+Both H_IS and H_IE needs to be set to receive H_RDY
+interrupt
+
+1. Assert H_IS to clear the interrupts during hw reset
+and use mei_me_reg_write instead of mei_hcsr_set as the later
+strips down the H_IS
+
+2. fix interrupt disablement embarrassing typo
+ hcsr |= ~H_IE -> hcsr &= ~H_IE;
+this will remove the unwanted interrupt on power down
+
+3. remove useless debug print outs
+
+Cc: stable@vger.kernel.org
+Cc: Shuah Khan <shuah.kh@samsung.com>
+Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Conflicts:
+ drivers/misc/mei/hw-me.c
+
+---
+ drivers/misc/mei/hw-me.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c
+index 700fe55..1bf3f8b 100644
+--- a/drivers/misc/mei/hw-me.c
++++ b/drivers/misc/mei/hw-me.c
+@@ -176,16 +176,14 @@ static void mei_me_hw_reset(struct mei_device *dev, bool intr_enable)
+ struct mei_me_hw *hw = to_me_hw(dev);
+ u32 hcsr = mei_hcsr_read(hw);
+
+- dev_dbg(&dev->pdev->dev, "before reset HCSR = 0x%08x.\n", hcsr);
+-
+- hcsr |= (H_RST | H_IG);
++ hcsr |= H_RST | H_IG | H_IS;
+
+ if (intr_enable)
+ hcsr |= H_IE;
+ else
+- hcsr |= ~H_IE;
++ hcsr &= ~H_IE;
+
+- mei_hcsr_set(hw, hcsr);
++ mei_me_reg_write(hw, H_CSR, hcsr);
+
+ if (dev->dev_state == MEI_DEV_POWER_DOWN)
+ mei_me_hw_reset_release(dev);
+--
+1.8.1.2
+
+--
+To unsubscribe from this list: send the line "unsubscribe stable" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
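Review bot: The switch from `mei_hcsr_set(hw, hcsr)` to `mei_me_reg_write(hw, H_CSR, hcsr)` in mei_me_hw_reset has no comment in the code, so the reason for bypassing the helper is recorded only in the commit message (mei_hcsr_set strips H_IS). A later cleanup that restores the helper would silently undo the fix. I would add above the write: `/* write H_CSR directly: mei_hcsr_set() strips H_IS, which is asserted here to clear interrupts during hw reset */`. The function body continues past the end of the nested hunk.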
diff --git a/freed-ora/current/master/mod-extra.list b/freed-ora/current/master/mod-extra.list
index 53f8c36b9..2803a4325 100644
--- a/freed-ora/current/master/mod-extra.list
+++ b/freed-ora/current/master/mod-extra.list
@@ -76,7 +76,6 @@ softing_cs.ko
softing.ko
ems_usb.ko
esd_usb2.ko
-wimax.ko
nfc.ko
nci.ko
mptbase.ko
diff --git a/freed-ora/current/master/modsign-uefi.patch b/freed-ora/current/master/modsign-uefi.patch
new file mode 100644
index 000000000..3c043f658
--- /dev/null
+++ b/freed-ora/current/master/modsign-uefi.patch
@@ -0,0 +1,528 @@
+From cff9d37c9529fca5ff853f0050c7f0de0e819ea7 Mon Sep 17 00:00:00 2001
+From: Dave Howells <dhowells@redhat.com>
+Date: Tue, 23 Oct 2012 09:30:54 -0400
+Subject: [PATCH 1/4] Add EFI signature data types
+
+Add the data types that are used for containing hashes, keys and certificates
+for cryptographic verification.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ include/linux/efi.h | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index eed2202..1da1b3c 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -389,6 +389,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si
+ #define EFI_FILE_SYSTEM_GUID \
+ EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b )
+
++#define EFI_CERT_SHA256_GUID \
++ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 )
++
++#define EFI_CERT_X509_GUID \
++ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
++
+ typedef struct {
+ efi_guid_t guid;
+ u64 table;
+@@ -524,6 +530,20 @@ typedef struct {
+
+ #define EFI_INVALID_TABLE_ADDR (~0UL)
+
++typedef struct {
++ efi_guid_t signature_owner;
++ u8 signature_data[];
++} efi_signature_data_t;
++
++typedef struct {
++ efi_guid_t signature_type;
++ u32 signature_list_size;
++ u32 signature_header_size;
++ u32 signature_size;
++ u8 signature_header[];
++ /* efi_signature_data_t signatures[][] */
++} efi_signature_list_t;
++
+ /*
+ * All runtime access to EFI goes through this structure:
+ */
+--
+1.8.3.1
+
+
+From 2ce1c1d0d7110c4b06d65e4c8506f6c54aa72628 Mon Sep 17 00:00:00 2001
+From: Dave Howells <dhowells@redhat.com>
+Date: Tue, 23 Oct 2012 09:36:28 -0400
+Subject: [PATCH 2/4] Add an EFI signature blob parser and key loader.
+
+X.509 certificates are loaded into the specified keyring as asymmetric type
+keys.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ crypto/asymmetric_keys/Kconfig | 8 +++
+ crypto/asymmetric_keys/Makefile | 1 +
+ crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
+ include/linux/efi.h | 4 ++
+ 4 files changed, 121 insertions(+)
+ create mode 100644 crypto/asymmetric_keys/efi_parser.c
+
+diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
+index 6d2c2ea..ace9c30 100644
+--- a/crypto/asymmetric_keys/Kconfig
++++ b/crypto/asymmetric_keys/Kconfig
+@@ -35,4 +35,12 @@ config X509_CERTIFICATE_PARSER
+ data and provides the ability to instantiate a crypto key from a
+ public key packet found inside the certificate.
+
++config EFI_SIGNATURE_LIST_PARSER
++ bool "EFI signature list parser"
++ depends on EFI
++ select X509_CERTIFICATE_PARSER
++ help
++ This option provides support for parsing EFI signature lists for
++ X.509 certificates and turning them into keys.
++
+ endif # ASYMMETRIC_KEY_TYPE
+diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
+index 0727204..cd8388e 100644
+--- a/crypto/asymmetric_keys/Makefile
++++ b/crypto/asymmetric_keys/Makefile
+@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o
+
+ obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
+ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o
++obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
+
+ #
+ # X.509 Certificate handling
+diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
+new file mode 100644
+index 0000000..636feb1
+--- /dev/null
++++ b/crypto/asymmetric_keys/efi_parser.c
+@@ -0,0 +1,108 @@
++/* EFI signature/key/certificate list parser
++ *
++ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#define pr_fmt(fmt) "EFI: "fmt
++#include <linux/module.h>
++#include <linux/printk.h>
++#include <linux/err.h>
++#include <linux/efi.h>
++#include <keys/asymmetric-type.h>
++
++static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
++
++/**
++ * parse_efi_signature_list - Parse an EFI signature list for certificates
++ * @data: The data blob to parse
++ * @size: The size of the data blob
++ * @keyring: The keyring to add extracted keys to
++ */
++int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring)
++{
++ unsigned offs = 0;
++ size_t lsize, esize, hsize, elsize;
++
++ pr_devel("-->%s(,%zu)\n", __func__, size);
++
++ while (size > 0) {
++ efi_signature_list_t list;
++ const efi_signature_data_t *elem;
++ key_ref_t key;
++
++ if (size < sizeof(list))
++ return -EBADMSG;
++
++ memcpy(&list, data, sizeof(list));
++ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",
++ offs,
++ list.signature_type.b, list.signature_list_size,
++ list.signature_header_size, list.signature_size);
++
++ lsize = list.signature_list_size;
++ hsize = list.signature_header_size;
++ esize = list.signature_size;
++ elsize = lsize - sizeof(list) - hsize;
++
++ if (lsize > size) {
++ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",
++ __func__, offs);
++ return -EBADMSG;
++ }
++ if (lsize < sizeof(list) ||
++ lsize - sizeof(list) < hsize ||
++ esize < sizeof(*elem) ||
++ elsize < esize ||
++ elsize % esize != 0) {
++ pr_devel("- bad size combo @%x\n", offs);
++ return -EBADMSG;
++ }
++
++ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) {
++ data += lsize;
++ size -= lsize;
++ offs += lsize;
++ continue;
++ }
++
++ data += sizeof(list) + hsize;
++ size -= sizeof(list) + hsize;
++ offs += sizeof(list) + hsize;
++
++ for (; elsize > 0; elsize -= esize) {
++ elem = data;
++
++ pr_devel("ELEM[%04x]\n", offs);
++
++ key = key_create_or_update(
++ make_key_ref(keyring, 1),
++ "asymmetric",
++ NULL,
++ &elem->signature_data,
++ esize - sizeof(*elem),
++ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
++ KEY_USR_VIEW,
++ KEY_ALLOC_NOT_IN_QUOTA);
++
++ if (IS_ERR(key))
++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
++ PTR_ERR(key));
++ else
++ pr_notice("Loaded cert '%s' linked to '%s'\n",
++ key_ref_to_ptr(key)->description,
++ keyring->description);
++
++ data += esize;
++ size -= esize;
++ offs += esize;
++ }
++ }
++
++ return 0;
++}
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 1da1b3c..42a1d25 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -619,6 +619,10 @@ extern int efi_set_rtc_mmss(const struct timespec *now);
+ extern void efi_reserve_boot_services(void);
+ extern struct efi_memory_map memmap;
+
++struct key;
++extern int __init parse_efi_signature_list(const void *data, size_t size,
++ struct key *keyring);
++
+ /**
+ * efi_range_is_wc - check the WC bit on an address range
+ * @start: starting kvirt address
+--
+1.8.3.1
+
+
+From 0e4e8acfd0932bbf6b02112218092c810d9469a5 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 26 Oct 2012 12:36:24 -0400
+Subject: [PATCH 3/4] MODSIGN: Add module certificate blacklist keyring
+
+This adds an additional keyring that is used to store certificates that
+are blacklisted. This keyring is searched first when loading signed modules
+and if the module's certificate is found, it will refuse to load. This is
+useful in cases where third party certificates are used for module signing.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ init/Kconfig | 8 ++++++++
+ kernel/modsign_pubkey.c | 14 ++++++++++++++
+ kernel/module-internal.h | 3 +++
+ kernel/module_signing.c | 12 ++++++++++++
+ 4 files changed, 37 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index fed81b5..b4fa2d1 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1772,6 +1772,14 @@ config MODULE_SIG_ALL
+ comment "Do not forget to sign required modules with scripts/sign-file"
+ depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
+
++config MODULE_SIG_BLACKLIST
++ bool "Support for blacklisting module signature certificates"
++ depends on MODULE_SIG
++ help
++ This adds support for keeping a blacklist of certificates that
++ should not pass module signature verification. If a module is
++ signed with something in this keyring, the load will be rejected.
++
+ choice
+ prompt "Which hash algorithm should modules be signed with?"
+ depends on MODULE_SIG
+diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
+index 2b6e699..4cd408d 100644
+--- a/kernel/modsign_pubkey.c
++++ b/kernel/modsign_pubkey.c
+@@ -17,6 +17,9 @@
+ #include "module-internal.h"
+
+ struct key *modsign_keyring;
++#ifdef CONFIG_MODULE_SIG_BLACKLIST
++struct key *modsign_blacklist;
++#endif
+
+ extern __initdata const u8 modsign_certificate_list[];
+ extern __initdata const u8 modsign_certificate_list_end[];
+@@ -43,6 +46,17 @@ static __init int module_verify_init(void)
+ if (IS_ERR(modsign_keyring))
+ panic("Can't allocate module signing keyring\n");
+
++#ifdef CONFIG_MODULE_SIG_BLACKLIST
++ modsign_blacklist = keyring_alloc(".modsign_blacklist",
++ KUIDT_INIT(0), KGIDT_INIT(0),
++ current_cred(),
++ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
++ KEY_USR_VIEW | KEY_USR_READ,
++ KEY_ALLOC_NOT_IN_QUOTA, NULL);
++ if (IS_ERR(modsign_blacklist))
++ panic("Can't allocate module signing blacklist keyring\n");
++#endif
++
+ return 0;
+ }
+
+diff --git a/kernel/module-internal.h b/kernel/module-internal.h
+index 24f9247..51a8380 100644
+--- a/kernel/module-internal.h
++++ b/kernel/module-internal.h
+@@ -10,5 +10,8 @@
+ */
+
+ extern struct key *modsign_keyring;
++#ifdef CONFIG_MODULE_SIG_BLACKLIST
++extern struct key *modsign_blacklist;
++#endif
+
+ extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
+diff --git a/kernel/module_signing.c b/kernel/module_signing.c
+index f2970bd..5423195 100644
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -157,6 +157,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
+
+ pr_debug("Look up: \"%s\"\n", id);
+
++#ifdef CONFIG_MODULE_SIG_BLACKLIST
++ key = keyring_search(make_key_ref(modsign_blacklist, 1),
++ &key_type_asymmetric, id);
++ if (!IS_ERR(key)) {
++ /* module is signed with a cert in the blacklist. reject */
++ pr_err("Module key '%s' is in blacklist\n", id);
++ key_ref_put(key);
++ kfree(id);
++ return ERR_PTR(-EKEYREJECTED);
++ }
++#endif
++
+ key = keyring_search(make_key_ref(modsign_keyring, 1),
+ &key_type_asymmetric, id);
+ if (IS_ERR(key))
+--
+1.8.3.1
+
+
+From c558b46370e850851a94795df67b7c57aecc48ea Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 26 Oct 2012 12:42:16 -0400
+Subject: [PATCH 4/4] MODSIGN: Import certificates from UEFI Secure Boot
+
+Secure Boot stores a list of allowed certificates in the 'db' variable.
+This imports those certificates into the module signing keyring. This
+allows for a third party signing certificate to be used in conjunction
+with signed modules. By importing the public certificate into the 'db'
+variable, a user can allow a module signed with that certificate to
+load. The shim UEFI bootloader has a similar certificate list stored
+in the 'MokListRT' variable. We import those as well.
+
+In the opposite case, Secure Boot maintains a list of disallowed
+certificates in the 'dbx' variable. We load those certificates into
+the newly introduced module blacklist keyring and forbid any module
+signed with those from loading.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ include/linux/efi.h | 6 ++++
+ init/Kconfig | 9 +++++
+ kernel/Makefile | 3 ++
+ kernel/modsign_uefi.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 109 insertions(+)
+ create mode 100644 kernel/modsign_uefi.c
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 42a1d25..d3e6036 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -395,6 +395,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si
+ #define EFI_CERT_X509_GUID \
+ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
+
++#define EFI_IMAGE_SECURITY_DATABASE_GUID \
++ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
++
++#define EFI_SHIM_LOCK_GUID \
++ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
++
+ typedef struct {
+ efi_guid_t guid;
+ u64 table;
+diff --git a/init/Kconfig b/init/Kconfig
+index b4fa2d1..94ce526 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1780,6 +1780,15 @@ config MODULE_SIG_BLACKLIST
+ should not pass module signature verification. If a module is
+ signed with something in this keyring, the load will be rejected.
+
++config MODULE_SIG_UEFI
++ bool "Allow modules signed with certs stored in UEFI"
++ depends on MODULE_SIG && MODULE_SIG_BLACKLIST && EFI
++ select EFI_SIGNATURE_LIST_PARSER
++ help
++ This will import certificates stored in UEFI and allow modules
++ signed with those to be loaded. It will also disallow loading
++ of modules stored in the UEFI dbx variable.
++
+ choice
+ prompt "Which hash algorithm should modules be signed with?"
+ depends on MODULE_SIG
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 35ef118..6ca1fea 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
+ obj-$(CONFIG_UID16) += uid16.o
+ obj-$(CONFIG_MODULES) += module.o
+ obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o
++obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
+ obj-$(CONFIG_KALLSYMS) += kallsyms.o
+ obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
+ obj-$(CONFIG_KEXEC) += kexec.o
+@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
+
+ $(obj)/configs.o: $(obj)/config_data.h
+
++$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
++
+ # config_data.h contains the same information as ikconfig.h but gzipped.
+ # Info from config_data can be extracted from /proc/config*
+ targets += config_data.gz
+diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
+new file mode 100644
+index 0000000..7eae5b4
+--- /dev/null
++++ b/kernel/modsign_uefi.c
+@@ -0,0 +1,91 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/cred.h>
++#include <linux/err.h>
++#include <linux/efi.h>
++#include <linux/slab.h>
++#include <keys/asymmetric-type.h>
++#include "module-internal.h"
++
++static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
++{
++ efi_status_t status;
++ unsigned long lsize = 4;
++ unsigned long tmpdb[4];
++ void *db = NULL;
++
++ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
++ if (status != EFI_BUFFER_TOO_SMALL) {
++ pr_err("Couldn't get size: 0x%lx\n", status);
++ return NULL;
++ }
++
++ db = kmalloc(lsize, GFP_KERNEL);
++ if (!db) {
++ pr_err("Couldn't allocate memory for uefi cert list\n");
++ goto out;
++ }
++
++ status = efi.get_variable(name, guid, NULL, &lsize, db);
++ if (status != EFI_SUCCESS) {
++ kfree(db);
++ db = NULL;
++ pr_err("Error reading db var: 0x%lx\n", status);
++ }
++out:
++ *size = lsize;
++ return db;
++}
++
++/*
++ * * Load the certs contained in the UEFI databases
++ * */
++static int __init load_uefi_certs(void)
++{
++ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
++ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
++ void *db = NULL, *dbx = NULL, *mok = NULL;
++ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
++ int rc = 0;
++
++ /* Check if SB is enabled and just return if not */
++ if (!efi_enabled(EFI_SECURE_BOOT))
++ return 0;
++
++ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
++ * an error if we can't get them.
++ */
++ db = get_cert_list(L"db", &secure_var, &dbsize);
++ if (!db) {
++ pr_err("MODSIGN: Couldn't get UEFI db list\n");
++ } else {
++ rc = parse_efi_signature_list(db, dbsize, modsign_keyring);
++ if (rc)
++ pr_err("Couldn't parse db signatures: %d\n", rc);
++ kfree(db);
++ }
++
++ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
++ if (!mok) {
++ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
++ } else {
++ rc = parse_efi_signature_list(mok, moksize, modsign_keyring);
++ if (rc)
++ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
++ kfree(mok);
++ }
++
++ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
++ if (!dbx) {
++ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
++ } else {
++ rc = parse_efi_signature_list(dbx, dbxsize,
++ modsign_blacklist);
++ if (rc)
++ pr_err("Couldn't parse dbx signatures: %d\n", rc);
++ kfree(dbx);
++ }
++
++ return rc;
++}
++late_initcall(load_uefi_certs);
+--
+1.8.3.1
+
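Review bot: The dbx handling in load_uefi_certs (patch 4/4) fails open. The db and MokListRT certificates are linked into modsign_keyring first; a dbx that cannot be read is then only reported with `pr_info("MODSIGN: Couldn't get UEFI dbx list\n")`, and a dbx parse failure only changes the initcall's return value, so the trusted keys stay in place with an empty or partial blacklist. get_cert_list returns NULL for every failure, so the caller cannot tell an absent variable from a firmware or allocation error. Handing the efi_status_t back, treating anything other than EFI_NOT_FOUND on dbx as a hard failure, and loading dbx before db and MokListRT would close that gap. parse_efi_signature_list also skips every list whose type is not EFI_CERT_X509_GUID and only logs when key_create_or_update fails, so non-X.509 dbx entries have no effect on module loading; the MODULE_SIG_UEFI help text should say so, for example `Only X.509 entries in db, MokListRT and dbx are used; other signature types are ignored.`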
diff --git a/freed-ora/current/master/nowatchdog-on-virt.patch b/freed-ora/current/master/nowatchdog-on-virt.patch
index b20642204..87ab11a0f 100644
--- a/freed-ora/current/master/nowatchdog-on-virt.patch
+++ b/freed-ora/current/master/nowatchdog-on-virt.patch
@@ -12,7 +12,7 @@ Just disable the detector on VMs.
Signed-off-by: Dave Jones <davej@redhat.com>
diff --git a/kernel/watchdog.c b/kernel/watchdog.c
-index 05039e3..a28aab9 100644
+index 1241d8c..b2dc4e4 100644
--- a/kernel/watchdog.c
+++ b/kernel/watchdog.c
@@ -24,6 +24,7 @@
@@ -30,7 +30,7 @@ index 05039e3..a28aab9 100644
+static int disable_watchdog(const struct dmi_system_id *d)
+{
+ printk(KERN_INFO "watchdog: disabled (inside virtual machine)\n");
-+ watchdog_enabled = 0;
++ watchdog_user_enabled = 0;
+ return 0;
+}
+
@@ -56,12 +56,12 @@ index 05039e3..a28aab9 100644
/*
* Hard-lockup warnings should be triggered after just a few seconds. Soft-
* lockups can have false positives under extreme conditions. So we generally
-@@ -543,6 +570,8 @@ static struct smp_hotplug_thread watchdog_threads = {
+@@ -551,6 +578,8 @@ int proc_dowatchdog(struct ctl_table *table, int write,
void __init lockup_detector_init(void)
{
+ dmi_check_system(watchdog_virt_dmi_table);
+
set_sample_period();
- if (smpboot_register_percpu_thread(&watchdog_threads)) {
- pr_err("Failed to create watchdog threads, disabled\n");
+
+ #ifdef CONFIG_NO_HZ_FULL
diff --git a/freed-ora/current/master/patch-3.10-gnu-3.11-rc7-gnu.xz.sign b/freed-ora/current/master/patch-3.10-gnu-3.11-rc7-gnu.xz.sign
new file mode 100644
index 000000000..31b272167
--- /dev/null
+++ b/freed-ora/current/master/patch-3.10-gnu-3.11-rc7-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+iEYEABECAAYFAlIiiJUACgkQvLfPh359R6dHoQCfXK7l8OiIJeqEzXlaVGFKHNru
+iYgAoJE8ybfl5AraJne54V6R7aWBH7GE
+=bcnU
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/master/sb-hibernate.patch b/freed-ora/current/master/sb-hibernate.patch
new file mode 100644
index 000000000..966024b9b
--- /dev/null
+++ b/freed-ora/current/master/sb-hibernate.patch
@@ -0,0 +1,123 @@
+From 4fe6d11d21b548d6e8272cc8cad5fcc6150ef081 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Fri, 26 Oct 2012 14:02:09 -0400
+Subject: [PATCH] hibernate: Disable in a signed modules environment
+
+There is currently no way to verify the resume image when returning
+from hibernate. This might compromise the signed modules trust model,
+so until we can work with signed hibernate images we disable it in
+a secure modules environment.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.com>
+---
+ kernel/power/hibernate.c | 16 +++++++++++++++-
+ kernel/power/main.c | 7 ++++++-
+ kernel/power/user.c | 5 +++++
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index b26f5f1..e65228b 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -28,6 +28,8 @@
+ #include <linux/syscore_ops.h>
+ #include <linux/ctype.h>
+ #include <linux/genhd.h>
++#include <linux/efi.h>
++#include <linux/module.h>
+
+ #include "power.h"
+
+@@ -632,6 +634,10 @@ int hibernate(void)
+ {
+ int error;
+
++ if (secure_modules()) {
++ return -EPERM;
++ }
++
+ lock_system_sleep();
+ /* The snapshot device should not be opened while we're running */
+ if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
+@@ -723,7 +729,7 @@ static int software_resume(void)
+ /*
+ * If the user said "noresume".. bail out early.
+ */
+- if (noresume)
++ if (noresume || secure_modules())
+ return 0;
+
+ /*
+@@ -889,6 +895,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
+ int i;
+ char *start = buf;
+
++ if (efi_enabled(EFI_SECURE_BOOT)) {
++ buf += sprintf(buf, "[%s]\n", "disabled");
++ return buf-start;
++ }
++
+ for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
+ if (!hibernation_modes[i])
+ continue;
+@@ -923,6 +934,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
+ char *p;
+ int mode = HIBERNATION_INVALID;
+
++ if (secure_modules())
++ return -EPERM;
++
+ p = memchr(buf, '\n', n);
+ len = p ? p - buf : n;
+
+diff --git a/kernel/power/main.c b/kernel/power/main.c
+index 1d1bf63..300f300 100644
+--- a/kernel/power/main.c
++++ b/kernel/power/main.c
+@@ -15,6 +15,7 @@
+ #include <linux/workqueue.h>
+ #include <linux/debugfs.h>
+ #include <linux/seq_file.h>
++#include <linux/efi.h>
+
+ #include "power.h"
+
+@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr,
+ }
+ #endif
+ #ifdef CONFIG_HIBERNATION
+- s += sprintf(s, "%s\n", "disk");
++ if (!efi_enabled(EFI_SECURE_BOOT)) {
++ s += sprintf(s, "%s\n", "disk");
++ } else {
++ s += sprintf(s, "\n");
++ }
+ #else
+ if (s != buf)
+ /* convert the last space to a newline */
+diff --git a/kernel/power/user.c b/kernel/power/user.c
+index 4ed81e7..b714ee6 100644
+--- a/kernel/power/user.c
++++ b/kernel/power/user.c
+@@ -24,6 +24,8 @@
+ #include <linux/console.h>
+ #include <linux/cpu.h>
+ #include <linux/freezer.h>
++#include <linux/efi.h>
++#include <linux/module.h>
+
+ #include <asm/uaccess.h>
+
+@@ -48,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
+ struct snapshot_data *data;
+ int error;
+
++ if (secure_modules())
++ return -EPERM;
++
+ lock_system_sleep();
+
+ if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
+--
+1.8.3.1
+
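Review bot: The gating condition is not consistent across this patch: hibernate(), software_resume(), disk_store() and snapshot_open() test `secure_modules()`, while disk_show() and state_show() test `efi_enabled(EFI_SECURE_BOOT)`. secure_modules() is defined outside this patch, but if the two conditions can differ (for example signature enforcement without Secure Boot), /sys/power/state and /sys/power/disk would still advertise hibernation while the request fails with -EPERM. Using the enforced predicate in both show functions keeps what sysfs reports in step with what is refused: `if (secure_modules()) {` in disk_show and `if (!secure_modules()) {` in state_show. A one-line comment above the check in hibernate(), such as `/* resume image cannot be verified, so refuse when modules must be signed */`, would record why the call is refused.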
diff --git a/freed-ora/current/master/scripts/generate-git-snapshot.sh b/freed-ora/current/master/scripts/generate-git-snapshot.sh
index 239b846c9..b6fe0d6c1 100755
--- a/freed-ora/current/master/scripts/generate-git-snapshot.sh
+++ b/freed-ora/current/master/scripts/generate-git-snapshot.sh
@@ -2,6 +2,8 @@
#
# Set LINUX_GIT to point to an upstream Linux git tree in your .bashrc or wherever.
+[ ! -d "$LINUX_GIT" ] && echo "error: set \$LINUX_GIT to point at upstream git tree" && exit 1
+
VER=$(grep patch sources | head -n1 | awk '{ print $2 }' | sed s/patch-// | sed s/-git.*// | sed s/.xz//)
OLDGIT=$(grep gitrev kernel.spec | head -n1 | sed s/%define\ gitrev\ //)
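Review bot: The new LINUX_GIT guard prints its error on stdout, and it reaches `exit 1` only if the `echo` in the `&&` chain succeeds. Sending the message to stderr and making the exit unconditional keeps the failure visible to callers that capture output: `[ -d "$LINUX_GIT" ] || { echo "error: set \$LINUX_GIT to point at upstream git tree" >&2; exit 1; }`.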
diff --git a/freed-ora/current/master/secure-boot-20130218.patch b/freed-ora/current/master/secure-boot-20130218.patch
deleted file mode 100644
index 29ac46cd9..000000000
--- a/freed-ora/current/master/secure-boot-20130218.patch
+++ /dev/null
@@ -1,1434 +0,0 @@
-From 0c5837031a4e996877930fd023a5877dd1d615ba Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:40:56 -0400
-Subject: [PATCH 01/19] Secure boot: Add new capability
-
-Secure boot adds certain policy requirements, including that root must not
-be able to do anything that could cause the kernel to execute arbitrary code.
-The simplest way to handle this would seem to be to add a new capability
-and gate various functionality on that. We'll then strip it from the initial
-capability set if required.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- include/uapi/linux/capability.h | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
-index ba478fa..7109e65 100644
---- a/include/uapi/linux/capability.h
-+++ b/include/uapi/linux/capability.h
-@@ -343,7 +343,11 @@ struct vfs_cap_data {
-
- #define CAP_BLOCK_SUSPEND 36
-
--#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
-+/* Allow things that trivially permit root to modify the running kernel */
-+
-+#define CAP_COMPROMISE_KERNEL 37
-+
-+#define CAP_LAST_CAP CAP_COMPROMISE_KERNEL
-
- #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
-
---
-1.8.1.2
-
-
-From 87c8fddbcb3042fc4174b53763adbf66045a12be Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:05 -0400
-Subject: [PATCH 02/19] SELinux: define mapping for new Secure Boot capability
-
-Add the name of the new Secure Boot capability. This allows SELinux
-policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
-capability class.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- security/selinux/include/classmap.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
-index 14d04e6..ed99a2d 100644
---- a/security/selinux/include/classmap.h
-+++ b/security/selinux/include/classmap.h
-@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
- { "memprotect", { "mmap_zero", NULL } },
- { "peer", { "recv", NULL } },
- { "capability2",
-- { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
-- NULL } },
-+ { "mac_override", "mac_admin", "syslog", "wake_alarm",
-+ "block_suspend", "compromise_kernel", NULL } },
- { "kernel_service", { "use_as_override", "create_files_as", NULL } },
- { "tun_socket",
- { COMMON_SOCK_PERMS, "attach_queue", NULL } },
---
-1.8.1.2
-
-
-From df14b5319bf3ed2110839e233ac61e6136745be8 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:02 -0400
-Subject: [PATCH 03/19] Secure boot: Add a dummy kernel parameter that will
- switch on Secure Boot mode
-
-This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
-in the init_cred struct, which everything else inherits from. This works on
-any machine and can be used to develop even if the box doesn't have UEFI.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- Documentation/kernel-parameters.txt | 7 +++++++
- kernel/cred.c | 17 +++++++++++++++++
- 2 files changed, 24 insertions(+)
-
-diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 6c72381..7dffdd5 100644
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -2654,6 +2654,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
- Note: increases power consumption, thus should only be
- enabled if running jitter sensitive (HPC/RT) workloads.
-
-+ secureboot_enable=
-+ [KNL] Enables an emulated UEFI Secure Boot mode. This
-+ locks down various aspects of the kernel guarded by the
-+ CAP_COMPROMISE_KERNEL capability. This includes things
-+ like /dev/mem, IO port access, and other areas. It can
-+ be used on non-UEFI machines for testing purposes.
-+
- security= [SECURITY] Choose a security module to enable at boot.
- If this boot parameter is not specified, only the first
- security module asking for security registration will be
-diff --git a/kernel/cred.c b/kernel/cred.c
-index e0573a4..c3f4e3e 100644
---- a/kernel/cred.c
-+++ b/kernel/cred.c
-@@ -565,6 +565,23 @@ void __init cred_init(void)
- 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
- }
-
-+void __init secureboot_enable()
-+{
-+ pr_info("Secure boot enabled\n");
-+ cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);
-+ cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);
-+}
-+
-+/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
-+static int __init secureboot_enable_opt(char *str)
-+{
-+ int sb_enable = !!simple_strtol(str, NULL, 0);
-+ if (sb_enable)
-+ secureboot_enable();
-+ return 1;
-+}
-+__setup("secureboot_enable=", secureboot_enable_opt);
-+
- /**
- * prepare_kernel_cred - Prepare a set of credentials for a kernel service
- * @daemon: A userspace daemon to be used as a reference
---
-1.8.1.2
-
-
-From 49c76a665e8a09da48cbe271ea40266ca1a226c0 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:03 -0400
-Subject: [PATCH 04/19] efi: Enable secure boot lockdown automatically when
- enabled in firmware
-
-The firmware has a set of flags that indicate whether secure boot is enabled
-and enforcing. Use them to indicate whether the kernel should lock itself
-down. We also indicate the machine is in secure boot mode by adding the
-EFI_SECURE_BOOT bit for use with efi_enabled.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- Documentation/x86/zero-page.txt | 2 ++
- arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
- arch/x86/include/uapi/asm/bootparam.h | 3 ++-
- arch/x86/kernel/setup.c | 7 +++++++
- include/linux/cred.h | 2 ++
- include/linux/efi.h | 1 +
- 6 files changed, 46 insertions(+), 1 deletion(-)
-
-diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 199f453..ff651d3 100644
---- a/Documentation/x86/zero-page.txt
-+++ b/Documentation/x86/zero-page.txt
-@@ -30,6 +30,8 @@ Offset Proto Name Meaning
- 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
- 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
- (below)
-+1EB/001 ALL kbd_status Numlock is enabled
-+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns
- 1EF/001 ALL sentinel Used to detect broken bootloaders
- 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
- 2D0/A00 ALL e820_map E820 memory map table
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index f8fa411..96bd86b 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -849,6 +849,36 @@ fail:
- return status;
- }
-
-+static int get_secure_boot(efi_system_table_t *_table)
-+{
-+ u8 sb, setup;
-+ unsigned long datasize = sizeof(sb);
-+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
-+ efi_status_t status;
-+
-+ status = efi_call_phys5(sys_table->runtime->get_variable,
-+ L"SecureBoot", &var_guid, NULL, &datasize, &sb);
-+
-+ if (status != EFI_SUCCESS)
-+ return 0;
-+
-+ if (sb == 0)
-+ return 0;
-+
-+
-+ status = efi_call_phys5(sys_table->runtime->get_variable,
-+ L"SetupMode", &var_guid, NULL, &datasize,
-+ &setup);
-+
-+ if (status != EFI_SUCCESS)
-+ return 0;
-+
-+ if (setup == 1)
-+ return 0;
-+
-+ return 1;
-+}
-+
- /*
- * Because the x86 boot code expects to be passed a boot_params we
- * need to create one ourselves (usually the bootloader would create
-@@ -1143,6 +1173,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
- if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
- goto fail;
-
-+ boot_params->secure_boot = get_secure_boot(sys_table);
-+
- setup_graphics(boot_params);
-
- setup_efi_pci(boot_params);
-diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index c15ddaf..85d7685 100644
---- a/arch/x86/include/uapi/asm/bootparam.h
-+++ b/arch/x86/include/uapi/asm/bootparam.h
-@@ -131,7 +131,8 @@ struct boot_params {
- __u8 eddbuf_entries; /* 0x1e9 */
- __u8 edd_mbr_sig_buf_entries; /* 0x1ea */
- __u8 kbd_status; /* 0x1eb */
-- __u8 _pad5[3]; /* 0x1ec */
-+ __u8 secure_boot; /* 0x1ec */
-+ __u8 _pad5[2]; /* 0x1ed */
- /*
- * The sentinel is set to a nonzero value (0xff) in header.S.
- *
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 8b24289..d74b441 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1042,6 +1042,13 @@ void __init setup_arch(char **cmdline_p)
-
- io_delay_init();
-
-+ if (boot_params.secure_boot) {
-+#ifdef CONFIG_EFI
-+ set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
-+#endif
-+ secureboot_enable();
-+ }
-+
- /*
- * Parse the ACPI tables for possible boot-time SMP configuration.
- */
-diff --git a/include/linux/cred.h b/include/linux/cred.h
-index 04421e8..9e69542 100644
---- a/include/linux/cred.h
-+++ b/include/linux/cred.h
-@@ -156,6 +156,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
- extern int set_create_files_as(struct cred *, struct inode *);
- extern void __init cred_init(void);
-
-+extern void secureboot_enable(void);
-+
- /*
- * check for validity of credentials
- */
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 7a9498a..1ae16b6 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -627,6 +627,7 @@ extern int __init efi_setup_pcdp_console(char *);
- #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */
- #define EFI_MEMMAP 4 /* Can we use EFI memory map? */
- #define EFI_64BIT 5 /* Is the firmware 64-bit? */
-+#define EFI_SECURE_BOOT 6 /* Are we in Secure Boot mode? */
-
- #ifdef CONFIG_EFI
- # ifdef CONFIG_X86
---
-1.8.1.2
-
-
-From d4d1b3ad3e1a553c807b4ecafcbde4bf816e4db2 Mon Sep 17 00:00:00 2001
-From: Dave Howells <dhowells@redhat.com>
-Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH 05/19] Add EFI signature data types
-
-Add the data types that are used for containing hashes, keys and certificates
-for cryptographic verification.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- include/linux/efi.h | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 1ae16b6..de7021d 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -388,6 +388,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
- #define EFI_FILE_SYSTEM_GUID \
- EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b )
-
-+#define EFI_CERT_SHA256_GUID \
-+ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 )
-+
-+#define EFI_CERT_X509_GUID \
-+ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
-+
- typedef struct {
- efi_guid_t guid;
- u64 table;
-@@ -523,6 +529,20 @@ typedef struct {
-
- #define EFI_INVALID_TABLE_ADDR (~0UL)
-
-+typedef struct {
-+ efi_guid_t signature_owner;
-+ u8 signature_data[];
-+} efi_signature_data_t;
-+
-+typedef struct {
-+ efi_guid_t signature_type;
-+ u32 signature_list_size;
-+ u32 signature_header_size;
-+ u32 signature_size;
-+ u8 signature_header[];
-+ /* efi_signature_data_t signatures[][] */
-+} efi_signature_list_t;
-+
- /*
- * All runtime access to EFI goes through this structure:
- */
---
-1.8.1.2
-
-
-From 3cffca89eadf7e0f0a266c370f8034f33723831a Mon Sep 17 00:00:00 2001
-From: Dave Howells <dhowells@redhat.com>
-Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH 06/19] Add an EFI signature blob parser and key loader.
-
-X.509 certificates are loaded into the specified keyring as asymmetric type
-keys.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- crypto/asymmetric_keys/Kconfig | 8 +++
- crypto/asymmetric_keys/Makefile | 1 +
- crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
- include/linux/efi.h | 4 ++
- 4 files changed, 121 insertions(+)
- create mode 100644 crypto/asymmetric_keys/efi_parser.c
-
-diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 6d2c2ea..ace9c30 100644
---- a/crypto/asymmetric_keys/Kconfig
-+++ b/crypto/asymmetric_keys/Kconfig
-@@ -35,4 +35,12 @@ config X509_CERTIFICATE_PARSER
- data and provides the ability to instantiate a crypto key from a
- public key packet found inside the certificate.
-
-+config EFI_SIGNATURE_LIST_PARSER
-+ bool "EFI signature list parser"
-+ depends on EFI
-+ select X509_CERTIFICATE_PARSER
-+ help
-+ This option provides support for parsing EFI signature lists for
-+ X.509 certificates and turning them into keys.
-+
- endif # ASYMMETRIC_KEY_TYPE
-diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index 0727204..cd8388e 100644
---- a/crypto/asymmetric_keys/Makefile
-+++ b/crypto/asymmetric_keys/Makefile
-@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o
-
- obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
- obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o
-+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
-
- #
- # X.509 Certificate handling
-diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
-new file mode 100644
-index 0000000..636feb1
---- /dev/null
-+++ b/crypto/asymmetric_keys/efi_parser.c
-@@ -0,0 +1,108 @@
-+/* EFI signature/key/certificate list parser
-+ *
-+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) "EFI: "fmt
-+#include <linux/module.h>
-+#include <linux/printk.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+#include <keys/asymmetric-type.h>
-+
-+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
-+
-+/**
-+ * parse_efi_signature_list - Parse an EFI signature list for certificates
-+ * @data: The data blob to parse
-+ * @size: The size of the data blob
-+ * @keyring: The keyring to add extracted keys to
-+ */
-+int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring)
-+{
-+ unsigned offs = 0;
-+ size_t lsize, esize, hsize, elsize;
-+
-+ pr_devel("-->%s(,%zu)\n", __func__, size);
-+
-+ while (size > 0) {
-+ efi_signature_list_t list;
-+ const efi_signature_data_t *elem;
-+ key_ref_t key;
-+
-+ if (size < sizeof(list))
-+ return -EBADMSG;
-+
-+ memcpy(&list, data, sizeof(list));
-+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",
-+ offs,
-+ list.signature_type.b, list.signature_list_size,
-+ list.signature_header_size, list.signature_size);
-+
-+ lsize = list.signature_list_size;
-+ hsize = list.signature_header_size;
-+ esize = list.signature_size;
-+ elsize = lsize - sizeof(list) - hsize;
-+
-+ if (lsize > size) {
-+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",
-+ __func__, offs);
-+ return -EBADMSG;
-+ }
-+ if (lsize < sizeof(list) ||
-+ lsize - sizeof(list) < hsize ||
-+ esize < sizeof(*elem) ||
-+ elsize < esize ||
-+ elsize % esize != 0) {
-+ pr_devel("- bad size combo @%x\n", offs);
-+ return -EBADMSG;
-+ }
-+
-+ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) {
-+ data += lsize;
-+ size -= lsize;
-+ offs += lsize;
-+ continue;
-+ }
-+
-+ data += sizeof(list) + hsize;
-+ size -= sizeof(list) + hsize;
-+ offs += sizeof(list) + hsize;
-+
-+ for (; elsize > 0; elsize -= esize) {
-+ elem = data;
-+
-+ pr_devel("ELEM[%04x]\n", offs);
-+
-+ key = key_create_or_update(
-+ make_key_ref(keyring, 1),
-+ "asymmetric",
-+ NULL,
-+ &elem->signature_data,
-+ esize - sizeof(*elem),
-+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+ KEY_USR_VIEW,
-+ KEY_ALLOC_NOT_IN_QUOTA);
-+
-+ if (IS_ERR(key))
-+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
-+ PTR_ERR(key));
-+ else
-+ pr_notice("Loaded cert '%s' linked to '%s'\n",
-+ key_ref_to_ptr(key)->description,
-+ keyring->description);
-+
-+ data += esize;
-+ size -= esize;
-+ offs += esize;
-+ }
-+ }
-+
-+ return 0;
-+}
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index de7021d..64b3e55 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -612,6 +612,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime);
- extern void efi_reserve_boot_services(void);
- extern struct efi_memory_map memmap;
-
-+struct key;
-+extern int __init parse_efi_signature_list(const void *data, size_t size,
-+ struct key *keyring);
-+
- /**
- * efi_range_is_wc - check the WC bit on an address range
- * @start: starting kvirt address
---
-1.8.1.2
-
-
-From 89ea7424726ae4f7265ab84e703cf2da77acda57 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 07/19] MODSIGN: Add module certificate blacklist keyring
-
-This adds an additional keyring that is used to store certificates that
-are blacklisted. This keyring is searched first when loading signed modules
-and if the module's certificate is found, it will refuse to load. This is
-useful in cases where third party certificates are used for module signing.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- init/Kconfig | 8 ++++++++
- kernel/modsign_pubkey.c | 14 ++++++++++++++
- kernel/module-internal.h | 3 +++
- kernel/module_signing.c | 12 ++++++++++++
- 4 files changed, 37 insertions(+)
-
-diff --git a/init/Kconfig b/init/Kconfig
-index be8b7f5..d972b77 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1665,6 +1665,14 @@ config MODULE_SIG_FORCE
- Reject unsigned modules or signed modules for which we don't have a
- key. Without this, such modules will simply taint the kernel.
-
-+config MODULE_SIG_BLACKLIST
-+ bool "Support for blacklisting module signature certificates"
-+ depends on MODULE_SIG
-+ help
-+ This adds support for keeping a blacklist of certificates that
-+ should not pass module signature verification. If a module is
-+ signed with something in this keyring, the load will be rejected.
-+
- choice
- prompt "Which hash algorithm should modules be signed with?"
- depends on MODULE_SIG
-diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
-index 2b6e699..4cd408d 100644
---- a/kernel/modsign_pubkey.c
-+++ b/kernel/modsign_pubkey.c
-@@ -17,6 +17,9 @@
- #include "module-internal.h"
-
- struct key *modsign_keyring;
-+#ifdef CONFIG_MODULE_SIG_BLACKLIST
-+struct key *modsign_blacklist;
-+#endif
-
- extern __initdata const u8 modsign_certificate_list[];
- extern __initdata const u8 modsign_certificate_list_end[];
-@@ -43,6 +46,17 @@ static __init int module_verify_init(void)
- if (IS_ERR(modsign_keyring))
- panic("Can't allocate module signing keyring\n");
-
-+#ifdef CONFIG_MODULE_SIG_BLACKLIST
-+ modsign_blacklist = keyring_alloc(".modsign_blacklist",
-+ KUIDT_INIT(0), KGIDT_INIT(0),
-+ current_cred(),
-+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+ KEY_USR_VIEW | KEY_USR_READ,
-+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
-+ if (IS_ERR(modsign_blacklist))
-+ panic("Can't allocate module signing blacklist keyring\n");
-+#endif
-+
- return 0;
- }
-
-diff --git a/kernel/module-internal.h b/kernel/module-internal.h
-index 24f9247..51a8380 100644
---- a/kernel/module-internal.h
-+++ b/kernel/module-internal.h
-@@ -10,5 +10,8 @@
- */
-
- extern struct key *modsign_keyring;
-+#ifdef CONFIG_MODULE_SIG_BLACKLIST
-+extern struct key *modsign_blacklist;
-+#endif
-
- extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
-diff --git a/kernel/module_signing.c b/kernel/module_signing.c
-index f2970bd..5423195 100644
---- a/kernel/module_signing.c
-+++ b/kernel/module_signing.c
-@@ -157,6 +157,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
-
- pr_debug("Look up: \"%s\"\n", id);
-
-+#ifdef CONFIG_MODULE_SIG_BLACKLIST
-+ key = keyring_search(make_key_ref(modsign_blacklist, 1),
-+ &key_type_asymmetric, id);
-+ if (!IS_ERR(key)) {
-+ /* module is signed with a cert in the blacklist. reject */
-+ pr_err("Module key '%s' is in blacklist\n", id);
-+ key_ref_put(key);
-+ kfree(id);
-+ return ERR_PTR(-EKEYREJECTED);
-+ }
-+#endif
-+
- key = keyring_search(make_key_ref(modsign_keyring, 1),
- &key_type_asymmetric, id);
- if (IS_ERR(key))
---
-1.8.1.2
-
-
-From 733a5c25b896d8d5fa0051825a671911b50cb47d Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 26 Oct 2012 12:42:16 -0400
-Subject: [PATCH 08/19] MODSIGN: Import certificates from UEFI Secure Boot
-
-Secure Boot stores a list of allowed certificates in the 'db' variable.
-This imports those certificates into the module signing keyring. This
-allows for a third party signing certificate to be used in conjunction
-with signed modules. By importing the public certificate into the 'db'
-variable, a user can allow a module signed with that certificate to
-load. The shim UEFI bootloader has a similar certificate list stored
-in the 'MokListRT' variable. We import those as well.
-
-In the opposite case, Secure Boot maintains a list of disallowed
-certificates in the 'dbx' variable. We load those certificates into
-the newly introduced module blacklist keyring and forbid any module
-signed with those from loading.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- include/linux/efi.h | 6 ++++
- init/Kconfig | 9 ++++++
- kernel/Makefile | 3 ++
- kernel/modsign_uefi.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 108 insertions(+)
- create mode 100644 kernel/modsign_uefi.c
-
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 64b3e55..76fe526 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -394,6 +394,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,
- #define EFI_CERT_X509_GUID \
- EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )
-
-+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
-+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )
-+
-+#define EFI_SHIM_LOCK_GUID \
-+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
-+
- typedef struct {
- efi_guid_t guid;
- u64 table;
-diff --git a/init/Kconfig b/init/Kconfig
-index d972b77..27e3a82 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1673,6 +1673,15 @@ config MODULE_SIG_BLACKLIST
- should not pass module signature verification. If a module is
- signed with something in this keyring, the load will be rejected.
-
-+config MODULE_SIG_UEFI
-+ bool "Allow modules signed with certs stored in UEFI"
-+ depends on MODULE_SIG && MODULE_SIG_BLACKLIST && EFI
-+ select EFI_SIGNATURE_LIST_PARSER
-+ help
-+ This will import certificates stored in UEFI and allow modules
-+ signed with those to be loaded. It will also disallow loading
-+ of modules stored in the UEFI dbx variable.
-+
- choice
- prompt "Which hash algorithm should modules be signed with?"
- depends on MODULE_SIG
-diff --git a/kernel/Makefile b/kernel/Makefile
-index 6c072b6..8848829 100644
---- a/kernel/Makefile
-+++ b/kernel/Makefile
-@@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
- obj-$(CONFIG_UID16) += uid16.o
- obj-$(CONFIG_MODULES) += module.o
- obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o
-+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
- obj-$(CONFIG_KALLSYMS) += kallsyms.o
- obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
- obj-$(CONFIG_KEXEC) += kexec.o
-@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
-
- $(obj)/configs.o: $(obj)/config_data.h
-
-+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
-+
- # config_data.h contains the same information as ikconfig.h but gzipped.
- # Info from config_data can be extracted from /proc/config*
- targets += config_data.gz
-diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
-new file mode 100644
-index 0000000..b9237d7
---- /dev/null
-+++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,90 @@
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+#include <keys/asymmetric-type.h>
-+#include "module-internal.h"
-+
-+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
-+{
-+ efi_status_t status;
-+ unsigned long lsize = 4;
-+ unsigned long tmpdb[4];
-+ void *db = NULL;
-+
-+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
-+ if (status != EFI_BUFFER_TOO_SMALL) {
-+ pr_err("Couldn't get size: 0x%lx\n", status);
-+ return NULL;
-+ }
-+
-+ db = kmalloc(lsize, GFP_KERNEL);
-+ if (!db) {
-+ pr_err("Couldn't allocate memory for uefi cert list\n");
-+ goto out;
-+ }
-+
-+ status = efi.get_variable(name, guid, NULL, &lsize, db);
-+ if (status != EFI_SUCCESS) {
-+ kfree(db);
-+ db = NULL;
-+ pr_err("Error reading db var: 0x%lx\n", status);
-+ }
-+out:
-+ *size = lsize;
-+ return db;
-+}
-+
-+/*
-+ * * Load the certs contained in the UEFI databases
-+ * */
-+static int __init load_uefi_certs(void)
-+{
-+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
-+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
-+ void *db = NULL, *dbx = NULL, *mok = NULL;
-+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
-+ int rc = 0;
-+
-+ /* Check if SB is enabled and just return if not */
-+ if (!efi_enabled(EFI_SECURE_BOOT))
-+ return 0;
-+
-+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
-+ * an error if we can't get them.
-+ */
-+ db = get_cert_list(L"db", &secure_var, &dbsize);
-+ if (!db) {
-+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
-+ } else {
-+ rc = parse_efi_signature_list(db, dbsize, modsign_keyring);
-+ if (rc)
-+ pr_err("Couldn't parse db signatures: %d\n", rc);
-+ kfree(db);
-+ }
-+
-+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-+ if (!mok) {
-+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
-+ } else {
-+ rc = parse_efi_signature_list(mok, moksize, modsign_keyring);
-+ if (rc)
-+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
-+ kfree(mok);
-+ }
-+
-+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
-+ if (!dbx) {
-+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
-+ } else {
-+ rc = parse_efi_signature_list(dbx, dbxsize,
-+ modsign_blacklist);
-+ if (rc)
-+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
-+ kfree(dbx);
-+ }
-+
-+ return rc;
-+}
-+late_initcall(load_uefi_certs);
---
-1.8.1.2
-
-
-From 16027d676baed34a9de804dac68d48096a688b39 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:40:57 -0400
-Subject: [PATCH 09/19] PCI: Lock down BAR access in secure boot environments
-
-Any hardware that can potentially generate DMA has to be locked down from
-userspace in order to avoid it being possible for an attacker to cause
-arbitrary kernel behaviour. Default to paranoid - in future we can
-potentially relax this for sufficiently IOMMU-isolated devices.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- drivers/pci/pci-sysfs.c | 9 +++++++++
- drivers/pci/proc.c | 8 +++++++-
- drivers/pci/syscall.c | 2 +-
- 3 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 9c6e9bb..b966089 100644
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -622,6 +622,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
- loff_t init_off = off;
- u8 *data = (u8*) buf;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (off > dev->cfg_size)
- return 0;
- if (off + count > dev->cfg_size) {
-@@ -928,6 +931,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
- resource_size_t start, end;
- int i;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- for (i = 0; i < PCI_ROM_RESOURCE; i++)
- if (res == &pdev->resource[i])
- break;
-@@ -1035,6 +1041,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
- struct bin_attribute *attr, char *buf,
- loff_t off, size_t count)
- {
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
-
-diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 9b8505c..35580bc 100644
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -139,6 +139,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
- int size = dp->size;
- int cnt;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (pos >= size)
- return 0;
- if (nbytes >= size)
-@@ -219,6 +222,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
- #endif /* HAVE_PCI_MMAP */
- int ret = 0;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- switch (cmd) {
- case PCIIOC_CONTROLLER:
- ret = pci_domain_nr(dev->bus);
-@@ -259,7 +265,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
- struct pci_filp_private *fpriv = file->private_data;
- int i, ret;
-
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))
- return -EPERM;
-
- /* Make sure the caller is mapping a real resource for this device */
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index e1c1ec5..97e785f 100644
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
- u32 dword;
- int err = 0;
-
-- if (!capable(CAP_SYS_ADMIN))
-+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_COMPROMISE_KERNEL))
- return -EPERM;
-
- dev = pci_get_bus_and_slot(bus, dfn);
---
-1.8.1.2
-
-
-From 9ff1537bbe8c22bbf7f992027da43d4fe8da0860 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:40:58 -0400
-Subject: [PATCH 10/19] x86: Lock down IO port access in secure boot
- environments
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO register
-space. This would potentially permit root to trigger arbitrary DMA, so lock
-it down by default.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- arch/x86/kernel/ioport.c | 4 ++--
- drivers/char/mem.c | 3 +++
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 8c96897..a2578c4 100644
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -28,7 +28,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
-
- if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- return -EINVAL;
-- if (turn_on && !capable(CAP_SYS_RAWIO))
-+ if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL)))
- return -EPERM;
-
- /*
-@@ -102,7 +102,7 @@ long sys_iopl(unsigned int level, struct pt_regs *regs)
- return -EINVAL;
- /* Trying to gain more privileges? */
- if (level > old) {
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))
- return -EPERM;
- }
- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index c6fa3bc..fc28099 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
- unsigned long i = *ppos;
- const char __user * tmp = buf;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (!access_ok(VERIFY_READ, buf, count))
- return -EFAULT;
- while (count-- > 0 && i < 65536) {
---
-1.8.1.2
-
-
-From 3b27408b1ced1ec83a3ce27f9d51161dbf7cea9a Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:40:59 -0400
-Subject: [PATCH 11/19] ACPI: Limit access to custom_method
-
-It must be impossible for even root to get code executed in kernel context
-under a secure boot environment. custom_method effectively allows arbitrary
-access to system memory, so it needs to have a capability check here.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index 5d42c24..247d58b 100644
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
- struct acpi_table_header table;
- acpi_status status;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (!(*ppos)) {
- /* parse the table header to get the table length */
- if (count <= sizeof(struct acpi_table_header))
---
-1.8.1.2
-
-
-From fb618a04089d454b7ade68c00a2b9c7dbac013f9 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:00 -0400
-Subject: [PATCH 12/19] asus-wmi: Restrict debugfs interface
-
-We have no way of validating what all of the Asus WMI methods do on a
-given machine, and there's a risk that some will allow hardware state to
-be manipulated in such a way that arbitrary code can be executed in the
-kernel. Add a capability check to prevent that.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- drivers/platform/x86/asus-wmi.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index f80ae4d..059195f 100644
---- a/drivers/platform/x86/asus-wmi.c
-+++ b/drivers/platform/x86/asus-wmi.c
-@@ -1521,6 +1521,9 @@ static int show_dsts(struct seq_file *m, void *data)
- int err;
- u32 retval = -1;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
-
- if (err < 0)
-@@ -1537,6 +1540,9 @@ static int show_devs(struct seq_file *m, void *data)
- int err;
- u32 retval = -1;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
- &retval);
-
-@@ -1561,6 +1567,9 @@ static int show_call(struct seq_file *m, void *data)
- union acpi_object *obj;
- acpi_status status;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
- 1, asus->debug.method_id,
- &input, &output);
---
-1.8.1.2
-
-
-From e515bbd5410d00835390fd8981aa9029e7b22b73 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:01 -0400
-Subject: [PATCH 13/19] Restrict /dev/mem and /dev/kmem in secure boot setups
-
-Allowing users to write to address space makes it possible for the kernel
-to be subverted. Restrict this when we need to protect the kernel.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- drivers/char/mem.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index fc28099..b5df7a8 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
- unsigned long copied;
- void *ptr;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (!valid_phys_addr_range(p, count))
- return -EFAULT;
-
-@@ -530,6 +533,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
- char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
- int err = 0;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (p < (unsigned long) high_memory) {
- unsigned long to_write = min_t(unsigned long, count,
- (unsigned long)high_memory - p);
---
-1.8.1.2
-
-
-From fe27dd192ef250abcbaba973a14d43b21d7be497 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Thu, 20 Sep 2012 10:41:04 -0400
-Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure
- boot environment
-
-This option allows userspace to pass the RSDP address to the kernel. This
-could potentially be used to circumvent the secure boot trust model.
-We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- drivers/acpi/osl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index bd22f86..88251d2 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
- acpi_physical_address __init acpi_os_get_root_pointer(void)
- {
- #ifdef CONFIG_KEXEC
-- if (acpi_rsdp)
-+ if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL))
- return acpi_rsdp;
- #endif
-
---
-1.8.1.2
-
-
-From c937b2c8e179bfdadb6617c0028f558e4d701e46 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Tue, 4 Sep 2012 11:55:13 -0400
-Subject: [PATCH 15/19] kexec: Disable in a secure boot environment
-
-kexec could be used as a vector for a malicious user to use a signed kernel
-to circumvent the secure boot trust model. In the long run we'll want to
-support signed kexec payloads, but for the moment we should just disable
-loading entirely in that situation.
-
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
----
- kernel/kexec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 5e4bd78..dd464e0 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -943,7 +943,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- int result;
-
- /* We only trust the superuser with rebooting the system. */
-- if (!capable(CAP_SYS_BOOT))
-+ if (!capable(CAP_SYS_BOOT) || !capable(CAP_COMPROMISE_KERNEL))
- return -EPERM;
-
- /*
---
-1.8.1.2
-
-
-From f08e390045266d53543a55afa16ca4be5a1c6316 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 5 Oct 2012 10:12:48 -0400
-Subject: [PATCH 16/19] MODSIGN: Always enforce module signing in a Secure Boot
- environment
-
-If a machine is booted into a Secure Boot environment, we need to
-protect the trust model. This requires that all modules be signed
-with a key that is in the kernel's _modsign keyring. The checks for
-this are already done via the 'sig_enforce' module parameter. Make
-this visible within the kernel and force it to be true.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- kernel/cred.c | 8 ++++++++
- kernel/module.c | 4 ++--
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/kernel/cred.c b/kernel/cred.c
-index c3f4e3e..c5554e0 100644
---- a/kernel/cred.c
-+++ b/kernel/cred.c
-@@ -565,11 +565,19 @@ void __init cred_init(void)
- 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
- }
-
-+#ifdef CONFIG_MODULE_SIG
-+extern bool sig_enforce;
-+#endif
-+
- void __init secureboot_enable()
- {
- pr_info("Secure boot enabled\n");
- cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);
- cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);
-+#ifdef CONFIG_MODULE_SIG
-+ /* Enable module signature enforcing */
-+ sig_enforce = true;
-+#endif
- }
-
- /* Dummy Secure Boot enable option to fake out UEFI SB=1 */
-diff --git a/kernel/module.c b/kernel/module.c
-index eab0827..93a16dc 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
-
- #ifdef CONFIG_MODULE_SIG
- #ifdef CONFIG_MODULE_SIG_FORCE
--static bool sig_enforce = true;
-+bool sig_enforce = true;
- #else
--static bool sig_enforce = false;
-+bool sig_enforce = false;
-
- static int param_set_bool_enable_only(const char *val,
- const struct kernel_param *kp)
---
-1.8.1.2
-
-
-From 54ba1eec5847d964b1d458a240b50271b9a356a4 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 26 Oct 2012 14:02:09 -0400
-Subject: [PATCH 17/19] hibernate: Disable in a Secure Boot environment
-
-There is currently no way to verify the resume image when returning
-from hibernate. This might compromise the secure boot trust model,
-so until we can work with signed hibernate images we disable it in
-a Secure Boot environment.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- kernel/power/hibernate.c | 15 ++++++++++++++-
- kernel/power/main.c | 7 ++++++-
- kernel/power/user.c | 3 +++
- 3 files changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index b26f5f1..7f63cb4 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -28,6 +28,7 @@
- #include <linux/syscore_ops.h>
- #include <linux/ctype.h>
- #include <linux/genhd.h>
-+#include <linux/efi.h>
-
- #include "power.h"
-
-@@ -632,6 +633,10 @@ int hibernate(void)
- {
- int error;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL)) {
-+ return -EPERM;
-+ }
-+
- lock_system_sleep();
- /* The snapshot device should not be opened while we're running */
- if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
-@@ -723,7 +728,7 @@ static int software_resume(void)
- /*
- * If the user said "noresume".. bail out early.
- */
-- if (noresume)
-+ if (noresume || !capable(CAP_COMPROMISE_KERNEL))
- return 0;
-
- /*
-@@ -889,6 +894,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
- int i;
- char *start = buf;
-
-+ if (efi_enabled(EFI_SECURE_BOOT)) {
-+ buf += sprintf(buf, "[%s]\n", "disabled");
-+ return buf-start;
-+ }
-+
- for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
- if (!hibernation_modes[i])
- continue;
-@@ -923,6 +933,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
- char *p;
- int mode = HIBERNATION_INVALID;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- p = memchr(buf, '\n', n);
- len = p ? p - buf : n;
-
-diff --git a/kernel/power/main.c b/kernel/power/main.c
-index 1c16f91..4f915fc 100644
---- a/kernel/power/main.c
-+++ b/kernel/power/main.c
-@@ -15,6 +15,7 @@
- #include <linux/workqueue.h>
- #include <linux/debugfs.h>
- #include <linux/seq_file.h>
-+#include <linux/efi.h>
-
- #include "power.h"
-
-@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr,
- }
- #endif
- #ifdef CONFIG_HIBERNATION
-- s += sprintf(s, "%s\n", "disk");
-+ if (!efi_enabled(EFI_SECURE_BOOT)) {
-+ s += sprintf(s, "%s\n", "disk");
-+ } else {
-+ s += sprintf(s, "\n");
-+ }
- #else
- if (s != buf)
- /* convert the last space to a newline */
-diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 4ed81e7..b11a0f4 100644
---- a/kernel/power/user.c
-+++ b/kernel/power/user.c
-@@ -48,6 +48,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
- struct snapshot_data *data;
- int error;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- lock_system_sleep();
-
- if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
---
-1.8.1.2
-
-
-From 686090054f6c3784218b318c7adcc3c1f0ca5069 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 18/19] efi: Disable secure boot if shim is in insecure mode
-
-A user can manually tell the shim boot loader to disable validation of
-images it loads. When a user does this, it creates a UEFI variable called
-MokSBState that does not have the runtime attribute set. Given that the
-user explicitly disabled validation, we can honor that and not enable
-secure boot mode if that variable is set.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 96bd86b..6e1331c 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -851,8 +851,9 @@ fail:
-
- static int get_secure_boot(efi_system_table_t *_table)
- {
-- u8 sb, setup;
-+ u8 sb, setup, moksbstate;
- unsigned long datasize = sizeof(sb);
-+ u32 attr;
- efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
- efi_status_t status;
-
-@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table)
- if (setup == 1)
- return 0;
-
-+ /* See if a user has put shim into insecure_mode. If so, and the variable
-+ * doesn't have the runtime attribute set, we might as well honor that.
-+ */
-+ var_guid = EFI_SHIM_LOCK_GUID;
-+ status = efi_call_phys5(sys_table->runtime->get_variable,
-+ L"MokSBState", &var_guid, &attr, &datasize,
-+ &moksbstate);
-+
-+ /* If it fails, we don't care why. Default to secure */
-+ if (status != EFI_SUCCESS)
-+ return 1;
-+
-+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
-+ if (moksbstate == 1)
-+ return 0;
-+ }
-+
- return 1;
- }
-
---
-1.8.1.2
-
-
-From df607d2d5061b04f8a686cd74edd72c1f2836d8c Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 19/19] x86: Lock down MSR writing in secure boot
-
-Writing to MSRs should not be allowed unless CAP_COMPROMISE_KERNEL is
-set since it could lead to execution of arbitrary code in kernel mode.
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
----
- arch/x86/kernel/msr.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 4929502..adaab3d 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- int err = 0;
- ssize_t bytes = 0;
-
-+ if (!capable(CAP_COMPROMISE_KERNEL))
-+ return -EPERM;
-+
- if (count % 8)
- return -EINVAL; /* Invalid chunk size */
-
-@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- err = -EBADF;
- break;
- }
-+ if (!capable(CAP_COMPROMISE_KERNEL)) {
-+ err = -EPERM;
-+ break;
-+ }
- if (copy_from_user(&regs, uregs, sizeof regs)) {
- err = -EFAULT;
- break;
---
-1.8.1.2
-
diff --git a/freed-ora/current/master/secure-modules.patch b/freed-ora/current/master/secure-modules.patch
new file mode 100644
index 000000000..d9beaa29f
--- /dev/null
+++ b/freed-ora/current/master/secure-modules.patch
@@ -0,0 +1,850 @@
+From 17832506ee9b52bc8e00c2ec89b49257998171ed Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:02 -0400
+Subject: [PATCH 01/13] Add secure_modules() call
+
+Provide a single call to allow kernel code to determine whether the system
+has been configured to either disable module loading entirely or to load
+only modules signed with a trusted key.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ include/linux/module.h | 7 +++++++
+ kernel/module.c | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/include/linux/module.h b/include/linux/module.h
+index 46f1ea0..0c266b2 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block * nb);
+
+ extern void print_modules(void);
+
++extern bool secure_modules(void);
++
+ #else /* !CONFIG_MODULES... */
+
+ /* Given an address, look for it in the exception tables. */
+@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block * nb)
+ static inline void print_modules(void)
+ {
+ }
++
++static inline bool secure_modules(void)
++{
++ return false;
++}
+ #endif /* CONFIG_MODULES */
+
+ #ifdef CONFIG_SYSFS
+diff --git a/kernel/module.c b/kernel/module.c
+index 2069158..499ee57 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3852,3 +3852,13 @@ void module_layout(struct module *mod,
+ }
+ EXPORT_SYMBOL(module_layout);
+ #endif
++
++bool secure_modules(void)
++{
++#ifdef CONFIG_MODULE_SIG
++ return (sig_enforce || modules_disabled);
++#else
++ return modules_disabled;
++#endif
++}
++EXPORT_SYMBOL_GPL(secure_modules);
+--
+1.8.3.1
+
+
+From e347503648ace6a4b71dfb566365f1aa19657746 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:03 -0400
+Subject: [PATCH 02/13] PCI: Lock down BAR access when module security is
+ enabled
+
+Any hardware that can potentially generate DMA has to be locked down from
+userspace in order to avoid it being possible for an attacker to modify
+kernel code, allowing them to circumvent disabled module loading or module
+signing. Default to paranoid - in future we can potentially relax this for
+sufficiently IOMMU-isolated devices.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/pci/pci-sysfs.c | 10 ++++++++++
+ drivers/pci/proc.c | 8 +++++++-
+ drivers/pci/syscall.c | 3 ++-
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index c0dbe1f..cd4e35f 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -29,6 +29,7 @@
+ #include <linux/slab.h>
+ #include <linux/vgaarb.h>
+ #include <linux/pm_runtime.h>
++#include <linux/module.h>
+ #include "pci.h"
+
+ static int sysfs_initialized; /* = 0 */
+@@ -624,6 +625,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
+ loff_t init_off = off;
+ u8 *data = (u8*) buf;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (off > dev->cfg_size)
+ return 0;
+ if (off + count > dev->cfg_size) {
+@@ -930,6 +934,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+ resource_size_t start, end;
+ int i;
+
++ if (secure_modules())
++ return -EPERM;
++
+ for (i = 0; i < PCI_ROM_RESOURCE; i++)
+ if (res == &pdev->resource[i])
+ break;
+@@ -1037,6 +1044,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
+ struct bin_attribute *attr, char *buf,
+ loff_t off, size_t count)
+ {
++ if (secure_modules())
++ return -EPERM;
++
+ return pci_resource_io(filp, kobj, attr, buf, off, count, true);
+ }
+
+diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
+index cdc7836..e3d498b 100644
+--- a/drivers/pci/proc.c
++++ b/drivers/pci/proc.c
+@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
+ int size = dev->cfg_size;
+ int cnt;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (pos >= size)
+ return 0;
+ if (nbytes >= size)
+@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
+ #endif /* HAVE_PCI_MMAP */
+ int ret = 0;
+
++ if (secure_modules())
++ return -EPERM;
++
+ switch (cmd) {
+ case PCIIOC_CONTROLLER:
+ ret = pci_domain_nr(dev->bus);
+@@ -234,7 +240,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
+ struct pci_filp_private *fpriv = file->private_data;
+ int i, ret;
+
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) || secure_modules())
+ return -EPERM;
+
+ /* Make sure the caller is mapping a real resource for this device */
+diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
+index e1c1ec5..bffbf71 100644
+--- a/drivers/pci/syscall.c
++++ b/drivers/pci/syscall.c
+@@ -10,6 +10,7 @@
+ #include <linux/errno.h>
+ #include <linux/pci.h>
+ #include <linux/syscalls.h>
++#include <linux/module.h>
+ #include <asm/uaccess.h>
+ #include "pci.h"
+
+@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+ u32 dword;
+ int err = 0;
+
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN) || secure_modules())
+ return -EPERM;
+
+ dev = pci_get_bus_and_slot(bus, dfn);
+--
+1.8.3.1
+
+
+From b846e3958d3f4ff875ec958efba8b681ccbae04e Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:04 -0400
+Subject: [PATCH 03/13] x86: Lock down IO port access when module security is
+ enabled
+
+IO port access would permit users to gain access to PCI configuration
+registers, which in turn (on a lot of hardware) give access to MMIO register
+space. This would potentially permit root to trigger arbitrary DMA, so lock
+it down by default.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ arch/x86/kernel/ioport.c | 5 +++--
+ drivers/char/mem.c | 4 ++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 4ddaf66..00b4403 100644
+--- a/arch/x86/kernel/ioport.c
++++ b/arch/x86/kernel/ioport.c
+@@ -15,6 +15,7 @@
+ #include <linux/thread_info.h>
+ #include <linux/syscalls.h>
+ #include <linux/bitmap.h>
++#include <linux/module.h>
+ #include <asm/syscalls.h>
+
+ /*
+@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+
+ if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ return -EINVAL;
+- if (turn_on && !capable(CAP_SYS_RAWIO))
++ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
+ return -EPERM;
+
+ /*
+@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
+ return -EINVAL;
+ /* Trying to gain more privileges? */
+ if (level > old) {
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) || secure_modules())
+ return -EPERM;
+ }
+ regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index f895a8c..1af8664 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -28,6 +28,7 @@
+ #include <linux/export.h>
+ #include <linux/io.h>
+ #include <linux/aio.h>
++#include <linux/module.h>
+
+ #include <asm/uaccess.h>
+
+@@ -563,6 +564,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+ unsigned long i = *ppos;
+ const char __user *tmp = buf;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (!access_ok(VERIFY_READ, buf, count))
+ return -EFAULT;
+ while (count-- > 0 && i < 65536) {
+--
+1.8.3.1
+
+
+From 8c11e2cc989eece2d4978cfbc83f9b898f3cd1aa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:05 -0400
+Subject: [PATCH 04/13] ACPI: Limit access to custom_method
+
+custom_method effectively allows arbitrary access to system memory, making
+it possible for an attacker to circumvent restrictions on module loading.
+Disable it if any such restrictions have been enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/acpi/custom_method.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
+index 12b62f2..55a013f 100644
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -7,6 +7,7 @@
+ #include <linux/kernel.h>
+ #include <linux/uaccess.h>
+ #include <linux/debugfs.h>
++#include <linux/module.h>
+ #include <acpi/acpi_drivers.h>
+
+ #include "internal.h"
+@@ -29,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
+ struct acpi_table_header table;
+ acpi_status status;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (!(*ppos)) {
+ /* parse the table header to get the table length */
+ if (count <= sizeof(struct acpi_table_header))
+--
+1.8.3.1
+
+
+From 968ccfb32df5d5c9673c57641ebf90b25c0df880 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:06 -0400
+Subject: [PATCH 05/13] asus-wmi: Restrict debugfs interface when module
+ loading is restricted
+
+We have no way of validating what all of the Asus WMI methods do on a
+given machine, and there's a risk that some will allow hardware state to
+be manipulated in such a way that arbitrary code can be executed in the
+kernel, circumventing module loading restrictions. Prevent that if any of
+these features are enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/platform/x86/asus-wmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 19c313b..db18ef66 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -1618,6 +1618,9 @@ static int show_dsts(struct seq_file *m, void *data)
+ int err;
+ u32 retval = -1;
+
++ if (secure_modules())
++ return -EPERM;
++
+ err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
+
+ if (err < 0)
+@@ -1634,6 +1637,9 @@ static int show_devs(struct seq_file *m, void *data)
+ int err;
+ u32 retval = -1;
+
++ if (secure_modules())
++ return -EPERM;
++
+ err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
+ &retval);
+
+@@ -1658,6 +1664,9 @@ static int show_call(struct seq_file *m, void *data)
+ union acpi_object *obj;
+ acpi_status status;
+
++ if (secure_modules())
++ return -EPERM;
++
+ status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
+ 1, asus->debug.method_id,
+ &input, &output);
+--
+1.8.3.1
+
+
+From e492d0a80bb591c34391757f97fc5aa8eb198e4f Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:07 -0400
+Subject: [PATCH 06/13] Restrict /dev/mem and /dev/kmem when module loading is
+ restricted
+
+Allowing users to write to address space makes it possible for the kernel
+to be subverted, avoiding module loading restrictions. Prevent this when
+any restrictions have been imposed on loading modules.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ drivers/char/mem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 1af8664..61406c8 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -159,6 +159,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+ unsigned long copied;
+ void *ptr;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (!valid_phys_addr_range(p, count))
+ return -EFAULT;
+
+@@ -497,6 +500,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+ char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+ int err = 0;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (p < (unsigned long) high_memory) {
+ unsigned long to_write = min_t(unsigned long, count,
+ (unsigned long)high_memory - p);
+--
+1.8.3.1
+
+
+From 145913d656bfe8216032b38a576ac150699521e5 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@redhat.com>
+Date: Mon, 19 Aug 2013 13:26:08 -0400
+Subject: [PATCH 07/13] acpi: Ignore acpi_rsdp kernel parameter when module
+ loading is restricted
+
+This option allows userspace to pass the RSDP address to the kernel, which
+makes it possible for a user to circumvent any restrictions imposed on
+loading modules. Disable it in that case.
+
+Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+---
+ drivers/acpi/osl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
+index 6ab2c35..e4c4410 100644
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -45,6 +45,7 @@
+ #include <linux/list.h>
+ #include <linux/jiffies.h>
+ #include <linux/semaphore.h>
++#include <linux/module.h>
+
+ #include <asm/io.h>
+ #include <asm/uaccess.h>
+@@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+ acpi_physical_address __init acpi_os_get_root_pointer(void)
+ {
+ #ifdef CONFIG_KEXEC
+- if (acpi_rsdp)
++ if (acpi_rsdp && !secure_modules())
+ return acpi_rsdp;
+ #endif
+
+--
+1.8.3.1
+
+
+From 012ac79f54ab746114d8276d8858a3df18b10e22 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:10 -0400
+Subject: [PATCH 08/13] x86: Restrict MSR access when module loading is
+ restricted
+
+Writing to MSRs should not be allowed if module loading is restricted,
+since it could lead to execution of arbitrary code in kernel mode. Based
+on a patch by Kees Cook.
+
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ arch/x86/kernel/msr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 88458fa..d08f7e3 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+ int err = 0;
+ ssize_t bytes = 0;
+
++ if (secure_modules())
++ return -EPERM;
++
+ if (count % 8)
+ return -EINVAL; /* Invalid chunk size */
+
+@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+ err = -EBADF;
+ break;
+ }
++ if (secure_modules()) {
++ err = -EPERM;
++ break;
++ }
+ if (copy_from_user(&regs, uregs, sizeof regs)) {
+ err = -EFAULT;
+ break;
+--
+1.8.3.1
+
+
+From a44d2968968fd667c8cbeba7c043f674d17e7ce7 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:09 -0400
+Subject: [PATCH 09/13] kexec: Disable at runtime if the kernel enforces module
+ loading restrictions
+
+kexec permits the loading and execution of arbitrary code in ring 0, which
+is something that module signing enforcement is meant to prevent. It makes
+sense to disable kexec in this situation.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ kernel/kexec.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 59f7b55..1a7690f 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -32,6 +32,7 @@
+ #include <linux/vmalloc.h>
+ #include <linux/swap.h>
+ #include <linux/syscore_ops.h>
++#include <linux/module.h>
+
+ #include <asm/page.h>
+ #include <asm/uaccess.h>
+@@ -1645,6 +1646,9 @@ int kernel_kexec(void)
+ goto Unlock;
+ }
+
++ if (secure_modules())
++ return -EPERM;
++
+ #ifdef CONFIG_KEXEC_JUMP
+ if (kexec_image->preserve_context) {
+ lock_system_sleep();
+--
+1.8.3.1
+
+
+From f8f879da5dcc060a990a3b660aa5f340429cc4ed Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Mon, 19 Aug 2013 13:26:11 -0400
+Subject: [PATCH 10/13] Add option to automatically enforce module signatures
+ when in Secure Boot mode
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+only load signed bootloaders and kernels. Certain use cases may also
+require that all kernel modules also be signed. Add a configuration option
+that enforces this automatically when enabled.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ Documentation/x86/zero-page.txt | 2 ++
+ arch/x86/Kconfig | 10 ++++++++++
+ arch/x86/boot/compressed/eboot.c | 33 +++++++++++++++++++++++++++++++++
+ arch/x86/include/asm/bootparam_utils.h | 8 ++++++--
+ arch/x86/include/uapi/asm/bootparam.h | 3 ++-
+ arch/x86/kernel/setup.c | 6 ++++++
+ include/linux/module.h | 6 ++++++
+ kernel/module.c | 7 +++++++
+ 8 files changed, 72 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
+index 199f453..ec38acf 100644
+--- a/Documentation/x86/zero-page.txt
++++ b/Documentation/x86/zero-page.txt
+@@ -30,6 +30,8 @@ Offset Proto Name Meaning
+ 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
+ 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
+ (below)
++1EB/001 ALL kbd_status Numlock is enabled
++1EC/001 ALL secure_boot Secure boot is enabled in the firmware
+ 1EF/001 ALL sentinel Used to detect broken bootloaders
+ 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
+ 2D0/A00 ALL e820_map E820 memory map table
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index b32ebf9..6a6c19b 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1581,6 +1581,16 @@ config EFI_STUB
+
+ See Documentation/x86/efi-stub.txt for more information.
+
++config EFI_SECURE_BOOT_SIG_ENFORCE
++ def_bool n
++ prompt "Force module signing when UEFI Secure Boot is enabled"
++ ---help---
++ UEFI Secure Boot provides a mechanism for ensuring that the
++ firmware will only load signed bootloaders and kernels. Certain
++ use cases may also require that all kernel modules also be signed.
++ Say Y here to automatically enable module signature enforcement
++ when a system boots with UEFI Secure Boot enabled.
++
+ config SECCOMP
+ def_bool y
+ prompt "Enable seccomp to safely compute untrusted bytecode"
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index b7388a4..145294d 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -861,6 +861,37 @@ fail:
+ return status;
+ }
+
++static int get_secure_boot(efi_system_table_t *_table)
++{
++ u8 sb, setup;
++ unsigned long datasize = sizeof(sb);
++ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
++ efi_status_t status;
++
++ status = efi_call_phys5(sys_table->runtime->get_variable,
++ L"SecureBoot", &var_guid, NULL, &datasize, &sb);
++
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ if (sb == 0)
++ return 0;
++
++
++ status = efi_call_phys5(sys_table->runtime->get_variable,
++ L"SetupMode", &var_guid, NULL, &datasize,
++ &setup);
++
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ if (setup == 1)
++ return 0;
++
++ return 1;
++}
++
++
+ /*
+ * Because the x86 boot code expects to be passed a boot_params we
+ * need to create one ourselves (usually the bootloader would create
+@@ -1169,6 +1200,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
+ if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
+ goto fail;
+
++ boot_params->secure_boot = get_secure_boot(sys_table);
++
+ setup_graphics(boot_params);
+
+ setup_efi_pci(boot_params);
+diff --git a/arch/x86/include/asm/bootparam_utils.h b/arch/x86/include/asm/bootparam_utils.h
+index 4a8cb8d..25f9cf1 100644
+--- a/arch/x86/include/asm/bootparam_utils.h
++++ b/arch/x86/include/asm/bootparam_utils.h
+@@ -38,9 +38,13 @@ static void sanitize_boot_params(struct boot_params *boot_params)
+ memset(&boot_params->ext_ramdisk_image, 0,
+ (char *)&boot_params->efi_info -
+ (char *)&boot_params->ext_ramdisk_image);
+- memset(&boot_params->kbd_status, 0,
++ memset(&boot_params->kbd_status, 0, sizeof(boot_params->kbd_status));
++ /* don't clear boot_params->secure_boot. we set that ourselves
++ * earlier.
++ */
++ memset(&boot_params->_pad5[0], 0,
+ (char *)&boot_params->hdr -
+- (char *)&boot_params->kbd_status);
++ (char *)&boot_params->_pad5[0]);
+ memset(&boot_params->_pad7[0], 0,
+ (char *)&boot_params->edd_mbr_sig_buffer[0] -
+ (char *)&boot_params->_pad7[0]);
+diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
+index c15ddaf..d35da96 100644
+--- a/arch/x86/include/uapi/asm/bootparam.h
++++ b/arch/x86/include/uapi/asm/bootparam.h
+@@ -131,7 +131,8 @@ struct boot_params {
+ __u8 eddbuf_entries; /* 0x1e9 */
+ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */
+ __u8 kbd_status; /* 0x1eb */
+- __u8 _pad5[3]; /* 0x1ec */
++ __u8 secure_boot; /* 0x1ec */
++ __u8 _pad5[2]; /* 0x1ec */
+ /*
+ * The sentinel is set to a nonzero value (0xff) in header.S.
+ *
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index f8ec578..deeb7bc 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p)
+
+ io_delay_init();
+
++#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
++ if (boot_params.secure_boot) {
++ enforce_signed_modules();
++ }
++#endif
++
+ /*
+ * Parse the ACPI tables for possible boot-time SMP configuration.
+ */
+diff --git a/include/linux/module.h b/include/linux/module.h
+index 0c266b2..5a6374a 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -184,6 +184,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
+
+ struct notifier_block;
+
++#ifdef CONFIG_MODULE_SIG
++extern void enforce_signed_modules(void);
++#else
++static inline void enforce_signed_modules(void) {};
++#endif
++
+ #ifdef CONFIG_MODULES
+
+ extern int modules_disabled; /* for sysctl */
+diff --git a/kernel/module.c b/kernel/module.c
+index 499ee57..bc7c987 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3853,6 +3853,13 @@ void module_layout(struct module *mod,
+ EXPORT_SYMBOL(module_layout);
+ #endif
+
++#ifdef CONFIG_MODULE_SIG
++void enforce_signed_modules(void)
++{
++ sig_enforce = true;
++}
++#endif
++
+ bool secure_modules(void)
+ {
+ #ifdef CONFIG_MODULE_SIG
+--
+1.8.3.1
+
+
+From b1604407fff69b17b598af03888a9efda0d58f2b Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@redhat.com>
+Date: Tue, 5 Feb 2013 19:25:05 -0500
+Subject: [PATCH 11/13] efi: Disable secure boot if shim is in insecure mode
+
+A user can manually tell the shim boot loader to disable validation of
+images it loads. When a user does this, it creates a UEFI variable called
+MokSBState that does not have the runtime attribute set. Given that the
+user explicitly disabled validation, we can honor that and not enable
+secure boot mode if that variable is set.
+
+Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+---
+ arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 145294d..545d4a6 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -863,8 +863,9 @@ fail:
+
+ static int get_secure_boot(efi_system_table_t *_table)
+ {
+- u8 sb, setup;
++ u8 sb, setup, moksbstate;
+ unsigned long datasize = sizeof(sb);
++ u32 attr;
+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+ efi_status_t status;
+
+@@ -888,6 +889,23 @@ static int get_secure_boot(efi_system_table_t *_table)
+ if (setup == 1)
+ return 0;
+
++ /* See if a user has put shim into insecure_mode. If so, and the variable
++ * doesn't have the runtime attribute set, we might as well honor that.
++ */
++ var_guid = EFI_SHIM_LOCK_GUID;
++ status = efi_call_phys5(sys_table->runtime->get_variable,
++ L"MokSBState", &var_guid, &attr, &datasize,
++ &moksbstate);
++
++ /* If it fails, we don't care why. Default to secure */
++ if (status != EFI_SUCCESS)
++ return 1;
++
++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
++ if (moksbstate == 1)
++ return 0;
++ }
++
+ return 1;
+ }
+
+--
+1.8.3.1
+
+
+From 4d8b5cab923a2df15e1f33b3f0511366f9f98756 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 27 Aug 2013 13:28:43 -0400
+Subject: [PATCH 12/13] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+
+The functionality of the config option is dependent upon the platform being
+UEFI based. Reflect this in the config deps.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 6a6c19b..10498ec 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1582,7 +1582,8 @@ config EFI_STUB
+ See Documentation/x86/efi-stub.txt for more information.
+
+ config EFI_SECURE_BOOT_SIG_ENFORCE
+- def_bool n
++ def_bool n
++ depends on EFI
+ prompt "Force module signing when UEFI Secure Boot is enabled"
+ ---help---
+ UEFI Secure Boot provides a mechanism for ensuring that the
+--
+1.8.3.1
+
+
+From a87ca6498b8a9f8e3c1d7e6ef7ef4e233ec8639d Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Tue, 27 Aug 2013 13:33:03 -0400
+Subject: [PATCH 13/13] efi: Add EFI_SECURE_BOOT bit
+
+UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
+for use with efi_enabled.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/kernel/setup.c | 2 ++
+ include/linux/efi.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index deeb7bc..08dc16e 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1131,7 +1131,9 @@ void __init setup_arch(char **cmdline_p)
+
+ #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
+ if (boot_params.secure_boot) {
++ set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
+ enforce_signed_modules();
++ pr_info("Secure boot enabled\n");
+ }
+ #endif
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 5f8f176..eed2202 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -634,6 +634,7 @@ extern int __init efi_setup_pcdp_console(char *);
+ #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */
+ #define EFI_MEMMAP 4 /* Can we use EFI memory map? */
+ #define EFI_64BIT 5 /* Is the firmware 64-bit? */
++#define EFI_SECURE_BOOT 6 /* Are we in Secure Boot mode? */
+
+ #ifdef CONFIG_EFI
+ # ifdef CONFIG_X86
+--
+1.8.3.1
+
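Review bot: In the embedded PATCH 09/13 (kernel/kexec.c, `kernel_kexec()`), the added `if (secure_modules()) return -EPERM;` sits directly after an error path that exits through `goto Unlock`, so it appears to return with the lock released at that label still held. If so, every later kexec attempt would fail on the busy lock rather than report -EPERM. Route the refusal through the same exit, `if (secure_modules()) { error = -EPERM; goto Unlock; }`, or test `secure_modules()` before the lock is taken. The lock acquisition and the `Unlock` label lie outside the quoted context, and `error` is the name upstream `kernel_kexec()` uses for its result, so confirm both against the 3.11 tree. The patch also guards only execution; per its diffstat the load path is untouched, so an image can still be staged under enforcement, and rejecting it at load time would be the tighter gate.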
diff --git a/freed-ora/current/master/sources b/freed-ora/current/master/sources
index 4187c2a6b..cbbc5ab96 100644
--- a/freed-ora/current/master/sources
+++ b/freed-ora/current/master/sources
@@ -1 +1,3 @@
d562fd52580a3b6b18b6eeb5921d1d5c linux-libre-3.10-gnu.tar.xz
+e30db9f359d23061520e2c2374d1346c patch-3.10-gnu-3.11-rc7-gnu.xz
+e43c8a5104addf0726694242bb3baa72 patch-3.11-rc7-git4.xz
diff --git a/freed-ora/current/master/sysrq-secure-boot.patch b/freed-ora/current/master/sysrq-secure-boot.patch
new file mode 100644
index 000000000..b4bb80d00
--- /dev/null
+++ b/freed-ora/current/master/sysrq-secure-boot.patch
@@ -0,0 +1,243 @@
+From 71aac34ed679daa0bf772051eb40412b5bd95da3 Mon Sep 17 00:00:00 2001
+From: Kyle McMartin <kyle@redhat.com>
+Date: Fri, 30 Aug 2013 09:28:51 -0400
+Subject: [PATCH] Add sysrq option to disable secure boot mode
+
+---
+ arch/x86/kernel/setup.c | 35 +++++++++++++++++++++++++++++++++++
+ drivers/input/misc/uinput.c | 1 +
+ drivers/tty/sysrq.c | 19 +++++++++++++------
+ include/linux/input.h | 5 +++++
+ include/linux/sysrq.h | 8 +++++++-
+ kernel/debug/kdb/kdb_main.c | 2 +-
+ kernel/module.c | 4 ++--
+ 7 files changed, 64 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 08dc16e..6971f8e 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -70,6 +70,11 @@
+ #include <linux/tboot.h>
+ #include <linux/jiffies.h>
+
++#include <linux/fips.h>
++#include <linux/cred.h>
++#include <linux/sysrq.h>
++#include <linux/init_task.h>
++
+ #include <video/edid.h>
+
+ #include <asm/mtrr.h>
+@@ -1253,3 +1258,33 @@ void __init i386_reserve_resources(void)
+ }
+
+ #endif /* CONFIG_X86_32 */
++
++#ifdef CONFIG_MAGIC_SYSRQ
++#ifdef CONFIG_MODULE_SIG
++extern bool sig_enforce;
++#endif
++
++static void sysrq_handle_secure_boot(int key)
++{
++ if (!efi_enabled(EFI_SECURE_BOOT))
++ return;
++
++ pr_info("Secure boot disabled\n");
++#ifdef CONFIG_MODULE_SIG
++ sig_enforce = fips_enabled;
++#endif
++}
++static struct sysrq_key_op secure_boot_sysrq_op = {
++ .handler = sysrq_handle_secure_boot,
++ .help_msg = "unSB(x)",
++ .action_msg = "Disabling Secure Boot restrictions",
++ .enable_mask = SYSRQ_DISABLE_USERSPACE,
++};
++static int __init secure_boot_sysrq(void)
++{
++ if (efi_enabled(EFI_SECURE_BOOT))
++ register_sysrq_key('x', &secure_boot_sysrq_op);
++ return 0;
++}
++late_initcall(secure_boot_sysrq);
++#endif /*CONFIG_MAGIC_SYSRQ*/
+diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
+index a0a4bba..3327cc3 100644
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -351,6 +351,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
+ if (!udev->dev)
+ return -ENOMEM;
+
++ udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
+ udev->dev->event = uinput_dev_event;
+ input_set_drvdata(udev->dev, udev);
+
+diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
+index d5cc3ac..05b33f5 100644
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -461,6 +461,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+ &sysrq_showstate_blocked_op, /* w */
+ /* x: May be registered on ppc/powerpc for xmon */
+ /* x: May be registered on sparc64 for global PMU dump */
++ /* x: May be registered on x86_64 for disabling secure boot */
+ NULL, /* x */
+ /* y: May be registered on sparc64 for global register dump */
+ NULL, /* y */
+@@ -504,7 +505,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+ sysrq_key_table[i] = op_p;
+ }
+
+-void __handle_sysrq(int key, bool check_mask)
++void __handle_sysrq(int key, int from)
+ {
+ struct sysrq_key_op *op_p;
+ int orig_log_level;
+@@ -524,11 +525,15 @@ void __handle_sysrq(int key, bool check_mask)
+
+ op_p = __sysrq_get_key_op(key);
+ if (op_p) {
++ /* Ban synthetic events from some sysrq functionality */
++ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
++ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
++ printk("This sysrq operation is disabled from userspace.\n");
+ /*
+ * Should we check for enabled operations (/proc/sysrq-trigger
+ * should not) and is the invoked operation enabled?
+ */
+- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
++ if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+ printk("%s\n", op_p->action_msg);
+ console_loglevel = orig_log_level;
+ op_p->handler(key);
+@@ -559,7 +564,7 @@ void __handle_sysrq(int key, bool check_mask)
+ void handle_sysrq(int key)
+ {
+ if (sysrq_on())
+- __handle_sysrq(key, true);
++ __handle_sysrq(key, SYSRQ_FROM_KERNEL);
+ }
+ EXPORT_SYMBOL(handle_sysrq);
+
+@@ -639,7 +644,7 @@ static void sysrq_do_reset(unsigned long _state)
+ static void sysrq_handle_reset_request(struct sysrq_state *state)
+ {
+ if (state->reset_requested)
+- __handle_sysrq(sysrq_xlate[KEY_B], false);
++ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
+
+ if (sysrq_reset_downtime_ms)
+ mod_timer(&state->keyreset_timer,
+@@ -756,8 +761,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+
+ default:
+ if (sysrq->active && value && value != 2) {
++ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
++ SYSRQ_FROM_SYNTHETIC : 0;
+ sysrq->need_reinject = false;
+- __handle_sysrq(sysrq_xlate[code], true);
++ __handle_sysrq(sysrq_xlate[code], from);
+ }
+ break;
+ }
+@@ -1038,7 +1045,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+
+ if (get_user(c, buf))
+ return -EFAULT;
+- __handle_sysrq(c, false);
++ __handle_sysrq(c, SYSRQ_FROM_PROC);
+ }
+
+ return count;
+diff --git a/include/linux/input.h b/include/linux/input.h
+index 82ce323..9e534f2 100644
+--- a/include/linux/input.h
++++ b/include/linux/input.h
+@@ -42,6 +42,7 @@ struct input_value {
+ * @phys: physical path to the device in the system hierarchy
+ * @uniq: unique identification code for the device (if device has it)
+ * @id: id of the device (struct input_id)
++ * @flags: input device flags (SYNTHETIC, etc.)
+ * @propbit: bitmap of device properties and quirks
+ * @evbit: bitmap of types of events supported by the device (EV_KEY,
+ * EV_REL, etc.)
+@@ -124,6 +125,8 @@ struct input_dev {
+ const char *uniq;
+ struct input_id id;
+
++ unsigned int flags;
++
+ unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
+
+ unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
+@@ -190,6 +193,8 @@ struct input_dev {
+ };
+ #define to_input_dev(d) container_of(d, struct input_dev, dev)
+
++#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001
++
+ /*
+ * Verify that we are in sync with input_device_id mod_devicetable.h #defines
+ */
+diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
+index 7faf933..87ae634 100644
+--- a/include/linux/sysrq.h
++++ b/include/linux/sysrq.h
+@@ -31,6 +31,8 @@
+ #define SYSRQ_ENABLE_BOOT 0x0080
+ #define SYSRQ_ENABLE_RTNICE 0x0100
+
++#define SYSRQ_DISABLE_USERSPACE 0x00010000
++
+ struct sysrq_key_op {
+ void (*handler)(int);
+ char *help_msg;
+@@ -45,8 +47,12 @@ struct sysrq_key_op {
+ * are available -- else NULL's).
+ */
+
++#define SYSRQ_FROM_KERNEL 0x0001
++#define SYSRQ_FROM_PROC 0x0002
++#define SYSRQ_FROM_SYNTHETIC 0x0004
++
+ void handle_sysrq(int key);
+-void __handle_sysrq(int key, bool check_mask);
++void __handle_sysrq(int key, int from);
+ int register_sysrq_key(int key, struct sysrq_key_op *op);
+ int unregister_sysrq_key(int key, struct sysrq_key_op *op);
+ struct sysrq_key_op *__sysrq_get_key_op(int key);
+diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
+index 00eb8f7..54fbbcc 100644
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -1921,7 +1921,7 @@ static int kdb_sr(int argc, const char **argv)
+ if (argc != 1)
+ return KDB_ARGCOUNT;
+ kdb_trap_printk++;
+- __handle_sysrq(*argv[1], false);
++ __handle_sysrq(*argv[1], SYSRQ_FROM_KERNEL);
+ kdb_trap_printk--;
+
+ return 0;
+diff --git a/kernel/module.c b/kernel/module.c
+index bc7c987..5e4e2c2 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
+
+ #ifdef CONFIG_MODULE_SIG
+ #ifdef CONFIG_MODULE_SIG_FORCE
+-static bool sig_enforce = true;
++bool sig_enforce = true;
+ #else
+-static bool sig_enforce = false;
++bool sig_enforce = false;
+
+ static int param_set_bool_enable_only(const char *val,
+ const struct kernel_param *kp)
+--
+1.8.3.1
+
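Review bot: The new userspace check in `__handle_sysrq()` (drivers/tty/sysrq.c) only prints "This sysrq operation is disabled from userspace." and then falls through to the existing enable test, so an op marked `SYSRQ_DISABLE_USERSPACE` still runs for `SYSRQ_FROM_PROC` or `SYSRQ_FROM_SYNTHETIC` whenever `sysrq_on_mask()` passes. The only op carrying that flag sets `sig_enforce = fips_enabled`, so the restriction the comment promises is not enforced. Chaining the two tests would enforce it: `else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {`. Separately, `handle_sysrq()` used to pass `true` (mask checked) and now passes `SYSRQ_FROM_KERNEL`, which skips the mask, while a physical keypress passes a bare `0`, so the caller-to-origin mapping deserves a second look and a short comment in include/linux/sysrq.h saying which origins bypass the mask. `__handle_sysrq()` continues outside the visible hunks, so the shape of its trailing `else` branch is assumed from the unchanged context.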
diff --git a/freed-ora/current/master/v2-thermal-cpu_cooling-fix-stub-function.patch b/freed-ora/current/master/v2-thermal-cpu_cooling-fix-stub-function.patch
deleted file mode 100644
index 55a5e7c30..000000000
--- a/freed-ora/current/master/v2-thermal-cpu_cooling-fix-stub-function.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/include/linux/cpu_cooling.h b/include/linux/cpu_cooling.h
-index 282e270..a5d52ee 100644
---- a/include/linux/cpu_cooling.h
-+++ b/include/linux/cpu_cooling.h
-@@ -41,7 +41,7 @@ cpufreq_cooling_register(const struct cpumask *clip_cpus);
- */
- void cpufreq_cooling_unregister(struct thermal_cooling_device *cdev);
-
--unsigned long cpufreq_cooling_get_level(unsigned int, unsigned int);
-+unsigned long cpufreq_cooling_get_level(unsigned int cpu, unsigned int freq);
- #else /* !CONFIG_CPU_THERMAL */
- static inline struct thermal_cooling_device *
- cpufreq_cooling_register(const struct cpumask *clip_cpus)
-@@ -54,7 +54,7 @@ void cpufreq_cooling_unregister(struct thermal_cooling_device *cdev)
- return;
- }
- static inline
--unsigned long cpufreq_cooling_get_level(unsigned int, unsigned int)
-+unsigned long cpufreq_cooling_get_level(unsigned int cpu, unsigned int freq)
- {
- return THERMAL_CSTATE_INVALID;
- }
diff --git a/freed-ora/current/master/xen-blkback-Check-device-permissions-before-allowing.patch b/freed-ora/current/master/xen-blkback-Check-device-permissions-before-allowing.patch
deleted file mode 100644
index 933e82890..000000000
--- a/freed-ora/current/master/xen-blkback-Check-device-permissions-before-allowing.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From e029d62efa5eb46831a9e1414468e582379b743f Mon Sep 17 00:00:00 2001
-From: Konrad Rzeszutek Wilk <konrad.wilk () oracle com>
-Date: Wed, 16 Jan 2013 11:33:52 -0500
-Subject: [PATCH] xen/blkback: Check device permissions before allowing
- OP_DISCARD
-
-We need to make sure that the device is not RO or that
-the request is not past the number of sectors we want to
-issue the DISCARD operation for.
-
-Cc: stable () vger kernel org
-Acked-by: Jan Beulich <JBeulich () suse com>
-Acked-by: Ian Campbell <Ian.Campbell () citrix com>
-[v1: Made it pr_warn instead of pr_debug]
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk () oracle com>
----
- drivers/block/xen-blkback/blkback.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
-index e79ab45..4119bcd 100644
---- a/drivers/block/xen-blkback/blkback.c
-+++ b/drivers/block/xen-blkback/blkback.c
-@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
- int status = BLKIF_RSP_OKAY;
- struct block_device *bdev = blkif->vbd.bdev;
- unsigned long secure;
-+ struct phys_req preq;
-+
-+ preq.sector_number = req->u.discard.sector_number;
-+ preq.nr_sects = req->u.discard.nr_sectors;
-
-+ err = xen_vbd_translate(&preq, blkif, WRITE);
-+ if (err) {
-+ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
-+ preq.sector_number,
-+ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
-+ goto fail_response;
-+ }
- blkif->st_ds_req++;
-
- xen_blkif_get(blkif);
-@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
- err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
- req->u.discard.nr_sectors,
- GFP_KERNEL, secure);
--
-+fail_response:
- if (err == -EOPNOTSUPP) {
- pr_debug(DRV_PFX "discard op failed, not supported\n");
- status = BLKIF_RSP_EOPNOTSUPP;
---
-1.8.1.4
-