~ubuntu-kernel/ubuntu/+source/linux/+git/unstable:master-5.5

Last commit made on 2019-12-10
Get this branch:
git clone -b master-5.5 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/unstable
Members of Ubuntu Kernel Repositories can upload to this branch.

Recent commits

4669fbf... by Seth Forshee

UBUNTU: [Config] Enable lockdown under secure boot

Set CONFIG_LOCK_DOWN_IN_SECURE_BOOT=y and
CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y to automatically enable
lockdown when booted under secure boot and to allow lifting of
lockdown via sysrq.

Signed-off-by: Seth Forshee <email address hidden>

Signed-off-by: Seth Forshee <email address hidden>

191ba24... by Philipp Rudo

UBUNTU: SAUCE: (lockdown) s390/ipl: lockdown kernel when booted secure

Signed-off-by: Philipp Rudo <email address hidden>
Signed-off-by: Dimitri John Ledkov <email address hidden>
[ saf: update for integration with lockdown LSM ]
Signed-off-by: Seth Forshee <email address hidden>

4d1e798... by Seth Forshee

UBUNTU: SAUCE: (lockdown) security: lockdown: Make CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT more generic

s390 supports secure boot which is not based on EFI. Change the
config option to be more generic, and allow it to be enabled on
s390.

Signed-off-by: Seth Forshee <email address hidden>

5c3c8fd... by Seth Forshee

UBUNTU: SAUCE: (lockdown) arm64: Allow locking down the kernel under EFI secure boot

Add support to arm64 for the CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
option. When enabled the lockdown LSM will be enabled with
maximum confidentiality when booted under EFI secure boot.

Based on an earlier patch by Linn Crosetto.

Signed-off-by: Seth Forshee <email address hidden>

1bf1398... by Robert Holmes <email address hidden>

UBUNTU: SAUCE: (lockdown) KEYS: Make use of platform keyring for module signature verify

This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.

As such, kernel modules signed with keys from the MokList variable
were not successfully verified.

Signed-off-by: Robert Holmes <email address hidden>
Signed-off-by: Jeremy Cline <email address hidden>
(cherry picked from commit 8e2df2a3e5be1a5df79626d9f4ca48fd8f3d5dd1
 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>

4cd8ae4... by Kyle McMartin <email address hidden>

UBUNTU: SAUCE: (lockdown) Add a SysRq option to lift kernel lockdown

Make an option to provide a sysrq key that will lift the kernel lockdown,
thereby allowing the running kernel image to be accessed and modified.

On x86 this is triggered with SysRq+x, but this key may not be available on
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
Since this macro must be defined in an arch to be able to use this facility
for that arch, the Kconfig option is restricted to arches that support it.

Signed-off-by: Kyle McMartin <email address hidden>
Signed-off-by: David Howells <email address hidden>
cc: <email address hidden>
Signed-off-by: Jeremy Cline <email address hidden>
(cherry picked from commit bfc44a33d244f31034d404b9b9409f1a921ca2ad
 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>

013f8a9... by David Howells

UBUNTU: SAUCE: (lockdown) efi: Lock down the kernel if booted in secure boot mode

UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Certain use cases may
also require that all kernel modules also be signed. Add a
configuration option to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.

Signed-off-by: David Howells <email address hidden>
Signed-off-by: Jeremy Cline <email address hidden>
(cherry picked from commit bcb4411f59b479c8e1491f89bd3e07b5dc76b81b
 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>

fd1865e... by David Howells

UBUNTU: SAUCE: (lockdown) efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode

UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.

Move the switch-statement in x86's setup_arch() that interprets the
secure_boot boot parameter to generic code and set the bit there.

Suggested-by: Ard Biesheuvel <email address hidden>
Signed-off-by: David Howells <email address hidden>
Reviewed-by: Ard Biesheuvel <email address hidden>
cc: <email address hidden>
[Rebased for context; efi_is_table_address was moved to arch/x86]
Signed-off-by: Jeremy Cline <email address hidden>
(cherry picked from commit 564c4c48f3da7be8bb4ecef034c35b93493f2fc4
 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>

c470299... by Jeremy Cline <email address hidden>

UBUNTU: SAUCE: (lockdown) security: lockdown: expose a hook to lock the kernel down

In order to automatically lock down kernels running on UEFI machines
booted in Secure Boot mode, expose the lock_kernel_down() hook.

Signed-off-by: Jeremy Cline <email address hidden>
(cherry picked from commit bde8f92115af1f6cf0d08ed568836f5025865334
 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>

6be29d5... by Peter Jones

UBUNTU: SAUCE: (lockdown) Make get_cert_list() use efi_status_to_str() to print error messages.

Signed-off-by: Peter Jones <email address hidden>
(cherry picked from commit ec5b039301822ee069bbd1822b270d1d9a81297a
 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>