authorBen Hutchings <ben@decadent.org.uk>2019-11-09 18:54:23 +0000
committerBen Hutchings <ben@decadent.org.uk>2019-11-09 18:54:23 +0000
commitb9ba9fabba1914083e1aa790513de3e40661e9cf (patch)
tree0b8b0a639e30b5479d27e133bede3f01a1cf13e4
parent5934b689b14c6b71f213e369b6ae6d7a89f7dff7 (diff)
parentb202260a282eb9083bbd5efca4dab8807fe0aec6 (diff)
Merge branch 'sid' into sid-embargoed
debian/changelog: Move unreleased changes to a new entry
-rw-r--r--debian/changelog65
-rw-r--r--debian/config/arm64/config2
-rw-r--r--debian/installer/modules/input-modules1
-rw-r--r--debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch37
-rw-r--r--debian/patches/features/all/random-try-to-actively-add-entropy-rather-than-passi.patch141
-rw-r--r--debian/patches/series2
6 files changed, 220 insertions, 28 deletions
diff --git a/debian/changelog b/debian/changelog
index 3eeb1f5cb6b9..dc589a8e660a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,32 @@
-linux (5.3.9-1) UNRELEASED; urgency=medium
+linux (5.3.9-2) UNRELEASED; urgency=medium
+
+ * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
+ - x86/msr: Add the IA32_TSX_CTRL MSR
+ - x86/cpu: Add a helper function x86_read_arch_cap_msr()
+ - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
+ - x86/speculation/taa: Add mitigation for TSX Async Abort
+ - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
+ - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
+ - x86/tsx: Add "auto" option to the tsx= cmdline parameter
+ - x86/speculation/taa: Add documentation for TSX Async Abort
+ - x86/tsx: Add config options to set tsx=on|off|auto
+ - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
+ TSX is now disabled by default; see
+ Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+ * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
+ (aka iTLB multi-hit, CVE-2018-12207):
+ - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
+ - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
+ - x86/cpu: Add Tremont to the cpu vulnerability whitelist
+ - cpu/speculation: Uninline and export CPU mitigations helpers
+ - kvm: mmu: ITLB_MULTIHIT mitigation
+ - kvm: Add helper function for creating VM worker threads
+ - kvm: x86: mmu: Recovery of shattered NX large pages
+ - Documentation: Add ITLB_MULTIHIT documentation
+
+ -- Ben Hutchings <ben@decadent.org.uk> Sat, 09 Nov 2019 18:53:39 +0000
+
+linux (5.3.9-1) unstable; urgency=medium
* New version hopefully closes: #942881
* New upstream stable update:
@@ -109,7 +137,7 @@ linux (5.3.9-1) UNRELEASED; urgency=medium
- ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit()
- ACPI: NFIT: Fix unlock on error in scrub_show()
- iwlwifi: pcie: change qu with jf devices to use qu configuration
- - cfg80211: wext: avoid copying malformed SSIDs
+ - cfg80211: wext: avoid copying malformed SSIDs (CVE-2019-17133)
- mac80211: Reject malformed SSID elements
- drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50
- drm/ttm: Restore ttm prefaulting
@@ -377,29 +405,9 @@ linux (5.3.9-1) UNRELEASED; urgency=medium
CROSS_COMPILE_COMPAT_VDSO
* crypto: Enable PKCS8_PRIVATE_KEY_PARSER as module (Closes: #924705)
* Bump ABI to 2
- * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
- - x86/msr: Add the IA32_TSX_CTRL MSR
- - x86/cpu: Add a helper function x86_read_arch_cap_msr()
- - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
- - x86/speculation/taa: Add mitigation for TSX Async Abort
- - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
- - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
- - x86/tsx: Add "auto" option to the tsx= cmdline parameter
- - x86/speculation/taa: Add documentation for TSX Async Abort
- - x86/tsx: Add config options to set tsx=on|off|auto
- - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
- TSX is now disabled by default; see
- Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
- * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
- (aka iTLB multi-hit, CVE-2018-12207):
- - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
- - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
- - x86/cpu: Add Tremont to the cpu vulnerability whitelist
- - cpu/speculation: Uninline and export CPU mitigations helpers
- - kvm: mmu: ITLB_MULTIHIT mitigation
- - kvm: Add helper function for creating VM worker threads
- - kvm: x86: mmu: Recovery of shattered NX large pages
- - Documentation: Add ITLB_MULTIHIT documentation
+ * [arm64] atmel_mxt_ts: Disable TOUCHSCREEN_ATMEL_MXT_T37 to avoid V4L
+ dependency
+ * random: try to actively add entropy rather than passively wait for it
[ Bastian Blank ]
* [amd64/cloud-amd64] Re-enable RTC drivers. (closes: #931341)
@@ -413,11 +421,16 @@ linux (5.3.9-1) UNRELEASED; urgency=medium
[ Alper Nebi Yasak ]
* [arm64] udeb: Add i2c-rk3x to i2c-modules
* [arm64,armhf] udeb: Add rockchip-io-domain to kernel-image
+ * udeb: Add atmel_mxt_ts to input-modules
[ Noah Meyerhans ]
* drivers/net/ethernet/amazon: Backport driver fixes from v5.4-rc5
- -- Ben Hutchings <ben@decadent.org.uk> Wed, 23 Oct 2019 18:32:15 +0100
+ [ Niv Sardi ]
+ * KEYS: Make use of platform keyring for module signature verify
+ (closes: #935945)
+
+ -- Ben Hutchings <ben@decadent.org.uk> Sat, 09 Nov 2019 15:42:49 +0000
linux (5.3.7-1) unstable; urgency=medium
diff --git a/debian/config/arm64/config b/debian/config/arm64/config
index 2a151425197e..c9c26442b1a4 100644
--- a/debian/config/arm64/config
+++ b/debian/config/arm64/config
@@ -472,8 +472,6 @@ CONFIG_MOUSE_ELAN_I2C=m
## file: drivers/input/touchscreen/Kconfig
##
CONFIG_INPUT_TOUCHSCREEN=y
-CONFIG_TOUCHSCREEN_ATMEL_MXT=m
-CONFIG_TOUCHSCREEN_ATMEL_MXT_T37=y
CONFIG_TOUCHSCREEN_ELAN=m
##
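Review bot: The hunk drops `CONFIG_TOUCHSCREEN_ATMEL_MXT=m` together with the `_T37` line, while the changelog entry in this same commit describes only disabling TOUCHSCREEN_ATMEL_MXT_T37 to avoid the V4L dependency. If the driver is still meant to be built as a module on arm64, its value now comes from a config fragment that is not visible here, and the `atmel_mxt_ts ?` entry added to input-modules would tolerate the module silently being absent rather than fail the installer build. Keeping an explicit `CONFIG_TOUCHSCREEN_ATMEL_MXT=m` in this file, or stating in the commit message where the module setting is now inherited from, would make the intent checkable.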
diff --git a/debian/installer/modules/input-modules b/debian/installer/modules/input-modules
index 70212b890e9a..754d740e9fda 100644
--- a/debian/installer/modules/input-modules
+++ b/debian/installer/modules/input-modules
@@ -33,6 +33,7 @@ hid-zydacron -
wacom -
# Miscellaneous input drivers
+atmel_mxt_ts ?
synaptics_usb ?
wistron_btns ?
gpio_keys ?
diff --git a/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch b/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
new file mode 100644
index 000000000000..f00bf3d243ae
--- /dev/null
+++ b/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
@@ -0,0 +1,37 @@
+From: Robert Holmes <robeholmes@gmail.com>
+Date: Tue, 23 Apr 2019 07:39:29 +0000
+Subject: [PATCH] KEYS: Make use of platform keyring for module signature
+ verify
+Bug-Debian: https://bugs.debian.org/935945
+Origin: https://src.fedoraproject.org/rpms/kernel/raw/master/f/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+
+This patch completes commit 278311e417be ("kexec, KEYS: Make use of
+platform keyring for signature verify") which, while adding the
+platform keyring for bzImage verification, neglected to also add
+this keyring for module verification.
+
+As such, kernel modules signed with keys from the MokList variable
+were not successfully verified.
+
+Signed-off-by: Robert Holmes <robeholmes@gmail.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ kernel/module_signing.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -135,6 +135,13 @@ int mod_verify_sig(const void *mod, stru
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ pr_devel("verify_pkcs7_signature() = %d\n", ret);
++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++ VERIFY_USE_PLATFORM_KEYRING,
++ VERIFYING_MODULE_SIGNATURE,
++ NULL, NULL);
++ pr_devel("verify_pkcs7_signature() = %d\n", ret);
++ }
+
+ /* checking hash of module is in blacklist */
+ if (!ret)
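Review bot: The fallback inserted after the first `pr_devel` line retries with `VERIFY_USE_PLATFORM_KEYRING` whenever the first verification fails with -ENOKEY, which extends the set of signers trusted for modules to every key in the platform keyring, not only keys from the MokList variable as the patch description says; on UEFI systems that keyring is presumably populated from the firmware db as well, so a module signed by any db-listed CA would be accepted. That trade-off belongs in the patch header, e.g. `Note: the platform keyring holds firmware db keys as well as MokList keys, so module trust is extended to all of them.` The second `pr_devel("verify_pkcs7_signature() = %d\n", ret);` is indistinguishable from the first in a debug trace; `pr_devel("verify_pkcs7_signature(platform) = %d\n", ret);` would show which keyring accepted the signature. `mod_verify_sig` begins and ends outside the hunk.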
diff --git a/debian/patches/features/all/random-try-to-actively-add-entropy-rather-than-passi.patch b/debian/patches/features/all/random-try-to-actively-add-entropy-rather-than-passi.patch
new file mode 100644
index 000000000000..9c22a21576e3
--- /dev/null
+++ b/debian/patches/features/all/random-try-to-actively-add-entropy-rather-than-passi.patch
@@ -0,0 +1,141 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 28 Sep 2019 16:53:52 -0700
+Subject: random: try to actively add entropy rather than passively wait for it
+Origin: https://git.kernel.org/linus/50ee7529ec4500c88f8664560770a7a1b65db72b
+
+For 5.3 we had to revert a nice ext4 IO pattern improvement, because it
+caused a bootup regression due to lack of entropy at bootup together
+with arguably broken user space that was asking for secure random
+numbers when it really didn't need to.
+
+See commit 72dbcf721566 (Revert "ext4: make __ext4_get_inode_loc plug").
+
+This aims to solve the issue by actively generating entropy noise using
+the CPU cycle counter when waiting for the random number generator to
+initialize. This only works when you have a high-frequency time stamp
+counter available, but that's the case on all modern x86 CPU's, and on
+most other modern CPU's too.
+
+What we do is to generate jitter entropy from the CPU cycle counter
+under a somewhat complex load: calling the scheduler while also
+guaranteeing a certain amount of timing noise by also triggering a
+timer.
+
+I'm sure we can tweak this, and that people will want to look at other
+alternatives, but there's been a number of papers written on jitter
+entropy, and this should really be fairly conservative by crediting one
+bit of entropy for every timer-induced jump in the cycle counter. Not
+because the timer itself would be all that unpredictable, but because
+the interaction between the timer and the loop is going to be.
+
+Even if (and perhaps particularly if) the timer actually happens on
+another CPU, the cacheline interaction between the loop that reads the
+cycle counter and the timer itself firing is going to add perturbations
+to the cycle counter values that get mixed into the entropy pool.
+
+As Thomas pointed out, with a modern out-of-order CPU, even quite simple
+loops show a fair amount of hard-to-predict timing variability even in
+the absense of external interrupts. But this tries to take that further
+by actually having a fairly complex interaction.
+
+This is not going to solve the entropy issue for architectures that have
+no CPU cycle counter, but it's not clear how (and if) that is solvable,
+and the hardware in question is largely starting to be irrelevant. And
+by doing this we can at least avoid some of the even more contentious
+approaches (like making the entropy waiting time out in order to avoid
+the possibly unbounded waiting).
+
+Cc: Ahmed Darwish <darwish.07@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Nicholas Mc Guire <hofrat@opentech.at>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Alexander E. Patrakov <patrakov@gmail.com>
+Cc: Lennart Poettering <mzxreary@0pointer.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ drivers/char/random.c | 62 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 5d5ea4ce1442..2fda6166c1dd 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1731,6 +1731,56 @@ void get_random_bytes(void *buf, int nbytes)
+ }
+ EXPORT_SYMBOL(get_random_bytes);
+
++
++/*
++ * Each time the timer fires, we expect that we got an unpredictable
++ * jump in the cycle counter. Even if the timer is running on another
++ * CPU, the timer activity will be touching the stack of the CPU that is
++ * generating entropy..
++ *
++ * Note that we don't re-arm the timer in the timer itself - we are
++ * happy to be scheduled away, since that just makes the load more
++ * complex, but we do not want the timer to keep ticking unless the
++ * entropy loop is running.
++ *
++ * So the re-arming always happens in the entropy loop itself.
++ */
++static void entropy_timer(struct timer_list *t)
++{
++ credit_entropy_bits(&input_pool, 1);
++}
++
++/*
++ * If we have an actual cycle counter, see if we can
++ * generate enough entropy with timing noise
++ */
++static void try_to_generate_entropy(void)
++{
++ struct {
++ unsigned long now;
++ struct timer_list timer;
++ } stack;
++
++ stack.now = random_get_entropy();
++
++ /* Slow counter - or none. Don't even bother */
++ if (stack.now == random_get_entropy())
++ return;
++
++ timer_setup_on_stack(&stack.timer, entropy_timer, 0);
++ while (!crng_ready()) {
++ if (!timer_pending(&stack.timer))
++ mod_timer(&stack.timer, jiffies+1);
++ mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
++ schedule();
++ stack.now = random_get_entropy();
++ }
++
++ del_timer_sync(&stack.timer);
++ destroy_timer_on_stack(&stack.timer);
++ mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
++}
++
+ /*
+ * Wait for the urandom pool to be seeded and thus guaranteed to supply
+ * cryptographically secure random numbers. This applies to: the /dev/urandom
+@@ -1745,7 +1795,17 @@ int wait_for_random_bytes(void)
+ {
+ if (likely(crng_ready()))
+ return 0;
+- return wait_event_interruptible(crng_init_wait, crng_ready());
++
++ do {
++ int ret;
++ ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
++ if (ret)
++ return ret > 0 ? 0 : ret;
++
++ try_to_generate_entropy();
++ } while (!crng_ready());
++
++ return 0;
+ }
+ EXPORT_SYMBOL(wait_for_random_bytes);
+
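Review bot: The `while (!crng_ready())` loop in `try_to_generate_entropy` runs until the CRNG is initialised and is not interruptible, so a task that entered `wait_for_random_bytes` and receives a signal during this phase does not get the -ERESTARTSYS that the surrounding `wait_event_interruptible_timeout` call would have returned; how long the phase lasts depends on how quickly the credited bits reach the init threshold, which this patch does not show. Whether that is acceptable for a distribution kernel is worth recording in the patch header, together with the fact that the early return on `stack.now == random_get_entropy()` keeps the previous purely passive behaviour on platforms without a usable cycle counter. The comment `/* Slow counter - or none. Don't even bother */` could say explicitly that the function then falls back to the timed wait in the caller, e.g. `/* Slow counter - or none. Fall back to the caller's timed wait. */`.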
diff --git a/debian/patches/series b/debian/patches/series
index d2732d1a8f7e..7f486571e2e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -86,6 +86,7 @@ debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
# Miscellaneous features
+features/all/random-try-to-actively-add-entropy-rather-than-passi.patch
# Lockdown (formerly 'securelevel') patchset
features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch
@@ -135,6 +136,7 @@ features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch
features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
+features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch