| field | value | date |
|---|---|---|
| author | Ben Hutchings <ben@decadent.org.uk> | 2019-11-09 18:54:23 +0000 |
| committer | Ben Hutchings <ben@decadent.org.uk> | 2019-11-09 18:54:23 +0000 |
| commit | b9ba9fabba1914083e1aa790513de3e40661e9cf (patch) | |
| tree | 0b8b0a639e30b5479d27e133bede3f01a1cf13e4 | |
| parent | 5934b689b14c6b71f213e369b6ae6d7a89f7dff7 (diff) | |
| parent | b202260a282eb9083bbd5efca4dab8807fe0aec6 (diff) | |
| download | kernel_replicant_linux-b9ba9fabba1914083e1aa790513de3e40661e9cf.tar.gz, kernel_replicant_linux-b9ba9fabba1914083e1aa790513de3e40661e9cf.tar.bz2, kernel_replicant_linux-b9ba9fabba1914083e1aa790513de3e40661e9cf.zip | |
Merge branch 'sid' into sid-embargoed
debian/changelog: Move unreleased changes to a new entry
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | debian/changelog | 65 |
| -rw-r--r-- | debian/config/arm64/config | 2 |
| -rw-r--r-- | debian/installer/modules/input-modules | 1 |
| -rw-r--r-- | debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch | 37 |
| -rw-r--r-- | debian/patches/features/all/random-try-to-actively-add-entropy-rather-than-passi.patch | 141 |
| -rw-r--r-- | debian/patches/series | 2 |

6 files changed, 220 insertions, 28 deletions
diff --git a/debian/changelog b/debian/changelog index 3eeb1f5cb6b9..dc589a8e660a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,32 @@ -linux (5.3.9-1) UNRELEASED; urgency=medium +linux (5.3.9-2) UNRELEASED; urgency=medium + + * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135): + - x86/msr: Add the IA32_TSX_CTRL MSR + - x86/cpu: Add a helper function x86_read_arch_cap_msr() + - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default + - x86/speculation/taa: Add mitigation for TSX Async Abort + - x86/speculation/taa: Add sysfs reporting for TSX Async Abort + - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled + - x86/tsx: Add "auto" option to the tsx= cmdline parameter + - x86/speculation/taa: Add documentation for TSX Async Abort + - x86/tsx: Add config options to set tsx=on|off|auto + - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs + TSX is now disabled by default; see + Documentation/admin-guide/hw-vuln/tsx_async_abort.rst + * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change + (aka iTLB multi-hit, CVE-2018-12207): + - kvm: x86, powerpc: do not allow clearing largepages debugfs entry + - x86/bugs: Add ITLB_MULTIHIT bug infrastructure + - x86/cpu: Add Tremont to the cpu vulnerability whitelist + - cpu/speculation: Uninline and export CPU mitigations helpers + - kvm: mmu: ITLB_MULTIHIT mitigation + - kvm: Add helper function for creating VM worker threads + - kvm: x86: mmu: Recovery of shattered NX large pages + - Documentation: Add ITLB_MULTIHIT documentation + + -- Ben Hutchings <ben@decadent.org.uk> Sat, 09 Nov 2019 18:53:39 +0000 + +linux (5.3.9-1) unstable; urgency=medium * New version hopefully closes: #942881 * New upstream stable update: 
@@ -109,7 +137,7 @@ linux (5.3.9-1) UNRELEASED; urgency=medium - ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() - ACPI: NFIT: Fix unlock on error in scrub_show() - iwlwifi: pcie: change qu with jf devices to use qu configuration - - cfg80211: wext: avoid copying malformed SSIDs + - cfg80211: wext: avoid copying malformed SSIDs (CVE-2019-17133) - mac80211: Reject malformed SSID elements - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 - drm/ttm: Restore ttm prefaulting 
@@ -377,29 +405,9 @@ linux (5.3.9-1) UNRELEASED; urgency=medium CROSS_COMPILE_COMPAT_VDSO * crypto: Enable PKCS8_PRIVATE_KEY_PARSER as module (Closes: #924705) * Bump ABI to 2 - * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135): - - x86/msr: Add the IA32_TSX_CTRL MSR - - x86/cpu: Add a helper function x86_read_arch_cap_msr() - - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default - - x86/speculation/taa: Add mitigation for TSX Async Abort - - x86/speculation/taa: Add sysfs reporting for TSX Async Abort - - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled - - x86/tsx: Add "auto" option to the tsx= cmdline parameter - - x86/speculation/taa: Add documentation for TSX Async Abort - - x86/tsx: Add config options to set tsx=on|off|auto - - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs - TSX is now disabled by default; see - Documentation/admin-guide/hw-vuln/tsx_async_abort.rst - * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change - (aka iTLB multi-hit, CVE-2018-12207): - - kvm: x86, powerpc: do not allow clearing largepages debugfs entry - - x86/bugs: Add ITLB_MULTIHIT bug infrastructure - - x86/cpu: Add Tremont to the cpu vulnerability whitelist - - cpu/speculation: Uninline and export CPU mitigations helpers - - kvm: mmu: ITLB_MULTIHIT mitigation - - kvm: Add helper function for creating VM worker threads - - kvm: x86: mmu: Recovery of shattered NX large pages - - Documentation: Add ITLB_MULTIHIT documentation + * [arm64] atmel_mxt_ts: Disable TOUCHSCREEN_ATMEL_MXT_T37 to avoid V4L + dependency + * random: try to actively add entropy rather than passively wait for it [ Bastian Blank ] * [amd64/cloud-amd64] Re-enable RTC drivers. (closes: #931341) 
@@ -413,11 +421,16 @@ linux (5.3.9-1) UNRELEASED; urgency=medium [ Alper Nebi Yasak ] * [arm64] udeb: Add i2c-rk3x to i2c-modules * [arm64,armhf] udeb: Add rockchip-io-domain to kernel-image + * udeb: Add atmel_mxt_ts to input-modules [ Noah Meyerhans ] * drivers/net/ethernet/amazon: Backport driver fixes from v5.4-rc5 - -- Ben Hutchings <ben@decadent.org.uk> Wed, 23 Oct 2019 18:32:15 +0100 + [ Niv Sardi ] + * KEYS: Make use of platform keyring for module signature verify + (closes: #935945) + + -- Ben Hutchings <ben@decadent.org.uk> Sat, 09 Nov 2019 15:42:49 +0000 linux (5.3.7-1) unstable; urgency=medium diff --git a/debian/config/arm64/config b/debian/config/arm64/config index 2a151425197e..c9c26442b1a4 100644 --- a/debian/config/arm64/config +++ b/debian/config/arm64/config @@ -472,8 +472,6 @@ CONFIG_MOUSE_ELAN_I2C=m ## file: drivers/input/touchscreen/Kconfig ## CONFIG_INPUT_TOUCHSCREEN=y -CONFIG_TOUCHSCREEN_ATMEL_MXT=m -CONFIG_TOUCHSCREEN_ATMEL_MXT_T37=y CONFIG_TOUCHSCREEN_ELAN=m ## diff --git a/debian/installer/modules/input-modules b/debian/installer/modules/input-modules index 70212b890e9a..754d740e9fda 100644 --- a/debian/installer/modules/input-modules +++ b/debian/installer/modules/input-modules @@ -33,6 +33,7 @@ hid-zydacron - wacom - # Miscellaneous input drivers +atmel_mxt_ts ? synaptics_usb ? wistron_btns ? gpio_keys ? diff --git a/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch b/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch new file mode 100644 index 000000000000..f00bf3d243ae --- /dev/null +++ b/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch 
@@ -0,0 +1,37 @@ +From: Robert Holmes <robeholmes@gmail.com> +Date: Tue, 23 Apr 2019 07:39:29 +0000 +Subject: [PATCH] KEYS: Make use of platform keyring for module signature + verify +Bug-Debian: https://bugs.debian.org/935945 +Origin: https://src.fedoraproject.org/rpms/kernel/raw/master/f/KEYS-Make-use-of-platform-keyring-for-module-signature.patch + +This patch completes commit 278311e417be ("kexec, KEYS: Make use of +platform keyring for signature verify") which, while adding the +platform keyring for bzImage verification, neglected to also add +this keyring for module verification. + +As such, kernel modules signed with keys from the MokList variable +were not successfully verified. + +Signed-off-by: Robert Holmes <robeholmes@gmail.com> +Signed-off-by: Jeremy Cline <jcline@redhat.com> +--- + kernel/module_signing.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/kernel/module_signing.c ++++ b/kernel/module_signing.c +@@ -135,6 +135,13 @@ int mod_verify_sig(const void *mod, stru + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + pr_devel("verify_pkcs7_signature() = %d\n", ret); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_MODULE_SIGNATURE, ++ NULL, NULL); ++ pr_devel("verify_pkcs7_signature() = %d\n", ret); ++ } + + /* checking hash of module is in blacklist */ + if (!ret) diff --git a/debian/patches/features/all/random-try-to-actively-add-entropy-rather-than-passi.patch b/debian/patches/features/all/random-try-to-actively-add-entropy-rather-than-passi.patch new file mode 100644 index 000000000000..9c22a21576e3 --- /dev/null +++ b/debian/patches/features/all/random-try-to-actively-add-entropy-rather-than-passi.patch 
@@ -0,0 +1,141 @@ +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Sat, 28 Sep 2019 16:53:52 -0700 +Subject: random: try to actively add entropy rather than passively wait for it +Origin: https://git.kernel.org/linus/50ee7529ec4500c88f8664560770a7a1b65db72b + +For 5.3 we had to revert a nice ext4 IO pattern improvement, because it +caused a bootup regression due to lack of entropy at bootup together +with arguably broken user space that was asking for secure random +numbers when it really didn't need to. + +See commit 72dbcf721566 (Revert "ext4: make __ext4_get_inode_loc plug"). + +This aims to solve the issue by actively generating entropy noise using +the CPU cycle counter when waiting for the random number generator to +initialize. This only works when you have a high-frequency time stamp +counter available, but that's the case on all modern x86 CPU's, and on +most other modern CPU's too. + +What we do is to generate jitter entropy from the CPU cycle counter +under a somewhat complex load: calling the scheduler while also +guaranteeing a certain amount of timing noise by also triggering a +timer. + +I'm sure we can tweak this, and that people will want to look at other +alternatives, but there's been a number of papers written on jitter +entropy, and this should really be fairly conservative by crediting one +bit of entropy for every timer-induced jump in the cycle counter. Not +because the timer itself would be all that unpredictable, but because +the interaction between the timer and the loop is going to be. + +Even if (and perhaps particularly if) the timer actually happens on +another CPU, the cacheline interaction between the loop that reads the +cycle counter and the timer itself firing is going to add perturbations +to the cycle counter values that get mixed into the entropy pool. 
+ +As Thomas pointed out, with a modern out-of-order CPU, even quite simple +loops show a fair amount of hard-to-predict timing variability even in +the absense of external interrupts. But this tries to take that further +by actually having a fairly complex interaction. + +This is not going to solve the entropy issue for architectures that have +no CPU cycle counter, but it's not clear how (and if) that is solvable, +and the hardware in question is largely starting to be irrelevant. And +by doing this we can at least avoid some of the even more contentious +approaches (like making the entropy waiting time out in order to avoid +the possibly unbounded waiting). + +Cc: Ahmed Darwish <darwish.07@gmail.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Theodore Ts'o <tytso@mit.edu> +Cc: Nicholas Mc Guire <hofrat@opentech.at> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Kees Cook <keescook@chromium.org> +Cc: Willy Tarreau <w@1wt.eu> +Cc: Alexander E. Patrakov <patrakov@gmail.com> +Cc: Lennart Poettering <mzxreary@0pointer.de> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + drivers/char/random.c | 62 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 61 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 5d5ea4ce1442..2fda6166c1dd 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1731,6 +1731,56 @@ void get_random_bytes(void *buf, int nbytes) + } + EXPORT_SYMBOL(get_random_bytes); + ++ ++/* ++ * Each time the timer fires, we expect that we got an unpredictable ++ * jump in the cycle counter. Even if the timer is running on another ++ * CPU, the timer activity will be touching the stack of the CPU that is ++ * generating entropy.. ++ * ++ * Note that we don't re-arm the timer in the timer itself - we are ++ * happy to be scheduled away, since that just makes the load more ++ * complex, but we do not want the timer to keep ticking unless the ++ * entropy loop is running. 
++ * ++ * So the re-arming always happens in the entropy loop itself. ++ */ ++static void entropy_timer(struct timer_list *t) ++{ ++ credit_entropy_bits(&input_pool, 1); ++} ++ ++/* ++ * If we have an actual cycle counter, see if we can ++ * generate enough entropy with timing noise ++ */ ++static void try_to_generate_entropy(void) ++{ ++ struct { ++ unsigned long now; ++ struct timer_list timer; ++ } stack; ++ ++ stack.now = random_get_entropy(); ++ ++ /* Slow counter - or none. Don't even bother */ ++ if (stack.now == random_get_entropy()) ++ return; ++ ++ timer_setup_on_stack(&stack.timer, entropy_timer, 0); ++ while (!crng_ready()) { ++ if (!timer_pending(&stack.timer)) ++ mod_timer(&stack.timer, jiffies+1); ++ mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now)); ++ schedule(); ++ stack.now = random_get_entropy(); ++ } ++ ++ del_timer_sync(&stack.timer); ++ destroy_timer_on_stack(&stack.timer); ++ mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now)); ++} ++ + /* + * Wait for the urandom pool to be seeded and thus guaranteed to supply + * cryptographically secure random numbers. This applies to: the /dev/urandom +@@ -1745,7 +1795,17 @@ int wait_for_random_bytes(void) + { + if (likely(crng_ready())) + return 0; +- return wait_event_interruptible(crng_init_wait, crng_ready()); ++ ++ do { ++ int ret; ++ ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); ++ if (ret) ++ return ret > 0 ? 0 : ret; ++ ++ try_to_generate_entropy(); ++ } while (!crng_ready()); ++ ++ return 0; + } + EXPORT_SYMBOL(wait_for_random_bytes); + diff --git a/debian/patches/series b/debian/patches/series index d2732d1a8f7e..7f486571e2e7 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -86,6 +86,7 @@ debian/revert-objtool-fix-config_stack_validation-y-warning.patch bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch # Miscellaneous features +features/all/random-try-to-actively-add-entropy-rather-than-passi.patch # Lockdown (formerly 'securelevel') patchset features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -135,6 +136,7 @@ features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch +features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch |
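Review bot: in the random-try-to-actively-add-entropy patch, the `while (!crng_ready())` loop in try_to_generate_entropy() has no exit other than the pool becoming ready, so once wait_for_random_bytes() falls through the HZ timeout into it, the calling task is no longer interruptible the way the removed `wait_event_interruptible(crng_init_wait, crng_ready())` line was (schedule() yields the CPU but never checks for pending signals). Consider adding a signal_pending(current) test to the loop condition, e.g. `while (!crng_ready() && !signal_pending(current))`, and having the do/while in wait_for_random_bytes() return -ERESTARTSYS when it stops for that reason, so callers keep the interruption semantics they had before.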
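Review bot: in the KEYS-Make-use-of-platform-keyring patch, the fallback branch added to mod_verify_sig() re-emits the identical `pr_devel("verify_pkcs7_signature() = %d\n", ret);` after the second call, so a debug trace cannot tell whether a module was accepted against the builtin/secondary keyrings or against the platform keyring. Distinguishing the second message, e.g. `pr_devel("verify_pkcs7_signature(platform keyring) = %d\n", ret);`, makes the trust path visible when reviewing why a module loaded. Since the patch description says this extends module verification to keys from the MokList variable, the corresponding changelog entry ("KEYS: Make use of platform keyring for module signature verify") would also benefit from stating that module signature trust now includes firmware-provisioned platform keys.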
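Review bot: the changelog entry says only TOUCHSCREEN_ATMEL_MXT_T37 is disabled on arm64 "to avoid V4L dependency", but the debian/config/arm64/config hunk removes both `CONFIG_TOUCHSCREEN_ATMEL_MXT=m` and `CONFIG_TOUCHSCREEN_ATMEL_MXT_T37=y`. Because the input-modules hunk now adds `atmel_mxt_ts ?` to the installer module list (the trailing `?` marks the module as optional, so a missing module will not fail the udeb build), please confirm the driver is still enabled as a module in a shared config file, or reword the changelog entry, so that the new udeb entry is not silently a no-op on arm64.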