release 6.12.4 (preliminary)

debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

@@ -141,10 +141,10 @@ arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
  
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -766,7 +766,8 @@ extern void efi_mem_reserve(phys_addr_t
+@@ -764,7 +764,8 @@ extern int efi_mem_desc_lookup(u64 phys_
+ extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
+ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
  extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
- extern void efi_initialize_iomem_resources(struct resource *code_resource,
- 		struct resource *data_resource, struct resource *bss_resource);
 -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
 +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
 +			      u32 *secure_boot);

debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch

@@ -31,7 +31,7 @@ cc: linux-efi@vger.kernel.org
 
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1065,19 +1065,7 @@ void __init setup_arch(char **cmdline_p)
+@@ -1070,19 +1070,7 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -106,7 +106,7 @@ cc: linux-efi@vger.kernel.org
 +}
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -877,6 +877,14 @@ static inline int efi_range_is_wc(unsign
+@@ -875,6 +875,14 @@ static inline int efi_range_is_wc(unsign
  #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
  #define EFI_MEM_NO_SOFT_RESERVE	11	/* Is the kernel configured to ignore soft reservations? */
  #define EFI_PRESERVE_BS_REGIONS	12	/* Are EFI boot-services memory segments available? */
@@ -121,7 +121,7 @@ cc: linux-efi@vger.kernel.org
  
  #ifdef CONFIG_EFI
  /*
-@@ -901,6 +909,7 @@ static inline bool efi_rt_services_suppo
+@@ -899,6 +907,7 @@ static inline bool efi_rt_services_suppo
  	return (efi.runtime_supported_mask & mask) == mask;
  }
  extern void efi_find_mirror(void);
@@ -129,7 +129,7 @@ cc: linux-efi@vger.kernel.org
  #else
  static inline bool efi_enabled(int feature)
  {
-@@ -920,6 +929,7 @@ static inline bool efi_rt_services_suppo
+@@ -918,6 +927,7 @@ static inline bool efi_rt_services_suppo
  }
  
  static inline void efi_find_mirror(void) {}
@@ -137,7 +137,7 @@ cc: linux-efi@vger.kernel.org
  #endif
  
  extern int efi_status_to_err(efi_status_t status);
-@@ -1138,13 +1148,6 @@ static inline bool efi_runtime_disabled(
+@@ -1136,13 +1146,6 @@ static inline bool efi_runtime_disabled(
  extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
  extern unsigned long efi_call_virt_save_flags(void);
  

debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -35,7 +35,7 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
  	reserve_ibft_region();
  	x86_init.resources.dmi_setup();
  
-@@ -1065,8 +1067,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -67,26 +67,26 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
  		default:
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
-@@ -509,6 +509,7 @@ int security_inode_getsecctx(struct inod
+@@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
  int security_locked_down(enum lockdown_reason what);
++int lock_kernel_down(const char *where, enum lockdown_reason level);
  int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
  		      void *val, size_t val_len, u64 id, u64 flags);
-+int lock_kernel_down(const char *where, enum lockdown_reason level);
- #else /* CONFIG_SECURITY */
- 
- static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1483,6 +1484,11 @@ static inline int lsm_fill_user_ctx(stru
+ int security_bdev_alloc(struct block_device *bdev);
+@@ -1504,6 +1505,11 @@ static inline int security_locked_down(e
  {
- 	return -EOPNOTSUPP;
+ 	return 0;
  }
 +static inline int
 +lock_kernel_down(const char *where, enum lockdown_reason level)
 +{
 +	return -EOPNOTSUPP;
 +}
- #endif	/* CONFIG_SECURITY */
- 
- #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
+ 				    u32 *uctx_len, void *val, size_t val_len,
+ 				    u64 id, u64 flags)
 --- a/security/lockdown/Kconfig
 +++ b/security/lockdown/Kconfig
 @@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI

debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

@@ -22,7 +22,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/include/linux/perf_event.h
 +++ b/include/linux/perf_event.h
-@@ -1589,6 +1589,11 @@ int perf_cpu_time_max_percent_handler(co
+@@ -1617,6 +1617,11 @@ int perf_cpu_time_max_percent_handler(co
  int perf_event_max_stack_handler(const struct ctl_table *table, int write,
  		void *buffer, size_t *lenp, loff_t *ppos);
  
@@ -36,7 +36,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
-@@ -419,8 +419,13 @@ static struct kmem_cache *perf_event_cac
+@@ -449,8 +449,13 @@ static struct kmem_cache *perf_event_cac
   *   0 - disallow raw tracepoint access for unpriv
   *   1 - disallow cpu events for unpriv
   *   2 - disallow kernel profiling for unpriv
@@ -50,7 +50,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  /* Minimum for 512 kiB + 1 user control page */
  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -12506,6 +12511,9 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -12681,6 +12686,9 @@ SYSCALL_DEFINE5(perf_event_open,
  	if (err)
  		return err;