release 6.12.4 (preliminary)

2024-12-10 06:44:25 +03:00
parent 9debc8729c
commit 407e7bac82
246 changed files with 4681 additions and 5758 deletions
--- a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
+++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
@@ -141,10 +141,10 @@ arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
 
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -766,7 +766,8 @@ extern void efi_mem_reserve(phys_addr_t
+@@ -764,7 +764,8 @@ extern int efi_mem_desc_lookup(u64 phys_
+ extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
+ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
 extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
- extern void efi_initialize_iomem_resources(struct resource *code_resource,
- 		struct resource *data_resource, struct resource *bss_resource);
 -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
 +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
 +			      u32 *secure_boot);
--- a/debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
+++ b/debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
@@ -31,7 +31,7 @@ cc: linux-efi@vger.kernel.org

 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1065,19 +1065,7 @@ void __init setup_arch(char **cmdline_p)
+@@ -1070,19 +1070,7 @@ void __init setup_arch(char **cmdline_p)
 	/* Allocate bigger log buffer */
 	setup_log_buf(1);
 
@@ -106,7 +106,7 @@ cc: linux-efi@vger.kernel.org
 +}
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -877,6 +877,14 @@ static inline int efi_range_is_wc(unsign
+@@ -875,6 +875,14 @@ static inline int efi_range_is_wc(unsign
 #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
 #define EFI_MEM_NO_SOFT_RESERVE	11	/* Is the kernel configured to ignore soft reservations? */
 #define EFI_PRESERVE_BS_REGIONS	12	/* Are EFI boot-services memory segments available? */
@@ -121,7 +121,7 @@ cc: linux-efi@vger.kernel.org
 
 #ifdef CONFIG_EFI
 /*
-@@ -901,6 +909,7 @@ static inline bool efi_rt_services_suppo
+@@ -899,6 +907,7 @@ static inline bool efi_rt_services_suppo
 	return (efi.runtime_supported_mask & mask) == mask;
 }
 extern void efi_find_mirror(void);
@@ -129,7 +129,7 @@ cc: linux-efi@vger.kernel.org
 #else
 static inline bool efi_enabled(int feature)
 {
-@@ -920,6 +929,7 @@ static inline bool efi_rt_services_suppo
+@@ -918,6 +927,7 @@ static inline bool efi_rt_services_suppo
 }
 
 static inline void efi_find_mirror(void) {}
@@ -137,7 +137,7 @@ cc: linux-efi@vger.kernel.org
 #endif
 
 extern int efi_status_to_err(efi_status_t status);
-@@ -1138,13 +1148,6 @@ static inline bool efi_runtime_disabled(
+@@ -1136,13 +1146,6 @@ static inline bool efi_runtime_disabled(
 extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
 extern unsigned long efi_call_virt_save_flags(void);
 
--- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -35,7 +35,7 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
 	reserve_ibft_region();
 	x86_init.resources.dmi_setup();
 
-@@ -1065,8 +1067,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p)
 	/* Allocate bigger log buffer */
 	setup_log_buf(1);
 
@@ -67,26 +67,26 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
 		default:
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
-@@ -509,6 +509,7 @@ int security_inode_getsecctx(struct inod
+@@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
 int security_locked_down(enum lockdown_reason what);
+int lock_kernel_down(const char *where, enum lockdown_reason level);
 int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
 		      void *val, size_t val_len, u64 id, u64 flags);
-+int lock_kernel_down(const char *where, enum lockdown_reason level);
- #else /* CONFIG_SECURITY */
- 
- static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1483,6 +1484,11 @@ static inline int lsm_fill_user_ctx(stru
+ int security_bdev_alloc(struct block_device *bdev);
+@@ -1504,6 +1505,11 @@ static inline int security_locked_down(e
 {
- 	return -EOPNOTSUPP;
+ 	return 0;
 }
 +static inline int
 +lock_kernel_down(const char *where, enum lockdown_reason level)
 +{
 +	return -EOPNOTSUPP;
 +}
- #endif	/* CONFIG_SECURITY */
- 
- #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+ static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
+ 				    u32 *uctx_len, void *val, size_t val_len,
+ 				    u64 id, u64 flags)
 --- a/security/lockdown/Kconfig
 +++ b/security/lockdown/Kconfig
@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI