refresh patches

debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch

@@ -39,7 +39,7 @@ Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
  #include <uapi/linux/module.h>
  #include "internal.h"
  
-@@ -37,13 +39,60 @@
+@@ -37,13 +39,60 @@ void set_module_sig_enforced(void)
  	sig_enforce = true;
  }
  
@@ -101,7 +101,7 @@ Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
  	int ret;
  
  	pr_devel("==>%s(,%zu)\n", __func__, modlen);
-@@ -51,6 +100,7 @@
+@@ -51,6 +100,7 @@ int mod_verify_sig(const void *mod, stru
  	if (modlen <= sizeof(ms))
  		return -EBADMSG;
  
@@ -109,7 +109,7 @@ Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
  	memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
  
  	ret = mod_check_sig(&ms, modlen, "module");
-@@ -61,10 +111,17 @@
+@@ -61,10 +111,17 @@ int mod_verify_sig(const void *mod, stru
  	modlen -= sig_len + sizeof(ms);
  	info->len = modlen;
  

debian/patches/features/all/db-mok-keyring/trust-machine-keyring-by-default.patch

@@ -11,8 +11,6 @@ To keep backward compatibility skip this check.
  security/integrity/platform_certs/machine_keyring.c | 5 +----
  1 file changed, 1 insertion(+), 4 deletions(-)
 
-diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
-index a401640a63cd..0627f14eacbe 100644
 --- a/security/integrity/platform_certs/machine_keyring.c
 +++ b/security/integrity/platform_certs/machine_keyring.c
 @@ -68,10 +68,7 @@ static bool __init trust_moklist(void)

debian/patches/features/all/drivers-media-dvb-usb-af9005-request_firmware.patch

@@ -11,11 +11,9 @@ a version of the script which is directly derived from the driver.
  drivers/media/dvb/dvb-usb/af9005-fe.c |   66 ++++++++++++++++++++++++++------
  2 files changed, 54 insertions(+), 14 deletions(-)
 
-Index: debian-kernel/drivers/media/usb/dvb-usb/Kconfig
-===================================================================
---- debian-kernel.orig/drivers/media/usb/dvb-usb/Kconfig
-+++ debian-kernel/drivers/media/usb/dvb-usb/Kconfig
-@@ -260,10 +260,10 @@ config DVB_USB_OPERA1
+--- a/drivers/media/usb/dvb-usb/Kconfig
++++ b/drivers/media/usb/dvb-usb/Kconfig
+@@ -35,10 +35,10 @@ config DVB_USB_A800
  
  config DVB_USB_AF9005
  	tristate "Afatech AF9005 DVB-T USB1.1 support"
@@ -27,10 +25,8 @@ Index: debian-kernel/drivers/media/usb/dvb-usb/Kconfig
  	help
  	  Say Y here to support the Afatech AF9005 based DVB-T USB1.1 receiver
  	  and the TerraTec Cinergy T USB XE (Rev.1)
-Index: debian-kernel/drivers/media/usb/dvb-usb/af9005-fe.c
-===================================================================
---- debian-kernel.orig/drivers/media/usb/dvb-usb/af9005-fe.c
-+++ debian-kernel/drivers/media/usb/dvb-usb/af9005-fe.c
+--- a/drivers/media/usb/dvb-usb/af9005-fe.c
++++ b/drivers/media/usb/dvb-usb/af9005-fe.c
 @@ -9,10 +9,26 @@
   * see Documentation/driver-api/media/drivers/dvb-usb.rst for more information
   */

debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

@@ -1,153 +0,0 @@
-From: Linn Crosetto <linn@hpe.com>
-Date: Tue, 30 Aug 2016 11:54:38 -0600
-Subject: arm64: add kernel config option to lock down when in Secure Boot mode
-Bug-Debian: https://bugs.debian.org/831827
-Forwarded: no
-
-Add a kernel configuration option to lock down the kernel, to restrict
-userspace's ability to modify the running kernel when UEFI Secure Boot is
-enabled. Based on the x86 patch by Matthew Garrett.
-
-Determine the state of Secure Boot in the EFI stub and pass this to the
-kernel using the FDT.
-
-Signed-off-by: Linn Crosetto <linn@hpe.com>
-[bwh: Forward-ported to 4.10: adjust context]
-[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
-[bwh: Forward-ported to 4.15 and lockdown patch set:
- - Pass result of efi_get_secureboot() in stub through to
-   efi_set_secure_boot() in main kernel
- - Use lockdown API and naming]
-[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
-[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
-[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
-[bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a
- sys_table parameter]
-[bwh: Forward-ported to 5.7: EFI initialisation from FDT was rewritten, so:
- - Add Secure Boot mode to the parameter enumeration in fdtparams.c
- - Add a parameter to efi_get_fdt_params() to return the Secure Boot mode
- - Since Xen does not have a property name defined for Secure Boot mode,
-   change efi_get_fdt_prop() to handle a missing property name by clearing
-   the output variable]
-[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename
-arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
----
- drivers/firmware/efi/efi-init.c    |    5 ++++-
- drivers/firmware/efi/fdtparams.c   |   12 +++++++++++-
- drivers/firmware/efi/libstub/fdt.c |    6 ++++++
- include/linux/efi.h                |    3 ++-
- 4 files changed, 23 insertions(+), 3 deletions(-)
-
---- a/drivers/firmware/efi/efi-init.c
-+++ b/drivers/firmware/efi/efi-init.c
-@@ -213,9 +213,10 @@ void __init efi_init(void)
- {
- 	struct efi_memory_map_data data;
- 	u64 efi_system_table;
-+	u32 secure_boot;
- 
- 	/* Grab UEFI information placed in FDT by stub */
--	efi_system_table = efi_get_fdt_params(&data);
-+	efi_system_table = efi_get_fdt_params(&data, &secure_boot);
- 	if (!efi_system_table)
- 		return;
- 
-@@ -237,6 +238,8 @@ void __init efi_init(void)
- 		return;
- 	}
- 
-+	efi_set_secure_boot(secure_boot);
-+
- 	reserve_regions();
- 	/*
- 	 * For memblock manipulation, the cap should come after the memblock_add().
---- a/drivers/firmware/efi/fdtparams.c
-+++ b/drivers/firmware/efi/fdtparams.c
-@@ -16,6 +16,7 @@ enum {
- 	MMSIZE,
- 	DCSIZE,
- 	DCVERS,
-+	SBMODE,
- 
- 	PARAMCOUNT
- };
-@@ -26,6 +27,7 @@ static __initconst const char name[][22]
- 	[MMSIZE] = "MemMap Size          ",
- 	[DCSIZE] = "MemMap Desc. Size    ",
- 	[DCVERS] = "MemMap Desc. Version ",
-+	[SBMODE] = "Secure Boot Enabled  ",
- };
- 
- static __initconst const struct {
-@@ -43,6 +45,7 @@ static __initconst const struct {
- 			[MMSIZE] = "xen,uefi-mmap-size",
- 			[DCSIZE] = "xen,uefi-mmap-desc-size",
- 			[DCVERS] = "xen,uefi-mmap-desc-ver",
-+			[SBMODE] = "",
- 		}
- 	}, {
- #endif
-@@ -53,6 +56,7 @@ static __initconst const struct {
- 			[MMSIZE] = "linux,uefi-mmap-size",
- 			[DCSIZE] = "linux,uefi-mmap-desc-size",
- 			[DCVERS] = "linux,uefi-mmap-desc-ver",
-+			[SBMODE] = "linux,uefi-secure-boot",
- 		}
- 	}
- };
-@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const
- 	int len;
- 	u64 val;
- 
-+	if (!pname[0]) {
-+		memset(var, 0, size);
-+		return 0;
-+	}
-+
- 	prop = fdt_getprop(fdt, node, pname, &len);
- 	if (!prop)
- 		return 1;
-@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const
- 	return 0;
- }
- 
--u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
-+u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm, u32 *secure_boot)
- {
- 	const void *fdt = initial_boot_params;
- 	unsigned long systab;
-@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi
- 		[MMSIZE] = { &mm->size,		sizeof(mm->size) },
- 		[DCSIZE] = { &mm->desc_size,	sizeof(mm->desc_size) },
- 		[DCVERS] = { &mm->desc_version,	sizeof(mm->desc_version) },
-+		[SBMODE] = { secure_boot,       sizeof(*secure_boot) },
- 	};
- 
- 	BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
---- a/drivers/firmware/efi/libstub/fdt.c
-+++ b/drivers/firmware/efi/libstub/fdt.c
-@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *ori
- 		}
- 	}
- 
-+	fdt_val32 = cpu_to_fdt32(efi_get_secureboot());
-+	status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
-+			     &fdt_val32, sizeof(fdt_val32));
-+	if (status)
-+		goto fdt_set_fail;
-+
- 	/* Shrink the FDT back to its minimum size: */
- 	fdt_pack(fdt);
- 
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -764,7 +764,8 @@ extern int efi_mem_desc_lookup(u64 phys_
- extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
- extern void efi_mem_reserve(phys_addr_t addr, u64 size);
- extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
--extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
-+extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
-+			      u32 *secure_boot);
- extern struct kobject *efi_kobj;
- 
- extern int efi_reboot_quirk_mode;

debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch

@@ -1,153 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:03 +0000
-Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28
-
-UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
-flag that can be passed to efi_enabled() to find out whether secure boot is
-enabled.
-
-Move the switch-statement in x86's setup_arch() that inteprets the
-secure_boot boot parameter to generic code and set the bit there.
-
-Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-cc: linux-efi@vger.kernel.org
-[rperier: Forward-ported to 5.5:
- - Use pr_warn()
- - Adjust context]
-[bwh: Forward-ported to 5.6: adjust context]
-[bwh: Forward-ported to 5.7:
- - Use the next available bit in efi.flags
- - Adjust context]
----
- arch/x86/kernel/setup.c           | 14 +----------
- drivers/firmware/efi/Makefile     |  1 +
- drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
- include/linux/efi.h               | 16 ++++++++-----
- 4 files changed, 51 insertions(+), 19 deletions(-)
- create mode 100644 drivers/firmware/efi/secureboot.c
-
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1070,19 +1070,7 @@ void __init setup_arch(char **cmdline_p)
- 	/* Allocate bigger log buffer */
- 	setup_log_buf(1);
- 
--	if (efi_enabled(EFI_BOOT)) {
--		switch (boot_params.secure_boot) {
--		case efi_secureboot_mode_disabled:
--			pr_info("Secure boot disabled\n");
--			break;
--		case efi_secureboot_mode_enabled:
--			pr_info("Secure boot enabled\n");
--			break;
--		default:
--			pr_info("Secure boot could not be determined\n");
--			break;
--		}
--	}
-+	efi_set_secure_boot(boot_params.secure_boot);
- 
- 	reserve_initrd();
- 
---- a/drivers/firmware/efi/Makefile
-+++ b/drivers/firmware/efi/Makefile
-@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB)		+= libstub
- obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
- obj-$(CONFIG_EFI_TEST)			+= test/
- obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
-+obj-$(CONFIG_EFI)			+= secureboot.o
- obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
- obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o
- obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE)	+= embedded-firmware.o
---- /dev/null
-+++ b/drivers/firmware/efi/secureboot.c
-@@ -0,0 +1,39 @@
-+
-+/* Core kernel secure boot support.
-+ *
-+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-+
-+#include <linux/efi.h>
-+#include <linux/kernel.h>
-+#include <linux/printk.h>
-+
-+/*
-+ * Decide what to do when UEFI secure boot mode is enabled.
-+ */
-+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
-+{
-+	if (efi_enabled(EFI_BOOT)) {
-+		switch (mode) {
-+		case efi_secureboot_mode_disabled:
-+			pr_info("Secure boot disabled\n");
-+			break;
-+		case efi_secureboot_mode_enabled:
-+			set_bit(EFI_SECURE_BOOT, &efi.flags);
-+			pr_info("Secure boot enabled\n");
-+			break;
-+		default:
-+			pr_warn("Secure boot could not be determined (mode %u)\n",
-+				mode);
-+			break;
-+		}
-+	}
-+}
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -864,6 +864,14 @@ static inline int efi_range_is_wc(unsign
- #define EFI_MEM_ATTR		9	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
- #define EFI_MEM_NO_SOFT_RESERVE	10	/* Is the kernel configured to ignore soft reservations? */
- #define EFI_PRESERVE_BS_REGIONS	11	/* Are EFI boot-services memory segments available? */
-+#define EFI_SECURE_BOOT		12	/* Are we in Secure Boot mode? */
-+
-+enum efi_secureboot_mode {
-+	efi_secureboot_mode_unset,
-+	efi_secureboot_mode_unknown,
-+	efi_secureboot_mode_disabled,
-+	efi_secureboot_mode_enabled,
-+};
- 
- #ifdef CONFIG_EFI
- /*
-@@ -888,6 +896,7 @@ static inline bool efi_rt_services_suppo
- 	return (efi.runtime_supported_mask & mask) == mask;
- }
- extern void efi_find_mirror(void);
-+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
- #else
- static inline bool efi_enabled(int feature)
- {
-@@ -907,6 +916,7 @@ static inline bool efi_rt_services_suppo
- }
- 
- static inline void efi_find_mirror(void) {}
-+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
- #endif
- 
- extern int efi_status_to_err(efi_status_t status);
-@@ -1125,13 +1135,6 @@ static inline bool efi_runtime_disabled(
- extern void efi_call_virt_check_flags(unsigned long flags, const void *caller);
- extern unsigned long efi_call_virt_save_flags(void);
- 
--enum efi_secureboot_mode {
--	efi_secureboot_mode_unset,
--	efi_secureboot_mode_unknown,
--	efi_secureboot_mode_disabled,
--	efi_secureboot_mode_enabled,
--};
--
- static inline
- enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
- {

debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -1,121 +0,0 @@
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Tue, 10 Sep 2019 11:54:28 +0100
-Subject: efi: Lock down the kernel if booted in secure boot mode
-
-Based on an earlier patch by David Howells, who wrote the following
-description:
-
-> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-> only load signed bootloaders and kernels.  Certain use cases may also
-> require that all kernel modules also be signed.  Add a configuration option
-> that to lock down the kernel - which includes requiring validly signed
-> modules - if the kernel is secure-booted.
-
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
-help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
-lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
-Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
----
- arch/x86/kernel/setup.c           |    4 ++--
- drivers/firmware/efi/secureboot.c |    3 +++
- include/linux/security.h          |    6 ++++++
- security/lockdown/Kconfig         |   15 +++++++++++++++
- security/lockdown/lockdown.c      |    2 +-
- 5 files changed, 27 insertions(+), 3 deletions(-)
-
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -904,6 +904,8 @@ void __init setup_arch(char **cmdline_p)
- 	if (efi_enabled(EFI_BOOT))
- 		efi_init();
- 
-+	efi_set_secure_boot(boot_params.secure_boot);
-+
- 	reserve_ibft_region();
- 	x86_init.resources.dmi_setup();
- 
-@@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p)
- 	/* Allocate bigger log buffer */
- 	setup_log_buf(1);
- 
--	efi_set_secure_boot(boot_params.secure_boot);
--
- 	reserve_initrd();
- 
- 	acpi_table_upgrade();
---- a/drivers/firmware/efi/secureboot.c
-+++ b/drivers/firmware/efi/secureboot.c
-@@ -15,6 +15,7 @@
- #include <linux/efi.h>
- #include <linux/kernel.h>
- #include <linux/printk.h>
-+#include <linux/security.h>
- 
- /*
-  * Decide what to do when UEFI secure boot mode is enabled.
-@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi
- 			break;
- 		case efi_secureboot_mode_enabled:
- 			set_bit(EFI_SECURE_BOOT, &efi.flags);
-+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
-+			lock_kernel_down("EFI Secure Boot",
-+					 LOCKDOWN_INTEGRITY_MAX);
-+#endif
- 			pr_info("Secure boot enabled\n");
- 			break;
- 		default:
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i
- int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
- int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
- int security_locked_down(enum lockdown_reason what);
-+int lock_kernel_down(const char *where, enum lockdown_reason level);
- int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
- 		      void *val, size_t val_len, u64 id, u64 flags);
- int security_bdev_alloc(struct block_device *bdev);
-@@ -1504,6 +1505,11 @@ static inline int security_locked_down(e
- {
- 	return 0;
- }
-+static inline int
-+lock_kernel_down(const char *where, enum lockdown_reason level)
-+{
-+	return -EOPNOTSUPP;
-+}
- static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
- 				    u32 *uctx_len, void *val, size_t val_len,
- 				    u64 id, u64 flags)
---- a/security/lockdown/Kconfig
-+++ b/security/lockdown/Kconfig
-@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
- 	 disabled.
- 
- endchoice
-+
-+config LOCK_DOWN_IN_EFI_SECURE_BOOT
-+	bool "Lock down the kernel in EFI Secure Boot mode"
-+	default n
-+	depends on SECURITY_LOCKDOWN_LSM
-+	depends on EFI
-+	select SECURITY_LOCKDOWN_LSM_EARLY
-+	help
-+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
-+	  will only load signed bootloaders and kernels.  Secure boot mode may
-+	  be determined from EFI variables provided by the system firmware if
-+	  not indicated by the boot parameters.
-+
-+	  Enabling this option results in kernel lockdown being
-+	  triggered in integrity mode if EFI Secure Boot is set.
---- a/security/lockdown/lockdown.c
-+++ b/security/lockdown/lockdown.c
-@@ -24,7 +24,7 @@ static const enum lockdown_reason lockdo
- /*
-  * Put the kernel into lock-down mode.
-  */
--static int lock_kernel_down(const char *where, enum lockdown_reason level)
-+int lock_kernel_down(const char *where, enum lockdown_reason level)
- {
- 	if (kernel_locked_down >= level)
- 		return -EPERM;

debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch

@@ -1,75 +0,0 @@
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Fri, 30 Aug 2019 15:54:24 +0100
-Subject: mtd: phram,slram: Disable when the kernel is locked down
-Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
-
-These drivers allow mapping arbitrary memory ranges as MTD devices.
-This should be disabled to preserve the kernel's integrity when it is
-locked down.
-
-* Add the HWPARAM flag to the module parameters
-* When slram is built-in, it uses __setup() to read kernel parameters,
-  so add an explicit check security_locked_down() check
-
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-Cc: Matthew Garrett <mjg59@google.com>
-Cc: David Howells <dhowells@redhat.com>
-Cc: Joern Engel <joern@lazybastard.org>
-Cc: linux-mtd@lists.infradead.org
----
- drivers/mtd/devices/phram.c | 6 +++++-
- drivers/mtd/devices/slram.c | 9 ++++++++-
- 2 files changed, 13 insertions(+), 2 deletions(-)
-
---- a/drivers/mtd/devices/phram.c
-+++ b/drivers/mtd/devices/phram.c
-@@ -364,7 +364,11 @@ static int phram_param_call(const char *
- #endif
- }
- 
--module_param_call(phram, phram_param_call, NULL, NULL, 0200);
-+static const struct kernel_param_ops phram_param_ops = {
-+	.set = phram_param_call
-+};
-+__module_param_call(MODULE_PARAM_PREFIX, phram, &phram_param_ops, NULL,
-+		    0200, -1, KERNEL_PARAM_FL_HWPARAM | hwparam_iomem);
- MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\"");
- 
- #ifdef CONFIG_OF
---- a/drivers/mtd/devices/slram.c
-+++ b/drivers/mtd/devices/slram.c
-@@ -43,6 +43,7 @@
- #include <linux/ioctl.h>
- #include <linux/init.h>
- #include <linux/io.h>
-+#include <linux/security.h>
- 
- #include <linux/mtd/mtd.h>
- 
-@@ -65,7 +66,7 @@ typedef struct slram_mtd_list {
- #ifdef MODULE
- static char *map[SLRAM_MAX_DEVICES_PARAMS];
- 
--module_param_array(map, charp, NULL, 0);
-+module_param_hw_array(map, charp, iomem, NULL, 0);
- MODULE_PARM_DESC(map, "List of memory regions to map. \"map=<name>, <start>, <length / end>\"");
- #else
- static char *map;
-@@ -281,11 +282,17 @@ static int __init init_slram(void)
- #ifndef MODULE
- 	char *devstart;
- 	char *devlength;
-+	int ret;
- 
- 	if (!map) {
- 		E("slram: not enough parameters.\n");
- 		return(-EINVAL);
- 	}
-+
-+	ret = security_locked_down(LOCKDOWN_MODULE_PARAMETERS);
-+	if (ret)
-+		return ret;
-+
- 	while (map) {
- 		devname = devstart = devlength = NULL;
- 

debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

@@ -22,7 +22,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/include/linux/perf_event.h
 +++ b/include/linux/perf_event.h
-@@ -1617,6 +1617,11 @@ int perf_cpu_time_max_percent_handler(co
+@@ -1659,6 +1659,11 @@ int perf_cpu_time_max_percent_handler(co
  int perf_event_max_stack_handler(const struct ctl_table *table, int write,
  		void *buffer, size_t *lenp, loff_t *ppos);
  
@@ -50,7 +50,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  /* Minimum for 512 kiB + 1 user control page */
  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -12681,6 +12686,9 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -12821,6 +12826,9 @@ SYSCALL_DEFINE5(perf_event_open,
  	if (err)
  		return err;
  

debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch

@@ -15,7 +15,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
 --- a/drivers/iommu/intel/Kconfig
 +++ b/drivers/iommu/intel/Kconfig
-@@ -57,13 +57,24 @@ config INTEL_IOMMU_SVM
+@@ -56,13 +56,24 @@ config INTEL_IOMMU_SVM
  	  to access DMA resources through process address space by
  	  means of a Process Address Space ID (PASID).
  
@@ -48,7 +48,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  	def_bool y
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
-@@ -218,13 +218,13 @@ static LIST_HEAD(dmar_satc_units);
+@@ -204,13 +204,13 @@ static LIST_HEAD(dmar_satc_units);
  
  static void intel_iommu_domain_free(struct iommu_domain *domain);
  
@@ -64,7 +64,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  static int intel_iommu_superpage = 1;
  static int iommu_identity_mapping;
  static int iommu_skip_te_disable;
-@@ -263,6 +263,7 @@ static int __init intel_iommu_setup(char
+@@ -249,6 +249,7 @@ static int __init intel_iommu_setup(char
  	while (*str) {
  		if (!strncmp(str, "on", 2)) {
  			dmar_disabled = 0;

debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch

@@ -22,7 +22,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2218,6 +2218,8 @@
+@@ -2247,6 +2247,8 @@
  			bypassed by not enabling DMAR with this option. In
  			this case, gfx device will use physical address for
  			DMA.
@@ -33,7 +33,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  		sp_off [Default Off]
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
-@@ -36,6 +36,9 @@
+@@ -35,6 +35,9 @@
  #define CONTEXT_SIZE		VTD_PAGE_SIZE
  
  #define IS_GFX_DEVICE(pdev) ((pdev->class >> 16) == PCI_BASE_CLASS_DISPLAY)
@@ -43,7 +43,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  #define IS_USB_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_SERIAL_USB)
  #define IS_ISA_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_BRIDGE_ISA)
  #define IS_AZALIA(pdev) ((pdev)->vendor == 0x8086 && (pdev)->device == 0x3a3e)
-@@ -208,12 +211,14 @@ int intel_iommu_sm = IS_ENABLED(CONFIG_I
+@@ -207,12 +210,14 @@ int intel_iommu_sm = IS_ENABLED(CONFIG_I
  int intel_iommu_enabled = 0;
  EXPORT_SYMBOL_GPL(intel_iommu_enabled);
  
@@ -58,7 +58,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  const struct iommu_ops intel_iommu_ops;
  static const struct iommu_dirty_ops intel_dirty_ops;
-@@ -253,6 +258,9 @@ static int __init intel_iommu_setup(char
+@@ -252,6 +257,9 @@ static int __init intel_iommu_setup(char
  		} else if (!strncmp(str, "igfx_off", 8)) {
  			disable_igfx_iommu = 1;
  			pr_info("Disable GFX device mapping\n");
@@ -68,7 +68,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  		} else if (!strncmp(str, "forcedac", 8)) {
  			pr_warn("intel_iommu=forcedac deprecated; use iommu.forcedac instead\n");
  			iommu_dma_forcedac = true;
-@@ -2034,6 +2042,9 @@ static int device_def_domain_type(struct
+@@ -1902,6 +1910,9 @@ static int device_def_domain_type(struct
  
  		if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev))
  			return IOMMU_DOMAIN_IDENTITY;
@@ -78,7 +78,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  	}
  
  	return 0;
-@@ -2332,6 +2343,9 @@ static int __init init_dmars(void)
+@@ -2196,6 +2207,9 @@ static int __init init_dmars(void)
  		iommu_set_root_entry(iommu);
  	}
  

debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch

@@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -6498,6 +6498,10 @@
+@@ -6982,6 +6982,10 @@
  			later by a loaded module cannot be set this way.
  			Example: sysctl.vm.swappiness=40
  
@@ -42,7 +42,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  			Ignore sysrq setting - this boot parameter will
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -3058,6 +3058,14 @@ config COMPAT_32
+@@ -3186,6 +3186,14 @@ config COMPAT_32
  	select HAVE_UID16
  	select OLD_SIGSUSPEND3
  
@@ -80,7 +80,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  #include <linux/syscalls.h>
  #include <asm/syscall.h>
  
-@@ -20,3 +23,46 @@
+@@ -23,3 +26,46 @@ long x32_sys_call(const struct pt_regs *
  	default: return __x64_sys_ni_syscall(regs);
  	}
  };
@@ -159,7 +159,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  #include <asm/thread_info.h>	/* for TS_COMPAT */
  #include <asm/unistd.h>
  
-@@ -28,6 +29,18 @@ extern const sys_call_ptr_t ia32_sys_cal
+@@ -28,6 +29,18 @@ extern long ia32_sys_call(const struct p
  extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
  extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
  

debian/patches/features/x86/x86-memtest-WARN-if-bad-RAM-found.patch

@@ -15,7 +15,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/mm/memtest.c
 +++ b/mm/memtest.c
-@@ -26,6 +26,10 @@ static u64 patterns[] __initdata = {
+@@ -31,6 +31,10 @@ static u64 patterns[] __initdata = {
  
  static void __init reserve_bad_mem(u64 pattern, phys_addr_t start_bad, phys_addr_t end_bad)
  {