group.of.nepali.translators team mailing list archive

[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot

 

This bug was fixed in the package linux - 4.4.0-18.34

---------------
linux (4.4.0-18.34) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1566868

  * [i915_bpo] Fix RC6 on SKL GT3 & GT4 (LP: #1564759)
    - SAUCE: i915_bpo: drm/i915/skl: Fix rc6 based gpu/system hang
    - SAUCE: i915_bpo: drm/i915/skl: Fix spurious gpu hang with gt3/gt4 revs

  * CONFIG_ARCH_ROCKCHIP not enabled in armhf generic kernel (LP: #1566283)
    - [Config] CONFIG_ARCH_ROCKCHIP=y

  * [Feature] Memory Bandwidth Monitoring (LP: #1397880)
    - perf/x86/cqm: Fix CQM handling of grouping events into a cache_group
    - perf/x86/cqm: Fix CQM memory leak and notifier leak
    - x86/cpufeature: Carve out X86_FEATURE_*
    - Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
    - x86/topology: Create logical package id
    - perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init
    - perf/x86/mbm: Add memory bandwidth monitoring event management
    - perf/x86/mbm: Implement RMID recycling
    - perf/x86/mbm: Add support for MBM counter overflow handling

  * User namespace mount updates (LP: #1566505)
    - SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns
    - SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids
    - SAUCE: fuse: Don't initialize user_id or group_id in mount options
    - SAUCE: cgroup: Use a new super block when mounting in a cgroup namespace
    - SAUCE: fs: fix a posible leak of allocated superblock

  * [arm64] kernel BUG at /build/linux-StrpB2/linux-4.4.0/fs/ext4/inode.c:2394!
    (LP: #1566518)
    - arm64: Honour !PTE_WRITE in set_pte_at() for kernel mappings
    - arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission

  * [Feature]USB core and xHCI tasks for USB 3.1 SuperSpeedPlus (SSP) support
    for Alpine Ridge on SKL (LP: #1519623)
    - usb: define USB_SPEED_SUPER_PLUS speed for SuperSpeedPlus USB3.1 devices
    - usb: set USB 3.1 roothub device speed to USB_SPEED_SUPER_PLUS
    - usb: show speed "10000" in sysfs for USB 3.1 SuperSpeedPlus devices
    - usb: add device descriptor for usb 3.1 root hub
    - usb: Support USB 3.1 extended port status request
    - xhci: Make sure xhci handles USB_SPEED_SUPER_PLUS devices.
    - xhci: set roothub speed to USB_SPEED_SUPER_PLUS for USB3.1 capable controllers
    - xhci: USB 3.1 add default Speed Attributes to SuperSpeedPlus device capability
    - xhci: set slot context speed field to SuperSpeedPlus for USB 3.1 SSP devices
    - usb: Add USB3.1 SuperSpeedPlus Isoc Endpoint Companion descriptor
    - usb: Parse the new USB 3.1 SuperSpeedPlus Isoc endpoint companion descriptor
    - usb: Add USB 3.1 Precision time measurement capability descriptor support
    - xhci: refactor and cleanup endpoint initialization.
    - xhci: Add SuperSpeedPlus high bandwidth isoc support to xhci endpoints
    - xhci: cleanup isoc tranfers queuing code
    - xhci: Support extended burst isoc TRB structure used by xhci 1.1 for USB 3.1
    - SAUCE: (noup) usb: fix regression in SuperSpeed endpoint descriptor parsing

  * wrong/missing permissions for device file /dev/prandom (prng.ko)
    (LP: #1558275)
    - s390/crypto: provide correct file mode at device register.

  * The Front MIC jack can't work on a HP desktop machine (LP: #1564712)
    - ALSA: hda - fix front mic problem for a HP desktop

  * HP Notebook Probook 440 G3  HDA Intel PCH horrible sounds while booting
    (LP: #1556228)
    - ALSA: hda - Apply reboot D3 fix for CX20724 codec, too

  * please provide mmc-modules udeb (LP: #1565765)
    - [Config] Add mmc block drivers to d-i

  * linux: Enforce signed module loading when UEFI secure boot (LP: #1566221)
    - Add secure_modules() call
    - PCI: Lock down BAR access when module security is enabled
    - x86: Lock down IO port access when module security is enabled
    - ACPI: Limit access to custom_method
    - asus-wmi: Restrict debugfs interface when module loading is restricted
    - Restrict /dev/mem and /dev/kmem when module loading is restricted
    - acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
    - kexec: Disable at runtime if the kernel enforces module loading restrictions
    - x86: Restrict MSR access when module loading is restricted
    - [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=n
    - Add option to automatically enforce module signatures when in Secure Boot mode
    - efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
    - efi: Add EFI_SECURE_BOOT bit
    - hibernate: Disable in a signed modules environment

  * [Hyper-V] Additional PCI passthrough commits (LP: #1565967)
    - PCI: Add fwnode_handle to x86 pci_sysdata
    - PCI: Look up IRQ domain by fwnode_handle
    - [Config] CONFIG_PCI_HYPERV=m
    - PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs

  * [Bug]Lenovo Yoga 260 and Carbon X1 4th gen freeze on HWP enable
    (LP: #1559923)
    - ACPI / processor: Request native thermal interrupt handling via _OSC

  * Sync kernel zfs 0.6.5.6 - align with zfsutils-linux and spl packages
    (LP: #1564591)
    - SAUCE: (noup) Update spl to 0.6.5.6-0ubuntu1, zfs to 0.6.5.6-0ubuntu3

  * [Ubuntu 16.04.1] RELEASE and ACQUIRE atomics on Power (LP: #1556096)
    - atomics: Allow architectures to define their own __atomic_op_* helpers
    - powerpc: atomic: Implement atomic{, 64}_*_return_* variants
    - powerpc: atomic: Implement acquire/release/relaxed variants for xchg
    - powerpc: atomic: Implement acquire/release/relaxed variants for cmpxchg

  * fix for do_tools_cpupower when cross-compiling (LP: #1564206)
    - [Debian] cpupower uses non-standard CROSS

  * ISST:LTE: Regression: roselp2 Oops in kernel during setup io (LP: #1546439)
    - SAUCE: block: partition: initialize percpuref before sending out KOBJ_ADD

  * Unable to migrate container (LP: #1563921)
    - SAUCE: cgroup mount: ignore nsroot=

  * [Hyper-V] patch inclusion in 16.04 for NIC hot add/remove (LP: #1563688)
    - hv_netvsc: Move subchannel waiting to rndis_filter_device_remove()

  * /proc/$pid/maps performance regression (LP: #1547231)
    - proc: revert /proc/<pid>/maps [stack:TID] annotation

  * TPM2.0 trusted keys fixes (LP: #1398274)
    - tpm: remove unneeded include of actbl2.h
    - tpm: fix checks for policy digest existence in tpm2_seal_trusted()
    - tpm_crb: Use the common ACPI definition of struct acpi_tpm2
    - tpm_tis: Disable interrupt auto probing on a per-device basis
    - tpm_tis: Do not fall back to a hardcoded address for TPM2
    - tpm_tis: Use devm_ioremap_resource
    - tpm_tis: Clean up the force=1 module parameter
    - tpm_crb: Drop le32_to_cpu(ioread32(..))
    - tpm_crb: Use devm_ioremap_resource
    - tpm: fix the rollback in tpm_chip_register()
    - tpm: fix the cleanup of struct tpm_chip
    - tpm: fix: set continueSession attribute for the unseal operation
    - tpm: fix: return rc when devm_add_action() fails
    - tpm_eventlog.c: fix binary_bios_measurements
    - tpm_crb/tis: fix: use dev_name() for /proc/iomem
    - tpm_crb: tpm2_shutdown() must be called before tpm_chip_unregister()
    - tpm_tis: fix build warning with tpm_tis_resume

  * [Feature]intel_idle driver support for Knights Landing (LP: #1461365)
    - intel_idle: Support for Intel Xeon Phi Processor x200 Product Family

  * cxlflash: Backport upstream cxlflash commits and submitting a noup patch to
    Xenial (LP: #1563485)
    - cxlflash: Fix to avoid unnecessary scan with internal LUNs
    - cxlflash: Increase cmd_per_lun for better throughput
    - SAUCE: (noup) cxlflash: Move to exponential back-off when cmd_room is not available

  * Miscellaneous Ubuntu changes
    - [Config] do_zfs_powerpc64-smp  = true
    - [Debian] fix linux_tools when cross-compiling
    - [Config] do_zfs_powerpc64-smp use default value
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: i915_bpo: Disable preliminary hw support

 -- Tim Gardner <tim.gardner@xxxxxxxxxxxxx>  Tue, 29 Mar 2016 15:31:33 -0600

** Changed in: linux (Ubuntu Xenial)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1566221

Title:
  linux: Enforce signed module loading when UEFI secure boot

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  Add code to implement secure boot checks. Unsigned or incorrectly
  signed modules will continue to install while tainting the kernel
  _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions

