group.of.nepali.translators team mailing list archive

[Bug 1593075] Re: linux: Implement secure boot state variables

 

This bug was fixed in the package linux - 3.13.0-101.148

---------------
linux (3.13.0-101.148) trusty; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635430

  * [arm64] nova instances can't boot with 3.13.0-92 (LP: #1608854)
    - Revert "efi: Disable interrupts around EFI calls, not in the epilog/prolog
      calls"
    - Revert "x86/efi: Use all 64 bit of efi_memmap in setup_e820()"
    - Revert "x86/efi: Store upper bits of command line buffer address in
      ext_cmd_line_ptr"
    - Revert "efivarfs: Ensure VariableName is NUL-terminated"
    - Revert "efi/libstub: Fix boundary checking in efi_high_alloc()"
    - Revert "arm64: efi: only attempt efi map setup if booting via EFI"
    - Revert "UBUNTU: arm64: Implement efi_enabled()"
    - Revert "efi/arm64: ignore dtb= when UEFI SecureBoot is enabled"
    - Revert "doc: arm64: add description of EFI stub support"
    - Revert "UBUNTU: Move get_dram_base to arm private file"
    - Revert "arm64: efi: add EFI stub"
    - Revert "arm64: add EFI runtime services"
    - Revert "efi: Add shared FDT related functions for ARM/ARM64"
    - Revert "efi: add helper function to get UEFI params from FDT"
    - Revert "doc: efi-stub.txt updates for ARM"
    - Revert "efi: Add get_dram_base() helper function"
    - Revert "efi: create memory map iteration helper"
    - Revert "x86, ia64: Move EFI_FB vga_default_device() initialization to
      pci_vga_fixup()"
    - Revert "firmware: Do not use WARN_ON(!spin_is_locked())"
    - Revert "efi-pstore: Fix an overflow on 32-bit builds"
    - Revert "x86/efi: Fix 32-bit fallout"
    - Revert "x86/efi: Check krealloc return value"
    - Revert "x86/efi: Runtime services virtual mapping"
    - Revert "x86/efi: Fix off-by-one bug in EFI Boot Services reservation"
    - x86/efi: Simplify EFI_DEBUG
    - x86/efi: Runtime services virtual mapping
    - x86/efi: Check krealloc return value
    - SAUCE: Merge tag 'efi-next' of
      git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into x86/efi
    - doc: Fix trivial spelling mistake in efi-stub.txt
    - x86/efi: Remove unused variables in __map_region()
    - x86/efi: Add a wrapper function efi_map_region_fixed()
    - x86/efi: Fix off-by-one bug in EFI Boot Services reservation
    - x86/efi: Cleanup efi_enter_virtual_mode() function
    - efi: Export more EFI table variables to sysfs
    - [Config] CONFIG_EFI_RUNTIME_MAP=y
    - efi: Export EFI runtime memory mapping to sysfs
    - x86/efi: Pass necessary EFI data for kexec via setup_data
    - x86/efi: Delete superfluous global variables
    - x86/efi: parse_efi_setup() build fix
    - SAUCE: Merge tag 'v3.13-rc7' into x86/efi-kexec to resolve conflicts
    - x86/efi: Allow mapping BGRT on x86-32
    - x86/efi: Fix 32-bit fallout
    - x86/efi: Check status field to validate BGRT header
    - x86/efi: Quirk out SGI UV
    - v3.14 - Bacported EFI up to v3.14
    - efi: Move facility flags to struct efi
    - efi: Set feature flags inside feature init functions
    - efivarfs: 'efivarfs_file_write' function reorganization
    - x86/efi: Delete out-of-date comments of efi_query_variable_store
    - x86/efi: Style neatening
    - x86/efi: Dump the EFI page table
    - x86, pageattr: Export page unmapping interface
    - x86/efi: Make efi virtual runtime map passing more robust
    - x86/efi: Split efi_enter_virtual_mode
    - ia64/efi: Implement efi_enabled()
    - efi: Use NULL instead of 0 for pointer
    - x86, tools: Consolidate #ifdef code
    - x86/efi: Delete dead code when checking for non-native
    - efi: Add separate 32-bit/64-bit definitions
    - x86/efi: Build our own EFI services pointer table
    - x86/efi: Add early thunk code to go from 64-bit to 32-bit
    - x86/efi: Firmware agnostic handover entry points
    - [Config] CONFIG_EFI_MIXED=y
    - x86/efi: Wire up CONFIG_EFI_MIXED
    - x86/efi: Re-disable interrupts after calling firmware services
    - SAUCE: Merge remote-tracking branch 'tip/x86/efi-mixed' into efi-for-mingo
    - x86, tools: Fix up compiler warnings
    - x86/efi: Preserve segment registers in mixed mode
    - x86/efi: Rip out phys_efi_get_time()
    - x86/efi: Restore 'attr' argument to query_variable_info()
    - SAUCE: merge with v3.15
    - fs/efivarfs/super.c: use static const for dentry_operations
    - SAUCE: merge with v3.16
    - efi: efi-stub-helper cleanup
    - efi: create memory map iteration helper
    - efi: Add shared printk wrapper for consistent prefixing
    - efi: Add get_dram_base() helper function
    - efi: x86: Handle arbitrary Unicode characters
    - x86/efi: Delete most of the efi_call* macros
    - x86/efi: Implement a __efi_call_virt macro
    - x86/efi: Save and restore FPU context around efi_calls (x86_64)
    - x86/efi: Save and restore FPU context around efi_calls (i386)
    - efivars: Use local variables instead of a pointer dereference
    - efivars: Check size of user object
    - efivars: Stop passing a struct argument to efivar_validate()
    - efivars: Refactor sanity checking code into separate function
    - efivars: Add compatibility code for compat tasks
    - doc: efi-stub.txt updates for ARM
    - efi: add helper function to get UEFI params from FDT
    - efi: Add shared FDT related functions for ARM/ARM64
    - [Config] CONFIG_LIBFDT=y
    - arm64: add EFI runtime services
    - arm64: efi: add EFI stub
    - doc: arm64: add description of EFI stub support
    - efi/arm64: ignore dtb= when UEFI SecureBoot is enabled
    - arm64: efi: only attempt efi map setup if booting via EFI
    - efi-pstore: Fix an overflow on 32-bit builds
    - firmware: Do not use WARN_ON(!spin_is_locked())
    - x86, ia64: Move EFI_FB vga_default_device() initialization to
      pci_vga_fixup()
    - efivarfs: Ensure VariableName is NUL-terminated
    - x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr
    - x86/efi: Use all 64 bit of efi_memmap in setup_e820()
    - efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
    - x86/efi: Fix boot failure with EFI stub
    - x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime,
      instead of top-down
    - efi/libstub: Fix boundary checking in efi_high_alloc()
    - efi: Fix compiler warnings (unused, const, type)
    - efi: fdt: Do not report an error during boot if UEFI is not available
    - efi: Make our variable validation list include the guid
    - lib/ucs2_string: Add ucs2 -> utf8 helper functions
    - efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version
    - efi/reboot: Add generic wrapper around EfiResetSystem()
    - efi/arm64: efistub: remove local copy of linux_banner
    - x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag
    - efi/reboot: Allow powering off machines using EFI
    - efi: Fix error handling in add_sysfs_runtime_map_entry()
    - efi: Small leak on error in runtime map code
    - arm64/efi: map the entire UEFI vendor string before reading it
    - arm64/efi: add missing call to early_ioremap_reset()
    - efi/arm64: Store Runtime Services revision
    - SAUCE: UEFI: Add secure_modules() call
    - SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
    - SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
    - SAUCE: UEFI: ACPI: Limit access to custom_method
    - SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is
      restricted
    - SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
      restricted
    - SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is
      restricted
    - SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading
      restrictions
    - SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
    - [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
    - SAUCE: UEFI: Add option to automatically enforce module signatures when in
      Secure Boot mode
    - SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
    - SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
    - SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
    - SAUCE: UEFI: Display MOKSBState when disabled
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
    - SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility
    - Revert "x86/efi: Save and restore FPU context around efi_calls (x86_64)"
    - [Config] CONFIG_RTC_DRV_EFI=y

  * proc_keys_show crash when reading /proc/keys (LP: #1634496)
    - KEYS: ensure xbuf is large enough to fix buffer overflow in proc_keys_show
      (LP: #1634496)

  * [Trusty->Yakkety] powerpc/64: Fix incorrect return value from
    __copy_tofrom_user (LP: #1632462)
    - SAUCE: (no-up) powerpc/64: Fix incorrect return value from
      __copy_tofrom_user

  * Ubuntu 16.10: Oops panic in move_page_tables/page_remove_rmap after running
    memory_stress_ng. (LP: #1628976)
    - SAUCE: (no-up) powerpc/pseries: Fix stack corruption in htpe code

  * sha1-powerpc returning wrong results (LP: #1629977)
    - crypto: sha1-powerpc - little-endian support

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
    - SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility

  * linux: MokSBState is ignored (LP: #1571691)
    - SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
    - SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
    - SAUCE: UEFI: Display MOKSBState when disabled

  * linux: Enforce signed module loading when UEFI secure boot (LP: #1566221)
    - SAUCE: UEFI: Add secure_modules() call
    - SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
    - SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
    - SAUCE: UEFI: ACPI: Limit access to custom_method
    - SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is
      restricted
    - SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
      restricted
    - SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is
      restricted
    - SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading
      restrictions
    - SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
    - SAUCE: UEFI: Add option to automatically enforce module signatures when in
      Secure Boot mode
    - SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
    - SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
    - SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
    - SAUCE: UEFI: Display MOKSBState when disabled

  * Utopic update to 3.16.7-ckt5 stable release (LP: #1419125)
    - arm64/efi: add missing call to early_ioremap_reset()

  * Trusty update to 3.16.7-ckt17 stable release (LP: #1500484)
    - arm64/efi: map the entire UEFI vendor string before reading it

  * Utopic update to 3.16.7-ckt8 stable release (LP: #1434595)
    - efi: Small leak on error in runtime map code

  * Utopic update to 3.16.7-ckt12 stable release (LP: #1465613)
    - efi/reboot: Add generic wrapper around EfiResetSystem()
    - x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag
    - efi/reboot: Allow powering off machines using EFI
    - efi: Fix error handling in add_sysfs_runtime_map_entry()

  * Trusty update to 3.16.7-ckt26 stable release (LP: #1563345)
    - efi: Make our variable validation list include the guid
    - lib/ucs2_string: Add ucs2 -> utf8 helper functions
    - efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version

  * Utopic update to 3.16.7-ckt9 stable release (LP: #1441317)
    - efi/libstub: Fix boundary checking in efi_high_alloc()

  * Trusty update to 3.16.7-ckt19 stable release (LP: #1514911)
    - x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime,
      instead of top-down

  * Boot failure with EFI stub (LP: #1603476)
    - x86/efi: Fix boot failure with EFI stub

  * Trusty update to v3.13.11-ckt33 stable release (LP: #1538756)
    - efi: Disable interrupts around EFI calls, not in the epilog/prolog calls

  * Trusty update to 3.13.11-ckt26 stable release (LP: #1493305)
    - x86/efi: Use all 64 bit of efi_memmap in setup_e820()

  * Trusty update to v3.13.11.9 stable release (LP: #1381234)
    - x86, ia64: Move EFI_FB vga_default_device() initialization to
      pci_vga_fixup()

  * CVE-2015-7833
    - usbvision: revert commit 588afcc1

  * CVE-2014-9904
    - ALSA: compress: fix an integer overflow check

  * CVE-2015-3288
    - mm: avoid setting up anonymous pages into file mapping

  * CVE-2016-3961 (LP: #1571020)
    - mm: hugetlb: allow hugepages_supported to be architecture specific
    - s390/hugetlb: add hugepages_supported define
    - x86/mm/xen: Suppress hugetlbfs in PV guests

 -- Seth Forshee <seth.forshee@xxxxxxxxxxxxx>  Thu, 20 Oct 2016 16:50:48 -0500

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9904

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3288

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7833

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3961

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1593075

Title:
  linux: Implement secure boot state variables

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  User space needs a way to determine the state of secure boot and
  MOKSBState.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1593075/+subscriptions

