kernel-packages team mailing list archive
Message #171114
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 4.4.0-18.34
---------------
linux (4.4.0-18.34) xenial; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1566868
* [i915_bpo] Fix RC6 on SKL GT3 & GT4 (LP: #1564759)
- SAUCE: i915_bpo: drm/i915/skl: Fix rc6 based gpu/system hang
- SAUCE: i915_bpo: drm/i915/skl: Fix spurious gpu hang with gt3/gt4 revs
* CONFIG_ARCH_ROCKCHIP not enabled in armhf generic kernel (LP: #1566283)
- [Config] CONFIG_ARCH_ROCKCHIP=y
* [Feature] Memory Bandwidth Monitoring (LP: #1397880)
- perf/x86/cqm: Fix CQM handling of grouping events into a cache_group
- perf/x86/cqm: Fix CQM memory leak and notifier leak
- x86/cpufeature: Carve out X86_FEATURE_*
- Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
- x86/topology: Create logical package id
- perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init
- perf/x86/mbm: Add memory bandwidth monitoring event management
- perf/x86/mbm: Implement RMID recycling
- perf/x86/mbm: Add support for MBM counter overflow handling
* User namespace mount updates (LP: #1566505)
- SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns
- SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids
- SAUCE: fuse: Don't initialize user_id or group_id in mount options
- SAUCE: cgroup: Use a new super block when mounting in a cgroup namespace
- SAUCE: fs: fix a posible leak of allocated superblock
* [arm64] kernel BUG at /build/linux-StrpB2/linux-4.4.0/fs/ext4/inode.c:2394!
(LP: #1566518)
- arm64: Honour !PTE_WRITE in set_pte_at() for kernel mappings
- arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission
* [Feature]USB core and xHCI tasks for USB 3.1 SuperSpeedPlus (SSP) support
for Alpine Ridge on SKL (LP: #1519623)
- usb: define USB_SPEED_SUPER_PLUS speed for SuperSpeedPlus USB3.1 devices
- usb: set USB 3.1 roothub device speed to USB_SPEED_SUPER_PLUS
- usb: show speed "10000" in sysfs for USB 3.1 SuperSpeedPlus devices
- usb: add device descriptor for usb 3.1 root hub
- usb: Support USB 3.1 extended port status request
- xhci: Make sure xhci handles USB_SPEED_SUPER_PLUS devices.
- xhci: set roothub speed to USB_SPEED_SUPER_PLUS for USB3.1 capable controllers
- xhci: USB 3.1 add default Speed Attributes to SuperSpeedPlus device capability
- xhci: set slot context speed field to SuperSpeedPlus for USB 3.1 SSP devices
- usb: Add USB3.1 SuperSpeedPlus Isoc Endpoint Companion descriptor
- usb: Parse the new USB 3.1 SuperSpeedPlus Isoc endpoint companion descriptor
- usb: Add USB 3.1 Precision time measurement capability descriptor support
- xhci: refactor and cleanup endpoint initialization.
- xhci: Add SuperSpeedPlus high bandwidth isoc support to xhci endpoints
- xhci: cleanup isoc tranfers queuing code
- xhci: Support extended burst isoc TRB structure used by xhci 1.1 for USB 3.1
- SAUCE: (noup) usb: fix regression in SuperSpeed endpoint descriptor parsing
* wrong/missing permissions for device file /dev/prandom (prng.ko)
(LP: #1558275)
- s390/crypto: provide correct file mode at device register.
* The Front MIC jack can't work on a HP desktop machine (LP: #1564712)
- ALSA: hda - fix front mic problem for a HP desktop
* HP Notebook Probook 440 G3 HDA Intel PCH horrible sounds while booting
(LP: #1556228)
- ALSA: hda - Apply reboot D3 fix for CX20724 codec, too
* please provide mmc-modules udeb (LP: #1565765)
- [Config] Add mmc block drivers to d-i
* linux: Enforce signed module loading when UEFI secure boot (LP: #1566221)
- Add secure_modules() call
- PCI: Lock down BAR access when module security is enabled
- x86: Lock down IO port access when module security is enabled
- ACPI: Limit access to custom_method
- asus-wmi: Restrict debugfs interface when module loading is restricted
- Restrict /dev/mem and /dev/kmem when module loading is restricted
- acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
- kexec: Disable at runtime if the kernel enforces module loading restrictions
- x86: Restrict MSR access when module loading is restricted
- [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=n
- Add option to automatically enforce module signatures when in Secure Boot mode
- efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
- efi: Add EFI_SECURE_BOOT bit
- hibernate: Disable in a signed modules environment
* [Hyper-V] Additional PCI passthrough commits (LP: #1565967)
- PCI: Add fwnode_handle to x86 pci_sysdata
- PCI: Look up IRQ domain by fwnode_handle
- [Config] CONFIG_PCI_HYPERV=m
- PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs
* [Bug]Lenovo Yoga 260 and Carbon X1 4th gen freeze on HWP enable
(LP: #1559923)
- ACPI / processor: Request native thermal interrupt handling via _OSC
* Sync kernel zfs 0.6.5.6 - align with zfsutils-linux and spl packages
(LP: #1564591)
- SAUCE: (noup) Update spl to 0.6.5.6-0ubuntu1, zfs to 0.6.5.6-0ubuntu3
* [Ubuntu 16.04.1] RELEASE and ACQUIRE atomics on Power (LP: #1556096)
- atomics: Allow architectures to define their own __atomic_op_* helpers
- powerpc: atomic: Implement atomic{, 64}_*_return_* variants
- powerpc: atomic: Implement acquire/release/relaxed variants for xchg
- powerpc: atomic: Implement acquire/release/relaxed variants for cmpxchg
* fix for do_tools_cpupower when cross-compiling (LP: #1564206)
- [Debian] cpupower uses non-standard CROSS
* ISST:LTE: Regression: roselp2 Oops in kernel during setup io (LP: #1546439)
- SAUCE: block: partition: initialize percpuref before sending out KOBJ_ADD
* Unable to migrate container (LP: #1563921)
- SAUCE: cgroup mount: ignore nsroot=
* [Hyper-V] patch inclusion in 16.04 for NIC hot add/remove (LP: #1563688)
- hv_netvsc: Move subchannel waiting to rndis_filter_device_remove()
* /proc/$pid/maps performance regression (LP: #1547231)
- proc: revert /proc/<pid>/maps [stack:TID] annotation
* TPM2.0 trusted keys fixes (LP: #1398274)
- tpm: remove unneeded include of actbl2.h
- tpm: fix checks for policy digest existence in tpm2_seal_trusted()
- tpm_crb: Use the common ACPI definition of struct acpi_tpm2
- tpm_tis: Disable interrupt auto probing on a per-device basis
- tpm_tis: Do not fall back to a hardcoded address for TPM2
- tpm_tis: Use devm_ioremap_resource
- tpm_tis: Clean up the force=1 module parameter
- tpm_crb: Drop le32_to_cpu(ioread32(..))
- tpm_crb: Use devm_ioremap_resource
- tpm: fix the rollback in tpm_chip_register()
- tpm: fix the cleanup of struct tpm_chip
- tpm: fix: set continueSession attribute for the unseal operation
- tpm: fix: return rc when devm_add_action() fails
- tpm_eventlog.c: fix binary_bios_measurements
- tpm_crb/tis: fix: use dev_name() for /proc/iomem
- tpm_crb: tpm2_shutdown() must be called before tpm_chip_unregister()
- tpm_tis: fix build warning with tpm_tis_resume
* [Feature]intel_idle driver support for Knights Landing (LP: #1461365)
- intel_idle: Support for Intel Xeon Phi Processor x200 Product Family
* cxlflash: Backport upstream cxlflash commits and submitting a noup patch to
Xenial (LP: #1563485)
- cxlflash: Fix to avoid unnecessary scan with internal LUNs
- cxlflash: Increase cmd_per_lun for better throughput
- SAUCE: (noup) cxlflash: Move to exponential back-off when cmd_room is not available
* Miscellaneous Ubuntu changes
- [Config] do_zfs_powerpc64-smp = true
- [Debian] fix linux_tools when cross-compiling
- [Config] do_zfs_powerpc64-smp use default value
- SAUCE: apparmor: Fix FTBFS due to bad include path
- SAUCE: i915_bpo: Disable preliminary hw support
-- Tim Gardner <tim.gardner@xxxxxxxxxxxxx> Tue, 29 Mar 2016 15:31:33 -0600
** Changed in: linux (Ubuntu Xenial)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1566221
Title:
linux: Enforce signed module loading when UEFI secure boot
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
Fix Released
Bug description:
Add code to implement secure boot checks. Unsigned or incorrectly
signed modules will continue to install while tainting the kernel
_until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled.