On Thu, Nov 9, 2023 at 8:29 AM Josh Boyer wrote:
>
> On Thu, Nov 9, 2023 at 8:23 AM Prarit Bhargava wrote:
> >
> > On 11/9/23 08:13, Josh Boyer wrote:
> > > On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava wrote:
> > >>
> > >> On 11/8/23
On Thu, Nov 9, 2023 at 8:23 AM Prarit Bhargava wrote:
>
> On 11/9/23 08:13, Josh Boyer wrote:
> > On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava wrote:
> >>
> >> On 11/8/23 08:33, Prarit Bhargava wrote:
> >>> Hey everyone,
>
On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava wrote:
>
> On 11/8/23 08:33, Prarit Bhargava wrote:
> > Hey everyone,
> >
> > The current kernel configs generate
> >
> > # CONFIG_MODULE_SIG_FORCE is not set
> > CONFIG_MODULE_SIG_ALL=y
> > # CONFIG_MODULE_SIG_SHA256 is not set
> > #
On Wed, Dec 2, 2020 at 4:18 PM Paul Bolle wrote:
>
> Paul Bolle schreef op wo 02-12-2020 om 21:30 [+0100]:
> > Currently there seem to be over 6000 texlive packages. (Quick and dirty
> > measurements, sorry.) So splitting the kernel into an absurd number of
> > packages for (obscure) modules
On Wed, Dec 2, 2020 at 3:32 PM Paul Bolle wrote:
>
> Marcelo Ricardo Leitner schreef op wo 02-12-2020 om 17:11 [-0300]:
> > Maybe, then taking it to the extreme, less common modules can all have its
> > own rpm package ;-)
>
> Vague ideas like this crossed my mind too.
>
> The local build I just
On Wed, Dec 2, 2020 at 2:15 PM Matthew Miller wrote:
>
> On Wed, Dec 02, 2020 at 10:31:17AM -0500, Bastien Nocera wrote:
> > You should see the hoops people go through to make their controllers work,
> > either installing user-space drivers, or finding out how to solve the
> > problem
> > by
On Wed, Mar 11, 2020 at 1:26 PM Josh Boyer wrote:
>
> On Wed, Mar 11, 2020 at 1:21 PM Jeremy Cline wrote:
> >
> > On Wed, 2020-03-11 at 12:58 -0400, Josh Boyer wrote:
> > > On Wed, Mar 11, 2020 at 12:41 PM Jeremy Cline
> > > wrote:
> > >
On Wed, Apr 15, 2020 at 5:32 AM Thorsten Leemhuis wrote:
>
> Am 15.04.20 um 00:37 schrieb Jeremy Cline:
> > On Tue, 2020-04-07 at 15:33 +, Jeremy Cline wrote:
> >> On Wed, 2020-03-11 at 16:40 +, Jeremy Cline wrote:
> >>
> >> Just a note folks, the plan is to do this starting next week
On Fri, Mar 13, 2020 at 9:49 AM Neal Gompa wrote:
>
> On Fri, Mar 13, 2020 at 9:42 AM Josh Boyer wrote:
> >
> > On Fri, Mar 13, 2020 at 7:08 AM Neal Gompa wrote:
> > >
> > > On Fri, Mar 13, 2020 at 7:02 AM Bastien Nocera wrote:
> > > >
On Fri, Mar 13, 2020 at 9:51 AM Peter Robinson wrote:
>
> > > > > >> The git tags are still signed by Linus. Does that cover your
> > > > > >> concerns?
> > > > > >
> > > > > > Not really, no. I think that multiplying the intermediaries between
> > > > > > kernel.org
> > > > > > and the Fedora
On Fri, Mar 13, 2020 at 7:08 AM Neal Gompa wrote:
>
> On Fri, Mar 13, 2020 at 7:02 AM Bastien Nocera wrote:
> >
> >
> >
> > - Original Message -
> > >
> > >
> > > On 3/12/20 10:57 AM, Bastien Nocera wrote:
> > > >
> > > >
> > > > - Original Message -
> > > >
> > > >> The git
On Wed, Mar 11, 2020 at 1:21 PM Jeremy Cline wrote:
>
> On Wed, 2020-03-11 at 12:58 -0400, Josh Boyer wrote:
> > On Wed, Mar 11, 2020 at 12:41 PM Jeremy Cline
> > wrote:
> > > Hi folks,
> > >
> > > This should come as no surprise to those who ha
On Wed, Mar 11, 2020 at 12:41 PM Jeremy Cline wrote:
>
> Hi folks,
>
> This should come as no surprise to those who have been following the
> kernel list and/or saw Laura's Flock talk last summer, but there are
> some changes to the way the Fedora kernel is maintained coming in the
> next couple
On Wed, Aug 28, 2019 at 2:40 PM Josef Bacik wrote:
>
> On Wed, Aug 28, 2019 at 02:35:39PM -0400, Laura Abbott wrote:
> > On 8/28/19 1:58 PM, Josef Bacik wrote:
> > > On Tue, Aug 27, 2019 at 07:53:20AM -0400, Laura Abbott wrote:
> > > > On 8/26/19 11:39 PM, Neal Gompa wrote:
> > > > > On Mon, Aug
On Tue, Aug 27, 2019 at 8:48 AM Neal Gompa wrote:
>
> On Tue, Aug 27, 2019 at 8:30 AM Josh Boyer wrote:
> >
> > On Tue, Aug 27, 2019 at 8:10 AM Neal Gompa wrote:
> > >
> > > On Tue, Aug 27, 2019 at 7:41 AM Josh Boyer
> > > wrote:
> > >
On Tue, Aug 27, 2019 at 8:10 AM Neal Gompa wrote:
>
> On Tue, Aug 27, 2019 at 7:41 AM Josh Boyer wrote:
> >
> > On Tue, Aug 27, 2019 at 7:19 AM Neal Gompa wrote:
> > >
> > > On Tue, Aug 27, 2019 at 5:55 AM wrote:
> > > >
> > >
On Tue, Aug 27, 2019 at 7:19 AM Neal Gompa wrote:
>
> On Tue, Aug 27, 2019 at 5:55 AM wrote:
> >
> > On Mon, 2019-08-26 at 23:54 -0400, Neal Gompa wrote:
> > > On Mon, Aug 26, 2019 at 7:16 AM wrote:
> > > >
> > > > I understand them. The point is, for them and even us (the
> > > > installer)
>
On Wed, Aug 21, 2019 at 2:47 PM Paul Moore wrote:
>
> Hello,
>
> Last year there was a change to how the kernel-headers package is
> built, and unfortunately that change made it so that changes to the
> kernel's buildid variable do not carry over to the kernel-header's
> build. While I
On Thu, Aug 15, 2019 at 3:58 PM Laura Abbott wrote:
>
> We've come a long way. Let's just leave these drivers alone.
Can we not build them at all instead? Or put them in modules-extra if
we're too chicken to disable them entirely.
josh
> Signed-off-by: Laura Abbott
> ---
>
f --git a/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
> b/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
> deleted file mode 100644
> index 5e6d6611e..00000
> --- a/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
> +++ /dev/null
> @@ -1,34
On Thu, Aug 15, 2019 at 4:02 PM Laura Abbott wrote:
>
> This has since been replaced by other in kernel pieces. We
> can finally drop it.
Which pieces?
josh
>
> Signed-off-by: Laura Abbott
> ---
> crash-driver.patch | 722 -
> kernel.spec|
On Mon, Aug 12, 2019 at 11:23 AM Paul Moore wrote:
>
> On Fri, Aug 9, 2019 at 8:31 AM Paul Moore wrote:
> >
> > Hello all,
> >
> > I'm not sure if this is the place for this, but if not perhaps you
> > could point me in the right direction?
> >
> > I'm looking for the certificate associated with
On Thu, Oct 25, 2018 at 7:50 AM Nicolas Chauvet wrote:
>
> Le mar. 23 oct. 2018 à 17:54, Josh Boyer a écrit :
> >
> > On Tue, Oct 23, 2018 at 11:12 AM Nicolas Chauvet wrote:
> > >
> > > Cross compiled kernel headers are installed into /usr/*-linux-gnu/includ
On Tue, Oct 23, 2018 at 11:12 AM Nicolas Chauvet wrote:
>
> Cross compiled kernel headers are installed into /usr/*-linux-gnu/include/
> instead of /usr/*-linux-gnu/sys-root/usr/include/ where they can be
> found by default by the Fedora cross compiler toolchain.
Is that a new change in how the
On Sun, Jul 22, 2018 at 10:54 AM stan wrote:
>
> I've been having an issue with Fedora virtual consoles coming up with
> the wrong color scheme for a while. Instead of coming up with white on
> black, they come up as grey on white. When I startx, X resets the
> parameters and they revert to
On Tue, Jan 9, 2018 at 1:51 PM, Maxim Burgerhout wrote:
> I'm getting kernel panics in a VM that functions as a hypervisor, the moment
> I spin up the nested guest (on AMD ThreadRipper / Fedora 27). That is
> annoying, of course, so I try to be a good citizen and file a bug.
>
>
On Tue, Jan 2, 2018 at 4:55 PM, Paul Bolle wrote:
> On Tue, 2018-01-02 at 12:32 -0800, Laura Abbott wrote:
>> On 01/02/2018 08:35 AM, Paul Bolle wrote:
>> > A bit off topic: I suppose at the ultimate goal is to do rpmbuild from
>> > within
>> > a proper git clone of the
On Tue, Jan 2, 2018 at 4:35 PM, Paul Bolle <pebo...@tiscali.nl> wrote:
> On Tue, 2018-01-02 at 16:28 -0500, Josh Boyer wrote:
>> So if you want to use git apply instead of patch, I have no objections
>> that I can remember. It'll just require some extra work to make sure
>
On Sun, Dec 31, 2017 at 9:13 PM, Laura Abbott wrote:
> On 12/30/2017 04:52 AM, Paul Bolle wrote:
>>
>> 0) The v4.14.10 stable updates adds a new executable (tools/objtool/sync-
>> check.sh). Somehow this was added non-executable during my local build of
>> v4.14.10 (on fc26,
On Tue, Dec 19, 2017 at 6:03 AM, Hans de Goede wrote:
> Hi All,
>
> Good news, the vboxguest driver has been queued for
> upstream merging in char-misc-next. This just happened
> so I want to wait for a couple of days to make sure
> they stick and they do not get reverted for
On Wed, Nov 29, 2017 at 10:16 AM, Prarit Bhargava <pra...@redhat.com> wrote:
>
>
> On 11/29/2017 10:07 AM, Josh Boyer wrote:
>> On Wed, Nov 29, 2017 at 9:58 AM, Prarit Bhargava <pra...@redhat.com> wrote:
>>> On 11/28/2017 09:16 PM, Josh Boyer wrote:
>>
On Wed, Nov 29, 2017 at 9:58 AM, Prarit Bhargava <pra...@redhat.com> wrote:
> On 11/28/2017 09:16 PM, Josh Boyer wrote:
>> On Tue, Nov 28, 2017 at 5:03 PM, Laura Abbott <labb...@redhat.com> wrote:
>>> Like all good bits of software, the kernel.spec has grown over tim
On Tue, Nov 28, 2017 at 5:03 PM, Laura Abbott wrote:
> Like all good bits of software, the kernel.spec has grown over time.
> Part of this growth has come from building more of the userspace
> tools that live under the tools directory of the kernel. I've been
> experimenting
On Wed, Nov 15, 2017 at 6:09 PM, R P Herrold wrote:
> On Tue, 14 Nov 2017, Steven Whitehouse wrote:
>
>> I think it is probably overdue in the DECnet case, however I
>> did get a very happy with it for the most part. Anyway it is
>> clear that nobody is maintaining it and it
On Wed, Nov 8, 2017 at 2:14 PM, Don Zickus <dzic...@redhat.com> wrote:
> On Wed, Nov 08, 2017 at 01:48:36PM -0500, Josh Boyer wrote:
>> >> [1] https://github.com/npmccallum/census
>> >> [2] https://github.com/npmccallum/census/blob/master/client/plugins/
>>
On Wed, Nov 8, 2017 at 12:34 PM, Don Zickus wrote:
> On Tue, Nov 07, 2017 at 10:49:02PM +, Jeremy Cline wrote:
>> Hey folks,
>>
>> For some time now, Fedora has operated without a database of hardware
>> users have. Smolt, the old hardware database, was retired in 2012[0]
On Mon, Sep 11, 2017 at 1:22 PM, Justin Forbes wrote:
> On Fri, Sep 8, 2017 at 9:41 PM, Jeff Backus wrote:
>
>> (Apologies - resending because I wasn't subscribed earlier)
>>
>> Hi list,
>>
>> I'm contacting you on behalf of the x86 SIG. Today FESCo
On Tue, Sep 5, 2017 at 6:25 PM, James Hogarth wrote:
>
>
> On 5 September 2017 at 22:40, Chris Murphy wrote:
>>
>> On Tue, Sep 5, 2017 at 3:38 PM, Chris Murphy
>> wrote:
>>
>> > FWIW, you can just download the F27
On Fri, Aug 11, 2017 at 6:25 AM, Dan Horák wrote:
> All supported platforms have IOMMU, thus disable.
> ---
> baseconfig/powerpc/CONFIG_SWIOTLB | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
I fixed this up to have a blurb in the kernel.spec changelog and
pushed it to
On Mon, Jul 24, 2017 at 9:40 AM, Nicolas Chauvet <kwiz...@gmail.com> wrote:
> 2017-07-24 15:28 GMT+02:00 Josh Boyer <jwbo...@fedoraproject.org>:
>> On Mon, Jul 24, 2017 at 9:20 AM, Nicolas Chauvet <kwiz...@gmail.com> wrote:
>>
>> Please add a descriptive ch
On Fri, Jul 14, 2017 at 7:46 AM, Sérgio Basto wrote:
> Hi,
> I have a bug report that can't build virtualbox kmods for kernels on
> rawhide
>
> Larry Finger for opensuse wrote:
>
> Yes, it does not work for kernel 4.11. The "#ifndef" will eventually be
> replaced
> by "#if
On Thu, Jul 13, 2017 at 8:24 AM, Petr Pisar <ppi...@redhat.com> wrote:
> On Thu, Jul 13, 2017 at 08:15:14AM -0400, Josh Boyer wrote:
>> On Thu, Jul 13, 2017 at 3:54 AM, <notificati...@fedoraproject.org> wrote:
>> > From 575a9e2f6afcad8fa21ca7b0c38278730e2670db Mon
On Thu, Jul 13, 2017 at 3:54 AM, wrote:
> From 575a9e2f6afcad8fa21ca7b0c38278730e2670db Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
> Date: Thu, 13 Jul 2017 09:54:13 +0200
> Subject: perl dependency renamed to
On Fri, Jun 9, 2017 at 9:02 AM, wrote:
>
> Hi Laura,
>
> Thanks for the reply, and indeed it works like a charm when I put that
> #x86_64 header in the config file, likewise the kernel-local file also works
> perfectly, when I keep the header in the file.
>
> One of
On Tue, Feb 28, 2017 at 4:02 AM, Nicolas Chauvet wrote:
> 2017-02-16 19:33 GMT+01:00 Nicolas Chauvet :
>> 2017-02-16 19:26 GMT+01:00 Nicolas Chauvet :
>>> ---
>>> kernel.spec | 1 -
>>> 1 file changed, 1 deletion(-)
>>>
>>> diff --git
On Fri, Feb 3, 2017 at 2:13 PM, Justin Forbes <jfor...@redhat.com> wrote:
> On Fri, Feb 3, 2017 at 11:08 AM, Josh Boyer <jwbo...@fedoraproject.org>
> wrote:
>>
>> On Thu, Feb 2, 2017 at 11:53 AM, Dan Horák <d...@danny.cz> wrote:
>>
>> Ack. We did s
On Thu, Feb 2, 2017 at 11:53 AM, Dan Horák wrote:
Ack. We did similar changes in rpm macros already so that gcc builds
for this platform by default. Glibc will be making equivalent changes
as well.
josh
> ---
> baseconfig/s390x/CONFIG_MARCH_Z900 | 1 -
>
On Wed, Jan 18, 2017 at 9:28 AM, Hans de Goede <hdego...@redhat.com> wrote:
> Hi,
>
>
> On 18-01-17 13:10, Josh Boyer wrote:
>>
>> On Wed, Jan 18, 2017 at 5:18 AM, Hans de Goede <hdego...@redhat.com>
>>> And I still end up at my original unanswered ques
On Wed, Jan 18, 2017 at 5:18 AM, Hans de Goede wrote:
> Hi,
>
>
> On 17-01-17 21:59, Laura Abbott wrote:
>>
>> On 01/17/2017 05:19 AM, Hans de Goede wrote:
>>>
>>> Hi,
>>>
>>> On 17-01-17 14:12, Thorsten Leemhuis wrote:
Lo! Three quick questions from someone who for
On Thu, Jan 12, 2017 at 8:47 AM, Benson Muite
<benson_mu...@emailplus.org> wrote:
>
>
> On 01/12/2017 03:32 PM, Josh Boyer wrote:
>>
>> On Thu, Jan 12, 2017 at 8:22 AM, Benson Muite
>> <benson_mu...@emailplus.org> wrote:
>>>
>>> Hi
On Thu, Jan 12, 2017 at 8:22 AM, Benson Muite
wrote:
> Hi,
>
> Is there a repository of compiled linux kernels for Fedora similar to that
> for Ubuntu at:
> http://kernel.ubuntu.com/~kernel-ppa/mainline/
Nothing quite like that, no. All the kernels built and shipped
On Tue, Dec 20, 2016 at 1:18 PM, Jóhann B. Guðmundsson
<johan...@gmail.com> wrote:
> On 12/15/2016 12:01 PM, Josh Boyer wrote:
>
>> On Thu, Dec 15, 2016 at 5:37 AM, Hans de Goede <hdego...@redhat.com>
>> wrote:
>>>
>>> Hi,
>>>
>>
On Thu, Dec 15, 2016 at 5:37 AM, Hans de Goede wrote:
> Hi,
>
> I stumbled over this while looking into something completely different,
> according to:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=172411
>
> At this point in time it is better to not enable
>
On Thu, Dec 1, 2016 at 9:58 AM, Don Zickus wrote:
> On Thu, Dec 01, 2016 at 07:53:06AM -0600, Justin Forbes wrote:
>> On Wed, Nov 30, 2016 at 8:03 PM, Don Zickus wrote:
>>
>> > On Wed, Nov 30, 2016 at 04:25:30PM -0800, Laura Abbott wrote:
>> > > > I don't
On Wed, Nov 30, 2016 at 6:19 PM, Justin Forbes <jfor...@redhat.com> wrote:
> On Wed, Nov 30, 2016 at 4:33 PM, Josh Boyer <jwbo...@fedoraproject.org>
> wrote:
>>
>> On Wed, Nov 30, 2016 at 5:29 PM, Paul Bolle <pebo...@tiscali.nl> wrote:
>> > On Wed
On Wed, Nov 30, 2016 at 5:29 PM, Paul Bolle wrote:
> On Wed, 2016-11-30 at 17:15 -0500, Don Zickus wrote:
>> I noticed that CONFIG_MODVERSIONS was not enabled in Fedora. I do not know
>> the history and would be curious to know if someone knew.
>>
>> Otherwise, I would like
On Tue, Nov 22, 2016 at 2:14 PM, Jon Masters wrote:
> Hi Folks,
>
> A quick reminder that, while 48-bit VA is enabled in rawhide/26:
>
> commit c0f22caded1d549e532d2ab3ce767f8f3d2206f8
> Author: Peter Robinson
> Date: Mon Oct 31 15:45:58 2016
On Tue, Nov 15, 2016 at 6:11 AM, Dan Horák wrote:
> This is intended for f26/rawhide only.
>
>
> Dan
>
> On Tue, 15 Nov 2016 11:38:25 +0100
> Dan Horák wrote:
>
>> ---
>> config-s390x | 4 +---
>> 1 file changed, 1 insertion(+), 3 deletions(-)
>>
>>
On Mon, Nov 14, 2016 at 2:08 PM, Paul Bolle <pebo...@tiscali.nl> wrote:
> On Thu, 2016-11-10 at 19:38 -0500, Josh Boyer wrote:
>> [...] but it can't be at the expense of people that have
>> to do things with this package multiple times a day.
>
> Sure.
>
> But -
On Thu, Nov 10, 2016 at 4:03 PM, Peter Robinson wrote:
> On Thu, Nov 10, 2016 at 8:59 PM, Paul Bolle wrote:
>> On Thu, 2016-11-10 at 20:28 +, Peter Robinson wrote:
>>> I agree with Josh, what is it that you're actually trying to achieve here?
>>
>>
On Thu, Nov 10, 2016 at 11:08 AM, Paul Bolle wrote:
> During the %prep phase we run "make listnewconfig" and "make oldnoconfig" for
> all six supported architectures (arm64, arm, i386, powerpc, s390, and x86_64).
> We only care about the set of .configs that is relevant for
On Thu, Nov 10, 2016 at 11:08 AM, Paul Bolle wrote:
> We don't build for (31 bits) s390 but only for (64 bits) s390x. So remove a
> few
> irrelevant references to s390.
>
> Signed-off-by: Paul Bolle
Seems fine.
josh
> ---
> kernel.spec | 8
>
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
Have the uefi import code look for this and not import things from the db
variable.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.
certificates into
the newly introduced system blacklist keyring and forbid any module
signed with those from loading.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
---
certs/system_keyring.c| 13 ++
include/keys/system_keyring.h | 1 +
init/Kconfig
.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
---
certs/system_keyring.c| 22 ++
include/keys/system_keyring.h | 4
init/Kconfig | 9 +
3 files changed, 35 insertions(+)
diff --git a/certs/system_keyring.c b
From: Kyle McMartin
Bugzilla: N/A
Upstream-status: Fedora mustard
---
arch/x86/kernel/setup.c | 36
drivers/input/misc/uinput.c | 1 +
drivers/tty/sysrq.c | 19 +--
include/linux/input.h | 5 +
From: Dave Howells
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
[labb...@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]
Signed-off-by: David Howells
---
crypto/asymmetric_keys/Kconfig | 8 +++
From: Matthew Garrett
Writing to MSRs should not be allowed if module loading is restricted,
since it could lead to execution of arbitrary code in kernel mode. Based
on a patch by Kees Cook.
Cc: Kees Cook
Signed-off-by: Matthew Garrett
From: Dave Howells
Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification.
Bugzilla: N/A
Upstream-status: Fedora mustard for now
Signed-off-by: David Howells
---
include/linux/efi.h | 17
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it in
a secure modules environment.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
---
arch/x86/kernel/setup.c | 2 ++
include/linux/efi.h | 1 +
2 files changed, 3 insertions(+)
diff --git a/arch/x86/kernel/set
boot mode if that variable is set.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
---
arch/x86/boot/compressed/eboot.c | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
From: Matthew Garrett
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that all kernel modules also be signed. Add a configuration option
that enforces this
Add the definitions for shim and image security database, both of which
are used widely in various Linux distros.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
---
include/linux/efi.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
From: Matthew Garrett
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if any such restrictions have been enabled.
Signed-off-by: Matthew Garrett
From: Matthew Garrett
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that module signing enforcement is meant to prevent. It makes
sense to disable kexec in this situation.
Signed-off-by: Matthew Garrett
From: Matthew Garrett
We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
be manipulated in such a way that arbitrary code can be executed in the
kernel, circumventing module
From: Matthew Garrett
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
kernel code, allowing them to circumvent disabled module loading or module
signing. Default to
From: Matthew Garrett
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
only modules signed with a trusted key.
Bugzilla: N/A
Upstream-status: Fedora mustard. Replaced
From: Matthew Garrett
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
space. This would potentially permit root to trigger arbitrary DMA, so lock
it down by default.
The upstream 0-day bot found an issue with the existing patchset in the
rawhide kernel. Everything builds fine as a whole, but if one were to
bisect the patches, a build would break because the shim GUID is used
in a patch before it is actually defined.
Fix this by inserting a patch in the
On Mon, Oct 10, 2016 at 2:02 PM, Peter Robinson wrote:
> Hi Laura, Justin, et al,
>
> I've been playing with a handful of cheap USB wireless modules for
> support on the Raspberry Pi and other similar devices.
>
> I've noticed that there's a bunch of overlap regarding usb
On Mon, Aug 22, 2016 at 9:18 PM, Jarod Wilson <ja...@redhat.com> wrote:
> On Mon, Aug 22, 2016 at 08:34:02PM -0400, Josh Boyer wrote:
>> On Mon, Aug 22, 2016 at 8:22 PM, Jarod Wilson <ja...@redhat.com> wrote:
>> > On Mon, Aug 22, 2016 at 03:50:22PM -0600, Chris Murp
On Tue, Aug 23, 2016 at 4:05 AM, Peter Robinson wrote:
The secure boot patches have been around in the Fedora tree for a
while
now.
They work well enough but there has not been much active work in
getting
them accepted
On Mon, Aug 22, 2016 at 8:22 PM, Jarod Wilson wrote:
> On Mon, Aug 22, 2016 at 03:50:22PM -0600, Chris Murphy wrote:
>> On Mon, Aug 22, 2016 at 3:14 PM, Laura Abbott wrote:
>> > On 08/22/2016 01:16 PM, Chris Murphy wrote:
>> >>
>> >> On Mon, Aug 22, 2016 at
On Mon, Aug 22, 2016 at 6:05 AM, Edward O'Callaghan
wrote:
> Hi,
>
> Is there any movement on this? Sorry to rush but, without 4.7, polaris GPU's
> are unsupported. Thus the changesets in amdgpu are critical for that hw
> bringup, hence *really* looking forward to
On Tue, Aug 16, 2016 at 9:31 PM, Zbigniew Jędrzejewski-Szmek
wrote:
> Unfortunately, due to the disagreements in the kernel development
> community, CPU controller cgroup v2 support has not been merged and
> enabling it requires applying two small out-of-tree kernel
> patches.
On Tue, Aug 9, 2016 at 2:32 PM, Josh Boyer <jwbo...@fedoraproject.org> wrote:
> Hi kernel people,
>
> Recently the upstream 0-Day build testing project started building the
> exploded kernel git tree for Fedora on kernel.org:
>
> https://git.kernel.org/cgit/linux/kerne
Hi kernel people,
Recently the upstream 0-Day build testing project started building the
exploded kernel git tree for Fedora on kernel.org:
https://git.kernel.org/cgit/linux/kernel/git/jwboyer/fedora.git/
That was somewhat of a surprise. It has found a few things here and
there, mostly in
On Fri, Jul 29, 2016 at 9:03 AM, Bastien Nocera wrote:
> Yes, see the upstream "Input: surface3_spi - add surface pen support for
> Surface 3" patch.
> But that's just the tip of the pen, the button at the top of it is a
> Bluetooth device, so if you want to be more precise
On Thu, Jul 28, 2016 at 7:35 AM, Bastien Nocera wrote:
> From: Bastien Nocera
>
> ---
> config-x86-generic | 2 +-
> kernel.spec| 5 -
> 2 files changed, 5 insertions(+), 2 deletions(-)
Fixed up to apply and pushed. A small comment below.
>
On Sat, Jul 16, 2016 at 6:29 AM, Hans de Goede <hdego...@redhat.com> wrote:
> Hi,
>
> On 14-07-16 15:31, Josh Boyer wrote:
>>
>> On Thu, Jul 14, 2016 at 8:48 AM, Hans de Goede <hdego...@redhat.com>
>> wrote:
>>>
>>> Hi Kernel-team,
>>
On Thu, Jul 14, 2016 at 8:48 AM, Hans de Goede wrote:
> Hi Kernel-team,
>
> I'm going on vacation for 2 weeks starting tomorrow, so I do
> not have time to do proper follow-up on these 3 patches,
> but IMHO it would be good to include these in the next
> Fedora kernel build:
On Thu, Jun 30, 2016 at 8:21 AM, Christopher Covington
wrote:
> Hi,
>
> Apologies if this is already documented somewhere, but I wasn't able to
> find it. What upstream kernel version(s) might Fedora 25 use?
We don't know yet. It depends on the upstream kernel release
On Fri, Jun 17, 2016 at 1:54 PM, Hans de Goede wrote:
> Hi,
>
> On 17-06-16 18:35, Peter Robinson wrote:
>>
>> On Fri, Jun 17, 2016 at 5:21 PM, Justin Forbes wrote:
>>>
>>> This does indeed sound like a good plan, and would be much appreciated.
>>
>>
>>
On Wed, Jun 15, 2016 at 11:29 AM, Jiri Pirko wrote:
> Wed, Jun 15, 2016 at 05:22:23PM CEST, ido...@idosch.org wrote:
>>Wed, Jun 15, 2016 at 06:15:29PM IDT, labb...@redhat.com wrote:
>>>On 06/15/2016 02:55 AM, Ido Schimmel wrote:
Hi,
I work on a driver
On Tue, Jun 14, 2016 at 3:47 PM, Laura Abbott wrote:
> On 06/13/2016 12:54 PM, Paul Bolle wrote:
>>
>> On vr, 2016-06-10 at 12:42 -0700, Miguel Flores Silverio wrote:
>>>
>>> +rpmbuild --target $1 --without debuginfo --without perf --without tools
>>> --rebuild $2
>>
>>
>>
On Mon, Jun 13, 2016 at 4:34 PM, Prarit Bhargava <pra...@redhat.com> wrote:
>
>
> On 06/13/2016 03:35 PM, Laura Abbott wrote:
>> On 06/13/2016 11:41 AM, Josh Boyer wrote:
>>> On Mon, Jun 13, 2016 at 2:32 PM, Prarit Bhargava <pra...@redhat.com> wrote:
>>
On Fri, Jun 10, 2016 at 3:23 PM, Miguel Flores Silverio
wrote:
> No longer needed. Use rpmdev-bumpspec instead.
Ack. Not too long ago rpmdev-bumpspec didn't actually parse the
kernel spec's macro handling so it wouldn't work. That has been fixed
for a while though.
On Fri, Jun 10, 2016 at 3:30 PM, Miguel Flores Silverio
wrote:
> Functionality already implemented in kernel.spec file.
Ack.
For the history inclined, DaveJ tried to speed up 'make prep' in the
kernel spec by removing this functionality and only doing it for the
current