Merge tag 'asoc-fix-v5.18-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v5.18

A collection of fixes that came in since the merge window, plus

Merge tag 'asoc-fix-v5.18-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v5.18

A collection of fixes that came in since the merge window, plus one new
device ID for an x86 laptop. Nothing that really stands out with
particularly big impact outside of the affected device.

show more ...

Merge drm/drm-fixes into drm-misc-fixes

Let's start the 5.18 fixes cycle.

Signed-off-by: Maxime Ripard <maxime@cerno.tech>

Merge remote-tracking branch 'torvalds/master' into perf/core

To pick up fixes that went thru perf/urgent and now are fixed by an
upcoming patch.

Signed-off-by: Arnaldo Carvalho de Melo <acme@redha

Merge remote-tracking branch 'torvalds/master' into perf/core

To pick up fixes that went thru perf/urgent and now are fixed by an
upcoming patch.

Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

show more ...

Merge tag 'tpmdd-next-v5.18-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd

Pull tpm updates from Jarkko Sakkinen:
"In order to split the work a bit we've aligned with David

Merge tag 'tpmdd-next-v5.18-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd

Pull tpm updates from Jarkko Sakkinen:
"In order to split the work a bit we've aligned with David Howells more
or less that I take more hardware/firmware aligned keyring patches,
and he takes care more of the framework aligned patches.

For TPM the patches worth of highlighting are the fixes for
refcounting provided by Lino Sanfilippo and James Bottomley.

Eric B. has done a bunch obvious (but important) fixes but there's one
a bit controversial: removal of asym_tpm. It was added in 2018 when
TPM1 was already declared as insecure and world had moved on to TPM2.
I don't know how this has passed all the filters but I did not have a
chance to see the patches when they were out. I simply cannot commit
to maintaining this because it was from all angles just wrong to take
it in the first place to the mainline kernel. Nobody should use this
module really for anything.

Finally, there is a new keyring '.machine' to hold MOK keys ('Machine
Owner Keys'). In the mok side MokListTrustedRT UEFI variable can be
set, from which kernel knows that MOK keys are kernel trusted keys and
they are populated to the machine keyring. This keyring linked to the
secondary trusted keyring, which means that can be used like any
kernel trusted keys. This keyring of course can be used to hold other
MOK'ish keys in other platforms in future"

* tag 'tpmdd-next-v5.18-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: (24 commits)
tpm: use try_get_ops() in tpm-space.c
KEYS: asymmetric: properly validate hash_algo and encoding
KEYS: asymmetric: enforce that sig algo matches key algo
KEYS: remove support for asym_tpm keys
tpm: fix reference counting for struct tpm_chip
integrity: Only use machine keyring when uefi_check_trust_mok_keys is true
integrity: Trust MOK keys if MokListTrustedRT found
efi/mokvar: move up init order
KEYS: Introduce link restriction for machine keys
KEYS: store reference to machine keyring
integrity: add new keyring handler for mok keys
integrity: Introduce a Linux keyring called machine
integrity: Fix warning about missing prototypes
KEYS: trusted: Avoid calling null function trusted_key_exit
KEYS: trusted: Fix trusted key backends when building as module
tpm: xen-tpmfront: Use struct_size() helper
KEYS: x509: remove dead code that set ->unsupported_sig
KEYS: x509: remove never-set ->unsupported_key flag
KEYS: x509: remove unused fields
KEYS: x509: clearly distinguish between key and signature algorithms
...

show more ...

KEYS: Introduce link restriction for machine keys

Introduce a new link restriction that includes the trusted builtin,
secondary and machine keys. The restriction is based on the key to be
added bein

KEYS: Introduce link restriction for machine keys

Introduce a new link restriction that includes the trusted builtin,
secondary and machine keys. The restriction is based on the key to be
added being vouched for by a key in any of these three keyrings.

With the introduction of the machine keyring, the end-user may choose to
trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
trust them, the .machine keyring will contain these keys. If not, the
machine keyring will always be empty. Update the restriction check to
allow the secondary trusted keyring to also trust machine keys.

Allow the .machine keyring to be linked to the secondary_trusted_keys.
After the link is created, keys contained in the .machine keyring will
automatically be searched when searching secondary_trusted_keys.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

show more ...

KEYS: store reference to machine keyring

Expose the .machine keyring created in integrity code by adding
a reference. Store a reference to the machine keyring in
system keyring code. The system key

KEYS: store reference to machine keyring

Expose the .machine keyring created in integrity code by adding
a reference. Store a reference to the machine keyring in
system keyring code. The system keyring code needs this to complete
the keyring link to the machine keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

show more ...

Merge branch 'next' into for-linus

Prepare input updates for 5.15 merge window.

Merge tag 'v5.13' into next

Sync up with the mainline to get the latest parport API.

Merge branch 'for-5.14/amd-sfh' into for-linus

- support for Renoir and Cezanne SoCs
- support for Ambient Light Sensor
- support for Human Presence Detection sensor

all from Basavaraj Natikar

Merge tag 'v5.13-rc3' into asoc-5.13

Linux 5.13-rc3

Merge drm/drm-next into drm-intel-gt-next

Pulling in -rc2 fixes and TTM changes that next upcoming patches depend
on.

Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

Merge tag 'v5.13-rc2' into spi-5.13

Linux 5.13-rc2

Merge branch 'fixes-rc1' into fixes

Merge drm/drm-next into drm-intel-next

Time to get back in sync...

Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

Merge drm/drm-next into drm-misc-next

Backmerging to get v5.12 fixes. Requested for vmwgfx.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>

Merge drm/drm-fixes into drm-misc-fixes

Start this new release drm-misc-fixes branch

Signed-off-by: Maxime Ripard <maxime@cerno.tech>

Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA updates from Mimi Zohar:
"In addition to loading the kernel module signing key onto the b

Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA updates from Mimi Zohar:
"In addition to loading the kernel module signing key onto the builtin
keyring, load it onto the IMA keyring as well.

Also six trivial changes and bug fixes"

* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
ima: Fix fall-through warnings for Clang
integrity: Add declarations to init_once void arguments.
ima: Fix function name error in comment.
ima: enable loading of build time generated key on .ima keyring
ima: enable signing of modules with build time generated key
keys: cleanup build time module signing keys
ima: Fix the error code for restoring the PCR value
ima: without an IMA policy loaded, return quickly

show more ...

Merge tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull x509 dbx/mokx UEFI support from David Howells:
"Here's a set of patches from Eric Snowberg

Merge tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull x509 dbx/mokx UEFI support from David Howells:
"Here's a set of patches from Eric Snowberg[1] that add support for
EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such
entries cause matching certificates to be rejected).

These are currently ignored and only the hash entries are made use of.

Additionally Eric included his patches to allow such certificates to
be preloaded.

These patches deal with CVE-2020-26541.

To quote Eric:
'This is the fifth patch series for adding support for
EFI_CERT_X509_GUID entries [2]. It has been expanded to not only
include dbx entries but also entries in the mokx. Additionally
my series to preload these certificate [3] has also been
included'"

Link: https://lore.kernel.org/r/20210122181054.32635-1-eric.snowberg@oracle.com [1]
Link: https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/ [2]
Link: https://lore.kernel.org/patchwork/cover/1315485/ [3]

* tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
integrity: Load mokx variables into the blacklist keyring
certs: Add ability to preload revocation certs
certs: Move load_system_certificate_list to a common function
certs: Add EFI_CERT_X509_GUID support for dbx entries

show more ...

Merge branch 'ima-module-signing-v4' into next-integrity

From the series cover letter:

Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a

Merge branch 'ima-module-signing-v4' into next-integrity

From the series cover letter:

Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a self-signed CA only loaded onto the
.builtin_trusted_key keyring. On secure boot enabled systems with an arch
specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
are not signed, nor is the kernel module signing public key loaded onto the
IMA keyring.

In order to load the the kernel module signing key onto the IMA trusted
keyring ('.ima'), the certificate needs to be signed by a CA key either on
the builtin or secondary keyrings. The original version of this patch set
created and loaded a kernel-CA key onto the builtin keyring. The kernel-CA
key signed the kernel module signing key, allowing it to be loaded onto the
IMA trusted keyring.

However, missing from this version was support for the kernel-CA to sign the
hardware token certificate. Adding that support would add additional
complexity.

Since the kernel module signing key is embedded into the Linux kernel at
build time, instead of creating and loading a kernel-CA onto the builtin
trusted keyring, this version makes an exception and allows the
self-signed kernel module signing key to be loaded directly onto the
trusted IMA keyring.

show more ...

ima: enable loading of build time generated key on .ima keyring

The kernel currently only loads the kernel module signing key onto the
builtin trusted keyring. Load the module signing key onto the I

ima: enable loading of build time generated key on .ima keyring

The kernel currently only loads the kernel module signing key onto the
builtin trusted keyring. Load the module signing key onto the IMA keyring
as well.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

show more ...

certs: Add EFI_CERT_X509_GUID support for dbx entries

This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now
revoked signatures and keys previously app

certs: Add EFI_CERT_X509_GUID support for dbx entries

This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now
revoked signatures and keys previously approved to boot with UEFI Secure
Boot enabled. The dbx is capable of containing any number of
EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID
entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are
skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID
is found, it is added as an asymmetrical key to the .blacklist keyring.
Anytime the .platform keyring is used, the keys in the .blacklist keyring
are referenced, if a matching key is found, the key will be rejected.

[DH: Made the following changes:
- Added to have a config option to enable the facility. This allows a
Kconfig solution to make sure that pkcs7_validate_trust() is
enabled.[1][2]
- Moved the functions out from the middle of the blacklist functions.
- Added kerneldoc comments.]

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
cc: Randy Dunlap <rdunlap@infradead.org>
cc: Mickaël Salaün <mic@digikod.net>
cc: Arnd Bergmann <arnd@kernel.org>
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc
Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2
Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3
Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4
Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1]
Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2]

show more ...

Merge drm-intel-next-queued into gvt-next

Backmerge to pull in
https://patchwork.freedesktop.org/patch/353621/?series=73544&rev=1

Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>

Merge tag 'v5.5-rc4' into locking/kcsan, to resolve conflicts

Conflicts:
init/main.c
lib/Kconfig.debug

Signed-off-by: Ingo Molnar <mingo@kernel.org>

Merge branch 'next' into for-linus

Prepare input updates for 5.6 merge window.

Merge tag 'v5.5-rc5' into next

Sync up with mainline to get SPI "delay" API changes.