Bug#947021: marked as done (linux-image-4.19.0-6-amd64: root can lift kernel lockdown)



Your message dated Mon, 30 Mar 2020 08:10:09 +0000
with message-id <E1jIpUn-000G6p-1H@fasolo.debian.org>
and subject line Bug#947021: fixed in linux 5.5.13-1
has caused the Debian Bug report #947021,
regarding linux-image-4.19.0-6-amd64: root can lift kernel lockdown
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947021: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947021
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux
Version: 4.19.67-2+deb10u2
Severity: normal

Dear Maintainer,

Echoing "x" into /proc/sysrq-trigger disables kernel lockdown, even though it shouldn't.

Kernel lockdown is meant to create a barrier between root and the kernel that can only be broken with physical access to the system.
But a bug in debian/patches/features/all/lockdown/0002-Add-a-SysRq-option-to-lift-kernel-lockdown.patch allows root to easily circumvent this security measure:

vagrant@buster:~$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-amd64 root=UUID=b9ffc3d1-86b2-4a2c-a8be-f2b2f4aa4cb5 ro net.ifnames=0 quiet lockdown
vagrant@buster:~$ sudo dmesg | grep locked
[    0.000000] Kernel is locked down from command line; see https://wiki.debian.org/SecureBoot
vagrant@buster:~$ sudo sysctl kernel.sysrq=1
kernel.sysrq = 1
vagrant@buster:~$ sudo sh -c "echo x > /proc/sysrq-trigger"
vagrant@buster:~$ sudo dmesg | tail
[    3.050592] vboxvideo 0000:00:02.0: fb0: vboxdrmfb frame buffer device
[    3.068268] [drm] Initialized vboxvideo 1.0.0 20130823 for 0000:00:02.0 on minor 0
[    3.183323] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    3.223529] Adding 1045500k swap on /dev/sda5.  Priority:-2 extents:1 across:1045500k FS
[    5.200670] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[    5.201533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   42.660726] sysrq: SysRq : 
[   42.660728] This sysrq operation is disabled from userspace.
[   42.660797] Disabling Secure Boot restrictions
[   42.660830] Lifting lockdown

I already reported this bug to Ubuntu at https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851380
but it also affects Debian. (There's a bit more context and a patch in that bug report.)

Looking at the patch on salsa I think that this bug doesn't just exist in Buster, but that's the version I used to test it.

Best regards,
Niklas Sombert

-- Package-specific info:
** Version:
Linux version 4.19.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-amd64 root=UUID=b9ffc3d1-86b2-4a2c-a8be-f2b2f4aa4cb5 ro net.ifnames=0 quiet lockdown

** Tainted: C (1024)
 * Module from drivers/staging has been loaded.

** Model information
sys_vendor: innotek GmbH
product_name: VirtualBox
product_version: 1.2
chassis_vendor: Oracle Corporation
chassis_version: 
bios_vendor: innotek GmbH
bios_version: VirtualBox
board_vendor: Oracle Corporation
board_name: VirtualBox
board_version: 1.2

** USB devices:
not available


-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-4.19.0-6-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.133+deb10u1
ii  kmod                                    26-1
ii  linux-base                              4.6

Versions of packages linux-image-4.19.0-6-amd64 recommends:
ii  apparmor             2.13.2-10
ii  firmware-linux-free  3.4

Versions of packages linux-image-4.19.0-6-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.02+dfsg1-20
pn  linux-doc-4.19          <none>

Versions of packages linux-image-4.19.0-6-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information

--- End Message ---
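
A detection check for the behaviour reported above, as an added example that is not part of the original report or of the Debian kernel packaging: it replays kernel log lines, tracks lockdown state, and flags a "Lifting lockdown" that directly follows the sysrq "disabled from userspace" message, which is the sequence the report's dmesg shows. The function names and the one-second correlation window are assumptions of this example.

```python
import re

# Kernel log line shape: "[   42.660830] message"
LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")

# Message strings exactly as they appear in the report's dmesg output.
LOCKED_PREFIX = "Kernel is locked down"
LIFTED = "Lifting lockdown"
SYSRQ_USERSPACE = "This sysrq operation is disabled from userspace."

# Assumption of this example: a lift logged within this many seconds of the
# "disabled from userspace" message came from the same sysrq-trigger write.
CORRELATION_WINDOW = 1.0

# Lines copied from the report's terminal session.
REPORT_LOG = [
    "[    0.000000] Kernel is locked down from command line; see https://wiki.debian.org/SecureBoot",
    "[    5.201533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready",
    "[   42.660726] sysrq: SysRq : ",
    "[   42.660728] This sysrq operation is disabled from userspace.",
    "[   42.660797] Disabling Secure Boot restrictions",
    "[   42.660830] Lifting lockdown",
]

# Constructed sample: the same boot with no lift recorded.
CLEAN_LOG = REPORT_LOG[:2]


def parse(lines):
    """Yield (timestamp, message) for each well-formed kernel log line."""
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if m:
            yield float(m.group(1)), m.group(2).strip()


def audit_lockdown(lines):
    """Track lockdown state across one boot's log and record every lift."""
    locked_at = None            # timestamp of the lockdown message, if seen
    last_userspace_sysrq = None  # timestamp of the last userspace sysrq notice
    lifts = []
    for ts, msg in parse(lines):
        if msg.startswith(LOCKED_PREFIX):
            locked_at = ts
        elif msg == SYSRQ_USERSPACE:
            last_userspace_sysrq = ts
        elif msg == LIFTED:
            via_userspace = (
                last_userspace_sysrq is not None
                and 0 <= ts - last_userspace_sysrq <= CORRELATION_WINDOW
            )
            lifts.append({
                "time": ts,
                "was_locked": locked_at is not None,
                "via_userspace": via_userspace,
            })
            locked_at = None
    return {"locked": locked_at is not None, "lifts": lifts}


if __name__ == "__main__":
    print(audit_lockdown(REPORT_LOG))
```

If the kernel ring buffer has already dropped the early boot lines, `was_locked` will be False even on a locked-down system, so treat any lift with `via_userspace` set as worth investigating.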
--- Begin Message ---
Source: linux
Source-Version: 5.5.13-1
Done: Ben Hutchings <benh@debian.org>

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947021@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <benh@debian.org> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Mar 2020 03:03:47 +0100
Source: linux
Architecture: source
Version: 5.5.13-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Closes: 945604 947021 949863 950578 953386 953569 953680 953683 954088 955004
Changes:
 linux (5.5.13-1) unstable; urgency=medium
 .
   * New upstream release: https://kernelnewbies.org/Linux_5.5
     (Closes: #953680)
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.1
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.2
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.3
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.4
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.5
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.6
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.7
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.8
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.9
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.10
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.11
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.12
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.13
 .
   [ Ben Hutchings ]
   * aufs: Update support patchset to aufs5.x-rcN 20200120; no functional
     change
   * net: Enable NET_SWITCHDEV; disable on armel/marvell (Closes: #949863)
   * [armhf] net/ethernet/ti: Enable TI_CPSW_SWITCHDEV as module; enable TI_CPTS
   * wireless: Enable regulatory.db direct loading:
     - Drop "wireless: Disable regulatory.db direct loading"
     - linux-image: Add Breaks: relation with old wireless-regdb versions
     - Regenerate my wireless-regdb certificate with expected attributes
   * [x86] Drop "Add a SysRq option to lift kernel lockdown" (Closes: #947021)
     - This patch allowed remotely disabling lockdown using usbip
     - Lockdown can be disabled by running "mokutil --disable-validation",
       rebooting, and confirming the change when prompted
   * Set PYTHON=python3 for document build (fixes FTBFS)
   * [x86,arm64] Move linux-headers metapackages to src:linux-signed-*.
     This should ensure that src:linux and src:linux-signed-* transition to
     testing together.
   * debian/bin/gencontrol_signed.py: Generate valid versions in a linux binNMU
   * udeb: Drop zlib-modules packages, as zlib_deflate is now always built-in
     (fixes FTBFS on several architectures)
   * [mips*/octeon] Fix and re-enable the Octeon Ethernet driver
   * [mips*] Fix FTBFS:
     - Increase RELOCATION_TABLE_SIZE to 0x160000
     - Fix exception handler memcpy()
   * debian/config: Delete redundant arch/flavour-specific "debug-info: true"
   * linux-source: Suggest qtbase5-dev instead of the removed libqt4-dev
     (Closes: #953386)
   * Add WireGuard driver and required crypto changes from 5.6-rc7 and
     cryptodev-2.6, thanks to Jason A. Donenfeld (Closes: #953569)
   * drivers/net: Enable WIREGUARD as module
   * debian/control: Use my debian.org email in Uploaders field
   * debian/certs: Rename Romain Perier's certificate to match email address
   * security/integrity/platform_certs: Rebase db-mok-keyring patch set for
     5.5.9
   * [x86] Enable X86_UMIP (previously configured as X86_INTEL_UMIP)
   * Set ABI to 1
   * [amd64] Enable Intel GVT-g (except cloud-amd64) (Closes: #954088):
     - vfio: Enable VFIO_MDEV, VFIO_MDEV_DEVICE as modules
     - i915: Enable DRM_I915_GVT; enable DRM_I915_GVT_KVMGT as module
   * drivers/net/wireless: Enable MT76x0E as module (Closes: #953683)
   * bcmgenet: Backport ACPI support, supporting Raspberry Pi 4
     (Closes: #950578)
 .
   [ Aurelien Jarno ]
   * [riscv64] Enable SECCOMP.
 .
   [ Romain Perier ]
   * [arm64] Enable BCMGENET
   * [arm64] Fix CONFIG_INFINIBAND_HNS_HIP06 and CONFIG_INFINIBAND_HNS_HIP08
     from tristate to boolean
   * debian/certs: Add my own certificate for wireless-regdb
   * debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch:
     Add the hexdump of my certificate to this patch, so the kernel can
     directly load the regulatory db and trust it if I have signed it.
 .
   [ Noah Meyerhans ]
   * [arm64] Enable KVM_ARM_HOST and KVM_ARM_PMU
   * [arm64] Enable CONFIG_ARM64_ERRATUM_1418040
   * [arm64/cloud-arm64] Introduce cloud build flavour
   * [cloud] random: Enable RANDOM_TRUST_BOOTLOADER
 .
   [ Mark Pearson ]
   * [amd64] ASoC: Enable SND_SOC_SOF_COMETLAKE_LP_SUPPORT,
     SND_SOC_SOF_COMETLAKE_H_SUPPORT
 .
   [ Christian Barcenas ]
   * lockdown: honor LOCK_DOWN_IN_EFI_SECURE_BOOT=n (Closes: #945604)
 .
   [ Salvatore Bonaccorso ]
   * libcpupower: Lower back soname version to 1 and add new
     cpufreq_{get,put}_boost_frequencies methods
 .
   [ Joel Stanley ]
   * [armhf] Enable ASPEED AST2600 SoC family. This includes all ASPEED symbols
     for the AST2600 and FTGMAC100, the network device used by this SoC. The
     SoC has 5 UARTs so CONFIG_SERIAL_8250_NR_UARTS is bumped to 5 from 4
     in order to correctly register UART5, the boot console.
 .
   [ Petr Stastny ]
   * [x86] i2c: Enable I2C_AMD_MP2 as module (Closes: #955004)
 .
   [ Vagrant Cascadian ]
   * [arm64] Add patch from next-20200325 to enable device-tree for
     Pinebook Pro.

--- End Message ---
