From mboxrd@z Thu Jan 1 00:00:00 1970 From: jlee@suse.com (joeyli) Date: Fri, 20 Oct 2017 14:46:12 +0800 Subject: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down In-Reply-To: <150842475442.7923.12198790224494561644.stgit@warthog.procyon.org.uk> References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <150842475442.7923.12198790224494561644.stgit@warthog.procyon.org.uk> Message-ID: <20171020064612.GX3285@linux-l9pv.suse> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Thu, Oct 19, 2017 at 03:52:34PM +0100, David Howells wrote: > From: Linn Crosetto > > >From the kernel documentation (initrd_table_override.txt): > > If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible > to override nearly any ACPI table provided by the BIOS with an > instrumented, modified one. > > When securelevel is set, the kernel should disallow any unauthenticated > changes to kernel space. ACPI tables contain code invoked by the kernel, > so do not allow ACPI tables to be overridden if the kernel is locked down. > > Signed-off-by: Linn Crosetto > Signed-off-by: David Howells I have reviewed this patch. Please feel free to add: Reviewed-by: "Lee, Chun-Yi" Thanks! Joey Lee > cc: linux-acpi at vger.kernel.org > --- > > drivers/acpi/tables.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c > index 80ce2a7d224b..5cc13c42daf9 100644 > --- a/drivers/acpi/tables.c > +++ b/drivers/acpi/tables.c > @@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void) > if (table_nr == 0) > return; > > + if (kernel_is_locked_down("ACPI table override")) { > + pr_notice("kernel is locked down, ignoring table override\n"); > + return; > + } > + > acpi_tables_addr = > memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, > all_tables_size, PAGE_SIZE); > > -- > To unsubscribe from this list: send the line "unsubscribe linux-efi" in > the body of a message to majordomo at vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html