From mboxrd@z Thu Jan 1 00:00:00 1970 From: jlee@suse.com (joeyli) Date: Fri, 20 Oct 2017 14:47:05 +0800 Subject: [PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down In-Reply-To: <150842476188.7923.14340260837257633120.stgit@warthog.procyon.org.uk> References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <150842476188.7923.14340260837257633120.stgit@warthog.procyon.org.uk> Message-ID: <20171020064705.GY3285@linux-l9pv.suse> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Thu, Oct 19, 2017 at 03:52:41PM +0100, David Howells wrote: > From: Linn Crosetto > > ACPI provides an error injection mechanism, EINJ, for debugging and testing > the ACPI Platform Error Interface (APEI) and other RAS features. If > supported by the firmware, ACPI specification 5.0 and later provide for a > way to specify a physical memory address to which to inject the error. > > Injecting errors through EINJ can produce errors which to the platform are > indistinguishable from real hardware errors. This can have undesirable > side-effects, such as causing the platform to mark hardware as needing > replacement. > > While it does not provide a method to load unauthenticated privileged code, > the effect of these errors may persist across reboots and affect trust in > the underlying hardware, so disable error injection through EINJ if > the kernel is locked down. > > Signed-off-by: Linn Crosetto > Signed-off-by: David Howells I have reviewed this patch. Please feel free to add: Reviewed-by: "Lee, Chun-Yi" Thanks! Joey Lee > cc: linux-acpi at vger.kernel.org > --- > > drivers/acpi/apei/einj.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c > index b38737c83a24..6d71e1e97b20 100644 > --- a/drivers/acpi/apei/einj.c > +++ b/drivers/acpi/apei/einj.c > @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, > int rc; > u64 base_addr, size; > > + if (kernel_is_locked_down("ACPI error injection")) > + return -EPERM; > + > /* If user manually set "flags", make sure it is legal */ > if (flags && (flags & > ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) > > -- > To unsubscribe from this list: send the line "unsubscribe linux-efi" in > the body of a message to majordomo at vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html