[SRU Focal] UBUNTU: [Config]: Set CONFIG_PPC_RTAS_FILTER
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Tue Dec 1 20:50:50 UTC 2020
RTAS may be used to read arbritary memory, which we do not want to allow when
Secure Boot is used. It is restricted to only some allowed operations, which
are the ones that are used by distributed tools.
CVE-2020-27777
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
debian.master/config/annotations | 2 ++
1 file changed, 2 insertions(+)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 98104f78179c..b3e6d6cfe7e2 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12460,11 +12460,13 @@ CONFIG_EXTRA_TARGETS policy<{'ppc64el': '""'}>
CONFIG_PPC_MEM_KEYS policy<{'ppc64el': 'n'}>
CONFIG_PPC_SECURE_BOOT policy<{'ppc64el': 'y'}>
CONFIG_PPC_SECVAR_SYSFS policy<{'ppc64el': 'y'}>
+CONFIG_PPC_RTAS_FILTER policy<{'ppc64el': 'y'}>
#
CONFIG_FA_DUMP note<LP:1415562>
CONFIG_PPC_MEM_KEYS flag<REVIEW> note<LP:1776967>
CONFIG_PPC_SECURE_BOOT mark<ENFORCED> note<LP:1866909> note<LP:1855668>
CONFIG_PPC_SECVAR_SYSFS mark<ENFORCED> note<LP:1866909>
+CONFIG_PPC_RTAS_FILTER mark<ENFORCED> note<CVE-2020-27777>
# Menu: Processor type and features >> Architecture: s390
CONFIG_SCHED_TOPOLOGY policy<{'s390x': 'y'}>
--
2.27.0
More information about the kernel-team
mailing list