[SRU Groovy 2/2] UBUNTU: [Config]: Set CONFIG_PPC_RTAS_FILTER
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Tue Dec 1 20:50:52 UTC 2020
RTAS may be used to read arbitrary memory, which we do not want to allow when
Secure Boot is used. It is restricted to only some allowed operations, which
are the ones that are used by distributed tools.
CVE-2020-27777
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
debian.master/config/annotations | 2 ++
debian.master/config/config.common.ubuntu | 1 +
2 files changed, 3 insertions(+)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index bd37e327165f..5d517529597c 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12813,11 +12813,13 @@ CONFIG_EXTRA_TARGETS policy<{'ppc64el': '""'}>
CONFIG_PPC_MEM_KEYS policy<{'ppc64el': 'n'}>
CONFIG_PPC_SECURE_BOOT policy<{'ppc64el': 'y'}>
CONFIG_PPC_SECVAR_SYSFS policy<{'ppc64el': 'y'}>
+CONFIG_PPC_RTAS_FILTER policy<{'ppc64el': 'y'}>
#
CONFIG_FA_DUMP note<LP:1415562>
CONFIG_PPC_MEM_KEYS flag<REVIEW> note<LP:1776967>
CONFIG_PPC_SECURE_BOOT mark<ENFORCED> note<LP:1866909> note<LP:1855668>
CONFIG_PPC_SECVAR_SYSFS mark<ENFORCED> note<LP:1866909>
+CONFIG_PPC_RTAS_FILTER mark<ENFORCED> note<CVE-2020-27777>
# Menu: Processor type and features >> Architecture: s390
CONFIG_KERNEL_NOBP policy<{'s390x': 'n'}>
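Review bot: The new `CONFIG_PPC_RTAS_FILTER mark<ENFORCED>` line carries only `note<CVE-2020-27777>`, while the neighbouring enforced entries (`CONFIG_PPC_SECURE_BOOT`, `CONFIG_PPC_SECVAR_SYSFS`) reference a Launchpad bug via `note<LP:...>`. If a Launchpad bug tracks this SRU, add it next to the CVE so the enforcement can be traced the same way as the others. Minor style point: both new lines are appended after `CONFIG_PPC_SECVAR_SYSFS`, whereas the config.common.ubuntu change places the option before `CONFIG_PPC_SECURE_BOOT`; consider using the same order in both files.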
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 59899f8dc47b..71b64b8d4198 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -7720,6 +7720,7 @@ CONFIG_PPC_RADIX_MMU=y
CONFIG_PPC_RADIX_MMU_DEFAULT=y
CONFIG_PPC_RTAS=y
CONFIG_PPC_RTAS_DAEMON=y
+CONFIG_PPC_RTAS_FILTER=y
CONFIG_PPC_SECURE_BOOT=y
CONFIG_PPC_SECVAR_SYSFS=y
CONFIG_PPC_SMLPAR=y
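Review bot: `CONFIG_PPC_RTAS_FILTER=y` is added as a plain build-time setting, but the commit message motivates it only by Secure Boot and does not say whether the restriction also takes effect on systems booted without it. Since this is an SRU, the message should state that, and should name the distributed tools that were checked against the allowed operations, so reviewers can judge the regression risk for existing RTAS users.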
--
2.27.0