NAK: [PATCH] UBUNTU: SAUCE: (efi-lockdown) efi: ignore efivar_ssdt cmdline parameter when locked down

Seth Forshee seth.forshee at canonical.com
Fri Jul 17 19:05:04 UTC 2020


On Thu, Jul 16, 2020 at 10:42:51PM -0600, Kelsey Skunberg wrote:
> Hi Jason,
> 
> Seth included a similar patch in the patch set he mentioned in this
> email thread. You can see that patch set here:
> 
> https://lists.ubuntu.com/archives/kernel-team/2020-June/111231.html
> 
> Patch Series: [PATCH 0/6][B] Lockdown updates
> Patch: [PATCH 2/6][B] efi: Restrict efivar_ssdt_load when the kernel is locked down
> 
> The above patch set is in a list of patches I'm currently applying to
> Bionic/master-next.
> 
> Thank you for taking the time to submit and your help! :) 

Yes, sorry, I meant to send a nack after I sent those. I guess I forgot.

Jason, since there was an upstream commit for this particular change I
included a (virtually identical) backport of that instead of using your
patch. Having it as a backport helps our scripting in cases where we
want to know if a particular upstream commit has been backported to our
supported kernels.

> 
> -Kelsey
> 
> On 2020-06-14 23:50:17 , Jason A. Donenfeld wrote:
> > The efivar_ssdt variable makes it possible for the root user to inject a
> > custom ACPI table that can be used to modify kernel memory and therefore
> > disable lockdown. So, this commit restricts efivar_ssdt when the kernel
> > is locked down. An example of this technique may be found at the link in
> > the trailer.
> > 
> > Fixes: 49b04f8acc77 ("UBUNTU: SAUCE: (efi-lockdown) Add the ability to lock down access to the running kernel image")
> > Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh
> > Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
> > ---
> >  drivers/firmware/efi/efi.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> > index 4b4dd5532725..3d21488e35df 100644
> > --- a/drivers/firmware/efi/efi.c
> > +++ b/drivers/firmware/efi/efi.c
> > @@ -228,6 +228,8 @@ static void generic_ops_unregister(void)
> >  static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
> >  static int __init efivar_ssdt_setup(char *str)
> >  {
> > +	if (kernel_is_locked_down("efivar-specified ACPI SSDT"))
> > +		return -EPERM;
> >  	if (strlen(str) < sizeof(efivar_ssdt))
> >  		memcpy(efivar_ssdt, str, strlen(str));
> >  	else
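Review bot: the lockdown check added at the top of efivar_ssdt_setup() returns -EPERM from a `__setup` handler, but `__setup` callbacks are conventionally expected to return 1 for "handled" and 0 for "not handled" rather than an errno; any nonzero value is treated as handled, so the parameter is dropped without the user learning why. Returning 1 after the kernel_is_locked_down() call would match the convention used elsewhere, and the commit message should note that the check only holds if the lockdown state is already established when the command line is parsed, since the hunk guards the setup path and not the point where the SSDT variable is actually loaded.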
> > -- 
> > 2.27.0
> > 
> > 
> > -- 
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
