[PATCH] UBUNTU: SAUCE: (efi-lockdown) efi: ignore efivar_ssdt cmdline parameter when locked down

Jason A. Donenfeld Jason at zx2c4.com
Mon Jun 15 05:50:17 UTC 2020


The efivar_ssdt variable makes it possible for the root user to inject a
custom ACPI table that can be used to modify kernel memory and therefore
disable lockdown. So, this commit restricts efivar_ssdt when the kernel
is locked down. An example of this technique may be found at the link in
the trailer.

Fixes: 49b04f8acc77 ("UBUNTU: SAUCE: (efi-lockdown) Add the ability to lock down access to the running kernel image")
Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh
Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
---
 drivers/firmware/efi/efi.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 4b4dd5532725..3d21488e35df 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -228,6 +228,8 @@ static void generic_ops_unregister(void)
 static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
 static int __init efivar_ssdt_setup(char *str)
 {
+	if (kernel_is_locked_down("efivar-specified ACPI SSDT"))
+		return -EPERM;
 	if (strlen(str) < sizeof(efivar_ssdt))
 		memcpy(efivar_ssdt, str, strlen(str));
 	else
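Review bot: the lockdown check added at the top of efivar_ssdt_setup() runs from an `__init` command-line handler, so it only has effect if the lockdown state has already been established by the time the kernel command line is parsed; the commit message should state where lockdown is initialised relative to parameter parsing, otherwise the check may be evaluated too early and silently pass. Separately, `return -EPERM;` is an unusual value for a `__setup` handler, which conventionally returns 1 once it has consumed the parameter; a negative value is still non-zero and therefore treated as handled, but a one-line comment above the check explaining that the parameter is deliberately dropped under lockdown would make the intent clear to the next reader.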
-- 
2.27.0
