ACK/Cmnt: [PATCH] UBUNTU: SAUCE: (efi-lockdown) efi: ignore efivar_ssdt cmdline parameter when locked down

Stefan Bader stefan.bader at canonical.com
Tue Jun 16 12:49:44 UTC 2020


On 15.06.20 07:50, Jason A. Donenfeld wrote:
> The efivar_ssdt variable makes it possible for the root user to inject a
> custom ACPI table that can be used to modify kernel memory and therefore
> disable lockdown. So, this commit restricts efivar_ssdt when the kernel
> is locked down. An example of this technique may be found at the link in
> the trailer.
> 
> Fixes: 49b04f8acc77 ("UBUNTU: SAUCE: (efi-lockdown) Add the ability to lock down access to the running kernel image")
> Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh
> Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

Formally all SRU patches need to have a public Launchpad bug open and patches
refer to those with

BugLink: https://bugs.launchpad.net/bugs/<#>

Is there already one open?

-Stefan

>  drivers/firmware/efi/efi.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index 4b4dd5532725..3d21488e35df 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
> @@ -228,6 +228,8 @@ static void generic_ops_unregister(void)
>  static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
>  static int __init efivar_ssdt_setup(char *str)
>  {
> +	if (kernel_is_locked_down("efivar-specified ACPI SSDT"))
> +		return -EPERM;
>  	if (strlen(str) < sizeof(efivar_ssdt))
>  		memcpy(efivar_ssdt, str, strlen(str));
>  	else
> 
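Review bot: efivar_ssdt_setup() is a boot command-line handler, so the new kernel_is_locked_down() check runs while the command line is parsed, very early in boot; the patch should confirm that the lockdown state is already final at that point, otherwise the parameter is accepted whenever lockdown is engaged later, and moving the check to the code path that actually loads the SSDT from the EFI variable would remove that ordering dependency. Separately, `return -EPERM;` only works here because any non-zero return counts as "parameter handled" for such handlers; returning 1 matches the usual convention and makes the intent explicit, and the commit message should note that the rejected parameter is silently ignored apart from any message kernel_is_locked_down() emits for the string passed to it.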

