ACK: [PATCH] UBUNTU: SAUCE: (efi-lockdown) efi: ignore efivar_ssdt cmdline parameter when locked down

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Tue Jun 16 15:50:19 UTC 2020


On Tue, Jun 16, 2020 at 07:19:20AM -0500, Seth Forshee wrote:
> On Sun, Jun 14, 2020 at 11:55:24PM -0600, Jason A. Donenfeld wrote:
> > Sorry, I guess I should have prefixed the subject with "[SRU][B]",
> > though I don't know if there are additional subtitles and tags beyond
> > those ones. You'll probably also want to look whether this applies to
> > the other kernels; I was only concerned with Bionic in my brief
> > investigation. Should be easy enough to open up
> > drivers/firmware/efi/efi.c and see if efivar_ssdt_setup has anything
> > about lockdown at the top of the function.
> 
> The patch looks good to me.
> 
> Acked-by: Seth Forshee <seth.forshee at canonical.com>
> 
> I'm having a look at our other kernel trees to see which might need a
> similar patch. The lockdown patches have been evolving for a number of
> years now, and it looks like we missed flagging this addition to later
> versions as something which needed to be backported.
> 
> Seth

From what I saw, this would be needed in 5.3 and 5.0 kernels too. And the patch
applies cleanly on those two.

For 5.4 forward, there is already 1957a85b0032a81e6482ca4aab883643b8dae06e
("efi: Restrict efivar_ssdt_load when the kernel is locked down").

Cascardo.


