Re: [PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down
On Sat, 22 Jun 2019 at 02:05, Matthew Garrett wrote: > > efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an > EFI variable, which gives arbitrary code execution in ring 0. Prevent > that when the kernel is locked down. > > Signed-off-by: Matthew Garrett > Cc: Ard Biesheuvel > Cc: linux-efi@vger.kernel.org Acked-by: Ard Biesheuvel > --- > drivers/firmware/efi/efi.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c > index 55b77c576c42..9f92a013ab27 100644 > --- a/drivers/firmware/efi/efi.c > +++ b/drivers/firmware/efi/efi.c > @@ -31,6 +31,7 @@ > #include > #include > #include > +#include > > #include > > @@ -242,6 +243,11 @@ static void generic_ops_unregister(void) > static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; > static int __init efivar_ssdt_setup(char *str) > { > + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); > + > + if (ret) > + return ret; > + > if (strlen(str) < sizeof(efivar_ssdt)) > memcpy(efivar_ssdt, str, strlen(str)); > else > -- > 2.22.0.410.gd8fdbe21b5-goog >
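Review bot: in efivar_ssdt_setup the new early return (`if (ret) return ret;`) hands the result of security_locked_down straight back to whatever invokes this __init parameter handler, and the added lines print nothing. The hunk does not show what the function returns on its success path, so it is worth confirming that the caller interprets this value as intended. A short comment, or a pr_warn saying the parameter was ignored because of lockdown, would keep an administrator from wondering why the SSDT never loaded, unless security_locked_down already reports the denial itself.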
Re: [PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down
On Fri, Jun 21, 2019 at 05:03:57PM -0700, Matthew Garrett wrote: > efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an > EFI variable, which gives arbitrary code execution in ring 0. Prevent > that when the kernel is locked down. > > Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook -Kees > Cc: Ard Biesheuvel > Cc: linux-efi@vger.kernel.org > --- > drivers/firmware/efi/efi.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c > index 55b77c576c42..9f92a013ab27 100644 > --- a/drivers/firmware/efi/efi.c > +++ b/drivers/firmware/efi/efi.c > @@ -31,6 +31,7 @@ > #include > #include > #include > +#include > > #include > > @@ -242,6 +243,11 @@ static void generic_ops_unregister(void) > static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; > static int __init efivar_ssdt_setup(char *str) > { > + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); > + > + if (ret) > + return ret; > + > if (strlen(str) < sizeof(efivar_ssdt)) > memcpy(efivar_ssdt, str, strlen(str)); > else > -- > 2.22.0.410.gd8fdbe21b5-goog > -- Kees Cook
[PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down
efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. Signed-off-by: Matthew Garrett Cc: Ard Biesheuvel Cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/efi.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 55b77c576c42..9f92a013ab27 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -31,6 +31,7 @@ #include #include #include +#include #include @@ -242,6 +243,11 @@ static void generic_ops_unregister(void) static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; static int __init efivar_ssdt_setup(char *str) { + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; + if (strlen(str) < sizeof(efivar_ssdt)) memcpy(efivar_ssdt, str, strlen(str)); else -- 2.22.0.410.gd8fdbe21b5-goog
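Review bot: the lockdown check sits in efivar_ssdt_setup, which only copies the parameter string into efivar_ssdt, while the commit message names efivar_ssdt_load as the path being restricted. The restriction therefore works only by leaving efivar_ssdt empty, and it depends on the lockdown state at the moment the parameter is parsed. If lockdown can be enabled after that point but before the stored name is consumed, the load still goes ahead. Consider repeating the security_locked_down(LOCKDOWN_ACPI_TABLES) check where the name is consumed, or add a comment above the new lines stating that an empty efivar_ssdt is what disables the load and why parse time is late enough.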