| Message ID | 1363642353-30749-10-git-send-email-matthew.garrett@nebula.com |
|---|---|
| State | Not Applicable |
| Headers | show |
On 03/19/2013 05:32 AM, Matthew Garrett wrote: > From: Josh Boyer <jwboyer@redhat.com> > > This option allows userspace to pass the RSDP address to the kernel. This > could potentially be used to circumvent the secure boot trust model. > We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability. > > Signed-off-by: Josh Boyer <jwboyer@redhat.com> > --- > drivers/acpi/osl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c > index 586e7e9..0ef63f1 100644 > --- a/drivers/acpi/osl.c > +++ b/drivers/acpi/osl.c > @@ -245,7 +245,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); > acpi_physical_address __init acpi_os_get_root_pointer(void) > { > #ifdef CONFIG_KEXEC > - if (acpi_rsdp) > + if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL)) > return acpi_rsdp; > #endif > > This does not work because capable is not usable at this early point. Josh, could you update your fix here?
On Tue, Mar 19, 2013 at 04:47:27PM +0800, Dave Young wrote: > On 03/19/2013 05:32 AM, Matthew Garrett wrote: > > From: Josh Boyer <jwboyer@redhat.com> > > > > This option allows userspace to pass the RSDP address to the kernel. This > > could potentially be used to circumvent the secure boot trust model. > > We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability. > > > > Signed-off-by: Josh Boyer <jwboyer@redhat.com> > > --- > > drivers/acpi/osl.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c > > index 586e7e9..0ef63f1 100644 > > --- a/drivers/acpi/osl.c > > +++ b/drivers/acpi/osl.c > > @@ -245,7 +245,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); > > acpi_physical_address __init acpi_os_get_root_pointer(void) > > { > > #ifdef CONFIG_KEXEC > > - if (acpi_rsdp) > > + if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL)) > > return acpi_rsdp; > > #endif > > > > > > This does not work because capable is not usable at this early point. Right. > Josh, could you update your fix here? I have. Twice. Matthew sent out a stale patch. josh -- To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index 586e7e9..0ef63f1 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -245,7 +245,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC - if (acpi_rsdp) + if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL)) return acpi_rsdp; #endif