From patchwork Fri Jun 19 16:49:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 1313150 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49pPtr3Gn1zB3wn; Sat, 20 Jun 2020 02:50:28 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1jmKDg-0006nz-Sy; Fri, 19 Jun 2020 16:50:24 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jmKDW-0006iS-MH for kernel-team@lists.ubuntu.com; Fri, 19 Jun 2020 16:50:14 +0000 Received: from mail-io1-f71.google.com ([209.85.166.71]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jmKDW-0006JS-Bq for kernel-team@lists.ubuntu.com; Fri, 19 Jun 2020 16:50:14 +0000 Received: by mail-io1-f71.google.com with SMTP id l22so7158637iob.23 for ; Fri, 19 Jun 2020 09:50:14 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=D7YsGSyHRip+TZFLXlLyMc+vJKnHoZ1C6gCCK6mFUz0=; b=PLd5hte+f3wyDuyc6kOrwmMGSHzUylM9xyHzFkTigXjzpx8u3nochfkSPw6kBYJTQB 7osrRnrz9VGaVgOqUUv8AP+4peMlckzp8GDK/Kjbzx8SvweUkQxxI6zPwljz86ijR/bR 31znD8kGRujhbAF4Ue0ga/sWMxT0cb1oVtuHwafTsnVdALD3N0DHN9D+gUB3glj4MRp4 DUhtwCDk/a+bZkYyXeWXXJF6MIDkekWT1avLkxxpLR7m7YzHr+EerU+wh+YtCXHaBBfW 4mfXTb36vmiElyrarXg32t6/XM4C0VEnmF6PwgZVeS7st+Z1AyG0Nwy8S/kdo31Hdb72 Exgg== X-Gm-Message-State: AOAM530O6DoVRwOF1OVwC48uYqAqoVsEev75UEHyuss8w0hMxbuSVjP8 gKKix8JLxkmzn8nvtMLBRiezX/tdX+Nc3AXEN4mraEsgaNfByq3d7/XYKOMa7ij9H9kADQvizl0 dVbVwt3BMyOnoAM2UChd9th5SgIoj2Fhscq9z7eZoYg== X-Received: by 2002:a6b:5906:: with SMTP id n6mr5271401iob.202.1592585413202; Fri, 19 Jun 2020 09:50:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxLGg6xKQDj8NNrM3sdruR275gB3Z8JmGQWJqL2+I+hgoT9NTLcAGiqTkqtomJ4HirwE/WqtQ== X-Received: by 2002:a6b:5906:: with SMTP id n6mr5271386iob.202.1592585412947; Fri, 19 Jun 2020 09:50:12 -0700 (PDT) Received: from localhost ([2605:a601:ac0f:820:f090:1573:c2fc:6389]) by smtp.gmail.com with ESMTPSA id v18sm3514771ilk.6.2020.06.19.09.50.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Jun 2020 09:50:12 -0700 (PDT) From: Seth Forshee To: kernel-team@lists.ubuntu.com Subject: [PATCH v2 01/57][X] acpi: Disable ACPI table override if the kernel is locked down Date: Fri, 19 Jun 2020 11:49:14 -0500 Message-Id: <20200619165010.645925-2-seth.forshee@canonical.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200619165010.645925-1-seth.forshee@canonical.com> References: <20200619165010.645925-1-seth.forshee@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Linn Crosetto BugLink: https://bugs.launchpad.net/bugs/1884159 >From the kernel documentation (initrd_table_override.txt): If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one. When lockdown is enabled, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook cc: linux-acpi@vger.kernel.org Signed-off-by: James Morris (backported from commit 6ea0e815fc5e18597724169caa6e4d46dd8e693d) Signed-off-by: Seth Forshee --- drivers/acpi/osl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index 62a2a564a46e..3b6d3247a4c9 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -675,6 +675,11 @@ void __init acpi_initrd_override(void *data, size_t size) if (table_nr == 0) return; + if (secure_modules()) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, max_low_pfn_mapped << PAGE_SHIFT, all_tables_size, PAGE_SIZE);