diff mbox series

[SRU,Focal] UBUNTU: [Config]: Set CONFIG_PPC_RTAS_FILTER

Message ID 20201201205052.2627748-5-cascardo@canonical.com
State New
Headers show
Series [SRU,Focal] UBUNTU: [Config]: Set CONFIG_PPC_RTAS_FILTER | expand

Commit Message

Thadeu Lima de Souza Cascardo Dec. 1, 2020, 8:50 p.m. UTC 
RTAS may be used to read arbritary memory, which we do not want to allow when
Secure Boot is used. It is restricted to only some allowed operations, which
are the ones that are used by distributed tools.

CVE-2020-27777
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 debian.master/config/annotations | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 98104f78179c..b3e6d6cfe7e2 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12460,11 +12460,13 @@  CONFIG_EXTRA_TARGETS                            policy<{'ppc64el': '""'}>
 CONFIG_PPC_MEM_KEYS                             policy<{'ppc64el': 'n'}>
 CONFIG_PPC_SECURE_BOOT                          policy<{'ppc64el': 'y'}>
 CONFIG_PPC_SECVAR_SYSFS                         policy<{'ppc64el': 'y'}>
+CONFIG_PPC_RTAS_FILTER                          policy<{'ppc64el': 'y'}>
 #
 CONFIG_FA_DUMP                                  note<LP:1415562>
 CONFIG_PPC_MEM_KEYS                             flag<REVIEW> note<LP:1776967>
 CONFIG_PPC_SECURE_BOOT                          mark<ENFORCED> note<LP:1866909> note<LP:1855668>
 CONFIG_PPC_SECVAR_SYSFS                         mark<ENFORCED> note<LP:1866909>
+CONFIG_PPC_RTAS_FILTER                          mark<ENFORCED> note<CVE-2020-27777>
 
 # Menu: Processor type and features >> Architecture: s390
 CONFIG_SCHED_TOPOLOGY                           policy<{'s390x': 'y'}>