From patchwork Tue Dec 1 20:50:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1409086 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4ClvQX70sNz9sVX; Wed, 2 Dec 2020 07:51:16 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1kkCcD-0001EV-AN; Tue, 01 Dec 2020 20:51:13 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kkCcB-0001DU-EM for kernel-team@lists.ubuntu.com; Tue, 01 Dec 2020 20:51:11 +0000 Received: from 1.general.cascardo.us.vpn ([10.172.70.58] helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kkCcA-0000Dp-Jl for kernel-team@lists.ubuntu.com; Tue, 01 Dec 2020 20:51:11 +0000 From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU Focal] UBUNTU: [Config]: Set CONFIG_PPC_RTAS_FILTER Date: Tue, 1 Dec 2020 17:50:50 -0300 Message-Id: <20201201205052.2627748-5-cascardo@canonical.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20201201205052.2627748-1-cascardo@canonical.com> References: <20201201205052.2627748-1-cascardo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" RTAS may be used to read arbritary memory, which we do not want to allow when Secure Boot is used. It is restricted to only some allowed operations, which are the ones that are used by distributed tools. CVE-2020-27777 Signed-off-by: Thadeu Lima de Souza Cascardo --- debian.master/config/annotations | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 98104f78179c..b3e6d6cfe7e2 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -12460,11 +12460,13 @@ CONFIG_EXTRA_TARGETS policy<{'ppc64el': '""'}> CONFIG_PPC_MEM_KEYS policy<{'ppc64el': 'n'}> CONFIG_PPC_SECURE_BOOT policy<{'ppc64el': 'y'}> CONFIG_PPC_SECVAR_SYSFS policy<{'ppc64el': 'y'}> +CONFIG_PPC_RTAS_FILTER policy<{'ppc64el': 'y'}> # CONFIG_FA_DUMP note CONFIG_PPC_MEM_KEYS flag note CONFIG_PPC_SECURE_BOOT mark note note CONFIG_PPC_SECVAR_SYSFS mark note +CONFIG_PPC_RTAS_FILTER mark note # Menu: Processor type and features >> Architecture: s390 CONFIG_SCHED_TOPOLOGY policy<{'s390x': 'y'}>