[SRU,Groovy,2/2] UBUNTU: [Config]: Set CONFIG_PPC_RTAS_FILTER

Message ID 20201201205052.2627748-7-cascardo@canonical.com
State New

Commit Message

Thadeu Lima de Souza Cascardo Dec. 1, 2020, 8:50 p.m. UTC
RTAS may be used to read arbitrary memory, which we do not want to allow when
Secure Boot is used. It is restricted to only some allowed operations, which
are the ones that are used by distributed tools.

CVE-2020-27777
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 debian.master/config/annotations          | 2 ++
 debian.master/config/config.common.ubuntu | 1 +
 2 files changed, 3 insertions(+)

Patch

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index bd37e327165f..5d517529597c 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12813,11 +12813,13 @@  CONFIG_EXTRA_TARGETS                            policy<{'ppc64el': '""'}>
 CONFIG_PPC_MEM_KEYS                             policy<{'ppc64el': 'n'}>
 CONFIG_PPC_SECURE_BOOT                          policy<{'ppc64el': 'y'}>
 CONFIG_PPC_SECVAR_SYSFS                         policy<{'ppc64el': 'y'}>
+CONFIG_PPC_RTAS_FILTER                          policy<{'ppc64el': 'y'}>
 #
 CONFIG_FA_DUMP                                  note<LP:1415562>
 CONFIG_PPC_MEM_KEYS                             flag<REVIEW> note<LP:1776967>
 CONFIG_PPC_SECURE_BOOT                          mark<ENFORCED> note<LP:1866909> note<LP:1855668>
 CONFIG_PPC_SECVAR_SYSFS                         mark<ENFORCED> note<LP:1866909>
+CONFIG_PPC_RTAS_FILTER                          mark<ENFORCED> note<CVE-2020-27777>
 
 # Menu: Processor type and features >> Architecture: s390
 CONFIG_KERNEL_NOBP                              policy<{'s390x': 'n'}>
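Review bot: The new mark<ENFORCED> line for CONFIG_PPC_RTAS_FILTER carries only note<CVE-2020-27777>, while the enforced entries directly above it (CONFIG_PPC_SECURE_BOOT, CONFIG_PPC_SECVAR_SYSFS) each cite a Launchpad bug via note<LP:...>. If this SRU has a tracking bug, add it as a second note<> so the enforcement can be traced the same way as its neighbours. Minor style point: in both the policy block and the mark block the new line is appended after CONFIG_PPC_SECVAR_SYSFS, whereas config.common.ubuntu places the option before CONFIG_PPC_SECURE_BOOT; keeping the same order here would make the two files easier to compare.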
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 59899f8dc47b..71b64b8d4198 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -7720,6 +7720,7 @@  CONFIG_PPC_RADIX_MMU=y
 CONFIG_PPC_RADIX_MMU_DEFAULT=y
 CONFIG_PPC_RTAS=y
 CONFIG_PPC_RTAS_DAEMON=y
+CONFIG_PPC_RTAS_FILTER=y
 CONFIG_PPC_SECURE_BOOT=y
 CONFIG_PPC_SECVAR_SYSFS=y
 CONFIG_PPC_SMLPAR=y
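Review bot: CONFIG_PPC_RTAS_FILTER=y is set unconditionally here, but the commit message motivates the change only for the case where Secure Boot is used. Please state in the commit message whether the filter is intended to apply on every ppc64el boot or only under Secure Boot, since that affects which userspace RTAS callers need regression testing. As this is patch 2/2, it would also help to name the patch that introduces the Kconfig symbol, so a reviewer can confirm the option exists in the Groovy tree before it is marked ENFORCED.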