Commit 6ea0e815 authored by Linn Crosetto, committed by James Morris

acpi: Disable ACPI table override if the kernel is locked down

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
  to override nearly any ACPI table provided by the BIOS with an
  instrumented, modified one.

When lockdown is enabled, the kernel should disallow any unauthenticated
changes to kernel space.  ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto <lcrosetto@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: linux-acpi@vger.kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
parent 41fa1ee9
...@@ -20,6 +20,7 @@ ...@@ -20,6 +20,7 @@
#include <linux/memblock.h> #include <linux/memblock.h>
#include <linux/earlycpio.h> #include <linux/earlycpio.h>
#include <linux/initrd.h> #include <linux/initrd.h>
#include <linux/security.h>
#include "internal.h" #include "internal.h"
#ifdef CONFIG_ACPI_CUSTOM_DSDT #ifdef CONFIG_ACPI_CUSTOM_DSDT
...@@ -577,6 +578,11 @@ void __init acpi_table_upgrade(void) ...@@ -577,6 +578,11 @@ void __init acpi_table_upgrade(void)
if (table_nr == 0) if (table_nr == 0)
return; return;
if (security_locked_down(LOCKDOWN_ACPI_TABLES)) {
pr_notice("kernel is locked down, ignoring table override\n");
return;
}
acpi_tables_addr = acpi_tables_addr =
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
all_tables_size, PAGE_SIZE); all_tables_size, PAGE_SIZE);
......
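Review bot: the security_locked_down(LOCKDOWN_ACPI_TABLES) check in acpi_table_upgrade() is evaluated once, inside an __init function, so it only blocks the override if lockdown is already in effect when this function runs; a short comment above the check stating that ordering assumption would make the guarantee explicit for later readers. The check sits after the `if (table_nr == 0)` early return, so the notice is only logged when override tables were actually found, which is the right behaviour, but the pr_notice() text does not say how many were dropped. Including table_nr in the message, for example "kernel is locked down, ignoring %d table override(s)", would give anyone auditing the boot log a way to tell that an initrd carried override tables and how many were rejected.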