]> www.infradead.org Git - users/jedix/linux-maple.git/commitdiff
acpi: Disable ACPI table override if securelevel is set
authorLinn Crosetto <linn@hpe.com>
Wed, 16 Nov 2016 20:33:52 +0000 (12:33 -0800)
committerChuck Anderson <chuck.anderson@oracle.com>
Wed, 16 Nov 2016 20:33:52 +0000 (12:33 -0800)
From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
  to override nearly any ACPI table provided by the BIOS with an
  instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if securelevel is set.

Signed-off-by: Linn Crosetto <linn@hpe.com>
Orabug: 25058372
CVE: CVE-2016-3699
Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: Guru Anbalagane <guru.anbalagane@oracle.com>
arch/x86/kernel/setup.c
drivers/acpi/osl.c

index 97838c712a96a319e73c29b46e3929afd07873e0..5813e2d48eb731824faa0f148ff0459af6469182 100644 (file)
@@ -1147,6 +1147,14 @@ void __init setup_arch(char **cmdline_p)
        /* Allocate bigger log buffer */
        setup_log_buf(1);
 
+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+       if (boot_params.secure_boot) {
+               set_bit(EFI_SECURE_BOOT, &efi.flags);
+               set_securelevel(1);
+               pr_info("Secure boot enabled\n");
+       }
+#endif
+
        reserve_initrd();
 
 #if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)
@@ -1157,14 +1165,6 @@ void __init setup_arch(char **cmdline_p)
 
        io_delay_init();
 
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
-       if (boot_params.secure_boot) {
-               set_bit(EFI_SECURE_BOOT, &efi.flags);
-               set_securelevel(1);
-               pr_info("Secure boot enabled\n");
-       }
-#endif
-
        /*
         * Parse the ACPI tables for possible boot-time SMP configuration.
         */
index 5a2e173cf31583857db755998635b9ed0171d402..82a5b1f6d4645fbc86b0c313e05d153b5b16604d 100644 (file)
@@ -651,6 +651,12 @@ void __init acpi_initrd_override(void *data, size_t size)
        if (table_nr == 0)
                return;
 
+       if (get_securelevel() > 0) {
+               pr_notice(PREFIX
+                       "securelevel enabled, ignoring table override\n");
+               return;
+}
+
        acpi_tables_addr =
                memblock_find_in_range(0, max_low_pfn_mapped << PAGE_SHIFT,
                                       all_tables_size, PAGE_SIZE);