Subject: [PATCH 14/24] acpi: Disable ACPI table override if the kernel is locked down
From: David Howells
To: torvalds@linux-foundation.org
Cc: linux-man@vger.kernel.org, linux-api@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org
Date: Wed, 11 Apr 2018 17:26:10 +0100
Message-ID: <152346397054.4030.6635609558509282651.stgit@warthog.procyon.org.uk>
In-Reply-To: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk>
References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk>

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

    If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
    to override nearly any ACPI table provided by the BIOS with an
    instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/tables.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 849c4fb19b03..6c5ee7e66842 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -527,6 +527,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override")) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE);
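Review bot: the commit message argues from "securelevel" while the hunk tests kernel_is_locked_down(), so the rationale and the mechanism do not match; reword the message to "when the kernel is locked down" so the justification names the check actually added. Placing the new block after the `if (table_nr == 0) return;` early exit is the right spot: the refusal only fires when the initrd actually carried override tables, so a locked-down boot with no override stays silent and no memblock range is reserved for tables that will never be installed. One point on the messages: kernel_is_locked_down() is handed the reason string "ACPI table override", and the following `pr_notice("kernel is locked down, ignoring table override\n");` describes the same event; if the lockdown helper already logs the reason it is given, a single refused override produces two log lines, so consider keeping only one of them (the helper's, for consistency with the rest of the series, or the pr_notice if the helper is silent).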