Date: Wed, 6 Mar 2019 15:59:02 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-17-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com
X-Mailing-List: linux-kernel@vger.kernel.org

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
  to override nearly any ACPI table provided by the BIOS with an
  instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: linux-acpi@vger.kernel.org
Signed-off-by: Matthew Garrett
---
 drivers/acpi/tables.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 48eabb6c2d4f..f3b4117cd8f3 100644
--- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override")) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- 2.21.0.352.gf09ad66450-goog
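Review bot: the commit message justifies the change with "When securelevel is set", but the check added to acpi_table_upgrade() tests kernel_is_locked_down("ACPI table override"), so the wording is left over from the older securelevel mechanism; reword it to "When the kernel is locked down" so the rationale matches the code. The patch also leaves initrd_table_override.txt, which the message quotes, unchanged: a sentence there saying that override tables found in the initrd are ignored under lockdown would tell an administrator what the new "kernel is locked down, ignoring table override" notice means and why their table was not applied. Placing the check after the "if (table_nr == 0) return;" early exit is the right choice, since the notice is then only emitted when the initrd actually carried override tables, and the function returns before acpi_tables_addr is allocated, so no override data is placed in memory.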