Date: Mon, 25 Mar 2019 15:09:42 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-16-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 15/27] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Linn Crosetto, linux-acpi@vger.kernel.org, Matthew Garrett
X-Mailing-List: linux-kernel@vger.kernel.org

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
  to override nearly any ACPI table provided by the BIOS with an
  instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
cc: linux-acpi@vger.kernel.org
Signed-off-by: Matthew Garrett
---
 drivers/acpi/tables.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..f3b4117cd8f3 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override")) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- 2.21.0.392.gf8f6787159e-goog
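Review bot: the commit message still says "When securelevel is set" while the hunk tests kernel_is_locked_down(), so the description should be updated to talk about lockdown consistently, otherwise a reader of the log will look for a securelevel knob that this code never consults. Placing the check after `if (table_nr == 0) return;` is the right spot, since it means the notice is only printed when an initrd actually carried override tables and nothing has been allocated from memblock yet; please confirm, though, that the added `pr_notice("kernel is locked down, ignoring table override\n");` does not duplicate the reason message that kernel_is_locked_down("ACPI table override") logs on its own, and drop one of the two if it does.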