Date: Tue, 26 Mar 2019 11:27:31 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-16-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 15/25] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Linn Crosetto, Matthew Garrett, linux-acpi@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to
  override nearly any ACPI table provided by the BIOS with an instrumented,
  modified one.

When lockdown is enabled, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/tables.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..0dc561210c86 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override", LOCKDOWN_INTEGRITY)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- 2.21.0.392.gf8f6787159e-goog
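Review bot: acpi_table_upgrade() is __init and runs early in boot, so the new kernel_is_locked_down("ACPI table override", LOCKDOWN_INTEGRITY) check only protects anything if the lockdown state has already been settled by the time the initrd tables are processed; it would be worth confirming that ordering, or saying so in the commit message, since a check evaluated before lockdown is established would let the override through with no log line. A smaller point on placement: the check sits after the initrd has already been scanned for tables (it follows the `if (table_nr == 0) return;` early exit), so a locked-down kernel still pays for the scan before bailing out. Moving it to the top of the function would avoid that work; the trade-off is that the current position means the "kernel is locked down, ignoring table override" notice only fires when an override was actually attempted, which is the more useful audit signal, so if the placement is deliberate a one-line comment saying so would help the next reader.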