Date: Wed, 3 Apr 2019 17:32:37 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-16-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 15/27] acpi: Disable ACPI table override if the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Linn Crosetto, Matthew Garrett, linux-acpi@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Linn Crosetto

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
  to override nearly any ACPI table provided by the BIOS with an
  instrumented, modified one.

When lockdown is enabled, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if the kernel is locked down.

Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: linux-acpi@vger.kernel.org
---
 drivers/acpi/tables.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c index 48eabb6c2d4f..0dc561210c86 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -531,6 +531,11 @@ void __init acpi_table_upgrade(void) if (table_nr == 0) return; + if (kernel_is_locked_down("ACPI table override", LOCKDOWN_INTEGRITY)) { + pr_notice("kernel is locked down, ignoring table override\n"); + return; + } + acpi_tables_addr = memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- 2.21.0.392.gf8f6787159e-goog
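Review bot: The pr_notice() that follows the kernel_is_locked_down() call looks redundant with the "ACPI table override" description passed as its first argument; if kernel_is_locked_down() already reports that string when it refuses (which is what handing it a human-readable description suggests), this hunk emits two messages for one event, so either the pr_notice() or the description should go. Placement otherwise looks right: the check sits after the early `if (table_nr == 0) return;`, so nothing is logged when no override tables were supplied, and it returns before memblock_find_in_range() reserves acpi_tables_addr, so a refused override leaves no memory reserved and the firmware-provided tables in place. One documentation nit in the commit message: it cites ACPI_INITRD_TABLE_OVERRIDE and initrd_table_override.txt, while the function being gated is acpi_table_upgrade(); worth confirming the option and file names still match the tree this series targets.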
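As an added illustration, not code from the patch, the kernel or ACPICA: what an override table file carries (a 36-byte System Description Table header followed by the payload, with a whole-table checksum) and the order in which an override path should test the lockdown gate relative to parsing the table. The struct name sdt_header, the functions table_upgrade_check(), build_sample_table() and demo_scenarios(), and the four-byte sample payload are this example's own inventions; the kernel uses ACPICA's struct acpi_table_header and does its own parsing inside acpi_table_upgrade().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 36-byte ACPI System Description Table header (ACPI spec, "System
 * Description Table Header"). Stand-alone copy for this example; the kernel
 * uses ACPICA's struct acpi_table_header. */
struct sdt_header {
    char     signature[4];
    uint32_t length;               /* whole table, header included */
    uint8_t  revision;
    uint8_t  checksum;             /* makes all bytes of the table sum to 0 */
    char     oem_id[6];
    char     oem_table_id[8];
    uint32_t oem_revision;
    char     asl_compiler_id[4];
    uint32_t asl_compiler_revision;
} __attribute__((packed));

enum upgrade_result {
    UPGRADE_ACCEPTED,
    UPGRADE_REJECTED_LOCKDOWN,     /* refused before the table is even parsed */
    UPGRADE_REJECTED_SHORT,
    UPGRADE_REJECTED_LENGTH,
    UPGRADE_REJECTED_CHECKSUM,
};

/* ACPI checksum rule: every byte of the table, checksum byte included,
 * sums to 0 modulo 256. */
static uint8_t sdt_sum(const uint8_t *buf, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint8_t)(sum + buf[i]);
    return sum;
}

/* Gate for one candidate override table found in the initrd. The lockdown
 * test comes first, as in the patch: a locked-down kernel never inspects,
 * copies or reserves memory for caller-controlled table bytes. */
enum upgrade_result table_upgrade_check(bool locked_down,
                                        const uint8_t *buf, size_t len)
{
    struct sdt_header hdr;

    if (locked_down)
        return UPGRADE_REJECTED_LOCKDOWN;
    if (len < sizeof hdr)
        return UPGRADE_REJECTED_SHORT;
    memcpy(&hdr, buf, sizeof hdr);     /* avoid unaligned access into buf */
    if (hdr.length < sizeof hdr || hdr.length > len)
        return UPGRADE_REJECTED_LENGTH;
    if (sdt_sum(buf, hdr.length) != 0)
        return UPGRADE_REJECTED_CHECKSUM;
    return UPGRADE_ACCEPTED;
}

/* Construct a minimal table (constructed sample data, not real AML) with a
 * correct checksum. Returns the table length, or 0 if out is too small. */
size_t build_sample_table(uint8_t *out, size_t cap, const char sig[4],
                          const uint8_t *body, size_t body_len)
{
    struct sdt_header hdr;
    size_t total = sizeof hdr + body_len;

    if (cap < total)
        return 0;
    memset(&hdr, 0, sizeof hdr);
    memcpy(hdr.signature, sig, 4);
    hdr.length = (uint32_t)total;
    hdr.revision = 2;
    memcpy(hdr.oem_id, "EXAMPL", 6);
    memcpy(hdr.oem_table_id, "OVERRIDE", 8);
    memcpy(hdr.asl_compiler_id, "NONE", 4);
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, body, body_len);
    /* checksum byte lives at offset 9 and is still 0 here */
    out[9] = (uint8_t)(0u - sdt_sum(out, total));
    return total;
}

/* Scenarios a reviewer would want to see; returns how many behaved as
 * expected (4 when the gate and the header checks are both right). */
int demo_scenarios(void)
{
    uint8_t buf[64];
    const uint8_t body[4] = { 0x10, 0x20, 0x30, 0x40 };   /* constructed payload */
    size_t n = build_sample_table(buf, sizeof buf, "SSDT", body, sizeof body);
    int ok = 0;

    ok += table_upgrade_check(false, buf, n) == UPGRADE_ACCEPTED;
    ok += table_upgrade_check(true, buf, n) == UPGRADE_REJECTED_LOCKDOWN;
    buf[n - 1] ^= 0x01;          /* tamper with one payload byte */
    ok += table_upgrade_check(false, buf, n) == UPGRADE_REJECTED_CHECKSUM;
    ok += table_upgrade_check(false, buf, 10) == UPGRADE_REJECTED_SHORT;
    return ok;
}

int main(void)
{
    printf("%d/4 scenarios behaved as expected\n", demo_scenarios());
    return 0;
}
```

The point of the ordering is the one the patch makes: once the kernel is locked down, the table bytes are never parsed and no memblock allocation happens, so a malformed or hostile override cannot even reach the checksum path. The checksum itself is an integrity check against corruption, not an authenticity check, which is why lockdown has to refuse the whole mechanism rather than rely on it.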