* [PATCH V33 30/30] efi: Restrict efivar_ssdt_load when the kernel is locked down
[not found] <20190621011941.186255-1-matthewgarrett@google.com>
@ 2019-06-21 1:19 ` Matthew Garrett
0 siblings, 0 replies; only message in thread
From: Matthew Garrett @ 2019-06-21 1:19 UTC (permalink / raw)
To: jmorris
Cc: linux-security, linux-kernel, linux-api, Matthew Garrett,
Matthew Garrett, Ard Biesheuvel, linux-efi
efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
EFI variable, which gives arbitrary code execution in ring 0. Prevent
that when the kernel is locked down.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: linux-efi@vger.kernel.org
---
drivers/firmware/efi/efi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 55b77c576c42..a9ea649e0512 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -31,6 +31,7 @@
#include <linux/acpi.h>
#include <linux/ucs2_string.h>
#include <linux/memblock.h>
+#include <linux/security.h>
#include <asm/early_ioremap.h>
@@ -242,6 +243,9 @@ static void generic_ops_unregister(void)
static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
static int __init efivar_ssdt_setup(char *str)
{
+ if (security_is_locked_down(LOCKDOWN_ACPI_TABLES))
+ return -EPERM;
+
if (strlen(str) < sizeof(efivar_ssdt))
memcpy(efivar_ssdt, str, strlen(str));
else
--
2.22.0.410.gd8fdbe21b5-goog
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2019-06-21 1:21 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20190621011941.186255-1-matthewgarrett@google.com>
2019-06-21 1:19 ` [PATCH V33 30/30] efi: Restrict efivar_ssdt_load when the kernel is locked down Matthew Garrett
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).