projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a944324) | patch
efi: Restrict efivar_ssdt_load when the kernel is locked down
authorMatthew Garrett <matthewgarrett@google.com>
Wed, 31 Jul 2019 22:16:16 +0000 (15:16 -0700)
committerBen Hutchings <ben@decadent.org.uk>
Tue, 19 Nov 2019 01:43:33 +0000 (01:43 +0000)
commit7252306ce2baa0e2a0de6df4d8b5c2d0a0c951de
tree9dc70f84bae759ec7ff3b1b6cb7a5117e8467efctree | snapshot
parenta944324573942ffdbf6539fd4117cd1569f46389commit | diff
efi: Restrict efivar_ssdt_load when the kernel is locked down

efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
EFI variable, which gives arbitrary code execution in ring 0. Prevent
that when the kernel is locked down.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: linux-efi@vger.kernel.org
[bwh: Convert back to the non-LSM lockdown API]

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch
drivers/firmware/efi/efi.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.