From 1f583a46fcaf2130748d0a3dcf4be75bf559d8ff Mon Sep 17 00:00:00 2001
From: Linn Crosetto
Date: Fri, 4 Mar 2016 16:08:24 -0700
Subject: [PATCH] acpi: Disable ACPI table override if securelevel is set

From the kernel documentation (initrd_table_override.txt):

If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to override nearly any ACPI table provided by the BIOS with an instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if securelevel is set.

Signed-off-by: Linn Crosetto
[bwh: Forward-ported to 4.7: ACPI override code moved to drivers/acpi/tables.c]

Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name acpi-disable-acpi-table-override-if-securelevel-is-s.patch
---
 arch/x86/kernel/setup.c | 12 ++++++------
 drivers/acpi/tables.c | 7 +++++++
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index a851532da8b..e2d0b6104de 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1153,6 +1153,12 @@ void __init setup_arch(char **cmdline_p)
 /* Allocate bigger log buffer */
 setup_log_buf(1);
 
+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+ if (boot_params.secure_boot) {
+ set_securelevel(1);
+ }
+#endif
+
 reserve_initrd();
 
 acpi_table_upgrade();
@@ -1161,12 +1167,6 @@ void __init setup_arch(char **cmdline_p)
 
 io_delay_init();
 
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
- if (boot_params.secure_boot) {
- set_securelevel(1);
- }
-#endif
-
 /*
 * Parse the ACPI tables for possible boot-time SMP configuration.
 */
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 9f0ad6ebb36..0969d0b7b42 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -36,6 +36,7 @@
 #include
 #include
 #include
+#include
 #include "internal.h"
 
 #ifdef CONFIG_ACPI_CUSTOM_DSDT
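Review bot: The relocated `#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL` block in the first setup.c hunk carries no comment saying why it now sits before `reserve_initrd()` and `acpi_table_upgrade()`, yet that ordering is the whole point of the change: the securelevel test added in drivers/acpi/tables.c only refuses overrides if `set_securelevel(1)` has already run. A later reshuffle of setup_arch() could silently move the block back below `acpi_table_upgrade()` and reopen the override path without any build or runtime signal. I would add above the `#ifdef`: `/* Must precede acpi_table_upgrade(): it refuses initrd ACPI table overrides when securelevel is set. */`. setup_arch() begins and ends outside the hunk; the second setup.c hunk is the matching removal and needs nothing further.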
@@ -543,6 +544,12 @@ void __init acpi_table_upgrade(void)
 if (table_nr == 0)
 return;
 
+ if (get_securelevel() > 0) {
+ pr_notice(PREFIX
+ "securelevel enabled, ignoring table override\n");
+ return;
+ }
+
 acpi_tables_addr =
 memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
 all_tables_size, PAGE_SIZE);
-- 
2.30.2
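Review bot: The `get_securelevel()` test is placed after the `table_nr == 0` early return, which suggests the initrd cpio archive has already been walked and the candidate table headers parsed before the decision is taken; the scan loop is outside the hunk, so this is inferred rather than visible. If the intent is to not act on unauthenticated initrd data at all under securelevel, hoisting the same check to the top of acpi_table_upgrade(), ahead of the scan, would skip that parsing as well as the override — the same lines, `if (get_securelevel() > 0) { pr_notice(PREFIX "securelevel enabled, ignoring table override\n"); return; }`, just earlier. Either way the check is only effective if the arch code has called `set_securelevel()` before this function, an ordering enforced solely by the setup.c hunk, so a comment on the new `if` such as `/* relies on setup_arch() having set securelevel before calling us */` would make that contract visible to the next maintainer. acpi_table_upgrade() begins outside the hunk.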