From the kernel documentation (initrd_table_override.txt):
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
to override nearly any ACPI table provided by the BIOS with an
instrumented, modified one.
When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if securelevel is set.
Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.7: ACPI override code moved to drivers/acpi/tables.c]
[bwh: Forward-ported to 4.9: adjust context]
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name acpi-disable-acpi-table-override-if-securelevel-is-s.patch
/* Allocate bigger log buffer */
setup_log_buf(1);
+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+ if (boot_params.secure_boot) {
+ set_securelevel(1);
+ }
+#endif
+
reserve_initrd();
acpi_table_upgrade();
io_delay_init();
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
- if (boot_params.secure_boot) {
- set_securelevel(1);
- }
-#endif
-
/*
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
#include <linux/earlycpio.h>
#include <linux/memblock.h>
#include <linux/initrd.h>
+#include <linux/security.h>
#include "internal.h"
#ifdef CONFIG_ACPI_CUSTOM_DSDT
if (table_nr == 0)
return;
+ if (get_securelevel() > 0) {
+ pr_notice(PREFIX
+ "securelevel enabled, ignoring table override\n");
+ return;
+ }
+
acpi_tables_addr =
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
all_tables_size, PAGE_SIZE);
projects / linux-4.9.git / commitdiff