ACK/Cmnt: [PATCH] UBUNTU: SAUCE: (efi-lockdown) efi: ignore efivar_ssdt cmdline parameter when locked down
Seth Forshee
seth.forshee at canonical.com
Tue Jun 16 15:55:46 UTC 2020
On Tue, Jun 16, 2020 at 02:49:44PM +0200, Stefan Bader wrote:
> On 15.06.20 07:50, Jason A. Donenfeld wrote:
> > The efivar_ssdt variable makes it possible for the root user to inject a
> > custom ACPI table that can be used to modify kernel memory and therefore
> > disable lockdown. So, this commit restricts efivar_ssdt when the kernel
> > is locked down. An example of this technique may be found at the link in
> > the trailer.
> >
> > Fixes: 49b04f8acc77 ("UBUNTU: SAUCE: (efi-lockdown) Add the ability to lock down access to the running kernel image")
> > Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh
> > Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
> > ---
>
> Formally all SRU patches need to have a public Launchpad bug open and patches
> refer to those with
>
> BugLink: https://bugs.launchpad.net/bugs/<#>
>
> Is there already one open?
I've identified other lockdown enhancements which should be backported,
so I'll create a bug and send them all as a group once the backports are
done.
>
> -Stefan
>
> > drivers/firmware/efi/efi.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> > index 4b4dd5532725..3d21488e35df 100644
> > --- a/drivers/firmware/efi/efi.c
> > +++ b/drivers/firmware/efi/efi.c
> > @@ -228,6 +228,8 @@ static void generic_ops_unregister(void)
> > static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
> > static int __init efivar_ssdt_setup(char *str)
> > {
> > + if (kernel_is_locked_down("efivar-specified ACPI SSDT"))
> > + return -EPERM;
> > if (strlen(str) < sizeof(efivar_ssdt))
> > memcpy(efivar_ssdt, str, strlen(str));
> > else
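Review bot: the early return in efivar_ssdt_setup() drops the parameter silently; since the commit message says the parameter is "ignored", a pr_info()/pr_warn() next to the `return -EPERM` would tell the operator why their SSDT was not loaded instead of leaving them to guess. Two things worth confirming on the same lines: __setup handlers conventionally return 1 for "handled" and 0 for "not handled", so returning -EPERM works only because it is non-zero (the parameter is consumed rather than passed on to init), and the check runs at command-line parse time, so the lockdown state must already be settled before __setup handlers run for `kernel_is_locked_down()` to return the right answer here.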
> >
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team