ACK/Cmnt: [PATCH] UBUNTU: SAUCE: (efi-lockdown) efi: ignore efivar_ssdt cmdline parameter when locked down
Jason A. Donenfeld
Jason at zx2c4.com
Tue Jun 16 18:36:49 UTC 2020
On Tue, Jun 16, 2020 at 6:50 AM Stefan Bader <stefan.bader at canonical.com> wrote:
>
> On 15.06.20 07:50, Jason A. Donenfeld wrote:
> > The efivar_ssdt variable makes it possible for the root user to inject a
> > custom ACPI table that can be used to modify kernel memory and therefore
> > disable lockdown. So, this commit restricts efivar_ssdt when the kernel
> > is locked down. An example of this technique may be found at the link in
> > the trailer.
> >
> > Fixes: 49b04f8acc77 ("UBUNTU: SAUCE: (efi-lockdown) Add the ability to lock down access to the running kernel image")
> > Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh
> > Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
> > ---
>
> Formally all SRU patches need to have a public Launchpad bug open and patches
> refer to those with
>
> BugLink: https://bugs.launchpad.net/bugs/<#>
>
> Is there already one open?
I'll leave it to you all to do the administrivia. I simply did some
volunteer security research and provided a patch; the intricacies of
paperwork for getting this into your commercial distro seem a bit
above my pay grade.
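Added example, not part of the original thread or the patch: a defender-side check for the condition the commit message describes, reporting whether `efivar_ssdt=` was passed on the kernel command line and what lockdown mode that boot is in. It assumes the lockdown state is readable from `/sys/kernel/security/lockdown` (the mainline interface, which older distro lockdown patch sets may not expose); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the patch author's code). Audits one boot for efivar_ssdt=.
# Assumption: /sys/kernel/security/lockdown exists and uses the mainline format
# "none [integrity] confidentiality", with the active mode in brackets.

# Print the value of efivar_ssdt= found in a command line string ($1).
# Keeps the last occurrence; returns 1 if the parameter is absent.
ssdt_param() {
    found=1
    val=
    set -f                      # no globbing while word-splitting the cmdline
    for tok in $1; do
        case "$tok" in
            efivar_ssdt=*) val=${tok#efivar_ssdt=}; found=0 ;;
        esac
    done
    set +f
    if [ "$found" -eq 0 ]; then printf '%s\n' "$val"; fi
    return "$found"
}

# Extract the bracketed (active) mode from the lockdown file contents ($1).
lockdown_mode() {
    case "$1" in
        *\[*\]*) m=${1#*\[}; printf '%s\n' "${m%%\]*}" ;;
        *)       printf 'unknown\n' ;;
    esac
}

# $1 = kernel command line, $2 = lockdown file contents. Prints one verdict line.
audit_efivar_ssdt() {
    mode=$(lockdown_mode "$2")
    if var=$(ssdt_param "$1"); then
        case "$mode" in
            none|unknown) echo "REVIEW: efivar_ssdt=$var set, lockdown=$mode" ;;
            *) echo "ALERT: efivar_ssdt=$var requested while lockdown=$mode; confirm the kernel carries the fix" ;;
        esac
    else
        echo "OK: efivar_ssdt not set, lockdown=$mode"
    fi
}

# Live check; missing files are treated as empty input.
cmdline=$(cat /proc/cmdline 2>/dev/null || true)
state=$(cat /sys/kernel/security/lockdown 2>/dev/null || true)
audit_efivar_ssdt "$cmdline" "$state"
```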