From: Linn Crosetto <linn@hpe.com>
Date: Fri, 4 Mar 2016 16:08:24 -0700
Subject: [16/18] acpi: Disable ACPI table override if securelevel is set
Origin: https://github.com/mjg59/linux/commit/a4a5ed2835e8ea042868b7401dced3f517cafa76
From the kernel documentation (initrd_table_override.txt):
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
to override nearly any ACPI table provided by the BIOS with an
instrumented, modified one.
When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if securelevel is set.
Signed-off-by: Linn Crosetto <linn@hpe.com>
---
arch/x86/kernel/setup.c | 12 ++++++------
drivers/acpi/osl.c | 6 ++++++
2 files changed, 12 insertions(+), 6 deletions(-)
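--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1136,6 +1136,12 @@ void __init setup_arch(char **cmdline_p)
 /* Allocate bigger log buffer */
 setup_log_buf(1);
 
+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+ if (boot_params.secure_boot) {
+ set_securelevel(1);
+ }
+#endif
+
 reserve_initrd();
 
 #if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)
@@ -1146,12 +1152,6 @@ void __init setup_arch(char **cmdline_p)
 
 io_delay_init();
 
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
- if (boot_params.secure_boot) {
- set_securelevel(1);
- }
-#endif
-
 /*
 * Parse the ACPI tables for possible boot-time SMP configuration.
 */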
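Review bot: Nothing at the new location of the `CONFIG_EFI_SECURE_BOOT_SECURELEVEL` block records that its position is now load-bearing. It has to run before the `CONFIG_ACPI && CONFIG_BLK_DEV_INITRD` code that follows `reserve_initrd()`, which, judging by the osl.c change, is presumably where `acpi_initrd_override()` is reached. A later reshuffle of setup_arch() could move the block back down and silently re-enable the table override on a Secure Boot system. I would add a comment above the `#ifdef`, for example `/* Must run before acpi_initrd_override(): the override is refused only if securelevel is already set. */`. The braces around the single `set_securelevel(1);` statement can also be dropped per kernel coding style; setup_arch() starts and ends outside both hunks.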
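--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -698,6 +698,12 @@ void __init acpi_initrd_override(void *d
 if (table_nr == 0)
 return;
 
+ if (get_securelevel() > 0) {
+ pr_notice(PREFIX
+ "securelevel enabled, ignoring table override\n");
+ return;
+ }
+
 acpi_tables_addr =
 memblock_find_in_range(0, max_low_pfn_mapped << PAGE_SHIFT,
 all_tables_size, PAGE_SIZE);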
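Review bot: The `get_securelevel() > 0` test sits after the `table_nr == 0` early return, so whatever ran earlier in acpi_initrd_override() to count the tables has already processed unauthenticated data before the override is refused. That earlier code is outside this hunk; it is presumably the walk over the initrd contents. If the placement is deliberate, so that the notice appears only on boots that actually supplied override tables, say so with a comment such as `/* checked after the scan so the notice is printed only when tables were supplied */`. Otherwise, move the test to the top of the function so that nothing from the initrd is parsed once securelevel is set. The guard also relies on securelevel having been raised before this `__init` call, and only the setup.c hunk of this same patch establishes that ordering.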