From: Linn Crosetto <linn@hpe.com>
Date: Fri, 4 Mar 2016 16:08:24 -0700
Subject: [16/18] acpi: Disable ACPI table override if securelevel is set
Origin: https://github.com/mjg59/linux/commit/a4a5ed2835e8ea042868b7401dced3f517cafa76
From the kernel documentation (initrd_table_override.txt):
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
to override nearly any ACPI table provided by the BIOS with an
instrumented, modified one.
When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if securelevel is set.
Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.7: ACPI override code moved to drivers/acpi/tables.c]
---
arch/x86/kernel/setup.c | 12 ++++++------
drivers/acpi/tables.c | 6 ++++++
2 files changed, 12 insertions(+), 6 deletions(-)
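--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1145,6 +1145,12 @@ void __init setup_arch(char **cmdline_p)
 /* Allocate bigger log buffer */
 setup_log_buf(1);
 
+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+ if (boot_params.secure_boot) {
+ set_securelevel(1);
+ }
+#endif
+
 reserve_initrd();
 
 early_initrd_acpi_init();
@@ -1153,12 +1159,6 @@ void __init setup_arch(char **cmdline_p)
 
 io_delay_init();
 
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
- if (boot_params.secure_boot) {
- set_securelevel(1);
- }
-#endif
-
 /*
 * Parse the ACPI tables for possible boot-time SMP configuration.
 */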
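Review bot: The relocated `set_securelevel(1)` block in the first hunk carries no comment saying why it now has to precede `reserve_initrd()` and `early_initrd_acpi_init()`, so nothing stops a later cleanup from moving it back below `io_delay_init()` and silently re-enabling the initrd ACPI table override under Secure Boot. A short comment above the `#ifdef` would pin the ordering, e.g. `/* Must run before early_initrd_acpi_init(): the initrd ACPI table override is refused only once securelevel is set. */`. That the override code consults securelevel is established by the drivers/acpi/tables.c hunk of this same commit, not by anything visible in setup.c itself. setup_arch() begins and ends outside both hunks.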
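--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -34,6 +34,7 @@
 #include <linux/bootmem.h>
 #include <linux/earlycpio.h>
 #include <linux/memblock.h>
+#include <linux/security.h>
 #include "internal.h"
 
 #ifdef CONFIG_ACPI_CUSTOM_DSDT
@@ -539,6 +540,12 @@ static void __init acpi_table_initrd_ini
 if (table_nr == 0)
 return;
 
+ if (get_securelevel() > 0) {
+ pr_notice(PREFIX
+ "securelevel enabled, ignoring table override\n");
+ return;
+ }
+
 acpi_tables_addr =
 memblock_find_in_range(0, max_low_pfn_mapped << PAGE_SHIFT,
 all_tables_size, PAGE_SIZE);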
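Review bot: The new `get_securelevel() > 0` check in the second hunk is only effective if securelevel has already been raised by the time acpi_table_initrd_init() runs, which depends on arch setup code calling set_securelevel() earlier (setup_arch() on x86 in this commit) — an ordering contract that is not recorded at the check itself. A comment on it would make the dependency explicit for other architectures and for future reordering, e.g. `/* Relies on arch setup having raised securelevel before this runs; see setup_arch() on x86. */`. Placing the check after the `table_nr == 0` early return also means the notice is only emitted when an override was actually present, which appears to be the intended behaviour and is worth stating in the same comment. The enclosing function begins and ends outside the hunk.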