acpi: Disable ACPI table override if securelevel is set
From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
  to override nearly any ACPI table provided by the BIOS with an
  instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if securelevel is set.

Signed-off-by: Linn Crosetto <linn@hpe.com>
Linn Crosetto authored and Matthew Garrett committed Apr 3, 2016
1 parent 4b2b64d commit a4a5ed2
Showing 2 changed files with 12 additions and 6 deletions.
12 changes: 6 additions & 6 deletions arch/x86/kernel/setup.c
@@ -1137,6 +1137,12 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);

#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
if (boot_params.secure_boot) {
set_securelevel(1);
}
#endif

reserve_initrd();

#if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)
@@ -1147,12 +1153,6 @@ void __init setup_arch(char **cmdline_p)

io_delay_init();

#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
if (boot_params.secure_boot) {
set_securelevel(1);
}
#endif

/*
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
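Review bot: The relocated `set_securelevel(1)` block in the first hunk now has to run before the ACPI initrd override that follows `reserve_initrd()`, but nothing at the new location records that ordering requirement. A later reshuffle of setup_arch() could move the block back below the override and silently re-enable unauthenticated table replacement when Secure Boot is on. I would add a comment above the `#ifdef`, for example `/* Must run before acpi_initrd_override(): it checks securelevel to refuse unauthenticated ACPI tables. */`. The body of the `#if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)` block is cut off by the hunk boundary, so the exact call site is inferred from the commit description, and setup_arch() itself starts and ends outside both hunks.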
6 changes: 6 additions & 0 deletions drivers/acpi/osl.c
@@ -707,6 +707,12 @@ void __init acpi_initrd_override(void *data, size_t size)
if (table_nr == 0)
return;

if (get_securelevel() > 0) {
pr_notice(PREFIX
"securelevel enabled, ignoring table override\n");
return;
}

acpi_tables_addr =
memblock_find_in_range(0, max_low_pfn_mapped << PAGE_SHIFT,
all_tables_size, PAGE_SIZE);
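Review bot: The new `get_securelevel() > 0` guard sits after the `table_nr == 0` early return, so whatever precedes it in acpi_initrd_override() still runs over unauthenticated data even when the result is then discarded; the start of the function is outside this hunk, and that earlier work is presumably the scan of the initrd for table files. If nothing depends on that work, the check can move to the top of the function. If the placement is deliberate, so that the notice is logged only when override tables were actually supplied, say so in a comment such as `/* Checked after the scan so the notice appears only when tables were supplied. */`. Because a refused override under securelevel is useful evidence during incident review, the message could also report how many tables were ignored.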