grub2/SOURCES/0377-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch

73 lines
2.7 KiB
Diff
Raw Normal View History

2021-03-30 15:50:09 +00:00
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:41 +0200
Subject: [PATCH] acpi: Don't register the acpi command when locked down
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The command is not allowed when lockdown is enforced. Otherwise an
attacker can instruct the GRUB to load an SSDT table to overwrite
the kernel lockdown configuration and later load and execute
unsigned code.
Fixes: CVE-2020-14372
Reported-by: Máté Kukri <km@mkukri.xyz>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/acpi.c | 15 ++++++++-------
docs/grub.texi | 5 +++++
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
index 5a1499aa0e3..1215f2a62ef 100644
--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@@ -27,6 +27,7 @@
#include <grub/mm.h>
#include <grub/memory.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
#ifdef GRUB_MACHINE_EFI
#include <grub/efi/efi.h>
@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
GRUB_MOD_INIT(acpi)
{
- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
- "--load-only=TABLE1,TABLE2] FILE1"
- " [FILE2] [...]"),
- N_("Load host ACPI tables and tables "
- "specified by arguments."),
- options);
+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
+ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+ "--load-only=TABLE1,TABLE2] FILE1"
+ " [FILE2] [...]"),
+ N_("Load host ACPI tables and tables "
+ "specified by arguments."),
+ options);
}
GRUB_MOD_FINI(acpi)
diff --git a/docs/grub.texi b/docs/grub.texi
index 755de88d7d8..01acf672b80 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4038,6 +4038,11 @@ Normally, this command will replace the Root System Description Pointer
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
@option{--no-ebda} option is used, the new tables will be known only to
GRUB, but may be used by GRUB's EFI emulation.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
+ overwrite the kernel lockdown configuration and later load and execute
+ unsigned code.
@end deffn