73 lines
2.7 KiB
Diff
73 lines
2.7 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
||
|
Date: Mon, 28 Sep 2020 20:08:41 +0200
|
||
|
Subject: [PATCH] acpi: Don't register the acpi command when locked down
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
The command is not allowed when lockdown is enforced. Otherwise an
|
||
|
attacker can instruct the GRUB to load an SSDT table to overwrite
|
||
|
the kernel lockdown configuration and later load and execute
|
||
|
unsigned code.
|
||
|
|
||
|
Fixes: CVE-2020-14372
|
||
|
|
||
|
Reported-by: Máté Kukri <km@mkukri.xyz>
|
||
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||
|
---
|
||
|
grub-core/commands/acpi.c | 15 ++++++++-------
|
||
|
docs/grub.texi | 5 +++++
|
||
|
2 files changed, 13 insertions(+), 7 deletions(-)
|
||
|
|
||
|
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
|
||
|
index 5a1499aa0e3..1215f2a62ef 100644
|
||
|
--- a/grub-core/commands/acpi.c
|
||
|
+++ b/grub-core/commands/acpi.c
|
||
|
@@ -27,6 +27,7 @@
|
||
|
#include <grub/mm.h>
|
||
|
#include <grub/memory.h>
|
||
|
#include <grub/i18n.h>
|
||
|
+#include <grub/lockdown.h>
|
||
|
|
||
|
#ifdef GRUB_MACHINE_EFI
|
||
|
#include <grub/efi/efi.h>
|
||
|
@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
|
||
|
|
||
|
GRUB_MOD_INIT(acpi)
|
||
|
{
|
||
|
- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
|
||
|
- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
|
||
|
- "--load-only=TABLE1,TABLE2] FILE1"
|
||
|
- " [FILE2] [...]"),
|
||
|
- N_("Load host ACPI tables and tables "
|
||
|
- "specified by arguments."),
|
||
|
- options);
|
||
|
+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
|
||
|
+ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
|
||
|
+ "--load-only=TABLE1,TABLE2] FILE1"
|
||
|
+ " [FILE2] [...]"),
|
||
|
+ N_("Load host ACPI tables and tables "
|
||
|
+ "specified by arguments."),
|
||
|
+ options);
|
||
|
}
|
||
|
|
||
|
GRUB_MOD_FINI(acpi)
|
||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||
|
index 755de88d7d8..01acf672b80 100644
|
||
|
--- a/docs/grub.texi
|
||
|
+++ b/docs/grub.texi
|
||
|
@@ -4038,6 +4038,11 @@ Normally, this command will replace the Root System Description Pointer
|
||
|
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
|
||
|
@option{--no-ebda} option is used, the new tables will be known only to
|
||
|
GRUB, but may be used by GRUB's EFI emulation.
|
||
|
+
|
||
|
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
||
|
+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
|
||
|
+ overwrite the kernel lockdown configuration and later load and execute
|
||
|
+ unsigned code.
|
||
|
@end deffn
|
||
|
|
||
|
|