From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:41 +0200
Subject: [PATCH] acpi: Don't register the acpi command when locked down
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The command is not allowed when lockdown is enforced. Otherwise an
attacker can instruct the GRUB to load an SSDT table to overwrite
the kernel lockdown configuration and later load and execute
unsigned code.

Fixes: CVE-2020-14372

Reported-by: Máté Kukri <km@mkukri.xyz>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/commands/acpi.c | 15 ++++++++-------
 docs/grub.texi            |  5 +++++
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
index 5a1499aa0..1215f2a62 100644
--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@@ -27,6 +27,7 @@
 #include <grub/mm.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>
 
 #ifdef GRUB_MACHINE_EFI
 #include <grub/efi/efi.h>
@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
 
 GRUB_MOD_INIT(acpi)
 {
-  cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
-			      N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
-			      "--load-only=TABLE1,TABLE2] FILE1"
-			      " [FILE2] [...]"),
-			      N_("Load host ACPI tables and tables "
-			      "specified by arguments."),
-			      options);
+  cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
+                                       N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+                                          "--load-only=TABLE1,TABLE2] FILE1"
+                                          " [FILE2] [...]"),
+                                       N_("Load host ACPI tables and tables "
+                                          "specified by arguments."),
+                                       options);
 }
 
 GRUB_MOD_FINI(acpi)
diff --git a/docs/grub.texi b/docs/grub.texi
index 755de88d7..01acf672b 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4038,6 +4038,11 @@ Normally, this command will replace the Root System Description Pointer
 (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
 @option{--no-ebda} option is used, the new tables will be known only to
 GRUB, but may be used by GRUB's EFI emulation.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+      Otherwise an attacker can instruct the GRUB to load an SSDT table to
+      overwrite the kernel lockdown configuration and later load and execute
+      unsigned code.
 @end deffn