
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:41 +0200
Subject: [PATCH] acpi: Don't register the acpi command when locked down
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The command is not allowed when lockdown is enforced. Otherwise an
attacker can instruct GRUB to load an SSDT table to overwrite
the kernel lockdown configuration and later load and execute
unsigned code.
Fixes: CVE-2020-14372
Reported-by: Máté Kukri <km@mkukri.xyz>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/commands/acpi.c | 15 ++++++++-------
 docs/grub.texi            |  5 +++++
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
index 97c2cf282f9..230e710a19e 100644
--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@@ -27,6 +27,7 @@
 #include <grub/mm.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>
 
 #ifdef GRUB_MACHINE_EFI
 #include <grub/efi/efi.h>
@@ -779,13 +780,13 @@ static grub_extcmd_t cmd;
 
 GRUB_MOD_INIT(acpi)
 {
-  cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
-			      N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
-			      "--load-only=TABLE1,TABLE2] FILE1"
-			      " [FILE2] [...]"),
-			      N_("Load host ACPI tables and tables "
-			      "specified by arguments."),
-			      options);
+  cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
+                                       N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+                                          "--load-only=TABLE1,TABLE2] FILE1"
+                                          " [FILE2] [...]"),
+                                       N_("Load host ACPI tables and tables "
+                                          "specified by arguments."),
+                                       options);
 }
 
 GRUB_MOD_FINI(acpi)
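Review bot: The switch to `grub_register_extcmd_lockdown` in GRUB_MOD_INIT(acpi) leaves no in-file hint of what the lockdown variant changes, so a reader of acpi.c sees only a renamed registration call. A short comment above the call would carry the rationale from the commit message, e.g. `/* Lockdown-aware registration: when lockdown is enforced, invoking acpi must fail rather than install tables that could override the kernel's lockdown state. */`. The helper and `<grub/lockdown.h>` are not defined by this patch, so it presumably depends on an earlier patch in the series that introduces the lockdown mechanism; the commit message could name that dependency. GRUB_MOD_FINI(acpi) on the hunk's last line continues outside the hunk, so the matching unregistration is not visible here.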
diff --git a/docs/grub.texi b/docs/grub.texi
index 6f331422bd3..741f6c3fb51 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -3917,6 +3917,11 @@ Normally, this command will replace the Root System Description Pointer
 (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
 @option{--no-ebda} option is used, the new tables will be known only to
 GRUB, but may be used by GRUB's EFI emulation.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+      Otherwise an attacker can instruct the GRUB to load an SSDT table to
+      overwrite the kernel lockdown configuration and later load and execute
+      unsigned code.
 @end deffn
 