|
 |
b1bcb2 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
b1bcb2 |
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
b1bcb2 |
Date: Mon, 28 Sep 2020 20:08:41 +0200
|
|
|
b1bcb2 |
Subject: [PATCH] acpi: Don't register the acpi command when locked down
|
|
|
b1bcb2 |
MIME-Version: 1.0
|
|
|
b1bcb2 |
Content-Type: text/plain; charset=UTF-8
|
|
|
b1bcb2 |
Content-Transfer-Encoding: 8bit
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
The command is not allowed when lockdown is enforced. Otherwise an
|
|
|
b1bcb2 |
attacker can instruct the GRUB to load an SSDT table to overwrite
|
|
|
b1bcb2 |
the kernel lockdown configuration and later load and execute
|
|
|
b1bcb2 |
unsigned code.
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
Fixes: CVE-2020-14372
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
Reported-by: Máté Kukri <km@mkukri.xyz>
|
|
|
b1bcb2 |
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
b1bcb2 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
b1bcb2 |
---
|
|
|
b1bcb2 |
grub-core/commands/acpi.c | 15 ++++++++-------
|
|
|
b1bcb2 |
docs/grub.texi | 5 +++++
|
|
|
b1bcb2 |
2 files changed, 13 insertions(+), 7 deletions(-)
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
|
|
|
b1bcb2 |
index 97c2cf282f9..230e710a19e 100644
|
|
|
b1bcb2 |
--- a/grub-core/commands/acpi.c
|
|
|
b1bcb2 |
+++ b/grub-core/commands/acpi.c
|
|
|
b1bcb2 |
@@ -27,6 +27,7 @@
|
|
|
b1bcb2 |
#include <grub/mm.h>
|
|
|
b1bcb2 |
#include <grub/memory.h>
|
|
|
b1bcb2 |
#include <grub/i18n.h>
|
|
|
b1bcb2 |
+#include <grub/lockdown.h>
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
#ifdef GRUB_MACHINE_EFI
|
|
|
b1bcb2 |
#include <grub/efi/efi.h>
|
|
|
b1bcb2 |
@@ -779,13 +780,13 @@ static grub_extcmd_t cmd;
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
GRUB_MOD_INIT(acpi)
|
|
|
b1bcb2 |
{
|
|
|
b1bcb2 |
- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
|
|
|
b1bcb2 |
- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
|
|
|
b1bcb2 |
- "--load-only=TABLE1,TABLE2] FILE1"
|
|
|
b1bcb2 |
- " [FILE2] [...]"),
|
|
|
b1bcb2 |
- N_("Load host ACPI tables and tables "
|
|
|
b1bcb2 |
- "specified by arguments."),
|
|
|
b1bcb2 |
- options);
|
|
|
b1bcb2 |
+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
|
|
|
b1bcb2 |
+ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
|
|
|
b1bcb2 |
+ "--load-only=TABLE1,TABLE2] FILE1"
|
|
|
b1bcb2 |
+ " [FILE2] [...]"),
|
|
|
b1bcb2 |
+ N_("Load host ACPI tables and tables "
|
|
|
b1bcb2 |
+ "specified by arguments."),
|
|
|
b1bcb2 |
+ options);
|
|
|
b1bcb2 |
}
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
GRUB_MOD_FINI(acpi)
|
|
|
b1bcb2 |
diff --git a/docs/grub.texi b/docs/grub.texi
|
|
|
b1bcb2 |
index 6f331422bd3..741f6c3fb51 100644
|
|
|
b1bcb2 |
--- a/docs/grub.texi
|
|
|
b1bcb2 |
+++ b/docs/grub.texi
|
|
|
b1bcb2 |
@@ -3917,6 +3917,11 @@ Normally, this command will replace the Root System Description Pointer
|
|
|
b1bcb2 |
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
|
|
|
b1bcb2 |
@option{--no-ebda} option is used, the new tables will be known only to
|
|
|
b1bcb2 |
GRUB, but may be used by GRUB's EFI emulation.
|
|
|
b1bcb2 |
+
|
|
|
b1bcb2 |
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
|
|
b1bcb2 |
+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
|
|
|
b1bcb2 |
+ overwrite the kernel lockdown configuration and later load and execute
|
|
|
b1bcb2 |
+ unsigned code.
|
|
|
b1bcb2 |
@end deffn
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
|