
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:41 +0200
Subject: [PATCH] acpi: Don't register the acpi command when locked down
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The command is not allowed when lockdown is enforced. Otherwise an
attacker can instruct GRUB to load an SSDT table to overwrite
the kernel lockdown configuration and later load and execute
unsigned code.
Fixes: CVE-2020-14372
Reported-by: Máté Kukri <km@mkukri.xyz>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/commands/acpi.c | 15 ++++++++-------
 docs/grub.texi            |  5 +++++
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
468bd4
index 5a1499aa0e3..1215f2a62ef 100644
468bd4
--- a/grub-core/commands/acpi.c
468bd4
+++ b/grub-core/commands/acpi.c
468bd4
@@ -27,6 +27,7 @@
468bd4
 #include <grub/mm.h>
468bd4
 #include <grub/memory.h>
468bd4
 #include <grub/i18n.h>
468bd4
+#include <grub/lockdown.h>
468bd4
 
468bd4
 #ifdef GRUB_MACHINE_EFI
468bd4
 #include <grub/efi/efi.h>
468bd4
@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
468bd4
 
468bd4
 GRUB_MOD_INIT(acpi)
468bd4
 {
468bd4
-  cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
468bd4
-			      N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
468bd4
-			      "--load-only=TABLE1,TABLE2] FILE1"
468bd4
-			      " [FILE2] [...]"),
468bd4
-			      N_("Load host ACPI tables and tables "
468bd4
-			      "specified by arguments."),
468bd4
-			      options);
468bd4
+  cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
468bd4
+                                       N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
468bd4
+                                          "--load-only=TABLE1,TABLE2] FILE1"
468bd4
+                                          " [FILE2] [...]"),
468bd4
+                                       N_("Load host ACPI tables and tables "
468bd4
+                                          "specified by arguments."),
468bd4
+                                       options);
468bd4
 }
468bd4
 
468bd4
 GRUB_MOD_FINI(acpi)
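Review bot: The switch to grub_register_extcmd_lockdown at the top of GRUB_MOD_INIT carries no comment saying why this command in particular must be refused under lockdown, so the next reader has to recover the rationale from the commit message; a one-line comment above the call such as `/* Refuse under lockdown: a loaded SSDT can override the kernel's lockdown state (CVE-2020-14372). */` keeps it with the code. The _lockdown variant presumably evaluates the lockdown state when the command is invoked rather than when the module is loaded, which is the right place given that modules may be loaded at any point; that ordering is worth confirming, as is whether the error the wrapper reports is explicit enough, since neither the usage string nor the description text mentions the restriction. As a point of style, the replacement lines indent with spaces where the removed lines used tabs, so the call now differs from the file's surrounding indentation. GRUB_MOD_FINI begins on the hunk's last line and continues outside it.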
468bd4
diff --git a/docs/grub.texi b/docs/grub.texi
468bd4
index 755de88d7d8..01acf672b80 100644
468bd4
--- a/docs/grub.texi
468bd4
+++ b/docs/grub.texi
468bd4
@@ -4038,6 +4038,11 @@ Normally, this command will replace the Root System Description Pointer
468bd4
 (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
468bd4
 @option{--no-ebda} option is used, the new tables will be known only to
468bd4
 GRUB, but may be used by GRUB's EFI emulation.
468bd4
+
468bd4
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
468bd4
+      Otherwise an attacker can instruct the GRUB to load an SSDT table to
468bd4
+      overwrite the kernel lockdown configuration and later load and execute
468bd4
+      unsigned code.
468bd4
 @end deffn
468bd4
 
468bd4