1*4882a593SmuzhiyunFrom 3e8e4c0549240fa209acffceb473e1e509b50c95 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Javier Martinez Canillas <javierm@redhat.com>
3*4882a593SmuzhiyunDate: Mon, 28 Sep 2020 20:08:41 +0200
4*4882a593SmuzhiyunSubject: [PATCH] acpi: Don't register the acpi command when locked down
5*4882a593SmuzhiyunMIME-Version: 1.0
6*4882a593SmuzhiyunContent-Type: text/plain; charset=UTF-8
7*4882a593SmuzhiyunContent-Transfer-Encoding: 8bit
8*4882a593Smuzhiyun
9*4882a593SmuzhiyunThe command is not allowed when lockdown is enforced. Otherwise an
10*4882a593Smuzhiyunattacker can instruct the GRUB to load an SSDT table to overwrite
11*4882a593Smuzhiyunthe kernel lockdown configuration and later load and execute
12*4882a593Smuzhiyununsigned code.
13*4882a593Smuzhiyun
14*4882a593SmuzhiyunFixes: CVE-2020-14372
15*4882a593Smuzhiyun
16*4882a593SmuzhiyunReported-by: Máté Kukri <km@mkukri.xyz>
17*4882a593SmuzhiyunSigned-off-by: Javier Martinez Canillas <javierm@redhat.com>
18*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
19*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
20*4882a593Smuzhiyun---
21*4882a593Smuzhiyun docs/grub.texi | 5 +++++
22*4882a593Smuzhiyun grub-core/commands/acpi.c | 15 ++++++++-------
23*4882a593Smuzhiyun 2 files changed, 13 insertions(+), 7 deletions(-)
24*4882a593Smuzhiyun
25*4882a593Smuzhiyundiff --git a/docs/grub.texi b/docs/grub.texi
26*4882a593Smuzhiyunindex bbe60a4..98592d3 100644
27*4882a593Smuzhiyun--- a/docs/grub.texi
28*4882a593Smuzhiyun+++ b/docs/grub.texi
29*4882a593Smuzhiyun@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
30*4882a593Smuzhiyun (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
31*4882a593Smuzhiyun @option{--no-ebda} option is used, the new tables will be known only to
32*4882a593Smuzhiyun GRUB, but may be used by GRUB's EFI emulation.
33*4882a593Smuzhiyun+
34*4882a593Smuzhiyun+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
35*4882a593Smuzhiyun+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
36*4882a593Smuzhiyun+ overwrite the kernel lockdown configuration and later load and execute
37*4882a593Smuzhiyun+ unsigned code.
38*4882a593Smuzhiyun @end deffn
39*4882a593Smuzhiyun
40*4882a593Smuzhiyun
41*4882a593Smuzhiyundiff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
42*4882a593Smuzhiyunindex 5a1499a..1215f2a 100644
43*4882a593Smuzhiyun--- a/grub-core/commands/acpi.c
44*4882a593Smuzhiyun+++ b/grub-core/commands/acpi.c
45*4882a593Smuzhiyun@@ -27,6 +27,7 @@
46*4882a593Smuzhiyun #include <grub/mm.h>
47*4882a593Smuzhiyun #include <grub/memory.h>
48*4882a593Smuzhiyun #include <grub/i18n.h>
49*4882a593Smuzhiyun+#include <grub/lockdown.h>
50*4882a593Smuzhiyun
51*4882a593Smuzhiyun #ifdef GRUB_MACHINE_EFI
52*4882a593Smuzhiyun #include <grub/efi/efi.h>
53*4882a593Smuzhiyun@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
54*4882a593Smuzhiyun
55*4882a593Smuzhiyun GRUB_MOD_INIT(acpi)
56*4882a593Smuzhiyun {
57*4882a593Smuzhiyun- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
58*4882a593Smuzhiyun- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
59*4882a593Smuzhiyun- "--load-only=TABLE1,TABLE2] FILE1"
60*4882a593Smuzhiyun- " [FILE2] [...]"),
61*4882a593Smuzhiyun- N_("Load host ACPI tables and tables "
62*4882a593Smuzhiyun- "specified by arguments."),
63*4882a593Smuzhiyun- options);
64*4882a593Smuzhiyun+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
65*4882a593Smuzhiyun+ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
66*4882a593Smuzhiyun+ "--load-only=TABLE1,TABLE2] FILE1"
67*4882a593Smuzhiyun+ " [FILE2] [...]"),
68*4882a593Smuzhiyun+ N_("Load host ACPI tables and tables "
69*4882a593Smuzhiyun+ "specified by arguments."),
70*4882a593Smuzhiyun+ options);
71*4882a593Smuzhiyun }
72*4882a593Smuzhiyun
73*4882a593Smuzhiyun GRUB_MOD_FINI(acpi)
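Review bot: The GRUB_MOD_INIT hunk swaps in `grub_register_extcmd_lockdown` with no comment, so the only explanation of why the acpi command is lockdown-gated lives in the commit message and grub.texi rather than next to the code. Add above the call: `/* Refuse this command under lockdown: a loaded SSDT can rewrite the kernel's lockdown configuration and let unsigned code run (CVE-2020-14372).  */`. The subject line says the command is not registered when locked down, yet the new code still registers it unconditionally; presumably the lockdown variant rejects the command at invocation time, and the comment should say so explicitly so a reader does not go looking for a skipped registration. GRUB_MOD_FINI starts on the hunk's last line and continues outside it.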
74*4882a593Smuzhiyun--
75*4882a593Smuzhiyun2.14.2
76*4882a593Smuzhiyun
77