boot/grub2/0039-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch - buildroot - Git at Google

 From 3e8e4c0549240fa209acffceb473e1e509b50c95 Mon Sep 17 00:00:00 2001
 From: Javier Martinez Canillas <javierm@redhat.com>
 Date: Mon, 28 Sep 2020 20:08:41 +0200
 Subject: [PATCH] acpi: Don't register the acpi command when locked down
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 The command is not allowed when lockdown is enforced. Otherwise an
 attacker can instruct the GRUB to load an SSDT table to overwrite
 the kernel lockdown configuration and later load and execute
 unsigned code.

 Fixes: CVE-2020-14372

 Reported-by: Máté Kukri <km@mkukri.xyz>
 Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
 ---
  docs/grub.texi            |  5 +++++
  grub-core/commands/acpi.c | 15 ++++++++-------
  2 files changed, 13 insertions(+), 7 deletions(-)

 diff --git a/docs/grub.texi b/docs/grub.texi
 index bbe60a4..98592d3 100644
 --- a/docs/grub.texi
 +++ b/docs/grub.texi
 @@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
  (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
  @option{--no-ebda} option is used, the new tables will be known only to
  GRUB, but may be used by GRUB's EFI emulation.
 +
 +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
 +      Otherwise an attacker can instruct the GRUB to load an SSDT table to
 +      overwrite the kernel lockdown configuration and later load and execute
 +      unsigned code.
  @end deffn


 diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
 index 5a1499a..1215f2a 100644
 --- a/grub-core/commands/acpi.c
 +++ b/grub-core/commands/acpi.c
 @@ -27,6 +27,7 @@
  #include <grub/mm.h>
  #include <grub/memory.h>
  #include <grub/i18n.h>
 +#include <grub/lockdown.h>

  #ifdef GRUB_MACHINE_EFI
  #include <grub/efi/efi.h>
 @@ -775,13 +776,13 @@ static grub_extcmd_t cmd;

  GRUB_MOD_INIT(acpi)
  {
 -  cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
 -			      N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
 -			      "--load-only=TABLE1,TABLE2] FILE1"
 -			      " [FILE2] [...]"),
 -			      N_("Load host ACPI tables and tables "
 -			      "specified by arguments."),
 -			      options);
 +  cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
 +                                       N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
 +                                          "--load-only=TABLE1,TABLE2] FILE1"
 +                                          " [FILE2] [...]"),
 +                                       N_("Load host ACPI tables and tables "
 +                                          "specified by arguments."),
 +                                       options);
  }

  GRUB_MOD_FINI(acpi)
 --
 2.14.2
	From 3e8e4c0549240fa209acffceb473e1e509b50c95 Mon Sep 17 00:00:00 2001
	From: Javier Martinez Canillas <javierm@redhat.com>
	Date: Mon, 28 Sep 2020 20:08:41 +0200
	Subject: [PATCH] acpi: Don't register the acpi command when locked down
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	The command is not allowed when lockdown is enforced. Otherwise an
	attacker can instruct the GRUB to load an SSDT table to overwrite
	the kernel lockdown configuration and later load and execute
	unsigned code.

	Fixes: CVE-2020-14372

	Reported-by: Máté Kukri <km@mkukri.xyz>
	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
	---
	docs/grub.texi \| 5 +++++
	grub-core/commands/acpi.c \| 15 ++++++++-------
	2 files changed, 13 insertions(+), 7 deletions(-)

	diff --git a/docs/grub.texi b/docs/grub.texi
	index bbe60a4..98592d3 100644
	--- a/docs/grub.texi
	+++ b/docs/grub.texi
	@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
	(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
	@option{--no-ebda} option is used, the new tables will be known only to
	GRUB, but may be used by GRUB's EFI emulation.
	+
	+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
	+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
	+ overwrite the kernel lockdown configuration and later load and execute
	+ unsigned code.
	@end deffn


	diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
	index 5a1499a..1215f2a 100644
	--- a/grub-core/commands/acpi.c
	+++ b/grub-core/commands/acpi.c
	@@ -27,6 +27,7 @@
	#include <grub/mm.h>
	#include <grub/memory.h>
	#include <grub/i18n.h>
	+#include <grub/lockdown.h>

	#ifdef GRUB_MACHINE_EFI
	#include <grub/efi/efi.h>
	@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;

	GRUB_MOD_INIT(acpi)
	{
	- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
	- N_("[-1\|-2] [--exclude=TABLE1,TABLE2\|"
	- "--load-only=TABLE1,TABLE2] FILE1"
	- " [FILE2] [...]"),
	- N_("Load host ACPI tables and tables "
	- "specified by arguments."),
	- options);
	+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
	+ N_("[-1\|-2] [--exclude=TABLE1,TABLE2\|"
	+ "--load-only=TABLE1,TABLE2] FILE1"
	+ " [FILE2] [...]"),
	+ N_("Load host ACPI tables and tables "
	+ "specified by arguments."),
	+ options);
	}

	GRUB_MOD_FINI(acpi)
	--
	2.14.2