[SECURITY PATCH 007/117] acpi: Don't register the acpi command when locked down
From: Daniel Kiper
Subject: [SECURITY PATCH 007/117] acpi: Don't register the acpi command when locked down
Date: Tue, 2 Mar 2021 19:00:14 +0100
From: Javier Martinez Canillas <javierm@redhat.com>
The command is not allowed when lockdown is enforced. Otherwise an
attacker can instruct the GRUB to load an SSDT table to overwrite
the kernel lockdown configuration and later load and execute
unsigned code.
Fixes: CVE-2020-14372
Reported-by: Máté Kukri <km@mkukri.xyz>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
docs/grub.texi | 5 +++++
grub-core/commands/acpi.c | 15 ++++++++-------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index c3e015d4f..4ce31c2d4 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4074,6 +4074,11 @@ Normally, this command will replace the Root System
Description Pointer
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
@option{--no-ebda} option is used, the new tables will be known only to
GRUB, but may be used by GRUB's EFI emulation.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ Otherwise an attacker can instruct the GRUB to load an SSDT table to
+ overwrite the kernel lockdown configuration and later load and execute
+ unsigned code.
@end deffn
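Review bot: the added "Note:" paragraph only documents the restriction under the acpi command entry; since it already cross-references @pxref{Lockdown}, consider also listing acpi in the Lockdown section itself so readers have one place that enumerates every command refused when lockdown is enforced. The three continuation lines are also indented by a leading space, which is inconsistent with the surrounding unindented paragraph text in this deffn block.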
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
index 5a1499aa0..1215f2a62 100644
--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@@ -27,6 +27,7 @@
#include <grub/mm.h>
#include <grub/memory.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
#ifdef GRUB_MACHINE_EFI
#include <grub/efi/efi.h>
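Review bot: the new unconditional `#include <grub/lockdown.h>` is only needed for the grub_register_extcmd_lockdown() call below; that is fine, but it makes this module depend on the lockdown API introduced earlier in this series (patch 003), so the series must be applied in order for acpi.c to build.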
@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
GRUB_MOD_INIT(acpi)
{
- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
- "--load-only=TABLE1,TABLE2] FILE1"
- " [FILE2] [...]"),
- N_("Load host ACPI tables and tables "
- "specified by arguments."),
- options);
+ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
+ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+ "--load-only=TABLE1,TABLE2] FILE1"
+ " [FILE2] [...]"),
+ N_("Load host ACPI tables and tables "
+ "specified by arguments."),
+ options);
}
GRUB_MOD_FINI(acpi)
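Review bot: the subject and commit message say the command is not registered when locked down, but the hunk still performs a registration, only through grub_register_extcmd_lockdown() with the same handler, option string and options table. If that helper registers the command and refuses it at invocation time, the subject would read more accurately as "Restrict the acpi command when locked down", matching the wording used by later patches in this series (e.g. 010/117 for setpci). Also worth confirming that GRUB_MOD_FINI(acpi) still unregisters `cmd` correctly for whatever object the lockdown variant returns.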
--
2.11.0