[PATCH V33 30/30] efi: Restrict efivar_ssdt_load when the kernel is locked down

2019-06-20 Thread Matthew Garrett
efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
EFI variable, which gives arbitrary code execution in ring 0. Prevent
that when the kernel is locked down.

Signed-off-by: Matthew Garrett 
Cc: Ard Biesheuvel 
Cc: linux-efi@vger.kernel.org
---
 drivers/firmware/efi/efi.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 55b77c576c42..a9ea649e0512 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -31,6 +31,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -242,6 +243,9 @@ static void generic_ops_unregister(void)
 static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
 static int __init efivar_ssdt_setup(char *str)
 {
+   if (security_is_locked_down(LOCKDOWN_ACPI_TABLES))
+   return -EPERM;
+
if (strlen(str) < sizeof(efivar_ssdt))
memcpy(efivar_ssdt, str, strlen(str));
else
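Review bot: the lockdown test sits in efivar_ssdt_setup(), which runs when the efivar_ssdt= parameter is parsed, while the subject names efivar_ssdt_load() as the function being restricted. The two are only equivalent if the lockdown state is already final at parse time; if lockdown can be raised between parameter parsing and the load, the name already copied into efivar_ssdt is still used. Either move the security_is_locked_down(LOCKDOWN_ACPI_TABLES) test into the load path or add a comment stating the ordering assumption. The -EPERM return is also silent, so a short log message saying efivar_ssdt= was ignored under lockdown would help whoever has to debug a missing table.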
-- 
2.22.0.410.gd8fdbe21b5-goog
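As an added example (not part of the patch or the kernel tree), this audit script flags a host where `efivar_ssdt=` is on the kernel command line and reports the lockdown state next to it. The function names and the sample variable name `EXAMPLESSDT` are constructed; the `/sys/kernel/security/lockdown` path and its bracketed-mode format are assumed from the mainline lockdown LSM.

```shell
#!/bin/sh
# Added audit example, not part of the patch. Inputs are plain strings so the
# logic runs offline; on a live host pass "$(cat /proc/cmdline)" and
# "$(cat /sys/kernel/security/lockdown)" (assumed mainline lockdown LSM path).

# Value of efivar_ssdt= on a kernel command line; empty if absent.
efivar_ssdt_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^efivar_ssdt=//p' | head -n 1
}

# Active lockdown mode: the bracketed word in "none [integrity] confidentiality".
lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    printf '%s\n' "${mode:-unknown}"
}

# Classify the combination as absent / gated / exposed.
audit_efivar_ssdt() {
    name=$(efivar_ssdt_param "$1")
    if [ -z "$name" ]; then
        echo "absent: no efivar_ssdt= parameter"
        return 0
    fi
    state=$(lockdown_mode "$2")
    case "$state" in
        integrity|confidentiality)
            # Lockdown raised after boot does not undo an SSDT already loaded.
            echo "gated: efivar_ssdt=$name, lockdown=$state; confirm it was set at boot" ;;
        *)
            echo "exposed: efivar_ssdt=$name, lockdown=$state; SSDT comes from the EFI variable" ;;
    esac
}

# Constructed sample input.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro efivar_ssdt=EXAMPLESSDT quiet'
audit_efivar_ssdt "$SAMPLE_CMDLINE" '[none] integrity confidentiality'
audit_efivar_ssdt "$SAMPLE_CMDLINE" 'none [integrity] confidentiality'
```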



Re: [PATCH] drivers: firmware: efi: fix gcc warning -Wint-conversion

2019-06-20 Thread Matthew Garrett
On Thu, Jun 20, 2019 at 2:37 PM Jarkko Sakkinen
 wrote:
> Right! OK, I squashed just the fix to the earlier patch. Master and
> next are updated. Can you take a peek at [1] and see if it looks
> legit given all the fuzz around these changes? Then I'm confident
> enough to do the 5.3 PR.

All looks good to me. Thanks!


Re: [PATCH] drivers: firmware: efi: fix gcc warning -Wint-conversion

2019-06-20 Thread Jarkko Sakkinen
On Wed, Jun 19, 2019 at 03:48:23PM -0700, Matthew Garrett wrote:
> On Wed, Jun 19, 2019 at 2:55 AM Ard Biesheuvel
>  wrote:
> >
> > (+ Jarkko, tpmdd, Matthew)
> >
> > On Sat, 15 Jun 2019 at 06:02, Hariprasad Kelam
> >  wrote:
> > >
> > > This patch fixes below warning
> > >
> > > drivers/firmware/efi/tpm.c:78:38: warning: passing argument 1 of
> > > ‘tpm2_calc_event_log_size’ makes pointer from integer without a cast
> > > [-Wint-conversion]
> > >
> > > Signed-off-by: Hariprasad Kelam 
> >
> > I think we already have a fix queued for this, no?
> 
> It looks like I fixed this in "Don't duplicate events from the final
> event log in the TCG2 log" rather than a separate patch - I'm fine
> merging this, based on Jarkko's preferences.

Right! OK, I squashed just the fix to the earlier patch. Master and
next are updated. Can you take a peek at [1] and see if it looks
legit given all the fuzz around these changes? Then I'm confident
enough to do the 5.3 PR.

[1] git://git.infradead.org/users/jjs/linux-tpmdd.git

/Jarkko