From b82e5e2ae143a0ce48ec800fbc9dfcf0a7c95311 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com>
Date: Thu, 10 Mar 2016 18:25:03 -0700
Subject: [PATCH] acpi: Disable ACPI table override when UEFI Secure Boot is
enabled
Patch-mainline: Queued in subsystem maintainer repository
Git-repo: https://github.com/mjg59/linux
Git-commit: a4a5ed2835e8ea042868b7401dced3f517cafa76
References: bsc#970604
From the kernel documentation (initrd_table_override.txt):
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
to override nearly any ACPI table provided by the BIOS with an
instrumented, modified one.
Do not allow ACPI tables to be overridden if UEFI Secure Boot is enabled.
Signed-off-by: Linn Crosetto <linn@hpe.com>
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
arch/x86/kernel/setup.c | 12 ++++++------
drivers/acpi/osl.c | 6 ++++++
2 files changed, 12 insertions(+), 6 deletions(-)
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1134,6 +1134,12 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+ if (boot_params.secure_boot) {
+ set_securelevel(1);
+ }
+#endif
+
reserve_initrd();
#if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)
@@ -1144,12 +1150,6 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
- if (boot_params.secure_boot) {
- set_securelevel(1);
- }
-#endif
-
/*
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -669,6 +669,12 @@ void __init acpi_initrd_override(void *d
if (table_nr == 0)
return;
+ if (get_securelevel() > 0) {
+ pr_notice(PREFIX
+ "securelevel enabled, ignoring table override\n");
+ return;
+ }
+
acpi_tables_addr =
memblock_find_in_range(0, max_low_pfn_mapped << PAGE_SHIFT,
all_tables_size, PAGE_SIZE);