From b82e5e2ae143a0ce48ec800fbc9dfcf0a7c95311 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com>
Date: Thu, 10 Mar 2016 18:25:03 -0700
Subject: [PATCH] acpi: Disable ACPI table override when UEFI Secure Boot is
 enabled

Patch-mainline: Queued in subsystem maintainer repository
Git-repo: https://github.com/mjg59/linux
Git-commit: a4a5ed2835e8ea042868b7401dced3f517cafa76
References: bsc#970604

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
  to override nearly any ACPI table provided by the BIOS with an
  instrumented, modified one.

Do not allow ACPI tables to be overridden if UEFI Secure Boot is enabled.

Signed-off-by: Linn Crosetto <linn@hpe.com>
Acked-by: Lee, Chun-Yi <jlee@suse.com> 
---
 arch/x86/kernel/setup.c |   12 ++++++------
 drivers/acpi/osl.c      |    6 ++++++
 2 files changed, 12 insertions(+), 6 deletions(-)

--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1134,6 +1134,12 @@ void __init setup_arch(char **cmdline_p)
 	/* Allocate bigger log buffer */
 	setup_log_buf(1);
 
+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+	if (boot_params.secure_boot) {
+		set_securelevel(1);
+	}
+#endif
+
 	reserve_initrd();
 
 #if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)
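Review bot: Moving the `set_securelevel(1)` block ahead of `reserve_initrd()` creates an ordering requirement that nothing in the code records. The check added in drivers/acpi/osl.c only works if the level is raised before the initrd ACPI override runs, which is presumably the call guarded by the `#if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)` line that ends this hunk. I would add a comment above the `#ifdef`, for example `/* Must precede acpi_initrd_override(): it consults the securelevel to reject table overrides under Secure Boot. */`, so a later reshuffle of setup_arch() does not silently re-enable the override. As a style point, kernel convention drops the braces around a single-statement `if`. setup_arch() starts and ends outside the hunk.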
@@ -1144,12 +1150,6 @@ void __init setup_arch(char **cmdline_p)
 
 	io_delay_init();
 
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
-	if (boot_params.secure_boot) {
-		set_securelevel(1);
-	}
-#endif
-
 	/*
 	 * Parse the ACPI tables for possible boot-time SMP configuration.
 	 */
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -669,6 +669,12 @@ void __init acpi_initrd_override(void *d
 	if (table_nr == 0)
 		return;
 
+	if (get_securelevel() > 0) {
+		pr_notice(PREFIX
+			"securelevel enabled, ignoring table override\n");
+		return;
+	}
+
 	acpi_tables_addr =
 		memblock_find_in_range(0, max_low_pfn_mapped << PAGE_SHIFT,
 				       all_tables_size, PAGE_SIZE);
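Review bot: The new guard tests `get_securelevel() > 0` rather than Secure Boot itself, and the only place in this patch that raises the level is behind CONFIG_EFI_SECURE_BOOT_SECURELEVEL. A kernel built without that option would therefore, as far as this diff shows, still accept initrd table overrides on a Secure Boot system; that dependency should be stated in the commit message or enforced in Kconfig. The check also has no comment saying why it exists; something like `/* Overridden tables can supply AML that the kernel interprets, so refuse them once the securelevel is raised. */` above the `if` would help. It sits after the `table_nr == 0` return, so whatever the function does earlier to count tables (outside this hunk) still runs on the initrd contents. If that placement is intentional, so the notice only appears when override tables were actually present, the comment should say so.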