acpi: Don't register the acpi command when locked down

The command is not allowed when lockdown is enforced. Otherwise an attacker can instruct the GRUB to load an SSDT table to overwrite the kernel lockdown configuration and later load and execute unsigned code. Fixes: CVE-2020-14372 Reported-by: Máté Kukri <km@mkukri.xyz> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-09-28 20:08:41 +02:00 · 2020-09-28 20:08:41 +02:00 · 3e8e4c0549
commit 3e8e4c0549
parent 8f73052885
2 changed files with 13 additions and 7 deletions
--- a/docs/grub.texi
+++ b/docs/grub.texi
@ -4074,6 +4074,11 @@ Normally, this command will replace the Root System Description Pointer
 (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
@option{--no-ebda} option is used, the new tables will be known only to
 GRUB, but may be used by GRUB's EFI emulation.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+      Otherwise an attacker can instruct the GRUB to load an SSDT table to
+      overwrite the kernel lockdown configuration and later load and execute
+      unsigned code.
@end deffn


--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@ -27,6 +27,7 @@
 #include <grub/mm.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 #ifdef GRUB_MACHINE_EFI
 #include <grub/efi/efi.h>
@ -775,13 +776,13 @@ static grub_extcmd_t cmd;

 GRUB_MOD_INIT(acpi)
 {
-  cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
-			      N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
-			      "--load-only=TABLE1,TABLE2] FILE1"
-			      " [FILE2] [...]"),
-			      N_("Load host ACPI tables and tables "
-			      "specified by arguments."),
-			      options);
+  cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
+                                       N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+                                          "--load-only=TABLE1,TABLE2] FILE1"
+                                          " [FILE2] [...]"),
+                                       N_("Load host ACPI tables and tables "
+                                          "specified by arguments."),
+                                       options);
 }

 GRUB_MOD_FINI(acpi)