| Message ID | 150842476188.7923.14340260837257633120.stgit@warthog.procyon.org.uk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, Oct 19, 2017 at 03:52:41PM +0100, David Howells wrote: > From: Linn Crosetto <linn@hpe.com> > > ACPI provides an error injection mechanism, EINJ, for debugging and testing > the ACPI Platform Error Interface (APEI) and other RAS features. If > supported by the firmware, ACPI specification 5.0 and later provide for a > way to specify a physical memory address to which to inject the error. > > Injecting errors through EINJ can produce errors which to the platform are > indistinguishable from real hardware errors. This can have undesirable > side-effects, such as causing the platform to mark hardware as needing > replacement. > > While it does not provide a method to load unauthenticated privileged code, > the effect of these errors may persist across reboots and affect trust in > the underlying hardware, so disable error injection through EINJ if > the kernel is locked down. > > Signed-off-by: Linn Crosetto <linn@hpe.com> > Signed-off-by: David Howells <dhowells@redhat.com> I have reviewed this patch. Please feel free to add: Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> Thanks! Joey Lee > cc: linux-acpi@vger.kernel.org > --- > > drivers/acpi/apei/einj.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c > index b38737c83a24..6d71e1e97b20 100644 > --- a/drivers/acpi/apei/einj.c > +++ b/drivers/acpi/apei/einj.c > @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, > int rc; > u64 base_addr, size; > > + if (kernel_is_locked_down("ACPI error injection")) > + return -EPERM; > + > /* If user manually set "flags", make sure it is legal */ > if (flags && (flags & > ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) > > -- > To unsubscribe from this list: send the line "unsubscribe linux-efi" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c index b38737c83a24..6d71e1e97b20 100644 --- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, int rc; u64 base_addr, size; + if (kernel_is_locked_down("ACPI error injection")) + return -EPERM; + /* If user manually set "flags", make sure it is legal */ if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))