1 files changed, 40 insertions, 0 deletions

diff --git a/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
new file mode 100644
index 000000000..fd12eedb2
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
@@ -0,0 +1,40 @@
+From: Linn Crosetto <linn@hpe.com>
+Date: Wed, 8 Nov 2017 15:11:34 +0000
+Subject: [17/29] acpi: Disable ACPI table override if the kernel is locked
+ down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=5976d26de05569951641ebeb95f7240993b66063
+
+From the kernel documentation (initrd_table_override.txt):
+
+  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
+  to override nearly any ACPI table provided by the BIOS with an
+  instrumented, modified one.
+
+When securelevel is set, the kernel should disallow any unauthenticated
+changes to kernel space.  ACPI tables contain code invoked by the kernel,
+so do not allow ACPI tables to be overridden if the kernel is locked down.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: linux-acpi@vger.kernel.org
+---
+ drivers/acpi/tables.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: linux/drivers/acpi/tables.c
+===================================================================
+--- linux.orig/drivers/acpi/tables.c
++++ linux/drivers/acpi/tables.c
+@@ -532,6 +532,11 @@ void __init acpi_table_upgrade(void)
+ 	if (table_nr == 0)
+ 		return;
+ 
++	if (kernel_is_locked_down("ACPI table override")) {
++		pr_notice("kernel is locked down, ignoring table override\n");
++		return;
++	}
++
+ 	acpi_tables_addr =
+ 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
+ 				       all_tables_size, PAGE_SIZE);