@@ -12813,11 +12813,13 @@ CONFIG_EXTRA_TARGETS policy<{'ppc64el': '""'}>
CONFIG_PPC_MEM_KEYS policy<{'ppc64el': 'n'}>
CONFIG_PPC_SECURE_BOOT policy<{'ppc64el': 'y'}>
CONFIG_PPC_SECVAR_SYSFS policy<{'ppc64el': 'y'}>
+CONFIG_PPC_RTAS_FILTER policy<{'ppc64el': 'y'}>
#
CONFIG_FA_DUMP note<LP:1415562>
CONFIG_PPC_MEM_KEYS flag<REVIEW> note<LP:1776967>
CONFIG_PPC_SECURE_BOOT mark<ENFORCED> note<LP:1866909> note<LP:1855668>
CONFIG_PPC_SECVAR_SYSFS mark<ENFORCED> note<LP:1866909>
+CONFIG_PPC_RTAS_FILTER mark<ENFORCED> note<CVE-2020-27777>
# Menu: Processor type and features >> Architecture: s390
CONFIG_KERNEL_NOBP policy<{'s390x': 'n'}>
@@ -7720,6 +7720,7 @@ CONFIG_PPC_RADIX_MMU=y
CONFIG_PPC_RADIX_MMU_DEFAULT=y
CONFIG_PPC_RTAS=y
CONFIG_PPC_RTAS_DAEMON=y
+CONFIG_PPC_RTAS_FILTER=y
CONFIG_PPC_SECURE_BOOT=y
CONFIG_PPC_SECVAR_SYSFS=y
CONFIG_PPC_SMLPAR=y
RTAS may be used to read arbritary memory, which we do not want to allow when Secure Boot is used. It is restricted to only some allowed operations, which are the ones that are used by distributed tools. CVE-2020-27777 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> --- debian.master/config/annotations | 2 ++ debian.master/config/config.common.ubuntu | 1 + 2 files changed, 3 insertions(+)