From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic] UBUNTU: [Config]: Set CONFIG_PPC_RTAS_FILTER
Date: Tue, 1 Dec 2020 17:50:47 -0300
Message-Id: <20201201205052.2627748-2-cascardo@canonical.com>
In-Reply-To: <20201201205052.2627748-1-cascardo@canonical.com>

RTAS may be used to read arbitrary memory, which we do not want to allow when Secure Boot is used. It is restricted to only some allowed operations, which are the ones that are used by distributed tools.

CVE-2020-27777

Signed-off-by: Thadeu Lima de Souza Cascardo

--- debian.master/config/annotations | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 9d75dd744c4c..52fa132d2063 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations 
@@ -159,6 +159,9 @@ CONFIG_ISA policy<{'i386': 'y'}> # Menu: Bus options (PCI etc.) >> Architecture: powerpc CONFIG_FSL_LBC policy<{'ppc64el': 'y'}> +CONFIG_PPC_RTAS_FILTER policy<{'ppc64el': 'y'}> +# +CONFIG_PPC_RTAS_FILTER mark note # Menu: Bus options (PCI etc.) >> Architecture: s390 CONFIG_QDIO policy<{'s390x': 'm'}>
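
Review bot: The [SRU Bionic] patch adds the policy line "CONFIG_PPC_RTAS_FILTER policy<{'ppc64el': 'y'}>" to debian.master/config/annotations but, per its diffstat (1 file changed), sets the option in no config file, whereas the Xenial patch in the same series also adds CONFIG_PPC_RTAS_FILTER=y to config.common.ubuntu. Either carry the matching config change in this patch or say in the commit message where the option is set for Bionic, so the annotated policy and the built ppc64el config cannot disagree. The added "mark" and "note" entries also show no value in the hunk as posted; a note that names CVE-2020-27777 would record why the option is pinned.
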
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Xenial 2/2] UBUNTU: [Config]: Set CONFIG_PPC_RTAS_FILTER
Date: Tue, 1 Dec 2020 17:50:49 -0300
Message-Id: <20201201205052.2627748-4-cascardo@canonical.com>
In-Reply-To: <20201201205052.2627748-1-cascardo@canonical.com>

RTAS may be used to read arbitrary memory, which we do not want to allow when Secure Boot is used. It is restricted to only some allowed operations, which are the ones that are used by distributed tools.

CVE-2020-27777

Signed-off-by: Thadeu Lima de Souza Cascardo

--- debian.master/config/annotations | 3 +++ debian.master/config/config.common.ubuntu | 1 + 2 files changed, 4 insertions(+) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index d31f2e35f8fd..68f4c169f538 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -80,6 +80,9 @@ CONFIG_ISA policy<{'i386': 'y', 'powerpc-po # Menu: Bus options (PCI etc.) >> Architecture: powerpc CONFIG_FSL_LBC policy<{'powerpc': 'y', 'ppc64el': 'y'}> +CONFIG_PPC_RTAS_FILTER policy<{'powerpc-powerpc-smp': 'y', 'powerpc-powerpc64-smp': 'y', 'ppc64el': 'y'}> +# +CONFIG_PPC_RTAS_FILTER mark note # Menu: Bus options (PCI etc.) >> Architecture: s390 CONFIG_QDIO policy<{'s390x': 'm'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 7f7cc8c24173..2c4d5230a16d 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu 
@@ -6004,6 +6004,7 @@ CONFIG_PPC_PS3=y CONFIG_PPC_PSERIES=y CONFIG_PPC_QEMU_E500=y CONFIG_PPC_RTAS_DAEMON=y +CONFIG_PPC_RTAS_FILTER=y CONFIG_PPC_SCOM=y CONFIG_PPC_SMP_MUXED_IPI=y CONFIG_PPC_STD_MMU=y
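
Review bot: In the Xenial debian.master/config/annotations hunk (@@ -80,6 +80,9 @@), the new policy is keyed by flavour ('powerpc-powerpc-smp', 'powerpc-powerpc64-smp') while the neighbouring CONFIG_FSL_LBC entry uses the arch-wide 'powerpc' key, and the commit message does not say why the other powerpc flavours are left out. State the reason in the commit message or in the annotation note (for example, that the option is not available on those flavours), so a later config review does not read the omission as an oversight. As in the Bionic hunk, "mark" and "note" show no value here; the note is the natural place to reference CVE-2020-27777.
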
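
Review bot: In the config.common.ubuntu hunk (@@ -6004,6 +6004,7 @@), CONFIG_PPC_RTAS_FILTER=y is enabled for every build that has the option, while the commit message motivates it only by "when Secure Boot is used" and gives no word on the effect for callers outside the allowed set. For an SRU, add a sentence on regression potential: what a tool sees when it issues an RTAS operation that is not among the allowed ones, and how the "distributed tools" mentioned were checked. The subject marks this as 2/2 and the symbol is not defined anywhere in this patch, so the message should also name the patch in the series that introduces it, so the two are not applied or reverted separately.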