[PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes when locked down

From: Nathan Lynch
Date: Mon Sep 26 2022 - 10:52:07 EST

Next message: Arnaldo Carvalho de Melo: "Re: [PATCH v2 2/2] perf parse-events: Remove "not supported" hybrid cache events"
Previous message: Nathan Lynch: "[PATCH v2 1/2] powerpc/pseries: block untrusted device tree changes when locked down"
Next in thread: Nathan Lynch: "[PATCH v2 1/2] powerpc/pseries: block untrusted device tree changes when locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Add two new lockdown reasons for use in powerpc's pseries platform
code.

The pseries platform allows hardware-level error injection via certain
calls to the RTAS (Run Time Abstraction Services) firmware. ACPI-based
error injection is already restricted in lockdown; this facility
should be restricted for the same reasons.

pseries also allows nearly arbitrary device tree changes via
/proc/powerpc/ofdt. Just as overriding ACPI tables is not allowed
while locked down, so should this facility be restricted.

Changes since v1:
* Move LOCKDOWN_DEVICE_TREE next to LOCKDOWN_ACPI_TABLES.

Nathan Lynch (2):
powerpc/pseries: block untrusted device tree changes when locked down
powerpc/rtas: block error injection when locked down

arch/powerpc/kernel/rtas.c | 25 ++++++++++++++++++++++-
arch/powerpc/platforms/pseries/reconfig.c | 5 +++++
include/linux/security.h | 2 ++
security/security.c | 2 ++
4 files changed, 33 insertions(+), 1 deletion(-)

--
2.37.3

Next message: Arnaldo Carvalho de Melo: "Re: [PATCH v2 2/2] perf parse-events: Remove "not supported" hybrid cache events"
Previous message: Nathan Lynch: "[PATCH v2 1/2] powerpc/pseries: block untrusted device tree changes when locked down"
Next in thread: Nathan Lynch: "[PATCH v2 1/2] powerpc/pseries: block untrusted device tree changes when locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]