When the kernel is running in secure boot mode, we lock down the kernel to prevent userspace from modifying the running kernel image. Whilst this includes prohibiting access to things like /dev/mem, it must also prevent access by means of configuring driver modules in such a way as to cause a device to access or modify the kernel image. The eata driver takes a single string parameter that contains a slew of settings, including hardware resource configuration. Prohibit use of the parameter if the kernel is locked down. Suggested-by: Alan Cox <gnomes@xxxxxxxxxxxxxxxxxxx> Signed-off-by: David Howells <dhowells@xxxxxxxxxx> cc: Dario Ballabio <ballabio_dario@xxxxxxx> cc: "James E.J. Bottomley" <jejb@xxxxxxxxxxxxxxxxxx> cc: "Martin K. Petersen" <martin.petersen@xxxxxxxxxx> cc: linux-scsi@xxxxxxxxxxxxxxx --- drivers/scsi/eata.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c index 6501c330d8c8..72fceaa8f3da 100644 --- a/drivers/scsi/eata.c +++ b/drivers/scsi/eata.c @@ -1552,8 +1552,11 @@ static int eata2x_detect(struct scsi_host_template *tpnt) tpnt->proc_name = "eata2x"; - if (strlen(boot_options)) + if (strlen(boot_options)) { + if (kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) + return -EPERM; option_setup(boot_options); + } #if defined(MODULE) /* io_port could have been modified when loading as a module */ -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html