Another Attack Vector Uncovered For Bypassing Linux Lockdown Via ACPI Tables

Written by Michael Larabel in Linux Security on 15 June 2020 at 07:06 AM EDT. 10 Comments
This weekend we reported on how injecting ACPI tables could lead to bypassing Linux's lockdown / UEFI Secure Boot protections and let attackers load unsigned kernel modules. That earlier issue was found on a patched version of the Ubuntu 18.04 LTS kernel while now a similar attack vector has been discovered on the mainline Linux kernel.

WireGuard lead developer Jason Donenfeld discovered both of these vulnerabilities in recent days. This newest discovery is more pressing in that it works on a current mainline Linux kernel rather than just Ubuntu's heavily patched older kernel code-base. Fortunately, Donenfeld has already sent off a patch to the mailing list for addressing this issue.

This newest discovery is loading new ACPI tables to disable lockdown. It's also more active than the former discovery in that no kernel reboot is required for this exploit. The issue stems from the ConfigFS module for ACPI allowing arbitrary ACPI tables to be added at run-time. Kernel Address Space Layout Randomization is still worked around by calculating the physical base address and symbol addresses from /proc/kcore and /proc/ksallsysm, respectively. Root access is required for this kernel lockdown bypass.

On a signed kernel with UEFI Secure Boot enabled, it's as simple as running this new proof-of-concept script to then be able to load arbitrary, unsigned kernel modules on the system.

The kernel patch in addressing this issue is just 5 lines of new code and simply checks the status of the kernel's LOCKDOWN functionality before allowing the ACPI table writes. The patch is marked for back-porting to the kernel stable series and presumably will be picked up quickly as it's quite straight-forward.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week