[Update: added Dmytro tweet URL.]
From the OSS-Security mailing list. I wonder what other Linux distros have this issue, besides Ubuntu?
[…]I noticed that Ubuntu 18.04’s 4.15 kernels forgot to protect efivar_ssdt with lockdown, making that a vector for disabling lockdown on an efi secure boot machine. I wrote a little PoC exploit to demonstrate these types of ACPI shenanigans:[,,,]
This exploit takes advantage of the efivar_ssdt entry point for injecting acpi tables into Ubuntu Bionic 18.04 kernels, where efivar_ssdt is not protected by kernel lockdown. The result is that one can subsequently load unsigned kernel drivers into systems with Secure Boot enabled, without needing to sign the modules.[…]