Andrew Donnellan [off-list ref] writes:

On Mon, 2022-09-26 at 08:16 -0500, Nathan Lynch wrote:

quoted

The error injection facility on pseries VMs allows corruption of
arbitrary guest memory, potentially enabling a sufficiently
privileged
user to disable lockdown or perform other modifications of the
running
kernel via the rtas syscall.

Block the PAPR error injection facility from being opened or called
when locked down.

Signed-off-by: Nathan Lynch <redacted>

Is there any circumstance (short of arbitrary code execution etc) where
the rtas_call() check will actually trigger rather than the sys_rtas()
check? (Not that it matters, defence in depth is good.)

Fair question! There are no in-kernel users of rtas_call() that pass the
error injection tokens as far as I could tell. Nor am I aware of any
out-of-tree users, for that matter. But rtas_call() is the likely most
appropriate place to have the lockdown gate should that situation change
(as it might, see https://github.com/ibm-power-utilities/librtas/issues/29).