Re: [PATCH 0/2] efivars: reading variables can generate SMIs

From: Matthew Garrett
Date: Fri Feb 16 2018 - 16:58:55 EST

Next message: Matthew Wilcox: "Re: [PATCH v21 1/5] xbitmap: Introduce xbitmap"
Previous message: Victor Kamensky: "Re: [PATCH v3 01/15] Documentation: add newcx initramfs format description"
In reply to: Andy Lutomirski: "Re: [PATCH 0/2] efivars: reading variables can generate SMIs"
Next in thread: Luck, Tony: "RE: [PATCH 0/2] efivars: reading variables can generate SMIs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 16, 2018 at 1:45 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> I'm going to go out on a limb and suggest that the fact that
> unprivileged users can read efi variables at all is a mistake
> regardless of SMI issues.

Why? They should never contain sensitive material.

> Also, chmod() just shouldn't work on efi variables, and the mode
> passed to creat() should be ignored. After all, there's no backing
> store for the mode.

If the default is 600 then it makes sense to allow a privileged service to
selectively make certain variables world readable at runtime.

Next message: Matthew Wilcox: "Re: [PATCH v21 1/5] xbitmap: Introduce xbitmap"
Previous message: Victor Kamensky: "Re: [PATCH v3 01/15] Documentation: add newcx initramfs format description"
In reply to: Andy Lutomirski: "Re: [PATCH 0/2] efivars: reading variables can generate SMIs"
Next in thread: Luck, Tony: "RE: [PATCH 0/2] efivars: reading variables can generate SMIs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]