Re: [PATCH v3 1/5] efi: vars: prohibit reading random seed variables

From: Matthew Garrett
Date: Sun Nov 27 2022 - 16:19:07 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH net-next v2 2/7] dt-bindings: net: marvell,dfx-server: Convert to yaml"
Previous message: Krzysztof Kozlowski: "Re: [PATCH net-next v2 1/7] Revert "dt-bindings: marvell,prestera: Add description for device-tree bindings""
Next in thread: Jason A. Donenfeld: "Re: [PATCH v3 1/5] efi: vars: prohibit reading random seed variables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 22, 2022 at 03:04:00AM +0100, Jason A. Donenfeld wrote:
> In anticipation of putting random seeds in EFI variables, it's important
> that the random GUID namespace of variables remains hidden from
> userspace. We accomplish this by not populating efivarfs with entries
> from that GUID, as well as denying the creation of new ones in that
> GUID.

What's the concern here? Booting an older kernel would allow a malicious
actor to either read the seed variable or set it to a value under their
control, so we can't guarantee that the information is secret.

Next message: Krzysztof Kozlowski: "Re: [PATCH net-next v2 2/7] dt-bindings: net: marvell,dfx-server: Convert to yaml"
Previous message: Krzysztof Kozlowski: "Re: [PATCH net-next v2 1/7] Revert "dt-bindings: marvell,prestera: Add description for device-tree bindings""
Next in thread: Jason A. Donenfeld: "Re: [PATCH v3 1/5] efi: vars: prohibit reading random seed variables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]