RE: [PATCH 0/2] efivars: reading variables can generate SMIs

From: Luck, Tony
Date: Fri Feb 16 2018 - 16:09:39 EST


> That said, I'm not sure how many non-root users run the toolkit to
> extract their EFI certificates or check on the secure boot status of
> the system, but I suspect it might be non-zero: I can see the tinfoil
> hat people wanting at least to check the secure boot status when they
> log in.

Another fix option might be to rate limit EFI calls for non-root users (on X86
since only we have the SMI problem). That would:

1) Avoid using memory to cache all the variables
2) Catch any other places where non-root users can call EFI

-Tony