Re: /dev/mem and secure boot

From: Thomas Renninger
Date: Thu Sep 12 2019 - 06:44:41 EST

On Monday, September 9, 2019 3:09:57 PM CEST Jean Delvare wrote:
> Hi Greg,


> > Sure, feel free to not register it at all if the mode is enabled.

> Now I feel sorry that I asked my question upstream when there's nothing
> to be done there. I'll go bother SUSE kernel folks instead, sorry for
> the noise. And thanks for the advice.

I also/still think /dev/mem should vanish in secure boot mode, also upstream.
There may have been strong reasons why it has been restricted to /dev/ioport
which I do not know.

Whatever the exact definition for kernel behaviour in secure boot mode in the
UEFI books is (if there is any), it should close quite some possible doors
for hijacking a machine or read sensible data and if anyhow possible secure
boot mode should head for this feature (IMHO): Get rid of /dev/mem.

Thanks for bringing this up,