[PATCH 0/2] efivars: reading variables can generate SMIs

From: Joe Konno
Date: Thu Feb 15 2018 - 13:22:16 EST

Next message: Steven Sistare: "Re: [RFC 1/2] sched: reduce migration cost between faster caches for idle_balance"
Previous message: Michael S. Tsirkin: "Re: [PATCH v14 2/9] fw_cfg: add a public uapi header"
Next in thread: Joe Konno: "[PATCH 1/2] fs/efivarfs: restrict inode permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Joe Konno <joe.konno@xxxxxxxxx>

It was pointed out that normal, unprivileged users reading certain EFI
variables (through efivarfs) can generate SMIs. Given these nodes are created
with 0644 permissions, normal users could generate a lot of SMIs. By
restricting permissions a bit (patch 1), we can make it harder for normal users
to generate spurious SMIs.

A normal user could generate lots of SMIs by reading the efivarfs in a trivial
loop:

```
while true; do
cat /sys/firmware/efi/evivars/* > /dev/null
done
```

Patch 1 in this series limits read and write permissions on efivarfs to the
owner/superuser. Group and world cannot access.

Patch 2 is for consistency and hygiene. If we restrict permissions for either
efivarfs or efi/vars, the other interface should get the same treatment.

Joe Konno (2):
fs/efivarfs: restrict inode permissions
efi: restrict top-level attribute permissions

drivers/firmware/efi/efi.c | 10 ++++++----
fs/efivarfs/super.c | 4 ++--
2 files changed, 8 insertions(+), 6 deletions(-)

--
2.14.1

Next message: Steven Sistare: "Re: [RFC 1/2] sched: reduce migration cost between faster caches for idle_balance"
Previous message: Michael S. Tsirkin: "Re: [PATCH v14 2/9] fw_cfg: add a public uapi header"
Next in thread: Joe Konno: "[PATCH 1/2] fs/efivarfs: restrict inode permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]