Re: [PATCH 0/2] efivars: reading variables can generate SMIs
From: Ard Biesheuvel
Date: Fri Feb 16 2018 - 05:41:51 EST
On 15 February 2018 at 18:22, Joe Konno <joe.konno@xxxxxxxxxxxxxxx> wrote:
> From: Joe Konno <joe.konno@xxxxxxxxx>
>
> It was pointed out that normal, unprivileged users reading certain EFI
> variables (through efivarfs) can generate SMIs. Given these nodes are created
> with 0644 permissions, normal users could generate a lot of SMIs. By
> restricting permissions a bit (patch 1), we can make it harder for normal users
> to generate spurious SMIs.
>
> A normal user could generate lots of SMIs by reading the efivarfs in a trivial
> loop:
>
> ```
> while true; do
> cat /sys/firmware/efi/evivars/* > /dev/null
> done
> ```
>
> Patch 1 in this series limits read and write permissions on efivarfs to the
> owner/superuser. Group and world cannot access.
>
> Patch 2 is for consistency and hygiene. If we restrict permissions for either
> efivarfs or efi/vars, the other interface should get the same treatment.
>
I am inclined to apply this as a fix, but I will give the x86 guys a
chance to respond as well.
> Joe Konno (2):
> fs/efivarfs: restrict inode permissions
> efi: restrict top-level attribute permissions
>
> drivers/firmware/efi/efi.c | 10 ++++++----
> fs/efivarfs/super.c | 4 ++--
> 2 files changed, 8 insertions(+), 6 deletions(-)
>
> --
> 2.14.1
>