RE: [PATCH 1/2] fs/efivarfs: restrict inode permissions
From: Luck, Tony
Date: Wed Feb 21 2018 - 14:59:01 EST
> It's not about slowing down.
>
> It's about "user Xyz is messing with the system and reading efi vars
> all the time" resulting in "user 'torvalds' is installing a kernel,
> and actually wants to read efi vars, but can't".
>
> if you don't make it per-user, you're just replacing one DoS attack
> with another one!
How are you envisioning this rate-limiting to be implemented? Are
you going to fail an EFI call if the rate is too high? I'm thinking that
we just add a delay to each call so that we can't exceed the limit.
That means your kernel install will complete, just slower than it
would without the delays.
I think I want a small random delay anyway to prevent users from
causing an SMI at the precise moment of their choosing.
-Tony