/dev/mem and secure boot

From: Jean Delvare
Date: Fri Sep 06 2019 - 07:02:14 EST


I've been bitten recently by mcelog not working on machines started in
secure boot mode. mcelog tries to read DMI information from /dev/mem
and fails to open it.

This made me wonder: if not even root can read /dev/mem (nor, I
suppose, /dev/kmem and /dev/port) in secure boot mode, why are we
creating these device nodes at all in the first place? Can't we detect
that we are in secure boot mode and skip that step, and reap the rewards
(faster boot, lower memory footprint and less confusion)?

Thanks,
--
Jean Delvare
SUSE L3 Support