Re: [PATCH v3 1/5] efi: vars: prohibit reading random seed variables

From: Matthew Garrett
Date: Sun Nov 27 2022 - 16:19:07 EST


On Tue, Nov 22, 2022 at 03:04:00AM +0100, Jason A. Donenfeld wrote:
> In anticipation of putting random seeds in EFI variables, it's important
> that the random GUID namespace of variables remains hidden from
> userspace. We accomplish this by not populating efivarfs with entries
> from that GUID, as well as denying the creation of new ones in that
> GUID.

What's the concern here? Booting an older kernel would allow a malicious
actor to either read the seed variable or set it to a value under their
control, so we can't guarantee that the information is secret.