Received: by 10.223.185.116 with SMTP id b49csp1047678wrg; Fri, 16 Feb 2018 11:26:57 -0800 (PST) X-Google-Smtp-Source: AH8x224GTCRMFSEcBjcx/mQX090IuBHr6a69OskPXj9TMzfpT9L5qhnhbdaU1ndljLsqOtNhvaVA X-Received: by 10.99.140.29 with SMTP id m29mr6086142pgd.320.1518809216938; Fri, 16 Feb 2018 11:26:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518809216; cv=none; d=google.com; s=arc-20160816; b=V1maYfyBPi3c8VXrFfpTm+HhhPhoHm/EK0W419r0AKcHfEduz+7pDWno+WjHQyN8gA iyunhXSaYv0RQIIT/YqZqrfc+zPYT1LQaDvNKPIUaawFhTjOyV4GfsBX+WYP80g8IQA7 51yRUsEyRzDiYFPzKuh0bR8JTYuIWsg9zVeOqQSY04Ey074A5RbRklMRm9wnwBZsOW9w U96my454P4Ro/MKuS7CcWw+JGUsKch4c5U8VXpPNN2U/DFxAdquLBdMO7L17kNSsBEEE g8BrsWaeMflOt7qvcVWZsDSZv6Ukbn44DDv7dzyaeMIfDkkFLBmGWRjjbQstTriJj5mr 0iWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=Yq9YR1gnuQEfR7XiFoZ4wmKlNSK5tXli6F6l13TOXFU=; b=HCvQl1FGwF86FgYCmULIpClPSOZMXLxPA8LYhMS06yIRBAOSqOBNharmuDxIjquCe1 ajP506mYC6hEvHz58DJF5PEOuir1SWLHT3QAsB04Q0LDJtfoNo79E/aQsMqilcYRjdnK nXAPBk0GUdzfeoa6+huOkX7zbULXYVsHFmJa3w6Co7zrTzap+ykpsjIE0tCjeSu0s3SS xzd4hTDur9dbvCxHmW1YQ5/eUaiSB5fpWZi7fpZgfXoeYapr/+u/5aw0RHnouKUwMI3o f1aMhYmwlCuq1NNzODpK0oYyrDw+m2WL69PLnCkHYh1FOgBYFwRrF4DJNzlCfY0/Cv3b eFRA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f12si1620416pgn.455.2018.02.16.11.26.42; Fri, 16 Feb 2018 11:26:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753975AbeBPTW4 (ORCPT + 99 others); Fri, 16 Feb 2018 14:22:56 -0500 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:48056 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750955AbeBPTWY (ORCPT ); Fri, 16 Feb 2018 14:22:24 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 5C44840FB653; Fri, 16 Feb 2018 19:22:23 +0000 (UTC) Received: from redhat.com (dhcp-10-20-1-221.bss.redhat.com [10.20.1.221]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7643FB07B8; Fri, 16 Feb 2018 19:22:22 +0000 (UTC) Date: Fri, 16 Feb 2018 14:22:21 -0500 From: Peter Jones To: Joe Konno Cc: Ard Biesheuvel , Borislav Petkov , Matthew Garrett , Ingo Molnar , Andy Lutomirski , linux-efi@vger.kernel.org, Linux Kernel Mailing List , Jeremy Kerr , Andi Kleen , Tony Luck , Benjamin Drung Subject: Re: [PATCH 0/2] efivars: reading variables can generate SMIs Message-ID: <20180216192220.wljl23g533sc3oxg@redhat.com> References: <20180215182208.35003-1-joe.konno@linux.intel.com> <20180216105548.GA29042@pd.tnic> <20180216110821.GB29042@pd.tnic> <20180216184832.sqreq5zhar3jqdae@jbkonno-saint14> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20180216184832.sqreq5zhar3jqdae@jbkonno-saint14> User-Agent: NeoMutt/20171215 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Fri, 16 Feb 2018 19:22:23 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Fri, 16 Feb 2018 19:22:23 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'pjones@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Feb 16, 2018 at 10:48:32AM -0800, Joe Konno wrote: > On Fri, Feb 16, 2018 at 11:18:12AM +0000, Ard Biesheuvel wrote: > > On 16 February 2018 at 11:08, Borislav Petkov wrote: > > > On Fri, Feb 16, 2018 at 10:58:47AM +0000, Ard Biesheuvel wrote: > > >> By your own reasoning above, that's a no-no as well. > > > > > > I'm sure we can come up with some emulation - the same way we did the > > > BIOS emulation. > > > > > >> But thanks for your input. Anyone else got something constructive to contribute? > > > > > > The not-breaking userspace is constructive contribution. The last > > > paragraph is my usual rant. > > > > > > > Fair enough. And I am not disagreeing with you either. > > > > So question to Joe: is it well defined which variables may exhibit > > this behavior? > > For brevity's sake, "not yet." Folks-- e.g. firmware writers and > equipment makers-- may use SMIs more (or less) than others. So, how many > SMIs generated by the reference shell script can, and will, vary > platform to platform. I and my colleagues are digging into this. As a first guess: anything generated during boot is probably not an SMI. Everything else is probably an SMI. In fact, I would expect that for most systems, the entire list of things that *don't* generate an SMI (aside from a few IBV specific variables) is all the variables in Table 10 of the UEFI spec that don't have the NV flag. > > Given that UEFI variables are GUID scoped, would whitelisting certain > > GUIDs (the ones userland currently relies on to be readable my > > non-privileged users) and making everything else user-only solve this > > problem as well? > > Perhaps. I don't want us chasing white rabbits just yet, but the > whitelist is but one approach under consideration. We may see some other > patches or RFCs about caching and/or shadowing variable values in > efivarfs to reduce the number of direct EFI reads, with the goal of > reducing how many SMIs are generated. > > Any obvious EFI variables that userspace tools have come to depend on-- > those which normal, unprivileged users need to read-- are helpful inputs > to this discussion. So, our big userland consumers are efibootmgr, fwupdate, and "systemctl reboot --firmware-setup". efibootmgr and fwupdate can do the "show the current status" half of their job as a user right now, but they rely on root for the other half anyway. I don't think we normally use libfwup as non-root even for reading status. So basically, the use case from userland that this will effect looks like: efibootmgr -v *scratch head* sudo su - efibootmgr -b 0000 -B efibootmgr -b 0000 -c -L "fixed entry" ... exit I don't feel really bad about people having to move the third line up to the top of that. It's also not a use case you can have very much of: it means you manually booted without any valid boot entries. fallback.efi would have created a valid boot entry if you didn't do it manually. "systemctl reboot --firmware-setup" effectively runs as root in all cases. The only thing we really must ensure to preserve the other workflows is making sure creat() and open() with 0644 doesn't return an error (it obviously won't be preserved across a reboot), because that would break the existing tools. But I don't see anything in this patchset which will cause that. tl;dr: I think changing everything to 0600 is probably completely fine, and whitelisting is probably pointless. -- Peter