Message-ID: <1518814319.4419.10.camel@HansenPartnership.com>
Subject: Re: [PATCH 0/2] efivars: reading variables can generate SMIs
From: James Bottomley
To: Ard Biesheuvel, Joe Konno, Matthew Garrett, Ingo Molnar, Andy Lutomirski, Borislav Petkov
Cc: linux-efi@vger.kernel.org, Linux Kernel Mailing List, Jeremy Kerr, Andi Kleen, Tony Luck, Benjamin Drung, Peter Jones
Date: Fri, 16 Feb 2018 12:51:59 -0800
In-Reply-To:
References: <20180215182208.35003-1-joe.konno@linux.intel.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2018-02-16 at 10:41 +0000, Ard Biesheuvel wrote:
> On 15 February 2018 at 18:22, Joe Konno wrote:
> >
> > From: Joe Konno
> >
> > It was pointed out that normal, unprivileged users reading certain EFI
> > variables (through efivarfs) can generate SMIs. Given these nodes are
> > created with 0644 permissions, normal users could generate a lot of SMIs.
> > By restricting permissions a bit (patch 1), we can make it harder for
> > normal users to generate spurious SMIs.
> >
> > A normal user could generate lots of SMIs by reading the efivarfs in a
> > trivial loop:
> >
> > ```
> > while true; do
> >     cat /sys/firmware/efi/evivars/* > /dev/null
> > done
> > ```
> >
> > Patch 1 in this series limits read and write permissions on efivarfs to
> > the owner/superuser. Group and world cannot access.
> >
> > Patch 2 is for consistency and hygiene. If we restrict permissions for
> > either efivarfs or efi/vars, the other interface should get the same
> > treatment.
> >
>
> I am inclined to apply this as a fix, but I will give the x86 guys a
> chance to respond as well.
It would break my current efi certificate tools because right at the moment you can read the EFI secure boot variables as an unprivileged user. That said, I'm not sure how many non-root users run the toolkit to extract their EFI certificates or check on the secure boot status of the system, but I suspect it might be non-zero: I can see the tinfoil hat people wanting at least to check the secure boot status when they log in.

James
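The cover letter quoted above turns on one fact: efivarfs nodes are created 0644, so any local user can read them, and patch 1 would make them owner-only. The following is an added example, not code from the patch series or from anyone in this thread, that a defender can run to audit a directory of efivarfs-style nodes and list the ones still readable or writable by group or other. It assumes a POSIX sh with ls, cut, wc and mktemp; the variable names and contents in the sample tree are constructed for the demonstration (the GUID is the EFI global variable GUID, but nothing here depends on it), and on a real system you would point it at /sys/firmware/efi/efivars instead.

```shell
#!/bin/sh
# Added example (not from the thread): report efivarfs-style variable nodes
# whose mode grants group or other any access. With the 0644 default any
# local user can read a node; after the proposed fix nodes are 0600.
# Assumes POSIX sh plus ls, cut, wc, mktemp. Sample names are constructed.

# Print "mode path" for every regular file in DIR whose group/other bits are
# not all clear. Parses the first ten characters of ls -l so it does not
# need GNU stat or find.
list_exposed() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c1-10)
        # drop the type and owner columns; what remains is group+other (6 chars)
        case "${perms#????}" in
            ------) ;;                               # owner-only: fine
            *) printf '%s %s\n' "$perms" "$f" ;;     # exposed: report it
        esac
    done
}

# Print the number of exposed nodes in DIR (0 when the directory is clean).
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree resembling /sys/firmware/efi/efivars and
# print its path. Two nodes are left at the 0644 default, one is 0600.
make_sample_tree() {
    d=$(mktemp -d)
    guid=8be4df61-93ca-11d2-aa0d-00e098032b8c
    printf 'sample' > "$d/SecureBoot-$guid"
    printf 'sample' > "$d/SetupMode-$guid"
    printf 'sample' > "$d/Boot0000-$guid"
    chmod 644 "$d/SecureBoot-$guid" "$d/SetupMode-$guid"   # as efivarfs creates them today
    chmod 600 "$d/Boot0000-$guid"                           # as patch 1 would create them
    printf '%s\n' "$d"
}

# Stand-alone run: audit a directory given as $1, or the sample tree.
target=${1:-$(make_sample_tree)}
list_exposed "$target"
printf '%s exposed node(s) under %s\n' "$(count_exposed "$target")" "$target"
```

Run it with no argument to see the two world-readable sample nodes flagged and the owner-only one ignored; on a live machine, a non-empty report after the permission change would mean the fix did not take effect for those nodes. The check deliberately flags any group or other bit, not only read, so a node that is world-writable is caught by the same rule.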