Date: Tue, 20 Feb 2018 13:18:50 -0800
From: "Luck, Tony"
To: Linus Torvalds
Cc: Joe Konno, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, ard.biesheuvel@linaro.org, matthew.garrett@nebula.com, jk@ozlabs.org, ak@linux.intel.com, mjg59@google.com, pjones@redhat.com, Andy Lutomirski, james.bottomley@hansenpartnership.com
Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions
Message-ID: <20180220211849.fqjb6rdmypl6opir@agluck-desk>
References: <20180215182208.35003-1-joe.konno@linux.intel.com> <20180215182208.35003-2-joe.konno@linux.intel.com> <6680a760-eb30-4daf-2dad-a9628f1c15a8@kernel.org>
In-Reply-To: <6680a760-eb30-4daf-2dad-a9628f1c15a8@kernel.org>
User-Agent: NeoMutt/20170609 (1.8.3)
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 20, 2018 at 11:18:57AM -0800, Andy Lutomirski wrote:
> On 02/15/2018 10:22 AM, Joe Konno wrote:
> > From: Joe Konno
> >
> > Efivarfs nodes are created with group and world readable permissions.
> > Reading certain EFI variables triggers SMIs. So, this is a potential DoS
> > surface.
> >
> > Make permissions more restrictive -- only the owner may read or write to
> > created inodes.

...

> The discussion in this thread has gone on too long, so:
>
> Acked-by: Andy Lutomirski
>
> And yes, this patch will break a couple of minor usecases, but IMO those
> usecases deserve to break.

...

> > - inode = efivarfs_get_inode(sb, d_inode(root), S_IFREG | 0644, 0,
> > + inode = efivarfs_get_inode(sb, d_inode(root), S_IFREG | 0600, 0,
> > is_removable);

Linus,

Does this rate an exception to the "don't break userspace" rule for a security issue?

What breaks: a user can't run efibootmgr(8) to see things like BootOrder. Also "fwupdate", "dbxtool", "mokutil", and "tpmtotp" have some modes where ordinary users need read access to some EFI variables.

We looked at some other options.

1) When mounting efivarfs, have it read all the variables and cache the values. Then the user can read without making an EFI call because we just copyout the cached copy.

Rejected, as there can be a lot of variables (70 on Peter Jones' system) and EFI dropped the 1KB per variable limit. So this pins a bunch of memory for a few obscure use cases.

2) Rate limit EFI calls for non-root.

This solution still has some cheer-leaders. Obviously a bit more code than just changing the permissions. But it would also preemptively fix any other places where an ordinary user can trigger an EFI call.

-Tony
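Review bot: the 0644 to 0600 change on the efivarfs_get_inode() call removes group and world read for every variable inode, not only for the variables whose reads trigger SMIs, which is exactly why efibootmgr, fwupdate, dbxtool, mokutil and tpmtotp lose their unprivileged read modes as the reply lists; if the variables that trap into firmware cannot be told apart at inode-creation time, the rate-limiting alternative (option 2) placed at the EFI runtime-call boundary covers the DoS surface without changing the file modes and also catches other unprivileged paths into EFI, and in either case the commit message should spell out the user-visible breakage so the "don't break userspace" trade-off is explicit for the maintainer deciding on it.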
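Option 2 above (rate limit EFI calls for non-root), modelled as an added userspace C example; this is not code from the mail or from the kernel, and the struct, function names and the token-bucket parameters are assumptions made for illustration. Root is passed through untouched, so the tools named in the mail keep working for privileged callers while an unprivileged read loop can only reach firmware at the configured rate.

```c
#include <errno.h>
#include <sys/types.h>
/* Token bucket gating EFI runtime calls made on behalf of non-root callers
 * (option 2 in the mail). Time is passed in as milliseconds so the model is
 * deterministic; in a kernel this would sit on the EFI runtime-call path. */
struct efi_limiter {
    unsigned burst, per_sec;    /* bucket capacity and refill rate (calls/s) */
    double tokens;              /* tokens currently available */
    unsigned long last_ms;      /* time of the last refill */
    unsigned long reached;      /* calls that actually went to firmware */
    unsigned long denied;       /* calls refused with -EAGAIN */
};
void efi_limiter_init(struct efi_limiter *l, unsigned burst, unsigned per_sec, unsigned long now_ms)
{
    l->burst = burst;
    l->per_sec = per_sec;
    l->tokens = burst;          /* start with a full bucket */
    l->last_ms = now_ms;
    l->reached = l->denied = 0;
}
/* Gate one EFI call. Root is never throttled; an unprivileged caller gets
 * -EAGAIN once its bucket is empty, so a read loop cannot flood the SMI path. */
int efi_call_gate(struct efi_limiter *l, uid_t uid, unsigned long now_ms)
{
    if (uid != 0) {
        /* refill proportionally to elapsed time, capped at the burst size */
        l->tokens += (double)(now_ms - l->last_ms) * l->per_sec / 1000.0;
        if (l->tokens > l->burst)
            l->tokens = l->burst;
        l->last_ms = now_ms;
        if (l->tokens < 1.0) {
            l->denied++;
            return -EAGAIN;
        }
        l->tokens -= 1.0;
    }
    l->reached++;
    return 0;
}
/* Issue n back-to-back reads as uid at time now_ms; returns how many reached firmware. */
unsigned long simulate_flood(struct efi_limiter *l, uid_t uid, unsigned long n, unsigned long now_ms)
{
    unsigned long ok = 0;
    for (unsigned long i = 0; i < n; i++)
        if (efi_call_gate(l, uid, now_ms) == 0)
            ok++;
    return ok;
}
```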