Received: by 10.223.185.116 with SMTP id b49csp100864wrg; Tue, 20 Feb 2018 16:50:21 -0800 (PST) X-Google-Smtp-Source: AH8x226edgsYzqd2LSZ4tpFSCKZYb4OKy1uAnLLGiCUO8WkRZBfMciL5gdB9hpx735cUk94NJwn4 X-Received: by 2002:a17:902:3084:: with SMTP id v4-v6mr1394506plb.131.1519174221808; Tue, 20 Feb 2018 16:50:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519174221; cv=none; d=google.com; s=arc-20160816; b=nUhyBJi20DPLDTbnhgp/hPShWFz3Xkz8PYXRvYaCoKBxpZh14XzkDtndpKMQB9/ggr BqBHMql5/yzs3xfawiThhjRp1M7tsA/1hXOuasDhaGC14X5UoP4ikCb8S+cBVK4Elno8 L8pnYFxPzTynQRhtQA9jHZrP8OQEPs4N8Ywi/Muv2QbHzMve/Dyghy9ekpbi96Dd13y5 ox9Pw9+U6SONmW59SpjJQVIGP1XlZdma/DqoFBdrhgU3C/XERthoxJs3NvQZLa2/LBYO fgYQtJ1+hCLr7OvN0eKzqPHFs9tM9CJ3w3TmUCcxVum995SZsJfaW90PQx30qm2nTt1G vetw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=lVNuOLGf4fvhuLkGK/b/NZo4DHkkuyX+Bf7CpxBzFWg=; b=TfDg6ut2mwcYbU1iCcuMKvTTNEsuTunRz0fDzt1OH1B0I/TzJ3zxBXt2VVXYmCVKIx LkNhlINYNNk4N/OUtYroc+56bPUjr1nNxFO907fl0aB8Twb62gH9OlLlGH5UNp14Dw+j Ln3wLJAkQKs3MCkxJfiuO1jDwPMeXvQxYjzfT1aP6IJtWouVOBOhmVt/P+zwQSUknNNQ DP+KhIepd03KRRvWq6q0zEPetiC9DK5IGSMbDhUUlO0pQAA0d9jVvQp9rSEs/9vKg1EJ 9afI4IgTMAuuco/9xL155tO+5/+W0XF3uxHm6Dv9MFg7CgxeN7o5N/9h8Y1zyahS7c20 jAlw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r15-v6si567736pli.431.2018.02.20.16.50.08; Tue, 20 Feb 2018 16:50:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751168AbeBUAtH (ORCPT + 99 others); Tue, 20 Feb 2018 19:49:07 -0500 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:43826 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750735AbeBUAtF (ORCPT ); Tue, 20 Feb 2018 19:49:05 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B42208182D1E; Wed, 21 Feb 2018 00:49:04 +0000 (UTC) Received: from redhat.com (ovpn-121-182.rdu2.redhat.com [10.10.121.182]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 73F0B2166BAE; Wed, 21 Feb 2018 00:49:02 +0000 (UTC) Date: Tue, 20 Feb 2018 19:49:00 -0500 From: Peter Jones To: Linus Torvalds Cc: "Luck, Tony" , Joe Konno , linux-efi@vger.kernel.org, Linux Kernel Mailing List , Ard Biesheuvel , Matthew Garrett , Jeremy Kerr , Andi Kleen , Matthew Garrett , Andy Lutomirski , James Bottomley Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions Message-ID: <20180221004859.7s4ltxt4pavf4mji@redhat.com> References: <20180215182208.35003-1-joe.konno@linux.intel.com> <20180215182208.35003-2-joe.konno@linux.intel.com> <6680a760-eb30-4daf-2dad-a9628f1c15a8@kernel.org> <20180220211849.fqjb6rdmypl6opir@agluck-desk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20171215 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 21 Feb 2018 00:49:05 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 21 Feb 2018 00:49:05 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'pjones@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 20, 2018 at 02:01:51PM -0800, Linus Torvalds wrote: > Which variables are actually used by user space tools? It sounds like > it may be exactly those boot order things that we already have flags > and special behavior for. Not that many are really part of a non-root workflow. The biggest consumer that there's a real /user/ workflow for is Matthew's tpmtotp, which lets you pick your own when you set it up as root and merely read from it as a user in perpetuity. Most workflows are of the same form as "I run efibootmgr as a user to list things and then use sudo when I actually need to make some changes." > And no, I don't believe in the "SMI can trigger a DoS" argument. Those > garbage efivars that *do* trigger SMI's should me marked and shamed, > and maybe _they_ need to be added to the list of things that you > should look out for. Root or not. It's all of them except the very few that are generated during bootup. It's worth noting, though, that EFI does not actually require this implementation behavior in any way. This is all about Intel's choice to use SMI to protect the variable store. > And just on general principlies, I don't want to see weasel-wordy > commit messages like > > "Reading certain EFI variables trigger SMIs" > > I understand *writing* them causing SMI's due to some flash protection > scheme. What's the reading thing? And why aren't we calling that > garbage out? Assuming most Intel CPUs work more or less the same as Galileo in this particular regard, what's going on is the SPI part is connected to the North Cluster, which presents an MMIO interface to program it, and SMM is configured so that touching those addresses triggers an SMI. This way they can protect the the "authenticated" variables by checking signatures inside SMM. So basically it's not "Reading certain variables trigger SMIs", it's "reading any variable that's not completely fake causes SMI". The result is any user can not merely trigger an SMI, but really more like they can hold it asserted. > So even if we do need to limit reading, I want out comments (in core > or commits) to actually explain *Why*., instead of this kind of > non-specific fear-mongering that nobody can really say yay or nay > about. Yeah, makes sense. There are other options, but they're not great either. For example, On most systems the total data is <100kB, so we could make a default-on config option to just cache it all during boot by default. Like the options suggested so far, it has downsides, but it's not the end of the world for most systems. -- Peter