Received: by 10.223.185.116 with SMTP id b49csp100864wrg;
        Tue, 20 Feb 2018 16:50:21 -0800 (PST)
X-Google-Smtp-Source: AH8x226edgsYzqd2LSZ4tpFSCKZYb4OKy1uAnLLGiCUO8WkRZBfMciL5gdB9hpx735cUk94NJwn4
X-Received: by 2002:a17:902:3084:: with SMTP id v4-v6mr1394506plb.131.1519174221808;
        Tue, 20 Feb 2018 16:50:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519174221; cv=none;
        d=google.com; s=arc-20160816;
        b=nUhyBJi20DPLDTbnhgp/hPShWFz3Xkz8PYXRvYaCoKBxpZh14XzkDtndpKMQB9/ggr
         BqBHMql5/yzs3xfawiThhjRp1M7tsA/1hXOuasDhaGC14X5UoP4ikCb8S+cBVK4Elno8
         L8pnYFxPzTynQRhtQA9jHZrP8OQEPs4N8Ywi/Muv2QbHzMve/Dyghy9ekpbi96Dd13y5
         ox9Pw9+U6SONmW59SpjJQVIGP1XlZdma/DqoFBdrhgU3C/XERthoxJs3NvQZLa2/LBYO
         fgYQtJ1+hCLr7OvN0eKzqPHFs9tM9CJ3w3TmUCcxVum995SZsJfaW90PQx30qm2nTt1G
         vetw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=lVNuOLGf4fvhuLkGK/b/NZo4DHkkuyX+Bf7CpxBzFWg=;
        b=TfDg6ut2mwcYbU1iCcuMKvTTNEsuTunRz0fDzt1OH1B0I/TzJ3zxBXt2VVXYmCVKIx
         LkNhlINYNNk4N/OUtYroc+56bPUjr1nNxFO907fl0aB8Twb62gH9OlLlGH5UNp14Dw+j
         Ln3wLJAkQKs3MCkxJfiuO1jDwPMeXvQxYjzfT1aP6IJtWouVOBOhmVt/P+zwQSUknNNQ
         DP+KhIepd03KRRvWq6q0zEPetiC9DK5IGSMbDhUUlO0pQAA0d9jVvQp9rSEs/9vKg1EJ
         9afI4IgTMAuuco/9xL155tO+5/+W0XF3uxHm6Dv9MFg7CgxeN7o5N/9h8Y1zyahS7c20
         jAlw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r15-v6si567736pli.431.2018.02.20.16.50.08;
        Tue, 20 Feb 2018 16:50:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751168AbeBUAtH (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Tue, 20 Feb 2018 19:49:07 -0500
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:43826 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1750735AbeBUAtF (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 20 Feb 2018 19:49:05 -0500
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id B42208182D1E;
        Wed, 21 Feb 2018 00:49:04 +0000 (UTC)
Received: from redhat.com (ovpn-121-182.rdu2.redhat.com [10.10.121.182])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 73F0B2166BAE;
        Wed, 21 Feb 2018 00:49:02 +0000 (UTC)
Date:   Tue, 20 Feb 2018 19:49:00 -0500
From:   Peter Jones <pjones@redhat.com>
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     "Luck, Tony" <tony.luck@intel.com>,
        Joe Konno <joe.konno@linux.intel.com>,
        linux-efi@vger.kernel.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Matthew Garrett <matthew.garrett@nebula.com>,
        Jeremy Kerr <jk@ozlabs.org>, Andi Kleen <ak@linux.intel.com>,
        Matthew Garrett <mjg59@google.com>,
        Andy Lutomirski <luto@kernel.org>,
        James Bottomley <james.bottomley@hansenpartnership.com>
Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions
Message-ID: <20180221004859.7s4ltxt4pavf4mji@redhat.com>
References: <20180215182208.35003-1-joe.konno@linux.intel.com>
 <20180215182208.35003-2-joe.konno@linux.intel.com>
 <6680a760-eb30-4daf-2dad-a9628f1c15a8@kernel.org>
 <20180220211849.fqjb6rdmypl6opir@agluck-desk>
 <CA+55aFzjyB=E+=q-W9oYZ7Py7nJwm8YQHFjfbWTib6wvkP9B_A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CA+55aFzjyB=E+=q-W9oYZ7Py7nJwm8YQHFjfbWTib6wvkP9B_A@mail.gmail.com>
User-Agent: NeoMutt/20171215
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 21 Feb 2018 00:49:05 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 21 Feb 2018 00:49:05 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'pjones@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 20, 2018 at 02:01:51PM -0800, Linus Torvalds wrote:

> Which variables are actually used by user space tools? It sounds like
> it may be exactly those boot order things that we already have flags
> and special behavior for.

Not that many are really part of a non-root workflow.  The biggest
consumer that there's a real /user/ workflow for is Matthew's tpmtotp,
which lets you pick your own when you set it up as root and merely read
from it as a user in perpetuity.  Most workflows are of the same form as
"I run efibootmgr as a user to list things and then use sudo when I
actually need to make some changes."

> And no, I don't believe in the "SMI can trigger a DoS" argument. Those
> garbage efivars that *do* trigger SMI's should me marked and shamed,
> and maybe _they_ need to be added to the list of things that you
> should look out for. Root or not.

It's all of them except the very few that are generated during bootup.
It's worth noting, though, that EFI does not actually require this
implementation behavior in any way.  This is all about Intel's
choice to use SMI to protect the variable store.

> And just on general principlies, I don't want to see weasel-wordy
> commit messages like
> 
>  "Reading certain EFI variables trigger SMIs"
> 
> I understand *writing* them causing SMI's due to some flash protection
> scheme. What's the reading thing? And why aren't we calling that
> garbage out?

Assuming most Intel CPUs work more or less the same as Galileo in this
particular regard, what's going on is the SPI part is connected to the
North Cluster, which presents an MMIO interface to program it, and SMM
is configured so that touching those addresses triggers an SMI.  This
way they can protect the the "authenticated" variables by checking
signatures inside SMM.

So basically it's not "Reading certain variables trigger SMIs", it's
"reading any variable that's not completely fake causes SMI".  The
result is any user can not merely trigger an SMI, but really more like
they can hold it asserted.

> So even if we do need to limit reading, I want out comments (in core
> or commits) to actually explain *Why*., instead of this kind of
> non-specific fear-mongering that nobody can really say yay or nay
> about.

Yeah, makes sense.

There are other options, but they're not great either.  For example, On
most systems the total data is <100kB, so we could make a default-on
config option to just cache it all during boot by default.  Like the
options suggested so far, it has downsides, but it's not the end of the
world for most systems.

-- 
        Peter