Received: by 10.223.185.116 with SMTP id b49csp467706wrg; Wed, 21 Feb 2018 01:15:39 -0800 (PST) X-Google-Smtp-Source: AH8x224C9PCx4OmbkUSddUUd3rFh6+oJCiapnmR27lXnXw6XCWQcI45KZNwc5c9wakCeQM8hxFt9 X-Received: by 10.98.200.80 with SMTP id z77mr2586196pff.85.1519204539772; Wed, 21 Feb 2018 01:15:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519204539; cv=none; d=google.com; s=arc-20160816; b=Rm+G6ynyuPn79dS0VOptoNj+Yqis8l2/lgZTJsw1RehB2a2a4//Wg0Zz9O/XvrNJmK KNpO+SHGsnDLYevX+xknDGkZJLnQaNWDNN+Og9c6NBEEbFP+AKfrL3CzM4/aoIDfOxVg AqXmXnQMPF4EFqCWShpzygFdp1E4/3psjkk/QJNPc6tjMSeZ4Gt+jb7w8PpWlRAbAR1i sJflBM+JsBVlU+h56UUnmE0y5vefaZ3K13vq7kMhPGJBXLgO1jEN4LsamsiqWRNGrBPP nmbt5cYMt37ylUUFfnpwrD2I2mVvw9SujDedIRDzAjX6FdAoaSNDtwhFILRUdYqR7oLg DJKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=gSkUf89hdpYLS3s+1H/6cDNLBtWJVqpJa++S/5HCYDc=; b=h+1cF92lGCotNzI4yrp+eEeqGj+gB52ElMrnfKD1Kbn0OOITi2vD4Z7SsWTC2mtRMR gorwqflYnstLXnlzyfy4Syf3cPgktbpmqZoRSw03fPDZAg7DsH3CmTQyMVyMZREQMUtv +uP+G99RxlXl4KVWlOcHo3P1f9LAtWm+gL0DdXODhMZaOoatSANKwUxRYos64vMww0aP P935azwinp699+IQUfTuLZOHeH7V6afN9AKnBz5SEMRmTQ2HwyzBH5+9Yj5VSHd8E6mO OWSTDK5F85mgDCcEafhcFapvXQLc0g3dTDr0vqgusCAkFzUbmo+UixqW59MRasDUoz0B 96SA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=B1+4KU8V; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f7si2696840pfj.360.2018.02.21.01.15.25; Wed, 21 Feb 2018 01:15:39 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=B1+4KU8V; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752963AbeBUJDF (ORCPT + 99 others); Wed, 21 Feb 2018 04:03:05 -0500 Received: from mail-it0-f46.google.com ([209.85.214.46]:54274 "EHLO mail-it0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752698AbeBUJDC (ORCPT ); Wed, 21 Feb 2018 04:03:02 -0500 Received: by mail-it0-f46.google.com with SMTP id p204so1420992itc.4 for ; Wed, 21 Feb 2018 01:03:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=gSkUf89hdpYLS3s+1H/6cDNLBtWJVqpJa++S/5HCYDc=; b=B1+4KU8VZTEnKJKLlMio1e4M6k60e7nQ/1SQOO8L5diPhQmVou36qrsPqZFK9/cxNT r1z/dfEO2Z2IH1pY//3kDGtMrKDUTc7rj+MfVQYu6NluIZboGbq+f78UDCFntICs8YYc fR8VuLbnnq50i08mLex0mmSFWZXTGRepD9ScU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=gSkUf89hdpYLS3s+1H/6cDNLBtWJVqpJa++S/5HCYDc=; b=tpOmcujIFWpSpUL7QzDynBLW8vNxNL6KloUajkCs0ppdcWtgAN1dQzGbISXcd2G3bx 4OTO7u9zfKy3e/OQr4NS1SBygQ05ufhDmJGMQzHLC1eyEBizEfKZMZktVqMvwCQY0A+j IJ7hefKI8et0hP6XfhuQ1bRvmRBM8jr+xIb9yyf6UWZP5IWrtTK9pVpTE6DCb1yBc41L Uu/787Zcf2+TRAmLHjlB7CExeGTghdMd6yin6DzIfjMuWUeyrcc2yUgRZqosB8OWMseF 43JP3VjIhhj6P48J4NGrCd5nHhj8ejfbU7TyRKekq5KON3Cz6sNZB3/yM1uXvVTy60M1 5Zlw== X-Gm-Message-State: APf1xPBUd3IqwblZl77zPsojau6zcl5Qoi3yQJNajQGusS0UoA5uU0h9 cUgIYJfP35IFuYuQ3EBF0ogJvT5JNFVUDfMGYlISYQ== X-Received: by 10.36.90.5 with SMTP id v5mr2327232ita.138.1519203781322; Wed, 21 Feb 2018 01:03:01 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.138.209 with HTTP; Wed, 21 Feb 2018 01:03:00 -0800 (PST) In-Reply-To: References: <20180215182208.35003-1-joe.konno@linux.intel.com> <20180215182208.35003-2-joe.konno@linux.intel.com> <6680a760-eb30-4daf-2dad-a9628f1c15a8@kernel.org> <20180220211849.fqjb6rdmypl6opir@agluck-desk> <20180220233008.55rfm7zw62hrao5p@agluck-desk> <3908561D78D1C84285E8C5FCA982C28F7B37DE1B@ORSMSX110.amr.corp.intel.com> From: Ard Biesheuvel Date: Wed, 21 Feb 2018 09:03:00 +0000 Message-ID: Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions To: Linus Torvalds Cc: "Luck, Tony" , Joe Konno , "linux-efi@vger.kernel.org" , Linux Kernel Mailing List , Matthew Garrett , Jeremy Kerr , Andi Kleen , Matthew Garrett , Peter Jones , Andy Lutomirski , James Bottomley Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 21 February 2018 at 02:16, Linus Torvalds wrote: > On Tue, Feb 20, 2018 at 5:05 PM, Luck, Tony wrote: >>>> EFI[1] stinks. Reading any file in /sys/firmware/efi/efivars/ generates >>>> 4 (yes FOUR!) SMIs. >> >>> Is that actualkly the normal implementation? >> >> I don't know if there are other implementations. This is what I see on my >> lab system. > > Ok. I'm not a huge fan of EFI. Over-designed to the hilt. Happily at > least the loadable drivers are a thing of the past. > I don't think there is any disagreement on that aspect of the discussion. > Do we have a list of things normal users care about? Because one thing > that would solve it is caching of the values. We don't want to do that > in general, but maybe we could just do it for the subset that we think > are "user accessible". > > Although maybe just that "rate limit" thing would be simplest. > The thing I like about rate limiting (for everyone including root) is that it does not break anybody's workflow (unless EFI variable access occurs on a hot path, in which case you're either a) asking for it, or b) the guy trying to DoS us), and that it can make exploitation of any potential Spectre v1 vulnerabilities impractical at the same time. At present, we don't know if this is a concern, but we cannot rule it out, and what we do know is that those shiny new Spectre-proof kernels that we will have any day now will be running on systems with UEFI firmware that may contain vulnerable code paths and may never get updated. Perhaps I am being overly paranoid here, but if we end up adding rate limiting, let's just apply it to root as well. > I don't want to break existing users, although it's not entirely clear > to me if there are any real use cases that matter to users. If tpmtotp > is the main case, maybe that can be changed to work around it and just > cache a value or something? > > So I could imagine just applying Joe's / Andy's patch to see if > anybody even notices. But if somebody does, we'd have to go to the > alternatives anyway. > > Linus