279 points the_why_of_y
nkurz No.11153467
For context, this is in reference to a bug that was discussed a couple weeks ago: https://news.ycombinator.com/item?id=10999335

  Systemd mounted efivarfs read-write, allowing motherboard bricking via 'rm' 
Essentially, systemd defaulted to a configuration where the computer's motherboard could be permanently destroyed by removing a 'file' from the command line. The bug reporter argued that this was unduly dangerous, but the systemd developers thought that systemd was working as intended.

Here's a reasonably impartial discussion on a FreeBSD list that gives an overview: https://forums.freebsd.org/threads/54951/

And from that thread, here's a link to Matthew Garrett (the creator of efivarfs) saying that efivarfs is at fault here rather than systemd: https://twitter.com/mjg59/status/693494314941288448

replies(3): >>11153507 >>11153589 >>11153676
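An added example, not part of the thread or of systemd: a small POSIX shell audit for the exposure nkurz describes. It reports whether efivarfs is mounted read-write, can remount it read-only (root required), and lists the variables a plain `rm` would still delete. The immutable-flag check relies on the kernel-side mitigation that followed this report (Linux 4.5 and later mark efivarfs entries not on a known-safe whitelist with the `i` attribute, so `unlink()` fails until `chattr -i` is run); that background is mine, not something the thread states. The parsing functions read stdin so they can be exercised on constructed `/proc/self/mounts` and `lsattr` lines without a UEFI machine; the script name and the `--live` flag are my own.

```shell
#!/bin/sh
# Added example, not from the HN thread or from systemd: audit and harden the
# efivarfs mount discussed above. Parsing functions read stdin so they can be
# run against constructed sample input on any machine.

# Print "rw", "ro", "unknown" or "absent" for efivarfs, given a
# /proc/self/mounts-style listing on stdin (fields: src mnt fstype opts ...).
# In /proc/self/mounts the first option is always the rw/ro mode.
efivarfs_mode() {
    while read -r _src _mnt fstype opts _rest; do
        [ "$fstype" = "efivarfs" ] || continue
        case "$opts" in
            rw|rw,*) echo rw ;;
            ro|ro,*) echo ro ;;
            *)       echo unknown ;;
        esac
        return 0
    done
    echo absent
}

# Given `lsattr` output on stdin (attribute string, then path), print the
# variables that do NOT carry the immutable ('i') flag, i.e. the ones a plain
# `rm` as root would still delete. On Linux 4.5+ the kernel sets 'i' on every
# variable outside its known-safe whitelist (Boot####, BootOrder, ...), so the
# list should be short; on older kernels every variable shows up here.
mutable_efivars() {
    while read -r attrs path; do
        case "$attrs" in
            *i*) ;;                 # immutable: unlink() fails with EPERM
            *)   echo "$path" ;;
        esac
    done
}

# Live audit of the running system. Remounting needs root; pass "fix" as the
# argument to remount read-only, anything else to report only.
EFIVARS=/sys/firmware/efi/efivars
audit_efivarfs() {
    fix="$1"
    mode=$(efivarfs_mode < /proc/self/mounts)
    echo "efivarfs mount mode: $mode"
    case "$mode" in
        rw)
            if [ "$fix" = fix ]; then
                mount -o remount,ro "$EFIVARS" && echo "remounted $EFIVARS read-only"
            else
                echo "WARNING: efivarfs is writable; rm of a variable reaches firmware"
            fi ;;
        absent)
            echo "efivarfs not mounted (BIOS boot, or mount it ro if tooling needs it)" ;;
    esac
    if [ -d "$EFIVARS" ] && command -v lsattr >/dev/null 2>&1; then
        echo "variables without the immutable flag (deletable by plain rm):"
        lsattr "$EFIVARS"/* 2>/dev/null | mutable_efivars | sed 's/^/  /'
    fi
}

# Only touch the live system when invoked explicitly:
#   sh efivarfs-audit.sh --live        # report only
#   sh efivarfs-audit.sh --live fix    # remount read-only (as root)
if [ "${1:-}" = "--live" ]; then
    audit_efivarfs "${2:-report}"
fi
```

Remounting read-only is a blunt instrument: anything that legitimately writes EFI variables (efibootmgr, systemd-boot's bootctl, fwupd) needs the mount writable for the duration of the change, so the realistic posture is read-only by default plus a short `mount -o remount,rw` around those operations.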
kbenson No.11153507
> but the developer's thought that it was working as intended

Really? Is that evidenced by Lennart's response to this, which stated "The ability to hose a system is certainly reason enought to make sure it's well protected and only writable to root."[1]? I think it implies the opposite.

1: https://github.com/systemd/systemd/issues/2402

replies(6): >>11153532 >>11153561 >>11153670 >>11153711 >>11153722 >>11154994
nkurz No.11153670
I was going from memory, and didn't reread Lennart's responses in the thread. But looking at it again now, I still think it's an accurate summary. Lennart's line after you quoted is "But beyond that: root can do anything really."

I read this as Lennart saying that when root issues an 'rm' in efivarfs, the variable should be removed even if this renders the motherboard unusable without physical repairs. What's your interpretation?

I've edited to fix my terrible punctuation, and to make it clear that 'it' refers to 'systemd', and to add a link to MJG's response on Twitter. I can edit further if you have a way to make it clearer.

replies(1): >>11154101
kbenson No.11154101
My interpretation, stemming from his statement that it is a problem to brick machines and his statement that some programs need write access, is that something needs to be put in place, but we can't unilaterally restrict root (which would be very un-Unixy to do). I think he was fairly ambiguous in details on how to fix it (possibly because he wasn't sure the best path to take), and included some fairly blanket statements about policy/belief that allowed people to interpret his statements however they were inclined. Unfortunately, due to the polarizing effect of systemd (and Lennart's prior projects, and possibly Lennart himself), there are plenty of people inclined to believe he doesn't care.