Linux 4.5-rc5: efivarfs fixed to avoid “rm -rf /” bricking UEFI

(git.kernel.org)

279 points the_why_of_y | 1 comments | 22 Feb 16 18:08 UTC | HN request time: 0.334s | source

Show context

nkurz ◴[22 Feb 16 19:19 UTC] No.11153467[source]▶

For context, this is in reference to a bug that was discussed a couple weeks ago: https://news.ycombinator.com/item?id=10999335

  Systemd mounted efivarfs read-write, allowing motherboard bricking via 'rm'

Essentially, systemd defaulted to a configuration where the computer's motherboard could be permanently destroyed by removing a 'file' from the command line. The bug reporter argued that this was unduly dangerous, but the systemd developers thought that systemd was working as intended.

Here's a reasonably impartial discussion on a FreeBSD list that gives an overview: https://forums.freebsd.org/threads/54951/

And from that thread, here's a link to Matthew Garrett (the creator of efivarfs) saying that efivarfs is at fault here rather than systemd: https://twitter.com/mjg59/status/693494314941288448

replies(3): >>11153507 #>>11153589 #>>11153676 #

kbenson ◴[22 Feb 16 19:23 UTC] No.11153507[source]▶

>>11153467 #

> but the developer's thought that it was working as intended

Really? Is that evidenced by Lennart's response to this, which stated "The ability to hose a system is certainly reason enought to make sure it's well protected and only writable to root."[1]? I think it implies the opposite.

1: https://github.com/systemd/systemd/issues/2402

replies(6): >>11153532 #>>11153561 #>>11153670 #>>11153711 #>>11153722 #>>11154994 #

pyre ◴[22 Feb 16 19:53 UTC] No.11153722[source]▶

>>11153507 #

You're missing the end of that quote:

> But beyond that: root can do anything really.

... so running "rm -rf /" as root should brick your motherboard because it's the responsibility of the motherboard manufacturer to protect against this. That's all fine and dandy in an idealized world, but in the "real world" there are going to be motherboard manufacturers that play fast and loose with these things.

replies(3): >>11153841 #>>11153983 #>>11154137 #

noja ◴[22 Feb 16 20:43 UTC] No.11154137[source]▶

>>11153722 #

The kernel should mount it read-only. If root wishes to delete or modify the contents, root can remount it read-write.

replies(1): >>11154906 #

ekimekim ◴[22 Feb 16 22:38 UTC] No.11154906[source]▶

>>11154137 #

The kernel isn't in charge of mount options, that's the job of userspace (generally an init system). In any case, you would end up needing a way to mount it RW to accommodate legit uses of the non-broken EFI vars, at which point you're back where you started. This fix addresses it by having the kernel identify and protect only broken (or at least, non-standard) EFI vars.

replies(1): >>11155338 #

pyre ◴[22 Feb 16 23:53 UTC] No.11155338[source]▶

>>11154906 #

> In any case, you would end up needing a way to mount it RW to accommodate legit uses of the non-broken EFI vars, at which point you're back where you started.

Not necessarily. Leaving it "wide open" for anything to accidentally write to it all of the time vs. just mounting it readwrite when you actually need to write to it are two different risk profiles.

replies(1): >>11157670 #

1. EmanueleAina ◴[23 Feb 16 09:34 UTC] No.11157670[source]▶

>>11155338 #

Your approach still bricks motherboards if somebody forgets to remount ro after having remounted rw.

The kernel fix doesn't have such drawback.

↑