The simple answer of "Make it read-only" is missing the point - there's a bunch of legitimate reasons to want to be able to write here
This is a kernel problem that needs to be fixed in the kernel
(The kernel already sanitises a bunch of UEFI accesses to deal with shitty BDS implementations that affected >50% of all shipped hardware)
For the record, if rm /sys/firmware/efi/efivars/* bricks your laptop under Linux, it's a 20-line app to do the same under Windows
@mjg59 there's a big difference between "writing an app" and "making a typo".
@mhoye There is, but fixing the typo case without fixing the underlying problem still makes it possible for malicious actors to do damage
@mhoye We need to fix the actual problem rather than implementing an inherently racy solution that blocks other legitimate use cases
@mjg59 Mounting read-only on boot does not meaningfully block any legitimate use cases, but prevents occasional disaster.
@mjg59 It is when that kernel code should not even be reachable unless someone manually decides they want to access EFI vars & mounts it.
@RichFelker it was intended to be globally accessible because it's incredibly useful
@mjg59 You should be able to count the # of programs that need to access any particular hardware-related thing on one hand. Pref one finger.
@mjg59 EFI should be completely out of the way as soon as bootloader has transferred control to kernel and kernel has enumerated devices.
@RichFelker cool story but no
@mjg59 So you like having hardware-vendor-provided binary blobs compromising your system? Fun.
@RichFelker no, which is why I support people producing open implementations
@mjg59 Well most users don't have the luxury of open implementations. Running firmware code with kernel privs compromises their security.
@mjg59 Any chance you can add a mount option that prohibits deletions and enable it by default? AFAICS that should not cause trouble.
@sharhalakis it actually does - you need to be able to delete boot options
@mjg59 darn... In that case I guess the only clean solution is a whitelist of what can be deleted. E.g. only allow BootXXXX
@mjg59 whoever writes bad code these days gets to blame systemd and nobody told me? Now I can stop taking the blame for Clutter!