> -----Original Message----- > From: Andy Lutomirski [mailto:luto@xxxxxxxxxxxxxx] > Sent: Friday, March 06, 2015 7:09 AM > > On Mar 5, 2015 1:19 AM, "Kweh, Hock Leong" <hock.leong.kweh@xxxxxxxxx> > wrote: > > > > > > This really is not a big deal. User should cope with it. > > > > > > No, it's a big deal, and the user should not cope. > > > > > > The user *should not* be required to have write access to anything in > > > /lib to install a UEFI capsule that they download from their > > > motherboard vendor's website. /lib belongs to the distro, and UEFI > > > capsules do not belong to the distro. In this regard, UEFI capsules > > > are completely unlike your wireless card firmware, your cpu microcode, > > > etc. > > > > > > Imagine systems using NFS root, Atomic-style systems (e.g. ostree), > > > systems that boot off squashfs, etc. They should still be able to > > > load capsules. The basic user interface that should work is: > > > > > > # uefi-load-capsule /path/to/capsule > > > > > > or: > > > > > > # uefi-load-capsule - </path/to/capsule > > > > > > I don't really care how uefi-load-capsule is implemented, as long as > > > it's straightforward, because people will screw it up if it isn't > > > straightforward. > > > > > > Why is it so hard to have a file in sysfs that you write the capsule > > > to using *cat* (not echo) and that will return an error code if cat > > > fails? Is it because you don't know where the end of the capsule is? > > > if so, ioctl is designed for exactly this purpose. > > > > > > TBH, I find this thread kind of ridiculous. The problem that you're > > > trying to solve is extremely simple, the functionality that userspace > > > needs is trivial, and all of these complex proposals for how it should > > > work are an artifact of the fact that the kernel-internal interfaces > > > you're using for it are not well suited to the problem at hand. > > > > > > --Andy > > > > Sorry, I may not catch your point correctly. Are you trying to tell that > > a "normal" user can perform efi capsule update. But a "normal" user > > does not have the right to install or copy the capsule binary into > > "/lib/firmware/". So, there is a need to make this capsule module to > > allow uploading the capsule binary at any path or location other than > > "/lib/firmware/". > > > > Is this what you mean? > > No. Only root should be able to load capsules, but even root may not > be able to write to /lib. > > --Andy > Okay, I accept that only root user can perform the load capsule. It is new to me that root user may not have the access right to "/lib/firmware". But I remember you do mention that CPU micro code and wifi firmware they are different and able to write in /lib/firmware. I am curious why efi capsule binary have such a restriction. What is preventing it being write to that location? I even went to check out the FHS: http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard I do not find any restriction calling out for that. Would you mind to educate me on that? Thanks. Regards, Wilson ��.n��������+%������w��{.n�����{����*jg��������ݢj����G�������j:+v���w�m������w�������h�����٥