On Tue, Feb 20, 2018 at 02:01:51PM -0800, Linus Torvalds wrote: > Which variables are actually used by user space tools? It sounds like > it may be exactly those boot order things that we already have flags > and special behavior for. Not that many are really part of a non-root workflow. The biggest consumer that there's a real /user/ workflow for is Matthew's tpmtotp, which lets you pick your own when you set it up as root and merely read from it as a user in perpetuity. Most workflows are of the same form as "I run efibootmgr as a user to list things and then use sudo when I actually need to make some changes." > And no, I don't believe in the "SMI can trigger a DoS" argument. Those > garbage efivars that *do* trigger SMI's should me marked and shamed, > and maybe _they_ need to be added to the list of things that you > should look out for. Root or not. It's all of them except the very few that are generated during bootup. It's worth noting, though, that EFI does not actually require this implementation behavior in any way. This is all about Intel's choice to use SMI to protect the variable store. > And just on general principlies, I don't want to see weasel-wordy > commit messages like > > "Reading certain EFI variables trigger SMIs" > > I understand *writing* them causing SMI's due to some flash protection > scheme. What's the reading thing? And why aren't we calling that > garbage out? Assuming most Intel CPUs work more or less the same as Galileo in this particular regard, what's going on is the SPI part is connected to the North Cluster, which presents an MMIO interface to program it, and SMM is configured so that touching those addresses triggers an SMI. This way they can protect the the "authenticated" variables by checking signatures inside SMM. So basically it's not "Reading certain variables trigger SMIs", it's "reading any variable that's not completely fake causes SMI". The result is any user can not merely trigger an SMI, but really more like they can hold it asserted. > So even if we do need to limit reading, I want out comments (in core > or commits) to actually explain *Why*., instead of this kind of > non-specific fear-mongering that nobody can really say yay or nay > about. Yeah, makes sense. There are other options, but they're not great either. For example, On most systems the total data is <100kB, so we could make a default-on config option to just cache it all during boot by default. Like the options suggested so far, it has downsides, but it's not the end of the world for most systems. -- Peter -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html