On 24 February 2018 at 20:06, Alan Cox <gnomes@xxxxxxxxxxxxxxxxxxx> wrote: > On Wed, 21 Feb 2018 09:03:00 +0000 >> The thing I like about rate limiting (for everyone including root) is >> that it does not break anybody's workflow (unless EFI variable access >> occurs on a hot path, in which case you're either a) asking for it, or >> b) the guy trying to DoS us), and that it can make exploitation of any >> potential Spectre v1 vulnerabilities impractical at the same time. At > > b) doesn't make spectre v1 much harder alas. What matters there is that > you turn on the right CPU protections before calling into EFI and turn > them off afterwards. EFI firmware internally isn't built with retpoline > anyway. > Well, that is exactly my concern. The parsing code in the authenticated variable routines in UEFI may well contain sequences that are exploitable, due to UEFI's heavy reliance on protocols involving function pointers, and the fact that a variable update is structured data (with bounds that may need checking). Also, this code is highly likely to remain unpatched on many systems, and it usually appears in the same place in memory regardless of KASLR. However, only root can call SetVariable(), so perhaps the risk is limited after all? I had a stab (for arm64) at unmapping the kernel while UEFI calls are in progress, which is a fairly big hammer, but effective, given that UEFI itself does not keep any secrets in the first place, and so if the kernel isn't mapped, there isn't anything to steal to begin with. Note that on arm64, Spectre v2 should not be a concern, due to the branch predictor maintenance that takes place when entering the kernel. But Spectre v1 in UEFI runtime service code is currently unmitigated, and I wonder what the risk level really is. -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
