On Mon, Jul 18, 2022 at 9:28 AM Borislav Petkov <bp@xxxxxxx> wrote:
>
> So I'm being told we need to untrain on return from EFI to protect the
> kernel from it.
Why would we have to protect the kernel from EFI?
If we can't trust EFI, then the machine is already compromised. We
just *called* an EFI routine, if EFI is untrusted, it did something
random.
I mean, it could have already done something bad at boot time when it
loaded the kernel.
So no, let's not "protect ourselves from EFI".
Linus
