On Wed, 16 Nov 2022 at 17:17, Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > Variables in the random seed GUID must remain secret, so deny all reads > to them. > > Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx> > --- > fs/efivarfs/file.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/efivarfs/file.c b/fs/efivarfs/file.c > index d57ee15874f9..08996ba3a373 100644 > --- a/fs/efivarfs/file.c > +++ b/fs/efivarfs/file.c > @@ -76,6 +76,9 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf, > while (!__ratelimit(&file->f_cred->user->ratelimit)) > msleep(50); > > + if (guid_equal(&var->var.VendorGuid, &LINUX_EFI_RANDOM_SEED_TABLE_GUID)) > + return -EPERM; > + > err = efivar_entry_size(var, &datasize); > > /* I'd prefer it if we could just disregard them entirely, i.e., never enumerate them so that they don't appear in the file system.
