On Wed, Nov 16, 2022 at 6:05 PM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > On Wed, 16 Nov 2022 at 17:17, Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > > > Variables in the random seed GUID must remain secret, so deny all reads > > to them. > > > > Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx> > > --- > > fs/efivarfs/file.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/fs/efivarfs/file.c b/fs/efivarfs/file.c > > index d57ee15874f9..08996ba3a373 100644 > > --- a/fs/efivarfs/file.c > > +++ b/fs/efivarfs/file.c > > @@ -76,6 +76,9 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf, > > while (!__ratelimit(&file->f_cred->user->ratelimit)) > > msleep(50); > > > > + if (guid_equal(&var->var.VendorGuid, &LINUX_EFI_RANDOM_SEED_TABLE_GUID)) > > + return -EPERM; > > + > > err = efivar_entry_size(var, &datasize); > > > > /* > > I'd prefer it if we could just disregard them entirely, i.e., never > enumerate them so that they don't appear in the file system. Okay, sure, I can make that happen I think. And then I suppose that if you try to create anything under that GUID, it should just fail. Jason
