On Tue, Nov 22, 2022 at 03:04:00AM +0100, Jason A. Donenfeld wrote: > In anticipation of putting random seeds in EFI variables, it's important > that the random GUID namespace of variables remains hidden from > userspace. We accomplish this by not populating efivarfs with entries > from that GUID, as well as denying the creation of new ones in that > GUID. What's the concern here? Booting an older kernel would allow a malicious actor to either read the seed variable or set it to a value under their control, so we can't guarantee that the information is secret.
