From: Andrew Savchenko <bircoph@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
Date: Thu, 13 Jul 2017 15:17:52 +0300	[thread overview]
Message-ID: <20170713151752.3efcc3c2096c62cd6c810316@gentoo.org> (raw)
In-Reply-To: <32458e65-d66d-fcdc-5b0a-97d3c480d14a@iee.org>

On Thu, 13 Jul 2017 12:35:50 +0100 M. J. Everitt wrote:
> On 13/07/17 12:09, Rich Freeman wrote:
> > Presumably you'd only want to remount it if it was mounted ro to
> > start, since it sounds like openrc will be diverging from systemd
> > behavior here.
> >
> > While it seems like a good idea I'm not sure how big an improvement it
> > is in the larger scheme.  We're worried about root accidentally
> > modifying efivars, but we have no safeguards against root writing to
> > /dev/sda, and the latter seems much more likely to cause harm, and is
> > harder to fix.
> >
> In case you weren't aware, Rich, rewriting the efivars actually writes
> to the system BIOS, which renders the computer completely unbootable ..
> not quite the same as erasing the boot sector of your hard disk, where
> you simply plug in another device, and off you go ...
 
It may be even worse. Some parts of efivars may be stored not in the
BIOS chip, but on other chips like AC control or IME. So simple
BIOS reflashing (e.g. from backup BIOS available on many boards)
will not help.

Best regards,
Andrew Savchenko
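Rich Freeman's point above is that any remount should happen only when efivarfs started out read-only, and the rest of the thread explains why the write window should be as small as possible. The script below is an added example, not code from the thread, from OpenRC or from Gentoo: it reads the mount table to classify the efivarfs mount as ro, rw or absent, and wraps a single command so that efivarfs is made writable only for that command and returned to read-only afterwards, leaving a system that already mounts it rw untouched. The mount table is parsed from a file path so the same function can be checked against a constructed sample; the efivarfs mountpoint /sys/firmware/efi/efivars, the function names and the sample lines are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): inspect how efivarfs
# is mounted and keep any read-write window as short as possible.

# efivarfs_mode [mounts-file]
# Prints "ro", "rw" or "absent" for the efivarfs mount at
# /sys/firmware/efi/efivars (assumed mountpoint). Defaults to the live
# mount table; a file argument lets the parsing run on a sample.
efivarfs_mode() {
    mounts_file="${1:-/proc/self/mounts}"
    awk '$2 == "/sys/firmware/efi/efivars" && $3 == "efivarfs" {
            n = split($4, opts, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            print mode; found = 1; exit
         }
         END { if (!found) print "absent" }' "$mounts_file"
}

# with_efivars_rw command [args...]
# Runs one command with efivarfs writable. The remount to rw happens only
# if efivarfs was read-only to begin with, and in that case it is put back
# to ro afterwards; a system that already mounts it rw is left as found.
# Needs root for the remount itself.
with_efivars_rw() {
    before=$(efivarfs_mode)
    case "$before" in
        absent) echo "efivarfs is not mounted" >&2; return 1 ;;
        ro)     mount -o remount,rw /sys/firmware/efi/efivars || return 1 ;;
    esac
    "$@"
    status=$?
    if [ "$before" = ro ]; then
        mount -o remount,ro /sys/firmware/efi/efivars
    fi
    return "$status"
}

# Demonstration on a constructed mount table (no root needed, nothing is
# remounted): one system with efivarfs ro, one with it rw, one without it.
demo_efivarfs_mode() {
    sample=$(mktemp)
    printf '%s\n' \
        'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' \
        'efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0' \
        > "$sample"
    echo "constructed ro system: $(efivarfs_mode "$sample")"
    printf '%s\n' \
        'efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0' \
        > "$sample"
    echo "constructed rw system: $(efivarfs_mode "$sample")"
    printf '%s\n' 'sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0' > "$sample"
    echo "constructed system without efivarfs: $(efivarfs_mode "$sample")"
    rm -f "$sample"
}

demo_efivarfs_mode
```

Usage on a real system would be `with_efivars_rw efibootmgr ...` or similar; the wrapper restores read-only even when the wrapped command fails, and refuses to run at all when efivarfs is not mounted rather than guessing a state.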
