Date: Thu, 13 Jul 2017 15:17:52 +0300
From: Andrew Savchenko
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

On Thu, 13 Jul 2017 12:35:50 +0100 M. J. Everitt wrote:
> On 13/07/17 12:09, Rich Freeman wrote:
> > Presumably you'd only want to remount it if it was mounted ro to
> > start, since it sounds like openrc will be diverging from systemd
> > behavior here.
> >
> > While it seems like a good idea I'm not sure how big an improvement it
> > is in the larger scheme. We're worried about root accidentally
> > modifying efivars, but we have no safeguards against root writing to
> > /dev/sda, and the latter seems much more likely to cause harm, and is
> > harder to fix.
> >
> In case you weren't aware, Rich, rewriting the efivars actually writes
> to the system BIOS, which renders the computer completely unbootable ..
> not quite the same as erasing the boot sector of your hard disk, where
> you simply plug in another device, and off you go ...

It may be even worse. Some parts of efivars may be stored not in
the BIOS chip, but on other chips like AC control or IME. So simple
BIOS reflashing (e.g. from backup BIOS available on many boards)
will not help.

Best regards,
Andrew Savchenko