From: Mike Gilbert
Date: Thu, 13 Jul 2017 10:29:06 -0400
In-Reply-To: <32458e65-d66d-fcdc-5b0a-97d3c480d14a@iee.org>
References: <20170712154236.GA10286@whubbs1.gaikai.biz> <20170712214408.GA13328@whubbs1.gaikai.biz> <20170713093021.2b0bcf21b6ebb6921245fbe0@gentoo.org> <32458e65-d66d-fcdc-5b0a-97d3c480d14a@iee.org>
Subject: Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only
To: Gentoo Dev

On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt wrote:
> On 13/07/17 12:09, Rich Freeman wrote:
>> Presumably you'd only want to remount it if it was mounted ro to
>> start, since it sounds like openrc will be diverging from systemd
>> behavior here.
>>
>> While it seems like a good idea I'm not sure how big an improvement it
>> is in the larger scheme. We're worried about root accidentally
>> modifying efivars, but we have no safeguards against root writing to
>> /dev/sda, and the latter seems much more likely to cause harm, and is
>> harder to fix.
>>
> In case you weren't aware, Rich, rewriting the efivars actually writes
> to the system BIOS, which renders the computer completely unbootable ..
> not quite the same as erasing the boot sector of your hard disk, where
> you simply plug in another device, and off you go ...
>

We are actually talking about protecting people who run something like
rm -rf /sys/firmware/efi/efivars/ as root.

If you are dumb enough to do something like that, you almost deserve to
spend a couple hundred on a new motherboard.
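As an added example (not code from OpenRC or from anyone in this thread), here is a small POSIX sh helper that reports whether efivarfs at /sys/firmware/efi/efivars is mounted ro, plus a wrapper that remounts it writable only when it was ro and puts it back afterwards, which is the "only remount if it was ro" behaviour Rich describes. The mount point path, the function names and the sample /proc/self/mounts lines are my assumptions and constructed data.

```shell
#!/bin/sh
# Added example for this thread; not code from OpenRC or from any poster.
# Assumes efivarfs is mounted at /sys/firmware/efi/efivars (the path named
# in the thread) and that /proc/self/mounts is readable.
EFIVARS_DIR=/sys/firmware/efi/efivars

# efivars_mode [MOUNTS_FILE]
# Prints "ro", "rw" or "absent" for the efivarfs mount at $EFIVARS_DIR by
# parsing a /proc/self/mounts-style file (device mountpoint fstype options ...).
# The optional file argument lets the parser be exercised on sample data.
efivars_mode() {
    awk -v mp="$EFIVARS_DIR" '
        $2 == mp && $3 == "efivarfs" {
            found = 1; mode = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
        }
        END { print (found ? mode : "absent") }
    ' "${1:-/proc/self/mounts}"
}

# with_efivars_rw CMD [ARGS...]
# Runs CMD with efivars writable. A mount that was already rw is left
# alone; one that was ro is restored to ro afterwards even if CMD fails.
with_efivars_rw() {
    mode=$(efivars_mode)
    case "$mode" in
        absent) echo "efivarfs not mounted at $EFIVARS_DIR" >&2; return 2 ;;
        ro) mount -o remount,rw "$EFIVARS_DIR" || return 1 ;;
    esac
    "$@"; rc=$?
    [ "$mode" = ro ] && mount -o remount,ro "$EFIVARS_DIR"
    return "$rc"
}

# Constructed sample of /proc/self/mounts lines (not from a real machine).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0
EOF
echo "sample efivarfs mode: $(efivars_mode "$SAMPLE_MOUNTS")"   # prints ro
```

Run `efivars_mode` with no argument on a live system to check the real mount; `with_efivars_rw` needs root because of the remounts.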