[gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[William Hubbs]

[-- Attachment #1.1: Type: text/plain, Size: 195 bytes --]

OpenRC 0.28 will mount efivars read only by default due to concerns
about users bricking systems by writing to this filesystem unexpectedly.

Here is the newsitem covering this change.

William


[-- Attachment #1.2: 2017-07-15-efivars_readonly.en.txt --]
[-- Type: text/plain, Size: 668 bytes --]

Title: Mounting efivars read only
Author: William Hubbs <williamh@gentoo.org>
Content-Type: text/plain
Posted: 2017-07-15
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: <=sys-apps/openrc-0.28

OpenRC 0.28 mounts efivars read only due to concerns about changes in
this file system making systems unbootable.  If you need to change something
in this path, you will need to re-mount it read-write, make the change
and re-mount it read-only.

Also, you can override this behavior by adding a line for efivars to
fstab if you want efivars mounted read-write.

For more information on this issue, see the following url:

https://github.com/openrc/openrc/issues/134

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[M. J. Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 406 bytes --]

On 12/07/17 16:42, William Hubbs wrote:
> OpenRC 0.28 will mount efivars read only by default due to concerns
> about users bricking systems by writing to this filesystem unexpectedly.
>
> Here is the newsitem covering this change.
>
> William
>
Very sensible .. I seem to recall something about systemd doing the
reverse by default .. and this becoming a regular occurrence.

+1 for sanity.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Mike Gilbert]

On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
> OpenRC 0.28 will mount efivars read only by default due to concerns
> about users bricking systems by writing to this filesystem unexpectedly.
>
> Here is the newsitem covering this change.
>
> William
>

This will break boot loader installers, like grub-install and bootctl
(systemd-boot). Please update any relevant documents on the wiki, or
find someone who can do it for you.

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 687 bytes --]

On Wed, Jul 12, 2017 at 04:03:25PM -0400, Mike Gilbert wrote:
> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
> > OpenRC 0.28 will mount efivars read only by default due to concerns
> > about users bricking systems by writing to this filesystem unexpectedly.
> >
> > Here is the newsitem covering this change.
> >
> > William
> >
> 
> This will break boot loader installers, like grub-install and bootctl
> (systemd-boot). Please update any relevant documents on the wiki, or
> find someone who can do it for you.

I'm not stopping anyone from making those updates, so if someone knows
what needs to be changed, go for it. :-)

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Matt Turner]

On Wed, Jul 12, 2017 at 2:44 PM, William Hubbs <williamh@gentoo.org> wrote:
> On Wed, Jul 12, 2017 at 04:03:25PM -0400, Mike Gilbert wrote:
>> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
>> > OpenRC 0.28 will mount efivars read only by default due to concerns
>> > about users bricking systems by writing to this filesystem unexpectedly.
>> >
>> > Here is the newsitem covering this change.
>> >
>> > William
>> >
>>
>> This will break boot loader installers, like grub-install and bootctl
>> (systemd-boot). Please update any relevant documents on the wiki, or
>> find someone who can do it for you.
>
> I'm not stopping anyone from making those updates, so if someone knows
> what needs to be changed, go for it. :-)

That's now how this works. You can't leave something as crucial as
boot loader installation documentation in a bad state.

It's your responsibility to ensure that happens.

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Lucas Ramage]

[-- Attachment #1: Type: text/plain, Size: 1450 bytes --]

What needs to be changed for the bootloaders? I may be able to assist.

On Wed, Jul 12, 2017 at 7:04 PM, Matt Turner <mattst88@gentoo.org> wrote:

> On Wed, Jul 12, 2017 at 2:44 PM, William Hubbs <williamh@gentoo.org>
> wrote:
> > On Wed, Jul 12, 2017 at 04:03:25PM -0400, Mike Gilbert wrote:
> >> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org>
> wrote:
> >> > OpenRC 0.28 will mount efivars read only by default due to concerns
> >> > about users bricking systems by writing to this filesystem
> unexpectedly.
> >> >
> >> > Here is the newsitem covering this change.
> >> >
> >> > William
> >> >
> >>
> >> This will break boot loader installers, like grub-install and bootctl
> >> (systemd-boot). Please update any relevant documents on the wiki, or
> >> find someone who can do it for you.
> >
> > I'm not stopping anyone from making those updates, so if someone knows
> > what needs to be changed, go for it. :-)
>
> That's now how this works. You can't leave something as crucial as
> boot loader installation documentation in a bad state.
>
> It's your responsibility to ensure that happens.
>
>


-- 

Regards,

[image: View my Portfolio] <https://lramage94.github.io>

Lucas Ramage / Software Engineer
ramage.lucas94@gmail.com / (941)-467-2354

Visit online journal
lramage94.github.io

[image: Google Plus]  <https://plus.google.com/+LucasRamage>[image:
Linkedin] <https://www.linkedin.com/pub/lucas-ramage/4a/719/757>

[-- Attachment #2: Type: text/html, Size: 4589 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Matt Turner]

On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
> What needs to be changed for the bootloaders? I may be able to assist.

The documentation should be updated to say that with OpenRC 0.28 that
you'll have to remount efivars as RW before you can install the
bootloader (e.g., grub-install)

The command I use locally to remount rw (since I have configured
efivars to be mounted read-only in fstab) is

mount -o remount,rw /sys/firmware/efi/efivars

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Lucas Ramage]

[-- Attachment #1: Type: text/plain, Size: 933 bytes --]

I am working on it! Thanks!

On Wed, Jul 12, 2017 at 8:42 PM, Matt Turner <mattst88@gentoo.org> wrote:

> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com>
> wrote:
> > What needs to be changed for the bootloaders? I may be able to assist.
>
> The documentation should be updated to say that with OpenRC 0.28 that
> you'll have to remount efivars as RW before you can install the
> bootloader (e.g., grub-install)
>
> The command I use locally to remount rw (since I have configured
> efivars to be mounted read-only in fstab) is
>
> mount -o remount,rw /sys/firmware/efi/efivars
>
>


-- 

Regards,

[image: View my Portfolio] <https://lramage94.github.io>

Lucas Ramage / Software Engineer
ramage.lucas94@gmail.com / (941)-467-2354

Visit online journal
lramage94.github.io

[image: Google Plus]  <https://plus.google.com/+LucasRamage>[image:
Linkedin] <https://www.linkedin.com/pub/lucas-ramage/4a/719/757>

[-- Attachment #2: Type: text/html, Size: 3888 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Mike Gilbert]

On Wed, Jul 12, 2017 at 5:44 PM, William Hubbs <williamh@gentoo.org> wrote:
> On Wed, Jul 12, 2017 at 04:03:25PM -0400, Mike Gilbert wrote:
>> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
>> > OpenRC 0.28 will mount efivars read only by default due to concerns
>> > about users bricking systems by writing to this filesystem unexpectedly.
>> >
>> > Here is the newsitem covering this change.
>> >
>> > William
>> >
>>
>> This will break boot loader installers, like grub-install and bootctl
>> (systemd-boot). Please update any relevant documents on the wiki, or
>> find someone who can do it for you.
>
> I'm not stopping anyone from making those updates, so if someone knows
> what needs to be changed, go for it. :-)
>
> William
>

Give me a few days, and I'll be happy to help with that. I don't have
a lot of free time this week, but I should have some time this
weekend.

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 826 bytes --]

On Wed, 12 Jul 2017 17:42:50 -0700 Matt Turner wrote:
> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
> > What needs to be changed for the bootloaders? I may be able to assist.
> 
> The documentation should be updated to say that with OpenRC 0.28 that
> you'll have to remount efivars as RW before you can install the
> bootloader (e.g., grub-install)
> 
> The command I use locally to remount rw (since I have configured
> efivars to be mounted read-only in fstab) is
> 
> mount -o remount,rw /sys/firmware/efi/efivars

We don't have that much efi bootloaders. Maybe it will be better
to update their scripting to remount efivars rw and back ro when
needed? The same way we have non-efi bootloaders to mount /boot
partition when needed.


Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 810 bytes --]

On 07/12/2017 05:42 PM, William Hubbs wrote:
> OpenRC 0.28 will mount efivars read only by default due to concerns
> about users bricking systems by writing to this filesystem unexpectedly.
> 
> Here is the newsitem covering this change.

Although the changes seems sensible, I'm wondering if a news item is
necessary for this case versus other documentation and script updates to
reflect this change. For one thing it seems it will have minimal effect
on a running system and not needing a migration path / configuration
updates except in cases where bootloader installs are done; how
intuitive is the feedback in this process when it is read-only?

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Rich Freeman]

On Thu, Jul 13, 2017 at 2:30 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> On Wed, 12 Jul 2017 17:42:50 -0700 Matt Turner wrote:
>> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
>> > What needs to be changed for the bootloaders? I may be able to assist.
>>
>> The documentation should be updated to say that with OpenRC 0.28 that
>> you'll have to remount efivars as RW before you can install the
>> bootloader (e.g., grub-install)
>>
>> The command I use locally to remount rw (since I have configured
>> efivars to be mounted read-only in fstab) is
>>
>> mount -o remount,rw /sys/firmware/efi/efivars
>
> We don't have that much efi bootloaders. Maybe it will be better
> to update their scripting to remount efivars rw and back ro when
> needed? The same way we have non-efi bootloaders to mount /boot
> partition when needed.
>

Presumably you'd only want to remount it if it was mounted ro to
start, since it sounds like openrc will be diverging from systemd
behavior here.

While it seems like a good idea I'm not sure how big an improvement it
is in the larger scheme.  We're worried about root accidentially
modifying efivars, but we have no safeguards against root writing to
/dev/sda, and the latter seems much more likely to cause harm, and is
harder to fix.

-- 
Rich

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[M. J. Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 780 bytes --]

On 13/07/17 12:09, Rich Freeman wrote:
> Presumably you'd only want to remount it if it was mounted ro to
> start, since it sounds like openrc will be diverging from systemd
> behavior here.
>
> While it seems like a good idea I'm not sure how big an improvement it
> is in the larger scheme.  We're worried about root accidentially
> modifying efivars, but we have no safeguards against root writing to
> /dev/sda, and the latter seems much more likely to cause harm, and is
> harder to fix.
>
In case you weren't aware, Rich, rewriting the efivars actually writes
to the system BIOS, which renders the computer completely unbootable ..
not quite the same as erasing the boot sector of your hard disk, where
you simply plug in another device, and Off you go ...


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 2148 bytes --]

On Thu, 13 Jul 2017 07:09:45 -0400 Rich Freeman wrote:
> On Thu, Jul 13, 2017 at 2:30 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> > On Wed, 12 Jul 2017 17:42:50 -0700 Matt Turner wrote:
> >> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
> >> > What needs to be changed for the bootloaders? I may be able to assist.
> >>
> >> The documentation should be updated to say that with OpenRC 0.28 that
> >> you'll have to remount efivars as RW before you can install the
> >> bootloader (e.g., grub-install)
> >>
> >> The command I use locally to remount rw (since I have configured
> >> efivars to be mounted read-only in fstab) is
> >>
> >> mount -o remount,rw /sys/firmware/efi/efivars
> >
> > We don't have that much efi bootloaders. Maybe it will be better
> > to update their scripting to remount efivars rw and back ro when
> > needed? The same way we have non-efi bootloaders to mount /boot
> > partition when needed.
> >
> 
> Presumably you'd only want to remount it if it was mounted ro to
> start, since it sounds like openrc will be diverging from systemd
> behavior here.
> 
> While it seems like a good idea I'm not sure how big an improvement it
> is in the larger scheme.  We're worried about root accidentially
> modifying efivars, but we have no safeguards against root writing to
> /dev/sda, and the latter seems much more likely to cause harm, and is
> harder to fix.

Writing to /dev/sda may kill data stored there, but hardware itself
will survive. Writing to efivars kills hardware and this is the
motivation for this change. See [1] and [2] for details. Poettering
says this is OK to hard brick device, well fine, this is systemd
way. OpenRC is smarter here and protects users from unintended
disaster.

Data can be restored from backup, but hard bricked hardware may
become completely dead beyond repair or require a very complicated
soldering. So I see this issue much more serious than writing
to /dev/sda.

[1] https://github.com/openrc/openrc/issues/134
[2] https://github.com/systemd/systemd/issues/2402

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Rich Freeman]

On Thu, Jul 13, 2017 at 7:43 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> On Thu, 13 Jul 2017 07:09:45 -0400 Rich Freeman wrote:
>> On Thu, Jul 13, 2017 at 2:30 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
>> > On Wed, 12 Jul 2017 17:42:50 -0700 Matt Turner wrote:
>> >> On Wed, Jul 12, 2017 at 5:29 PM, Lucas Ramage <ramage.lucas94@gmail.com> wrote:
>> >> > What needs to be changed for the bootloaders? I may be able to assist.
>> >>
>> >> The documentation should be updated to say that with OpenRC 0.28 that
>> >> you'll have to remount efivars as RW before you can install the
>> >> bootloader (e.g., grub-install)
>> >>
>> >> The command I use locally to remount rw (since I have configured
>> >> efivars to be mounted read-only in fstab) is
>> >>
>> >> mount -o remount,rw /sys/firmware/efi/efivars
>> >
>> > We don't have that much efi bootloaders. Maybe it will be better
>> > to update their scripting to remount efivars rw and back ro when
>> > needed? The same way we have non-efi bootloaders to mount /boot
>> > partition when needed.
>> >
>>
>> Presumably you'd only want to remount it if it was mounted ro to
>> start, since it sounds like openrc will be diverging from systemd
>> behavior here.
>>
>> While it seems like a good idea I'm not sure how big an improvement it
>> is in the larger scheme.  We're worried about root accidentially
>> modifying efivars, but we have no safeguards against root writing to
>> /dev/sda, and the latter seems much more likely to cause harm, and is
>> harder to fix.
>
> Writing to /dev/sda may kill data stored there, but hardware itself
> will survive. Writing to efivars kills hardware and this is the
> motivation for this change. See [1] and [2] for details. Poettering
> says this is OK to hard brick device, well fine, this is systemd
> way. OpenRC is smarter here and protects users from unintended
> disaster.

Reading through those apparently bricking is considered to be a
hardware bug.  Granted, it is still desirable to avoid.

In any case, tools would still need to be compatible with both
approaches.  Apparently there are commands like systemctl reboot
--firmware-setup that expect this to be writable.  If we aren't going
to make the default ro under systemd then tools will need to handle
both cases.  If we decide to change the default for systemd (or put a
line in the default fstab) then this issue would go away.

-- 
Rich

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 2032 bytes --]

On Thu, 13 Jul 2017 07:54:44 -0400 Rich Freeman wrote:
[...]
> >> Presumably you'd only want to remount it if it was mounted ro to
> >> start, since it sounds like openrc will be diverging from systemd
> >> behavior here.
> >>
> >> While it seems like a good idea I'm not sure how big an improvement it
> >> is in the larger scheme.  We're worried about root accidentially
> >> modifying efivars, but we have no safeguards against root writing to
> >> /dev/sda, and the latter seems much more likely to cause harm, and is
> >> harder to fix.
> >
> > Writing to /dev/sda may kill data stored there, but hardware itself
> > will survive. Writing to efivars kills hardware and this is the
> > motivation for this change. See [1] and [2] for details. Poettering
> > says this is OK to hard brick device, well fine, this is systemd
> > way. OpenRC is smarter here and protects users from unintended
> > disaster.
> 
> Reading through those apparently bricking is considered to be a
> hardware bug.  Granted, it is still desirable to avoid.

Yes, it can be considered as a hardware bug, as well as thousands
of other issues, look at how many quirks are inside the kernel.
This is how it works: software works around hardware bugs, because
software is so much easier to update than hardware.

> In any case, tools would still need to be compatible with both
> approaches.  Apparently there are commands like systemctl reboot
> --firmware-setup that expect this to be writable.  If we aren't going
> to make the default ro under systemd then tools will need to handle
> both cases.  If we decide to change the default for systemd (or put a
> line in the default fstab) then this issue would go away.

I see no problems with compatibility. In case of software needs to
write to efivars (bootloader installation, etc) algo is simple:

flag = false;
if (mounted(efivars) == RO) { remount(efivars, RW); flag = true; }
do_usual_stuff();
if (flag) remount(efivars, RO);

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 1120 bytes --]

On Thu, 13 Jul 2017 12:35:50 +0100 M. J. Everitt wrote:
> On 13/07/17 12:09, Rich Freeman wrote:
> > Presumably you'd only want to remount it if it was mounted ro to
> > start, since it sounds like openrc will be diverging from systemd
> > behavior here.
> >
> > While it seems like a good idea I'm not sure how big an improvement it
> > is in the larger scheme.  We're worried about root accidentially
> > modifying efivars, but we have no safeguards against root writing to
> > /dev/sda, and the latter seems much more likely to cause harm, and is
> > harder to fix.
> >
> In case you weren't aware, Rich, rewriting the efivars actually writes
> to the system BIOS, which renders the computer completely unbootable ..
> not quite the same as erasing the boot sector of your hard disk, where
> you simply plug in another device, and Off you go ...
 
It may be even worse. Some parts of efivars may be stored not in the
BIOS chip, but on other chips like AC control or IME. So simple
BIOS reflashing (e.g. from backup BIOS available on many boards)
will not help.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Rich Freeman]

On Thu, Jul 13, 2017 at 8:14 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
>
> I see no problems with compatibility. In case of software needs to
> write to efivars (bootloader installation, etc) algo is simple:
>
> flag = false;
> if (mounted(efivars) == RO) { remount(efivars, RW); flag = true; }
> do_usual_stuff();
> if (flag) remount(efivars, RO);
>

Certainly.  I was just pointing out that we shouldn't make
assumptions.  Honestly, that is probably better in the openrc case as
well, in case a user should want to mount efivars differently for
whatever reason.

-- 
Rich

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 1232 bytes --]

On Thu, Jul 13, 2017 at 12:30:12PM +0200, Kristian Fiskerstrand wrote:
> On 07/12/2017 05:42 PM, William Hubbs wrote:
> > OpenRC 0.28 will mount efivars read only by default due to concerns
> > about users bricking systems by writing to this filesystem unexpectedly.
> > 
> > Here is the newsitem covering this change.
> 
> Although the changes seems sensible, I'm wondering if a news item is
> necessary for this case versus other documentation and script updates to
> reflect this change. For one thing it seems it will have minimal effect
> on a running system and not needing a migration path / configuration
> updates except in cases where bootloader installs are done; how
> intuitive is the feedback in this process when it is read-only?

I have no idea; I've never used an efi system.

For people who are not using efi systems, and as long as you don't mess
with your boot loader, you are correct that this change means nothing.
There is no migration path and nothing really for a user to do.

This is already documented in NEWS.md upstream and in the ChangeLog.

I can spin up the release in an hour or so, and if there is no need for a
newsitem, I will consider the newsitem canceled.

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Mike Gilbert]

On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
> On 13/07/17 12:09, Rich Freeman wrote:
>> Presumably you'd only want to remount it if it was mounted ro to
>> start, since it sounds like openrc will be diverging from systemd
>> behavior here.
>>
>> While it seems like a good idea I'm not sure how big an improvement it
>> is in the larger scheme.  We're worried about root accidentially
>> modifying efivars, but we have no safeguards against root writing to
>> /dev/sda, and the latter seems much more likely to cause harm, and is
>> harder to fix.
>>
> In case you weren't aware, Rich, rewriting the efivars actually writes
> to the system BIOS, which renders the computer completely unbootable ..
> not quite the same as erasing the boot sector of your hard disk, where
> you simply plug in another device, and Off you go ...
>

We are actually talking about protecting people who run something like
rm -rf /sys/firmware/efi/efivars/ as root.

If you are dumb enough to do something like that, you almost deserve
to spend a couple hundred on a new motherboard.

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Ben Kohler]

[-- Attachment #1: Type: text/plain, Size: 933 bytes --]

On Thu, Jul 13, 2017 at 9:29 AM, Mike Gilbert <floppym@gentoo.org> wrote:

>
> We are actually talking about protecting people who run something like
> rm -rf /sys/firmware/efi/efivars/ as root.
>
> If you are dumb enough to do something like that, you almost deserve
> to spend a couple hundred on a new motherboard.
>
> While I can think of a few ways you can accidentally do this via
bindmounts and such, I think it's also worth mentioning that this
"bricking" only happens on a very very small number of systems with a
specific buggy UEFI implementation, the vast majority of UEFI hardware will
not be "bricked" by wiping efivars.

I'm still onboard with protecting users from this out of the box, but it's
not like without this change, we'll have gentoo boxes dropping dead all
over the place every week.  We're protecting from something that requires
both a very specific firmware bug AND serious user error, to trigger.

-Ben

[-- Attachment #2: Type: text/html, Size: 1466 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 1856 bytes --]

On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote:
> On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
> > On 13/07/17 12:09, Rich Freeman wrote:
> >> Presumably you'd only want to remount it if it was mounted ro to
> >> start, since it sounds like openrc will be diverging from systemd
> >> behavior here.
> >>
> >> While it seems like a good idea I'm not sure how big an improvement it
> >> is in the larger scheme.  We're worried about root accidentially
> >> modifying efivars, but we have no safeguards against root writing to
> >> /dev/sda, and the latter seems much more likely to cause harm, and is
> >> harder to fix.
> >>
> > In case you weren't aware, Rich, rewriting the efivars actually writes
> > to the system BIOS, which renders the computer completely unbootable ..
> > not quite the same as erasing the boot sector of your hard disk, where
> > you simply plug in another device, and Off you go ...
> >
> 
> We are actually talking about protecting people who run something like
> rm -rf /sys/firmware/efi/efivars/ as root.
>
> If you are dumb enough to do something like that, you almost deserve
> to spend a couple hundred on a new motherboard.
 
Or just rm -rf /
[pedantic]
of course with newer rm versions one needs to run:
rm -rf --no-preserve-root /
or
rm -rf /* /.*
[/pedantic]

But in some scenarios this command is normal. E.g. user installs
Gentoo from some live dvd/flash, makes some mistakes, understands
that system is broken beyond repair and decides to start over again.
If there is no need to recreate filesystem itself or partition
layout, running rm -rf / as above is quite reasonable.

When running this command user expects to kill the data, but not
the hardware. That is my point. I can't call such action dumb.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 2288 bytes --]

On Thu, 13 Jul 2017 17:58:29 +0300 Andrew Savchenko wrote:
> On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote:
> > On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
> > > On 13/07/17 12:09, Rich Freeman wrote:
> > >> Presumably you'd only want to remount it if it was mounted ro to
> > >> start, since it sounds like openrc will be diverging from systemd
> > >> behavior here.
> > >>
> > >> While it seems like a good idea I'm not sure how big an improvement it
> > >> is in the larger scheme.  We're worried about root accidentially
> > >> modifying efivars, but we have no safeguards against root writing to
> > >> /dev/sda, and the latter seems much more likely to cause harm, and is
> > >> harder to fix.
> > >>
> > > In case you weren't aware, Rich, rewriting the efivars actually writes
> > > to the system BIOS, which renders the computer completely unbootable ..
> > > not quite the same as erasing the boot sector of your hard disk, where
> > > you simply plug in another device, and Off you go ...
> > >
> > 
> > We are actually talking about protecting people who run something like
> > rm -rf /sys/firmware/efi/efivars/ as root.
> >
> > If you are dumb enough to do something like that, you almost deserve
> > to spend a couple hundred on a new motherboard.
>  
> Or just rm -rf /
> [pedantic]
> of course with newer rm versions one needs to run:
> rm -rf --no-preserve-root /
> or
> rm -rf /* /.*
> [/pedantic]
> 
> But in some scenarios this command is normal. E.g. user installs
> Gentoo from some live dvd/flash, makes some mistakes, understands
> that system is broken beyond repair and decides to start over again.
> If there is no need to recreate filesystem itself or partition
> layout, running rm -rf / as above is quite reasonable.
> 
> When running this command user expects to kill the data, but not
> the hardware. That is my point. I can't call such action dumb.

One more example: remember the bumblebee install script bug[1]: due
to a typo the whole /usr was removed, the same may happen with /sys
one day.

If simple file removal results in dead hardware this is no go.

[1]
https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/issues/123

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Rich Freeman]

On Thu, Jul 13, 2017 at 10:58 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
>
> But in some scenarios this command is normal. E.g. user installs
> Gentoo from some live dvd/flash, makes some mistakes, understands
> that system is broken beyond repair and decides to start over again.
> If there is no need to recreate filesystem itself or partition
> layout, running rm -rf / as above is quite reasonable.
>

Honestly, this is one of those reasons that I think the handbook
should be tweaked to use a container instead of a chroot.  That fixes
a lot of special filesystem issues and general makes things cleaner.
With systemd it is pretty trivial due to nspawn, but I'm not sure how
hard it would be to make this change on an openrc-based install CD
(presumably you'd need to include lxc tools on it, though a bit of
scripting with unshare is probably sufficient).

-- 
Rich

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Mike Gilbert]

On Thu, Jul 13, 2017 at 10:58 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
> On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote:
>> On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
>> > On 13/07/17 12:09, Rich Freeman wrote:
>> >> Presumably you'd only want to remount it if it was mounted ro to
>> >> start, since it sounds like openrc will be diverging from systemd
>> >> behavior here.
>> >>
>> >> While it seems like a good idea I'm not sure how big an improvement it
>> >> is in the larger scheme.  We're worried about root accidentially
>> >> modifying efivars, but we have no safeguards against root writing to
>> >> /dev/sda, and the latter seems much more likely to cause harm, and is
>> >> harder to fix.
>> >>
>> > In case you weren't aware, Rich, rewriting the efivars actually writes
>> > to the system BIOS, which renders the computer completely unbootable ..
>> > not quite the same as erasing the boot sector of your hard disk, where
>> > you simply plug in another device, and Off you go ...
>> >
>>
>> We are actually talking about protecting people who run something like
>> rm -rf /sys/firmware/efi/efivars/ as root.
>>
>> If you are dumb enough to do something like that, you almost deserve
>> to spend a couple hundred on a new motherboard.
>
> Or just rm -rf /
> [pedantic]
> of course with newer rm versions one needs to run:
> rm -rf --no-preserve-root /
> or
> rm -rf /* /.*
> [/pedantic]
>
> But in some scenarios this command is normal. E.g. user installs
> Gentoo from some live dvd/flash, makes some mistakes, understands
> that system is broken beyond repair and decides to start over again.
> If there is no need to recreate filesystem itself or partition
> layout, running rm -rf / as above is quite reasonable.
>
> When running this command user expects to kill the data, but not
> the hardware. That is my point. I can't call such action dumb.
>
> Best regards,
> Andrew Savchenko

Point taken.

Although, if the user is in the process of installing Gentoo, efivarfs
is likely to be mounted rw anyway so that the user can install a boot
loader. Having grub-install perform the remount would minimize this
small risk I suppose.

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Mike Gilbert]

On Thu, Jul 13, 2017 at 12:45 PM, Mike Gilbert <floppym@gentoo.org> wrote:
> On Thu, Jul 13, 2017 at 10:58 AM, Andrew Savchenko <bircoph@gentoo.org> wrote:
>> On Thu, 13 Jul 2017 10:29:06 -0400 Mike Gilbert wrote:
>>> On Thu, Jul 13, 2017 at 7:35 AM, M. J. Everitt <m.j.everitt@iee.org> wrote:
>>> > On 13/07/17 12:09, Rich Freeman wrote:
>>> >> Presumably you'd only want to remount it if it was mounted ro to
>>> >> start, since it sounds like openrc will be diverging from systemd
>>> >> behavior here.
>>> >>
>>> >> While it seems like a good idea I'm not sure how big an improvement it
>>> >> is in the larger scheme.  We're worried about root accidentially
>>> >> modifying efivars, but we have no safeguards against root writing to
>>> >> /dev/sda, and the latter seems much more likely to cause harm, and is
>>> >> harder to fix.
>>> >>
>>> > In case you weren't aware, Rich, rewriting the efivars actually writes
>>> > to the system BIOS, which renders the computer completely unbootable ..
>>> > not quite the same as erasing the boot sector of your hard disk, where
>>> > you simply plug in another device, and Off you go ...
>>> >
>>>
>>> We are actually talking about protecting people who run something like
>>> rm -rf /sys/firmware/efi/efivars/ as root.
>>>
>>> If you are dumb enough to do something like that, you almost deserve
>>> to spend a couple hundred on a new motherboard.
>>
>> Or just rm -rf /
>> [pedantic]
>> of course with newer rm versions one needs to run:
>> rm -rf --no-preserve-root /
>> or
>> rm -rf /* /.*
>> [/pedantic]
>>
>> But in some scenarios this command is normal. E.g. user installs
>> Gentoo from some live dvd/flash, makes some mistakes, understands
>> that system is broken beyond repair and decides to start over again.
>> If there is no need to recreate filesystem itself or partition
>> layout, running rm -rf / as above is quite reasonable.
>>
>> When running this command user expects to kill the data, but not
>> the hardware. That is my point. I can't call such action dumb.
>>
>> Best regards,
>> Andrew Savchenko
>
> Point taken.
>
> Although, if the user is in the process of installing Gentoo, efivarfs
> is likely to be mounted rw anyway so that the user can install a boot
> loader. Having grub-install perform the remount would minimize this
> small risk I suppose.

s/grub-install/efibootmgr/; grub-install does not update efivarfs
directly, but rather calls efibootmgr to do it.

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 1523 bytes --]

On Thu, Jul 13, 2017 at 08:52:23AM -0500, William Hubbs wrote:
> On Thu, Jul 13, 2017 at 12:30:12PM +0200, Kristian Fiskerstrand wrote:
> > On 07/12/2017 05:42 PM, William Hubbs wrote:
> > > OpenRC 0.28 will mount efivars read only by default due to concerns
> > > about users bricking systems by writing to this filesystem unexpectedly.
> > > 
> > > Here is the newsitem covering this change.
> > 
> > Although the changes seems sensible, I'm wondering if a news item is
> > necessary for this case versus other documentation and script updates to
> > reflect this change. For one thing it seems it will have minimal effect
> > on a running system and not needing a migration path / configuration
> > updates except in cases where bootloader installs are done; how
> > intuitive is the feedback in this process when it is read-only?
> 
> I have no idea; I've never used an efi system.
> 
> For people who are not using efi systems, and as long as you don't mess
> with your boot loader, you are correct that this change means nothing.
> There is no migration path and nothing really for a user to do.
> 
> This is already documented in NEWS.md upstream and in the ChangeLog.
> 
> I can spin up the release in an hour or so, and if there is no need for a
> newsitem, I will consider the newsitem canceled.

No one objected to me putting out the release, so it is now available.

I'll give another 24 hours for someone to tell me if they think we still
need a newsitem.

Thanks,

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Mike Gilbert]

[-- Attachment #1: Type: text/plain, Size: 1768 bytes --]

On Jul 13, 2017 7:42 PM, "Mike Gilbert" <floppymaster@gmail.com> wrote:

On Jul 13, 2017 7:30 PM, "William Hubbs" <williamh@gentoo.org> wrote:

On Thu, Jul 13, 2017 at 08:52:23AM -0500, William Hubbs wrote:
> On Thu, Jul 13, 2017 at 12:30:12PM +0200, Kristian Fiskerstrand wrote:
> > On 07/12/2017 05:42 PM, William Hubbs wrote:
> > > OpenRC 0.28 will mount efivars read only by default due to concerns
> > > about users bricking systems by writing to this filesystem
unexpectedly.
> > >
> > > Here is the newsitem covering this change.
> >
> > Although the changes seems sensible, I'm wondering if a news item is
> > necessary for this case versus other documentation and script updates to
> > reflect this change. For one thing it seems it will have minimal effect
> > on a running system and not needing a migration path / configuration
> > updates except in cases where bootloader installs are done; how
> > intuitive is the feedback in this process when it is read-only?
>
> I have no idea; I've never used an efi system.
>
> For people who are not using efi systems, and as long as you don't mess
> with your boot loader, you are correct that this change means nothing.
> There is no migration path and nothing really for a user to do.
>
> This is already documented in NEWS.md upstream and in the ChangeLog.
>
> I can spin up the release in an hour or so, and if there is no need for a
> newsitem, I will consider the newsitem canceled.

No one objected to me putting out the release, so it is now available.

I'll give another 24 hours for someone to tell me if they think we still
need a newsitem.

Thanks,

William


We still need documentation updates for packages that use efivarfs, but
apparently you don't care.


Sorry, I missed the replies from Lucas.

[-- Attachment #2: Type: text/html, Size: 2865 bytes --]

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[DarKRaveR]

Am 12.07.2017 um 22:03 schrieb Mike Gilbert:
> On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org> wrote:
>> OpenRC 0.28 will mount efivars read only by default due to concerns
>> about users bricking systems by writing to this filesystem unexpectedly.
>>
>> Here is the newsitem covering this change.
>>
>> William
>>
> This will break boot loader installers, like grub-install and bootctl
> (systemd-boot). Please update any relevant documents on the wiki, or
> find someone who can do it for you.
>

Not only bootloader installers.
It will break things like efibootmgr which can be used to change EFI 
bootmanager's behavior/configuration.
I am not sure how sane these tools react when efivar is RO.

Regards

-Sven

Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only

[Lucas Ramage]

[-- Attachment #1: Type: text/plain, Size: 927 bytes --]

The documentation is being updated. There is no need to worry about that.

On Thu, Jul 13, 2017, 8:09 PM DarKRaveR <dark@verfeiert.org> wrote:

> Am 12.07.2017 um 22:03 schrieb Mike Gilbert:
> > On Wed, Jul 12, 2017 at 11:42 AM, William Hubbs <williamh@gentoo.org>
> wrote:
> >> OpenRC 0.28 will mount efivars read only by default due to concerns
> >> about users bricking systems by writing to this filesystem unexpectedly.
> >>
> >> Here is the newsitem covering this change.
> >>
> >> William
> >>
> > This will break boot loader installers, like grub-install and bootctl
> > (systemd-boot). Please update any relevant documents on the wiki, or
> > find someone who can do it for you.
> >
>
> Not only bootloader installers.
> It will break things like efibootmgr which can be used to change EFI
> bootmanager's behavior/configuration.
> I am not sure how sane these tools react when efivar is RO.
>
> Regards
>
> -Sven
>
>

[-- Attachment #2: Type: text/html, Size: 1358 bytes --]