From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 2E79B139694 for ; Thu, 13 Jul 2017 14:35:10 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F2E65E0F15; Thu, 13 Jul 2017 14:35:04 +0000 (UTC) Received: from mail-wr0-x22d.google.com (mail-wr0-x22d.google.com [IPv6:2a00:1450:400c:c0c::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 87650E0ED3 for ; Thu, 13 Jul 2017 14:35:04 +0000 (UTC) Received: by mail-wr0-x22d.google.com with SMTP id k67so54017498wrc.2 for ; Thu, 13 Jul 2017 07:35:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=GL9N1/TV4mnH1I1DXH/YwpxY79R20uMh+jHhaBf6Dk0=; b=I9C3QmJJRefAeuQMX3fciEHduZcBj5nNvz5VLNMiOh6Flamde7p5N5b6GILAB002LT ZuZu8JXTKYExXdxnoGc8WspgmXA6qb1hUTJXf5jMYeqZ12pTd72RyIiTo9wFX1GaUI7b eUwJEAU6KqEkceu3HoE7Bh1KLbWTUaFiCdSxZqnGKNa+YMIhsAxHKa7R1uOq/fuHmHGl uGfWzW9AR5ONSaI5XQG33W1XDwkW+Qzz/KrB+Rq8VDFALAHaD34ANf31qEVSOXK8Pme5 SDRm+053+vbbhfV3scU57c8+Mu68WqaZuw0KNXxXTTlDHWU2/oYCSjvWRSJw6pPquhOk 2A1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=GL9N1/TV4mnH1I1DXH/YwpxY79R20uMh+jHhaBf6Dk0=; b=bgLKxY6o92o+s6WTIkyDmcudbJ4Wnb8UhSikSCkVqSgv2KtykRw90RjIsM9zDCBM6q YyZKSDZPt1WdjfTOL9k5Fke2o1cHU6WjQU/XXWQxxXgLPwjGn8XH8yYVbe8UDEZVAiVp c1SuQORzrpnSyA/kcJjsZrNLX0QFTBc5CHwl9m6ChIYrMbf4d2olnrNeAF+65WBYVR2Z 9tjOQaQQ+IZM3S1ajkmoOJN2N8/nwzyClY5TfbOYVfiOGSpGxHPiNhodLDXQLmpOd1r7 kfUw6v9EQP5p7jejUPnnpVuHpdWyw6kTqZVS7mTUEp2FISoIKarFMLY5kTX1uLWDHWan rfXQ== X-Gm-Message-State: AIVw113PLgdVmcL36ePG8kTTYgLfDjZpFKPTNp72ZoOKF+L0ooQk1b1C jnSmxeQUfJXeeBHWjKWy4QlpwMjT0w== X-Received: by 10.223.179.13 with SMTP id j13mr1827486wrd.108.1499956503040; Thu, 13 Jul 2017 07:35:03 -0700 (PDT) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Received: by 10.28.84.19 with HTTP; Thu, 13 Jul 2017 07:35:02 -0700 (PDT) In-Reply-To: References: <20170712154236.GA10286@whubbs1.gaikai.biz> <20170712214408.GA13328@whubbs1.gaikai.biz> <20170713093021.2b0bcf21b6ebb6921245fbe0@gentoo.org> <32458e65-d66d-fcdc-5b0a-97d3c480d14a@iee.org> From: Ben Kohler Date: Thu, 13 Jul 2017 09:35:02 -0500 Message-ID: Subject: Re: [gentoo-dev] newsitem: openrc-0.28 mounts efivars read only To: gentoo-dev@lists.gentoo.org Content-Type: multipart/alternative; boundary="94eb2c1b4eb48ad671055433d6e7" X-Archives-Salt: 4bdcaaa8-1d65-4daf-9e62-efad2278fa81 X-Archives-Hash: 4189737800940b4731435590556d91b2 --94eb2c1b4eb48ad671055433d6e7 Content-Type: text/plain; charset="UTF-8" On Thu, Jul 13, 2017 at 9:29 AM, Mike Gilbert wrote: > > We are actually talking about protecting people who run something like > rm -rf /sys/firmware/efi/efivars/ as root. > > If you are dumb enough to do something like that, you almost deserve > to spend a couple hundred on a new motherboard. > > While I can think of a few ways you can accidentally do this via bindmounts and such, I think it's also worth mentioning that this "bricking" only happens on a very very small number of systems with a specific buggy UEFI implementation, the vast majority of UEFI hardware will not be "bricked" by wiping efivars. I'm still onboard with protecting users from this out of the box, but it's not like without this change, we'll have gentoo boxes dropping dead all over the place every week. We're protecting from something that requires both a very specific firmware bug AND serious user error, to trigger. -Ben --94eb2c1b4eb48ad671055433d6e7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Thu, Jul 13, 2017 at 9:29 AM, Mike Gilbert <floppym@gentoo.org= > wrote:
=

We are actually talking about protecting people who run somethi= ng like
rm -rf /sys/firmware/efi/efivars/ as root.

If you are dumb enough to do something like that, you almost deserve
to spend a couple hundred on a new motherboard.

While I can think of a few ways you can accidentally do = this via bindmounts and such, I think it's also worth mentioning that t= his "bricking" only happens on a very very small number of system= s with a specific buggy UEFI implementation, the vast majority of UEFI hard= ware will not be "bricked" by wiping efivars.

I'm still onboard wit= h protecting users from this out of the box, but it's not like without = this change, we'll have gentoo boxes dropping dead all over the place e= very week.=C2=A0 We're protecting from something that requires both a v= ery specific firmware bug AND serious user error, to trigger.

-Ben
--94eb2c1b4eb48ad671055433d6e7--