Bug 1304078

Summary: systemd should mount efivarfs as read-only by default
Product: [Fedora] Fedora Reporter: Japheth Cleaver <cleaver-redhat>
Component: systemdAssignee: systemd-maint
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: johannbg, lnykryn, msekleta, muadda, s, systemd-maint, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-02 21:42:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Japheth Cleaver 2016-02-02 19:54:17 UTC 
Description of problem:

Given various problems with some motherboard manufacturers' implementations of UEFI, efivarfs is even more fragile than might otherwise be expected for an exposed firmware interface. For this and general safety reasons, efivarfs (if kept mounted at all by default) should be mounted read-only.

Utilities needing to write into it (cf bug 886208) should be responsible for taking steps/getting permissions as needed, or instructing the administrator to remount it in rw mode before continuing. 

This may help prevent errant accidents with non-firmware-related commands from causing actual firmware problems.


Additional info:
Upstream bug closed: https://github.com/systemd/systemd/issues/2402

https://github.com/systemd/systemd/blob/master/src/core/mount-setup.c#L109
Comment 1 Jóhann B. Guðmundsson 2016-02-02 21:42:09 UTC 
This got closed as WONTFIX upstream no need to carry on with this here...