1304078 – systemd should mount efivarfs as read-only by default

Bug 1304078 - systemd should mount efivarfs as read-only by default

Summary: systemd should mount efivarfs as read-only by default

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	systemd
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	systemd-maint
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-02 19:54 UTC by Japheth Cleaver
Modified:	2016-02-02 21:42 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-02-02 21:42:09 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Japheth Cleaver 2016-02-02 19:54:17 UTC

Description of problem:

Given various problems with some motherboard manufacturers' implementations of UEFI, efivarfs is even more fragile than might otherwise be expected for an exposed firmware interface. For this and general safety reasons, efivarfs (if kept mounted at all by default) should be mounted read-only.

Utilities needing to write into it (cf bug 886208) should be responsible for taking steps/getting permissions as needed, or instructing the administrator to remount it in rw mode before continuing. 

This may help prevent errant accidents with non-firmware-related commands from causing actual firmware problems.


Additional info:
Upstream bug closed: https://github.com/systemd/systemd/issues/2402

https://github.com/systemd/systemd/blob/master/src/core/mount-setup.c#L109

Comment 1 Jóhann B. Guðmundsson 2016-02-02 21:42:09 UTC

This got closed as WONTFIX upstream no need to carry on with this here...

Note You need to log in before you can comment on or make changes to this bug.