Feature request: please apply
[PATCH] efi/efi_test: require CAP_SYS_ADMIN to open the chardev
to the Fedora kernel, and then please enable building the "efi_test" driver as a module.
Use case (excerpt from the patch linked above):
Currently the GetVariable() UEFI runtime service is used (through the
efivar sysfs interface) to test that OVMF is able to enter into SMM.
But there's a proposal to add a UEFI variable cache outside of SMM, to
speed up GetVariable() calls. So the plan is to call QueryVariableInfo()
instead, which is also read-only and sufficiently infrequently called that it
is not planned to be cached anytime soon.
Building the efi_test module will allow us to call this EFI service by
using the fwts uefivarinfo test.
fwts is packaged for Fedora, and it would rely on the "efi_test" driver -- but the kernel driver is currently unavailable.
CONFIG_EFI_TEST makes sense wherever EFI does ("depends on EFI"). i686, x86_64, and aarch64 seem relevant.
Also, it would be nice if the module were available for production kernels (not just for debug kernels). It's not expected that the module is going to be auto-loaded (it has no modalias).
I think allowing userland to pass arbitrary arguments to firmware calls is probably something that should be lockdown gated. I'll write a patch for upstream.
(In reply to Matthew Garrett from comment #1)
> I think allowing userland to pass arbitrary arguments to firmware calls is
> probably something that should be lockdown gated. I'll write a patch for
I can post a v2 of that patch that also locks down the module besides requiring the CAP_SYS_ADMIN capability.
I've posted a v2 of the patch that also locks down access to the chardev as suggested by Matthew: