Feature request: please apply [PATCH] efi/efi_test: require CAP_SYS_ADMIN to open the chardev http://mid.mail-archive.com/20191003100712.31045-1-javierm@redhat.com https://www.spinics.net/lists/linux-efi/msg16593.html to the Fedora kernel, and then please enable building the "efi_test" driver as a module. Use case (excerpt from the patch linked above): """ Currently the GetVariable() UEFI runtime service is used (through the efivar sysfs interface) to test that OVMF is able to enter into SMM. But there's a proposal to add a UEFI variable cache outside of SMM, to speedup GetVariable() calls. So the plan is to call QueryVariableInfo() instead that's also read-only and sufficiently infrequently called that is not planned to be cached anytime soon. Building the efi_test module will allow us to call this EFI service by using the fwts uefivarinfo test. """ fwts is packaged for Fedora, and it would rely on the "efi_test" driver -- but the kernel driver is currently unavailable. CONFIG_EFI_TEST makes sense wherever EFI does ("depends on EFI"). i686, x86_64, and aarch64 seem relevant. Also, it would be nice if the module were available for production kernels (not just for debug kernels). It's not expected that the module is going to be auto-loaded (it has no modalias). Thanks!
I think allowing userland to pass arbitrary arguments to firmware calls is probably something that should be lockdown gated. I'll write a patch for upstream.
(In reply to Matthew Garrett from comment #1) > I think allowing userland to pass arbitrary arguments to firmware calls is > probably something that should be lockdown gated. I'll write a patch for > upstream. I can post a v2 of that patch that also locks down the module besides requiring the CAP_SYS_ADMIN capability.
I've posted a v2 of the patch that also locks down access to the chardev as suggested by Matthew: https://lkml.org/lkml/2019/10/8/309
(In reply to Javier Martinez Canillas from comment #3) > I've posted a v2 of the patch that also locks down access to the chardev as > suggested by Matthew: > > https://lkml.org/lkml/2019/10/8/309 Merged upstream as commit 359efcc2c910 ("efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN", 2019-10-31); included in Linux v5.4. Meaning CONFIG_EFI_TEST=m should be acceptable at least in Fedora 32. In the <https://gitlab.com/cki-project/kernel-ark.git> repo, the CONFIG_EFI_TEST=m change seems to have been made already, in commit c84606a7c8b6 ("[redhat] Align some configs for Fedora", 2019-11-20). That commit is a part of tag "kernel-5.6.0-1.fc33". "kernel-core-5.6.0-1.fc33.aarch64.rpm" and "kernel-core-5.6.0-1.fc33.x86_64.rpm" agree. Fedora 33 seems "branched" and not "rawhide" at this moment, so I'm closing this as NEXTRELEASE. Thanks.