Bug 1759325 - please set CONFIG_EFI_TEST to "m"
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-10-07 20:36 UTC by Laszlo Ersek
Modified: 2020-05-06 00:03 UTC (History)

Fixed In Version: kernel-5.6.0-1.fc33
Last Closed: 2020-05-06 00:03:02 UTC
Type: Bug

Description Laszlo Ersek 2019-10-07 20:36:50 UTC
Feature request: please apply

[PATCH] efi/efi_test: require CAP_SYS_ADMIN to open the chardev
http://mid.mail-archive.com/20191003100712.31045-1-javierm@redhat.com
https://www.spinics.net/lists/linux-efi/msg16593.html

to the Fedora kernel, and then please enable building the "efi_test" driver as a module.

Use case (excerpt from the patch linked above):

"""
Currently the GetVariable() UEFI runtime service is used (through the
efivar sysfs interface) to test that OVMF is able to enter into SMM.

But there's a proposal to add a UEFI variable cache outside of SMM, to
speedup GetVariable() calls. So the plan is to call QueryVariableInfo()
instead that's also read-only and sufficiently infrequently called that
is not planned to be cached anytime soon.

Building the efi_test module will allow us to call this EFI service by
using the fwts uefivarinfo test.
"""

fwts is packaged for Fedora, and it would rely on the "efi_test" driver -- but the kernel driver is currently unavailable.

CONFIG_EFI_TEST makes sense wherever EFI does ("depends on EFI"). i686, x86_64, and aarch64 seem relevant.

Also, it would be nice if the module were available for production kernels (not just for debug kernels). It's not expected that the module is going to be auto-loaded (it has no modalias).

Thanks!

Comment 1 Matthew Garrett 2019-10-07 21:03:20 UTC
I think allowing userland to pass arbitrary arguments to firmware calls is probably something that should be lockdown gated. I'll write a patch for upstream.

Comment 2 Javier Martinez Canillas 2019-10-08 07:33:06 UTC
(In reply to Matthew Garrett from comment #1)
> I think allowing userland to pass arbitrary arguments to firmware calls is
> probably something that should be lockdown gated. I'll write a patch for
> upstream.

I can post a v2 of that patch that also locks down the module besides requiring the CAP_SYS_ADMIN capability.

Comment 3 Javier Martinez Canillas 2019-10-08 10:57:54 UTC
I've posted a v2 of the patch that also locks down access to the chardev as suggested by Matthew:

https://lkml.org/lkml/2019/10/8/309

Comment 4 Laszlo Ersek 2020-05-06 00:03:02 UTC
(In reply to Javier Martinez Canillas from comment #3)
> I've posted a v2 of the patch that also locks down access to the chardev as
> suggested by Matthew:
> 
> https://lkml.org/lkml/2019/10/8/309

Merged upstream as commit 359efcc2c910 ("efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN", 2019-10-31); included in Linux v5.4.

Meaning CONFIG_EFI_TEST=m should be acceptable at least in Fedora 32.

In the <https://gitlab.com/cki-project/kernel-ark.git> repo, the CONFIG_EFI_TEST=m change seems to have been made already, in commit c84606a7c8b6 ("[redhat] Align some configs for Fedora", 2019-11-20). That commit is a part of tag "kernel-5.6.0-1.fc33".

"kernel-core-5.6.0-1.fc33.aarch64.rpm" and "kernel-core-5.6.0-1.fc33.x86_64.rpm" agree.

Fedora 33 seems "branched" and not "rawhide" at this moment, so I'm closing this as NEXTRELEASE. Thanks.
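
Added example (not part of the bug thread, and not Fedora or kernel project code): a shell audit that reports how reachable the efi_test interface is on a host, combining the CONFIG_EFI_TEST setting with the active kernel lockdown mode. It assumes the kernel carries commit 359efcc2c910; the function names, verdict labels and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Audit sketch for the efi_test driver discussed in this bug.
# Functions take file paths so they also work on saved copies of
# /boot/config-$(uname -r) and /sys/kernel/security/lockdown.

# efi_test_config FILE -> "m", "y" or "unset"
efi_test_config() {
    # "# CONFIG_EFI_TEST is not set" does not match and yields "unset".
    val=$(sed -n 's/^CONFIG_EFI_TEST=\([ym]\)$/\1/p' "$1" 2>/dev/null | tail -n 1)
    echo "${val:-unset}"
}

# lockdown_mode FILE -> active mode, which the kernel marks with
# brackets, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    mode=$(sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$1" 2>/dev/null) || mode=""
    echo "${mode:-unavailable}"
}

# efi_test_verdict CONFIG_FILE LOCKDOWN_FILE
#   not-built           driver is not compiled for this kernel
#   blocked-by-lockdown opening /dev/efi_test is refused by lockdown
#   cap-sys-admin-only  only CAP_SYS_ADMIN gates the device (assumes
#                       the kernel includes commit 359efcc2c910)
efi_test_verdict() {
    cfg=$(efi_test_config "$1")
    lock=$(lockdown_mode "$2")
    case "$cfg:$lock" in
        unset:*)                        echo "not-built" ;;
        *:integrity|*:confidentiality)  echo "blocked-by-lockdown" ;;
        *)                              echo "cap-sys-admin-only" ;;
    esac
}

# Constructed sample inputs (not captured from a real system).
demo=$(mktemp -d)
printf 'CONFIG_EFI=y\nCONFIG_EFI_TEST=m\n' > "$demo/config"
printf 'none [integrity] confidentiality\n' > "$demo/lockdown"
echo "sample host: $(efi_test_verdict "$demo/config" "$demo/lockdown")"
```

A "cap-sys-admin-only" verdict means any process holding CAP_SYS_ADMIN can load the module and issue firmware runtime calls, so module loading and that capability are the things to monitor on such hosts.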

