| 1 |
On Thu, Aug 17, 2017 at 10:29 AM, Peter Humphrey <peter@××××××××××××.uk> wrote: |
| 2 |
> On Tuesday 15 August 2017 22:12:41 Mick wrote: |
| 3 |
>> On Tuesday 15 Aug 2017 16:02:19 Mike Gilbert wrote: |
| 4 |
>> > On Tue, Aug 15, 2017 at 2:17 PM, Rich Freeman <rich0@g.o> wrote: |
| 5 |
>> > > On Tue, Aug 15, 2017 at 11:04 AM, Mick <michaelkintzios@×××××.com> |
| 6 |
> wrote: |
| 7 |
>> > >> I can't recall if I did this myself in a moment of security induced |
| 8 |
>> > >> inspiration. I doubt I did. So how did this happen? What is |
| 9 |
>> > >> responsible for mounting this fs? |
| 10 |
>> > > |
| 11 |
>> > > It looks like this never did turn into a news item: |
| 12 |
>> > > https://archives.gentoo.org/gentoo-dev/message/35304b0db4de9e06fea3222 |
| 13 |
>> > > 7537 9fa81 |
| 14 |
>> > > |
| 15 |
>> > > You can remount it as rw if your tools don't do it automatically. It |
| 16 |
>> > > might not hurt to file a bug if one doesn't already exist for the tool |
| 17 |
>> > > that isn't remounting it. |
| 18 |
>> > |
| 19 |
>> > Please bother efibootmgr upstream about it, or bother the OpenRC |
| 20 |
>> > maintainer who decided to break things. |
| 21 |
>> |
| 22 |
>> Thank you Rich, I suspected it was an intentional change and from a |
| 23 |
>> security perspective it is to be commended. However, it could cause |
| 24 |
>> uninformed users like myself some lost time, thinking something may have |
| 25 |
>> gone wrong on our system. |
| 26 |
>> |
| 27 |
>> I submitted bug #627964: |
| 28 |
>> |
| 29 |
>> https://bugs.gentoo.org/show_bug.cgi?id=627964 |
| 30 |
>> |
| 31 |
>> I think a news item although useful, on its own is not sufficient. If |
| 32 |
>> remounting 'rw' and back again to 'ro' is not performed by the legit |
| 33 |
>> commands which touch efivars (e.g. efibootmgr, GRUB, et al), the HandBook |
| 34 |
>> should also be amended if it hasn't been already, because newbies will |
| 35 |
>> have one more excuse to pack it in and go back to *buntu. |
| 36 |
> |
| 37 |
> That was an instructive conversation - thanks all. I had the same problem |
| 38 |
> with systemd-boot while rebuild this box over the last few days. I don't |
| 39 |
> know whether to raise a similar bug against systemd-boot now, after reading |
| 40 |
> your bug report, Mick. |
| 41 |
|
| 42 |
Given that systemd-boot is ripped out of systemd, and systemd always |
| 43 |
mounts efivarfs as read/write, there is really no chance of them |
| 44 |
altering bootctl to re-mount efivarfs on demand. |
| 45 |
|
| 46 |
Reporting a bug against systemd-boot would probably be a waste of your |
| 47 |
time since I will almost certainly close it as WONTFIX. ;-) |
Archives