On Thursday 17 Aug 2017 11:25:04 Mike Gilbert wrote:
> On Thu, Aug 17, 2017 at 10:29 AM, Peter Humphrey <peter@××××××××××××.uk>
> wrote:
> > On Tuesday 15 August 2017 22:12:41 Mick wrote:
> >> On Tuesday 15 Aug 2017 16:02:19 Mike Gilbert wrote:
> >> > On Tue, Aug 15, 2017 at 2:17 PM, Rich Freeman <rich0@g.o> wrote:
> >> > > On Tue, Aug 15, 2017 at 11:04 AM, Mick <michaelkintzios@×××××.com>
> >> > > wrote:
> >> > >> I can't recall if I did this myself in a moment of security induced
> >> > >> inspiration. I doubt I did. So how did this happen? What is
> >> > >> responsible for mounting this fs?
> >> > >
> >> > > It looks like this never did turn into a news item:
> >> > > https://archives.gentoo.org/gentoo-dev/message/35304b0db4de9e06fea322
> >> > > 2
> >> > > 7537 9fa81
> >> > >
> >> > > You can remount it as rw if your tools don't do it automatically. It
> >> > > might not hurt to file a bug if one doesn't already exist for the tool
> >> > > that isn't remounting it.
> >> >
> >> > Please bother efibootmgr upstream about it, or bother the OpenRC
> >> > maintainer who decided to break things.
> >>
> >> Thank you Rich, I suspected it was an intentional change and from a
> >> security perspective it is to be commended. However, it could cause
> >> uninformed users like myself some lost time, thinking something may have
> >> gone wrong on our system.
> >>
> >> I submitted bug #627964:
> >>
> >> https://bugs.gentoo.org/show_bug.cgi?id=627964
> >>
> >> I think a news item, although useful, on its own is not sufficient. If
> >> remounting 'rw' and back again to 'ro' is not performed by the legit
> >> commands which touch efivars (e.g. efibootmgr, GRUB, et al), the HandBook
> >> should also be amended if it hasn't been already, because newbies will
> >> have one more excuse to pack it in and go back to *buntu.
> >
> > That was an instructive conversation - thanks all. I had the same problem
> > with systemd-boot while rebuilding this box over the last few days. I don't
> > know whether to raise a similar bug against systemd-boot now, after
> > reading your bug report, Mick.
>
> Given that systemd-boot is ripped out of systemd, and systemd always
> mounts efivarfs as read/write, there is really no chance of them
> altering bootctl to re-mount efivarfs on demand.
>
> Reporting a bug against systemd-boot would probably be a waste of your
> time since I will almost certainly close it as WONTFIX. ;-)

TBH once the user/sysadmin knows the cause of the problem is that efivarfs is
mounted as 'ro', it is one simple step to remount it as 'rw' before executing
successfully whichever boot manager command is desired. The main problem is
that having been accustomed to boot managers functioning without this
additional step for the last 4-5 years, some users will be wondering what is
suddenly wrong with their system. It is for this reason I suggested that a
portage news item wouldn't go amiss, since OpenRC is a cornerstone of the
Gentoo system and its impacts can be significant.

Although I proposed it as an option, I am not sure if each and every boot
manager software should be scripted to automatically detect if the efivarfs is
mounted as 'ro' and remount 'rw'/execute/remount 'ro' on its own and without
user confirmation. I think it should not do so without requiring user input,
if only to make sure the protection of mounting efivarfs as 'ro' is retained.
--
Regards,
Mick
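The remount 'rw' / execute / remount 'ro' sequence that Mick describes, with the user confirmation he argues for, as a small POSIX shell wrapper. This is an added example, not code from the thread, from OpenRC, or from any of the boot managers mentioned; it assumes the usual efivarfs mount point /sys/firmware/efi/efivars, that /proc/mounts is available, and that it is run as root (the remount needs it). The function names are invented for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): wrap one boot-manager
# command so that efivarfs is only writable for the duration of that command,
# and only after the user has explicitly agreed to it.

EFIVARS_MNT=/sys/firmware/efi/efivars   # standard efivarfs mount point (assumption)

# Read /proc/mounts-formatted lines on stdin and print the efivarfs state:
# "ro", "rw", or "absent" (no efivarfs mounted at EFIVARS_MNT).
efivarfs_state() {
    awk -v mnt="$EFIVARS_MNT" '
        $2 == mnt && $3 == "efivarfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "ro" || opts[i] == "rw") { print opts[i]; found = 1; exit }
            }
        }
        END { if (!found) print "absent" }'
}

# Ask before flipping efivarfs to rw; never do it silently.
confirm_remount() {
    printf 'efivarfs is mounted read-only. Remount it read-write to run "%s"? [y/N] ' "$*"
    read -r answer
    case $answer in
        y|Y|yes|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Run "$@" with efivarfs writable, restoring read-only afterwards even if the
# command fails, so the protection of the ro mount is kept by default.
run_with_efivars_rw() {
    state=$(efivarfs_state < /proc/mounts)
    case $state in
        absent)
            echo "efivarfs is not mounted at $EFIVARS_MNT" >&2
            return 1 ;;
        rw)
            # Already writable (e.g. a systemd host): nothing to change.
            "$@"
            return $? ;;
    esac

    confirm_remount "$@" || { echo "Aborted; efivarfs left read-only." >&2; return 1; }

    mount -o remount,rw "$EFIVARS_MNT" || return 1
    "$@"
    rc=$?
    mount -o remount,ro "$EFIVARS_MNT" || echo "warning: could not restore ro on $EFIVARS_MNT" >&2
    return $rc
}
```

Source the file and call `run_with_efivars_rw` with the boot manager command as its arguments (for example an efibootmgr or bootctl invocation); the detection step is separated into `efivarfs_state` so it can be checked against sample mount lines without touching the real mount.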