summaryrefslogtreecommitdiffstats
path: root/fs/efivarfs
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2022-11-22 03:04:00 +0100
committerArd Biesheuvel <ardb@kernel.org>2022-12-01 09:51:21 +0100
commit63ffb573df66aea034d07fd00483d0a3cd4fed66 (patch)
tree32b54fd05eaec67a46a333e7cb95254cd04d1f1b /fs/efivarfs
parent196dff2712ca5a2e651977bb2fe6b05474111a83 (diff)
downloadlinux-63ffb573df66aea034d07fd00483d0a3cd4fed66.tar.gz
linux-63ffb573df66aea034d07fd00483d0a3cd4fed66.tar.bz2
linux-63ffb573df66aea034d07fd00483d0a3cd4fed66.zip
efi: vars: prohibit reading random seed variables
In anticipation of putting random seeds in EFI variables, it's important that the random GUID namespace of variables remains hidden from userspace. We accomplish this by not populating efivarfs with entries from that GUID, as well as denying the creation of new ones in that GUID. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Diffstat (limited to 'fs/efivarfs')
-rw-r--r--fs/efivarfs/inode.c4
-rw-r--r--fs/efivarfs/super.c3
2 files changed, 7 insertions, 0 deletions
diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c
index 939e5e242b98..617f3ad2485e 100644
--- a/fs/efivarfs/inode.c
+++ b/fs/efivarfs/inode.c
@@ -91,6 +91,10 @@ static int efivarfs_create(struct user_namespace *mnt_userns, struct inode *dir,
err = guid_parse(dentry->d_name.name + namelen + 1, &var->var.VendorGuid);
if (err)
goto out;
+ if (guid_equal(&var->var.VendorGuid, &LINUX_EFI_RANDOM_SEED_TABLE_GUID)) {
+ err = -EPERM;
+ goto out;
+ }
if (efivar_variable_is_removable(var->var.VendorGuid,
dentry->d_name.name, namelen))
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index 6780fc81cc11..07e82e246666 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -116,6 +116,9 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor,
int err = -ENOMEM;
bool is_removable = false;
+ if (guid_equal(&vendor, &LINUX_EFI_RANDOM_SEED_TABLE_GUID))
+ return 0;
+
entry = kzalloc(sizeof(*entry), GFP_KERNEL);
if (!entry)
return err;
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-18 02:02:34 +0000