| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 5 Mar 2015 15:08:42 -0800 From: Andy Lutomirski <luto@...capital.net> To: Kweh Hock Leong <hock.leong.kweh@...el.com> Cc: Borislav Petkov <bp@...en8.de>, Matt Fleming <matt@...sole-pimps.org>, "Ong, Boon Leong" <boon.leong.ong@...el.com>, "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Sam Protsenko <semen.protsenko@...aro.org>, LKML <linux-kernel@...r.kernel.org>, Ming Lei <ming.lei@...onical.com> Subject: RE: Re: [PATCH v2 3/3] efi: Capsule update with user helper interface On Mar 5, 2015 1:19 AM, "Kweh, Hock Leong" <hock.leong.kweh@...el.com> wrote: > > > -----Original Message----- > > From: Andy Lutomirski [mailto:luto@...capital.net] > > Sent: Wednesday, March 04, 2015 4:38 AM > > > > On Mon, Mar 2, 2015 at 9:56 PM, Kweh, Hock Leong > > <hock.leong.kweh@...el.com> wrote: > > > > > > Just to call out that using firmware class auto locate binary feature is limited > > > to locations: > > > - "/lib/firmware/updates/" UTS_RELEASE, > > > - "/lib/firmware/updates", > > > - "/lib/firmware/" UTS_RELEASE, > > > - "/lib/firmware" > > > and one custom path which inputted during firmware_class module load > > > time or kernel boot up time. > > > > > > It is just not like the user helper interface which allow load the binary at > > > any path/location. > > > > > > This really is not a big deal. User should cope with it. > > > > No, it's a big deal, and the user should not cope. > > > > The user *should not* be required to have write access to anything in > > /lib to install a UEFI capsule that they download from their > > motherboard vendor's website. /lib belongs to the distro, and UEFI > > capsules do not belong to the distro. In this regard, UEFI capsules > > are completely unlike your wireless card firmware, your cpu microcode, > > etc. > > > > Imagine systems using NFS root, Atomic-style systems (e.g. ostree), > > systems that boot off squashfs, etc. They should still be able to > > load capsules. The basic user interface that should work is: > > > > # uefi-load-capsule /path/to/capsule > > > > or: > > > > # uefi-load-capsule - </path/to/capsule > > > > I don't really care how uefi-load-capsule is implemented, as long as > > it's straightforward, because people will screw it up if it isn't > > straightforward. > > > > Why is it so hard to have a file in sysfs that you write the capsule > > to using *cat* (not echo) and that will return an error code if cat > > fails? Is it because you don't know where the end of the capsule is? > > if so, ioctl is designed for exactly this purpose. > > > > TBH, I find this thread kind of ridiculous. The problem that you're > > trying to solve is extremely simple, the functionality that userspace > > needs is trivial, and all of these complex proposals for how it should > > work are an artifact of the fact that the kernel-internal interfaces > > you're using for it are not well suited to the problem at hand. > > > > --Andy > > Sorry, I may not catch your point correctly. Are you trying to tell that > a "normal" user can perform efi capsule update. But a "normal" user > does not have the right to install or copy the capsule binary into > "/lib/firmware/". So, there is a need to make this capsule module to > allow uploading the capsule binary at any path or location other than > "/lib/firmware/". > > Is this what you mean? No. Only root should be able to load capsules, but even root may not be able to write to /lib. --Andy > > > Regards, > Wilson -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists