[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180224200617.75cfe5f2@alans-desktop>
Date: Sat, 24 Feb 2018 20:06:17 +0000
From: Alan Cox <gnomes@...rguk.ukuu.org.uk>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
"Luck, Tony" <tony.luck@...el.com>,
Joe Konno <joe.konno@...ux.intel.com>,
"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Matthew Garrett <matthew.garrett@...ula.com>,
Jeremy Kerr <jk@...abs.org>, Andi Kleen <ak@...ux.intel.com>,
Matthew Garrett <mjg59@...gle.com>,
Peter Jones <pjones@...hat.com>,
Andy Lutomirski <luto@...nel.org>,
James Bottomley <james.bottomley@...senpartnership.com>
Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions
On Wed, 21 Feb 2018 09:03:00 +0000
> The thing I like about rate limiting (for everyone including root) is
> that it does not break anybody's workflow (unless EFI variable access
> occurs on a hot path, in which case you're either a) asking for it, or
> b) the guy trying to DoS us), and that it can make exploitation of any
> potential Spectre v1 vulnerabilities impractical at the same time. At
b) doesn't make spectre v1 much harder alas. What matters there is that
you turn on the right CPU protections before calling into EFI and turn
them off afterwards. EFI firmware internally isn't built with retpoline
anyway.
Alan
Powered by blists - more mailing lists