> That said, I'm not sure how many non-root users run the toolkit to > extract their EFI certificates or check on the secure boot status of > the system, but I suspect it might be non-zero: I can see the tinfoil > hat people wanting at least to check the secure boot status when they > log in.
Another fix option might be to rate limit EFI calls for non-root users (on X86 since only we have the SMI problem). That would: 1) Avoid using memory to cache all the variables 2) Catch any other places where non-root users can call EFI -Tony
