On Fri, Feb 16, 2018 at 1:45 PM Andy Lutomirski <l...@kernel.org> wrote: > I'm going to go out on a limb and suggest that the fact that > unprivileged users can read efi variables at all is a mistake > regardless of SMI issues.
Why? They should never contain sensitive material. > Also, chmod() just shouldn't work on efi variables, and the mode > passed to creat() should be ignored. After all, there's no backing > store for the mode. If the default is 600 then it makes sense to allow a privileged service to selectively make certain variables world readable at runtime.
