OpenCloudOS-Kernel/drivers/firmware/efi
Javier Martinez Canillas 359efcc2c9 efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space to call EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users to call the EFI runtime services, instead of just relying on the
chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Matthew Garrett <mjg59@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-10-31 09:40:21 +01:00
..
libstub x86, efi: Never relocate kernel below lowest acceptable address 2019-10-31 09:40:19 +01:00
test efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN 2019-10-31 09:40:21 +01:00
Kconfig efi: Make CONFIG_EFI_RCI2_TABLE selectable on x86 only 2019-10-31 09:40:16 +01:00
Makefile efi: Export Runtime Configuration Interface table to sysfs 2019-08-08 11:10:25 +03:00
apple-properties.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
arm-init.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
arm-runtime.c efi: Unify DMI setup code over the arm/arm64, ia64 and x86 architectures 2019-03-29 07:35:00 +01:00
capsule-loader.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
capsule.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
cper-arm.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
cper-x86.c efi: Decode IA32/X64 Context Info structure 2018-05-14 08:57:48 +02:00
cper.c efi/cper: Fix endianness of PCIe class code 2019-10-07 15:24:35 +02:00
dev-path-parser.c bus_find_device: Unify the match callback with class_find_device 2019-06-24 05:22:31 +02:00
earlycon.c efi/x86: Convert x86 EFI earlyprintk into generic earlycon implementation 2019-02-04 08:27:30 +01:00
efi-bgrt.c efi/bgrt: Drop BGRT status field reserved bits check 2019-06-11 16:13:05 +02:00
efi-pstore.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
efi.c efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness 2019-10-31 09:40:18 +01:00
efibc.c efibc: Replace variable set function in notifier call 2019-06-22 10:24:57 +02:00
efivars.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
esrt.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
fake_mem.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
memattr.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
memmap.c efi/arm: Revert deferred unmap of early memmap mapping 2018-11-15 10:04:46 +01:00
rci2-table.c efi: Make unexported efi_rci2_sysfs_init() static 2019-10-07 15:24:36 +02:00
reboot.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
runtime-map.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00
runtime-wrappers.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 428 2019-06-05 17:37:16 +02:00
tpm.c efi/tpm: Return -EINVAL when determining tpm final events log size fails 2019-10-31 09:40:17 +01:00
vars.c efi: Replace GPL license boilerplate with SPDX headers 2019-02-04 08:27:25 +01:00