Test disabling EFI_VARS in hardened-host-kernel

phabricator-migrator · February 19, 2024, 5:20pm

Information

ID: 967
PHID: PHID-TASK-nntpe3vv5b3l2moddb4u
Author: madaidan
Status at Migration Time: open
Priority at Migration Time: Normal

Description

CONFIG_EFI_VARS exposes a lot of attack surface as it allows you to mess with EFI variables.

github.com

torvalds/linux/blob/master/drivers/firmware/efi/Kconfig

# SPDX-License-Identifier: GPL-2.0-only
menu "EFI (Extensible Firmware Interface) Support"
	depends on EFI

config EFI_ESRT
	bool
	depends on EFI
	default y

config EFI_VARS_PSTORE
	tristate "Register efivars backend for pstore"
	depends on PSTORE
	select UCS2_STRING
	default y
	help
	  Say Y here to enable use efivars as a backend to pstore. This
	  will allow writing console messages, crash dumps, or anything
	  else supported by pstore to EFI variables.

config EFI_VARS_PSTORE_DEFAULT_DISABLE

This file has been truncated. show original

There have been cases of people bricking their computers by accidentally deleting EFI variables. An attacker might be able to do far more by writing specific things to them.

CLIP OS disables this.

github.com

clipos/src_platform_config-linux-hardware/blob/master/kernel_config/blacklist#L60


      
          CONFIG_PROC_VMCORE
          CONFIG_HWPOISON_INJECT
          CONFIG_PROC_PAGE_MONITOR
          CONFIG_USELIB
          CONFIG_CHECKPOINT_RESTORE
          CONFIG_USERFAULTFD
          CONFIG_MEM_SOFT_DIRTY
          CONFIG_LIVEPATCH
          CONFIG_IP_DCCP
          CONFIG_IP_SCTP
          CONFIG_FTRACE
          CONFIG_PROFILING
          CONFIG_NOTIFIER_ERROR_INJECTION
          CONFIG_EFI_VARS
          CONFIG_EFI_CUSTOM_SSDT_OVERLAYS
          CONFIG_DRM_FBDEV_LEAK_PHYS_SMEM
          CONFIG_DRM_LEGACY
          CONFIG_UEVENT_HELPER
          CONFIG_UEVENT_HELPER_PATH
          CONFIG_PCI_P2PDMA
          CONFIG_LDISC_AUTOLOAD

CONFIG_EFI_VARS also seems to be a legacy option replaced by efivarfs.

github.com

torvalds/linux/blob/master/fs/efivarfs/Kconfig

# SPDX-License-Identifier: GPL-2.0-only
config EFIVAR_FS
	tristate "EFI Variable filesystem"
	depends on EFI
	default m
	help
	  efivarfs is a replacement filesystem for the old EFI
	  variable support via sysfs, as it doesn't suffer from the
	  same 1024-byte variable size limit.

	  To compile this file system support as a module, choose M
	  here. The module will be called efivarfs.

	  If unsure, say N.

This may break some things and requires testing and more research.

Test disabling EFI_VARS in hardened-host-kernel

Information

Description

Comments