linux/drivers/firmware
Javier Martinez Canillas 359efcc2c9 efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space to call EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users to call the EFI runtime services, instead of just relying on the
chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Matthew Garrett <mjg59@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-10-31 09:40:21 +01:00
..
arm_scmi firmware: arm_scmi: reset: fix reset_state assignment in scmi_domain_reset 2019-09-18 13:42:16 +01:00
broadcom firmware: bcm47xx_nvram: _really_ correct size_t printf format 2019-09-22 11:31:15 -07:00
efi efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN 2019-10-31 09:40:21 +01:00
google firmware: google: increment VPD key_len properly 2019-10-11 08:41:34 +02:00
imx firmware: imx: Add DSP IPC protocol interface 2019-08-12 15:19:25 +02:00
meson treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 446 2019-06-05 17:37:18 +02:00
psci PSCI: cpuidle: Refactor CPU suspend power_state parameter handling 2019-08-09 17:51:39 +01:00
tegra firmware: tegra: Changes for v5.3-rc1 2019-06-25 05:41:44 -07:00
xilinx firmware: xilinx: Add fpga API's 2019-04-15 10:22:51 +02:00
Kconfig Char/Misc driver patches for 5.4-rc1 2019-09-18 11:14:31 -07:00
Makefile Char/Misc driver patches for 5.4-rc1 2019-09-18 11:14:31 -07:00
arm_scpi.c firmware: arm_scpi: convert platform driver to use dev_groups 2019-08-02 13:18:42 +02:00
arm_sdei.c firmware: arm_sdei: Prohibit probing in '_sdei_handler' 2019-04-29 16:50:48 +01:00
dmi-id.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 191 2019-05-30 11:29:21 -07:00
dmi-sysfs.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
dmi_scan.c firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices 2019-10-14 21:41:24 +02:00
edd.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 287 2019-06-05 17:36:37 +02:00
iscsi_ibft.c Merge branch 'for-linus-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/ibft 2019-07-26 09:43:43 -07:00
iscsi_ibft_find.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 287 2019-06-05 17:36:37 +02:00
memmap.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 287 2019-06-05 17:36:37 +02:00
pcdp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pcdp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
qcom_scm-32.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 267 2019-06-05 17:30:29 +02:00
qcom_scm-64.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
qcom_scm.c firmware: qcom_scm: Cleanup code in qcom_scm_assign_mem() 2019-07-22 16:25:20 -07:00
qcom_scm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
qemu_fw_cfg.c media: headers: fix linux/mod_devicetable.h inclusions 2018-08-02 18:30:54 -04:00
raspberrypi.c firmware: raspberrypi: register clk device 2019-06-25 16:04:26 -07:00
scpi_pm_domain.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201 2019-05-30 11:29:52 -07:00
stratix10-rsu.c firmware: add Intel Stratix10 remote system update driver 2019-09-04 13:31:28 +02:00
stratix10-svc.c firmware: stratix10-svc: extend svc to support new RSU features 2019-09-04 13:31:28 +02:00
ti_sci.c firmware: ti_sci: Allow for device shared and exclusive requests 2019-09-04 20:44:33 +02:00
ti_sci.h ARM: SoC-related driver updates 2019-07-19 17:13:56 -07:00
trusted_foundations.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
turris-mox-rwtm.c firmware: Add Turris Mox rWTM firmware driver 2019-09-04 17:32:13 +02:00