On Thursday 17 Aug 2017 11:25:04 Mike Gilbert wrote:
> On Thu, Aug 17, 2017 at 10:29 AM, Peter Humphrey <pe...@prh.myzen.co.uk> wrote:
> > On Tuesday 15 August 2017 22:12:41 Mick wrote:
> >> On Tuesday 15 Aug 2017 16:02:19 Mike Gilbert wrote:
> >> > On Tue, Aug 15, 2017 at 2:17 PM, Rich Freeman <ri...@gentoo.org> wrote:
> >> > > On Tue, Aug 15, 2017 at 11:04 AM, Mick <michaelkintz...@gmail.com> wrote:
> >> > >> I can't recall if I did this myself in a moment of security induced
> >> > >> inspiration.  I doubt I did.  So how did this happen?  What is
> >> > >> responsible for mounting this fs?
> >> > > 
> >> > > It looks like this never did turn into a news item:
> >> > > https://archives.gentoo.org/gentoo-dev/message/35304b0db4de9e06fea322275379fa81
> >> > > 
> >> > > You can remount it as rw if your tools don't do it automatically.  It
> >> > > might not hurt to file a bug if one doesn't already exist for the
> >> > > tool that isn't remounting it.
> >> > 
> >> > Please bother efibootmgr upstream about it, or bother the OpenRC
> >> > maintainer who decided to break things.
> >> 
> >> Thank you Rich, I suspected it was an intentional change and from a
> >> security perspective it is to be commended.  However, it could cause
> >> uninformed users like myself some lost time, thinking something may have
> >> gone wrong on our system.
> >> 
> >> I submitted bug #627964:
> >> 
> >> https://bugs.gentoo.org/show_bug.cgi?id=627964
> >> 
> >> I think a news item, although useful, on its own is not sufficient.  If
> >> remounting 'rw' and back again to 'ro' is not performed by the legit
> >> commands which touch efivars (e.g. efibootmgr, GRUB, et al), the HandBook
> >> should also be amended if it hasn't been already, because newbies will
> >> have one more excuse to pack it in and go back to *buntu.
> > 
> > That was an instructive conversation - thanks all. I had the same problem
> > with systemd-boot while rebuilding this box over the last few days. I don't
> > know whether to raise a similar bug against systemd-boot now, after
> > reading your bug report, Mick.
> 
> Given that systemd-boot is ripped out of systemd, and systemd always
> mounts efivarfs as read/write, there is really no chance of them
> altering bootctl to re-mount efivarfs on demand.
> 
> Reporting a bug against systemd-boot would probably be a waste of your
> time since I will almost certainly close it as WONTFIX. ;-)

TBH once the user/sysadmin knows the cause of the problem is that efivarfs is 
mounted as 'ro', it is one simple step to remount it as 'rw' before executing 
successfully whichever boot manager command is desired.  The main problem is 
that having been accustomed to boot managers functioning without this 
additional step for the last 4-5 years, some users will be wondering what is 
suddenly wrong with their system.  It is for this reason I suggested that a 
portage news item wouldn't go amiss, since OpenRC is a cornerstone of the 
Gentoo system and its impacts can be significant.

Although I proposed it as an option, I am not sure if each and every boot 
manager software should be scripted to automatically detect if the efivarfs is 
mounted as 'ro' and remount 'rw'/execute/remount 'ro' on its own and without 
user confirmation.  I think it should not do so without requiring user input, 
if only to make sure the protection of mounting efivarfs as 'ro' is retained.
-- 
Regards,
Mick
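As an added illustration of the wrapper approach Mick describes (remount 'rw' only after the user confirms, run the boot-manager command, remount 'ro' again), here is a small POSIX sh script. It is example code written for this page, not part of the thread, OpenRC, efibootmgr or systemd-boot. It assumes efivarfs is mounted at the kernel's standard location /sys/firmware/efi/efivars and that the script runs as root; the script name efivars-wrap.sh and the sample mount tables are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check how efivarfs is mounted, ask
# before remounting it read-write, run one boot-manager command, then put
# the read-only mount back regardless of the command's exit status.

# Standard kernel mount point for efivarfs (assumption: not a different path).
EFIVARS=/sys/firmware/efi/efivars

# efivarfs_state: read a mounts table in the format of /proc/self/mounts on
# stdin and print "ro", "rw", "unknown" or "absent" for the efivarfs entry.
efivarfs_state() {
    while read -r _dev _mnt fstype opts _rest; do
        [ "$fstype" = efivarfs ] || continue
        # The kernel lists ro or rw first, but scan the whole option list anyway.
        case ",$opts," in
            *,ro,*) echo ro ;;
            *,rw,*) echo rw ;;
            *)      echo unknown ;;
        esac
        return 0
    done
    echo absent
}

# Constructed sample mount tables so the state check can be exercised on a
# machine without EFI (these are not real captures).
sample_mounts_ro() {
    printf '%s\n' \
        'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' \
        'efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0'
}
sample_mounts_rw() {
    printf '%s\n' \
        'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' \
        'efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0'
}

# run_with_efivars_rw CMD [ARG...]: remount read-write only after the user
# says yes, run CMD, then remount read-only even if CMD failed.
run_with_efivars_rw() {
    state=$(efivarfs_state < /proc/self/mounts)
    case $state in
        absent)  echo "efivarfs is not mounted at $EFIVARS" >&2; return 1 ;;
        unknown) echo "cannot determine how $EFIVARS is mounted" >&2; return 1 ;;
        rw)      "$@"; return $? ;;   # already writable (e.g. under systemd)
    esac
    printf 'efivarfs is mounted read-only. Remount read-write to run "%s"? [y/N] ' "$*"
    read -r answer
    case $answer in
        y|Y|yes) ;;
        *) echo "Aborted; $EFIVARS left read-only." >&2; return 1 ;;
    esac
    mount -o remount,rw "$EFIVARS" || return 1
    "$@"; rc=$?
    mount -o remount,ro "$EFIVARS" \
        || echo "warning: could not remount $EFIVARS read-only" >&2
    return $rc
}

# Usage (as root on an EFI system):  ./efivars-wrap.sh efibootmgr -v
if [ $# -gt 0 ]; then
    run_with_efivars_rw "$@"
fi
```

The confirmation prompt is the point of the design: the wrapper keeps the protection OpenRC adds by mounting efivarfs read-only, and the window in which the variables are writable lasts only for the one command the user approved.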
