Page MenuHomePhabricator

Test disabling EFI_VARS in hardened-host-kernel
Open, NormalPublic

Description

CONFIG_EFI_VARS exposes a lot of attack surface as it allows you to mess with EFI variables.

https://github.com/torvalds/linux/blob/master/drivers/firmware/efi/Kconfig

There have been cases of people bricking their computers by accidentally deleting EFI variables. An attacker might be able to do far more by writing specific things to them.

CLIP OS disables this.

https://github.com/clipos/src_platform_config-linux-hardware/blob/master/kernel_config/blacklist#L60

CONFIG_EFI_VARS also seems to be a legacy option replaced by efivarfs.

https://github.com/torvalds/linux/blob/master/fs/efivarfs/Kconfig

This may break some things and requires testing and more research.

https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/402

Details

Impact
Normal

Event Timeline

madaidan triaged this task as Normal priority.Mon, Mar 2, 6:19 PM
madaidan created this task.