CONFIG_EFI_VARS exposes a lot of attack surface as it allows you to mess with EFI variables.
https://github.com/torvalds/linux/blob/master/drivers/firmware/efi/Kconfig
There have been cases of people bricking their computers by accidentally deleting EFI variables. An attacker might be able to do far more by writing specific things to them.
CLIP OS disables this.
https://github.com/clipos/src_platform_config-linux-hardware/blob/master/kernel_config/blacklist#L60
CONFIG_EFI_VARS also seems to be a legacy option replaced by efivarfs.
https://github.com/torvalds/linux/blob/master/fs/efivarfs/Kconfig
This may break some things and requires testing and more research.
https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/402
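Added example, not part of the forum post: a small POSIX shell audit that reads a kernel .config (a saved one, /boot/config-$(uname -r), or a decompressed /proc/config.gz) and reports whether the legacy CONFIG_EFI_VARS interface discussed above is built in, while checking that the efivarfs replacement (CONFIG_EFIVAR_FS) is still present. The sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a kernel .config for the legacy CONFIG_EFI_VARS interface and for the
# efivarfs replacement. Both =y and =m expose the legacy sysfs interface, so
# only "# CONFIG_EFI_VARS is not set" counts as hardened.

# Print the value of Kconfig symbol $2 in config file $1:
# "y", "m", "n" (explicitly "is not set"), or "" if the symbol is absent.
kconfig_value() {
    cfg="$1"; sym="$2"
    if grep -q "^# ${sym} is not set\$" "$cfg"; then
        echo n
        return 0
    fi
    # grep prints nothing when the symbol is absent; sed strips "SYM=".
    grep "^${sym}=" "$cfg" | sed "s/^${sym}=//" | head -n 1
}

# Audit one config file. Exit status: 0 = legacy interface off (hardened),
# 1 = legacy interface built in or as a module, 2 = symbol not mentioned.
audit_efi_vars() {
    cfg="$1"
    legacy=$(kconfig_value "$cfg" CONFIG_EFI_VARS)
    fs=$(kconfig_value "$cfg" CONFIG_EFIVAR_FS)
    case "$legacy" in
        y|m)
            echo "WARN: CONFIG_EFI_VARS=$legacy exposes the legacy /sys/firmware/efi/vars interface"
            [ "$fs" = y ] || [ "$fs" = m ] || echo "note: CONFIG_EFIVAR_FS is not enabled either"
            return 1 ;;
        n)
            echo "OK: CONFIG_EFI_VARS is not set (CONFIG_EFIVAR_FS: ${fs:-absent})"
            return 0 ;;
        *)
            echo "UNKNOWN: CONFIG_EFI_VARS not mentioned in $cfg"
            return 2 ;;
    esac
}

# Constructed sample configs so the script runs without a real kernel tree.
hardened_cfg=$(mktemp); weak_cfg=$(mktemp)
printf '%s\n' 'CONFIG_EFI=y' '# CONFIG_EFI_VARS is not set' 'CONFIG_EFIVAR_FS=y' > "$hardened_cfg"
printf '%s\n' 'CONFIG_EFI=y' 'CONFIG_EFI_VARS=m' 'CONFIG_EFIVAR_FS=y' > "$weak_cfg"
audit_efi_vars "$hardened_cfg"
audit_efi_vars "$weak_cfg" || true
rm -f "$hardened_cfg" "$weak_cfg"
```

On a running system, `audit_efi_vars /boot/config-$(uname -r)` checks the installed kernel; the WARN path is what a stock distribution kernel with CONFIG_EFI_VARS enabled produces.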