commit 3f5e3bdbb45bc2cd9ae95972420eb11b0340f120
Author: Matthew Garrett <mjg59@coreos.com>
Date: Mon Feb 1 13:31:00 2016 +1100
Block most UEFI variable deletions
Some systems appear to become upset if certain UEFI non-volatile variables
are deleted, to the point of no longer POSTing successfully. For a short-term
fix, let's just block deletion of most variables while we figure out a
better approach.
Signed-off-by: Matthew Garrett <mjg59@coreos.com>
diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c
index 70a0fb1..77b4327 100644
--- a/drivers/firmware/efi/vars.c
+++ b/drivers/firmware/efi/vars.c
@@ -532,6 +532,37 @@ int efivar_entry_delete(struct efivar_entry *entry)
{
const struct efivar_operations *ops = __efivars->ops;
efi_status_t status;
+ efi_guid_t global_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
+ int i;
+ u16 *unicode_name = entry->var.VariableName;
+
+ /* Block deletion of any non-spec variables */
+ if (memcmp(&global_variable_guid, &entry->var.VendorGuid,
+ sizeof(efi_guid_t)) != 0)
+ return -EPERM;
+
+ /*
+ * Don't permit deletion of the majority of spec-defined variables.
+ * We just re-use the list of variables that we have validation code
+ * for - wildcards are ignored in this case, so deleting boot and
+ * device entries is still permitted.
+ */
+ for (i = 0; variable_validate[i].validate != NULL; i++) {
+ const char *name = variable_validate[i].name;
+ int match;
+
+ for (match = 0; ; match++) {
+ char c = name[match];
+ u16 u = unicode_name[match];
+
+ if (c != u)
+ break;
+
+ /* Reached the end of the string while matching */
+ if (!c && !u)
+ return -EPERM;
+ }
+ }
spin_lock_irq(&__efivars->lock);
status = ops->set_variable(entry->var.VariableName,
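Review bot: The GUID test at the top of the added block (`if (memcmp(&global_variable_guid, &entry->var.VendorGuid, ...) != 0) return -EPERM;`) refuses deletion of every variable outside EFI_GLOBAL_VARIABLE_GUID, which includes variables the OS or userspace created under their own vendor GUID, so those can no longer be removed through efivar_entry_delete() either. If that is intended for the short-term fix, the comment should say so instead of "non-spec variables", and the commit message should mention the user-visible -EPERM. The name-matching loop compares a `char` from variable_validate[i].name with a `u16` from unicode_name, which works only while the table names are plain ASCII; moving it into a small helper with a comment stating that assumption would make it easier to read and reuse. The outer loop also stops only on `variable_validate[i].validate != NULL`, so it depends on the table ending with an entry whose validate pointer is NULL; a short comment noting that dependency would help, since this function now shares the table with the validation code.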