Make efivars mount RO RW configurable #238
Comments
|
Perhaps this default can be changed instead of making a knob. It's not necessary anymore since the kernel makes efivarfs immutable. Tools that need to write to it (such as fwupdate and efibootmgr) will modify immutable bit as necessary. |
|
Which kernel version is the first to make it immutable? |
|
4.5-rc5 |
|
4.4 is still an lts kernel, so I don't think I can safely change the default. |
|
I'm adding a reference, for completeness, to the issue where this was originally set up, #134. |
|
What I am willing to do is consider honoring fstab, so if you want different mount options for efivarfs you can set them there. Then, once 4.4 goes EOL, I would change the default mount options for it. |
|
Waiting for 4.4 to go EOL can be a long wait. a config option/USE flag would be much better |
|
I think this should be taken very carefully. Debian 8, RHEL 7, Cent OS 7, etc are all based on 3.x kernels and those distro releases are not EOL yet. In my case our laboratory in the university has a Debian 8 server and a Cent OS 7 server running on 3.x kernels. In these cases efivars should still be mounted as RO. Not to mention that for example Cent OS 7 has its EOL for maintenance updates on June 30th, 2024... that means that potentially 3.x kernels will still be in use for another 5 years. I am in agreement with OpenRC honoring fstab for this, that way at least I don't have to worry about those servers getting borked accidentally. |
|
fstab is too clumsy, here we have the same fstab for both UEFI and non UEFI machines. |
|
BTW, on your old 3.x machines you could add an efivars RO mount in your fstab instead. |
|
I run OpenRC on the Debian server, but not on the Cent OS server. Getting Debian 8 to use OpenRC was very easy considering that they have sysvinit scripts that run with OpenRC just fine. However Cent OS 7 only has systemd units which meant that I would have had to install all init scripts by hand which it was decided was not worth it since it is just a gateway server and nothing more. I also use OpenRC on all of my personal machines in various distros(Arch Linux, Artix Linux, Debian, and Cromnix). So it is definitely getting more use outside of Gentoo now and the list of distros running OpenRC by default is growing. |
|
Why not just detect the kernel version and decide from that what to do? |
|
I would expect that distros using older kernels would backport a patch to make efivarfs safe to use. It's not OpenRC's responsibility to detect that. If Gentoo is supporting 4.4 kernels, they should backport the patch as well. |
|
In fact, the 4.4 stable series already has the efivarfs immutable change applied. |
|
3.16.y also has this backported. |
|
All supported kernels listed on kernel.org have the patch to make efivarfs immutable, so it looks like we are safe to make efivarfs rw. |
ATM efivars is unconditionally mounted RO, users/admin has no say about that.
Could openrc add a config knob so admins can change mount to RW?
The text was updated successfully, but these errors were encountered: