[arch-general] efivars mounted read-write, but "operation not permitted"

Hi All,

This is admittedly more about Linux in general than Arch specifically, but I’m wondering if anybody has insight into why I can’t delete EFI variables when efivarfs is mounted read-write. For anybody interested, I am wanting to remove the default boot entry created by systemd-boot, but receive an “Operation not permitted” message when trying to do so, even as root.

Any insight would be appreciated. Thanks much,
Zack.
On 3 August 2016 at 22:03, Zachary Kline <zkline@speedpost.net> wrote:
Hi All,
This is admittedly more about Linux in general than Arch specifically, but I’m wondering if anybody has insight into why I can’t delete EFI variables when efivarfs is mounted read-write. For anybody interested, I am wanting to remove the default boot entry created by systemd-boot, but receive an “Operation not permitted” message when trying to do so, even as root.

try efibootmgr

-- damjan
I have no knowledge about this domain, but perhaps they are immutable.

[root@moonstudio tmp]# touch test
[root@moonstudio tmp]# lsattr test
-------------e-- test
[root@moonstudio tmp]# chattr +i test
[root@moonstudio tmp]# lsattr test
----i--------e-- test
[root@moonstudio tmp]# rm -f test
rm: cannot remove 'test': Operation not permitted
[root@moonstudio tmp]# chattr -i test
[root@moonstudio tmp]# rm -f test
[root@moonstudio tmp]# ls test
ls: cannot access 'test': No such file or directory

*?*

Assumed they should be immutable, then there might be a reason for this ;).
On Wed, 3 Aug 2016 22:21:23 +0200, Ralf Mardorf wrote:
I have no knowledge about this domain, but perhaps they are immutable.
[root@moonstudio tmp]# touch test
[root@moonstudio tmp]# lsattr test
-------------e-- test
[root@moonstudio tmp]# chattr +i test
[root@moonstudio tmp]# lsattr test
----i--------e-- test
[root@moonstudio tmp]# rm -f test
rm: cannot remove 'test': Operation not permitted
[root@moonstudio tmp]# chattr -i test
[root@moonstudio tmp]# rm -f test
[root@moonstudio tmp]# ls test
ls: cannot access 'test': No such file or directory
*?*
Assumed they should be immutable, then there might be a reason for this ;).
Bingo!

"efivarfs - a (U)EFI variable filesystem

The efivarfs filesystem was created to address the shortcomings of using entries in sysfs to maintain EFI variables. The old sysfs EFI variables code only supported variables of up to 1024 bytes. This limitation existed in version 0.99 of the EFI specification, but was removed before any full releases. Since variables can now be larger than a single page, sysfs isn't the best interface for this.

Variables can be created, deleted and modified with the efivarfs filesystem.

efivarfs is typically mounted like this,

mount -t efivarfs none /sys/firmware/efi/efivars

Due to the presence of numerous firmware bugs where removing non-standard UEFI variables causes the system firmware to fail to POST, efivarfs files that are not well-known standardized variables are created as immutable files. This doesn't prevent removal - "chattr -i" will work - but it does prevent this kind of failure from being accomplished accidentally."

- https://www.kernel.org/doc/Documentation/filesystems/efivarfs.txt
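As an added example (not code from the thread or from the kernel documentation quoted above), a small POSIX shell audit that applies the efivarfs rule just quoted to lsattr output: it reports which entries carry the immutable bit that produces "Operation not permitted" on rm, and whether each sits under the standard EFI_GLOBAL_VARIABLE GUID (8be4df61-93ca-11d2-aa0d-00e098032b8c, the GUID of BootOrder and Boot#### in the UEFI specification). The function names and the sample lsattr lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit lsattr output of /sys/firmware/efi/efivars
# and report which entries carry the immutable bit ('i') that makes rm fail with
# "Operation not permitted", and which sit under the standard EFI global-variable GUID.

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification (BootOrder, Boot####, ...).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# is_immutable ATTRS: succeed when the lsattr flag string contains the lowercase 'i' flag
is_immutable() {
    case "$1" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# classify_var NAME ATTRS: efivarfs names are <VarName>-<GUID>; take the trailing 36-char
# GUID and print one of standard-mutable, standard-immutable, other-mutable, other-immutable
classify_var() {
    guid=$(printf '%s' "$1" | tail -c 36)
    if [ "$guid" = "$EFI_GLOBAL_GUID" ]; then kind=standard; else kind=other; fi
    if is_immutable "$2"; then state=immutable; else state=mutable; fi
    printf '%s-%s\n' "$kind" "$state"
}

# audit_efivars: read "ATTRS NAME" lines (the lsattr format) on stdin and print
# "NAME CLASS" for each, so immutable entries can be reviewed before any chattr -i
audit_efivars() {
    while read -r attrs name; do
        [ -n "$name" ] || continue
        printf '%s %s\n' "$name" "$(classify_var "$name" "$attrs")"
    done
}

# Constructed sample lsattr output (not captured from a real machine): two standard boot
# variables the kernel leaves mutable and one vendor variable it created as immutable.
SAMPLE_LSATTR='-------------e-- Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c
-------------e-- BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c
----i--------e-- VendorSetting-01234567-89ab-cdef-0123-456789abcdef'

# To audit a live system instead: lsattr /sys/firmware/efi/efivars/* | audit_efivars
printf '%s\n' "$SAMPLE_LSATTR" | audit_efivars
```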
Are you trying to delete the 'nvram' file on the EFI partition directly, or are you trying to delete /sys/firmware/efi*? I think it would be safer to use 'efibootmgr' instead of manually deleting the 'efivar' or 'nvram' file.
On Wed, 3 Aug 2016 13:03:41 -0700 Zachary Kline <zkline@speedpost.net> wrote:
Hi All,
This is admittedly more about Linux in general than Arch specifically, but I’m wondering if anybody has insight into why I can’t delete EFI variables when efivarfs is mounted read-write. For anybody interested, I am wanting to remove the default boot entry created by systemd-boot, but receive an “Operation not permitted” message when trying to do so, even as root.
Any insight would be appreciated. Thanks much, Zack.
I remember there were some kernel patches that went in a few months ago. Brief summary of what happened:

* Someone ran 'rm -rf /' on his system to wipe it. It was hard bricked, not even able to POST. [0] (You need an Arch BBS account to view that thread.)
* All Hell broke loose. Tech blogs had a field day. [1] A bug was filed in systemd [2]. For some reason beyond me, systemd requires that efivars be mounted read-write. (Probably bad design)
* A kernel patch was submitted to try to protect efivars somewhat [3]. I think you are seeing the direct consequence of this patch.

--Kyle

[0]: https://bbs.archlinux.org/viewtopic.php?id=207549
[1]: https://www.phoronix.com/scan.php?page=news_item&px=UEFI-rm-root-directory
[2]: https://github.com/systemd/systemd/issues/2402
[3]: https://gist.github.com/mjg59/8d9d494da56fbe6d8992

--
The computer can't tell you the emotional story. It can give you the exact mathematical design, but what's missing is the eyebrows. - Frank Zappa
participants (5)
- Alive 4ever
- Damjan Georgievski
- Kyle Terrien
- Ralf Mardorf
- Zachary Kline