[arch-general] efivars mounted read-write, but "operation not permitted, "

Ralf Mardorf silver.bullet at zoho.com
Wed Aug 3 20:25:22 UTC 2016

On Wed, 3 Aug 2016 22:21:23 +0200, Ralf Mardorf wrote:
>I have no knowledge about this domain, but perhaps they are immutable.
>[root at moonstudio tmp]# touch test
>[root at moonstudio tmp]# lsattr test 
>-------------e-- test
>[root at moonstudio tmp]# chattr +i test
>[root at moonstudio tmp]# lsattr test 
>----i--------e-- test
>[root at moonstudio tmp]# rm -f test
>rm: cannot remove 'test': Operation not permitted
>[root at moonstudio tmp]# chattr -i test
>[root at moonstudio tmp]# rm -f test
>[root at moonstudio tmp]# ls test 
>ls: cannot access 'test': No such file or directory
>Assumed they should be immutable, then there might be a reason for
>this ;).


"efivarfs - a (U)EFI variable filesystem

The efivarfs filesystem was created to address the shortcomings of
using entries in sysfs to maintain EFI variables. The old sysfs EFI
variables code only supported variables of up to 1024 bytes. This
limitation existed in version 0.99 of the EFI specification, but was
removed before any full releases. Since variables can now be larger
than a single page, sysfs isn't the best interface for this.

Variables can be created, deleted and modified with the efivarfs

efivarfs is typically mounted like this,

	mount -t efivarfs none /sys/firmware/efi/efivars

Due to the presence of numerous firmware bugs where removing
non-standard UEFI variables causes the system firmware to fail to POST,
efivarfs files that are not well-known standardized variables are
created as immutable files.  This doesn't prevent removal - "chattr -i"
will work - but it does prevent this kind of failure from being
accomplished accidentally." -
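
An added example, not part of the original post or of the kernel documentation: a small diagnostic that separates the two explanations raised in this thread for a failed write or delete under efivarfs, the mount mode versus the immutable flag. The function names, the sample data and the `VendorSetting` variable with its GUID are constructed for illustration.

```shell
#!/bin/sh
EFIVARS=/sys/firmware/efi/efivars

# Print rw, ro or unmounted for efivarfs, from /proc/mounts-format text on stdin.
efivarfs_mount_mode() {
    awk -v mp="$EFIVARS" '
        $3 == "efivarfs" && $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "ro" || opt[i] == "rw") mode = opt[i]
        }
        END { print (mode == "" ? "unmounted" : mode) }'
}

# Print the names of entries whose lsattr flag field contains a
# lowercase i (immutable); uppercase I is a different attribute.
immutable_entries() {
    while read -r flags name; do
        case "$flags" in *i*) printf '%s\n' "$name" ;; esac
    done
}

# Classify a failure on one variable.
# Arguments: variable path, /proc/mounts text, lsattr text.
diagnose_eperm() {
    mode=$(printf '%s\n' "$2" | efivarfs_mount_mode)
    if [ "$mode" != rw ]; then echo "mount:$mode"; return; fi
    if printf '%s\n' "$3" | immutable_entries | grep -Fxq -- "$1"; then
        echo "immutable"
    else
        echo "other"
    fi
}

# Constructed sample input, shaped like /proc/mounts and lsattr output.
SAMPLE_MOUNTS='efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_LSATTR="----i----------- $EFIVARS/VendorSetting-00000000-0000-0000-0000-000000000001
---------------- $EFIVARS/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# On a live system:
#   diagnose_eperm "$EFIVARS/<name>-<guid>" "$(cat /proc/mounts)" "$(lsattr "$EFIVARS")"
```

A result of `immutable` means the variable is one the kernel does not treat as well-known and standardized, which is the case the quoted documentation protects against accidental removal.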
