On Thu, Aug 17, 2017 at 10:29 AM, Peter Humphrey <pe...@prh.myzen.co.uk> wrote:
> On Tuesday 15 August 2017 22:12:41 Mick wrote:
>> On Tuesday 15 Aug 2017 16:02:19 Mike Gilbert wrote:
>> > On Tue, Aug 15, 2017 at 2:17 PM, Rich Freeman <ri...@gentoo.org> wrote:
>> > > On Tue, Aug 15, 2017 at 11:04 AM, Mick <michaelkintz...@gmail.com> wrote:
>> > >> I can't recall if I did this myself in a moment of security-induced
>> > >> inspiration. I doubt I did. So how did this happen? What is
>> > >> responsible for mounting this fs?
>> > >
>> > > It looks like this never did turn into a news item:
>> > > https://archives.gentoo.org/gentoo-dev/message/35304b0db4de9e06fea322275379fa81
>> > >
>> > > You can remount it as rw if your tools don't do it automatically. It
>> > > might not hurt to file a bug if one doesn't already exist for the tool
>> > > that isn't remounting it.
>> >
>> > Please bother efibootmgr upstream about it, or bother the OpenRC
>> > maintainer who decided to break things.
>>
>> Thank you Rich, I suspected it was an intentional change and from a
>> security perspective it is to be commended. However, it could cause
>> uninformed users like myself some lost time, thinking something may have
>> gone wrong on our system.
>>
>> I submitted bug #627964:
>>
>> https://bugs.gentoo.org/show_bug.cgi?id=627964
>>
>> I think a news item, although useful, on its own is not sufficient. If
>> remounting 'rw' and back again to 'ro' is not performed by the legit
>> commands which touch efivars (e.g. efibootmgr, GRUB, et al), the Handbook
>> should also be amended if it hasn't been already, because newbies will
>> have one more excuse to pack it in and go back to *buntu.
>
> That was an instructive conversation - thanks all. I had the same problem
> with systemd-boot while rebuilding this box over the last few days. I don't
> know whether to raise a similar bug against systemd-boot now, after reading
> your bug report, Mick.
Given that systemd-boot is ripped out of systemd, and systemd always mounts efivarfs as read/write, there is really no chance of them altering bootctl to re-mount efivarfs on demand. Reporting a bug against systemd-boot would probably be a waste of your time since I will almost certainly close it as WONTFIX. ;-)
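One way to do the remount-rw-then-back-to-ro step Mick describes for tools that don't do it themselves, as an added example that is not a script from this thread, from OpenRC, or from any of the tools named; it assumes the standard kernel mount point /sys/firmware/efi/efivars and must be run as root:

```shell
#!/bin/sh
# Added example (not from the thread): keep efivarfs read-only by default, as
# OpenRC now mounts it, and open it read-write only for the duration of a
# single command that legitimately needs to write EFI variables.

EFIVARS_MNT=/sys/firmware/efi/efivars

# efivarfs_mode [MOUNTS_FILE]: print "ro", "rw" or "absent" for the efivarfs
# entry in a /proc/mounts-style file (defaults to the live /proc/mounts).
efivarfs_mode() {
    mounts_file=${1:-/proc/mounts}
    awk -v mnt="$EFIVARS_MNT" '
        $2 == mnt && $3 == "efivarfs" {
            split($4, opts, ",")
            mode = "rw"
            for (i in opts) if (opts[i] == "ro") mode = "ro"
            print mode; found = 1; exit
        }
        END { if (!found) print "absent" }
    ' "$mounts_file"
}

# with_rw_efivars CMD [ARGS...]: remount rw, run CMD, then remount ro again
# even if CMD fails or the script is interrupted.
with_rw_efivars() {
    case $(efivarfs_mode) in
        ro)
            mount -o remount,rw "$EFIVARS_MNT" || return 1
            trap 'mount -o remount,ro "$EFIVARS_MNT"' EXIT INT TERM
            "$@"; rc=$?
            mount -o remount,ro "$EFIVARS_MNT"
            trap - EXIT INT TERM
            return $rc
            ;;
        rw)
            # Already writable (e.g. a systemd host): just run the command.
            "$@"
            ;;
        absent)
            echo "efivarfs is not mounted at $EFIVARS_MNT" >&2
            return 1
            ;;
    esac
}

# Usage: with_rw_efivars efibootmgr -c -d /dev/sda -p 1 -L Gentoo -l '\EFI\gentoo\grubx64.efi'
```

Running the check against a constructed mounts file first (`efivarfs_mode /path/to/file`) is a cheap way to confirm the parser before relying on it for the live remount.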