Peter Jones of Red Hat has submitted a patch to the Linux-EFI mailing list, which helps with the recent systemd attack against Linux’s EFI. Patchset email excerpted below:
Preventing “rm -rf /sys/firmware/efi/efivars/” from damage
Here’s a patchset to make all the variables in efivarfs that aren’t well known to be reasonably safe to delete be immutable by default. This should alleviate the danger of somebody accidentally using “rm” to remove some proprietary file that turns out to be important to the platform, which for some reason it also can’t regenerate during POST. In all cases this is just preventing the user from accidentally triggering a major security problem with their underlying firmware, but stopping accidents isn’t a bad thing. These firmwares still need CVEs and updates to fix them. Maybe using ESRT and fwupd 🙂
For more information, see the linux-efi mailing list archives.
https://firmwaresecurity.com/2016/01/29/systemd-uefi-and-efivarfs-bricking-concerns/
Firmware Security 