fstab: add switch to enable/disable efivarfs mount

Don't use noefi kernel parameter here as we want to switch on the fly
2022-08-21 15:47:03 +07:00 · 2022-08-21 15:47:03 +07:00 · 4dcca81110
parent 90ba790ee7
commit 4dcca81110
2 changed files with 22 additions and 0 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -16,6 +16,9 @@ additional_kernel_parameters:
  - page_alloc.shuffle=1
  - lockdown=integrity

+# Disable access to /sys/firmware/efi/efivars
+disable_uefi_access: true
+
 # 'seatd' or 'elogind'
 seat_manager: seatd

--- a/roles/fstab/tasks/main.yml
+++ b/roles/fstab/tasks/main.yml
@ -36,3 +36,22 @@
        state: present
  vars:
    proc_group: '{{ use_polkit | ternary("polkitd", "wheel") }}'
+
+- name: fstab | Disable UEFI variable access
+  mount:
+    src: efivarfs
+    path: /sys/firmware/efi/efivars
+    fstype: efivars
+    opts: ro,nosuid,nodev,noexec
+    state: present
+  when: disable_uefi_access
+
+- name: fstab | Allow UEFI variable access
+  lineinfile:
+    path: /etc/fstab
+    search_string: /sys/firmware/efi/efivars
+    state: absent
+    owner: root
+    group: root
+    mode: 0644
+  when: not disable_uefi_access