KBArch LinuxPatch EFI Security Hole
Public · no sign-in needed
Arch Linux

Patch EFI Security Hole

In /etc/fstab locate EFI partition:

UUID=XXX-XXX   /boot   vfat   ...

Replace with:

UUID=XXX-XXX   /boot   vfat   rw,relatime,umask=0077,utf8,errors=remount-ro   0 2

Added:

  • umask=0077 : Makes EFI readable/writable only by ROOT

Removed:

  • fmask=0022 : A
  • dmask=0022 : A
  • codepage=437 : Legacy DOS character set; only useful if using non-ASCII chars on ESP
  • iocharset=ascii : Defines how to interpret non-ASCII filenames; redundant
  • shortname=mixed : Redundant

Reload:

sudo mount -o remount /boot