[Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot

David Howells dhowells at redhat.com
Wed Sep 5 20:14:54 UTC 2018


Justin Forbes <jmforbes at linuxtx.org> wrote:

> Lockdown is a config option on its own, just also add a separate
> config option to enable lockdown on UEFI secure boot.

The patchset has that already (CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT).

One of the issues appears to be that we're making it boot-time conditional at
all.  If I understand him correctly, Linus seems to want us to make everything
locked down at compile time or not at all.

David

