[Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot

Mauro Carvalho Chehab mchehab+samsung at kernel.org
Fri Sep 7 19:53:50 UTC 2018


On Wed, 5 Sep 2018 15:34:04 -0500
Justin Forbes <jmforbes at linuxtx.org> wrote:

> On Wed, Sep 5, 2018 at 3:14 PM, David Howells <dhowells at redhat.com> wrote:
> > Justin Forbes <jmforbes at linuxtx.org> wrote:
> >  
> >> Lockdown is a config option on its own, just also add a separate
> >> config option to enable lockdown on UEFI secure boot.  
> >
> > The patchset has that already (CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT).
> >
> > One of the issues appears to be that we're making it boot-time conditional at
> > all.  If I understand him correctly, Linus seems to want us to make everything
> > locked down at compile time or not at all.
> >  
> 
> The last push attempt dropped that patch and did have the compile time
> (CONFIG_LOCK_DOWN_MANDATORY) as well as an option for command line
> enabling with lockdown=1 (CONFIG_LOCK_DOWN_KERNEL).  It just didn't
> have an option for triggering off of UEFI Secure Boot. As a distro,
> running CONFIG_LOCK_DOWN_MANDATORY isn't much of an option. We ran
> the 4.17 development series in rawhide with CONFIG_LOCK_DOWN_KERNEL,
> and no one noticed that their secure boot was off.  

Heh, I actually had to turn secure boot off due to that :-)

(Long story short: it was on an Intel 8th gen CPU with a Radeon GPU,
which required 4.17 plus the DRM code from 4.18 in order to detect my 3 monitors,
so I had to build my own kernel, which was not signed by Red Hat.)

Thanks,
Mauro


More information about the Ksummit-discuss mailing list