[Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot
Mauro Carvalho Chehab
mchehab+samsung at kernel.org
Fri Sep 7 19:53:50 UTC 2018
On Wed, 5 Sep 2018 15:34:04 -0500
Justin Forbes <jmforbes at linuxtx.org> wrote:
> On Wed, Sep 5, 2018 at 3:14 PM, David Howells <dhowells at redhat.com> wrote:
> > Justin Forbes <jmforbes at linuxtx.org> wrote:
> >
> >> Lockdown is a config option on its own, just also add a separate
> >> config option to enable lockdown on UEFI secure boot.
> >
> > The patchset has that already (CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT).
> >
> > One of the issues appears to be that we're making it boot-time conditional at
> > all. If I understand him correctly, Linus seems to want us to make everything
> > locked down at compile time or not at all.
> >
>
> The last push attempt dropped that patch and did have the compile time
> (CONFIG_LOCK_DOWN_MANDATORY) as well as an option for command line
> enabling with lockdown=1 (CONFIG_LOCK_DOWN_KERNEL). It just didn't
> have an option for triggering off of UEFI Secure Boot. As a distro,
> running CONFIG_LOCK_DOWN_MANDATORY isn't much of an option. We ran
> the 4.17 development series in rawhide with CONFIG_LOCK_DOWN_KERNEL,
> and no one noticed that their secure boot was off.
Heh, I actually had to turn secure boot off due to that :-)
(long story short, it was on an Intel 8th gen CPU with a Radeon GPU on it,
which required 4.17 + DRM for 4.18 in order to detect my 3 monitors,
so I had to build my own kernel, not signed by Red Hat).
Thanks,
Mauro
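As an added example (not part of the thread or the lockdown patchset), the following shell functions work out which of the three triggers named above would apply on a given machine: the lockdown=1 command line of CONFIG_LOCK_DOWN_KERNEL, the UEFI Secure Boot state of CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT, or neither (where only CONFIG_LOCK_DOWN_MANDATORY would lock down). It assumes the efivarfs layout of the SecureBoot variable (4 attribute bytes followed by a one-byte value) and the /proc/cmdline and /sys/firmware/efi/efivars paths, none of which the thread itself states.

```shell
#!/bin/sh
# Added example: classify the lockdown trigger from the boot command line and
# the UEFI SecureBoot variable. Inputs are passed as arguments so the logic can
# be exercised on constructed data without touching the live system.

# cmdline_has_lockdown "<kernel command line>"
# Returns 0 when the lockdown=1 parameter is present as a whole word.
cmdline_has_lockdown() {
    for word in $1; do
        [ "$word" = "lockdown=1" ] && return 0
    done
    return 1
}

# secureboot_enabled "<path to SecureBoot efivar file>"
# Assumption: efivarfs exposes 4 attribute bytes, then the variable data;
# a data byte of 1 means Secure Boot is enabled. Missing file => not enabled.
secureboot_enabled() {
    [ -r "$1" ] || return 1
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    [ "$byte" = "1" ]
}

# lockdown_reason "<kernel command line>" "<path to SecureBoot efivar file>"
# Prints which boot-time trigger would enable lockdown on this system.
lockdown_reason() {
    if cmdline_has_lockdown "$1"; then
        echo "cmdline"      # CONFIG_LOCK_DOWN_KERNEL honours lockdown=1
    elif secureboot_enabled "$2"; then
        echo "secureboot"   # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT trigger
    else
        echo "none"         # only CONFIG_LOCK_DOWN_MANDATORY would lock down
    fi
}

# Live-system usage (assumed paths; the GUID is the EFI global variable GUID):
# lockdown_reason "$(cat /proc/cmdline)" \
#   /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
```

Running the live-system call on a box like the one described above would print "none", which is exactly the "secure boot was off and nobody noticed" situation the thread mentions.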