From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
To: Justin Forbes <jmforbes@linuxtx.org>
Cc: James.Bottomley@hansenpartnership.com,
Peter Jones <pjones@redhat.com>,
joeyli.kernel@gmail.com,
ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot
Date: Fri, 7 Sep 2018 16:53:50 -0300 [thread overview]
Message-ID: <20180907165350.44039a6a@coco.lan> (raw)
In-Reply-To: <CAFxkdAoiQMuzEq1Dv0=fO6uB2fLcc+0Wb+zuVvSFsAweROfhQQ@mail.gmail.com>
Em Wed, 5 Sep 2018 15:34:04 -0500
Justin Forbes <jmforbes@linuxtx.org> escreveu:
> On Wed, Sep 5, 2018 at 3:14 PM, David Howells <dhowells@redhat.com> wrote:
> > Justin Forbes <jmforbes@linuxtx.org> wrote:
> >
> >> Lockdown is a config option on it's own, just also add a separate
> >> config option option to enable lockdown on UEFI secure boot.
> >
> > The patchset has that already (CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT).
> >
> > One of the issues appears to be that we're making it boot-time conditional at
> > all. If I understand him correctly, Linus seems to want us to make everything
> > locked down at compile time or not at all.
> >
>
> The last push attempt dropped that patch and did have the compile time
> (CONFIG_LOCK_DOWN_MANDATORY) as well as an option for command line
> enabling with lockdown=1 (CONFIG_LOCK_DOWN_KERNEL). It just didn't
> have an option for triggering off of UEFI Secure Boot. As a distro,
> running CONFIG_LOCK_DOWN_MANDATORY isn't much of an option. We ran
> the 4.17 development series in rawhide with CONFIG_LOCK_DOWN_KERNEL,
> and no one noticed that their secure boot was off.
Heh, I actually had to turn secure boot off due to that :-)
(long story short, it was on an Intel 8 gen CPU with Radeon GPU on it,
with required 4.17 + DRM for 4.18 in order to detect my 3 monitors,
so I had to build my own kernel, not signed by Red Hat).
Thanks,
Mauro
prev parent reply other threads:[~2018-09-07 19:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-05 16:53 [Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot David Howells
2018-09-05 19:33 ` Jiri Kosina
2018-09-05 19:51 ` Justin Forbes
2018-09-05 20:14 ` David Howells
2018-09-05 20:34 ` Justin Forbes
2018-09-05 20:53 ` Andy Lutomirski
2018-09-05 21:01 ` Justin Forbes
2018-09-06 6:53 ` joeyli
2018-09-06 10:00 ` Jani Nikula
2018-09-06 10:05 ` David Howells
2018-09-06 10:21 ` Jani Nikula
2018-09-07 19:53 ` Mauro Carvalho Chehab [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180907165350.44039a6a@coco.lan \
--to=mchehab+samsung@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=jmforbes@linuxtx.org \
--cc=joeyli.kernel@gmail.com \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=pjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.