From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
To: Justin Forbes <jmforbes@linuxtx.org>
Cc: James.Bottomley@hansenpartnership.com,
Peter Jones <pjones@redhat.com>,
joeyli.kernel@gmail.com,
ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot
Date: Fri, 7 Sep 2018 16:53:50 -0300 [thread overview]
Message-ID: <20180907165350.44039a6a@coco.lan> (raw)
In-Reply-To: <CAFxkdAoiQMuzEq1Dv0=fO6uB2fLcc+0Wb+zuVvSFsAweROfhQQ@mail.gmail.com>
Em Wed, 5 Sep 2018 15:34:04 -0500
Justin Forbes <jmforbes@linuxtx.org> escreveu:
> On Wed, Sep 5, 2018 at 3:14 PM, David Howells <dhowells@redhat.com> wrote:
> > Justin Forbes <jmforbes@linuxtx.org> wrote:
> >
> >> Lockdown is a config option on it's own, just also add a separate
> >> config option option to enable lockdown on UEFI secure boot.
> >
> > The patchset has that already (CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT).
> >
> > One of the issues appears to be that we're making it boot-time conditional at
> > all. If I understand him correctly, Linus seems to want us to make everything
> > locked down at compile time or not at all.
> >
>
> The last push attempt dropped that patch and did have the compile time
> (CONFIG_LOCK_DOWN_MANDATORY) as well as an option for command line
> enabling with lockdown=1 (CONFIG_LOCK_DOWN_KERNEL). It just didn't
> have an option for triggering off of UEFI Secure Boot. As a distro,
> running CONFIG_LOCK_DOWN_MANDATORY isn't much of an option. We ran
> the 4.17 development series in rawhide with CONFIG_LOCK_DOWN_KERNEL,
> and no one noticed that their secure boot was off.
Heh, I actually had to turn secure boot off due to that :-)
(long story short, it was on an Intel 8 gen CPU with Radeon GPU on it,
with required 4.17 + DRM for 4.18 in order to detect my 3 monitors,
so I had to build my own kernel, not signed by Red Hat).
Thanks,
Mauro
prev parent reply other threads:[~2018-09-07 19:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-05 16:53 [Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot David Howells
2018-09-05 19:33 ` Jiri Kosina
2018-09-05 19:51 ` Justin Forbes
2018-09-05 20:14 ` David Howells
2018-09-05 20:34 ` Justin Forbes
2018-09-05 20:53 ` Andy Lutomirski
2018-09-05 21:01 ` Justin Forbes
2018-09-06 6:53 ` joeyli
2018-09-06 10:00 ` Jani Nikula
2018-09-06 10:05 ` David Howells
2018-09-06 10:21 ` Jani Nikula
2018-09-07 19:53 ` Mauro Carvalho Chehab [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180907165350.44039a6a@coco.lan \
--to=mchehab+samsung@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=jmforbes@linuxtx.org \
--cc=joeyli.kernel@gmail.com \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=pjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).