Re: [PATCH 00/16] Kernel lockdown

From: Justin Forbes
Date: Wed Nov 16 2016 - 17:28:50 EST

On Wed, Nov 16, 2016 at 3:47 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
> These patches provide a facility by which a variety of avenues by which
> userspace can feasibly modify the running kernel image can be locked down.
> These include:

Bit surprised to see this. Not that I am opposed to the patches
themselves. These were pulled into my tree as the first step towards
consolidating the implementation used for secure boot, and I know
there is interest in using large parts outside of a secure boot
context as well, but there were a few changes to be made after our
discussions in Santa Fe. Those are going into
I am completely happy to submit those changes as separate patches if
people want to take these. They do actually work, and are being
shipped and supported by multiple distributions at this point.