Re: [GIT PULL] Kernel lockdown for secure boot

From: Matthew Garrett
Date: Tue Apr 03 2018 - 16:55:14 EST

Next message: kbuild test robot: "Re: [PATCH 5/5] MIPS: perf: Fold vpe_id() macro into it's one last usage"
Previous message: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
In reply to: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 3, 2018 at 1:53 PM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx>
wrote:

> On Tue, Apr 3, 2018 at 9:29 AM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
> > On Tue, Apr 3, 2018 at 8:11 AM Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> >> Can you explain that much more clearly? I'm asking why booting via
> >> UEFI Secure Boot should enable lockdown, and I don't see what this has
> >> to do with kexec. And "someone blacklist[ing] your key in the
> >> bootloader" sounds like a political issue, not a technical issue.
> >
> > A kernel that allows users arbitrary access to ring 0 is just an
> > overfeatured bootloader. Why would you want secure boot in that case?

> .. maybe you don't *want* secure boot, but it's been pushed in your
> face by people with an agenda?

Then turn it off, or build a self-signed kernel that doesn't do this?

Next message: kbuild test robot: "Re: [PATCH 5/5] MIPS: perf: Fold vpe_id() macro into it's one last usage"
Previous message: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
In reply to: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]