Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

From: Matt Fleming
Date: Tue Jan 31 2017 - 06:58:12 EST

On Mon, 30 Jan, at 02:01:32PM, David Howells wrote:
> Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx> wrote:
> > > Matt argues, however, that boot_params->secure_boot should be propagated from
> > > the bootloader and if the bootloader wants to set it, then we should skip the
> > > check in efi_main() and go with the bootloader's opinion. This is something
> > > we probably want to do with kexec() so that the lockdown state is propagated
> > > there.
> >
> > Actually what I was arguing for was that if the boot loader wants to
> > set it and bypass the EFI boot stub, e.g. by going via the legacy
> > 64-bit entry point, startup_64, then we should allow that as well as
> > setting the flag in the EFI boot stub.
> That brings up another question: Should the non-EFI entry points clear the
> secure_boot mode flag and set a default?

There are no non-EFI boot entry points. EFI worked before we added the
EFI boot stub. The boot stub just provides new features (and allows us
to bundle firmware/boot fixes workarounds with kernel updates).

This is exactly why we should allow, or at least not actively
prohibit, the boot loader to set ->secure_boot and jump to the old
entry point if it wants to do that.