Re: [GIT PULL] Kernel lockdown for secure boot

From: Matthew Garrett
Date: Tue Apr 03 2018 - 12:30:08 EST

Next message: David Lechner: "Re: [PATCH v8 25/42] ARM: davinci: dm644x: add new clock init using common clock framework"
Previous message: Al Viro: "Re: [PATCH net 1/2] net: bcmgenet: Fix sparse warnings in bcmgenet_put_tx_csum()"
In reply to: Andy Lutomirski: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: Andy Lutomirski: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 3, 2018 at 8:11 AM Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> Can you explain that much more clearly? I'm asking why booting via
> UEFI Secure Boot should enable lockdown, and I don't see what this has
> to do with kexec. And "someone blacklist[ing] your key in the
> bootloader" sounds like a political issue, not a technical issue.

A kernel that allows users arbitrary access to ring 0 is just an
overfeatured bootloader. Why would you want secure boot in that case?

Next message: David Lechner: "Re: [PATCH v8 25/42] ARM: davinci: dm644x: add new clock init using common clock framework"
Previous message: Al Viro: "Re: [PATCH net 1/2] net: bcmgenet: Fix sparse warnings in bcmgenet_put_tx_csum()"
In reply to: Andy Lutomirski: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: Andy Lutomirski: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]