Re: [GIT PULL] Kernel lockdown for secure boot

From: Linus Torvalds
Date: Tue Apr 03 2018 - 19:59:06 EST

Next message: Matthew Garrett: "Re: [GIT PULL] Kernel lockdown for secure boot"
Previous message: Stuart Yoder: "Re: [PATCH v3 2/4] bus: fsl-mc: add restool userspace support"
In reply to: David Howells: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: David Howells: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 3, 2018 at 4:56 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
=>
> Most users haven't even given this a moment's thought, aren't even aware of
> the issues, don't even know to ask and, for them, it makes no difference.
> They trust their distribution to deal with stuff they don't know about.

Right.

Like perhaps trusting the distribution to just enable all those
security measures _regaredless_ of whether they booted in using secure
boot or not?

See?

If lockdown breaks something, the distro would need to fix it
regardless of secure boot.

So why is the enablement dependent on it again?

I'm not arguing "lockdown shouldn't be on".

I'm arguing "lockdown being on or off has _nothing_ to do with whether
the machine was booted in EFI mode with secure boot or not".

You don't seem to get it.

Linus

Next message: Matthew Garrett: "Re: [GIT PULL] Kernel lockdown for secure boot"
Previous message: Stuart Yoder: "Re: [PATCH v3 2/4] bus: fsl-mc: add restool userspace support"
In reply to: David Howells: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: David Howells: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]