Re: [GIT PULL] Kernel lockdown for secure boot

From: Matthew Garrett
Date: Tue Apr 03 2018 - 20:17:04 EST

Next message: Jann Horn: "Re: [GIT PULL] Kernel lockdown for secure boot"
Previous message: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
In reply to: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: Andy Lutomirski: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 3, 2018 at 5:15 PM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx>
wrote:
> On Tue, Apr 3, 2018 at 5:10 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
> >
> >> Exactly like EVERY OTHER KERNEL CONFIG OPTION.
> >
> > So your argument is that we should make the user experience worse?
Without
> > some sort of verified boot mechanism, lockdown is just security theater.
> > There's no good reason to enable it unless you have some mechanism for
> > verifying that you booted something you trust.

> Wow. Way to snip the rest of the email where I told you what the
> solution was. Let me repeat it here, since you so conveniently missed
> it and deleted it:

I ignored it because it's not a viable option. Part of the patchset
disables various kernel command line options. If there's a kernel command
line option that disables the patchset then it's pointless.

Next message: Jann Horn: "Re: [GIT PULL] Kernel lockdown for secure boot"
Previous message: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
In reply to: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: Andy Lutomirski: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]