On Wed, Apr 4, 2018 at 2:06 AM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, Apr 3, 2018 at 4:59 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
>>
>> Ok. So we can build distribution kernels that *always* have this on, and to
>> turn it off you have to disable Secure Boot and install a different kernel.
>
> Bingo.
>
> Exactly like EVERY OTHER KERNEL CONFIG OPTION.
>
> Just like all the ones that I've mentioned several times.
>
> Or, like a lot of other kernel options, maybe have a way to just
> disable it on the kernel command line, and let the user know about it.
>
> That would still be better than disabling secure boot entirely in your
> world view, so it's (a) more convenient and (b) better.
>
> Again, in no case does it make sense to tie it into "how did we boot".
> Because that's just inconvenient for everybody.

Without taking a stance regarding whether I think that kernel lockdown makes sense, I think Matthew's point is this:

If you don't have lockdown, secure boot doesn't provide a benefit, since an attacker could just modify the init binary instead of messing with your kernel.

If you have secure boot, you want lockdown to prevent chainloading into a backdoored version of the real OS.