On Tue, Apr 3, 2018 at 5:16 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote: > On Tue, Apr 3, 2018 at 5:15 PM Linus Torvalds > <torvalds@xxxxxxxxxxxxxxxxxxxx> > wrote: >> On Tue, Apr 3, 2018 at 5:10 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote: >> > >> >> Exactly like EVERY OTHER KERNEL CONFIG OPTION. >> > >> > So your argument is that we should make the user experience worse? > Without >> > some sort of verified boot mechanism, lockdown is just security theater. >> > There's no good reason to enable it unless you have some mechanism for >> > verifying that you booted something you trust. > >> Wow. Way to snip the rest of the email where I told you what the >> solution was. Let me repeat it here, since you so conveniently missed >> it and deleted it: > > I ignored it because it's not a viable option. Part of the patchset > disables various kernel command line options. If there's a kernel command > line option that disables the patchset then it's pointless. if your secure boot-enabled bootloader can't prevent a bad guy from using malicious kernel command line parameters, then fix it. -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
