On Wed, Apr 4, 2018 at 1:01 PM Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote: > Now where the disagreement lies is the way how the uid/ring0 aspect is tied > to secure boot, which makes it impossible to be useful independent of > Secure Boot. It doesn't - you can pass a command line parameter that enables it, or your bootloader can set the bootparams flag. I don't see a fundamental problem with offering the opportunity to change it at runtime, other than that some stuff that was previously initialised may have to be torn down. The reason for having the UEFI boot stub *optionally* check the secure boot state itself and make a policy decision (rather than having the signed bootloader do so) is because the kernel can be launched directly by the firmware. -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html