On Thu, Nov 08, 2012 at 09:44:11AM -0500, Shea Levy wrote: > How is secureboot_enable=no ok? Unless we're disabling efivarfs in > secureboot mode root can change the kernel command line. What do you mean by "ok"? Ubuntu ship a signed kernel without requiring signed modules, so any in-kernel protections can be trivially circumvented. They've made that decision based on a risk/benefit analysis. Every vendor is going to have to make their own analysis, and it's not guaranteed that the upstream kernel is going to precisely match any of them. -- Matthew Garrett | mjg59@xxxxxxxxxxxxx -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html