On Mon, 2013-09-09 at 11:25 -0700, David Lang wrote: > Given that we know that people want signed binaries without blocking kexec, you > should have '1' just enforce module signing and '2' (or higher) implement a full > lockdown including kexec. There's already a kernel option for that. -- Matthew Garrett <matthew.garrett@xxxxxxxxxx> ��.n��������+%������w��{.n�����{����*jg��������ݢj����G�������j:+v���w�m������w�������h�����٥