On Mon, 2013-09-09 at 11:40 -0700, David Lang wrote: > On Mon, 9 Sep 2013, Matthew Garrett wrote: > > > On Mon, 2013-09-09 at 11:25 -0700, David Lang wrote: > > > >> Given that we know that people want signed binaries without blocking kexec, you > >> should have '1' just enforce module signing and '2' (or higher) implement a full > >> lockdown including kexec. > > > > There's already a kernel option for that. > > So, if there is an existing kernel option for this, why do we need a new one? There's an existing kernel option for "I want to enforce module signatures but I don't care about anything else". There isn't for "I want to prevent userspace from modifying my running kernel". -- Matthew Garrett <matthew.garrett@xxxxxxxxxx> ��.n��������+%������w��{.n�����{����*jg��������ݢj����G�������j:+v���w�m������w�������h�����٥