Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote:

> Yes. In pre-2.6, DeployedMode is not a reserved name, and so it may be
> possible for someone to slip in a DeployedMode=0 on a secure boot
> enabled system to trick the kernel into thinking lockdown should be
> disabled.

How does one get the version number? Unfortunately, searching the document
for 'version' doesn't help as every page has that in the footer :-/

> > + if (val == 1)
> > + return 0;
>
> I think the logic is the wrong way around here. Secure Boot is enabled
> if SecureBoot=1 and SetupMode=0, unless DeployedMode=0. So you should
> return 0 here if val == 0, but only when running on 2.6 or later.

Good point.

David
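
Review bot: In the quoted hunk, `if (val == 1) return 0;` returns 0 on the value 1, which is inverted relative to the rule given in the reply (Secure Boot is enabled if SecureBoot=1 and SetupMode=0, unless DeployedMode=0). Test for `val == 0` instead, and apply the DeployedMode check only on 2.6 or later, since before 2.6 the name is not reserved and a DeployedMode=0 variable on a secure boot enabled system would make the kernel treat lockdown as disabled. How the version number is obtained is still an open question in this thread, so the version gate needs a defined source, and a comment stating it, before this check can be relied on.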