Hi! > allow the running kernel image to be changed including the loading of > modules that aren't validly signed with a key we recognise, fiddling with > MSR registers and disallowing hibernation, "." at EOL. > @@ -158,6 +158,21 @@ config HARDENED_USERCOPY_PAGESPAN > been removed. This config is intended to be used only while > trying to find such users. > > +config LOCK_DOWN_KERNEL > + bool "Allow the kernel to be 'locked down'" Locked down, or 'locked down' ? :-). > + help > + Allow the kernel to be locked down under certain circumstances, for > + instance if UEFI secure boot is enabled. Locking down the kernel > + turns off various features that might otherwise allow access to the > + kernel image (eg. setting MSR registers). I'd add something that clarifies it is "running" kernel image. > +config ALLOW_LOCKDOWN_LIFT > + bool Don't you need to add 'bool "something"' so that user can actually select this? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Attachment:
signature.asc
Description: Digital signature
