On 14 April 2017 at 19:05, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> On Wed, 5 Apr 2017, David Howells wrote:
>
>> From: Kyle McMartin <kyle@xxxxxxxxxx>
>>
>> Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
>> kernel image to be modified. This lifts the lockdown.
>>
>> Signed-off-by: Kyle McMartin <kyle@xxxxxxxxxx>
>> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
>> cc: x86@xxxxxxxxxx
>
> Matt, Ard?
>
> Any opinions on this?
>

From an EFI point of view, there is not a lot to see here. I think having a SysRq to lift lockdown makes sense, although I think we should avoid 'secure boot' when referring to lockdown because they are really two different things. As someone else pointed out, you may have other ways of trusting your kernel, in which case you should be able to lock it down as well.

That does bring me to another EFI related point: many of these patches are x86 specific for no good reason. We have been working really hard over the past couple of years to move EFI plumbing into drivers/firmware/efi, and things that are not intimately related to an architecture should ideally be implemented there. Looking at the diffstat of this patch, I don't see why this should be an x86-only feature.

In general, though, I think this should be two patches, one that introduces the functionality to restrict some SysRq keys to console only, and one that adds the 'x' for lockdown lift.

I haven't gotten around to responding to David's general email regarding the point of all of this. I will do so asap, but it will need to wait until Tuesday at least.

-- 
Ard.