David Howells <dhowells@xxxxxxxxxx> wrote: > > I don't like the idea that the lockdown (which is a runtime > > thing) requires a compile time option (KEXEC_VERIFY_SIG) that > > forces the verification even when the kernel is then not locked > > down at runtime. > > It doesn't. The EPERM only triggers if: > > (1) File signatures aren't mandatory (ie. CONFIG_KEXEC_VERIFY_SIG) is not > set, and > > (2) you're not using IMA appraisal to validate the file contents, and > > (3) lockdown mode is enabled. > > If file signatures are mandatory or IMA appraisal is in use, then the lockdown > state doesn't need to be checked. Having said that, I do see your point, I think. We should still let through validly signed images, even if signatures aren't mandatory in lockdown mode. David -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
