On Tue, Apr 3, 2018 at 5:02 PM Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > On Tue, Apr 3, 2018 at 4:47 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote: > >> Another way of looking at this: if lockdown is a good idea to enable > >> when you booted using secure boot, then why isn't it a good idea when > >> you *didn't* boot using secure boot? > > > > Because it's then trivial to circumvent and the restrictions aren't worth > > the benefit. > Bullshit. > If there those restrictions cause problems, they need to be fixed regardless. How? When there are random DMA-capable PCI devices that are driven by userland tools that are mmap()ing the BARs out of sysfs, how do we simultaneously avoid breaking those devices while also preventing the majority of users from being vulnerable to an attacker just DMAing over the kernel? -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
