Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> ... use the kernel command line to disable things.

An attacker could then modify grub.cfg, say, and cause a reboot (or wait for the next reboot) to disable lockdown :-/

And whilst we could also distribute a non-locked-down variant of the kernel as an alternative, the attacker could install and boot that instead since we can't lock package installation down very easily since it doesn't impinge directly on the running kernel.

Unfortunately, it's hard to come up with a disablement mechanism in the kernel that an attacker can't also make use of :-/

David