On Sun, 2 Oct 2022 at 17:00, Antoine Damhet <antoine@xxxxxxxxx> wrote:
>
> Hello,
>
> Since `5f56a74cc0a6d9b9f8ba89cea29cd7c4774cb2b1`[1] I can't have both
> SecureBoot enabled and lockdown disabled (I need to do that to allow
> undervolting on my Intel laptop).
>
> My current bootchain is:
>
> systemd-boot -> kernel+initrd+cmdline as a unified kernel image and
> signed using a personal custom key. I don't use the shim loader.
>
> Until now I disabled the lockdown by setting the `MokSBState` +
> `MokSBStateRT` UEFI variables to 1. Now they need to be volatile.
>

OK, so this means the patch works as intended: MokSBState is owned by
shim, and you are not booting via shim, and so honouring those
variables was a bug.

> Would you be open to either add a variable or a command-line argument to
> disable the kernel lockdown while keeping SecureBoot enabled?

Can't you just omit the lockdown LSM from your kernel build?

> If so
> what would be the right way to express it?
>
> Thanks,
>
> [1]: https://lore.kernel.org/linux-efi/20220920153743.3598053-1-ardb@xxxxxxxxxx/
>
> --
> Antoine 'xdbob' Damhet
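A read-only audit of the two pieces of state this exchange is about, added here as an example; it is not code from the thread, the kernel or shim. It assumes the efivarfs file layout (a 4-byte little-endian attribute word followed by the variable payload), the shim vendor GUID `605dab50-e046-4300-abb6-3dd810dd8b23` under which `MokSBState`/`MokSBStateRT` live, and the `/sys/kernel/security/lockdown` format `none [integrity] confidentiality`. The rule it applies is the one the thread states: a `MokSBState` that is not volatile (NON_VOLATILE attribute set) was written from the OS rather than by shim at boot, and after the referenced patch the kernel no longer honours it. The sample records at the bottom are constructed, not captured from a machine.

```python
"""Defender-side check: is lockdown active, and does the MokSBState seen
by the OS look like shim's volatile copy or like an OS-written NV variable?
"""
import os
import struct

# EFI variable attribute bits (UEFI spec, Runtime Services -> Variable Services)
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x00000002
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004

# Assumption: shim's vendor GUID (SHIM_LOCK_GUID); check against your shim build.
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
EFIVARS_DIR = "/sys/firmware/efi/efivars"
LOCKDOWN_PATH = "/sys/kernel/security/lockdown"


def parse_efivar(raw: bytes):
    """Split an efivarfs file image into (attributes, payload).

    efivarfs prefixes every variable with its 4-byte attribute word.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def assess_mok_sb_state(raw: bytes) -> dict:
    """Classify a MokSBState/MokSBStateRT record.

    'honoured_after_patch' encodes the thread's rule: the variable only
    counts if it is volatile (set by shim during boot) and its first byte is 1.
    """
    attrs, data = parse_efivar(raw)
    non_volatile = bool(attrs & EFI_VARIABLE_NON_VOLATILE)
    requests_sb_off = len(data) >= 1 and data[0] == 1
    return {
        "attributes": attrs,
        "non_volatile": non_volatile,
        "runtime_visible": bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS),
        "requests_sb_off": requests_sb_off,
        "honoured_after_patch": requests_sb_off and not non_volatile,
    }


def parse_lockdown(text: str) -> str:
    """Return the active mode from 'none [integrity] confidentiality'."""
    for tok in text.split():
        if tok.startswith("[") and tok.endswith("]"):
            return tok[1:-1]
    raise ValueError("no active lockdown mode marked in %r" % text)


def read_efivar(name: str, guid: str = SHIM_LOCK_GUID) -> bytes:
    """Read one variable from efivarfs (needs a booted EFI system)."""
    with open(os.path.join(EFIVARS_DIR, f"{name}-{guid}"), "rb") as f:
        return f.read()


def read_lockdown() -> str:
    with open(LOCKDOWN_PATH) as f:
        return parse_lockdown(f.read())


# Constructed sample records (not captured from real firmware):
#   shim-style volatile copy: BS|RT access, payload 0x01
SAMPLE_SHIM_VOLATILE = struct.pack("<I", EFI_VARIABLE_BOOTSERVICE_ACCESS
                                   | EFI_VARIABLE_RUNTIME_ACCESS) + b"\x01"
#   OS-written copy: NV|BS|RT access, payload 0x01 (what efivarfs writes create)
SAMPLE_OS_NONVOLATILE = struct.pack("<I", EFI_VARIABLE_NON_VOLATILE
                                    | EFI_VARIABLE_BOOTSERVICE_ACCESS
                                    | EFI_VARIABLE_RUNTIME_ACCESS) + b"\x01"


def demo() -> dict:
    """Run the classifier over the constructed samples."""
    return {
        "shim_volatile": assess_mok_sb_state(SAMPLE_SHIM_VOLATILE),
        "os_nonvolatile": assess_mok_sb_state(SAMPLE_OS_NONVOLATILE),
        "lockdown": parse_lockdown("none [integrity] confidentiality"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    # On a live EFI system, replace the samples with:
    #   assess_mok_sb_state(read_efivar("MokSBStateRT")) and read_lockdown()
```

Run on a real system, the interesting finding is a `MokSBStateRT` with `non_volatile` true: that variable did not come from shim, so it should have no effect on lockdown after the patch, and if lockdown is nonetheless `none` under Secure Boot the kernel in use predates the fix.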