On Sun, Oct 02, 2022 at 05:28:16PM +0200, Ard Biesheuvel wrote:
> On Sun, 2 Oct 2022 at 17:00, Antoine Damhet <antoine@xxxxxxxxx> wrote:
> >
> > Hello,
> >
> > Since `5f56a74cc0a6d9b9f8ba89cea29cd7c4774cb2b1`[1] I can't have both
> > SecureBoot enabled and lockdown disabled (I need to do that to allow
> > undervolting on my Intel laptop).
> >
> > My current bootchain is:
> >
> > systemd-boot -> kernel+initrd+cmdline as a unified kernel image and
> > signed using a personal custom key. I don't use the shim loader.
> >
> > Until now I disabled the lockdown by setting the `MokSBState` +
> > `MokSBStateRT` UEFI variables to 1. Now they need to be volatile.
> >
>
> OK, so this means the patch works as intended: MokSBState is owned by
> shim, and you are not booting via shim, and so honouring those
> variables was a bug.
>
> > Would you be open to either adding a variable or a command-line argument to
> > disable the kernel lockdown while keeping SecureBoot enabled?
>
> Can't you just omit the lockdown LSM from your kernel build?

It would probably work, but I'm using a downstream Fedora build; I would
rather find a solution that would work in a default configure state
(e.g., one that distributions would be willing to use) if it's possible.

> > If so,
> > what would be the right way to express it?
> >
> > Thanks,
> >
> > [1]: https://lore.kernel.org/linux-efi/20220920153743.3598053-1-ardb@xxxxxxxxxx/
> >
> > --
> > Antoine 'xdbob' Damhet

--
Antoine 'xdbob' Damhet
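The thread turns on two facts: shim creates `MokSBState` / `MokSBStateRT` as volatile boot-time variables, and after the cited commit a copy written persistently from the OS (as the original poster did) is no longer honoured. The following audit script is an added example, not code from the thread, from shim, or from the kernel. It decodes efivarfs-style blobs (a 4-byte little-endian attribute word followed by the payload), reads the active mode out of `/sys/kernel/security/lockdown`, and reports the combinations a defender cares about: a non-volatile `MokSBState*` copy, a volatile one set to 1, and Secure Boot on with lockdown off. The GUIDs and attribute bits are the standard UEFI and shim values; every input blob and lockdown string below is constructed for the example, not captured from a real machine.

```python
# Added example, not code from the thread, shim or the kernel: audit Secure Boot
# state, shim's MokSBState variables and the kernel lockdown mode from
# efivarfs-style blobs. All sample inputs here are constructed.
import struct
from dataclasses import dataclass, field

# EFI variable attribute bits (UEFI SetVariable/GetVariable).
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x00000002
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004

# Vendor GUIDs as they appear in efivarfs file names: /sys/firmware/efi/efivars/<Name>-<GUID>
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"


@dataclass
class EfiVar:
    name: str
    attributes: int
    data: bytes

    @property
    def non_volatile(self) -> bool:
        return bool(self.attributes & EFI_VARIABLE_NON_VOLATILE)


def parse_efivar(name: str, blob: bytes) -> EfiVar:
    """Decode one efivarfs file: 4-byte little-endian attribute word, then the payload."""
    if len(blob) < 4:
        raise ValueError(f"{name}: blob shorter than the 4-byte efivarfs attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return EfiVar(name, attrs, blob[4:])


def parse_lockdown(text: str) -> str:
    """Return the active mode from /sys/kernel/security/lockdown, e.g. 'none [integrity] confidentiality'."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    raise ValueError("no active lockdown mode marked with [] in input")


@dataclass
class Assessment:
    secure_boot: bool
    lockdown: str
    findings: list = field(default_factory=list)


def assess(efivars: dict, lockdown_text: str) -> Assessment:
    """efivars maps efivarfs file names to their raw file contents."""
    sb = parse_efivar("SecureBoot", efivars[f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"])
    secure_boot = len(sb.data) >= 1 and sb.data[0] == 1
    result = Assessment(secure_boot, parse_lockdown(lockdown_text))

    # MokSBState / MokSBStateRT carry shim's "skip Secure Boot validation" request.
    for fname, blob in efivars.items():
        if not fname.startswith("MokSBState"):
            continue
        var = parse_efivar(fname, blob)
        if var.non_volatile:
            # shim creates these volatile at boot; a persistent copy was written from
            # the OS, and per the thread the kernel now expects the volatile form only.
            result.findings.append(f"{fname}: non-volatile copy, not shim-owned; not honoured by the kernel")
        elif var.data[:1] == b"\x01":
            result.findings.append(f"{fname}: volatile and set to 1, Secure Boot validation is being skipped")

    if secure_boot and result.lockdown == "none":
        result.findings.append("Secure Boot enabled but kernel lockdown mode is 'none'")
    return result


def sample_efivars() -> dict:
    """Constructed efivarfs contents: Secure Boot on, plus a persistent MokSBState=1 written from the OS."""
    return {
        f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}":
            struct.pack("<I", EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS) + b"\x01",
        f"MokSBState-{SHIM_LOCK_GUID}":
            struct.pack("<I", EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                        | EFI_VARIABLE_RUNTIME_ACCESS) + b"\x01",
    }


if __name__ == "__main__":
    report = assess(sample_efivars(), "[none] integrity confidentiality")
    print(f"secure_boot={report.secure_boot} lockdown={report.lockdown}")
    for line in report.findings:
        print(" -", line)
```

On a live system the same functions can be fed the real files: read each `/sys/firmware/efi/efivars/*` entry as bytes and `/sys/kernel/security/lockdown` as text. Note that efivarfs only exposes variables with the runtime-access attribute, so a boot-services-only `MokSBState` is not visible from the OS at all; what the audit sees is whichever copy the OS can read.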