On 1/15/19 9:21 PM, Heinrich Schuchardt wrote:
> Hello Michael,
>
> with secure boot enabled the 4.19 kernel writes the following message:
>
> Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
>
> The corresponding man-page has been proposed in 2017:
> https://lwn.net/Articles/735564/
>
> I found a later version in
> https://lkml.org/lkml/2018/3/1/311
> which unfortunately was not in patch format.
>
> What is needed to get the page created?
>
> Best regards
>
> Heinrich
>

Hello David,

you are right. My fault. Debian Buster package
linux-image-amd64-signed-template adds the patch below.

Are there any plans for merging that functionality to mainline?

Best regards

Heinrich

From: David Howells <dhowells@xxxxxxxxxx>
Date: Wed, 8 Nov 2017 15:11:31 +0000
Subject: [01/29] Add the ability to lock down access to the running kernel image
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=6d350e2534bfaaaa3e523484b2ca44d22377e951

Provide a single call to allow kernel code to determine whether the system
should be locked down, thereby disallowing various accesses that might
allow the running kernel image to be changed including the loading of
modules that aren't validly signed with a key we recognise, fiddling with
MSR registers and disallowing hibernation,

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Acked-by: James Morris <james.l.morris@xxxxxxxxxx>