Re: [PATCH 00/12] One more attempt at useful kernel lockdown

From: Valdis . Kletnieks
Date: Mon Sep 09 2013 - 13:20:05 EST


On Mon, 09 Sep 2013 11:49:34 -0400, Matthew Garrett said:

> So, this is my final attempt at providing the functionality I'm interested
> in without inherently tying it to Secure Boot. There's strong parallels
> between the functionality that I'm interested in and the BSD securelevel
> interface, so here's a trivial implementation.

Although all the individual patches look like sane and reasonable things
to do, I'm not at all convinced that sticking them all under control of one
flag is really the right way to do it. In particular, there probably needs
to be some re-thinking of the kexec, signed-module, and secure-boot stuff,
as it's still a moving target.

> So, this is my final attempt at providing the functionality I'm interested
> in without inherently tying it to Secure Boot.

You may as well bite the bullet on this one, and tie it together. Without
Secure Boot, by the time your code runs it's already too late. That's the
whole point of Secure Boot, after all.
