[GIT PULL] Kernel lockdown for secure boot
Linus Torvalds
torvalds at linux-foundation.org
Tue Apr 3 23:58:55 UTC 2018
On Tue, Apr 3, 2018 at 4:56 PM, David Howells <dhowells at redhat.com> wrote:
>
> Most users haven't even given this a moment's thought, aren't even aware of
> the issues, don't even know to ask and, for them, it makes no difference.
> They trust their distribution to deal with stuff they don't know about.
Right.

Like perhaps trusting the distribution to just enable all those
security measures _regardless_ of whether they booted in using secure
boot or not?

See?

If lockdown breaks something, the distro would need to fix it
regardless of secure boot.

So why is the enablement dependent on it again?

I'm not arguing "lockdown shouldn't be on".

I'm arguing "lockdown being on or off has _nothing_ to do with whether
the machine was booted in EFI mode with secure boot or not".

You don't seem to get it.

Linus