[PATCH 0/2] Secure Boot lock down
sergeh at kernel.org
sergeh at kernel.org
Thu Jul 24 14:13:41 UTC 2025
On Thu, Jul 24, 2025 at 02:59:39PM +0200, Nicolas Bouchinet wrote:
> Hi Hamza, thanks for your patch.
>
> Thanks, Paul, for the forward.
>
> Sorry for the delay, we took a bit of time to do some lore archaeology
> and discuss it with Xiu.
>
> As you might know, this has already been through debates in 2017 [1]. At
> that time, the decision was not to merge this behavior.
>
> Distros have indeed carried downstream patches reflecting this behavior
> for a long time and have been affected by vulnerabilities like
> CVE-2025-1272 [2], which is caused by the magic sprinkled in
> setup_arch().
>
> While your implementation looks cleaner to me. One of the points in
> previous debates was to have a Lockdown side Kconfig knob to enable or
> not this behavior. It would gate the registration of the Lockdown LSM to
> the security_lock_kernel_down() hook.
Well, but there is a default-n kconfig. What do you mean by "Lockdown
side Kconfig knob"? I'm sure I'm missing something, but not sure
what...
thanks,
-serge
More information about the Linux-security-module-archive
mailing list