Message-ID: <CA+55aFwJBGCr-anrdV9N63fUH4V_QJqgr0_fJyHhH=fuqGAoog@mail.gmail.com>
Date: Tue, 3 Apr 2018 17:06:13 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Matthew Garrett <mjg59@...gle.com>
Cc: Andrew Lutomirski <luto@...nel.org>, David Howells <dhowells@...hat.com>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, James Morris <jmorris@...ei.org>, Alan Cox <gnomes@...rguk.ukuu.org.uk>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Justin Forbes <jforbes@...hat.com>, linux-man <linux-man@...r.kernel.org>, joeyli <jlee@...e.com>, LSM List <linux-security-module@...r.kernel.org>, Linux API <linux-api@...r.kernel.org>, Kees Cook <keescook@...omium.org>, linux-efi <linux-efi@...r.kernel.org>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot

On Tue, Apr 3, 2018 at 4:59 PM, Matthew Garrett <mjg59@...gle.com> wrote:
>
> Ok. So we can build distribution kernels that *always* have this on, and to
> turn it off you have to disable Secure Boot and install a different kernel.

Bingo. Exactly like EVERY OTHER KERNEL CONFIG OPTION. Just like all the ones
that I've mentioned several times.

Or, like a lot of other kernel options, maybe have a way to just disable it
on the kernel command line, and let the user know about it.

That would still be better than disabling secure boot entirely in your world
view, so it's (a) more convenient and (b) better.

Again, in no case does it make sense to tie it into "how did we boot".
Because that's just inconvenient for everybody.

                Linus