On Tue 2018-04-03 21:08:54, Matthew Garrett wrote: > On Tue, Apr 3, 2018 at 2:01 PM Linus Torvalds > > wrote: > > > On Tue, Apr 3, 2018 at 1:54 PM, Matthew Garrett wrote: > > > > > >> .. maybe you don't *want* secure boot, but it's been pushed in your > > >> face by people with an agenda? > > > > > > Then turn it off, or build a self-signed kernel that doesn't do this? > > > Umm. So you asked a question, and then when you got an answer you said > > "don't do that then". > > > The fact is, some hardware pushes secure boot pretty hard. That has > > *nothing* to do with some "lockdown" mode. > > Secure Boot ensures that the firmware will only load signed bootloaders. If > a signed bootloader loads a kernel that's effectively an unsigned > bootloader, there's no point in using Secure Boot - you should just turn it > off instead, because it's not giving you any meaningful > security. Andy's Not true. I have kernel with printk() enabled. Yes, once userland is started, you can boot another kernel, maybe. Maybe my kernel is locked down with exception of kexec, and it does printk(KERN_CRIT "kexecing") followed by mdelay(5000). That's pretty good security. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html