On Tue, Apr 3, 2018 at 5:53 PM, Andy Lutomirski wrote: > On Tue, Apr 3, 2018 at 3:51 PM, Matthew Garrett wrote: > > On Tue, Apr 3, 2018 at 3:46 PM Linus Torvalds > > > > wrote: > > > >> For example, I love signed kernel modules. The fact that I love them > >> has absolutely zero to do with secure boot, though. There is > >> absolutely no linkage between the two issues: I use (self-)signed > >> kernel modules simply because I think it's a good thing in general. > > > >> The same thing is true of some lockdown patch. Maybe it's a good thing > >> in general. But whether it's a good thing is _entirely_ independent of > >> any secure boot issue. I can see using secure boot without it, but I > >> can very much also see using lockdown without secure boot. > > > >> The two things are simply entirely orthogonal. They have _zero_ > >> overlap. I'm not seeing why they'd be linked at all in any way. > > > > Lockdown is clearly useful without Secure Boot (and I intend to deploy it > > that way for various things), but I still don't understand why you feel > > that the common case of booting a kernel from a boot chain that's widely > > trusted derives no benefit from it being harder to subvert that kernel > into > > subverting that boot chain. For cases where you're self-signing and feel > > happy about that, you just set CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT to n > and > > everyone's happy? > > I would like to see distros that want Secure Boot to annoy users by > enabling Lockdown be honest about the fact that it's an annoyance and > adds very little value by having to carry a patch that was rejected by > the upstream kernel. > > -Andy > They have been carrying those patches for *years* now. If we didn't think there was value in it, we wouldn't be carrying them.