Re: Debian Live, Secure Boot, Kernel Lockdown and DKMS

Hi all

> If not, is there any way that we can get a signed kernel where
> lockdown is disabled per default?

I just noticed that when Matthew Garrett published v33 of the lockdown
patches (see https://lkml.org/lkml/2019/6/20/1492), he stated:

> As with the last implementation, this can be enabled via static kernel
> configuration, the kernel command line or via securityfs, depending on
> usecase. Distributions may wish to tie it to UEFI Secure Boot state,
> but we can save that conversation to later.

So it looks like it is perfectly possible that distributions provide
signed kernels where lockdown is not tied to Secure Boot. Would it be
possible that we have a signed kernel in Debian where lockdown can be
selectively enabled/disabled with a kernel command line? This is exactly
what we need to provide a Debian live system for BYOD scenarios in our
schools. Please? :-)

If there is anything I can do to help make this possible, please let me
know. This is really important for us.

Best regards


