Re: Debian Live, Secure Boot, Kernel Lockdown and DKMS

To: <debian-efi@lists.debian.org>
Subject: Re: Debian Live, Secure Boot, Kernel Lockdown and DKMS
From: Ronny Standtke <ronny.standtke@inf.unibe.ch>
Date: Mon, 2 Sep 2019 19:38:29 +0200
Message-id: <[🔎] 353efba5-3329-859d-04d3-17c3139882e1@inf.unibe.ch>
In-reply-to: <8f155522-80e4-4b93-1061-0a232899012e@inf.unibe.ch>
References: <8f155522-80e4-4b93-1061-0a232899012e@inf.unibe.ch>

Hi all

> If not, is there any way that we can get a signed kernel where
> lockdown is disabled per default?

I just noticed that when Matthew Garrett published v33 of the lockdown
patches (see https://lkml.org/lkml/2019/6/20/1492), he statet:

> As with the last implementation, this can be enabled via static kernel
> configuration, the kernel command line or via securityfs, depending on
> usecase. Distributions may wish to tie it to UEFI Secure Boot state,
> but we can save that conversation to later.

So it looks like it is perfectly possible that distributions provide
signed kernels where lockdown is not tied to Secure Boot. Would it be
possible that we have a signed kernel in Debian where lockdown can be
selectively enabled/disabled with a kernel command line? This is exactly
what we need to provide a Debian live system for BYOD scenarios in our
schools. Please? :-)

If there is anything I can do to help make this possible, please let me
know. This is really important for us.


Best regards

Ronny

Reply to:

Prev by Date: Re: Remove fwupdate from the archive
Next by Date: Re: Remove fwupdate from the archive
Previous by thread: RE: Remove fwupdate from the archive
Next by thread: Re: How to use uefi secure boot in a virtual machine in Debian Buster 10
Index(es):
- Date
- Thread