
Bug#1025417: linux: LOCK_DOWN_IN_EFI_SECURE_BOOT help claims confidentiality mode
Source: linux
Version: 5.10.149-2
Severity: trivial

debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
modifies security/lockdown/Kconfig to add the
LOCK_DOWN_IN_EFI_SECURE_BOOT option, whose help claims:

> Enabling this option results in kernel lockdown being
> triggered in confidentiality mode if EFI Secure Boot is
> set.

However, the lockdown is actually in integrity mode, rather than
confidentiality mode:

> #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
>                        lock_kernel_down("EFI Secure Boot",
>                                         LOCKDOWN_INTEGRITY_MAX);
> #endif

The implementation was apparently changed for
https://bugs.debian.org/956197 but the documentation
was not updated at that time.

https://salsa.debian.org/kernel-team/linux/-/commit/c2ea339ee4296658084804c0e678f03832ab2d79

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-19-amd64 (SMP w/8 CPU threads)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
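
An added check, not part of the bug report, that reads the lockdown mode the running kernel actually enforces from securityfs and the Secure Boot state from efivarfs, so an administrator can verify the enforced mode instead of relying on the Kconfig help text. The file paths are parameters (defaulting to the live sysfs locations) so the functions can also be run against constructed sample files.

```shell
#!/bin/sh
# Added example: compare the enforced lockdown mode with the Secure Boot
# state. Both readers take an optional path so they can be exercised on
# constructed files; without an argument they read the live system.

# securityfs shows the modes as e.g. "none [integrity] confidentiality";
# the bracketed token is the active one.
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# The SecureBoot EFI variable is 4 bytes of attributes followed by a
# 1-byte value; 1 means Secure Boot is enforced. No variable means the
# machine did not boot via UEFI or efivarfs is not mounted.
secure_boot_state() {
    f="${1:-$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)}"
    [ -n "$f" ] && [ -r "$f" ] || { echo "absent"; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$v" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Integrity mode blocks modifying the running kernel (unsigned modules,
# /dev/mem writes, etc.); confidentiality mode additionally blocks
# reading kernel memory. Report which one is in force alongside the
# Secure Boot state so the two can be compared with the documentation.
report() {
    mode=$(lockdown_mode "$1")
    sb=$(secure_boot_state "$2")
    echo "Secure Boot: $sb; lockdown: $mode"
    if [ "$sb" = "enabled" ] && [ "$mode" = "integrity" ]; then
        echo "Enforced mode matches LOCKDOWN_INTEGRITY_MAX, not the help text."
    fi
}
```

Run `report` with no arguments on a Secure Boot system with this kernel to see the integrity mode the patch actually selects.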
