On Mon, 2013-09-09 at 11:25 -0700, David Lang wrote: > Given that we know that people want signed binaries without blocking kexec, > you > should have '1' just enforce module signing and '2' (or higher) implement a > full > lockdown including kexec.
There's already a kernel option for that. -- Matthew Garrett <matthew.garr...@nebula.com>