On Tue, Apr 3, 2018 at 5:15 PM Linus Torvalds <torva...@linux-foundation.org> wrote: > On Tue, Apr 3, 2018 at 5:10 PM, Matthew Garrett <mj...@google.com> wrote: > > > >> Exactly like EVERY OTHER KERNEL CONFIG OPTION. > > > > So your argument is that we should make the user experience worse? Without > > some sort of verified boot mechanism, lockdown is just security theater. > > There's no good reason to enable it unless you have some mechanism for > > verifying that you booted something you trust.
> Wow. Way to snip the rest of the email where I told you what the > solution was. Let me repeat it here, since you so conveniently missed > it and deleted it: I ignored it because it's not a viable option. Part of the patchset disables various kernel command line options. If there's a kernel command line option that disables the patchset then it's pointless.