On Tue 2018-04-03 21:08:54, Matthew Garrett wrote:
> On Tue, Apr 3, 2018 at 2:01 PM Linus Torvalds
> <[email protected]>
> wrote:
>
> > On Tue, Apr 3, 2018 at 1:54 PM, Matthew Garrett <[email protected]> wrote:
> > >
> > >> .. maybe you don't *want* secure boot, but it's been pushed in your
> > >> face by people with an agenda?
> > >
> > > Then turn it off, or build a self-signed kernel that doesn't do this?
>
> > Umm. So you asked a question, and then when you got an answer you said
> > "don't do that then".
>
> > The fact is, some hardware pushes secure boot pretty hard. That has
> > *nothing* to do with some "lockdown" mode.
>
> Secure Boot ensures that the firmware will only load signed bootloaders. If
> a signed bootloader loads a kernel that's effectively an unsigned
> bootloader, there's no point in using Secure Boot - you should just turn it
> off instead, because it's not giving you any meaningful
> security. Andy's

Not true.
I have a kernel with printk() enabled. Yes, once userland is started,
you can boot another kernel, maybe.
Maybe my kernel is locked down with the exception of kexec, and it does
printk(KERN_CRIT "kexecing") followed by mdelay(5000). That's pretty
good security.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures)
http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

