Re: [OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-10 Thread Al Stone (via Email Bridge)
From: Al Stone on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922#note_526418916 No real concerns. Follow Rule 4096: do what Peter says -- move the lockdown to generic and enable it.

Re: [OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-08 Thread Don Zickus (via Email Bridge)
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922#note_524569661 @ahs3 - can you do a quick sanity check of this conversation and see if you have any concerns?

Re: [OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-08 Thread via Email Bridge
From: Ondrej Mosnáček on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922#note_524400814 @dzickusrh Yes, I suppose a review/insight from the downstream EFI maintainers would be useful here.

Re: [OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-08 Thread Don Zickus (via Email Bridge)
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922#note_524373324 @omos - who else from RHEL should get involved in this review? The EFI lockdown kernel folks?

Re: [OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-08 Thread via Email Bridge
From: Ondrej Mosnáček on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922#note_524364236 Ah, I see... So I should enable CONFIG_SECURITY_LOCKDOWN_LSM=y globally and also add "lockdown" to the CONFIG_LSM list? Or should it stay disabled by default, unless the user

Re: [OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-08 Thread pbrobinson (via Email Bridge)
From: pbrobinson on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922#note_524345964 So Lockdown LSM is now upstream and it's the vast majority of the implementation of UEFI secure boot. Then Fedora/ARK has a minor patchset on top of that for UEFI secure boot. Downstream

Re: [OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-08 Thread via Email Bridge
From: Ondrej Mosnáček on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922#note_524338595 I'm not sure if we actually want to have the Lockdown LSM enabled. IIRC, Fedora/RHEL (or just Fedora?) has some downstream patches that implement something similar (I think?)...

Re: [OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-08 Thread pbrobinson (via Email Bridge)
From: pbrobinson on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922#note_524304568 The BPF LSM patch looks fine, I think the lockdown LSM is incorrect and needs a review/patch too to move it from Fedora -> common/generic and enable it.

[OS-BUILD PATCH 0/2] Enable BPF LSM on Fedora and ARK

2021-03-03 Thread via Email Bridge
From: Ondrej Mosnáček on gitlab.com Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922 ...and clean up a couple LSM-related configs while there. For more details see the commit messages.