Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

On Mon, 30 Jan, at 02:01:32PM, David Howells wrote: > Matt Fleming wrote: > > > > Matt argues, however, that boot_params->secure_boot should be propagated > > > from > > > the bootloader and if the bootloader wants to set it, then we should skip > > > the > > > check

Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

On Mon, 30 Jan, at 02:01:32PM, David Howells wrote: > Matt Fleming wrote: > > > > Matt argues, however, that boot_params->secure_boot should be propagated > > > from > > > the bootloader and if the bootloader wants to set it, then we should skip > > > the > > > check in efi_main() and go with

Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

Matt Fleming wrote: > > Matt argues, however, that boot_params->secure_boot should be propagated > > from > > the bootloader and if the bootloader wants to set it, then we should skip > > the > > check in efi_main() and go with the bootloader's opinion. This is

Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

Matt Fleming wrote: > > Matt argues, however, that boot_params->secure_boot should be propagated > > from > > the bootloader and if the bootloader wants to set it, then we should skip > > the > > check in efi_main() and go with the bootloader's opinion. This is something > > we probably want

Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

On Mon, 30 Jan, at 12:10:29PM, David Howells wrote: > > Matt argues, however, that boot_params->secure_boot should be propagated from > the bootloader and if the bootloader wants to set it, then we should skip the > check in efi_main() and go with the bootloader's opinion. This is something > we

Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

On Mon, 30 Jan, at 12:10:29PM, David Howells wrote: > > Matt argues, however, that boot_params->secure_boot should be propagated from > the bootloader and if the bootloader wants to set it, then we should skip the > check in efi_main() and go with the bootloader's opinion. This is something > we

What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

Hi all, There's an interesting issue with the way the x86 boot parameters are passed into the kernel if we want to store the secure-boot mode flag in there. My patches add boot_params->secure_boot, into which is placed the secure boot mode as deduced by the EFI boot wrapper, if it is invoked.

What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

Hi all, There's an interesting issue with the way the x86 boot parameters are passed into the kernel if we want to store the secure-boot mode flag in there. My patches add boot_params->secure_boot, into which is placed the secure boot mode as deduced by the EFI boot wrapper, if it is invoked.