On Wed, Apr 4, 2018 at 9:22 AM, Matthew Garrett [off-list ref] wrote:

On Wed, Apr 4, 2018 at 6:52 AM Theodore Y. Ts'o [off-list ref] wrote:

quoted

On Wed, Apr 04, 2018 at 02:33:37PM +0100, David Howells wrote:

quoted

Theodore Y. Ts'o [off-list ref] wrote:

quoted

Whoa.  Why doesn't lockdown prevent kexec?  Put another away, why
isn't this a problem for people who are fearful that Linux could be
used as part of a Windows boot virus in a Secure UEFI context?

Lockdown mode restricts kexec to booting an authorised image (where the
authorisation may be by signature or by IMA).

quoted

If that's true, then Matthew's assertion that lockdown w/o secure boot
is insecure goes away, no?

If you don't have secure boot then an attacker with root can modify your
bootloader or kernel, and on next boot lockdown can be silently disabled.

This has been rebutted over and over and over.  Secure boot is not the
only verified boot mechanism in the world.  Other, better, much more
auditable, and much simpler mechanisms have been around for a long,
long time.

quoted

The fact that this Verified Boot on, lockdown off causes trouble
points to a clear problem.   User owns the hardware they should have
the right to defeat secureboot if they wish to.

Which is why Shim allows you to disable validation if you prove physical
user presence.

And that's a giant hack.  The actual feature should be that a user
proves physical presence and thus disables lockdown *without*
disabling verification.

--Andy