Re: [PATCH 0/2] Secure Boot lock down
From: sergeh@kernel.org
Date: 2025-07-24 14:13:46
Also in:
linux-efi, lkml
On Thu, Jul 24, 2025 at 02:59:39PM +0200, Nicolas Bouchinet wrote:
> Hi Hamza, thanks for your patch. Thanks, Paul, for the forward.
>
> Sorry for the delay, we took a bit of time to do some lore archaeology and discuss it with Xiu.
>
> As you might know, this has already been through debates in 2017 [1]. At that time, the decision was not to merge this behavior. Distros have indeed carried downstream patches reflecting this behavior for a long time and have been affected by vulnerabilities like CVE-2025-1272 [2], which is caused by the magic sprinkled in setup_arch().
>
> While your implementation looks cleaner to me, one of the points in previous debates was to have a Lockdown-side Kconfig knob to enable or not this behavior. It would gate the registration of the Lockdown LSM to the security_lock_kernel_down() hook.
Well, but there is a default-n kconfig. What do you mean by "Lockdown-side Kconfig knob"? I'm sure I'm missing something, but not sure what...

thanks,
-serge