What should the default lockdown mode be if the bootloader sentinel triggers sanitization?
dhowells at redhat.com
Mon Jan 30 06:01:32 PST 2017
Matt Fleming <matt at codeblueprint.co.uk> wrote:
> > Matt argues, however, that boot_params->secure_boot should be propagated from
> > the bootloader and if the bootloader wants to set it, then we should skip the
> > check in efi_main() and go with the bootloader's opinion. This is something
> > we probably want to do with kexec() so that the lockdown state is propagated
> > there.
> Actually what I was arguing for was that if the boot loader wants to
> set it and bypass the EFI boot stub, e.g. by going via the legacy
> 64-bit entry point, startup_64, then we should allow that as well as
> setting the flag in the EFI boot stub.
That brings up another question: Should the non-EFI entry points clear the
secure_boot mode flag and set a default?
More information about the linux-arm-kernel