Slashdot Mirror


Torvalds Opposes Tying UEFI Secure Boot to Kernel Lockdown Mode (phoronix.com)

An anonymous reader quotes Phoronix: The kernel lockdown feature further restricts access to the kernel by user-space with what can be accessed or modified... Pairing that with UEFI SecureBoot unconditionally is meeting some resistance by Linus Torvalds. The goal of kernel lockdown, which Linus Torvalds doesn't have a problem with at all, comes down to "prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorised modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still permitting driver modules to be loaded." But what has the Linux kernel creator upset are developers trying to pair this unconditionally with UEFI SecureBoot. Linus describes Secure Boot as being "pushed in your face by people with an agenda." But his real problem is that Secure Boot would then imply Kernel Lockdown mode... "Tying these things magically together IS A BAD IDEA."

3 of 69 comments

  1. Re:Please don't hurt me. by guruevi · · Score: 5, Interesting

    That's not what the argument is about. UEFI SecureBoot has its place and reasons, although an open implementation would be much better; Linux Kernel Lockdown has its place and reasons. Requiring one to enable the other is a problem or declaring that your system is broken without both enabled is a problem.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  2. Thanks, but you're mistaken about both by raymorris · · Score: 3, Interesting

    First, kernel lockdown in no way restricts which drivers you might have running. If you want to *change* which drivers you have running without rebooting, you'll need to *sign* the new module. Absolutely nothing prevents you from signing an open-source module. The command is:

    scripts/sign-file sha512 kernel-signkey.priv kernel-signkey.x509 module.ko
    (Or just check the box to sign all modules in make menuconfig.)

    Sign-file signatures work for both secure boot and the kernel restriction. For the kernel, the first time you ever sign a module you enroll your public key with keyctl.
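
An added example, not part of the comment above or of the kernel tree: a structural check of the trailer that scripts/sign-file appends to a module, following the layout in include/linux/module_signature.h. The names `inspect_module` and `make_sample` are hypothetical and the sample bytes are constructed; the check does not verify the signature cryptographically.

```python
import struct

# File layout after signing:
#   [module ELF][PKCS#7 signature][struct module_signature][magic string]
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes in total).
SIG_INFO = struct.Struct(">5B3xI")
PKEY_ID_PKCS7 = 2


def inspect_module(blob: bytes) -> dict:
    """Mirror the kernel's structural checks on a module's signature trailer."""
    if not blob.endswith(MAGIC):
        return {"signed": False, "reason": "no signature marker"}
    body = blob[: -len(MAGIC)]
    if len(body) <= SIG_INFO.size:
        return {"signed": False, "reason": "truncated trailer"}
    info = body[-SIG_INFO.size:]
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(info)
    remaining = len(body) - SIG_INFO.size
    if sig_len >= remaining:
        return {"signed": False, "reason": "signature length exceeds file"}
    if id_type != PKEY_ID_PKCS7:
        return {"signed": False, "reason": "not a PKCS#7 signature"}
    # For PKCS#7 signatures every other field must be zero.
    if any((algo, hash_, signer_len, key_id_len)) or info[5:8] != b"\0\0\0":
        return {"signed": False, "reason": "unexpected non-zero field"}
    return {"signed": True, "sig_len": sig_len, "module_len": remaining - sig_len}


def make_sample(sig: bytes = b"\x30" * 64) -> bytes:
    """Constructed input: 64 fake ELF bytes, a fake signature, a valid trailer."""
    elf = b"\x7fELF" + b"\0" * 60
    return elf + sig + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    print(inspect_module(make_sample()))
    print(inspect_module(b"\x7fELF" + b"\0" * 60))
```
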

  3. Re:Essentially by rtkluttz · · Score: 3, Interesting

    Malware. Any system that treats the owner of the device as the problem is malware. I'm all for secure boot as long as the owner of the device decides what to tag as secure and has complete control over the encryption and lockdowns.

    --
    Digital is, by definition, imperfect. Analog is the way to go.