https://bugzilla.suse.com/show_bug.cgi?id=1208766 https://bugzilla.suse.com/show_bug.cgi?id=1208766#c7 --- Comment #7 from Joey Lee <jlee@suse.com> --- (In reply to Frank Krüger from comment #5)
Given secure boot enabled, for kernel <= 6.2.0 we have
cat /sys/kernel/security/lockdown
[none] integrity confidentiality
while for kernel 6.2.1
cat /sys/kernel/security/lockdown
none [integrity] confidentiality
Bug or feature? As for the latter, I don't see any hint in the changelog of 6.2.1: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.2.1
Any idea? Thx.
This is a feature, based on the security point of view. The lockdown function was introduced to the mainline kernel in v5.4:
commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449
Author: Matthew Garrett <matthewgarrett@google.com>
Date: Mon Aug 19 17:17:39 2019 -0700
security: Add a static lockdown policy LSM
Like other distros, we add downstream patches to connect secure_boot with the kernel lockdown function to allow users to switch this function. Then we enabled the kernel lockdown function. Please see the changelog of the kernel-default package:
rpm -q --changelog kernel-default-6.2.1-1.1.g69e0e95.x86_64 | less
* Sat Feb 18 2023 jlee@suse.com
- arm64: lock down kernel in secure boot mode (jsc#SLE-15020, bsc#1198101).
- efi: Lock down the kernel at the integrity level if booted in secure boot mode (jsc#SLE-9870, bsc#1198101).
- efi: Lock down the kernel if booted in secure boot mode (jsc#SLE-9870, bsc#1198101).
- Update config files.
- The shim for openSUSE Tumbleweed needs to be reviewed by upstream and signed by Microsoft. So we need to lockdown kernel on x86_64 and arm64 because EFI secure boot.
- We disable CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT in other architectures.
- efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode (jsc#SLE-9870, bsc#1198101).
- security: lockdown: expose a hook to lock the kernel down (jsc#SLE-9870, bsc#1198101).
- commit a7d5b50
The reason is that other big distros have enabled lockdown functions and connect this feature with EFI secure boot by downstream patches. On the other hand, openSUSE shim's opensuse-cert-prompt patch did NOT pass the upstream review for Microsoft signing. So we need to enable kernel lockdown functions to align with other distros.
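A small audit script illustrating the state the comment describes (secure boot on should now mean lockdown "integrity"); this is an added example, not code from the bug report or the SUSE kernel package. It parses the bracketed active mode from /sys/kernel/security/lockdown, reads the firmware SecureBoot variable (assumed to be the standard efivars file, where the fifth byte is the value), and flags a host that boots under secure boot yet reports lockdown "none".

```shell
#!/bin/sh
# lockdown_mode: extract the active mode from a lockdown sysfs line such as
# "none [integrity] confidentiality" (the bracketed word is the current setting).
lockdown_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# secure_boot_state: decode the UEFI SecureBoot variable. In efivarfs the file is
# 4 bytes of attributes followed by the 1-byte value (1 = enabled). The path is an
# assumption (standard EFI_GLOBAL_VARIABLE GUID); an alternate file may be passed in.
secure_boot_state() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$f" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# check_policy MODE SB: apply the policy from the changelog above. Secure boot on with
# lockdown "none" is the state worth alerting on; anything else is reported as ok/unknown.
check_policy() {
    mode="$1"; sb="$2"
    if [ "$sb" = enabled ] && [ "$mode" = none ]; then
        echo "MISMATCH: secure boot enabled but kernel lockdown is none"
        return 1
    fi
    if [ "$mode" = unknown ] || [ "$sb" = unknown ]; then
        echo unknown
        return 0
    fi
    echo ok
}

main() {
    ld_file=/sys/kernel/security/lockdown
    if [ -r "$ld_file" ]; then
        mode=$(lockdown_mode "$(cat "$ld_file")")
    else
        mode=unknown   # lockdown LSM not built in, or securityfs not mounted
    fi
    sb=$(secure_boot_state)
    echo "lockdown=$mode secure_boot=$sb"
    check_policy "$mode" "$sb"
}
main
```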