Comment # 7 on bug 1208766 from
(In reply to Frank Krüger from comment #5)
> Given secure boot enabled, for kernel <= 6.2.0 we have
> > cat /sys/kernel/security/lockdown
> [none] integrity confidentiality
> 
> while for kernel 6.2.1
> > cat /sys/kernel/security/lockdown
> none [integrity] confidentiality
> 
> Bug or feature? As for the latter, I don't see any hint in the changelog of
> 6.2.1: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.2.1
> 
> Any idea? Thx.

This is a feature, based on a security point of view. The lockdown function was
introduced to the mainline kernel in v5.4:

commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449
Author: Matthew Garrett <matthewgarrett@google.com>
Date:   Mon Aug 19 17:17:39 2019 -0700

    security: Add a static lockdown policy LSM


Like other distros, we added downstream patches to connect secure_boot with the
kernel lockdown function to allow users to switch this function. Then we enabled
the kernel lockdown function. Please see the changelog of the kernel-default package:

> rpm -q --changelog kernel-default-6.2.1-1.1.g69e0e95.x86_64 | less

* Sat Feb 18 2023 jlee@suse.com
- arm64: lock down kernel in secure boot mode (jsc#SLE-15020, bsc#1198101).
- efi: Lock down the kernel at the integrity level if booted in
  secure boot mode (jsc#SLE-9870, bsc#1198101).
- efi: Lock down the kernel if booted in secure boot mode
  (jsc#SLE-9870, bsc#1198101).
- Update config files.
  - The shim for openSUSE Tumbleweed needs to be reviewed by upstream
    and signed by Microsoft. So we need to lockdown kernel on x86_64
    and arm64 because EFI secure boot.
  - We disable CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT in other
    architectures.
- efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
  (jsc#SLE-9870, bsc#1198101).
- security: lockdown: expose a hook to lock the kernel down
  (jsc#SLE-9870, bsc#1198101).
- commit a7d5b50


The reason is that other big distros have enabled the lockdown functions and
connect this feature with EFI secure boot by downstream patches. On the other
hand, openSUSE shim's opensuse-cert-prompt patch did NOT pass the upstream
review for Microsoft signing. So we need to enable the kernel lockdown functions
to align with other distros.
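The two `cat /sys/kernel/security/lockdown` outputs quoted above show the kernel's "[active] other-modes" format. The following POSIX shell script is an added example, not part of the bug report or of the openSUSE kernel packaging: it parses that format, reads the EFI SecureBoot variable, and flags the combination the downstream patch is meant to rule out (Secure Boot enabled but lockdown still `none`). It assumes securityfs is mounted at `/sys/kernel/security` and efivarfs at `/sys/firmware/efi/efivars`; the SecureBoot variable name and GUID are the standard EFI global-variable ones. The function names and the `not-efi`/`unknown` result strings are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report): report the kernel lockdown mode
# and EFI Secure Boot state, and cross-check them the way the downstream
# "lock down the kernel in secure boot mode" patch expects.
# Assumptions: securityfs at /sys/kernel/security (CONFIG_SECURITY_LOCKDOWN_LSM
# built in) and efivarfs at /sys/firmware/efi/efivars.

LOCKDOWN_FILE=/sys/kernel/security/lockdown
# EFI global variable namespace GUID; SecureBoot is a 1-byte variable in it.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Extract the active mode from the kernel's "[active] other modes" line.
# Input: file content as a string, e.g. "none [integrity] confidentiality"
# Output: the bracketed word, e.g. "integrity"
parse_lockdown() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Lockdown mode of the running kernel, or "unknown" if the LSM file is absent
# (lockdown LSM not built, or securityfs not mounted).
current_lockdown() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        parse_lockdown "$(cat "$LOCKDOWN_FILE")"
    else
        echo unknown
    fi
}

# Secure Boot state from the EFI variable. An efivarfs file is 4 bytes of
# attributes followed by the variable data; a data byte of 1 means enabled.
secure_boot_state() {
    if [ -r "$SB_VAR" ]; then
        # od -j4 -N1 prints the single data byte (offset 4) as a decimal.
        case "$(od -An -tu1 -j4 -N1 "$SB_VAR" | tr -d ' ')" in
            1) echo enabled ;;
            0) echo disabled ;;
            *) echo unknown ;;
        esac
    else
        echo not-efi   # no efivarfs: legacy BIOS boot or not mounted
    fi
}

# Policy cross-check: with the downstream patch applied, Secure Boot enabled
# must imply at least "integrity". Returns 1 when that expectation is violated.
check_policy() {
    sb=$(secure_boot_state)
    ld=$(current_lockdown)
    echo "secure_boot=$sb lockdown=$ld"
    if [ "$sb" = enabled ] && [ "$ld" = none ]; then
        echo "WARNING: Secure Boot is on but the kernel is not locked down"
        return 1
    fi
    return 0
}

# Print the state when run directly; callers wanting the verdict use
# check_policy's return value.
check_policy || :
```

Two runtime details worth knowing when reading those outputs: the mode can also be requested explicitly with `lockdown=integrity` or `lockdown=confidentiality` on the kernel command line, and writing one of those words to `/sys/kernel/security/lockdown` raises the level at runtime, but the level can never be lowered again without a reboot. On a kernel where the file shows `[none]` under Secure Boot, that is what the comment above describes for kernels before 6.2.1, not a bug in this script.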

