Jiri Slaby wrote:
> Trust me, if there is any widespread problem, I will revert the patchset from TW instantly. And let them retry later, when all is settled. Unfortunately without this trial phase, we cannot find out.
>
> Note that I'm not much in favor of this "functionality". But it's the way it is. We (open/SUSE) are required to have this so that MS will sign our shim.

How does one load unsigned modules if one does not have shim installed? I use Dracut's unified kernel image functionality, which produces an .efi file containing kernel + initramfs + hardcoded boot options that is signed with a custom key. (Allowing the kernel to load an untrusted initramfs misses the point of Secure Boot completely).

Do you perhaps know of an incantation that I can add to kernel_cmdline to disable lockdown?