On Mon, Jun 12, 2023 at 06:26:06PM -0000, Bruno Pitrus wrote:
master branch of openSUSE Tumbleweed kernel

Is it enabled in upstream?

What problem would it be for you to ship an UNSIGNED kernel that has all the SUSE patches EXCEPT lockdown? You already ship kernel-vanilla, and AFAIK it does not have lockdown.

The mainline kernel has the lockdown function, but it doesn't connect with the secure boot switch in firmware. Like other big distros (Fedora, Ubuntu, Leap/SLE), we put a downstream patch into the Tumbleweed kernel to connect lockdown-integrity mode with secure boot.

About kernel-vanilla, bsc#1209008 has been created (I am not sure that it's a public bug). We will ship unsigned kernel-vanilla without lockdown.

Currently we do not have a SUSE-patched unsigned Tumbleweed kernel. We need a new kernel flavor for this. I don't know who has the power to make the decision.

Thanks
Joey Lee
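
To see on a running system whether lockdown follows the firmware secure boot switch, as the reply above describes for distro kernels, the following added example (not part of the thread and not SUSE's code) reads the standard securityfs and efivarfs files. The function names and the labels printed by `assess` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: compare firmware Secure Boot state with the kernel lockdown mode.
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"
SB_VAR="${SB_VAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"

# The kernel brackets the active mode, e.g. "none [integrity] confidentiality".
# $1 = contents of the lockdown file; prints the active mode, or nothing.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# An efivarfs file is 4 attribute bytes followed by the variable data;
# the SecureBoot data is a single byte (1 = enabled, 0 = disabled).
# $1 = path to the SecureBoot variable file.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return; }
    byte=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# $1 = secure boot state, $2 = lockdown mode. Labels are hypothetical.
assess() {
    case "$1:$2" in
        enabled:integrity|enabled:confidentiality) echo coupled ;;
        enabled:none)  echo secure-boot-without-lockdown ;;
        disabled:none) echo unlocked ;;
        disabled:integrity|disabled:confidentiality) echo lockdown-set-independently ;;
        *) echo indeterminate ;;   # no EFI, no lockdown LSM, or unreadable files
    esac
}

# Constructed sample: what a kernel carrying the coupling patch would report.
echo "sample: $(assess enabled "$(lockdown_mode 'none [integrity] confidentiality')")"

# Live system; missing files degrade to "unknown" / "unavailable".
mode=$(lockdown_mode "$(cat "$LOCKDOWN_FILE" 2>/dev/null)")
sb=$(secure_boot_state "$SB_VAR")
echo "secure boot: $sb, lockdown: ${mode:-unavailable}, assessment: $(assess "$sb" "$mode")"
```

A result of `secure-boot-without-lockdown` is what a kernel without the coupling would show under secure boot, unless lockdown was requested another way such as the `lockdown=` boot parameter.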