On 21. 02. 20, 1:49, Chris Murphy wrote:
On Wed, Feb 19, 2020 at 11:52 PM ASSI <Stromeko@nexgo.de> wrote:
ASSI writes:
Useless use of cat… :-) but it is also in the current Tmbleweed kernel:
# grep -i lockdown /boot/config-5.5.2-1-default CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
It's still there after today's kernel update. I went ahead and hibernated/resumed the machine, which worked:
This gets used in lockdown.c which is where I get [ 0.000000] flap.local kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/securi...
But I don't see that kernel message in Tumbleweed kernels. I'm not sure what actually enables the lockdown, but I'm pretty sure this is intentional for Tumbleweed where you'd want to be able to test various things. You'd want Secure Boot enabled, but you maybe wouldn't want lockdown to prevent things like tracefs, which is also subject to lockdown. I see this with Fedora, as well as in Ubuntu 20.04 kernels:
Unlike Leap (and fedora and ubuntu focal), Tumbleweed does not have the lock_kernel_down patches. Noted this to jsc#SLE-9870, so that we can have this fixed. thanks, -- js suse labs -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org