ACK/Cmnt: [PATCH v2 00/57][X] Lockdown updates

Andrea Righi andrea.righi at canonical.com
Mon Jun 22 08:54:09 UTC 2020


On Fri, Jun 19, 2020 at 11:49:13AM -0500, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1884159
> 
> v2 adds lockdown for debugfs and a patch for /dev/efi_test which was
> mistakenly omitted from v1.
> 
> The following changes since commit f93eb42c09f9c2338fc0604b71b805398dd848f5:
> 
>   UBUNTU: Ubuntu-4.4.0-184.214 (2020-06-03 12:51:32 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~sforshee/ubuntu/+source/linux/+git/xenial lockdown-updates
> 
> for you to fetch changes up to 09045d1dca266467713d77a9f49b3e72f79787d5:
> 
>   UBUNTU: SAUCE: (efi-lockdown) debugfs: Disallow use of debugfs files when the kernel is locked down (2020-06-19 10:21:02 -0500)
> 
> Thanks,
> Seth

Reviewed, test-built and tested the debugfs access policy. All good in
general.

I was wondering if we should add a "lockdown" kernel boot parameter,
like we have in bionic, that would enable lockdown by calling
enforce_signed_modules(), but I guess it's not needed, because (somehow)
the boot-loader is already able to enforce the kernel lockdown even
without this option.

Apart from this comment and the one about debugfs (see my previous
email), everything else looks good to me, therefore:

Acked-by: Andrea Righi <andrea.righi at canonical.com>


