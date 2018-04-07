Torvalds Opposes Tying UEFI Secure Boot to Kernel Lockdown Mode (phoronix.com) 12
An anonymous reader quotes Phoronix: The kernel lockdown feature further restricts access to the kernel by user-space with what can be accessed or modified... Pairing that with UEFI SecureBoot unconditionally is meeting some resistance by Linus Torvalds. The goal of kernel lockdown, which Linus Torvalds doesn't have a problem with at all, comes down to "prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorised modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still permitting driver modules to be loaded." But what has the Linux kernel creator upset with are developers trying to pair this unconditionally with UEFI SecureBoot. Linus describes Secure Boot as being "pushed in your face by people with an agenda." But his real problem is that Secure Boot would then imply Kernel Lockdown mode... "Tying these things magically together IS A BAD IDEA."
That's not what the argument is about. UEFI SecureBoot has its place and reasons although an open implementation would be much better, Linux Kernel Lockdown has its place and reasons. Requiring one to enable the other is a problem or declaring that your system is broken without both enabled is a problem.
The question is what need or benefit is gained by having these two features intrinsically linked on the back end?
Linux is a distribution by users, for users. So the individuals you are locking down are the developers and future developers of the operating system.
"Keeping the bad guys out" is a nanny state problem for for-cost operating systems. You can tie secure boot and kernel lockdowns together if you want to outsource your I.T. to a third party or for-cost d
Lock your house so people can't get to your computer. Kernel lockdown is about keeping control of your own system. Tying It to secure boot, though, is about keeping whoever has possession of the system (you) from having total control of it.
What does any of this mean?
Secure Boot protects against malware and malicious hardware, as well as teenagers with Linux on USB thumb drives bypassing security altogether.
Together they are supposed to make it impossible to bypass or break the core things, which is supposed to make a computer more secure.
Of course adding security breaks things. Such as open source drivers for hardware for which drivers do not exist. Which means that those needing exemptions to the security will lose both, not