You still missed the basic.

Date: 2018-04-05 10:03 am (UTC)
From: (Anonymous)
"If you're running in an environment where you're able to verify the kernel before booting it (either through cryptographic validation of the kernel, or knowing that there's a secret tied to the TPM that will prevent the system booting if the kernel's been tampered with), you can turn on lockdown."

Neither is required. The kernel/bootloader could be on read only media. Like booting from a live disc. A system using a solution like this may be a pre UEFI one.

So no cryptographic or TPM turning lockdown on there is valid cases.

Having to disable validation of kernel to disable lockdown is highly invalid.

Just because Linux distributions mandate lockdown feature does not mean people building their own kernels want lockdown or people doing a development process on a device want to always have lockdown in way.

Allowing distributions to build with lockdown on does not mean that you cannot provide the features to allow kernels to be built with lockdown off.

Also not provide the option for when it safe to have lockdown without secure boot is a mistake as well.
Identity URL: 
Account name:
If you don't have an account you can create one now.
HTML doesn't work in the subject.


If you are unable to use this captcha for any reason, please contact us by email at

Notice: This account is set to log the IP addresses of everyone who comments.
Links will be displayed as unclickable URLs to help prevent spam.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags