"If you're running in an environment where you're able to verify the kernel before booting it (either through cryptographic validation of the kernel, or knowing that there's a secret tied to the TPM that will prevent the system booting if the kernel's been tampered with), you can turn on lockdown."
Neither is required. The kernel/bootloader could be on read only media. Like booting from a live disc. A system using a solution like this may be a pre UEFI one.
So no cryptographic or TPM turning lockdown on there is valid cases.
Having to disable validation of kernel to disable lockdown is highly invalid.
Just because Linux distributions mandate lockdown feature does not mean people building their own kernels want lockdown or people doing a development process on a device want to always have lockdown in way.
Allowing distributions to build with lockdown on does not mean that you cannot provide the features to allow kernels to be built with lockdown off.
Also not provide the option for when it safe to have lockdown without secure boot is a mistake as well.
You still missed the basic.
Neither is required. The kernel/bootloader could be on read only media. Like booting from a live disc. A system using a solution like this may be a pre UEFI one.
So no cryptographic or TPM turning lockdown on there is valid cases.
Having to disable validation of kernel to disable lockdown is highly invalid.
Just because Linux distributions mandate lockdown feature does not mean people building their own kernels want lockdown or people doing a development process on a device want to always have lockdown in way.
Allowing distributions to build with lockdown on does not mean that you cannot provide the features to allow kernels to be built with lockdown off.
Also not provide the option for when it safe to have lockdown without secure boot is a mistake as well.