Re: You still missed the basic.

Date: 2018-04-05 10:52 am (UTC)
From: (Anonymous)
Exactly Distributions have the option of setting what ever configurations they have to.

Now a person development a embedded device with UEFI boot with secureboot on only as an option yet is wanting lockdown off for diagnostics if going to be up the creek. These device doing sysrq-x is not a option on lot of them as you don't have keyboard. You have a jtag and that is it.

There is no need to bind UEFI secureboot to lockdown absolutely. Binding UEFI secureboot to lockdown will purely get in way.

Adding MOK is adding an extra that will not be in production device as well.

Its not like using mokutil --disable-validation is without is absolute failures.

The UEFI secureboot to lockdown link does need to be breakable by kernel build option.

I can understand why its wanted on so that when secureboot is on lockdown is on but you have the usage cases where secureboot is on but you need lockdown off. These cases where you have secureboot on but lockdown off you are normally dealing with boot loader from hell provide by a vendor also you normally have PK and KEKs under your control so not requiring anyone one else approval.

There are two conflicting use cases here. People developing on new boards with horrible vendor bootloader vs the general UEFI PC group attempting to match what Microsoft wants to sign shims. The reality is both groups can be happy if enough kernel configuration options is provided.

Please note how long is mok shim going to allowed due to the fact it allows running unsigned kernels with system set to secureboot. We need to consider that one day the ability to turn verified boot off will not be there. Instead you will have to do what is already required on some development boards of set your own PK and KEK and always have secure boot on.

Basically its a error to be using secureboot as a on/off switch.
Identity URL: 
Account name:
If you don't have an account you can create one now.
HTML doesn't work in the subject.


If you are unable to use this captcha for any reason, please contact us by email at

Notice: This account is set to log the IP addresses of everyone who comments.
Links will be displayed as unclickable URLs to help prevent spam.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags