Date: 2018-04-05 10:55 am (UTC)
From: (Anonymous)
There might actually be a reason to enable it everywhere if it is compiled in the kernel and that is a developer currently (ab)using features that will get restricted with lockdown, especially if said developer is running his own kernel, didn't set up secure boot and/or is on a distro that doesn't turn this on.

For example lets say such a developer is using distro X which doesn't compile the kernel with lockdown enabled now they get a bug report from someone using distro Y which does have lockdown enabled but from the bug report this might not be clear. The dev can't reproduce it and so tries to get distro Y installed in a VM but this VM has no EUFI secure boot so lockdown doesn't get enabled and thus still can't get it to reproduce.

I think there are 2 ways around this the first is to have lockdown always enabled even on non-secure boot platforms (if it is compiled in the kernel) or have the kernel (or other) logging/errors be explicit in why something got blocked (haven't looked at this so might already be in, hopefully)

Does this make sense or am I just rambling here?
Identity URL: 
Account name:
If you don't have an account you can create one now.
HTML doesn't work in the subject.


If you are unable to use this captcha for any reason, please contact us by email at

Notice: This account is set to log the IP addresses of everyone who comments.
Links will be displayed as unclickable URLs to help prevent spam.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags