So why do you need another kernel with lockdown disabled by default to be shipped?
Why would an attacker not force that kernel to be booted when he gets control over the machine?
Having a command line parameter to disable lockdown would make it obvious both in the journald logs and in /proc/cmdline.
Re: You're not making much sense
Date: 2018-04-06 07:49 pm (UTC)

If you have the patch that sets default lockdown policy based on secure boot state, you don't. If you don't have that patch, you do.
Because it wouldn't be signed.
Both of which could be compromised after an attacker adds the option and livepatches the kernel.