"Secure Boot can be disabled on all systems running shim."
Disabling secure boot disables validation on the kernel, i.e. that it has not been damaged on media. In reality we should not end up in a case with an unsigned kernel if it can be avoided. Lockdown needs to be independent of whether the kernel is signed or not.
This could require altering the MOK so that it supports lower-security KEK/MOK entries for auditing solutions with lockdown off.
Basically turning signing off defeats one of the points of UEFI secure boot, which is validating the files loaded to boot from.
"Obviously the one that has lockdown disabled wouldn't be signed, because that would defeat the point."
Basically this idea defeats one of the reasons for secure boot. You need to work out how to do this without ever turning secure boot off. This may require redesigning MOK and working with the UEFI standard to add another level of KEK.
1) KEK/MOK set for full secure.
2) KEK/MOK set for validation, but whatever is using this is not fully secure, and depending on configuration this may require a password or proof of physical access.
3) Unsigned mode for UEFI/MOK configuration only; once configured, this mode disappears.
And deprecate the existing shim.
Before you added lockdown to the Linux kernel, people had KEK or MOK validation of the Linux kernel and boot loader. Saying unsigned is telling those people to downgrade their solution.
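The comment above argues about two separate states, whether the firmware verified the boot chain and whether the running kernel is in lockdown, and that one should not be inferred from the other. As an added example (not part of the thread, and not code from shim, the kernel, or any of the commenters), here is a small POSIX shell audit that reads both states from where Linux exposes them and reports the combination. It assumes the standard efivarfs layout for the SecureBoot variable (a 4-byte attribute header followed by a 1-byte value) and the securityfs lockdown file format ("none [integrity] confidentiality"); the sample files it builds for itself are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: audit the secure-boot / lockdown combination on a Linux host.
# Real inputs when run on a machine (both paths are assumptions about a
# standard kernel with efivarfs and securityfs mounted):
#   /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   /sys/kernel/security/lockdown

secureboot_state() {
    # $1: path to the SecureBoot efivar. Prints enabled / disabled / unknown.
    f="$1"
    [ -r "$f" ] || { echo unknown; return; }
    # Skip the 4 attribute bytes, read the single value byte as decimal.
    v=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

lockdown_state() {
    # $1: path to the lockdown file. Prints the bracketed mode or unknown.
    f="$1"
    [ -r "$f" ] || { echo unknown; return; }
    m=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f")
    if [ -n "$m" ]; then echo "$m"; else echo unknown; fi
}

assess() {
    # $1: secure boot state, $2: lockdown mode. Prints one verdict line.
    case "$1/$2" in
        enabled/integrity|enabled/confidentiality)
            echo "ok: boot chain verified and lockdown $2" ;;
        enabled/none)
            echo "warn: boot chain verified but lockdown is off" ;;
        disabled/integrity|disabled/confidentiality)
            echo "warn: lockdown $2 but the kernel image was not verified at boot" ;;
        disabled/none)
            echo "fail: no boot verification and no lockdown" ;;
        *)
            echo "unknown: secureboot=$1 lockdown=$2" ;;
    esac
}

make_samples() {
    # Constructed sample inputs so the functions can be exercised offline.
    d=$(mktemp -d)
    # SecureBoot efivar: attributes 0x00000006 (BS|RT access), then value byte.
    printf '\006\000\000\000\001' > "$d/SecureBoot-on"
    printf '\006\000\000\000\000' > "$d/SecureBoot-off"
    printf 'none [integrity] confidentiality\n' > "$d/lockdown-integrity"
    printf '[none] integrity confidentiality\n' > "$d/lockdown-none"
    echo "$d"
}

audit() {
    # $1: efivar path, $2: lockdown path. Prints the verdict for that pair.
    assess "$(secureboot_state "$1")" "$(lockdown_state "$2")"
}

# Run against the constructed samples; replace the paths with the real
# sysfs files above to audit the running host.
D=$(make_samples)
audit "$D/SecureBoot-on"  "$D/lockdown-integrity"
audit "$D/SecureBoot-on"  "$D/lockdown-none"
audit "$D/SecureBoot-off" "$D/lockdown-integrity"
audit "$D/SecureBoot-off" "$D/lockdown-none"
```

The point of reporting the two states side by side is that neither implies the other: a machine can boot a signed kernel with lockdown off, or run a lockdown kernel whose image nobody verified, and a fleet audit has to distinguish those cases rather than treating "secure boot on" as the whole answer.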