From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Egor Ignatov To: devel-kernel@lists.altlinux.org Date: Wed, 27 May 2026 11:25:39 +0300 Message-ID: <20260527082539.2000966-7-egori@altlinux.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260527082539.2000966-1-egori@altlinux.org> References: <20260527082539.2000966-1-egori@altlinux.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [d-kernel] [PATCH v2 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 May 2026 08:25:42 -0000 Archived-At: List-Archive: List-Post: Enable automatic kernel lockdown when booted in UEFI Secure Boot mode. This is required by the shim-review process, which asks how the signed kernel enforces lockdown under Secure Boot and will not sign the shim otherwise. Link: https://github.com/rhboot/shim-review#how-does-your-signed-kernel-enforce-lockdown-when-your-system-runs-with-secure-boot-enabled Signed-off-by: Egor Ignatov --- config | 1 + 1 file changed, 1 insertion(+) diff --git a/config b/config index 9aaf07ae98..596785caa3 100644 --- a/config +++ b/config @@ -10132,6 +10132,7 @@ CONFIG_SECURITY_YAMA=y CONFIG_SECURITY_SAFESETID=y CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set -- 2.50.1
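Review bot: The commit message does not say which lockdown level the added CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y line selects, nor how it relates to CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y, which stays set in the context line directly below it in the config hunk at -10132. The shim-review question linked in the message asks exactly how lockdown is enforced, so it would help to state in the message whether Secure Boot systems enter integrity or confidentiality mode, and that FORCE_NONE remains only as the default for boots without Secure Boot. Since the two FORCE_* alternatives stay unset, a sentence confirming that this is intended (lockdown only when Secure Boot is detected, no forced level otherwise) would make the resulting policy clear to anyone reading the config later. A short note on the user-visible effect for Secure Boot installs, such as unsigned module loading being refused under lockdown, would also be useful for package users.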