Message-ID: <4ee211b7-b7a7-403a-8179-389e46542c1e@altlinux.org>
Date: Wed, 20 May 2026 15:29:12 +0300
From: Egor Ignatov
To: devel-kernel@lists.altlinux.org
Subject: Re: [d-kernel] [PATCH 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT
References: <20260506173722.1012394-1-egori@altlinux.org> <20260506173722.1012394-7-egori@altlinux.org>

On 5/9/26 3:34 AM, Vitaly Chikunov wrote:
> On Wed, May 06, 2026 at 08:37:22PM +0300, Egor Ignatov wrote:
>> Signed-off-by: Egor Ignatov
>
> It would be good for this patch to carry a short justification that this is mandatory for passing shim-review in order to get shim signed for Secure Boot, with a link:
>
> Link: https://github.com/rhboot/shim-review#how-does-your-signed-kernel-enforce-lockdown-when-your-system-runs-with-secure-boot-enabled

Agreed. I would also note that this is not only a shim requirement but also a recommendation of the Center for Security Research of System Software (Центр исследований безопасности системного программного обеспечения) [1].

[1] https://portal.linuxtesting.ru/LVCSecureBoot.html#4_3

>
>> ---
>> config | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/config b/config
>> index 9aaf07ae98..596785caa3 100644
>> --- a/config
>> +++ b/config
>> @@ -10132,6 +10132,7 @@ CONFIG_SECURITY_YAMA=y
>> CONFIG_SECURITY_SAFESETID=y
>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>> +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
>> CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
>> # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
>> # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
>> --
>> 2.50.1
>>
>> _______________________________________________
>> devel-kernel mailing list
>> devel-kernel@lists.altlinux.org
>> https://lists.altlinux.org/mailman/listinfo/devel-kernel

-- 
Egor Ignatov
ALT Linux Team
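Review bot: The commit message above this hunk consists of nothing but the Signed-off-by line, so the reason for flipping CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT to =y is not recorded anywhere in the patch itself; the two references already given in this thread (the shim-review lockdown question and the LVC Secure Boot recommendation, section 4.3) belong in the commit message, ideally as Link: tags. It would also help to state explicitly that CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y, visible as an unchanged line in the same hunk, is kept on purpose: lockdown is meant to engage only when the kernel detects it was booted under EFI Secure Boot, not unconditionally, and a reader of the hunk alone cannot tell whether leaving FORCE_NONE set was deliberate or an oversight.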