Re: [d-kernel] [PATCH 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT

From: Vitaly Chikunov <vt@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Subject: Re: [d-kernel] [PATCH 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT
Date: Sat, 9 May 2026 03:34:14 +0300
Message-ID: <af6AIf_7i1z13ztK@altlinux.org> (raw)
In-Reply-To: <20260506173722.1012394-7-egori@altlinux.org>

On Wed, May 06, 2026 at 08:37:22PM +0300, Egor Ignatov wrote:
> Signed-off-by: Egor Ignatov <egori@altlinux.org>

Было бы неплохо в этом патче иметь небольшое обоснование, что это
обязательно для прохождения shim-review для подписи shim для Secure
Boot, со ссылкой:

  Link: https://github.com/rhboot/shim-review#how-does-your-signed-kernel-enforce-lockdown-when-your-system-runs-with-secure-boot-enabled

> ---
>  config | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/config b/config
> index 9aaf07ae98..596785caa3 100644
> --- a/config
> +++ b/config
> @@ -10132,6 +10132,7 @@ CONFIG_SECURITY_YAMA=y
>  CONFIG_SECURITY_SAFESETID=y
>  CONFIG_SECURITY_LOCKDOWN_LSM=y
>  CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
>  CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
>  # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
>  # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> -- 
> 2.50.1
> 
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel