Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

michael louwe
Level 8
Posts: 2227
Joined: Sun Sep 11, 2016 11:18 pm

Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Post by michael louwe » Fri Apr 06, 2018 6:55 am

https://www.phoronix.com/scan.php?page= ... n-Concerns
(Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach - 3 April 2018)
.
For Win 8 and new UEFI computers in 2012, M$ mandated the OEMs to allow Secure Boot to be disabled.
....... For Win 10 in 2015, M$ mandated the OEMs have the discretion to allow Secure Boot to be disabled.

Recently, at the end of 2017, a few OEMs began to sell new Win 10 computers which do not allow Secure Boot to be disabled, e.g. Acer's S and E series laptops.
....... M$'s ARM-based Surface RT tablet PCs did not allow Secure Boot to be disabled.

Imagine, at the urging of M$, all the OEMs start not allowing Secure Boot to be disabled in all their new Win 10 computers = Matthew Garrett may have inadvertently caused all Linux kernels to become locked-down = kernel boot parameters cannot be edited = can only be unlocked by tech-geeks.
.

P.S. - Certain OEM Win 8.x/10 computers, e.g. Acer, Asus and HP, have an obstructive or pro-M$ UEFI-BIOS setting for "select an UEFI file as trusted for executing" (= Linux cannot boot). For the fix, please refer to ...
https://itsfoss.com/no-bootable-device-found-ubuntu/
viewtopic.php?t=236560

The above latest (= 2017) OEM laptops, e.g. Acer E and S series, may have even removed this UEFI-BIOS setting (e.g. "No bootable device" after installing Linux and cannot be fixed), but it may be restored by a new BIOS firmware update from the OEMs = update through Windows only. This was after many complaints from affected users. ...
viewtopic.php?f=46&t=254948
... Another workaround is ...
https://askubuntu.com/questions/862946/ ... re-es1-533

Faust
Level 4
Posts: 334
Joined: Thu Jul 14, 2016 3:40 am

Re: Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Post by Faust » Fri Apr 06, 2018 7:11 am

On a related note, I saw this earlier today (linked from Hacker News):

"Linux kernel lockdown and UEFI Secure Boot"
https://mjg59.dreamwidth.org/50577.html

... interesting reading.
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .

michael louwe
Level 8
Posts: 2227
Joined: Sun Sep 11, 2016 11:18 pm

Re: Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Post by michael louwe » Sat Apr 07, 2018 7:41 am

Matthew Garrett, the creator of Shim or shimx64.efi at Red Hat/Fedora, which allows most major Linux distros to be bootable with Secure Boot enabled, has been working for Google since Jan 2018. He has been pushing to lock down the Linux kernel with Secure Boot enabled.

It seems he is trying to lock down the Linux kernel for the Linux desktop OS like how Google had locked down the Linux kernel for her proprietary Android mobile OS = average users could not boot Android devices to do a clean reinstall or reimage with a Recovery or Install media, e.g. a microSD card, USB flash-drive or DVD - only tech-geeks could.
....... Is he preparing Google to enter the world desktop OS market against M$-Windows.?

michael louwe
Level 8
Posts: 2227
Joined: Sun Sep 11, 2016 11:18 pm

Re: Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Post by michael louwe » Sun Apr 08, 2018 5:24 am

The origin of this patch at kernel.org ... https://www.phoronix.com/scan.php?page= ... wn-Patches
[Kernel Lockdown Patches Published (LOCK_DOWN_KERNEL) - 17 Nov 2016]

catweazel
Level 14
Posts: 5448
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Post by catweazel » Sun Apr 08, 2018 5:27 am

michael louwe wrote:
Sat Apr 07, 2018 7:41 am
....... Is he preparing Google to enter the world desktop OS market against M$-Windows.?
Interesting thought.
A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it. - Max Planck

Laurent85
Level 14
Posts: 5291
Joined: Tue May 26, 2015 10:11 am

Re: Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Post by Laurent85 » Sun Apr 08, 2018 8:26 am

The current Kernel Lockdown patch series tied to Secure Boot will not be merged into the kernel tree any time soon. Quoting Linus:
And dammit, if you tie them together, you had damn well have a good
reason. So far, your reasons have _literally_ been "Why not?" and
tried to make the onus be on others to explain to you why not.

That's not the right approach to begin with, Matthew. The onus is on
*you* to explain why you tied them together, not on others to explain
to you - over and over - that they have nothing to do with each other.

This discussion is over until you give an actual honest-to-goodness
reason for why you tied the two features together. No more "Why not?"
crap.
Side note: I suspect the reason is something along the lines of "there
are political reasons".

But dammit, if that's the case, those should be documented and
explained, not answered with "why not" when people ask why something
is the case.
THE TWO THINGS ARE ENTIRELY INDEPENDENT.

I'm done with you. You're not listening, and you're repeating bogus
arguments that make no sense.

No way in hell will I merge anything like this.
http://lkml.iu.edu/hypermail/linux/kern ... 01597.html
http://lkml.iu.edu/hypermail/linux/kern ... 01600.html
http://lkml.iu.edu/hypermail/linux/kern ... 01607.html

Portreve
Level 6
Posts: 1067
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida

Re: Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Post by Portreve » Sun Apr 08, 2018 7:12 pm

Laurent85 wrote:
Sun Apr 08, 2018 8:26 am
THE TWO THINGS ARE ENTIRELY INDEPENDENT.

I'm done with you. You're not listening, and you're repeating bogus
arguments that make no sense.

No way in hell will I merge anything like this.
That's my guy. Good on you, Linus.
Everything is in hand. With this tapestry... and with patience, there is nothing one cannot achieve.

No hamsters were harmed in the authoring of this post.
