------- Comment From [email protected] 2020-04-06 11:28 EDT -------

I tested the ppa kernel patch which links secureboot with lockdown.

When secureboot is disabled:

    ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/lockdown
    [none] integrity confidentiality

When secureboot is enabled:

    ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/lockdown
    none [integrity] confidentiality

It does move to integrity lockdown mode.

Daniel helped with testing the lockdown functionality itself in the secureboot enabled state. Here are his test results:

xmon is in read-only mode:

    54:mon> ls is_ppc_secureboot_enabled
    is_ppc_secureboot_enabled: c000000000085430
    54:mon> b c000000000085430
    Operation disabled: xmon in read-only mode
    54:mon>

/dev/mem is blocked:

    root@ltc-wspoon13:/boot# cat /dev/mem
    cat: /dev/mem: Operation not permitted
    root@ltc-wspoon13:/boot# dmesg|tail
    ...
    [ 991.917345] Lockdown: cat: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7

He also ensured that kexec load is disabled and that it can boot successfully to a signed kernel if the key is present in the keyring.

Thanks to Daniel for the linking patch between secureboot and lockdown, and also for the quick testing of lockdown itself. Thanks to the Canonical team for respinning the kernel with the updated patch from Daniel. Thanks to Michael for his support throughout this work.

Thanks & Regards,
- Nayna

--
https://bugs.launchpad.net/bugs/1855668
Title: lockdown on power
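The checks in the comment above, as an added example that is not part of the bug report: a POSIX sh script that reads the active mode out of /sys/kernel/security/lockdown in the bracketed format shown, rates it against the integrity level expected when secure boot is on, and extracts "Lockdown:" denials from dmesg-style lines. The dmesg sample is constructed; the second line models a blocked unsigned kexec and is an assumption about that message's wording.

```shell
#!/bin/sh
# Added example, not from the bug comment: lockdown state and denial checks.
# Paths and the lockdown message format follow the comment; the log is constructed.

# Active mode from the sysfs file contents: "none [integrity] confidentiality"
# yields "integrity" (the bracketed entry is the one in effect).
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Strictness rank: none < integrity < confidentiality; -1 for unknown text.
lockdown_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo -1 ;;
    esac
}

# Succeed when mode $1 is at least as strict as mode $2.
lockdown_at_least() {
    have=$(lockdown_rank "$1"); want=$(lockdown_rank "$2")
    [ "$have" -ge 0 ] && [ "$have" -ge "$want" ]
}

# Reduce "[ t ] Lockdown: <comm>: <operation> is restricted; see man kernel_lockdown.7"
# to "<comm> <operation>" so denials can be reviewed or alerted on.
lockdown_denials() {
    sed -n 's/^.*Lockdown: \([^:]*\): \(.*\) is restricted;.*$/\1 \2/p'
}

# Live check: with secure boot enabled the comment expects integrity mode.
lockdown_report() {
    f=/sys/kernel/security/lockdown
    [ -r "$f" ] || { echo "$f not readable (needs root)"; return 2; }
    mode=$(lockdown_mode "$(cat "$f")")
    if lockdown_at_least "$mode" integrity; then
        echo "lockdown mode $mode: integrity restrictions in effect"
    else
        echo "WARNING: lockdown mode '$mode', kernel not locked down"
    fi
}

# Constructed dmesg sample (second line is an assumed unsigned-kexec denial).
SAMPLE_DMESG='[  991.917345] Lockdown: cat: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[  992.001000] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7'
printf '%s\n' "$SAMPLE_DMESG" | lockdown_denials
if [ -r /sys/kernel/security/lockdown ]; then lockdown_report; fi
```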
