mirror of
https://github.com/flatcar/scripts.git
synced 2025-10-24 05:41:04 +02:00
Shim signing for secure boot requires enforcing lockdown. There are three ways we can do this:

1. setting CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y. This unconditionally prevents loading unsigned kernel modules.
2. setting lockdown=integrity on the kernel cmdline from a signed Grub configuration. This would be OK, but Grub is not updated in the field right now, so we'd be stuck.
3. incorporating the secure-boot-lockdown patches that other major distros are using.

We're going to go with 3, because this only enforces lockdown when secure boot is actually enabled and lets us change approach later on.

These patches are sourced from Debian: https://sources.debian.org/src/linux/6.6.13-1~bpo12%2B1/debian/patches/features/all/lockdown/.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
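Added example, not code from the flatcar/scripts commit or from the Debian patches: a POSIX shell check that a booted system actually ended up in the lockdown mode the commit relies on, by reading the lockdown securityfs file and the EFI SecureBoot variable. It assumes the standard Linux paths /sys/kernel/security/lockdown and /sys/firmware/efi/efivars/SecureBoot-*; the function names and the sample strings are constructed.

```shell
#!/bin/sh
# Verify that lockdown is enforced whenever Secure Boot is on, which is the
# property option 3 above (the Debian lockdown patches) is meant to give.

# The securityfs file reads like "none [integrity] confidentiality";
# the bracketed word is the active mode.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Argument: hex dump of the efivarfs SecureBoot file (from `od -An -tx1`),
# e.g. "06 00 00 00 01". efivarfs prepends 4 attribute bytes to the value,
# so the fifth byte is the one-byte SecureBoot flag (01 = enabled).
secure_boot_enabled() {
    set -- $1
    [ "$5" = "01" ]
}

# Verdict: under Secure Boot the mode must be integrity or confidentiality
# (unsigned modules blocked). With Secure Boot off nothing is required.
lockdown_verdict() {
    mode=$(lockdown_mode "$1")
    if [ -z "$2" ]; then
        echo "unknown: Secure Boot state not readable (lockdown=$mode)"
    elif secure_boot_enabled "$2"; then
        case "$mode" in
            integrity|confidentiality)
                echo "enforced: lockdown=$mode under Secure Boot" ;;
            *)
                echo "NOT enforced: lockdown=$mode under Secure Boot" ;;
        esac
    else
        echo "not required: Secure Boot disabled (lockdown=$mode)"
    fi
}

# Run against the live system when the files exist (no-op elsewhere).
if [ -r /sys/kernel/security/lockdown ]; then
    sb_hex=""
    for f in /sys/firmware/efi/efivars/SecureBoot-*; do
        [ -r "$f" ] && sb_hex=$(od -An -tx1 "$f") && break
    done
    lockdown_verdict "$(cat /sys/kernel/security/lockdown)" "$sb_hex"
fi
```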