
I believe it's a set of kernel build flags and not a kernel parameter, in which case, not really. I initially said you could just replace the kernel with something that's been built without the flags and reboot, but apparently the second paragraph says it prevents that, though I'm not sure how updating the kernel would work in that case then.



There are build config options, but there's also a kernel parameter

> lockdown= [SECURITY] { integrity | confidentiality }

https://www.kernel.org/doc/Documentation/admin-guide/kernel-...


You need GRUB's help to do this. There is a 'verify' module you can use that makes GRUB load files that are signed with a given GPG key.

You build a GRUB efi binary that contains your key and only loads signed config files, initrds, and kernels and then sign that binary so that it can be loaded by UEFI.
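The procedure this comment outlines, written out as an added shell example (not the commenter's code or GRUB's own scripts). The key id, boot partition UUID, file paths and the Secure Boot db key/cert are placeholders; the module name is `verify` as the comment says, with a note that newer GRUB releases name the PGP verifier differently (an assumption to check against your modules directory).

```shell
# Added example, not from the original thread. KEYID, WORK, the UUID and
# the file paths below are placeholders you replace with your own values.
set -eu

KEYID="${KEYID:-placeholder-key-id}"
WORK="${WORK:-./grub-signed}"

# Embedded config: refuse any file without a valid detached signature,
# then hand over to the real (also signed) grub.cfg on the boot partition.
write_embedded_cfg() {
    cat <<'EOF'
set check_signatures=enforce
export check_signatures
search --no-floppy --fs-uuid --set=root BOOT-PART-UUID-PLACEHOLDER
configfile /grub/grub.cfg
EOF
}

# Build a standalone GRUB EFI image with the public key and the
# signature-checking module baked in. The module is "verify" in older
# GRUB; in 2.04+ the PGP verifier is a separately named module (assumption).
build_grub_efi() {
    gpg --export "$KEYID" > "$WORK/grub.pub"
    write_embedded_cfg > "$WORK/embedded.cfg"
    grub-mkstandalone -O x86_64-efi \
        --pubkey "$WORK/grub.pub" \
        --modules "verify gcry_sha256 gcry_rsa configfile search linux" \
        -o "$WORK/grubx64.efi" \
        "boot/grub/grub.cfg=$WORK/embedded.cfg"
}

# Every file GRUB will read (config, kernel, initrd) needs a detached
# signature stored next to it as <file>.sig.
sign_for_grub() {
    for f in "$@"; do
        gpg --default-key "$KEYID" --detach-sign -o "$f.sig" "$f"
    done
}

# Sign the image itself so UEFI Secure Boot accepts it (sbsign, from sbsigntools).
sign_for_uefi() {
    sbsign --key db.key --cert db.crt \
        --output "$WORK/grubx64.efi.signed" "$WORK/grubx64.efi"
}

if [ "${1:-}" = "run" ]; then
    mkdir -p "$WORK"
    build_grub_efi
    sign_for_grub /boot/grub/grub.cfg /boot/vmlinuz /boot/initrd.img
    sign_for_uefi
fi
```

Run it as `sh build-signed-grub.sh run` on the machine that holds the GPG secret key and the Secure Boot db key; the sourced functions do nothing on their own.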


I missed that part, so I'm honestly as puzzled as you are (I suppose the answer would be yes then).



