Hi!
kernel_lockdown.7 states:
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode.
However on my system with Secure Boot enabled, lockdown is only enabled with the appropriate lockdown= kernel parameters.
(See https://wiki.archlinux.org/title/Securi … kdown_mode)
Is the manpage misleading or am I missing something?
Thanks!
Last edited by Cvlc (2023-03-08 21:30:46)
It says x86, not x86_64. They should make that clearer. I have secure boot enabled on my x86_64 machine and I can confirm, lockdown isn’t enabled by default on it.
Good catch! Although other sources and articles don't mention this detail at all.
The man page for lockdown was initially sourced from Fedora https://git.kernel.org/pub/scm/docs/man … d670d3608d
There have been later commits adjusting it to match what was accepted into the upstream kernel. This could be another overlooked difference, as earlier iterations of the lockdown patch series did enable lockdown when Secure Boot was enabled https://git.kernel.org/pub/scm/linux/ke … 22b9b90203. That feature was rejected by Linus and so dropped.
Thanks! I was just reading about this right now.
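To check on a given machine what this thread discusses, the script below compares the firmware Secure Boot state with the kernel's active lockdown mode and flags the case where Secure Boot is on but lockdown is off. It is an added example, not code from any of the posts; it reads the kernel's `/sys/kernel/security/lockdown` file and the EFI `SecureBoot` variable in efivarfs, and the function names and the `EFIVARS`/`LOCKDOWN_FILE` overrides are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): compare Secure Boot state with lockdown mode.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
LOCKDOWN_FILE=${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}

# The kernel brackets the active mode, e.g. "none [integrity] confidentiality".
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Value of the last lockdown= argument on a kernel command line, empty if absent.
cmdline_lockdown() {
    val=
    for arg in $1; do
        case $arg in lockdown=*) val=${arg#lockdown=} ;; esac
    done
    printf '%s\n' "$val"
}

# efivarfs puts 4 attribute bytes before the data; byte 5 is the SecureBoot flag.
secure_boot_state() {
    var="$1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$var" ] || { echo unknown; return 0; }
    case $(od -An -tu1 -j4 -N1 "$var" | tr -d ' ') in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Verdict for a given Secure Boot state ($1) and lockdown mode ($2).
lockdown_verdict() {
    if [ "$1" = enabled ] && [ "$2" = none ]; then
        echo "MISMATCH: Secure Boot on, lockdown off (no lockdown= in effect)"
    else
        echo "OK: secure_boot=$1 lockdown=$2"
    fi
}

lockdown_report() {
    mode=unavailable   # file missing or unreadable: no lockdown LSM or no securityfs
    if [ -r "$LOCKDOWN_FILE" ]; then
        mode=$(active_lockdown_mode "$(cat "$LOCKDOWN_FILE")")
    fi
    echo "cmdline lockdown=$(cmdline_lockdown "$(cat /proc/cmdline 2>/dev/null)")"
    lockdown_verdict "$(secure_boot_state "$EFIVARS")" "$mode"
}

lockdown_report
```

A `MISMATCH` line means the running kernel did not enable lockdown on its own, so the mode has to come from a `lockdown=` kernel parameter.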