Linus Torvalds Hasn't Yet Decided On "LOCKDOWN" Functionality For Linux 5.4


  • Linus Torvalds Hasn't Yet Decided On "LOCKDOWN" Functionality For Linux 5.4

    Phoronix: Linus Torvalds Hasn't Yet Decided On "LOCKDOWN" Functionality For Linux 5.4

    The Linux 5.4 kernel merge window is set to close this weekend and as of writing it's still yet to be decided by Linus Torvalds whether to accept the kernel "lockdown" functionality feature for this release...


  • #2
    Typo:

    Originally posted by phoronix
    Among the limitations enforced in this lock-down mode is preventing hiberation support


    • #3
      Particularly for security conscious users and for applications like UEFI SecureBoot
      Particularly for companies to make it easier to lock down their devices.


      • #4
        Originally posted by tildearrow
        Particularly for companies to make it easier to lock down their devices.
        Commenting out stuff in their own kernel fork is just as fast, and does not require Torvalds' permission, drop this bs already.


        • #5
          As evidenced by the number of iterations that this has had to go through, kernel lockdown isn't all that trivial to implement correctly without breaking other things. Few companies would have the expertise and resources to maintain such a patchset and port it across kernel versions.

          Now it becomes just the flip of a kernel config option. That is a godsend for every company who sells locked down devices.


          • #6
            Originally posted by tildearrow
            Particularly for companies to make it easier to lock down their devices.
            As someone who works for a company that uses Android set top boxes, being able to lock them down to stop tampering is a good thing for us. This includes HDCP support and all the other things that we need to do to support playing back DRM content.

            Note that these are not devices consumers purchase.

            There are very legitimate use cases for this sort of thing outside of the "everything must be free" mantra.


            • #7
              Originally posted by chithanh
              As evidenced by the number of iterations that this has had to go through, kernel lockdown isn't all that trivial to implement correctly without breaking other things. Few companies would have the expertise and resources to maintain such a patchset and port it across kernel versions.
              Lol, "patchset", "maintain" and "port across kernel versions", very funny.

              No one does any of that in embedded. They get the SDK with the kernel and a basic OS and hack that to their liking. No updates, no nothing.

              This lockdown feature is for distribution maintainers for distros that will run on x86 and UEFI ARM servers, and maybe a few other kinds of embedded devices that are close enough to that use case and are frequently updated for some reason.

              As you said, this functionality makes sense only if you need to update and maintain the stuff and can't just hack out what they don't like easily.
              Last edited by starshipeleven; 28 September 2019, 08:03 AM.


              • #8
                Fedora has been shipping lockdown support for quite a while. No issues. Just get this merged already...


                • #9
                  Landed: https://www.phoronix.com/scan.php?pa...-Adds-Lockdown
                  Michael Larabel
                  https://www.michaellarabel.com/


                  • #10
                    Originally posted by boxie

                    As someone who works for a company that uses Android set top boxes, being able to lock them down to stop tampering is a good thing for us. This includes HDCP support and all the other things that we need to do to support playing back DRM content.

                    Note that these are not devices consumers purchase.

                    There are very legitimate use cases for this sort of thing outside of the "everything must be free" mantra.
                    I wish HDCP didn't exist at all... If it has been already broken, then what's the point?
