Check what to do wrt. kernel lockdown
What’s the default in Debian?
Can/should we configure this in a stricter way?
Blocked by Tails - Feature #17495: Run most of our test suite with Secure Boot enabled (Confirmed)
#3 Updated by intrigeri 2020-04-24 08:43:42
On my sid system, with 5.5.0-2-amd64 (5.5.17-1), booted in UEFI (without Secure Boot, FWIW), kernel lockdown is disabled:
    # cat /sys/kernel/security/lockdown
    [none] integrity confidentiality
And indeed, in the kernel config file I see that none of the LOCK_DOWN_KERNEL_FORCE_* options are set, so the default LOCK_DOWN_KERNEL_FORCE_NONE is used.
Next step: run our test suite on a Tails image that adds the
lockdown=confidentiality boot option; if that breaks stuff, retry with
#6 Updated by intrigeri 2020-05-04 13:48:35
When Secure Boot is enabled on linux-image-5.5.0-2-amd64 5.5.17-1, the default lockdown level is “integrity” and it’s impossible to disable it; it’s only possible to raise it to “confidentiality”.
Note that at this point, we have no idea whether the “integrity” level breaks stuff: Feature #17495 would help answer that. So IMO we lack a baseline to consider raising the lockdown level.
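As an added example (not from the ticket or from Tails' own code), a small POSIX shell helper that parses the securityfs format quoted in comment #3 (the bracketed word is the active level), reads which LOCK_DOWN_KERNEL_FORCE_* symbol a kernel config selects, and checks the active level against a required baseline; the sample inputs are constructed, and /sys/kernel/security/lockdown is the path from the ticket.

```shell
#!/bin/sh
# Added example, not from the ticket: lockdown level parsing and baseline check.
set -eu

# lockdown_level "<securityfs line>" -> prints the active level.
# Input looks like "[none] integrity confidentiality"; the bracketed word is active.
lockdown_level() {
    level=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    case "$level" in
        none|integrity|confidentiality) printf '%s\n' "$level" ;;
        *) printf 'unrecognised lockdown output: %s\n' "$1" >&2; return 1 ;;
    esac
}

# level_rank "<level>" -> numeric ordering: none < integrity < confidentiality
level_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) return 1 ;;
    esac
}

# lockdown_at_least "<securityfs line>" "<required>" -> exit 0 if active >= required
lockdown_at_least() {
    have=$(lockdown_level "$1") || return 1
    [ "$(level_rank "$have")" -ge "$(level_rank "$2")" ]
}

# lockdown_config_default "<kernel .config text>" -> which FORCE_* default is =y
# (the CONFIG_LOCK_DOWN_KERNEL_FORCE_{NONE,INTEGRITY,CONFIDENTIALITY} symbols).
lockdown_config_default() {
    printf '%s\n' "$1" \
      | sed -n 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_\([A-Z]*\)=y$/\1/p' \
      | tr 'A-Z' 'a-z'
}

# current_lockdown_line -> live securityfs value if present, else a constructed
# sample matching the output quoted in comment #3 (so the script runs anywhere).
current_lockdown_line() {
    if [ -r /sys/kernel/security/lockdown ]; then
        cat /sys/kernel/security/lockdown
    else
        echo '[none] integrity confidentiality'   # constructed sample
    fi
}
```

Run `lockdown_at_least "$(current_lockdown_line)" integrity` in a test-suite step to fail loudly when a Secure Boot image boots below the "integrity" baseline the ticket describes.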