lockdown: set default (with Secure Boot) to LOCKDOWN_INTEGRITY_MAX

LOCKDOWN_CONFIDENTIALITY_MAX restricts a lot of useful features, even security ones (like monitoring via BPF), while not adding that much value for common use cases. Set the default level to LOCKDOWN_INTEGRITY_MAX as Ubuntu, RedHat and SUSE did recently. iovisor/bcc#2565 (comment) https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1868626 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=ef7c6600bb3e https://bugzilla.redhat.com/show_bug.cgi?id=1815571 Closes: #956197
SolidRun · Apr 8, 2020 · c2ea339 · c2ea339
1 parent 6e1581a
commit c2ea339
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/debian/changelog b/debian/changelog
@@ -30,6 +30,10 @@ linux (5.6.2-1~exp1) UNRELEASED; urgency=medium
   * [x86] udeb: Add crc32_pclmul to crc-modules
   * udeb: Add crc32_generic to crc-modules
 
+  [ Luca Boccassi ]
+  * lockdown: set default (with Secure Boot) to LOCKDOWN_INTEGRITY_MAX
+    (Closes: #956197)
+
  -- Ben Hutchings <benh@debian.org>  Mon, 30 Mar 2020 14:50:42 +0100
 
 linux (5.5.13-1) unstable; urgency=medium

diff --git a/.../patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/.../patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -56,7 +56,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  			set_bit(EFI_SECURE_BOOT, &efi.flags);
 +#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
 +			lock_kernel_down("EFI Secure Boot",
-+					 LOCKDOWN_CONFIDENTIALITY_MAX);
++					 LOCKDOWN_INTEGRITY_MAX);
 +#endif
  			pr_info("Secure boot enabled\n");
  			break;