Bug 213577

Summary: kernel_lockdown.7 seems to be incorrect about automatically enabling lockdown mode in secure boot mode
Product: Documentation Reporter: Peter Cai (peter)
Component: man-pagesAssignee: documentation_man-pages (documentation_man-pages)
Status: NEW ---    
Severity: normal CC: hramrach, jlee, msuchanek
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: Subsystem:
Regression: No Bisected commit-id:

Description Peter Cai 2021-06-25 06:58:26 UTC 
As of the time of posting, the kernel_lockdown.7 manpage [1] contains a description about how lockdown mode is enabled by default when using EFI secure boot:

> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
> enabled
if the system boots in EFI Secure Boot mode.

I have not followed lockdown development upstream recently, but it seems that as of today the feature described above is still a downstream patch shipped by some distributions like Fedora [2][3]. If this is the case, then including this statement in the man page would be inappropriate, since it would not apply to other distributions such as Arch Linux which do not include said patches.

[1]: https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man7/kernel_lockdown.7#n31
[2]: https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/Patchlist.changelog#_205
[3]: https://gitlab.com/cki-project/kernel-ark/-/commit/5850c93175b9d2e1081873f4bbe08dead202cb08
Comment 1 Alejandro Colomar 2021-07-03 19:01:49 UTC 
Added a few CCs.

On 6/25/21 8:58 AM, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=213577
> 
>             Bug ID: 213577
>            Summary: kernel_lockdown.7 seems to be incorrect about
>                     automatically enabling lockdown mode in secure boot
>                     mode
>            Product: Documentation
>            Version: unspecified
>           Hardware: All
>                 OS: Linux
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: man-pages
>           Assignee: documentation_man-pages@kernel-bugs.osdl.org
>           Reporter: peter@typeblog.net
>         Regression: No
> 
> As of the time of posting, the kernel_lockdown.7 manpage [1] contains a
> description about how lockdown mode is enabled by default when using EFI
> secure
> boot:
> 
>> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
>> enabled
> if the system boots in EFI Secure Boot mode.
> 
> I have not followed lockdown development upstream recently, but it seems that
> as of today the feature described above is still a downstream patch shipped
> by
> some distributions like Fedora [2][3]. If this is the case, then including
> this
> statement in the man page would be inappropriate, since it would not apply to
> other distributions such as Arch Linux which do not include said patches.
> 
> [1]:
>
> https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man7/kernel_lockdown.7#n31
> [2]:
>
> https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/Patchlist.changelog#_205
> [3]:
>
> https://gitlab.com/cki-project/kernel-ark/-/commit/5850c93175b9d2e1081873f4bbe08dead202cb08
>