Bug 1211813

Summary: Set ALP kernel to lockdown mode to align with SLE kernel
Product: [SUSE ALP - SUSE Adaptable Linux Platform] Granite
Reporter: Joey Lee <jlee>
Component: Kernel
Assignee: Joey Lee <jlee>
Status: RESOLVED FIXED
QA Contact:
Severity: Normal
Priority: P2 - High
CC: jcheung
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Joey Lee 2023-05-30 03:43:31 UTC
The current ALP kernel is duplicated from the openSUSE Tumbleweed kernel, so it is not locked down when secure boot is enabled. Set the kernel to integrity lockdown mode to align with the SLE kernel.

The Tumbleweed kernel will also be locked down after the locally built NVIDIA driver is supported with MOK on Tumbleweed.
Comment 1 Joey Lee 2023-05-30 03:52:13 UTC
Sent change to un-mark the following patches from series.conf for ALP kernel:

patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch
patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch
patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch
patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch
Comment 2 Joey Lee 2023-07-13 06:24:31 UTC
(In reply to Joey Lee from comment #1)
> Sent change to un-mark the following patches from series.conf for ALP kernel:
> 
> patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch
> patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch
> patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
> patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch
> patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch

Lockdown patches are merged to ALP-current kernel branch. Set FIXED.
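
Added example (not part of the bug report or of SUSE's patches): a shell check that a booted kernel matches the behaviour this bug asks for, i.e. lockdown at the integrity level when secure boot is enabled. It reads the standard securityfs and efivarfs interfaces; the function names are hypothetical, and accepting the stricter "confidentiality" level as a pass is an assumption.

```shell
#!/bin/sh
# Added example: verify "secure boot enabled => kernel locked down (integrity)".

# Print the active mode from lockdown-file content such as
# "none [integrity] confidentiality"; the bracketed word is the active one.
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Print 1 if the given SecureBoot EFI variable file says enabled, else 0.
# efivarfs prepends 4 attribute bytes, so the value is the 5th byte.
secure_boot_enabled() {
    [ -r "$1" ] || { echo 0; return; }
    val=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ "$val" = "1" ] && echo 1 || echo 0
}

# Args: secure-boot flag (0/1) and active lockdown mode.
# Assumption: "confidentiality" is stricter than "integrity", so it passes too.
check_policy() {
    case "$1:$2" in
        1:integrity|1:confidentiality) echo "OK" ;;
        1:*) echo "FAIL" ;;
        *) echo "N/A" ;;   # secure boot off: the policy does not apply
    esac
}

main() {
    sb_var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    ld_file=/sys/kernel/security/lockdown
    sb=$(secure_boot_enabled "$sb_var")
    mode=""
    [ -r "$ld_file" ] && mode=$(active_lockdown_mode "$(cat "$ld_file")")
    echo "secure_boot=$sb lockdown=${mode:-unknown} result=$(check_policy "$sb" "$mode")"
}

main
```

A result of FAIL means secure boot is on but the kernel reports no lockdown, which is the state the description gives for the ALP kernel before the patches were enabled.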