Comment 27 for bug 1855668

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-04-06 11:28 EDT-------
I tested the ppa kernel patch which links secureboot with lockdown.

When secureboot is disabled:
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/lockdown
[none] integrity confidentiality

When secureboot is enabled:
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/lockdown
none [integrity] confidentiality

It does move to integrity lockdown mode.

Daniel helped with testing the lockdown functionality itself in secureboot enabled state.

Here are his test results:
xmon is in read-only mode.

54:mon> ls is_ppc_secureboot_enabled
is_ppc_secureboot_enabled: c000000000085430
54:mon> b c000000000085430
Operation disabled: xmon in read-only mode
54:mon>

/dev/mem is blocked:
root@ltc-wspoon13:/boot# cat /dev/mem
cat: /dev/mem: Operation not permitted
root@ltc-wspoon13:/boot# dmesg|tail
...
[ 991.917345] Lockdown: cat: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7

He also ensured that kexec load is disabled and can boot successfully to a signed kernel if the key is present in the keyring.

Thanks to Daniel for the linking patch between secureboot and lockdown, and also for the quick testing of lockdown itself.
Thanks to the Canonical team for respinning the kernel with the updated patch from Daniel.

Thanks to Michael for his support throughout this work.

Thanks & Regards,
- Nayna
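The checks in this comment (reading the bracketed active mode from /sys/kernel/security/lockdown, and spotting the `Lockdown:` denial line in dmesg) are easy to script so the same verification can be rerun on other boots. The following is an added example written for this page, not code from the bug report or the kernel; the sample status lines and the dmesg line are constructed from the output shown above, and the expectation that secure boot on means "integrity or stricter" while secure boot off means "none" is an assumption matching what the comment describes.

```shell
#!/bin/sh
# Added example (not from the bug report): verify the secureboot/lockdown
# linkage by parsing the lockdown status file format shown above.

# Extract the active (bracketed) token from a lockdown status line,
# e.g. "none [integrity] confidentiality" -> "integrity".
lockdown_active_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)]$/\1/p'
}

# Read the live status if the sysfs file is readable (normally needs root);
# prints an empty string otherwise so callers can report "unavailable".
lockdown_read() {
    if [ -r /sys/kernel/security/lockdown ]; then
        cat /sys/kernel/security/lockdown
    else
        printf ''
    fi
}

# Return 0 when the active mode matches the secure boot state:
# enabled  -> integrity or confidentiality (assumption: stricter is acceptable)
# disabled -> none
# Any other state argument returns 2.
lockdown_matches_secureboot() {
    sb="$1"
    mode=$(lockdown_active_mode "$2")
    case "$sb" in
        enabled)  [ "$mode" = "integrity" ] || [ "$mode" = "confidentiality" ] ;;
        disabled) [ "$mode" = "none" ] ;;
        *)        return 2 ;;
    esac
}

# Count kernel log lines (dmesg on stdin) recording a lockdown denial,
# the audit trail produced when /dev/mem was opened in the report above.
lockdown_denial_count() {
    grep -cE 'Lockdown: .*is restricted' || true
}

# Constructed sample input in the same format as the report.
SAMPLE_SB_OFF='[none] integrity confidentiality'
SAMPLE_SB_ON='none [integrity] confidentiality'
SAMPLE_DMESG='[  991.917345] Lockdown: cat: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[  992.103311] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# Stand-alone run: check the live system if possible, else the samples.
if [ "${LOCKDOWN_DEMO:-1}" = "1" ]; then
    live=$(lockdown_read)
    if [ -n "$live" ]; then
        echo "live lockdown mode: $(lockdown_active_mode "$live")"
    else
        echo "sample (secure boot off): $(lockdown_active_mode "$SAMPLE_SB_OFF")"
        echo "sample (secure boot on):  $(lockdown_active_mode "$SAMPLE_SB_ON")"
    fi
    echo "lockdown denials in sample dmesg: $(printf '%s\n' "$SAMPLE_DMESG" | lockdown_denial_count)"
fi
```

Run it as root on a booted system to compare the live mode against the secure boot state your firmware reports (e.g. `lockdown_matches_secureboot enabled "$(lockdown_read)"`); pipe `dmesg` into `lockdown_denial_count` to confirm that blocked accesses are being logged and are visible to your log collection.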