openSUSE Begins Enforcing Secure Boot Kernel Lockdown

Written by Matt Milano
Linux distro openSUSE has begun enforcing Kernel Lockdown when Secure Boot is enabled, creating issues for many users.

Kernel Lockdown was introduced in version 5.4 of the Linux kernel. It is an important security feature designed to protect the running kernel from tampering and unauthorized modification. It works together with Secure Boot, a mechanism that ensures the boot process runs only legitimate, trusted code signed with Microsoft-controlled master keys.

While openSUSE has long supported Secure Boot, it did not have Kernel Lockdown enabled for its Tumbleweed distro. Because Tumbleweed is a rolling distro, where updates are pushed out as they become available instead of waiting for a point release, leaving Kernel Lockdown disabled made it easier for users to deal with unsigned kernel modules and drivers, such as Nvidia drivers.

According to a Reddit thread that also links to an openSUSE mailing list, Microsoft evidently refused to continue signing openSUSE’s bootloader shim unless Kernel Lockdown was enabled. As a result, beginning with kernel 6.2.1, openSUSE Tumbleweed will enable Kernel Lockdown whenever Secure Boot is also enabled.

Microsoft’s reasons for insisting on Kernel Lockdown being enabled are easy to understand. Without it, Secure Boot is essentially useless, giving anyone who had it enabled a false sense of security.

At the same time, users who rely on Nvidia drivers on the fast-moving Tumbleweed now have a choice to make: either disable Secure Boot or manually sign those modules so that the kernel can load them.

Even for users without Nvidia cards, hibernation is another casualty of the change: it no longer works on systems with Secure Boot enabled, although there is ongoing discussion about how to re-enable it alongside Secure Boot.

Contrary to many opinions, while Microsoft does serve as the central signing authority, Secure Boot is not a Microsoft attempt to control people’s hardware, as evidenced by the fact that users can sign their own modules. openSUSE provides instructions on how to do so at the following link:

https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot
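The two things a Tumbleweed user now needs are a way to tell which lockdown mode the running kernel is in, and a way to sign out-of-tree modules with their own Machine Owner Key (MOK) so that Secure Boot can stay on. The script below is an added example written for this article; it is not code from the article, from openSUSE's documentation or from the NVIDIA packaging. It reads the kernel's lockdown state from `/sys/kernel/security/lockdown` (where the active mode is shown in brackets), and wraps the standard `openssl`, `mokutil` and `sign-file` steps. The `sign-file` path under `/lib/modules/$(uname -r)/build/scripts/` and the key directory `/var/lib/local-mok` are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example: inspect Secure Boot / Kernel Lockdown state and sign
# out-of-tree modules with a Machine Owner Key. Not from the article.

# Extract the active mode from the lockdown file's contents, e.g.
#   "none [integrity] confidentiality"  ->  "integrity"
parse_lockdown() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Live lockdown mode, or "unavailable" when securityfs is not mounted
lockdown_state() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        parse_lockdown "$(cat "$f")"
    else
        echo unavailable
    fi
}

# What the mode means for unsigned modules
module_policy() {
    case "$1" in
        none) echo "unsigned modules load" ;;
        integrity|confidentiality)
            echo "unsigned modules rejected; sign with MOK or disable Secure Boot" ;;
        *) echo "unknown" ;;
    esac
}

# One-time setup: create a local signing key and queue its certificate for
# enrollment. mokutil asks for a one-time password; the enrollment is
# confirmed in MokManager (the blue shim screen) on the next reboot.
# Key directory is an assumption; any root-only directory works.
mok_create_and_enroll() {
    dir=${1:-/var/lib/local-mok}
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=Local module signing key/" \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der"
    chmod 600 "$dir/MOK.priv"
    mokutil --import "$dir/MOK.der"
}

# Sign each module given on the command line. Compressed modules (.zst/.xz,
# as shipped by Tumbleweed) must be signed uncompressed, so they are unpacked,
# signed and repacked in place. sign-file location is an assumption.
mok_sign_modules() {
    dir=${MOK_DIR:-/var/lib/local-mok}
    signfile="/lib/modules/$(uname -r)/build/scripts/sign-file"
    for m in "$@"; do
        case "$m" in
            *.ko.zst) zstd -q -d --rm "$m"; ko=${m%.zst}; repack="zstd -q --rm" ;;
            *.ko.xz)  xz -d "$m";          ko=${m%.xz};  repack="xz" ;;
            *.ko)     ko=$m;               repack="" ;;
            *) echo "skipping $m: not a kernel module" >&2; continue ;;
        esac
        "$signfile" sha256 "$dir/MOK.priv" "$dir/MOK.der" "$ko"
        [ -n "$repack" ] && $repack "$ko"
    done
}

# Show who signed a module (empty output means unsigned)
module_signer() {
    modinfo -F signer "$1"
}

# Usage (as root):
#   mokutil --sb-state            # is Secure Boot on?
#   module_policy "$(lockdown_state)"
#   mok_create_and_enroll && reboot
#   mok_sign_modules /lib/modules/$(uname -r)/updates/nvidia*.ko.zst
#   module_signer /lib/modules/$(uname -r)/updates/nvidia.ko.zst
```

After enrolling the key and rebooting, re-run `module_policy "$(lockdown_state)"`: the mode will still be `integrity`, which is the point; the kernel keeps rejecting unsigned modules while accepting the ones signed with the enrolled MOK. Every kernel or driver update that replaces the `.ko` files has to be re-signed, which is why the rolling Tumbleweed model makes this more of a chore than on a point-release distro.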
