Comment 0 for bug 1884159

Revision history for this message
Seth Forshee (sforshee) wrote :

Impact: The lockdown patches have evolved over time, and part of this was restricting more areas of the kernel. Not all of these additions were backported, and some can lead to lockdown bypasses, see [1] and [2].

Fix: Backport newer lockdown restrictions to older releases.

Test Case: Test cases for most of the backports can be found at [3], and [4] is another test case. Some which need e.g. specific hardware to test have not been tested.

Regression Potential: Most of these are small, simple fixes with low potential for regression. Users may also lose access to some functionality previously accessible under secure boot. Some changes are more substantial, especially the hw_param changes for xenial, but they are based on well-tested upstream code. The xmon backports also carry a more moderate risk of regression.

[1] https://lists.ubuntu.com/archives/kernel-team/2020-June/111050.html
[2] https://<email address hidden>/
[3] https://git.launchpad.net/~sforshee/+git/lockdown-tests
[4] https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh
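A quick self-check of whether lockdown is actually enforcing on a running kernel, as an added example that is not part of the bug report or of the test suites linked at [3] and [4]. It assumes the securityfs interface /sys/kernel/security/lockdown (which reports something like "[none] integrity confidentiality" with the active mode in brackets) and probes a few raw-memory interfaces that lockdown is supposed to close off; the device list and the "blocked"/"allowed" vocabulary are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report): check that kernel lockdown blocks
# raw memory access. Assumes the securityfs lockdown file below exists on
# kernels with lockdown support.
LOCKDOWN_FILE=/sys/kernel/security/lockdown

# lockdown_mode STRING: print the active mode, i.e. the word in square
# brackets, from a line such as "[none] integrity confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# current_lockdown_mode: read the mode from securityfs, or print "absent"
# when the kernel has no lockdown support at all.
current_lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        lockdown_mode "$(cat "$LOCKDOWN_FILE")"
    else
        echo absent
    fi
}

# probe_read PATH: try to read a single byte from a restricted interface and
# print "missing" (no such node), "allowed" (read succeeded) or "blocked"
# (read failed, e.g. with EPERM from lockdown).
probe_read() {
    if [ ! -e "$1" ]; then
        echo missing
    elif dd if="$1" bs=1 count=1 of=/dev/null 2>/dev/null; then
        echo allowed
    else
        echo blocked
    fi
}

# expected_read_result MODE: in integrity or confidentiality mode raw
# memory access must be blocked; otherwise it is permitted.
expected_read_result() {
    case "$1" in
        integrity|confidentiality) echo blocked ;;
        *) echo allowed ;;
    esac
}

# run_checks: report the mode and compare each probe with the expectation.
run_checks() {
    mode=$(current_lockdown_mode)
    echo "lockdown mode: $mode"
    # Without root, DAC denials look the same as lockdown denials, so the
    # results are only meaningful when run as root.
    if [ "$(id -u)" -ne 0 ]; then
        echo "warning: not running as root; denials may be DAC, not lockdown"
    fi
    for dev in /dev/mem /dev/kmem /proc/kcore; do
        result=$(probe_read "$dev")
        if [ "$result" = missing ]; then
            echo "$dev: not present"
            continue
        fi
        echo "$dev: $result (expected $(expected_read_result "$mode"))"
    done
}

run_checks
```

Run it as root on the patched kernel with secure boot enabled; in integrity or confidentiality mode every present device should report "blocked", and a mismatch on a rebooted kernel is a quick first sign that a restriction was not carried by the backport.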