On Tue, 14.10.25 11:54, Chris Murphy ([email protected]) wrote:

> >> It's not correct nothing is gained by a different fs. Aside from
> >> pooling, (open)SUSE has leveraged Btrfs for bootable snapshots. Can
> >> Fedora do this some other way? Yes, it'd be more work, rather than
> >> leveraging what Btrfs is designed to do. GRUB follows snapshots just
> >> fine, and has for a very long time.
> >
> > Whenever you do something like this it implies you are not interested
> > in a proper, modern authentication/encryption boot chain, because if
> > you do that you basically have to turn your boot loader into something
> > that speaks verity, does tpm2 measurements and policy enforcement,
> > that does fido2, and pkcs#11. And frankly, that's just not realistic
> > to reimplement in a boot loader.
>
> Apple and Microsoft have implemented all of what you say is
> unrealistic, except verity, into their bootloaders. Literally how
> all of iOS boots, not even the bootloader is exposed on a simple
> system. And on desktop and server Windows, only the bootloader is
> exposed as plaintext, everything else is on Bitlocker encrypted
> NTFS.
They have a lot fewer options than us, a *lot*. Only one fs for
example. No verity. Not as many unlock mechanisms and so on.

> Are you saying only AOSP is using a modern boot chain? Is anyone
> else using verity? You want Fedora to mimic mobile device booting?
> That's a pretty significant change.

chromeos has verity for example, for more than a decade. And yes, for
a properly secured system you need to have that.

Lennart

--
Lennart Poettering, Berlin
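The verity check the thread keeps returning to, as an added example that is not from the thread, from systemd, from veritysetup or from the kernel: a Python model of a dm-verity-style hash tree. It follows the shape dm-verity uses (4 KiB data blocks, each leaf hash computed as H(salt || block), 128 child hashes packed into one 4 KiB hash block, and a single root hash that the rest of the boot chain must obtain from a trusted source), but it is not byte-compatible with veritysetup's on-disk format, which adds a superblock and other parameters this model omits. The salt, the two sample images and the single-bit tamper are constructed for the example; nothing here is taken from a real image.

```python
"""dm-verity-style hash tree: build it, then verify single blocks against a
trusted root hash while treating every intermediate hash as untrusted.
Illustrative code written for this page, not from systemd, veritysetup or
the kernel; structure follows dm-verity, on-disk format is not reproduced."""
import hashlib

BLOCK_SIZE = 4096
HASH_ALGO = "sha256"
DIGEST_SIZE = hashlib.new(HASH_ALGO).digest_size   # 32 bytes for sha256
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE        # 128 child hashes per 4 KiB hash block

# Constructed sample inputs (assumptions for this example, not real data).
SALT = bytes.fromhex("0123456789abcdef" * 4)
IMAGE = bytes(range(256)) * (5 * 16) + b"rootfs tail"   # 5 full blocks plus a partial one
BIG_IMAGE = bytes(range(256)) * (131 * 16)              # 131 full blocks: needs two hash levels


def _hash_block(salt, block):
    """dm-verity hash_type 1 convention: H(salt || block)."""
    h = hashlib.new(HASH_ALGO)
    h.update(salt)
    h.update(block)
    return h.digest()


def split_blocks(data):
    """Cut data into BLOCK_SIZE blocks, zero-padding the last partial block."""
    data += b"\x00" * ((-len(data)) % BLOCK_SIZE)
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def _pack_hash_block(hashes):
    """Concatenate up to HASHES_PER_BLOCK child hashes into one zero-padded hash block."""
    packed = b"".join(hashes)
    return packed + b"\x00" * (BLOCK_SIZE - len(packed))


def build_tree(data, salt):
    """Return (root_hash, levels): levels[0] are leaf hashes, levels[-1] == [root]."""
    levels = [[_hash_block(salt, b) for b in split_blocks(data)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([
            _hash_block(salt, _pack_hash_block(prev[i:i + HASHES_PER_BLOCK]))
            for i in range(0, len(prev), HASHES_PER_BLOCK)
        ])
    return levels[-1][0], levels


def verify_block(blocks, index, salt, root_hash, levels):
    """Check one data block against the *trusted* root hash, reading every
    intermediate hash from the *untrusted* tree. Like dm-verity's per-read
    check: walk from the root down, verifying each hash block before trusting
    any entry inside it, then compare the data block against the verified leaf."""
    trusted = root_hash
    for level in range(len(levels) - 2, -1, -1):
        idx = index // (HASHES_PER_BLOCK ** level)            # our ancestor's position at this level
        start = (idx // HASHES_PER_BLOCK) * HASHES_PER_BLOCK  # first entry of its hash block
        hash_block = _pack_hash_block(levels[level][start:start + HASHES_PER_BLOCK])
        if _hash_block(salt, hash_block) != trusted:
            return False                                      # tree does not chain to the pinned root
        trusted = levels[level][idx]
    return _hash_block(salt, blocks[index]) == trusted


def flip_bit(data, byte_offset, bit=0):
    """Constructed tamper: flip one bit of the image (offline modification)."""
    buf = bytearray(data)
    buf[byte_offset] ^= 1 << bit
    return bytes(buf)


def demo(image=IMAGE, tamper_index=2):
    """Outcomes for the scenarios the thread argues about, as a dict of bools."""
    root, tree = build_tree(image, SALT)
    blocks = split_blocks(image)
    tampered = split_blocks(flip_bit(image, tamper_index * BLOCK_SIZE + 17))
    # An attacker who can also rewrite the hash device will rebuild a consistent tree...
    evil_root, evil_tree = build_tree(b"".join(tampered), SALT)
    return {
        "hash_levels": len(tree),
        "clean_all_ok": all(verify_block(blocks, i, SALT, root, tree) for i in range(len(blocks))),
        "tampered_block_rejected": not verify_block(tampered, tamper_index, SALT, root, tree),
        "untouched_block_still_ok": verify_block(tampered, 0, SALT, root, tree),
        # ...but cannot satisfy a root hash the boot chain pinned from a signed or measured source.
        "rebuilt_tree_rejected_under_pinned_root": not verify_block(tampered, tamper_index, SALT, root, evil_tree),
        "rebuilt_tree_accepted_under_its_own_root": verify_block(tampered, tamper_index, SALT, evil_root, evil_tree),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    for name, value in demo(BIG_IMAGE, tamper_index=129).items():
        print(f"big/{name}: {value}")
```

Run it directly to print each scenario for the small image and for the 131-block image (which exercises a second hash level). The point the code makes about the boot loader: the hash tree on disk is untrusted and only the root hash is trusted, and the root hash is worth nothing unless something earlier in the chain vouches for it, which is where the signature verification, TPM measurements and policy enforcement the thread discusses have to live.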
