On 6/25/26 8:15 AM, Lennart Poettering wrote:
Given that the UEFI's trust/security architecture during boot focuses
on authenticating individual binaries (rather than authenticating file
systems as a whole) it is essential that file systems accessed during
boot loader runtime are as simple as possible. i.e. FAT is simply the
best option, because comparatively simple.

It's funny how CSsushiMan  and Lennart, with their nearly entirely opposite backgrounds, essentially have the same intuition that early boot stages need to have a clean, green field of a simple kernel/initrd layout.  I actually agree; the combinatorial explosion of possibilities with all the filesystems, MD/DM layers, encryption, RAID, etc, etc, is just too hard to manage.

My reservation used to be the unencrypted boot artifacts allowed tampering and subversion of the boot process---but of course now the secure boot can use  TPM verification chain to protect them.

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to