On 3/23/21 2:27 PM, Colin Watson wrote:
> On Tue, Mar 23, 2021 at 12:37:20PM +0100, Javier Martinez Canillas wrote:

[snip]

>>
>> For this particular case, it might be better for distros to just revert commit
>> 9e95f45ceee ("verifiers: Move verifiers API to kernel image") instead of making
>> it conditional for i386-pc, adding complexity to the GRUB upstream code IMO.
>
> That would also mean skipping or substantially modifying your lockdown
> patch that followed it, which requires great care. I did something like
> this in various forms for our security updates because there wasn't much
> choice there, but I'm not keen on it as a long-term solution.
>
> In the long term, we do seem to want to have the verifiers API in the
> kernel image at least for EFI platforms, don't we? So reverting that
> patch entirely seems like a bad move, and Michael's approach seems a
> reasonable compromise.
>

Yes, that's a good point. Accepting Michael's patch to fix the issue for i386-pc
but start pushing back other patches whose goal is to keep the GRUB core image
minimal seems to be a good middle ground for this topic.

Best regards,
--
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat