Gerd Hoffmann writes:
...
>> I'm talking about removing shim from the boot flow.
>
> That is not a goal of this change proposal, and it's not up for debate
> for phase #2. Maybe an option in a later phase, once we have a signed
> systemd-boot (see below).
Also, we have one more Fedora-specific
Hi,
> > > This is IMHO a mistake, the systemd-boot and UKI paths are the perfect
> > > time
> > > to break with shim and require some form of actual fedora/whatever secure
> > > boot key enrollment on the machine.
> >
> > This is not going to fly. There are too many cases where you simply
> >
Hi,
On 12/18/23 06:41, Gerd Hoffmann wrote:
On Fri, Dec 15, 2023 at 02:03:27PM -0600, Jeremy Linton wrote:
Hi,
Phase 2 goals
* Add support for booting UKIs directly.
** Boot path is shim.efi -> UKI, without any boot loader (grub,
sd-boot) involved.
This is IMHO a mistake, the sys
On Fri, Dec 15, 2023 at 02:03:27PM -0600, Jeremy Linton wrote:
> Hi,
>
> > Phase 2 goals
> >
> > * Add support for booting UKIs directly.
> > ** Boot path is shim.efi -> UKI, without any boot loader (grub,
> > sd-boot) involved.
>
> This is IMHO a mistake, the systemd-boot and UKI path
Jeremy Linton wrote:
> This is IMHO a mistake, the systemd-boot and UKI paths are the perfect
> time to break with shim and require some form of actual fedora/whatever
> secure boot key enrollment on the machine. Shim's fundamentally
> backdooring the UEFI security infrastructure, and frankly some
Hi,
On 12/5/23 14:38, Aoife Moloney wrote:
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Sum
Hi,
On 12/6/23 11:26, Vitaly Kuznetsov wrote:
Gerd Hoffmann writes:
Hi,
Does that mean that the Linux EFI boot code knows how to call back to
shim to get the certificates instead of reading the firmware directly?
No. The linux efi stub doesn't need that.
shim.efi does:
(a) Set ef
> Gerd Hoffmann this AFAIU means that we also need shim in the boot chain if we want to
> support these addons.
Only if you want to use certs in MOK to verify them, otherwise it's not
necessary. The protocol is just LoadImage which every firmware also provides
and checks against DB.
--
Gerd Hoffmann writes:
> Hi,
>
>> Does that mean that the Linux EFI boot code knows how to call back to
>> shim to get the certificates instead of reading the firmware directly?
>
> No. The linux efi stub doesn't need that.
>
> shim.efi does:
>
> (a) Set efi variables, where the linux kernel
Hi,
> Does that mean that the Linux EFI boot code knows how to call back to
> shim to get the certificates instead of reading the firmware directly?
No. The linux efi stub doesn't need that.
shim.efi does:
(a) Set efi variables, where the linux kernel can read the
certificates from.
On Wed, Dec 6, 2023 at 5:15 AM Gerd Hoffmann wrote:
>
> Hi,
>
> > What is the point of using shim in this path? We're not having UKIs
> > signed by Microsoft, and unless the Linux kernel knows how to call
> > shim for certificates, I don't see how this is supposed to be useful
> > for the Micros
Hi,
> What is the point of using shim in this path? We're not having UKIs
> signed by Microsoft, and unless the Linux kernel knows how to call
> shim for certificates, I don't see how this is supposed to be useful
> for the Microsoft->Fedora->OS boot chain.
Booting without shim.efi would work
On Tue, Dec 05, 2023 at 03:01:04PM -0600, Chris Adams wrote:
> Once upon a time, Aoife Moloney said:
> > * UKIs need this to find the root filesystem without root=... on the
> > kernel command line.
>
> How does this work in system with more than one Linux install? Or any
> more-complicated disk
On Tue, Dec 05, 2023 at 04:14:00PM -0500, Neal Gompa wrote:
> On Tue, Dec 5, 2023 at 3:47 PM Aoife Moloney wrote:
> >
> > This document represents a proposed Change. As part of the Changes
> > process, proposals are publicly announced in order to receive
> > community feedback. This proposal will
On Tue, Dec 5, 2023 at 3:47 PM Aoife Moloney wrote:
>
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering C
Once upon a time, Aoife Moloney said:
> * UKIs need this to find the root filesystem without root=... on the
> kernel command line.
How does this work in system with more than one Linux install? Or any
more-complicated disk setup (e.g. SW RAID)? Does this also lock users
out from ALL kernel com
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Improve support for unified kernels in
17 matches
Mail list logo
