On Thu, Jan 19, 2023 at 04:34:49PM +0100, Julian Andres Klode wrote:
> Now how do we enforce that we don't update the shim on the ESP when we
> don't have kernels trusted by it? One thing is clear: In the
> maintainer script we need to check which kernels are signed by our CA
> and see if all of them are in the revoked kernels (if you only have
> self-signed kernels, or no signed kernels or whatever we don't care
> about it in the context of this key revocation).
>
> Option 1: Fail in preinst
> This breaks a large apt upgrade in the middle leading to apport errors
> and unconfigured packages on the system as apt doesn't complete
> unrelated tasks necessarily.
>
> Option 3: Alternatives
> We ship both the latest and previous shim in shim-signed, install them
> both as alternatives. If trusted kernels are around, the 'latest'
> alternative gets priority 100 and the 'previous' gets priority 50;
> without trusted kernels the priorities are reversed.
> We then add a kernel postinst.d hook that swaps the priorities and
> reconfigures shim-signed (installs it to the ESP) when a trusted
> kernel is being installed.

I am personally not convinced that it was necessary to avoid failing in the preinst. Given that kernels are always published to -security and security updates are by default installed automatically on a frequent cadence, I don't think the incidence of users having failures in the preinst would have been very high, and that even users who encountered the preinst failure would have done so as part of small upgrades within a release, not large upgrades where the preinst failure causes significant problems in recovering.

However, you've implemented option 3 and, having reviewed it from an SRU perspective, I can't find fault with the implementation. So we'll move forward with this approach.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
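The priority-swap logic of "Option 3" above, as an added sketch that is not the shim-signed package's own maintainer script or hook. It assumes the kernel lists are already classified (the constructed `CA_SIGNED_KERNELS` and `REVOKED_KERNELS` stand in for the signature check against the CA and the shim's revocation list), and the alternative link, name and `.latest`/`.previous` paths are placeholders, not the package's real layout.

```shell
#!/bin/sh
# Added illustration of the shim-signed alternatives design discussed above.
# Constructed sample data: which installed kernels carry our CA's signature,
# and which of those the new shim revokes. Self-signed/unsigned kernels are
# deliberately left out, as the quoted mail says they do not matter here.
CA_SIGNED_KERNELS="vmlinuz-5.15.0-56-generic vmlinuz-5.15.0-60-generic"
REVOKED_KERNELS="vmlinuz-5.15.0-56-generic"

# Prints 1 if at least one CA-signed kernel is NOT in the revoked list (i.e. the
# new shim would still boot something on this machine), otherwise 0.
have_trusted_kernel() {
    signed="$1"; revoked="$2"
    for k in $signed; do
        found=0
        for r in $revoked; do
            [ "$k" = "$r" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && { echo 1; return 0; }
    done
    echo 0
}

# Prints "<latest-priority> <previous-priority>": 100/50 when a trusted kernel
# exists, reversed (50/100) when every CA-signed kernel is revoked or none exist.
shim_priorities() {
    if [ "$(have_trusted_kernel "$1" "$2")" -eq 1 ]; then
        echo "100 50"
    else
        echo "50 100"
    fi
}

# Emits (does not run) the update-alternatives calls a kernel postinst.d hook
# would issue before reconfiguring shim-signed so the winner lands on the ESP.
# Link, name and candidate paths are PLACEHOLDERS (assumed, not the real ones).
alternatives_commands() {
    signed="$1"; revoked="$2"
    set -- $(shim_priorities "$signed" "$revoked")   # $1=latest, $2=previous
    link="/usr/lib/shim/shimx64.efi.signed"          # placeholder link path
    echo "update-alternatives --install $link shim-signed $link.latest $1"
    echo "update-alternatives --install $link shim-signed $link.previous $2"
}

alternatives_commands "$CA_SIGNED_KERNELS" "$REVOKED_KERNELS"
```

With the sample data one CA-signed kernel survives revocation, so the latest shim wins at priority 100; change `REVOKED_KERNELS` to list both kernels and the two lines swap priorities.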