Hi All, I've been working on rebasing Fedora's secure boot approach to using the secure_module patches Matthew Garrett posted upstream. Below are the changes to do this. Things to note: 1) Most people won't even notice a change as the impacts to userspace remain the same. 2) We're dropping the pekey patches. It's a large chunk of code that is dead upstream and has no usage within Fedora. 3) The kexec patch should likely get reworked to prevent loading, and that has been noted upstream. 4) At some point we'll look at adding support for hibernate likely via the patches that OpenSUSE has introduced. 5) This falls back to using the upstream .modsign_keyring instead of .system_keyring. The concept of a system keyring is decent, but at the moment it isn't going anywhere upstream. We can look at switching back at some point in the future. josh _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
