Re: The future of secure boot patches in Fedora

On Mon, Aug 22, 2016 at 06:00:44PM -0700, Laura Abbott wrote:
> On 08/22/2016 05:22 PM, Jarod Wilson wrote:
> >On Mon, Aug 22, 2016 at 03:50:22PM -0600, Chris Murphy wrote:
> >>On Mon, Aug 22, 2016 at 3:14 PM, Laura Abbott <labbott@xxxxxxxxxx> wrote:
> >>>On 08/22/2016 01:16 PM, Chris Murphy wrote:
> >>>>
> >>>>On Mon, Aug 22, 2016 at 2:08 PM, John Dulaney <jdulaney@xxxxxxx> wrote:
> >>>>>
> >>>>>On Mon, Aug 22, 2016 at 12:28:18PM -0700, Laura Abbott wrote:
> >>>>>>
> >>>>>>The secure boot patches have been around in the Fedora tree for a while now.
> >>>>>>They work well enough but there has not been much active work in getting
> >>>>>>them accepted upstream in recent years. The longer they exist out of tree
> >>>>>>the harder they get to maintain without extra support. If there isn't a
> >>>>>>path for the current secure boot patch set to be accepted upstream, we need
> >>>>>>to seriously consider if it's worth carrying long term.
> >>>>>>
> >>>>>>Thoughts?
> >>>>>
> >>>>>
> >>>>>So, how would we handle secure boot moving forward?
> >>>>
> >>>>
> >>>>How are other distros handling this? Does upstream have an alternative?
> >>>>
> >>>
> >>>There isn't one unified answer. Every distro seems to be doing something
> >>>different because upstream hasn't provided a single solution.
> >>>
> >>>Moving forward, we would treat secure boot like a feature that is still
> >>>in progress. This means taking the existing secure boot patches or
> >>>a new approach and submitting them in a way that's acceptable to the
> >>>upstream community. This is also code for "I don't know but what we have
> >>>isn't sustainable so let's discuss something better".
> >>
> >>Of course.
> >>
> >>What patch set are Red Hat and CentOS using? If they're not all using
> >>the same thing is it viable to get them all using the same thing?
> >
> >They're using the same basic thing, but CentOS 7 and its grandfather are
> >based on a 3.10 kernel, so there's a gulf of difference in the codebase of
> >that and current Fedora kernels, meaning there's no way they're going to
> >be using exactly the same code. And once it works one particular way in
> >Red Hat Enterprise Linux, it's unlikely to be swapped out wholesale for
> >the "new and improved" upstream way until the next major RHEL release.
> >Enterprise stability and stuff. So yeah, no, you really can't get them all
> >using the same thing. The kernel codebases are just faaaar too different
> >for a fairly invasive patchset that touches bits and pieces all over the
> >place in core areas.
> >
> 
> You're right, distros aren't going to swap out what they have in existing
> releases for the new hotness. I'd like to believe that if there was a
> workable upstream solution many distros would choose to converge on that
> for a future release with a corresponding kernel version.

Oh, they absolutely would, for future (major) releases. The issue is more
that yes, we can do something new and different in Fedora, but not in
CentOS/RHEL 7 or earlier.

> Maybe we will have to maintain some version of these patches for older
> kernels like CentOS but newer kernels could be common.

"We" being who? Red Hat is absolutely going to have to maintain them for
RHEL, as it's already shipped as a supported feature, and will have to
remain such for the life of at least RHEL7. CentOS gets it for free.
Fedora really only has to be concerned with Fedora, though at some point,
that could also carry over to the next RHEL kernel too... But if Red Hat
really wants to ship something in the next RHEL kernel, maybe Red Hat
ought to dedicate some resources to getting something upstream so we're
not having to carry out-of-tree crud for both Fedora *and* RHEL...

-- 
Jarod Wilson
jarod@xxxxxxxxxx
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx



