Re: The future of secure boot patches in Fedora


 



On 08/22/2016 02:50 PM, Chris Murphy wrote:
On Mon, Aug 22, 2016 at 3:14 PM, Laura Abbott <labbott@xxxxxxxxxx> wrote:
On 08/22/2016 01:16 PM, Chris Murphy wrote:

On Mon, Aug 22, 2016 at 2:08 PM, John Dulaney <jdulaney@xxxxxxx> wrote:

On Mon, Aug 22, 2016 at 12:28:18PM -0700, Laura Abbott wrote:

The secure boot patches have been around in the Fedora tree for a while now.
They work well enough but there has not been much active work in getting
them accepted upstream in recent years. The longer they exist out of tree
the harder they get to maintain without extra support. If there isn't a
path for the current secure boot patch set to be accepted upstream, we need
to seriously consider if it's worth carrying long term.

Thoughts?


So, how would we handle secure boot moving forward?


How are other distros handling this? Does upstream have an alternative?


There isn't one unified answer. Every distro seems to be doing something
different because upstream hasn't provided a single solution.

Moving forward, we would treat secure boot like a feature that is still
in progress. This means taking the existing secure boot patches or
a new approach and submitting them in a way that's acceptable to the upstream
community. This is also code for "I don't know but what we have isn't
sustainable so let's discuss something better".

Of course.

What patch set are Red Hat and CentOS using? If they're not all using
the same thing is it viable to get them all using the same thing?

I'd think that without an upstream solution that this must be an issue
for all the distros supporting Secure Boot in one form or another.
Hmm, no schedule yet for Linux Kernel Summit and Linux Plumbers
Conference.

Without Secure Boot we run up against making dual boot with Windows
messier for users, effectively encouraging them to permanently leave
it off which possibly opens them up to bootloader malware with their
Windows installation.  Most users will not flip Secure Boot
enabled/disabled when going between Fedora and Windows, they'll just
give up and leave it disabled, in my estimation. (I sorta hate dual
boot, but that's beside the point.)


Right. Secure boot _is_ an important feature.

Disregarding the dual boot case, is some form of measured boot a
better way forward? I have no idea what the state of hardware is with
TPM vs Secure Boot.


There is a TPM microconference happening at Plumbers (I think?).

Thanks,
Laura
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx



