>>>>>>> The secure boot patches have been around in the Fedora tree for a
>>>>>>> while now. They work well enough but there has not been much active
>>>>>>> work in getting them accepted upstream in recent years. The longer
>>>>>>> they exist out of tree the harder they get to maintain without extra
>>>>>>> support. If there isn't a path for the current secure boot patch set
>>>>>>> to be accepted upstream, we need to seriously consider if it's worth
>>>>>>> carrying long term.
>>>>>>>
>>>>>>> Thoughts?
>>>>>>
>>>>>> So, how would we handle secure boot moving forward?
>>>>>
>>>>> How are other distros handling this? Does upstream have an alternative?
>>>>
>>>> There isn't one unified answer. Every distro seems to be doing something
>>>> different because upstream hasn't provided a single solution.
>>>>
>>>> Moving forward, we would treat secure boot like a feature that is still
>>>> in progress. This means taking the existing secure boot patches or
>>>> a new approach and submitting them in a way that's acceptable to the
>>>> upstream community. This is also code for "I don't know, but what we
>>>> have isn't sustainable, so let's discuss something better".
>>>
>>> Of course.
>>>
>>> What patch set are Red Hat and CentOS using? If they're not all using
>>> the same thing, is it viable to get them all using the same thing?
>>
>> They're using the same basic thing, but CentOS 7 and its grandfather are
>> based on a 3.10 kernel, so there's a gulf of difference in the codebase of
>> that and current Fedora kernels, meaning there's no way they're going to
>> be using exactly the same code. And once it works one particular way in
>> Red Hat Enterprise Linux, it's unlikely to be swapped out wholesale for
>> the "new and improved" upstream way until the next major RHEL release.
>> Enterprise stability and stuff. So yeah, no, you really can't get them all
>> using the same thing. The kernel codebases are just faaaar too different
>> for a fairly invasive patchset that touches bits and pieces all over the
>> place in core areas.
>
> You're right, distros aren't going to swap out what they have in existing
> releases for the new hotness. I'd like to believe that if there was a
> workable upstream solution, many distros would choose to converge on that
> for a future release with a corresponding kernel version. Maybe we will
> have to maintain some version of these patches for older kernels like
> CentOS, but newer kernels could be common.

Sounds like a good topic to be brought up at plumbers conf.

P

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx