On Tue, Aug 23, 2016 at 4:05 AM, Peter Robinson <pbrobinson@xxxxxxxxx> wrote:
>>>>>>>> The secure boot patches have been around in the Fedora tree for a while
>>>>>>>> now. They work well enough but there has not been much active work in
>>>>>>>> getting them accepted upstream in recent years. The longer they exist
>>>>>>>> out of tree the harder they get to maintain without extra support. If
>>>>>>>> there isn't a path for the current secure boot patch set to be accepted
>>>>>>>> upstream, we need to seriously consider if it's worth carrying long
>>>>>>>> term.
>>>>>>>>
>>>>>>>> Thoughts?
>>>>>>>
>>>>>>> So, how would we handle secure boot moving forward?
>>>>>>
>>>>>> How are other distros handling this? Does upstream have an alternative?
>>>>>
>>>>> There isn't one unified answer. Every distro seems to be doing something
>>>>> different because upstream hasn't provided a single solution.
>>>>>
>>>>> Moving forward, we would treat secure boot like a feature that is still
>>>>> in progress. This means taking the existing secure boot patches or a new
>>>>> approach and submitting them in a way that's acceptable to the upstream
>>>>> community. This is also code for "I don't know but what we have isn't
>>>>> sustainable so let's discuss something better".
>>>>
>>>> Of course.
>>>>
>>>> What patch set are Red Hat and CentOS using? If they're not all using
>>>> the same thing is it viable to get them all using the same thing?
>>>
>>> They're using the same basic thing, but CentOS 7 and its grandfather are
>>> based on a 3.10 kernel, so there's a gulf of difference in the codebase of
>>> that and current Fedora kernels, meaning there's no way they're going to
>>> be using exactly the same code. And once it works one particular way in
>>> Red Hat Enterprise Linux, it's unlikely to be swapped out wholesale for
>>> the "new and improved" upstream way until the next major RHEL release.
>>> Enterprise stability and stuff. So yeah, no, you really can't get them all
>>> using the same thing. The kernel codebases are just faaaar too different
>>> for a fairly invasive patchset that touches bits and pieces all over the
>>> place in core areas.
>>
>> You're right, distros aren't going to swap out what they have in existing
>> releases for the new hotness. I'd like to believe that if there was a
>> workable upstream solution many distros would choose to converge on that
>> for a future release with a corresponding kernel version. Maybe we will
>> have to maintain some version of these patches for older kernels like
>> CentOS but newer kernels could be common.
>
> Sounds like a good topic to be brought up at plumbers conf.

The problem is, it was. Like 3 years ago. We even had agreement. Then
things failed. I'll be there and I'm happy to discuss it again, but I'm
not holding my breath.

josh

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx