On Tue, Aug 23, 2016 at 7:23 AM, Thorsten Leemhuis <fedora@xxxxxxxxxxxxx> wrote:
> On 22.08.2016 23:14, Laura Abbott wrote:
>> On 08/22/2016 01:16 PM, Chris Murphy wrote:
>>> On Mon, Aug 22, 2016 at 2:08 PM, John Dulaney <jdulaney@xxxxxxx> wrote:
>>>> On Mon, Aug 22, 2016 at 12:28:18PM -0700, Laura Abbott wrote:
>>>>> The secure boot patches have been around in the Fedora tree for a while now.
>>>>> They work well enough but there has not been much active work in getting
>>>>> them accepted upstream in recent years. The longer they exist out of tree
>>>>> the harder they get to maintain without extra support. If there isn't a
>>>>> path for the current secure boot patch set to be accepted upstream, we need
>>>>> to seriously consider if it's worth carrying long term.
>>>>> Thoughts?
>>>> So, how would we handle secure boot moving forward?
>>> How are other distros handling this? Does upstream have an alternative?
>>
>> There isn't one unified answer. Every distro seems to be doing something
>> different because upstream hasn't provided a single solution.
>
> Hmmm. Is that really a good description of the current situation in this
> context? What patches are we actually talking about? I see about ten in
> git that are related to secure boot; among them are these:
>
> http://pkgs.fedoraproject.org/cgit/rpms/kernel.git/tree/Add-option-to-automatically-enforce-module-signature.patch
> http://pkgs.fedoraproject.org/cgit/rpms/kernel.git/tree/Add-secure_modules-call.patch
> http://pkgs.fedoraproject.org/cgit/rpms/kernel.git/tree/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
> http://pkgs.fedoraproject.org/cgit/rpms/kernel.git/tree/Add-sysrq-option-to-disable-secure-boot-mode.patch

There are more.
> Those or similar patches are in the latest ubuntu kernels as well:
>
> http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/commit/?id=2c025dacea2a5dc76391a0c338d46ce73049d24d
> http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/commit/?id=b2d26ece1936cc2a4201f516c3b0ffdd25597ea7
> http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/commit/?id=0838c26a63625a67392e5d11a9ac75463f349c8f
> http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/commit/?id=be77004bd69297b38fd3a7225174e59ef5c1ec39
>
> A few others are there as well afaics (I did not check each and
> every one). Ohh, and I can spot a few secure boot patches we use in
> the SLE-SP2 kernel as well (hint: they are in the patches.suse tarball).
> And as stated already elsewhere in this thread the patches in RHEL have
> a connection to our patches as well.
>
> So wouldn't it help already to look deeper into this and create a proper
> upstream for developing and upstreaming the patches some of the big
> players in the Distro market want and already use in some form?

That was already done once. The problem isn't distro adoption. The problem
is that despite being told we needed distro adoption (which we have) and
despite coming to an agreement on upstreaming them, they continued to be
nacked by other upstream developers that dislike them because they don't
solve every possible threat model or they don't like the implementation.
The latter can be changed, but when a lot of the argumentation is against
SB on political grounds it tends to lead to developers chasing their tails.

I'm not opposed to revisiting this upstream at all, but I don't want people
to get the impression that it will be simple or trivial to upstream.

josh

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx