From: Vitaly Kuznetsov on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2917#note_1807239692 I think it would make sense to make it possible for an addon to target 'standard' UKI / 'debug' UKI / both in the infrastructure which Emanuele is trying to create. Personally, I would not be overthinking security issues of debug addons just **now** and wait until we get a request for an addon which we will consider 'unsafe'. As command line addons are currently rigid, i.e. it's impossible to have something like 'root=*', I don't think we have that many kernel options which require denylisting. For the extreme cases with very strong security requirements, adding other PCRs (e.g. PCR4) to the sealing policy might be a good option. -- _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
