On Wed, 2011-06-22 at 20:02 +0100, Matthew Garrett wrote: > http://fedoraproject.org/wiki/Features/Trusted_Boot is a proposed > feature for F16. We've traditionally had a hard objection to the > functionality because it required either the distribution or downloading > of binary code that ran on the host CPU, but it seems that there'll > shortly be systems that incorporate the appropriate sinit blob in their > BIOS, which is a boundary we've traditionally been fine with. > > However, this is the kind of feature that has a pretty significant > impact on the distribution as a whole. Fesco decided that we should > probably have a broader discussion about the topic. The most obvious > issues are finding a sensible way to incorporate this into Anaconda, but > it's also then necessary to make sure that bootloader configuration is > updated appropriately. > > Outside that, is there any other impact? Does tboot perform any > verification of the kernels, and if so how is that configured? Is the > expectation that an install configured with TXT will only boot trusted > kernels, and if so what mechanism is used to verify the kernel? Is there > any further integration work that has to be performed for this to be > useful? > Are we going to continue the double grub entries? while I realize that tboot SHOULD allow non TXT hw to boot properly I also realize that any differences will be pointed to as a point of contention when debugging semirelated problems. so it seems like the double entries are wise. Additionally, is the grub modifyication implemented in grubby and does this behave properly on a yum update of the kernel? -sv -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
