On 06/22/2011 03:20 PM, seth vidal wrote:
> On Wed, 2011-06-22 at 20:02 +0100, Matthew Garrett wrote:
> Are we going to continue the double grub entries? While I realize that
> tboot SHOULD allow non TXT hw to boot properly I also realize that any
> differences will be pointed to as a point of contention when debugging
> semi-related problems. So it seems like the double entries are wise.
>
> Additionally, is the grub modification implemented in grubby and does
> this behave properly on a yum update of the kernel?

I'd say how to handle the grub entries is basically the entire point of the feature request. I was surprised to learn the other day that they filed a request at all since this was really just about making a change to grubby. I don't know how they plan to handle it.

Systems which don't support TXT are easy. They will work fine. The CPU won't say it supports TXT and tboot will just move along.

The real problem is systems which claim to support TXT, but then don't. tboot is actually really smart and will record that it tried a TXT-enabled boot and if it fails will not use the TXT instructions the next time (this happens on things like the Lenovo x201). On other platforms, like the Lenovo x210, TXT does something when setting the iommus in a safe state which causes the video card to go haywire when it tries to get set up. Now tboot can't tell this, since TXT completed and the kernel did actually launch successfully, but I'd imagine half ass broken hardware won't be common for too long. Intel had a kernel patch they thought would fix the problem, but I lost access to the system in question before I could test it (and I don't know if it was sent upstream).

Systems which ACTUALLY support TXT are easy. They just work and you don't even know your kernel was measured and the iommus programmed to be safe before it launched.

So yeah, installing tboot if it automatically enables itself can be a problem on some broken hardware.
I would certainly recommend against making tboot a part of the default install. But if a user installs it, it should 'just work', without manually updating grub on every kernel update.

-Eric