Re: F38 proposal: Unified Kernel Support Phase 1 (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



  Hi,

> * Enhance parted/libparted to support arbitrary GUIDs and enhance blivet to understand the full listing of GUIDs? Or

parted is done, blivet still todo.
https://bugzilla.redhat.com/show_bug.cgi?id=1075288#c7

> the CLI tool seems not to support it but maybe fdisk does.

sfdisk supports it.  The workaround mentioned in the change page looks
like this:

# setup discoverable partitions
/usr/sbin/sfdisk --part-type /dev/sda 3 4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709  # Linux root (x86-64)

> > * Add proper systemd-boot support to installers.
> 
> Great. The gotcha though is this in effect requires a change in the
> file system currently mounted at /boot, which is ext4. And ext4 isn't
> supported by sd-boot or UEFI firmware. So if you're going to support
> sd-boot, the installer needs to be aware that either the ESP is big
> enough to be used as /boot, or if it's not big enough then it will be
> mounted on /efi *and* a new partition XBOOTLDR formatted as FAT will
> be used as /boot.

Well, for the virtual machine use case isn't a problem, you can just
make the ESP big enough and even drop the separate /boot filesystem
then.

For the general case we need some other option.  Could be just stick to
grub2 for those cases (we'll continue to need grub2 anyway for bios boot
and ppc64le).  Or drop an ext4 driver to /boot/efi/EFI/systemd/drivers,
for example this one:
  https://github.com/tianocore/edk2-platforms/tree/master/Features/Ext4Pkg

> > * Better secure boot support (specifically the initrd is covered by
> > the signature).
> 
> We need to solve the glaring hole that is the initrd. There's no
> question about it. I can't really assess if this feature is the best
> way to do that. Or if it would be adequate for dracut to self-sign
> every locally generated initrd with a unique key pair and throw away
> the private key after each initrd is generated.

The private key management problem unfortunately isn't solved that
easily ... 

When using distro signatures you don't have the key management problem
in the first place.

> Or if we could do enough strict standardization in the boot chain with
> a possibly larger kernel to avoid needing an initrd, i.e. get to
> sysroot mount faster thereby obviating the need for a large initrd.

The initrd does more than carrying drivers.  Finding the root filesystem
for example.  The kernel's builtin feaure set for root= is small
compared to what a dracut initrd is able to do.

take care,
  Gerd
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux