On Thu, Dec 22, 2022 at 10:35 AM Gerd Hoffmann <kraxel@xxxxxxxxxx> wrote: > > Hi, > > > Hmm, the updated Change is mostly okay. I disagree that you have any > > real security benefits since all the Secure Boot stuff in Linux is > > still in a bad place. > > It's a step into the right direction, but I agree, it alone doesn't > improve the situation much. I think we need to overthink the whole > secure boot signing process in Fedora. For starters we need to use > different signing keys for UKI and non-UKI kernels, so it is possible > (for the user if he chooses so) to disable booting non-UKI kernels to > really plug the unsigned initrd hole. > > shim project planning to move from compiled-in certificates to signed > certificates in separate files should make it easier to manage this. > As part of this, we *really* need to make the process for managing supported/enabled certificates reasonable and independent of the firmware restrictions. > But all that is probably worth a separate change proposal and a separate > discussion. > > > I would like the Change document to be updated > > to include feedback about Secure Boot in there to further justify how > > restricted the scope will remain for Phase 1. > > > > Additionally, "discoverable partitions" fixes nothing for Fedora right > > now. There are two problems here: > > * We don't have a discoverable subvolume specification for Btrfs > > * Discoverable partition specification falls over dead with snapshots. > > > > Don't plan on using systemd-boot. I've said why before in other > > threads, so I'm not repeating it again. > > > > Drop locking out modified kernel command lines. That's pretty much a > > non-starter. > > > > If you want to pursue a Fedora Cloud image with UKIs, please bring it > > up with the Cloud SIG, keeping in mind the feedback I listed. > > Noted. I'll rework the Change proposal early next year, I'm almost off > into my xmas holidays. > Makes sense. Have a merry Christmas and a happy new year! :) -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
