On Tue, Dec 05, 2023 at 04:14:00PM -0500, Neal Gompa wrote: > On Tue, Dec 5, 2023 at 3:47 PM Aoife Moloney <amoloney@xxxxxxxxxx> wrote: > > > > This document represents a proposed Change. As part of the Changes > > process, proposals are publicly announced in order to receive > > community feedback. This proposal will only be implemented if approved > > by the Fedora Engineering Steering Committee. > > > > == Summary == > > Improve support for unified kernels in Fedora. > > > > == Owner == > > * Name: [[User:kraxel| Gerd Hoffmann]] > > * Email: kraxel@xxxxxxxxxx > > > > * Name: [[User:vittyvk| Vitaly Kuznetsov]] > > * Email: vkuznets@xxxxxxxxxx > > > > > > == Detailed Description == > > See [[ Changes/Unified_Kernel_Support_Phase_1 ]] for overview and Phase 1 goals. > > > > ==== Phase 2 goals ==== > > > > * Add support for booting UKIs directly. > > ** Boot path is shim.efi -> UKI, without any boot loader (grub, > > sd-boot) involved. > > ** The UEFI boot configuration will get an entry for each kernel installed. > > ** Newly installed kernels are configured to be booted once (via BootNext). > > ** Successful boot of the system will make the kernel update permanent > > (update BootOrder). > > * Enable UKIs for aarch64. > > ** Should be just flipping the switch, dependencies such as kernel > > zboot support are merged. > > * Add a UEFI-only cloud image variant which uses UKIs. > > ** Also suitable for being used in confidential VMs. > > ** Cover both x86_64 and aarch64. > > > > What is the point of using shim in this path? We're not having UKIs > signed by Microsoft, and unless the Linux kernel knows how to call > shim for certificates, I don't see how this is supposed to be useful > for the Microsoft->Fedora->OS boot chain. The VM UEFI firmware almost always only has the Microsoft certs installed. Thus the only thing it can boot is shim, which is signed by Microsoft. The boot configuration tells shim to boot the desired UKI, signed by Fedora, instead of its compiled default of booting grub. The only way you could do away with shim is to install the Fedora certs in UEFI directly, which isn't something most public clouds or other VM mgmt tools support well (if at all). With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
