Gerd Hoffmann <kraxel@xxxxxxxxxx> writes:

...

>> I'm talking about removing shim from the boot flow.
>
> That is not a goal of this change proposal, and it's not up for debate
> for phase #2. Maybe an option in a later phase, once we have a signed
> systemd-boot (see below).

Also, we have one more Fedora-specific problem: we can't create a new SB cert for signing UKIs, so we're currently using the same cert as the traditional kernel. This works if you enroll the cert in DB, but then these kernels are indistinguishable if you only look at PCR7, which complicates creating PCR policies a lot.

The reason why we can't have a new SB certificate is not technical but organizational: currently, the private parts of the certs are on physical cards which a few people have, and issuing a new one is a real pain. Rumor has it this is going to change, and I'd really like to have it included in 'phase #3'.

In phase #2, we can probably add an option to 'uki-direct' to add UKIs without shim to BootXXXX. This certainly won't be the default and will require the Fedora cert to be enrolled into DB/MOK, but for specific use-cases (e.g. AWS with a provisioned varstore) this can be used.

--
Vitaly

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
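The PCR7 point made in the message above, as an added model that is not part of the thread or of any Fedora tooling: firmware extends PCR7 with the Secure Boot configuration and the db certificate that authorised the booted image, never with the image hash itself (which lands in PCR4). The TPM extend chaining is real, but the event contents are simplified byte strings rather than TCG UEFI_VARIABLE_DATA encodings, and the certificate and image values are constructed placeholders.

```python
# Added model (not from the thread): why a shared Secure Boot signing cert
# makes a traditional kernel and a UKI look identical in PCR7.
# Assumptions: TPM 2.0 SHA-256 bank; event structures are simplified to
# byte strings rather than real TCG UEFI_VARIABLE_DATA encodings.
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || H(event_data))."""
    return sha256(pcr + sha256(event_data))

# Constructed Secure Boot variable contents (placeholders, not real DER).
SB_VARS = [("SecureBoot", b"\x01"), ("PK", b"pk-cert"), ("KEK", b"kek-cert"),
           ("db", b"db-cert-list"), ("dbx", b"dbx-hash-list")]

def boot_measurements(image: bytes, authority_cert: bytes) -> dict:
    """Firmware-side measurements for one verified boot image (simplified).
    PCR7: Secure Boot config (EV_EFI_VARIABLE_DRIVER_CONFIG) plus the db
          entry that authorised the image (EV_EFI_VARIABLE_AUTHORITY).
    PCR4: the image's own hash (EV_EFI_BOOT_SERVICES_APPLICATION).
    The image hash is never part of PCR7; only the signing authority is.
    """
    pcr7 = bytes(32)
    for name, value in SB_VARS:
        pcr7 = extend(pcr7, name.encode() + value)
    pcr7 = extend(pcr7, b"db" + authority_cert)
    pcr4 = extend(bytes(32), image)
    return {"pcr4": pcr4, "pcr7": pcr7}

# Constructed sample artefacts (hypothetical values, not real Fedora keys).
FEDORA_KERNEL_CERT = b"constructed: Fedora kernel signing cert"
FEDORA_UKI_CERT = b"constructed: hypothetical dedicated UKI cert"
TRADITIONAL_KERNEL = b"constructed: vmlinuz bytes"
UKI_IMAGE = b"constructed: UKI PE bytes"

def pcr7_policy_can_distinguish(cert_a: bytes, cert_b: bytes) -> bool:
    """True if a policy sealed to PCR7 alone can tell the two images apart."""
    a = boot_measurements(TRADITIONAL_KERNEL, cert_a)["pcr7"]
    b = boot_measurements(UKI_IMAGE, cert_b)["pcr7"]
    return a != b

if __name__ == "__main__":
    shared = pcr7_policy_can_distinguish(FEDORA_KERNEL_CERT, FEDORA_KERNEL_CERT)
    dedicated = pcr7_policy_can_distinguish(FEDORA_KERNEL_CERT, FEDORA_UKI_CERT)
    print("shared cert, PCR7 distinguishes:   ", shared)     # False
    print("dedicated cert, PCR7 distinguishes:", dedicated)  # True
```

A policy that must tell the two apart today therefore has to bind PCR4 (or a PCR11-style UKI measurement) as well, which is the extra complexity the message refers to.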