Hi Chris

On 20/01/2021 17:06, Chris Murphy wrote:
> On Tue, Jan 19, 2021 at 10:43 AM Mark Pearson <markpearson@xxxxxxxxxx> wrote:
>>
>> Some background: We need the latest kernel/alsa/pulse/libfprint and
>> their dependencies for supporting the new 2021 HW - and as we'll be
>> (hopefully) releasing before F34 is available we're looking for
>> F33+updates and the best way to provide that in a way that works for the
>> community and our preload process.
>
> We need to coordinate a shim update, one that's signed with new world
> keys (post-BootHole) which doesn't yet exist.
>
> Specifically, if the new hardware will come with UEFI Secure Boot
> enabled, it will need a preloaded image containing either pre-BootHole
> revocation database. Shim needs to be updated before the revocation
> database or the system will not boot.
>
> If this preload image is also going to form the basis for a recovery
> partition, this is a bigger concern because it'd be rendered
> unbootable once the revocation database is pushed. Fedora hasn't
> decided to push the revocation database automatically, but other
> distros do so aggressively. Microsoft has thus far delayed pushing the
> post-BootHole revocation db, but eventually they will sometime this
> year.
>

We still have secure boot disabled by default for Linux systems - it's something I want to turn on but every time we look at it there are a few headaches and there's some process in manufacturing too to resolve and it just never quite makes it high enough in the list to become a priority.

I'm not going to get that solved for this round so I don't think it has to block this effort. Something I'm happy to look at for platforms later in the year with F34/F35? Let me know if I'm missing something important.

Mark