Added Thomas and Clark if any more inputs

On Tue, 20 Dec 2022 at 23:06, James Bottomley
<James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, 2022-12-20 at 11:43 +0800, Dave Young wrote:
> > Hi Ard,
> >
> > Real time kernels usually disable efi runtime for latency issues,
>
> Could you say a bit more about this?  I was under the impression we
> only call efi runtime services when asked: for variable or capsule
> updates or if you use the EFI RTC.  So if you don't use EFI services in
> a real time kernel, you shouldn't suffer any latency issues due to
> having them enabled.

I do not have much background, but from below kconfig option, it will
be disabled by default when PREEMPT_RT is set

config EFI_DISABLE_RUNTIME
        bool "Disable EFI runtime services support by default"
        default y if PREEMPT_RT

>
> > but for some use cases, e.g. when Secure Boot is used kexec needs to
> > get the UEFI keys to verify the kernel signatures with
> > kexec_file_load syscall.
>
> It's not just kexec.  Without EFI variable services, you won't be able
> to update the MoK keys for new kernels either.

Yes, one workaround is people can use kernel cmdline to enable runtime
and update MoK keys, then reboot with the default setup.  This is not
ideal though.

>
> James
>
>
> >
> > Do you have suggestions on how to make both work?
> > Is it possible to have something like CONFIG_EFI_DISABLE_RUNTIME_LATE
> > so the runtime can be disabled after init phase or a runtime switch
> > in sysctl?
> >
> > Thanks
> > Dave
> >
>
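
The following check is an added example, not part of the message above and not kernel code: it predicts from a kernel config and a boot command line whether EFI runtime services (and with them MoK updates and the UEFI key lookup for kexec_file_load) will be available. It assumes the override is spelled efi=runtime / efi=noruntime, that efi= parameters apply in command-line order, and that runtime wins when both appear in one list; the function name and the sample inputs are constructed for illustration, and other switches such as noefi are not modelled.

```shell
#!/bin/sh
# efi_runtime_state CONFIG_FILE CMDLINE
# Prints "enabled" or "disabled": the predicted state of EFI runtime services.
# The body runs in a subshell so set -f and the variables stay local.
efi_runtime_state() (
    config_file=$1
    cmdline=$2
    set -f   # no globbing while splitting the command line into words

    # Build-time default: CONFIG_EFI_DISABLE_RUNTIME=y (default y if
    # PREEMPT_RT) means runtime services start out disabled.
    if grep -q '^CONFIG_EFI_DISABLE_RUNTIME=y$' "$config_file"; then
        state=disabled
    else
        state=enabled
    fi

    # Boot-time override: walk every efi= parameter in order.
    for arg in $cmdline; do
        case $arg in
            efi=*)
                opts=",${arg#efi=},"   # pad so each option is comma-delimited
                # Assumption: noruntime is evaluated before runtime, so
                # runtime wins when one efi= list carries both.
                case $opts in *,noruntime,*) state=disabled ;; esac
                case $opts in *,runtime,*) state=enabled ;; esac
                ;;
        esac
    done
    printf '%s\n' "$state"
)

# Constructed sample input: an RT config fragment and two command lines.
demo_cfg=$(mktemp)
printf 'CONFIG_PREEMPT_RT=y\nCONFIG_EFI_DISABLE_RUNTIME=y\n' > "$demo_cfg"
efi_runtime_state "$demo_cfg" 'root=/dev/sda2 ro quiet'
efi_runtime_state "$demo_cfg" 'root=/dev/sda2 ro efi=runtime'
rm -f "$demo_cfg"
```

On a live system the same function can be fed /boot/config-$(uname -r) and the contents of /proc/cmdline, where the distribution ships those files.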