On Tue, 20 Feb 2024 at 02:03, xnox <dimitri.ledkov@xxxxxxxxxxxxx> wrote:
>
> Ard Biesheuvel <ardb@xxxxxxxxxx> writes:
>
> > On Thu, 15 Feb 2024 at 12:12, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >>
> >> On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
> >> > On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >> > >
> >> > > On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> >> > > > (cc stakeholders from various distros - apologies if I missed anyone)
> >> > > >
> >> > > > Please consider the patches below for backporting to the linux-6.6.y
> >> > > > stable tree.
> >> > > >
> >> > > > These are prerequisites for building a signed x86 efistub kernel image
> >> > > > that complies with the tightened UEFI boot requirements imposed by
> >> > > > Microsoft, and this is the condition under which it is willing to sign
> >> > > > future Linux secure boot shim builds with its 3rd party CA
> >> > > > certificate. (Such builds must enforce a strict separation between
> >> > > > executable and writable code, among other things)
> >> > > >
> > ...
> >> > > And is this not an issue for 6.1.y as well?
> >> > >
> >> >
> >> > It is, but there are many more changes that would need to go into v6.1:
> >> > ...
> >> > 32 files changed, 1204 insertions(+), 1448 deletions(-)
> >> >
> > ...
> >> > If you're happy to take these too, I can give you the proper list, but
> >> > perhaps we should deal with v6.6 first?
> >>
> >> Yeah, let's deal with 6.6 first :)
> >>
> >> What distros are going to need/want this for 6.1.y? Will normal users
> >> care as this is only for a new requirement by Microsoft, not for older
> >> releases, right?
> >>
> >
> > I will let the distro folks on cc answer this one.
>
> Canonical will want to backport this at least as far back as v4.15 for
> Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be
> appreciated by everybody involved. Since if/when firmware (VMs or
> Hardware) starts to require NX compat, it will be desired to have all
> stable supported kernels with this support built-in.
>

Thanks for the data point, and good luck with backporting this to v4.15
or earlier.

If it helps, I have a branch that backports LoadFile2 initrd loading
support to v5.4 (below), which you will need to backport first. Going
further back than v5.4 is going to be very messy IMHO.

https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-lf2-backport-x86