On Tue, 20 Feb 2024 at 08:37, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
>
> On Tue, 20 Feb 2024 at 02:03, xnox <dimitri.ledkov@xxxxxxxxxxxxx> wrote:
> >
> > Ard Biesheuvel <ardb@xxxxxxxxxx> writes:
> >
> > > On Thu, 15 Feb 2024 at 12:12, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > >>
> > >> On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
> > >> > On Thu, 15 Feb 2024 at 10:27, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > >> > >
> > >> > > On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> > >> > > > (cc stakeholders from various distros - apologies if I missed anyone)
> > >> > > >
> > >> > > > Please consider the patches below for backporting to the linux-6.6.y
> > >> > > > stable tree.
> > >> > > >
> > >> > > > These are prerequisites for building a signed x86 efistub kernel image
> > >> > > > that complies with the tightened UEFI boot requirements imposed by
> > >> > > > Microsoft, and this is the condition under which it is willing to sign
> > >> > > > future Linux secure boot shim builds with its 3rd party CA
> > >> > > > certificate. (Such builds must enforce a strict separation between
> > >> > > > executable and writable code, among other things)
> > >> > > >
> > > ...
> > >> > > And is this not an issue for 6.1.y as well?
> > >> > >
> > >> >
> > >> > It is, but there are many more changes that would need to go into v6.1:
> > >> >
> > ...
> > >> > 32 files changed, 1204 insertions(+), 1448 deletions(-)
> > >> >
> > ...
> > >> > If you're happy to take these too, I can give you the proper list, but
> > >> > perhaps we should deal with v6.6 first?
> > >>
> > >> Yeah, let's deal with 6.6 first :)
> > >>
> > >> What distros are going to need/want this for 6.1.y? Will normal users
> > >> care as this is only for a new requirement by Microsoft, not for older
> > >> releases, right?
> > >>
> > >
> > > I will let the distro folks on cc answer this one.
> >
> > Canonical will want to backport this at least as far back as v4.15 for
> > Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be
> > appreciated by everybody involved. Since if/when firmware (VMs or
> > hardware) starts to require NX compat, it will be desired to have all
> > stable supported kernels with this support built-in.
> >
>
> Thanks for the data point, and good luck with backporting this to
> v4.15 or earlier. If it helps, I have a branch that backports
> LoadFile2 initrd loading support to v5.4 (below), which you will need
> to backport first. Going further back than v5.4 is going to be very
> messy IMHO.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-lf2-backport-x86

Yeah, we are not yet sure how far back we will actually manage to get
to. And things will need to move one series/generation at a time, as
other pieces need to land too.

And yes, the above repo is helpful.

--
Dimitri

Sent from Ubuntu Pro
https://ubuntu.com/pro