On 21.03.25 01:26, Luca Boccassi wrote:
> On Thu, 20 Mar 2025 at 22:43, Alexander Graf <graf@xxxxxxxxxx> wrote:
>> Let's first figure out how all of this works without shim. Then we can
>> look at whether we need to and how we can extend the shim/sd-boot
>> interface to make that case work as well. Please don't start off
>> assuming everyone runs shim in secure boot environments.
>
> But that's a bit off topic, though - the issue Mate brought up with
> this thread is specifically with shim/16 + sd-boot + sd-stub, which is
> a bit time pressing as both Plucky and Trixie are about to go out with
> this combination that used to work, but doesn't anymore.
> Without shim there's no new issue, everything works as it always did.

If you read through Heinrich's reply once more, you can clearly see that
it does not. We have 2 broken cases: new shim (change of contract) and
U-Boot (dependency on PI internals).
You could - as Ard suggested - introduce a new "prevalidated image load"
protocol in shim to solve the shim case. But that will continue to leave
U-Boot broken. To solve U-Boot, you would basically need to implement
the same "prevalidated image load" in sd-boot. And once you have that,
why would you duplicate it in shim?
Alex