Hi, > Hmm, the updated Change is mostly okay. I disagree that you have any > real security benefits since all the Secure Boot stuff in Linux is > still in a bad place.
It's a step into the right direction, but I agree, it alone doesn't improve the situation much. I think we need to overthink the whole secure boot signing process in Fedora. For starters we need to use different signing keys for UKI and non-UKI kernels, so it is possible (for the user if he chooses so) to disable booting non-UKI kernels to really plug the unsigned initrd hole. shim project planning to move from compiled-in certificates to signed certificates in separate files should make it easier to manage this. But all that is probably worth a separate change proposal and a separate discussion. > I would like the Change document to be updated > to include feedback about Secure Boot in there to further justify how > restricted the scope will remain for Phase 1. > > Additionally, "discoverable partitions" fixes nothing for Fedora right > now. There are two problems here: > * We don't have a discoverable subvolume specification for Btrfs > * Discoverable partition specification falls over dead with snapshots. > > Don't plan on using systemd-boot. I've said why before in other > threads, so I'm not repeating it again. > > Drop locking out modified kernel command lines. That's pretty much a > non-starter. > > If you want to pursue a Fedora Cloud image with UKIs, please bring it > up with the Cloud SIG, keeping in mind the feedback I listed. Noted. I'll rework the Change proposal early next year, I'm almost off into my xmas holidays. take care, Gerd _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
