Hi,

> > > [...] I will need secure boot at some point (which apparently
> > > would resolve the issue) [...]

It does, to some extent, namely that you're not using EFI Boot Guard mechanisms anymore to convey kernel parameters but instead use Unified Kernel Images (UKI) in which these parameters are embedded. The stub loader hands them over to the kernel. With Secure Boot, the parameters are immutable, build-time defined as the whole UKI is signed (there's a way around this but you're deliberately jeopardizing integrity then, defeating the whole purpose). While not using Secure Boot, you can however modify the stub loader to do whatever you want with kernel parameters, e.g., setting them based on some condition or even loading them from VFAT disk...

As you will make the transition anyway, you may be able to do it a bit sooner and don't need to ship a tainted EFI Boot Guard ;)

> > I have a local copy of the repository
> > (https://github.com/siemens/efibootguard.git), and I didn't see any
> > commits related to this change. Is the development work being done in a
> > different repository?
>
> There is nothing related merged yet. Traces are RFC patches on the list,
> discussions. And then there were some direct discussions, primarily
> between Christian (on CC) and me.

EFI Boot Guard is upstream first and anything happens in this repository and its Mailing List. That doesn't include coffee bar talks though, to which Jan is referring.

So yes, we do have some ideas (and even RFC patches on the list) but we're not truly happy with the results yet. As you don't change config file formats like your clothes, we're still investigating this. So, it's not dead, quite the contrary, but the change must be well-defined, future-proof, and backwards-compatible (for some time being at least). You see, this is not an easy task ;)

Kind regards,
   Christian

-- 
Dr. Christian Storm
Siemens AG, Technology, T CED SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
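A build-side check for the point made in the mail above, given here as an added example that is not part of the original message or of EFI Boot Guard's code: it reads the kernel parameters embedded in a UKI so they can be compared with the reviewed build-time value before the image is signed. The `.cmdline` section name follows the UKI convention used by systemd-stub and is an assumption for other stub loaders; the function names and the sample image are constructed for illustration.

```python
import struct

def pe_sections(image: bytes) -> dict:
    """Map section name -> raw bytes for a PE/COFF image such as a UKI."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size       # section table follows the optional header
    sections = {}
    for i in range(nsec):
        name, vsize, _, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        size = min(vsize, rawsize) if vsize else rawsize   # drop alignment padding
        sections[name.rstrip(b"\0").decode("ascii")] = image[rawptr:rawptr + size]
    return sections

def embedded_cmdline(image: bytes, section: str = ".cmdline") -> str:
    """Return the parameters baked into the image (section name is an assumption)."""
    data = pe_sections(image).get(section)
    if data is None:
        raise LookupError(f"no {section} section: parameters are not embedded")
    return data.rstrip(b"\0\n").decode("utf-8")

def cmdline_drift(image: bytes, expected: str) -> list:
    """Parameters added (+) or missing (-) relative to the reviewed value.
    Set-based: ordering and duplicate parameters are not compared."""
    have, want = set(embedded_cmdline(image).split()), set(expected.split())
    return sorted(f"+{p}" for p in have - want) + sorted(f"-{p}" for p in want - have)

def build_sample(cmdline: str) -> bytes:
    """Constructed minimal PE with one .cmdline section (test input, not bootable)."""
    body = cmdline.encode() + b"\0"
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0002)
    hdr += struct.pack("<8sIIIIIIHHI", b".cmdline", len(body), 0x1000,
                       512, 512, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(512, b"\0") + body.ljust(512, b"\0")

if __name__ == "__main__":
    uki = build_sample("console=ttyS0 root=/dev/sda2 ro")
    print(cmdline_drift(uki, "console=ttyS0 root=/dev/sda2 ro quiet"))
```

Running the comparison before signing, and again on the signed artifact, catches a parameter change that would otherwise only show up at boot.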
