From: Daniel P. Berrangé on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2917#note_1803375698
> I agree, that handling them here is easier. But I doubt that there will only be a few addons. There are a ton of debug parameters that at some point in time will be needed. Plus there are bugs that can be worked around by "setting the right parameter". Furthermore, we need the ability to disable memory hungry parameters for the kdump kernel. All in all my expectation is that the number will increase rapidly once UKIs get used more. We need to be very careful about creating signed addons for debug parameters. The goal of UKIs is to close the huge SecureBoot security hole in existing systems where neither the initrd nor cmdline were covered by the SecureBoot signatures. With the UKIs now the cmdline is signed, we have a fully trustworthy kernel environment booted. There are parameters for the kernel that could potentially undermine the security of the system such that we do NOT want to sign addons with distro keys. For adhoc debugging options, I think the expectation is that users would be able to create and sign addons themselves, using a MOK key they have locally enrolled with shim, rather than having the distro vendor (Red Hat) signing them. -- _______________________________________________ kernel mailing list -- kernel@lists.fedoraproject.org To unsubscribe send an email to kernel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
