Reworked Secure Boot patches
Kyle McMartin
kyle at redhat.com
Fri Aug 30 12:49:14 UTC 2013
On Fri, Aug 30, 2013 at 08:21:28AM -0400, Josh Boyer wrote:
> I've been working on rebasing Fedora's secure boot approach to using the
> secure_module patches Matthew Garrett posted upstream. Below are the
> changes to do this.
>
> Things to note:
>
> 1) Most people won't even notice a change as the impacts to userspace
> remain the same.
>
> 2) We're dropping the pekey patches. It's a large chunk of code that is
> dead upstream and has no usage within Fedora.
>
> 3) The kexec patch should likely get reworked to prevent loading, and
> that has been noted upstream.
>
> 4) At some point we'll look at adding support for hibernate likely via
> the patches that OpenSUSE has introduced.
>
> 5) This falls back to using the upstream .modsign_keyring instead of
> .system_keyring. The concept of a system keyring is decent, but at the
> moment it isn't going anywhere upstream. We can look at switching back
> at some point in the future.
>
ACK or something. ;-)