Reworked Secure Boot patches

Josh Boyer jwboyer at redhat.com
Fri Aug 30 13:01:38 UTC 2013


On Fri, Aug 30, 2013 at 08:58:14AM -0400, Prarit Bhargava wrote:
> On 08/30/2013 08:21 AM, Josh Boyer wrote:
> > Hi All,
> > 
> > I've been working on rebasing Fedora's secure boot approach to using the
> > secure_module patches Matthew Garrett posted upstream.  Below are the
> > changes to do this.
> > 
> > Things to note:
> > 
> > 1) Most people won't even notice a change as the impacts to userspace
> > remain the same.
> > 
> > 2) We're dropping the pekey patches.  It's a large chunk of code that is
> > dead upstream and has no usage within Fedora.
> > 
> > 3) The kexec patch should likely get reworked to prevent loading, and
> > that has been noted upstream.
> > 
> > 4) At some point we'll look at adding support for hibernate likely via
> > the patches that OpenSUSE has introduced.
> > 
> > 5) This falls back to using the upstream .modsign_keyring instead of
> > .system_keyring.  The concept of a system keyring is decent, but at the
> > moment it isn't going anywhere upstream.  We can look at switching back
> > at some point in the future.
> > 
> > josh
> 
> Not-sure-if-supposed-to-acked-by: Prarit Bhargava <prarit at redhat.com>

Of course.  More eyes always welcome.
 
> :)
> 
> Looks good Josh ... thanks :)

Thanks.

josh

