On Tue, 2022-12-20 at 14:56 -0500, Demi Marie Obenour wrote:
> How do you plan to handle system recovery? For VMs this is much
> less of a concern, but on bare metal there needs to be a way for
> a local, authenticated administrator to obtain a root shell on
> the system console even if the root filesystem cannot be mounted.
> This has saved my system more than once.
>
> Also, how will Xen be supported in this model? Will the hypervisor
> be part of an alternate UKI? CCing Marek Marczykowski-Górecki of
> Qubes OS.

It is all answered in the large amount of text you quoted, if you read
it carefully.

The old kernel+initrd does not go away, so you disable secure boot and
just use the good old methods, or worst case you use a recovery disk
(or USB drive, or whatever you use to install) if you damaged the boot
partition.

Anything that is not explicitly supported likewise will use the old
kernel + custom initrd, you just disable secure boot.

Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc