On Wed, Dec 1, 2021, at 4:34 PM, Chris Adams wrote:
> Once upon a time, Colin Walters <walters(a)verbum.org> said:
>> https://github.com/coreos/fedora-coreos-config/commit/eb74f2ea3e9b4539023...
>
> Missed this message earlier... this seems like this should be the
> default on pretty much all Fedora setups, with documentation on how to
> change it if you secure the boot loader.
Yeah, I agree. Also related is
https://github.com/coreos/fedora-coreos-tracker/issues/134

Basically systemd doesn't know whether or not the bootloader is locked.
Longer term, perhaps there could be some standard variable for this passed
from the bootloader to kernel/systemd that says whether or not the bootloader
allows unauthenticated interactive keyboard changes (as grub does on default
Fedora setups). If it does, we can just unceremoniously drop to a root shell.
to make this default on Fedora setups (it should be officially
announced by Monday).
I'm interested in the longer-term followup too - should we discuss that
separately and cc: grub and systemd development lists?
Best,
--
Michel Alexandre Salim