On Tue, Jan 19, 2021 at 10:43 AM Mark Pearson <markpearson(a)lenovo.com> wrote:
> Some background: We need the latest kernel/alsa/pulse/libfprint and
> their dependencies for supporting the new 2021 HW - and as we'll be
> (hopefully) releasing before F34 is available we're looking for
> F33+updates and the best way to provide that in a way that works for the
> community and our preload process.
We need to coordinate a shim update, one that's signed with new world
keys (post-BootHole) which doesn't yet exist.
Specifically, if the new hardware will come with UEFI Secure Boot
enabled, it will need a preloaded image containing either pre-BootHole
revocation database. Shim needs to be updated before the revocation
database or the system will not boot.
If this preload image is also going to form the basis for a recovery
partition, this is a bigger concern because it'd be rendered
unbootable once the revocation database is pushed. Fedora hasn't
decided to push the revocation database automatically, but other
distros do so aggressively. Microsoft has thus far delayed pushing the
post-BootHole revocation db, but eventually they will sometime this
year.
--
Chris Murphy
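
An added example, not part of the original message: one way to check a preload or recovery image's shim against a revocation database before that database is pushed. It assumes the dbx is supplied as raw concatenated EFI_SIGNATURE_LIST data, looks only at SHA-256 hash entries (certificate entries are skipped), and takes the shim's Authenticode SHA-256 digest as already computed; the function names and all sample bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")


def revoked_sha256(dbx: bytes) -> set:
    """Collect SHA-256 digests from concatenated EFI_SIGNATURE_LIST records."""
    digests, off = set(), 0
    while off < len(dbx):
        if len(dbx) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(dbx, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(dbx):
            raise ValueError("bad SignatureListSize")
        body = dbx[off + HDR.size + hdr_size: off + list_size]
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256:
            # Each entry is a 16-byte SignatureOwner GUID plus a 32-byte digest.
            if sig_size != 16 + 32 or len(body) % sig_size:
                raise ValueError("bad SHA-256 entry size")
            for i in range(0, len(body), sig_size):
                digests.add(body[i + 16: i + sig_size])
        off += list_size  # other signature types are skipped here
    return digests


def shim_is_revoked(authenticode_sha256: bytes, dbx: bytes) -> bool:
    """True if the given shim digest appears in the dbx hash entries."""
    return authenticode_sha256 in revoked_sha256(dbx)


def build_sha256_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Build a constructed SHA-256 signature list (demo helper)."""
    entries = b"".join(owner.bytes_le + d for d in digests)
    return HDR.pack(EFI_CERT_SHA256.bytes_le, HDR.size + len(entries), 0, 48) + entries


# Constructed stand-ins: not real shim digests and not a real dbx.
OLD_SHIM = hashlib.sha256(b"constructed pre-BootHole shim").digest()
NEW_SHIM = hashlib.sha256(b"constructed post-BootHole shim").digest()
SAMPLE_DBX = build_sha256_list([hashlib.sha256(b"other").digest(), OLD_SHIM])

if __name__ == "__main__":
    for name, digest in (("old shim", OLD_SHIM), ("new shim", NEW_SHIM)):
        hit = shim_is_revoked(digest, SAMPLE_DBX)
        print(f"{name}: {'REVOKED, image would not boot' if hit else 'ok'}")
```

When reading the variable from efivarfs on a running system, the first 4 bytes of the file are the variable attributes and must be stripped before parsing.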