Trusted Boot in Fedora

Wei, Gang gang.wei at
Wed Jun 29 16:37:49 UTC 2011

Eric Paris wrote on 2011-06-23:
> On 06/22/2011 03:20 PM, seth vidal wrote:
>> On Wed, 2011-06-22 at 20:02 +0100, Matthew Garrett wrote:
>> Are we going to continue the double grub entries? while I realize
>> that tboot SHOULD allow non TXT hw to boot properly I also realize
>> that any differences will be pointed to as a point of contention
>> when debugging semi-related problems. So it seems like the double entries are wise.
>> Additionally, is the grub modification implemented in grubby and
>> does this behave properly on a yum update of the kernel?
> I'd say how to handle the grub entries is basically the entire point
> of the feature request.  I was surprised to learn the other day that
> they filed a request at all since this was really just about making a
> change to grubby.  I don't know how they plan to handle it.

What we want to do is just provide an easy-to-find option in the install UI to select the tboot package, and handle the grub entries during tboot package installation. We just want to follow what the xen package previously did. We will look into the details of how to achieve it via coordination among Anaconda/grubby/tboot package.

> So yeah, installing tboot if it automatically enables itself can be a
> problem on some broken hardware.  I would certainly recommend against
> making tboot a part of the default install.  But if a user installs
> it, it should 'just work', without manually updating grub on every kernel update.

We are not seeking to make tboot a part of the default install; we just want to make the tboot install/configuration easier for end users.

BTW, I am trying to update the tboot feature page to include more documentation and other necessary information.

