Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage

From: James Bottomley
Date: Fri Jul 21 2023 - 11:27:12 EST

Next message: Thierry Reding: "Re: (subset) [PATCH 1/7] bus: sunxi-rsb: Convert to devm_platform_ioremap_resource()"
Previous message: Thierry Reding: "Re: (subset) [PATCH 1/6] soc: ti: omap-prm: Use devm_platform_get_and_ioremap_resource()"
In reply to: Luca Boccassi: "Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage"
Next in thread: Paolo Bonzini: "Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2023-07-21 at 16:22 +0100, Luca Boccassi wrote:
> On Fri, 21 Jul 2023 at 16:14, Luca Boccassi <bluca@xxxxxxxxxx> wrote:
[...]
> > Anyway, I wasn't aware that SUSE doesn't embed their cert in Shim,
> > we'll have to take that in consideration for sure.
>
> Actually, a dev from SUSE's security just confirmed they embed their
> CA in Shim like every other distribution. Nobody seems to be aware of
> any example where a distribution relies exclusively on MoK - and
> that's understandable, as that would mean failing to boot by default
> on a new machine. Do you have any example/cases where that's actually
> happening? Outside development/local signing/etc.

It happened last year for an openSUSE Leap update that changed the
kernel signing certificate. I got asked to confirm acceptance of the
new key and it got put in my MokList, which now has three certificates:
two suse ones and my own.

James

Next message: Thierry Reding: "Re: (subset) [PATCH 1/7] bus: sunxi-rsb: Convert to devm_platform_ioremap_resource()"
Previous message: Thierry Reding: "Re: (subset) [PATCH 1/6] soc: ti: omap-prm: Use devm_platform_get_and_ioremap_resource()"
In reply to: Luca Boccassi: "Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage"
Next in thread: Paolo Bonzini: "Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]