[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230714091310.GA21128@srcf.ucam.org>
Date: Fri, 14 Jul 2023 10:13:10 +0100
From: Matthew Garrett <mjg59@...f.ucam.org>
To: Ard Biesheuvel <ardb@...nel.org>
Cc: Luca Boccassi <bluca@...ian.org>, Peter Jones <pjones@...hat.com>,
Emanuele Giuseppe Esposito <eesposit@...hat.com>,
x86@...nel.org, Thomas Gleixner <tglx@...utronix.de>,
lennart@...ttering.net, Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Masahiro Yamada <masahiroy@...nel.org>,
Alexander Potapenko <glider@...gle.com>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Daniel P . Berrangé <berrange@...hat.com>,
linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
On Fri, Jul 14, 2023 at 10:52:20AM +0200, Ard Biesheuvel wrote:
> Maybe the OEMs have gotten better at this over the years, but it is
> definitely not possible for the distros to rely on being able to get
> their own cert into KEK and sign their builds directly.
Getting certs into local machine databases should[1] be possible on all
Windows certified machines, but in the status-quo there's no
cross-vendor solution to doing this. Relying on the Shim-provided
mechanisms is much safer from a consistency perspective.
[1] Every time someone has claimed it's impossible to me I've ended up
demonstrating otherwise, but that's not a guarantee
Powered by blists - more mailing lists