Hi Chris
On 20/01/2021 17:06, Chris Murphy wrote:
> On Tue, Jan 19, 2021 at 10:43 AM Mark Pearson markpearson@lenovo.com wrote:
>> Some background: We need the latest kernel/alsa/pulse/libfprint and their dependencies for supporting the new 2021 HW - and as we'll be (hopefully) releasing before F34 is available we're looking for F33+updates and the best way to provide that in a way that works for the community and our preload process.
> We need to coordinate a shim update, one that's signed with new world keys (post-BootHole) which doesn't yet exist.
> Specifically, if the new hardware will come with UEFI Secure Boot enabled, it will need a preloaded image containing either pre-BootHole revocation database. Shim needs to be updated before the revocation database or the system will not boot.
> If this preload image is also going to form the basis for a recovery partition, this is a bigger concern because it'd be rendered unbootable once the revocation database is pushed. Fedora hasn't decided to push the revocation database automatically, but other distros do so aggressively. Microsoft has thus far delayed pushing the post-BootHole revocation db, but eventually they will sometime this year.
We still have secure boot disabled by default for Linux systems - it's something I want to turn on but every time we look at it there are a few headaches and there's some process in manufacturing too to resolve and it just never quite makes it high enough in the list to become a priority.
I'm not going to get that solved for this round so I don't think it has to block this effort. Something I'm happy to look at for platforms later in the year with F34/F35?
Let me know if I'm missing something important.
Mark
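The ordering problem Chris raises above (push the dbx revocation update before shim is replaced and the machine stops booting) is something an image builder can check for before shipping a preload or recovery partition. The script below is an added example, not code from this thread, from Fedora, or from Lenovo: it parses a dbx update (a dbxupdate.bin with its EFI_VARIABLE_AUTHENTICATION_2 wrapper, or a bare concatenation of EFI_SIGNATURE_LISTs) and reports whether a given Authenticode SHA-256 hash is revoked. It assumes the hash of the shim on the ESP has already been obtained with an external tool such as pesign; the hashes and the dbx blob used for the demonstration are constructed, not the real BootHole revocation entries.

```python
"""Check whether a dbx (UEFI revocation database) update lists a shim's hash.

Added example, not from the mailing-list thread, Fedora or Lenovo. The shim's
Authenticode SHA-256 is assumed to come from an external tool (e.g. pesign);
the dbx blob and hashes built by demo_blob() are constructed test data.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_X509_SHA256_GUID = uuid.UUID("3bd2a492-96c0-4079-b420-fcf98ef103ed")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
KNOWN_SIG_TYPES = {EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID, EFI_CERT_X509_SHA256_GUID}

# EFI_SIGNATURE_LIST header: SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)
ESL_HEADER = 28


def strip_auth2_header(blob: bytes) -> bytes:
    """Return the EFI_SIGNATURE_LIST payload of a dbx blob.

    A dbxupdate.bin is an EFI_VARIABLE_AUTHENTICATION_2: EFI_TIME (16 bytes) then a
    WIN_CERTIFICATE_UEFI_GUID whose dwLength covers its 8-byte header, the CertType
    GUID and the PKCS#7 data. A blob that starts directly with a signature-type GUID
    (a variable dump with any efivarfs attribute prefix already removed) is returned as is.
    """
    if len(blob) < 16:
        raise ValueError("blob too short")
    if uuid.UUID(bytes_le=blob[:16]) in KNOWN_SIG_TYPES:
        return blob
    (dw_length,) = struct.unpack_from("<I", blob, 16)
    return blob[16 + dw_length:]


def iter_signatures(blob: bytes):
    """Yield (signature_type, owner_guid, data) for each EFI_SIGNATURE_DATA entry
    across the concatenated EFI_SIGNATURE_LISTs in blob, validating the sizes."""
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < ESL_HEADER or end > len(blob):
            raise ValueError("bad SignatureListSize")
        body = off + ESL_HEADER + hdr_size
        if sig_size < 16 or body > end or (end - body) % sig_size:
            raise ValueError("bad SignatureHeaderSize/SignatureSize")
        for p in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            yield sig_type, owner, blob[p + 16:p + sig_size]
        off = end


def revoked_sha256(dbx_blob: bytes) -> set:
    """Lower-case hex of every SHA-256 Authenticode hash the dbx blob revokes."""
    payload = strip_auth2_header(dbx_blob)
    return {d.hex() for t, _, d in iter_signatures(payload) if t == EFI_CERT_SHA256_GUID}


def shim_would_be_revoked(dbx_blob: bytes, shim_authenticode_sha256: str) -> bool:
    """True if applying dbx_blob would stop a shim with this hash from booting."""
    return shim_authenticode_sha256.lower() in revoked_sha256(dbx_blob)


# --- constructed test data (not a real dbx update) -------------------------

CONSTRUCTED_SHIMS = {name: hashlib.sha256(name.encode()).digest() for name in ("shim-old", "shim-new")}


def build_sha256_esl(hashes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (32-byte hash each)."""
    entries = b"".join(owner.bytes_le + h for h in hashes)
    return (EFI_CERT_SHA256_GUID.bytes_le
            + struct.pack("<III", ESL_HEADER + len(entries), 0, 16 + 32)
            + entries)


def wrap_auth2(payload: bytes, pkcs7: bytes = b"\x30\x00") -> bytes:
    """Wrap payload the way dbxupdate.bin is (zeroed EFI_TIME, placeholder PKCS#7)."""
    dw_length = 8 + 16 + len(pkcs7)
    win_cert = struct.pack("<IHH", dw_length, 0x0200, 0x0EF1) + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7
    return bytes(16) + win_cert + payload


def demo_blob() -> bytes:
    """A constructed dbx update that revokes only the 'shim-old' hash."""
    return wrap_auth2(build_sha256_esl([CONSTRUCTED_SHIMS["shim-old"]]))


if __name__ == "__main__":
    import sys
    # usage: script.py dbxupdate.bin <authenticode-sha256-hex of the shim on the ESP>
    with open(sys.argv[1], "rb") as f:
        print("revoked" if shim_would_be_revoked(f.read(), sys.argv[2]) else "not revoked")
```

The check that matters for a preload or recovery image is the negative one: if the shim baked into the image is revoked by the dbx update the vendor will eventually push, that image must ship with the newer shim, not with a plan to update it later.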