On Tue, Jan 19, 2021 at 10:43 AM Mark Pearson <markpearson@lenovo.com> wrote:
> Some background: We need the latest kernel/alsa/pulse/libfprint and their dependencies for supporting the new 2021 HW - and as we'll be (hopefully) releasing before F34 is available we're looking for F33+updates and the best way to provide that in a way that works for the community and our preload process.
We need to coordinate a shim update, one that's signed with new world keys (post-BootHole) which doesn't yet exist.
Specifically, if the new hardware will come with UEFI Secure Boot enabled, it will need a preloaded image containing either pre-BootHole revocation database. Shim needs to be updated before the revocation database or the system will not boot.
If this preload image is also going to form the basis for a recovery partition, this is a bigger concern because it'd be rendered unbootable once the revocation database is pushed. Fedora hasn't decided to push the revocation database automatically, but other distros do so aggressively. Microsoft has thus far delayed pushing the post-BootHole revocation db, but eventually they will sometime this year.
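The ordering constraint discussed above (shim first, revocation database second) can be checked before a dbx update is applied. The following is an added example, not part of the original message or of any Fedora or Lenovo tooling. It assumes the Authenticode SHA-256 digest of the installed shim is already known and that the update payload is a raw run of EFI_SIGNATURE_LIST structures; the digests and helper names are constructed, and revocation by certificate is not covered.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def sha256_entries(blob):
    """Return the SHA-256 digests listed in concatenated EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256:
            if sig_size != 48 or len(body) % sig_size:
                raise ValueError("bad SHA-256 SignatureSize")
            for i in range(0, len(body), sig_size):
                digests.add(body[i + 16:i + 48])  # skip 16-byte SignatureOwner
        off += list_size  # other types (e.g. X.509) are skipped in this sketch
    return digests

def dbx_update_is_safe(installed_shim_digest, new_dbx_blob):
    """False if the update would revoke the shim that is currently installed."""
    return installed_shim_digest not in sha256_entries(new_dbx_blob)

def make_sha256_list(digests, owner=uuid.UUID(int=0)):
    """Build a constructed EFI_SIGNATURE_LIST for the sample data below."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

# Constructed sample data: stand-ins for Authenticode digests, not real shim hashes.
OLD_SHIM = hashlib.sha256(b"constructed pre-BootHole shim").digest()
NEW_SHIM = hashlib.sha256(b"constructed post-BootHole shim").digest()
OTHER = hashlib.sha256(b"constructed unrelated binary").digest()
NEW_DBX = make_sha256_list([OTHER, OLD_SHIM])

if __name__ == "__main__":
    for name, digest in (("old shim", OLD_SHIM), ("new shim", NEW_SHIM)):
        safe = dbx_update_is_safe(digest, NEW_DBX)
        print(f"{name}: {'safe to apply dbx' if safe else 'would not boot'}")
```

A dbx variable read from efivarfs carries a 4-byte attributes prefix that has to be stripped before parsing.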