On Tue, 20 Feb 2024 at 08:37, Ard Biesheuvel ardb@kernel.org wrote:
On Tue, 20 Feb 2024 at 02:03, xnox dimitri.ledkov@canonical.com wrote:
Ard Biesheuvel ardb@kernel.org writes:
On Thu, 15 Feb 2024 at 12:12, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:41:57AM +0100, Ard Biesheuvel wrote:
On Thu, 15 Feb 2024 at 10:27, Greg KH gregkh@linuxfoundation.org wrote:
On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> (cc stakeholders from various distros - apologies if I missed anyone)
>
> Please consider the patches below for backporting to the linux-6.6.y
> stable tree.
>
> These are prerequisites for building a signed x86 efistub kernel image
> that complies with the tightened UEFI boot requirements imposed by
> Microsoft, and this is the condition under which it is willing to sign
> future Linux secure boot shim builds with its 3rd party CA
> certificate. (Such builds must enforce a strict separation between
> executable and writable code, among other things)
>
...
And is this not an issue for 6.1.y as well?
It is, but there are many more changes that would need to go into v6.1:
...
32 files changed, 1204 insertions(+), 1448 deletions(-)
...
If you're happy to take these too, I can give you the proper list, but perhaps we should deal with v6.6 first?
Yeah, let's deal with 6.6 first :)
What distros are going to need/want this for 6.1.y? Will normal users care as this is only for a new requirement by Microsoft, not for older releases, right?
I will let the distro folks on cc answer this one.
Canonical will want to backport this at least as far back as v4.15 for Ubuntu and Ubuntu Pro. So yeah, as far back as possible will be appreciated by everybody involved. Since if/when firmware (VMs or Hardware) starts to require NX compat, it will be desired to have all stable supported kernels with this support built-in.
Thanks for the data point, and good luck with backporting this to v4.15 or earlier. If it helps, I have a branch that backports LoadFile2 initrd loading support to v5.4 (below), which you will need to backport first. Going further back than v5.4 is going to be very messy IMHO.
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=efi-lf...
Yeah, we are not yet sure how far back we will actually manage to get to. And things will need to move one series/generation at a time, as other pieces need to land too. And yes, the above repo is helpful.
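The NX-compat requirement discussed in this thread boils down to two checks on the PE headers of the built EFI stub image: the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag in the optional header and no section marked both writable and executable. The following is an added example (not code from the thread or from the kernel tree) that performs both checks on a PE32/PE32+ image; the tiny PE image built by `build_sample_pe` is a constructed stand-in for a real kernel.efi so the script runs offline.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # optional header DllCharacteristics bit
IMAGE_SCN_MEM_EXECUTE = 0x20000000           # section header Characteristics bits
IMAGE_SCN_MEM_WRITE = 0x80000000

def check_nx_compat(image: bytes) -> dict:
    """Report whether a PE image sets NX_COMPAT and keeps W^X on every section."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]        # DOS header -> PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                        # 20-byte COFF file header
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                            # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]   # same offset in PE32 and PE32+
    wx_sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                          # 40-byte section headers
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            wx_sections.append(name)
    nx = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    return {"nx_compat": nx, "wx_sections": wx_sections,
            "compliant": nx and not wx_sections}

def build_sample_pe(dll_chars: int, sections) -> bytes:
    """Constructed minimal PE32+ image (headers only) for demonstration; not a real kernel."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt = bytearray(240)                                       # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, chars)
                    for name, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    ok = build_sample_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
                         [(b".text", 0x60000020), (b".data", 0xC0000040)])
    bad = build_sample_pe(0, [(b".text", 0xE0000020)])         # no NX flag, RWX .text
    print(check_nx_compat(ok))
    print(check_nx_compat(bad))
```

To run it against a real build, replace the constructed image with `open("arch/x86/boot/bzImage", "rb").read()` (the EFI stub bzImage is itself a PE image).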