GNU bug report logs - #68524
[PATCH 0/2] Support root encryption and secure boot.
heyo!
thanks for the review :) I'll submit a revised patch, but had a question before
I get to work on it.
> I tried to adjust uki.scm before commenting, so here's a paste of my
> adjusted version, in case some of my comments are not expressed clearly:
> https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000
nighttime sky I didn't realize reinstall-bootloader existed. shit.
at this point, I don't think the install-uki.scm hack is a good idea. to get
this fully functioning, will probably have to do some more invasive edits to the
bootloader system, since the current one pretty much assumes an
extlinux/grubalike (which is what necessitated install-uki in the first place).
RFC on the following plan:
* add secure-boot-cert and secure-boot-key fields to bootloader-configuration.
* deprecate configuration-file and configuration-file-generator in the
  bootloader struct, and instead create an install-configuration-file field,
  similar to install-bootloader. default procedure will be to do the current
  install-boot-cfg (gnu build install) using the deprecated fields.
* rework uki.scm to, instead, run efibootmgr in install-configuration-file and
  install the uki.efi files in install-bootloader. remove the separation between
  uefi-uki-signed-bootloader and uefi-uki-bootloader, instead working off the
  new bootloader-configuration fields.
this plan should work with reinstall-bootloader, even though it uses the default
bootloader-configuration, since files are only signed during installation
proper.
opinions?
thanks,
lilah
This bug report was last modified 237 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.