Hello,

On Sat, Jun 17, 2023 at 10:49:09AM +0800, joeyli via openSUSE Factory wrote:
Hi Lubos,
Sorry to bother you!
On Wed, Jun 14, 2023 at 11:01:57PM +0800, joeyli via openSUSE Factory wrote:
On Mon, Jun 12, 2023 at 06:26:06PM -0000, Bruno Pitrus wrote:
master branch of openSUSE Tumbleweed kernel
Is it enabled upstream? What problem would it be for you to ship an UNSIGNED kernel that has all the SUSE patches EXCEPT lockdown? You already ship kernel-vanilla, and AFAIK it does not have lockdown.
The mainline kernel has the lockdown function, but it is not connected to the secure boot switch in firmware. Like other big distros (Fedora, Ubuntu, Leap/SLE), we put a downstream patch into the Tumbleweed kernel to connect lockdown integrity mode with secure boot.
About kernel-vanilla, bsc#1209008 has been created (I am not sure whether it's a public bug). We will ship an unsigned kernel-vanilla without lockdown.
Currently we do not have a SUSE-patched unsigned Tumbleweed kernel. We need a new kernel flavor for this. I don't know who has the power to make the decision.
In the systemd-boot with unified kernel image (UKI) case, the community has voiced that they want an unsigned kernel with SUSE patches, and the kernel will not be locked down, because they want to produce a UKI image and sign it with their personal key. SUSE will not be responsible for the integrity or verification of their self-signed UKI image. Users should enroll their key into db via the UEFI firmware UI manually.
Could you please consider creating an openSUSE Tumbleweed Jira for this requirement? I think that we need a new kernel flavor for Tumbleweed to fulfill this requirement.
This should be possible to do with the config.addon mechanism, that is, create a link of kernel-source and add an extra config file that disables the lockdown. As this is an unofficial kernel, anyone can create a link in a project of their choice.

Thanks

Michal
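The thread turns on the coupling between the firmware Secure Boot switch and the kernel's lockdown mode (joeyli's point that the SUSE downstream patch ties the two together, and that an unsigned, unpatched build would leave lockdown off). The following is an added example, not code from the thread, from SUSE, or from kernel-source: a small POSIX sh check that reads the two places where that coupling is visible at runtime, the SecureBoot EFI variable (4 attribute bytes followed by one data byte in efivarfs) and /sys/kernel/security/lockdown (the active mode shown in brackets). File paths are passed in as parameters so it can be exercised on constructed sample files without root or real EFI hardware; the function names, the verdict strings and the sample files are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from kernel-source): does the running
# kernel's lockdown mode match the firmware Secure Boot state?
# On a live system the inputs would be:
#   /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   /sys/kernel/security/lockdown
# Both are taken as arguments so the functions run on the constructed sample
# files below.

# efivarfs files carry 4 bytes of attribute flags followed by the variable
# data; for SecureBoot the data is a single byte: 1 = enabled, 0 = disabled.
# Prints "enabled", "disabled" or "unavailable" (no EFI, no variable, short file).
secure_boot_state() {
    var="$1"
    [ -r "$var" ] || { echo unavailable; return 0; }
    # skip the 4 attribute bytes, read the one data byte as decimal
    byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
}

# /sys/kernel/security/lockdown lists the modes with the active one in
# brackets, e.g. "none [integrity] confidentiality".
# Prints the active mode, or "unavailable" if the file is absent.
lockdown_mode() {
    f="$1"
    [ -r "$f" ] || { echo unavailable; return 0; }
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$f"
}

# Verdict as the thread frames it: under Secure Boot a SUSE-patched signed
# kernel is expected to be at least in integrity mode; an unsigned kernel
# without the downstream patch (or Secure Boot off) leaves lockdown at "none".
lockdown_coupling() {
    sb=$(secure_boot_state "$1")
    ld=$(lockdown_mode "$2")
    case "$sb:$ld" in
        enabled:integrity|enabled:confidentiality) echo "secure-boot-on,locked-down" ;;
        enabled:none) echo "secure-boot-on,NOT-locked-down" ;;
        disabled:*) echo "secure-boot-off,$ld" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample files (hypothetical, not captured from a real machine).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# attributes 0x00000007 (NV+BS+RT) little-endian, then the data byte
printf '\007\000\000\000\001' > "$tmp/SecureBoot-on"
printf '\007\000\000\000\000' > "$tmp/SecureBoot-off"
printf 'none [integrity] confidentiality\n' > "$tmp/lockdown-integrity"
printf '[none] integrity confidentiality\n' > "$tmp/lockdown-none"

echo "patched signed kernel, SB on: $(lockdown_coupling "$tmp/SecureBoot-on" "$tmp/lockdown-integrity")"
echo "unsigned kernel, SB on:       $(lockdown_coupling "$tmp/SecureBoot-on" "$tmp/lockdown-none")"
echo "SB off:                       $(lockdown_coupling "$tmp/SecureBoot-off" "$tmp/lockdown-none")"
```

To run it against the real system, pass the efivarfs path and /sys/kernel/security/lockdown instead of the sample files; the "secure-boot-on,NOT-locked-down" verdict is what a self-signed UKI built from an unsigned, lockdown-free flavor would show, which is the trade-off the thread describes.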