Re: 6.2.1 will have lockdown patches
[inadvertently did not send my reply to the list, so trying to get it in again with this]

Jiri Slaby schrieb:
> On 09. 03. 23, 12:32, Robert Kaiser wrote:
>> Jiri Slaby schrieb:
>>> Last but not least, I do not recommend anyone with out of tree modules to run TW.
>> So, you mean, anybody who wants to use NVidia graphics fully should not use TW? Doesn't sound like a good solution to me, esp. as nowadays, the proprietary driver mostly works fine even on kernel updates (when a new major version comes out, there sometimes are breakages but those usually get fixed pretty quickly). And with 6.2.1 I "just" needed to disable secureboot in the UEFI - not ideal, but it works for those of us who can just do that.
> Did you intentionally remove the next sentence: "I mean those users not having good enough knowledge how to fix things."?
> Reading the above, you belong to the category.
>> That said, could there be two kernels available for choice, one with lockdown, one without, and for TW the one without would be default (while on SLE or even Leap or its successor the locked down one would be default)?
> No, as per Microsoft requirements.

Hrm, that's a bummer. Being able to choose if you lock down your system or not would IMHO be great but if they don't allow that user choice, that's really sad.

Cheers,
KaiRo
On Thu, Mar 09, 2023 at 12:46:14PM +0100, Robert Kaiser wrote:
> [inadvertently did not send my reply to the list, so trying to get it in again with this]
>
> Jiri Slaby schrieb:
>> On 09. 03. 23, 12:32, Robert Kaiser wrote:
>>> Jiri Slaby schrieb:
>>>> Last but not least, I do not recommend anyone with out of tree modules to run TW.
>>> So, you mean, anybody who wants to use NVidia graphics fully should not use TW? Doesn't sound like a good solution to me, esp. as nowadays, the proprietary driver mostly works fine even on kernel updates (when a new major version comes out, there sometimes are breakages but those usually get fixed pretty quickly). And with 6.2.1 I "just" needed to disable secureboot in the UEFI - not ideal, but it works for those of us who can just do that.
>> Did you intentionally remove the next sentence: "I mean those users not having good enough knowledge how to fix things."?
>> Reading the above, you belong to the category.
>>> That said, could there be two kernels available for choice, one with lockdown, one without, and for TW the one without would be default (while on SLE or even Leap or its successor the locked down one would be default)?
>> No, as per Microsoft requirements.
>
> Hrm, that's a bummer. Being able to choose if you lock down your system or not would IMHO be great but if they don't allow that user choice, that's really sad.

Actually, they do. It just must not be loaded automatically. That is, you have to sign the kernel with a key that is not trusted by default by shim, enroll that key, reboot to confirm the key enrollment, and boot your gaping-security-hole kernel. The additional technical problem is that the build service has only one key per project, and then either you get locked-down kernels that boot automagically, or you need to enroll the openSUSE key before you can boot the installation medium.

Thanks
Michal
On Thu, 9 Mar 2023 12:46:14 +0100, Robert Kaiser wrote:
>>> That said, could there be two kernels available for choice, one with lockdown, one without, and for TW the one without would be default (while on SLE or even Leap or its successor the locked down one would be default)?
>> No, as per Microsoft requirements.
> Hrm, that's a bummer. Being able to choose if you lock down your system or not would IMHO be great but if they don't allow that user choice, that's really sad.

Seems like if it's broken now without lockdown, the best default behavior would be to continue behaving the way we do now, at least for people who either don't use secure boot (which of course probably means this patch wouldn't affect them anyways). I wonder...how many people who don't have a dual-boot configuration with Windows use secure boot at all anyways?

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On 2023-03-09 20:08, Jim Henderson wrote:
> I wonder...how many people who don't have a dual-boot configuration with Windows use secure boot at all anyways?

Me, for instance. On both my desktop and media server, secure boot is enabled, IIRC (is there a check on a booted system, to make sure?). Also in my tiny laptop, but that one is double boot.

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
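Carlos asks whether a booted system can confirm its Secure Boot state. The POSIX shell script below is an added example, not part of the thread: it reads the UEFI SecureBoot variable through efivarfs (one data byte after the 4-byte attribute header) and the kernel's active lockdown mode from securityfs, which is the setting that actually decides whether an unsigned out-of-tree module is refused. Both functions accept an optional file path so they can be exercised against constructed sample files; the default paths are the standard sysfs locations.

```shell
#!/bin/sh
# Report UEFI Secure Boot state and kernel lockdown mode on a booted Linux
# system. Added example; the two paths are the usual sysfs/efivarfs locations.

EFIVAR_SB="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
LOCKDOWN="/sys/kernel/security/lockdown"

# efivarfs prefixes each variable with a 4-byte attribute word; the SecureBoot
# variable's data is a single byte: 1 = enabled, 0 = disabled.
secureboot_state() {
    f="${1:-$EFIVAR_SB}"
    [ -r "$f" ] || { echo "unknown (no efivarfs entry: legacy boot or efivarfs not mounted)"; return 0; }
    byte=$(od -An -tu1 -j 4 -N 1 "$f" | tr -d ' \n')
    case "$byte" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# /sys/kernel/security/lockdown lists all modes with the active one in
# brackets, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    f="${1:-$LOCKDOWN}"
    [ -r "$f" ] || { echo "unknown (no securityfs entry: kernel without lockdown LSM?)"; return 0; }
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f")
    echo "${mode:-unknown}"
}

# Combined verdict. Secure Boot only governs what shim and the firmware will
# start; lockdown is what blocks unsigned modules once the kernel is running.
boot_security_summary() {
    sb=$(secureboot_state "$1")
    ld=$(lockdown_mode "$2")
    echo "secure boot: $sb; lockdown: $ld"
}

# Report on the live system (prints "unknown" entries on non-UEFI hosts).
boot_security_summary
```

On openSUSE, `mokutil --sb-state` reports the same Secure Boot bit; the lockdown line is the one to read when deciding whether a self-signed kernel or an enrolled MOK is actually needed for an out-of-tree module.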
participants (4): Carlos E. R., Jim Henderson, Michal Suchánek, Robert Kaiser