Re: No longer sign i386 kernels
On Wed, Dec 06, 2023 at 09:09:01PM +, Steve McIntyre wrote:
> We should publicise this for users and be consistent for all the EFI
> signed binaries - there's no point in signing i386 grub and fwupd or
> having a signed shim if we don't have a signed kernel.
> Agreed?

Signing of i386 kernels is gone.

https://salsa.debian.org/kernel-team/linux/-/merge_requests/944

Bastian

-- 
Suffocating together ... would create heroic camaraderie.
-- Khan Noonian Singh, "Space Seed", stardate 3142.8
Re: No longer sign i386 kernels
On Wed, Dec 06, 2023 at 11:44:52PM +0100, Pascal Hambourg wrote:
> Hello,
>
> On 06/12/2023 at 22:09, Steve McIntyre wrote:
>>
>> On Wed, Dec 06, 2023 at 06:01:17PM +0100, Bastian Blank wrote:
>>>
>>> I would like to stop signing i386 kernels.
>>>
>>> - IA32 UEFI is basically non-existent outside of the Apple world and
>>>   maybe some embedded stuff.
> (...)
>> there's no point in signing i386 grub and fwupd or
>> having a signed shim if we don't have a signed kernel.
>
> Over the years I have seen a number of netbook or tablet-style PCs with
> 32-bit UEFI firmware and a 64-bit capable CPU, so they could boot with
> grub-efi-ia32 and an amd64 kernel. I do not remember if they supported
> secure boot though.

Some of them did, but at this point the most recent of those Bay Trail
netbooks is heading for a decade old. They were designed to be very
cheap, which means very few will have survived this long. We're not
proposing to kill support *altogether*, but SB isn't a priority here
for such old machines IMHO.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
“Why do people find DNS so difficult? It’s just cache invalidation and
naming things.” -– Jeff Waugh (https://twitter.com/jdub)
Re: No longer sign i386 kernels
Hello,

On 06/12/2023 at 22:09, Steve McIntyre wrote:
> On Wed, Dec 06, 2023 at 06:01:17PM +0100, Bastian Blank wrote:
>> I would like to stop signing i386 kernels.
>>
>> - IA32 UEFI is basically non-existent outside of the Apple world and
>>   maybe some embedded stuff.
(...)
> there's no point in signing i386 grub and fwupd or
> having a signed shim if we don't have a signed kernel.

Over the years I have seen a number of netbook or tablet-style PCs with
32-bit UEFI firmware and a 64-bit capable CPU, so they could boot with
grub-efi-ia32 and an amd64 kernel. I do not remember if they supported
secure boot though.
Re: No longer sign i386 kernels
Hey Bastian!

On Wed, Dec 06, 2023 at 06:01:17PM +0100, Bastian Blank wrote:
>
> I would like to stop signing i386 kernels.
>
> - IA32 UEFI is basically non-existent outside of the Apple world and
>   maybe some embedded stuff.
> - i386 lacks many of the microarchitectural fixes that crept in during
>   the last years. So those kernels are unsuitable for real world usage
>   of processors released in the last ten years.
>
> Install base of an IA32 EFI capable boot chain, as possible to see by
> popcon (via grub-efi-ia32-signed): 178
>
> Install base of an X64 EFI capable boot chain (via
> grub-efi-amd64-signed): 71743

ACK. We're heading towards deprecating i386 as a full architecture
anyway and just keeping it as a secondary arch for backwards
compatibility for old programs, Wine, games etc. So I think this makes
sense.

We should publicise this for users and be consistent for all the EFI
signed binaries - there's no point in signing i386 grub and fwupd or
having a signed shim if we don't have a signed kernel.

Agreed?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be handing
            rope-creating factories for users to hang multiple instances of
            themselves.
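The thread turns on two facts about a machine: whether its firmware is the IA32 (32-bit) or X64 UEFI flavour, and whether Secure Boot is enforced, since only the combination of IA32 firmware plus enforced Secure Boot is hit by dropping the i386 kernel signature (the 32-bit-firmware netbooks Pascal describes are the ones to look at). The script below is an added example, not code from the thread or from the Debian kernel team. It assumes only the standard Linux sysfs and efivarfs files: /sys/firmware/efi/fw_platform_size (reports "32" or "64") and the SecureBoot variable under the EFI_GLOBAL_VARIABLE GUID, whose efivarfs representation carries four attribute bytes before the one-byte value. Each function takes an optional path so the logic can be exercised against captured copies of those files.

```shell
#!/bin/sh
# Added example, not part of the thread. Reports whether this machine is the
# case under discussion: 32-bit (IA32) UEFI firmware booting with Secure Boot
# enforced, where an unsigned i386 kernel will no longer pass verification.
# Reads only standard Linux sysfs/efivarfs files; each function accepts an
# optional path so it can be run against captured copies of those files.

# Firmware word size as the kernel reports it: "32" or "64".
# Prints "none" when the file is absent (legacy BIOS boot or no EFI runtime).
fw_platform_size() {
    f="${1:-/sys/firmware/efi/fw_platform_size}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo "none"
    fi
}

# Secure Boot state from the SecureBoot EFI variable (EFI_GLOBAL_VARIABLE GUID).
# efivarfs prefixes the variable data with 4 attribute bytes; the payload is a
# single byte, 1 when Secure Boot is enabled.
secure_boot_state() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    if [ -r "$f" ]; then
        v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
        if [ "$v" = "1" ]; then echo "enabled"; else echo "disabled"; fi
    else
        echo "unknown"
    fi
}

# Combine the two readings into the outcome that matters to the user.
classify() {
    case "$1/$2" in
        32/enabled) echo "affected: IA32 UEFI with Secure Boot enforced; an unsigned i386 kernel will not pass signature verification at boot" ;;
        32/*)       echo "IA32 UEFI without Secure Boot enforced; the kernel signature is not checked" ;;
        64/*)       echo "X64 UEFI; the signed amd64 boot chain is unaffected" ;;
        *)          echo "not an EFI boot, or state unknown" ;;
    esac
}

report() {
    fw=$(fw_platform_size)
    sb=$(secure_boot_state)
    echo "firmware=$fw secureboot=$sb"
    classify "$fw" "$sb"
}

report
```

Run it as root (efivars is normally only root-readable); a "firmware=32" report on a machine with a 64-bit CPU is exactly the netbook case from the thread. Which kernel flavour is actually installed is a separate question (uname -m answers it), and is what decides whether the i386 signing change reaches that machine at all.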