On Fri, 2024-05-03 at 13:11 +0000, ecur...@redhat.com wrote:
> One thing I would like to point out is secure boot in the form of
> Android Boot Images and UKIs. These secure boot technologies combine
> kernel+cmdline+initramfs (and optionally a dtb, if the dtb is on the
> OS) into a secured binary blob to be delivered to the client device.
> If the dtb exists on the OS side, we must now provide signed
> Android Boot Images and/or UKIs per device; this concept doesn't
> exist in package managers I know of, at least in Fedora and CentOS Stream.
> If the kernel+cmdline+initramfs doesn't have a dtb, we can deliver a
> generic version that is secured for all devices.

Note that for UKIs, this issue was discussed here:
https://github.com/uapi-group/specifications/pull/71
The outcome was to allow multiple DTB sections in a single UKI, without
specifying a specific selection algorithm.

The implementation in the systemd EFI loader is ongoing here:
https://github.com/systemd/systemd/pull/28959
https://github.com/systemd/systemd/pull/29726
https://github.com/systemd/systemd/pull/31466
https://github.com/systemd/systemd/pull/31467

Adding Máté Kukri, to hopefully have EBBR match the implementation. :)

Jan
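As an added example, not code from this thread, the UKI spec or the systemd project: a small Python parser that walks the PE section table of a UKI and collects every section of a given name whose payload starts with the flattened-device-tree magic, which is how "multiple DTB sections in a single UKI" shows up on disk. The sample image is constructed inline; the `.dtb` section name is an assumption taken from the base UKI spec rather than from the linked PRs (pass whatever name the final implementation settled on), and no selection between the DTBs is attempted, since the spec left that unspecified.

```python
import struct

FDT_MAGIC = 0xD00DFEED  # big-endian magic word at offset 0 of every flattened device tree


def pe_sections(data: bytes):
    """Yield (name, raw_payload) for each section header in a PE image such as a UKI."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # DOS header -> offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                      # COFF file header (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    shdr = coff + 20 + opt_size                              # first 40-byte section header
    for i in range(nsections):
        off = shdr + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode()
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, data[raw_ptr:raw_ptr + raw_size]


def dtb_sections(data: bytes, name: str = ".dtb"):
    """Return payloads of all sections called `name` that really carry an FDT header.

    A section with the right name but no FDT magic is skipped: a loader should not
    hand the firmware an arbitrary blob just because of its section name.
    """
    out = []
    for sname, raw in pe_sections(data):
        if sname == name and len(raw) >= 4 and struct.unpack_from(">I", raw)[0] == FDT_MAGIC:
            out.append(raw)
    return out


def build_sample_uki(payloads):
    """Constructed minimal PE (AArch64 machine type, dummy optional header), one section per payload."""
    nsec = len(payloads)
    opt = b"\0" * 8                                          # placeholder optional header
    hdr_end = 64 + 4 + 20 + len(opt) + 40 * nsec             # raw data starts right after the headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0xAA64, nsec, 0, 0, 0, len(opt), 0x22)
    sections, body, ptr = b"", b"", hdr_end
    for sname, raw in payloads:
        sections += struct.pack("<8sIIIIIIHHI", sname.encode(), len(raw), ptr, len(raw), ptr, 0, 0, 0, 0, 0x40)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + sections + body
```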
_______________________________________________
boot-architecture mailing list -- boot-architecture@lists.linaro.org
To unsubscribe send an email to boot-architecture-le...@lists.linaro.org