Hm, I'm not sure we can sign the zfcpdump-kernel. By convention, in Focal, signed kernels enforce signed module loading & lockdown that prevents unsigned module loading, kexec unsigned kernels or reading arbitrary kernel memory from userspace. And I am under impression that zfcpdump kernel/initrd rely on being able to read kernel memory.
The zfcpdump-kernel flavour currently is built using zfcpdump_defconfig. I would be more comfortable if we could use the stock signed kernel image as the zfcpdump one, instead of the purpose built one. And include any missing modules in the zfcpdump initrd and/or adjust the cmdline to do things like PANIC_ON_OOPS=y. But i guess we will not get CONFIG_CC_OPTIMIZE_FOR_SIZE=y with the stock kernel image. Does zfcdump work with locked-down kernels? Why do we want/prefer a separate kernel flavour for zfcpdump, instead of the stock one? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877089 Title: zfcpdump kernel can not be IPLed when secure boot is requested To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877089/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
