From mboxrd@z Thu Jan 1 00:00:00 1970
From: Matthew Garrett
Date: Fri, 11 Jan 2019 11:32:19 -0800
Subject: Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM
To: Alexander Graf
Cc: Michael Chang, The development of GNU GRUB, Ard Biesheuvel, Leif Lindholm, Peter Jones, Benjamin Brunner
References: <20190110081208.GA5021@mazu> <1CE00885-C88C-4D0C-B41C-3BBDDB65F716@suse.de>
In-Reply-To: <1CE00885-C88C-4D0C-B41C-3BBDDB65F716@suse.de>

On Thu, Jan 10, 2019 at 12:59 AM Alexander Graf wrote:
> So really dumb question here: What if we didn't use the MS key? What if instead, we just provide a SUSE/openSUSE key and give customers the ability to sign their own grub+Linux binaries?

Then you end up blocking install of any Linux distribution that isn't big enough to have every ARM server vendor include their keys. This is the exact reason we chose not to explore this approach on x86 - we didn't want Red Hat to have privileges that, say, Gentoo didn't.

The problem is somewhat mitigated if systems are guaranteed to be shipped with Secure Boot disabled, but you then still end up encouraging vendor lock-in - it becomes difficult to migrate systems from one distribution to another without manual re-keying.