dracut.sh: add --sbat option to add sbat policy to UKI #2426
Not sure what |
Those test failures are not regressions from this PR.
Nice thread: https://lore.kernel.org/lkml/[email protected]/T/#u
I am the author of that patch. We will probably not end up having anything in kernel upstream, but distros might add their own SBAT section to the vmlinux binary. So IMHO this PR is still needed, also because:
Please, also document the new option in dracut.8.asc and dracut.conf.5.asc.
16d9814 to 904a3ec
72bbdea to 1ffcb0c
Other than that, it looks good from my side. Just one minor thing I forgot last time, could you please add the bash completion for the new --sbat option after https://github.com/dracutdevs/dracut/blob/master/shell-completion/bash/dracut#L49
See if it makes sense for you 👍
Take existing .sbat section from the uefi stub and merge it with vmlinux .sbat (if it exists) and user-provided .sbat parameters using the new --sbat option.

For some reason, --update-section in objcopy does not resize the .sbat section, so remove the section from the stub and add it to the UKI as a new one, to avoid having incomplete SBAT strings.

Signed-off-by: Emanuele Giuseppe Esposito <[email protected]>
done
Thanks!
lgtm
Take existing .sbat section from the uefi stub and merge it with vmlinux .sbat (if it exists) and user-provided .sbat file using the new --sbat option.
For some reason, --update-section in objcopy does not resize the .sbat section, so remove the section from the stub and add it to the UKI as a new one, to avoid having incomplete SBAT strings.
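
One way to carry out the merge and the remove-then-add section replacement described above, as an added example that is not dracut's own code. The function names, the de-duplication policy and the caller-supplied `vma` address for the new section are assumptions.

```sh
#!/bin/sh
# Added example, not dracut's code. Function names, merge policy and the
# caller-supplied section address (vma) are assumptions.
SBAT_HEADER='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md'

# merge_sbat FILE...: print the SBAT header once, then every other entry from
# the inputs in order, without duplicates. Missing or empty files are skipped.
merge_sbat() {
    printf '%s\n' "$SBAT_HEADER"
    for f in "$@"; do
        [ -s "$f" ] || continue
        # A dumped PE section is NUL-padded to the file alignment; drop the
        # padding (and CRs) so it cannot end up inside the merged CSV.
        tr -d '\000\r' < "$f"
        echo
    done | awk -v hdr="$SBAT_HEADER" 'NF && $0 != hdr && !seen[$0]++'
}

# dump_sbat BINARY OUT: write BINARY's .sbat contents to OUT. OUT is left
# empty when objcopy cannot read the file.
dump_sbat() {
    objcopy -O binary --only-section=.sbat "$1" "$2" 2>/dev/null || : > "$2"
}

# build_sbat_stub STUB VMLINUX USER_SBAT OUT VMA: write a copy of STUB to OUT
# whose .sbat section holds the merged stub, vmlinux and user entries.
build_sbat_stub() {
    stub=$1 vmlinux=$2 user=$3 out=$4 vma=$5
    tmp=$(mktemp -d) || return 1
    dump_sbat "$stub" "$tmp/stub.sbat"
    dump_sbat "$vmlinux" "$tmp/vmlinux.sbat"
    merge_sbat "$tmp/stub.sbat" "$tmp/vmlinux.sbat" "$user" > "$tmp/uki.sbat"
    # Remove the old section and add a new one instead of --update-section,
    # so the section is sized for the merged data.
    objcopy --remove-section .sbat "$stub" "$tmp/stub.efi" &&
        objcopy --add-section .sbat="$tmp/uki.sbat" \
            --change-section-vma .sbat="$vma" "$tmp/stub.efi" "$out"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Dumping `.sbat` from the result with `dump_sbat` and comparing it against the merged file is a quick check that no entry was truncated.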