On Mon, 18 Dec 2023 11:22:19 +0300 Michael Tokarev <m...@tls.msk.ru> wrote:
18.12.2023 10:59, Heinrich Schuchardt:
> On 12/18/23 07:41, Michael Tokarev wrote:
> <snip />
>> Yes, we can do that. I don't see much benefit here though.
>> For one, I dislike dangling symlinks in package, and don't
>> want to add yet another directory to firmware search directories.
>
> OpenSBI is security critical as it runs in the highest privilege mode at Linux runtime. There have been potentially security relevant code errors
> detected in the past like buffer overruns.
Sure.
> I am concerned that security errors fixed in the OpenSBI package might not be fixed in qemu-system-data at the same time. For the security team it
> would be much more evident what to fix if there were only one package building OpenSBI.
I dunno where we have more chances to have a fix faster - in qemu than in
opensbi.
Maybe Vagrant can answer this one.
If we're to go this route, will ask opensbi maintainer(s) to create symlinks to
opensbi firmware in /usr/share/qemu/ directory. This will involve Break/Replace
of the old qemu-system-data package.
Hi! A friendly ping? Vagrant, what do you think?
Thanks,
/mjt
--
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98
ECDF 2C8E
Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0
8044 65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt
