From: Vitaly Kuznetsov on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2917#note_1807239692
I think it would make sense to make it possible for an addon to target 'standard' UKI / 'debug' UKI / both in the infrastructure which Emanuele is trying to create. Personally, I would not be overthinking security issues of debug addons just **now** and wait until we get a request for an addon which we will consider 'unsafe'. As command line addons are currently rigid, i.e. it's impossible to have something like 'root=*', I don't think we have that many kernel options which require denylisting. For the extreme cases with very strong security requirements, adding other PCRs (e.g. PCR4) to the sealing policy might be a good option. -- _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
