Maybe this is an example of seeing everything as a nail since we have a big hammer in objcopy.
I added support for stubby to use an 'allowed list' of command line arguments.
It occurs to me that that is a thing that might likely be changed (as it is, there is 'root=atomix' allowed, which is clearly not general purpose).
Should we allow putting that white list into the stubby.efi via objcopy? Then whoever is putting together a kernel/initrd can make the decision of what is acceptable. Ultimately, the list is signed by the signer, so it's up to them what they want to do anyway.
I am somewhat wary of this running amuck into a general purpose "stuff configuration into stubby.efi" mechanism.
Thoughts? Scott