rhboot / shim

UEFI shim loader

Allow MokListTrusted to be enabled by default #455

Closed esnowberg closed 2 years ago

esnowberg commented 2 years ago

Within previous versions of shim the MokListTrusted var did not exist. Add the ability through a compile-time option to set the MokListTrustedRT when the BS var does not exist. When the BS var exists, MokListTrustedRT is not set. This inverse logic allows a distro to give the end-user the ability to opt out of this feature instead of opting in.

Many Linux distros carry out of tree patches to trust the mok keys by default. These out of tree patches can be dropped when compiling shim this way and using a Linux kernel that supports MokListTrustedRT.

Signed-off-by: Eric Snowberg eric.snowberg@oracle.com
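The runtime variable described above is what a MokListTrustedRT-aware Linux kernel consults to decide whether MOK-enrolled keys are trusted. The following is an added example, not code from shim, this pull request, or the kernel: a small POSIX shell check an administrator can run on a booted system to see whether shim exported MokListTrustedRT. It assumes the efivarfs layout (a 4-byte little-endian attribute word followed by the variable data), the shim lock GUID 605dab50-e046-4300-abb6-3dd810dd8b23 used for the variable name, and that a copy carrying the NON_VOLATILE attribute should be reported separately because a shim-set runtime mirror is volatile; none of those details are stated on the page.

```shell
#!/bin/sh
# Added example (not part of shim or this PR). Reports whether the
# MokListTrustedRT runtime variable that shim mirrors is visible to Linux.
# Assumptions: efivarfs file format (4-byte LE attribute word + data) and
# the shim lock GUID below.
#
# Usage: . ./mokcheck.sh && moklist_trusted_rt_state
#        (optionally pass an efivarfs directory as the first argument)

SHIM_LOCK_GUID="605dab50-e046-4300-abb6-3dd810dd8b23"
EFI_VARIABLE_NON_VOLATILE=1   # bit 0 of the UEFI attribute word

# Print the attribute word of an efivarfs file as a decimal number.
efivar_attrs() {
    od -An -tu4 -N4 "$1" | tr -d ' '
}

# moklist_trusted_rt_state [DIR]
# Prints "trusted", "nonvolatile" or "absent" and returns 0, 1 or 2.
#   trusted     - variable present and volatile (shape shim produces)
#   nonvolatile - present but persisted in NVRAM, so not a boot-time mirror
#   absent      - not exported; distro opted out or shim predates the feature
moklist_trusted_rt_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    f="$dir/MokListTrustedRT-$SHIM_LOCK_GUID"
    if [ ! -f "$f" ]; then
        echo absent
        return 2
    fi
    attrs=$(efivar_attrs "$f")
    attrs=${attrs:-0}
    if [ $((attrs & EFI_VARIABLE_NON_VOLATILE)) -ne 0 ]; then
        echo nonvolatile
        return 1
    fi
    echo trusted
    return 0
}
```

The three states map directly onto the behaviour the description sets out: on a shim built with the option and no MokListTrusted BS variable, the mirror is present and volatile; on a system where the distro or user created the BS variable to opt out, it is absent.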

esnowberg commented 2 years ago

I did it this way in case someone built a shim the other way and might see this as being a regression. If it would be acceptable to just change the default behavior, let me know and I'll update the pull request with the change. Thanks.

frozencemetery commented 2 years ago

I'll defer to vathpela on that.

jsetje commented 2 years ago

I'm fine either way, I guess I have a slight preference for this being the default behavior.

jsetje commented 2 years ago

This was briefly discussed and based on the assumption that this will end up enabled in nearly every distro anyway, we might as well have the upstream default enable this as well.

vathpela commented 2 years ago

> This was briefly discussed and based on the assumption that this will end up enabled in nearly every distro anyway, we might as well have the upstream default enable this as well.

Yeah, I'd rather just make it unconditional.