grub-devel

Re: [PATCH v2] i386-pc: build verifiers API as module


From: Javier Martinez Canillas
Subject: Re: [PATCH v2] i386-pc: build verifiers API as module
Date: Tue, 23 Mar 2021 15:26:47 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0

On 3/23/21 2:27 PM, Colin Watson wrote:
> On Tue, Mar 23, 2021 at 12:37:20PM +0100, Javier Martinez Canillas wrote:

[snip]

>>
>> For this particular case, it might be better for distros to just revert commit
>> 9e95f45ceee ("verifiers: Move verifiers API to kernel image") instead of making
>> it conditional for i386-pc, adding complexity to the GRUB upstream code IMO.
> 
> That would also mean skipping or substantially modifying your lockdown
> patch that followed it, which requires great care.  I did something like
> this in various forms for our security updates because there wasn't much
> choice there, but I'm not keen on it as a long-term solution.
> 
> In the long term, we do seem to want to have the verifiers API in the
> kernel image at least for EFI platforms, don't we?  So reverting that
> patch entirely seems like a bad move, and Michael's approach seems a
> reasonable compromise.
> 

Yes, that's a good point. Accepting Michael's patch to fix the issue for
i386-pc but start pushing back other patches whose goal is to keep the
GRUB core image minimal seems to be a good middle ground for this topic.

Best regards,
-- 
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat



