On Fri, 2024-05-03 at 13:11 +0000, ecurtin@redhat.com wrote:
One thing I would like to point out is secure boot in the form of Android Boot Images and UKIs. These secure boot technologies combine kernel+cmdline+initramfs (and optionally a dtb, if the dtb is on the OS) into a secured binary blob to be delivered to the client device. If the dtb exists on the OS side, we must now provide a signed Android Boot Images and/or UKIs per device, this concept doesn't exists in package managers I know, at least in Fedora, CentOS Stream. If the kernel+cmdline+initramfs doesn't have a dtb, we can deliver a generic version that is secured for all devices.
Note that for UKIs, this issue was discussed here: https://github.com/uapi-group/specifications/pull/71 The outcome was to allow multiple DTB sections in a single UKI, without specifying a specific selection algorithm.
The implementation in the systemd EFI loader is ongoing here: https://github.com/systemd/systemd/pull/28959 https://github.com/systemd/systemd/pull/29726 https://github.com/systemd/systemd/pull/31466 https://github.com/systemd/systemd/pull/31467
Adding Máté Kukri, to hopefully have EBBR match the implementation. :)
Jan