Re: [RFC] Second attempt at kernel secure boot support

[Eric W. Biederman]

Matthew Garrett <mjg59@xxxxxxxxxxxxx> writes:

> On Mon, Nov 05, 2012 at 06:46:32PM -0800, Eric W. Biederman wrote:
>> Matthew Garrett <mjg59@xxxxxxxxxxxxx> writes:
>> 
>> > On Mon, Nov 05, 2012 at 11:16:12AM -0800, Eric W. Biederman wrote:
>> >> Matthew Garrett <mjg59@xxxxxxxxxxxxx> writes:
>> >> > No, in the general case the system will do that once it fails to find a 
>> >> > bootable OS on the drive.
>> >> 
>> >> In the general case there will be a bootable OS on the drive.
>> >
>> > That's in no way a given.
>> 
>> You have it backwards.  The conclusion here is that having a case where
>> a non-interactive install is possible is not a given.
>
> I deal with customers who perform non-interactive installs. The fact 
> that you don't care about that use case is entirely irrelevant to me, 
> because you're not the person that I am obliged to satisfy.

I have spent what feels like half my life doing automatic installs.  I
care a lot and I understand the requirements.  I also see through
misstatements about reality used to justify stupid design decisions.

For automated installs you don't have to satisfy me.  Feel free to
deliver a lousy solution to your users.   Just don't use your arbitrary
design decisions to justify your kernel patches.

Non-interactive installs do not justify removing all trust from the root
user of a system, disabling suspend to disk and completely rewriting
kexec for the simple expedient removing a couple of lines of code from
your bootloader.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/