• No longer sign i386 kernels

    From Bastian Blank@21:1/5 to All on Wed Dec 6 18:20:01 2023
    Hi

    I would like to stop signing i386 kernels.

    - IA32 UEFI is basically non-existent outside of the Apple world and
    maybe some embedded stuff.
    - i386 lacks many of the microarchitectural fixes that crept in during
    the last years. So those kernels are unsuitable for real world usage
    of processors released in the last ten years.

    Install base of an IA32 EFI capable boot chain, as can be seen in
    popcon (via grub-efi-ia32-signed): 178

    Install base of an X64 EFI capable boot chain (via
    grub-efi-amd64-signed): 71743

    Bastian

    --
    Military secrets are the most fleeting of all.
    -- Spock, "The Enterprise Incident", stardate 5027.4

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve McIntyre@21:1/5 to Bastian Blank on Wed Dec 6 22:10:01 2023
    Hey Bastian!

    On Wed, Dec 06, 2023 at 06:01:17PM +0100, Bastian Blank wrote:
    >
    > I would like to stop signing i386 kernels.
    >
    > - IA32 UEFI is basically non-existent outside of the Apple world and
    > maybe some embedded stuff.
    > - i386 lacks many of the microarchitectural fixes that crept in during
    > the last years. So those kernels are unsuitable for real world usage
    > of processors released in the last ten years.
    >
    > Install base of an IA32 EFI capable boot chain, as can be seen in
    > popcon (via grub-efi-ia32-signed): 178
    >
    > Install base of an X64 EFI capable boot chain (via
    > grub-efi-amd64-signed): 71743

    ACK. We're heading towards deprecating i386 as a full architecture
    anyway and just keeping it as a secondary arch for backwards
    compatibility for old programs, Wine, games etc. So I think this makes
    sense.

    We should publicise this for users and be consistent for all the EFI
    signed binaries - there's no point in signing i386 grub and fwupd or
    having a signed shim if we don't have a signed kernel.

    Agreed?

    --
    Steve McIntyre, Cambridge, UK.                                steve@einval.com
    < Aardvark> I dislike C++ to start with. C++11 just seems to be
                handing rope-creating factories for users to hang multiple
                instances of themselves.

  • From Pascal Hambourg@21:1/5 to Steve McIntyre on Wed Dec 6 23:50:01 2023
    Hello,

    On 06/12/2023 at 22:09, Steve McIntyre wrote:
    > On Wed, Dec 06, 2023 at 06:01:17PM +0100, Bastian Blank wrote:
    >>
    >> I would like to stop signing i386 kernels.
    >>
    >> - IA32 UEFI is basically non-existent outside of the Apple world and
    >> maybe some embedded stuff.
    > (...)
    > there's no point in signing i386 grub and fwupd or
    > having a signed shim if we don't have a signed kernel.

    Over the years I have seen a number of netbook or tablet-style PCs with
    32-bit UEFI firmware and a 64-bit capable CPU, so they could boot with
    grub-efi-ia32 and an amd64 kernel. I do not remember if they supported
    secure boot though.

  • From Steve McIntyre@21:1/5 to Pascal Hambourg on Thu Dec 7 00:10:01 2023
    On Wed, Dec 06, 2023 at 11:44:52PM +0100, Pascal Hambourg wrote:
    > Hello,
    >
    > On 06/12/2023 at 22:09, Steve McIntyre wrote:
    >> On Wed, Dec 06, 2023 at 06:01:17PM +0100, Bastian Blank wrote:
    >>>
    >>> I would like to stop signing i386 kernels.
    >>>
    >>> - IA32 UEFI is basically non-existent outside of the Apple world and
    >>> maybe some embedded stuff.
    >> (...)
    >> there's no point in signing i386 grub and fwupd or
    >> having a signed shim if we don't have a signed kernel.
    >
    > Over the years I have seen a number of netbook or tablet-style PCs with
    > 32-bit UEFI firmware and a 64-bit capable CPU, so they could boot with
    > grub-efi-ia32 and an amd64 kernel. I do not remember if they supported
    > secure boot though.

    Some of them did, but at this point the most recent of those Bay Trail
    netbooks is heading for a decade old. They were designed to be very
    cheap, which means very few will have survived this long. We're not
    proposing to kill support *altogether*, but SB isn't a priority here
    for such old machines IMHO.

    --
    Steve McIntyre, Cambridge, UK.                                steve@einval.com
    “Why do people find DNS so difficult? It’s just cache invalidation and
    naming things.”
    -- Jeff Waugh (https://twitter.com/jdub)
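    As an added check for anyone who wants to find the machines this change
    touches (example script written for this page, not something posted in
    the thread or shipped by Debian): the POSIX shell script below classifies
    a system by firmware bitness, Secure Boot state and CPU long-mode support,
    so the "32-bit UEFI plus 64-bit CPU" netbook case discussed above shows up
    separately from machines that genuinely need an i386 kernel. It reads the
    standard Linux efi sysfs attribute `fw_platform_size`, the `SecureBoot`
    EFI variable through efivarfs and the `flags` line of `/proc/cpuinfo`;
    the class names and function names are the example's own, and the test
    inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian packaging): classify a
# machine's EFI boot chain so an admin can tell whether it depends on the
# ia32-signed shim/grub/kernel components discussed in the thread.
#
# Real interfaces used (Linux efi sysfs / UEFI spec):
#   /sys/firmware/efi/fw_platform_size  -> "32" or "64" (firmware bitness)
#   efivarfs SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#                                        -> 4 attribute bytes + 1 value byte
#   /proc/cpuinfo "flags" line, where "lm" = long mode (can run an amd64 kernel)
# The class names and function names below are this example's own.

# cpu_supports_long_mode FLAGS_LINE -> exit 0 if the CPU can run an amd64 kernel
cpu_supports_long_mode() {
  case " $1 " in
    *" lm "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# classify_boot_chain FW_BITS FLAGS_LINE SB_STATE -> prints one class:
#   amd64-chain                64-bit UEFI: grub-efi-amd64-signed + amd64 kernel
#   ia32-chain-no-sb           32-bit UEFI, Secure Boot off: signatures not enforced
#   ia32-chain-sb-amd64-kernel 32-bit UEFI + SB + 64-bit CPU: the grub-efi-ia32
#                              plus amd64 kernel case from the thread; relies on
#                              the ia32-signed shim/grub
#   ia32-chain-sb-i386-kernel  32-bit UEFI + SB + 32-bit-only CPU: relies on a
#                              signed i386 kernel as well
classify_boot_chain() {
  fw_bits=$1; flags=$2; sb=$3
  case "$fw_bits" in
    64) echo amd64-chain; return 0 ;;
    32) ;;
    *)  echo unknown; return 1 ;;
  esac
  if [ "$sb" != 1 ]; then
    echo ia32-chain-no-sb; return 0
  fi
  if cpu_supports_long_mode "$flags"; then
    echo ia32-chain-sb-amd64-kernel
  else
    echo ia32-chain-sb-i386-kernel
  fi
}

# read_secureboot_state -> "1", "0" or "unknown" from the live efivarfs
read_secureboot_state() {
  var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
  if [ -r "$var" ]; then
    # skip the 4 attribute bytes, print the single value byte as a decimal
    od -An -tu1 -j4 -N1 "$var" | tr -d ' \n'
  else
    echo unknown
  fi
}

# report_live_system: run the classification against this machine
report_live_system() {
  if [ ! -r /sys/firmware/efi/fw_platform_size ]; then
    echo "legacy BIOS boot (no /sys/firmware/efi): Secure Boot signing does not apply"
    return 0
  fi
  fw=$(cat /sys/firmware/efi/fw_platform_size)
  flags=$(grep -m1 '^flags' /proc/cpuinfo || true)
  sb=$(read_secureboot_state)
  echo "firmware=${fw}-bit secureboot=${sb} class=$(classify_boot_chain "$fw" "$flags" "$sb")"
}

report_live_system
```

    Run it as root on a fleet (the efivar is root-readable by default) and
    grep for the two `ia32-chain-sb-*` classes: those are the only systems
    whose Secure Boot posture depends on the ia32 signed chain.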

  • From Bastian Blank@21:1/5 to Steve McIntyre on Sun Dec 10 00:00:01 2023
    On Wed, Dec 06, 2023 at 09:09:01PM +0000, Steve McIntyre wrote:
    > We should publicise this for users and be consistent for all the EFI
    > signed binaries - there's no point in signing i386 grub and fwupd or
    > having a signed shim if we don't have a signed kernel.
    > Agreed?

    Signing of i386 kernels is gone. https://salsa.debian.org/kernel-team/linux/-/merge_requests/944

    Bastian

    --
    Suffocating together ... would create heroic camaraderie.
    -- Khan Noonian Singh, "Space Seed", stardate 3142.8
