------- Comment From <email address hidden> 2020-12-17 23:45 EDT-------
Squeezing in right before the end of the year! I tested this with my pseries secure boot setup. I built the key from the PPA into grub and signed grub with the testing key which I built into SLOF.
I was then able to boot 5.10.0-9-generic in secure boot mode under P8 KVM.
The kernel correctly detected secure boot mode and entered lockdown:
[ 0.000000] Secure boot mode enabled
[ 0.000000] Kernel is locked down from PowerNV Secure Boot mode; see man kernel_lockdown.7
(The text is a bit of a misnomer, but that's of no consequence.)
Lockdown appears to work as expected, I can't open /dev/mem for example.
Given LP: #1903288 / BZ 189099, I didn't test kexec.
In summary, I don't see anything from booting with secure boot on or off that would prevent you promoting 5.10 for hirsute.
Enjoy your end of year break!
Kind regards,
Daniel
------- Comment From <email address hidden> 2020-12-17 23:45 EDT-------
Squeezing in right before the end of the year! I tested this with my pseries secure boot setup. I built the key from the PPA into grub and signed grub with the testing key which I built into SLOF.
I was then able to boot 5.10.0-9-generic in secure boot mode under P8 KVM.
The kernel correctly detected secure boot mode and entered lockdown:
[ 0.000000] Secure boot mode enabled
[ 0.000000] Kernel is locked down from PowerNV Secure Boot mode; see man kernel_lockdown.7
(The text is a bit of a misnomer, but that's of no consequence.)
Lockdown appears to work as expected, I can't open /dev/mem for example.
Given LP: #1903288 / BZ 189099, I didn't test kexec.
In summary, I don't see anything from booting with secure boot on or off that would prevent you promoting 5.10 for hirsute.
Enjoy your end of year break!
Kind regards,
Daniel