Enable FIPS and SELinux for sdboot #125
Conversation
|
This doesn't fix Grub with BLS yet, I am currently looking into that. |
Needs to be tested, but grub2-bls should also work with this change in /etc/kernel/cmdline, as the entry is created by sdbootutil the same for any boot loader (minus some checks related with the entry name) |
|
So would it work if - instead of checking for an sdboot system explicitly - both /etc/default/grub and /etc/kernel/cmdline would just be changed if they are present? Or mustn't /etc/default/grub be changed any more when using GRUB2 with BLS? |
|
grub2-bls and systemd-boot under sdbootutil only requires changes in /etc/kernel/cmdline. sdbootutil is agnostic of the boot loaders as far as it is BLS So, no, from grub2-bls no change in /etc/default/grub will make sense |
|
That would mean the differentiator shouldn't be /boot/efi/EFI/systemd/installed_by_sdbootutil as in the current patch, but it should check for and modify /etc/kernel/cmdline instead, and /etc/default/grub otherwise, correct? |
|
Better differentiator is /etc/kernel/cmdline, right? In BLS some agent will create the boot entries. For us is sdbootutil, but this can be a transient status. This agent will use /etc/kernel/cmdline also, as sdbootutil is doing. So IMHO if [ -f /etc/kernel/cmdline ]; then update this file, else update /etc/default/grub |
|
I just remembered, perl-Bootloader can also touch and reference the /etc/kernel/cmdline and the boot entries. |
When running on a sdboot, modify /etc/kernel/cmdline instead of the grub config. Fixes openSUSE#113
|
I have updated the PR to use |
|
Perfect - thanks a lot! |
When running on a sdboot, modify /etc/kernel/cmdline instead of the grub config.
Fixes #113