Lennart Poettering

Results 1507 comments of Lennart Poettering

The efi var makes no sense to me, the builder of the UKI knows how the internal image is signed, and no one else really. Once it's wrapped in a UKI...

So I think the question whether to call into the original auth methods before or after our own check matters. I think for the auto-enrollment of keys we should sooner...

> Ultimately, the decision is on the user of the image (which as said, may be supposed to be immutable). And any tooling that signs the payload and assembles the...

I'd be fine with binding authentication of the inner image to an EFI var if this is conditionalized on something inside the outer PE file that declares, "yes it's OK...

Soooo. What are the implications of this: https://marc.info/?l=linux-efi&m=166505106716940&w=2 I take it we can avoid patching around in protocol vtables once that has landed? @ardbiesheuvel did I get this right?

generator_write_cryptsetup_unit_section() already adds `After=cryptsetup-pre.target` automatically, as I think you found already. This means it should be ordered properly already – if cryptsetup-pre.target ends up in the boot transaction. By default...

sd-stub already uniquifies boot entries dynamically if you have multiple with the same title. It does so by appending relevant fields that differ between the entries. Why is that not...

Sorry, I meant sd-boot, not sd-stub. It uniquifies the titles if there are multiple entries which would have the same titles, by adding version info/machine ID and so on. Why...

Well, sure, but it's a lot to fix. If a patch is quickly prepared to fix the points I raised, we could merge that instead of this.

Let's close this one in favour of the already committed #24823 and #24853 that I just posted.