Linux 6.9 Makes A Change To Satisfy Microsoft For EFI x86 Shim Loader Signing


The EFI updates were merged today for the ongoing Linux 6.9 merge window. This cycle the EFI kernel code is seeing improvements for confidential computing as well as a change to satisfy Microsoft's requirements for signing the x86 shim loader again for UEFI Secure Boot handling.
The EFI changes for Linux 6.9 allow using the Confidential Computing (CC) protocol should the TCG2 protocol not be supported, as is the case for Intel Trust Domain Extensions (TDX) confidential virtual machines. The Microsoft change is around ensuring that mappings are not both writable and executable while running in the EFI boot services. Keeping mappings from being writable and executable at the same time is good security practice in general, but here it is necessary for getting Microsoft to re-sign the x86 shim loader so that Linux distributions will install cleanly on Secure Boot enabled systems.
The merge request by Ard Biesheuvel notes:
– Measure initrd and command line using the CC protocol if the ordinary TCG2 protocol is not implemented, typically on TDX confidential VMs
– Avoid creating mappings that are both writable and executable while running in the EFI boot services. This is a prerequisite for getting the x86 shim loader signed by MicroSoft again, which allows the distros to install on x86 PCs that ship with EFI secure boot enabled.
– API update for struct platform_driver::remove()
This new EFI code is good to go for Linux 6.9, which should debut as stable around the middle of 2024.
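The kernel change above is about mappings the EFI stub creates at runtime inside boot services. A distro maintainer preparing an EFI binary for signing review usually also wants a static check that the built image does not itself ask the firmware for writable-and-executable memory. The script below is an added example, not code from the Linux kernel or the shim project: it parses the PE/COFF headers of an EFI image, reports any section whose flags carry both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE, and reports whether the NX_COMPAT bit is set in the optional header's DllCharacteristics field. The function names (`audit_pe`, `build_pe`) and the two minimal images it constructs for demonstration are assumptions made for this example; the header layout and flag values are those of the PE/COFF specification.

```python
import struct
import sys

# Section characteristic flags and the DllCharacteristics NX_COMPAT bit from the PE/COFF spec.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

COFF_FMT = "<HHIIIHH"           # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"    # Name ... Characteristics (40 bytes)


def audit_pe(data: bytes) -> dict:
    """Return NX_COMPAT status and the names of any W+X sections in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)

    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    nx_compat = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)

    sect_off = opt_off + opt_size
    wx_sections = []
    for i in range(nsect):
        name, *_, flags = struct.unpack_from(SECTION_FMT, data, sect_off + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            wx_sections.append(name)

    return {"nx_compat": nx_compat, "wx_sections": wx_sections,
            "ok": nx_compat and not wx_sections}


def build_pe(sections, dll_characteristics: int) -> bytes:
    """Construct a minimal, headers-only PE32+ image (constructed sample data, not a real binary)."""
    opt_size = 240  # size of a PE32+ optional header
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)                  # Subsystem: EFI application
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, opt_size, 0x0022)
    sect = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, flags)
        for name, flags in sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + sect


# Constructed samples: one image laid out the way a reviewer wants to see it, one that is not.
GOOD_IMAGE = build_pe([(".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                       (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                      IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
BAD_IMAGE = build_pe([(".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)], 0)

if __name__ == "__main__":
    # Audit a real image if a path is given, otherwise the constructed samples.
    if len(sys.argv) > 1:
        images = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:
        images = {"good-sample": GOOD_IMAGE, "bad-sample": BAD_IMAGE}
    for label, blob in images.items():
        print(label, audit_pe(blob))
```

Run it with the path to a built `shim` or kernel EFI image as its only argument; without arguments it audits the two constructed samples. A clean result has `nx_compat` true and an empty `wx_sections` list. This static check complements, and does not replace, the runtime behaviour the kernel change addresses: an image can pass here and still request W+X memory from boot services while it runs.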