Re: [PATCH v2] i386-pc: build verifiers API as module

[Daniel Kiper]

On Thu, Mar 18, 2021 at 07:30:26PM +0800, Michael Chang via Grub-devel wrote:
> Given no core functions on i386-pc would require verifiers to work and
> the only consumer of the verifier API is the pgp module, it looks good
> to me that we can move the verifiers out of the kernel image and let
> moddep.lst to auto-load it when pgp is loaded on i386-pc platform.
>
> This helps to reduce the size of core image and thus can relax the
> tension of exploding on some i386-pc system with very short MBR gap
> size. See also a very comprehensive summary from Colin [1] about the
> details.
>
> [1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00240.html
>
> V2:
> Drop COND_NOT_i386_pc and use !COND_i386_pc.
> Add comment in kern/verifiers.c to help understanding what's going on
> without digging into the commit history.
>
> Reported-by: Colin Watson <cjwatson@debian.org>
> Reviewed-by: Colin Watson <cjwatson@debian.org>
> Signed-off-by: Michael Chang <mchang@suse.com>

NAK for this patch and others "fixing" small MBR gaps. I am not going to
deal with this kind of issues any longer because a few folks in the
world cannot/do not want/... reinstall their systems. Sorry guys.

Additionally, the commit 5fd18f77e (mbr: Warn if MBR gap is small and
user uses advanced modules) and 505d92f5e (mbr: Document new limitations
on MBR gap support) are pretty clear we do not support advanced configs
with small MBR gaps any longer.

Daniel

PS FYI, I am not sure anybody cares but I think patch is not fully correct
   because lockdown part of kernel calls into verifiers module on i386-pc.