David Howells [off-list ref] writes:

Andy Lutomirski [off-list ref] wrote:

quoted

As far as I can tell, what's really going on here is that there's a
significant contingent here that wants to prevent Linux from
chainloading something that isn't Linux.

You have completely the wrong end of the stick.  No one has said that or even
implied that.  You are alleging dishonesty on our part.

What we *have* said is that *if* we want to pass the secure boot state across
kexec, then we have to make sure that:

 (1) no one tampers with the intermediate kernel between boot and kexec
     otherwise the secure boot state is effectively invalidated, and

 (2) the image that gets kexec'ed is trusted.

Remember: you cannot know (2) if you don't have (1).

And if someone tampers with the aim of breaking, say, Windows, then someone,
e.g.  Microsoft, might blacklist the shim.

*Wow*   You just denied this isn't about not booting Windows and a few
lines later said that is your concern.

I was thinking I would have to dig up old archives where I had been told
this before, but you just nicely repeated all of the old arguments so I
don't see the point.

Eric