Bug 2020922

Summary: systemd-bootx64.efi not signed
Product: [Fedora] Fedora Reporter: François Rigault <francois.rigault>
Component: systemd-bootAssignee: Zbigniew Jędrzejewski-Szmek <zbyszek>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: unspecified    
Version: rawhideCC: dtardon, fedoraproject, filbranden, flepied, gary.buhrmaster, lnykryn, msekleta, ryncsn, ssahani, s, systemd-maint, travier, yuwatana, zbyszek
Target Milestone: ---Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description François Rigault 2021-11-07 11:20:31 UTC 
Description of problem:
systemd-boot cannot work without deactivating secure boot


Version-Release number of selected component (if applicable):
systemd-udev-249.4-2.fc35.x86_64

How reproducible:
every time


Steps to Reproduce:
1. bootctl install (full instructions https://kowalski7cc.xyz/blog/systemd-boot-fedora-32)
2. efibootmgr -v
3. sbverify --list /efi/EFI/systemd/systemd-bootx64.efi

Actual results:
efibootmgr shows systemd-bootx64.efi configured as boot manager entry
sbverify shows No signature table present


Expected results:
systemd-bootx64 should be signed.
- either by a global CA to be installed on the system
- either by fedoraca, in that case a shim should be configured in the entries

Additional info:
any plan to support default installation with systemd-boot?
Comment 1 Zbigniew Jędrzejewski-Szmek 2021-11-07 12:10:16 UTC 
Yeah, we should probably do this at some point. Frankly, I have no idea how signing works in Fedora
(pesign is used, but how can call it and when?). So if somebody who cares about this would be so
nice and figure out what initial steps would be required and what would need to be done for each
official build of systemd, that'd help a lot to move this forward.
Comment 2 François Rigault 2021-12-18 13:24:59 UTC 
there will be one more step to make secure boot work though
assuming systemd-bootx64.efi is signed (using this macros: https://src.fedoraproject.org/rpms/grub2/blob/rawhide/f/grub.macros#_389, on the right build hosts I guess?) at the moment bootctl install is installing an entry for "\EFI\systemd\systemd-bootx64.efi" instead of a shim.

The shim-x64 package today depends on grub2-efi-x64. If systemd-bootx64 get properly signed, a user would have
- to install shim-x64 + grub2 nonetheless
- then copy systemd-bootx64.efi to overwrite grubx64.efi
- then to use the entry with shim instead of systemd-boot in the efibootmgr

Also the default efi partition on cloud image is 100MB, probably not enough.
Comment 3 Ben Cotton 2022-11-29 17:15:44 UTC 
This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.
Comment 4 Gary Buhrmaster 2025-10-30 02:46:54 UTC 
Related to https://bugzilla.redhat.com/show_bug.cgi?id=2268695