Bug 2140646

Summary: [spec] Enable 'systemd-stub' in the build
Product: Red Hat Enterprise Linux 9 Reporter: Vitaly Kuznetsov <vkuznets>
Component: systemdAssignee: Jan Macku <jamacku>
Status: CLOSED ERRATA QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.2CC: aadam, ailan, alexl, andavis, berrange, jamacku, kraxel, osteffen, redhat-bugzilla, systemd-maint-list, vgoyal, vkuznets
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: systemd-252-6.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 08:21:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2142102    

Description Vitaly Kuznetsov 2022-11-07 13:48:36 UTC 
To support Azure Confidential VMs (https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), there's an intention to build EFI Unified Kernel Image for RHEL. To do this, 'systemd-stub' is needed. To achive this, a simple:

diff --git a/systemd.spec b/systemd.spec
index cb1a3f80e335..9e9cc1fdb071 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -418,6 +418,10 @@ Patch0337: 0337-udev-net_id-add-rhel-9.1-naming-scheme.patch
 
 # Downstream-only patches (9000–9999)
 
+%ifarch %{ix86} x86_64 aarch64
+%global have_gnu_efi 1
+%endif
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  coreutils
@@ -474,6 +478,10 @@ BuildRequires:  pkgconfig(tss2-mu)
 BuildRequires:  perl
 BuildRequires:  perl(IPC::SysV)
 
+%if 0%{?have_gnu_efi}
+BuildRequires:  gnu-efi gnu-efi-devel
+%endif
+
 Requires(post): coreutils
 Requires(post): sed
 Requires(post): acl
@@ -747,7 +755,7 @@ CONFIGURE_OPTS=(
         -Dlibiptc=false
         -Dlibcurl=true
         -Dlibfido2=false
-        -Dgnu-efi=false
+        -Dgnu-efi=%[%{?have_gnu_efi}?"true":"false"]
         -Dtpm=true
         -Dtpm2=true
         -Dhwdb=true

(copied from Fedora) seems to do the job. This, however, also enables systemd-boot and the associated tools (e.g. bootctl) and we may not want this. I was able to disable it with:

diff --git a/split-files.py b/split-files.py
index 7622210b14e5..ffe72dac310e 100644
--- a/split-files.py
+++ b/split-files.py
@@ -95,10 +95,6 @@ for file in files(buildroot):
         o = o_libs
     elif re.search(r'''udev(?!\.pc)|
                        hwdb|
-                       bootctl|
-                       sd-boot|systemd-boot\.|loader.conf|
-                       bless-boot|
-                       boot-system-token|
                        kernel-install|
                        vconsole|
                        backlight|
@@ -122,7 +118,7 @@ for file in files(buildroot):
                        verity-setup|
                        remount-fs|
                        /boot$|
-                       /boot/efi|
+                       /boot/efi/linuxx64.*|
                        /kernel/|
                        /kernel$|
                        /modprobe.d
Comment 1 Vitaly Kuznetsov 2022-11-07 13:55:42 UTC 
For the reference: the proposed (WIP!) kernel spec change building Unified Kernel Image looks like:
https://gitlab.com/vkuznets/centos-stream-9/-/commit/44bc17e4211be9ef102d7cd99f31368187e4dc17

In fact, there's no need to ship "/usr/lib/systemd/boot/efi/linuxx64.*" in systemd-udev subpackage (like it's done in Fedora), we can probably consider creating a buildroot only subpackage for it if for some reason shipping these files to customers is undesirable.
Comment 7 Robert Scheck 2023-01-02 14:58:26 UTC 
(In reply to Vitaly Kuznetsov from comment #1)
> In fact, there's no need to ship "/usr/lib/systemd/boot/efi/linuxx64.*" in systemd-udev subpackage (like it's done in Fedora), we can probably consider creating a buildroot only subpackage for it if for some reason shipping these files to customers is undesirable.

I created bug #2157663, because from my point of understanding, the 'systemd-stub' is only required for Azure Confidential VMs - and not because Red Hat is really interested in maintaining systemd-boot in RHEL as first-class citizen (= to actually boot RHEL using systemd-boot instead of grub2-efi), while latter is my intention with the systemd-boot subpackage from systemd-extras in EPEL.
Comment 8 Vitaly Kuznetsov 2023-01-02 15:03:59 UTC 
(In reply to Robert Scheck from comment #7)
> (In reply to Vitaly Kuznetsov from comment #1)
> > In fact, there's no need to ship "/usr/lib/systemd/boot/efi/linuxx64.*" in systemd-udev subpackage (like it's done in Fedora), we can probably consider creating a buildroot only subpackage for it if for some reason shipping these files to customers is undesirable.
> 
> I created bug #2157663, because from my point of understanding, the
> 'systemd-stub' is only required for Azure Confidential VMs - and not because
> Red Hat is really interested in maintaining systemd-boot in RHEL as
> first-class citizen (= to actually boot RHEL using systemd-boot instead of
> grub2-efi), while latter is my intention with the systemd-boot subpackage
> from systemd-extras in EPEL.

Right, 'systemd-stub' may come handy for other not-only-confidential VM use-cases
too but in any case its existence is orthogonal to 'systemd-boot'. I.e. UKI 
images produced with 'systemd-stub' can already be booted either from firmware
directly or by shim.
Comment 9 Robert Scheck 2023-01-02 15:10:54 UTC 
But RHEL 9 will still ship "traditional" vmlinuz and initramfs files for its lifecycle, right? And for these setups, I would like to be able to use a well-maintained and/or latest systemd-boot (which I honestly doubt if only systemd-stub is actually needed for a Red Hat product/specific image).
Comment 10 Vitaly Kuznetsov 2023-01-03 09:03:35 UTC 
(In reply to Robert Scheck from comment #9)
> But RHEL 9 will still ship "traditional" vmlinuz and initramfs files for its
> lifecycle, right? And for these setups, I would like to be able to use a
> well-maintained and/or latest systemd-boot (which I honestly doubt if only
> systemd-stub is actually needed for a Red Hat product/specific image).

Currently, there's no discussion about 'switching' to UKIs, the plan is to
provide them as an option for some very well defined use-cases. I'm absolutely
sure traditional vmlinux/initramfs are to stay for the lifetime of RHEL9, there
are just too many use-cases which don't work well with an immutable initramfs.
Comment 11 Plumber Bot 2023-02-22 07:22:02 UTC 
fix merged to github main branch -> https://github.com/redhat-plumbers/systemd-rhel9/pull/142
Comment 12 Jan Macku 2023-03-09 17:09:11 UTC 
*** Bug 2099278 has been marked as a duplicate of this bug. ***
Comment 18 errata-xmlrpc 2023-05-09 08:21:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (systemd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2531