Bug 2268695

Summary: Please include systemd-boot in the shim review process for the next update
Product: Fedora
Component: shim
Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Assignee: Peter Jones <pjones>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: daan.j.demeyer, davdunc, davide, fmartine, gary.buhrmaster, jeremy.linton, kraxel, michel, mjg59, ngompa13, nilskemail, pjones, pmendezh
Hardware: Unspecified
OS: Linux

Description Zbigniew Jędrzejewski-Szmek 2024-03-09 16:22:17 UTC
As suggested in https://pagure.io/releng/issue/10765, please prepare the next shim version so that it can be used for systemd-boot too. (Or in other words, so that we can sign systemd-boot with a certificate that is trusted by the chain embedded in our shim.)

Recently, the shim review process was extended to cover systemd-boot.
(https://github.com/rhboot/shim-review/blob/main/docs/reviewer-guidelines.md#systemd-boot)
To make the process easier, I'm including the answers to the added questions:

Does the submitter use systemd-boot as a bootloader? This is also used in certain distributions, but less common than grub.

==============&<===============================================================

> If systemd-boot is used:
>
> Is it used exclusively, or provided alongside grub as an alternative package?
Both are used.

> Is it intended to be used with BLS (Boot Loader Specification) Type #1 or Type #2 third stages, or either?
Either.

> Is it the minimum required version, or alternatively does it have the patches stated by the issue template and README.md, if any?
The version used will be systemd-255.4 or later, i.e. it has all the patches for known issues.

> Does it include the appropriate SBAT metadata, and if Type #2 BLS (i.e.: UKIs) are used, are the identifiers of systemd-boot and systemd-stub (UKI/kernel.efi) separate and distinct (examples after the list)?
Yes.

> Are there any custom patches applied? If so, are they explained by the submitter and well understood? This can be very time-consuming to do right - if a vendor is doing their own novel patches we may need to get more reviews.
No additional patches are included.

> Example of the .sbat entry of a systemd-boot binary:
$ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/systemd-bootx64.efi /dev/null 2>/dev/null
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/

> Example of the .sbat entry of a UKI:
$ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/linuxx64.efi.stub /dev/null 2>/dev/null
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/

==============>&===============================================================

Signing of systemd-boot makes it easier for users to use systemd-boot.
The Anaconda installer has support for systemd-boot since F39
(https://fedoraproject.org/wiki/Changes/cleanup_systemd_install).
In addition, this will make it easier to develop systemd-boot and experiment
with it.


Reproducible: Always
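The two `.sbat` dumps above are the input to the check shim performs at boot: every row is `component,generation,vendor,package,version,url`, and shim compares each component's generation against the minimum in its SbatLevel revocation policy, refusing the binary if any present component is below the minimum. The reviewer guidelines additionally require that systemd-boot and the UKI stub carry distinct component names, so that one can be revoked without the other. The script below is an added example (not code from the bug report, shim, or systemd); it parses SBAT text as produced by the `objcopy --dump-section .sbat=/dev/stdout` commands quoted in the report and evaluates it the way shim's component/generation comparison works. The sample SBAT rows are the ones from the report; the `SBATLEVEL_POLICY` text is a constructed, hypothetical policy in the shape shim's SbatLevel variable uses (header row, then `component,generation` rows), and its `systemd-boot,2` row is invented purely to show what a revocation failure looks like. Function names are the example's own.

```python
"""Parse .sbat sections (as dumped by objcopy) and evaluate them as shim does."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Sample input: the two .sbat dumps quoted in the bug report.
SYSTEMD_BOOT_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/
"""

SYSTEMD_STUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/
"""

# Constructed, hypothetical SbatLevel revocation policy (same CSV shape as shim's
# SbatLevel variable). The "systemd-boot,2" row is invented to trigger a failure.
SBATLEVEL_POLICY = """\
sbat,1,2024010900
shim,4
grub,3
systemd-boot,2
"""


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str
    package: str
    version: str
    url: str


def parse_sbat(text: str) -> List[SbatEntry]:
    """Parse a .sbat section; the first row must be the 'sbat' header entry."""
    entries: List[SbatEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}: {line!r}")
        component, gen, vendor, package, version, url = fields
        if not gen.isdigit() or int(gen) < 1:
            raise ValueError(f"line {lineno}: generation must be a positive integer: {gen!r}")
        entries.append(SbatEntry(component, int(gen), vendor, package, version, url))
    if not entries or entries[0].component != "sbat":
        raise ValueError("first SBAT row must be the 'sbat' header entry")
    return entries


def parse_sbatlevel(text: str) -> Dict[str, int]:
    """Parse a SbatLevel policy: a 'sbat,<version>,<datestamp>' header, then 'component,generation' rows."""
    policy: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if fields[0] == "sbat":
            continue  # header row carries the policy datestamp, not a component minimum
        if len(fields) != 2 or not fields[1].isdigit():
            raise ValueError(f"bad policy row: {line!r}")
        policy[fields[0]] = int(fields[1])
    return policy


def sbat_violations(entries: List[SbatEntry], policy: Dict[str, int]) -> List[str]:
    """Components shim would refuse: present in the binary with generation below the policy minimum.

    Components absent from the binary are ignored, matching shim's behaviour.
    """
    gens = {e.component: e.generation for e in entries}
    return [f"{name}: generation {gens[name]} < required {required}"
            for name, required in policy.items()
            if name in gens and gens[name] < required]


def shared_components(a: List[SbatEntry], b: List[SbatEntry]) -> Set[str]:
    """Component names (other than the 'sbat' header) that two binaries share; must be empty."""
    return ({e.component for e in a} & {e.component for e in b}) - {"sbat"}


if __name__ == "__main__":
    boot = parse_sbat(SYSTEMD_BOOT_SBAT)
    stub = parse_sbat(SYSTEMD_STUB_SBAT)
    policy = parse_sbatlevel(SBATLEVEL_POLICY)
    print("shared identifiers:", shared_components(boot, stub) or "none (OK)")
    for name, entries in (("systemd-boot", boot), ("systemd-stub", stub)):
        problems = sbat_violations(entries, policy)
        print(f"{name}: {'REVOKED ' + '; '.join(problems) if problems else 'passes policy'}")
```

Run against real binaries by piping `objcopy --dump-section .sbat=/dev/stdout <file> /dev/null` output into `parse_sbat`; the current revocation policy can be read from the `SbatLevel` EFI variable or shim's `.sbatlevel` section. Note that the stub in a UKI is rebuilt into `kernel.efi` by ukify, so the check for distinct identifiers should be repeated on the final UKI, not only on `linuxx64.efi.stub`.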