Description
Zbigniew Jędrzejewski-Szmek
2024-03-09 16:22:17 UTC
As suggested in https://pagure.io/releng/issue/10765, please prepare the next shim version so that it can be used for systemd-boot too. (Or in other words, so that we can sign systemd-boot with a certificate that is trusted by the chain embedded in our shim.)
Recently, the shim review process was extended to cover systemd-boot.
(https://github.com/rhboot/shim-review/blob/main/docs/reviewer-guidelines.md#systemd-boot)
To make the process easier, I'm including the answers to the added questions:
Does the submitter use systemd-boot as a bootloader? This is also used in certain distributions, but less common than grub.
==============&<===============================================================
> If systemd-boot is used:
>
> Is it used exclusively, or provided alongside grub as an alternative package?
Both are used.
> Is it intended to be used with BLS (Boot Loader Specification) Type #1 or Type #2 third stages, or either?
Either.
> Is it the minimum required version, or alternatively does it have the patches stated by the issue template and README.md, if any?
The version used will be systemd-255.4 or later, i.e. it has all the patches for known issues.
> Does it include the appropriate SBAT metadata, and if Type #2 BLS (i.e.: UKIs) are used, are the identifiers of systemd-boot and systemd-stub (UKI/kernel.efi) separate and distinct (examples after the list)?
Yes.
> Are there any custom patches applied? If so, are they explained by the submitter and well understood? This can be very time-consuming to do right - if a vendor is doing their own novel patches we may need to get more reviews.
No additional patches are included.
> Example of the .sbat entry of a systemd-boot binary:
$ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/systemd-bootx64.efi /dev/null 2>/dev/null
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/
> Example of the .sbat entry of a UKI:
$ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/linuxx64.efi.stub /dev/null 2>/dev/null
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/
==============>&===============================================================
Signing of systemd-boot makes it easier for users to use systemd-boot.
The Anaconda installer has support for systemd-boot since F39
(https://fedoraproject.org/wiki/Changes/cleanup_systemd_install).
In addition, this will make it easier to develop systemd-boot and experiment
with it.
Reproducible: Always
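As an added example (not part of the bug report, shim or systemd), the following Python script parses .sbat dumps like the two quoted above and applies the checks a shim reviewer cares about: a well-formed header row, distinct revocable identifiers for systemd-boot and systemd-stub, and the generation comparison shim performs against its SBAT revocation policy. The sample input is constructed from the report; the policy is modelled as a plain dict, a simplification of shim's SbatLevel variable.

```python
"""Parse SBAT metadata (as dumped with `objcopy --dump-section .sbat=...`) and
check it the way a shim reviewer would: header present, each row well-formed,
boot loader and stub identifiers distinct, and no entry older than the
revocation policy. Sample input below is constructed from the bug report."""
import csv
from io import StringIO

# Constructed samples mirroring the two dumps quoted in the report.
SBAT_BOOT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/
"""
SBAT_STUB = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/
"""

def parse_sbat(text):
    """Return a list of (component, generation) pairs; reject malformed input."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if not rec:
            continue  # tolerate a blank line between dumps
        if len(rec) != 6:
            raise ValueError(f"SBAT row must have 6 fields: {rec}")
        if not rec[1].isdigit():
            raise ValueError(f"generation must be a non-negative integer: {rec}")
        rows.append((rec[0], int(rec[1])))
    if not rows or rows[0][0] != "sbat":
        raise ValueError("first SBAT row must be the 'sbat' header entry")
    return rows

def component_ids(rows):
    """Identifiers a revocation can target, excluding the shared 'sbat' header."""
    return {name for name, _ in rows if name != "sbat"}

def identifiers_distinct(a, b):
    """True when two binaries share no revocable component name."""
    return not (component_ids(a) & component_ids(b))

def is_revoked(rows, policy):
    """policy maps component -> minimum allowed generation (a dict standing in
    for shim's SbatLevel). Any matching entry below the minimum is revoked."""
    return any(policy.get(n) is not None and g < policy[n] for n, g in rows)

if __name__ == "__main__":
    boot, stub = parse_sbat(SBAT_BOOT), parse_sbat(SBAT_STUB)
    print("distinct identifiers:", identifiers_distinct(boot, stub))
    print("revoked by systemd-boot,2:", is_revoked(boot, {"systemd-boot": 2}))
```

Because the stub carries `systemd-stub` rather than `systemd-boot`, a future revocation of systemd-boot generation 1 would not take UKIs built with the same systemd release down with it.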