Description of problem:
systemd-boot cannot work without deactivating secure boot

Version-Release number of selected component (if applicable):
systemd-udev-249.4-2.fc35.x86_64

How reproducible:
every time

Steps to Reproduce:
1. bootctl install (full instructions https://kowalski7cc.xyz/blog/systemd-boot-fedora-32)
2. efibootmgr -v
3. sbverify --list /efi/EFI/systemd/systemd-bootx64.efi

Actual results:
efibootmgr shows systemd-bootx64.efi configured as boot manager entry
sbverify shows "No signature table present"

Expected results:
systemd-bootx64 should be signed:
- either by a global CA to be installed on the system
- or by fedoraca, in which case a shim should be configured in the entries

Additional info:
any plan to support default installation with systemd-boot?
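The "No signature table present" result from sbverify --list means the PE image's Certificate Table data directory entry is empty. The following is an added example (not part of the bug report or of systemd/sbsigntools) that reads that entry directly from a PE32/PE32+ header; the build_minimal_pe() helper is a constructed, section-less stand-in for a real EFI binary so the check can be exercised offline.

```python
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Certificate Table directory


def certificate_table(data: bytes):
    """Return (file_offset, size) of the Certificate Table entry, or None if
    the bytes are not a PE32/PE32+ image or the entry is absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                                       # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    else:
        return None
    (num_dirs,) = struct.unpack_from("<I", data, opt + count_off)  # NumberOfRvaAndSizes
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return None
    return struct.unpack_from("<II", data, entry)


def has_signature_table(data: bytes) -> bool:
    """True when at least one Authenticode signature is attached, which is
    the condition sbverify --list reports on. It says nothing about whether
    the signer chains to a key in the firmware db or shim's MOK list."""
    ct = certificate_table(data)
    return ct is not None and ct[1] > 0


def build_minimal_pe(cert_size: int) -> bytes:
    """Constructed sample: a PE32+ skeleton with no sections. cert_size > 0
    mimics a signed image; 0 mimics the unsigned systemd-bootx64.efi case."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                      # 16 data directories
    cert_off = e_lfanew + 4 + 20 + 240                        # table follows the headers
    struct.pack_into("<II", opt, 112 + 8 * 4, cert_off if cert_size else 0, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size
```

Run has_signature_table() over the bytes of /efi/EFI/systemd/systemd-bootx64.efi to reproduce the sbverify --list finding without the tool; a True result still needs sbverify --verify against the expected certificate before the image can be considered bootable under Secure Boot.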
Yeah, we should probably do this at some point. Frankly, I have no idea how signing works in Fedora (pesign is used, but how can one call it, and when?). So if somebody who cares about this would be so nice and figure out what initial steps would be required and what would need to be done for each official build of systemd, that'd help a lot to move this forward.
There will be one more step to make secure boot work, though, assuming systemd-bootx64.efi is signed (using these macros: https://src.fedoraproject.org/rpms/grub2/blob/rawhide/f/grub.macros#_389, on the right build hosts I guess?). At the moment bootctl install is installing an entry for "\EFI\systemd\systemd-bootx64.efi" instead of a shim. The shim-x64 package today depends on grub2-efi-x64. If systemd-bootx64 gets properly signed, a user would have:
- to install shim-x64 + grub2 nonetheless
- then copy systemd-bootx64.efi to overwrite grubx64.efi
- then to use the entry with shim instead of systemd-boot in the efibootmgr

Also the default EFI partition on the cloud image is 100MB, probably not enough.
This message is a reminder that Fedora Linux 35 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '35'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 35 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=2268695