2140646 – [spec] Enable 'systemd-stub' in the build

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2140646 - [spec] Enable 'systemd-stub' in the build

Summary: [spec] Enable 'systemd-stub' in the build

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	systemd
Sub Component:
Version:	9.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Macku
QA Contact:	Frantisek Sumsal
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2099278 (view as bug list)
Depends On:
Blocks:	2142102
TreeView+	depends on / blocked

Reported:	2022-11-07 13:48 UTC by Vitaly Kuznetsov
Modified:	2023-05-09 10:35 UTC (History)
CC List:	12 users (show)
Fixed In Version:	systemd-252-6.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-09 08:21:58 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Gitlab	redhat/centos-stream/rpms systemd merge_requests 60	None	opened	spec: Build systemd-boot EFI tools	2022-12-02 12:27:06 UTC
Red Hat Issue Tracker	RHELPLAN-138521	None	None	None	2022-11-07 14:21:22 UTC
Red Hat Product Errata	RHBA-2023:2531	None	None	None	2023-05-09 08:23:17 UTC

Internal Links: 2142102 2157663

Description Vitaly Kuznetsov 2022-11-07 13:48:36 UTC

To support Azure Confidential VMs (https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), there's an intention to build EFI Unified Kernel Image for RHEL. To do this, 'systemd-stub' is needed. To achive this, a simple:

diff --git a/systemd.spec b/systemd.spec
index cb1a3f80e335..9e9cc1fdb071 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -418,6 +418,10 @@ Patch0337: 0337-udev-net_id-add-rhel-9.1-naming-scheme.patch
 
 # Downstream-only patches (9000–9999)
 
+%ifarch %{ix86} x86_64 aarch64
+%global have_gnu_efi 1
+%endif
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  coreutils
@@ -474,6 +478,10 @@ BuildRequires:  pkgconfig(tss2-mu)
 BuildRequires:  perl
 BuildRequires:  perl(IPC::SysV)
 
+%if 0%{?have_gnu_efi}
+BuildRequires:  gnu-efi gnu-efi-devel
+%endif
+
 Requires(post): coreutils
 Requires(post): sed
 Requires(post): acl
@@ -747,7 +755,7 @@ CONFIGURE_OPTS=(
         -Dlibiptc=false
         -Dlibcurl=true
         -Dlibfido2=false
-        -Dgnu-efi=false
+        -Dgnu-efi=%[%{?have_gnu_efi}?"true":"false"]
         -Dtpm=true
         -Dtpm2=true
         -Dhwdb=true

(copied from Fedora) seems to do the job. This, however, also enables systemd-boot and the associated tools (e.g. bootctl) and we may not want this. I was able to disable it with:

diff --git a/split-files.py b/split-files.py
index 7622210b14e5..ffe72dac310e 100644
--- a/split-files.py
+++ b/split-files.py
@@ -95,10 +95,6 @@ for file in files(buildroot):
         o = o_libs
     elif re.search(r'''udev(?!\.pc)|
                        hwdb|
-                       bootctl|
-                       sd-boot|systemd-boot\.|loader.conf|
-                       bless-boot|
-                       boot-system-token|
                        kernel-install|
                        vconsole|
                        backlight|
@@ -122,7 +118,7 @@ for file in files(buildroot):
                        verity-setup|
                        remount-fs|
                        /boot$|
-                       /boot/efi|
+                       /boot/efi/linuxx64.*|
                        /kernel/|
                        /kernel$|
                        /modprobe.d

Comment 1 Vitaly Kuznetsov 2022-11-07 13:55:42 UTC

For the reference: the proposed (WIP!) kernel spec change building Unified Kernel Image looks like:
https://gitlab.com/vkuznets/centos-stream-9/-/commit/44bc17e4211be9ef102d7cd99f31368187e4dc17

In fact, there's no need to ship "/usr/lib/systemd/boot/efi/linuxx64.*" in systemd-udev subpackage (like it's done in Fedora), we can probably consider creating a buildroot only subpackage for it if for some reason shipping these files to customers is undesirable.

Comment 7 Robert Scheck 2023-01-02 14:58:26 UTC

(In reply to Vitaly Kuznetsov from comment #1)
> In fact, there's no need to ship "/usr/lib/systemd/boot/efi/linuxx64.*" in systemd-udev subpackage (like it's done in Fedora), we can probably consider creating a buildroot only subpackage for it if for some reason shipping these files to customers is undesirable.

I created bug #2157663, because from my point of understanding, the 'systemd-stub' is only required for Azure Confidential VMs - and not because Red Hat is really interested in maintaining systemd-boot in RHEL as first-class citizen (= to actually boot RHEL using systemd-boot instead of grub2-efi), while latter is my intention with the systemd-boot subpackage from systemd-extras in EPEL.

Comment 8 Vitaly Kuznetsov 2023-01-02 15:03:59 UTC

(In reply to Robert Scheck from comment #7)
> (In reply to Vitaly Kuznetsov from comment #1)
> > In fact, there's no need to ship "/usr/lib/systemd/boot/efi/linuxx64.*" in systemd-udev subpackage (like it's done in Fedora), we can probably consider creating a buildroot only subpackage for it if for some reason shipping these files to customers is undesirable.
> 
> I created bug #2157663, because from my point of understanding, the
> 'systemd-stub' is only required for Azure Confidential VMs - and not because
> Red Hat is really interested in maintaining systemd-boot in RHEL as
> first-class citizen (= to actually boot RHEL using systemd-boot instead of
> grub2-efi), while latter is my intention with the systemd-boot subpackage
> from systemd-extras in EPEL.

Right, 'systemd-stub' may come handy for other not-only-confidential VM use-cases
too but in any case its existence is orthogonal to 'systemd-boot'. I.e. UKI 
images produced with 'systemd-stub' can already be booted either from firmware
directly or by shim.

Comment 9 Robert Scheck 2023-01-02 15:10:54 UTC

But RHEL 9 will still ship "traditional" vmlinuz and initramfs files for its lifecycle, right? And for these setups, I would like to be able to use a well-maintained and/or latest systemd-boot (which I honestly doubt if only systemd-stub is actually needed for a Red Hat product/specific image).

Comment 10 Vitaly Kuznetsov 2023-01-03 09:03:35 UTC

(In reply to Robert Scheck from comment #9)
> But RHEL 9 will still ship "traditional" vmlinuz and initramfs files for its
> lifecycle, right? And for these setups, I would like to be able to use a
> well-maintained and/or latest systemd-boot (which I honestly doubt if only
> systemd-stub is actually needed for a Red Hat product/specific image).

Currently, there's no discussion about 'switching' to UKIs, the plan is to
provide them as an option for some very well defined use-cases. I'm absolutely
sure traditional vmlinux/initramfs are to stay for the lifetime of RHEL9, there
are just too many use-cases which don't work well with an immutable initramfs.

Comment 11 Plumber Bot 2023-02-22 07:22:02 UTC

fix merged to github main branch -> https://github.com/redhat-plumbers/systemd-rhel9/pull/142

Comment 12 Jan Macku 2023-03-09 17:09:11 UTC

*** Bug 2099278 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2023-05-09 08:21:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (systemd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2531

Note You need to log in before you can comment on or make changes to this bug.