As suggested in https://pagure.io/releng/issue/10765, please prepare the next shim version so that it can be used for systemd-boot too. (Or in other words, so that we can sign systemd-boot with a certificate that is trusted by the chain embedded in our shim.) Recently, the shim review process was extended to cover systemd-boot. (https://github.com/rhboot/shim-review/blob/main/docs/reviewer-guidelines.md#systemd-boot) For make the process easier, I'm including the answers to the added questions: Does the submitter use systemd-boot as a bootloader? This is also used in certain distributions, but less common than grub. ==============&<=============================================================== > If systemd-boot is used: > > Is it used exclusively, or provided alongside grub as an alternative package? Both are used. > Is it intended to be used with BLS (Boot Loader Specification) Type #1 or Type #2 third stages, or either? Either. > Is it the minimum required version, or alternatively does it have the patches stated by the issue template and README.md, if any? The version used will be systemd-255.4 or later, i.e. it has all the patches for known issues. > Does it include the appropriate SBAT metadata, and if Type #2 BLS (i.e.: UKIs) are used, are the identifiers of systemd-boot and systemd-stub (UKI/kernel.efi) separate and distinct (examples after the list)? Yes. > Are there any custom patches applied? If so, are they explained by the submitter and well understood? This can be very time-consuming to do right - if a vendor is doing their own novel patches we may need to get more reviews. No additional patches are included. > Example of the .sbat entry of a systemd-boot binary: $ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/systemd-bootx64.efi /dev/null 2>/dev/null sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/ systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/ > Example of the .sbat entry of a UKI: $ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/linuxx64.efi.stub /dev/null 2>/dev/null sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/ systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/ ==============>&=============================================================== Signing of systemd-boot makes it easier for users to use systemd-boot. The Anaconda installer has support for systemd-boot since F39 (https://fedoraproject.org/wiki/Changes/cleanup_systemd_install). In addition, this will make it easier to develop systemd-boot and experiment with it. Reproducible: Always