Bug 2268695 - Please include systemd-boot in the shim review process for the next update
Summary: Please include systemd-boot in the shim review process for the next update
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: shim
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-03-09 16:22 UTC by Zbigniew Jędrzejewski-Szmek
Modified: 2024-04-12 07:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Zbigniew Jędrzejewski-Szmek 2024-03-09 16:22:17 UTC
As suggested in https://pagure.io/releng/issue/10765, please prepare the next shim version so that it can be used for systemd-boot too. (Or in other words, so that we can sign systemd-boot with a certificate that is trusted by the chain embedded in our shim.)

Recently, the shim review process was extended to cover systemd-boot.
(https://github.com/rhboot/shim-review/blob/main/docs/reviewer-guidelines.md#systemd-boot)
To make the process easier, I'm including the answers to the added questions:

> Does the submitter use systemd-boot as a bootloader? This is also used in certain distributions, but less common than grub.

==============&<===============================================================

> If systemd-boot is used:
>
> Is it used exclusively, or provided alongside grub as an alternative package?
Both are used.

> Is it intended to be used with BLS (Boot Loader Specification) Type #1 or Type #2 third stages, or either?
Either.

> Is it the minimum required version, or alternatively does it have the patches stated by the issue template and README.md, if any?
The version used will be systemd-255.4 or later, i.e. it has all the patches for known issues.

> Does it include the appropriate SBAT metadata, and if Type #2 BLS (i.e.: UKIs) are used, are the identifiers of systemd-boot and systemd-stub (UKI/kernel.efi) separate and distinct (examples after the list)?
Yes.

> Are there any custom patches applied? If so, are they explained by the submitter and well understood? This can be very time-consuming to do right - if a vendor is doing their own novel patches we may need to get more reviews.
No additional patches are included.

> Example of the .sbat entry of a systemd-boot binary:
$ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/systemd-bootx64.efi /dev/null 2>/dev/null
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/

> Example of the .sbat entry of a UKI:
$ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/linuxx64.efi.stub /dev/null 2>/dev/null
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/

==============>&===============================================================

Signing of systemd-boot makes it easier for users to use systemd-boot.
The Anaconda installer has support for systemd-boot since F39
(https://fedoraproject.org/wiki/Changes/cleanup_systemd_install).
In addition, this will make it easier to develop systemd-boot and experiment
with it.


Reproducible: Always
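The reviewer question about SBAT identifiers, worked through as an added example (not part of the bug report, shim-review, or systemd's own tooling): it parses `.sbat` text like the `objcopy` dumps quoted above (constructed inline here so no binary is needed) and checks that systemd-boot and systemd-stub carry distinct component names, since shim's SBAT revocation matches on component name and generation, and a shared name would make a revocation of one apply to the other.

```python
import csv
import io

# Constructed inline from the .sbat dumps quoted in the bug report (no objcopy needed).
SYSTEMD_BOOT_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/\n"
    "systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/\n"
)
SYSTEMD_STUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/\n"
    "systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/\n"
)

SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(text):
    """Parse a .sbat section (CSV, one entry per line) into a list of dicts."""
    entries = []
    # A raw section dump may end in NUL padding; strip it before parsing.
    for row in csv.reader(io.StringIO(text.rstrip("\0\n"))):
        if not row:
            continue
        if len(row) != len(SBAT_FIELDS):
            raise ValueError(f"malformed SBAT entry (expected 6 fields): {row}")
        entry = dict(zip(SBAT_FIELDS, row))
        entry["component_generation"] = int(entry["component_generation"])
        entries.append(entry)
    return entries


def sbat_problems(entries):
    """Review findings for one binary's SBAT metadata (empty list if clean)."""
    problems = []
    if not entries or entries[0]["component_name"] != "sbat":
        problems.append("first entry must be the 'sbat' format-version header")
    names = [e["component_name"] for e in entries]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"duplicate component name {name!r}")
    return problems


def component_names(entries):
    """Component names a revocation would match, excluding the 'sbat' header."""
    return {e["component_name"] for e in entries if e["component_name"] != "sbat"}


def distinct_identifiers(boot_text, stub_text):
    """True when systemd-boot and the UKI stub share no SBAT component name."""
    return not (component_names(parse_sbat(boot_text)) & component_names(parse_sbat(stub_text)))
```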

