
Bug 2268695

Summary: Please include systemd-boot in the shim review process for the next update
Product: [Fedora] Fedora
Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Component: shim
Assignee: Peter Jones <pjones>
Status: NEW ---
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: rawhide
CC: daan.j.demeyer, davdunc, davide, fmartine, gary.buhrmaster, jeremy.linton, kraxel, michel, mjg59, ngompa13, nilskemail, pjones, pmendezh
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Zbigniew Jędrzejewski-Szmek 2024-03-09 16:22:17 UTC
As suggested in https://pagure.io/releng/issue/10765, please prepare the next shim version so that it can be used for systemd-boot too. (Or in other words, so that we can sign systemd-boot with a certificate that is trusted by the chain embedded in our shim.)

Recently, the shim review process was extended to cover systemd-boot.
(https://github.com/rhboot/shim-review/blob/main/docs/reviewer-guidelines.md#systemd-boot)
To make the process easier, I'm including the answers to the added questions:

Does the submitter use systemd-boot as a bootloader? This is also used in certain distributions, but less common than grub.

==============&<===============================================================

> If systemd-boot is used:
>
> Is it used exclusively, or provided alongside grub as an alternative package?
Both are used.

> Is it intended to be used with BLS (Boot Loader Specification) Type #1 or Type #2 third stages, or either?
Either.

> Is it the minimum required version, or alternatively does it have the patches stated by the issue template and README.md, if any?
The version used will be systemd-255.4 or later, i.e. it has all the patches for known issues.

> Does it include the appropriate SBAT metadata, and if Type #2 BLS (i.e.: UKIs) are used, are the identifiers of systemd-boot and systemd-stub (UKI/kernel.efi) separate and distinct (examples after the list)?
Yes.

> Are there any custom patches applied? If so, are they explained by the submitter and well understood? This can be very time-consuming to do right - if a vendor is doing their own novel patches we may need to get more reviews.
No additional patches are included.

> Example of the .sbat entry of a systemd-boot binary:
$ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/systemd-bootx64.efi /dev/null 2>/dev/null
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/

> Example of the .sbat entry of a UKI:
$ objcopy --dump-section .sbat=/dev/stdout /usr/lib/systemd/boot/efi/linuxx64.efi.stub /dev/null 2>/dev/null
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/

==============>&===============================================================

Signing of systemd-boot makes it easier for users to use systemd-boot.
The Anaconda installer has support for systemd-boot since F39
(https://fedoraproject.org/wiki/Changes/cleanup_systemd_install).
In addition, this will make it easier to develop systemd-boot and experiment
with it.


Reproducible: Always
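The review questions above ask whether the .sbat metadata is well-formed and whether the systemd-boot and systemd-stub identifiers are separate and distinct. The following is an added example, not part of the bug report or of the shim-review tooling, of how a reviewer could check both points over the text that `objcopy --dump-section .sbat=/dev/stdout` prints. The two sample sections are the entries quoted in the report; the parser assumes the documented six-field SBAT CSV layout (component, generation, vendor, package, version, url) with the `sbat` header record first, and tolerates a trailing NUL from the section padding.

```python
import csv
import io
from dataclasses import dataclass

# Sample .sbat contents as quoted in the bug report (systemd 255.4-1.fc40).
SYSTEMD_BOOT_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-boot.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/
"""

SYSTEMD_STUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.fedora,1,Fedora Linux,systemd,255.4-1.fc40,https://bugzilla.redhat.com/
"""


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str
    package: str
    version: str
    url: str


def parse_sbat(text):
    """Parse the CSV text of a .sbat section into SbatEntry records.

    Raises ValueError if the header record is missing, a record does not
    have exactly six fields, or a generation number is not an integer.
    """
    # Sections are often NUL-padded; strip that and surrounding whitespace.
    rows = list(csv.reader(io.StringIO(text.strip("\0").strip())))
    if not rows:
        raise ValueError("empty .sbat section")
    entries = []
    for lineno, row in enumerate(rows, 1):
        if len(row) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(row)}")
        component, generation, vendor, package, version, url = row
        if not generation.isdigit():
            raise ValueError(f"line {lineno}: generation {generation!r} is not an integer")
        entries.append(SbatEntry(component, int(generation), vendor, package, version, url))
    head = entries[0]
    if head.component != "sbat" or head.package != "sbat":
        raise ValueError("first record must be the 'sbat' header entry")
    return entries


def components(entries):
    """Component identifiers declared by a binary, excluding the 'sbat' header."""
    return {e.component for e in entries if e.component != "sbat"}


def shared_identifiers(boot_entries, stub_entries):
    """Component names that both binaries claim.

    An empty set means the identifiers are separate and distinct, which is
    what the review checklist asks for; any overlap would let a revocation
    aimed at one binary hit the other.
    """
    return components(boot_entries) & components(stub_entries)


if __name__ == "__main__":
    boot = parse_sbat(SYSTEMD_BOOT_SBAT)
    stub = parse_sbat(SYSTEMD_STUB_SBAT)
    for e in boot + stub:
        print(f"{e.component:<22} gen={e.generation} {e.package} {e.version}")
    overlap = shared_identifiers(boot, stub)
    print("identifiers distinct" if not overlap else f"overlap: {sorted(overlap)}")
```

Feeding the script real output means piping `objcopy --dump-section .sbat=/dev/stdout <binary> /dev/null` into `parse_sbat`; the same check can be run against any UKI built from the stub, since the UKI inherits the stub's .sbat records.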