On Fri, Jun 02, 2023 at 05:25:22PM -0700, Luya Tshimbalanga wrote:
> Hello team,
> 
> I would like to bring back the topic related to the selection of bootloader
> notably either GRUB2 or systemd-boot. With the recent adoption on UKI
> kernel, it would be great to get systemd-boot ready for at least Fedora 39
> which is useful for devices like laptops. Currently, some methods allow to
> install systemd-boot with extra step to keep supporting secure boot while
> preserving GRUB2 [1]. What is the missing step to enable secure boot for
> systemd-boot without at least keeping GRUB 2?

Hi Luya,

my goal is to have systemd-boot built as a ready-to-install Fedora package
with a Fedora signature for SecureBoot. The signature would use a different
certificate than grub2, and would not be trusted by our shim build. (This
way, we don't have to touch the complicated issue of making shim trust sd-boot.)
Users would be able to self-enroll those sd-boot signing keys on their machines,
getting reasonable protection from SecureBoot and being able to build
useful policies for tpm-encrypted secrets.

Unfortunately, this requires releng to adjust the infrastructure to do the
signing, and this is not progressing at all [1].

Also, there has been work to add support for sd-boot to Anaconda [2,3].
There has been more progress there, but what we have is not a complete solution.

[1] https://pagure.io/releng/issue/10765
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2106706
[3] https://github.com/rhinstaller/anaconda/pull/4368

In general, I think it'd be nice to make the process of installing sd-boot much
much simpler than it is currently. 'bootctl install' takes care of installation
process, if the system already has the expected layout. So the installation
procedure for Fedora should be just 'dnf install …' of a single package. But
this doesn't currently work because of a few issues:

1. the /boot partition is formatted with ext4
2. partitions don't have parttype uuids conforming to Discoverable Partitions
   Spec [4]
   (or has this been fixed? I need to check.)
3. grub2 and shim carry files directly in their rpm payload, hardcoding paths
   and causing any changes to layout to conflict with what rpm thinks about the
   file system.
   (This part was discussed on fedora-devel recently too.)
4. grub2 and grubby and other packages are part of Requires chain in packages
   [e.g. 5].
   Point 3. makes this more of a problem.

Overall, those are really small things, but progress has been very slow.

[4] https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
[5] https://bugzilla.redhat.com/show_bug.cgi?id=2121912

> [1] https://medium.com/@umglurf/full-uefi-secure-boot-on-fedora-using-signed-initrd-and-systemd-boot-3ff2054593ab

Yeah. This blog story reflects the mess we have right now. This level of
complexity and risk is not suitable for the general user. There's just too much
chance of something going wrong and the system being broken. We need to cut the
number of steps down by 90%.

Zbyszek
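
An added example, not part of the original message and not Fedora or systemd code: a read-only check for points 1 and 2 of the list above (the /boot file system and the partition type UUIDs), run over `lsblk --json` output. The sample JSON is constructed; the function names, the x86-64 root type, and the choice to accept either the ESP or the XBOOTLDR type for /boot are assumptions of this sketch.

```python
import json

# Partition type GUIDs from the Discoverable Partitions Specification.
ESP = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"
XBOOTLDR = "bc13c2ff-59e6-4262-a352-b275fd6f7172"
ROOT_X86_64 = "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
LINUX_GENERIC = "0fc63daf-8483-4772-8e79-3d69d8477de4"  # plain "Linux filesystem"
# Assumption of this sketch: x86-64 host; /boot is either XBOOTLDR or the ESP.
EXPECTED_TYPE = {"/boot": {XBOOTLDR, ESP}, "/": {ROOT_X86_64}}

# Constructed sample of `lsblk --json -o NAME,PARTTYPE,FSTYPE,MOUNTPOINT`.
SAMPLE = json.dumps({"blockdevices": [{"name": "sda", "children": [
    {"name": "sda1", "parttype": ESP, "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "parttype": LINUX_GENERIC, "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda3", "parttype": LINUX_GENERIC, "fstype": "btrfs", "mountpoint": "/"},
]}]})


def partitions(devices):
    """Yield every device entry, descending into nested 'children'."""
    for dev in devices:
        yield dev
        yield from partitions(dev.get("children", []))


def check_layout(lsblk_json):
    """Return (where, problem) pairs for layout issues named in the message."""
    parts = list(partitions(json.loads(lsblk_json)["blockdevices"]))
    findings = []
    # An ESP carrying a FAT file system must exist at all.
    if not any((p.get("parttype") or "").lower() == ESP
               and p.get("fstype") == "vfat" for p in parts):
        findings.append(("ESP", "missing"))
    for p in parts:
        mnt = p.get("mountpoint")
        ptype = (p.get("parttype") or "").lower()
        # Point 1: /boot formatted with something other than vfat (e.g. ext4).
        if mnt == "/boot" and p.get("fstype") != "vfat":
            findings.append((mnt, "fstype"))
        # Point 2: type UUID differs from the DPS one. Entries without a
        # partition type (LVM or LUKS mappings) are skipped, not judged.
        if mnt in EXPECTED_TYPE and ptype and ptype not in EXPECTED_TYPE[mnt]:
            findings.append((mnt, "parttype"))
    return findings


if __name__ == "__main__":
    for where, problem in check_layout(SAMPLE):
        print(f"{where}: {problem}")
```

On a real machine, feed it the output of `lsblk --json -o NAME,PARTTYPE,FSTYPE,MOUNTPOINT` instead of the sample.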