On Fri, Jun 02, 2023 at 05:25:22PM -0700, Luya Tshimbalanga wrote:
> Hello team,
>
> I would like to bring back the topic related to the selection of bootloader,
> notably either GRUB2 or systemd-boot. With the recent adoption of UKI
> kernels, it would be great to get systemd-boot ready for at least Fedora 39,
> which is useful for devices like laptops. Currently, some methods allow
> installing systemd-boot with an extra step to keep supporting secure boot while
> preserving GRUB2 [1]. What is the missing step to enable secure boot for
> systemd-boot without at least keeping GRUB 2?

Hi Luya,

my goal is to have systemd-boot built as a ready-to-install Fedora package
with a Fedora signature for SecureBoot. The signature would use a different
certificate than grub2, and would not be trusted by our shim build. (This way,
we don't have to touch the complicated issue of making shim trust sd-boot.)
Users would be able to self-enroll those sd-boot signing keys on their
machines, getting reasonable protection from SecureBoot and being able to
build useful policies for tpm-encrypted secrets.

Unfortunately, this requires releng to adjust the infrastructure to do the
signing, and this is not progressing at all [1].

Also, there has been work to add support for sd-boot to Anaconda [2,3].
There has been more progress there, but what we have is not a complete
solution.

[1] https://pagure.io/releng/issue/10765
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2106706
[3] https://github.com/rhinstaller/anaconda/pull/4368

In general, I think it'd be nice to make the process of installing sd-boot
much much simpler than it is currently. 'bootctl install' takes care of the
installation process, if the system already has the expected layout. So the
installation procedure for Fedora should be just 'dnf install …' of a single
package. But this doesn't currently work because of a few issues:

1. the /boot partition is formatted with ext4
2. partitions don't have parttype uuids conforming to the Discoverable
   Partitions Spec [4] (or has this been fixed? I need to check.)
3. grub2 and shim carry files directly in their rpm payload, hardcoding
   paths and causing any changes to layout to conflict with what rpm thinks
   about the file system. (This part was discussed on fedora-devel recently
   too.)
4. grub2 and grubby and other packages are part of the Requires chain in
   packages [e.g. 5]. Point 3. makes this more of a problem.

Overall, those are really small things, but progress has been very slow.

[4] https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
[5] https://bugzilla.redhat.com/show_bug.cgi?id=2121912

> [1] https://medium.com/@umglurf/full-uefi-secure-boot-on-fedora-using-signed-initrd-and-systemd-boot-3ff2054593ab

Yeah. This blog story reflects the mess we have right now. This level of
complexity and risk is not suitable for the general user. There's just too
much chance of something going wrong and the system being broken. We need to
cut the number of steps down by 90%.

Zbyszek
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
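Points 1 and 2 in the message above describe the layout `bootctl install` expects: an ESP with the ESP partition type GUID, and a separate /boot, if present, formatted as vfat and typed as an XBOOTLDR partition per the Discoverable Partitions Specification. The script below is an added example, not code from the thread or from systemd; it checks a layout description against those two requirements and reports what would block a plain `bootctl install`. The two sample layouts are constructed (a typical ext4 /boot layout and a DPS-conforming one); the type GUIDs are the ones defined by the UEFI spec (ESP) and the DPS (XBOOTLDR, generic Linux data).

```shell
#!/bin/sh
# Check whether a partition layout is ready for `bootctl install`.
# Input: lines of "MOUNTPOINT PARTTYPE FSTYPE" (the column order used by
# `lsblk -nro MOUNTPOINT,PARTTYPE,FSTYPE`). Unmounted partitions are ignored.

# Partition type GUIDs (UEFI spec / Discoverable Partitions Specification).
ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"       # EFI System Partition
XBOOTLDR_GUID="bc13c2ff-59e6-4262-a352-b275fd6f7172"  # Extended Boot Loader
LINUX_DATA_GUID="0fc63daf-8483-4772-8e79-3d69d8477de4" # generic "Linux filesystem"

# check_sdboot_layout: reads layout lines from stdin, prints one line per
# problem found, and returns 0 only if bootctl would accept the layout.
check_sdboot_layout() {
    status=0
    seen_esp=0
    while read -r mnt ptype fstype; do
        [ -n "$mnt" ] || continue
        case "$mnt" in
            /efi|/boot/efi)
                seen_esp=1
                [ "$ptype" = "$ESP_GUID" ] || {
                    echo "$mnt: partition type $ptype is not the ESP type GUID"; status=1; }
                [ "$fstype" = "vfat" ] || {
                    echo "$mnt: filesystem is $fstype, the ESP must be vfat"; status=1; }
                ;;
            /boot)
                [ "$ptype" = "$XBOOTLDR_GUID" ] || {
                    echo "$mnt: partition type $ptype is not the XBOOTLDR type GUID"; status=1; }
                [ "$fstype" = "vfat" ] || {
                    echo "$mnt: filesystem is $fstype, bootctl needs a vfat \$BOOT partition"; status=1; }
                ;;
        esac
    done
    [ "$seen_esp" -eq 1 ] || { echo "no ESP mounted at /efi or /boot/efi"; status=1; }
    return "$status"
}

# Constructed sample: the common layout with an ext4 /boot typed as plain Linux data.
ext4_boot_layout() {
    printf '%s\n' \
        "/boot/efi $ESP_GUID vfat" \
        "/boot $LINUX_DATA_GUID ext4" \
        "/ $LINUX_DATA_GUID ext4"
}

# Constructed sample: a DPS-conforming layout that bootctl install can use as-is.
dps_layout() {
    printf '%s\n' \
        "/efi $ESP_GUID vfat" \
        "/boot $XBOOTLDR_GUID vfat" \
        "/ 4f68bce3-e8cd-4db1-96e7-fbcaf984b709 ext4"   # Linux root (x86-64)
}

echo "== ext4 /boot layout =="
ext4_boot_layout | check_sdboot_layout || echo "-> not ready for bootctl install"
echo "== DPS layout =="
dps_layout | check_sdboot_layout && echo "-> ready for bootctl install"
```

On a live system the same function can be fed real data with `lsblk -nro MOUNTPOINT,PARTTYPE,FSTYPE | grep '^/' | check_sdboot_layout`; the grep keeps only mounted partitions, since raw lsblk output leaves the mountpoint field empty for unmounted ones and `read` would otherwise shift the columns. The check is deliberately read-only: it tells you which of the two layout issues from the message applies to a given machine without changing anything.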