[systemd-devel] Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora

Lennart Poettering lennart at poettering.net
Mon May 2 09:24:02 UTC 2022


On Sat, 30.04.22 08:08, Andrei Borzenkov (arvidjaar at gmail.com) wrote:

> On 28.04.2022 10:54, Lennart Poettering wrote:
> >
> >> * systemd-boot is an additional bootloader, rather than replacing
> >>   an existing one, thus increasing the attack surface.
> >
> > Hmm, what? "additional bootloader"? Are they suggesting you use grub
> > to start sd-boot? I mean, you certainly could do that, but the only
> > people I know who do that do that to patch around the gatekeeping that
> > the shim people are doing. Technically the boot chain should either be
> > [firmware → sd-boot → kernel] or [firmware → shim → sd-boot → kernel]
> > (if you buy into the shim thing), and nothing else.
>
> I guess "additional bootloader" in this context means that a distribution
> cannot use sd-boot as the only bootloader, for the obvious reason: it is EFI
> only. So the distribution would need to keep the currently used bootloader
> anyway. If the current bootloader already works on the platforms supported by
> the distribution, what is gained by adding yet another one?

That sounds like a strange point to make when we are talking about
signing *EFI* binaries. Which platforms a distro X decides to support
is a decision for that distro, not for the SHIM community.

And there's plenty that is gained: sd-boot has much better semantics,
less code (a third of the shim codebase, and a fraction of grub's),
better integration with the host OS, better update logic, boot
assessment, and so on and so on. There's so much. Not sure why the
SHIM committee should really bother though.

Lennart

--
Lennart Poettering, Berlin
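The "boot assessment" Lennart lists as one of sd-boot's advantages rests on a small, inspectable mechanism: the try counters live in the boot entry's file name as a `+LEFT-DONE` suffix (`foo+3.conf` becomes `foo+2-1.conf`, then `foo+1-2.conf`, then `foo+0-3.conf`, after which the entry counts as bad and sorts last; a successful boot blessed by systemd-bless-boot drops the suffix again). The following is an added illustration of that file-name scheme written for this page, not systemd's own code. The entry names are constructed, and ordering entries by their stem is a stand-in for sd-boot's real sort-key/version ordering, which this example does not reproduce.

```python
"""Toy model of systemd-boot's boot-counting file-name scheme.

Added example, not part of the systemd project. Only the +LEFT-DONE
suffix handling follows the documented scheme; the ordering of
surviving entries (by stem, descending) is a simplification.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# <stem>+<tries-left>[-<tries-done>].<conf|efi>
_COUNTER_RE = re.compile(
    r"^(?P<stem>.+?)\+(?P<left>\d+)(?:-(?P<done>\d+))?\.(?P<ext>conf|efi)$"
)


@dataclass(frozen=True)
class Entry:
    stem: str
    left: Optional[int]  # None: no counter suffix, entry is not under assessment
    done: int
    ext: str

    @property
    def name(self) -> str:
        """Render the entry back into its on-disk file name."""
        if self.left is None:
            return f"{self.stem}.{self.ext}"
        if self.done == 0:
            return f"{self.stem}+{self.left}.{self.ext}"
        return f"{self.stem}+{self.left}-{self.done}.{self.ext}"

    @property
    def bad(self) -> bool:
        """An entry with no tries left is considered bad and sorted last."""
        return self.left == 0


def parse_entry(name: str) -> Entry:
    """Split a boot entry file name into stem, counters and extension."""
    m = _COUNTER_RE.match(name)
    if m is None:
        stem, _, ext = name.rpartition(".")
        return Entry(stem, None, 0, ext)
    return Entry(m["stem"], int(m["left"]), int(m["done"] or 0), m["ext"])


def boot_attempt(entry: Entry) -> Entry:
    """Rename the loader performs before starting a counted entry:
    one fewer try left, one more try done. Bad or uncounted entries
    are left untouched."""
    if entry.left is None or entry.left == 0:
        return entry
    return Entry(entry.stem, entry.left - 1, entry.done + 1, entry.ext)


def bless_good(entry: Entry) -> Entry:
    """What marking a boot as good does: the counter suffix is removed."""
    return Entry(entry.stem, None, 0, entry.ext)


def simulate(name: str, failed_boots: int) -> list[str]:
    """Trail of file names an entry goes through if it is never blessed."""
    e = parse_entry(name)
    trail = [e.name]
    for _ in range(failed_boots):
        e = boot_attempt(e)
        trail.append(e.name)
    return trail


def order_entries(names: list[str]) -> list[str]:
    """Candidate order: entries with tries left (or no counter) first,
    exhausted ones last. Within each group, newest stem first (simplification)."""
    entries = [parse_entry(n) for n in names]
    good = sorted((e for e in entries if not e.bad), key=lambda e: e.stem, reverse=True)
    bad = sorted((e for e in entries if e.bad), key=lambda e: e.stem, reverse=True)
    return [e.name for e in good + bad]


if __name__ == "__main__":
    # Constructed entry names; a kernel that fails three times in a row
    # ends up as +0-3 and falls behind the older, known-good entry.
    print(simulate("fedora-6.1+3.conf", 3))
    print(order_entries(["fedora-6.0.conf", "fedora-6.1+0-3.conf", "fedora-6.2+3.conf"]))
```

The point for a reviewer of the boot chain is that the whole state machine is visible in the ESP directory listing and needs no loader-private storage: a failed update leaves a `+0-N` file behind as evidence, and blessing is an ordinary rename.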

