[systemd-devel] shim 16 breaking systemd stub and next steps
Alexander Graf
graf at amazon.com
Fri Mar 21 08:05:30 UTC 2025
On 21.03.25 01:26, Luca Boccassi wrote:
> On Thu, 20 Mar 2025 at 22:43, Alexander Graf <graf at amazon.com> wrote:
>> Let's first figure out how all of this works without shim. Then we can
>> look at whether we need to and how we can extend the shim/sd-boot
>> interface to make that case work as well. Please don't start off
>> assuming everyone runs shim in secure boot environments.
> But that's a bit off topic, though - the issue Mate brought up with
> this thread is specifically with shim/16 + sd-boot + sd-stub, which is
> a bit time pressing as both Plucky and Trixie are about to go out with
> this combination that used to work, but doesn't anymore.
> Without shim there's no new issue, everything works as it always did.

If you read through Heinrich's reply once more, you can clearly see that
it does not. We have 2 broken cases: new shim (change of contract) and
U-Boot (dependency on PI internals).

You could - as Ard suggested - introduce a new "prevalidated image load"
protocol in shim to solve the shim case. But that will continue to leave
U-Boot broken. To solve U-Boot, you would basically need to implement
the same "prevalidated image load" in sd-boot. And once you have that,
why would you duplicate it in shim?

Alex