On Wed, Jul 27, 2022 at 2:05 PM Lennart Poettering <mzerqung(a)0pointer.de> wrote:
> On Mi, 27.07.22 16:50, Chris Murphy (lists(a)colorremedies.com) wrote:
> > > I prefer no shim in my computers. I'm using systemd-boot signed by my
> > > own CA.
> >
> > That is not a generic solution we can ship in Fedora. Since each
> > distro ships their own shim, they'd each have to ship their own
> > signed fsfs in order to read a shared non-FAT $BOOT. It's too
> > high a barrier to adoption.
>
> Something we could add relatively easily to sd-boot is that it could
> look for drivers to load in one of its own PE sections (let's say a
> new section ".drivers").
>
> Then Fedora could do something like this:
>
> 1. build ext4 efifs as UEFI PE binary (→ ext2_x64.efi)
> 2. build systemd-boot as UEFI PE binary (→ systemd-bootx64.efi)
> 3. use "objcopy --add-section .drivers=ext2_x64.efi
> systemd-bootx64.efi systemd-bootx64.withext4.efi" to embed the ext4
> driver inside systemd-boot
> 4. sign the resulting systemd-bootx64.withext4.efi via shim/…
> 5. profit! Now you have an sd-boot binary that can do ext4. yay.
> 6. ask relevant other distros to do the same. They are probably in a
> very similar situation as Fedora is, given they typically all use
> Grub right now.
This sounds pretty awesome, actually. I'd like to see that get implemented...
--
真実はいつも一つ!/ Always, there's only one truth!
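The objcopy step Lennart describes above yields a systemd-boot image carrying the filesystem driver as an extra PE section, so the driver ends up inside the one image that gets signed. The following added example (not code from this thread, from systemd or from Fedora) parses a PE section table in Python, locates a ".drivers" section and extracts its payload, which lets a build pipeline confirm what the signature will cover before the combined binary is signed. The section name ".drivers" is taken from the mail; the sample images are constructed inside the block and are not loadable binaries, and the layout builder only mimics the section-table structure a linker or objcopy would emit.

```python
"""Locate and extract an embedded driver from a UEFI PE image's section table."""
import struct

SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER
COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
PE32PLUS_MAGIC = 0x20B


def pe_sections(image: bytes) -> list:
    """Parse the PE/COFF section table; returns [(name, raw_offset, raw_size), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + COFF_HEADER_SIZE + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        (name, _vsize, _vaddr, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, _flags) = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append((name.rstrip(b"\0").decode("ascii"), raw_ptr, raw_size))
    return sections


def embedded_driver(image: bytes, section: str = ".drivers"):
    """Return the raw payload of the named section, or None if the image has no such section."""
    for name, raw_ptr, raw_size in pe_sections(image):
        if name == section:
            if raw_ptr + raw_size > len(image):
                raise ValueError(f"section {section} runs past end of image")
            return image[raw_ptr:raw_ptr + raw_size]
    return None


def is_pe_image(blob: bytes) -> bool:
    """Sanity check that a section payload is itself a PE binary (as a UEFI driver must be)."""
    try:
        pe_sections(blob)
        return True
    except (ValueError, struct.error):
        return False


def build_sample_image(sections: dict) -> bytes:
    """Constructed for this example: a minimal PE32+ image with the given {name: payload}
    sections. It reproduces the header/section-table layout the parser expects, nothing more."""
    e_lfanew, file_align = 0x40, 0x200
    optional = struct.pack("<H", PE32PLUS_MAGIC) + bytes(238)   # PE32+ optional header, zero-filled
    n = len(sections)
    headers_len = e_lfanew + 4 + COFF_HEADER_SIZE + len(optional) + n * SECTION_HEADER_SIZE
    headers_end = -(-headers_len // file_align) * file_align     # round up to file alignment
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, len(optional), 0x22)  # x86-64, executable
    table, body, raw_ptr, vaddr = b"", b"", headers_end, 0x1000
    for name, payload in sections.items():
        raw_size = -(-len(payload) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(payload), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)  # initialized data, readable
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += raw_size
    return (dos + b"PE\0\0" + coff + optional + table).ljust(headers_end, b"\0") + body


if __name__ == "__main__":
    # Constructed stand-ins for ext2_x64.efi and systemd-bootx64.withext4.efi.
    driver = build_sample_image({".text": b"\x90" * 16})
    combined = build_sample_image({".text": b"\xcc" * 32, ".drivers": driver})
    for name, off, size in pe_sections(combined):
        print(f"{name:<9} offset=0x{off:x} size=0x{size:x}")
    payload = embedded_driver(combined)
    print("embedded driver is a PE image:", is_pe_image(payload))
```

Run against a real systemd-bootx64.withext4.efi, `embedded_driver()` returns exactly the bytes objcopy placed in the section (padded to the file alignment), so a pipeline can compare that payload against the ext2_x64.efi it built before handing the combined image to the signing step.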