On Wed, 27.07.22 16:50, Chris Murphy (lists(a)colorremedies.com) wrote:
> I prefer no shim in my computers. I'm using systemd-boot signed by my
> own CA.
That is not a generic solution we can ship in Fedora. Since each
distro ships their own shim, they'd each have to ship their own
signed efifs in order to read a shared non-FAT $BOOT. It's too
high a barrier to adoption.
Something we could add relatively easily to sd-boot is that it could
look for drivers to load in one of its own PE sections (let's say a
new section ".drivers").
Then Fedora could do something like this:
1. build ext4 efifs as UEFI PE binary (→ ext2_x64.efi)
2. build systemd-boot as UEFI PE binary (→ systemd-bootx64.efi)
3. use "objcopy --add-section .drivers=ext2_x64.efi systemd-bootx64.efi
   systemd-bootx64.withext4.efi" to embed the ext4 driver inside
   systemd-boot
4. sign the resulting systemd-bootx64.withext4.efi via shim/…
5. profit! now you have an sd-boot binary that can do ext4. yay.
6. ask relevant other distros to do the same. They are probably in a
very similar situation as Fedora is, given they typically all use
Grub right now.
Lennart
--
Lennart Poettering, Berlin
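The embedding step of the recipe above (step 3) and the lookup sd-boot would have to do on the other side, written out as an added Python example that is not systemd's code and not part of the thread. Both `.efi` inputs are constructed in-memory minimal PE32+ images standing in for ext2_x64.efi and systemd-bootx64.efi; `add_section` reproduces only the part of `objcopy --add-section` that matters here (it assumes a free slot in the section table and appends the data at the end of the file), and `embed_driver`/`check_embedded_driver` are hypothetical helper names for the check a distro would want to run before the combined binary goes to shim signing: whatever sits in `.drivers` is covered by that signature, so it should at least be a PE driver for the same machine type.

```python
import struct

# Machine type, UEFI subsystem IDs and section flags from the PE/COFF spec.
MACHINE_X64 = 0x8664
SUBSYSTEM_EFI_APPLICATION = 10
SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11
SUBSYSTEM_EFI_RUNTIME_DRIVER = 12
SECT_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
DATA_SECTION = 0x40000040  # IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ


def _align(n, a):
    return (n + a - 1) // a * a


def _headers(pe):
    # Offsets of the COFF header, optional header and section table, plus the section count.
    coff_off = struct.unpack_from("<I", pe, 0x3C)[0] + 4
    nsect = struct.unpack_from("<H", pe, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff_off + 16)[0]
    return coff_off, coff_off + 20, coff_off + 20 + opt_size, nsect


def build_minimal_pe(subsystem, sections, headers_size=0x400, machine=MACHINE_X64):
    """Constructed stand-in for a real .efi: minimal PE32+ with the given (name, bytes) sections.
    Headers are padded to headers_size so one more section header fits without moving data."""
    sect_align, file_align = 0x1000, 0x200
    hdrs, body = bytearray(), bytearray()
    rva, raw = _align(headers_size, sect_align), headers_size
    for name, data in sections:
        raw_size = _align(len(data), file_align)
        hdrs += struct.pack(SECT_HDR, name.encode().ljust(8, b"\0"), len(data), rva,
                            raw_size, raw, 0, 0, 0, 0, DATA_SECTION)
        body += data.ljust(raw_size, b"\0")
        rva += _align(max(len(data), 1), sect_align)
        raw += raw_size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIII", 0x20B, 0, 0, 0, 0, 0, 0, 0)  # PE32+ magic, sizes, entry point
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0, sect_align, file_align, 0, 0, 0, 0, 0, 0,  # ImageBase, alignments, versions
                       0, rva, headers_size, 0, subsystem, 0,        # SizeOfImage, SizeOfHeaders, Subsystem
                       0, 0, 0, 0, 0, 16)                            # stack/heap, LoaderFlags, #data dirs
    opt += b"\0" * 128  # 16 empty data directories
    image = dos + b"PE\0\0" + coff + opt + hdrs
    assert len(image) <= headers_size, "section table does not fit in SizeOfHeaders"
    return bytes(image.ljust(headers_size, b"\0") + body)


def add_section(pe, name, data):
    """Append a named section holding `data`, like `objcopy --add-section name=file` (simplified)."""
    pe = bytearray(pe)
    coff_off, opt_off, sect_off, nsect = _headers(pe)
    sect_align, file_align = struct.unpack_from("<II", pe, opt_off + 32)
    size_of_headers = struct.unpack_from("<I", pe, opt_off + 60)[0]
    hdr_off = sect_off + 40 * nsect
    if len(name) > 8 or hdr_off + 40 > size_of_headers:
        raise ValueError("name too long or no room for another section header")
    end_rva = _align(size_of_headers, sect_align)
    for i in range(nsect):  # place the new section after the highest RVA already in use
        vsize, va = struct.unpack_from("<II", pe, sect_off + 40 * i + 8)
        end_rva = max(end_rva, _align(va + vsize, sect_align))
    raw_ptr, raw_size = _align(len(pe), file_align), _align(len(data), file_align)
    pe += b"\0" * (raw_ptr - len(pe)) + data.ljust(raw_size, b"\0")
    struct.pack_into(SECT_HDR, pe, hdr_off, name.encode().ljust(8, b"\0"), len(data), end_rva,
                     raw_size, raw_ptr, 0, 0, 0, 0, DATA_SECTION)
    struct.pack_into("<H", pe, coff_off + 2, nsect + 1)  # NumberOfSections
    struct.pack_into("<I", pe, opt_off + 56, _align(end_rva + len(data), sect_align))  # SizeOfImage
    return bytes(pe)


def find_section(pe, name):
    """Bytes of the named section (what a loader would hand to LoadImage), or None if absent."""
    _, _, sect_off, nsect = _headers(pe)
    want = name.encode().ljust(8, b"\0")
    for i in range(nsect):
        sname, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, sect_off + 40 * i)
        if sname == want:
            return bytes(pe[rptr:rptr + min(vsize or rsize, rsize)])
    return None


def check_embedded_driver(blob, machine=MACHINE_X64):
    """Pre-signing check: payload must be a PE EFI driver for the loader's machine type.
    Returns None when fine, otherwise the reason."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return "no MZ header"
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if pe_off + 96 > len(blob) or blob[pe_off:pe_off + 4] != b"PE\0\0":
        return "no PE signature"
    m = struct.unpack_from("<H", blob, pe_off + 4)[0]
    if m != machine:
        return f"machine type 0x{m:04x} differs from the loader's 0x{machine:04x}"
    subsystem = struct.unpack_from("<H", blob, pe_off + 24 + 68)[0]
    if subsystem not in (SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER, SUBSYSTEM_EFI_RUNTIME_DRIVER):
        return f"subsystem {subsystem} is not an EFI driver (10 would be an EFI application)"
    return None


def embed_driver(boot, driver):
    """Step 3 with the check in front: refuse anything that is not a same-arch EFI driver."""
    loader_machine = struct.unpack_from("<H", boot, _headers(boot)[0])[0]
    problem = check_embedded_driver(driver, machine=loader_machine)
    if problem:
        raise ValueError("refusing to embed: " + problem)
    return add_section(boot, ".drivers", driver)
```

With real binaries the same check is done with binutils: `objdump -h systemd-bootx64.withext4.efi` lists the `.drivers` section next to `.text` and friends, and `objcopy -O binary --only-section=.drivers systemd-bootx64.withext4.efi drivers.bin` pulls the payload back out so it can be compared against the ext2_x64.efi that was supposed to go in. Do that before step 4, not after: once shim's signature covers the combined image, the embedded driver is trusted by the firmware exactly as much as sd-boot itself is.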