[meta] unifying and tracking UKI / systemd-boot SBAT entries #397

Open
SherifNagy opened this issue Mar 5, 2024 · 2 comments

SherifNagy commented Mar 5, 2024

We have seen a few submissions with different UKI SBAT entries, some of them due to the fact that the documentation got published after the actual shim submission. The aim of this ticket is to track those submissions and to discuss how the UKI / systemd-boot SBAT entry should look for future submissions, whether downstream vendors / distros need to keep UKI SBAT entries for upstream distros, and to reflect that in the documentation.

Issues with UKI SBAT entries so far for shim 15.8:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.rhel,1,Red Hat Enterprise Linux,systemd,252-18.el9,https://bugzilla.redhat.com/
linux,1,Red Hat,linux,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/
linux.rhel,1,Red Hat,linux,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/
kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.rocky,1,Rocky Linux,systemd,252-18.el9.0.1.rocky,https://bugs.rockylinux.org/
linux,1,Red Hat,linux,5.14.0-362.18.1.el9_3.0.1.x86_64,https://bugzilla.redhat.com/
linux,1,RESF,linux,5.14.0-362.18.1.el9_3.0.1.x86_64,https://bugs.rockylinux.org/
linux.rhel,1,Red Hat,linux,5.14.0-362.18.1.el9_3.0.1.x86_64,https://bugzilla.redhat.com/
linux.rocky,1,RESF,linux,5.14.0-362.18.1.el9_3.0.1.x86_64,https://bugs.rockylinux.org/
kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,5.14.0-362.18.1.el9_3.0.1.x86_64,https://bugzilla.redhat.com/
kernel-uki-virt.rocky,1,RESF,kernel-uki-virt,5.14.0-362.18.1.el9_3.0.1.x86_64,https://bugs.rockylinux.org/

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.ol,1,Oracle Linux Server,systemd,252-14.0.1.el9_2.3,https://github.com/oracle/oracle-linux

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,253,https://www.freedesktop.org/wiki/Software/systemd
systemd.ubuntu,1,Ubuntu,systemd,253.5-1ubuntu6.1,https://bugs.launchpad.net/ubuntu/

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
linux,1,Red Hat,linux,5.14.0-425.el9.x86_64,mailto:[email protected]
linux.centos,1,Red Hat,linux,5.14.0-425.el9.x86_64,mailto:[email protected]
kernel-uki-virt.centos,1,Red Hat,kernel-uki-virt,5.14.0-425.el9.x86_64,mailto:[email protected]
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.centos,1,CentOS Stream,systemd,252-27.el9,mailto:[email protected]

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.eurolinux,1,EuroLinux,systemd,252-18.el9,https://github.com/EuroLinux/eurolinux-distro-bugs-and-rfc/
linux,1,Red Hat,linux,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/
linux.centos,1,Red Hat,linux,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/
kernel-uki-virt.centos,1,Red Hat,kernel-uki-virt,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.rhel,1,Red Hat Enterprise Linux,systemd,252-18.el9,https://bugzilla.redhat.com/
systemd.virtuozzo,1,Virtuozzo,systemd,systemd-252-18.vl9,mail:[[email protected]](mailto:[email protected])
linux,1,Red Hat,linux,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/
linux.rhel,1,Red Hat,linux,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/
linux.virtuozzo,1,Virtuozzo,5.14.0-362.18.1.vz9,https://bugzilla.redhat.com/
kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,5.14.0-362.18.1.el9_3.x86_64,https://bugzilla.redhat.com/
kernel-uki-virt.virtuozzo,1,Virtuozzo,kernel-uki-virt,5.14.0-362.18.1.vz9,mail [[email protected]](mailto:[email protected])

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.miraclelinux,1,MIRACLE LINUX,systemd,252-18.el9.ML.1,https://bugzilla.asianux.com/
linux,1,MIRACLE LINUX,linux,5.14.0-362.24.1.el9_3.x86_64,https://bugzilla.asianux.com/
linux.miraclelinux,1,MIRACLE LINUX,linux,5.14.0-362.24.1.el9_3.x86_64,https://bugzilla.asianux.com/
kernel-uki-virt.miraclelinux,1,MIRACLE LINUX,kernel-uki-virt,5.14.0-362.24.1.el9_3.x86_64,https://bugzilla.asianux.com/

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.sll,1,SUSE Liberty Linux,systemd,252-18.el9,https://bugzilla.suse.com/
linux,1,Red Hat,linux,5.14.0-362.24.1.el9_3.x86_64,https://bugzilla.redhat.com/
linux.rhel,1,Red Hat,linux,5.14.0-362.24.1.el9_3.x86_64,https://bugzilla.redhat.com/
linux.sll,1,SUSE Liberty Linux,linux,5.14.0-362.24.1.el9_3.x86_64,mail:[[email protected]](mailto:[email protected])
kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,5.14.0-362.24.1.el9_3.x86_64,https://bugzilla.redhat.com
kernel-uki-virt.sll,1,SUSE Liberty Linux,kernel-uki-virt,5.14.0-362.24.1.el9_3.x86_64,mail:[[email protected]](mailto:[email protected])

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.navix,1,Navix,systemd,252-18.el9,https://bugs.navercorp.com/
linux,1,Red Hat,linux,5.14.0-362.8.1.el9_3.x86_64,https://bugzilla.redhat.com/
linux.rhel,1,Red Hat,linux,5.14.0-362.8.1.el9_3.x86_64,https://bugzilla.redhat.com/
linux.openela,1,OpenELA,linux,5.14.0-362.8.1.el9_3.x86_64,https://bugs.openela.org/
linux.navix,1,Navix,linux,5.14.0-362.8.1.el9_3.x86_64,[email protected]
kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,5.14.0-362.8.1.el9_3.x86_64,https://bugzilla.redhat.com/
kernel-uki-virt.openela,1,OpenELA,kernel-uki-virt,5.14.0-362.8.1.el9_3.x86_64,https://bugs.openela.org/
kernel-uki-virt.navix,1,Navix,kernel-uki-virt,5.14.0-362.8.1.el9_3.x86_64,[email protected]

Documentation examples:

@SherifNagy SherifNagy added the meta Not a review request, but an issue or notice wrt the signing process label Mar 5, 2024

bluca commented Mar 6, 2024

For systemd-boot, as in the second stage boot menu binary, the current reviewer guidelines are correct; this is the example listed:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-boot,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-boot.debian,1,Debian GNU/Linux,systemd,255-1,https://bugs.debian.org/

For UKIs, i.e.: systemd-stub + kernel + initrd, the current advice doesn't include a UKI-specific line, which we probably want, so the following PR adds it: #398

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.debian,1,Debian GNU/Linux,systemd,255-1,https://bugs.debian.org/
uki.debian,1,UKI for Debian GNU/Linux,debian,12,https://uapi-group.org/specifications/specs/unified_kernel_image/

Reviewers need to ensure that the second line is specific to the stub, rather than a generic systemd, which is what the older stubs set by default if not overridden. We changed this in the last release some months ago to differentiate between systemd-boot and systemd-stub which are different components.

If a different stub was used, hypothetically, the 2nd and 3rd lines would be different and reference that specific stub's metadata, but the 4th one should still be uki.vendor,...
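
The reviewer check described in the comment above, as an added example that is not part of the original thread or of any shim-review tooling. The function names `parse_sbat` and `check_uki_sbat` and the `OLD_STYLE` sample (vendor "example") are constructed for illustration; the six-field layout follows shim's SBAT.md.

```python
import csv
import io

# Field order per shim's SBAT.md: component name, generation, vendor name,
# vendor package name, vendor version, vendor URL.
SBAT_FIELDS = 6

def parse_sbat(text):
    """Split .sbat CSV text into (well-formed rows, list of problems)."""
    entries, problems = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) != SBAT_FIELDS:
            problems.append(f"line {lineno}: expected {SBAT_FIELDS} fields, got {len(row)}")
        elif not row[1].isdigit():
            problems.append(f"line {lineno}: generation {row[1]!r} is not a number")
        else:
            entries.append(row)
    return entries, problems

def check_uki_sbat(text):
    """Return review findings for a UKI's .sbat section (empty list = clean)."""
    entries, problems = parse_sbat(text)
    names = [row[0] for row in entries]
    if names[:1] != ["sbat"]:
        problems.append("first entry is not the 'sbat' format line")
    for name in names:
        # Older stubs set a generic 'systemd' component unless overridden.
        if name == "systemd" or name.startswith("systemd."):
            problems.append(f"generic component {name!r}, expected a stub-specific name")
    if not any(n.startswith("uki.") and len(n) > len("uki.") for n in names):
        problems.append("no uki.<vendor> entry")
    return problems

# The UKI example quoted in the comment above.
GUIDELINE_UKI = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd-stub,1,The systemd Developers,systemd,255,https://systemd.io/
systemd-stub.debian,1,Debian GNU/Linux,systemd,255-1,https://bugs.debian.org/
uki.debian,1,UKI for Debian GNU/Linux,debian,12,https://uapi-group.org/specifications/specs/unified_kernel_image/
"""

# Constructed sample: generic 'systemd' lines, a five-field line, no uki.<vendor>.
OLD_STYLE = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
systemd,1,The systemd Developers,systemd,252,https://systemd.io/
systemd.example,1,Example Linux,systemd,252-18.ex9,https://bugs.example.org/
linux.example,1,Example Linux,5.14.0-1.ex9,https://bugs.example.org/
"""
```

A line with a missing field is reported by position and then excluded from the name checks, so one malformed row does not hide the other findings.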

@SherifNagy
Collaborator Author

Adding #368 to the list
