Clean Systemd-boot installs

Summary

Fedora default installs with a shim + grub bootloader on EFI platforms, yet has been shipping systemd-boot in various forms for a number of releases. There are a few howto's which describe how to replace grub with systemd-boot with varying levels of functionality. This should be easier with a formalized default method that can be built upon. This proposal aims to complete the work started with anaconda (inst.sdboot), kickstart (bootloader --sdboot) such that the "everything" media can install a grub free machine.

Owner

• Name: Jeremy Linton
• Name: Possibly others since it may touch -comps, systemd-boot, etc

• Email: <jeremy.linton@arm.com>

Current status

• Targeted release: Fedora Linux 39
• Last updated: 2023-09-28
• devel thread
• FESCo issue: #3022
• Tracker bug: #2233234
• Release notes tracker: #1014

Detailed Description

As a first pass, the 'inst.sdboot' option already in anaconda should work. As it stands, that replaces grub+shim with the systemd-boot loader, and moves the kernel + initrd to the EFI system partition (ESP). It doesn't attempt to create unified kernel images. The existing dnf update, kdumpctl, and make install in a kernel source directory should all work. The vast majority of this work has been done, leaving only two action items, removing grubby from core, and merging a shimming package (sdubby) into the fedora repos.

Beyond that there are various enhancements which can be made to remove the /boot partition (leaving the EFI at /boot/efi), enrolling fedora keys if the secure boot mode is "Setup", adding options to enable shim+systemd-boot, assuring that there is a systemd-boot-signed package, etc.

The advantages of just enabling the systemd-boot loader without UKIs or restructuring the /boot and /boot/efi mount points result in a wider range of supported machines and a more familiar environment for users and applications. AKA, by not changing the HostOnly/initrd build process the vast majority of UEFI machines are supported.

To be clear, the intention isn't to replace grub, but to co-exist alongside as an alternative bootloader.

Feedback

Benefit to Fedora

Fedora is considered a forward looking distro. As systemd-boot and UKIs gain traction it should be straightforward for users/testers to try out this option in their own environments with a well defined configuration.

Potentially in the future, once secure boot/etc is straightened out the simpler/cleaner code base may prove to be more secure, or a consistent set of measured boot PCRs may enable a simpler (for the end user) encrypted storage environment.

Scope

• Proposal owners:

At the moment two things remain open:

https://pagure.io/fedora-comps/pull-request/838

and:

https://bugzilla.redhat.com/show_bug.cgi?id=2134972

Both of which are largely in the "needs more discussion" state, but otherwise are complete as they stand.

There is also an open kexec-tools + aarch64 zboot set that needs to be merged in order to support kdump properly on aarch64 platforms, although that problem is caused by zboot and affects grub as well. Zboot is required for systemd-boot at the moment.

• Other developers:

Depending on the results of the discussion above: Its possible the systemd maintainers, kdumpctl, etc may need changes.

• Release engineering: #Releng issue number

• Policies and guidelines: N/A (not needed for this Change)

• Trademark approval: N/A (not needed for this Change)

• Alignment with Community Initiatives:

Upgrade/compatibility impact

Ideally nothing as we aren't deprecating or changing the shim + grub boot paths.

How To Test

1. Have a VM or non critical test machine that can be reinstalled at will.
2. Assure secure boot is disabled or in setup mode.
3. Pass inst.sdboot on the kernel/grub command line presented on the install media and install as normal.
   1. possibly adding additional space to the EFI system partition during partitioning to guarantee there is sufficient space for the number of bootable kernels active on the machine (~100MB each should be more than sufficient)
   2. Alternatively --sdboot can be added to the bootloader command in kickstarts, and the partitions/etc adjusted there
4. Use the machine as normal.
5. Report issues during upgrades, or with any packages that can't find kernel images. Everything besides the loader entries, kernel image, and generated initrds should remain in /boot.

User Experience

Ideally, after the initial install the fedora experience should generally remain the same. There may be slight differences in boot timings (at least on aarch64 possibly slightly faster) and the bootctl utility may have more information and work properly.

Dependencies

Systemd-boot, described in the comps and sdubby review.

Contingency Plan

Tell users that the install option remains incomplete and point them at how to manually edit comps and pull down the copr repos needed. Similar to the existing systemd-boot HOWTOs.

• Contingency mechanism: N/A (not a System Wide Change)
• Contingency deadline: N/A (not a System Wide Change)
• Blocks release? N/A (not a System Wide Change), Yes/No

Documentation

• https://anaconda-installer.readthedocs.io/en/latest/boot-options.html#inst-sdboot

or

• https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#bootloader

Release Notes