Moving from GRUB to systemd boot

Works!!!
You can have systemd-boot in Secure Boot mode, if you follow the nice guide in the link above, with only Fedora tools. But it will completely change your BIOS and rule out Windows (and Red Hat) Secure Boot. So on a bare-metal BIOS, there are risks.

First, systemd-boot should work without secure boot!

You can skip the removal of signatures on shimx64.efi, and sign systemd-bootx64.efi. This boot manager is unsigned and will never work without a signature when Secure Boot is switched on.
Contrary to what the tutorial says, I had to add a signature to the kernel.
The initrd and kernel modules are not touched.
Of course, every following update will require re-signing systemd-boot and/or the kernel.

For a VM, I would look into the signed uki-virt kernel which can be launched from UEFI directly.

System:
      Firmware: UEFI 2.70 (EDK II 1.00)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: no
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 253-6.fc38
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Boot loader sets ESP information
          ESP: /dev/disk/by-partuuid/2f9beffb-3bab-b244-aa5f-78bed1d50ca1
         File: └─/EFI/systemd/systemd-bootx64.efi
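Added example (not part of the post above, and not a Fedora or systemd tool): the post's two practical points are that an unsigned systemd-bootx64.efi or kernel will be refused once Secure Boot is on, and that every update puts you back in that state until you re-sign. The script below reads the PE/COFF security data directory of each EFI binary under an ESP and reports those with no Authenticode signature at all, which is the check to run before rebooting after a systemd-boot or kernel update. It only detects the presence of a WIN_CERTIFICATE entry; whether the signer is trusted by db or MOK must be checked with sbverify or pesign. The ESP path, the kernel file names it looks for, and the MOK key/cert paths in the suggested sbsign command are assumptions, and the sample PE images are constructed stubs, not bootable binaries.

```python
#!/usr/bin/env python3
"""Report EFI binaries that carry no Authenticode signature (added example, not systemd's code)."""
import struct
import sys
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def authenticode_signatures(image: bytes) -> list:
    """Return (revision, type, length) for each WIN_CERTIFICATE in a PE image.

    An empty list means the binary carries no signature and will be rejected by
    firmware (or shim) with Secure Boot enabled.  Presence of an entry says nothing
    about whether the signer is trusted; verify the chain with sbverify or pesign.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (no MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:        # PE32+ (x64, aarch64)
        ndirs_off, dirs_off = 108, 112
    elif magic == 0x10B:      # PE32 (ia32)
        ndirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", image, opt + ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("data directory extends past optional header")
    # For the security directory the first field is a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", image, entry)
    if sec_off == 0 or sec_size == 0:
        return []
    if sec_off + sec_size > len(image):
        raise ValueError("certificate table points past end of file")
    sigs, pos, end = [], sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        sigs.append((revision, cert_type, length))
        pos += (length + 7) & ~7   # entries are 8-byte aligned
    return sigs


def is_signed(image: bytes) -> bool:
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in authenticode_signatures(image))


def find_unsigned(esp_root: Path) -> list:
    """List boot manager and kernel images under an ESP that lack any signature.

    File names follow the usual systemd-boot/kernel-install layout (assumption:
    check your own ESP if your kernels live elsewhere).
    """
    candidates = (list(esp_root.rglob("*.efi")) + list(esp_root.rglob("linux"))
                  + list(esp_root.rglob("vmlinuz*")))
    return sorted(str(p) for p in candidates if p.is_file() and not is_signed(p.read_bytes()))


def sbsign_command(path: str, key: str = "MOK.priv", cert: str = "MOK.pem") -> list:
    """sbsign invocation that signs a binary in place; key/cert paths are placeholders (assumption)."""
    return ["sbsign", "--key", key, "--cert", cert, "--output", path, path]


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (not bootable) for offline testing of the parser."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * 16
    if signed:
        blob = b"\x30\x82\x00\x14" + b"\0" * 20                     # stand-in for PKCS#7 SignedData
        win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table = bytearray(image)
        struct.pack_into("<II", table, 64 + 4 + 20 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(image), len(win_cert))
        image = bytes(table) + win_cert
    return image


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # After an update: python3 check_esp.py /boot/efi   (mount point is an example)
        for f in find_unsigned(Path(sys.argv[1])):
            print(f"UNSIGNED: {f}\n  fix: {' '.join(sbsign_command(f))}")
    else:
        print("signed sample:  ", is_signed(build_sample_pe(True)))
        print("unsigned sample:", is_signed(build_sample_pe(False)))
```

Run it against the mounted ESP after `dnf` has replaced systemd-boot or installed a kernel; anything it lists will fail under Secure Boot until signed with the key whose certificate you enrolled via MOK. A clean result is necessary but not sufficient: a binary signed with the wrong key passes this check and still fails at boot, so pair it with `sbverify --cert MOK.pem <file>` before rebooting.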