diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
index 48af75ba50..fac63bc232 100644
--- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
+++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
@@ -9,7 +9,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic
| Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq |
| Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib |
| Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka |
-| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-release
azurelinux-repos
azurelinux-rpm-macros
azurelinux-sysinfo
bazel
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cmake-fedora
containerd
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-signed
kernel-uki
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd |
+| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-release
azurelinux-repos
azurelinux-rpm-macros
azurelinux-sysinfo
bazel
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cmake-fedora
containerd
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
hvloader
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
verity-read-only-root
vnstat
zstd |
| Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan |
| Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad |
| NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | libnvidia-container
mlnx-tools
mlx-bootctl
nvidia-container-toolkit
ofed-scripts
perftest |
diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
index ac05320f76..a84463232e 100644
--- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json
+++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
@@ -2235,6 +2235,7 @@
"keras",
"kernel-signed",
"kernel-uki",
+ "kernel-uki-signed",
"kpatch",
"kube-vip-cloud-provider",
"kubernetes",
@@ -2403,6 +2404,7 @@
"sriov-network-device-plugin",
"SymCrypt",
"SymCrypt-OpenSSL",
+ "systemd-boot-signed",
"tensorflow",
"tinyxml2",
"toml11",
diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
new file mode 100644
index 0000000000..64edbdcd49
--- /dev/null
+++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
@@ -0,0 +1,70 @@
+%global debug_package %{nil}
+%ifarch x86_64
+%global buildarch x86_64
+%endif
+%define kernelver %{version}-%{release}
+Summary: Signed Unified Kernel Image for %{buildarch} systems
+Name: kernel-uki-signed-%{buildarch}
+Version: 6.6.35.1
+Release: 2%{?dist}
+License: GPLv2
+Vendor: Microsoft Corporation
+Distribution: Azure Linux
+Group: System Environment/Kernel
+URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel
+# This package's "version" and "release" must reflect the unsigned version that
+# was signed.
+# An important consequence is that when making a change to this package, the
+# unsigned version/release must be increased to keep the two versions consistent.
+# Ideally though, this spec will not change much or at all, so the version will
+# just track the unsigned package's version/release.
+#
+# To populate these sources:
+# 1. Build the unsigned packages as normal
+# 2. Sign the desired binary
+# 3. Place the unsigned package and signed binary in this spec's folder
+# 4. Build this spec
+Source0: kernel-uki-%{kernelver}.%{buildarch}.rpm
+Source1: vmlinuz-uki-%{kernelver}.efi
+ExclusiveArch: x86_64
+
+%description
+This package contains the Unified Kernel Image (UKI) EFI binary signed for secure boot.
+The package is specifically created for installing on %{buildarch} systems.
+
+%package -n kernel-uki
+Summary: Unified Kernel Image
+Group: System Environment/Kernel
+
+%description -n kernel-uki
+The kernel-uki package contains the Linux kernel packaged as a Unified
+Kernel Image (UKI).
+
+%prep
+
+%build
+mkdir rpm_contents
+pushd rpm_contents
+
+# This spec's whole purpose is to inject the signed kernel-uki binary
+rpm2cpio %{SOURCE0} | cpio -idmv
+cp %{SOURCE1} ./boot/vmlinuz-uki-%{kernelver}.efi
+
+popd
+
+%install
+pushd rpm_contents
+
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
+
+popd
+
+%files -n kernel-uki
+/boot/vmlinuz-uki-%{kernelver}.efi
+/lib/modules/%{kernelver}/vmlinuz-uki.efi
+
+%changelog
+* Tue Jun 25 2024 Thien Trung Vuong - 6.6.35.1-2
+- Original version for Azure Linux.
+- License verified.
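Review bot: Nothing in this spec verifies that the binary placed by `cp %{SOURCE1} ./boot/vmlinuz-uki-%{kernelver}.efi` survives unmodified into the package: `%global debug_package %{nil}` only disables debuginfo generation, and whether the distro's post-install brp scripts rewrite PE files is not visible here, but any such rewrite (or a stale or mismatched `Source1`) would invalidate the Authenticode signature without a build failure. A byte-for-byte check after install, e.g. a `%check` section with `cmp %{SOURCE1} %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi`, would make the integrity of the signed artefact part of the build. A comment above `Source1` stating that the file is taken as-is and must be the signed output of exactly the `kernel-uki` build named in `Source0` would also help whoever refreshes these sources. The same pattern appears in SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec with `systemd-bootx64.efi`.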
diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
new file mode 100644
index 0000000000..5d40a0f8ae
--- /dev/null
+++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
@@ -0,0 +1,91 @@
+%global debug_package %{nil}
+%ifarch x86_64
+%global buildarch x86_64
+%endif
+
+# Support for quick builds with rpmbuild --build-in-place.
+# See README.build-in-place
+%bcond inplace 0
+Summary: Signed systemd-boot for %{buildarch} systems
+Name: systemd-boot-%{buildarch}
+%if %{without inplace}
+Version: 255
+%else
+# determine the build information from local checkout
+Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
+%endif
+Release: 15%{?dist}
+License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
+Vendor: Microsoft Corporation
+Distribution: Azure Linux
+URL: https://systemd.io
+# This package's "version" and "release" must reflect the unsigned version that
+# was signed.
+# An important consequence is that when making a change to this package, the
+# unsigned version/release must be increased to keep the two versions consistent.
+# Ideally though, this spec will not change much or at all, so the version will
+# just track the unsigned package's version/release.
+#
+# To populate these sources:
+# 1. Build the unsigned packages as normal
+# 2. Sign the desired binary
+# 3. Place the unsigned package and signed binary in this spec's folder
+# 4. Build this spec
+Source0: systemd-boot-%{version}-%{release}.%{buildarch}.rpm
+Source1: systemd-bootx64.efi
+ExclusiveArch: x86_64
+
+%description
+This package contains the systemd-boot EFI binary signed for secure boot. The package is
+specifically created for installing on %{buildarch} systems
+
+%package -n systemd-boot
+Summary: UEFI boot manager (signed version)
+
+Provides: systemd-boot-%{efi_arch} = %version-%release
+Provides: systemd-boot = %version-%release
+Provides: systemd-boot%{_isa} = %{version}-%{release}
+# A provides with just the version, no release or dist, used to build systemd-boot
+Provides: version(systemd-boot) = %version
+Provides: version(systemd-boot)%{_isa} = %version
+
+# self-obsoletes to install both packages after split of systemd-boot
+Obsoletes: systemd-udev < 252.2^
+
+%description -n systemd-boot
+systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
+graphical menu to select the entry to boot and an editor for the kernel command
+line. systemd-boot supports systems with UEFI firmware only.
+
+This package contains the signed version that works with Secure Boot.
+
+%prep
+
+%build
+mkdir rpm_contents
+pushd rpm_contents
+
+# This spec's whole purpose is to inject the signed systemd-boot binary
+rpm2cpio %{SOURCE0} | cpio -idmv
+cp %{SOURCE1} ./usr/lib/systemd/boot/efi/systemd-bootx64.efi
+
+popd
+
+%install
+pushd rpm_contents
+
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
+
+popd
+
+%files -n systemd-boot
+/usr/lib/systemd/boot/efi/*
+/usr/share/man/man5/loader.conf.5.gz
+/usr/share/man/man7/sd-boot.7.gz
+/usr/share/man/man7/systemd-boot.7.gz
+
+%changelog
+* Tue Jun 25 2024 Thien Trung Vuong - 255-15
+- Original version for Azure Linux.
+- License verified.
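Review bot: `Provides: systemd-boot-%{efi_arch} = %version-%release` in the `%package -n systemd-boot` section uses `%{efi_arch}`, which this spec never defines (the companion kernel-uki-signed.spec uses `%{buildarch}` for the same purpose); rpm leaves undefined macros unexpanded, so this provide would come out malformed or wrong. Define the macro or write `Provides: systemd-boot-%{buildarch} = %version-%release`. The `%bcond inplace` block and the `%(tools/meson-vcs-tag.sh …)` Version line were carried over from systemd.spec, but this spec has no source checkout for that script to run against, so the `%else` branch can only fail; keeping `Version: 255` alone removes dead configuration. `Obsoletes: systemd-udev < 252.2^` likewise duplicates a directive the systemd.spec `boot` subpackage of the same name already carries.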
diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec
index 097f8a590f..26b149d9c5 100644
--- a/SPECS/kernel/kernel-uki.spec
+++ b/SPECS/kernel/kernel-uki.spec
@@ -30,7 +30,7 @@ BuildRequires: kernel = %{version}-%{release}
BuildRequires: systemd-ukify
BuildRequires: dracut
BuildRequires: binutils
-BuildRequires: systemd-boot-unsigned
+BuildRequires: systemd-boot
BuildRequires: systemd-udev
BuildRequires: system-release
BuildRequires: tpm2-tools
@@ -59,9 +59,13 @@ ukify build \
--output vmlinuz-uki.efi
%install
-install -D -t %{buildroot}/lib/modules/%{kernelver} vmlinuz-uki.efi
+install -vdm 700 %{buildroot}/boot
+install -vdm 700 %{buildroot}/lib/modules/%{kernelver}
+install -vm 600 vmlinuz-uki.efi %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi
+ln -s /boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/lib/modules/%{kernelver}/vmlinuz-uki.efi
%files
+/boot/vmlinuz-uki-%{kernelver}.efi
/lib/modules/%{kernelver}/vmlinuz-uki.efi
%changelog
diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec
index 166b671866..4d68b23776 100644
--- a/SPECS/systemd/systemd.spec
+++ b/SPECS/systemd/systemd.spec
@@ -50,7 +50,7 @@ Version: 255
# determine the build information from local checkout
Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
%endif
-Release: 14%{?dist}
+Release: 15%{?dist}
# FIXME - hardcode to 'stable' for now as that's what we have in our blobstore
%global stable 1
@@ -468,20 +468,20 @@ This package provides ukify, a script that combines a kernel image, an initrd,
with a command line, and possibly PCR measurements and other metadata, into a
Unified Kernel Image (UKI).
-%package boot-unsigned
+%package boot
Summary: UEFI boot manager (unsigned version)
-Provides: systemd-boot-unsigned-%{efi_arch} = %version-%release
+Provides: systemd-boot-%{efi_arch} = %version-%release
Provides: systemd-boot = %version-%release
Provides: systemd-boot%{_isa} = %version-%release
# A provides with just the version, no release or dist, used to build systemd-boot
-Provides: version(systemd-boot-unsigned) = %version
-Provides: version(systemd-boot-unsigned)%{_isa} = %version
+Provides: version(systemd-boot) = %version
+Provides: version(systemd-boot)%{_isa} = %version
# self-obsoletes to install both packages after split of systemd-boot
Obsoletes: systemd-udev < 252.2^
-%description boot-unsigned
+%description boot
systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
graphical menu to select the entry to boot and an editor for the kernel command
line. systemd-boot supports systems with UEFI firmware only.
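Review bot: After the rename to `%package boot`, the unchanged line `Summary: UEFI boot manager (unsigned version)` still describes the package as the unsigned build, while a second source package added in this commit (systemd-boot-signed.spec) now emits a binary package with the same name and release; `Summary: UEFI boot manager` keeps the two from disagreeing in repository metadata. `Provides: systemd-boot = %version-%release` and the `%{_isa}` form below it are now implicit in the package name and can be dropped. Because consumers such as kernel-uki's `BuildRequires: systemd-boot` can no longer distinguish the two builds by name, the repository composition has to guarantee the signed package is the one shipped wherever Secure Boot is enforced; a one-line comment at `%package boot` recording that assumption would make it visible to the next maintainer.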
@@ -1166,7 +1166,7 @@ fi
%if 0%{?want_bootloader}
%files ukify -f .file-list-ukify
-%files boot-unsigned -f .file-list-boot
+%files boot -f .file-list-boot
%endif
%files container -f .file-list-container
@@ -1202,6 +1202,9 @@ rm -f %{name}.lang
# %autochangelog. So we need to continue manually maintaining the
# changelog here.
%changelog
+* Tue Jun 25 2024 Thien Trung Vuong - 255-15
+- Rename systemd-boot-unsigned to systemd-boot
+
* Thu Jun 13 2024 Chris Co - 255-14
- Disable LLMNR by default to prevent LLMNR poisoning MitM attacks
diff --git a/toolkit/scripts/check_entangled_specs.py b/toolkit/scripts/check_entangled_specs.py
index 6910d02d1e..3f39113253 100755
--- a/toolkit/scripts/check_entangled_specs.py
+++ b/toolkit/scripts/check_entangled_specs.py
@@ -14,10 +14,15 @@ import sys
version_release_matching_groups = [
frozenset([
"SPECS-SIGNED/kernel-signed/kernel-signed.spec",
+ "SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec",
"SPECS/kernel/kernel.spec",
"SPECS/kernel/kernel-uki.spec",
"SPECS/kernel-headers/kernel-headers.spec"
]),
+ frozenset([
+ "SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec",
+ "SPECS/systemd/systemd.spec"
+ ]),
frozenset([
"SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec",
"SPECS/grub2/grub2.spec"