Fixes #37653 - Always load local disk's GRUB2 configuration #10247
+5
−485
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
goarsna
force-pushed
the
37653
branch
3 times, most recently
from
6a2aa4a
to
d4e03fc
Compare
jloeser
reviewed
Aug 22, 2024
app/views/unattended/provisioning_templates/snippet/pxegrub2_chainload.erb
Outdated
Show resolved
Hide resolved
app/views/unattended/provisioning_templates/snippet/pxegrub2_chainload.erb
Outdated
Show resolved
Hide resolved
Load the local disk's GRUB2 configuration regardless of weather
SecureBoot is enabled or not. This standardizes the boot process
under UEFI.
To support SecureBoot for arbitrary operating systems, support for
distribution vendor specific boot files is added separately.
The following existing approaches for local boot don't work (anymore).
Using `chainloader` command:
- Not supported according to GRUB2 manual [1] if SecureBoot is
enabled (even if supported by some distribution vendors).
- Chainloading with disabled SecureBoot requires patched
`connectefi` command on some platforms which is currently only
supported by EL GRUB2 binaries.
Using `exit 1` to boot from next boot device by firmware:
- Tests showed that this behavior is not deterministic across
different distribution vendor specific boot files.
- Additional effort would be required to ensure the correct boot
order.
- This was introduced with commit b6b3204 for enabled SecureBoot
only and was already fixed with commit aca4023.
For Windows we still use chainloading as there is no local `grub.cfg`.
The default EL GRUB2 which is used in this case supports the
`connectefi` command. SecureBoot verification is done by the Microsoft
certificate in the db.
[1]: https://www.gnu.org/software/grub/manual/grub/html_node/UEFI-secure-boot-and-shim.html#UEFI-secure-boot-and-shim
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We propose to switch to loading the local disk's GRUB2 configuration regardless of weather SecureBoot is enabled or not. This standardizes the boot process under UEFI.
To support SecureBoot for arbitrary operating systems, support for distribution vendor specific boot files will be added by #9864 and the related PRs.
Distribution vendors patch GRUB2 differently which results in
exit 1(see: Fixes #37562 - Fix local disk boot over network #10207) andconnecteficommand (available on EL only), which affects chainloading from local disks using thechainloadercommand (see: Fixes #37345 - Improve "EFI local chainloading" on SecureBoot enabled hosts #10126).Therefore, in case distribution vendor specific boot files are set up for the operating system of a host, using the
chainloadercommand may lead to problems during boot in case the distribution vendor specific GRUB2 doesn't support theconnecteficommand - which is at least true for non EL systems.For SecureBoot enabled hosts this has already been fixed by switching to loading the local disk's GRUB2 configuration (#10207). Now we want to introduce this also for the case that SecureBoot is disabled.
For Windows we still use chainloading as there is no local
grub.cfg. The default EL GRUB2 which is used in this case supports theconnecteficommand. SecureBoot verification is done by the Microsoft certificate in the db.