-
Notifications
You must be signed in to change notification settings - Fork 981
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #37345 - Improve "EFI local chainloading" on SecureBoot enabled hosts #10126
Conversation
Can one of the admins verify this patch? |
2 similar comments
Can one of the admins verify this patch? |
Can one of the admins verify this patch? |
@goarsna feedback on this? |
To be clear: if we use this approach, we can enable efibootmgr_netboot by default (currently only if But this needs to be tested first. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would be OK with this approach. While I don't consider myself very well versed in Grub, the explanation makes sense to me and I'd trust @jloeser on the technical implementation.
Any objections against merging this? Is there anything left to do, @jloeser? |
@jloeser can you squash the commits? After that it should be all green and ready for merge |
92f8423
to
bae4167
Compare
71dd21d
to
4975273
Compare
app/views/unattended/provisioning_templates/snippet/pxegrub2_chainload.erb
Show resolved
Hide resolved
app/views/unattended/provisioning_templates/snippet/pxegrub2_chainload.erb
Outdated
Show resolved
Hide resolved
app/views/unattended/provisioning_templates/snippet/pxegrub2_chainload.erb
Outdated
Show resolved
Hide resolved
… hosts Chainloading is not supported when SecureBoot is enabled [1]. Currently, this issue is tried to be tackled by changing the boot order during installation to boot from disk by default. But this disturbs the "always boot from network" workflow which might result in broken attempts for the user to re-provision a host (see theforeman#9123). What we can do is to exit network booted GRUB2 with `exit 1` resulting in the boot of the next boot device, which is probably the boot file from disk. The use of efibootmgr_netboot is still possible (if desired). The proposed solution would also work when SecureBoot is disabled, however to avoid side effects I propose to only boot next device if SecureBoot is enabled (GRUB2 variable `lockdown=y` [2]). [1]: https://www.gnu.org/software/grub/manual/grub/grub.html#UEFI-secure-boot-and-shim [2]: https://www.gnu.org/software/grub/manual/grub/grub.html#Lockdown
4975273
to
0722c34
Compare
Thanks @jloeser @sbernhard |
Chainloading is not supported when SecureBoot is enabled 1.
Currently, this issue is tried to be tackled by changing the boot order during installation to boot from disk by default. But this disturbs the "always boot from network" workflow which might result in broken attempts for the user to re-provision a host (see
#9123).
What we can do is to exit network booted GRUB2 with
exit 1
resulting in the boot of the next boot device, which is probably the boot file from disk.The use of efibootmgr_netboot is still possible (if desired). The proposed solution would also work when SecureBoot is disabled, however to avoid side effects I propose to only boot next device if SecureBoot is enabled (GRUB2 variable
lockdown=y
2).