provide way to use non-Fedora EFI shim when building a CoreOS system #1090

Closed
miabbott opened this issue Jan 31, 2020 · 3 comments · Fixed by #1105

@miabbott
Member

The current behavior of coreos-assembler uses the Fedora EFI shim when assembling disk images for CoreOS systems (FCOS/RHCOS).

The RHT folks want us to use the Red Hat EFI shim for RHCOS, so it would be nice if we were able to specify a different shim to use during the build process.

Copying some notes from https://issues.redhat.com/browse/GRPA-1315:

I did a simple test, `find /boot -name "shim*"`, on rhel8.1 and on rhcos4.4.

for rhel:

```
find . -name "shim*"
./efi/EFI/redhat/shimx64-redhat.efi
./efi/EFI/redhat/shimx64.efi
```

for rhcos:

```
find . -name "shim*"
(nothing)
```

so I guess the answer is RHCOS has not integrated shim.efi yet.

```
[core@coreos efi]$ head -n2 /etc/os-release 
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="44.81.202001281500.0"
[core@coreos efi]$ rpm -ql shim-x64 
/boot/efi/EFI/BOOT/BOOTX64.EFI
/boot/efi/EFI/BOOT/fbx64.efi
/boot/efi/EFI/redhat/BOOTX64.CSV
/boot/efi/EFI/redhat/mmx64.efi
/boot/efi/EFI/redhat/shimx64-redhat.efi
/boot/efi/EFI/redhat/shimx64.efi
[core@coreos efi]$ pwd
/boot/efi
[core@coreos efi]$ find .
.
./EFI
./EFI/BOOT
./EFI/BOOT/BOOTX64.EFI
./EFI/BOOT/grubx64.efi
./EFI/redhat
./EFI/redhat/grub.cfg
```

From @darkmuggle:

There is no shim... it's a known issue in RHCOS and we haven't had the time to fix it:

The EFI bits are from F31 (the COSA container) not from RHEL 8's RPM

```
[root@ibm-p8-kvm-03-guest-02 efi]# find .
.
./EFI
./EFI/BOOT
./EFI/BOOT/BOOTX64.EFI
./EFI/BOOT/grubx64.efi
./EFI/redhat
./EFI/redhat/grub.cfg
```

It's a bug in COSA that I've been meaning to fix.

@darkmuggle darkmuggle self-assigned this Feb 3, 2020
lucab pushed a commit to lucab/coreos-assembler that referenced this issue Feb 4, 2020
```
Colin Walters (3):
      network: Honor MANTLE_SSH_DIR
      kola: Note qemu-unpriv now has networking
      kola: Drop torcx tests

Jakub Čajka (1):
      kola: initial ppc64le support

Stephen Lowrie (15):
      vendor: add aliyun related dependencies
      network/*ssh: Add HostKeyCallback to ClientConfig
      auth: add aliyun auth provider
      platform/api/aliyun: add the aliyun platform
      cmd/ore/aliyun: add image creation related aliyun calls
      docs: add Aliyun platform documentation
      Merge pull request coreos#1066 from arithx/aliyun
      Merge pull request coreos#1081 from cgwalters/ssh-agent-tmpdir
      Merge pull request coreos#1086 from cgwalters/platform-qemu-unpriv-net
      README: update qemu-unpriv notes
      Merge pull request coreos#1087 from cgwalters/kola-prune-cl
      kola/tests: disable additional clustered tests on qemu-unpriv
      Merge pull request coreos#1090 from arithx/disable_tests_on_unpriv
      Merge pull request coreos#1088 from arithx/unpriv_readme
      Merge pull request coreos#1067 from jcajka/ppc64le

Stephen Milner (1):
      Merge pull request coreos#1070 from ashcrow/kola-crio-restart-test

Steve Milner (1):
      kola/tests/crio/crio: Add pods and service restart test
```
@cgwalters
Member

This should have been fixed by #901

@miabbott
Member Author

miabbott commented Feb 4, 2020

It looks like we need to enhance #901 to also copy in shim*.efi. Maybe all the EFI binaries?

@darkmuggle darkmuggle added branch/alpha bug Something isn't working labels Feb 5, 2020
@darkmuggle darkmuggle added the jira for syncing to jira label Feb 6, 2020
@darkmuggle
Contributor

Draft PR out for this. #1105.

openshift-merge-robot pushed a commit that referenced this issue Feb 6, 2020
```
Ensure that all the efi binaries are included from the target.
Fixes #1090
Fixes BZ 1799891

Our UEFI boot today is a bit lucky. This fixes a couple problems:
1. The full UEFI/EFI binaries were not copied over. In order to do a
   compliant EFI boot, BOOT<ARCH>.EFI should be there.
2. /usr/lib/ostree-boot/efi/BOOT/BOOT<ARCH>.EFI is a symlink
   to /usr/lib/ostree-boot/efi/<VENDOR>/shim<ARCH>.efi.
   This requires that a copy be made.
3. /boot/efi/EFI/<VENDOR>/grub2.cfg was not complete. It needed to
   load the /boot/grub2/grub2.cfg file and then boot. Previous images
   were booting using fallback.
4. Missing mmx64.efi means that secure UEFI could not happen since the
   keys are not registered. mmx64.efi is needed to ensure GPL
   compliance on the shim. Without this file, the shim has is not
   recorded in the nvram.
```
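
A check for the condition this issue describes, added here as an example (it is not coreos-assembler code): it audits an ESP tree for the files that `rpm -ql shim-x64` lists above and confirms that `BOOT<ARCH>.EFI` is a real copy of the vendor shim rather than a symlink or a different build. The names `check_esp` and `make_issue_tree`, and the generalization of the file names to other vendor and arch values, are assumptions.

```shell
#!/bin/sh
# Added example (not coreos-assembler code): audit an ESP tree for the shim
# files listed by `rpm -ql shim-x64` in the issue.
# Usage: check_esp <esp-root> <vendor> <arch>   e.g. check_esp /boot/efi redhat x64
# Prints one line per finding; returns 0 when the tree is complete, 1 otherwise.
check_esp() {
    esp=$1; vendor=$2; arch=$3; bad=0
    ARCH=$(printf '%s' "$arch" | tr '[:lower:]' '[:upper:]')
    boot="EFI/BOOT/BOOT${ARCH}.EFI"
    shim="EFI/${vendor}/shim${arch}.efi"
    for rel in "$boot" "EFI/BOOT/fb${arch}.efi" \
               "EFI/${vendor}/BOOT${ARCH}.CSV" "EFI/${vendor}/mm${arch}.efi" \
               "EFI/${vendor}/shim${arch}-${vendor}.efi" "$shim"
    do
        if [ -L "$esp/$rel" ]; then
            # The commit message notes the symlink has to become a copy.
            echo "SYMLINK $rel"; bad=1
        elif [ ! -s "$esp/$rel" ]; then
            echo "MISSING $rel"; bad=1
        fi
    done
    # BOOT<ARCH>.EFI should be the vendor shim, not a loader from another build.
    if [ -s "$esp/$boot" ] && [ -s "$esp/$shim" ] \
       && ! cmp -s "$esp/$boot" "$esp/$shim"; then
        echo "MISMATCH $boot differs from $shim"; bad=1
    fi
    return "$bad"
}

# Constructed sample: the ESP layout shown in the issue (no shim under EFI/redhat).
# File contents are placeholders, not real EFI binaries.
make_issue_tree() {
    root=$1
    mkdir -p "$root/EFI/BOOT" "$root/EFI/redhat"
    echo "constructed placeholder" > "$root/EFI/BOOT/BOOTX64.EFI"
    echo "constructed placeholder" > "$root/EFI/BOOT/grubx64.efi"
    echo "constructed placeholder" > "$root/EFI/redhat/grub.cfg"
}

if [ "$#" -eq 3 ]; then
    check_esp "$@"
else
    tmp=$(mktemp -d) && make_issue_tree "$tmp"
    check_esp "$tmp" redhat x64 || echo "ESP incomplete"
    rm -rf "$tmp"
fi
```

Run it with three arguments against a mounted image, for example `/boot/efi redhat x64`; with no arguments it reports on the constructed copy of the layout from the issue.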
jcajka pushed a commit to jcajka/coreos-assembler that referenced this issue Mar 24, 2020
kola/tests: disable additional clustered tests on qemu-unpriv