On Wed, Jul 27, 2022 at 10:13:57AM -0400, Chris Murphy wrote:
> 
> 
> On Wed, Jul 27, 2022, at 4:42 AM, Daniel P. Berrangé wrote:
> > 
> > Since you say systemd-boot can already do what we want in this regard:
> > 
> >   e. Replace grub for EFI systems with systemd-boot ?
> 
> I wish it were possible. I'm pretty sure the Red Hat bootloader team
> has no time or interest in it. And there's no upgrade path, because
> systemd-boot requires a FAT /boot volume. The lack of an upgrade path,
> I think, is a bigger issue than a system-wide change proposal to:
> switch to systemd-boot on UEFI, including FAT /boot partition, for
> new clean installs.

AFAICT, use of /boot is entirely optional, and is ignored if it can't be
accessed (due to either not existing, or having an unsupported filesystem
type). I've got VMs booting with systemd-boot where /boot is xfs and
systemd-boot pulls the kernel found in /boot/efi.

IIUC, the main reason for the loader to use /boot is if /boot/efi is
insufficiently large for storing the kernels, and /boot has greater
space. Admittedly this is probably still the key issue for the upgrade
scenario, since existing Fedora VMs seem to get a /boot/efi partition
that is even smaller than /boot.

> There's quite a lot of GRUB upstream work related to TPM stuff,
> including measured boot. I have no idea if we're going to use any
> of that at some point, but it's not something in systemd-boot's
> realm.

The Grub support for the TPM measurements is one of the big reasons for
wanting to replace Grub IMHO. Every single statement that is executed
from the grub.conf file gets individually measured into the TPM[1].
Writing a policy to validate correctness of the measurement taking into
account grub.conf permutations is beyond the bounds of reasonableness.
This is a key problem the virt maintainers are facing when trying to
figure out how to support confidential virtualization, where we need to
measure the boot process.

A vastly simplified boot loader like sd-boot + unified kernels is quite
appealing in this area.

With regards,
Daniel

[1] From a generic Fedora 36 VM under KVM, the grub measurements alone
are this:

# tpm2 eventlog /sys/kernel/security/tpm0/binary_bios_measurements | grep grub_cmd
grub_cmd: set pager=1
grub_cmd: [ -f (hd0,gpt1)/EFI/fedora/grubenv ]
grub_cmd: [ -s (hd0,gpt1)/EFI/fedora/grubenv ]
grub_cmd: [ ]
grub_cmd: set default=
grub_cmd: [ xy = xy ]
grub_cmd: menuentry_id_option=--id
grub_cmd: export menuentry_id_option
grub_cmd: [ ]
grub_cmd: terminal_output console
grub_cmd: [ xy = xy ]
grub_cmd: set timeout_style=menu
grub_cmd: set timeout=5
grub_cmd: [ -f (hd0,gpt1)/EFI/fedora/user.cfg ]
grub_cmd: insmod increment
grub_cmd: [ -n -a = 0 ]
grub_cmd: insmod part_gpt
grub_cmd: insmod xfs
grub_cmd: search --no-floppy --fs-uuid --set=root db3c5945-1d59-4309-b022-df1af7727032
grub_cmd: insmod part_gpt
grub_cmd: insmod fat
grub_cmd: search --no-floppy --fs-uuid --set=boot 5922-59E5
grub_cmd: [ -z ]
grub_cmd: set kernelopts=root=UUID=5fd49e99-6297-4880-92ef-bc31aef6d2f0 ro rd.luks.uuid=luks-6806c81d-4169-4e7a-9bbc-c7bf65cabcb2 rhgb quiet
grub_cmd: insmod blscfg
grub_cmd: blscfg
grub_cmd: [ = 1 -o = 1 ]
grub_cmd: set menu_hide_ok=0
grub_cmd: [ = 1 ]
grub_cmd: [ = 1 ]
grub_cmd: set boot_success=0
grub_cmd: save_env boot_success boot_indeterminate
grub_cmd: [ xy = xy ]
grub_cmd: [ ]
grub_cmd: [ -a 0 = 1 ]
grub_cmd: [ xy = xy ]
grub_cmd: [ ]
grub_cmd: [ efi = efi ]
grub_cmd: menuentry UEFI Firmware Settings --id uefi-firmware {
grub_cmd: [ -f (hd0,gpt1)/EFI/fedora/custom.cfg ]
grub_cmd: [ -z (hd0,gpt1)/EFI/fedora -a -f (hd0,gpt1)/EFI/fedora/custom.cfg ]
grub_cmd: load_video
grub_cmd: [ xy = xy ]
grub_cmd: insmod all_video
grub_cmd: set gfxpayload=keep
grub_cmd: insmod gzio
grub_cmd: linux (hd0,gpt2)/vmlinuz-5.17.13-300.fc36.x86_64 root=UUID=5fd49e99-6297-4880-92ef-bc31aef6d2f0 ro rd.luks.uuid=luks-6806c81d-4169-4e7a-9bbc-c7bf65cabcb2 rhgb quiet
grub_cmd: initrd (hd0,gpt2)/initramfs-5.17.13-300.fc36.x86_64.img

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
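As an added illustration of the point made in the mail about per-statement measurements and grub.conf permutations (example code written for this page, not part of the mail, GRUB or systemd-boot), the following Python replays grub_cmd events from a `tpm2 eventlog`-style dump into a simulated PCR and counts how many final values a policy would have to accept if the command order may vary. It assumes SHA-256 PCR extend semantics and that GRUB digests the command text itself into PCR 8; the sample log lines are a constructed subset of the dump above.

```python
import hashlib
from itertools import permutations

# Constructed sample: a subset of the grep'd `tpm2 eventlog` lines quoted
# in the mail, not a live log.
SAMPLE_EVENTLOG = """\
grub_cmd: set pager=1
grub_cmd: insmod part_gpt
grub_cmd: insmod xfs
grub_cmd: set timeout=5
"""

# Assumption: GRUB's tpm module hashes the command text and extends it into
# PCR 8; the "grub_cmd: " prefix is only the event description in the log.
GRUB_CMD_PCR = 8


def parse_grub_cmds(text):
    """Return the command strings from 'grub_cmd: ...' lines, in log order."""
    prefix = "grub_cmd: "
    return [ln[len(prefix):] for ln in text.splitlines() if ln.startswith(prefix)]


def extend(pcr, data):
    """TPM2 PCR extend for the SHA-256 bank: new = H(old || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def replay_pcr(cmds):
    """Replay a command sequence from a zeroed PCR and return the final value."""
    pcr = bytes(32)
    for cmd in cmds:
        pcr = extend(pcr, cmd.encode())
    return pcr


def allowed_pcr_values(cmds):
    """Every final PCR value a sealing/attestation policy would have to accept
    if any execution order of these commands counts as legitimate."""
    return {replay_pcr(p) for p in permutations(cmds)}


def policy_accepts(observed, cmds):
    """True if the observed PCR matches some permutation of the expected commands."""
    return observed in allowed_pcr_values(cmds)


if __name__ == "__main__":
    cmds = parse_grub_cmds(SAMPLE_EVENTLOG)
    print(f"PCR{GRUB_CMD_PCR} after replay: {replay_pcr(cmds).hex()}")
    print(f"{len(allowed_pcr_values(cmds))} distinct values for {len(cmds)} commands")
```

Four commands already give 24 distinct PCR values; the full dump in the mail has dozens of statements, and any conditional branch or changed kernelopts string yields yet another value.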