Feature #37345 (Closed)
Improve "EFI local chainloading" on SecureBoot enabled hosts
Description
Chainloading is not supported when SecureBoot is enabled [1].
Currently, an attempt is made to tackle this issue by changing the boot order during installation to boot from disk by default. But this disturbs the "always boot from network" workflow, which might result in broken attempts by the user to re-provision a host (see https://github.com/theforeman/foreman/pull/9123).
What we can do is to exit network booted GRUB2 with `exit 1` resulting in the boot of the next boot device, which is probably the boot file from disk.
The use of efibootmgr_netboot is still possible (if desired).
The proposed solution would also work when SecureBoot is disabled; however, to avoid side effects I propose to only boot the next device if SecureBoot is enabled (GRUB2 variable `lockdown=y` [2]).
[1]: https://www.gnu.org/software/grub/manual/grub/grub.html#UEFI-secure-boot-and-shim
[2]: https://www.gnu.org/software/grub/manual/grub/grub.html#Lockdown
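As an added illustration of the mechanism described above (this fragment is not part of the issue text and is not Foreman's own template), a network-booted GRUB2 configuration can test the `lockdown` variable before it tries local chainloading. The ESP file path, the menu entry id and the timeout are assumptions for the example; the behaviour of `exit 1` handing control to the next firmware boot entry is the one the issue relies on.

```grub
# Added example, not from the issue or the Foreman project.
# Network-booted grub.cfg: when GRUB runs in lockdown mode (SecureBoot is
# enabled and GRUB sets lockdown=y), chainloading is not supported, so give
# control back to the firmware with a non-zero status. The firmware then
# continues with the next entry in its boot order, which is normally the
# bootloader installed on the local disk.
if [ "${lockdown}" = "y" ]; then
  echo "Lockdown (SecureBoot) active: skipping chainload, exiting to next boot device"
  exit 1
fi

# SecureBoot is disabled here, so chainloading the local loader works.
# Menu entry id, timeout and the EFI loader path are assumed for illustration.
set default=local_chainload
set timeout=10

menuentry 'Chainload GRUB2 EFI from ESP' --id local_chainload {
  # Find the partition holding the installed EFI loader and boot it.
  search --no-floppy --file /EFI/BOOT/BOOTX64.EFI --set=root
  chainloader /EFI/BOOT/BOOTX64.EFI
}
```

Keeping the `lockdown` check ahead of the menu makes the fall-through independent of the menu entries, so a host that is kept on "always boot from network" still reaches its local loader under SecureBoot without the installer having to rewrite the boot order.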
Updated by The Foreman Bot 5 months ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/10126 added
Updated by Jan Loeser 3 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|b6b32045e9d9604d784f93a931ae4265493e2549.
Updated by The Foreman Bot about 2 months ago
- Pull request https://github.com/theforeman/foreman/pull/10153 added
Updated by Ewoud Kohl van Wijngaarden 19 days ago
- Category set to Unattended installations
- Triaged changed from No to Yes