Feature #37345

closed

Improve "EFI local chainloading" on SecureBoot enabled hosts

Added by Jan Loeser 6 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Unattended installations
Target version:
-
Fixed in Releases:
Found in Releases:

Description

Chainloading is not supported when SecureBoot is enabled [1].

Currently, this is worked around by changing the boot order during installation so that the host boots from disk by default. But this breaks the "always boot from network" workflow, which can leave the user with broken attempts to re-provision a host (see https://github.com/theforeman/foreman/pull/9123).

What we can do instead is to exit the network-booted GRUB2 with `exit 1`, which makes the firmware continue with the next boot device, which is probably the boot file from disk.

The use of efibootmgr_netboot is still possible (if desired).
The proposed solution would also work when SecureBoot is disabled; however, to avoid side effects I propose to only boot the next device if SecureBoot is enabled (GRUB2 variable `lockdown=y` [2]).

[1]: https://www.gnu.org/software/grub/manual/grub/grub.html#UEFI-secure-boot-and-shim
[2]: https://www.gnu.org/software/grub/manual/grub/grub.html#Lockdown
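The following GRUB2 script fragment is an added example of the proposal above; it is not Foreman's own PXEGrub2 template and not code from this issue. It is meant for the top of the network-served grub.cfg, so it runs before any chainload entry is shown. The `lockdown` variable and the `exit 1` command are the ones referenced in the description; the menu entry, the `/EFI/BOOT/BOOTX64.EFI` path and the timeout are assumptions chosen for illustration.

```grub
# Added example (not Foreman's template): fall through to the next boot
# device when GRUB runs under Secure Boot lockdown, otherwise keep the
# existing local chainload behaviour.

# GRUB sets lockdown=y when it was started through shim with Secure Boot
# enabled; in that state the chainloader command is not available, so a
# "boot from local disk" entry would fail on this host.
if [ "$lockdown" = "y" ]; then
  echo "Secure Boot lockdown active: local chainloading is not possible."
  echo "Leaving GRUB so the firmware continues with the next boot entry."
  sleep 3
  # A non-zero status reports this boot option as failed to the firmware,
  # so it proceeds to the next entry in BootOrder instead of possibly
  # stopping at a firmware boot menu.
  exit 1
fi

# Without lockdown the previous behaviour is unchanged: chainload the
# local EFI loader from disk. The path is an assumed example; adjust it
# to the operating system installed on the host.
menuentry 'Chainload local EFI bootloader' {
  insmod part_gpt
  insmod fat
  insmod chain
  search --no-floppy --file --set=root /EFI/BOOT/BOOTX64.EFI
  chainloader /EFI/BOOT/BOOTX64.EFI
}

set default=0
set timeout=5
```

Because the `if` block sits at the top level of grub.cfg, it is evaluated while the configuration is being read, before the menu is displayed, so a Secure Boot host never gets to the failing chainload entry. Hosts booting without lockdown keep the `efibootmgr_netboot` workflow and the chainload entry exactly as before, which is the side-effect-free behaviour the description asks for.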
