Bug #37562

open

Improved "EFI local chainloading" on SecureBoot enabled hosts not working for all distributions

Added by Jan Loeser 17 days ago. Updated 17 days ago.

Status:
Ready For Testing
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

We introduced the following to Foreman:

https://github.com/theforeman/foreman/pull/10126

The assumption was that `exit 1` in GRUB2 triggers a boot from the next
bootdevice by the firmware and that the `chainloader` command is not
working at all when SecureBoot is enabled (`lockdown=y`).

These assumptions seem to be wrong. It looks like distribution
vendors patch GRUB2 differently, which results in different behavior
affecting these assumptions. Some support the `chainloader` command, some
simply end up in the BIOS menu when using `exit 1`.

As an alternative we can do a "chainload light" and only load the GRUB2
configuration file from local disk. This means that the PXE booted GRUB2
boots the actual kernel from local disk.

For successful SecureBoot verification, the following changes are
required:

https://github.com/theforeman/foreman/pull/9864

The proposed solution would also work when SecureBoot is disabled;
however, to avoid side effects, I propose to only boot the next device if
SecureBoot is enabled (GRUB2 variable `lockdown=y` [2]).
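As an added illustration, not the Foreman template and not code from either pull request, the following GRUB2 fragment shows the "chainload light" handoff gated on `lockdown=y`: the local grub.cfg path, the `local_cfg` variable name and the fallback branch are assumptions.

```grub
# Added example: hand off to the local disk from a PXE-booted GRUB2.
# Assumption: the installed distribution keeps its GRUB config at this path;
# real deployments must match the distro's EFI layout.
set local_cfg="/EFI/BOOT/grub.cfg"

if [ "$lockdown" = "y" ]; then
  # SecureBoot (GRUB lockdown) active: neither `chainloader` nor `exit 1`
  # behaves consistently across vendor-patched GRUB2 builds, so only load
  # the local configuration and let this GRUB2 load the kernel itself.
  search --no-floppy --file --set=root "$local_cfg"
  if [ -n "$root" ]; then
    configfile "($root)$local_cfg"
  fi
  # Reaching this point means no local config was found; fall through to
  # whatever the surrounding template does next (e.g. stay in this menu).
else
  # SecureBoot disabled: keep the existing behaviour unchanged to avoid
  # side effects (placeholder; the template's current local boot entry goes here).
  echo "SecureBoot not enforced; using the existing local boot path"
fi
```

Because the kernel is loaded by the PXE-booted GRUB2 rather than by the on-disk bootloader, the signature verification that applies to that GRUB2 binary is what governs the boot, which is why the SecureBoot changes referenced above are a prerequisite.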

#1

Updated by The Foreman Bot 17 days ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/10207 added