From 2fad4a6f567e807c7bbe522f5a23546c1aececf7 Mon Sep 17 00:00:00 2001
From: jbtrystram
Date: Thu, 27 Jun 2024 10:45:49 +0200
Subject: [PATCH] overlay/15fcos: upgrade bootloader for secureboot-enabled systems
kernel 6.9 won't boot on system installed prior to F39, as shim is too old. Shim 15.8-3 reached stable on 2023-03-21, so any system using secureboot installed before that won't be able to boot kernel 6.9 See https://github.com/coreos/fedora-coreos-tracker/issues/1752 https://github.com/fedora-silverblue/issue-tracker/issues/543
---
 .../lib/systemd/system-preset/45-fcos.preset | 3 +++
 ...coreos-bootupctl-update-secureboot.service | 19 +++++++++++++++++
 .../usr/libexec/coreos-update-bootloader | 21 +++++++++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 overlay.d/15fcos/usr/lib/systemd/system/coreos-bootupctl-update-secureboot.service
 create mode 100755 overlay.d/15fcos/usr/libexec/coreos-update-bootloader
diff --git a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
index eb19f43ebb..2e23f7520e 100644
--- a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
+++ b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
@@ -9,3 +9,6 @@ enable coreos-check-wireless-firmwares.service
 # Strip extraneous field in aleph files to avoid bootupctl failing
 # https://github.com/coreos/fedora-coreos-tracker/issues/1724
 enable coreos-fix-aleph-file.service
+# Upgrade bootloader on secureboot nodes to avoid
+# https://github.com/coreos/fedora-coreos-tracker/issues/1752
+enable coreos-bootupctl-update-secureboot.service
diff --git a/overlay.d/15fcos/usr/lib/systemd/system/coreos-bootupctl-update-secureboot.service b/overlay.d/15fcos/usr/lib/systemd/system/coreos-bootupctl-update-secureboot.service
new file mode 100644
index 0000000000..85acfe2fba
--- /dev/null
+++ b/overlay.d/15fcos/usr/lib/systemd/system/coreos-bootupctl-update-secureboot.service
@@ -0,0 +1,19 @@
+# Remove after the next barrier release
+# https://github.com/coreos/fedora-coreos-tracker/issues/1752
+
+[Unit]
+Description=Update Bootloader for Secure Boot-enabled systems
+ConditionSecurity=uefi-secureboot
+
+# make sure to run after the aleph file is fixed
+# see https://github.com/coreos/fedora-coreos-tracker/issues/1724
+After=coreos-fix-aleph-file.service
+Requires=coreos-fix-aleph-file.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-update-bootloader
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/overlay.d/15fcos/usr/libexec/coreos-update-bootloader b/overlay.d/15fcos/usr/libexec/coreos-update-bootloader
new file mode 100755
index 0000000000..3846b06e2e
--- /dev/null
+++ b/overlay.d/15fcos/usr/libexec/coreos-update-bootloader
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script update the bootloader using bootupd
+# and also detect RAID-1 setups as those requires
+# extra steps
+
+
+# bootupd don't support RAID-1 setups
+# https://github.com/coreos/fedora-coreos-tracker/issues/1485
+if test -f /dev/disk/by-label/esp-1 && test -f /dev/disk/by-label/esp-2; then
+ mount /dev/disk/by-label/esp-1 /boot/efi
+ cp -rp /usr/lib/bootupd/updates/EFI /boot/efi
+ umount /boot/efi
+ mount /dev/disk/by-label/esp-2 /boot/efi
+ cp -rp /usr/lib/bootupd/updates/EFI /boot/efi
+ umount /boot/efi
+fi
+
+# Regular case
+bootupctl update
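Review bot: Nothing in this unit keeps it from running on every boot: it is a oneshot wanted by multi-user.target with `RemainAfterExit=yes` but no `ConditionPathExists=` stamp, so `/usr/libexec/coreos-update-bootloader`, which on RAID-1 systems mounts and rewrites both ESPs, is re-executed at each start until the unit is removed after the barrier release. If that is intended because `bootupctl update` is expected to be a no-op once the update is applied, say so in the header comment, e.g. `# Runs on every boot until removed; bootupctl update is expected to be a no-op once applied`; otherwise add a stamp guard such as `ConditionPathExists=!/var/lib/<stamp-file>` (placeholder path) with the script creating it on success. The `Requires=coreos-fix-aleph-file.service` also means this unit is skipped entirely whenever the aleph fix fails, which is probably the intent but deserves a word in the comment above `After=`.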
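Review bot: The RAID-1 branch can never be taken: `/dev/disk/by-label/esp-1` and `esp-2` are udev symlinks to block devices, and `test -f` follows the symlink and succeeds only for a regular file, so the condition on the `if` line is always false and mirrored-ESP systems silently fall through to the plain `bootupctl update` that the comment says bootupd does not support. Use the block-device test instead: `if test -b /dev/disk/by-label/esp-1 && test -b /dev/disk/by-label/esp-2; then`. Separately, with `set -e` a failing `cp` exits the script while the ESP is still mounted at `/boot/efi`; a `trap 'umount /boot/efi || true' ERR` placed before the first `mount` keeps that mount from being left behind. Finally, the unconditional `bootupctl update` after `fi` also runs in the RAID-1 case; if that is deliberate, a comment saying so would help, otherwise put it in an `else` branch.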