overlay/15fcos: upgrade bootloader for Secure Boot-enabled systems
The 6.9 kernel won't boot on systems installed prior to F39, as the shim
is too old.

Add a systemd unit that updates the bootloader on those machines.
Manually handle systems with mirrored ESPs.

See also: coreos/fedora-coreos-tracker#1752
Fixes: fedora-silverblue/issue-tracker#543

Co-authored-by: Jonathan Lebon <[email protected]>
jbtrystram and jlebon committed Jun 27, 2024
1 parent 7b89c45 commit 8dd5b81
Showing 3 changed files with 50 additions and 0 deletions.
3 changes: 3 additions & 0 deletions overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
Expand Up @@ -9,3 +9,6 @@ enable coreos-check-wireless-firmwares.service
# Strip extraneous field in aleph files to avoid bootupctl failing
# https://github.com/coreos/fedora-coreos-tracker/issues/1724
enable coreos-fix-aleph-file.service
# Upgrade bootloader on Secure Boot-enabled nodes to avoid
# https://github.com/coreos/fedora-coreos-tracker/issues/1752
enable coreos-bootupctl-update-secureboot.service
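Review bot: the comment above the new `enable` line says the unit exists "to avoid" a tracker URL, which tells a reader nothing about the failure being worked around; the commit message already has the one-line summary (the 6.9 kernel won't boot on pre-F39 installs because the shim is too old), so carry it into the comment, e.g. `# Upgrade bootloader on Secure Boot-enabled nodes so the 6.9 kernel boots on` / `# systems installed before F39 (old shim), see` followed by the URL. Since the unit itself is marked for removal after the next barrier release, a matching "remove after ..." note on this preset line would keep the two in step.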
@@ -0,0 +1,20 @@
# Remove after the next barrier release

[Unit]
Description=Update Bootloader for Secure Boot-enabled Systems
Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1752
ConditionSecurity=uefi-secureboot

# make sure to run after the aleph file is fixed
# see https://github.com/coreos/fedora-coreos-tracker/issues/1724
After=coreos-fix-aleph-file.service
Requires=coreos-fix-aleph-file.service

[Service]
Type=oneshot
ExecStart=/usr/libexec/coreos-update-bootloader
RemainAfterExit=yes
MountFlags=slave

[Install]
WantedBy=multi-user.target
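Review bot: this unit re-runs the update on every boot, not once: `RemainAfterExit=yes` only holds for the current boot, and nothing in the unit or in `ExecStart=/usr/libexec/coreos-update-bootloader` records that the update already happened, so on the mirrored-ESP path the bootloader gets remounted and recopied at each boot until the unit is dropped. Consider a stamp-file guard (for instance `ConditionPathExists=!<stamp>` with the script creating the stamp on success), or at least state in the `# Remove after the next barrier release` comment which release that is so the removal is actually tracked. `ConditionSecurity=uefi-secureboot` scopes the unit correctly, and `MountFlags=slave` is the right choice given that the script mounts onto /boot/efi.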
27 changes: 27 additions & 0 deletions overlay.d/15fcos/usr/libexec/coreos-update-bootloader
@@ -0,0 +1,27 @@
#!/bin/bash
set -euo pipefail

# This script update the bootloader using bootupd
# and also detect RAID-1 setups as those requires
# extra steps

if [ -e /dev/disk/by-label/EFI-SYSTEM ]; then
echo "Found ESP; calling 'bootupctl update'"
bootupctl update
exit
fi

# handle RAID case manually since bootupd doesn't support it
# https://github.com/coreos/bootupd/issues/132
i=1
while true; do
if [ ! -e /dev/disk/by-label/esp-$i ]; then
break
fi
echo "Found ESP (replica $i); updating"
mount /dev/disk/by-label/esp-$i /boot/efi
cp -rp /usr/lib/bootupd/updates/EFI /boot/efi
umount /boot/efi
i=$((i+1))
done
sync
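Review bot: when neither /dev/disk/by-label/EFI-SYSTEM nor /dev/disk/by-label/esp-1 exists, the script falls through the loop and exits 0 having done nothing, so a Secure Boot machine with an unexpected ESP layout will look successfully updated in the journal; after the loop, report the "no ESP found" case and exit non-zero (or at minimum echo it) so the failure is visible. In the loop, `mount /dev/disk/by-label/esp-$i /boot/efi` assumes /boot/efi is present and not already mounted, and under `set -euo pipefail` a failing `cp` aborts with that replica still mounted; a `trap 'umount /boot/efi' ERR`-style cleanup (or a `mktemp -d` mountpoint) keeps that tidy. Note also that `cp -rp /usr/lib/bootupd/updates/EFI /boot/efi` overlays onto the existing EFI directory and leaves any stale files behind, which is fine for a shim upgrade but worth a comment. Style: `while true; do if [ ! -e ... ]; then break; fi` collapses to `while [ -e /dev/disk/by-label/esp-$i ]; do`, and the header comment should read "This script updates the bootloader using bootupd and also detects RAID-1 setups, as those require extra steps".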
