Trigger a bootupd update before landing latest 6.9 kernel update in Fedora CoreOS #1752

Closed
travier opened this issue Jun 26, 2024 · 18 comments

@travier
Member

travier commented Jun 26, 2024

Describe the bug

We have to make sure everyone gets their bootloader updated before we land the 6.9 kernel in FCOS.

See fedora-silverblue/issue-tracker#543

Reproduction steps

Update to 6.9 kernel.

Expected behavior

System boots with Secure Boot enabled

Actual behavior

It doesn't

System details

N/A

Butane or Ignition config

N/A

Additional information

No response

@travier
Member Author

travier commented Jun 26, 2024

I tested installing Fedora Silverblue 39 and updating to latest commit which comes with the 6.9 kernel and it failed to boot. It's likely that it will fail as well for FCOS.

We might not see that in the tests as the bootloader there is always up-to-date as it's a fresh installation.

Maybe the upgrade tests will show it.

@travier
Member Author

travier commented Jun 26, 2024

Note: I won't be there for the meeting today

@jlebon
Member

jlebon commented Jun 26, 2024

Just to sanity-check, as expected I can confirm this also affects FCOS. Booting from an f38 image and rebasing to testing-devel (which already has kernel 6.9):

```
error: ../../grub-core/kern/efi/sb.c:182:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:258:you need to load the kernel
first.
```

> Maybe the upgrade tests will show it.

The last few Secure Boot upgrade tests are currently failing, but on what seems to be an unrelated issue. It needs to be looked at. (Or maybe that is what it's failing on; the console logs appear truncated so it's hard to tell.)

We did force a bootloader update recently-ish, but only on aarch64. And even then, it's not clear whether it addresses this (when did the fixed e.g. shim/grub enter Fedora 39?).

@jlebon
Member

jlebon commented Jun 26, 2024

> We did force a bootloader update recently-ish, but only on aarch64.

For reference, this is the PR where we did this: coreos/fedora-coreos-config#2308.

@jlebon
Member

jlebon commented Jun 26, 2024

And it looks like systemd supports ConditionSecurity=uefi-secureboot. So we could revive that unit but conditionalize on just systems that have Secure Boot to lower its risk.

@jbtrystram
Contributor

jbtrystram commented Jun 26, 2024

This was discussed today in the community meeting and the following plan was decided:

We will also use the opportunity of this barrier release to fix the aleph issue mentioned above, as this needs fixing to be able to update the bootloader anyway.

See the meeting logs for more details: https://meetbot.fedoraproject.org/meeting-1_matrix_fedoraproject-org/2024-06-26/fedora-coreos-meeting.2024-06-26-16.30.log.html

@jbtrystram jbtrystram added status/pending-action Needs action and removed meeting topics for meetings labels Jun 26, 2024
@jbtrystram jbtrystram self-assigned this Jun 26, 2024
@travier
Member Author

travier commented Jun 27, 2024

Should we do some special sauce to detect RAID setups that we currently don't support in bootupd?

@jbtrystram
Contributor

PR to pin kernel 6.8 in testing-devel: coreos/fedora-coreos-config#3041

@jbtrystram
Contributor

> Should we do some special sauce to detect RAID setups that we currently don't support in bootupd?

Looking at #1485 (comment), I am not sure how I can write a script that would reliably find the correct partition labels.

jbtrystram added a commit to jbtrystram/fedora-coreos-config that referenced this issue Jun 27, 2024
kernel 6.9 won't boot on system installed prior to F39, as shim is too old.
Shim 15.8-3 reached stable on 2023-03-21, so any system using secureboot
installed before that won't be able to boot kernel 6.9

See coreos/fedora-coreos-tracker#1752
fedora-silverblue/issue-tracker#543
@jbtrystram
Contributor

PR with the bootloader update (and aleph fix): coreos/fedora-coreos-config#3042

@cverna cverna added the jira for syncing to jira label Jun 27, 2024
@jlebon
Member

jlebon commented Jun 27, 2024

> Should we do some special sauce to detect RAID setups that we currently don't support in bootupd?

Yes, good point. I think we should for completeness.

@jbtrystram
Contributor

> some special sauce to detect RAID setups that we currently don't support in bootupd?

@jlebon @travier is /dev/disk/by-label/esp-1 a reliable label on RAID setups?

@travier
Member Author

travier commented Jun 27, 2024

That's a good question and I don't know the answer. I think we'll have to provision an FCOS system with various RAID setups and look at the device configurations.

@jlebon
Member

jlebon commented Jun 27, 2024

Added more info re. RAID in coreos/fedora-coreos-config#3042 (comment).

Yes, those labels are reliable. The only RAID1 we can try to support is the one we set up ourselves via the mirror Butane sugar. Those labels are defined there: https://github.com/coreos/butane/blob/d26d80317825a24f482d9c6cca2fa80181e0082f/config/fcos/v1_3/translate.go#L165
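
The gating discussed in this thread (act only on Secure Boot systems, and treat mirrored ESPs separately from what bootupd handles), as an added shell example that is not the script shipped in coreos/fedora-coreos-config. It reads the firmware's SecureBoot EFI variable directly; the function names, the optional ROOT argument and the `esp-N` numbering beyond `esp-1` are assumptions.

```shell
#!/bin/sh
# Added example: decide how to refresh the bootloader before a kernel update.
# Function names and the optional ROOT argument are hypothetical; ROOT lets the
# checks run against a constructed directory tree instead of the live system.

# Standard EFI global-variable GUID; the file is 4 attribute bytes + 1 data byte.
SB_VAR=sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_enabled [ROOT]: true only if firmware reports SecureBoot == 1.
secure_boot_enabled() {
    f="${1:-}/$SB_VAR"
    [ -r "$f" ] || return 1          # BIOS boot or variable absent
    val=$(od -An -tu1 -N5 "$f" | awk '{print $5}')
    [ "$val" = "1" ]
}

# mirrored_esps [ROOT]: print each mirrored ESP device, one per line.
# esp-1 is the label named in the thread; esp-N for N > 1 is an assumption.
mirrored_esps() {
    for dev in "${1:-}"/dev/disk/by-label/esp-[0-9]*; do
        [ -e "$dev" ] && printf '%s\n' "$dev"
    done
    return 0
}

# update_plan [ROOT]: print one of
#   skip           Secure Boot is off, leave the bootloader alone
#   bootupd        single ESP, bootupd can update it
#   manual-mirror  mirrored ESPs, each copy needs handling outside bootupd
update_plan() {
    secure_boot_enabled "${1:-}" || { echo skip; return 0; }
    if [ -n "$(mirrored_esps "${1:-}")" ]; then
        echo manual-mirror
    else
        echo bootupd
    fi
}

# Report only: nothing here writes to an ESP.
echo "plan: $(update_plan "${SYSROOT:-}")"
```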

jlebon pushed a commit to jbtrystram/fedora-coreos-config that referenced this issue Jun 27, 2024
kernel 6.9 won't boot on system installed prior to F39, as shim is too old.
Shim 15.8-3 reached stable on 2023-03-21, so any system using secureboot
installed before that won't be able to boot kernel 6.9

See coreos/fedora-coreos-tracker#1752
fedora-silverblue/issue-tracker#543
jlebon added a commit to jbtrystram/fedora-coreos-config that referenced this issue Jun 27, 2024
The 6.9 kernel won't boot on systems installed prior to F39, as the shim
is too old.

Add a systemd unit that updates the bootloader on those machines.
Manually handle systems with mirrored ESPs.

See also: coreos/fedora-coreos-tracker#1752
Fixes: fedora-silverblue/issue-tracker#543

Co-authored-by: Jonathan Lebon <[email protected]>
jlebon added a commit to coreos/fedora-coreos-config that referenced this issue Jun 27, 2024
The 6.9 kernel won't boot on systems installed prior to F39, as the shim
is too old.

Add a systemd unit that updates the bootloader on those machines.
Manually handle systems with mirrored ESPs.

See also: coreos/fedora-coreos-tracker#1752
Fixes: fedora-silverblue/issue-tracker#543

Co-authored-by: Jonathan Lebon <[email protected]>
@marmijo marmijo added the status/pending-testing-release Fixed upstream. Waiting on a testing release. label Jun 27, 2024
jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Jul 5, 2024
…stems"

This reverts commit 8dd5b81.

We've shipped this in a barrier release now.

See also: coreos/fedora-coreos-tracker#1752
jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Jul 5, 2024
This reverts commit 7b89c45.

We've shipped this in a barrier release now.

See also: coreos/fedora-coreos-tracker#1752
jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Jul 5, 2024
This reverts commit 8d4e788.

Now that we shipped bootloader updates for Secure Boot systems, we no
longer need to pin to v6.8.

See also: coreos/fedora-coreos-tracker#1752
@jlebon
Member

jlebon commented Jul 5, 2024

Revert in coreos/fedora-coreos-config#3054.

jbtrystram pushed a commit to coreos/fedora-coreos-config that referenced this issue Jul 5, 2024
…stems"

This reverts commit 8dd5b81.

We've shipped this in a barrier release now.

See also: coreos/fedora-coreos-tracker#1752
jbtrystram pushed a commit to coreos/fedora-coreos-config that referenced this issue Jul 5, 2024
This reverts commit 7b89c45.

We've shipped this in a barrier release now.

See also: coreos/fedora-coreos-tracker#1752
jbtrystram pushed a commit to coreos/fedora-coreos-config that referenced this issue Jul 5, 2024
This reverts commit 8d4e788.

Now that we shipped bootloader updates for Secure Boot systems, we no
longer need to pin to v6.8.

See also: coreos/fedora-coreos-tracker#1752
@travier travier added the status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. label Jul 5, 2024
@marmijo
Member

marmijo commented Jul 8, 2024

The fix for this went into testing stream release 40.20240701.1.0. Please try out the new release and report issues.

@marmijo marmijo removed the status/pending-testing-release Fixed upstream. Waiting on a testing release. label Jul 8, 2024
@travier
Member Author

travier commented Jul 8, 2024

With the revert done and the fix landed in testing, I think we can close this one now.

@marmijo
Member

marmijo commented Jul 19, 2024

The fix for this went into stable stream release 40.20240701.3.0.

@marmijo marmijo removed status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. status/pending-action Needs action labels Jul 19, 2024