
overlay/15fcos: upgrade bootloader for secureboot-enabled systems
kernel 6.9 won't boot on systems installed prior to F39, as their shim is too old.
Shim 15.8-3 reached stable on 2023-03-21, so any Secure Boot system
installed before that won't be able to boot kernel 6.9.

See coreos/fedora-coreos-tracker#1752
fedora-silverblue/issue-tracker#543
jbtrystram authored and jlebon committed Jun 27, 2024
1 parent 3036af6 commit de8c104
Showing 3 changed files with 49 additions and 0 deletions.
3 changes: 3 additions & 0 deletions overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
Expand Up @@ -9,3 +9,6 @@ enable coreos-check-wireless-firmwares.service
# Strip extraneous field in aleph files to avoid bootupctl failing
# https://github.com/coreos/fedora-coreos-tracker/issues/1724
enable coreos-fix-aleph-file.service
# Upgrade bootloader on Secure Boot-enabled nodes to avoid
# https://github.com/coreos/fedora-coreos-tracker/issues/1752
enable coreos-bootupctl-update-secureboot.service
@@ -0,0 +1,19 @@
# Remove after the next barrier release

[Unit]
Description=Update Bootloader for Secure Boot-enabled Systems
Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1752
ConditionSecurity=uefi-secureboot

# make sure to run after the aleph file is fixed
# see https://github.com/coreos/fedora-coreos-tracker/issues/1724
After=coreos-fix-aleph-file.service
Requires=coreos-fix-aleph-file.service

[Service]
Type=oneshot
ExecStart=/usr/libexec/coreos-update-bootloader
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
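Review bot: With Type=oneshot and RemainAfterExit=yes but no stamp file or path condition, this unit re-runs /usr/libexec/coreos-update-bootloader on every boot, and on RAID-1 setups that script rewrites each ESP replica each boot until the unit is dropped at the barrier release. If a single successful run is the intent, a `ConditionPathExists=!<STAMP_FILE_PLACEHOLDER>` here plus the script creating that file on success would bound it; if re-running is deliberate, the `# Remove after the next barrier release` comment could say so explicitly. The unit's file path is not shown on this page, so the name coreos-bootupctl-update-secureboot.service is taken from the preset change.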
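--- a/overlay.d/15fcos/usr/libexec/coreos-update-bootloader
+++ b/overlay.d/15fcos/usr/libexec/coreos-update-bootloader
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script update the bootloader using bootupd
+# and also detect RAID-1 setups as those requires
+# extra steps
+
+if [ -e /dev/disk/by-label/EFI-SYSTEM ]; then
+echo "Found ESP; calling 'bootupctl update'"
+bootupctl update
+exit
+fi
+
+# handle RAID case manually since bootupd doesn't support it
+# https://github.com/coreos/bootupd/issues/132
+i=1
+while true; do
+if [ ! -e /dev/disk/by-label/esp-$i ]; then
+break
+fi
+echo "Found ESP (replica $i); updating"
+mount /dev/disk/by-label/esp-$i /boot/efi
+cp -rp /usr/lib/bootupd/updates/EFI /boot/efi
+umount /boot/efi
+i=$((i+1))
+done
+sync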
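Review bot: In the RAID loop, a non-zero exit from `cp -rp` (or from `umount`) aborts the script under `set -e` with the ESP replica still mounted on /boot/efi, and nothing unmounts it, so the next replica's `mount` in a retry would hit an occupied mountpoint; there is no cleanup trap. Adding `trap 'mountpoint -q /boot/efi && umount /boot/efi || true' EXIT` before the loop keeps the ESP unmounted on every exit path. Whether `cp -p` can fail while preserving attributes on a vfat ESP is not visible here and is worth confirming, as it would be the most likely trigger. The header comment could also be tightened to `# Update the bootloader with bootupd; RAID-1 ESP replicas (esp-N labels) are copied by hand since bootupd does not support them.`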
