after switch to bls system not boot

[vtolstov]

i have custom tree with latest rpm-ostree (tree based on fedora 32)

i'm run grub2-switch-to-blscfg
check that loader entries present and reboot (i have efi mode)

after reboot system have only fwsetup and no menu entries populated

my fs layout:
/ on /dev/vg/root
/boot/efi on /dev/mmcblk0p1

vg placed on /dev/mmcblk0p2

what can i modify to get corrected blscfg stuff?

[jlebon]

Hmm, that's worrying. To sanity-check, this is with grub2 > 2.04-11? (This is when support for OSTree was added in the grub2-switch-to-blscfg script).

Can you confirm that you have e.g.:

insmod blscfg
blscfg

in your GRUB config?

/cc @martinezjavier

(Note this is technically an ostree issue, though it seems one can't transfer issues across organizations, so we can just leave it here for now.)

[martinezjavier]

That's worrisome indeed.

@vtolstov could you please share the following files:

/boot/efi/EFI/fedora/grubenv
/boot/efi/EFI/fedora/grub.cfg
/boot/loder/entries/*

And also your GRUB binary (/boot/efi/EFI/fedora/grubx64.efi) so I can try to reproduce it.

[vtolstov]

i'm attach via files, please note that i'm add 15_ostree file to /etc/grub.d so generated contents present in grub.cfg (without it i can't boot system).

[vtolstov]

files.zip

[martinezjavier]

@vtolstov thanks a lot for the files.

I see that there is an issue with your grubx64.efi though. It's size is only 224K while on my Fedora 32 machine the binary from the latest grub2-efi-x64 package is 2.4M.

By inspecting the binary I noticed that a lot of things are missing, among them the blscfg module that is used to populate the boot menu from the BLS snippets. And also that your LVM is set as the prefix (lvmid/YljVtc-iYls-wJZK-ZHJK-kpDc-d0yd-G4Kkmt/tj1QG5-vXES-o2un-oe5L-ZEaH-OerV-Zmf9yN)/boot/grub2 instead of the /EFI/fedora prefix that is set when building the Fedora GRUB binary.

So I guess this is a custom GRUB binary that you built? Can you please test with the latest Fedora binary in grub2-efi-x64-2.04-20.fc32.x86_64.rpm?

Another issue I noticed is that since you are not using a boot partition, the linux and initrd file paths in the BLS will not be correct. In traditional Fedora, the kernel-install script calls to grub2-mkrelpath to figure out the correct path to set in the BLS snippets, but I don't think ostree supports this.

For example ostreedev/ostree#1404 and ostreedev/ostree#1452 seems to indicate that this is not a supported configuration for ostree. Even though the /etc/grub.d/15_ostree script copes with that and is able to add a /boot prefix to the generated commands in the menuentry.

I see that you added linuxefi and initrdefi keys to ostree-1-fedora.conf that has the correct path with a /boot prefix. But those are not supported by the blscfg module since only linux and initrd are defined in the BLS. The *efi variants are just GRUB commands.

[vtolstov]

1. grub is from fedora first try when i'm switch to ostree, (fedora 29 ?)
   after that i'm upgrade only via rpm-ostree upgrade, my rpm for grub:

grub2-efi-x64-2.04-20.fc32.x86_64
grub2-pc-2.04-20.fc32.x86_64
grub2-pc-modules-2.04-20.fc32.noarch
grub2-common-2.04-20.fc32.noarch
grub2-tools-2.04-20.fc32.x86_64
grub2-tools-efi-2.04-20.fc32.x86_64
grub2-efi-x64-modules-2.04-20.fc32.noarch
grub2-tools-minimal-2.04-20.fc32.x86_64
ostree-grub2-2020.3.20-7a9592986708446cceea0d72b55f2d3219d475aa.e61f1ecd0c44ddf28e7761464385c40fecef439d.fc29.x86_64

2. for boot partition yes, i have / on lvm and only /boot/efi on dedicated partition. If this is root case for other issues - how can i switch on running system?

3. ok, makes sense... blscfg can generate efi variants in my case?

[martinezjavier]

1. grub is from fedora first try when i'm switch to ostree, (fedora 29 ?)

But you mentioned that executed grub2-switch-to-blscfg right? That should had copied your GRUB binary from /usr/lib/ostree-boot/efi/EFI/fedora/grubx64.efi to /boot/efi/EFI/fedora/grubx64.efi.

So you should had the same GRUB in the ESP as the one installed by ostree in /usr/lib/ostree-boot/efi/EFI/fedora/.

But your GRUB definitely doesn't come from Fedora, since is not even signed:

$ pesign -S -i ostree/grubx64.efi
No signatures found.

It should be something like the following:

$ sudo pesign -S -i /boot/efi/EFI/fedora/grubx64.efi
---------------------------------------------
certificate address is 0x7f9567580008
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Fedora Secure Boot Signer
No signer email address.
Signing time: Sun Jun 07, 2020
There were certs or crls included.
---------------------------------------------

Did you execute grub2-install ? That may explain why you have a non-signed GRUB binary that doesn't contain any module built-in. That command shouldn't be executed for EFI systems since it re-creates a grubx64.efi binary that is not signed and also mess the EFI boot entries since it deletes the one that has shim in its file path and adds one that points to GRUB instead.

We should make grub2-install to just warn the user and do nothing for EFI.

Did you test using the GRUB binary from Fedora as mentioned in my previous comment? Just copying from /usr/lib/ostree-boot/efi/EFI/fedora/grubx64.efi to /boot/efi/EFI/fedora/grubx64.efi should be enough.

grub2-efi-x64-2.04-20.fc32.x86_64

Yes, but the GRUB binary is not updated by ostree (in fact none of the EFI binaries) because the ESP is not part of the ostree deployment transaction. More information about this is in coreos/fedora-coreos-tracker#510

2. for boot partition yes, i have / on lvm and only /boot/efi on dedicated partition. If this is root case for other issues - how can i switch on running system?

This is a good question. Until ostree handles this and sets the correct file paths for the linux and initrd keys in the BLS snippets to point to the real path in the $root device I don't see how it could be supported.

@jlebon what do you think about this? I believe we should also check for mountpoint -q /boot in grub2-switch-to-blscfg and only mark the bootloader as BLS supported if that's true. Since it won't work if there isn't a boot partition with the currently generated BLS snippets.

3. ok, makes sense... blscfg can generate efi variants in my case?

That's correct, the linux and initrd keys in the BLS files just happen to be named as the GRUB commands, but every bootloader should map to whatever command or configuration is used there to specify the linux and initrd images to be loaded.

The GRUB EFI loader that supports Secure Boot is still not in upstream (but has been carried in most distros for years) used the linuxefi and initrdefi commands to differentiate from the upstream EFI loader that doesn't have SB support. But there's really no reason for that, and in Fedora we had been using just linux and initrd for all the platforms (still support the *efi commands for backward compat). But In any case, that's a bootloader implementation detail and shouldn't leak in the BLS snippet as mentioned.

[vtolstov]

yes, i'm run grub2-install i don't know that on efi this is not needed

ok so in my case without dedicated /boot partition i cant use bls ?

[vtolstov]

p.s. i'm re-run grub2-switch-to-blscfg and it copy efi grub file, so now its fine

[vtolstov]

and another question, when grub.cfg must be

find /boot/ -name 'grub*.cfg'
/boot/efi/EFI/fedora/grub.cfg
/boot/grub2/grub.cfg
/boot/loader.1/grub.cfg

[jlebon]

@jlebon what do you think about this? I believe we should also check for mountpoint -q /boot in grub2-switch-to-blscfg and only mark the bootloader as BLS supported if that's true. Since it won't work if there isn't a boot partition with the currently generated BLS snippets.

Hmm yes, I think that makes sense.

Thanks a lot BTW for digging into this!

and another question, when grub.cfg must be

You just need the one in /boot/efi.

[vtolstov]

Does it possible to fix now my issue?or by support boot on root, or by my hands without reinstall? ср, 17 июн. 2020 г., 17:05 Jonathan Lebon <[email protected]>:

…

@jlebon <https://github.com/jlebon> what do you think about this? I believe we should also check for mountpoint -q /boot in grub2-switch-to-blscfg and only mark the bootloader as BLS supported if that's true. Since it won't work if there isn't a boot partition with the currently generated BLS snippets. Hmm yes, I think that makes sense. Thanks a lot BTW for digging into this! and another question, when grub.cfg must be You just need the one in /boot/efi. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2121 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADVQG5OTTTMYHMIN26RLNTRXDEIFANCNFSM4NXEWX5Q> .

[martinezjavier]

Hmm yes, I think that makes sense.

Thanks a lot BTW for digging into this!

You are welcome. I've pushed grub2 updates for both F32 and Rawhide now that adds this check.

[martinezjavier]

Does it possible to fix now my issue?or by support boot on root, or by my hands without reinstall?

I don't so with the current ostree support. What you can do is remove the /boot/grub2/.grub2-blscfg-supported file so the /etc/grub.d/30_ostree script adds the menuentry commands to the GRUB config by parsing the BLS snippets.

You will still get entries that are broken due not having the /boot/ prefix... but at least you should be able to boot using the entries created by /etc/grub.d/30_ostree.

Having said that, probably would make sense to change your partition layout to have a boot partition since that's an assumption made by ostree, so it may cause other issues even though the /etc/grub.d/30_ostree script covers that case.

Also I noticed that having /boot in a partition with a LVM is not even a supported option by the Anaconda installer used in traditional Fedora.

[vtolstov]

hm , i dont have 30_ostree file. what package contains it?

[martinezjavier]

hm , i dont have 30_ostree file. what package contains it?

I'ts provided by the ostree-grub2 package.

[vtolstov]

@martinezjavier strange..:

rpm -ql ostree-grub2
/etc/grub.d/15_ostree
/usr/libexec/libostree
/usr/libexec/libostree/grub2-15_ostree
rpm -qa | grep ostree-grub2
ostree-grub2-2020.3.20-7a9592986708446cceea0d72b55f2d3219d475aa.e61f1ecd0c44ddf28e7761464385c40fecef439d.fc29.x86_64

[vtolstov]

p.s. i'm use fahc repo:

[ostree]
name=ostree
baseurl=https://ci.centos.org/artifacts/sig-atomic/fahc/rdgo/build-1/
enabled=1
skip_if_unavailable=0
gpgcheck=0

[jlebon]

I think it's a typo. The file is indeed 15_ostree.

p.s. i'm use fahc repo:

I would... move away from that. F29 is EOL and we have long stopped maintaining rdgo (and actually, we should kill it off). My advice is to just go back to the ostree packages in the Fedora repos.

[vtolstov]

@jlebon thanks for info, i'm try yo rebuild tree without rdgo repo.

[martinezjavier]

I think it's a typo. The file is indeed 15_ostree.

Yes, sorry about that. That happens when I try to write file names by heart instead of looking them up.

[vtolstov]

no problem, thanks.
i'm rebuilt tree without rdgo, and checking now. also some people already create pr to support boot on the same partition