-
Notifications
You must be signed in to change notification settings - Fork 305
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bootloader Plugin: efivar #1903
Comments
There's a number of different issues asking for different bootloader setup support: e.g.
Ideally libostree only has to generate a BLS configuration and be done with it, however there are setups that would require special handling to integrate nicely with Would it be possible to provide a "bootloader" that simply runs hook scripts from the deployment ? |
That's an interesting idea. Another way to potentially do it is to make the bootloader managers separate executables that are installed in Also, for your scenario I'd suggest explicitly setting the bootloader to |
Wouldn't separate executables make things more difficult than necessary ? While writing a Just a couple more thoughts:
I can't think of any scenario where chrooting before calling the script would be desirable. In general I've noticed that there are quite a few different ways ostree-based chroots are setup, of course they are all slightly different.
Yes, I could, however I want to have I've also found that I need to "wrap" grub-mkconfig in my modified Debian Installer (which is an even bigger hack), since the chroot provided by ostree/src/libostree/ostree-bootloader-grub2.c Lines 275 to 328 in 490f515
grub-mkconfig to mount every filesystem it requires.
|
So I'm increasingly thinking that the bootloader backends all were a mistake, and the way things should work is via having separate systemd units that hook into The appeal here is that it severs ostree from needing to know about specific bootloaders at all. And systemd offers tons of controls and tooling for units - it's effectively already a plugin system today. We'd just have to stabilize the existence of |
So ostree would start the I don't particularly like this idea, because it would hide errors in systemd logs, but it works, so I could live with it. Sorry, I'm pretty sure once I implement SecureBoot with my own PK, and TPM2.0 Attestation, I will manage to break a few more assumptions ostree makes about bootloaders 😅 |
aboot is similar to zipl backend in that, the main reason why having a backend is useful in this case is to flash boot data at the end of the deploy in the "post_bls_sync" stage. It's to execute final steps before next boot that an ostree commit simply cannot apply (as @cgwalters described in a different way). There's actually a little demand for an Asahi Fedora Silverblue Remix now, if somebody actually implemented that, they might need similar hooks also, if you wanted to handle all kinds of upgrades in rpm-ostree, you also have the option of doing some upgrades outside of rpm-ostree like fwupd would do for example. ostree-finalize-staged.service @cgwalters described could achieve the same goal in a less monolithic way, not requiring contributions directly to ostree everytime (and not necessarily requiring C code either). |
Right, the issue with this I think which @bauen1 alluded to is that this only helps with the finalization flow at shutdown. I think whatever we come up with should work even if you direcly do |
Yes, but we control those things, and can also force-invoke |
Definitely. It just feels like an awkward API vs just e.g. a dropin directory with executables (probably want both |
Here's a thorny example: you can have a staged deployment and a rollback deployment at the same time. If you just fire off But also, IMO I think systemd units which can be "re-activated" are just confusing. You almost always want |
Actually, we already have the
Two things to note:
|
Are there any plans to implement efivar as a bootloader?
https://github.com/rhboot/efivar
For example, compiling the kernel with efi stubs and using secure boot direct to kernel.
The text was updated successfully, but these errors were encountered: