overlay/15fcos: upgrade bootloader for secureboot-enabled systems
Kernel 6.9 won't boot on systems installed prior to F39, as the shim is too old.
Shim 15.8-3 reached stable on 2023-03-21, so any system using Secure Boot that was
installed before that won't be able to boot kernel 6.9.

See coreos/fedora-coreos-tracker#1752
fedora-silverblue/issue-tracker#543
jbtrystram committed Jun 27, 2024
1 parent 6d566d5 commit 2fad4a6
Showing 3 changed files with 43 additions and 0 deletions.
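--- a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
+++ b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
@@ -9,3 +9,6 @@ enable coreos-check-wireless-firmwares.service
 # Strip extraneous field in aleph files to avoid bootupctl failing
 # https://github.com/coreos/fedora-coreos-tracker/issues/1724
 enable coreos-fix-aleph-file.service
+# Upgrade bootloader on secureboot nodes to avoid
+# https://github.com/coreos/fedora-coreos-tracker/issues/1752
+enable coreos-bootupctl-update-secureboot.service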
@@ -0,0 +1,19 @@
# Remove after the next barrier release
# https://github.com/coreos/fedora-coreos-tracker/issues/1752

[Unit]
Description=Update Bootloader for Secure Boot-enabled systems
ConditionSecurity=uefi-secureboot

# make sure to run after the aleph file is fixed
# see https://github.com/coreos/fedora-coreos-tracker/issues/1724
After=coreos-fix-aleph-file.service
Requires=coreos-fix-aleph-file.service

[Service]
Type=oneshot
ExecStart=/usr/libexec/coreos-update-bootloader
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
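Review bot: Nothing in this unit limits it to a single run: it is `WantedBy=multi-user.target` with no stamp file or `ConditionPathExists=` guard, so `/usr/libexec/coreos-update-bootloader` runs on every boot of a Secure Boot node until the unit is removed. Each run may touch boot-critical files on the ESP, so a guard such as `ConditionPathExists=!/path/to/stamp` (placeholder path), with the script creating the stamp on success, would make it one-shot. It is also worth a comment that with `Requires=coreos-fix-aleph-file.service`, a failure of that unit means this one is not started and the old shim stays in place.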
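--- /dev/null
+++ b/overlay.d/15fcos/usr/libexec/coreos-update-bootloader
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script update the bootloader using bootupd
+# and also detect RAID-1 setups as those requires
+# extra steps
+
+
+# bootupd don't support RAID-1 setups
+# https://github.com/coreos/fedora-coreos-tracker/issues/1485
+if test -f /dev/disk/by-label/esp-1 && test -f /dev/disk/by-label/esp-2; then
+mount /dev/disk/by-label/esp-1 /boot/efi
+cp -rp /usr/lib/bootupd/updates/EFI /boot/efi
+umount /boot/efi
+mount /dev/disk/by-label/esp-2 /boot/efi
+cp -rp /usr/lib/bootupd/updates/EFI /boot/efi
+umount /boot/efi
+fi
+
+# Regular case
+bootupctl update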
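Review bot: The RAID-1 guard `test -f /dev/disk/by-label/esp-1 && test -f /dev/disk/by-label/esp-2` checks for regular files, but entries under /dev/disk/by-label are normally symlinks to block devices, so the branch most likely never runs and mirrored ESPs would keep the old shim; `test -b` would match them. Inside the branch, `set -e` aborts on a failed `mount` or `cp` and leaves an ESP mounted on /boot/efi, so an EXIT trap that unmounts is worth adding. `bootupctl update` also runs unconditionally after the RAID-1 copy, although the comment says bootupd does not support that layout; if that is not intended, it belongs in an `else`. The whole script is inside this hunk.

```shell
# by-label entries are symlinks to block devices: test with -b, not -f
if test -b /dev/disk/by-label/esp-1 && test -b /dev/disk/by-label/esp-2; then
    # unmount on any exit so a failed cp does not leave an ESP mounted
    trap 'umount /boot/efi 2>/dev/null || true' EXIT
    for esp in /dev/disk/by-label/esp-1 /dev/disk/by-label/esp-2; do
        mount "$esp" /boot/efi
        cp -rp /usr/lib/bootupd/updates/EFI /boot/efi
        umount /boot/efi
    done
    trap - EXIT
fi
# … unchanged: bootupctl update …
```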
