Move from bootctl to mokutil when checking for Secure Boot status #3486
@@ -93,7 +93,7 @@ function clear_lingering_reboot_config() | |||
if [[ -f ${WARM_DIR}/${REDIS_FILE} ]]; then | |||
mv -f ${WARM_DIR}/${REDIS_FILE} ${WARM_DIR}/${REDIS_FILE}.${TIMESTAMP} || /bin/true | |||
fi | |||
/sbin/kexec -u || /bin/true | |||
/sbin/kexec -u -a || /bin/true |
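Review bot: the new `-a` on `/sbin/kexec -u` in clear_lingering_reboot_config() has no comment explaining it, and because the call is followed by `|| /bin/true` a failing unload stays silent either way. Add a one-line comment saying why the unload needs `-a`, and consider logging when the unload fails so a stale loaded image does not go unnoticed.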
Why is this change required?
I have the same question. If this is a valid and general bug fix, we need to evaluate the backport needs. Could you separate it into a standalone PR?
kexec -u on systems with SB enabled is failing. Already fixed for WR here: #3439.
Since we are updating soft-reboot to work on Secure Boot systems, I've also added this change.
Could you link this PR to HLD PR?
function load_kernel() { | ||
# Load kernel into the memory | ||
/sbin/kexec -l "$KERNEL_IMAGE" --initrd="$INITRD" --append="$BOOT_OPTIONS" | ||
invoke_kexec -a |
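Review bot: `invoke_kexec -a` in load_kernel() hides the kernel image, initrd and append arguments that the replaced `/sbin/kexec -l` line passed explicitly. Document on invoke_kexec that it supplies them (still quoted), and add a comment on why this path uses `-a` while the Secure Boot path in the verification log uses `-s`.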
Similar to above comment.
Looks fine to me
@qiluo-msft can you please review comment feedback?
Cherry-pick PR to 202405: #3545
#### What I did

Moved to use mokutil instead of bootctl as bootctl is no longer available in Bookworm.
This affected reboot scripts, and upgrade scenario.

#### How I did it

Change calls to _bootctl status_ with _mokutil --sb-state_

#### How to verify it

After fixing the scripts to check reboot:
root@sn5600:/home/admin# soft-reboot
SECURE_UPGRADE_ENABLED=1
[[ CHECK_SECURE_UPGRADE_ENABLED -ne 0 ]]
load_kernel_secure
invoke_kexec -s
packet_write_wait: port 22: Broken pipe
admin@sn5600:~$ show reboot-cause
User issued 'soft-reboot' command [User: admin, Time: Tue Jul 23 11:06:43 PM UTC 2024]
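The check this PR switches to, sketched as an added example (not code from the PR or from the project): a parser for `mokutil --sb-state` output that also reports the case where firmware Secure Boot is on but shim validation is off, leaving the policy decision to the caller. The function names and the state strings they print are hypothetical, and the outputs it is exercised against are constructed samples.

```bash
#!/bin/bash
# Added example, not part of the PR. Function names are hypothetical.

# parse_sb_state TEXT
# Classify the text printed by `mokutil --sb-state`.
# Prints one of: enabled | enabled-no-shim-validation | disabled | unknown
parse_sb_state() {
    local line fw="" shim_off=0
    while IFS= read -r line; do
        case "$line" in
            "SecureBoot enabled"*)  fw="enabled" ;;
            "SecureBoot disabled"*) fw="disabled" ;;
            # Firmware Secure Boot is on, but shim was told not to validate.
            *"validation is disabled in shim"*) shim_off=1 ;;
        esac
    done <<EOF
$1
EOF
    if [ -z "$fw" ]; then
        # No recognisable state line (non-EFI boot, error text, empty output).
        echo "unknown"
    elif [ "$fw" = "enabled" ] && [ "$shim_off" -eq 1 ]; then
        echo "enabled-no-shim-validation"
    else
        echo "$fw"
    fi
}

# secure_boot_state
# Query the running system. A missing mokutil binary or a failing call is
# reported as "unknown" rather than being mistaken for "disabled".
secure_boot_state() {
    local out
    if ! command -v mokutil >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    # mokutil can exit non-zero (e.g. no EFI variables); parse what it printed.
    out="$(mokutil --sb-state 2>/dev/null)" || true
    parse_sb_state "$out"
}
```

A caller should treat `unknown` as its own outcome and decide explicitly what to do with it, instead of folding it into `disabled`.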