RFE: instead of invoking exactly grubx64.efi iterate through drop-in dir #573
Comments
|
This is orthogonal to establishing trust and signing, so seems like a good idea in general to me. Currently the only way to change this is via a build-time makefile variable, which works fine for local testing, but not much more. |
|
This must be a good idea. Though, I'm just worried Microsoft is willing to sign those uncertain combinations of shim + (non-grub2 + some proprietary 2nd stage boot loaders) located in |
|
@dennis-tseng99 msft has no problem if people sign other boot loaders. noone at msft is glued to grub. |
|
The signing discussion is off-topic here, it's really orthogonal to how binaries are searched, let's focus on this |
|
@poettering @bluca I sent the following pull request: #608 that will solve this problem with a configuration file. I would be interested in your feedback on this approach. |
|
Uh, I am not sure what the benefit would be to have a config file for that. (and csv! yikes). it's much simpler to just look for the alternative files and use them, rather than making things indirect. config files kind mean yu also want to measure them, and so on, it just makes things a ton more complex for little gain. |
|
@poettering Directory iteration only works on local file systems, silently failing on remote HTTP and TFTP boot locations. But anyway I don't believe this is valuable that way because we already have boot$arch.csv for the fallback loader and that's supposed to be merged so we do not need to reset the system anymore but can just chainload. |
|
Of course you could call them kernel${efi_arch}0001.efi and so on and try them in order until you run out. |
|
See issue #482 for more details on how trying the directory bit us when we tried it for certmules. |
For HTTP and TFTP the kind of reliability fallback logic is not really necessary, where you'd iterate through a dir to find a working version. After all (at least in my thinking) that's about dealing with bad file system drivers, incomplete writes and so on, but nothing of that sort applies to http/tftp. Hence if you ask me, it would be totally fine to do the dir thing i proposed, and if it works, then great, but also do something else, either before or after.
What is "boot$arch.csv"? csv files? as in comma separated vaues files? That sounds less than ideal to me, for various reasons... Is there a link about details? Generally, is that a file that would have to rewritten each time a boot loader is updated? that's precisely what I want to avoid with my proposal: single point of failures. on vfat it's a lot better to not update files too much, but rather create new ones and leave old files as they are, until one day they are deleted. |
|
for sd-boot the boot loader spec requires drop-in style stuff to define type 1 and type entries, btw, i.e. it currently requires directory enumeration to work at all. There's a TODO list item somwhere to extend that so that if directory enumeration doesn#t work, sd-boot instead looks for a file |
|
So to summarize, here's what I'd propose: add support for something like |
It has been this way for 10 years, since the first version of fallback.
Yes
|
|
Implementing this would be beneficial for Fedora which are working towards better systemd-boot as an alternative to GRUB depending on ones needs. https://fedoraproject.org/wiki/Changes/cleanup_systemd_install Support such a setup with secure boot is also planned down the line and would require this feature. Automatic enumeration as sd-boot does it seems like the cleanest and most robust way forward here. |
|
What we discussed a couple of weeks ago was to support all these options: first try to load the configured default second stage by name, then try to use the new csv file if present, and if not proceed to enumerate the directory content as discussed in this ticket. This should satisfy all use cases and requirements for everyone. |
|
You know I already provided a patch (twice) that allows putting the boot file in a utf16 text file. Here's a copy (the acme stuff would be your company name). |
|
@TBOpen I was not aware there was a previous attempt. Is there an old pull request that can be referenced? |
|
I think I just sent a patch file as I did this time .. it's been a while. |
|
Just my 2 cents worth of support for this RFE:
Lets focus on local files first instead of thinking about remote booting... |
Currently shim strictly chainloads grubx64.efi (well, at least on x86-64). This is less than ideal for two reasons:
Hence I'd propose the following logic, that is dumb enough to be safe, but avoids both these issues:
enumerate EFI binaries from some to be defined directory (for example
\EFI\shim-payload\*.EFIor so), sort them via strverscmp() (ideally the modified one the boot loader spec mandates, as per https://uapi-group.org/specifications/specs/boot_loader_specification/), and then invoke the newest binary. if that fails, go for the next, and so on, and so on, until one works.This should be reasonably simple and robust and decouple shim from the boot loader implementation while increasing safety for participants in this: they can drop a new entry in the dir, and keep a couple of them around and delete the old ones when they see fit. versions never fight for the same filename anymore.
The text was updated successfully, but these errors were encountered: