-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buildextend-live: drop shim fallback.efi from ISO; simplify EFI image #2435
Conversation
UEFI boots from removable media via the arch-specific default EFI application in /EFI/BOOT. When booted that way, shim chains to fallback.efi if it exists, and fallback.efi creates an EFI boot entry. That's not appropriate for removable media boot, since the media will probably never be present again. If a TPM is present, fallback.efi will additionally reboot the machine, and on some machines this leads to boot loops. Instead of all this, we just want shim to chain directly to GRUB. The EFI boot image currently looks like this: EFI/BOOT/BOOTX64.EFI EFI/BOOT/fbx64.efi EFI/fedora/BOOTX64.CSV EFI/fedora/fonts/ EFI/fedora/grub.cfg EFI/fedora/grubx64.efi EFI/fedora/mmx64.efi EFI/fedora/shim.efi EFI/fedora/shimx64.efi Refactor the EFI boot image under the expectation that we never want to create or boot from an EFI boot entry. Consolidate /EFI/<vendor-id> into /EFI/BOOT and delete things we don't need: fallback.efi, its associated CSV, and extra copies of shim. The result is this: EFI/BOOT/BOOTX64.EFI EFI/BOOT/fonts/ EFI/BOOT/grub.cfg EFI/BOOT/grubx64.efi EFI/BOOT/mmx64.efi This also saves a couple MB of space. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2004449
On UEFI systems, confirm that shim hasn't created an EFI boot entry during live ISO bootup.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM overall!
os.unlink(path) | ||
|
||
# Drop vendor copies of shim; we already have it in BOOT*.EFI in | ||
# BOOT |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we sanity-check before nuking that BOOTX64.EFI
and shimx86.efi
are the same file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it matters. If the shim package decides to install a slightly different binary into BOOTX64.EFI
, presumably that's the one we want to use. The shimx64.efi
in the vendor directory is there for booting via a boot entry, which we won't be doing.
[Service] | ||
Type=oneshot | ||
RemainAfterExit=yes | ||
ExecStart=/bin/sh -c '! efibootmgr -v | grep -E "(HD|CDROM)\("' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you verify, even if manually, that this test failed before this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup!
UEFI boots from removable media via the arch-specific default EFI application in
/EFI/BOOT
. When booted that way, shim chains to fallback.efi if it exists, and fallback.efi creates an EFI boot entry. That's not appropriate for removable media boot, since the media will probably never be present again. If a TPM is present, fallback.efi will additionally reboot the machine, and on some machines this leads to boot loops. Instead of all this, we just want shim to chain directly to GRUB.The EFI boot image currently looks like this:
Refactor the EFI boot image under the expectation that we never want to create or boot from an EFI boot entry. Consolidate
/EFI/<vendor-id>
into/EFI/BOOT
and delete things we don't need:fallback.efi
, its associated CSV, and extra copies of shim. The result is this:This also saves a couple MB of space.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2004449