overlay/15fcos: upgrade bootloader for secureboot-enabled systems

kernel 6.9 won't boot on system installed prior to F39, as shim is too old. Shim 15.8-3 reached stable on 2023-03-21, so any system using secureboot installed before that won't be able to boot kernel 6.9 See coreos/fedora-coreos-tracker#1752 fedora-silverblue/issue-tracker#543
jbtrystram · Jun 27, 2024 · 9ace03e · 9ace03e
1 parent 159530e
commit 9ace03e
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
@@ -9,4 +9,6 @@ enable coreos-check-wireless-firmwares.service
 # Strip extraneous field in aleph files to avoid bootupctl failing
 # https://github.com/coreos/fedora-coreos-tracker/issues/1724
 enable coreos-fix-aleph-file.service
-
+# Upgrade bootloader on secureboot nodes to avoid
+# https://github.com/coreos/fedora-coreos-tracker/issues/1752
+enable coreos-bootupctl-update-secureboot.service
diff --git a/overlay.d/15fcos/usr/lib/systemd/system/coreos-bootupctl-update-secureboot.service b/overlay.d/15fcos/usr/lib/systemd/system/coreos-bootupctl-update-secureboot.service
@@ -0,0 +1,18 @@
+# Remove after the next barrier release
+# https://github.com/coreos/fedora-coreos-tracker/issues/1752
+
+[Unit]
+Description=Update Bootloader for secureboot-enabled systems
+ConditionSecurity=uefi-secureboot
+ConditionFirmware=uefi
+# make sure to run after the aleph file is fixed
+# see https://github.com/coreos/fedora-coreos-tracker/issues/1724
+After=coreos-fix-aleph-file.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootupctl update
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target