Hey all,
As a follow up to Chris' thread on hybrid BIOS/UEFI images[1], it was pointed out that in order to build images that actually boot, I need to make sure that the protective MBR boot flag isn't set. To implement this for Fedora Cloud images, I'm using parted in %post[2]. However, that has a major problem: I don't necessarily know what the block device name is going to be. I'm making an educated guess, but for third parties attempting to rebuild our images, that guess may be wrong.
What I'd like to see is the clearpart command getting a --no-gpt-pmbr-boot-flag or similar that would allow me to do this without having to write a magic snippet that includes a guess on how this works.
I imagine this would also be useful for RHEL/CentOS 9, since it would simplify making hybrid boot images.
What do y'all think?
Thanks in advance and best regards, Neal
[1]: https://listman.redhat.com/archives/anaconda-devel-list/2021-May/msg00000.ht...
[2]: https://pagure.io/fedora-kickstarts/pull-request/820#_3__29
-- 真実はいつも一つ!/ Always, there's only one truth!
On Sat, Jul 03, 2021 at 08:36:54AM -0400, Neal Gompa wrote:
> Hey all,
> As a follow up to Chris' thread on hybrid BIOS/UEFI images[1], it was pointed out that in order to build images that actually boot, I need to make sure that the protective MBR boot flag isn't set. To implement this for Fedora Cloud images, I'm using parted in %post[2]. However, that has a major problem: I don't necessarily know what the block device name is going to be. I'm making an educated guess, but for third parties attempting to rebuild our images, that guess may be wrong.
> What I'd like to see is the clearpart command getting a --no-gpt-pmbr-boot-flag or similar that would allow me to do this without having to write a magic snippet that includes a guess on how this works.
> I imagine this would also be useful for RHEL/CentOS 9, since it would simplify making hybrid boot images.
> What do y'all think?
I really don't want to add new flags to pykickstart for every corner case, so I think this needs to be fixed some other way.
blivet is what's actually responsible for setting this, see:
https://github.com/storaged-project/blivet/blob/98e436074345974ab1f793f521f0...
so changing that isn't a simple change.
If I understand the issue, it's that KVM's UEFI firmware isn't booting with this set? This seems strange, since it looks like pmbr_boot is always set by blivet for non-mac UEFI installs, and it has been this way for a considerable amount of time.
More importantly, the UEFI specification specifically states that UEFI firmware is to ignore the flag (it's called 'BootIndicator' in the spec) so if the firmware isn't recognizing it because of that flag it is a bug.
Brian
On Tue, Jul 6, 2021 at 12:54 PM Brian C. Lane <bcl@redhat.com> wrote:
> On Sat, Jul 03, 2021 at 08:36:54AM -0400, Neal Gompa wrote:
> > Hey all,
> > As a follow up to Chris' thread on hybrid BIOS/UEFI images[1], it was pointed out that in order to build images that actually boot, I need to make sure that the protective MBR boot flag isn't set. To implement this for Fedora Cloud images, I'm using parted in %post[2]. However, that has a major problem: I don't necessarily know what the block device name is going to be. I'm making an educated guess, but for third parties attempting to rebuild our images, that guess may be wrong.
> > What I'd like to see is the clearpart command getting a --no-gpt-pmbr-boot-flag or similar that would allow me to do this without having to write a magic snippet that includes a guess on how this works.
> > I imagine this would also be useful for RHEL/CentOS 9, since it would simplify making hybrid boot images.
> > What do y'all think?
> I really don't want to add new flags to pykickstart for every corner case, so I think this needs to be fixed some other way.
> blivet is what's actually responsible for setting this, see:
> https://github.com/storaged-project/blivet/blob/98e436074345974ab1f793f521f0...
> so changing that isn't a simple change.
> If I understand the issue, it's that KVM's UEFI firmware isn't booting with this set? This seems strange, since it looks like pmbr_boot is always set by blivet for non-mac UEFI installs, and it has been this way for a considerable amount of time.
> More importantly, the UEFI specification specifically states that UEFI firmware is to ignore the flag (it's called 'BootIndicator' in the spec) so if the firmware isn't recognizing it because of that flag it is a bug.
It is a bug, and I just fixed it in EDK2 upstream: https://github.com/tianocore/edk2/commit/b3db0cb1f8d163f22b769c205c6347376a3...
But that doesn't change the ~10 years of UEFI firmware that don't support this properly.
-- 真実はいつも一つ!/ Always, there's only one truth!
anaconda-devel@lists.fedoraproject.org
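
An added example, not code from this thread or from anaconda, blivet or pykickstart: a check that reads the first sector of a finished raw image file, reports whether the protective MBR record (type 0xEE) has its BootIndicator byte set, and clears it. Running it against the image file after the build, rather than inside %post, is an assumption made here so that no block device name has to be guessed; the function names and the sample MBR are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446      # start of the four 16-byte partition records
ENTRY_SIZE = 16
GPT_PROTECTIVE = 0xEE   # OSType of the protective MBR record
BOOT_FLAG = 0x80        # BootIndicator value meaning "active"

def pmbr_boot_entries(mbr: bytes) -> list[int]:
    """Return indexes of 0xEE records whose BootIndicator is set."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    hits = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        boot, os_type = mbr[off], mbr[off + 4]
        if os_type == GPT_PROTECTIVE and boot & BOOT_FLAG:
            hits.append(i)
    return hits

def clear_pmbr_boot(mbr: bytes) -> bytes:
    """Return a copy of the sector with the flag cleared on 0xEE records."""
    out = bytearray(mbr[:SECTOR])
    for i in pmbr_boot_entries(mbr):
        out[TABLE_OFFSET + i * ENTRY_SIZE] = 0x00
    return bytes(out)

def fix_image(path: str) -> bool:
    """Clear the flag in place in an image file; True if it was changed."""
    with open(path, "r+b") as f:
        mbr = f.read(SECTOR)
        fixed = clear_pmbr_boot(mbr)
        if fixed == mbr:
            return False
        f.seek(0)
        f.write(fixed)   # only sector 0 is rewritten; the GPT is untouched
        return True

def sample_pmbr(boot: int) -> bytes:
    """Constructed sample sector: one protective record starting at LBA 1."""
    entry = struct.pack("<B3sB3sII", boot, b"\x00\x02\x00",
                        GPT_PROTECTIVE, b"\xff\xff\xff", 1, 0xFFFF)
    return bytes(TABLE_OFFSET) + entry + bytes(48) + b"\x55\xaa"
```

Only the single BootIndicator byte in the protective record changes, so the GPT header and partition entries that follow sector 0 are left as the installer wrote them.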