https://fedoraproject.org/wiki/Changes/BiggerESP This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == The Fedora installer includes an EFI System Partition of between 200MB and 600MB by default, of which the lower size is much too small for firmware updates on modern hardware and also for future bootloader features like UKI. This change will increase the minimum size of the ESP to be 500MB, which is also the same value used by Microsoft for Windows 10 and newer.

== Owner == * Name: [[User:rhughes| Richard Hughes]] * Email: richard(a)hughsie.com == Detailed Description == Modern hardware has UEFI firmware updates that are more than 64MB in size. The OEMs recommend a ESP free space of double the flash size plus 20MB and fwupd now enforces this requirement to ensure flash success. As the ESP is often shared between Windows and Linux, and also used for firmware updates, and soon to be used by UKIs it's not enough to just allocate a few hundreds of megabytes. Windows 10 and 11 allocates an ESP of at least 500MiB. Arch also specifies a minimum of 512 MiB.

== Feedback == There is no alternative -- the ESP has to scale up if we want firmware updates to continue to work and to support UKIs for next-generation bootloaders. == Benefit to Fedora == Firmware updates will work on future hardware, and we can boot the kernel using UKIs using next-generation bootloaders. == Scope == * Proposal owners: We need to change a number in Anaconda: https://github.com/rhinstaller/anaconda/pull/4711 == Upgrade/compatibility impact == We can't grow the ESP in size, and so this change will only affect new installs. This is fine, as this will affect new hardware more than old hardware. == How To Test == Install Fedora and observe that /boot/efi has at least 276MB free space, even when installed alongside Windows. == Dependencies == Anaconda would need to be modified, and Fedora would have a / or /home partition that's ~300MB smaller by default than it is now.

https://fedoraproject.org/wiki/Changes/BiggerESP This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == The Fedora installer includes an EFI System Partition of between 200MB and 600MB by default, of which the lower size is much too small for firmware updates on modern hardware and also for future bootloader features like UKI. This change will increase the minimum size of the ESP to be 500MB, which is also the same value used by Microsoft for Windows 10 and newer.

https://fedoraproject.org/wiki/Changes/BiggerESP

== Feedback == There is no alternative -- the ESP has to scale up if we want firmware updates to continue to work and to support UKIs for next-generation bootloaders.

== Summary == This change will increase the minimum size of the ESP to be 500MB, which is also the same value used by Microsoft for Windows 10 and newer.

Hi, > If we want to change the default here, let's do some proper cleanup: > 1. the split between ESP and XBOOTLDR is only useful in the case where > ESP already existed and was small. If the installer is *creating* > an ESP, it should just make it large enough. And install kernels to /boot/efi in case /boot is not a XBOOTLDR filesystem?

> 2. having a second partition with a second (different) file system > implementation just increases the footprint and attack surface for > no gain. If we create XBOOTLDR, make it like the ESP (i.e. VFAT > in almost all realistic scenarios). While being at it also give the XBOOTLDR the correct type uuid according to the discoverable partitions spec.

I've been asked to consider converting /boot to a Btrfs subvolume so that it no longer has a fixed space allocation to deal with the ever increasing amount of firmware required for NVIDIA GPUs[1]. This is currently incompatible with how systemd views the world, because the "discoverable partition spec" is wired to partitions, and there is no equivalent spec for subvolumes of a volume. And I imagine that XBOOTLDR (whatever that is) also would have a problem with this.

Also, as an aside, there is now a "from-scratch" Btrfs EFI driver in development[2] (and for your personal horror, an NTFS one too[3]).

On Tue, May 9, 2023 at 12:31 PM Lennart Poettering <mzerqung(a)0pointer.de&gt; wrote: > > On Di, 09.05.23 08:22, Neal Gompa (ngompa13(a)gmail.com) wrote: > > > I've been asked to consider converting /boot to a Btrfs subvolume so > > that it no longer has a fixed space allocation to deal with the ever > > increasing amount of firmware required for NVIDIA GPUs[1]. This is > > currently incompatible with how systemd views the world, because the > > "discoverable partition spec" is wired to partitions, and there is no > > equivalent spec for subvolumes of a volume. And I imagine that > > XBOOTLDR (whatever that is) also would have a problem with this. > > This makese no sense. If you want /boot to just be a subvolume of the > rootfs btrfs, then this would imply it's also covered by the same > security choices, i.e. encryption. We want to bind that sooner or > later to things like TPM2, FIDO2, PKCS11. And that's simply not > feasible from a boot loader environment. > > Hence, the place the kernel is loaded from (regardless if you call it > /efi or /boot or /boot/efi, and regardless what fs it is) must be > accessible from the boot loader easily, without requiring > implementation of TPM2/FIDO2/PKCS11 hookup in the boot loader. > > Hence: btrfs subvols won't work for this If we're not using LUKS for encryption, then this is not a problem. We're generally looking toward encrypting subvolumes individually using the upcoming Btrfs native encryption capability rather than using LUKS. That allows us to 1. Pick which subvolumes are encrypted 2. Pick the security binding method per subvolume For example, the root and home subvolumes would use TPM or some other non-interactive binding. The user subvolume in home would decrypt with user login. While this is true, and it would be nice if we could just make "size of

> We're generally looking toward encrypting subvolumes individually > using the upcoming Btrfs native encryption capability rather than > using LUKS. That allows us to How do you establish trust in the underlying file system? The thing that kernel fs maintainers made very clear is that they do not consider Linux file systems safe regarding rogue offline modification. Hence you must establish trust somehow *before* you mount the fs, which pretty much means LUKS. Linux fs maintainers also made very clear that they generally consider alternative implementations of their file systems as unsupported, and a problem. The big relevant Linux file systems consider only the implementation in the Linux kernel as defining the format. Which means that anything like an alternative implementation of btrfs or xfs or ext4 in things like grub or EFI is expressly against the wishes of the people who maintain the file systems. Or in other words: what you are proposing appears like a very bad idea, and in fact even upstream Grub wants to get away from maintaining thei own fs drivers for Linux fs as I hear, because it's so untenable to them, too. Seriously, bury this idea.

Read-only drivers, which are the only drivers under discussion here, aren't a per se problem because they can't modify the file system. So they have no complaints about that.

I don't know what question you asked them. Any modifications (writes) performed outside kernel code is not supported, since forever.

Read-only drivers, which are the only drivers under discussion here, aren't a per se problem because they can't modify the file system. So they have no complaints about that.

On Thu, May 11, 2023 at 3:33 AM Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; wrote: We already don't do boot counting from the bootloader side. That happens in the operating system.

On Thu, May 11, 2023 at 6:26 AM Luca Boccassi <bluca(a)debian.org&gt; wrote: I definitely am, considering how often there's no space and how easy it is to brick many systems through it.

On Thu, May 11, 2023 at 3:33 AM Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; wrote: > > On Wed, May 10, 2023 at 05:54:45PM -0400, Chris Murphy wrote: > > I don't know what question you asked them. Any modifications > > (writes) performed outside kernel code is not supported, since > > forever. > > > Read-only drivers, which are the only drivers under discussion here, > > aren't a per se problem because they can't modify the file > > system. So they have no complaints about that. > > Just read-only is not enough: a user must be able to configure things in > the boot loader: the default boot entry, or screen resolution, etc. > Also we want boot counting, which means writing the number of boot > attempts somewhere. A solution which makes those things impossible > is not very attractive. > We already don't do boot counting from the bootloader side. That happens in the operating system.

On Mi, 10.05.23 17:54, Chris Murphy (lists(a)colorremedies.com) wrote: > > Read-only drivers, which are the only drivers under discussion here, > aren't a per se problem because they can't modify the file > system. So they have no complaints about that. No. Not true.

On Thu, May 11, 2023 at 10:10 AM Lennart Poettering <mzerqung(a)0pointer.de&gt; wrote: > > (Moreover, read-only access doesn't cut it. If you want boot counting > you want write access.) > > Just interjecting a quick thought -- would it be possible to use FAT's reserved sectors for the boot counting? (You can find a description of them under the -R option in the mkfs.vfat man page.) I still think it would be nice to be able to mirror the ESP with mdraid. But if the FAT filesystem is writable by the bootloader, then that won't work. The reserved sectors are specifically reserved for bootloader code by design and if write access by the bootloader/firmware is limited to those sectors then there should be no danger of filesystem corruption if software mirroring is used.

On Tue, May 9, 2023 at 12:31 PM Lennart Poettering <mzerqung(a)0pointer.de&gt; wrote: > > On Di, 09.05.23 08:22, Neal Gompa (ngompa13(a)gmail.com) wrote: > > > I've been asked to consider converting /boot to a Btrfs subvolume so > > that it no longer has a fixed space allocation to deal with the ever > > increasing amount of firmware required for NVIDIA GPUs[1]. This is > > currently incompatible with how systemd views the world, because the > > "discoverable partition spec" is wired to partitions, and there is no > > equivalent spec for subvolumes of a volume. And I imagine that > > XBOOTLDR (whatever that is) also would have a problem with this. > > This makese no sense. If you want /boot to just be a subvolume of the > rootfs btrfs, then this would imply it's also covered by the same > security choices, i.e. encryption. We want to bind that sooner or > later to things like TPM2, FIDO2, PKCS11. And that's simply not > feasible from a boot loader environment. > > Hence, the place the kernel is loaded from (regardless if you call it > /efi or /boot or /boot/efi, and regardless what fs it is) must be > accessible from the boot loader easily, without requiring > implementation of TPM2/FIDO2/PKCS11 hookup in the boot loader. > > Hence: btrfs subvols won't work for this If we're not using LUKS for encryption, then this is not a problem. We're generally looking toward encrypting subvolumes individually using the upcoming Btrfs native encryption capability rather than using LUKS. That allows us to 1. Pick which subvolumes are encrypted 2. Pick the security binding method per subvolume For example, the root and home subvolumes would use TPM or some other non-interactive binding. The user subvolume in home would decrypt with user login.

On Wed, May 10, 2023 at 11:12 AM Simo Sorce <simo(a)redhat.com&gt; wrote: > > On Tue, 2023-05-09 at 12:37 -0400, Neal Gompa wrote: > > On Tue, May 9, 2023 at 12:31 PM Lennart Poettering <mzerqung(a)0pointer.de&gt; wrote: > > > > > > On Di, 09.05.23 08:22, Neal Gompa (ngompa13(a)gmail.com) wrote: > > > > > > > I've been asked to consider converting /boot to a Btrfs subvolume so > > > > that it no longer has a fixed space allocation to deal with the ever > > > > increasing amount of firmware required for NVIDIA GPUs[1]. This is > > > > currently incompatible with how systemd views the world, because the > > > > "discoverable partition spec" is wired to partitions, and there is no > > > > equivalent spec for subvolumes of a volume. And I imagine that > > > > XBOOTLDR (whatever that is) also would have a problem with this. > > > > > > This makese no sense. If you want /boot to just be a subvolume of the > > > rootfs btrfs, then this would imply it's also covered by the same > > > security choices, i.e. encryption. We want to bind that sooner or > > > later to things like TPM2, FIDO2, PKCS11. And that's simply not > > > feasible from a boot loader environment. > > > > > > Hence, the place the kernel is loaded from (regardless if you call it > > > /efi or /boot or /boot/efi, and regardless what fs it is) must be > > > accessible from the boot loader easily, without requiring > > > implementation of TPM2/FIDO2/PKCS11 hookup in the boot loader. > > > > > > Hence: btrfs subvols won't work for this > > > > If we're not using LUKS for encryption, then this is not a problem. > > We're generally looking toward encrypting subvolumes individually > > using the upcoming Btrfs native encryption capability rather than > > using LUKS. That allows us to > > > > 1. Pick which subvolumes are encrypted > > 2. Pick the security binding method per subvolume > > > > For example, the root and home subvolumes would use TPM or some other > > non-interactive binding. The user subvolume in home would decrypt with > > user login. > > Neal, > I think you are barking up the wrong tree here. > > The design of the boot loader *nedds* to be simple. > > Simple means, VFAT and *no trust* in the filesystem, individual files > are signed and verified. > Only the bare minimum *necessary* is in the boot partition, which means > kernel images and the bare minimum init image needed to unlock and > mount the root partition. > > There is no point in building a more complex system than that and load > tons of garbage drivers in the EFI. > > Booting is a staged system, and should be kept as simple as possible to > avoid duplication (which means subtle bugs and a ton of maintenance > overhead). > This proposal isn't better. Neither Windows nor macOS put critical operating system code in the ESP, and we shouldn't either. But you want to put kernels in the ESP? That's the wrong approach too. As soon as you throw UKIs in the mix, you've completely broken that because now the absolutely most valuable code for your system is in a "hostile" environment. At least we can make /boot authenticated and tamper resistant as a Btrfs subvolume.

I would rather have a multi-stage boot process, where the first stage does just enough to unlock and load the OS volume to load the real boot environment.

On Wed, May 10, 2023 at 12:02 PM Neal Gompa <ngompa13(a)gmail.com&gt; wrote: > > > This proposal isn't better. Neither Windows nor macOS put critical > operating system code in the ESP, and we shouldn't either. But you > want to put kernels in the ESP? That's the wrong approach too. > > As soon as you throw UKIs in the mix, you've completely broken that > because now the absolutely most valuable code for your system is in a > "hostile" environment. At least we can make /boot authenticated and > tamper resistant as a Btrfs subvolume. As other people have mentioned, we have a solution for the ESP being untrusted - secure boot. As far as I understand, there's no tamper resistance for /boot on btrfs unless it's encrypted, and that would be a whole other barrel of snakes :-)

Now, there's a second problem with reading everything from the ESP - it's slow for two reasons. First, because read speeds when going through the firmware are much slower than the Linux NVMe stack. And second, because we have to read everything in order to checksum and verify it. For that reason, Demi's suggestion of moving things onto a dm-verity protected partition is intriguing. Could that even be a loopback file on the ESP? It would be like a lazy-read system extension. The performance geek in me thinks "we could see exciting speedups from that!" - the practical side of me thinks "it might be a few second faster. And much more complex! Let's just go with efifb, keep the initramfs small, and accept any minor regressions". > I would rather have a multi-stage boot process, where the first stage > does just enough to unlock and load the OS volume to load the real > boot environment. "unlock and load the OS volume" is pretty much what the initramfs does, right?

On Wed, May 10, 2023 at 2:24 PM Owen Taylor <otaylor(a)redhat.com&gt; wrote: >> As soon as you throw UKIs in the mix, you've completely broken that >> because now the absolutely most valuable code for your system is in a >> "hostile" environment. At least we can make /boot authenticated and >> tamper resistant as a Btrfs subvolume. > > > As other people have mentioned, we have a solution for the ESP being untrusted - secure boot. As far as I understand, there's no tamper resistance for /boot on btrfs unless it's encrypted, and that would be a whole other barrel of snakes :-) fsverity is separate from fscrypt. We can apply filesystem authentication today.

No. It initializes the whole operating system, and then pivots the user-space later. That's why we have to everything in initramfs. UKIs attempt to standardize the early-stage image without attempting to solve this problem, because a two-stage boot process requires changing how we think about operating system initialization.

On Wed, May 10, 2023, at 2:24 PM, Owen Taylor wrote: On Wed, May 10, 2023 at 12:02 PM Neal Gompa <ngompa13(a)gmail.com&gt; wrote: Now, there's a second problem with reading everything from the ESP - it's slow for two reasons. First, because read speeds when going through the firmware are much slower than the Linux NVMe stack. And second, because we have to read everything in order to checksum and verify it. For that reason, Demi's suggestion of moving things onto a dm-verity protected partition is intriguing. Could that even be a loopback file on the ESP? It would be like a lazy-read system extension. The performance geek in me thinks "we could see exciting speedups from that!" - the practical side of me thinks "it might be a few second faster. And much more complex! Let's just go with efifb, keep the initramfs small, and accept any minor regressions". GRUB doesn't support dm-verity, but I don't know if it would make a difference if it did. Once the kernel has the ability to interact with physical storage, understand partitions, initialize dm-verity, and read a file systemt... it could just mount `/` . I think the only way the current initial root file system works with the kernel is for the bootloader to read an entire initrd file into RAM, and then the kernel can randomly access things in that RAM disk.

It's early still for UKI details but I assume we will need both a universal UKI (all use cases), and much smaller use case focused UKIs. I say that because the desktops in the default installation configuration are the largest single use case. With Btrfs built-into the kernel, we don't need that much in the initrd to setup block devices, discover their contents, and perform switch root. The next most common use case(s), device-mapper and md based, require a pile of user space programs running to do all the work setting things up. Maybe we can just get away with two images, a simple fast one and the universal.

On Wed, May 10, 2023 at 5:34 PM Chris Murphy <lists(a)colorremedies.com&gt; wrote: > __ > > > On Wed, May 10, 2023, at 2:24 PM, Owen Taylor wrote: >> >> >> On Wed, May 10, 2023 at 12:02 PM Neal Gompa <ngompa13(a)gmail.com&gt; wrote: >>> >> Now, there's a second problem with reading everything from the ESP - it's slow for two reasons. First, because read speeds when going through the firmware are much slower than the Linux NVMe stack. And second, because we have to read everything in order to checksum and verify it. >> >> For that reason, Demi's suggestion of moving things onto a dm-verity protected partition is intriguing. Could that even be a loopback file on the ESP? It would be like a lazy-read system extension. >> >> The performance geek in me thinks "we could see exciting speedups from that!" - the practical side of me thinks "it might be a few second faster. And much more complex! Let's just go with efifb, keep the initramfs small, and accept any minor regressions". > > GRUB doesn't support dm-verity, but I don't know if it would make a difference if it did. Once the kernel has the ability to interact with physical storage, understand partitions, initialize dm-verity, and read a file systemt... it could just mount `/` . I think the only way the current initial root file system works with the kernel is for the bootloader to read an entire initrd file into RAM, and then the kernel can randomly access things in that RAM disk. In this idea, the dm-verity parition/file would only be accessed from the initrd, once we have enough kernel to ability to interact with physical storage, understand partitions, initialize dm-verity, and read *a* partition, but potentially not enough to read from a bluetooth keyboard, show a graphical prompt, mount / from the network, etc. What dm-verity provides here is a way to trust content without requiring it to be read ahead of time, checksumed, signature checked and put into ram. To be clear, I don't think this is necessarily the right way to go - I think using efifb, not prompting for a passphrase when possible, etc, are simpler approaches.

> > It's early still for UKI details but I assume we will need both a universal UKI (all use cases), and much smaller use case focused UKIs. I say that because the desktops in the default installation configuration are the largest single use case. With Btrfs built-into the kernel, we don't need that much in the initrd to setup block devices, discover their contents, and perform switch root. > > The next most common use case(s), device-mapper and md based, require a pile of user space programs running to do all the work setting things up. Maybe we can just get away with two images, a simple fast one and the universal. The elephant in the room is whether the "desktops in the default installation" UKI requires piles of graphics firmware. It might not be at all small in that case.

On Wed, May 10, 2023 at 11:12 AM Simo Sorce <simo(a)redhat.com&gt; wrote: > > On Tue, 2023-05-09 at 12:37 -0400, Neal Gompa wrote: > > On Tue, May 9, 2023 at 12:31 PM Lennart Poettering <mzerqung(a)0pointer.de&gt; wrote: > > > > > > On Di, 09.05.23 08:22, Neal Gompa (ngompa13(a)gmail.com) wrote: > > > > > > > I've been asked to consider converting /boot to a Btrfs subvolume so > > > > that it no longer has a fixed space allocation to deal with the ever > > > > increasing amount of firmware required for NVIDIA GPUs[1]. This is > > > > currently incompatible with how systemd views the world, because the > > > > "discoverable partition spec" is wired to partitions, and there is no > > > > equivalent spec for subvolumes of a volume. And I imagine that > > > > XBOOTLDR (whatever that is) also would have a problem with this. > > > > > > This makese no sense. If you want /boot to just be a subvolume of the > > > rootfs btrfs, then this would imply it's also covered by the same > > > security choices, i.e. encryption. We want to bind that sooner or > > > later to things like TPM2, FIDO2, PKCS11. And that's simply not > > > feasible from a boot loader environment. > > > > > > Hence, the place the kernel is loaded from (regardless if you call it > > > /efi or /boot or /boot/efi, and regardless what fs it is) must be > > > accessible from the boot loader easily, without requiring > > > implementation of TPM2/FIDO2/PKCS11 hookup in the boot loader. > > > > > > Hence: btrfs subvols won't work for this > > > > If we're not using LUKS for encryption, then this is not a problem. > > We're generally looking toward encrypting subvolumes individually > > using the upcoming Btrfs native encryption capability rather than > > using LUKS. That allows us to > > > > 1. Pick which subvolumes are encrypted > > 2. Pick the security binding method per subvolume > > > > For example, the root and home subvolumes would use TPM or some other > > non-interactive binding. The user subvolume in home would decrypt with > > user login. > > Neal, > I think you are barking up the wrong tree here. > > The design of the boot loader *nedds* to be simple. > > Simple means, VFAT and *no trust* in the filesystem, individual files > are signed and verified. > Only the bare minimum *necessary* is in the boot partition, which means > kernel images and the bare minimum init image needed to unlock and > mount the root partition. > > There is no point in building a more complex system than that and load > tons of garbage drivers in the EFI. > > Booting is a staged system, and should be kept as simple as possible to > avoid duplication (which means subtle bugs and a ton of maintenance > overhead). > This proposal isn't better. Neither Windows nor macOS put critical operating system code in the ESP, and we shouldn't either. But you want to put kernels in the ESP? That's the wrong approach too. As soon as you throw UKIs in the mix, you've completely broken that because now the absolutely most valuable code for your system is in a "hostile" environment. At least we can make /boot authenticated and tamper resistant as a Btrfs subvolume.

I would rather have a multi-stage boot process, where the first stage does just enough to unlock and load the OS volume to load the real boot environment.

> This makese no sense. If you want /boot to just be a subvolume of the > rootfs btrfs, then this would imply it's also covered by the same > security choices, i.e. encryption. We want to bind that sooner or > later to things like TPM2, FIDO2, PKCS11. And that's simply not > feasible from a boot loader environment. Windows and macOS do this, so it is feasible, the question is what are the consequences of this and are we willing to live with them?

One obvious consequence, it further creates dependency on a single bootloader, GRUB. Or we need an independent project that provides an EFI program for unlocking LUKS volumes within the pre-boot environment, thus making plaintext view available to any bootloader.

> Hence, the place the kernel is loaded from (regardless if you call > it /efi or /boot or /boot/efi, and regardless what fs it is) must > be accessible from the boot loader easily, without requiring > implementation of TPM2/FIDO2/PKCS11 hookup in the boot loader. I understand that might be difficult and something we don't want to do for resource reasons, but there isn't a technical impediment for it.

FAT isn't resizable. The growth requirement for /boot is greater for some use cases more than others, so there is pressure building because it will create waste for some use cases and underprovisioning in other use cases. Those unverprovisioned being told they can't upgrade but need to reprovision to solve this is kindof annoying.

Right. Hence Linux Boot. Dump all the toy drivers in favor of real ones. And a real user space.

Hi, > > And install kernels to /boot/efi in case /boot is not a XBOOTLDR > > filesystem? > > If /boot is not a XBOOTLDR, then we only have one file system which is > the ESP. It could be mounted on /boot or on /efi or maybe even /boot/efi (*). > The kernels would then go to /boot/EFI/Linux, /efi/EFI/Linux, or /boot/efi/EFI/Linux, > respectively. (When you write /boot/efi, it's not clear what exactly you > mean. The duplication of "efi" and "EFI" on on case-insensitive system > is confusing.) I meant ESP mounted at /boot/efi (and therefore UKIs in /boot/efi/EFI/Linux).

> (*) This is actually something that'd need to be figure out. > /boot/efi is the worst choice; either /boot or /efi would be OK, > but something needs to be chosen. /boot/efi is clearly not ideal for a number of reasons, but this is what we have today and changing this opens up another can of worms. For starters this will stop working: # rpm -ql shim-x64 /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/fedora/BOOTX64.CSV

If we are going to change this the only option which makes sense to me is to go for the systemd default: ESP (if present) mounted at /efi, XBOOTLDR (if present) mounted at /boot.

the ESP. It could be mounted on /boot or on /efi or maybe even /boot/efi (*). The kernels would then go to /boot/EFI/Linux, /efi/EFI/Linux, or /boot/efi/EFI/Linux, respectively. (When you write /boot/efi, it's not clear what exactly you mean. The duplication of "efi" and "EFI" on on case-insensitive system is confusing.) (*) This is actually something that'd need to be figure out. /boot/efi is the worst choice; either /boot or /efi would be OK, but something needs to be chosen.

What about the increasing growth in linux-firmware and in particular the NVIDIA firmware requirements? My reading suggests it's significant and the future growth also significant.

On Tue, May 09, 2023 at 01:31:01PM -0500, Chris Adams wrote: > Once upon a time, Chris Murphy <lists(a)colorremedies.com&gt; said: >> What about the increasing growth in linux-firmware and in particular the NVIDIA firmware requirements? My reading suggests it's significant and the future growth also significant. > > Could we use a dumb framebuffer in initrd and get rid of all the GPU > firmware from the image? Maybe, probably, who knows… But it's not just the video. The pressure to add more stuff and more drivers will only grow: bluetooth for keyboards and FIDO2, sound support for voice assistance, network for remote attestation or clevis, etc. We can push this can down the road, but it seems we need to be ready to add move stuff before root is available anyway. Zbyszek

On Tue, May 9, 2023, at 2:47 PM, Zbigniew Jędrzejewski-Szmek wrote: > On Tue, May 09, 2023 at 01:31:01PM -0500, Chris Adams wrote: >> Once upon a time, Chris Murphy <lists(a)colorremedies.com&gt; said: >> > What about the increasing growth in linux-firmware and in particular the NVIDIA firmware requirements? My reading suggests it's significant and the future growth also significant. >> >> Could we use a dumb framebuffer in initrd and get rid of all the GPU >> firmware from the image? > > Maybe, probably, who knows… But it's not just the video. The pressure > to add more stuff and more drivers will only grow: bluetooth for keyboards > and FIDO2, sound support for voice assistance, network for remote attestation > or clevis, etc. We can push this can down the road, but it seems we need > to be ready to add move stuff before root is available anyway. I still think we need less kernel and initramfs in order to get more by having `/` available faster. Fast enough that the user isn't looking for or expecting interactivity in the few seconds it should take to get to `/` being mounted.

Once upon a time, Chris Murphy <lists(a)colorremedies.com&gt; said: > What about the increasing growth in linux-firmware and in particular the NVIDIA firmware requirements? My reading suggests it's significant and the future growth also significant. Could we use a dumb framebuffer in initrd and get rid of all the GPU firmware from the image?

On Tue, 9 May 2023 at 10:22, Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; wrote: > This is both too much and not enough. Right; and I think a different Fedora feature proposal would be a good idea for the version of Fedora when we switch to UKIs. Where we can just have /boot/efi and not /boot -- but that's not what this proposal is about. This is primarily to keep firmware updates working, and as a secondary measure maybe more people can test UKIs. I don't want this simple feature of "unbreak future firmware updates" to become "completely rework how we boot the system". > (Point 2. is not really *necessary* for the size changes, but it'd be > nice to get rid of this anachronism if this area is being touched.) I think that's fine -- but I don't think the onus should be on me to push it through. Like I said to Lennart, if you want to do a Fedora proposal to rework all this stuff to remove /boot that's fine, but please don't hijack this one and make me responsible for doing the work.

On Wed, 10 May 2023 at 11:55, Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; wrote: > Especially not by making some small change contingent on moonshot proposals. > But I think that a) the current proposal is just a band-aid, and > b) to make things better we don't need to make huge changes. Okay, please open a _new_ change proposal with what you want to happen: expanding the scope like you suggest feels like me getting tricked to work on your much bigger change that's not terribly well-defined or tested. > ...Anaconda needs to *lose* a feature where it > refuses VFAT for /boot [1], the various places which create partitions > need to be modified to inject the right partition-type UUID instead of > made-up one, and instead of creating two partitions with different fs > types, create just one. None of this is rocket science. Perhaps you'd like to push this feature. I'd happily retract my smaller proposal if you've got patches ready for anaconda, have tested this on all platforms, and have all the votes.

> == Summary == > > This change will increase the minimum size of the ESP to be 500MB, > which is also the same value used by Microsoft for Windows 10 and > newer. This is both too much and not enough. Essentially, this grows the ESP, but also leaves the XBOOTLDR partition large. Overall, the users pays twice, and on some systems 1.5GB is not insignificant. OTOH, 500 or 512 MB seems not enough: three big UKIs and a rescue kernel and and some Windows blobs and a firmware update would likely overflow. If we want to change the default here, let's do some proper cleanup: 1. the split between ESP and XBOOTLDR is only useful in the case where ESP already existed and was small. If the installer is *creating* an ESP, it should just make it large enough. 2. having a second partition with a second (different) file system implementation just increases the footprint and attack surface for no gain. If we create XBOOTLDR, make it like the ESP (i.e. VFAT in almost all realistic scenarios). 3. if there are bootloaders that don't read one or the other partition as they should, fix them. Then we can make the ESP 1 GB *and* save space compared to current defaults. (Point 2. is not really *necessary* for the size changes, but it'd be nice to get rid of this anachronism if this area is being touched.)

On Tue, 2023-05-09 at 18:32 +0200, Lennart Poettering wrote: It sounds reasonable for sure. The only concern is, given Microsoft creates at most 500MB ESP partitions, are we sure all UEFI systems out there will not choke on a 1GB one? Can't we reduce the number of kernels by having *only* one UKI and a rescue one that can be used to restore the previous working UKI from /root if the active one fails? Or perhaps just have always 2 UKI (current, and former working). Do we actually need a separate dedicated rescue UKI? Can't rescue be implemented by booting the previously working UKI with a "rescue" command line option ?

If the idea to allow a UKI to contain multiple alternate, signed, cmdline line profiles gets accepted

On Wed, May 10, 2023 at 03:52:51PM -0000, Luca Boccassi wrote: If the idea to allow a UKI to contain multiple alternate, signed, cmdline line profiles gets accepted [1], then a "rescue" image won't neccessarily need to be a separate image anymore. There could just be an alternative cmdline that caused the initrd to launch in a "rescue" / "safe" mode, and that would be nicely complemented by an A/B scheme to cope with bad kernel upgrades. With regards, Daniel [1] https://github.com/systemd/systemd/issues/24539

At least in the upstream kiwi project, we encountered problems making bigger ESPs because not all UEFI implementations handle FAT32 (despite it being part of the spec). In particular, there were a few server boards and especially AWS EC2 that couldn't handle it.

On Wed, May 10, 2023 at 11:54:50AM -0400, Neal Gompa wrote: > On Wed, May 10, 2023 at 11:21 AM Simo Sorce <simo(a)redhat.com&gt; wrote: > > > > On Tue, 2023-05-09 at 18:32 +0200, Lennart Poettering wrote: > > > On Di, 09.05.23 09:20, Zbigniew Jędrzejewski-Szmek (zbyszek(a)in.waw.pl) wrote: > > > > > > > > == Summary == > > > > > > > > > > This change will increase the minimum size of the ESP to be 500MB, > > > > > which is also the same value used by Microsoft for Windows 10 and > > > > > newer. > > > > > > > > This is both too much and not enough. Essentially, this grows the ESP, > > > > but also leaves the XBOOTLDR partition large. Overall, the users pays > > > > twice, and on some systems 1.5GB is not insignificant. OTOH, 500 or > > > > 512 MB seems not enough: three big UKIs and a rescue kernel and and > > > > some Windows blobs and a firmware update would likely overflow. > > > > > > > > If we want to change the default here, let's do some proper cleanup: > > > > 1. the split between ESP and XBOOTLDR is only useful in the case where > > > > ESP already existed and was small. If the installer is *creating* > > > > an ESP, it should just make it large enough. > > > > 2. having a second partition with a second (different) file system > > > > implementation just increases the footprint and attack surface for > > > > no gain. If we create XBOOTLDR, make it like the ESP (i.e. VFAT > > > > in almost all realistic scenarios). > > > > 3. if there are bootloaders that don't read one or the other partition > > > > as they should, fix them. > > > > > > > > Then we can make the ESP 1 GB *and* save space compared to current > > > > defaults. > > > > > > > > (Point 2. is not really *necessary* for the size changes, but it'd be > > > > nice to get rid of this anachronism if this area is being touched.) > > > > > > I guess this might not be surprising, but this proposal makes a ton of > > > sense to me and has my full support, FWTW > > > > It sounds reasonable for sure. > > The only concern is, given Microsoft creates at most 500MB ESP > > partitions, are we sure all UEFI systems out there will not choke on a > > 1GB one? > > > > Can't we reduce the number of kernels by having *only* one UKI and a > > rescue one that can be used to restore the previous working UKI from > > /root if the active one fails? > > At least in the upstream kiwi project, we encountered problems making > bigger ESPs because not all UEFI implementations handle FAT32 (despite > it being part of the spec). In particular, there were a few server > boards and especially AWS EC2 that couldn't handle it. > > Reference: https://github.com/OSInside/kiwi/commit/4b17aaa8b545260bf26ab081d10dfb6a6... Are there any more details about this? This commit just does a revert and doesn't reference any discussion.

On Mi, 10.05.23 11:20, Simo Sorce (simo(a)redhat.com) wrote: > It sounds reasonable for sure. > The only concern is, given Microsoft creates at most 500MB ESP > partitions, are we sure all UEFI systems out there will not choke on a > 1GB one? Well, I don't really think we have a reason to believe that a 1G ESP was any more problematic than a 0.1G ESP. I am not aware of any reports, and given that FAT32 is mandated by UEFI since basically always, I think there's no immediate reason to believe we are in trouble. I think the only reasonable approach here is to pick a larger default in a development distro, and collect feedback. > Can't we reduce the number of kernels by having *only* one UKI and a > rescue one that can be used to restore the previous working UKI from > /root if the active one fails? I'd kill the rescue concept as a separate kernel. Pre-compiled UKIs provided by Fedora should be comprehensive and suitable enough to be rescue images, I don't see why we need a second version of that. The only difference between a rescue boot and a regular boot should be one of parameterization, not of picking different kernel.

Lennart -- Lennart Poettering, Berlin _______________________________________________ devel mailing list -- devel(a)lists.fedoraproject.org To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

On Mon, Apr 24, 2023, at 12:15 PM, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/BiggerESP > This change will increase the minimum size of the ESP to be 500MB, > which is also the same value used by Microsoft for Windows 10 and > newer. Issue 1: Currently anaconda calls mkdosfs on the ESP without any options and historically are reluctant to add non-default mkfs options. By default, mkdosfs will create a FAT 16 file system on a 500M (either SI or IEC units). The UEFI spec clearly prefers FAT 32 for the ESP on built-in drives. To my knowledge there haven't been any FAT 16 related bugs reported during the many years Fedora created FAT 16 ESPs. But it's probably better to create it as FAT 32. I don't know where the cutoff is in the mkdosfs code, but a 512MiB (IEC units) does result in a FAT 32 file system. So you might make it 512MiB. Issue 2: Last I checked (about 12 months ago), Windows 10 and 11 images from microsoft.com were still creating ~99M (I forget which units, and it may have been 100). That's consistent with: https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/co... "The minimum size of this partition is 100 MB, and must be formatted using the FAT32 file format." So I'm not sure if Microsoft got the memo, and it's actually vendors' OEM images that are using large ESP size?