kiwi creates /boot/efi/EFI/BOOT/grubx64.efi which is not owned by any package #2553

Open
sbraz opened this issue May 24, 2024 · 3 comments

sbraz commented May 24, 2024

Problem description

Hi,
We recently noticed that official Rocky Linux 9.4 images include additional files compared to 9.3:

/boot/efi/EFI/BOOT/grub.cfg
/boot/efi/EFI/BOOT/grubx64.efi
/boot/efi/EFI/BOOT/mmx64.efi

These files do not belong to any package and this is a problem because /boot/efi/EFI/BOOT/grub.cfg does not get updated (unlike /boot/efi/EFI/rocky/grub.cfg whose update is triggered by grub2-common's posttrans). This means that, if the UUID of the boot partition is changed, nothing will update its value in /boot/efi/EFI/BOOT/grub.cfg, making the system unbootable. I also believe that /boot/efi/EFI/BOOT/grubx64.efi will never be updated either, which poses a security risk.

@nazunalika explained that these files are created by kiwi and pointed me to this line which seems to handle the creation of /boot/efi/EFI/BOOT/grub.cfg:

def _copy_grub_config_to_efi_path(

I am also seeing the same thing on Fedora 40 images.

Could you please explain what the purpose of these files is? I can understand the need for a default bootloader file (/boot/efi/EFI/BOOT/BOOTX64.EFI) but /boot/efi/EFI/BOOT/grubx64.efi does not look like a special path to me.

Expected behaviour

Additional EFI files which do not belong to a package should not be created, or there should be a way to disable their creation.

Steps to reproduce the behaviour

I do not know the specifics of how the Rocky Linux or Fedora images are created.

OS and Software information

Same answer as above.

  • KIWI version:
  • Operating system host version:
  • Operating system target version:
  • Open Build Service version (N/A if not using OBS):
  • Koji version (N/A if not using Koji):
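
One way to audit an installed image for the condition this issue describes, as an added example that is not part of the original post or of kiwi: it walks an ESP tree and prints every file that `rpm -qf` reports as unowned, which are the files no package update will refresh. The `unowned_files` function and the `OWNER_QUERY` and `ESP_DIR` variables are names made up for this example.

```shell
#!/bin/sh
# Added example: list files under an EFI System Partition tree that no
# installed package owns (so no package update will ever refresh them).
# OWNER_QUERY is an assumption of this example: the command used to ask the
# package database who owns a path. "rpm -qf" exits non-zero for unowned files.
: "${OWNER_QUERY:=rpm -qf}"

# Print every regular file below $1 that the package database does not own.
# Returns 0 if all files are owned, 1 if at least one is unowned, 2 on bad input.
unowned_files() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    # A temp file avoids a pipeline subshell, so $found survives the loop.
    list=$(mktemp) || return 2
    find "$dir" -type f | LC_ALL=C sort > "$list"
    while IFS= read -r f; do
        # OWNER_QUERY is deliberately unquoted so "rpm -qf" splits into words.
        if ! $OWNER_QUERY "$f" >/dev/null 2>&1; then
            printf '%s\n' "$f"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Run against a real ESP only when asked, e.g.:
#   ESP_DIR=/boot/efi/EFI sh this-script.sh
if [ -n "${ESP_DIR:-}" ]; then
    unowned_files "$ESP_DIR"
fi
```

A non-zero exit status makes the check usable as a gate in an image build or compliance pipeline.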

NeilHanlon commented May 24, 2024

Steps to reproduce

  1. git clone --branch fresh-empanadas https://git.resf.org/sig_core/toolkit.git
  2. pushd toolkit/iso/empanadas && poetry install
  3. poetry run build-image --version 9 --type GenericCloud --variant Base --debug

(last step will check out the rocky kiwi descriptions as well as the mock config needed into /tmp)

OS and Software information

KIWI version: 10.0.16
Operating system host version: Rocky Linux 9 (via mock)
Operating system target version: Rocky Linux 9.4
Open Build Service version (N/A if not using OBS): N/A
Koji version (N/A if not using Koji): N/A

sbraz commented Dec 2, 2024

Hi @NeilHanlon, I just noticed the latest Rocky Linux 9.5 image no longer has these files. I don't remember how you handled this. Did you add something to manually remove them?

NeilHanlon commented Dec 6, 2024

@sbraz I believe we pulled this patch into our build of kiwi -- https://git.rockylinux.org/sig/core/src/kiwi/-/blob/r9/SOURCES/0001-Ensure-BOOT-does-not-contain-erroneous-data.patch?ref_type=heads
