Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UEFI bootloader updates seem broken #297

Open
ArrayBolt3 opened this issue Dec 23, 2024 · 2 comments · May be fixed by #299
Open

UEFI bootloader updates seem broken #297

ArrayBolt3 opened this issue Dec 23, 2024 · 2 comments · May be fixed by #299
Labels
help wanted upstream

Comments

@ArrayBolt3
Copy link

grml-debootstrap currently installs grub-efi-amd64-signed when building an image with EFI boot support. However, it does not install grub-efi-amd64 itself, which means that the actual GRUB installation won't be updated when the GRUB package is updated. As the grub-efi-amd64-bin package description warns:

 This package contains GRUB modules that have been built for use with the
 EFI-AMD64 architecture, as used by Intel Macs (unless a BIOS interface has
 been activated).  It can be installed in parallel with other flavours, but
 will not automatically install GRUB as the active boot loader nor
 automatically update grub.cfg on upgrade unless grub-efi-amd64 is also
 installed.

grub-pc, on the other hand, is installed by default, which means that the BIOS bootloader will be updated properly. Sadly grub-pc and grub-efi-amd64 can't be installed at the same time, so you can't have both bootloaders be continuously updated. Of the two, I'd argue the UEFI bootloader is the more important one to keep continuously up-to-date, because it's the one that has Secure Boot implications, while grub-pc doesn't.

Furthermore, while grml-debootstrap installs the bootloader to the removable media location by default using the --removable switch, the grub2/force_efi_extra_removable debconf variable isn't being set. This means that even if grub-efi-amd64 is installed, the fallback bootloader won't be updated when GRUB updates, potentially leaving security issues.

(Note: This isn't an issue that can be solved entirely in grml-debootstrap. In my testing, even installing grub-efi-amd64 and setting the debconf variable correctly wasn't working to get UEFI bootloader updates to work on an image built with grml-debootstrap. I don't understand why, but suspect it may be a bug in Debian's grub-efi-amd64.postinst script.)
@zeha
Copy link
Member

zeha commented Jan 2, 2025

We should see what is actually a bug in grml-debootstrap and whats an Debian issue.

@ArrayBolt3
Copy link
Author

I've determined that there is not actually a Debian bug here. grub-efi-amd64's postinst only runs a GRUB installation if the distribution-specific bootloader directory exists. For instance, on Debian, the bootloader will only be installed when configuring grub-efi-amd64 if /boot/efi/EFI/debian exists. If that directory does not exist, the bootloader will not be installed during package configuration, not to the normal path and not to the removable media path.

@ArrayBolt3 ArrayBolt3 linked a pull request Jan 10, 2025 that will close this issue
Open
ArrayBolt3 added a commit to ArrayBolt3/grml-debootstrap that referenced this issue Feb 11, 2025
@ArrayBolt3
Improve hybrid bootloader and arm64 UEFI support
c407ca7 
Previously, it was possible to install both BIOS and UEFI bootloaders
at the same time when creating VM images with grml-debootstrap. In this
setup however, the UEFI bootloader would not be automatically updated,
due to the absence of a grub-efi-ARCH package on the installed system.
It also was not possible to install both bootloaders using
grml-debootstrap on a physical disk, and arm64 VM images could not be
built with full UEFI support as enabled by the --vmefi argument (these
builds would fail).

To rectify these issues:

* Use grub-cloud-amd64 to install both BIOS and UEFI bootloaders and
  manage updates.
* Add support for installing BIOS and UEFI bootloaders simultaneously
  on physical disk installations.
* Get rid of the ARM_EFI_TARGET variable and make ARM64 VM builds use
  VMEFI=1 by default.

Fixes grml#297, grml#257
ArrayBolt3 added a commit to ArrayBolt3/grml-debootstrap that referenced this issue Feb 12, 2025
@ArrayBolt3
Improve hybrid bootloader and arm64 UEFI support
34b42c1 
Previously, it was possible to install both BIOS and UEFI bootloaders
at the same time when creating VM images with grml-debootstrap. In this
setup however, the UEFI bootloader would not be automatically updated,
due to the absence of a grub-efi-ARCH package on the installed system.
It also was not possible to install both bootloaders using
grml-debootstrap on a physical disk, and arm64 VM images could not be
built with full UEFI support as enabled by the --vmefi argument (these
builds would fail).

To rectify these issues:

* Use grub-cloud-amd64 to install both BIOS and UEFI bootloaders and
  manage updates.
* Add support for installing BIOS and UEFI bootloaders simultaneously
  on physical disk installations.
* Get rid of the ARM_EFI_TARGET variable and make ARM64 VM builds use
  VMEFI=1 by default.

Fixes grml#297, grml#257
ArrayBolt3 added a commit to ArrayBolt3/grml-debootstrap that referenced this issue Feb 25, 2025
@ArrayBolt3
Improve hybrid bootloader and arm64 UEFI support
5f5f588 
Previously, it was possible to install both BIOS and UEFI bootloaders
at the same time when creating VM images with grml-debootstrap. In this
setup however, the UEFI bootloader would not be automatically updated,
due to the absence of a grub-efi-ARCH package on the installed system.
It also was not possible to install both bootloaders using
grml-debootstrap on a physical disk, and arm64 VM images could not be
built with full UEFI support as enabled by the --vmefi argument (these
builds would fail).

To rectify these issues:

* Use grub-cloud-amd64 to install both BIOS and UEFI bootloaders and
  manage updates.
* Add support for installing BIOS and UEFI bootloaders simultaneously
  on physical disk installations.
* Get rid of the ARM_EFI_TARGET variable and make ARM64 VM builds use
  VMEFI=1 by default.

Fixes grml#297, grml#257
ArrayBolt3 added a commit to ArrayBolt3/grml-debootstrap that referenced this issue Feb 25, 2025
@ArrayBolt3
Improve hybrid bootloader and arm64 UEFI support
04b3553 
Previously, it was possible to install both BIOS and UEFI bootloaders
at the same time when creating VM images with grml-debootstrap. In this
setup however, the UEFI bootloader would not be automatically updated,
due to the absence of a grub-efi-ARCH package on the installed system.
It also was not possible to install both bootloaders using
grml-debootstrap on a physical disk, and arm64 VM images could not be
built with full UEFI support as enabled by the --vmefi argument (these
builds would fail).

To rectify these issues:

* Use grub-cloud-amd64 to install both BIOS and UEFI bootloaders and
  manage updates.
* Add support for installing BIOS and UEFI bootloaders simultaneously
  on physical disk installations.
* Get rid of the ARM_EFI_TARGET variable and make ARM64 VM builds use
  VMEFI=1 by default.

Fixes grml#297, grml#257
ArrayBolt3 added a commit to ArrayBolt3/grml-debootstrap that referenced this issue Feb 27, 2025
@ArrayBolt3
Improve hybrid bootloader and arm64 UEFI support
8bc6a8b 
Previously, it was possible to install both BIOS and UEFI bootloaders
at the same time when creating VM images with grml-debootstrap. In this
setup however, the UEFI bootloader would not be automatically updated,
due to the absence of a grub-efi-ARCH package on the installed system.
It also was not possible to install both bootloaders using
grml-debootstrap on a physical disk, and arm64 VM images could not be
built with full UEFI support as enabled by the --vmefi argument (these
builds would fail).

To rectify these issues:

* Use grub-cloud-amd64 to install both BIOS and UEFI bootloaders and
  manage updates.
* Add support for installing BIOS and UEFI bootloaders simultaneously
  on physical disk installations.
* Get rid of the ARM_EFI_TARGET variable and make ARM64 VM builds use
  VMEFI=1 by default.

Fixes grml#297, grml#257
ArrayBolt3 added a commit to ArrayBolt3/grml-debootstrap that referenced this issue Feb 27, 2025
@ArrayBolt3
Improve hybrid bootloader and arm64 UEFI support
2891f17 
Previously, it was possible to install both BIOS and UEFI bootloaders
at the same time when creating VM images with grml-debootstrap. In this
setup however, the UEFI bootloader would not be automatically updated,
due to the absence of a grub-efi-ARCH package on the installed system.
It also was not possible to install both bootloaders using
grml-debootstrap on a physical disk, and arm64 VM images could not be
built with full UEFI support as enabled by the --vmefi argument (these
builds would fail).

To rectify these issues:

* Use grub-cloud-amd64 to install both BIOS and UEFI bootloaders and
  manage updates.
* Add support for installing BIOS and UEFI bootloaders simultaneously
  on physical disk installations.
* Get rid of the ARM_EFI_TARGET variable and make ARM64 VM builds use
  VMEFI=1 by default.

Fixes grml#297, grml#257
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted upstream
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make bootloader updates on UEFI-based systems work ArrayBolt3/grml-debootstrap
3 participants
@zeha @mika @ArrayBolt3