* boot: added function to set EFI variables
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: renamed trustedShimFallbackBinary to seedShimPath
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: refactored setting EFI boot variables at install
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: adjusted variable names and fixed variable initialization
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: improve setting Boot#### EFI variable
Notably, splits off the process of reading a Boot#### variable and
extracting its DevicePath into its own function `readBootVariable` which
can be mocked and otherwise simplifies the `setBootNumberVariable`
function.
Also, fixes behavior around the final BootFFFF variable. Previously, it
was not possible to select the BootFFFF variable if it was unused, due
to overflow concerns on uint16. Now, the behavior around BootFFFF is
identical to that of any other boot variable, by using an int internally
instead of uint16, which also allows a more robust check for whether
there were no matching variables.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: added unit tests for setting EFI Boot#### variable
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: refactored setting EFI boot variables
Rewrote EFI boot variable functions to more closely match the behavior
of shim fallback: https://github.com/rhboot/shim/blob/main/fallback.c
In particular, the following have changed:
1. Existing Boot#### variables must fully match the new load option to
be considered a match. In particular, the load option attributes,
label, and device path must all be byte-for-byte identical.
Previously, only the device paths were compared.
2. Matching Boot#### variables are no longer overwritten. Since the
variable data must now byte-for-byte match the new load option, there
is no need to overwrite the existing variable.
3. Since existing Boot#### variables are no longer overwritten, the
variable attributes are no longer checked for those variables.
Instead, it is assumed that the Boot#### variable attributes are
viable for it to be used as a boot option. This matches the behavior
of `rhboot/shim/fallback.c`, for better or for worse.
4. When modifying the BootOrder variable, boot option numbers are no
longer pruned if there is no matching Boot#### variable.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot,bootloader: introduce UefiBootloader to build EFI load options
Previously, the path of the shim binary relative to the EFI partition
was passed into `SetEfiBootVariables`. However, different bootloaders
may wish to set up `OptionalData` in the load option.
Additionally, not all `TrustedAssetBootloaders` will attempt to set
EFI boot variables, and not all bootloaders which should set EFI boot
variables necessarily support secure boot. Thus, these should be
decoupled.
This commit adds a new `UefiBootloader` interface with the
`ConstructShimEfiLoadOption` method, which builds an EFI load option
from the shim path for the given bootloader.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot,bootloader: fixed linting errors and improved EFI boot variable test clarity
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
bootloader: improved unit test for grub EFI load option creation
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: set EFI boot variables in `MakeRunnableSystem`
Previously, attempted to set boot variables in
`MakeRecoverySystemBootable`, which is called by `MakeBootableImage`,
which is called when building the image file, rather than during install
mode.
`MakeRunnableSystem` is called on first boot during install mode, and
thus should be responsible for setting EFI boot variables.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: use seed bootloader when setting EFI variables
In install mode, the bootloader located in ubuntu-seed should be used
when setting the EFI boot variables. Previously, the bootloader in
ubuntu-boot was accidentally re-used.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: added simple test to execute setefibootvar.go code
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: fixed standalone set EFI vars code test to work with different layouts
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: moved simple setefibootvar.go check to nested test
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: added check for idempotence when setting EFI boot variables
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
bootloader: adjust comments, organization, and add TODO
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot,bootloader: fix setting EFI boot variables
Make function to search for EFI asset device path and construct load
option common so each UefiBootloader does not have to re-implement it.
Instead, the bootloader returns the description, asset file path, and
optional data, which can then be used to create the EFI load option.
Also, in `makeRunnableSystem`, the bootloader in ubuntu-seed must have
`NoSlashBoot` in order to correctly find the grub.cfg file and thus the
grub bootloader. This commit fixes this bug, and refactors a bit to
account for the changes in responsibilities between the bootloader and
the setefibootvars.go code.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
bootloader: fixed grub EFI load option test with tmp rootdir
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
go.mod: move golang.org/x/text import next to other golang.org/x/ imports
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: adjust opts to look for recovery bootloader when setting EFI variables
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: do not overwrite BootOrder if unchanged, and unexport EFI variable helper functions
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: unexport `setEfiBootOrderVariable`
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: move code to detect bootloader and set EFI variables accordingly into dedicated function
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: unexport `setUbuntuSeedEfiBootVariables` and accompanying error
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot,bootloader: ensure nil optionalData for EFI variable is equivalent to 0-length slice
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: handle empty boot order and other boot var improvements
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
boot: make setefibootvars functions linux-only
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* tests: add nested spread test for setting EFI vars
The test checks that EFI boot variables exist for the following:
1. A Boot#### variable pointing to the shim file path.
2. A BootOrder variable with the #### from the above Boot#### as first.
Since the layout of EFI assets is dependent on the gadget snap, the test
downloads and unpacks the gadget, then modifies the contents so that one
variant has the shim and grub binaries in `EFI/boot/` and another
variant has the shim and grub binaries in `EFI/ubuntu/` and the fallback
binary in `EFI/boot/`.
After building a core image around that modified gadget, the VM is
booted and the test checks that the EFI variables are set correctly.
Then, the test modifies the gadget to match the other variant's initial
layout, and then installs the newly modified gadget. This should trigger
re-setting EFI boot variables as well.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: fix problems in spread test for setting EFI boot variables
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: disabled TPM on EFI boot vars test and separated gadget script
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: fixed EFI vars test to use correct toolbox and include all EFI assets
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: modify-gadget.sh re-use existing gadget so edition is incremented
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: fix mangled EFI var search string and other improvements
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
tests: polish tests for setting EFI boot variables
Notably, allow tests/nested/core/core20-set-efi-boot-variables to run on
arm64 as well as amd64, simplify setefivars.go to search for multiple
assets on multiple architectures, and allow
tests/nested/manual/core20-set-efi-boot-vars to run on any ubuntu-2*.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* bootloader/grub.go: only consider new shim asset in boot entry for now
* tests/nested/core/core20-set-efi-boot-variables: fix details
* boot: update uefi variables on gadget update
* tests/nested/manual/core20-set-efi-boot-vars: work-around file not deleted
* tests/nested/manual/core20-set-efi-boot-vars: use fb.efi like other tests
* tests/nested/manual/core20-set-efi-boot-vars: drop use of toolbox snap
* tests/nested/manual/core20-set-efi-boot-vars: drop work-around for not deleted files
* tests/nested/manual/core20-set-efi-boot-vars: verify install does add a boot entry
* tests/nested/manual/core20-set-efi-boot-vars: run only on version that have UC
* tests/nested/manual/core20-set-efi-boot-vars: obey GADGET_CHANNEL
* tests/nested/manual/core20-set-efi-boot-vars: move get_boot_entry.py to libs
* tests/nested/manual/core20-set-efi-boot-vars: factorize copy of variables
... so we can reuse the script in other tests
* tests/nested/core/core20-set-efi-boot-variables: stop using toolbox snap
* tests/nested/core/core20-set-efi-boot-variables: only run on versions with UC available
* overlord/devicestate: test using EfiLoadOptionParameters
* boot: test that variables are set
* boot: test observers' UpdateBootEntry
* tests/nested/manual/core20-set-efi-boot-vars: also test without secure boot
* many: use trusted install observer when UEFI variables are supported
* boot/makebootable.go: rename sealer to observer
* boot/grub.go: fix function name in doc
* cmd/snap-bootstrap: verify that ObserveExistingTrustedRecoveryAssets is called
* boot: add tests for SetEfiBootVariables
* many: comment on calls to ObserveExistingTrustedRecoveryAssets
---------
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Co-authored-by: Oliver Calder <oliver.calder@canonical.com>
We need to resolve the boot chains another place based on the trusted
assets we encountered to be installed. At this point it could be any chain.
We will need to discover later what the correct chain is.
Also make TrustedAssets return an unsorted data structure to make sure
we do not use the order like the comments claimed.
We know what are the default the default command line so that we can
compute measurement, so there is not much reason to use
`snapd_extra_cmdline_args`. Always using `snapd_full_cmdline_args`
will allow us to filter part of the default command line.
There is a potential bug when filtering all arguments, `grub.cfg` will
just revert to the all the default. We will need to fix it when we
introduce the filtering.
Implement RestartParameters which helps keeping track of tasks that needs to restart and why for a change. It also adds the new logic for performing deferred restarts.
Go 1.19 includes some changes to gofmt which intend to make lists and
heading clearer when rendered (https://go.dev/doc/go1.19). This commit
is the result of running the new gofmt and manually fixing some of it.
This was necessary because the new gofmt assumed lines beginning w/ tabs
to start lists or examples. While this is often true in our codebase,
we occasionally also use tabs to indent the lines after a TODO or FIXME
prefix or in yaml (e.g., excerpts of a snap.yaml). This meant that a lot of the
reformatted comments were broken and had to be fixed manually.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
This new interface is needed by piboot for the moment, and makes sure
that we do not reconfigure the bootloader while changing the
environment file from the initramfs.
Add support for the official RPi bootloader, so we can use it instead
of RPi's U-Boot port. The U-Boot port is a community effort, so it has
a series of problems, like:
1. It takes some time until it gets ported when a new RPi model
appears in the market
2. It lacks support for USB drivers so USB is not possible
This commit makes it possible to use RPi bootloader, however there are
some limitations that cannot be directly solved as this firmware is
closed source:
1. We can cold-boot only from the first partition in the disk. This
implies that we need to write boot assets to the ubuntu-seed
partition instead of to ubuntu-boot.
2. The OS updates mechanism depends on a volatile flag that gets
removed in cold boots. That makes it not possible to distinguish
sometimes between failed updates and having power-cycled a device
before really trying a pending update.
3. There is no scripting language for the RPi bootloader. The only
way to influence its behavior is by changes to the
{config,tryboot}.txt files.
The implementation leverages the os_prefix [1] setting in the
bootloader configuration files to select the
kernel/initramfs/dtb/dtbos/cmdline to use in the next
boot. Environment is stored in key=value pairs in text files that are
translated to bootloader configuration when needed (a new kernel is
installed, the run mode changes, etc.). To be able to try new kernels,
fail-safe OS updates are used [2].
[1] https://www.raspberrypi.com/documentation/computers/config_txt.html#os_prefix
[2] https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#fail-safe-os-updates-tryboot
Introduce a structure for passing components of kernel command line. Extend the
structure with a field to carry the full set of arguments. Introduce support in
grub.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
This is not used anywhere anymore, so let's just drop it. If we need it again,
we can bring it back.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
bootloader/many: rm ConfigFile, add Present for indicating presence of bloader
Now we have a specific method on the Bootloader interface which tells Find()
whether the specific bootloader is actually present on the current system. This
will simplify future bootloader implementations to be able to return errors when
identifying if a bootloader is present on the system is more complicated a
question than just if the config file for that bootloader exists.
This is required for the UC20 lk bootloader work, where the Present() implementation will be more complicated than just whether a file exists.
This is simpler and avoids from having to maintain the list of names of
bootloaders in three locations, one in the bootloader implementation itself, one
in the gadget.yaml bootloader setting, and one in Find(). Now we just have the
bootloader implementation and the gadget.yaml validator.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Indicate when the bootloader boot config was updated. This allows the callers to
take a better decision as to whether an update or some other action is required.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Now we have a specific method on the Bootloader interface which tells Find()
whether the specific bootloader is actually present on the current system. This
will simplify future bootloader implementations to be able to return errors when
identifying if a bootloader is present on the system is more complicated a
question than just if the config file for that bootloader exists.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
