Bug 1939317

Summary:	Generated images are not secure-boot capable
Product:	Red Hat OpenStack	Reporter:	Steve Baker <sbaker>
Component:	diskimage-builder	Assignee:	Steve Baker <sbaker>
Status:	CLOSED ERRATA	QA Contact:
Severity:	urgent	Docs Contact:
Priority:	urgent
Version:	16.2 (Train)	CC:	ali, apevec, pbabbar, shrjoshi, spower
Target Milestone:	beta	Keywords:	TestBlocker, Triaged
Target Release:	16.2 (Train on RHEL 8.4)
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	diskimage-builder-3.9.0-2.20210603124809.cb96117.el8ost	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-09-15 07:12:31 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Steve Baker 2021-03-16 03:27:50 UTC

Currently the UEFI boot file /boot/efi/EFI/BOOT/BOOTX64.EFI is generated by running grub2-install, which will boot in UEFI mode, but will never be secure-boot capable.

As of grub2 >= 2.02-95, calling grub2-install
on an EFI partition will fail with: "this utility cannot be used for
EFI platforms because it does not support UEFI Secure Boot."

This version of grub is now in the rhel-8-for-x86_64-baseos-rpms repos. As soon as it is promoted to rhel-8-for-x86_64-baseos-eus-rpms then whole disk image building will break, hence the urgency of this bug.

To avoid this breakage and to make images secure-boot capable, /boot/efi/EFI/BOOT/BOOTX64.EFI needs to be from the packaged shim, and a grub config needs to be generated in /boot/efi/EFI/redhat.

Comment 2 Steve Baker 2021-03-28 22:18:34 UTC

I'm setting this to urgent for 16.2, RHEL-8.4 has grub2 greater than 2.02-92, which no longer allows using grub2-install to install a bootloader for UEFI boot. Without this fix it will not be possible to build overcloud-full UEFI capable whole disk images, the image build command will halt with an error.

Comment 4 Steve Baker 2021-04-09 01:52:35 UTC

This will need a follow-up patch to fix arm image builds, and ensure both efi and legacy grub config files are identical

Comment 5 Ali 2021-04-13 07:36:07 UTC

This doesn't even respect grub2-install's `--force` option ... so basically you've just decided to break all existing installations that don't even use secure boot, overnight ...
at least enable the users to bypass this using grub2-install's `--force` option.

Comment 6 Ali 2021-04-13 07:36:14 UTC

This doesn't even respect grub2-install's `--force` option ... so basically you've just decided to break all existing installations that don't even use secure boot, overnight ...
at least enable the users to bypass this using grub2-install's `--force` option.

Comment 7 Steve Baker 2021-04-13 20:43:41 UTC

(In reply to Ali from comment #6)
> This doesn't even respect grub2-install's `--force` option ... so basically
> you've just decided to break all existing installations that don't even use
> secure boot, overnight ...
> at least enable the users to bypass this using grub2-install's `--force`
> option.

Sorry, can you elaborate how this breaks all existing installations?

Do you mean this diskimage-builder change, or the grub change to no longer support installing grub binaries for UEFI boot loaders?

Comment 8 Ali 2021-04-23 07:17:19 UTC

(In reply to Steve Baker from comment #7)
> (In reply to Ali from comment #6)
> > This doesn't even respect grub2-install's `--force` option ... so basically
> > you've just decided to break all existing installations that don't even use
> > secure boot, overnight ...
> > at least enable the users to bypass this using grub2-install's `--force`
> > option.
> 
> Sorry, can you elaborate how this breaks all existing installations?
> 
> Do you mean this diskimage-builder change, or the grub change to no longer
> support installing grub binaries for UEFI boot loaders?


I'm referring to grub change.
at the very least it should respect the `--force` option; that's quite literally what that option is for.

Comment 9 Steve Baker 2021-04-26 20:10:01 UTC

(In reply to Ali from comment #8)
> I'm referring to grub change.
> at the very least it should respect the `--force` option; that's quite
> literally what that option is for.

This is off topic for a diskimage-builder bug. However all you need to do is install packages shim-x64 and grub2-efi-x64 which gives you a grub binary installed to /boot/efi/EFI/redhat/, then ensure you have a copy your grub.cfg also in that directory.

No existing installations are broken by this change, you just need to make a minor change to your practice from RHEL-8.4 onwards.

Comment 13 Steve Baker 2021-05-20 03:42:56 UTC

The fix is ready

Comment 23 errata-xmlrpc 2021-09-15 07:12:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform (RHOSP) 16.2 enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:3483