Bug 2040109

Summary: [RFE] Install grubx64.efi twice to be readable by non-root users
Product: Red Hat Enterprise Linux 9 Reporter: Steve Baker <sbaker>
Component: grub2Assignee: Bootloader engineering team <bootloader-eng-team>
Status: CLOSED WONTFIX QA Contact: Release Test Team <release-test-team>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: CentOS StreamCC: bstinson, jwboyer
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-13 07:31:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steve Baker 2022-01-13 00:21:13 UTC 
This is a request for packaging to also install the grub efi files in a /usr location which is accessible by all users.

There are use cases for grubx64.efi beyond booting the machine it is installed on. Specifically serving grubx64.efi (and the shim) over tftp to a remote machine will make it possible to enable secure boot for baremetal provisioning in OpenStack Ironic by using (signed) grub network boot instead of iPXE.

Requiring root just to copy grubx64.efi into the /tftpboot directory constrains /tftpboot population to a privileged tool. This has drawbacks, for example when the shim package is updated.
Comment 1 Robbie Harwood 2022-01-13 15:01:15 UTC 
> Requiring root just to copy grubx64.efi into the /tftpboot directory constrains /tftpboot population to a privileged tool. This has drawbacks, for example when the shim package is updated.

Root is not required.  Just unpack the rpm cpio ball and get grubx64.efi from there.
Comment 3 Steve Baker 2022-01-17 21:43:15 UTC 
Let me provide some more background for the requirements here.

openstack-ironic is aiming to improve the install experience by auto-populating the /tftpboot director on service startup. This directory needs ipxe, grub, shim images plus some template generated text files.

This leads to a solution which must be unprivileged, configuration driven, and distro agnostic. This means that running custom scripts which do rpm unpacking is not an option, and pulling a package from the network is *really* not an option.

Red Hat family is unique in distros, installing root-only readable files to /boot/efi:
SUSE: /usr/share/efi/x86_64/grub.efi
Debian/Ubuntu: /usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed

I'm fine with doing the packaging work to make this happen:
https://gitlab.com/redhat/centos-stream/rpms/grub2/-/merge_requests/19
Comment 6 RHEL Program Management 2023-07-13 07:31:54 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.