Bug 2304328

Summary: Backport fixes for rust-bootupd in F41 Beta
Product: [Fedora] Fedora Reporter: Carl Roth <roth>
Component: rust-bootupdAssignee: Timothée Ravier <travier>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 41CC: awilliam, fzatlouk, jmarrero, jonathan, lucab, m.mcnutt, rust-sig, travier, walters
Target Milestone: ---Keywords: Upgrades
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: AcceptedFreezeException
Fixed In Version: rust-bootupd-0.2.24-1.fc41 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-10-15 00:18:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2150982, 2247866    

Description Carl Roth 2024-08-13 15:08:23 UTC 
I bricked a few Silverblue/Kinoite systems while updating to the 20240810 rawhide OSTree image, which included a transition from ostree-boot to bootupctl (bootupd v0.2.20). I was able to recover the systems using a rescue image (copy EFI artifacts from a recent deployment to /boot/efi) but encountered a lot of issues along the way.

1. Secure boot/FDE fails during boot loader artifact updates. There doesn't appear to be a way to detect if a bootloader update like this one will boot correctly after the fact. In some cases I can boot using a backup LUKS key, but in this case I had to completely turn of secure boot in the BIOS.

2. The rescue image doesn't work. Is there a documented way to recover an OSTree system? Otherwise "recovery" in this case involved manually unlocking the root partition and digging around to find the correct deployment directory.

3. Updating boot artifacts via bootupd should be transactional. Once I got the systems to boot once with a bootupd-enabled image, running rpm-ostree a second time somehow made the EFI artifacts inconsistent; the system tried to boot the fedora EFI profile but failed and returned to the BIOS menu. Even better, bootupd should be parameterized to read artifacts from any deployment, not just the current one.

4. These systems were built starting with a Fedora 38 OSTree installer, which did not use a consistent partition naming scheme. From looking at the rust-bootupd sources I figured out that I could rename the ESP as "EFI-SYSTEM" and bootupctl would proceed further, but this is fragile. The partition search logic for bootupd should use the fstype UUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b) from e.g. 'parted print -j'

5. The SELinux policy for bootupd (bootupd.te in selinux-policy) is incomplete. The default label for /boot is boot_t and the default label for an ESP specified in /etc/fstab is dosfs_t, neither of which is readable by bootupd_t. If the ESP is pre-mounted to e.g. /boot/efi, bootupctl is able to find the partition but not read it. The bootupd_t type is not transitionable either, so I was not able to mount the ESP with '-o context='.

Aug 12 15:45:34 ce-link-94-c8-d5 systemd[1]: Started bootupd.service - /usr/bin/bootupctl -v2 status.
Aug 12 15:45:34 ce-link-94-c8-d5 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=bootupd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 12 15:45:34 ce-link-94-c8-d5 audit[264814]: AVC avc:  denied  { getattr } for  pid=264814 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="nvme0n1p1" ino=171 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
Aug 12 15:45:34 ce-link-94-c8-d5 systemd[1]: bootupd.service: Main process exited, code=exited, status=1/FAILURE
Aug 12 15:45:34 ce-link-94-c8-d5 systemd[1]: bootupd.service: Failed with result 'exit-code'.

Aug 12 16:12:15 ce-link-94-c8-d5 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=bootupd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 12 16:12:15 ce-link-94-c8-d5 audit[265819]: AVC avc:  denied  { write } for  pid=265819 comm="bootupctl" path=2F626F6F742F233135202864656C6574656429 dev="nvme0n1p2" ino=15 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=0
Aug 12 16:12:15 ce-link-94-c8-d5 audit[265819]: AVC avc:  denied  { create } for  pid=265819 comm="bootupctl" name=".tmpQd6RdJ5a.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=0


6. SELinux policy gaps also prevented bootupctl from mounting the ESP dynamically. Presumably we need to borrow some of the logic from fstools.te to enable block device access.

Aug 12 16:43:30 ce-link-94-c8-d5 audit[266722]: AVC avc:  denied  { getattr } for  pid=266722 comm="bootupctl" path="/dev/nvme0n1p1" dev="devtmpfs" ino=445 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
Aug 12 16:43:30 ce-link-94-c8-d5 systemd[1]: bootupd.service: Main process exited, code=exited, status=1/FAILURE
Aug 12 16:43:30 ce-link-94-c8-d5 systemd[1]: bootupd.service: Failed with result 'exit-code'.

7. The systemd-run logic in bootupctl is fragile and does not handle tool failures well. When bootupctl fails (like, because of SELinux issues) the failure is something cryptic like

Failed to start transient service unit: Unit bootupd.service failed to load properly, please adjust/correct and reload service manager: Device or resource busy

and if the transient unit does fail, it leaves a unit file in /run/systemd/transient preventing the tool from starting again.

I am concerned that we don't have a smooth upgrade path from F40 to F41 without fixes for some of these issues.



Reproducible: Always

Steps to Reproduce:
1. boot an OSTree system using bootupd
2. rm /boot/bootupd-state.json
3. setenforce 1
4. bootupctl update
Actual Results:  
bootupctl fails to update boot artifacts

Expected Results:  
bootupctl should either update the boot artifacts, or roll them back and give a useful error message

If the system is bricked, it can be recovered with some difficulty from a rescue image by overwriting /boot/efi/EFI/Boot and /boot/efi/EFI/fedora from the most recent deployment.

Otherwise, bootupd appears to run smoothly if selinux is disabled.

setenforce 0
bootupctl update
Comment 1 Carl Roth 2024-08-19 16:57:38 UTC 
This bug might need some disambiguation. One of the other things that got upgraded with the latest OSTree builds was GRUB up to 2.12, and the side effect there is that it lost the /boot/grub2/grub.cfg file. This was particularly painful because the (relatively simple) bootupctl commands to fix that are not documented, and, again, the building a rescue environment that is fully-formed enough that bootupctl will run cleanly is expert level stuff.
Comment 2 Timothée Ravier 2024-09-03 10:48:03 UTC 
A lot of things in this bug report so let's go over those one by one.

1. This is likely https://fedoramagazine.org/manual-action-needed-to-resolve-boot-failure-for-fedora-atomic-desktops-and-fedora-iot/

2. We don't have rescue boot entries in Atomic Desktops right now. Is this what you were looking for? This would be a good RFE to file at https://gitlab.com/fedora/ostree/sig/-/issues

3. We tried to make updating the ESP as transactional as possible: https://github.com/coreos/bootupd/issues/454. Fully completing this would be https://github.com/rhboot/shim/pull/502.

3bis. Updating the bootloader from another (pending) deployment is tracked in https://github.com/coreos/bootupd/issues/108

4. Bootupd currently looks for two names for the ESP (https://github.com/coreos/bootupd/blob/0f3de094a8c9eb965f4d7adad315c1beae7fe995/src/efi.rs#L39.L41) which are the ones used by Anaconda and Fedora CoreOS. We could extend the logic to look for all ESP-type partitions, but that might have implications if you have multiple ones set up by other operating systems. This would be best filed as an issue for bootupd: https://github.com/coreos/bootupd/issues 

5. https://github.com/fedora-selinux/selinux-policy/pull/2336 should fix this

6. This one is new to me. Could you give us more details?

7. This one should be fixed by https://github.com/coreos/bootupd/pull/715

I'm going to mark this bug as Beta blocker so that we can land the bootupd update in F41 for those fixes.
Comment 3 packager-dashboard-bot 2024-09-03 10:50:26 UTC 
Proposed as a Freeze Exception for 41-beta by Fedora user siosm using the blocker tracking app because:

 Fixes required to complete the bootupd change in F41: https://fedoraproject.org/wiki/Changes/FedoraSilverblueBootupd
Comment 4 Carl Roth 2024-09-03 14:15:27 UTC 
> 6. This one is new to me. Could you give us more details?

If you follow the repro steps in the bug you should see AVC messages in the logs (and a failed bootupctl).
This also ties into (7) in that the bootupctl failure leaves a tombstone (failed) service in /run/systemd/transient
Comment 5 Carl Roth 2024-09-03 14:17:29 UTC 
> 4. Bootupd currently looks for two names for the ESP
> (https://github.com/coreos/bootupd/blob/
> 0f3de094a8c9eb965f4d7adad315c1beae7fe995/src/efi.rs#L39.L41) which are the
> ones used by Anaconda and Fedora CoreOS. We could extend the logic to look
> for all ESP-type partitions, but that might have implications if you have
> multiple ones set up by other operating systems. This would be best filed as
> an issue for bootupd: https://github.com/coreos/bootupd/issues 

The Anaconda installer for F38 labeled all of the partitions with the string "primary". I'll take your word for it that it's been fixed in current Anaconda.
Comment 6 Timothée Ravier 2024-09-03 17:18:32 UTC 
To clarify for the freeze exception, this is to get an updated bootupd package in Fedora 41, which will include the following fixes:

- https://github.com/coreos/bootupd/issues/707 > Recover on failures
- https://github.com/coreos/bootupd/issues/454 > Needed to make updates safer 
- https://github.com/coreos/bootupd/pull/716 > Needed to let Atomic Desktops enable bootupd updates by default
Comment 7 Timothée Ravier 2024-09-03 17:31:01 UTC 
(In reply to Carl Roth from comment #4)
> > 6. This one is new to me. Could you give us more details?
> 
> If you follow the repro steps in the bug you should see AVC messages in the
> logs (and a failed bootupctl).

Atomic Desktops have /boot/efi mounted by default right now. I unmounted it and I can reproduce this one now.

(In reply to Carl Roth from comment #5)
> > 4. Bootupd currently looks for two names for the ESP
> > (https://github.com/coreos/bootupd/blob/
> > 0f3de094a8c9eb965f4d7adad315c1beae7fe995/src/efi.rs#L39.L41) which are the
> > ones used by Anaconda and Fedora CoreOS. We could extend the logic to look
> > for all ESP-type partitions, but that might have implications if you have
> > multiple ones set up by other operating systems. This would be best filed as
> > an issue for bootupd: https://github.com/coreos/bootupd/issues 
> 
> The Anaconda installer for F38 labeled all of the partitions with the string
> "primary". I'll take your word for it that it's been fixed in current
> Anaconda.

I can not reproduce that. My system is an old install (F34 at least) and I have PARTLABEL="EFI System Partition". All the new installations that I did have it like that as well.
Comment 8 Timothée Ravier 2024-09-03 17:55:41 UTC 
(In reply to Timothée Ravier from comment #7)
> Atomic Desktops have /boot/efi mounted by default right now. I unmounted it
> and I can reproduce this one now.

Filed https://github.com/fedora-selinux/selinux-policy/issues/2341
Comment 9 František Zatloukal 2024-09-03 18:40:31 UTC 
Discussed during the 2024-09-03 blocker review meeting: [1]

The decision to classify this bug wasn't made:

"We're generally inclined to +1 appropriate and scoped fixes for bootupd, but this seems like a very vague ticket, we would like to ask travier for more clarity on which of the 7.5 listed issues are considered in scope for fixing here."

[1] https://meetbot.fedoraproject.org/blocker-review_matrix_fedoraproject-org/2024-09-03/f41-blocker-review.2024-09-03-16.00.log.html
Comment 10 Timothée Ravier 2024-09-04 15:49:08 UTC 
Move tracking the SELinux backports to https://bugzilla.redhat.com/show_bug.cgi?id=2309742
Comment 11 Timothée Ravier 2024-09-05 17:27:27 UTC 
Let's rescope this issue to landing the following fixes for the bootupd package:

- https://github.com/coreos/bootupd/issues/454
  - Fixed by https://github.com/coreos/bootupd/pull/669
  - Which is in the https://github.com/coreos/bootupd/releases/tag/v0.2.21 release
  - Which is already in Rawhide
- https://github.com/coreos/bootupd/issues/707
  - Fixed by https://github.com/coreos/bootupd/pull/715
  - Which is not yet in a release

This should let us enable updates by default, which will happen in a backport of https://pagure.io/workstation-ostree-config/pull-request/571
Comment 12 Adam Williamson 2024-09-09 15:17:37 UTC 
+3 in https://pagure.io/fedora-qa/blocker-review/issue/1638 , marking accepted.
Comment 13 Fedora Update System 2024-10-14 12:56:14 UTC 
FEDORA-2024-7bb17ff603 (rust-bootupd-0.2.24-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-7bb17ff603
Comment 14 Fedora Update System 2024-10-15 00:18:10 UTC 
FEDORA-2024-7bb17ff603 (rust-bootupd-0.2.24-1.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.