Currently the UEFI boot file /boot/efi/EFI/BOOT/BOOTX64.EFI is generated by running grub2-install, which will boot in UEFI mode, but will never be secure-boot capable. As of grub2 >= 2.02-95, calling grub2-install on an EFI partition will fail with: "this utility cannot be used for EFI platforms because it does not support UEFI Secure Boot." This version of grub is now in the rhel-8-for-x86_64-baseos-rpms repos. As soon as it is promoted to rhel-8-for-x86_64-baseos-eus-rpms then whole disk image building will break, hence the urgency of this bug. To avoid this breakage and to make images secure-boot capable, /boot/efi/EFI/BOOT/BOOTX64.EFI needs to be from the packaged shim, and a grub config needs to be generated in /boot/efi/EFI/redhat.
I'm setting this to urgent for 16.2; RHEL-8.4 has grub2 greater than 2.02-92, which no longer allows using grub2-install to install a bootloader for UEFI boot. Without this fix it will not be possible to build overcloud-full UEFI capable whole disk images; the image build command will halt with an error.
This will need a follow-up patch to fix arm image builds, and ensure both efi and legacy grub config files are identical.
This doesn't even respect grub2-install's `--force` option ... so basically you've just decided to break all existing installations that don't even use secure boot, overnight ... at least enable the users to bypass this using grub2-install's `--force` option.
(In reply to Ali from comment #6)
> This doesn't even respect grub2-install's `--force` option ... so basically
> you've just decided to break all existing installations that don't even use
> secure boot, overnight ...
> at least enable the users to bypass this using grub2-install's `--force`
> option.
Sorry, can you elaborate how this breaks all existing installations?
Do you mean this diskimage-builder change, or the grub change to no longer support installing grub binaries for UEFI boot loaders?
(In reply to Steve Baker from comment #7)
> (In reply to Ali from comment #6)
> > This doesn't even respect grub2-install's `--force` option ... so basically
> > you've just decided to break all existing installations that don't even use
> > secure boot, overnight ...
> > at least enable the users to bypass this using grub2-install's `--force`
> > option.
>
> Sorry, can you elaborate how this breaks all existing installations?
>
> Do you mean this diskimage-builder change, or the grub change to no longer
> support installing grub binaries for UEFI boot loaders?
I'm referring to grub change. At the very least it should respect the `--force` option; that's quite literally what that option is for.
(In reply to Ali from comment #8)
> I'm referring to grub change.
> at the very least it should respect the `--force` option; that's quite
> literally what that option is for.
This is off topic for a diskimage-builder bug. However, all you need to do is install packages shim-x64 and grub2-efi-x64, which gives you a grub binary installed to /boot/efi/EFI/redhat/, then ensure you have a copy of your grub.cfg also in that directory. No existing installations are broken by this change; you just need to make a minor change to your practice from RHEL-8.4 onwards.
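Added example, not part of any comment above and not diskimage-builder code: a POSIX shell check that an ESP tree has the layout this bug asks for (packaged shim at EFI/BOOT/BOOTX64.EFI, grub binary and grub.cfg in EFI/redhat). The function name `check_esp` is hypothetical, shimx64.efi and grubx64.efi are the file names shipped by shim-x64 and grub2-efi-x64, and the byte-for-byte match between BOOTX64.EFI and shimx64.efi is an assumption of this example.

```sh
# check_esp [ESP_ROOT]
# Prints one OK/FAIL line per check; returns 0 only if every check passes.
# ESP_ROOT defaults to /boot/efi; pass the mount point of an image's ESP
# to audit a freshly built whole disk image.
check_esp() {
    esp_root="${1:-/boot/efi}"
    esp_rc=0
    esp_boot="$esp_root/EFI/BOOT/BOOTX64.EFI"
    esp_shim="$esp_root/EFI/redhat/shimx64.efi"
    esp_grub="$esp_root/EFI/redhat/grubx64.efi"
    esp_cfg="$esp_root/EFI/redhat/grub.cfg"

    # All three binaries must exist and be non-empty.
    for esp_f in "$esp_boot" "$esp_shim" "$esp_grub"; do
        if [ -s "$esp_f" ]; then
            echo "OK    present: $esp_f"
        else
            echo "FAIL  missing or empty: $esp_f"
            esp_rc=1
        fi
    done

    # Assumption: the packaged BOOTX64.EFI is a byte-identical copy of
    # shimx64.efi. A binary written by grub2-install will not match.
    if [ -s "$esp_boot" ] && [ -s "$esp_shim" ]; then
        if cmp -s "$esp_boot" "$esp_shim"; then
            echo "OK    BOOTX64.EFI matches shimx64.efi"
        else
            echo "FAIL  BOOTX64.EFI differs from shimx64.efi"
            esp_rc=1
        fi
    fi

    # The grub config has to sit next to the grub binary in EFI/redhat.
    if [ -s "$esp_cfg" ]; then
        echo "OK    present: $esp_cfg"
    else
        echo "FAIL  missing or empty: $esp_cfg"
        esp_rc=1
    fi

    return "$esp_rc"
}
```

Source the file and run `check_esp /boot/efi` on a host, or point it at the mounted ESP of a built image.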
The fix is ready
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform (RHOSP) 16.2 enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2021:3483