Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2106706

Summary:	anaconda throws errors when trying to use vfat for /boot
Product:	Red Hat Enterprise Linux 9	Reporter:	Gerd Hoffmann <kraxel>
Component:	anaconda	Assignee:	Anaconda Maintenance Team <anaconda-maint-list>
Status:	CLOSED WONTFIX	QA Contact:	Release Test Team <release-test-team-automation>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	9.0	CC:	alexl, berrange, jkonecny, jonathansteffan, jstodola, pjones, pmendezh, zbyszek
Target Milestone:	rc	Keywords:	FutureFeature, Reopened
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-12-20 14:29:59 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Gerd Hoffmann 2022-07-13 11:12:30 UTC

Description of problem:
Can not use 'vfat' as filesystem for /boot

Version-Release number of selected component (if applicable):
Tried both Fedora 36 and RHEL 9.0 GA installers

How reproducible:
100%

Steps to Reproduce:
try install a virtual machine with this kickstart file:

------------------------- cut here ---------------------
# minimal config
rootpw --plaintext root
firstboot --disable
reboot

# partitioning
ignoredisk --only-use=sda
clearpart --all --initlabel --disklabel=gpt --drives=sda
part /boot/efi --size=100 --fstype=efi
part /boot     --size=500 --fstype=vfat --label=boot
part /         --size=999 --fstype=xfs --label=root --grow
bootloader --append="console=ttyS0"

# minimal package list
%packages
@core
shim-x64
grub2-efi-x64
-dracut-config-rescue
dracut-config-generic
%end

%post

%end
------------------------- cut here ---------------------

Actual results:
Starting automated install.Saving storage configuration...
.Checking storage configuration...
./boot file system cannot be of type vfat.

Expected results:
Install completes without errors.

Additional info:

Comment 1 Jan Stodola 2022-07-15 10:25:20 UTC

Hello, /boot on vfat is not supported intentionally, since the vfat file system doesn't support for example extended attributes. There is no plan to support /boot on vfat and anaconda shows a correct error message. Please use for example XFS or ext4 for /boot.

I'm closing this bug.

Comment 2 Gerd Hoffmann 2022-07-15 11:45:31 UTC

> Hello, /boot on vfat is not supported intentionally, since the vfat file
> system doesn't support for example extended attributes.

What is the use case for extended attributes on /boot?

I can only think of selinux.  That doesn't make sense though.
There is no need for fine-grained access control for /boot.

Only root is allowed to update /boot, period.
Whenever you want allow public read access to /boot is debatable.

Given there are no secrets on /boot and everybody can download
the content by fetching the kernel rpms I don't see how
restricting /boot read access helps improving security much.
On the other hand the same is true for /boot/efi which actually
is only readable for root on a default install.

> There is no plan to
> support /boot on vfat

As far I know there are plans to change that.
Cc'ing Peter Jones + Alexander Larsson.

> Please use
> for example XFS or ext4 for /boot.

Requiring the boot loader being able to handle the complexity
of a journaling file system IMHO isn't a wise choice.

Comment 4 Jan Stodola 2022-08-02 17:23:23 UTC

(In reply to Gerd Hoffmann from comment #2)
> > Hello, /boot on vfat is not supported intentionally, since the vfat file
> > system doesn't support for example extended attributes.
> 
> What is the use case for extended attributes on /boot?
> 
> I can only think of selinux.  That doesn't make sense though.
> There is no need for fine-grained access control for /boot.
> 
> Only root is allowed to update /boot, period.
> Whenever you want allow public read access to /boot is debatable.
> 
> Given there are no secrets on /boot and everybody can download
> the content by fetching the kernel rpms I don't see how
> restricting /boot read access helps improving security much.
> On the other hand the same is true for /boot/efi which actually
> is only readable for root on a default install.

/boot contains crucial files to boot the system, so security is a valid reason - for example initramfs may contain sensitive content.

> 
> > There is no plan to
> > support /boot on vfat
> 
> As far I know there are plans to change that.
> Cc'ing Peter Jones + Alexander Larsson.

OK, I'm interested to know the justification.

> 
> > Please use
> > for example XFS or ext4 for /boot.
> 
> Requiring the boot loader being able to handle the complexity
> of a journaling file system IMHO isn't a wise choice.

Then ext2 could work.

Comment 5 Daniel Berrangé 2022-08-02 17:29:18 UTC

(In reply to Jan Stodola from comment #4)
> (In reply to Gerd Hoffmann from comment #2)
> > > Hello, /boot on vfat is not supported intentionally, since the vfat file
> > > system doesn't support for example extended attributes.
> > 
> > What is the use case for extended attributes on /boot?
> > 
> > I can only think of selinux.  That doesn't make sense though.
> > There is no need for fine-grained access control for /boot.
> > 
> > Only root is allowed to update /boot, period.
> > Whenever you want allow public read access to /boot is debatable.
> > 
> > Given there are no secrets on /boot and everybody can download
> > the content by fetching the kernel rpms I don't see how
> > restricting /boot read access helps improving security much.
> > On the other hand the same is true for /boot/efi which actually
> > is only readable for root on a default install.
> 
> /boot contains crucial files to boot the system, so security is a valid
> reason - for example initramfs may contain sensitive content.

/boot is unencrypted, so there should be no expectation of security for content of any files stored on it.

Comment 6 Jan Stodola 2022-08-02 17:47:17 UTC

I posted the initramfs example because I remembered the following CVE we had to deal with in the past:
https://bugzilla.redhat.com/show_bug.cgi?id=859448

On the other hand, the installer allows to disable SELinux on the installed system (by "selinux=0" on the kernel command line), so if the user wants to have a system with SELinux disabled, then using vfat for /boot is also fine from this point of view.

Comment 7 Jiri Konecny 2022-08-05 10:42:24 UTC

Hi Gerd,

could you please tell us about the priority of the issue. Is there a customer case or are we breaking a workflow by this?

Comment 8 Gerd Hoffmann 2022-08-16 12:53:14 UTC

> could you please tell us about the priority of the issue. Is there a
> customer case or are we breaking a workflow by this?

No concrete use case yet.  We are investigating how we can simplify
the boot workflow for confidential computing.  In particular the way
grub2 handles TPM measurements is rather problematic, and checking out
alternatives is much easier when the EFI firmware is able to read the
filesystem where the kernels are stored on.  That allows to use other
simpler boot loaders which don't bring their own filesystem drivers,
or to not use a boot loader at all and add the kernel directly to the
BootNNNN EFI variables instead.

(In reply to Jan Stodola from comment #6)
> I posted the initramfs example because I remembered the following CVE we had
> to deal with in the past:
> https://bugzilla.redhat.com/show_bug.cgi?id=859448

Storing machine-specific configuration or evens secrets in the initrd is
another problem which needs adressing.  CoreOS ships a initrd by default
instead of generating it on the installed system, which is a step into the
right direction.  No config/secret is in there.  Also we know the hashes
of the bits we ship, so measurements are much more useful because we can
actually verify that the initrd hasn't been tampered with.

Ideally we'll go further and ship unified kernel images (aka all-in-one efi
binary with kernel, initrd, cmdline and secure boot signature).

[ not relevant to this bug, just giving some more background info ]

Comment 11 Jiri Konecny 2022-12-20 14:29:59 UTC

Hi Gerd,

thank you for providing us all the information. We decided that we don't want to implement this feature. It seems that there is not a strong use-case now and we would also need ACK from bootloader team first. Because of that I'm closing this issue now. Feel free to reopen if you don't agree with the decision.