kiwi doesn't install the correct grub2-efi binary for ISOs for CentOS/Fedora images - Githubissues

OSInside / kiwi

KIWI - Appliance Builder Next Generation

https://osinside.github.io/kiwi

GNU General Public License v3.0

307 stars 152 forks source link

kiwi doesn't install the correct grub2-efi binary for ISOs for CentOS/Fedora images #2270

Closed Conan-Kudo closed 1 year ago

Conan-Kudo commented 1 year ago

Problem description

When creating CentOS/Fedora live media, kiwi does not install the right signed grub2 EFI binary. As a consequence, the resulting image is not bootable.

This is caused by kiwi not being aware of the gcdx64.efi (x64), gcdaa64.efi (aa64), and gcdia32.efi (ia32) binaries to install in place of the normal grubx64.efi, grubaa64.efi, and grubia32.efi binaries for CD/ISO boot.

You can see the install pattern for these in Lorax: https://github.com/weldr/lorax/commit/7ba88931ac38116d1cd0fd9c70b38e5fcc2475a0

Expected behavior

Built ISO boots in a VM in UEFI mode

Steps to reproduce the behavior

Build a CentOS Hyperscale GNOME or KDE live image
Boot it in GNOME Boxes in UEFI mode

Sample KDE build: https://cbs.centos.org/koji/taskinfo?taskID=3303471 Sample GNOME build: https://cbs.centos.org/koji/taskinfo?taskID=3303474

OS and Software information

KIWI version: 9.24.52
Operating system host version: CentOS Stream 9
Operating system target version: CentOS Stream 9
Open Build Service version (N/A if not using OBS): N/A
Koji version (N/A if not using Koji): 1.31

schaefi commented 1 year ago

Going to look into it as soon as I find a slot

schaefi commented 1 year ago

That we have to differentiate an EFI binary file by the type of the image that we built is new and requires some refactoring. To be honest I question this concept on the Fedora side, what is the benefit of maintaining the many EFI binaries ?

Conan-Kudo commented 1 year ago

I don't know, maybe @martinezjavier knows?

schaefi commented 1 year ago

@Conan-Kudo is there a difference in the location/names of the EFI binaries for ISO's also in terms of signed and not-signed variants ? In kiwi we have get_signed_grub_loader() and get_unsigned_grub_loader() methods. These needs to change to also receive the image type such that we can differentiate even further

Conan-Kudo commented 1 year ago

No. The filenames only differ in the RPM, you have to install it as the single correct name for shim to load it. That name is the one that's used for the regular grub EFI binaries.

schaefi commented 1 year ago

yes I got that, but are there rpms that differentiate between signed and not-signed, e.g providing gcdx64.efi and maybe gcdx64.signed.efi or something ?

schaefi commented 1 year ago

The lorax patch does not differentiate them either so I assume not

Conan-Kudo commented 1 year ago

They are all signed. Unsigned binaries are not shipped in Fedora for GRUB.