From e4489825a46f4d20c003863aeb4c9dd43506bc1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fredrik=20L=C3=B6nnegren?= Date: Wed, 24 Apr 2024 16:06:35 +0200 Subject: [PATCH 1/2] Disable boot entry if efivars is read-only (#2059) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On some systems the efivars is mounted read-only if the firmware does not support writing (such as RPI). This commit turns off writing boot entries to efivars if the efivars filesystem is mounted read-only. Signed-off-by: Fredrik Lönnegren (cherry picked from commit 8baaef2251428aee5ec8c9d53f6368f417980a43) --- pkg/action/install.go | 5 ++++- pkg/action/reset.go | 4 +++- pkg/bootloader/grub.go | 23 +++++++++++++++++++++++ pkg/constants/constants.go | 1 + pkg/elemental/elemental.go | 6 +++--- pkg/snapshotter/loopdevice.go | 3 ++- 6 files changed, 36 insertions(+), 6 deletions(-) diff --git a/pkg/action/install.go b/pkg/action/install.go index 877df1285a..c0b09b211c 100644 --- a/pkg/action/install.go +++ b/pkg/action/install.go @@ -61,7 +61,10 @@ func NewInstallAction(cfg *types.RunConfig, spec *types.InstallSpec, opts ...Ins } if i.bootloader == nil { - i.bootloader = bootloader.NewGrub(&cfg.Config, bootloader.WithGrubDisableBootEntry(i.spec.DisableBootEntry)) + i.bootloader = bootloader.NewGrub(&cfg.Config, + bootloader.WithGrubDisableBootEntry(i.spec.DisableBootEntry), + bootloader.WithGrubAutoDisableBootEntry(), + ) } if i.snapshotter == nil { diff --git a/pkg/action/reset.go b/pkg/action/reset.go index 890fa2515e..aa652eccd7 100644 --- a/pkg/action/reset.go +++ b/pkg/action/reset.go @@ -84,7 +84,9 @@ func NewResetAction(cfg *types.RunConfig, spec *types.ResetSpec, opts ...ResetAc if r.bootloader == nil { r.bootloader = bootloader.NewGrub( - &cfg.Config, bootloader.WithGrubDisableBootEntry(r.spec.DisableBootEntry), + &cfg.Config, + bootloader.WithGrubDisableBootEntry(r.spec.DisableBootEntry), + bootloader.WithGrubAutoDisableBootEntry(), bootloader.WithGrubClearBootEntry(false), ) } diff --git a/pkg/bootloader/grub.go b/pkg/bootloader/grub.go index ba0a0a6eaa..ec6b8dcb51 100644 --- a/pkg/bootloader/grub.go +++ b/pkg/bootloader/grub.go @@ -23,6 +23,7 @@ import ( "regexp" "github.com/rancher/elemental-toolkit/v2/pkg/constants" + "github.com/rancher/elemental-toolkit/v2/pkg/elemental" "github.com/rancher/elemental-toolkit/v2/pkg/types" "github.com/rancher/elemental-toolkit/v2/pkg/utils" @@ -121,6 +122,28 @@ func WithGrubDisableBootEntry(disableBootEntry bool) func(g *Grub) error { } } +func WithGrubAutoDisableBootEntry() func(g *Grub) error { + return func(g *Grub) error { + if g.disableBootEntry { + // already disabled manually, doing nothing + return nil + } + + rw, err := elemental.IsRWMountPoint(g.runner, constants.EfivarsMountPath) + if err != nil { + g.logger.Errorf("error finding efivar mounts: %s", err.Error()) + return err + } + + // If efivars is not RW, disable writing boot entries. + if !rw { + g.disableBootEntry = true + } + + return nil + } +} + func WithGrubClearBootEntry(clearBootEntry bool) func(g *Grub) error { return func(g *Grub) error { g.clearBootEntry = clearBootEntry diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index d0f563fca8..cc9ce31a2d 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -63,6 +63,7 @@ const ( Tmpfs = "tmpfs" Autofs = "auto" Block = "block" + EfivarsMountPath = "/sys/firmware/efi/efivars" // Maxium number of nested symlinks to resolve MaxLinkDepth = 4 diff --git a/pkg/elemental/elemental.go b/pkg/elemental/elemental.go index a65cbf677c..8a46865678 100644 --- a/pkg/elemental/elemental.go +++ b/pkg/elemental/elemental.go @@ -177,8 +177,8 @@ func IsMounted(c types.Config, part *types.Partition) (bool, error) { return !notMnt, nil } -func IsRWMountPoint(c types.Config, mountPoint string) (bool, error) { - cmdOut, err := c.Runner.Run("findmnt", "-fno", "OPTIONS", mountPoint) +func IsRWMountPoint(r types.Runner, mountPoint string) (bool, error) { + cmdOut, err := r.Run("findmnt", "-fno", "OPTIONS", mountPoint) if err != nil { return false, err } @@ -193,7 +193,7 @@ func IsRWMountPoint(c types.Config, mountPoint string) (bool, error) { // MountRWPartition mounts, or remounts if needed, a partition with RW permissions func MountRWPartition(c types.Config, part *types.Partition) (umount func() error, err error) { if mnt, _ := IsMounted(c, part); mnt { - if ok, _ := IsRWMountPoint(c, part.MountPoint); ok { + if ok, _ := IsRWMountPoint(c.Runner, part.MountPoint); ok { c.Logger.Debugf("Already RW mounted: %s at %s", part.Name, part.MountPoint) return func() error { return nil }, nil } diff --git a/pkg/snapshotter/loopdevice.go b/pkg/snapshotter/loopdevice.go index e8ea44b8dc..d642558d45 100644 --- a/pkg/snapshotter/loopdevice.go +++ b/pkg/snapshotter/loopdevice.go @@ -26,6 +26,7 @@ import ( "strings" "github.com/hashicorp/go-multierror" + "github.com/rancher/elemental-toolkit/v2/pkg/constants" "github.com/rancher/elemental-toolkit/v2/pkg/elemental" @@ -91,7 +92,7 @@ func (l *LoopDevice) InitSnapshotter(state *types.Partition, efiDir string) erro l.legacyClean = true // Legacy deployments might not include RW mounts for state partitions - if ok, _ := elemental.IsRWMountPoint(l.cfg, l.rootDir); !ok { + if ok, _ := elemental.IsRWMountPoint(l.cfg.Runner, l.rootDir); !ok { err = l.cfg.Mounter.Mount("", l.rootDir, "auto", []string{"remount", "rw"}) if err != nil { l.cfg.Logger.Errorf("Failed remounting root as RW: %v", err) From c6fd7abda0f9d00e678a5a0bfae4cfec0e7c4f76 Mon Sep 17 00:00:00 2001 From: David Cassany Date: Thu, 18 Jul 2024 17:50:34 +0200 Subject: [PATCH 2/2] Add test for auto disabled boot entry in Grub Signed-off-by: David Cassany (cherry picked from commit 76caad5f6ee53e33f93037ef4e2ae27bcb5e6301) --- pkg/bootloader/grub_test.go | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/pkg/bootloader/grub_test.go b/pkg/bootloader/grub_test.go index fe2ff6954d..19c51df97b 100644 --- a/pkg/bootloader/grub_test.go +++ b/pkg/bootloader/grub_test.go @@ -105,8 +105,15 @@ var _ = Describe("Booloader", Label("bootloader", "grub"), func() { ) }) - It("installs without errors", func() { - grub = bootloader.NewGrub(cfg, bootloader.WithGrubDisableBootEntry(true)) + It("installs without errors and auto detects there is no writable efivars", func() { + runner.SideEffect = func(cmd string, args ...string) ([]byte, error) { + if cmd == "findmnt" && len(args) > 0 && args[0] == "-fno" { + return []byte("ro"), nil + } + return []byte{}, nil + } + + grub = bootloader.NewGrub(cfg, bootloader.WithGrubAutoDisableBootEntry()) Expect(grub.Install(rootDir, efiDir)).To(Succeed()) // Check grub config in EFI directory