raito/lanzaboote
0
0
Fork 0
Code Issues 45 Pull requests 6 Projects Releases 6 Packages Wiki Activity Actions

XBOOTLDR support #173

New issue
Open
opened 2023-05-03 01:06:57 +00:00 by colemickens · 11 comments
colemickens commented 2023-05-03 01:06:57 +00:00 (Migrated from github.com)
Copy link

As far as I can tell, there's no option to tell Lanzaboot to install the bootloader entries to /boot, with the bootloader itself residing on /efi.

This is necessary for systems that are dual-boot and have to deal with Windows anemic 512MB ESP.

This is something I implemented for systemd-boot in : https://github.com/NixOS/nixpkgs/pull/226692

As far as I can tell, there's no option to tell Lanzaboot to install the bootloader entries to `/boot`, with the bootloader itself residing on `/efi`. This is necessary for systems that are dual-boot and have to deal with Windows anemic 512MB ESP. This is something I implemented for systemd-boot in : https://github.com/NixOS/nixpkgs/pull/226692
👍 4
colemickens commented 2023-05-03 01:10:07 +00:00 (Migrated from github.com)
Copy link

From a quick skim, I guess that most places where esp_paths is propagated to/through Installer, a similar variable, entries_path(s) could be added for this parameters.

From a quick skim, I guess that most places where esp_paths is propagated to/through Installer, a similar variable, `entries_path(s)` could be added for this parameters.
colemickens commented 2023-05-03 01:24:51 +00:00 (Migrated from github.com)
Copy link

Ope, maybe I'm wrong, this looks like a lot of paths... hm. adc01887d9/rust/tool/src/esp.rs (L23)

Ope, maybe I'm wrong, this looks like a lot of paths... hm. https://github.com/nix-community/lanzaboote/blob/adc01887d9db2c3e354bbe86d7f46c4661357c27/rust/tool/src/esp.rs#L23
colemickens commented 2023-05-03 01:39:33 +00:00 (Migrated from github.com)
Copy link

Just to illuminate this quickly for anyone unfamiliar with it:

  • /boot is a specially marked vfat part
  • /efi is the ESP part

╭ zeph  ~/code/nixcfg 0.01s
╰─▶ exa -al --tree --level 3 /boot
drwxr-xr-x    - root 31 Dec  1969 /boot
drwxr-xr-x    - root 23 Apr 15:14 ├── EFI
drwxr-xr-x    - root  2 Jan 22:59 │  ├── Linux
drwxr-xr-x    - root  2 May 16:33 │  └── nixos
drwxr-xr-x    - root  2 May 16:33 │     ├── .extra-files
.rwxr-xr-x  52M root  2 May 16:33 │     ├── 9920dchp0yjc0dqx34yag9fq2ifdmv8l-initrd-linux-6.2.13-initrd.efi
.rwxr-xr-x  51M root  2 May 16:33 │     ├── a4i5wblhjhqgb7qfqh8lypqybqd8h2dg-initrd-linux-6.2.13-initrd.efi
.rwxr-xr-x  51M root  2 May 16:33 │     ├── acn81cicvkrqv202r1njwrn7qxvc1xyd-initrd-linux-6.2.13-initrd.efi
.rwxr-xr-x  49M root  2 May 16:33 │     ├── ars088s92c751rg5mv2l5hhpb1qcp22a-initrd-linux-6.2.13-initrd.efi
.rwxr-xr-x  52M root  2 May 16:33 │     ├── aypnb0n4608vgx7jcppv21mpqriz97cp-initrd-linux-6.2.13-initrd.efi
.rwxr-xr-x  52M root  2 May 16:33 │     ├── c4sfzink5na1vrid6mglk3rhs5mrfg14-initrd-linux-6.2.13-initrd.efi
.rwxr-xr-x 9.8M root  2 May 16:33 │     ├── dwfs0ayw1jnjvrjk7903sw4xr6bssc7r-linux-6.2.13-bzImage.efi
.rwxr-xr-x 9.8M root  2 May 16:33 │     ├── h5a07lsxf0ywn6ryj3zxracb88wyfbf6-linux-6.2.13-bzImage.efi
.rwxr-xr-x  49M root  2 May 16:33 │     ├── jzfibarpqvsv34qci8lihski6q8b0h4z-initrd-linux-6.2.13-initrd.efi
drwxr-xr-x    - root  2 Apr 04:47 └── loader
drwxr-xr-x    - root  2 May 16:33    ├── entries
.rwxr-xr-x  464 root  2 May 16:33    │  ├── nixos-generation-4-specialisation-legacyboot.conf
.rwxr-xr-x  466 root  2 May 16:33    │  ├── nixos-generation-4-specialisation-sysd-netboot.conf
.rwxr-xr-x  451 root  2 May 16:33    │  ├── nixos-generation-4.conf
.rwxr-xr-x  464 root  2 May 16:33    │  ├── nixos-generation-5-specialisation-legacyboot.conf
.rwxr-xr-x  466 root  2 May 16:33    │  ├── nixos-generation-5-specialisation-sysd-netboot.conf
.rwxr-xr-x  451 root  2 May 16:33    │  ├── nixos-generation-5.conf
.rwxr-xr-x  464 root  2 May 16:33    │  ├── nixos-generation-6-specialisation-legacyboot.conf
.rwxr-xr-x  466 root  2 May 16:33    │  ├── nixos-generation-6-specialisation-sysd-netboot.conf
.rwxr-xr-x  451 root  2 May 16:33    │  └── nixos-generation-6.conf
.rwxr-xr-x    6 root 31 Dec  2022    └── entries.srel

╭ zeph  ~/code/nixcfg 0.01s
╰─▶ exa -al --tree --level 3 /efi
drwxr-xr-x   - root 31 Dec  1969 /efi
drwxr-xr-x   - root  2 May 19:05 ├── EFI
drwxr-xr-x   - root 27 Apr 11:19 │  ├── Boot
.rwxr-xr-x 99k root 31 Dec  1979 │  │  └── bootx64.efi
drwxr-xr-x   - root 30 Jan  2022 │  ├── Microsoft
drwxr-xr-x   - root 30 Jan  2022 │  │  ├── Boot
drwxr-xr-x   - root 30 Jan  2022 │  │  └── Recovery
drwxr-xr-x   - root 27 Apr 11:19 │  └── systemd
.rwxr-xr-x 99k root 31 Dec  1979 │     └── systemd-bootx64.efi
drwxr-xr-x   - root  2 May 16:33 ├── loader
.rwxr-xr-x  60 root  2 May 16:33 │  ├── loader.conf
.rwxr-xr-x  32 root  1 May 22:12 │  └── random-seed
drwxr-xr-x   - root 30 Jan  2022 └── System Volume Information
Just to illuminate this quickly for anyone unfamiliar with it: * /boot is a specially marked vfat part * /efi is the ESP part ``` ╭ zeph ~/code/nixcfg 0.01s ╰─▶ exa -al --tree --level 3 /boot drwxr-xr-x - root 31 Dec 1969 /boot drwxr-xr-x - root 23 Apr 15:14 ├── EFI drwxr-xr-x - root 2 Jan 22:59 │ ├── Linux drwxr-xr-x - root 2 May 16:33 │ └── nixos drwxr-xr-x - root 2 May 16:33 │ ├── .extra-files .rwxr-xr-x 52M root 2 May 16:33 │ ├── 9920dchp0yjc0dqx34yag9fq2ifdmv8l-initrd-linux-6.2.13-initrd.efi .rwxr-xr-x 51M root 2 May 16:33 │ ├── a4i5wblhjhqgb7qfqh8lypqybqd8h2dg-initrd-linux-6.2.13-initrd.efi .rwxr-xr-x 51M root 2 May 16:33 │ ├── acn81cicvkrqv202r1njwrn7qxvc1xyd-initrd-linux-6.2.13-initrd.efi .rwxr-xr-x 49M root 2 May 16:33 │ ├── ars088s92c751rg5mv2l5hhpb1qcp22a-initrd-linux-6.2.13-initrd.efi .rwxr-xr-x 52M root 2 May 16:33 │ ├── aypnb0n4608vgx7jcppv21mpqriz97cp-initrd-linux-6.2.13-initrd.efi .rwxr-xr-x 52M root 2 May 16:33 │ ├── c4sfzink5na1vrid6mglk3rhs5mrfg14-initrd-linux-6.2.13-initrd.efi .rwxr-xr-x 9.8M root 2 May 16:33 │ ├── dwfs0ayw1jnjvrjk7903sw4xr6bssc7r-linux-6.2.13-bzImage.efi .rwxr-xr-x 9.8M root 2 May 16:33 │ ├── h5a07lsxf0ywn6ryj3zxracb88wyfbf6-linux-6.2.13-bzImage.efi .rwxr-xr-x 49M root 2 May 16:33 │ ├── jzfibarpqvsv34qci8lihski6q8b0h4z-initrd-linux-6.2.13-initrd.efi drwxr-xr-x - root 2 Apr 04:47 └── loader drwxr-xr-x - root 2 May 16:33 ├── entries .rwxr-xr-x 464 root 2 May 16:33 │ ├── nixos-generation-4-specialisation-legacyboot.conf .rwxr-xr-x 466 root 2 May 16:33 │ ├── nixos-generation-4-specialisation-sysd-netboot.conf .rwxr-xr-x 451 root 2 May 16:33 │ ├── nixos-generation-4.conf .rwxr-xr-x 464 root 2 May 16:33 │ ├── nixos-generation-5-specialisation-legacyboot.conf .rwxr-xr-x 466 root 2 May 16:33 │ ├── nixos-generation-5-specialisation-sysd-netboot.conf .rwxr-xr-x 451 root 2 May 16:33 │ ├── nixos-generation-5.conf .rwxr-xr-x 464 root 2 May 16:33 │ ├── nixos-generation-6-specialisation-legacyboot.conf .rwxr-xr-x 466 root 2 May 16:33 │ ├── nixos-generation-6-specialisation-sysd-netboot.conf .rwxr-xr-x 451 root 2 May 16:33 │ └── nixos-generation-6.conf .rwxr-xr-x 6 root 31 Dec 2022 └── entries.srel ╭ zeph ~/code/nixcfg 0.01s ╰─▶ exa -al --tree --level 3 /efi drwxr-xr-x - root 31 Dec 1969 /efi drwxr-xr-x - root 2 May 19:05 ├── EFI drwxr-xr-x - root 27 Apr 11:19 │ ├── Boot .rwxr-xr-x 99k root 31 Dec 1979 │ │ └── bootx64.efi drwxr-xr-x - root 30 Jan 2022 │ ├── Microsoft drwxr-xr-x - root 30 Jan 2022 │ │ ├── Boot drwxr-xr-x - root 30 Jan 2022 │ │ └── Recovery drwxr-xr-x - root 27 Apr 11:19 │ └── systemd .rwxr-xr-x 99k root 31 Dec 1979 │ └── systemd-bootx64.efi drwxr-xr-x - root 2 May 16:33 ├── loader .rwxr-xr-x 60 root 2 May 16:33 │ ├── loader.conf .rwxr-xr-x 32 root 1 May 22:12 │ └── random-seed drwxr-xr-x - root 30 Jan 2022 └── System Volume Information ```
colemickens commented 2023-05-03 01:58:39 +00:00 (Migrated from github.com)
Copy link

(A small note, the Windows default ESP now seems to be about 100MB, making this more important for such systems)

(A small note, the Windows default ESP now seems to be about 100MB, making this more important for such systems)
colemickens commented 2023-05-03 02:35:47 +00:00 (Migrated from github.com)
Copy link

last update: for now this works for me:

config = {
  fileSystems = {
     # ..
      "/efi/EFI/Linux" = { device = "/boot/EFI/Linux"; options = ["bind"];};
      "/efi/EFI/nixos" = { device = "/boot/EFI/nixos"; options = ["bind"];};
    };
}

otherwise things went well according to the quickstart! thanks!

last update: for now this works for me: ``` config = { fileSystems = { # .. "/efi/EFI/Linux" = { device = "/boot/EFI/Linux"; options = ["bind"];}; "/efi/EFI/nixos" = { device = "/boot/EFI/nixos"; options = ["bind"];}; }; } ``` otherwise things went well according to the quickstart! thanks!
👍 1
RaitoBezarius commented 2023-05-03 15:59:55 +00:00 (Migrated from github.com)
Copy link

Is there any action we should do to your opinion to enable better support of XBOOTLDR?

Is there any action we should do to your opinion to enable better support of XBOOTLDR?
colemickens commented 2023-05-03 16:31:01 +00:00 (Migrated from github.com)
Copy link

@RaitoBezarius I'm not really sure! I think, generally, NixOS should make this pattern easier to achieve, and as far as I know, it's basically just not supported (without my PR for systemd-boot anyway). And thus similarly lanzaboot.

Personally, I would prefer lanzaboot to not require me to (manually) set up bind mounts, when they're really only here to workaround what feels like a feature deficit in Lanzaboot. I do feel like the "right" solution is for Lanzaboot to internally have a concept of "payloadPath" (maybe, rather than entriesPath) since in this case lanzaboot is installing EFI binaries, rather than entries conf files). And then this would be exposed out to the nixos module.

So, in my opinion, ideally I'd be able to remove the bind mount and then set boot.lanzaboot.payloadPath = "/boot" and have it work.

@RaitoBezarius I'm not really sure! I think, generally, NixOS should make this pattern easier to achieve, and as far as I know, it's basically just not supported (without my PR for systemd-boot anyway). And thus similarly lanzaboot. Personally, I would prefer lanzaboot to not require me to (manually) set up bind mounts, when they're really only here to workaround what feels like a feature deficit in Lanzaboot. I do feel like the "right" solution is for Lanzaboot to internally have a concept of "payloadPath" (maybe, rather than `entriesPath`) since in this case lanzaboot is installing EFI binaries, rather than entries conf files). And then this would be exposed out to the nixos module. So, in my opinion, ideally I'd be able to remove the bind mount and then set `boot.lanzaboot.payloadPath = "/boot"` and have it work.
RaitoBezarius commented 2023-05-03 17:09:01 +00:00 (Migrated from github.com)
Copy link

cc @nikstur

I don't really like payloadPath, I think we should have the extension extendedPath in bootspec (no pun) and keep the efiSysMountPoint parameter (which already exist) and rely on this for EFI.

And then, we could have extendedPath as part of boot.extendedPath and be it an sanctioned nixpkgs extension of bootspec.

cc @nikstur I don't really like `payloadPath`, I think we should have the extension `extendedPath` in bootspec (no pun) and keep the efiSysMountPoint parameter (which already exist) and rely on this for EFI. And then, we could have `extendedPath` as part of `boot.extendedPath` and be it an sanctioned nixpkgs extension of bootspec.
colemickens commented 2023-05-03 18:07:51 +00:00 (Migrated from github.com)
Copy link

I haven't fully had a chance to grok what is "in scope" of bootspec, vs extensions, vs left up to the "installer", so I can't offer an opinion. But I do like the last sentence, anyway. I do think I'm a bit nervous about what I'd argue is core functionality in extensions, but I also haven't had a chance to wrap my head around extensions, how they work, if there's a graduation path for them, etc.

Personally, I think most tools around bootloaders make some invalid assumptions that everything goes into the ESP (see, nixpkgs/lanzaboot having the ability to configure the ESP path, but not the path for installing payloads). This isn't true with xbootldr, and I'd argue, it's "cleaner" this way too. I like my ESP just containing the bootloader and then the /boot partition containing the actual payloads.

I haven't fully had a chance to grok what is "in scope" of bootspec, vs extensions, vs left up to the "installer", so I can't offer an opinion. But I do like the last sentence, anyway. I do think I'm a bit nervous about what I'd argue is core functionality in extensions, but I also haven't had a chance to wrap my head around extensions, how they work, if there's a graduation path for them, etc. Personally, I think most tools around bootloaders make some invalid assumptions that everything goes into the ESP (see, nixpkgs/lanzaboot having the ability to configure the ESP path, but not the path for installing payloads). This isn't true with xbootldr, and I'd argue, it's "cleaner" this way too. I like my ESP just containing the bootloader and then the /boot partition containing the actual payloads.
bb010g commented 2024-03-11 03:40:35 +00:00 (Migrated from github.com)
Copy link

Note that https://github.com/NixOS/nixpkgs/pull/285401 has finally been merged.

Note that <https://github.com/NixOS/nixpkgs/pull/285401> has finally been merged.
JohnRTitor commented 2024-03-14 11:30:24 +00:00 (Migrated from github.com)
Copy link

Note: the PR to support xbootldr partition has been accepted into nixpkgs, it's available as a option. boot.loader.systemd-boot.xbootldrMountPoint.

Note: [the PR](https://github.com/NixOS/nixpkgs/pull/285401) to support xbootldr partition has been accepted into nixpkgs, it's available as a option. `boot.loader.systemd-boot.xbootldrMountPoint`.
🎉 1
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
test
qm3ster/patch-1
blitz/npins
enroll-keys
github-actions
systemd-sb-enroll
fix-ci
bump-edk2
global-credentials
signing-client
in-memory-assembling
cpio-packing
uboot
netboot
experiment-sd-addons
insecure-boot
refactor-building
tpm2-pcr-sections
bootsplash
sd-stub-dtb
bzimage-load
configuration-limit-test
boot-file-integrity-investigation
crane-uefi
v0.4.2
v0.4.1
v0.4.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
bug

Something isn't working

  
dependency

Issues related to our dependencies

  
documentation

Improvements or additions to documentation

  
duplicate

This issue or pull request already exists

  
enhancement

New feature or request

  
good first issue

Good for newcomers

  
help wanted

Extra attention is needed

  
invalid

This doesn't seem right

  
question

Further information is requested

  
review-next

   
security

   
stub

   
tool

   
wontfix

This will not be worked on

No labels
bug
dependency
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
review-next
security
stub
tool
wontfix
Milestone
Clear milestone
No items
No milestone
Release 2.0.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: raito/lanzaboote#173
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?