Merge "Correct boot path to cover FIPS usage cases"

Zuul 2023-03-21 06:39:00 +00:00 committed by Gerrit Code Review
commit 9c1ee6dcd8
4 changed files with 53 additions and 1 deletions


@ -316,6 +316,20 @@ class BlockDevice(object):
print("%s" % root_fs['type']) print("%s" % root_fs['type'])
return 0 return 0
if symbol == "boot-label":
try:
boot_mount = self._config_get_mount("/boot")
boot_fs = self._config_get_mkfs(boot_mount['base'])
# If not explicitly defined, we appear to fallback
# to name for a label, which we can only get from the
# resulting filesystem config.
boot_label = boot_fs.get('label', boot_fs.get('name', ''))
except AssertionError:
boot_label = ''
logger.debug("boot-label [%s]", boot_label)
print("%s" % boot_label)
return 0
if symbol == 'mount-points': if symbol == 'mount-points':
mount_points = self._config_get_all_mount_points() mount_points = self._config_get_all_mount_points()
# we return the mountpoints joined by a pipe, because it is not # we return the mountpoints joined by a pipe, because it is not
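Review bot: The value emitted by `print("%s" % boot_label)` is consumed by the bootloader element and interpolated verbatim into `GRUB_CMDLINE_LINUX_DEFAULT` as `boot=LABEL=…`, but nothing in this branch restricts it to the character set that element's cleanup sed later matches (`[0-9A-Za-z/=\-]`), so a label containing whitespace, a double quote or an underscore produces a command line that is either split, terminated early when /etc/default/grub is sourced, or only partially removed on the next rebuild. A guard before the print along the lines of `if boot_label and not re.fullmatch(r'[0-9A-Za-z/=-]+', boot_label): raise ValueError("boot label contains characters unsafe for the kernel command line")` (using whichever exception the caller of getval already handles, and importing `re` if the module does not yet) keeps the producer and the consumer in agreement. The `except AssertionError` fallback presumably mirrors how `_config_get_mount` signals a missing /boot elsewhere; that is not visible in the hunk, so it would be worth a one-line comment such as `# _config_get_mount asserts when no /boot mount is configured; treat that as "no label"`. As a point of style, the new `"boot-label"` comparison uses double quotes while the neighbouring `'mount-points'` branch uses single quotes. The enclosing getval method starts and ends outside this hunk.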


@ -88,6 +88,29 @@ echo "GRUB_TIMEOUT=${DIB_GRUB_TIMEOUT:-5}" >>/etc/default/grub
echo 'GRUB_TERMINAL="serial console"' >>/etc/default/grub echo 'GRUB_TERMINAL="serial console"' >>/etc/default/grub
echo 'GRUB_GFXPAYLOAD_LINUX=auto' >>/etc/default/grub echo 'GRUB_GFXPAYLOAD_LINUX=auto' >>/etc/default/grub
# NOTE(TheJulia): We need to remove any boot entry from the /etc/default/grub
# file that may already exist, such as what was added by fips being setup on
# either in the source image or by by an element, as we repack the image.
# with new filesystems.
# Matches any element which looks like " boot=" and the associated value
# in order for us to have a clean starting point to put a value in place,
# if applicable.
# Removes entry trailing with a space, or any entry where boot is set as
# the last argument on the line.
sed -i 's/\ boot=[0-9A-Za-z/=\-]\+//' /etc/default/grub
# NOTE(TheJulia): When using FIPS, dracut wants to evaluate
# the hmac files for the kernel checksum. However, if /boot is
# located on a separate filesystem from the root filesystem,
# than this fails. As a result, we need to identify IF /boot
# is a separate filesystem, and convey this fact as a boot
# argument so dracut does not halt the system on boot.
if [[ -n "${DIB_BOOT_LABEL}" ]]; then
BOOT_FS="boot=LABEL=${DIB_BOOT_LABEL}"
else
BOOT_FS=""
fi
if [[ -n "${DIB_BOOTLOADER_SERIAL_CONSOLE}" ]]; then if [[ -n "${DIB_BOOTLOADER_SERIAL_CONSOLE}" ]]; then
SERIAL_CONSOLE="${DIB_BOOTLOADER_SERIAL_CONSOLE}" SERIAL_CONSOLE="${DIB_BOOTLOADER_SERIAL_CONSOLE}"
elif [[ "powerpc ppc64 ppc64le" =~ "$ARCH" ]]; then elif [[ "powerpc ppc64 ppc64le" =~ "$ARCH" ]]; then
@ -100,7 +123,7 @@ else
fi fi
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=${SERIAL_CONSOLE} no_timer_check" GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=${SERIAL_CONSOLE} no_timer_check"
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE}\"" >>/etc/default/grub echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS}\"" >>/etc/default/grub
echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub
# os-prober leaks /dev/sda into config file in dual-boot host # os-prober leaks /dev/sda into config file in dual-boot host
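Review bot: The cleanup on the `sed -i 's/\ boot=[0-9A-Za-z/=\-]\+//' /etc/default/grub` line removes only the first `boot=` occurrence on a line and its character class excludes `_` and `.`, so a pre-existing `boot=LABEL=my_boot` is left as a dangling `_boot` token and any second entry survives, contradicting the comment's "clean starting point"; suggest `sed -i 's/ boot=[0-9A-Za-z/=._\-]\+//g' /etc/default/grub`. The companion `BOOT_FS="boot=LABEL=${DIB_BOOT_LABEL}"` assignment is then written unquoted inside the double-quoted `GRUB_CMDLINE_LINUX_DEFAULT` value in the second hunk, and /etc/default/grub is sourced as shell by grub-mkconfig, so a label containing whitespace, `"` or `$` would split the parameter or be expanded rather than passed through; rejecting labels outside the same character class the sed accepts (e.g. `[[ "${DIB_BOOT_LABEL}" =~ ^[0-9A-Za-z/=._-]+$ ]] || { echo "unsafe boot label" >&2; exit 1; }`) keeps producer and consumer consistent. Minor: the NOTE above the sed reads "by by an element" and "than this fails".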


@ -343,6 +343,11 @@ export DIB_ROOT_LABEL
DIB_ROOT_FSTYPE=$(${DIB_BLOCK_DEVICE} getval root-fstype) DIB_ROOT_FSTYPE=$(${DIB_BLOCK_DEVICE} getval root-fstype)
export DIB_ROOT_FSTYPE export DIB_ROOT_FSTYPE
# Need to get the boot device label because, if defined, we may
# need to update boot configuration in some cases
DIB_BOOT_LABEL=$(${DIB_BLOCK_DEVICE} getval boot-label)
export DIB_BOOT_LABEL
# retrieve mount points so we can reuse in elements # retrieve mount points so we can reuse in elements
DIB_MOUNTPOINTS=$(${DIB_BLOCK_DEVICE} getval mount-points) DIB_MOUNTPOINTS=$(${DIB_BLOCK_DEVICE} getval mount-points)
export DIB_MOUNTPOINTS export DIB_MOUNTPOINTS


@ -0,0 +1,10 @@
---
fixes:
- |
Fixes the GRUB2 bootloader kernel command line where a prior ``boot``
parameter could cause issues with bootloader configuration when
an image is rebuilt and the ``bootloader`` element is utilized.
We now remove any prior ``boot`` parameter in */etc/default/grub*
when executing the ``bootloader`` element, and then assert a
valid entry ``boot`` parameter if a */boot* partition is defined
as part of the image build.