Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sdbootutil for openSUSE:Factory checked in at 2026-05-08 16:42:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old) and /work/SRC/openSUSE:Factory/.sdbootutil.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sdbootutil" Fri May 8 16:42:06 2026 rev:102 rq:1351271 version:1+git20260506.25d47bf Changes: -------- --- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes 2026-04-23 17:03:11.749245200 +0200 +++ /work/SRC/openSUSE:Factory/.sdbootutil.new.1966/sdbootutil.changes 2026-05-08 16:42:13.449333083 +0200 @@ -1,0 +2,20 @@ +Wed May 06 18:46:10 UTC 2026 - Alberto Planas Dominguez <[email protected]> + +- Update to version 1+git20260506.25d47bf: + * Drop systemd.machine_id if /etc/machine-id is present + * Support XBOOTLDR partition + * Add CLAUDE.md file + * Use command -v instead of hash + * Remove dead code + * Fix regular expression non-capturing group + * Add comment about default values in config file + * Clarify when swap is mounted + * Fix typo in comment + * Exit early if we are outside the initrd + * Fix variable name + * Fix typo + * When cleaning pcrlock.d remove only the content + * Do not check in_buildroot when updating entries + * update_kernels: Update entries for the system if no snapshot is provided + +------------------------------------------------------------------- Old: ---- sdbootutil-1+git20260421.88e40c4.obscpio New: ---- sdbootutil-1+git20260506.25d47bf.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sdbootutil.spec ++++++ --- /var/tmp/diff_new_pack.ioeqeK/_old 2026-05-08 16:42:14.505376845 +0200 +++ /var/tmp/diff_new_pack.ioeqeK/_new 2026-05-08 16:42:14.509377011 +0200 @@ -18,7 +18,7 @@ %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now' Name: sdbootutil -Version: 1+git20260421.88e40c4 +Version: 1+git20260506.25d47bf Release: 0 Summary: Bootctl wrapper for BLS boot loaders License: MIT ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.ioeqeK/_old 2026-05-08 16:42:14.565379331 +0200 +++ /var/tmp/diff_new_pack.ioeqeK/_new 2026-05-08 16:42:14.569379497 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/sdbootutil.git</param> - <param name="changesrevision">88e40c4a5d98d5c0f977478f72cdfce596a463c5</param></service></servicedata> + <param name="changesrevision">25d47bf10ddc4b8b8c6061e82670e8f82fe8916b</param></service></servicedata> (No newline at EOF) ++++++ sdbootutil-1+git20260421.88e40c4.obscpio -> sdbootutil-1+git20260506.25d47bf.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260421.88e40c4/10-sdbootutil.snapper new/sdbootutil-1+git20260506.25d47bf/10-sdbootutil.snapper --- old/sdbootutil-1+git20260421.88e40c4/10-sdbootutil.snapper 2026-04-21 10:34:02.000000000 +0200 +++ new/sdbootutil-1+git20260506.25d47bf/10-sdbootutil.snapper 2026-05-06 20:45:00.000000000 +0200 @@ -31,7 +31,7 @@ # The entries are added here only for Tumbleweed # (non-transactional systems) /usr/bin/sdbootutil add-all-kernels "$num" || : - # In Tumblweed clean the default snapshot, not the new created + # In Tumbleweed clean the default snapshot, not the new created /usr/bin/sdbootutil cleanup || : } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260421.88e40c4/CLAUDE.md new/sdbootutil-1+git20260506.25d47bf/CLAUDE.md --- old/sdbootutil-1+git20260421.88e40c4/CLAUDE.md 1970-01-01 01:00:00.000000000 +0100 +++ new/sdbootutil-1+git20260506.25d47bf/CLAUDE.md 2026-05-06 20:45:00.000000000 +0200 @@ -0,0 +1,283 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Project Overview + +`sdbootutil` is a bootctl wrapper for BLS (Boot Loader Specification) boot loaders (systemd-boot and grub2-bls) designed for btrfs-based, snapper-managed systems. It manages the full lifecycle of bootloader installations with Full Disk Encryption (FDE) support based on systemd. + +**Key Capabilities:** +- Installs and updates systemd-boot with shim for secure boot +- Manages kernel entries in ESP (EFI System Partition) with snapshot awareness +- Handles btrfs snapshots via snapper integration +- Implements full disk encryption enrollment (TPM2, FIDO2, password) +- Uses checksums for kernel/initrd deduplication across snapshots +- Manages PCR (Platform Configuration Register) predictions for TPM2 + +## Architecture + +### Core Components + +1. **`sdbootutil` (main bash script)** - 4400+ lines + - Primary interface for all bootloader operations + - Handles kernel/entry management, snapshot integration, FDE enrollment + - Entry point for snapper hooks and RPM triggers + +2. **`uhmac/` (Rust utility)** - HMAC calculation utility + - Used for cryptographic operations in FDE scenarios + - Built with cargo, linked as `%{_libexecdir}/sdbootutil/uhmac` + +3. **Integration Scripts:** + - `10-sdbootutil.snapper` - Snapper plugin for snapshot lifecycle hooks + - `kernelhooks.lua` - RPM file trigger for kernel package install/remove + - `10-sdbootutil.tukit` - Tukit plugin for transactional systems + - `50-sdbootutil.install` - kernel-install plugin script + +4. **FDE/TPM Components:** + - `measure-pcr-generator.sh` - Generates PCR 15 predictions + - `measure-pcr-validator.sh` - Validates PCR measurements at boot + - `sdbootutil-enroll` - Enrollment service wrapper + - `jeos-firstboot-enroll` - JEOS integration for first-boot enrollment + +### How Snapshots Work + +Unlike standard systemd-boot which assumes one OS instance per kernel version, sdbootutil extends this for btrfs snapshots where multiple subvolumes share kernels: + +- **Entry naming:** `{machine-id}-{version}-{snapshot}.conf` (e.g., `2ceda9f-6.2.1-1-default-15.conf`) +- **Kernel/initrd deduplication:** Uses checksums instead of snapshot numbers in filenames + - Example: `linux-b021b508eb42b2afd06de8f0242b9727aa7dc494` + - Allows multiple snapshots to share same kernel/initrd files +- **Reference counting:** Uses `bootctl unlink` and `bootctl cleanup` to safely remove entries +- **Initrd reuse:** Intelligently reuses initrds from parent snapshots when possible + +### System Integration Points + +**Snapper Hooks** (`10-sdbootutil.snapper`): +- `create-snapshot-post`: Updates bootloader, adds entries (Tumbleweed) or defers to set-default (transactional) +- `delete-snapshot-pre`: Removes entries for deleted snapshot +- `set-default-snapshot-post`: Sets bootloader default, adds entries (transactional systems only) + +**RPM Triggers** (`kernelhooks.lua`): +- Monitors `/usr/lib/modules/{version}/vmlinuz` installations +- Filters out legacy `/boot/vmlinuz-*` locations +- Calls `sdbootutil add-kernel` / `remove-kernel` automatically +- Note: File triggers can be unreliable with zypper + +**Transactional vs Non-Transactional:** +- **Transactional (MicroOS):** Kernel entries added in `set-default-snapshot-post` after transaction completes +- **Non-Transactional (Tumbleweed):** Kernel entries added immediately in `create-snapshot-post` + +## Common Commands + +### Build + +```bash +# Build uhmac utility (Rust) +cd uhmac +cargo build --release + +# For RPM build, see sdbootutil.spec (%build and %install sections) +``` + +### Testing sdbootutil + +```bash +# Enable trace mode (outputs to /var/log/sdbootutil.log) +sudo ./sdbootutil --start-trace-code <command> +sudo ./sdbootutil --stop-trace-code + +# Verbose output +sudo ./sdbootutil -v <command> + +# Check bootloader status +sudo ./sdbootutil is-installed +sudo ./sdbootutil bootloader + +# List entries/kernels for snapshot +sudo ./sdbootutil list-entries [snapshot] +sudo ./sdbootutil list-kernels [snapshot] +sudo ./sdbootutil list-snapshots + +# Test kernel entry management +sudo ./sdbootutil add-kernel <version> [snapshot] +sudo ./sdbootutil remove-kernel <version> [snapshot] +sudo ./sdbootutil cleanup [snapshot] +``` + +### Full Disk Encryption Operations + +```bash +# Enroll TPM2 with PIN +sudo ./sdbootutil enroll --method tpm2+pin + +# Enroll FIDO2 key +sudo ./sdbootutil enroll --method fido2 + +# Update PCR predictions after kernel/bootloader changes +sudo ./sdbootutil update-predictions + +# List tracked encrypted devices +sudo ./sdbootutil list-devices +``` + +### Bootloader Management + +```bash +# Install bootloader with shim (secure boot) +sudo ./sdbootutil install --secure-boot + +# Check if bootloader needs update +sudo ./sdbootutil needs-update + +# Update bootloader (only if newer version available) +sudo ./sdbootutil update + +# Force update bootloader to match system version +sudo ./sdbootutil update --sync +``` + +## Configuration + +### Config File Hierarchy +1. `/etc/sdbootutil.conf` - User configuration (loaded if exists) +2. Auto-generated from defaults if bootloader installed but no config exists +3. CLI arguments override config file values + +**Key Config Variables:** +- `ENTRY_TOKEN` - Entry identifier (default: machine-id) +- `ESP_PATH` - ESP mount point +- `BOOTLOADER_TYPE` - "systemd-boot" or "grub2-bls" +- `UPDATE_NVRAM` - Whether to update EFI variables +- `REUSE_INITRD` - Whether to reuse initrds from parent snapshots + +### ESP Directory Structure + +``` +ESP/ +├── {entry-token}/ # e.g., 2ceda9f/ +│ └── {kernel-version}/ # e.g., 6.2.1-1-default/ +│ ├── linux-{checksum} # Deduplicated kernel +│ └── initrd-{checksum} # Deduplicated initrd +├── EFI/ +│ ├── BOOT/ +│ │ └── BOOTX64.EFI # Shim for removable media +│ └── systemd/ +│ ├── systemd-bootx64.efi +│ ├── shim.efi +│ └── grub.efi # Actually systemd-boot when using shim +└── loader/ + ├── entries/ + │ └── {entry-token}-{version}-{snapshot}.conf + └── loader.conf # Default entry, timeout +``` + +## Important Implementation Details + +### Entry Configuration Format + +Entries include snapshot-specific `rootflags=subvol=` parameter: + +``` +title openSUSE Tumbleweed +version [email protected] +machine-id 2ceda9f +sort-key opensuse-tumbleweed +options root=UUID=... rootflags=subvol=@/.snapshots/15/snapshot +linux /2ceda9f/6.2.1-1-default/linux-{checksum} +initrd /2ceda9f/6.2.1-1-default/initrd-{checksum} +``` + +### Checksum-Based Deduplication + +Function `install_kernel()` uses SHA-256 checksums to: +1. Check if identical kernel/initrd already exists in ESP +2. Reuse existing files instead of copying duplicates +3. Maintain reference counts for safe cleanup + +### Initrd Reuse Logic + +`reuse_initrd()` function (lines 901+): +- Compares kernel versions between snapshots +- If kernel version matches, reuses parent snapshot's initrd +- Checks both vmlinuz and modules to ensure compatibility +- Can be disabled with `--no-reuse-initrd` + +### PCR Prediction System + +Full disk encryption relies on PCR (Platform Configuration Register) predictions: + +1. **Generation** (`measure-pcr-generator.sh`): + - Calculates expected PCR 15 values for initrd measurements + - Signs predictions with private key + - Stores in `/var/lib/sdbootutil/measure-pcr-prediction` + +2. **Validation** (`measure-pcr-validator.sh`, `measure-pcr-validator.service`): + - Runs at boot to verify PCR 15 matches prediction + - Checks signature validity + - Prevents boot if validation fails (unless `measure-pcr-validator.ignore` set) + +### State File for Transactional Systems + +`/var/lib/misc/transactional-update.state` stores state across reboots for read-only root systems. + +### Debug Tracing + +When `--start-trace-code` is used: +- Creates `/var/log/sdbootutil.log` +- Enables `set -x` with BASH_XTRACEFD=3 +- Custom PS4 with timestamps and source locations +- WARNING: May contain secrets (encryption keys, passwords) + +## Common Development Patterns + +### Adding New Commands + +1. Add command handler function (e.g., `my_command()`) +2. Add to help text in `helpandquit()` +3. Add case in main command switch (line 4353+) +4. Update bash completion in `completions/bash_sdbootutil` + +### Working with Snapshots + +Always use `${snapshot:-$root_snapshot}` pattern for optional snapshot argument, where `$root_snapshot` is the current/default snapshot. + +### Error Handling + +- Use `err()` for fatal errors (exits with status 1) +- Use `warn()` for non-fatal warnings +- Use `info()` for user-facing messages +- Use `dbg()` / `dbg_var()` / `dbg_cat()` for debug output (only when verbose mode enabled) + +### Rollback Support + +Functions can use `install_with_rollback()` to backup files before modification. On cleanup (error or exit), `rollback[@]` array is processed to restore backups. + +## Dependencies + +**Runtime:** +- systemd (for bootctl, systemd-pcrlock) +- snapper (for snapshot integration) +- dracut (for initrd generation) +- btrfs-progs (for btrfs operations) +- tpm2-tools, keyutils (for FDE) +- efibootmgr (for NVRAM management) +- jq, sed, openssl, qrencode (utilities) + +**Build:** +- cargo, cargo-packaging (for uhmac) +- libopenssl-devel (for uhmac) +- systemd-rpm-macros (for packaging) + +## Testing Considerations + +- Changes to bootloader logic should be tested in VMs with btrfs + snapper +- FDE enrollment requires TPM2 device or FIDO2 hardware +- Snapshot operations require active snapper configuration +- Secure boot testing requires shim + signed binaries in `/usr/share/efi/$(uname -m)` +- Always test both transactional and non-transactional paths + +## Related Documentation + +- **ARCHITECTURE.md** - Detailed explanation of bootloader spec implementation with snapshots +- **sdbootutil.spec** - RPM packaging, subpackages, dependencies +- See upstream: [Boot Loader Specification](https://uapi-group.org/specifications/specs/boot_loader_specification/) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260421.88e40c4/measure-pcr-generator.sh new/sdbootutil-1+git20260506.25d47bf/measure-pcr-generator.sh --- old/sdbootutil-1+git20260421.88e40c4/measure-pcr-generator.sh 2026-04-21 10:34:02.000000000 +0200 +++ new/sdbootutil-1+git20260506.25d47bf/measure-pcr-generator.sh 2026-05-06 20:45:00.000000000 +0200 @@ -4,17 +4,18 @@ # For a generator, the first parameter `normal-dir` is not optional [ -n "$1" ] || { echo "Missing normal-dir parameter"; exit 1; } -[ -f "/etc/crypttab" ] || exit 0; +[ -f "/etc/crypttab" ] || exit 0 + +# Only the entries in /etc/crypttab in the initrd should participate +# from the extension for now. The reason is that extensions after the +# switch root cannot participate in abort the boot process from initrd +# itself +[ -f "/etc/initrd-release" ] || exit 0 # Read /etc/crypttab lines that contains tpm2-device and # tpm2-measure-pcr. It will order the services as listed in this file after="" while read -r name _ _ opts; do - # Only the entries in /etc/crypttab in the initrd should - # participate from the extension for now. The reason is that - # extensions after the switch root cannot participate in abort - # the boot process from initrd itself - [ -f "/etc/initrd-release" ] || continue [[ "$name" = \#* ]] && continue [[ "$opts" != *"tpm2-device="* ]] && continue [[ "$opts" != *"tpm2-measure-pcr="* ]] && continue @@ -41,6 +42,7 @@ while read -r name _ _ opts; do [[ "$name" = \#* ]] && continue [[ "$opts" != *"fido2-device="* ]] && continue + name="$(systemd-escape "$name")" mkdir -p "$1/systemd-cryptsetup@$name.service.d" [ -f "$1/systemd-cryptsetup@$name.service.d/measure-pcr.conf" ] || { echo "# Automatically generated by measure-pcr-generator" > "$1/systemd-cryptsetup@$name.service.d/measure-pcr.conf" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260421.88e40c4/sdbootutil new/sdbootutil-1+git20260506.25d47bf/sdbootutil --- old/sdbootutil-1+git20260421.88e40c4/sdbootutil 2026-04-21 10:34:02.000000000 +0200 +++ new/sdbootutil-1+git20260506.25d47bf/sdbootutil 2026-05-06 20:45:00.000000000 +0200 @@ -48,7 +48,7 @@ arg_force= have_snapshots= in_buildroot= -# for x in vmlinuz image vmlinux linux bzImage uImage Image zImage; do +# Possible values: vmlinuz image vmlinux linux bzImage uImage Image zImage image= unlock_method= @@ -369,6 +369,7 @@ ROOTFS="$ROOTFS" # Percentage (%) of free space in the ESP that sdbootutil should guarantee + # Default values is 10% ESP_FREE_SPACE="$ESP_FREE_SPACE" EOF } @@ -612,8 +613,7 @@ # - Replace or add root= to refers to [PART]{UUID, LABEL}, or # mapped device # - Replace or add rootflags to point at correct subvolume - # - Replace or add systemd.machine-id to match current - # machine-id + # - Delete systemd.machine_id if /etc/machine-id is present # # From the sed manual: # ‘t’ @@ -632,7 +632,7 @@ "-e s/\$//;ta;:a" "-e s,\<root=[^ ]*,root=$root_param,;tb;s,\$, root=$root_param,;tc;:c;:b") [ -z "$subvol" ] || sed_arguments+=("-e s,\<rootflags=subvol=[^ ]*,rootflags=subvol=$subvol,;td;s,\$, rootflags=subvol=$subvol,;te;:e;:d") - [ -z "$machine_id" ] || sed_arguments+=("-e s,\<systemd.machine_id=[^ ]*,systemd.machine_id=$machine_id,;tf;s,\$, systemd.machine_id=$machine_id,;tg;:g;:f") + [ -n "$machine_id" ] || sed_arguments+=("-e s/\<systemd.machine_id=[^ ]* \?//") sed "${sed_arguments[@]}" } @@ -1025,12 +1025,12 @@ boot_space() { - echo $(($(findmnt --noheadings --bytes -o SIZE --target "$boot_root" | head -n 1) / 1024)) + echo $(($(findmnt --noheadings --bytes -o SIZE --target "${boot_root}" | head -n 1) / 1024)) } boot_free_space() { - echo $(($(findmnt --noheadings --bytes -o AVAIL --target "$boot_root" | head -n 1) / 1024)) + echo $(($(findmnt --noheadings --bytes -o AVAIL --target "${boot_root}" | head -n 1) / 1024)) } regex_snapshot_ids_for_free_space() @@ -1055,7 +1055,7 @@ if [ "${#snapshots[@]}" = 1 ]; then re="${!snapshots[*]}" else - IFS='|' eval re='"(:?${!snapshots[*]})"' + IFS='|' eval re='"(?:${!snapshots[*]})"' fi echo "$re" @@ -1242,7 +1242,7 @@ local initrd="${src%/*}/initrd" - mkdir -p "$boot_root${dst%/*}" + mkdir -p "${boot_root}${dst%/*}" if [ -e "$initrd" ]; then ln -s "$initrd" "$tmpdir/initrd-0" @@ -1273,7 +1273,7 @@ fi fi - make_free_space_for_kernel "$snapshot" || err "No free space in $boot_root for new kernel" + make_free_space_for_kernel "$snapshot" || err "No free space in ${boot_root} for new kernel" local boot_options [ -z "$in_buildroot" ] || subvol="${subvol_prefix}/.snapshots/${snapshot}/snapshot" @@ -1314,16 +1314,16 @@ dbg_cat "$tmpdir/entry.conf" local failed= - if [ ! -e "$boot_root$dst" ]; then - install_with_rollback "$src" "$boot_root$dst" || failed=kernel + if [ ! -e "${boot_root}$dst" ]; then + install_with_rollback "$src" "${boot_root}$dst" || failed=kernel else - info "Reusing $boot_root$dst" + info "Reusing ${boot_root}$dst" fi if [ -z "$failed" ] && [ -e "$tmpdir/initrd-0" ]; then i=0 while [ -e "$tmpdir/initrd-$i" ]; do - if [ ! -e "$boot_root${dstinitrd[$i]}" ]; then - install_with_rollback "$tmpdir/initrd-$i" "$boot_root${dstinitrd[$i]}" || { failed=initrd; break; } + if [ ! -e "${boot_root}${dstinitrd[$i]}" ]; then + install_with_rollback "$tmpdir/initrd-$i" "${boot_root}${dstinitrd[$i]}" || { failed=initrd; break; } rm -f "$tmpdir/initrd-$i" fi ((++i)) @@ -1352,8 +1352,8 @@ # removes them local entry_name loader_entry loader_entry_current entry_name="$(entry_conf_file "$kernel_version" "$snapshot")" - loader_entry="$boot_root/loader/entries/$(entry_conf_file "$kernel_version" "$snapshot" "$tries")" - loader_entry_current="$(find "$boot_root/loader/entries" -maxdepth 1 -type f -name "${entry_name%.conf}*" -print -quit)" + loader_entry="${boot_root}/loader/entries/$(entry_conf_file "$kernel_version" "$snapshot" "$tries")" + loader_entry_current="$(find "${boot_root}/loader/entries" -maxdepth 1 -type f -name "${entry_name%.conf}*" -print -quit)" install_with_rollback "$tmpdir/entry.conf" "$loader_entry" "$loader_entry_current" || failed="bootloader entry" rm -f "$tmpdir/entry.conf" fi @@ -1539,9 +1539,7 @@ local snapshot="$2" local subvol="" - if [ -n "$have_snapshots" ] || [ -z "$in_buildroot" ]; then - subvol="${subvol_prefix}/.snapshots/${snapshot}/snapshot" - fi + [ -z "$have_snapshots" ] || subvol="${subvol_prefix}/.snapshots/${snapshot}/snapshot" local boot_options boot_options="$(create_boot_options "$subvol")" @@ -1584,6 +1582,8 @@ info "Updating all boot entries" + settle_entry_token "${snapshot}" + [ -z "$TRANSACTIONAL_UPDATE" ] || [ -n "$arg_force" ] || { warn "Inside transactional-update. Updating boot entries must be done outside the transaction" return 0 @@ -1668,7 +1668,11 @@ for kv in "${!found_kernels[@]}"; do installed_kernels["/$entry_token/$kv/linux-${found_kernels[$kv]}"]='' done - update_entries_for_snapshot "$snapshot" + if [ -n "$snapshot" ]; then + update_entries_for_snapshot "$snapshot" + else + update_entries_for_this_system + fi # XXX: maybe we should parse the actual path in the entry while read -r path id; do @@ -1723,9 +1727,9 @@ { # Check if shim is installed in the ESP # In installed systems there should be a shim.efi - [ ! -f "${boot_root}${boot_dst}/shim.efi" ] || return 0 + [ ! -f "${esp_root}${esp_dst}/shim.efi" ] || return 0 # In removable media there is only BOOT${arch}.EFI - ! grep -q "UEFI SHIM" "${boot_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" 2> /dev/null || return 0 + ! grep -q "UEFI SHIM" "${esp_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" 2> /dev/null || return 0 return 1 } @@ -1743,13 +1747,13 @@ local fn="$1" if [ -z "$1" ]; then if is_shim_installed; then - fn="$boot_root$boot_dst/grub.efi" + fn="${esp_root}${esp_dst}/grub.efi" elif [ -n "$arg_portable" ]; then - fn="$boot_root/EFI/BOOT/BOOT${firmware_arch^^}.EFI" + fn="${esp_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" else local bootloader bootloader="$(find_bootloader)" - fn="$boot_root$boot_dst/${bootloader##*/}" + fn="${esp_root}${esp_dst}/${bootloader##*/}" fi fi [ -e "$fn" ] || return 1 @@ -1772,7 +1776,7 @@ is_installed() { info "Checking if the bootloader is installed" - bootloader_version > /dev/null && [ -e "$boot_root/$boot_dst/installed_by_sdbootutil" ] + bootloader_version > /dev/null && [ -e "${esp_root}/${esp_dst}/installed_by_sdbootutil" ] } find_sdboot() @@ -1857,10 +1861,10 @@ return 1 } -boot_root_drive_partno_dseq() +esp_root_drive_partno_dseq() { local blkpart drive disk_seq_min - blkpart="$(findmnt -nvo SOURCE "$boot_root")" + blkpart="$(findmnt -nvo SOURCE "$esp_root")" drive="${blkpart##*/}" lsblk -o NAME,PKNAME,PARTN,DISK-SEQ --json > "$devicefile" # Read the json file with all the devices and, recursively, @@ -1913,29 +1917,30 @@ dbg_var "bootloader" dbg_var "bldr_name" - mkdir -p "$boot_root/loader/entries" + mkdir -p "${esp_root}/loader" + mkdir -p "${boot_root}/loader/entries" if [ -n "$arg_secure_boot" ] && [ ! -e "$prefix$shimdir/shim.efi" ]; then warn "A secure boot installation cannot be done. The shim package is not installed" fi if [ -n "$arg_secure_boot" ] && [ -e "$prefix$shimdir/shim.efi" ]; then - info "Installing $bldr_name with shim into $boot_root" - entry="$boot_dst/shim.efi" + info "Installing $bldr_name with shim into $esp_root" + entry="$esp_dst/shim.efi" for i in MokManager shim; do - [ -n "$arg_portable" ] || install -p -D "$prefix$shimdir/$i.efi" "$boot_root$boot_dst/$i.efi" + [ -n "$arg_portable" ] || install -p -D "$prefix$shimdir/$i.efi" "${esp_root}${esp_dst}/$i.efi" done - install -p -D "$bootloader" "$boot_root$boot_dst/grub.efi" + install -p -D "$bootloader" "${esp_root}${esp_dst}/grub.efi" # boot entry point - install -p -D "$prefix$shimdir/MokManager.efi" "$boot_root/EFI/BOOT/MokManager.efi" - [ -n "$arg_portable" ] || install -p -D "$prefix$shimdir/fallback.efi" "$boot_root/EFI/BOOT/fallback.efi" - install -p -D "$prefix$shimdir/shim.efi" "$boot_root/EFI/BOOT/BOOT${firmware_arch^^}.EFI" + install -p -D "$prefix$shimdir/MokManager.efi" "${esp_root}/EFI/BOOT/MokManager.efi" + [ -n "$arg_portable" ] || install -p -D "$prefix$shimdir/fallback.efi" "${esp_root}/EFI/BOOT/fallback.efi" + install -p -D "$prefix$shimdir/shim.efi" "${esp_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" else - info "Installing $bldr_name without shim into $boot_root" - entry="$boot_dst/${bootloader##*/}" - [ -n "$arg_portable" ] || install -p -D "$bootloader" "$boot_root$entry" - install -p -D "$bootloader" "$boot_root/EFI/BOOT/BOOT${firmware_arch^^}.EFI" + info "Installing $bldr_name without shim into $esp_root" + entry="$esp_dst/${bootloader##*/}" + [ -n "$arg_portable" ] || install -p -D "$bootloader" "${esp_root}$entry" + install -p -D "$bootloader" "${esp_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" fi # shellcheck disable=SC2154 @@ -1946,23 +1951,24 @@ boot_manager="${split[0]} Boot Manager" # This is for shim to create the entry if missing - [ -n "$arg_portable" ] || echo "${entry##*/},$boot_manager" | { echo -ne "\xff\xfe"; iconv -f ascii -t ucs-2le; } > "$boot_root$boot_dst/boot.csv" + [ -n "$arg_portable" ] || echo "${entry##*/},$boot_manager" | { echo -ne "\xff\xfe"; iconv -f ascii -t ucs-2le; } > "${esp_root}${esp_dst}/boot.csv" + + mkdir -p "${boot_root}/${entry_token}" + echo "$entry_token" > "${esp_root}${esp_dst}/installed_by_sdbootutil" - mkdir -p "$boot_root/$entry_token" - echo "$entry_token" > "$boot_root$boot_dst/installed_by_sdbootutil" mkdir -p "/etc/kernel" [ -s /etc/kernel/entry-token ] || echo "$entry_token" > /etc/kernel/entry-token update_random_seed if is_sdboot "$snapshot"; then - [ -s "$boot_root/loader/entries.srel" ] || echo type1 > "$boot_root/loader/entries.srel" - [ -e "$boot_root/loader/loader.conf" ] || echo -e "#timeout 3\n#console-mode keep\n" > "$boot_root/loader/loader.conf" + [ -e "${esp_root}/loader/loader.conf" ] || echo -e "#timeout 3\n#console-mode keep\n" > "${esp_root}/loader/loader.conf" + [ -s "${boot_root}/loader/entries.srel" ] || echo type1 > "${boot_root}/loader/entries.srel" fi # Create boot menu entry if it does not exist - if [ -z "$arg_no_variables" ] && [ -z "$arg_portable" ] && mountpoint -q "$boot_root"; then + if [ -z "$arg_no_variables" ] && [ -z "$arg_portable" ] && mountpoint -q "$esp_root"; then local drive partno - read -r drive partno _ < <(boot_root_drive_partno_dseq) + read -r drive partno _ < <(esp_root_drive_partno_dseq) local escaped_entry="${entry//\//\\\\}" efibootmgr | grep -q "Boot.*${boot_manager}.*${escaped_entry}" || efibootmgr -q --create --disk "$drive" --part "$partno" --label "${boot_manager} ($bldr_name)" --loader "$entry" || true @@ -2016,10 +2022,10 @@ { [ -z "$arg_no_random_seed" ] || return 0 local s _p - read -r s _p < <({ dd if=/dev/urandom bs=32 count=1 status=none; [ -e "$boot_root/loader/random-seed" ] && dd if="$boot_root/loader/random-seed" bs=32 count=1 status=none; } | sha256sum) + read -r s _p < <({ dd if=/dev/urandom bs=32 count=1 status=none; [ -e "${esp_root}/loader/random-seed" ] && dd if="${esp_root}/loader/random-seed" bs=32 count=1 status=none; } | sha256sum) [ "${#s}" = 64 ] || { warn "Invalid random seed"; return 0; } - hex_to_binary "$s" > "$boot_root/loader/random-seed.new" - mv "$boot_root/loader/random-seed.new" "$boot_root/loader/random-seed" + hex_to_binary "$s" > "${esp_root}/loader/random-seed.new" + mv "${esp_root}/loader/random-seed.new" "${esp_root}/loader/random-seed" } has_efivars() @@ -2050,20 +2056,20 @@ local key="${1:?}" local value="${2:?}" - [ -e "${boot_root}/loader/loader.conf" ] || touch "${boot_root}/loader/loader.conf" + [ -e "${esp_root}/loader/loader.conf" ] || touch "${esp_root}/loader/loader.conf" - if grep -q "^$key " "${boot_root}/loader/loader.conf"; then - sed -i -e "s/^$key .*/$key $value/" "${boot_root}/loader/loader.conf" + if grep -q "^$key " "${esp_root}/loader/loader.conf"; then + sed -i -e "s/^$key .*/$key $value/" "${esp_root}/loader/loader.conf" else - echo "$key $value" >> "${boot_root}/loader/loader.conf" + echo "$key $value" >> "${esp_root}/loader/loader.conf" fi } loader_conf_get() { local key="${1:?}" - if [ -e "${boot_root}/loader/loader.conf" ]; then - IFS=' ' read -r key value < <(grep "^$key " "${boot_root}/loader/loader.conf") + if [ -e "${esp_root}/loader/loader.conf" ]; then + IFS=' ' read -r key value < <(grep "^$key " "${esp_root}/loader/loader.conf") echo -n "$value" fi } @@ -2073,7 +2079,7 @@ local key="${1:?}" local value="${2:?}" - [ -e "${boot_root}${boot_dst}/grubenv" ] || touch "${boot_root}${boot_dst}/grubenv" + [ -e "${esp_root}${esp_dst}/grubenv" ] || touch "${esp_root}${esp_dst}/grubenv" grubenv="$(mktemp -t grubenv.XXXXXX)" echo "# GRUB Environment Block" > "$grubenv" @@ -2081,22 +2087,22 @@ [[ "$line" == '#'* ]] && continue [[ "$line" == "$key"=* ]] && continue echo "$line" >> "$grubenv" - done < "${boot_root}${boot_dst}/grubenv" + done < "${esp_root}${esp_dst}/grubenv" echo "$key=$value" >> "$grubenv" local filler filler=$((1024 - $(stat -c %s "$grubenv"))) printf '#%.0s' $(seq 1 $filler) >> "$grubenv" - mv "$grubenv" "${boot_root}${boot_dst}/grubenv" + mv "$grubenv" "${esp_root}${esp_dst}/grubenv" } grubenv_get() { local key="${1:?}" - if [ -e "${boot_root}${boot_dst}/grubenv" ]; then - IFS='=' read -r key value < <(grep "^$key=" "${boot_root}${boot_dst}/grubenv") + if [ -e "${esp_root}${esp_dst}/grubenv" ]; then + IFS='=' read -r key value < <(grep "^$key=" "${esp_root}${esp_dst}/grubenv") echo -n "$value" fi } @@ -2443,7 +2449,7 @@ local re re="$(snapshot_ids_for_prediction)" re="${re// /|}" - echo "(:?$re)" + echo "(?:$re)" } select_entries_for_prediction() @@ -2490,7 +2496,8 @@ { select_entries_for_prediction mv "$entryfile" "$initialentryfile" - cp -a "$boot_root/." "$tmpdir" + cp -a "${boot_root}/." "$tmpdir" + [ "$esp_root" = "$boot_root" ] || cp -a "${esp_root}/." "$tmpdir" } parse_eventlog() @@ -2690,7 +2697,7 @@ pcrlock_grub2_bls_entry_files() { local suffix="${1:+-$1}" - local base="${2:-$boot_root}" + local base="${2:-${boot_root}}" local locks=() local n=0 for i in "$base"/loader/entries/*.conf; do @@ -2717,13 +2724,13 @@ # 641-sdboot-loader-conf.pcrlock is not part of the pcrlock # standards - if [ -e "${boot_root}/loader/loader.conf" ]; then + if [ -e "${esp_root}/loader/loader.conf" ]; then shift_component 641-sdboot-loader-conf pcrlock \ lock-raw \ --pcr=5 \ --pcrlock=/var/lib/pcrlock.d/641-sdboot-loader-conf.pcrlock.d/generated.pcrlock \ - "${boot_root}/loader/loader.conf" + "${esp_root}/loader/loader.conf" fi # 650-kernel-efi-application.pcrlock is not part of the @@ -2791,13 +2798,13 @@ # 641-grub2-bls-grubenv.pcrlock is not part of the pcrlock # standards - if [ -e "${boot_root}${boot_dst}/grubenv" ]; then + if [ -e "${esp_root}${esp_dst}/grubenv" ]; then shift_component 641-grub2-bls-grubenv pcrlock \ lock-raw \ --pcr=9 \ --pcrlock=/var/lib/pcrlock.d/641-grub2-bls-grubenv.pcrlock.d/generated.pcrlock \ - "${boot_root}${boot_dst}/grubenv" + "${esp_root}${esp_dst}/grubenv" fi # 643-grub2-bls-entry-files.pcrlock is not part of the pcrlock @@ -2811,11 +2818,11 @@ local grub2_bls_drive if systemd-analyze compare-versions "$(bootloader_version)" "<" "2.13"; then local partno - read -r _ partno dseq < <(boot_root_drive_partno_dseq) + read -r _ partno dseq < <(esp_root_drive_partno_dseq) # We are assuming that the disk sequence (that start # with 1) is related with the disk sequence that GRUB2 # see during boot time (that start with 0). - # boot_root_drive_partno_dseq already set the correct + # esp_root_drive_partno_dseq already set the correct # start # # Also if for GRUB2 >= 2.14 this section is not @@ -2829,12 +2836,12 @@ while read -r options; do read -r linux read -r initrd - [ -f "${boot_root}$linux" ] || { - info "Missing ${boot_root}$linux, ignoring entry for prediction" + [ -f "${esp_root}$linux" ] || { + info "Missing ${esp_root}$linux, ignoring entry for prediction" continue } - [ -f "${boot_root}$initrd" ] || { - info "Missing ${boot_root}$initrd, ignoring entry for prediction" + [ -f "${esp_root}$initrd" ] || { + info "Missing ${esp_root}$initrd, ignoring entry for prediction" continue } n=$((n+1)) @@ -2874,8 +2881,8 @@ local n=0 local -A kernels while read -r linux; do - [ -f "${boot_root}$linux" ] || { - info "Missing ${boot_root}$linux, ignoring entry for prediction" + [ -f "${esp_root}$linux" ] || { + info "Missing ${esp_root}$linux, ignoring entry for prediction" continue } [ -z "${kernels["$linux"]}" ] || continue @@ -2889,7 +2896,7 @@ pcrlock \ lock-pe \ --pcrlock="/var/lib/pcrlock.d/650-kernel-efi-application.pcrlock.d/linux-$n.pcrlock" \ - "${boot_root}/$linux" + "${esp_root}/$linux" done < <(jq --raw-output 'sort_by(.priority, (.kernel | map(-.))) | map(.linux) | .[]' "$entryfile") fi @@ -2942,12 +2949,12 @@ while read -r cmdline; do read -r linux read -r initrd - [ -f "${boot_root}$linux" ] || { - info "Missing ${boot_root}$linux, ignoring entry for prediction" + [ -f "${esp_root}$linux" ] || { + info "Missing ${esp_root}$linux, ignoring entry for prediction" continue } - [ -f "${boot_root}$initrd" ] || { - info "Missing ${boot_root}$initrd, ignoring entry for prediction" + [ -f "${esp_root}$initrd" ] || { + info "Missing ${esp_root}$initrd, ignoring entry for prediction" continue } n=$((n+1)) @@ -2955,7 +2962,7 @@ info "More than 4 variations for 710-grub2-bls-kernel-initrd-entry" continue } - pcrlock_grub2_bls_kernel_initrd_cmdline_initrd "${boot_root}$linux" "${boot_root}$initrd" "BOOT_IMAGE=${grub2_bls_drive}$linux $cmdline" "$n" + pcrlock_grub2_bls_kernel_initrd_cmdline_initrd "${esp_root}$linux" "${esp_root}$initrd" "BOOT_IMAGE=${grub2_bls_drive}$linux $cmdline" "$n" done < <(jq --raw-output 'sort_by(.priority, (.kernel | map(-.))) | .[] | .options, .linux, .initrd[0]' "$entryfile") # Generate variation for @@ -2996,10 +3003,10 @@ # required for the event log aligment. find /var/lib/pcrlock.d -name '*.pcrlock' -type f -mtime +7 -delete - # Sometimes, like in tests, the user will generate new entries - # and reboot in a short period of time + # Sometimes, like in openQA tests, the user will generate new + # entries and reboot in a short period of time if [ "$(find /var/lib/pcrlock.d -type f -name '*-7.pcrlock' | wc -l)" -gt 0 ]; then - rm -fr /var/lib/pcrlock.d + rm -fr /var/lib/pcrlock.d/* || true fi } @@ -3098,7 +3105,7 @@ # boot application was loaded from, which is effectively the # disk where our ESP is located. shift_component 600-gpt - pcrlock lock-gpt "$boot_root" + pcrlock lock-gpt "$esp_root" # Measure the boot loader. Combinations: # - Removable media with shim: BOOTX64.EFI, grub.efi @@ -3109,11 +3116,11 @@ local shim_path bootloader_path if is_shim_installed; then if [ -n "$arg_portable" ]; then - shim_path="${boot_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" - bootloader_path="${boot_root}/EFI/BOOT/grub.efi" + shim_path="${esp_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" + bootloader_path="${esp_root}/EFI/BOOT/grub.efi" else - shim_path="${boot_root}${boot_dst}/shim.efi" - bootloader_path="${boot_root}${boot_dst}/grub.efi" + shim_path="${esp_root}${esp_dst}/shim.efi" + bootloader_path="${esp_root}${esp_dst}/grub.efi" fi else local bootloader_filename @@ -3123,9 +3130,9 @@ bootloader_filename="grubbls.efi" fi if [ -n "$arg_portable" ]; then - bootloader_path="${boot_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" + bootloader_path="${esp_root}/EFI/BOOT/BOOT${firmware_arch^^}.EFI" else - bootloader_path="${boot_root}${boot_dst}/${bootloader_filename}" + bootloader_path="${esp_root}${esp_dst}/${bootloader_filename}" fi fi @@ -3229,7 +3236,7 @@ # Publish the assets in the ESP, so can be imported by # dracut-pcr-signature [ -e /var/lib/systemd/pcrlock.json ] && \ - cp /var/lib/systemd/pcrlock.json "${boot_root}${boot_dst}" && { + cp /var/lib/systemd/pcrlock.json "${esp_root}${esp_dst}" && { echo "NVIndex policy created" } } @@ -3294,7 +3301,7 @@ local val="$3" local digest - hash "${dgst}sum" || return 1 + command -v "${dgst}sum" &> /dev/null || { warn "${dgst}sum not found"; return 1; } hex_to_binary "$pcr$val" > "$tmpdir/pcr" read -r digest _ < <("${dgst}sum" "$tmpdir/pcr") echo "$digest" @@ -3340,10 +3347,11 @@ # the mount point so we can identify /etc or /var. # # According to https://systemd.io/MOUNT_REQUIREMENTS/ - # /etc is mounted in initrd, and /var is mounted after - # initrd, but in MicroOS (via microos-tools) is adding - # /var to be mounted in the initrd stage too because - # of selinux (98selinux-microos). + # /etc and swap are mounted in initrd, and /var is + # mounted after initrd, but in MicroOS (via + # microos-tools) is adding /var to be mounted in the + # initrd stage too because of selinux + # (98selinux-microos). extra="$(lsblk --noheadings -o FSTYPE,MOUNTPOINT "$dev")" if [[ "$extra" != *"swap"* ]] && [[ "$extra" != *"/etc"* ]] && { [[ "$extra" != *"/var"* ]] || ! is_transactional; }; then [[ "$opts" != *"x-initrd.attach"* ]] && continue @@ -3395,9 +3403,9 @@ # Publish the assets in the ESP, so can be imported by # dracut-pcr-signature [ ! -e /var/lib/sdbootutil/measure-pcr-prediction ] || \ - cp /var/lib/sdbootutil/measure-pcr-prediction "${boot_root}${boot_dst}" + cp /var/lib/sdbootutil/measure-pcr-prediction "${esp_root}${esp_dst}" [ ! -e /var/lib/sdbootutil/measure-pcr-prediction.sha256 ] || \ - cp /var/lib/sdbootutil/measure-pcr-prediction.sha256 "${boot_root}${boot_dst}" + cp /var/lib/sdbootutil/measure-pcr-prediction.sha256 "${esp_root}${esp_dst}" } updated_crypttab() @@ -3448,11 +3456,11 @@ # The user can remove measure-pcr-prediction file from the # ESP, but generate_tpm2_predictions_pcr_15 will not be called - [ -f "${boot_root}${boot_dst}/measure-prediction" ] || { + [ -f "${esp_root}${esp_dst}/measure-prediction" ] || { [ ! -e /var/lib/sdbootutil/measure-pcr-prediction ] || \ - cp /var/lib/sdbootutil/measure-pcr-prediction "${boot_root}${boot_dst}" + cp /var/lib/sdbootutil/measure-pcr-prediction "${esp_root}${esp_dst}" [ ! -e /var/lib/sdbootutil/measure-pcr-prediction.sha256 ] || \ - cp /var/lib/sdbootutil/measure-pcr-prediction.sha256 "${boot_root}${boot_dst}" + cp /var/lib/sdbootutil/measure-pcr-prediction.sha256 "${esp_root}${esp_dst}" } } @@ -3504,7 +3512,7 @@ in_lockout() { - hash tpm2_getcap &> /dev/null || { warn "tpm2_getcap not found"; return 1; } + command -v tpm2_getcap &> /dev/null || { warn "tpm2_getcap not found"; return 1; } tpm2_getcap properties-variable | grep -q 'inLockout: *1' } @@ -3915,16 +3923,16 @@ { systemctl --quiet disable sdbootutil-update-predictions.service || true pcrlock remove-policy &> /dev/null || true - rm -fr /var/lib/pcrlock.d + rm -fr /var/lib/pcrlock.d/* || true rm -f /var/lib/systemd/pcrlock.json - rm -f "${boot_root}${boot_dst}/pcrlock.json" + rm -f "${esp_root}${esp_dst}/pcrlock.json" rm -f /var/lib/sdbootutil/crypttab.sha1 rm -f /var/lib/sdbootutil/measure-pcr-private.pem rm -f /var/lib/sdbootutil/measure-pcr-public.pem rm -f /var/lib/sdbootutil/measure-pcr-prediction rm -f /var/lib/sdbootutil/measure-pcr-prediction.sha256 - rm -f "${boot_root}${boot_dst}/measure-pcr-prediction" - rm -f "${boot_root}${boot_dst}/measure-pcr-prediction.sha256" + rm -f "${esp_root}${esp_dst}/measure-pcr-prediction" + rm -f "${esp_root}${esp_dst}/measure-pcr-prediction.sha256" } unenroll_all_pcr_oracle() @@ -3932,12 +3940,12 @@ rm -f /etc/systemd/tpm2-pcr-private-key.pem rm -f /etc/systemd/tpm2-pcr-public-key.pem rm -f /etc/systemd/tpm2-pcr-signature.json - rm -f "${boot_root}${boot_dst}/tpm2-pcr-public-key.pem" - rm -f "${boot_root}${boot_dst}/tpm2-pcr-signature.json" + rm -f "${esp_root}${esp_dst}/tpm2-pcr-public-key.pem" + rm -f "${esp_root}${esp_dst}/tpm2-pcr-signature.json" rm -f /var/lib/sdbootutil/measure-pcr-prediction rm -f /var/lib/sdbootutil/measure-pcr-prediction.sha256 - rm -f "${boot_root}${boot_dst}/measure-pcr-prediction" - rm -f "${boot_root}${boot_dst}/measure-pcr-prediction.sha256" + rm -f "${esp_root}${esp_dst}/measure-pcr-prediction" + rm -f "${esp_root}${esp_dst}/measure-pcr-prediction.sha256" } unenroll_device() @@ -4006,7 +4014,7 @@ # Prepare /etc/crypttab and update initrd if required case "$arg_method" in "tpm2"|"tpm2+pin") - have_tpm2 || err "No TPM2 found found" + have_tpm2 || err "No TPM2 found" for dev in "${tracked_devices[@]}"; do remove_crypttab_option "$dev" 'tpm2-device=auto' remove_crypttab_option "$dev" 'tpm2-measure-pcr=yes' @@ -4057,7 +4065,8 @@ # XXX: bootctl should have json output for that too # shellcheck disable=SC2016 eval "$(bootctl 2> /dev/null | sed -ne 's/Firmware Arch: *\(\w\+\)/firmware_arch="\1"/p;s/ *token: *\(\w\+\)/entry_token="\1"/p')" - boot_root="$(bootctl --print-esp-path)" + esp_root="$(bootctl --print-esp-path)" + boot_root="$(bootctl --print-boot-path)" } bootloader_name() @@ -4265,31 +4274,32 @@ root_snapshot="1" fi -if [ -n "$arg_esp_path" ] && [ "$boot_root" != "$arg_esp_path" ]; then +if [ -n "$arg_esp_path" ] && [ "$esp_root" != "$arg_esp_path" ]; then err "mismatch of esp path" fi [ -n "$arg_arch" ] && firmware_arch="$arg_arch" -[ -n "$boot_root" ] || err "No ESP detected. Legacy system?" +[ -n "$esp_root" ] || err "No ESP detected. Legacy system?" [ -n "$root_subvol" ] || [ -z "$have_snapshots" ] || err "Can't determine root subvolume" [ -n "$firmware_arch" ] || err "Can't determine firmware arch" set_image_name -mountpoint -q "$boot_root" || warn "$boot_root is not a valid mountpoint" +mountpoint -q "$esp_root" || warn "$esp_root is not a valid mountpoint" dbg_var "root_snapshot" +dbg_var "esp_root" dbg_var "boot_root" # shellcheck disable=SC1091 [ -e /etc/sysconfig/bootloader ] && . /etc/sysconfig/bootloader if is_sdboot; then - boot_dst="/EFI/systemd" + esp_dst="/EFI/systemd" elif is_grub2_bls; then set_os_release "${root_snapshot}" # shellcheck disable=SC2154 read -r -a name <<<"${os_release_NAME,,}" - boot_dst="/EFI/${name[0]}" + esp_dst="/EFI/${name[0]}" else msg="Bootloader not detected" [ -z "$LOADER_TYPE" ] || msg+=". /etc/sysconfig/bootloader has LOADER_TYPE=\"$LOADER_TYPE\", but only \"systemd-boot\" or \"grub2-bls\" are recognized." @@ -4299,22 +4309,22 @@ # Removable media layout is described in # https://github.com/rhboot/shim/blob/main/README.fallback if [ -n "$arg_portable" ]; then - if [ -d "${boot_root}${boot_dst}" ]; then + if [ -d "${esp_root}${esp_dst}" ]; then err "Bootloader is already installed permanently" fi - boot_dst="/EFI/BOOT" + esp_dst="/EFI/BOOT" fi # When we are doing an operation different from installation, the -# boot_dst should be already present. We can use it to identify a +# esp_dst should be already present. We can use it to identify a # removable installation -if [ "$1" != "install" ] && [ ! -d "${boot_root}${boot_dst}" ]; then +if [ "$1" != "install" ] && [ ! -d "${esp_root}${esp_dst}" ]; then info "Removable installation detected" - boot_dst="/EFI/BOOT" + esp_dst="/EFI/BOOT" arg_portable=1 fi -dbg_var "boot_dst" +dbg_var "esp_dst" if [ "$SECURE_BOOT" = "yes" ] || is_shim_installed; then arg_secure_boot=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260421.88e40c4/sdbootutil-enroll new/sdbootutil-1+git20260506.25d47bf/sdbootutil-enroll --- old/sdbootutil-1+git20260421.88e40c4/sdbootutil-enroll 2026-04-21 10:34:02.000000000 +0200 +++ new/sdbootutil-1+git20260506.25d47bf/sdbootutil-enroll 2026-05-06 20:45:00.000000000 +0200 @@ -85,10 +85,12 @@ if [ -n "$tpm2_pin" ]; then echo "Enrolling TPM2 with PIN" - SDB_ADD_INITIAL_COMPONENT=1 PIN="$crypt_tpm_pin" sdbootutil enroll --method=tpm2+pin + SDB_ADD_INITIAL_COMPONENT=1 PIN="$tpm2_pin" sdbootutil enroll --method=tpm2+pin + # TODO: write_issue_file "$recovery_pin" elif [ -n "$tpm2" ]; then echo "Enrolling TPM2" SDB_ADD_INITIAL_COMPONENT=1 sdbootutil enroll --method=tpm2 + # TODO: write_issue_file "$recovery_pin" fi [ -z "$fido2" ] || { ++++++ sdbootutil.obsinfo ++++++ --- /var/tmp/diff_new_pack.ioeqeK/_old 2026-05-08 16:42:14.773387951 +0200 +++ /var/tmp/diff_new_pack.ioeqeK/_new 2026-05-08 16:42:14.789388615 +0200 @@ -1,5 +1,5 @@ name: sdbootutil -version: 1+git20260421.88e40c4 -mtime: 1776760442 -commit: 88e40c4a5d98d5c0f977478f72cdfce596a463c5 +version: 1+git20260506.25d47bf +mtime: 1778093100 +commit: 25d47bf10ddc4b8b8c6061e82670e8f82fe8916b
