Current situation
GRUB is on the MBR for BIOS booting and also on the ESP for EFI booting. GRUB has custom logic for A/B GPT attribute handling, the reading of the dm-verity hash from a kernel offset, and the detection of first boot and OEM. Users may also customize the kernel parameters through the grub.cfg file.
For TPM usage, however, GRUB's supported mode is of limited use because it does not work with signed PCR measurements, unlike systemd-boot, which has modern TPM functionality.
Impact
TPM usage in its current form would mean re-enrolling on every update, which is fragile when combined with rollbacks.
Ideal future situation
For the EFI boot path we use systemd-boot while we keep GRUB on the MBR for BIOS booting.
To be able to ship a single image and be backwards compatible we would need to support both ways of boot try counting (systemd-boot uses a suffix in the kernel file name). Ideally it would even work to turn EFI boot on and off without requiring manual changes.
Implementation options
We can focus only on new installations and old installations stay with GRUB for EFI.
Fedora has some GRUB code to support boot counting in the filename; maybe we could use this so that there is only one way of boot counting?
In update-engine both cases need to be covered: either we prepare the system for both boot loaders, or we detect which one is used.
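To make the two boot-try counting schemes mentioned above concrete (the systemd-boot filename suffix in "Ideal future situation", and the GPT attribute handling that update-engine would also have to cover), here is an added example that is not part of this issue or of the update-engine code base. It models both: systemd-boot's `entry+<left>-<done>.conf` suffix, and a ChromeOS-style GPT attribute word whose bit layout (priority in bits 48-51, tries in 52-55, successful in bit 56) is assumed here.

```python
import re

# systemd-boot boot counting: "name+<left>[-<done>].conf" (or .efi for UKIs).
SUFFIX_RE = re.compile(
    r"^(?P<base>.+?)\+(?P<left>\d+)(?:-(?P<done>\d+))?(?P<ext>\.conf|\.efi)$"
)

def parse_sdboot_name(name):
    """Return (base, tries_left, tries_done, ext) or None if there is no counter."""
    m = SUFFIX_RE.match(name)
    if not m:
        return None
    return m["base"], int(m["left"]), int(m["done"] or 0), m["ext"]

def sdboot_next_try(name):
    """Name the entry gets when systemd-boot attempts to boot it: left-1, done+1."""
    parsed = parse_sdboot_name(name)
    if parsed is None:
        return name  # entry without counting: never renamed
    base, left, done, ext = parsed
    if left == 0:
        raise ValueError(f"{name}: no tries left, entry is considered bad")
    return f"{base}+{left - 1}-{done + 1}{ext}"

def sdboot_bless(name):
    """After a successful boot the suffix is dropped (what systemd-bless-boot does)."""
    parsed = parse_sdboot_name(name)
    return name if parsed is None else parsed[0] + parsed[3]

# Assumed ChromeOS-style A/B GPT attribute layout (priority, tries, successful).
PRIO_SHIFT, TRIES_SHIFT, SUCCESS_BIT = 48, 52, 56

def gpt_decode(attr):
    """Return (priority, tries, successful) from a 64-bit GPT attribute word."""
    return (attr >> PRIO_SHIFT) & 0xF, (attr >> TRIES_SHIFT) & 0xF, (attr >> SUCCESS_BIT) & 1

def gpt_encode(priority, tries, successful):
    if not (0 <= priority <= 15 and 0 <= tries <= 15):
        raise ValueError("priority and tries are 4-bit fields")
    return (priority << PRIO_SHIFT) | (tries << TRIES_SHIFT) | (int(bool(successful)) << SUCCESS_BIT)

def gpt_next_try(attr):
    """Boot attempt on a partition: consume one try unless it is already marked successful."""
    prio, tries, ok = gpt_decode(attr)
    if ok:
        return attr
    if tries == 0:
        raise ValueError("no tries left, partition is not bootable")
    return gpt_encode(prio, tries - 1, 0)
```

Both `*_next_try` helpers fail on a zero counter, which is the state a rollback decision in update-engine would key on.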
Additional information
As of now, GRUB does not support unified kernel images, but adding this support to GRUB could help to get more out of systemd-boot.