To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Cc: Faraz Vahedi
From: Warner Losh
Subject: git: 1c85c5eea09a - main - loader.efi: Search boot device before foreign ZFS pools
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: imp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1c85c5eea09a4c9649b7634225220337e6005cd4
Date: Tue, 09 Jun 2026 23:34:01 +0000
Message-Id: <6a28a2e9.3b89e.f7901f7@gitrepo.freebsd.org>

The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c85c5eea09a4c9649b7634225220337e6005cd4

commit 1c85c5eea09a4c9649b7634225220337e6005cd4
Author:     Faraz Vahedi
AuthorDate: 2026-05-26 14:35:42 +0000
Commit:     Warner Losh
CommitDate: 2026-06-09 23:33:05 +0000

    loader.efi: Search boot device before foreign ZFS pools

    When `boot_policy` is `RELAXED`, `find_currdev()` tried ZFS pools on
    every disk before searching the boot ESP and sibling partitions.
    Booting install media from USB could therefore select an installed
    ZFS root on internal storage instead of the intended memstick UFS
    image.

    Extract the boot-device partition walk into
    `try_boot_device_partitions()` and run it before relaxed
    foreign-pool probing.

    The ZFS search order is preserved; pools on the boot device are
    tried first, followed by pools on other devices when `boot_policy`
    is `RELAXED` and the boot device yields no bootable root.

Signed-off-by: Faraz Vahedi Reviewed by: imp Pull Request: https://github.com/freebsd/freebsd-src/pull/2239 --- stand/efi/loader/main.c | 125 ++++++++++++++++++++++++++++-------------------- 1 file changed, 72 insertions(+), 53 deletions(-) diff --git a/stand/efi/loader/main.c b/stand/efi/loader/main.c index 2dc7924b9fcd..1444b1eee17d 100644 --- a/stand/efi/loader/main.c +++ b/stand/efi/loader/main.c @@ -364,6 +364,49 @@ try_as_currdev(pdinfo_t *hd, pdinfo_t *pp) return (sanity_check_currdev()); } +/* + * Search the boot device first (i.e. the ESP and any sibling partitions). + * Per the UEFI specification, filesystems on other devices must not be + * preferred until the boot device has been fully exhausted. + */ +static int +try_boot_device_partitions(void) +{ + pdinfo_t *dp, *pp, *espdp; + CHAR16 *text; + + dp = efiblk_get_pdinfo_by_handle(boot_img->DeviceHandle); + if (dp == NULL) + return (ENOENT); + + text = efi_devpath_name(dp->pd_devpath); + if (text != NULL) { + printf("Trying ESP: %S\n", text); + efi_free_devpath_name(text); + } + set_currdev_pdinfo(dp); + if (sanity_check_currdev()) + return (0); + + if (dp->pd_parent == NULL) + return (ENOENT); + + espdp = dp; + dp = dp->pd_parent; + STAILQ_FOREACH(pp, &dp->pd_part, pd_link) { + if (espdp == pp) + continue; + text = efi_devpath_name(pp->pd_devpath); + if (text != NULL) { + printf("Trying: %S\n", text); + efi_free_devpath_name(text); + } + if (try_as_currdev(dp, pp)) + return (0); + } + return (ENOENT); +} + /* * Sometimes we get filenames that are all upper case * and/or have backslashes in them. Filter all this out @@ -535,10 +578,9 @@ match_boot_info(char *boot_info, size_t bisz) static int find_currdev(bool do_bootmgr, char *boot_info, size_t boot_info_sz) { - pdinfo_t *dp, *pp; + pdinfo_t *dp; EFI_DEVICE_PATH *devpath, *copy; EFI_HANDLE h; - CHAR16 *text; struct devsw *dev; int unit; uint64_t extra; 
@@ -606,65 +648,42 @@ find_currdev(bool do_bootmgr, char *boot_info, size_t boot_info_sz) return (0); #endif /* MD_IMAGE_SIZE */ -#ifdef EFI_ZFS_BOOT - zfsinfo_list_t *zfsinfo = efizfs_get_zfsinfo_list(); - zfsinfo_t *zi; + if (try_boot_device_partitions() == 0) + return (0); - /* - * First try the zfs pool(s) that were on the boot device, then - * try any other pool if we have a relaxed policy. zfsinfo has - * the pools that had elements on the boot device first. - */ - STAILQ_FOREACH(zi, zfsinfo, zi_link) { - if (boot_policy == STRICT && - zi->zi_handle != boot_img->DeviceHandle) - continue; - printf("Trying ZFS pool 0x%jx\n", zi->zi_pool_guid); - if (probe_zfs_currdev(zi->zi_pool_guid)) - return (0); - } -#endif /* EFI_ZFS_BOOT */ +#ifdef EFI_ZFS_BOOT + { + zfsinfo_list_t *zfsinfo = efizfs_get_zfsinfo_list(); + zfsinfo_t *zi; - /* - * Try to find the block device by its handle based on the - * image we're booting. If we can't find a sane partition, - * search all the other partitions of the disk. We do not - * search other disks because it's a violation of the UEFI - * boot protocol to do so. We fail and let UEFI go on to - * the next candidate. - */ - dp = efiblk_get_pdinfo_by_handle(boot_img->DeviceHandle); - if (dp != NULL) { - text = efi_devpath_name(dp->pd_devpath); - if (text != NULL) { - printf("Trying ESP: %S\n", text); - efi_free_devpath_name(text); + /* + * Try ZFS pool(s) on the boot device not reachable via + * the partition walk above. 
+ */ + STAILQ_FOREACH(zi, zfsinfo, zi_link) { + if (zi->zi_handle != boot_img->DeviceHandle) + continue; + printf("Trying ZFS pool 0x%jx\n", zi->zi_pool_guid); + if (probe_zfs_currdev(zi->zi_pool_guid)) + return (0); } - set_currdev_pdinfo(dp); - if (sanity_check_currdev()) - return (0); - if (dp->pd_parent != NULL) { - pdinfo_t *espdp = dp; - dp = dp->pd_parent; - STAILQ_FOREACH(pp, &dp->pd_part, pd_link) { - /* Already tried the ESP */ - if (espdp == pp) + + /* + * With a relaxed policy, try pools on other devices only + * after the boot device has no bootable root. + */ + if (boot_policy == RELAXED) { + STAILQ_FOREACH(zi, zfsinfo, zi_link) { + if (zi->zi_handle == boot_img->DeviceHandle) continue; - /* - * Roll up the ZFS special case - * for those partitions that have - * zpools on them. - */ - text = efi_devpath_name(pp->pd_devpath); - if (text != NULL) { - printf("Trying: %S\n", text); - efi_free_devpath_name(text); - } - if (try_as_currdev(dp, pp)) + printf("Trying ZFS pool 0x%jx\n", + zi->zi_pool_guid); + if (probe_zfs_currdev(zi->zi_pool_guid)) return (0); } } } +#endif /* EFI_ZFS_BOOT */ /* * Try the device handle from our loaded image first. If that
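Review bot: In the first hunk (@@ -364, new try_boot_device_partitions()), the block comment does not document the return convention. The function returns 0 when a usable root was found and ENOENT otherwise, which is the opposite sense of the sanity_check_currdev() and try_as_currdev() calls inside it, both treated as true on success. A sentence such as "Returns 0 if currdev was set to a bootable partition, ENOENT otherwise" would make the caller's "== 0" test self-explanatory. It would also help to say that on the ENOENT paths currdev may be left changed, since set_currdev_pdinfo(dp) runs before the sanity check and nothing undoes it.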
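Review bot: In the find_currdev() hunk at @@ -606, the new call "if (try_boot_device_partitions() == 0) return (0);" sits ahead of the EFI_ZFS_BOOT block for every policy, not only RELAXED, so the ESP and its sibling partitions are now tried before ZFS pools on the boot device too, whereas the removed code probed those pools first. The commit message says the ZFS search order is preserved, which holds among pools but not relative to the partition walk, so please either call out this change for STRICT configurations in the comment or confirm that it is intended. Separately, both loops print the same "Trying ZFS pool 0x%jx" line; a distinct message in the RELAXED loop would make it visible on the console when a pool on a device other than the boot device is being considered.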