From owner-freebsd-hackers@freebsd.org Thu Oct 26 15:19:17 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 96E50E4C06D for ; Thu, 26 Oct 2017 15:19:17 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: from mail-io0-x22a.google.com (mail-io0-x22a.google.com [IPv6:2607:f8b0:4001:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4F812818E9 for ; Thu, 26 Oct 2017 15:19:17 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: by mail-io0-x22a.google.com with SMTP id j17so6148461iod.5 for ; Thu, 26 Oct 2017 08:19:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bsdimp-com.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=/zo1NSMKNua/nxEFyGI8jawsjV+Y7YIfNqhzXgaNDgE=; b=Jyky03Qixvs0qrjk92e01/vp02MwHiRz1EnRTAFae9+2ok4DHTW6MESBN1JfE68p2C Ih7+aJBR0YH9K2aLLu3fkBPndjGp5ZEkbbGqUQ9WAaTcTRyNo/ds/1c/TyxUo6E1S2VG 8Wb+gBPwV+Zss6LvSZlwz5uv0J/jtbRj2b0TYG71IHMuH+ucD51Sn9vD3cYUxcM7DVAr v+m060dd2JNUJpc33f8duom3wEDcZBoEn1SQBrmVEfV7B7vrr9/4MDaVKR/a1EKcZ7pJ 4IhtPFqr1jPMSXIU5drxDHeQIeLyYGuLleV8AX8FKcv7c8Eev4i3aZcDY+9eidHy3VuI wgLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=/zo1NSMKNua/nxEFyGI8jawsjV+Y7YIfNqhzXgaNDgE=; b=hnfScnIQWF0Enqxvty/fAy1FGsdzUa6F0vyY2Md3XvjXpu9WS9SGAxVDPS3byO2dlo Dts8dIvGhbkOfk+ynaW/qOFr+ryDlV11KlAu4DI6p2QU0f4vviXbAxCrHYMJxHfMdI6E 7wbsyQRQCA1bHYa6wqhD+1Ab0qyLZ6oPtYxtWydbIegnUAdoG6QXaBBEViSZ3/cmoJHt Yc9GHXbXc5eOSMM3qR3A4OV50kyKE/UkWJoQBPHQkcqxmHH86OXGRxcTM3qn3qpwAdqP n3P70G6jBssJxy5TcV+pbZm3twVThFT3il/hNWgxN1cTM/JG1ayATf3MVtRHlF+nB47D UUMA== X-Gm-Message-State: AMCzsaUR7CQ99ZAgSJB1j/IcgnJpOlZ9r25Eyy2KbYRtFEqVjgqScY0r HQly6k3rHDUsWk8n8w1a7D0uBJXI7xR5AudSKeV6Jg== X-Google-Smtp-Source: ABhQp+TAozaEDJwbObrVVbToU98ijBXS9sHSFTb5Zdbd8XIL+x+bWhVtn9cdGgB6mNVvT5UasMTLchm0eTjI6n63aPg= X-Received: by 10.36.69.100 with SMTP id y97mr2979555ita.50.1509031156531; Thu, 26 Oct 2017 08:19:16 -0700 (PDT) MIME-Version: 1.0 Sender: wlosh@bsdimp.com Received: by 10.79.57.22 with HTTP; Thu, 26 Oct 2017 08:19:15 -0700 (PDT) X-Originating-IP: [50.253.109.65] In-Reply-To: <87ceccf2-09fb-1adb-6304-649961cae2d4@metricspace.net> References: <87ceccf2-09fb-1adb-6304-649961cae2d4@metricspace.net> From: Warner Losh Date: Thu, 26 Oct 2017 09:19:15 -0600 X-Google-Sender-Auth: pDi-euoNyPP9XB4E5_inmkJbvi0 Message-ID: Subject: Re: New behaviors for loader.efi To: Eric McCorkle Cc: "freebsd-arch@freebsd.org" , "freebsd-hackers@freebsd.org" , Warner Losh Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Oct 2017 15:19:17 -0000 On Thu, Oct 26, 2017 at 6:32 AM, Eric McCorkle wrote: > On 10/25/2017 22:58, Warner Losh wrote: > > > I would vote neither. If it belongs on the ESP at all, it belongs in > > \efi\freebsd\boot.conf. We now own \efi\freebsd, so that's where all our > > boot files need to wind up in our install. But I'm not sure that we need > > it at all, since boot.conf is only for boot1/boot2 in the current system > > (though it does set serial by default, which might be helpful to > > preserve). It would be even better, though, to use the command line > > that's passed in as part of the UEFI:BootXXXX environment variable. > > Since we have to move it anyway, we should do things in the EFI way, > > which is to store all the nonvolatile info in UEFI environment variables > > (and in this case, the command line / aux info in the BootXXXX > > variable). We really need to stop polluting \efi\boot with anything, > > except on removable media. > > That seems reasonable, however it might be worth having a backup > mechanism (boot.conf) in case the EFI vars get clobbered. Also, a file > with the args can be more easily signed and verified than EFI vars. So long as it's a backup method, that's fine. It occurs to me that it might be useful for removable media where you can't count on EFI env vars and you are bootstrapping such that you need the args (serial console is the canonical case). > I think it should be in /boot/loader.conf on /, not the ESP. We should > > only have \efi\freebsd\loader.efi in the ESP. > > Also my inclination. Excellent. If we do have a boot.conf to supply a backup way of specifying command line args, then we should look for it in ESP:\efi\freebsd\boot.conf. > I'm not sure that it should look very hard, and it should only look as a > > last result. > > > > UEFI:BootCurrent lists the current boot variable. It points to the > > UEFI:BootXXXX that contains a LoadOption variable. This variable > > contains a series of DevicePaths. The first one is what the UEFI BIOS > > uses to load loader.efi (installed as ESP:\EFI\FREEBSD\LOADER.EFI). The > > second one in the list will point to the kernel to load. That way we > > shouldn't have to go looking at all. We assume that the root is the same > > partition we load the kernel comes from. We should only go looking if we > > fail to find the second path in the LoadOption. > > Right. The search would be a fallback mechanism, if all else fails. It > doesn't even need to succeed; it just needs to make a reasonable guess. The fallback mechanism should try too hard though. Trying hard gets in the way of many things. The biggest one being when I have multiple disks in a system that have multiple copies of the OS. You want the fallback mechanism to try as limited a number of things as possible then FAIL so we can go to the next BootXXXX in the boot order. So long as the guesses are super limited, and/or only done done when we don't specify something explicit, then that's OK. So the change from the present would be: (1) If a second path is specified in the BootXXXX option, then boot it (might want to look in the list to generalize this, but for the moment that's an enhancement). If we fail to boot an explicit path, fail back to the EFI boot manager. We were told to do something explicitly, and we couldn't do that, so we shouldn't go guessing (this includes ZFS BE, UFS, etc) (2) If no path is specified and if we come from a UFS or ZFS partition (the boot1.efi vector), then try to boot the kernel off of that partition. If that fails, then fail the boot back to EFI boot manager. (3) If no path is specified and there's ZFS BE we can boot from, boot that (fail if we can't) (4) if no path is specified and we can find a UFS partition on the current disk, boot that (fail if we can't) Otherwise fail back to EFI boot manager for the next one on the list. > No, we don't. boot1.efi already does this, and legacy systems will > > already have this installed. So we don't have to recreate this behavior > > if we don't want to since updated systems will need to follow the > > efibootmgr protocol. There's no way the loader.efi will fit on the old > > ESPs we created anyway... loader.efi needs to cope with being loaded > > this way, but it doesn't have to recreate boot1.efi's behavior. > > OK, I was assuming there'd be an interim period where loader.efi still > gets installed to /boot/, in which case the dual-purpose would be > necessary. It sounds like you want to quit installing it there altogether. > Yes. I want to get loader.efi in shape to be the primary loader, but won't get rid of boot1.efi right away until the installer catches up. A small case could be made for having boot1.efi for legacy users that keeps simple UFS / ZFS features we have in 11.x, but removes any features we've added since then. It's still unclear to me if that's useful or not. > With regard to GELI, it sounds like it can actually be committed in > parallel with any of the changes you're planning here. This would give > loader the ability to attach and explore EFI partitions, but you > wouldn't be able to boot a pure-GELI system until the loader-only setup > is viable. > Yes. I agree. I'd like to see it so you could install one by hand in the base prior to the installer supporting that. I'll have to look at the individual changes carefully, but at a high level when I saw them they looked like the right direction. I'll try to find some time today to update the boot document and to try to draw in points you have in your chain of trust documents because that's also important. It might also be worth bringing in the 'self contained load env' work that I know is going on elsewhere (basically, you load a loader with a MD burned into it and boot from that, with the entire loader.efi signed such that the shim-loader that floating around can load and verify it -- a lite version of the stuff you are working on). Warner