To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Cc: Faraz Vahedi
From: Warner Losh
Subject: git: 1c85c5eea09a - main - loader.efi: Search boot device before foreign ZFS pools
Date: Tue, 09 Jun 2026 23:34:01 +0000
Message-Id: <6a28a2e9.3b89e.f7901f7@gitrepo.freebsd.org>

The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c85c5eea09a4c9649b7634225220337e6005cd4

commit 1c85c5eea09a4c9649b7634225220337e6005cd4
Author:     Faraz Vahedi
AuthorDate: 2026-05-26 14:35:42 +0000
Commit:     Warner Losh
CommitDate: 2026-06-09 23:33:05 +0000

    loader.efi: Search boot device before foreign ZFS pools

    When `boot_policy` is `RELAXED`, `find_currdev()` tried ZFS pools on
    every disk before searching the boot ESP and sibling partitions.
    Booting install media from USB could therefore select an installed
    ZFS root on internal storage instead of the intended memstick UFS
    image.

    Extract the boot-device partition walk into
    `try_boot_device_partitions()` and run it before relaxed foreign-pool
    probing. The ZFS search order is preserved; pools on the boot device
    are tried first, followed by pools on other devices when
    `boot_policy` is `RELAXED` and the boot device yields no bootable
    root.

Signed-off-by: Faraz Vahedi Reviewed by: imp Pull Request: https://github.com/freebsd/freebsd-src/pull/2239 --- stand/efi/loader/main.c | 125 ++++++++++++++++++++++++++++-------------------- 1 file changed, 72 insertions(+), 53 deletions(-) diff --git a/stand/efi/loader/main.c b/stand/efi/loader/main.c index 2dc7924b9fcd..1444b1eee17d 100644 --- a/stand/efi/loader/main.c +++ b/stand/efi/loader/main.c @@ -364,6 +364,49 @@ try_as_currdev(pdinfo_t *hd, pdinfo_t *pp) return (sanity_check_currdev()); } +/* + * Search the boot device first (i.e. the ESP and any sibling partitions). + * Per the UEFI specification, filesystems on other devices must not be + * preferred until the boot device has been fully exhausted. + */ +static int +try_boot_device_partitions(void) +{ + pdinfo_t *dp, *pp, *espdp; + CHAR16 *text; + + dp = efiblk_get_pdinfo_by_handle(boot_img->DeviceHandle); + if (dp == NULL) + return (ENOENT); + + text = efi_devpath_name(dp->pd_devpath); + if (text != NULL) { + printf("Trying ESP: %S\n", text); + efi_free_devpath_name(text); + } + set_currdev_pdinfo(dp); + if (sanity_check_currdev()) + return (0); + + if (dp->pd_parent == NULL) + return (ENOENT); + + espdp = dp; + dp = dp->pd_parent; + STAILQ_FOREACH(pp, &dp->pd_part, pd_link) { + if (espdp == pp) + continue; + text = efi_devpath_name(pp->pd_devpath); + if (text != NULL) { + printf("Trying: %S\n", text); + efi_free_devpath_name(text); + } + if (try_as_currdev(dp, pp)) + return (0); + } + return (ENOENT); +} + /* * Sometimes we get filenames that are all upper case * and/or have backslashes in them. Filter all this out @@ -535,10 +578,9 @@ match_boot_info(char *boot_info, size_t bisz) static int find_currdev(bool do_bootmgr, char *boot_info, size_t boot_info_sz) { - pdinfo_t *dp, *pp; + pdinfo_t *dp; EFI_DEVICE_PATH *devpath, *copy; EFI_HANDLE h; - CHAR16 *text; struct devsw *dev; int unit; uint64_t extra; 
@@ -606,65 +648,42 @@ find_currdev(bool do_bootmgr, char *boot_info, size_t boot_info_sz) return (0); #endif /* MD_IMAGE_SIZE */ -#ifdef EFI_ZFS_BOOT - zfsinfo_list_t *zfsinfo = efizfs_get_zfsinfo_list(); - zfsinfo_t *zi; + if (try_boot_device_partitions() == 0) + return (0); - /* - * First try the zfs pool(s) that were on the boot device, then - * try any other pool if we have a relaxed policy. zfsinfo has - * the pools that had elements on the boot device first. - */ - STAILQ_FOREACH(zi, zfsinfo, zi_link) { - if (boot_policy == STRICT && - zi->zi_handle != boot_img->DeviceHandle) - continue; - printf("Trying ZFS pool 0x%jx\n", zi->zi_pool_guid); - if (probe_zfs_currdev(zi->zi_pool_guid)) - return (0); - } -#endif /* EFI_ZFS_BOOT */ +#ifdef EFI_ZFS_BOOT + { + zfsinfo_list_t *zfsinfo = efizfs_get_zfsinfo_list(); + zfsinfo_t *zi; - /* - * Try to find the block device by its handle based on the - * image we're booting. If we can't find a sane partition, - * search all the other partitions of the disk. We do not - * search other disks because it's a violation of the UEFI - * boot protocol to do so. We fail and let UEFI go on to - * the next candidate. - */ - dp = efiblk_get_pdinfo_by_handle(boot_img->DeviceHandle); - if (dp != NULL) { - text = efi_devpath_name(dp->pd_devpath); - if (text != NULL) { - printf("Trying ESP: %S\n", text); - efi_free_devpath_name(text); + /* + * Try ZFS pool(s) on the boot device not reachable via + * the partition walk above. 
+ */ + STAILQ_FOREACH(zi, zfsinfo, zi_link) { + if (zi->zi_handle != boot_img->DeviceHandle) + continue; + printf("Trying ZFS pool 0x%jx\n", zi->zi_pool_guid); + if (probe_zfs_currdev(zi->zi_pool_guid)) + return (0); } - set_currdev_pdinfo(dp); - if (sanity_check_currdev()) - return (0); - if (dp->pd_parent != NULL) { - pdinfo_t *espdp = dp; - dp = dp->pd_parent; - STAILQ_FOREACH(pp, &dp->pd_part, pd_link) { - /* Already tried the ESP */ - if (espdp == pp) + + /* + * With a relaxed policy, try pools on other devices only + * after the boot device has no bootable root. + */ + if (boot_policy == RELAXED) { + STAILQ_FOREACH(zi, zfsinfo, zi_link) { + if (zi->zi_handle == boot_img->DeviceHandle) continue; - /* - * Roll up the ZFS special case - * for those partitions that have - * zpools on them. - */ - text = efi_devpath_name(pp->pd_devpath); - if (text != NULL) { - printf("Trying: %S\n", text); - efi_free_devpath_name(text); - } - if (try_as_currdev(dp, pp)) + printf("Trying ZFS pool 0x%jx\n", + zi->zi_pool_guid); + if (probe_zfs_currdev(zi->zi_pool_guid)) return (0); } } } +#endif /* EFI_ZFS_BOOT */ /* * Try the device handle from our loaded image first. If that
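Review bot: in the first hunk (`@@ -364,6 +364,49 @@`), the header comment on `try_boot_device_partitions()` says the UEFI specification only forbids preferring other devices until the boot device is exhausted, while the comment this code was moved from said the loader does not search other disks at all because that violates the UEFI boot protocol. The relaxed pass added later in this patch does search other devices, so the new comment should say that this is the loader's `RELAXED` policy rather than something the specification allows. The move also dropped `/* Already tried the ESP */` at `if (espdp == pp)` and the remark that `try_as_currdev()` rolls up the ZFS special case for partitions holding zpools. Both are still accurate and explain why the later boot-device pool loop only covers pools "not reachable via the partition walk", so please keep them, and state in the header comment that the function returns 0 on success and `ENOENT` otherwise.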
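Review bot: in the declaration hunk (`@@ -535,10 +578,9 @@`), `pp` and `text` are removed but `pdinfo_t *dp;` is kept, and every use of `dp` visible in this patch moves into `try_boot_device_partitions()`. If nothing in the unchanged remainder of `find_currdev()` still assigns or reads `dp`, drop the declaration as well so the function does not pick up an unused-variable warning.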
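Review bot: in the last hunk (`@@ -606,65 +648,42 @@`), `try_boot_device_partitions()` is called ahead of the `#ifdef EFI_ZFS_BOOT` block with no test of `boot_policy`, so the probe order changes under every policy, not only `RELAXED`. The removed code ran `probe_zfs_currdev()` on boot-device pools before `Trying ESP`; now a boot disk that carries both a pool and a partition passing `sanity_check_currdev()` selects the partition, even with `boot_policy == STRICT`. The commit message states that the ZFS search order is preserved, which holds among pools but not relative to the partition walk. Since this decides which root the loader boots, either say in the commit message and the new comment that the non-relaxed order changes too, or keep the boot-device pool loop first and move only the `boot_policy == RELAXED` loop behind the partition walk. As a smaller point, the two `STAILQ_FOREACH` loops differ only in the sense of the `zi->zi_handle` comparison and could share one helper.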