- Bug
- Resolution: Unresolved
- rhel-10.0
- rhel-bootloader
- Bootloader Sprint 2025.4
- x86_64
What were you trying to do that didn't work?
Get a GRUB binary that is updated less often as it does not include code outside of UKI support on UEFI systems.
What is the impact of this issue to you?
As part of the Confidential Cluster work, we are trying to remotely attest nodes before they join a cluster, to be able to guarantee that the shim, bootloader, kernel, initramfs, kernel command line and composefs image used are as expected by the cluster.
To be able to do that, we need to pre-compute the PCR values to inject them as a set of valid reference values in Trustee.
To fully ensure that we are booting the right elements, we want to validate the value for PCR4 (among others) as it includes the authenticode hash of the bootloader binary measured by the firmware.
We also want to support updating the bootloader (and shim) and we allow users to rollback system updates and boot into the older version if something failed.
We need to compute all the possible combinations of (shim + bootloader) * (UKI versions) that can potentially be booted on a system, to support all combinations of old bootloader / old UKI, old bootloader / new UKI, new bootloader / old UKI, new bootloader / new UKI (and repeat for each potential bootloader version).
As we use bootupd, we can reduce this matrix by assuming that GRUB & shim are updated "in sync", so we treat both as a single unit.
But any new version of the GRUB binary (and shim but that's a lesser issue) will quickly increase the matrix of values that need to be pre-computed.
Thus we would like to have a build of GRUB that is updated less often, only when critical issues are found for UKI support. Ideally this build of GRUB would not include support for BIOS, other filesystems, etc. and only support the limited set of options used for UKI support and modern features from the Boot Loader Interface (BLI), thus reducing the need to update it.
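To make the matrix concrete, here is an added Python example (not code from this report, bootupd or Trustee) that precomputes an expected PCR4 value for every (shim + GRUB unit) x (UKI) combination using the TPM 2.0 extend rule; the Authenticode digests are constructed stand-ins, and the other PCR4 events in a real event log (separators, boot option actions) are deliberately omitted.

```python
import hashlib
from itertools import product

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM 2.0 extend on the SHA-256 bank: PCR_new = SHA-256(PCR_old || digest)
    return hashlib.sha256(pcr + digest).digest()

def predicted_pcr4(pe_digests):
    # PCR4 starts at all zeros at power-on; each boot-services application the
    # firmware loads (shim, GRUB, the UKI) is extended in load order.
    # Simplification (assumption): a real replay must also fold in the other
    # PCR4 events from the TPM event log, which are constant and skipped here.
    pcr = bytes(32)
    for d in pe_digests:
        pcr = pcr_extend(pcr, d)
    return pcr

def reference_values(bootloader_units, ukis):
    # bootloader_units: {name: (shim_digest, grub_digest)}; shim and GRUB are
    # one unit because bootupd updates them together.
    # ukis: {name: uki_digest}
    # Returns {(unit_name, uki_name): pcr4_hex} for every combination a node
    # could boot after an update or a rollback: len(units) * len(ukis) values.
    refs = {}
    for (unit, (shim_d, grub_d)), (uki, uki_d) in product(
            bootloader_units.items(), ukis.items()):
        refs[(unit, uki)] = predicted_pcr4([shim_d, grub_d, uki_d]).hex()
    return refs

def fake_authenticode(label: str) -> bytes:
    # Constructed stand-in for an Authenticode PE hash. The real value is the
    # Authenticode digest of the signed PE file, not a plain SHA-256 of it.
    return hashlib.sha256(b"constructed:" + label.encode()).digest()

# Constructed sample: two bootloader units (old/new shim+GRUB) and two UKIs.
UNITS = {
    "bootloader-v1": (fake_authenticode("shim-v1"), fake_authenticode("grub-v1")),
    "bootloader-v2": (fake_authenticode("shim-v2"), fake_authenticode("grub-v2")),
}
UKIS = {"uki-v1": fake_authenticode("uki-v1"), "uki-v2": fake_authenticode("uki-v2")}

if __name__ == "__main__":
    # Every entry below is a reference value Trustee would have to accept.
    for combo, value in sorted(reference_values(UNITS, UKIS).items()):
        print(combo, value)
```

Adding a third bootloader unit grows the table by one full row of UKIs, which is the growth the report wants to avoid by updating the UKI-only GRUB build less often.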
Please provide the package NVR for which the bug is seen:
N/A
How reproducible is this bug?:
N/A
Steps to reproduce
N/A
Expected results
N/A
Actual results
N/A
- is related to: COS-2073 Confidential Computing: composefs-rs integration in bootc (In Progress)
- relates to: RHEL-127953 Limit PCR 8 measurements to config files which are not built in to the grub image. (New)