
(U)EFI support
Closed, Resolved · Public

Description

sooner or later we'll need to look into UEFI booting and leaving legacy bios behind, there's no immediate hurry but nevertheless something to look into. The original context for this is T90922 from which we've learned a few things:

  • grub-efi boots via pxe just fine
    • however it doesn't (yet?) support passing a path prefix via dhcp so we'll need to find another way to differentiate distributions/installer per-host
  • syslinux wasn't able to successfully boot linux on hp gen9
  • to boot uefi needs a system partition (ESP) formatted FAT16/32 and with a specific GUID if using GPT or id if using MBR
    • in practice this means changing partman to accommodate for that

note: this is orthogonal work (but required for) secure boot
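The ESP requirement in the last bullet (FAT partition carrying the ESP type GUID on GPT, or partition type 0xEF on MBR) can be verified on a disk image before firmware ever sees it. The checker below is an added example, not part of this task or of Wikimedia's tooling: it walks a protective MBR + GPT or a plain MBR and reports the ESP, using a constructed sample image; the GUID and type bytes are the ones defined by the UEFI specification.

```python
import struct
import uuid

# Identifiers the firmware looks for (UEFI spec): the ESP type GUID on GPT, type 0xEF on MBR,
# and type 0xEE marking the protective MBR that precedes a GPT.
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
ESP_MBR_TYPE, PROTECTIVE_MBR_TYPE, SECTOR = 0xEF, 0xEE, 512

def find_esp(image: bytes):
    """Return (scheme, entry index, first LBA, last LBA) of the ESP, or None if absent."""
    if len(image) < 2 * SECTOR or image[510:512] != b"\x55\xaa":
        return None  # no valid boot sector at all
    mbr_entries = [image[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    if not any(e[4] == PROTECTIVE_MBR_TYPE for e in mbr_entries):
        for i, e in enumerate(mbr_entries):  # plain MBR: look for partition type 0xEF
            if e[4] == ESP_MBR_TYPE:
                start, count = struct.unpack_from("<II", e, 8)
                return ("mbr", i, start, start + count - 1)
        return None
    # GPT: the header at LBA 1 says where the entry array is and how it is laid out.
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        return None
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        ent = image[off:off + entry_size]
        if len(ent) < 48:
            break  # truncated image
        if uuid.UUID(bytes_le=ent[:16]) == ESP_GUID:  # GPT stores GUIDs little-endian
            first, last = struct.unpack_from("<QQ", ent, 32)
            return ("gpt", i, first, last)
    return None

def build_sample_gpt_image():
    """Constructed minimal GPT image: protective MBR, header at LBA 1, one ESP entry at LBA 2.
    Header CRCs are left zero; find_esp does not verify them, real tooling should."""
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = PROTECTIVE_MBR_TYPE
    mbr[510:512] = b"\x55\xaa"
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 2, 128)  # entries at LBA 2: 2 entries of 128 bytes
    ents = bytearray(2 * 128)
    ents[:16] = ESP_GUID.bytes_le
    struct.pack_into("<QQ", ents, 32, 2048, 1050623)  # LBAs of a 512 MiB ESP (constructed)
    return bytes(mbr + hdr + ents)
```

Run it against the first couple of MiB of a real disk (`dd if=/dev/sda bs=1M count=2`) to confirm an installed system actually ended up with an ESP.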

Event Timeline

fgiunchedi raised the priority of this task from to Low.
fgiunchedi updated the task description.
fgiunchedi added a project: acl*sre-team.
fgiunchedi added a subscriber: fgiunchedi.
Restricted Application added a subscriber: Aklapper. Mar 19 2015, 3:41 PM
Paladox added a subscriber: Paladox. Aug 8 2017, 9:40 PM

Change 512711 had a related patch set uploaded (by Faidon Liambotis; owner: Faidon Liambotis):
[operations/puppet@production] autoinstall: configure DHCP for UEFI with syslinux

https://gerrit.wikimedia.org/r/512711

faidon added a subscriber: faidon. May 27 2019, 3:50 PM

So I just pushed a change that uses syslinux.efi above. This may prove to be short-lived, as we may switch to another PXE implementation (iPXE or GRUB, more on that later) but should work. It /may/ require appending initrd=initrd.gz to the kernel command-line options.

This also won't support Secure Boot, even with buster; Debian's shim only signs GRUB, and they don't have any intentions to sign syslinux anytime soon. I think Secure Boot should be left for a separate step anyway, as we'd likely need to roll out our own keys or our own shim to be able to deploy custom-built kernels in an emergency etc.

This also definitely requires modified partman recipes for GPT and ESP. This blog post details the steps; I'm copying the example from there just in case it goes offline.

# auto method must be lvm
d-i partman-auto/method string lvm
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-basicfilesystems/no_swap boolean false

# Keep that one set to true so we end up with a UEFI enabled
# system. If set to false, /var/lib/partman/uefi_ignore will be touched
d-i partman-efi/non_efi_system boolean true

# enforce usage of GPT - a must have to use EFI!
d-i partman-basicfilesystems/choose_label string gpt
d-i partman-basicfilesystems/default_label string gpt
d-i partman-partitioning/choose_label string gpt
d-i partman-partitioning/default_label string gpt
d-i partman/choose_label string gpt
d-i partman/default_label string gpt

d-i partman-auto/choose_recipe select boot-root-all
d-i partman-auto/expert_recipe string \
    boot-root-all :: \
        538 538 1075 free \
            $iflabel{ gpt } \
            $reusemethod{ } \
            method{ efi } \
            format{ } \
        . \
        128 512 256 ext2 \
            $defaultignore{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext2 } \
            mountpoint{ /boot } \
        . \
        1024 4096 15360 ext4 \
            $lvmok{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ / } \
        . \
        1024 4096 15360 ext4 \
            $lvmok{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ /var } \
        . \
        1024 1024 -1 ext4 \
            $lvmok{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ /var/lib } \
        .

# This makes partman automatically partition without confirmation, provided
# that you told it what to do using one of the methods above.
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman-md/confirm boolean true
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

# This is fairly safe to set, it makes grub install automatically to the MBR
# if no other operating system is detected on the machine.
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i grub-installer/bootdev string /dev/sda

Next step would be to test this, in a VM (with OVMF) and/or on a bare-metal machine. I'll leave the task open until this has been merged and tested.
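Several settings in the recipe above have to agree before d-i will produce a bootable EFI layout: every label key set to gpt, partman-efi left enabled, and a formatted method{ efi } partition guarded by $iflabel{ gpt } in the selected expert recipe. The linter below is an added example, not part of the Gerrit change or of the blog post: it parses a preseed excerpt constructed from the recipe above and reports which of those conditions are missing, so a BIOS-only recipe is caught before an install is attempted.

```python
import re

LABEL_KEYS = tuple(f"{ns}/{q}_label" for ns in ("partman-basicfilesystems", "partman-partitioning", "partman")
                   for q in ("choose", "default"))

# Constructed excerpt in the shape of the recipe above, shortened to the EFI-relevant settings.
EFI_PRESEED = """\
d-i partman-efi/non_efi_system boolean true
d-i partman-basicfilesystems/choose_label string gpt
d-i partman-basicfilesystems/default_label string gpt
d-i partman-partitioning/choose_label string gpt
d-i partman-partitioning/default_label string gpt
d-i partman/choose_label string gpt
d-i partman/default_label string gpt
d-i partman-auto/choose_recipe select boot-root-all
d-i partman-auto/expert_recipe string \\
boot-root-all :: \\
538 538 1075 free $iflabel{ gpt } $reusemethod{ } method{ efi } format{ } . \\
1024 4096 -1 ext4 $lvmok{ } method{ format } format{ } use_filesystem{ } filesystem{ ext4 } mountpoint{ / } .
"""

def parse_preseed(text):
    """Join backslash continuations; map each 'd-i <key> <type> <value>' line to key -> value."""
    settings = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "d-i":
            settings[parts[1]] = " ".join(parts[3].split())  # normalise whitespace
    return settings

def recipe_partitions(recipe):
    """Split 'name :: spec . spec .' into (name, [spec, ...]); a lone '.' ends each spec."""
    name, _, body = recipe.partition("::")
    return name.strip(), [s.strip() for s in re.split(r"(?<=\s)\.(?=\s|$)", body) if s.strip()]

def check_efi_preseed(text):
    """Return the problems that would leave d-i without a usable ESP on a GPT disk."""
    s = parse_preseed(text)
    problems = [f"{k} is {s.get(k)!r}, expected 'gpt'" for k in LABEL_KEYS if s.get(k) != "gpt"]
    if s.get("partman-efi/non_efi_system") != "true":  # kept true, as the recipe's comment says
        problems.append("partman-efi/non_efi_system must be true")
    name, specs = recipe_partitions(s.get("partman-auto/expert_recipe", ""))
    if s.get("partman-auto/choose_recipe") != name:
        problems.append(f"choose_recipe does not select recipe {name!r}")
    esp = [p for p in specs if "method{ efi }" in p and "$iflabel{ gpt }" in p and "format{ }" in p]
    if not esp:
        problems.append("no formatted method{ efi } partition under $iflabel{ gpt } (no ESP)")
    return problems
```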

Change 512711 merged by Volans:
[operations/puppet@production] autoinstall: configure DHCP for UEFI with syslinux

https://gerrit.wikimedia.org/r/512711

Change 512787 had a related patch set uploaded (by Faidon Liambotis; owner: Faidon Liambotis):
[operations/puppet@production] autoinstall: add working support for EFI

https://gerrit.wikimedia.org/r/512787

Change 512787 merged by Faidon Liambotis:
[operations/puppet@production] autoinstall: add support for EFI

https://gerrit.wikimedia.org/r/512787

faidon closed this task as Resolved. May 28 2019, 12:53 AM
faidon claimed this task.

OK, a few changes later, and we have a working EFI install in a VM (d-i-test) \o/

Everything should work. I even converted our flat.cfg partman recipe to work on both EFI & BIOS at the same time. Similar changes can be done on all recipes but I'll avoid making any mass changes that I can't test for now.

EFI can be stateful, and Ganeti's support for EFI is non-existent, so I filed #1374 upstream and also applied a workaround. Until that happens, we can convert VMs to EFI with:
gnt-instance modify -H kvm_extra="-bios OVMF.fd" d-i-test.eqiad.wmnet

I think as far as this task goes, this is complete and can be resolved. Future work:

  • IPv6 boot
  • HTTP Boot
  • Switch all systems to EFI by default
  • Secure Boot