Skip to content

packages: modernize the EFI/boot stack (grub 2.14, shim 16.1, efivar 39, efibootmgr 18)#1128

Open
bhouse-nexthop wants to merge 4 commits into
opencomputeproject:onie-modernization-2026from
bhouse-nexthop:bhouse.efi-boot-stack
Open

packages: modernize the EFI/boot stack (grub 2.14, shim 16.1, efivar 39, efibootmgr 18)#1128
bhouse-nexthop wants to merge 4 commits into
opencomputeproject:onie-modernization-2026from
bhouse-nexthop:bhouse.efi-boot-stack

Conversation

@bhouse-nexthop

@bhouse-nexthop bhouse-nexthop commented Jul 9, 2026

Copy link
Copy Markdown

Targets onie-modernization-2026. Independent — not stacked on any other modernization PR. Everything here builds on the existing cross-toolchain (GCC 8.3); none of it requires GCC 14 (verified — shim 16.1 compiles and hashes fine under GCC 8.3). Kept as its own PR (separate from the general package wave) for rollback isolation, since this is boot-critical.

What this does

Package From To Notes
grub 2.04 2.14 one ONIE source patch (SBAT-optional kernel verify, below); the tarball ships a generated ./configure so no autogen is needed here. The i386-pc / binutils-2.45 build patches (which need autogen + autoconf-archive) stay with the toolchain PR
shim 15 16.1 shim 16.1 bundles its own gnu-efi in-tree, so the separate gnu-efi package is dropped. shim's ENABLE_SHIM_HASH step now uses the host pesign (Debian 11 ships pesign 0.112, added to the build image) instead of the copy ONIE compiled from source, so ONIE's pesign build is dropped too
efivar 37 39 drops the entire vendored patch set (upstreamed / obsoleted by newer uClibc-ng <uchar.h>); source → GitHub archive; builds SUBDIRS=src
efibootmgr 16 18 keeps its 2 ONIE patches; won't build against efivar 39's changed efidp_format_device_path() signature, so bumped together with efivar

Secure Boot correctness (shim 16.1)

  • shim 16.1 refuses to load a GRUB image that has no .sbat section, so mk-grub-efi-image now embeds one meeting shim's baseline generation.
  • shim 16.1's image-loader makes an .sbat section mandatory in every image it loads, which would reject ONIE's pre-6.x (pre-SBAT) kernels even though their signature is valid. A one-hunk source patch to grub-core/kern/efi/sb.c makes grub verify the kernel via the legacy SHIM_LOCK->verify protocol (where a missing .sbat is optional). Signature enforcement is unchanged; a present-but-revoked .sbat is still a hard failure — only a completely missing .sbat on the kernel is tolerated.

Why shim / pesign / gnu-efi live here and not in the toolchain PR (#1129)

These are EFI/boot components, and all of them build on the existing GCC 8.3 toolchain. (shim 15 does not build under GCC 14 — that is why the toolchain PR cannot keep it — but shim 16.1 is toolchain-agnostic and belongs with the rest of the boot stack.)

Dependencies

No dependency on the general package PR (#1127) or the toolchain PR (#1129). Build-order edges on zlib (efibootmgr links libz) and lvm2 (grub links libdevmapper) are both satisfied by base onie-modernization-2026 (zlib 1.2.11, lvm2 2.02.105).

Testing

Built end-to-end on the existing toolchain (Debian 11 / GCC 8.3): green recovery ISO, and a Secure-Boot-enforced boot of the resulting image (shim 16.1 → grub 2.14 → the pre-SBAT 5.4 kernel) succeeds, with the SB negative control (db absent) correctly rejected. Each commit is bisectable.

@bhouse-nexthop bhouse-nexthop force-pushed the bhouse.efi-boot-stack branch from 32e7da0 to 2663006 Compare July 9, 2026 22:19
bhouse-nexthop added a commit to bhouse-nexthop/onie that referenced this pull request Jul 9, 2026
…9, efibootmgr 18)

Squashed content of PR opencomputeproject#1128, pulled in as a dependency for the toolchain milestone.

Signed-off-by: Brad House <bhouse@nexthop.ai>
bhouse-nexthop added a commit to bhouse-nexthop/onie that referenced this pull request Jul 10, 2026
…9, efibootmgr 18, shim 16.1, host pesign)
bhouse-nexthop added a commit to bhouse-nexthop/onie that referenced this pull request Jul 10, 2026
Move the cross-toolchain and build host to a modern base, and standardize
all machines on it.  The secure-boot signing stack (shim 16.1, host pesign,
gnu-efi removal, grub SBAT) is no longer here -- it moved to the EFI/boot
stack PR (opencomputeproject#1128), since none of it requires GCC 14.

  - Build host Debian 11 -> Debian 13 (trixie).  The old crosstool-NG 1.24 /
    GCC 8.3 toolchain cannot build on a Debian 13 host, so host and toolchain
    move together.
  - crosstool-NG 1.24 -> 1.28.0, GCC 8.3 -> 14, uClibc-ng 1.0.38 -> 1.0.54,
    binutils 2.45; XTOOLS_LINUX_VERSION decoupling so image-kernel bumps no
    longer rebuild the toolchain.
  - mokutil 0.4.0 -> 0.7.2 (adds a libkeyutils dependency).
  - grub i386-pc kernel.img link fix for binutils >= 2.39 (custom linker
    script + autogen + autoconf-archive) -- needs the new toolchain.
  - images.make GCC 14 libstdc++ SONAME (libstdc++.so.6.0.33).
  - Build pre-6.x kernels under GCC 14 (KERNEL_OLD_GCC_COMPAT): the existing
    5.4 kernel is kept and built under the new toolchain via
    CONFIG_STACK_VALIDATION= + -Wno-error, letting the toolchain move land
    independently of the kernel bump.

Signed-off-by: Brad House <bhouse@nexthop.ai>
@bhouse-nexthop bhouse-nexthop changed the title packages: modernize the EFI/boot stack (grub 2.14, efivar 39, efibootmgr 18) packages: modernize the EFI/boot stack (grub 2.14, shim 16.1, efivar 39, efibootmgr 18) Jul 10, 2026
bhouse-nexthop added a commit to bhouse-nexthop/onie that referenced this pull request Jul 10, 2026
…sstool-NG 1.28 / uClibc-ng 1.0.54)

Squashed content of PR opencomputeproject#1129, pulled in as a dependency.  (The secure-boot
stack -- shim 16.1, host pesign, grub SBAT -- is part of PR opencomputeproject#1128, which
opencomputeproject#1129 in turn depends on, so it is transitively included here.)
bhouse-nexthop added a commit to bhouse-nexthop/onie that referenced this pull request Jul 13, 2026
…sstool-NG 1.28 / uClibc-ng 1.0.54)

Squashed content of PR opencomputeproject#1129, pulled in as a dependency.  (The secure-boot
stack -- shim 16.1, host pesign, grub SBAT -- is part of PR opencomputeproject#1128, which
opencomputeproject#1129 in turn depends on, so it is transitively included here.)
bhouse-nexthop added a commit to bhouse-nexthop/onie that referenced this pull request Jul 13, 2026
…9, efibootmgr 18, shim 16.1, host pesign)
bhouse-nexthop added a commit to bhouse-nexthop/onie that referenced this pull request Jul 13, 2026
Move the cross-toolchain and build host to a modern base, and standardize
all machines on it.  The secure-boot signing stack (shim 16.1, host pesign,
gnu-efi removal, grub SBAT) is no longer here -- it moved to the EFI/boot
stack PR (opencomputeproject#1128), since none of it requires GCC 14.

  - Build host Debian 11 -> Debian 13 (trixie).  The old crosstool-NG 1.24 /
    GCC 8.3 toolchain cannot build on a Debian 13 host, so host and toolchain
    move together.
  - crosstool-NG 1.24 -> 1.28.0, GCC 8.3 -> 14, uClibc-ng 1.0.38 -> 1.0.54,
    binutils 2.45; XTOOLS_LINUX_VERSION decoupling so image-kernel bumps no
    longer rebuild the toolchain.
  - mokutil 0.4.0 -> 0.7.2 (adds a libkeyutils dependency).
  - grub i386-pc kernel.img link fix for binutils >= 2.39 (custom linker
    script + autogen + autoconf-archive) -- needs the new toolchain.
  - images.make GCC 14 libstdc++ SONAME (libstdc++.so.6.0.33).
  - Build pre-6.x kernels under GCC 14 (KERNEL_OLD_GCC_COMPAT): the existing
    5.4 kernel is kept and built under the new toolchain via
    CONFIG_STACK_VALIDATION= + -Wno-error, letting the toolchain move land
    independently of the kernel bump.

Signed-off-by: Brad House <bhouse@nexthop.ai>
Update grub 2.04 -> 2.14 (latest release), sourced from
ftp.gnu.org/gnu/grub.

Drop the entire patches/grub tree: grub 2.14 needs none of it.  The
CVE-2020-10713 "BootHole" family and the assorted overflow/security
fixes ONIE carried for 2.04 are upstream as of grub 2.06, the gcc-10+
build fixes are upstream, and the remainder were Debian/Ubuntu distro
integration ONIE does not use.  The release tarball ships a generated
./configure, so grub-patch no longer applies a series or runs
autogen.sh.

Drop the linuxefi grub module from the recovery-image and EFI image
module lists: upstream folded linuxefi/initrdefi into the standard
linux/initrd commands, so the module no longer exists (the grub.cfgs
already use linux/initrd).

The i386-pc kernel-image link fix needed for binutils >= 2.39 is not
included here; it requires patches + autogen and lands with the GCC 14
toolchain upgrade.  grub 2.14 builds from the pristine tarball on the
current binutils 2.32 toolchain.

Signed-off-by: Brad House <bhouse@nexthop.ai>
efivar 37 -> 39 and efibootmgr 16 -> 18, bumped together because
efibootmgr 16 does not build against efivar 39 (efidp_format_device_path()
changed signature); efibootmgr 18 matches it.

Both projects stopped publishing release dist tarballs, so source from
the GitHub source archives (github.com/rhboot/{efivar,efibootmgr}/archive,
which unpack to efivar-39/ and efibootmgr-18/).

efivar 39 needs none of the ONIE efivar patches, so drop the entire
patches/efivar tree: the sysfs/device-path parser fixes are upstream,
char16_t/char32_t now come from <uchar.h> (shipped by uClibc-ng),
remove-arrows is upstream, and efivar 39's build system is cross-compile
aware (derives CC/AR/HOSTCC from CROSS_COMPILE) so the build-integration
patches are obsolete.  Build with SUBDIRS=src to skip the docs.
efibootmgr's two ONIE patches still apply and are retained.

Signed-off-by: Brad House <bhouse@nexthop.ai>
Move the secure-boot signing components into the EFI/boot-stack PR where
they belong (they had been bundled with the toolchain move, but none of
this requires GCC 14 -- shim 16.1 builds fine under the existing GCC 8.3
toolchain).

  - shim 15 -> 16.1.  shim 16.1 bundles its own gnu-efi in-tree, so the
    separate gnu-efi package is dropped.  shim 16.1 needs no ONIE patches
    (patches/shim/series is now empty).
  - Use the host's pesign for shim's ENABLE_SHIM_HASH step instead of the
    copy ONIE compiles from source.  Debian 11 ships pesign 0.112, which is
    sufficient; add it to the build image and drop ONIE's pesign build.

Signed-off-by: Brad House <bhouse@nexthop.ai>
shim 16.1 requires every GRUB image it loads to carry an .sbat section
(grub-mkimage --sbat) or it refuses with "Verification failed: (0x1A)
Security Violation", and its image-loader makes an .sbat section mandatory
in every image it loads -- which rejects ONIE's pre-6.x (pre-SBAT) kernels
even though their signature is valid.

  - mk-grub-efi-image (installer grub) and onie-mk-iso.sh (recovery-ISO
    grub): embed an .sbat section meeting shim 16.1's baseline. Both build a
    GRUB image that shim loads, so both need it.
  - Apply a source patch to grub-core/kern/efi/sb.c so grub verifies the
    kernel via the legacy SHIM_LOCK->verify protocol (SBAT optional) rather
    than shim's image loader, so a validly-signed pre-SBAT kernel boots.
    Signature enforcement is unchanged; only a completely missing .sbat on
    the kernel is tolerated.

Signed-off-by: Brad House <bhouse@nexthop.ai>
@bhouse-nexthop bhouse-nexthop force-pushed the bhouse.efi-boot-stack branch from eeec2ab to 8e8fe8e Compare July 13, 2026 20:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant