From 416ebf2bdba6ae9dc2531dda96c9e293d24cea2b Mon Sep 17 00:00:00 2001
From: Clif Houck
Date: Fri, 29 May 2026 11:34:25 -0500
Subject: [PATCH] Add an agent flag to disable installing boatloaders

Pipes the new agent flag (enable_bios_bootloader_install) to agents. This flag disables bootloader install (calls to grub-install) by default for security reasons. Part of mitigation of CVE-2026-43003. Changes to backported versions: The default flips to avoid breaking stable users of Ironic. While this is a less secure default, it allows operators to apply the patch without fear of breaking existing workloads. Operators who need the increased security posture should explicitly set [agent]/enable_bios_bootloader_install to False.

Related-Bug: 2148310
Change-Id: I694bbe121e09e7e0b2e6c5ab3746f7943385190a
Signed-off-by: Clif Houck
Signed-off-by: Jay Faulkner
(cherry picked from commit e38ae0c579f8f05a85fc3266910525f96877dec5)
---
 ironic/api/controllers/v1/ramdisk.py | 1 +
 ironic/conf/agent.py | 8 ++++++++
 ironic/tests/unit/api/controllers/v1/test_ramdisk.py | 1 +
 ...lling-bootloaders-by-default-4a3c69777069587c.yaml | 11 +++++++++++
 4 files changed, 21 insertions(+)
 create mode 100644 releasenotes/notes/disable-installing-bootloaders-by-default-4a3c69777069587c.yaml

diff --git a/ironic/api/controllers/v1/ramdisk.py b/ironic/api/controllers/v1/ramdisk.py
index 8ae9e1f1e2..2dcb263491 100644
--- a/ironic/api/controllers/v1/ramdisk.py
+++ b/ironic/api/controllers/v1/ramdisk.py
@@ -65,6 +65,7 @@ def config(token):
 'agent_md5_checksum_enable': CONF.agent.allow_md5_checksum,
 'disable_deep_image_inspection': CONF.conductor.disable_deep_image_inspection, # noqa
 'permitted_image_formats': CONF.conductor.permitted_image_formats,
+ 'enable_bios_bootloader_install': CONF.agent.enable_bios_bootloader_install, # noqa
 }
diff --git a/ironic/conf/agent.py b/ironic/conf/agent.py
index 9cea41d821..97008ad101 100644
--- a/ironic/conf/agent.py
+++ b/ironic/conf/agent.py
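Review bot: The new `'enable_bios_bootloader_install'` entry only forwards the operator's setting to whichever ramdisk calls this endpoint; nothing in this hunk, or elsewhere in the patch, enforces it on the conductor side, so the CVE mitigation is only as strong as the agent's handling of the flag. An agent image that predates this key will presumably ignore it and keep calling grub-install regardless of the setting, which is worth stating next to the line for future maintainers, e.g. `# Advisory only: enforcement lives in IPA, which must know this key to honor it.`. `config()` starts at the hunk's context header and continues outside the hunk.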
@@ -180,6 +180,14 @@
 'permitted to consider MD5 checksums. This option '
 'is expected to change to a default of False in a '
 '2024 release of Ironic.')),
+ cfg.BoolOpt('enable_bios_bootloader_install',
+ default=True,
+ help=_('When enabled, enables agent support for partition '
+ 'images which require a legacy bootloader -- and a '
+ 'call to ``grub-install``. Generally, this should '
+ 'remain disabled for maximum security, however, this '
+ 'option allows it to be re-enabled for '
+ 'compatibility.')),
 ]
diff --git a/ironic/tests/unit/api/controllers/v1/test_ramdisk.py b/ironic/tests/unit/api/controllers/v1/test_ramdisk.py
index 5b19f43151..a1d14ec155 100644
--- a/ironic/tests/unit/api/controllers/v1/test_ramdisk.py
+++ b/ironic/tests/unit/api/controllers/v1/test_ramdisk.py
@@ -84,6 +84,7 @@ def _check_config(self, data):
 'agent_md5_checksum_enable': CONF.agent.allow_md5_checksum,
 'disable_deep_image_inspection': CONF.conductor.disable_deep_image_inspection, # noqa
 'permitted_image_formats': CONF.conductor.permitted_image_formats,
+ 'enable_bios_bootloader_install': CONF.agent.enable_bios_bootloader_install, # noqa
 }
 self.assertEqual(expected_config, data['config'])
 self.assertIsNotNone(data['config']['agent_token'])
diff --git a/releasenotes/notes/disable-installing-bootloaders-by-default-4a3c69777069587c.yaml b/releasenotes/notes/disable-installing-bootloaders-by-default-4a3c69777069587c.yaml
new file mode 100644
index 0000000000..c305ef0450
--- /dev/null
+++ b/releasenotes/notes/disable-installing-bootloaders-by-default-4a3c69777069587c.yaml
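Review bot: The help text for the new `enable_bios_bootloader_install` option says the feature should "remain disabled for maximum security" and that the option "allows it to be re-enabled", yet this backport sets `default=True`, so an operator reading the generated sample config is told the opposite of what the default actually does. Reword the help to match this branch, e.g. `help=_('When enabled (the default on this branch), the agent may run grub-install to install a legacy bootloader for partition images. Set to False for a stricter security posture (CVE-2026-43003).')`. It would also help to say that the setting is merely forwarded to the ramdisk and, presumably, only takes effect with an agent build that knows the key. The release note added by this patch carries the same "disabled by default" wording and should be corrected alongside the help text.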
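Review bot: The new line in `_check_config` compares the served value against `CONF.agent.enable_bios_bootloader_install` itself, so it passes for any default and would not catch the backport default being accidentally flipped to False (or the master default reappearing) on a future rebase. Add a test that pins the branch default, `self.assertTrue(data['config']['enable_bios_bootloader_install'])`, and one that overrides it via the config fixture, `self.config(enable_bios_bootloader_install=False, group='agent')`, and then checks `self.assertFalse(data['config']['enable_bios_bootloader_install'])` so that propagation to the ramdisk is actually exercised. `_check_config` begins at the hunk's context header and the tests that call it are outside the hunk.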
@@ -0,0 +1,11 @@
+---
+security:
+ - |
+ Disable installation of bootloaders (via grub-install) by IPA by default
+ in order to improve security posture by adding a new agent configuration
+ option `enable_bios_bootloader_install` which defaults to `True` for this
+ branch of Ironic.
+
+ Operators who have a stricter security posture or do not need this
+ functionality can disable installation of bootloaders by setting
+ `enable_bios_bootloader_install` to `False`. Addresses CVE-2026-43003.