Comments (23)
You don't have bootctl
?! terrible :)
I think we can implement the same logic and also look for SYSTEMD_ESP_PATH
and ESP_PATH
as fallbacks. Better to use the possible options we have available. Preferably not mess with mounting anything.
from sbctl.
Hmm, lets go blkid and the ENV variables then we can figure out dbus later. It probably improves the status quo regardless :) Thanks!
from sbctl.
I'd prefer not to depend on bootctl
, since I don't have that here :P
@Foxboron do you have any preference between a command line parameter or env vars? Looping through those directories seems reasonable to me, though. We could even implement logic to try and mount the ESP (if given in the command line or via env var) by calling mount $ESP_PATH
, but I don't think that's entirely necessary.
from sbctl.
This is one of the more "this seems easy". But the missing part is that systemd checks with blkid and/or udev depending on privileged or unprivileged operation. I have no clue if the partition types is stored in procfs or sysfs or if there needs to be some simple partition introspection for this.
I might be over complicating this as well and we could just assume BOOT/BOOTX64.EFI
should exist on one of those paths. Which should cover most of the usecases.
from sbctl.
From the systemd source code why it has both udev and blkid selection mechanism.
/* If we are unprivileged we ask udev for the metadata about the partition. If we are privileged we
* use blkid instead. Why? Because this code is called from 'bootctl' which is pretty much an
* emergency recovery tool that should also work when udev isn't up (i.e. from the emergency shell),
* however blkid can't work if we have no privileges to access block devices directly, which is why
* we use udev in that case. */
from sbctl.
Should we assume that udev
is always available? And default to some silly checking for BOOTx64.EFI
if that is not the case?
from sbctl.
I think udev
is only available on systems with systemd or eudev. BTW, not sure why they are saying the blkid
does not work in unpriviledged mode as it seems to work for me.
BTW there is a wipefs
command that support JSON output.
from sbctl.
BTW, not sure why they are saying the
blkid
does not work in unpriviledged mode as it seems to work for me.
blkid
doesn't work for unprivileged users (just check it). maybe you're part of the disk
group.
from sbctl.
I'm inclined to assume udev is available and leave the current approach by iterating over /efi
, /boot
and /boot/efi
as a fallback. Does that sound good? We can set a default ESP partition in the config when that is implemented.
from sbctl.
BTW, not sure why they are saying the
blkid
does not work in unpriviledged mode as it seems to work for me.
blkid
doesn't work for unprivileged users (just check it). maybe you're part of thedisk
group.
I figured it out. When blkid
is run it will create a cache file under /run/blkid/blkid.tab
. After that unprivileged users can read the cache instead of the devices directly. There is some program that calls blkid
on my system that creates that cache by running blkid
.
from sbctl.
I'm inclined to assume udev is available and leave the current approach by iterating over
/efi
,/boot
and/boot/efi
as a fallback. Does that sound good? We can set a default ESP partition in the config when that is implemented.
Even if udev is available if there are multiple vfat partitions with ESP partition GUID (for example a user has inserted Arch boot ISO) how would you select.
from sbctl.
So the systemd code is looping over /efi
, /boot
and /boot/efi
and queries each of these with either blkid or udev. It checks if it's a mount, if it's the correct UUID and so on. It doesn't query all disks, just the expected mount locations of the partition. It also force mounts it by trying to lookup path/trigger
first. I think we can follow the same logic?
- check if
SYSTEMD_ESP_PATH
orESP_PATH
is defined - Loop over
/efi
,/boot
and/boot/efi
and check for a valid ESP.
from sbctl.
I think we can follow the same logic?
Sounds good.
from sbctl.
@igo95862 Want to try implement it :)?
from sbctl.
@igo95862 Want to try implement it :)?
Closer to weekend probably.
BTW how would you want to add udev? Use some existing udev go binds? Link to libsystemd with cgo?
from sbctl.
Preferably some existing udev go library would be the best option I think.
from sbctl.
How about this one: https://github.com/pilebones/go-udev
from sbctl.
Hmm, there really wasn't that many udev libraries. That library is probably nice :)
from sbctl.
Hmm, there really wasn't that many udev libraries. That library is probably nice :)
Well, its actually GPL3. (just realized) Unless you want to re-license entire project...
from sbctl.
I think implementing the blkid
is easier because it won't require any extra libraries just some command line parsing.
from sbctl.
Actually what was the problem with lsblk
? It can be used to retrieve the same information as blkid
or udev plus output in JSON making parsing easy.
from sbctl.
Ohhh! Neat! I'm not sure if this is new or I was completely blind to it when I implemented it the first time :)
from sbctl.
At least from March 2018 balena-io-modules/drivelist#255
from sbctl.
Related Issues (20)
- Failing test from vendored go HOT 1
- Issue with sbctl sign-all -g bundle generation HOT 4
- /boot fails to mount after migrate HOT 11
- signing and listing bundles fails with "permission denied" although files exist and executed with sudo HOT 2
- Cosmetic problem: sbctl is telling me to migrate the config whilst I'm migrating the config. HOT 1
- `rotate-keys` seems to enroll keys without vendor certificates/TPM Eventlog checksums HOT 8
- `sign-all` no longer updates already signed output files if input files change HOT 12
- sbctl messed up after running "sbctl setup --migrate" HOT 2
- Image signature/verification fails if PK or KEK are missing
- Support drop-in configs HOT 1
- Already signed file doesn't appear in database, can't add it either HOT 4
- enroll-keys --microsoft seems to enroll more microsoft keys than necessary for Option ROM HOT 7
- Feature Request: custom Common Name
- Allow exporting keys without efivarfs
- Feature request: warn about writing UKIs to the EFI partition on FDE setups HOT 7
- Running sbctl verify returns failed to find EFI system partition HOT 6
- Request to remove requirement for private key from enroll-keys HOT 1
- [bug] `sbctl create-keys --config ./sbctl.conf` ignores custom config-path HOT 1
- how to setup OpenSUSE auto sign?
- failed parsing pkcs7 signature from binary HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sbctl.