On Di, Aug 30 2022 at 13:56:40 -0400, Chris Murphy <lists@colorremedies.com> wrote:
Hi,
There was some discussion about 18 months ago on the file system layout [1]. It also mentions the Boot Loader Specification.
systemd 252 NEWS [2] mentions changes and clarifications in sd-boot, bootctl, and the Boot Loader Specification. And it's got me wondering if there's interest in openSUSE adopting Boot Loader Spec?
I have lifted support from Fedora in some of my grub2 builds on obs in the past, and used my system with modified /boot mount from how it comes preinstalled, it works, but it is most certainly janky the way I did it.
I recently came across Boom[3] a project to manage BLS snippets for the boot-to-snapshot use case, Btrfs and LVM.
We could go two ways with snapper support, it's currently done with a shell script: https://build.opensuse.org/package/view_file/Base:System/grub2/grub2-snapper... we could either integrate this shell script with boom, or rewrite the shell script to still do the full handling of boot entries. Considering the status quo, boom never seemed necessary for our use case to me, but it could be a nice idea if it was integrated more directly with snapper. Since BLS is a pretty generic, it's probably a better idea than the current hook system anyhow, but I assume I would be lynched by anybody using snapper outside of the openSUSE context ;) https://github.com/openSUSE/snapper/blob/master/snapper/Hooks.cc
One hurdle is BLS pretty much obviates the idea of an encrypted $BOOT, which openSUSE supports right now. While the kernel and initramfs are not secrets, thus don't need confidentiality, the initrd in particular needs to be protected from malicious insertions, which (somewhat indirectly) encryption achieves. Whether no initramfs or implementing BLS Type 2 (EFI Unified Kernel Images, which includes an initrd and bootloader config, and the whole thing is signed), suggests pretty significant changes to implement.
Any recent thoughts on the general direction to go in? Thanks.
I would say this starts with implementing bls in perl-bootloader or trying to lift support for bls config generation from other distributions (though that is simple enough, it seems Fedora for example deprecated grubby as a whole and instead maintains a bunch of "short" shell scripts that generate bls config). From having used both grub2 with bls and systemd-boot on openSUSE, the set up is a janky mess, but the experience is fine. BLS's strengths are in the much lower complexity of maintenance of boot entries, which is most certainly a plus for a person that lives off of a hacked up distro at all times ;) So I would say yes, but I assume not everyone will be this enthused about changing the snapshots to not include /boot, since we already had a discussion about this a few years back, and I got a big fat nope last time around https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/4... (you will have to search for my mention of /boot/efi, bls or systemd-boot to find it though, it's a long thread about a lot of stuff) LCP [Jake] https://lcp.world/