🌱 spike: lifecycle operations with UKI

[mudler]

• try to install the image manually (mimicking the installer) taking notes of the steps
• try to do upgrade manually (mimicking what we have) taking notes of the steps

See also:
https://github.com/canonical/nullboot
https://github.com/Foxboron/sbctl

Action items

• investigate required changes
• create follow-ups card to implement the required code changes

[mudler]

Blocked by #1150

[Itxaka]

This has to be revisited as:

There is no install workflow anywhere for uki, its just 1 efi file that you need to copy into a FAT formatted partition
There is no upgrade workflow. There is only 1 partition where the efi resides. Upgrade would be dropping a new ifi file into that partition and making the bootloader add that entry.

In both cases we dont have anything in there to do any of those workflows, nor are we sure we can do those. Nor there is a install apth nor there is an iso that bundles the uki artifact.

[mudler]

Summary after conversation:

• Installation, Upgrade and reset are handled manually by Kairos (managing directly the EFI files, without a boot manager like GRUB)
• We can offer utilities to e.g. switch from active to passive during runtime (changing the EFI boot)
• The EFI signatures of the images that we generate will be installed in the bios db of the machine
• Both /oem and cos_persistent are optional. If they are there must be encrypted
  • Cloud config during installation can be sealed in the TPM (only one-off) or just the strictly necessary data to unencrypt the encrypted partition

[Itxaka]

Very interesting thing, fedora ships a fallback.efi which does the following:

• Check under each EFI/ dir that its not BOOT
• Looks for BOOT.CSV
• For each valid entry in each BOOT.CSV file it finds, fallback creates a new Boot#### variable and appends it to BootOrder
• After that, it boots the first created entry

Maybe we could lean on that to create and regenerate boot entries in case of failure or if we mess up or remove valid entries?

So the idea would be:

• Copy kairos uki into /EFI/Kairos/kairos-$VERSION.efi
• Add that new entry into a BOOT.CSV int eh /EFI/Kairos dir
• Add the fallback.efi into /EFI/BOOT/{bootaa64.efi,bootx64.efi}

This would allow us some safety net in case we mess up the EFI boot manager entries...

https://blog.uncooperative.org/uefi/linux/shim/efi%20system%20partition/2014/02/06/the-efi-system-partition.html

[Itxaka]

Action items from the meeting:

• [uki] Test ipxe boot #1881
• [uki] test ipxe iso with OEM/PERSISTENT partitions on a usb device or disk #1882
• [uki] Test usb boot #1883
• [uki] adjust immucore for ipxe boot path #1887
• [uki] Modify agent install workflow for uki netboot #1888

[mudler]

@Itxaka we need a card for UEFI Setup mode install wrt Secure Boot

[mudler]

created the relevant cards

[mudler]

this is done, closing