Feature request: Support mdadm raid for ESP partitions
I build pretty much all my systems as root-on-zfs, using my own setup ZFS-root. It works fine with Secure Boot, and for multiple boot disks I use a mdadm mirror of the ESP partitions. The mirrored ESP is seen like this in /proc/mounts:
/dev/md127 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
Setup all works, systems boot, all is good. The only thing that doesn't work is sbctl verify which predictably fails with the failed to find EFI system partition error.
Testing in a VirtualBox VM with 4x boot drives (why not hehe) the relevant output of lsblk is as follows:
lsblk --json --output PARTTYPE,MOUNTPOINT,PTTYPE,FSTYPE,MOUNTPOINTS,TYPE,PKNAME,KNAME
:
},{
"parttype": "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
"mountpoint": null,
"pttype": "gpt",
"fstype": "linux_raid_member",
"mountpoints": [
null
],
"type": "part",
"pkname": "sda",
"kname": "sda1"
},{
"parttype": "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
"mountpoint": null,
"pttype": "gpt",
"fstype": "linux_raid_member",
"mountpoints": [
null
],
"type": "part",
"pkname": "sdb",
"kname": "sdb1"
},{
"parttype": "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
"mountpoint": null,
"pttype": "gpt",
"fstype": "linux_raid_member",
"mountpoints": [
null
],
"type": "part",
"pkname": "sdc",
"kname": "sdc1"
},{
"parttype": "c12a7328-f81f-11d2-ba4b-00a0c93ec93b",
"mountpoint": null,
"pttype": "gpt",
"fstype": "linux_raid_member",
"mountpoints": [
null
],
"type": "part",
"pkname": "sdd",
"kname": "sdd1"
},{
"parttype": null,
"mountpoint": "/boot/efi",
"pttype": null,
"fstype": "vfat",
"mountpoints": [
"/boot/efi"
],
"type": "raid1",
"pkname": "sda1",
"kname": "md127"
},{
"parttype": null,
"mountpoint": "/boot/efi",
"pttype": null,
"fstype": "vfat",
"mountpoints": [
"/boot/efi"
],
"type": "raid1",
"pkname": "sdb1",
"kname": "md127"
},{
"parttype": null,
"mountpoint": "/boot/efi",
"pttype": null,
"fstype": "vfat",
"mountpoints": [
"/boot/efi"
],
"type": "raid1",
"pkname": "sdc1",
"kname": "md127"
},{
"parttype": null,
"mountpoint": "/boot/efi",
"pttype": null,
"fstype": "vfat",
"mountpoints": [
"/boot/efi"
],
"type": "raid1",
"pkname": "sdd1",
"kname": "md127"
},{
:
4x partitions as raid members with parttype c12a7328-f81f-11d2-ba4b-00a0c93ec93b and pttype gpt. The 4x entries for /boot/efi though are all null for both parttype and pttype.
In general this works well. Much cleaner than using hooks to mount and copy ESP contents around.
What are the chances to have sbctl support this kind of setup fully ?
> What are the chances to have sbctl support this kind of setup fully ?
Not something I'll be willing to write up. Please just use ESP_PATH and point at the correct location.
I've tried that - no luck :( But I was originally using EFI_PATH, doh! At least with ESP_PATH it works, but it tries to verify every file. This is with the sbctl-017 from jloeser:
alice@test:~$ df -h /boot/efi
Filesystem Size Used Avail Use% Mounted on
/dev/md127 985M 164M 822M 17% /boot/efi
alice@test:~$ fgrep efi /proc/mounts
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/md127 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
alice@test:~$ sudo ESP_PATH=/boot/efi sbctl verify
Verifying file database and EFI images in /boot/efi...
✓ /boot/efi/EFI/tools/memtest86/memtest86.efi is signed
✓ /boot/efi/EFI/tools/shellx64.efi is signed
✓ /boot/efi/EFI/zfsbootmenu/vmlinuz-bootmenu is signed
✓ /boot/efi/EFI/zfsbootmenu/zfsbootmenu.efi is signed
✓ /boot/efi/EFI/refind/refind_x64.efi is signed
failed to verify file /boot/efi/EFI/refind/BOOT.CSV: /boot/efi/EFI/refind/BOOT.CSV: invalid pe header
failed to verify file /boot/efi/EFI/refind/icons/README: /boot/efi/EFI/refind/icons/README: invalid pe header
failed to verify file /boot/efi/EFI/refind/icons/arrow_left.png: /boot/efi/EFI/refind/icons/arrow_left.png: invalid pe header
I tried on an Ubuntu Plucky/25.10 with a locally-built sbctl-0.18, and that works. I had copied the original /var/lib/sbctl to /boot/efi/sbctl and created a /etc/sbctl with all filepaths pointing there:
alice@test:~/sbctl-0.18$ ls -la /var/lib/sbctl
lrwxrwxrwx 1 root root 16 Oct 26 12:08 /var/lib/sbctl -> /boot/efi/sbctl/
alice@test:~/sbctl-0.18$ sudo ESP_PATH=/boot/efi ./sbctl verify
Verifying file database and EFI images in /boot/efi...
✓ /boot/efi/EFI/tools/memtest86/memtest86.efi is signed
✓ /boot/efi/EFI/tools/shellx64.efi is signed
✓ /boot/efi/EFI/zfsbootmenu/vmlinuz-bootmenu is signed
✓ /boot/efi/EFI/zfsbootmenu/zfsbootmenu.efi is signed
✓ /boot/efi/EFI/refind/refind_x64.efi is signed
So it looks like building from source is the way to go
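The lsblk output in the report shows why the mounted md127 device carries no parttype: the ESP type GUID sits on the member partitions, which the raid1 rows name in pkname. As an added example (not sbctl's code and not written by anyone in this thread), the Go function below follows that link to find the mountpoint to pass as ESP_PATH; findESPMount, blockDev and the trimmed sample JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// GPT type GUID of an EFI system partition, as in the lsblk output above.
const espGUID = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"

// Constructed sample: two md members and their mirror, in lsblk --json shape.
const sample = `{"blockdevices":[
 {"parttype":"c12a7328-f81f-11d2-ba4b-00a0c93ec93b","mountpoint":null,"fstype":"linux_raid_member","type":"part","pkname":"sda","kname":"sda1"},
 {"parttype":"c12a7328-f81f-11d2-ba4b-00a0c93ec93b","mountpoint":null,"fstype":"linux_raid_member","type":"part","pkname":"sdb","kname":"sdb1"},
 {"parttype":null,"mountpoint":"/boot/efi","fstype":"vfat","type":"raid1","pkname":"sda1","kname":"md127"},
 {"parttype":null,"mountpoint":"/boot/efi","fstype":"vfat","type":"raid1","pkname":"sdb1","kname":"md127"}]}`

// JSON keys match these fields case-insensitively; a JSON null leaves "".
type blockDev struct{ PartType, MountPoint, FSType, Type, PKName, KName string }

// findESPMount returns the mountpoint of a vfat ESP, looking through an md RAID1 mirror.
func findESPMount(lsblkJSON []byte) (string, error) {
	var out struct{ BlockDevices []blockDev }
	if err := json.Unmarshal(lsblkJSON, &out); err != nil {
		return "", err
	}
	isESP := map[string]bool{} // kname -> partition carries the ESP type GUID
	for _, d := range out.BlockDevices {
		if d.Type == "part" && strings.EqualFold(d.PartType, espGUID) {
			isESP[d.KName] = true
		}
	}
	for _, d := range out.BlockDevices {
		if d.MountPoint == "" || d.FSType != "vfat" {
			continue
		}
		// Plain ESP: the mounted partition itself has the GUID.
		// md mirror: the raid1 row has no parttype, but its member (pkname) does.
		if isESP[d.KName] || (d.Type == "raid1" && isESP[d.PKName]) {
			return d.MountPoint, nil
		}
	}
	return "", fmt.Errorf("no mounted vfat ESP found")
}

func main() {
	fmt.Println(findESPMount([]byte(sample)))
}
```

A raid1 vfat volume whose members do not carry the ESP GUID is rejected, so an unrelated mirrored FAT volume is not mistaken for the ESP.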