
systemd: Add Boot type to system information

Open leomoty opened this issue 1 year ago • 11 comments

I know for sure it might need to fix some wording, so trying to get the feedback early.

Fixes #19368

Can you please take a look, @allisonkarlitskaya?

Oh also, running these tests locally is messy, I get so many pixel diffs, so I really only focused on running the actual test that has the info.

leomoty avatar Sep 21 '23 16:09 leomoty

This is now stale due to #19378. Do you want me to rebase it as is, or wait until we have a design? I can implement the other bit afterwards also.

leomoty avatar Sep 25 '23 22:09 leomoty

@garrett So here's where the line shows up:

image

And not here, which is where I thought it would:

image

In addition to "BIOS or Legacy" the current code also has the possibility to display:

  • "EFI (Secure Boot enabled)"
  • "EFI (Secure Boot disabled)"

allisonkarlitskaya avatar Nov 13 '23 15:11 allisonkarlitskaya

Looks good overall!

Questions:

  1. Should we move the left column on the details page? It would make things more balanced, and it kind of feels "tacked on" in the screenshots.
  2. How important is the information? (Would it be needed on the summary card, or is it just an implementation detail from the point of view of an administrator?)
  3. "BIOS or Legacy" should probably say "Legacy BIOS", right?
  4. Should we use strings like "EFI, secure boot on" and "EFI, secure boot off" instead?

garrett avatar Nov 14 '23 10:11 garrett

I think it's "BIOS or Legacy" because if we're in this situation, the only thing we know is that we're not on EFI. It might be that we're on some other arch or so, and then "Legacy BIOS" would be wrong.

I assumed this would be in the main summary screen because that card looks kinda empty and secure boot is kinda a matter of health, depending on your perspective...

allisonkarlitskaya avatar Nov 14 '23 11:11 allisonkarlitskaya

OK, let's do this:

My suggestions above, with @allisonkarlitskaya's stacked on top.

So that's:

  1. Move CPU to the left column on the details page, as I suggested above.
  2. Also add EFI/BIOS information to summary card, as @allisonkarlitskaya suggests.
  3. Keep "BIOS or legacy" (note: fix the L to be lowercase).
  4. Change EFI strings to "EFI, secure boot on" / "EFI, secure boot off".

How's that?

garrett avatar Nov 14 '23 12:11 garrett

This helps, however EFI isn't just with Secure Boot enabled or disabled on X86_64 (x64), as some systems aren't even equipped with the possibility of having Secure Boot but have UEFI (EFI) based BIOS firmware.

Also, armhf64 has the potential for Secure Boot (even though a recent update broke it); Microsoft and Linux distributions are looking into fixing it! Thus a check for it being enabled, disabled, etc. on the 64-bit Arm architecture would be a very good idea!

Can these be taken into account for being in the final merge please?

MrGrymReaper avatar Dec 17 '23 20:12 MrGrymReaper

@garrett @leomoty The above can be taken into account by changing the EFI strings to go "EFI, secure boot on", "EFI, secure boot off" / "EFI, secure boot unavailable". As well as introducing those strings for armhf64 in an appropriate fashion as follows "armhf64, secure boot on", "armhf64, secure boot off" / "armhf64, secure boot unavailable".

MrGrymReaper avatar Dec 29 '23 18:12 MrGrymReaper

Right, so we can detect on x86:

  • EFI: /sys/firmware/efi
  • BIOS: /sys/firmware/efi is absent
  • EFI Secure Boot available: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

It seems this UUID is not constant according to the Arch Wiki.

[jelle@t14s][~]%od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot-*
   6   0   0   0   0

On ARM?

jelly avatar Mar 28 '24 14:03 jelly
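
The sysfs checks from the comment above, mapped to the strings proposed earlier in the thread, as an added example that is not part of the thread or of Cockpit's code. The names `parse_efivar`, `boot_type` and `fake_sysfs` are hypothetical, and treating a missing, truncated or oddly sized variable as "EFI, secure boot unavailable" is an assumption.

```python
import glob
import os
import struct
import tempfile

# GUID suffix as quoted in the thread; used only to name the constructed fixture file.
THREAD_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data)."""
    # efivarfs prepends a 4-byte little-endian attribute mask to the variable
    # data, which is why od shows five bytes for the one-byte SecureBoot value.
    if len(raw) < 4:
        raise ValueError("efivarfs file shorter than its attribute header")
    (attributes,) = struct.unpack_from("<I", raw)
    return attributes, raw[4:]

def boot_type(sysfs_root="/sys"):
    """Map the sysfs checks listed in the thread to the proposed UI strings."""
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    if not os.path.isdir(efi_dir):
        return "BIOS or legacy"  # all we know is that this is not EFI
    # Glob on the variable name, as the od command does, rather than pinning the suffix.
    matches = sorted(glob.glob(os.path.join(efi_dir, "efivars", "SecureBoot-*")))
    try:
        with open(matches[0], "rb") as f:
            _attributes, data = parse_efivar(f.read())
    except (IndexError, OSError, ValueError):
        return "EFI, secure boot unavailable"  # no variable, unreadable, or truncated
    if len(data) != 1:
        return "EFI, secure boot unavailable"  # assumption: odd size means unknown
    return "EFI, secure boot on" if data[0] == 1 else "EFI, secure boot off"

def fake_sysfs(secureboot=None, efi=True):
    """Build a constructed sysfs tree in a temp dir (hypothetical test helper)."""
    root = tempfile.mkdtemp()
    if efi:
        efivars = os.path.join(root, "firmware", "efi", "efivars")
        os.makedirs(efivars)
        if secureboot is not None:
            with open(os.path.join(efivars, THREAD_VAR), "wb") as f:
                f.write(secureboot)
    return root

if __name__ == "__main__":
    print("this host:", boot_type())
    print("constructed, od bytes 6 0 0 0 0:", boot_type(fake_sysfs(bytes([6, 0, 0, 0, 0]))))
```

The five bytes in the `od` output decode as attribute mask 6 followed by the value 0, which this sketch reports as "EFI, secure boot off".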

> Right, so we can detect on x86:
>
>   • EFI: /sys/firmware/efi
>   • BIOS: /sys/firmware/efi is absent
>   • EFI Secure Boot available: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
>
> It seems this UUID is not constant according to the Arch Wiki.
>
> [jelle@t14s][~]%od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot-*
>    6   0   0   0   0
>
> On ARM?

On x86 under /sys/firmware/efi/efivars/ there wouldn't be the Secure Boot entry and/or certain security related values wouldn't be present.

I don't know Arm either, however that doesn't mean that it's not possible for such a situation to be possible. However, speaking to Arm and/or Ampere would help with these checks.

MrGrymReaper avatar Mar 28 '24 16:03 MrGrymReaper

> > Right, so we can detect on x86:
> >
> >   • EFI: /sys/firmware/efi
> >   • BIOS: /sys/firmware/efi is absent
> >   • EFI Secure Boot available: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
> >
> > It seems this UUID is not constant according to the Arch Wiki.
> >
> > [jelle@t14s][~]%od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot-*
> >    6   0   0   0   0
> >
> > On ARM?
>
> On x86 under /sys/firmware/efi/efivars/ there wouldn't be the Secure Boot entry and/or certain security related values wouldn't be present.
>
> I don't know Arm either, however that doesn't mean that it's not possible for such a situation to be possible. However, speaking to Arm and/or Ampere would help with these checks.

I quickly read the U-Boot code, as it provides EFI for ARM and it also supports Secure Boot. But that's just one flavour of ARM. So I'm initially going to look at x86_64, and ARM + UEFI on Fedora.

jelly avatar Mar 28 '24 16:03 jelly

Quickly hacked up https://github.com/cockpit-project/cockpit/pull/20235, needs tests and ironing out some small details. (Also testing on ARM64 to see if I am right).

P.S. added Co-Authored-By leomoty so your contribution does not get lost.

jelly avatar Mar 28 '24 17:03 jelly