systemd: Show boot type in overview card

Open jelly opened this issue 1 year ago • 4 comments

When on x86_64 or ARM64 find out if we are booting from EFI or legacy boot and if we have secure boot enabled.

Secure boot is supported in ARM64 either natively in professional hardware or via U-Boot which provides an EFI implementation with secure boot.

jelly avatar Mar 28 '24 17:03 jelly
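One way to derive the boot type and secure boot state the issue asks for, directly from the Linux efivarfs files under `/sys/firmware/efi` (an added example, not code from Cockpit or from this thread). The function names, the `sysfs_root` parameter and the returned labels are hypothetical.

```python
import struct
from pathlib import Path

# GUID of the EFI global variable namespace (SecureBoot, SetupMode live here).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_byte(efivars: Path, name: str):
    """Return the one-byte payload of an efivarfs variable, or None if unreadable."""
    try:
        raw = (efivars / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None
    # efivarfs prefixes the payload with a 4-byte little-endian attribute mask.
    if len(raw) != 5:
        return None
    _attrs, value = struct.unpack("<IB", raw)
    return value


def boot_state(sysfs_root="/sys"):
    """Return (boot_type, secure_boot) using hypothetical labels."""
    efi_dir = Path(sysfs_root) / "firmware" / "efi"
    if not efi_dir.is_dir():
        # No EFI runtime exposed: legacy BIOS on x86_64, non-EFI boot on ARM64.
        return ("legacy", "unsupported")
    efivars = efi_dir / "efivars"
    secure = read_efi_byte(efivars, "SecureBoot")
    setup = read_efi_byte(efivars, "SetupMode")
    if secure is None:
        # efivarfs not mounted, or the firmware does not expose the variable.
        return ("efi", "unknown")
    if setup == 1:
        # No Platform Key enrolled, so signatures are not being enforced.
        return ("efi", "setup-mode")
    if secure == 1:
        return ("efi", "enabled")
    # Variable present but zero: secure boot is available and switched off.
    return ("efi", "disabled")


if __name__ == "__main__":
    print(boot_state())
```

The `("efi", "disabled")` result is the "available, but not enabled" case raised later in the thread, which is the one worth surfacing as a warning.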

TBH this feels a little too "prominent/expensive". This isn't something that would/should ever change on a system, no? Could this perhaps be moved to the hwinfo page or so?

martinpitt avatar Apr 08 '24 13:04 martinpitt

> TBH this feels a little too "prominent/expensive". This isn't something that would/should ever change on a system, no? Could this perhaps be moved to the hwinfo page or so?

There was an argument against it in https://github.com/cockpit-project/cockpit/pull/19371

jelly avatar Apr 08 '24 13:04 jelly

It's a detail, sure. It's also a security setting to help prevent bootloader and unsigned kernel attacks. And you probably want to know if secure boot is available, but not enabled.

Imagine an admin with multiple machines. They want to make sure secure boot is turned on when possible. Diving into sub-pages is not ideal for this.

Ideally, it's something that wouldn't change on a system. However, if it is different on a system, that could indicate a problem. For example, on my desktop: I had a UEFI update that turned off secure boot on my desktop and I only noticed when I was looking through GNOME Settings and was confused as to why it was off. Had GNOME not shown that in the settings, I wouldn't have ever known and wouldn't have fixed it and would have assumed my computer was still booting with secure boot on (which is how I set it up).

On a server with multiple people having admin access, someone could've accidentally turned it off or not set it from the beginning (in addition to my example above where a firmware update turned it off). Someone could've also intentionally turned off secure boot for whatever other reasons, such as using a custom kernel or unsigned custom distribution. And someone could've also turned it off for nefarious purposes too.

Taking all of this into consideration, should it be on the overview card? Maybe. Should it be shown in the health card as a warning in some circumstances? Also maybe. Is only having it in the details sub-page a good idea? I'm not sure. I do agree that this is rather prominent for something that shouldn't (and usually wouldn't) change, but I can understand why someone would want to know this information at a high level, especially when they have more than one system.

garrett avatar Apr 18 '24 09:04 garrett

Alternatively, we use bootctl to obtain secure boot info: https://github.com/systemd/systemd/issues/31856

jelly avatar Apr 29 '24 10:04 jelly