Fixes #37345 - Improve "EFI local chainloading" on SecureBoot enabled hosts
Chainloading is not supported when SecureBoot is enabled [1].

Currently, this issue is addressed by changing the boot order during installation to boot from disk by default. But this disturbs the "always boot from network" workflow, which might result in broken attempts by the user to re-provision a host (see https://github.com/theforeman/foreman/pull/9123).

What we can do is to exit the network-booted GRUB2 with `exit 1`, resulting in the boot of the next boot device, which is probably the boot file from disk.

The use of efibootmgr_netboot is still possible (if desired). The proposed solution would also work when SecureBoot is disabled; however, to avoid side effects I propose to only boot the next device if SecureBoot is enabled (GRUB2 variable `lockdown=y` [2]).
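The approach described above, as an added example of a network-booted GRUB2 configuration fragment; it is not the PR's own template or Foreman's snippet. It checks the `lockdown` variable that GRUB2 sets to `y` under SecureBoot and hands control back to the firmware with `exit 1` so that the next device in BootOrder is tried. The fallback branch and the `/EFI/BOOT/BOOTX64.EFI` path are assumptions for illustration, not something the PR specifies.

```grub
# Added example (not the PR's or Foreman's own snippet).
# Network-booted GRUB2: decide how to hand off to the local disk.

if [ "${lockdown}" = "y" ]; then
    # SecureBoot is active: chainloading a disk bootloader from here is not
    # supported, so return to the firmware. The firmware then proceeds to the
    # next entry in its BootOrder, which is normally the local disk.
    echo "SecureBoot enabled (lockdown=y); exiting GRUB to boot next device."
    sleep 2
    exit 1
else
    # SecureBoot disabled: keep the existing chainload behaviour.
    # Assumed path of the local EFI boot file; adjust to the installed OS.
    search --no-floppy --file --set=root /EFI/BOOT/BOOTX64.EFI
    chainloader /EFI/BOOT/BOOTX64.EFI
    boot
fi
```

The `lockdown` check is what keeps the change scoped to SecureBoot hosts, as the description proposes: with SecureBoot off, the fragment behaves exactly as before, so the "always boot from network" workflow and the optional `efibootmgr_netboot` snippet are unaffected.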
Can one of the admins verify this patch?
@goarsna feedback on this?
> The use of efibootmgr_netboot is still possible (if desired).

To be clear: if we use this approach, we can enable efibootmgr_netboot by default (currently only if the efi_bootentry host param is set) to set the boot device after the installation back to network.
https://github.com/theforeman/foreman/blob/develop/app/views/unattended/provisioning_templates/snippet/efibootmgr_netboot.erb
But this needs to be tested first.
Any objections against merging this? Is there anything left to do, @jloeser?
@jloeser can you squash the commits? After that it should be all green and ready for merge
Thanks @jloeser @sbernhard