Timothée Ravier
Timothée Ravier
> The initrd notices the kernel arg "ostree=latest" and looks for the BLS file in /boot/loader with index=1 (i.e. most recent deploy, or index=2 if we're in fallback mode). How...
> But, who will be responsible for the boot part of the deployment, like generating bls files, putting initrds from the images in the right place, merging /etc, rollback, etc....
> You can't even look at the contents for any composefs image other than the one you booted (at least when using per-build keys). Isn't it possible to validate fs-verity...
+1 from me for this approach in general. Thanks for writing it up!
> The BLS files are created in /boot/loader.[01] that points to the deploy dir with the composefs file, and the /boot/loader symlink is atomically switched to new loader.[01] dir. This...
Posting here the result of several discussions that we've had recently: The major change is the need to move the ostree deployment hash out of the kernel command line as...
The design above could be combined with the suggestion from https://github.com/ostreedev/ostree/issues/2753#issuecomment-1488572499 and the use of composefs to verify the content of the deployment.
We need a way to choose which deployment to boot as we need to support rollbacks (rollback protection is another topic that we are not covering here and would be...
> Perhaps a strawman here is that specifying a bare ostree value on the kernel command line would mean "use the default". We could extend this to e.g. ostree_root=fedora-coreos to...
If we do a mapping `boot-entry-number` -> `deployment-hash` in the rootfs then that could work but that would be an additional indirection layer: - Read boot entry number from UKI...