bootloaders/efi: add support for getting current bootname #1696

loblik · 2025-04-15T13:48:04Z

When booting Unified kernel image (UKI) with baked-in kernel command line, arguments passed from firmware boot entry are often ignored. This is also behavior of systemd stub, which ignores passed arguments if secure boot is active.

This patch extends EFI bootloader backend with function to get current bootname from UEFI variables, in case there is nothing on command line.

Tested on Jetson Orin with NVIDIA EDK2 port, and systemd stub and efibootmgr v18.

jluebbe · 2025-04-15T13:57:37Z

Could there be cases where the value BootCurrent is not correct?

jluebbe · 2025-04-15T13:59:17Z

Do you also use BootCurrent to select the corresponding Root-FS partition in the initramfs or do you have a different solution for that?

codecov · 2025-04-15T14:01:30Z

Codecov Report

Attention: Patch coverage is 87.87879% with 4 lines in your changes missing coverage. Please review.

Project coverage is 84.47%. Comparing base (dfd4773) to head (e850fb1).
Report is 13 commits behind head on master.

Files with missing lines	Patch %	Lines
src/bootloaders/efi.c	85.71%	4 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1696   +/-   ##
=======================================
  Coverage   84.47%   84.47%           
=======================================
  Files          76       76           
  Lines       22199    22228   +29     
=======================================
+ Hits        18752    18778   +26     
- Misses       3447     3450    +3

Flag	Coverage Δ
service=false	`80.94% <87.87%> (+0.01%)`	⬆️
service=true	`84.43% <87.87%> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

loblik · 2025-04-15T14:32:59Z

Could there be cases where the value BootCurrent is not correct?

I guess most UEFI ports go thru all active boot entries in BootOrder until they find something which boots. If that is an entry which is not not mentioned in system.conf, rauc will fail with this error. I believe this is the same thing, like booting an UEFI entry with no rauc.slot on command line.

Do you also use BootCurrent to select the corresponding Root-FS partition in the initramfs or do you have a different solution for that?

I use the same mechanism. I have rauc without dbus in ramdisk for recovery purposes. So I simply call rauc status --output-format=shell in ramdisk script to find root device.

Edit: #1669 seems a bit related.

jluebbe

Please also use src/bootloaders/efi: as the commit message prefix for consistency.

Looks good otherwise.

src/bootloaders/efi.c

jluebbe · 2025-04-16T08:59:24Z

You could also add a test for r_boot_get_current_bootname in bootchooser_efi in test/bootchooser.c to improve the test coverage of the new code.

When booting Unified kernel image (UKI) with baked-in kernel command line, arguments passed from firmware boot entry are often ignored. This is also behavior of systemd stub, which ignores passed arguments if secure boot is active. Signed-off-by: Pavel Löbl <pavel@loebl.cz>

Efiboomgr is not mocked currently. We cannot check the actual bootname. Signed-off-by: Pavel Löbl <pavel@loebl.cz>

hnez · 2025-04-16T12:03:57Z

Hi,

I think the feature makes sense and is something we want to have.

I justed wanted to tune in and share an alternative way of solving the question "which slot is currently running" on a EFI system with signed UKIs, because I have also implemented that very recently. Just in case someone stumbles over this pull request in search for an answer to that question.

I have used Multi-Profile UKIs to include two different command lines in one UKI.

Generating the profiles

$ ukify build --profile="TITLE=Boot system0" --cmdline="root=/dev/sda3 rauc.slot=system0" \
    --output=system0-profile.efi
$ ukify build --profile="TITLE=Boot system1" --cmdline="root=/dev/sda4 rauc.slot=system1" \
    --output=system1-profile.efi

Generating the signed UKI

$ ukify build \
    --initrd="…" --linux="…" --cmdline="" --output="uki.efi" \
    --signtool=systemd-sbsign --no-sign-kernel \
    --secureboot-private-key="key.pem" \
    --secureboot-certificate="cert.pem" \
    --join-profile=system0-profile.efi \
    --join-profile=system1-profile.efi

This means the (implicit) profile @0 will have an empty command line set, which likely makes it non-bootable.
This is deliberate, since we have no way of knowing which slot it corresponds to.

Adding boot entries

$ efibootmgr --create --disk "/dev/sda1" --part 1 --label "system0" \
    --loader "\\EFI\\LINUX\\UKI.EFI"  --unicode "@1"
$ efibootmgr --create --disk "/dev/sda2" --part 2 --label "system1" \
    --loader "\\EFI\\LINUX\\UKI.EFI"  --unicode "@2"

The --unicode @1 and --unicode @2 parameters configure the command line passed to the systemd-stub by the EFI firmware and are used to select the boot profile.

Being able to pass different command lines based on the active boot slot (while still making sure that only signed command lines may be used) can simplify the logic in the initramfs.

loblik force-pushed the efi_current_bootname branch from 91b7453 to e3f28c4 Compare April 15, 2025 14:45

jluebbe self-requested a review April 16, 2025 08:45

jluebbe added the enhancement Adds new functionality or enhanced handling to RAUC label Apr 16, 2025

jluebbe requested changes Apr 16, 2025

View reviewed changes

src/bootloaders/efi.c Outdated Show resolved Hide resolved

jluebbe assigned loblik Apr 16, 2025

loblik force-pushed the efi_current_bootname branch from e3f28c4 to c92340d Compare April 16, 2025 11:48

test/bootchooser: add basic test for r_boot_get_current_bootname

e850fb1

Efiboomgr is not mocked currently. We cannot check the actual bootname. Signed-off-by: Pavel Löbl <pavel@loebl.cz>

loblik force-pushed the efi_current_bootname branch from c92340d to e850fb1 Compare April 16, 2025 11:49

jluebbe approved these changes Apr 16, 2025

View reviewed changes

jluebbe merged commit 67f26c8 into rauc:master Apr 16, 2025
19 checks passed

jluebbe changed the title ~~bootloader: efi: add support for getting current bootname~~ bootloader/sefi: add support for getting current bootname Apr 16, 2025

jluebbe changed the title ~~bootloader/sefi: add support for getting current bootname~~ bootloaders/efi: add support for getting current bootname Apr 16, 2025

loblik deleted the efi_current_bootname branch April 16, 2025 22:06

jluebbe mentioned this pull request Apr 17, 2025

Support (re)creating UEFI boot entries #1701

Open

jluebbe mentioned this pull request May 15, 2025

prioritize bootloader backend over root= when detecting booted slot #1712

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bootloaders/efi: add support for getting current bootname #1696

bootloaders/efi: add support for getting current bootname #1696

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

bootloaders/efi: add support for getting current bootname #1696

bootloaders/efi: add support for getting current bootname #1696

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Generating the profiles

Generating the signed UKI

Adding boot entries

Uh oh!

Uh oh!

Uh oh!