-
Notifications
You must be signed in to change notification settings - Fork 49
ADRs
What is the status, such as proposed, accepted, rejected, deprecated, superseded, etc.?
What is the issue that we're seeing that is motivating this decision or change?
What is the change that we're proposing and/or doing?
What becomes easier or more difficult to do because of this change?
Merged
Secure-boot is currently not supported for squashfs recovery systems since our grub2 artifacts do not include the signed squashfs module.
We default to using squashfs when building raw disk images.
The following code paths deploy recovery systems:
- build-disk: Uses the recovery image to deploy bootloader and the recovery system. Uses CreateImageFromTree directly.
- build-iso: Brings it's own grub configuration, but uses the provided bootloader and extracts kernel+initrd to a boot/<arch>/loader/ directory. Uses a custom variety of DumpSource and directly calling utils.CreateSquashFS
- install: Deploys the system image and uses it as a snapshot source to deploy the recovery image. Uses DeployImage.
- upgrade-recovery: Uses DeployImage directly.
We will extract the kernel and initrd from the image to be able to directly boot the recovery system without loopback devices.
While doing this we will also refactor the mentioned commands to deploy the recovery image in the same way.
The same code is used to deploy the recovery system for build, install and upgrade commands.
The need for loopback devices when booting the recovery system is removed.
We will also be able to secure-boot our expandable disk images and use compression without affecting secure-boot status.