Clean up mentions of tboot

Summary:
Simplify the grub cookbook by removing the now unnecessary tboot related
stanzas; they haven't been in use since we moved off CentOS 7.

Differential Revision: D55189051

fbshipit-source-id: d866c6811505fd4ed47642e03beff27e69378333

cookbooks/fb_grub/README.md

@@ -16,8 +16,6 @@ Attributes
 * node['fb_grub']['serial']['word']
 * node['fb_grub']['serial']['parity']
 * node['fb_grub']['serial']['stop']
-* node['fb_grub']['tboot']['enable']
-* node['fb_grub']['tboot']['logging']
 * node['fb_grub']['terminal']
 * node['fb_grub']['version']
 * node['fb_grub']['use_labels']
@@ -75,21 +73,6 @@ may not exist so this behavior may be disabled by setting
 `force_both_efi_and_bios` to false. This default is mostly an artifact of
 Facebook history - you probably want to disable it.
 
-### tboot
-This cookbook optionally supports enabling tboot. This is only supported for
-GRUB 2 and is disabled by default. It can be controlled with the attribute
-`node['fb_grub']['tboot']['enable']`. If desired, tboot logging output can be
-controlled with `node['fb_grub']['tboot']['logging']` (defaults to `memory`).
-If `serial` output is requested, it will reuse `node['fb_grub']['serial']` for
-its settings.
-
-When tboot is enabled, two menu entries are created for each kernel: one with
-tboot as the MLE before launching the kernel, and one launching the kernel
-directly without tboot.
-
-NOTE: tboot is not compatible with Secure Boot enabled. Please see the RedHat
-bug report for more information: https://bugzilla.redhat.com/show_bug.cgi?id=1318667
-
 ### Boot Loader Specification support
 Set `node['fb_grub']['enable_bls']` to `true` to enable automatic parsing and
 menu entry generation from

cookbooks/fb_grub/attributes/default.rb

@@ -57,21 +57,6 @@
     'parity' => 'no',
     'stop' => 1,
   },
-  'tboot' => {
-    '_grub_modules' => [
-      'relocator.mod',
-      'multiboot2.mod',
-    ],
-    'enable' => false,
-    'kernel_extra_args' => [
-      'intel_iommu=on',
-      'noefi',
-    ],
-    'logging' => [
-      'memory',
-    ],
-    'tboot_extra_args' => [],
-  },
   'terminal' => [
     'console',
   ],

cookbooks/fb_grub/recipes/config.rb

@@ -111,21 +111,6 @@
   end
 end
 
-# grub2 cannot read / if it's compressed with zstd, so hack around it
-node['fb_grub']['tboot']['_grub_modules'].each do |mod_file|
-  remote_file "Copy #{mod_file} file for grub" do
-    only_if do
-      node['fb_grub']['tboot']['enable'] &&
-      !node['fb_grub']['_grub2_copy_path'].nil?
-    end
-    path "/boot/#{mod_file}"
-    source lazy { "file://#{node['fb_grub']['_grub2_copy_path']}/#{mod_file}" }
-    owner 'root'
-    group 'root'
-    mode '0644'
-  end
-end
-
 # cleanup configs for the grub major version that we're not using
 ['_grub_config_bios', '_grub_config_efi'].each do |tpl_name|
   file "cleanup #{tpl_name}" do

cookbooks/fb_grub/recipes/validate.rb

@@ -44,13 +44,6 @@
       end
 
       node.default['fb_grub']['_root_label'] = boot_label
-
-      # For tboot, we have to specify the full path to the modules.
-      # They are in /usr/lib/grub , so we need the label for the root disk
-      slash_label = node.filesystem_data['by_mountpoint']['/']['label']
-      if slash_label
-        node.default['fb_grub']['_module_label'] = slash_label
-      end
     elsif node['fb_grub']['use_uuids']
       if node['fb_grub']['version'] < 2
         fail 'fb_grub: Booting by label requires grub2.'
@@ -125,48 +118,6 @@
     elsif uuid && !uuid.empty?
       node.default['fb_grub']['rootfs_arg'] = "UUID=#{uuid}"
     end
-    # Set the correct grub module path for e.g. the tboot modules
-    if node.efi? && node['fb_grub']['version'] == 2 &&
-       node['fb_grub']['tboot']['enable']
-      if node['fb_grub']['_module_label']
-        module_path = "/usr/lib/grub/#{node['kernel']['machine']}-efi"
-      else
-        os_device = node.device_of_mount('/')
-        if os_device
-          m = os_device.match(/[0-9]+$/)
-          unless m
-            fail 'fb_grub: cannot parse the OS device!'
-          end
-        else
-          fail 'fb_grub: cannot find the OS device!'
-        end
-
-        # People can override the boot_disk if they have a good reason.
-        if node['fb_grub']['boot_disk']
-          boot_disk = node['fb_grub']['boot_disk']
-        elsif node['fb_grub']['root_device']
-          boot_disk = node['fb_grub']['root_device'].split(',')[0]
-        else
-          # This basically just happens if someone enables labels
-          # but doesn't override the boot_disk param and we don't use our new
-          # logic to figure out the boot disk
-          boot_disk = bootdisk_guess
-        end
-        os_part = "(#{boot_disk},#{m[0].to_i})"
-        module_path = "#{os_part}/usr/lib/grub/#{node['kernel']['machine']}-efi"
-      end
-      node.default['fb_grub']['_grub2_module_path'] = module_path
-
-      # So that we can use btrfs subvolumes and still insmod filesystems
-      if node.root_btrfs?
-        node.default['fb_grub']['_grub2_copy_path'] = node['fb_grub'][
-          '_grub2_module_path']
-        node.default['fb_grub']['_module_label'] = node['fb_grub'][
-          '_root_label']
-        node.default['fb_grub']['_grub2_module_path'] = node['fb_grub'][
-          'path_prefix']
-      end
-    end
     node.default['fb_grub']['_decided_boot_disk'] = boot_disk
   end
 end

cookbooks/fb_grub/resources/packages.rb

@@ -52,10 +52,6 @@
     fail "fb_grub: unsupported grub version: #{node['fb_grub']['version']}"
   end
 
-  if node['fb_grub']['tboot']['enable']
-    packages << 'tboot'
-  end
-
   package 'grub packages' do
     package_name packages
     action :upgrade

cookbooks/fb_grub/templates/default/grub2.cfg.erb

@@ -20,24 +20,6 @@
   terminal = node['fb_grub']['terminal'].join(' ')
   serial = node['fb_grub']['serial'].to_hash
 
-  kernel_extra_args = node['fb_grub']['tboot']['kernel_extra_args'].join(' ')
-
-  tboot_cmdline = "logging=#{node['fb_grub']['tboot']['logging'].join(',')}"
-  if node['fb_grub']['tboot']['logging'].include?('serial')
-    tboot_port = '0x3f8'  # I/O port for ttyS0
-    if serial['unit'] == '1'
-      tboot_port = '0x2f8'  # I/O port for ttyS1
-    end
-    tboot_parity = serial['parity'][0]
-    tboot_cmdline += " serial=#{serial['speed']}," +
-                     "#{serial['word']}#{tboot_parity}#{serial['stop']}," +
-                     tboot_port
-  end
-  unless node['fb_grub']['tboot']['tboot_extra_args'].empty?
-    tboot_cmdline +=
-      " #{node['fb_grub']['tboot']['tboot_extra_args'].join(' ')}"
-  end
-
   path_prefix = node['fb_grub']['path_prefix']
 
   users = node['fb_grub']['users'].to_hash
@@ -184,29 +166,6 @@ blscfg default
 # then the first menu entry below this line will be chosen to boot
 <% end %>
 <% node['fb_grub']['kernels'].to_hash.each do |kernel, data| -%>
-<%   if node['fb_grub']['tboot']['enable'] && !kernel.include?('rescue') -%>
-
-menuentry 'tboot <%= kernel %>' <%= restriction %>{
-  <%= root_line %>
-  <%   if node['fb_grub']['_module_label'] %>
-  search --set=module_root --label <%= node['fb_grub']['_module_label'] %>
-  <%     module_root = "($module_root)"
-       elsif node['fb_grub']['_module_uuid'] %>
-  search --set=module_root --fs-uuid <%= node['fb_grub']['_module_uuid'] %>
-  <%     module_root = "($module_root)"
-       else
-         module_root = ''
-       end -%>
-  <%   node['fb_grub']['tboot']['_grub_modules'].each do |mod| -%>
-  insmod <%= "#{module_root}#{node['fb_grub']['_grub2_module_path']}/#{mod}" %>
-  <%   end %>
-  multiboot2 /tboot.gz <%= tboot_cmdline %>
-  module2 <%= path_prefix %><%= data['path'] %> <%= kargs %> <%= kernel_extra_args %>
-<%     if data['initrd_path'] -%>
-  module2 <%= path_prefix %><%= data['initrd_path'] %>
-<%     end -%>
-}
-<%   end -%>
 
 menuentry '<%= kernel %>' <%= restriction %>{
   <%= root_line %>