diff --git a/cookbooks/fb_grub/README.md b/cookbooks/fb_grub/README.md
index cf266d2f3..730a9c160 100644
--- a/cookbooks/fb_grub/README.md
+++ b/cookbooks/fb_grub/README.md
@@ -16,8 +16,6 @@ Attributes
 * node['fb_grub']['serial']['word']
 * node['fb_grub']['serial']['parity']
 * node['fb_grub']['serial']['stop']
-* node['fb_grub']['tboot']['enable']
-* node['fb_grub']['tboot']['logging']
 * node['fb_grub']['terminal']
 * node['fb_grub']['version']
 * node['fb_grub']['use_labels']
@@ -75,21 +73,6 @@ may not exist so this behavior may be disabled by setting `force_both_efi_and_bios` to false. This default is mostly an artifact of Facebook history - you probably want to disable it.
-### tboot
-This cookbook optionally supports enabling tboot. This is only supported for
-GRUB 2 and is disabled by default. It can be controlled with the attribute
-`node['fb_grub']['tboot']['enable']`. If desired, tboot logging output can be
-controlled with `node['fb_grub']['tboot']['logging']` (defaults to `memory`).
-If `serial` output is requested, it will reuse `node['fb_grub']['serial']` for
-its settings.
-
-When tboot is enabled, two menu entries are created for each kernel: one with
-tboot as the MLE before launching the kernel, and one launching the kernel
-directly without tboot.
-
-NOTE: tboot is not compatible with Secure Boot enabled. Please see the RedHat
-bug report for more information: https://bugzilla.redhat.com/show_bug.cgi?id=1318667
-
 ### Boot Loader Specification support
 Set `node['fb_grub']['enable_bls']` to `true` to enable automatic parsing and menu entry generation from
diff --git a/cookbooks/fb_grub/attributes/default.rb b/cookbooks/fb_grub/attributes/default.rb
index dd128de34..2483051ef 100644
--- a/cookbooks/fb_grub/attributes/default.rb
+++ b/cookbooks/fb_grub/attributes/default.rb
@@ -57,21 +57,6 @@
 'parity' => 'no',
 'stop' => 1,
 },
- 'tboot' => {
- '_grub_modules' => [
- 'relocator.mod',
- 'multiboot2.mod',
- ],
- 'enable' => false,
- 'kernel_extra_args' => [
- 'intel_iommu=on',
- 'noefi',
- ],
- 'logging' => [
- 'memory',
- ],
- 'tboot_extra_args' => [],
- },
 'terminal' => [
 'console',
 ],
diff --git a/cookbooks/fb_grub/recipes/config.rb b/cookbooks/fb_grub/recipes/config.rb
index fee58b876..4e36d0885 100644
--- a/cookbooks/fb_grub/recipes/config.rb
+++ b/cookbooks/fb_grub/recipes/config.rb
@@ -111,21 +111,6 @@
 end
 end
-# grub2 cannot read / if it's compressed with zstd, so hack around it
-node['fb_grub']['tboot']['_grub_modules'].each do |mod_file|
- remote_file "Copy #{mod_file} file for grub" do
- only_if do
- node['fb_grub']['tboot']['enable'] &&
- !node['fb_grub']['_grub2_copy_path'].nil?
- end
- path "/boot/#{mod_file}"
- source lazy { "file://#{node['fb_grub']['_grub2_copy_path']}/#{mod_file}" }
- owner 'root'
- group 'root'
- mode '0644'
- end
-end
-
 # cleanup configs for the grub major version that we're not using
 ['_grub_config_bios', '_grub_config_efi'].each do |tpl_name|
 file "cleanup #{tpl_name}" do
diff --git a/cookbooks/fb_grub/recipes/validate.rb b/cookbooks/fb_grub/recipes/validate.rb
index 599ca910b..03da62a4e 100644
--- a/cookbooks/fb_grub/recipes/validate.rb
+++ b/cookbooks/fb_grub/recipes/validate.rb
@@ -44,13 +44,6 @@
 end
 node.default['fb_grub']['_root_label'] = boot_label
-
- # For tboot, we have to specify the full path to the modules.
- # They are in /usr/lib/grub , so we need the label for the root disk
- slash_label = node.filesystem_data['by_mountpoint']['/']['label']
- if slash_label
- node.default['fb_grub']['_module_label'] = slash_label
- end
 elsif node['fb_grub']['use_uuids']
 if node['fb_grub']['version'] < 2
 fail 'fb_grub: Booting by label requires grub2.'
@@ -125,48 +118,6 @@
 elsif uuid && !uuid.empty?
 node.default['fb_grub']['rootfs_arg'] = "UUID=#{uuid}"
 end
- # Set the correct grub module path for e.g. the tboot modules
- if node.efi? && node['fb_grub']['version'] == 2 &&
- node['fb_grub']['tboot']['enable']
- if node['fb_grub']['_module_label']
- module_path = "/usr/lib/grub/#{node['kernel']['machine']}-efi"
- else
- os_device = node.device_of_mount('/')
- if os_device
- m = os_device.match(/[0-9]+$/)
- unless m
- fail 'fb_grub: cannot parse the OS device!'
- end
- else
- fail 'fb_grub: cannot find the OS device!'
- end
-
- # People can override the boot_disk if they have a good reason.
- if node['fb_grub']['boot_disk']
- boot_disk = node['fb_grub']['boot_disk']
- elsif node['fb_grub']['root_device']
- boot_disk = node['fb_grub']['root_device'].split(',')[0]
- else
- # This basically just happens if someone enables labels
- # but doesn't override the boot_disk param and we don't use our new
- # logic to figure out the boot disk
- boot_disk = bootdisk_guess
- end
- os_part = "(#{boot_disk},#{m[0].to_i})"
- module_path = "#{os_part}/usr/lib/grub/#{node['kernel']['machine']}-efi"
- end
- node.default['fb_grub']['_grub2_module_path'] = module_path
-
- # So that we can use btrfs subvolumes and still insmod filesystems
- if node.root_btrfs?
- node.default['fb_grub']['_grub2_copy_path'] = node['fb_grub'][
- '_grub2_module_path']
- node.default['fb_grub']['_module_label'] = node['fb_grub'][
- '_root_label']
- node.default['fb_grub']['_grub2_module_path'] = node['fb_grub'][
- 'path_prefix']
- end
- end
 node.default['fb_grub']['_decided_boot_disk'] = boot_disk
 end
 end
diff --git a/cookbooks/fb_grub/resources/packages.rb b/cookbooks/fb_grub/resources/packages.rb
index 0436ac4f6..1a873688d 100644
--- a/cookbooks/fb_grub/resources/packages.rb
+++ b/cookbooks/fb_grub/resources/packages.rb
@@ -52,10 +52,6 @@
 fail "fb_grub: unsupported grub version: #{node['fb_grub']['version']}"
 end
- if node['fb_grub']['tboot']['enable']
- packages << 'tboot'
- end
-
 package 'grub packages' do
 package_name packages
 action :upgrade
diff --git a/cookbooks/fb_grub/templates/default/grub2.cfg.erb b/cookbooks/fb_grub/templates/default/grub2.cfg.erb
index 52924d1d7..5cb5059d6 100644
--- a/cookbooks/fb_grub/templates/default/grub2.cfg.erb
+++ b/cookbooks/fb_grub/templates/default/grub2.cfg.erb
@@ -20,24 +20,6 @@
 terminal = node['fb_grub']['terminal'].join(' ')
 serial = node['fb_grub']['serial'].to_hash
- kernel_extra_args = node['fb_grub']['tboot']['kernel_extra_args'].join(' ')
-
- tboot_cmdline = "logging=#{node['fb_grub']['tboot']['logging'].join(',')}"
- if node['fb_grub']['tboot']['logging'].include?('serial')
- tboot_port = '0x3f8' # I/O port for ttyS0
- if serial['unit'] == '1'
- tboot_port = '0x2f8' # I/O port for ttyS1
- end
- tboot_parity = serial['parity'][0]
- tboot_cmdline += " serial=#{serial['speed']}," +
- "#{serial['word']}#{tboot_parity}#{serial['stop']}," +
- tboot_port
- end
- unless node['fb_grub']['tboot']['tboot_extra_args'].empty?
- tboot_cmdline +=
- " #{node['fb_grub']['tboot']['tboot_extra_args'].join(' ')}"
- end
-
 path_prefix = node['fb_grub']['path_prefix']
 users = node['fb_grub']['users'].to_hash
@@ -184,29 +166,6 @@ blscfg default # then the first menu entry below this line will be chosen to boot
 <% end %>
 <% node['fb_grub']['kernels'].to_hash.each do |kernel, data| -%>
-<% if node['fb_grub']['tboot']['enable'] && !kernel.include?('rescue') -%>
-
-menuentry 'tboot <%= kernel %>' <%= restriction %>{
- <%= root_line %>
- <% if node['fb_grub']['_module_label'] %>
- search --set=module_root --label <%= node['fb_grub']['_module_label'] %>
- <% module_root = "($module_root)"
- elsif node['fb_grub']['_module_uuid'] %>
- search --set=module_root --fs-uuid <%= node['fb_grub']['_module_uuid'] %>
- <% module_root = "($module_root)"
- else
- module_root = ''
- end -%>
- <% node['fb_grub']['tboot']['_grub_modules'].each do |mod| -%>
- insmod <%= "#{module_root}#{node['fb_grub']['_grub2_module_path']}/#{mod}" %>
- <% end %>
- multiboot2 /tboot.gz <%= tboot_cmdline %>
- module2 <%= path_prefix %><%= data['path'] %> <%= kargs %> <%= kernel_extra_args %>
-<% if data['initrd_path'] -%>
- module2 <%= path_prefix %><%= data['initrd_path'] %>
-<% end -%>
-}
-<% end -%>
 menuentry '<%= kernel %>' <%= restriction %>{
 <%= root_line %>