4/16/2023

Softraid secure boot

I spent some time yesterday building out a UEFI server that didn't have on-board hardware RAID for its system drives. In these situations, I always use Linux's md RAID1 for the root filesystem (and/or /boot). This worked well for BIOS booting since BIOS just transfers control blindly to the MBR of whatever disk it sees (modulo finding a "bootable partition" flag, etc, etc). This means that BIOS doesn't really care what's on the drive: it hands control over to the GRUB code in the MBR.

With UEFI, the boot firmware is actually examining the GPT partition table, looking for the partition marked with the "EFI System Partition" (ESP) type GUID. Then it looks for a FAT32 filesystem there, and does more things like looking at NVRAM boot entries, or just running the fallback EFI/BOOT/BOOTX64.EFI from that FAT32. The EFI binary is either GRUB itself, or Shim, which then loads GRUB.

So, if I want RAID1 for my root filesystem, that's fine (GRUB will read md, LVM, etc), but how do I handle /boot/efi (the UEFI ESP)? In everything I found answering this question, the answer was "oh, just manually make an ESP on each drive in your RAID and copy the files around, add a separate NVRAM entry (with efibootmgr) for each drive, and you're fine!" I did not like this one bit since it meant things could get out of sync between the copies, etc.

The current implementation of Linux's md RAID puts metadata at the front of a partition. This solves more problems than it creates, but it means the RAID isn't "invisible" to something that doesn't know about the metadata. In fact, mdadm warns about this pretty loudly:

    # mdadm --create /dev/md0 --level 1 --raid-disks 2 /dev/sda1 /dev/sdb1
    mdadm: Note: this array has metadata at the start and
        may not be suitable as a boot device.  If you plan to
        store '/boot' on this device please ensure that
        your boot-loader understands md/v1.x metadata, or use
        --metadata=0.90

With that default layout, the member partition identifies as RAID metadata rather than as a filesystem, which is exactly what the firmware would find at the start of the ESP:

    /dev/sda1: Linux Software RAID version 1.2 ...

Reading from the mdadm man page:

    -e, --metadata=
        1, 1.0, 1.1, 1.2 default
            It can easily be moved between hosts with different endian-ness,
            and a recovery operation can be checkpointed and restarted. The
            different sub-versions store the superblock at different locations
            on the device, either at the end (for 1.0), at the start (for 1.1)
            or 4K from the start (for 1.2). "1" is equivalent to "1.2" (the
            commonly preferred 1.x format).

So, instead, we'll use --metadata 1.0 to put the RAID metadata at the end:

    # mdadm --create /dev/md0 --level 1 --raid-disks 2 --metadata 1.0 /dev/sda1 /dev/sdb1

Now we have a visible FAT32 filesystem on the ESP: once a FAT32 filesystem is created on /dev/md0, byte 0 of each member partition is that filesystem's boot sector, and the md superblock sits in the last 8K where the firmware never looks. UEFI should be able to boot whatever disk hasn't failed, and grub-install will write to the RAID mounted at /boot/efi.

However, we're left with a new problem: on (at least) Debian and Ubuntu, grub-install attempts to run efibootmgr to record which disk UEFI should boot from. This fails, though, since it expects a single disk, not a RAID set. In fact, the disk lookup returns nothing, and grub-install ends up running efibootmgr with an empty -d argument:

    Installing for x86_64-efi platform.
    efibootmgr: option requires an argument -- 'd'
    grub-install: error: efibootmgr failed to register the boot entry: Operation not permitted.
    WARNING: Bootloader is not properly installed, system may not be bootable

Luckily my UEFI boots without NVRAM entries, and I can disable the NVRAM writing via the "Update NVRAM variables to automatically boot into Debian?" debconf prompt when running:

    # dpkg-reconfigure -p low grub-efi-amd64

So, now my system will boot with both or either drive present, and updates from Linux to /boot/efi are visible on all RAID members at boot-time. HOWEVER, there is one nasty risk with this setup: if UEFI writes anything to one of the drives (which this firmware did when it wrote out a "boot variable cache" file), it may lead to corrupted results once Linux mounts the RAID (since the member drives won't have identical block-level copies of the FAT32 any more). md has no checksum to tell it which member is "right": RAID1 reads are served from whichever in-sync member it picks, so the stale copy and the modified copy of a FAT block can both surface, and a later resync simply propagates one of them.

To deal with this "external write" situation, I see some solutions:

- Make the partition read-only when not under Linux.
- Build higher-level knowledge of the root-filesystem RAID configuration into the boot tooling, so that it keeps a collection of independent ESP filesystems manually synchronized instead of doing block-level RAID.
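The two points the post turns on, where the md superblock sits relative to the FAT32 boot sector and what a firmware write to a single member does to a block-level mirror, can be checked without touching a disk. The following is an added example, not code from the original post or from mdadm: it builds two small RAID1 member images in memory, probes the three v1.x superblock locations the way mdadm --examine does, reports whether a FAT32 boot sector is at byte 0 where UEFI looks for it, and then compares the members' data areas to find the divergence a firmware write leaves behind. The image size, the 1 MiB data offset assumed for 1.1/1.2 layouts, and the fake "boot variable cache" write are all constructed for illustration.

```python
"""Added example (not from the original post): inspect RAID1 ESP member images.

Shows why md metadata 1.0 leaves the FAT32 boot sector visible to UEFI while
1.2 does not, and checks that both members still agree byte-for-byte in the
data area, the invariant an "external write" by the firmware breaks.
Images, sizes and the fake firmware write are constructed; no real disk is read.
"""
import struct

MD_SB_MAGIC = 0xA92B4EFC   # md v1 superblock magic, little-endian on disk
SECTOR = 512
CHUNK = 4096               # granularity at which divergence is reported


def md_superblock_offset(dev_size, version):
    """Byte offset of a v1.x superblock on a member of dev_size bytes.
    The sub-version is not stored on disk; it only encodes this location:
    1.1 at the start, 1.2 4K from the start, 1.0 within the last 8K, 4K
    aligned (the same arithmetic mdadm uses: (sectors - 16) & ~7)."""
    if version == "1.1":
        return 0
    if version == "1.2":
        return 4096
    if version == "1.0":
        return ((dev_size // SECTOR - 16) & ~7) * SECTOR
    raise ValueError(f"unknown metadata version {version}")


def make_member(version, size=2 * 1024 * 1024):
    """Construct a member image: md superblock at the location for `version`,
    FAT32-style boot sector at the start of the data area.  With 1.0 the data
    area starts at byte 0; for 1.1/1.2 a 1 MiB data offset is assumed here
    (mdadm chooses the real value at --create time)."""
    img = bytearray(size)
    sb_off = md_superblock_offset(size, version)
    data_off = 0 if version == "1.0" else 1024 * 1024

    boot = bytearray(512)                 # minimal FAT32 boot sector
    boot[0:3] = b"\xEB\x58\x90"           # x86 jump, as mkfs.fat writes it
    boot[3:11] = b"mkfs.fat"              # OEM name
    boot[82:90] = b"FAT32   "             # filesystem type string
    boot[510:512] = b"\x55\xAA"           # boot sector signature
    img[data_off:data_off + 512] = boot

    sb = bytearray(256)                   # only the fields this example reads
    struct.pack_into("<II", sb, 0, MD_SB_MAGIC, 1)        # magic, major_version
    struct.pack_into("<I", sb, 72, 1)                     # level: RAID1
    struct.pack_into("<I", sb, 92, 2)                     # raid_disks
    struct.pack_into("<Q", sb, 128, data_off // SECTOR)   # data_offset (sectors)
    struct.pack_into("<Q", sb, 144, sb_off // SECTOR)     # super_offset (sectors)
    img[sb_off:sb_off + len(sb)] = sb
    return img


def find_md_superblock(img):
    """Probe the three v1.x locations, as mdadm --examine does.
    Returns (version, superblock_offset, data_offset) or None."""
    for version in ("1.1", "1.2", "1.0"):
        off = md_superblock_offset(len(img), version)
        magic, major = struct.unpack_from("<II", img, off)
        if magic == MD_SB_MAGIC and major == 1:
            data_off = struct.unpack_from("<Q", img, off + 128)[0] * SECTOR
            return version, off, data_off
    return None


def fat32_visible_to_firmware(img):
    """What UEFI checks: a FAT32 boot sector at byte 0 of the partition."""
    return (img[0] in (0xEB, 0xE9)
            and img[510:512] == b"\x55\xAA"
            and img[82:90] == b"FAT32   ")


def data_area(img):
    """(start, end) of the bytes the filesystem, and so the firmware, may
    touch.  The superblock is excluded: for 1.0 the area ends where it starts."""
    version, sb_off, data_off = find_md_superblock(img)
    end = sb_off if version == "1.0" else len(img)
    return data_off, end


def divergent_chunks(a, b):
    """Offsets of 4K chunks in the data area where the members disagree.
    Non-empty means the block-level mirror is inconsistent before assembly."""
    start, end = data_area(a)
    if data_area(b) != (start, end):
        raise ValueError("members have different metadata layouts")
    return [off for off in range(start, end, CHUNK)
            if a[off:off + CHUNK] != b[off:off + CHUNK]]


def simulate_firmware_write(img, payload=b"EFI/BOOT/BOOTVARCACHE", where=None):
    """Model a firmware writing a file to one member behind Linux's back.
    Payload and offset are made up; the point is that only one mirror changes."""
    if where is None:
        where = data_area(img)[0] + 64 * 1024
    out = bytearray(img)
    out[where:where + len(payload)] = payload
    return out


if __name__ == "__main__":
    for version in ("1.2", "1.0"):
        m = make_member(version)
        print(version, find_md_superblock(m),
              "FAT32 visible to UEFI:", fat32_visible_to_firmware(m))
    a, b = make_member("1.0"), make_member("1.0")
    print("members in sync:", divergent_chunks(a, b) == [])
    print("after a firmware write to one member, divergent chunks at:",
          divergent_chunks(simulate_firmware_write(a), b))
```

The same chunk comparison, run over the real member partitions while the array is stopped (before mdadm assembles it at boot), is the cheapest way to catch a firmware write to the ESP before md silently picks one copy; with metadata 1.0 the region to compare is everything up to the superblock offset.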