Verify loader version?

I'm preparing to perform an upgrade, and was checking that my mirrored boot disks have the correct and current loader for EFI.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258987 does not appear to be resolved, so I'm manually checking everything for the loaders.

Comparing /boot/loader and my two EFI partitions, I see that EFI may not have been updated during my last upgrade (13.2).

Code:
% find /boot/efi*  /boot/loader.efi -type f | xargs -n1 cksum | sort
101834236 909824 /boot/loader.efi
2411978603 892928 /boot/efi/efi/boot/bootx64.efi
2411978603 892928 /boot/efi/efi/freebsd/loader.efi
2411978603 892928 /boot/efi2/efi/boot/bootx64.efi
2411978603 892928 /boot/efi2/efi/freebsd/loader.efi

I tried to use strings to determine the version (ie: 13.1 or 13.2), but it doesn't say.

Code:
% strings /boot/loader.efi | egrep 'FreeBSD.*EFI'      
FreeBSD/amd64 EFI loader, Revision 1.1


% strings /boot/efi/efi/boot/bootx64.efi | egrep 'FreeBSD.*EFI'
DFreeBSD/amd64 EFI loader, Revision 1.1


% strings /boot/efi/efi/freebsd/loader.efi | egrep 'FreeBSD.*EFI'
DFreeBSD/amd64 EFI loader, Revision 1.1

How can I check which version is correct for 13.2?

I assume I'll have to update these by hand during my upgrade.
 
How can I check which version is correct for 13.2?
/boot/loader.efi is the up-to-date loader provided by your current FreeBSD release.

/boot/efi/efi/boot/bootx64.efi and /boot/efi/efi/freebsd/loader.efi are the loaders currently in use. Both files are identical; one of them is enough, but I think both are put there by the installer to maximise compatibility with various UEFI implementations.

Loaders in /boot/efi/ aren't updated automatically, so since you didn't update them yourself they're indeed outdated, which you noticed from the file sizes.

So either try Emrion's tool, or manually replace all of your four installed loaders by copies of /boot/loader.efi.
 
Loaders in /boot/efi/ aren't updated automatically, so since you didn't update them yourself they're indeed outdated, which you noticed from the file sizes.
That appears to be the case, I'll add that task to my upgrade list.

I'd still like to confirm which is newer.
 
A way that could work is to grab an install image for whatever versions you need, then get the md5sum of each.
Then get the md5sum of whatever you have installed on your system and compare.

Are there any strings in the image, something that would show up with either the "nm" or "strings" command? If the image is an ELF image, maybe the "readelf" command?
 
That only checks the md5sum of the loader vs EFI. I was asking how I could tell which version is correct or current.
I don't understand your point. The correct loader for a given system is: /boot/loader.efi.
The corresponding FreeBSD version, as far as I know, isn't written in this file.

When you upgrade, a new and up-to-date loader.efi takes place in /boot.
In your case, you see that your loaders aren't up-to-date because the size differs.
You have a clue because the size of your loaders is inferior to the one of /boot/loader.efi (and size increases at each new version for what I observed).
You can compare the file creation date as well.

That's the whole point of loaders-update: to check that for you and update what should be updated. It also verifies and reports if an efi partition isn't formatted, as per the bug you mentioned.
 
Code:
dice@chibacity:~ % strings /boot/loader.efi | grep "EFI loader"
FreeBSD/amd64 EFI loader, Revision 3.0
root@chibacity:~ # strings /boot/efi/efi/freebsd/loader.efi | grep "EFI loader"
FreeBSD/amd64 EFI loader, Revision 3.0
Although I'm not sure if that Revision is updated with every change.

Files are different though, so this isn't a good way to check for changes.
Code:
dice@chibacity:~ % sha256sum /boot/efi/efi/freebsd/loader.efi
3ee7f3169c9fdb9efe52f86f342e2e25fc2e8a1296af20bf8d75a5ba74bcf906  /boot/efi/efi/freebsd/loader.efi
dice@chibacity:~ % sha256sum /boot/loader.efi
9661db7fc35efee7a4979c799c8517b4f8bdb8312b7c7681c5e4874192f6829f  /boot/loader.efi
 
Well, I'd suggest just checking the hash (sha256sum/md5sum) and just replace it when they're different.
 
I tried using "freebsd-update IDS", and it doesn't flag /boot/loader.efi as a mismatch. I tried debug mode, but I couldn't confirm it was checking the file. I looked in /var/db/freebsd-update/ and grepped around, and found other loaders but not loader.efi.

I agree I can just check the sum, but I need to know what the sum should be for the version I'm at.
 
I tried using "freebsd-update IDS", and it doesn't flag /boot/loader.efi as a mismatch.
It shouldn't. /boot/loader.efi is part of the base OS install. You need to copy this file to the efi partition. The system doesn't boot by loading /boot/loader.efi, it also doesn't boot by loading /boot/gptboot or /boot/gptzfsboot (you need to install those with gpart bootcode ... in the freebsd-boot partition). You copy/install those files to the appropriate boot partition and you need to do this yourself because the upgrade process will not do this for you.

I agree I can just check the sum, but I need to know what the sum should be for the version I'm at.
/boot/loader.efi is the loader that's correct for your installed version. You compare this file with what's in /boot/efi/EFI/BOOT/BOOTx64.efi and/or /boot/efi/efi/freebsd/loader.efi (assuming the efi partition is mounted on /boot/efi)
 
It shouldn't. /boot/loader.efi is part of the base OS install.

I do understand that the EFI partition isn't tested by IDS. What I said is I couldn't confirm that base OS file /boot/loader.efi was checked by IDS, so that I could consider that file authentic (ie: matching my version).

In this thread, we have established that the EFI partition copies of the loader don't match what is in /boot, and that they need to be updated by hand unless I install another package to handle them. Now I'm just trying to confirm which is the correct version or latest version, based on the OS release I'm running.

IDS even in debug mode doesn't output the files it's checking, so I'm dropping down to INDEX files. There was no error for /boot/loader.efi, but also no sign it was tested.

Code:
% sha256sum /boot/loader.efi             
f5014eaf98f159e206961cce0ed5ec6df0abbfc406e7208039599dccac73681b  /boot/loader.efi

/var/db/freebsd-update
% grep -ri f5014eaf98f159e206961cce0ed5ec6df0abbfc406e7208039599dccac73681b .
./f465c3739385890c221dff1a05e578c6cae0d0430e46996d319db7439f884336-rollback/INDEX-NEW:/boot/loader.efi|f|0|0|0555|4000|f5014eaf98f159e206961cce0ed5ec6df0abbfc406e7208039599dccac73681b|
./f465c3739385890c221dff1a05e578c6cae0d0430e46996d319db7439f884336-rollback/INDEX-NEW:/boot/loader_lua.efi|f|0|0|0555|4000|f5014eaf98f159e206961cce0ed5ec6df0abbfc406e7208039599dccac73681b|/boot/loader.efi
./install.zK3STK/INDEX-NEW:/boot/loader.efi|f|0|0|0555|4000|f5014eaf98f159e206961cce0ed5ec6df0abbfc406e7208039599dccac73681b|
./install.zK3STK/INDEX-NEW:/boot/loader_lua.efi|f|0|0|0555|4000|f5014eaf98f159e206961cce0ed5ec6df0abbfc406e7208039599dccac73681b|/boot/loader.efi

Now I see some records matching the sha256 of my current boot loader, but I haven't a clue which version that's from.
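
An added example, not part of the original post and not code from freebsd-update: the two checks discussed so far, comparing the ESP copies against /boot/loader.efi and comparing a file against the digest recorded in an INDEX file. The function names are hypothetical and the INDEX field layout is an assumption inferred from the grep output above; the script does not tell you which release a given INDEX file belongs to.

```shell
#!/bin/sh
# Added example; not code from the thread or from freebsd-update.
# Assumed INDEX layout, inferred from the grep output in the post:
#   path|type|uid|gid|mode|flags|sha256|hardlink-target

# Print only the hex digest of FILE.
sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# Print the sha256 that INDEX records for regular file PATH (empty if absent).
index_hash() {
    awk -F'|' -v p="$2" '$1 == p && $2 == "f" { print $7; exit }' "$1"
}

# check_against_index INDEX PATH [FILE]: compare FILE (default PATH) with the
# digest recorded for PATH. Returns 0 = match, 1 = mismatch, 2 = not listed.
check_against_index() {
    want=$(index_hash "$1" "$2")
    if [ -z "$want" ]; then echo "NOT-LISTED $2"; return 2; fi
    have=$(sha256_of "${3:-$2}")
    if [ "$have" = "$want" ]; then echo "OK $2"; return 0; fi
    echo "MISMATCH $2 have=$have want=$want"
    return 1
}

# stale_copies REFERENCE COPY...: print every COPY whose digest differs.
stale_copies() {
    ref=$(sha256_of "$1"); shift
    for f in "$@"; do
        [ "$(sha256_of "$f")" = "$ref" ] || echo "$f"
    done
    return 0
}

# Constructed sample: a fake "loader", one stale and one current ESP copy,
# and a one-line INDEX in the assumed layout. Run with: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf 'new loader\n' > "$d/loader.efi"
    printf 'old loader\n' > "$d/bootx64.efi"
    cp "$d/loader.efi" "$d/esp-loader.efi"
    printf '/boot/loader.efi|f|0|0|0555|4000|%s|\n' \
        "$(sha256_of "$d/loader.efi")" > "$d/INDEX"
    check_against_index "$d/INDEX" /boot/loader.efi "$d/loader.efi"
    stale_copies "$d/loader.efi" "$d/bootx64.efi" "$d/esp-loader.efi"
    rm -rf "$d"
fi
```

On a real system the arguments would be an INDEX file under /var/db/freebsd-update and the loader paths from the first post.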
 
If devs change the source_date with each source code/revision change then it can be used to track different versions. It's currently set as:

# Arbitrarily set the PE/COFF header timestamps to 1 Jan 2024 00:00:00
# for build reproducibility.
SOURCE_DATE_EPOCH?=1704067200

By https://github.com/freebsd/freebsd-src/commit/1b9cfd6a625dc82611846cb9a53c1886f7af3758

It can be viewed using:

objdump -x loader.efi | grep Date


 
That sounds nice, except at this point it's more about checking a system file integrity than reading the specifics off the object file. I should be able to do this locally on the system without going out to Github.
I'll compare mine anyway!
 
Whoops, that doesn't work either!

Code:
% objdump -x /boot/loader.efi | grep Date             
Time/Date               Fri Jan  1 01:00:00 2016

% objdump -x /boot/efi/efi/boot/bootx64.efi | grep Date 
Time/Date               Fri Jan  1 01:00:00 2016

% objdump -x /boot/efi/efi/freebsd/loader.efi | grep Date
Time/Date               Fri Jan  1 01:00:00 2016
 
I guess you didn't read my reply as a whole:
I did. You're making the assumption that /boot/loader.efi was installed by the release. I have multiple boot environments. I could have messed up while mucking with the loaders. Maybe I updated then swapped backward to an earlier BE after I did a copy to EFI?

Asserting it's authentic because it's in the right place is not correct. That's why tools like "freebsd-update IDS" exist, to confirm the OS files match what was shipped.
 
I could have messed up while mucking with the loaders. Maybe I updated then swapped backward to an earlier BE after I did a copy to EFI?
/boot is part of the BE (it's a subdirectory of / after all). So unless you have some weird BE construction, /boot/loader.efi will match with the currently running BE.

Having a newer boot loader than your currently running version is not a problem. A 15-CURRENT loader.efi will not have a problem loading 14.x, 13.x or even older. If you want to be dead sure, boot the latest version BE and use its loader.efi. The boot loader is always backwards compatible.

Now, a 14.x boot loader might have a problem booting 15-CURRENT, but only if you also upgraded your ZFS boot pool to 15's ZFS version. If you did that you would not be able to boot a 14.x BE anymore anyway.
 
Can we take a step back and review how to confirm a base operating system file is current for the OS version and authentic?

Consider /boot/loader.efi. Without going and grepping in a db in /var, freebsd-update IDS should be checking this. However it doesn't give a file by file accounting, so I can't tell if /boot/loader.efi was checked.

What's the correct way to confirm this?
 