Multiple partition with same label on difference difference cause wrong boot

[Maxime Roussin-Bélanger]

Hello,

When efibootguard encounters the same label on multiple volumes, it might select the wrong volume to boot from.

To reproduce this issue, consider a device with two efibootguard-boot partition labels, BOOT0 and BOOT1. Additionally, a USB stick with a live image has the same efibootguard-boot labels. When we attempt to boot from the USB stick via the BIOS, efibootguard will load the EFI configuration from the USB stick but might boot from another volume with a matching label. The behavior appears somewhat random.

The function FileDevicePathFromConfig does not seem to verify whether the selected device actually owns the volume; it simply matches the label and proceeds to boot from that volume.

Is this a user configuration error, or does it indicate a bug in efibootguard?

Thanks,

Max

 

[Jan Kiszka]

On 27.11.24 21:20, Maxime Roussin-Bélanger wrote:
> Hello,
>
> When *efibootguard* encounters the same label on multiple volumes, it

> might select the wrong volume to boot from.
>

> To reproduce this issue, consider a device with two *efibootguard-boot*
> partition labels, |BOOT0| and |BOOT1|. Additionally, a USB stick with a
> live image has the same *efibootguard-boot* labels. When we attempt to
> boot from the USB stick via the BIOS, *efibootguard* will load the EFI

> configuration from the USB stick but might boot from another volume with
> a matching label. The behavior appears somewhat random.
>
> The function |FileDevicePathFromConfig| does not seem to verify whether
> the selected device actually owns the volume; it simply matches the
> label and proceeds to boot from that volume.
>
> Is this a user configuration error, or does it indicate a bug in

> *efibootguard*?

Well, it is an unexpected behavior of EBG, for sure, specifically
because it already prioritizes configs from the boot medium. We may have
to sort not only the config_volumes in filter_cfg_parts but rather the
actual entries in volumes itself. That should give labels on the boot
medium precedence.

OTOH, it is a user mistake for provide a second medium with identical
labeling. Actually, why do you use EBG on that live stick at all? Will
that stick be updated like a disk?

Jan

--
Siemens AG, Technology
Linux Expert Center

[MOESSBAUER, Felix]

On Mon, 2024-12-02 at 10:52 +0100, 'Jan Kiszka' via EFI Boot Guard
wrote:

Hi, IMHO this is a bug. We had the same one in the userspace parts,
which I fixed in [1].

>
> OTOH, it is a user mistake for provide a second medium with identical
> labeling. Actually, why do you use EBG on that live stick at all?

I don't think so. It is not a super-rare use-case to have multiple EBG
devices on a single system (back then it was in an MTDA test
environment where the DUT partitions are user-controlled and broke EBG
of the MTDA device).

[1]https://github.com/siemens/efibootguard/commit/ffbd35f76b7ae587211f999a8cbf4514b0ac4ed2

Best regards,
Felix

[Maxime Roussin-Bélanger]

Hi,

We primarily use that live stick for rescue purposes, and it shares the same base template:
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/a23133c5b481341bbfb510e0cbaa043cd34565c1/wic/ebg-sysparts.inc
This template is used for our live image and another image we install on the NVMe.

This approach ensures the boot process remains consistent, simplifying maintenance.
While we could use GRUB or another bootloader, we prefer keeping things simple by
maintaining almost identical configurations across our images.

Max.