Bump edk2 to 202605, shim to 16.1, and refresh GRUB 2.12 against Fedora#4119
#4119: chewi wants to merge 6 commits into
Pull request overview
Updates Flatcar’s boot/firmware toolchain components (EDK2, shim, and GRUB patchset metadata) to newer upstream/Fedora baselines, with corresponding manifests and changelog entry.
Changes:
- Add EDK2 binary firmware package version 202605 (with new distfile entries) and accept-keyword it for amd64/arm64 in the overlay profile.
- Bump shim to 16.1, updating ebuilds and manifests; add a new shim-signed-16.1 ebuild and signed-asset manifests.
- Update GRUB environment metadata (FLATCAR_VERSION/SBAT line) and drop a GRUB patch file that's no longer carried.
Reviewed changes
Copilot reviewed 10 out of 12 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| sdk_container/src/third_party/portage-stable/sys-firmware/edk2-bin/Manifest | Add distfile hashes/sizes for edk2-bin 202605 QEMU targets. |
| sdk_container/src/third_party/portage-stable/sys-firmware/edk2-bin/edk2-bin-202605.ebuild | New ebuild for edk2-bin 202605 with per-QEMU-target binpkg unpack/install flow. |
| sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-16.1.ebuild | New shim 16.1 ebuild (EAPI 8) with updated build/install steps. |
| sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild | Remove prior shim 15.8-r3 ebuild. |
| sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest | Update shim distfile manifest to 16.1 tarball. |
| sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/shim-signed-16.1.ebuild | New ebuild to install pre-signed shim EFI binaries per arch. |
| sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/Manifest | Update signed shim EFI artifact manifests to 16.1. |
| sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords | Accept-keyword edk2-bin 202605 for amd64/arm64. |
| sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-boot/grub/grub-2.12-01-execute-return-code.patch | Remove a GRUB patch file previously carried in user-patches. |
| sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub | Bump Flatcar GRUB patchset version metadata and SBAT generation line. |
| changelog/updates/2026-06-23-boot-updates.md | Add user-facing changelog entry for grub/shim/edk2 updates. |
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This reverts one commit currently applied to Fedora 45 following upstream's recommendation.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
| newins - sbat.csv <<-EOF | ||
| sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md | ||
| grub,4,Free Software Foundation,grub,${PV},https://www.gnu.org/software/grub/ | ||
| grub,5,Free Software Foundation,grub,${PV},https://www.gnu.org/software/grub/ |
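Review bot: the grub SBAT generation goes from 4 to 5 in this heredoc without any accompanying explanation in the ebuild or the commit message; because this field is a revocation level rather than a package version, please record which Fedora SBAT entry it tracks (the discussion says Fedora is the source) and note explicitly that the `grub.flatcar` entry below is intentionally unchanged, so a future maintainer does not treat either value as a per-release counter.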
Is this something we should be bumping on every update? If so, it may be a good idea to split it away into a separate variable that is defined at the top of the file (just like FLATCAR_VERSION).
No, it's to do with fixed vulnerabilities, and there are strict rules around it. The short version is that we're copying what Fedora has.
Shouldn't grub.flatcar below then be bumped to 2? But I guess it is something for revocation of some boot parts, so maybe not.
This is how it works. I forget the details, but I think we only need to bump that if we introduce and then fix a vulnerability, either directly or through ingesting Red Hat's patches.
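As an added illustration of the generation semantics discussed in the comments above (example code, not Flatcar's or shim's own), this models the SBAT check a boot loader applies: a GRUB sbat.csv like the one generated in the ebuild is compared against a revocation list, and an entry fails only when its generation is below the revoked minimum for that component name. The grub.flatcar line, the placeholder vendor/version/date fields and the revocation lists are constructed assumptions.

```python
import csv
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sbat.csv in the shape the ebuild heredoc above produces, with ${PV}
# filled as "2.12". The grub.flatcar line is assumed (the page only names it);
# its vendor/version/URL fields are placeholders.
GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,5,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.flatcar,1,PLACEHOLDER_VENDOR,grub,PLACEHOLDER_VERSION,PLACEHOLDER_URL
"""
# The same file as an older build would carry it, before the bump to 5.
GRUB_SBAT_GEN4 = GRUB_SBAT.replace("grub,5,", "grub,4,")

# Constructed revocation lists in SbatLevel form: a header entry, then
# component,minimum-allowed-generation pairs. Dates are placeholders.
REVOKE_GRUB_BELOW_4 = "sbat,1,PLACEHOLDER_DATE\ngrub,4\n"
REVOKE_GRUB_BELOW_5 = "sbat,1,PLACEHOLDER_DATE\ngrub,5\n"
REVOKE_FLATCAR_BELOW_2 = "sbat,1,PLACEHOLDER_DATE\ngrub.flatcar,2\n"

def parse_sbat(text: str) -> List[Tuple[str, int]]:
    """(component, generation) pairs; only these two fields are enforced,
    the remaining fields are human-readable metadata."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip():
            continue
        entries.append((row[0].strip(), int(row[1])))
    return entries

def sbat_check(binary_sbat: str, revocations: str) -> Tuple[bool, List[str]]:
    """The rule shim applies: refuse the image if any entry names a revoked
    component with a generation below that component's minimum. Components
    the revocation list does not mention are never grounds for refusal."""
    minimums: Dict[str, int] = dict(parse_sbat(revocations))
    reasons = []
    for name, gen in parse_sbat(binary_sbat):
        minimum = minimums.get(name)
        if minimum is not None and gen < minimum:
            reasons.append(f"{name}: generation {gen} below minimum {minimum}")
    return (not reasons, reasons)

if __name__ == "__main__":
    for sbat, policy in [(GRUB_SBAT, REVOKE_GRUB_BELOW_4),
                         (GRUB_SBAT_GEN4, REVOKE_GRUB_BELOW_5),
                         (GRUB_SBAT, REVOKE_FLATCAR_BELOW_2)]:
        print(sbat_check(sbat, policy))
```

The third case shows why the reviewer's question matters: grub.flatcar only needs a bump if a revocation list will ever name it, which is the situation the comment above describes.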
For GRUB, I am targeting Fedora 45 rather than 44 now. They don't seem to consistently publish their changes for upstream, and the 44 branch hasn't changed since December.
I had to fix an issue affecting a couple of Kola tests with Secure Boot enabled. I have submitted the fix upstream. Instead of applying the above fix, I have reverted the change that caused it, as recommended by upstream. We don't need the change anyway.
How to use
See if it boots, particularly with Secure Boot enabled.
Testing done
I've manually tested my EDK2 builds for all the supported architectures on Gentoo. I've also manually tested the Flatcar Secure Boot builds. A Jenkins run has totally passed.