commit | 35fcf0397be02883ace364e650b3e8d9a2281e24 | |
---|---|---|
author | Lorenz Brun <lorenz@monogon.tech> | Thu Jun 29 04:15:58 2023 +0200 |
committer | Lorenz Brun <lorenz@monogon.tech> | Thu Jul 27 13:58:35 2023 +0000 |
tree | cb1297a2e4a34eeebb9faf09b44c3b95cf603f7f | |
parent | ad131883747f73e51526dd6f163df23b913f69ed | |
metropolis: implement A/B updates
This implements an A/B update mechanism using two slots, A and B. This is realized with two system partitions as well as two EFI loaders/kernels.
The A/B system relies on two EFI loader entries. This has the advantage that there is no preloader required, which makes the system more reliable as well as avoiding the complexity of having an un-updatable preloader (CoreOS has this issue where their GRUB2 crashed booting newer kernels, sadly the issue seems lost with the migration to Fedora CoreOS). It also means that the operator can easily override the slot being booted via the boot loader entries. Primary disadvantage is that it relies on EFI working somewhat to spec.
New versions are booted into only once by setting NextBoot, if the bootup doesn't succeed, i.e. if the boot doesn't get to a cluster rejoin the next boot will be the old slot. Once it gets to this stage the permanent BootOrder is changed.
The EFI loaders don't know if they are slot A or B because they are identical and relying on OptionalData in the boot entry to indicate the slot means that if the EFI boot entries go away, recovering is very hard. Thus the loaders look at their own file name to determine what slot they are in. If no slot could be determined, they default to booting slot A. It is planned to eventually use Authenticode Stamping (passing data in fake certificates) to stamp the slot into the loader without affecting the TPM hash logged.
Change-Id: I40de2df8ff7ff660c17d2c97f3d9eb1bd4ddf5bc
Reviewed-on: https://review.monogon.dev/c/monogon/+/1874
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
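The trial-boot behaviour described in the commit message, as an added Go model that is not code from this commit or from the Monogon repository. It assumes the message's "NextBoot" is the UEFI `BootNext` variable, which the firmware deletes before starting the entry it names; the `Firmware` type, its methods and `Simulate` are hypothetical names.

```go
package main

import "fmt"

// Slot names a system slot. Every name here is hypothetical: Firmware is a
// constructed model of the EFI boot variables, not Metropolis code.
type Slot string

const SlotA, SlotB Slot = "A", "B"

var other = map[Slot]Slot{SlotA: SlotB, SlotB: SlotA}

type Firmware struct {
	BootOrder []Slot // permanent order; the first entry boots by default
	BootNext  Slot   // one-shot override (the message's "NextBoot"); "" = unset
}

// Boot returns the slot that starts. A pending BootNext is consumed: the
// firmware clears it before launching the entry, so it applies only once.
func (f *Firmware) Boot() Slot {
	s := f.BootNext
	f.BootNext = ""
	if s == "" {
		s = f.BootOrder[0]
	}
	return s
}

// StageUpdate arms a single trial boot of the currently inactive slot.
func (f *Firmware) StageUpdate() { f.BootNext = other[f.BootOrder[0]] }

// Commit makes the running slot permanent; call only after cluster rejoin.
func (f *Firmware) Commit(running Slot) { f.BootOrder = []Slot{running, other[running]} }

// Simulate updates a node running slot A and returns the slot of the trial
// boot and of the boot after it; rejoined says whether the trial got to rejoin.
func Simulate(rejoined bool) (trial, following Slot) {
	f := &Firmware{BootOrder: []Slot{SlotA, SlotB}}
	f.StageUpdate()
	if trial = f.Boot(); rejoined {
		f.Commit(trial)
	}
	return trial, f.Boot()
}

func main() {
	fmt.Println(Simulate(true))  // trial reached rejoin: slot B is now permanent
	fmt.Println(Simulate(false)) // trial failed: the next boot is slot A again
}
```

Because the permanent order is only rewritten after a successful rejoin, a new image that hangs or crashes early needs nothing more than a reset to fall back to the old slot.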
This is the main repository containing the source code for the Monogon Platform.
This is pre-release software - take a look, and check back later!
Our build environment is self-contained and requires only minimal host dependencies:
/dev/kvm (if you want to run tests).
Our docs assume that Bazelisk is available as bazel on your PATH.
Refer to SETUP.md for detailed instructions.
Build CLI and node image:
bazel build //metropolis/cli/dbg //:launch -c dbg
Launch an ephemeral test node:
bazel test //:launch -c dbg --test_output=streamed
Run a kubectl command while the test is running:
bazel-bin/metropolis/cli/dbg/dbg_/dbg kubectl describe node
Run full test suite:
bazel test -c dbg //...