CP-53030: bootloader: add RPU chainloader

Kevin Lampis · Kevin Lampis · commit 3726ead68238 · 2025-11-27T22:07:11.000Z
Doing RPU from a host with Secure Boot has extra challenges.

We can't do XS9 Shim -&gt; XS9 GRUB -&gt; XS10 Xen because
XS9 Shim can't verify XS10 Xen's signature.

We need to chainload XS10 Shim before loading any XS10 components.
XS9 Shim -&gt; XS9 GRUB -&gt; XS10 Shim -&gt; XS10 Xen -&gt; ...

After chainloading XS10 Shim the system will end up back in the same
GRUB menu so we also have a guard variable to ensure on first boot we
chainload the shim and on second been we proceed with the RPU.

Signed-off-by: Kevin Lampis &lt;kevin.lampis@citrix.com&gt;
diff --git a/tests/test_bootloader.py b/tests/test_bootloader.py
@@ -186,6 +186,38 @@ def test_arbitrary_contents(self):
 	xen_module vmlinuz b
 	xen_module initrd.img
 }
+''')
+
+    def test_chainloader(self):
+        e = MenuEntry(hypervisor='xen.efi', hypervisor_args='a',
+                      kernel='vmlinuz', kernel_args='b',
+                      initrd='initrd.img',
+                      title='menu_name')
+
+        e.contents.append("\textra data line 1")
+        e.entry_format = Grub2Format.XEN_BOOT
+        e.setRpuChainloader("/EFI/installer/shimx64.efi", "GUARD_VAR")
+
+        self.bl.append('menu_name', e)
+        self.bl.commit()
+
+        with open_with_codec_handling(self.fn, 'r') as f:
+            content = f.read()
+
+        self.assertEqual(content,
+'''menuentry 'menu_name' {
+	if [ "${GUARD_VAR}" = "1" ]; then
+		unset GUARD_VAR
+		save_env GUARD_VAR
+		search --file --set root /EFI/installer/shimx64.efi
+		chainloader /EFI/installer/shimx64.efi
+	else
+	extra data line 1
+	xen_hypervisor xen.efi a
+	xen_module vmlinuz b
+	xen_module initrd.img
+	fi
+}
 ''')
 
     def test_contents_not_clobbered(self):
diff --git a/xcp/bootloader.py b/xcp/bootloader.py
@@ -61,6 +61,12 @@ def __init__(self, hypervisor, hypervisor_args, kernel, kernel_args,
         self.title = title
         self.root = root
         self.entry_format = None  # type: Grub2Format | None
+        self.chainloader = None
+        self.guard_var = None
+
+    def setRpuChainloader(self, chainloader, guard_var):
+        self.chainloader = chainloader
+        self.guard_var = guard_var
 
     def getHypervisorArgs(self):
         return re.findall(r'\S[^ "]*(?:"[^"]*")?\S*', self.hypervisor_args)
@@ -318,6 +324,14 @@ def writeGrub2(self, dst_file = None):
             extra = m.extra if m.extra else ' '
             print("menuentry '%s'%s{" % (m.title, extra), file=fh)
 
+            if m.chainloader and m.guard_var:
+                print(f"\tif [ \"${{{m.guard_var}}}\" = \"1\" ]; then",  file=fh)
+                print(f"\t\tunset {m.guard_var}", file=fh)
+                print(f"\t\tsave_env {m.guard_var}", file=fh)
+                print(f"\t\tsearch --file --set root {m.chainloader}", file=fh)
+                print(f"\t\tchainloader {m.chainloader}", file=fh)
+                print("\telse", file=fh)
+
             try:
                 contents = "\n".join(m.contents)
                 if contents:
@@ -349,6 +363,9 @@ def writeGrub2(self, dst_file = None):
             else:
                 raise AssertionError("Unreachable")
 
+            if m.chainloader and m.guard_var:
+                print("\tfi", file=fh)
+
             print("}", file=fh)
         if not hasattr(dst_file, 'name'):
             fh.close()
