bootloader: Add GrubCC bootloader

Johan-Liebert1 · Johan-Liebert1 · commit 55f54c875b99 · 2026-06-02T16:10:14.000+05:30
Add GrubCC (Grub ConfidentialClusters) as a new bootloader option. This is a minimal version of grub that's supposed to work exactly like systemd-boot Fixes: #2212 Signed-off-by: Johan-Liebert1 <pragyanpoudyal41999@gmail.com>
diff --git a/Dockerfile b/Dockerfile
@@ -59,6 +59,7 @@ COPY --from=target-base /target-rootfs/ /
 ARG SKIP_CONFIGS
 ARG boot_type
 ARG seal_state
+ARG bootloader
 # All network-fetching operations: package installs from distro repos, Copr, Koji.
 # Separated so `just build-fetch --target=fetch` can be retried independently on
 # transient network failures without re-running the configuration phase.
@@ -89,6 +90,20 @@ RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     if [[ ${#pkgs_to_install[@]} -gt 0 ]]; then
         dnf install -y "${pkgs_to_install[@]}"
     fi
+
+    if [[ "$bootloader" == "grub-cc" ]]; then
+        # We have this until we get grub-cc support in bootupd
+        arch=$(uname -m)
+        curl -L -o /var/grub-cc.rpm "https://kojipkgs.fedoraproject.org/packages/grub2/2.12/59.eln156/x86_64/grub2-efi-x64-cc-2.12-59.eln156.${arch}.rpm"
+        mkdir /var/grub-cc
+        rpm2archive /var/grub-cc.rpm | tar -xvz -C /var/grub-cc
+        file=$(find /var/grub-cc -name '*.efi')
+        mkdir /usr/lib/grub-cc
+        cp $file /usr/lib/grub-cc
+        rm -rvf /var/grub-cc
+        rm -rvf /var/grub-cc.rpm
+    fi
+
 EOF
 
 # Note we don't do any customization here yet
diff --git a/crates/lib/src/bootc_composefs/backwards_compat/bcompat_boot.rs b/crates/lib/src/bootc_composefs/backwards_compat/bcompat_boot.rs
@@ -384,7 +384,7 @@ pub(crate) async fn prepend_custom_prefix(
                 rename_exchange_user_cfg(&grub_dir)?;
             }
 
-            Bootloader::Systemd => {
+            Bootloader::Systemd | Bootloader::GrubCC => {
                 handle_bls_conf(storage, cfs_cmdline, boot_dir, true)?;
             }
 
diff --git a/crates/lib/src/bootc_composefs/boot.rs b/crates/lib/src/bootc_composefs/boot.rs
@@ -607,7 +607,7 @@ pub(crate) fn setup_composefs_bls_boot(
             )
         }
 
-        Bootloader::Systemd => {
+        Bootloader::Systemd | Bootloader::GrubCC => {
             let efi_mount = mount_esp(&esp_device).context("Mounting ESP")?;
 
             let mounted_efi = Utf8PathBuf::from(efi_mount.dir.path().as_str()?);
@@ -1169,7 +1169,9 @@ pub(crate) fn setup_composefs_uki_boot(
             write_grub_uki_menuentry(root_path, &setup_type, uki_info.boot_label, id, &esp_device)?
         }
 
-        Bootloader::Systemd => write_systemd_uki_config(&esp_mount.fd, &setup_type, uki_info, id)?,
+        Bootloader::Systemd | Bootloader::GrubCC => {
+            write_systemd_uki_config(&esp_mount.fd, &setup_type, uki_info, id)?
+        }
 
         Bootloader::None => unreachable!("Checked at install time"),
     };
@@ -1369,13 +1371,48 @@ pub(crate) async fn setup_composefs_boot(
             &root_setup.device_info.require_single_root()?,
             boot_uuid,
         )?;
-    } else if postfetch.detected_bootloader == Bootloader::Grub {
+    } else if matches!(
+        postfetch.detected_bootloader,
+        Bootloader::Grub | Bootloader::GrubCC
+    ) {
         crate::bootloader::install_via_bootupd(
             &root_setup.device_info,
             &root_setup.physical_root_path,
             &state.config_opts,
             None,
         )?;
+
+        // FIXME: Remove this hack once we have support in bootupd
+        if matches!(postfetch.detected_bootloader, Bootloader::GrubCC) {
+            root_setup
+                .physical_root
+                .remove_dir_all("boot/grub2")
+                .context("removing grub2")?;
+
+            let (os_id, ..) = parse_os_release(mounted_root.dir())?
+                .ok_or_else(|| anyhow::anyhow!("Failed to parse os-release"))?;
+
+            let dir = format!("EFI/{os_id}");
+
+            // Files are in EFI/<os-name>/
+            let efis_dir = mounted_root
+                .open_esp_dir()
+                .context("opening esp")?
+                .open_dir(&dir)
+                .with_context(|| format!("Opening {dir}"))?;
+
+            efis_dir
+                .remove_file_optional("bootuuid.cfg")
+                .context("Removing bootuuid.cfg")?;
+            efis_dir
+                .remove_file_optional("grub.cfg")
+                .context("Removing grub.cfg")?;
+
+            mounted_root
+                .dir()
+                .copy("usr/lib/grub-cc/grubx64-cc.efi", &efis_dir, "grubx64.efi")
+                .context("Copying grub-cc binary")?;
+        }
     } else {
         crate::bootloader::install_systemd_boot(
             &mounted_root,
diff --git a/crates/lib/src/bootc_composefs/delete.rs b/crates/lib/src/bootc_composefs/delete.rs
@@ -153,7 +153,7 @@ fn delete_depl_boot_entries(
             }
         },
 
-        Bootloader::Systemd => {
+        Bootloader::Systemd | Bootloader::GrubCC => {
             // For Systemd UKI as well, we use .conf files
             delete_type1_conf_file(deployment, boot_dir, deleting_staged)
         }
diff --git a/crates/lib/src/bootc_composefs/finalize.rs b/crates/lib/src/bootc_composefs/finalize.rs
@@ -140,7 +140,7 @@ pub(crate) async fn composefs_backend_finalize(
             BootType::Uki => finalize_staged_grub_uki(boot_dir)?,
         },
 
-        Bootloader::Systemd => {
+        Bootloader::Systemd | Bootloader::GrubCC => {
             let entries_dir = boot_dir.open_dir("loader")?;
             rename_exchange_bls_entries(&entries_dir)?;
         }
diff --git a/crates/lib/src/bootc_composefs/rollback.rs b/crates/lib/src/bootc_composefs/rollback.rs
@@ -234,7 +234,7 @@ pub(crate) async fn composefs_rollback(
             }
         },
 
-        Bootloader::Systemd => {
+        Bootloader::Systemd | Bootloader::GrubCC => {
             // We use BLS entries for systemd UKI as well
             rollback_composefs_entries(boot_dir, rollback_entry.bootloader.clone())?;
         }
diff --git a/crates/lib/src/bootc_composefs/status.rs b/crates/lib/src/bootc_composefs/status.rs
@@ -368,7 +368,7 @@ pub(crate) fn list_bootloader_entries(storage: &Storage) -> Result<Vec<Bootloade
             }
         }
 
-        Bootloader::Systemd => list_type1_entries(boot_dir)?,
+        Bootloader::Systemd | Bootloader::GrubCC => list_type1_entries(boot_dir)?,
 
         Bootloader::None => unreachable!("Checked at install time"),
     };
@@ -414,10 +414,14 @@ pub(crate) fn get_bootloader() -> Result<Bootloader> {
     let bootloader = match read_uefi_var(EFI_LOADER_INFO) {
         Ok(loader) => {
             if loader.to_lowercase().contains("systemd-boot") {
-                Bootloader::Systemd
-            } else {
-                Bootloader::Grub
+                return Ok(Bootloader::Systemd);
+            }
+
+            if loader.to_lowercase().contains("grub cc") {
+                return Ok(Bootloader::GrubCC);
             }
+
+            return Ok(Bootloader::Grub);
         }
 
         Err(efi_error) => match efi_error {
@@ -911,7 +915,7 @@ async fn composefs_deployment_status_from(
         },
 
         // We will have BLS stuff and the UKI stuff in the same DIR
-        Bootloader::Systemd => {
+        Bootloader::Systemd | Bootloader::GrubCC => {
             let bls_configs = get_sorted_type1_boot_entries(boot_dir, true)?;
             let bls_config = bls_configs
                 .first()
diff --git a/crates/lib/src/bootc_composefs/update.rs b/crates/lib/src/bootc_composefs/update.rs
@@ -184,7 +184,7 @@ pub(crate) fn validate_update(
             }
         },
 
-        Bootloader::Systemd => rm_staged_type1_ent(boot_dir)?,
+        Bootloader::Systemd | Bootloader::GrubCC => rm_staged_type1_ent(boot_dir)?,
 
         Bootloader::None => unreachable!("Checked at install time"),
     }
diff --git a/crates/lib/src/install.rs b/crates/lib/src/install.rs
@@ -1291,6 +1291,7 @@ pub(crate) fn exec_in_host_mountns(args: &[std::ffi::OsString]) -> Result<()> {
     Err(Command::new(cmd).args(args).arg0(bootc_utils::NAME).exec()).context("exec")?
 }
 
+#[derive(Debug)]
 pub(crate) struct RootSetup {
     #[cfg(feature = "install-to-disk")]
     luks_device: Option<String>,
@@ -1874,7 +1875,7 @@ async fn install_with_sysroot(
                     Some(&deployment_path.as_str()),
                 )?;
             }
-            Bootloader::Systemd => {
+            Bootloader::Systemd | Bootloader::GrubCC => {
                 anyhow::bail!("bootupd is required for ostree-based installs");
             }
             Bootloader::None => {
diff --git a/crates/lib/src/install/baseline.rs b/crates/lib/src/install/baseline.rs
@@ -55,7 +55,7 @@ fn use_discoverable_partitions(state: &State) -> bool {
     // systemd-boot always supports BLI
     matches!(
         state.config_opts.bootloader,
-        Some(crate::spec::Bootloader::Systemd)
+        Some(crate::spec::Bootloader::Systemd) | Some(crate::spec::Bootloader::GrubCC)
     )
 }
 
diff --git a/crates/lib/src/spec.rs b/crates/lib/src/spec.rs
@@ -237,6 +237,8 @@ pub enum Bootloader {
     /// Use Grub as the bootloader
     #[default]
     Grub,
+    /// Use Grub for confidential clusters as the bootloader
+    GrubCC,
     /// Use SystemdBoot as the bootloader
     Systemd,
     /// Don't use a bootloader managed by bootc
@@ -247,6 +249,7 @@ impl Display for Bootloader {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         let string = match self {
             Bootloader::Grub => "grub",
+            Bootloader::GrubCC => "grub-cc",
             Bootloader::Systemd => "systemd",
             Bootloader::None => "none",
         };
@@ -261,6 +264,7 @@ impl FromStr for Bootloader {
     fn from_str(value: &str) -> Result<Self> {
         match value {
             "grub" => Ok(Self::Grub),
+            "grub-cc" => Ok(Self::GrubCC),
             "systemd" => Ok(Self::Systemd),
             "none" => Ok(Self::None),
             unrecognized => Err(anyhow::anyhow!("Unrecognized bootloader: '{unrecognized}'")),
diff --git a/crates/lib/src/store/mod.rs b/crates/lib/src/store/mod.rs
@@ -92,6 +92,7 @@
 
 use std::cell::OnceCell;
 use std::ops::Deref;
+use std::os::fd::{AsFd, AsRawFd};
 use std::sync::Arc;
 
 use anyhow::{Context, Result};
@@ -335,7 +336,9 @@ impl BootedStorage {
                 let boot_dir = match get_bootloader()? {
                     Bootloader::Grub => physical_root.open_dir("boot").context("Opening boot")?,
                     // NOTE: Handle XBOOTLDR partitions here if and when we use it
-                    Bootloader::Systemd => esp_mount.fd.try_clone().context("Cloning fd")?,
+                    Bootloader::Systemd | Bootloader::GrubCC => {
+                        esp_mount.fd.try_clone().context("Cloning fd")?
+                    }
                     Bootloader::None => unreachable!("Checked at install time"),
                 };
 
@@ -526,7 +529,7 @@ impl Storage {
         // the actual binaries inside ESP/EFI/Linux
         let boot_dir = match get_bootloader()? {
             Bootloader::Grub => boot_dir.try_clone()?,
-            Bootloader::Systemd => {
+            Bootloader::Systemd | Bootloader::GrubCC => {
                 let boot_dir = boot_dir
                     .open_dir(EFI_LINUX)
                     .with_context(|| format!("Opening {EFI_LINUX}"))?;
diff --git a/crates/xtask/src/xtask.rs b/crates/xtask/src/xtask.rs
@@ -151,6 +151,8 @@ pub(crate) struct LocalRustDepsArgs {
 pub enum Bootloader {
     /// grub as bootloader
     Grub,
+    /// grub cc as bootloader
+    GrubCC,
     /// systemd-boot as bootloader
     Systemd,
 }
@@ -159,6 +161,7 @@ impl Display for Bootloader {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
             Bootloader::Grub => f.write_str("grub"),
+            Bootloader::GrubCC => f.write_str("grub-cc"),
             Bootloader::Systemd => f.write_str("systemd"),
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -384,7 +384,7 @@ pub(crate) async fn prepend_custom_prefix(`
`384`	`384`	`rename_exchange_user_cfg(&grub_dir)?;`
`385`	`385`	`}`
`386`	`386`
`387`		`- Bootloader::Systemd => {`
	`387`	`+ Bootloader::Systemd \| Bootloader::GrubCC => {`
`388`	`388`	`handle_bls_conf(storage, cfs_cmdline, boot_dir, true)?;`
`389`	`389`	`}`
`390`	`390`
Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ fn delete_depl_boot_entries(`
`153`	`153`	`}`
`154`	`154`	`},`
`155`	`155`
`156`		`- Bootloader::Systemd => {`
	`156`	`+ Bootloader::Systemd \| Bootloader::GrubCC => {`
`157`	`157`	`// For Systemd UKI as well, we use .conf files`
`158`	`158`	`delete_type1_conf_file(deployment, boot_dir, deleting_staged)`
`159`	`159`	`}`
Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,7 @@ pub(crate) async fn composefs_backend_finalize(`
`140`	`140`	`BootType::Uki => finalize_staged_grub_uki(boot_dir)?,`
`141`	`141`	`},`
`142`	`142`
`143`		`- Bootloader::Systemd => {`
	`143`	`+ Bootloader::Systemd \| Bootloader::GrubCC => {`
`144`	`144`	`let entries_dir = boot_dir.open_dir("loader")?;`
`145`	`145`	`rename_exchange_bls_entries(&entries_dir)?;`
`146`	`146`	`}`
Original file line number	Diff line number	Diff line change
`@@ -234,7 +234,7 @@ pub(crate) async fn composefs_rollback(`
`234`	`234`	`}`
`235`	`235`	`},`
`236`	`236`
`237`		`- Bootloader::Systemd => {`
	`237`	`+ Bootloader::Systemd \| Bootloader::GrubCC => {`
`238`	`238`	`// We use BLS entries for systemd UKI as well`
`239`	`239`	`rollback_composefs_entries(boot_dir, rollback_entry.bootloader.clone())?;`
`240`	`240`	`}`
Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,7 @@ pub(crate) fn validate_update(`
`184`	`184`	`}`
`185`	`185`	`},`
`186`	`186`
`187`		`- Bootloader::Systemd => rm_staged_type1_ent(boot_dir)?,`
	`187`	`+ Bootloader::Systemd \| Bootloader::GrubCC => rm_staged_type1_ent(boot_dir)?,`
`188`	`188`
`189`	`189`	`Bootloader::None => unreachable!("Checked at install time"),`
`190`	`190`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1291,6 +1291,7 @@ pub(crate) fn exec_in_host_mountns(args: &[std::ffi::OsString]) -> Result<()> {`
`1291`	`1291`	`Err(Command::new(cmd).args(args).arg0(bootc_utils::NAME).exec()).context("exec")?`
`1292`	`1292`	`}`
`1293`	`1293`
	`1294`	`+#[derive(Debug)]`
`1294`	`1295`	`pub(crate) struct RootSetup {`
`1295`	`1296`	`#[cfg(feature = "install-to-disk")]`
`1296`	`1297`	`luks_device: Option<String>,`
`@@ -1874,7 +1875,7 @@ async fn install_with_sysroot(`
`1874`	`1875`	`Some(&deployment_path.as_str()),`
`1875`	`1876`	`)?;`
`1876`	`1877`	`}`
`1877`		`- Bootloader::Systemd => {`
	`1878`	`+ Bootloader::Systemd \| Bootloader::GrubCC => {`
`1878`	`1879`	`anyhow::bail!("bootupd is required for ostree-based installs");`
`1879`	`1880`	`}`
`1880`	`1881`	`Bootloader::None => {`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ fn use_discoverable_partitions(state: &State) -> bool {`
`55`	`55`	`// systemd-boot always supports BLI`
`56`	`56`	`matches!(`
`57`	`57`	`state.config_opts.bootloader,`
`58`		`- Some(crate::spec::Bootloader::Systemd)`
	`58`	`+ Some(crate::spec::Bootloader::Systemd) \| Some(crate::spec::Bootloader::GrubCC)`
`59`	`59`	`)`
`60`	`60`	`}`
`61`	`61`