Implement A/B Update Mechanism Using efibootmgr for Sbnb Linux

Description

This enhancement proposes implementing an A/B update mechanism for Sbnb Linux, utilizing UEFI boot management via efibootmgr. The goal is to automate OS updates while ensuring a seamless, reboot-safe transition between versions.

Motivation

• Sbnb Linux is an immutable OS that runs in memory and resets to a clean state on reboot.
• To facilitate automated updates, we need a mechanism to deploy a new Unified Kernel Image without requiring manual intervention.
• Leveraging UEFI boot variables, we can maintain two kernel images (sbnb-a.efi & sbnb-b.efi) and switch between them reliably.

Proposed Solution

1. Implement A/B Boot Entries

• Store sbnb-a.efi and sbnb-b.efi on the ESP partition.
• Utilize efibootmgr to manage boot order and switch between active/inactive versions.
• Ensure the ESP partition is read-write to allow updates.

2. Update Process

• Deploy new updates in the background by writing the new .efi file to the inactive slot.
• Modify UEFI boot variables to select the updated image on next reboot.
• Revert to the last known good state if boot fails.

3. Reboot & Update Window

• Define a scheduled update window to ensure updates apply without disrupting workloads.
• Ensure integration with orchestration tools (Kubernetes, Kestra, etc.) for safe workload migration.

4. Security Considerations

• Investigate methods to cryptographically verify the boot binaries to prevent unauthorized modifications (Secure Boot, Measured boot).

Alternatives Considered

• Manual Image Deployment: Instead of OTA updates, notify users to download and boot a new OS image. However, this approach lacks automation.
• Live Patching (Ubuntu Live Patch Model): Could reduce reboot requirements but deviates from the immutable OS philosophy.

Next Steps

• Implement initial support for A/B boot switching via efibootmgr.
• Define failure recovery mechanisms in case an update results in a non-bootable system.
• Test coordinated reboots.