On Sat, Oct 26, 2024 at 11:23:39PM +0200, Thorsten Glaser wrote: > PARTUUID=104ec3d3-7bc6-4ce4-be38-166f672601ec /boot/efi vfat defaults 0 0 > > This ensures that, if the VM isn’t shut down cleanly just once, > it refuses to function at all. > > Please set the pass field to 2.
We'll need to install dosfstools in the images, too, for that to matter. While we're at it, we should ensure that we're mounting /boot/efi with more restrictive permissions, as there may be sensitive information in it. bootctl warns about the current permissions: ⚠ Mount point '/boot/efi' which backs the random seed file is world accessible, which is a security hole! ⚠ ⚠ Random seed file '/boot/efi/loader/random-seed' is world accessible, which is a security hole! ⚠ noah
