upgrade to 25.7 -> bootloader too old

[mnaim]

Im one of those who had problem to upgrade to 25.7 with microcode installed.
I have started to play with snapshots and microcode is not root cause.
After connecting monitor I saw:

******************************************************
**           BOOT LOADER IS TOO OLD. PLEASE UPGRADE.           **
******************************************************

Loading /boot/defaults/loader.conf
Loading /boot/defaults/loader.conf
Loading /boot/device.hints
Loading /boot/loader.conf
console vidconsole is invalid!
Available consoles:
    efi
    comconsole
    nullconsole
    spinconsole


And then freeze.

After running those commands upgrade went smoothly even with microcode installed (FOR OTHERS DO NOT COPY PASTE-DANGEROUS !!!)
gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 2 nda0
cp /boot/loader.efi /boot/efi/efi/boot/bootx64.efi
cp /boot/loader.efi /boot/efi/efi/freebsd/loader.efi

Any idea why this happens?
After 25.7 upgrade I re-run those commands, because loader.efi in efi partition was not updated to newest version.

[davidfi01]

I am having the same issues.  Opnsense is not booting.

[davidfi01]

To get up and running, on boot, I needed to boot to previous kernel.  Once up and running, I logged into opnsense and deleted the intel microcode update pluggin.  I then rebooted and the system came up in OPNsense 25.7-amd64 FreeBSD 14.3-RELEASE-p1.

It was a bit scary at first as I kept getting message that firmware needed to be updated.

[tessus]

How can I find out whether my FreeBSD was booted as EFI or BIOS? In Linux I just check for /sys/firmware/efi but no idea how to determine this in FreeBSD.

I also never switched to ZFS. I have been using UFS since I installed OPNsense in 2021 and only upgraded OPNsense since then.

[Patrick M. Hausen]

You cannot upgrade to ZFS. Switching from UFS to ZFS needs a complete reinstall. So you are probably still running UFS.

To determine how your system boots use

Code Select Expand

sysctl machdep.bootmethod
HTH,
Patrick

[tessus]

Perfect, thanks for the info. As you might have guessed I am not a FreeBSD person. ;-)

So, my system uses UEFI. But according to the posts in this topic it seems that the bootloader is not updated during an update.
I've updated my system since 2021 (thus 8 OPNsense versions) and the major upgrades never updated the bootloader? So I'm using a 4 year old bootloader?
One has to do this manually? All fine and good, but this was never mentioned anywhere nor how to do that. (If the system complains during an upgrade, it's too late, especially on a headless system.)

Is there any information about how to update the boot loader on an OPNsense system?

About ZFS: Yep, I know that ZFS would require a new install. That's not really the issue, since it's a breeze to restore a previous config. But I don't have ECC RAM in that miniPC and thus won't use ZFS. Additionally ZFS usually eats a lot of RAM. IMO ZFS has no advantage on a FW that basically runs from a single filesystem. I use ZFS on my Proxmox server and there it makes perfect sense.

[Patrick M. Hausen]

So, my system uses UEFI. But according to the posts in this topic it seems that the bootloader is not updated during an update.
I've updated my system since 2021 (thus 8 OPNsense versions) and the major upgrades never updated the bootloader? So I'm using a 4 year old bootloader?

Yes.

One has to do this manually?

Also yes, but definitely an upstream issue. There are just too many possible boot configuration/topologies to come up with a general solution. Just assuming a particular partition layout has a high probability of destroying your boot loader completely. So for now it's left as an exercise to the admin. I wonder if there is any progress being made in that direction. If yes, I will probably know in September (EuroBSDCon 2025).

Is there any information about how to update the boot loader on an OPNsense system?

FreeBSD handbook I guess. But then again probably nobody knows from the top of their heads how exactly OPNsense partitioned the disk back in 2021. So please post the output of

Code Select Expand

cat /etc/fstab
gpart show
and I will lead you through the process.

About ZFS: Yep, I know that ZFS would require a new install. That's not really the issue, since it's a breeze to restore a previous config. But I don't have ECC RAM in that miniPC and thus won't use ZFS. Additionally ZFS usually eats a lot of RAM. IMO ZFS has no advantage on a FW that basically runs from a single filesystem. I use ZFS on my Proxmox server and there it makes perfect sense.

Not having ECC being a problem aka the "scrub of death" is a myth that has been debunked countless times yet it seems to stick ;-)

https://jrs-s.net/2015/02/03/will-zfs-and-non-ecc-ram-kill-your-data/

Apart from that ZFS has a lot of advantages even for an appliance. Foremost resilience against power outages which have frequently lead to unbootable systems for some users on the forum with UFS. And of course snapshots and rollback. That's just awesome.

Kind regards,
Patrick

[Sinister Pisces]

Hello,

I'm tracking this as well, as my firewall refused to boot after I accidentally upgraded to 25.7 when trying to grab the EOL 25.1.12 release.
I've since rolled back, but I did notice the BOOTLOADER TOO OLD message in the serial console.

I've got the intel-microcode package installed.
I'm running on ZFS (which is how I was able to fix my broken system so quickly--thank god for snapshots).

OPNSense 27.1.12 reports:

Code Select Expand

# uname -a
FreeBSD Uhura.finchisland.net 14.2-RELEASE-p4 FreeBSD 14.2-RELEASE-p4 stable/25.1-n269832-6addeda7db20 SMP amd64

root@Uhura:~ # cat /etc/fstab
# Device             Mountpoint      FStype     Options         Dump    Pass#
/dev/gpt/efiboot0    /boot/efi       msdosfs     rw             2       2
/dev/nvd0p3          none            swap        sw             0       0

root@Uhura:~ # gpart show
=>        6  122096635  nda0  GPT  (466G)
          6      66560     1  efi  (260M)
      66566        128     2  freebsd-boot  (512K)
      66694        122        - free -  (488K)
      66816    2097152     3  freebsd-swap  (8.0G)
    2163968  119932672     4  freebsd-zfs  (458G)
  122096640          1        - free -  (4.0K)

@Patrick, I'd appreciate any advice on how to actually update the bootloader without a clean install.
Or, in the alternative, confirmation that I might as well just do a clean install. :P

[Patrick M. Hausen]

@Sinister Pisces - this applies to your partition layout and device names.
@tessus - if yours are identical, go ahead. If not, please post your fstab and partition table, too.

Update EFI boot loader - the partition is mounted, already, so that's easy.

Code Select Expand

mkdir -p /boot/efi/efi/boot /boot/efi/efi/freebsd
cp /boot/loader.efi /boot/efi/efi/boot/bootx64.efi
cp /boot/loader.efi /boot/efi/efi/freebsd/loader.efi

I prefer to not have the EFI partition mounted all the time - if you agree, change fstab

Code Select Expand

/dev/gpt/efiboot0    /boot/efi       msdosfs     rw             2       2

to

Code Select Expand

/dev/gpt/efiboot0    /boot/efi       msdosfs     rw,noauto             2       2

Update BIOS boot loader, too, just in case you might switch hardware and want to just transfer the installed drive(s).

Code Select Expand

gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 2 nda0

HTH,
Patrick

[tessus]

Hi Patrick,

Thanks a bunch for the reply and the explanation. I certainly understand that there are a lot of boot loader configs out there. But as we can figure out which is which, so can a bootloader upgrade script/binary. The only issue is when there is ambiguous output, in which case such an automated bootloader upgrade must be aborted.

However, I also don't have a problem doing it manually. In fact I am even more comfortable by doing such an upgrade manually. But this info should be readily available in an upgrade document. (e.g. for certain Linux distros there is a section in the OS upgrade document that reads "Update bootloader on BIOS/UEFI systems")
If the OPNsense team doesn't want to add this info (due to maintenance burden) to the docs, they could maybe add a link to how this is done for BIOS and UEFI systems. This would already help a lot. I really suck with FreeBSD, otherwise I would have already created a doc PR.

please post the output of

Code Select Expand

Code Select Expand

cat /etc/fstab
gpart show
and I will lead you through the process.

Awesome, thanks. Yep, mine looks a bit different. This operation is way too dangerous for me to deduce from something similar. ;-)
(If it was the same, ok.) Here's the info:

Code Select Expand

root@cator00r:~ # uname -a
FreeBSD cator00r.local 14.2-RELEASE-p4 FreeBSD 14.2-RELEASE-p4 stable/25.1-n269832-6addeda7db20 SMP amd64

root@cator00r:~ # cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/gpt/rootfs / ufs rw 1 1
/dev/gpt/swapfs none swap sw 0 0

root@cator00r:~ # gpart show
=>       40  234441568  ada0  GPT  (112G)
         40     409600     1  efi  (200M)
     409640       1024     2  freebsd-boot  (512K)
     410664  215567272     3  freebsd-ufs  (103G)
  215977936   16777216     4  freebsd-swap  (8.0G)
  232755152    1686456        - free -  (823M)

Not having ECC being a problem aka the "scrub of death" is a myth that has been debunked countless times yet it seems to stick ;-)

https://jrs-s.net/2015/02/03/will-zfs-and-non-ecc-ram-kill-your-data/

Apart from that ZFS has a lot of advantages even for an appliance. Foremost resilience against power outages which have frequently lead to unbootable systems for some users on the forum with UFS. And of course snapshots and rollback. That's just awesome.

Yep, there is also this disussion which is pretty interesting: ECC vs Non-ECC RAM for TrueNAS | TrueNAS Tech Talk (T3) E007

My current main reason was rather the RAM usage of ZFS. I know, I can tweak certain parameters and so on. But to be fair, my little miniPC only supports a 8GB chip max. Although you might be correct. For my current setup this should be more than enough. I certainly like ZFS' snapshot capability.
,
Well, I might do a reinstall at one point. Who knows? If something goes wrong with my 25.1 -> 25.7 upgrade, I will have to attach a monitor and keyboard anyway. In that case I can reinstall it with ZFS...

I also agree with your statement regarding power outages. Which is why I have multiple UPS. ;-)

[Slashing]

Hello! There is a small utility for checking the bootloader.

[Stormscape]

To be clear, does this need to be done if OPNsense is running on UFS, or is this a ZFS exclusive issue?

[tessus]

This has to be done either way. The bootloader has a few stages, so depending on BIOS/UEFI/filesystem/partition layout the boot loader process differs. This is why there are different instructions for how to update the bootloader. In traditional BIOS systems the bootloader was put in the MBR (master boot record) of the first disk. At one point some bootloaders became so big that they didn't fit in the MBR and thus required their own little partition.
In UEFI systems the bootloader is located on a partition that is specific to EFI. A disk for a UEFI bootloader also uses the GUID Partition Table (GPT), while the legacy BIOS systems use the MBR or a hybrid setup.
The filesystem of the operating system (and/or on additional disks) is a different story. It might also be interesting to know that the /boot filesystem can be in one of many formats these days.

To summarize: updating the bootloader has to be done (or better said "should be done") no matter the filesystem in use. Many OS distros suggest to update the bootloader on every major release.

[OPNenthu]

I prefer to not have the EFI partition mounted all the time [...]

Good tip.  Thanks Patrick!

[Patrick M. Hausen]

@tessus could you add

Code Select Expand

gpart show -l
please?