simplify building the qemu-secex artifacts

We shouldn't need to pass extra parameters around for qemu-secex
and should be able to just ask for that "platform" to be produced
from OSBuild without specifying more.

This commit removes a bunch of extra variables that get set and
passed around and also refactors the osbuild manifests to have
qemu-secex treated more like the other platforms that we have in
its own qemu-secex.ipp.yaml file.

This commit also introduces a symlink cmd-buildextend-qemu-secex
that points to cmd-buildextend-metal too (in addition to the existing
cmd-buildextend-secex symlink). Since `qemu-secex` is the ID that
is used in the meta.json I think we should try to stick with it
more.

Author: dustymabe

src/cmd-buildextend-metal

@@ -5,21 +5,14 @@ dn=$(dirname "$0")
 # shellcheck source=src/cmdlib.sh
 . "${dn}"/cmdlib.sh
 
-# IBM SecureExecution
-secure_execution=
-image_suffix=
-
 # This script is used for creating both the bare metal and the canonical VM
 # image (qemu). `buildextend-qemu` is a symlink to `buildextend-metal`.
 case "$(basename "$0")" in
     "cmd-buildextend-metal") image_type=metal;;
     "cmd-buildextend-metal4k") image_type=metal4k;;
     "cmd-buildextend-qemu") image_type=qemu;;
-    "cmd-buildextend-secex")
-        secure_execution=1
-        image_type=qemu
-        image_suffix=-secex
-        ;;
+    "cmd-buildextend-qemu-secex") image_type=qemu-secex;;
+    "cmd-buildextend-secex") image_type=qemu-secex;;
     *) fatal "called as unexpected name $0";;
 esac
 
@@ -112,9 +105,9 @@ trap 'rm -f ${build_semaphore}' EXIT
 
 # check if the image already exists in the meta.json
 if [ -z "${force}" ]; then
-    meta_img=$(meta_key "images.${image_type}${image_suffix}.path")
+    meta_img=$(meta_key "images.${image_type}.path")
     if [ "${meta_img}" != "None" ]; then
-        echo "${image_type}${image_suffix} image already exists:"
+        echo "${image_type} image already exists:"
         echo "$meta_img"
         exit 0
     fi
@@ -139,11 +132,11 @@ import_ostree_commit_for_build "${build}"
 image_json=${workdir}/tmp/image.json
 
 image_format=raw
-if [[ $image_type == qemu ]]; then
+if [[ "${image_type}" == "qemu" || "${image_type}" == "qemu-secex" ]]; then
     image_format=qcow2
 fi
 
-imgname=${name}-${build}-${image_type}${image_suffix}.${basearch}.${image_format}
+imgname=${name}-${build}-${image_type}.${basearch}.${image_format}
 imgpath=${PWD}/${imgname}
 
 # We do some extra handling of the rootfs here; it feeds into size estimation.
@@ -220,11 +213,6 @@ cat "${image_json}" "${image_dynamic_json}" | jq -s add > "${image_for_disk_json
 platforms_json="${tmp_builddir}/platforms.json"
 yaml2json "${configdir}/platforms.yaml" "${platforms_json}"
 
-osbuild_extra_args=()
-if [[ $secure_execution -eq "1" ]]; then
-    osbuild_extra_args+=("--secex" "1")
-fi
-
 # In the jenkins pipelines we build the qemu image first and that operation
 # will do a lot of the same work required for later artifacts (metal, metal4k, etc)
 # so we want the cached output from that run to persist. The later artifacts get
@@ -235,9 +223,9 @@ fi
 runvm_with_cache_snapshot "$snapshot" -- /usr/lib/coreos-assembler/runvm-osbuild                    \
             --config "${image_for_disk_json}"                                                       \
             --mpp "/usr/lib/coreos-assembler/osbuild-manifests/coreos.osbuild.${basearch}.mpp.yaml" \
-            --filepath "${imgpath}" "${osbuild_extra_args[@]}"
+            --filepath "${imgpath}"
 
-if [[ $secure_execution -eq "1" ]]; then
+if [[ "${image_type}" == "qemu-secex" ]]; then
     if [ ! -f "${genprotimgvm}" ]; then
         fatal "No genprotimgvm provided at ${genprotimgvm}"
     fi
@@ -283,7 +271,7 @@ sha256=$(sha256sum_str < "${imgpath}")
 cosa meta --workdir "${workdir}" --build "${build}" --dump | python3 -c "
 import sys, json
 j = json.load(sys.stdin)
-j['images']['${image_type}${image_suffix}'] = {
+j['images']['${image_type}'] = {
     'path': '${imgname}',
     'sha256': '${sha256}',
     'size': $(stat -c '%s' "${imgpath}")

src/cmd-buildextend-qemu-secex

@@ -0,0 +1 @@
+./cmd-buildextend-metal

src/osbuild-manifests/coreos.osbuild.s390x.mpp.yaml

@@ -17,8 +17,6 @@ mpp-vars:
   efi_system_size_mb: 127
   se_size_mb:   200
   boot_size_mb: 384
-  root_size_mb:
-    mpp-format-int: $rootfs_size_mb
   boot_verity_size_mb: 128
   root_verity_size_mb: 256
   sector_size: 512
@@ -46,8 +44,6 @@ mpp-vars:
   # the host buildroot is the default if nothing is specified.
   # We're still defining it here in an attempt to be explicit.
   qemu_stage_buildroot: ""
-  # IBM Secure Execution
-  qemu_secex: $qemu_secex
 mpp-define-images:
   - id: image
     sector_size:
@@ -83,40 +79,6 @@ mpp-define-images:
         - name: root
           type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
           partnum: 4
-  # Secure Execution image. It MUST contain same partitions as `image` plus 3 additional
-  - id: image_secex
-    sector_size:
-      mpp-format-int: "{sector_size}"
-    size:
-      mpp-format-string: "{metal_image_size_mb * 1024 * 1024}"
-    table:
-      uuid: 00000000-0000-4000-a000-000000000001
-      label: gpt
-      partitions:
-        - name: se
-          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-          partnum: 1
-          size:
-            mpp-format-int: "{se_size_mb * 1024 * 1024 / sector_size}"
-        - name: boot
-          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-          partnum: 3
-          size:
-            mpp-format-int: "{boot_size_mb * 1024 * 1024 / sector_size}"
-        - name: root
-          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
-          partnum: 4
-          size:
-            mpp-format-int: "{root_size_mb * 1024 * 1024 / sector_size}"
-        - name: boothash
-          partnum: 5
-          size:
-            mpp-format-int: "{boot_verity_size_mb * 1024 * 1024 / sector_size}"
-        - name: roothash
-          type: B325BFBE-C7BE-4AB8-8357-139E652D2F6B
-          partnum: 6
-          size:
-            mpp-format-int: "{root_verity_size_mb * 1024 * 1024 / sector_size}"
 pipelines:
   # If installing from container then let's pull the container file into a pipeline
   - name: oci-archive
@@ -196,13 +158,6 @@ pipelines:
               # filesystem by OSTree (boot -> .) that makes it so that /boot paths
               # will always work.
               bootprefix: true
-      # If on s390x with secex then mkdir for filesytem labeled `se`, where `sdboot` image gets stored
-      - mpp-if: qemu_secex != ''
-        then:
-          type: org.osbuild.mkdir
-          options:
-            paths:
-              - path: /se
       - type: org.osbuild.ignition
       # Deploy via OSTree repo if specified, otherwise ociarchive or container.
       - mpp-if: ostree_repo != ''
@@ -530,131 +485,9 @@ pipelines:
               source: mount
               deployment:
                 default: true
-  # IBM Secure Execution (secex) image has special layout
-  - name: raw-secex-image
-    build:
-      mpp-format-string: '{buildroot}'
-    stages:
-      - type: org.osbuild.truncate
-        options:
-          filename: disk.img
-          size:
-            mpp-format-string: '{image_secex.size}'
-      - type: org.osbuild.sfdisk
-        devices:
-          device:
-            type: org.osbuild.loopback
-            options:
-              filename: disk.img
-        options:
-          mpp-format-json: '{image_secex.layout}'
-      - type: org.osbuild.mkfs.ext4
-        devices:
-          device:
-            type: org.osbuild.loopback
-            options:
-              filename: disk.img
-              start:
-                mpp-format-int: '{image_secex.layout[''se''].start}'
-              size:
-                mpp-format-int: '{image_secex.layout[''se''].size}'
-              lock: true
-        options:
-          uuid: random
-          label:
-            mpp-format-string: '{sd_fs_label}'
-      - type: org.osbuild.mkfs.ext4
-        devices:
-          device:
-            type: org.osbuild.loopback
-            options:
-              filename: disk.img
-              start:
-                mpp-format-int: '{image_secex.layout[''boot''].start}'
-              size:
-                mpp-format-int: '{image_secex.layout[''boot''].size}'
-              lock: true
-        options:
-          uuid:
-            mpp-format-string: '{boot_fs_uuid}'
-          label:
-            mpp-format-string: '{boot_fs_label}'
-          # Set manually the metadata_csum_seed ext4 option otherwise changing the
-          # filesystem UUID while it's mounted doesn't work. Can remove this when
-          # metadata_csum_seed is default in RHEL, which can be checked by looking
-          # in /etc/mke2fs.conf.
-          metadata_csum_seed: true
-      - type: org.osbuild.mkfs.xfs
-        devices:
-          device:
-            type: org.osbuild.loopback
-            options:
-              filename: disk.img
-              start:
-                mpp-format-int: '{image_secex.layout[''root''].start}'
-              size:
-                mpp-format-int: '{image_secex.layout[''root''].size}'
-              lock: true
-        options:
-          uuid:
-            mpp-format-string: '{root_fs_uuid}'
-          label:
-            mpp-format-string: '{root_fs_label}'
-      - type: org.osbuild.copy
-        inputs:
-          tree:
-            type: org.osbuild.tree
-            origin: org.osbuild.pipeline
-            references:
-              - name:tree
-        options:
-          paths:
-            - from: input://tree/
-              to: mount://root/
-        devices:
-          disk:
-            type: org.osbuild.loopback
-            options:
-              filename: disk.img
-              partscan: true
-        mounts:
-          - name: root
-            type: org.osbuild.xfs
-            source: disk
-            partition:
-              mpp-format-int: '{image_secex.layout[''root''].partnum}'
-            target: /
-          - name: boot
-            type: org.osbuild.ext4
-            source: disk
-            partition:
-              mpp-format-int: '{image_secex.layout[''boot''].partnum}'
-            target: /boot
-      - type: org.osbuild.chattr
-        options:
-          items:
-            mount://root/:
-              immutable: true
-        devices:
-          disk:
-            type: org.osbuild.loopback
-            options:
-              filename: disk.img
-              partscan: true
-        mounts:
-          - name: root
-            type: org.osbuild.xfs
-            source: disk
-            partition:
-              mpp-format-int: '{image_secex.layout[''root''].partnum}'
-            target: /
-          - name: ostree.deployment
-            type: org.osbuild.ostree.deployment
-            options:
-              source: mount
-              deployment:
-                default: true
   - mpp-import-pipelines:
       path: platform.metal.ipp.yaml
   - mpp-import-pipelines:
       path: platform.qemu.ipp.yaml
+  - mpp-import-pipelines:
+      path: platform.qemu-secex.ipp.yaml