diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
new file mode 100644
index 000000000..b7c087648
--- /dev/null
+++ b/.github/workflows/mkosi.yml
@@ -0,0 +1,88 @@
+name: mkosi
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ boot:
+ runs-on: ${{ matrix.runner }}
+ concurrency:
+ group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.bootloader }}-${{ matrix.uki }}-${{ matrix.runner }}-${{ github.ref }}
+ cancel-in-progress: true
+ strategy:
+ fail-fast: false
+ matrix:
+ distro:
+ - fedora
+ - centos
+ - ubuntu
+ - debian
+ bootloader:
+ # Locally signed systemd-boot
+ - systemd-boot
+ # Distro signed grub2
+ - grub-signed
+ uki:
+ # BLS #1 boot, kernel + initrd
+ - none
+ # BLS #2 boot, locally built UKI (unsigned because it is not provided by the distro)
+ - unsigned
+ runner:
+ - ubuntu-24.04
+ - ubuntu-24.04-arm
+ include:
+ # Debian provides distro-signed systemd-boot
+ - distro: debian
+ bootloader: systemd-boot-signed
+ uki: unsigned
+ runner: ubuntu-24.04
+ - distro: debian
+ bootloader: systemd-boot-signed
+ uki: unsigned
+ runner: ubuntu-24.04-arm
+ exclude:
+ # The systemd-boot version in 24.04 fails to boot the arm64 compressed kernel
+ - distro: ubuntu
+ bootloader: systemd-boot
+ uki: none
+ runner: ubuntu-24.04-arm
+ # grub fails to load UKI with: error: ../../grub-core/script/function.c:119:can't find command `chainloader'
+ - distro: centos
+ bootloader: grub-signed
+ uki: unsigned
+ runner: ubuntu-24.04-arm
+ - distro: fedora
+ bootloader: grub-signed
+ uki: unsigned
+ runner: ubuntu-24.04-arm
+ # kernel is not signed
+ - distro: fedora
+ bootloader: grub-signed
+ uki: none
+ runner: ubuntu-24.04-arm
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ submodules: recursive
+ - uses: systemd/mkosi@7be5159f246d4b1283f62f8a0ab3f0ae90651e38
+
+ - name: Generate key
+ run: mkosi genkey
+
+ - name: Summary
+ run: mkosi summary
+
+ - name: Build tools tree
+ run: mkosi -f sandbox -- true
+
+ - name: Build image
+ run: mkosi sandbox -- mkosi --distribution ${{ matrix.distro }} --bootloader ${{ matrix.bootloader }} --unified-kernel-images ${{ matrix.uki }} --kernel-command-line=systemd.unit=mkosi-test.service -f build
+
+ - name: Run smoke tests
+ run: test "$(timeout -k 30 5m mkosi sandbox -- mkosi --firmware-variables mkosi/mkosi.output/ovmf_vars.fd --distribution ${{ matrix.distro }} --kernel-command-line-extra=systemd.unit=mkosi-test.service qemu 1>&2; echo $?)" -eq 123
diff --git a/.gitignore b/.gitignore
index d82966992..f29e6d6cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,3 +52,8 @@ shim_cert.h
 !/test-data/
 /test-random.h
 version.c
+/.mkosi-private/
+/mkosi/mkosi.builddir/
+/mkosi/mkosi.cache/
+/mkosi/mkosi.local.conf
+/mkosi/mkosi.output/
diff --git a/mkosi/mkosi.build.chroot b/mkosi/mkosi.build.chroot
new file mode 100755
index 000000000..3801d9c28
--- /dev/null
+++ b/mkosi/mkosi.build.chroot
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if [ "$ARCHITECTURE" = "x86-64" ]; then
+ EFI_ARCHITECTURE="x64"
+elif [ "$ARCHITECTURE" = "x86" ]; then
+ EFI_ARCHITECTURE="ia32"
+elif [ "$ARCHITECTURE" = "arm64" ]; then
+ EFI_ARCHITECTURE="aa64"
+else
+ EFI_ARCHITECTURE="$ARCHITECTURE"
+fi
+
+cd "$BUILDDIR"
+
+openssl x509 -inform PEM -in "$SRCDIR/mkosi/mkosi.conf.d/$DISTRIBUTION/certs/shim.crt" -outform DER -out shim.der
+
+export VENDOR_CERT_FILE=$PWD/shim.der
+export EFIDIR=$DISTRIBUTION
+export DEBUG=1
+
+make TOPDIR="$SRCDIR" -f "$SRCDIR/Makefile" -j1
+
+for b in shim fb mm; do
+ install -D "${b}${EFI_ARCHITECTURE}.efi" -t "$DESTDIR/usr/lib/shim/" -m 0755
+done
diff --git a/mkosi/mkosi.clean b/mkosi/mkosi.clean
new file mode 100755
index 000000000..be39a78e0
--- /dev/null
+++ b/mkosi/mkosi.clean
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm -f "$OUTPUTDIR/ovmf_vars.fd"
+rm -rf "$OUTPUTDIR/mok/"
diff --git a/mkosi/mkosi.conf b/mkosi/mkosi.conf
new file mode 100644
index 000000000..ebf5a3239
--- /dev/null
+++ b/mkosi/mkosi.conf
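Review bot: The workflow sets no `permissions:` key, so the GITHUB_TOKEN handed to every matrix job carries the repository's default scope although the steps only check out the tree and run mkosi. Adding `permissions:` followed by `  contents: read` at the top level of the workflow (below `name:`) limits the token to the read-only access these steps need. The `Build image` and `Run smoke tests` `run:` values are also long single-line commands; a `run: |` block scalar would let each option sit on its own line and keep the `-eq 123` exit-status check visible at the end.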
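Review bot: `set -e` without `-u` means an unset or empty `$BUILDDIR`, `$SRCDIR` or `$DESTDIR` does not stop the script: `cd "$BUILDDIR"` does not abort on an empty value, and `install -D ... -t "$DESTDIR/usr/lib/shim/"` would then write into `/usr/lib/shim/` of whatever environment it runs in. `set -eu` (or `set -euo pipefail`, matching the `-eux` used by mkosi-test.sh in this commit) turns those into immediate failures; the same applies to mkosi.finalize and mkosi.postoutput. The three-way `EFI_ARCHITECTURE` mapping is duplicated verbatim in mkosi.finalize, so a small helper sourced by both would keep the two from drifting when an architecture that mkosi.postoutput already knows about (arm, riscv64, loongarch64) is added.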
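Review bot: `rm -rf "$OUTPUTDIR/mok/"` removes `/mok/` on the host if `$OUTPUTDIR` is unset or empty, and `#!/bin/sh` with no `set -u` gives no protection against that. A guard such as `: "${OUTPUTDIR:?OUTPUTDIR is not set}"` after the shebang (or `set -eu`) makes the script refuse to run instead.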
@@ -0,0 +1,68 @@
+[Config]
+MinimumVersion=commit:7be5159f246d4b1283f62f8a0ab3f0ae90651e38
+
+[Output]
+RepartDirectories=mkosi.repart
+OutputDirectory=mkosi.output
+
+[Build]
+History=yes
+ToolsTree=default
+BuildDirectory=mkosi.builddir
+CacheDirectory=mkosi.cache
+Incremental=yes
+
+[Validation]
+SecureBoot=yes
+SecureBootAutoEnroll=no
+
+[Content]
+Bootable=yes
+ShimBootloader=unsigned
+
+# Default configuration is systemd-boot + UKI, can be overridden
+# on the command line or via mkosi/mkosi.local.conf
+Bootloader=systemd-boot-signed
+UnifiedKernelImages=unsigned
+
+SELinuxRelabel=no
+KernelInitrdModules=default
+KernelCommandLine=
+ systemd.show_status=0
+ systemd.log_ratelimit_kmsg=0
+ printk.devkmsg=on
+ rw
+ selinux=0
+ systemd.firstboot=no
+ oops=panic
+ panic=-1
+ softlockup_panic=1
+ panic_on_warn=1
+ mitigations=off
+
+Packages=
+ mokutil
+ openssl
+
+[Runtime]
+# TODO: remove command line from mkosi.yml and uncomment this when
+# https://github.com/systemd/mkosi/pull/3817 is fixed
+#FirmwareVariables=%O/ovmf_vars.fd
+Firmware=uefi-secure-boot
+Credentials=
+ journal.storage=persistent
+ tty.serial.hvc0.agetty.autologin=root
+ tty.serial.hvc0.login.noauth=yes
+ tty.console.agetty.autologin=root
+ tty.console.login.noauth=yes
+ tty.virtual.tty1.agetty.autologin=root
+ tty.virtual.tty1.login.noauth=yes
+RuntimeBuildSources=yes
+RuntimeScratch=no
+CPUs=2
+VSock=yes
+# TODO: tpmrm0 device doesn't show up in initrd on arm64
+TPM=no
+
+[Include]
+Include=mkosi-vm
diff --git a/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf b/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf
new file mode 100644
index 000000000..47bad1d28
--- /dev/null
+++ b/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf
@@ -0,0 +1,17 @@
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ dos2unix
+ efibootmgr
+ efivar
+ python-virt-firmware
+
+BuildPackages=
+ make
+ gcc
+ elfutils-libelf-devel
+ openssl-devel
+ pesign
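Review bot: The `mitigations=off` kernel argument and the `*.login.noauth=yes` / `*.agetty.autologin=root` credentials carry no comment saying why a secure-boot test image disables CPU mitigations and password-less root logins, unlike the surrounding TODO lines which do explain themselves. A line above `KernelCommandLine=` such as `# Test-VM only: fast boot and serial-console access for the smoke test, not a hardening baseline` tells a reader these are deliberate for the throwaway VM rather than an oversight. The commented-out `#FirmwareVariables=%O/ovmf_vars.fd` is also the only place recording that the `--firmware-variables` argument in mkosi.yml is a workaround; a matching one-line comment next to the `Run smoke tests` step would keep the two in step when the TODO is resolved.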
diff --git a/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/grub-arm64.conf b/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/grub-arm64.conf new file mode 100644 index 000000000..17b0400ee --- /dev/null +++ b/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/grub-arm64.conf @@ -0,0 +1,5 @@ +[Match] +Architecture=arm64 + +[Content] +Packages=grub2-efi-aa64 diff --git a/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/grub-x86-64.conf b/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/grub-x86-64.conf new file mode 100644 index 000000000..7cb4e4ace --- /dev/null +++ b/mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/grub-x86-64.conf @@ -0,0 +1,5 @@ +[Match] +Architecture=x86-64 + +[Content] +Packages=grub2-efi-x64 diff --git a/mkosi/mkosi.conf.d/centos/certs/shim.crt b/mkosi/mkosi.conf.d/centos/certs/shim.crt new file mode 100644 index 000000000..ff4e981ff --- /dev/null +++ b/mkosi/mkosi.conf.d/centos/certs/shim.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIJAIlReu6IOzL7MA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV +BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1 +cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTA4MTkzMloXDTM4MDExODA4MTkzMlow +RjEgMB4GA1UEAwwXQ2VudE9TIFNlY3VyZSBCb290IENBIDIxIjAgBgkqhkiG9w0B +CQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQChatbNaQDV0RTCqff1tl92xI6gu1k8jYufW8FyzZ6uDnxoGpBT0LiU +WKuGjMQ89JgiApFzDYSLWrZg8NbTnVdz0hny4SMyspe5weUk6IToKXvEejZNFn6i +vae2vfT0/ASKsgIvUcz4sWHMK43vbfv/pVpYGLgoG5aNUkt7VhkeURwJzR3ODgDp +aL4bQ/7qEo8ASHCEvQx6klG330Z06O0kjS6GK12cPC1t5ZlimVXCNWP1jf0pMWmh +aBrZjbyY0j8R7Yns3cEovAM230chsVdyFxSYpqCLzMlmWNxiIlvcAoDIRMWEa7Da +SSAfJWH+ygAzad1PHlnCB0zAFbLAMJH1AgMBAAGjUzBRMB0GA1UdDgQWBBRwAH+Z +IJwSa+FHdOrse22WMfNNyjAfBgNVHSMEGDAWgBRwAH+ZIJwSa+FHdOrse22WMfNN +yjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe5NcVSUd/POZs +Jkiep8ATNwXglLAeYxB55F42sXx5OOdKMBmhqWQIVJvaih/wsfKIBfdUGv2L9dH8 +IQgiU1PRYx0baSVJno3HcQTbCqLvnvckusR7IUTDAFj774MvXwS6yV6pXzxDmuh2 +t8hRktOKFeUtdlDYqg9X3Ia3GkoB5huyEbuaZTNcV4TAfU/yAERNIAgRs+fLQU70 +OgGlWsp35J8qPkZKabGf0surDa2xa6iAoFyknxruoKQ8uNSB9KB7/0JvVouNx90+ +ncykWW96GVKs8+H5WGza10FqrchtThSNCSXTtLbTXoK0Atdvu0o04XUbsCGMnlcG +zAVb3/m0 +-----END CERTIFICATE----- diff --git a/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf b/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf new file mode 100644 index 000000000..1b9b67041 --- /dev/null +++ b/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf @@ -0,0 +1,19 @@ +[Match] +Distribution=|debian +Distribution=|ubuntu + +[Content] +Packages= + dos2unix + efibootmgr + efitools + efivar + python3-virt-firmware + sbsigntool + +BuildPackages= + build-essential + gnu-efi + libefivar-dev + libelf-dev + pesign diff --git a/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf.d/grub-arm64.conf b/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf.d/grub-arm64.conf new file mode 100644 index 000000000..9f0bc9a23 --- /dev/null 
+++ b/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf.d/grub-arm64.conf @@ -0,0 +1,5 @@ +[Match] +Architecture=arm64 + +[Content] +Packages=grub-efi-arm64-signed diff --git a/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf.d/grub-x86-64.conf b/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf.d/grub-x86-64.conf new file mode 100644 index 000000000..ad9cfc09d --- /dev/null +++ b/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf.d/grub-x86-64.conf @@ -0,0 +1,5 @@ +[Match] +Architecture=x86-64 + +[Content] +Packages=grub-efi-amd64-signed diff --git a/mkosi/mkosi.conf.d/debian/certs/shim.crt b/mkosi/mkosi.conf.d/debian/certs/shim.crt new file mode 100644 index 000000000..315301e73 --- /dev/null +++ b/mkosi/mkosi.conf.d/debian/certs/shim.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIRAO1UodWvh0iUjZ+JMu6cfDQwDQYJKoZIhvcNAQELBQAw +IDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MDkx +OFoXDTQ2MDgwOTE4MDkxOFowIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290 +IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnZXUi5vaEKwuyoI3 +waTLSsMbQpPCeinTbt1kr4Cv6maiG2GcgwzFa7k1Jf/F++gpQ97OSz3GEk2x7yZD +lWjNBBH+wiSb3hTYhlHoOEO9sZoV5Qhr+FRQi7NLX/wU5DVQfAux4gOEqDZI5IDo +6p/6v8UYe17OHL4sgHhJNRXAIc/vZtWKlggrZi9IF7Hn7IKPB+bK4F9xJDlQCo7R +cihQpZ0h9ONhugkDZsjfTiY2CxUPYx8rr6vEKKJWZIWNplVBrjyIld3Qbdkp29jE +aLX89FeJaxTb4O/uQA1iH+pY1KPYugOmly7FaxOkkXemta0jp+sKSRRGfHbpnjK0 +ia9XeQIDAQABo4HSMIHPMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAoYlaHR0 +cHM6Ly9kc2EuZGViaWFuLm9yZy9zZWN1cmUtYm9vdC1jYTAfBgNVHSMEGDAWgBRs +zs5+TGwNH2FJ890n38xcu0GeoTAUBglghkgBhvhCAQEBAf8EBAMCAPcwEwYDVR0l +BAwwCgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8w +HQYDVR0OBBYEFGzOzn5MbA0fYUnz3SffzFy7QZ6hMA0GCSqGSIb3DQEBCwUAA4IB +AQB3lj5Hyc4Jz4uJzlntJg4mC7mtqSu9oeuIeQL/Md7+9WoH72ETEXAev5xOZmzh +YhKXAVdlR91Kxvf03qjxE2LMg1esPKaRFa9VJnJpLhTN3U2z0WAkLTJPGWwRXvKj +8qFfYg8wrq3xSGZkfTZEDQY0PS6vjp3DrcKR2Dfg7npfgjtnjgCKxKTfNRbCcitM +UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr +7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV +305gdrAGewiwbuNknyFWrTkP +-----END CERTIFICATE----- diff --git a/mkosi/mkosi.conf.d/fedora/certs/mok/redhat-test.crt b/mkosi/mkosi.conf.d/fedora/certs/mok/redhat-test.crt new file mode 100644 index 000000000..b82f6d057 --- /dev/null +++ b/mkosi/mkosi.conf.d/fedora/certs/mok/redhat-test.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELzCCAxegAwIBAgIJAPfZBdz9lpYhMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +BAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlk +Z2UxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xIzAhBgNVBAMTGlJlZCBIYXQgVGVz +dCBDZXJ0aWZ5aW5nIENBMB4XDTEyMDcwOTE5MTI0NFoXDTEzMDcwOTE5MTI0NFow +dDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcT +CUNhbWJyaWRnZTEWMBQGA1UEChMNUmVkIEhhdCwgSW5jLjEhMB8GA1UEAxMYUmVk +IEhhdCBUZXN0IENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAv4fxdSxUwFHTbIwWndOQUBkBgRy6r919MluiULYsHBMTcB6DVZPfeLre +4vIy2waxcpPiXBNn0y6gDlTb56yWvPR/MYdgnRdX0fBfBGQKFlIChkZWRiA+MZCW +PbQ4bZzn39CpvBnBIufhlQSxZ0leP32iBvJlCs8q5IuDJ1W79y6zgDqYl+89Dms3 +oju0Ys2juR8oUK/tHAKw+g0YPYGC0u24dwBmoBu2sV8rWTMy1hymxwIGYKIuxR6T +hPyC9hWCmXFkg9mATgns9iNIsZYqE6Hhkfg18mFCtH2NcDg83OseC5cvJ2DgKBh3 +VegwNVi/hZmkK6JucK7dNi/PScNqzwIDAQABo4HBMIG+MB0GA1UdDgQWBBQ1gM81 +12s7ZnpA32ZpHLz4c1OyPDAfBgNVHSMEGDAWgBQIoO9YAMsC+1h8ErQDJZx9TvFd +HDAPBgNVHQ8BAf8EBQMDB/+AMB8GA1UdJQQYMBYGCCsGAQUFBwMDBgorBgEEAYI3 +CgMBMAkGA1UdEwQCMAAwPwYJYIZIAYb4QgENBDIWMFRlc3RpbmcgQ2VydGlmaWNh +dGUgZm9yIFJlZCBIYXQgVGVzdCBDZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOC +AQEAfMGe9NTdhU7yqTTetnaMTSdTU4Fh82TAPvRFBTR0WA6o2Ph4Zdd95bcVwNZO +OvxEnfg3KX7mCS9mgqHI2BWg6Lkvb3cGNr4BgXxwT/Dz2QF+l5iTWeJPJrz6B1kR +2SvvhDCk8FO9IijcGN1xmjUoPnKe0DZTnPhmfnYp9+oDmmtukHA7Kt3RypwfioQx ++IahCIp9AeK+dJP29F8vxkzb5W7pufR6lftkBXjeDe/MekeBv8rBhW1A3xcZgMVU +vxJ/NLEdYAxTXqjotpOESSxdAZrZGuAZ3OnKMGj+q6tlvRQsZ0qET7OewdQtbvNb +5IJty5/t7Mu4A3T9DDwygv354g== +-----END CERTIFICATE----- diff --git a/mkosi/mkosi.conf.d/fedora/certs/shim.crt b/mkosi/mkosi.conf.d/fedora/certs/shim.crt new file mode 100644 index 000000000..ff9960370 --- /dev/null +++ b/mkosi/mkosi.conf.d/fedora/certs/shim.crt 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEWzCCA0OgAwIBAgIQIjmvBBMMRESz83ftvhr3hjANBgkqhkiG9w0BAQsFADCB +jTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcT +CUNhbWJyaWRnZTEWMBQGA1UEChMNUmVkIEhhdCwgSW5jLjEnMCUGA1UECxMeRmVk +b3JhIFNlY3VyZSBCb290IENBIDIwMjAwNzA5MREwDwYDVQQDEwhmZWRvcmFjYTAe +Fw0yMDA3MTMxNzMxMTZaFw0zNzAxMTkwMzE0MDdaMIGNMQswCQYDVQQGEwJVUzEW +MBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMRYwFAYD +VQQKEw1SZWQgSGF0LCBJbmMuMScwJQYDVQQLEx5GZWRvcmEgU2VjdXJlIEJvb3Qg +Q0EgMjAyMDA3MDkxETAPBgNVBAMTCGZlZG9yYWNhMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAq8RBrct6UIlmZfAJ3tuRK7fhex5LKMUpMaXbFVRE3/XI +srYPjxiQKtJ1thweVxvCbI2IW1VJDBmX3EbJxca6jXA4h92czXkr6XS0h8zgbbc6 +jl1Y/lNwXcqRo1KNL6wiDl2KDnX7Ub705MupRS+iBhtkl5DN1g+hY76FTfN5yQnm +xFBq4unk8qYG3pF7cVQrl1fKbTIwBXsw22+M5JUuDNGor/buO5oI1mRklIFt8q50 +89ADgl5K84/JBcUdmc5DjdGbX8+OGF3r4LYSHmje6y0KhZZnS1ZImprkQO714HJ3 +a9dyQs1/nn0K5jX1DzhP0UD1ZqM0TF6FO/DYgyKNtQIDAQABo4G0MIGxME4GCCsG +AQUFBwEBBEIwQDA+BggrBgEFBQcwAoYyaHR0cHM6Ly9mZWRvcmFwcm9qZWN0Lm9y +Zy93aWtpL0ZlYXR1cmVzL1NlY3VyZUJvb3QwHwYDVR0jBBgwFoAUsoDHrmuITg9N +Kg2HJMJer2xlwyYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYD +VR0OBBYEFLKAx65riE4PTSoNhyTCXq9sZcMmMA0GCSqGSIb3DQEBCwUAA4IBAQBq +6hHXlrN/76q4P93HdMlc5xT1c13EtCK38YLS/z1LVaDbwjpc2BYlAi9kNrlhB/V9 +vQDQwMGtckicgsdal0dSYfw6ip+S4BGn/Ykw4PdyQtnie0FhF7PnaYB4Hju7d1Lr +xk6AsbQttmaiwIRZ4eu/sSEqGuFzCnRimEhuRM6A+uJbZ4U5hmFua0EfMBXEUk1q +1yt/DY2sjKTqFcB5o+HBOT46cNO8v9GBlXArdcN8vOLxaXZRys3JYIa8xS0ljUOB +JAw+t853cq0Ig9gxD+NZHe3TKWHo18Kdqd3PT1thBR9nvG7uwFDThYDeaZmkYDOQ +QH0B7YJMk/PLH91foJzD +-----END CERTIFICATE----- diff --git a/mkosi/mkosi.conf.d/fedora/mkosi.conf b/mkosi/mkosi.conf.d/fedora/mkosi.conf new file mode 100644 index 000000000..089f3ed42 --- /dev/null +++ b/mkosi/mkosi.conf.d/fedora/mkosi.conf @@ -0,0 +1,6 @@ +[Match] +Distribution=fedora + +[Content] +Packages= + sbsigntools 
diff --git a/mkosi/mkosi.conf.d/ubuntu/certs/shim.crt b/mkosi/mkosi.conf.d/ubuntu/certs/shim.crt new file mode 100644 index 000000000..55c06d582 --- /dev/null +++ b/mkosi/mkosi.conf.d/ubuntu/certs/shim.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD +VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx +FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk +LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX +DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m +IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x +NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo +b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h +7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7 +v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO ++ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr +yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk +YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO +BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj +MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB +Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu +b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB +CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd +B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH +WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx +U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd +7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p +9JkU284DDgtmxBxtvbgnd8FClL38agq8 +-----END CERTIFICATE----- diff --git a/mkosi/mkosi.conf.d/ubuntu/mkosi.conf b/mkosi/mkosi.conf.d/ubuntu/mkosi.conf new file mode 100644 index 000000000..5ba6c9ff5 --- /dev/null +++ b/mkosi/mkosi.conf.d/ubuntu/mkosi.conf 
@@ -0,0 +1,5 @@
+[Match]
+Distribution=ubuntu
+
+[Distribution]
+Repositories=universe
diff --git a/mkosi/mkosi.extra/usr/bin/mkosi-test.sh b/mkosi/mkosi.extra/usr/bin/mkosi-test.sh
new file mode 100755
index 000000000..06e1e655c
--- /dev/null
+++ b/mkosi/mkosi.extra/usr/bin/mkosi-test.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -eux
+
+# Ensure secure boot is enabled and not in setup mode
+cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+
+# Check that we didn't accidentally install the microsoft-signed distro shim instead of the local one
+if [ -d /boot/EFI ] && command -v sbverify >/dev/null 2>&1; then
+ sbverify --list /boot/EFI/BOOT/BOOT*.EFI | grep -q mkosi
+ sbverify --list /boot/EFI/BOOT/mm*.efi | grep -q mkosi
+ sbverify --list /boot/EFI/BOOT/grub* | grep -v -q mkosi
+fi
+
+# Verify mok-signed UKI addon was loaded correctly
+if SYSTEMD_UTF8=0 bootctl status | grep -q "+ Pick up .cmdline from addons"; then
+ grep -q foobarbaz /proc/cmdline
+fi
diff --git a/mkosi/mkosi.extra/usr/lib/systemd/system/mkosi-test.service b/mkosi/mkosi.extra/usr/lib/systemd/system/mkosi-test.service
new file mode 100644
index 000000000..f7ee0e666
--- /dev/null
+++ b/mkosi/mkosi.extra/usr/lib/systemd/system/mkosi-test.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Smoke tests for shim
+After=multi-user.target
+Requires=multi-user.target
+SuccessAction=exit
+FailureAction=exit
+SuccessActionExitStatus=123
+
+[Service]
+StandardOutput=journal+console
+Type=oneshot
+ExecStart=/usr/bin/mkosi-test.sh
diff --git a/mkosi/mkosi.finalize b/mkosi/mkosi.finalize
new file mode 100755
index 000000000..556933410
--- /dev/null
+++ b/mkosi/mkosi.finalize
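Review bot: `sbverify --list /boot/EFI/BOOT/grub* | grep -v -q mkosi` does not check what the comment above it promises: `grep -v -q` exits 0 as soon as any output line lacks the string, and an sbverify listing typically has several such header lines, so a grub binary signed with the local mkosi key would still pass. Inverting the match, `if sbverify --list /boot/EFI/BOOT/grub* | grep -q mkosi; then exit 1; fi`, fails the test exactly when the local key shows up (a bare `! ... | grep -q mkosi` would not abort under `-e`, since `!` exempts the pipeline from errexit). The shebang has `-eux` but not `pipefail`, so in all three pipelines an sbverify error is masked by grep's status; `set -o pipefail` after the shebang closes that gap.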
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -e
+
+if [ "$ARCHITECTURE" = "x86-64" ]; then
+ EFI_ARCHITECTURE="x64"
+elif [ "$ARCHITECTURE" = "x86" ]; then
+ EFI_ARCHITECTURE="ia32"
+elif [ "$ARCHITECTURE" = "arm64" ]; then
+ EFI_ARCHITECTURE="aa64"
+else
+ EFI_ARCHITECTURE="$ARCHITECTURE"
+fi
+
+touch -r "$BUILDROOT/usr" "$BUILDROOT/etc/.updated" "$BUILDROOT/var/.updated"
+
+mkdir -p "$OUTPUTDIR/mok/"
+openssl req -new -x509 -newkey rsa:2048 -keyout "$OUTPUTDIR/mok/mkosi.key" -out "$OUTPUTDIR/mok/mkosi.crt" -days 3650 -nodes \
+ -subj "/CN=mkosi MOK key" -addext "subjectAltName=DNS:mkosi.local"
+chmod 0644 "$OUTPUTDIR/mok/mkosi.crt"
+chmod 0600 "$OUTPUTDIR/mok/mkosi.key"
+
+mkdir -p "$BUILDROOT/boot/loader/addons"
+ukify build \
+ --stub "/usr/lib/systemd/boot/efi//addon${EFI_ARCHITECTURE}.efi.stub" \
+ --cmdline="foobarbaz" \
+ --output "$BUILDROOT/boot/loader/addons/test.addon.efi" \
+ --secureboot-certificate "$OUTPUTDIR/mok/mkosi.crt" \
+ --secureboot-private-key "$OUTPUTDIR/mok/mkosi.key" \
diff --git a/mkosi/mkosi.postoutput b/mkosi/mkosi.postoutput
new file mode 100755
index 000000000..5004f7a52
--- /dev/null
+++ b/mkosi/mkosi.postoutput
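Review bot: The last line of the file, `--secureboot-private-key "$OUTPUTDIR/mok/mkosi.key" \`, ends in a backslash continuation with nothing after it; it works today only because end of file follows, and the next option someone appends below will silently become part of the ukify command. Dropping that trailing backslash is the fix. The stub path `"/usr/lib/systemd/boot/efi//addon${EFI_ARCHITECTURE}.efi.stub"` also has a doubled slash, and as in the other scripts of this commit the file runs with `set -e` but not `-u`, so an empty `$OUTPUTDIR` would put the freshly generated MOK private key under `/mok/` instead of the output directory.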
@@ -0,0 +1,80 @@
+#!/bin/bash
+set -e
+shopt -s nullglob
+
+ARGS=(
+ --secure-boot
+ --no-microsoft
+ --output "$OUTPUTDIR/ovmf_vars.fd"
+ --enroll-cert "$SRCDIR/mkosi/mkosi.crt"
+ --add-db OvmfEnrollDefaultKeys "$SRCDIR/mkosi/mkosi.crt"
+)
+
+if [ "$ARCHITECTURE" = "x86-64" ]; then
+ if [ -f /usr/share/OVMF/OVMF_VARS_4M.fd ]; then
+ ARGS+=(--input /usr/share/OVMF/OVMF_VARS_4M.fd)
+ elif [ -f /usr/share/OVMF/OVMF_VARS.fd ]; then
+ ARGS+=(--input /usr/share/OVMF/OVMF_VARS.fd)
+ else
+ echo "No OVMF vars template found for $ARCHITECTURE"
+ exit 1
+ fi
+elif [ "$ARCHITECTURE" = "x86" ]; then
+ if [ -f /usr/share/OVMF/OVMF32_VARS_4M.fd ]; then
+ ARGS+=(--input /usr/share/OVMF/OVMF32_VARS_4M.fd)
+ elif [ -f /usr/share/edk2/ovmf-ia32/OVMF_VARS.fd ]; then
+ ARGS+=(--input /usr/share/edk2/ovmf-ia32/OVMF_VARS.fd)
+ else
+ echo "No OVMF vars template found for $ARCHITECTURE"
+ exit 1
+ fi
+elif [ "$ARCHITECTURE" = "arm64" ]; then
+ if [ -f /usr/share/AAVMF/AAVMF_VARS.fd ]; then
+ ARGS+=(--input /usr/share/AAVMF/AAVMF_VARS.fd)
+ else
+ echo "No OVMF vars template found for $ARCHITECTURE"
+ exit 1
+ fi
+elif [ "$ARCHITECTURE" = "arm" ]; then
+ if [ -f /usr/share/AAVMF/AAVMF32_VARS.fd ]; then
+ ARGS+=(--input /usr/share/AAVMF/AAVMF32_VARS.fd)
+ elif [ -f /usr/share/edk2/arm/QEMU_VARS.fd ]; then
+ ARGS+=(--input /usr/share/edk2/arm/QEMU_VARS.fd)
+ else
+ echo "No OVMF vars template found for $ARCHITECTURE"
+ exit 1
+ fi
+elif [ "$ARCHITECTURE" = "riscv64" ]; then
+ if [ -f /usr/share/qemu-efi-riscv64/RISCV_VIRT_VARS.fd ]; then
+ ARGS+=(--input /usr/share/qemu-efi-riscv64/RISCV_VIRT_VARS.fd)
+ elif [ -f /usr/share/edk2/riscv/RISCV_VIRT_VARS.fd ]; then
+ ARGS+=(--input /usr/share/edk2/riscv/RISCV_VIRT_VARS.fd)
+ else
+ echo "No OVMF vars template found for $ARCHITECTURE"
+ exit 1
+ fi
+elif [ "$ARCHITECTURE" = "loongarch64" ]; then
+ if [ -f /usr/share/qemu-efi-loongarch64/QEMU_VARS.fd ]; then
+ ARGS+=(--input /usr/share/qemu-efi-loongarch64/QEMU_VARS.fd)
+ elif [ -f /usr/share/edk2/loongarch64/QEMU_VARS.fd ]; then
+ ARGS+=(--input /usr/share/edk2/loongarch64/QEMU_VARS.fd)
+ else
+ echo "No OVMF vars template found for $ARCHITECTURE"
+ exit 1
+ fi
+else
+ echo "Unsupported architecture for OVMF vars template: $ARCHITECTURE"
+ exit 1
+fi
+
+if [ "$MKOSI_DEBUG" = "1" ]; then
+ ARGS+=(--loglevel DEBUG)
+else
+ ARGS+=(--loglevel WARNING)
+fi
+
+for cert in "$SRCDIR"/mkosi/mkosi.conf.d/"$DISTRIBUTION"/certs/mok/*.crt "$OUTPUTDIR"/mok/*.crt; do
+ ARGS+=(--add-mok 605dab50-e046-4300-abb6-3dd810dd8b23 "$cert")
+done
+
+virt-fw-vars "${ARGS[@]}"
diff --git a/mkosi/mkosi.repart/00-esp.conf b/mkosi/mkosi.repart/00-esp.conf
new file mode 100644
index 000000000..716aa7e62
--- /dev/null
+++ b/mkosi/mkosi.repart/00-esp.conf
@@ -0,0 +1,7 @@
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
diff --git a/mkosi/mkosi.repart/10-root.conf b/mkosi/mkosi.repart/10-root.conf
new file mode 100644
index 000000000..a6e6b9970
--- /dev/null
+++ b/mkosi/mkosi.repart/10-root.conf
@@ -0,0 +1,6 @@
+[Partition]
+Type=root
+Format=ext4
+CopyFiles=/
+SizeMinBytes=4G
+SizeMaxBytes=4G
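Review bot: The architecture ladder from `if [ "$ARCHITECTURE" = "x86-64" ]; then` down to the closing `fi` repeats the same three-line else branch six times and mixes the candidate template paths with control flow, which makes adding a new template location error-prone. A `case` that only selects the candidate list, followed by a single loop that takes the first existing file, keeps the precedence and both error messages identical in about a third of the lines; the rewrite below does that. The `for cert in ... certs/mok/*.crt ... mok/*.crt` loop also deserves a comment saying which certificates are expected there (in this commit only fedora's redhat-test.crt plus the key generated by mkosi.finalize) and that with `nullglob` a distribution without a `mok/` directory simply enrolls none.
```shell
# … unchanged: shebang, set -e, shopt, ARGS initialisation …
case "$ARCHITECTURE" in
    x86-64)      CANDIDATES=(/usr/share/OVMF/OVMF_VARS_4M.fd /usr/share/OVMF/OVMF_VARS.fd) ;;
    x86)         CANDIDATES=(/usr/share/OVMF/OVMF32_VARS_4M.fd /usr/share/edk2/ovmf-ia32/OVMF_VARS.fd) ;;
    arm64)       CANDIDATES=(/usr/share/AAVMF/AAVMF_VARS.fd) ;;
    arm)         CANDIDATES=(/usr/share/AAVMF/AAVMF32_VARS.fd /usr/share/edk2/arm/QEMU_VARS.fd) ;;
    riscv64)     CANDIDATES=(/usr/share/qemu-efi-riscv64/RISCV_VIRT_VARS.fd /usr/share/edk2/riscv/RISCV_VIRT_VARS.fd) ;;
    loongarch64) CANDIDATES=(/usr/share/qemu-efi-loongarch64/QEMU_VARS.fd /usr/share/edk2/loongarch64/QEMU_VARS.fd) ;;
    *)
        echo "Unsupported architecture for OVMF vars template: $ARCHITECTURE"
        exit 1
        ;;
esac

# First existing candidate wins, same precedence as the original ladder.
VARS_TEMPLATE=""
for candidate in "${CANDIDATES[@]}"; do
    if [ -f "$candidate" ]; then
        VARS_TEMPLATE="$candidate"
        break
    fi
done
if [ -z "$VARS_TEMPLATE" ]; then
    echo "No OVMF vars template found for $ARCHITECTURE"
    exit 1
fi
ARGS+=(--input "$VARS_TEMPLATE")
# … unchanged: MKOSI_DEBUG loglevel selection, --add-mok loop, virt-fw-vars call …
```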