From d4ff867be971f5b9e09c28e894f01d6832cfd30f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 15:21:43 +0200 Subject: [PATCH 01/40] Drop sudo usage to run as root in GitHub workflows --- src/cmd-fetch | 4 ++-- src/cmd-init | 2 +- src/cmd-prune | 2 +- src/cmdlib.sh | 18 +++++++++--------- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/cmd-fetch b/src/cmd-fetch index 165829b7c4..9a19aeed70 100755 --- a/src/cmd-fetch +++ b/src/cmd-fetch @@ -8,12 +8,12 @@ dn=$(dirname "$0") FILE=cache/pkgcache-repo if [ -d "${FILE}" ] then - pkgcachesize=$(sudo du --bytes --max-depth 0 "${FILE}" \ + pkgcachesize=$( du --bytes --max-depth 0 "${FILE}" \ | awk '{print $1; exit}') pkglimit=$((1024 * 1024 * 1024 * 5)) if [[ "${pkgcachesize}" -gt "${pkglimit}" ]] then - sudo cosa prune --pkgcache + cosa prune --pkgcache fi fi diff --git a/src/cmd-init b/src/cmd-init index 38a6804920..8703fdeb8e 100755 --- a/src/cmd-init +++ b/src/cmd-init @@ -147,7 +147,7 @@ source=$1; shift preflight if has_privileges; then - sudo chown "$USER:" . + chown "$USER:" . elif [ ! -w . ]; then fatal "init: running unprivileged, and current directory not writable" fi diff --git a/src/cmd-prune b/src/cmd-prune index 660eae5790..59092569c5 100755 --- a/src/cmd-prune +++ b/src/cmd-prune @@ -89,7 +89,7 @@ if args.pkgcache: n = len("cache/pkgcache-repo/refs/heads/") if pkg[n:] not in build_pkg: print(f"Deleted {pkg[n:]}") - subprocess.call(f"sudo ostree refs --repo=cache/pkgcache-repo --delete {pkg[n:]}", shell=True) + subprocess.call(f" ostree refs --repo=cache/pkgcache-repo --delete {pkg[n:]}", shell=True) sys.exit(0) diff --git a/src/cmdlib.sh b/src/cmdlib.sh index 11f6983fea..d66844f573 100755 --- a/src/cmdlib.sh +++ b/src/cmdlib.sh 
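Review bot: The new `subprocess.call(f" ostree refs --repo=cache/pkgcache-repo --delete {pkg[n:]}", shell=True)` line in cmd-prune keeps `shell=True` and still interpolates the ref name into a shell command string; the leading space left where `sudo` was shows the string was edited rather than rebuilt. With `sudo` gone there is no reason to go through a shell at all, so pass an argv list and the ref is never shell-parsed: `subprocess.call(["ostree", "refs", "--repo=cache/pkgcache-repo", "--delete", pkg[n:]])`. Consider `check_call` there as well, since the return code of the delete is currently ignored. The enclosing `if args.pkgcache:` block starts outside the hunk.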
@@ -56,8 +56,8 @@ has_privileges() { elif ! capsh --print | grep -q 'Bounding.*cap_sys_admin'; then info "Missing CAP_SYS_ADMIN; using virt" COSA_PRIVILEGED=0 - elif [ "$(id -u)" != "0" ] && ! sudo true; then - info "Missing sudo privs; using virt" + elif [ "$(id -u)" != "0" ] && ! true; then + info "Missing privs; using virt" COSA_PRIVILEGED=0 else COSA_PRIVILEGED=1 @@ -113,9 +113,9 @@ preflight_kvm() { if ! has_privileges; then fatal "running unprivileged, and /dev/kvm not writable" else - sudo rm -f /dev/kvm - sudo mknod /dev/kvm c 10 232 - sudo setfacl -m u:"$USER":rw /dev/kvm + rm -f /dev/kvm + mknod /dev/kvm c 10 232 + setfacl -m u:"$USER":rw /dev/kvm fi fi fi @@ -562,8 +562,8 @@ runcompose_tree() { set - "$@" --repo "${repo}" --write-composejson-to "${composejson}" # we hardcode a umask of 0022 here to make sure that composes are run # with a consistent value, regardless of the environment - (umask 0022 && sudo -E "$@") - sudo chown -R -h "${USER}":"${USER}" "${tmprepo}" + (umask 0022 && "$@") + chown -R -h "${USER}":"${USER}" "${tmprepo}" else runvm_with_cache -- "$@" --repo "${repo}" --write-composejson-to "${composejson}" fi @@ -586,8 +586,8 @@ runcompose_extensions() { if has_privileges; then # we hardcode a umask of 0022 here to make sure that composes are run # with a consistent value, regardless of the environment - (umask 0022 && sudo -E "$@") - sudo chown -R -h "${USER}":"${USER}" "${outputdir}" + (umask 0022 && "$@") + chown -R -h "${USER}":"${USER}" "${outputdir}" else # Use a snapshot version of the cache qcow2 to allow multiple users # of the cache at the same time. This is needed because the extensions From ecb92b3cb15a415acd0b68b1e951bc62f61ee55b Mon Sep 17 00:00:00 2001 
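Review bot: In the has_privileges hunk the condition `elif [ "$(id -u)" != "0" ] && ! true; then` can never be true, so the "Missing privs" branch is dead and an unprivileged user whose bounding set still lists cap_sys_admin (typically the case) now falls through to `COSA_PRIVILEGED=1`. The preflight_kvm and runcompose_tree/runcompose_extensions hunks in this commit, plus `chown "$USER:" .` in cmd-init, then run `rm -f /dev/kvm`, `mknod`, `chown` and the compose directly and will fail for that user. The check should simply test for root: `elif [ "$(id -u)" != "0" ]; then` followed by `info "Not running as root; using virt"`. has_privileges starts before the hunk.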
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 15:25:22 +0200 Subject: [PATCH 02/40] Bump ESP & boot partitions size --- src/cmd-buildextend-metal | 2 +- src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/cmd-buildextend-metal b/src/cmd-buildextend-metal index c7ec9d8795..2bc9f32c07 100755 --- a/src/cmd-buildextend-metal +++ b/src/cmd-buildextend-metal @@ -195,7 +195,7 @@ rootfs_size_mb="$(jq '."estimate-mb".final' "$PWD/tmp/ostree-size.json")" # the size set in the configs since some of them have minimum sizes that # the platforms require and we want a "default" disk size that has some # free space. -nonroot_partition_sizes=513 +nonroot_partition_sizes=2048 # On s390x there is one more build - Secure Execution case, which has # different image layout. We add the sizes of the se and verity # partitions so that they don't "eat into" the 35% buffer (though note diff --git a/src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml b/src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml index bb4f633a19..8a7aba83d4 100644 --- a/src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml +++ b/src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml @@ -14,8 +14,8 @@ mpp-vars: bios_boot_size_mb: 1 ppc_prep_size_mb: 4 reserved_part_size_mb: 1 - efi_system_size_mb: 127 - boot_size_mb: 384 + efi_system_size_mb: 512 + boot_size_mb: 512 sector_size: 512 four_k_sector_size: 4096 # Filesystem UUID and label definitions. These UUIDs From 4926cdd9b11b47b82efdc831f82caa1cc295c9ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 15:25:36 +0200 Subject: [PATCH 03/40] github: Remove Dependabot config --- .github/dependabot.yml | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 13efb162da..0000000000 
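Review bot: `nonroot_partition_sizes=2048` no longer matches what the surrounding comment says the value is: the preceding lines describe it as the size set in the configs, the old `513` was exactly 127 + 384 + 1 + 1 from the manifest, and the manifest hunk in this same commit sets 512 (ESP) + 512 (boot) + 1 + 1, i.e. 1026, not 2048. If the extra headroom is intended, record it, e.g. `# Sum of the non-root partitions from the osbuild manifest (1026 MB), rounded up to 2048 for headroom`; otherwise set the actual sum so the rootfs estimate does not over-reserve space. The comment this line belongs to starts before the hunk.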
--- a/.github/dependabot.yml +++ /dev/null @@ -1,11 +0,0 @@ -version: 2 -updates: -- package-ecosystem: gomod - directory: "/" - schedule: - interval: daily - allow: - # For now, only enable the deps we know we want to keep fresh - - dependency-name: "github.com/coreos/butane" - - dependency-name: "github.com/coreos/ignition/v2" - - dependency-name: "github.com/coreos/stream-metadata-go" From 357ed4cacbba3db15e21393908e5f8459219250e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 19:29:59 +0200 Subject: [PATCH 04/40] WIP --- src/cmd-build | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/src/cmd-build b/src/cmd-build index 3ee8d9a5c5..dbdb399113 100755 --- a/src/cmd-build +++ b/src/cmd-build 
@@ -651,5 +651,38 @@ if [ -n "${TAG}" ]; then /usr/lib/coreos-assembler/cmd-tag update --build "${buildid}" --tag "${TAG}" fi +commit="$(cat tmp/repo/refs/heads/"${buildid}")" +kernpath="$(ostree ls --repo tmp/repo "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" +kernver="$(basename "${kernpath}")" +ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz +ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/initramfs.img" > initramfs +ostree cat --repo tmp/repo "$commit" "/usr/lib/os-release" > os-release +ukify build \ + --linux "vmlinuz" \ + --initrd "initramfs.img" \ + --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8" \ + --os-release "os-release" \ + --signtool sbsign \ + --secureboot-private-key "db.key" \ + --secureboot-certificate "db.pem" \ + --output "uki" \ + --measure \ + --json pretty +mkdir -p "tmp/rootfs/usr/lib/modules/$kernver/uki" +mv uki "tmp/rootfs/usr/lib/modules/$kernver/uki" +sudo chown 0:0 "tmp/rootfs/usr/lib/modules/$kernver/uki" +sudo chmod 644 "tmp/rootfs/usr/lib/modules/$kernver/uki" +sudo chcon "system_u:object_r:usr_t" "tmp/rootfs/usr/lib/modules/$kernver/uki" +ostree commit \ + --repo tmp/repo \ + --base "$commit" \ + --branch "fedora/x86_64/coreos/$(basename "$(ls tmp/repo/refs/heads/fedora/x86_64/coreos/*)")" \ + --subject "${buildid} + UKI" \ + --sign-type ed25519 \ + --sign-from-file="tmp/ostree_signing_key" \ + --bootable \ + /tmp/rootfs && \ +rm -rf tmp/rootfs + # and finally, build the specified targets build_followup_targets From aa95e61ecb2ea2584ae8b88348e9d15320947b5f Mon Sep 17 00:00:00 2001 
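Review bot: The UKI block appended after the tag step reintroduces `sudo chown`/`chmod`/`chcon` one commit after this series removed sudo from the other scripts, and its paths are inconsistent: the initramfs is written to `initramfs` but passed as `--initrd "initramfs.img"`, `mkdir -p …/uki` creates a directory that `mv uki …/uki` then moves the file into (ending up as `uki/uki`, with the `chmod 644` applied to the directory), and `ostree commit` is given the absolute `/tmp/rootfs` while the tree was assembled under the relative `tmp/rootfs`. The block also runs unconditionally and reads `db.key`, `db.pem` and `tmp/ostree_signing_key` from relative paths with no existence check, so any build without those files fails only after the compose has completed. Gate it behind an explicit option and verify the inputs first, e.g. `[ -f db.key ] && [ -f db.pem ] || fatal "Secure Boot signing key or certificate missing"`.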
From: jbtrystram Date: Wed, 29 May 2024 18:02:15 +0200 Subject: [PATCH 05/40] cmd-build: Enable composeFS signing This is a first draft trying to implement a signed composeFS build following the steps in https://ostreedev.github.io/ostree/composefs/#signatures Right now the `ostree container image deploy` step fails with : `error: Reading composefs config: Loading composefs config: Invalid tri-state value: signed` --- src/cmd-build | 22 +++++++++++++++++++++- src/cmdlib.sh | 19 +++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index dbdb399113..922a34cc31 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -38,6 +38,8 @@ Usage: coreos-assembler build --help --autolock=VERSION If no base lockfile used, create one from any arch build of `VERSION`. Note this is automatically enabled when adding to an existing multi-arch non-strict build. + --sign-composefs Sign the composeFS metadata and attach the signature to the OSTree commit. + This will also insert the public key into the rootfs for signature verification. Additional environment variables supported: @@ -62,8 +64,9 @@ TAG= STRICT= CONFIG_ARCHIVE=1 AUTOLOCK_VERSION= +SIGN_COMPOSEFS= rc=0 -options=$(getopt --options hfFt: --longoptions tag:,help,fetch,force,version:,parent:,parent-build:,delay-meta-merge,force-nocache,force-image,skip-prune,prepare-only,strict,skip-config-archive,autolock:,versionary -- "$@") || rc=$? +options=$(getopt --options hfFt: --longoptions tag:,help,fetch,force,version:,parent:,parent-build:,delay-meta-merge,force-nocache,force-image,skip-prune,prepare-only,strict,skip-config-archive,autolock:,versionary,sign-composefs -- "$@") || rc=$? [ $rc -eq 0 ] || { print_help exit 1 @@ -123,6 +126,9 @@ while true; do shift TAG=$1 ;; + --sign-composefs) + SIGN_COMPOSEFS=true + ;; --) shift break 
@@ -257,6 +263,11 @@ if [ -n "${PARENT_BUILD}" ]; then fi fi +# If composeFS signing is enabled, generate the signature key +if test -n "${SIGN_COMPOSEFS}"; then + gen_ed25519_signing_key +fi + # Calculate image input checksum now and gather previous image build variables if any ks_path="${configdir}"/image.ks if [ -f "${ks_path}" ]; then @@ -448,6 +459,15 @@ echo "New build ID: ${buildid}" # Also write out a ref with the build ID ostree --repo="${tmprepo}" refs --create "${buildid}" "${commit}" +#Not sure if we need to add --generate-composefs-metadata as I couldn't find +# any references in ostree man pages. +# is is default since https://github.com/coreos/rpm-ostree/pull/4495/commits/dbe78217c0205dad372c84b2cf0a299003787952 ? + +# If composeFS signing is enabled, sign the last commit +if test -n "${SIGN_COMPOSEFS}"; then + ostree sign --keys-file ${TMPDIR}/cosa_key.ed25519 ${commit} --repo=${tmprepo} +fi + "${dn}"/write-commit-object "${tmprepo}" "${commit}" "$(pwd)" build_timestamp=$(date -u +$RFC3339) diff --git a/src/cmdlib.sh b/src/cmdlib.sh index d66844f573..b65c68782d 100755 --- a/src/cmdlib.sh +++ b/src/cmdlib.sh @@ -1103,3 +1103,22 @@ extract_osrelease_name() { # shellcheck disable=SC1091,SC2153 (. "$out/os-release" && echo "${NAME}") } + + +gen_ed25519_signing_key() { + local key_file="${1:-cosa_key}" + # Generate the key + openssl genpkey -algorithm ed25519 -outform PEM -out ${TMPDIR}/${key_file} + + # Extract the pubkey + PUBKEY="$(openssl pkey -outform DER -pubout -in ${TMPDIR}/${key_file} | tail -c 32 | base64)" + + ## write the pubkey in overrides + echo $PUBKEY > ${workdir}/overrides/rootfs/etc/ostree/initramfs-root-binding.key + + # Convert the private key to base64 for ostree signing + ## Extract the seed + SEED="$(openssl pkey -outform DER -in ${TMPDIR}/${key_file} | tail -c 32 | base64)" + ## Secret key is the concatenation of SEED and PUBLIC + echo ${SEED}${PUBKEY} | base64 -d | base64 -w 0 > ${TMPDIR}/${key_file}.ed25519 +} 
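Review bot: `ostree sign --keys-file ${TMPDIR}/cosa_key.ed25519 ${commit} --repo=${tmprepo}` leaves every expansion unquoted, and it hard-codes the `cosa_key` default of gen_ed25519_signing_key instead of naming the key once in a variable both sites use. Quote it: `ostree sign --repo="${tmprepo}" --keys-file "${TMPDIR}/cosa_key.ed25519" "${commit}"`. The three-line comment above it ("Not sure if we need to add --generate-composefs-metadata…") is an open question rather than documentation; turn it into a `# TODO(name): …` with the link, or resolve it before merge.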
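Review bot: gen_ed25519_signing_key creates the private key with `openssl genpkey … -out ${TMPDIR}/${key_file}` and the derived `.ed25519` secret with a plain redirection, so both files get the caller's default umask rather than 0600, and every path expansion in the function is unquoted. The last line also feeds `${SEED}${PUBKEY}` — two separately padded base64 strings, each 44 characters ending in `=` for 32 bytes — to a single `base64 -d`, which is not guaranteed to accept a `=` that lands mid-stream; decode the halves separately and re-encode the 64-byte result. `echo $PUBKEY` should be `printf '%s\n' "$PUBKEY"`, and the overrides directory is not created before the redirect. A rewritten body with the same interface follows.
```shell
gen_ed25519_signing_key() {
  local key_file="${1:-cosa_key}"
  local pubkey seed
  # 0600 on the private key: set umask in a subshell so the caller's umask is untouched
  (umask 077 && openssl genpkey -algorithm ed25519 -outform PEM -out "${TMPDIR}/${key_file}")

  pubkey="$(openssl pkey -outform DER -pubout -in "${TMPDIR}/${key_file}" | tail -c 32 | base64)"
  mkdir -p "${workdir}/overrides/rootfs/etc/ostree"
  printf '%s\n' "${pubkey}" > "${workdir}/overrides/rootfs/etc/ostree/initramfs-root-binding.key"

  # Secret key is the concatenation of seed and public key; decode the two halves
  # separately so no '=' padding ends up in the middle of base64's input
  seed="$(openssl pkey -outform DER -in "${TMPDIR}/${key_file}" | tail -c 32 | base64)"
  (umask 077 && { base64 -d <<<"${seed}"; base64 -d <<<"${pubkey}"; } | base64 -w 0 \
    > "${TMPDIR}/${key_file}.ed25519")
}
```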
From ebec947e267e36d04fa6b6bd5ed80b7f8e473dca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 19:51:48 +0200 Subject: [PATCH 06/40] WIP composefs --- src/cmd-build | 48 ++++++++++++++++++++++++------------------------ src/cmdlib.sh | 19 +++++++++++-------- 2 files changed, 35 insertions(+), 32 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index 922a34cc31..adcfc53d77 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -263,6 +263,8 @@ if [ -n "${PARENT_BUILD}" ]; then fi fi +# TODO +SIGN_COMPOSEFS=true # If composeFS signing is enabled, generate the signature key if test -n "${SIGN_COMPOSEFS}"; then gen_ed25519_signing_key @@ -365,15 +367,6 @@ fi if [ ! -f "${workdir}"/builds/builds.json ] && [ ! -f "${fetch_stamp}" ] ; then fatal "Must fetch before building" fi -composefs="$(jq -r .composefs < "${image_json}")" -case "${composefs}" in - false) - ;; - true) - ostree config --repo="${tmprepo}" set ex-integrity.composefs "true" - ;; - *) fatal "Unhandled composefs setting: ${composefs}" ;; -esac # --cache-only is here since `fetch` is a separate verb # shellcheck disable=SC2086 @@ -386,6 +379,9 @@ RUNVM_NONET=1 runcompose_tree --cache-only ${FORCE} \ "${extra_compose_args[@]}" strip_out_lockfile_digests "$lockfile_out".tmp /usr/lib/coreos-assembler/finalize-artifact "${lockfile_out}"{.tmp,} + +# TODO Handle UKI & commit signature here + # Very special handling for --write-composejson-to as rpm-ostree doesn't # write it if the commit didn't change. if [ -f "${changed_stamp}" ] && [ -f "${composejson}" ]; then 
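Review bot: `SIGN_COMPOSEFS=true` placed just before the `if test -n "${SIGN_COMPOSEFS}"` check overrides the `--sign-composefs` option added in the previous commit, so every build now generates a signing key and writes a binding key into overrides whether or not the flag was given. A bare `# TODO` does not make that safe to merge; either drop the line or make the intent explicit, e.g. `# TODO(name): forced on while the composefs path is developed; remove before merge`.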
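Review bot: Deleting the `composefs="$(jq -r .composefs < "${image_json}")"` case block means the `composefs` key in image.json is no longer consumed here and, as far as the diff shows, nothing else sets `ex-integrity.composefs` on the repo, so a config that sets the key to `true` or to an unexpected value is now silently accepted rather than honoured or rejected. If the intent is that composefs metadata is always generated from now on, say so where the block was, e.g. `# composefs metadata is always generated; the "composefs" key in image.json is no longer consulted`, and consider keeping the `fatal` for unknown values.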
@@ -395,6 +391,9 @@ if [ -f "${changed_stamp}" ] && [ -f "${composejson}" ]; then # Save this in case the image build fails cp-reflink "${composejson}" "${workdir}"/tmp/compose-"${commit}".json else + echo "Not supported with composefs" + exit 1 + commit="${previous_commit}" image_input_checksum=$( (echo "${commit}" && echo "${image_config_checksum}") | sha256sum_str) echo "commit: ${commit} image: ${image_input_checksum}" @@ -459,14 +458,16 @@ echo "New build ID: ${buildid}" # Also write out a ref with the build ID ostree --repo="${tmprepo}" refs --create "${buildid}" "${commit}" -#Not sure if we need to add --generate-composefs-metadata as I couldn't find +# Not sure if we need to add --generate-composefs-metadata as I couldn't find # any references in ostree man pages. # is is default since https://github.com/coreos/rpm-ostree/pull/4495/commits/dbe78217c0205dad372c84b2cf0a299003787952 ? -# If composeFS signing is enabled, sign the last commit -if test -n "${SIGN_COMPOSEFS}"; then - ostree sign --keys-file ${TMPDIR}/cosa_key.ed25519 ${commit} --repo=${tmprepo} -fi +# TODO +# If composefs signing is enabled, sign the last commit +# if test -n "${SIGN_COMPOSEFS}"; then +# ostree sign --keys-file ${TMPDIR}/cosa_key.ed25519 ${commit} --repo=${tmprepo} +# fi +# TODO "${dn}"/write-commit-object "${tmprepo}" "${commit}" "$(pwd)" 
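Review bot: The added `echo "Not supported with composefs"` / `exit 1` in the else branch prints the diagnostic to stdout, bypasses the script's own `fatal` helper, and leaves the three lines after it (`commit="${previous_commit}"` and the checksum echo) unreachable. Use `fatal "rebuilding an unchanged commit is not supported with composefs"` and delete the dead lines instead of hiding them behind the exit; if this is a temporary restriction, mark it `# TODO(name): …` with the reason. The if/else starts before the hunk.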
@@ -679,29 +680,28 @@ ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/initramfs.img" > ostree cat --repo tmp/repo "$commit" "/usr/lib/os-release" > os-release ukify build \ --linux "vmlinuz" \ - --initrd "initramfs.img" \ + --initrd "initramfs" \ --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8" \ --os-release "os-release" \ + --uname "$kernver" \ --signtool sbsign \ --secureboot-private-key "db.key" \ --secureboot-certificate "db.pem" \ --output "uki" \ - --measure \ - --json pretty -mkdir -p "tmp/rootfs/usr/lib/modules/$kernver/uki" + --measure +mkdir -p "tmp/rootfs/usr/lib/modules/$kernver/" mv uki "tmp/rootfs/usr/lib/modules/$kernver/uki" -sudo chown 0:0 "tmp/rootfs/usr/lib/modules/$kernver/uki" -sudo chmod 644 "tmp/rootfs/usr/lib/modules/$kernver/uki" -sudo chcon "system_u:object_r:usr_t" "tmp/rootfs/usr/lib/modules/$kernver/uki" -ostree commit \ +chown 0:0 "tmp/rootfs/usr/lib/modules/$kernver/uki" +chmod 644 "tmp/rootfs/usr/lib/modules/$kernver/uki" +newcommit="$(ostree commit \ --repo tmp/repo \ --base "$commit" \ --branch "fedora/x86_64/coreos/$(basename "$(ls tmp/repo/refs/heads/fedora/x86_64/coreos/*)")" \ --subject "${buildid} + UKI" \ --sign-type ed25519 \ - --sign-from-file="tmp/ostree_signing_key" \ + --sign-from-file="tmp/ostree_signing_key.ed25519" \ --bootable \ - /tmp/rootfs && \ + tmp/rootfs)" rm -rf tmp/rootfs # and finally, build the specified targets diff --git a/src/cmdlib.sh b/src/cmdlib.sh index b65c68782d..e0e2338234 100755 --- a/src/cmdlib.sh +++ b/src/cmdlib.sh 
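Review bot: `newcommit="$(ostree commit …)"` captures the commit that carries the UKI, but nothing in this hunk or elsewhere in the diff reads `newcommit`, so `$commit` still refers to the base compose and the UKI commit is effectively discarded. Either assign to `commit` so the rest of the script writes and tags the signed commit, or, if this is deliberately not wired up yet, add `# TODO(name): newcommit is unused; the UKI commit is currently discarded` so it is not mistaken for finished work. The script continues past the hunk.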
@@ -1106,19 +1106,22 @@ extract_osrelease_name() { gen_ed25519_signing_key() { - local key_file="${1:-cosa_key}" + local key_file="ostree_signing_key" + # Generate the key - openssl genpkey -algorithm ed25519 -outform PEM -out ${TMPDIR}/${key_file} + openssl genpkey -algorithm ed25519 -outform PEM -out "${TMPDIR}/${key_file}" # Extract the pubkey - PUBKEY="$(openssl pkey -outform DER -pubout -in ${TMPDIR}/${key_file} | tail -c 32 | base64)" + local -r pubkey="$(openssl pkey -outform DER -pubout -in "${TMPDIR}/${key_file}" | tail -c 32 | base64)" - ## write the pubkey in overrides - echo $PUBKEY > ${workdir}/overrides/rootfs/etc/ostree/initramfs-root-binding.key + # Write the pubkey in overrides + mkdir -p "${workdir}/overrides/rootfs/etc/ostree/" + echo "$pubkey" > "${workdir}/overrides/rootfs/etc/ostree/initramfs-root-binding.key" # Convert the private key to base64 for ostree signing ## Extract the seed - SEED="$(openssl pkey -outform DER -in ${TMPDIR}/${key_file} | tail -c 32 | base64)" - ## Secret key is the concatenation of SEED and PUBLIC - echo ${SEED}${PUBKEY} | base64 -d | base64 -w 0 > ${TMPDIR}/${key_file}.ed25519 + local -r seed="$(openssl pkey -outform DER -in "${TMPDIR}/${key_file}" | tail -c 32 | base64)" + + ## Secret key is the concatenation of seed and public + echo "${seed}${pubkey}" | base64 -d | base64 -w 0 > "${TMPDIR}/${key_file}.ed25519" } From f15cbb16be7ba9a6f35fc23840333f90b49a7085 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 19:53:32 +0200 Subject: [PATCH 07/40] wip --- src/cmd-build | 66 +++++++++++++++++++++++++-------------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index adcfc53d77..544eaeed25 100755 --- a/src/cmd-build +++ b/src/cmd-build 
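Review bot: `local -r pubkey="$(openssl … | base64)"` and the matching `seed` line mask the pipeline's exit status (`local` itself always returns 0), so a failing `openssl pkey` leaves an empty value and the function goes on to write an empty binding key and a bogus `.ed25519` file. Declare first and assign separately: `local pubkey` then `pubkey="$(openssl pkey -outform DER -pubout -in "${TMPDIR}/${key_file}" | tail -c 32 | base64)" || return`. The file permissions of the two key files and the mid-stream `=` padding in `echo "${seed}${pubkey}" | base64 -d` are unchanged from the earlier version of this function and still apply.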
@@ -382,10 +382,42 @@ strip_out_lockfile_digests "$lockfile_out".tmp # TODO Handle UKI & commit signature here +commit="$(cat tmp/repo/refs/heads/"${buildid}")" +kernpath="$(ostree ls --repo tmp/repo "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" +kernver="$(basename "${kernpath}")" +ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz +ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/initramfs.img" > initramfs +ostree cat --repo tmp/repo "$commit" "/usr/lib/os-release" > os-release +ukify build \ + --linux "vmlinuz" \ + --initrd "initramfs" \ + --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8" \ + --os-release "os-release" \ + --uname "$kernver" \ + --signtool sbsign \ + --secureboot-private-key "db.key" \ + --secureboot-certificate "db.pem" \ + --output "uki" \ + --measure +mkdir -p "tmp/rootfs/usr/lib/modules/$kernver/" +mv uki "tmp/rootfs/usr/lib/modules/$kernver/uki" +chown 0:0 "tmp/rootfs/usr/lib/modules/$kernver/uki" +chmod 644 "tmp/rootfs/usr/lib/modules/$kernver/uki" +commit="$(ostree commit \ + --repo tmp/repo \ + --base "$commit" \ + --branch "fedora/x86_64/coreos/$(basename "$(ls tmp/repo/refs/heads/fedora/x86_64/coreos/*)")" \ + --subject "${buildid} + UKI" \ + --sign-type ed25519 \ + --sign-from-file="tmp/ostree_signing_key.ed25519" \ + --bootable \ + tmp/rootfs)" +rm -rf tmp/rootfs + # Very special handling for --write-composejson-to as rpm-ostree doesn't # write it if the commit didn't change. if [ -f "${changed_stamp}" ] && [ -f "${composejson}" ]; then - commit=$(jq -r '.["ostree-commit"]' < "${composejson}") + # commit=$(jq -r '.["ostree-commit"]' < "${composejson}") # Clean up prior versions rm -f "${workdir}"/tmp/compose-*.json # Save this in case the image build fails 
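Review bot: `commit="$(cat tmp/repo/refs/heads/"${buildid}")"` now runs directly after the compose, but the `${buildid}` ref is only created later by `ostree --repo="${tmprepo}" refs --create "${buildid}" "${commit}"` (around line 459 of this file in an earlier hunk), so at this point the file does not exist. Read the commit from the compose output instead, `commit=$(jq -r '.["ostree-commit"]' < "${composejson}")`, and use `"${tmprepo}"` rather than the hard-coded `tmp/repo`. The block also drops `vmlinuz`, `initramfs` and `os-release` into the current directory under fixed names and never removes them (`rm -rf tmp/rootfs` does not cover them); write them into a `mktemp -d` under `${workdir}/tmp` and remove it with a trap. The surrounding section continues past the hunk.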
@@ -672,37 +704,5 @@ if [ -n "${TAG}" ]; then /usr/lib/coreos-assembler/cmd-tag update --build "${buildid}" --tag "${TAG}" fi -commit="$(cat tmp/repo/refs/heads/"${buildid}")" -kernpath="$(ostree ls --repo tmp/repo "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" -kernver="$(basename "${kernpath}")" -ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz -ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/initramfs.img" > initramfs -ostree cat --repo tmp/repo "$commit" "/usr/lib/os-release" > os-release -ukify build \ - --linux "vmlinuz" \ - --initrd "initramfs" \ - --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8" \ - --os-release "os-release" \ - --uname "$kernver" \ - --signtool sbsign \ - --secureboot-private-key "db.key" \ - --secureboot-certificate "db.pem" \ - --output "uki" \ - --measure -mkdir -p "tmp/rootfs/usr/lib/modules/$kernver/" -mv uki "tmp/rootfs/usr/lib/modules/$kernver/uki" -chown 0:0 "tmp/rootfs/usr/lib/modules/$kernver/uki" -chmod 644 "tmp/rootfs/usr/lib/modules/$kernver/uki" -newcommit="$(ostree commit \ - --repo tmp/repo \ - --base "$commit" \ - --branch "fedora/x86_64/coreos/$(basename "$(ls tmp/repo/refs/heads/fedora/x86_64/coreos/*)")" \ - --subject "${buildid} + UKI" \ - --sign-type ed25519 \ - --sign-from-file="tmp/ostree_signing_key.ed25519" \ - --bootable \ - tmp/rootfs)" -rm -rf tmp/rootfs - # and finally, build the specified targets build_followup_targets From b18e70b526e1cd257d05a5d8721ce5ae33e9ffe8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 20:08:45 +0200 Subject: [PATCH 08/40] wip --- src/cmd-build | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index 544eaeed25..8c4ab00e9b 100755 --- a/src/cmd-build +++ b/src/cmd-build 
@@ -382,7 +382,7 @@ strip_out_lockfile_digests "$lockfile_out".tmp # TODO Handle UKI & commit signature here -commit="$(cat tmp/repo/refs/heads/"${buildid}")" +commit=$(jq -r '.["ostree-commit"]' < "${composejson}") kernpath="$(ostree ls --repo tmp/repo "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" kernver="$(basename "${kernpath}")" ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz @@ -407,7 +407,7 @@ commit="$(ostree commit \ --repo tmp/repo \ --base "$commit" \ --branch "fedora/x86_64/coreos/$(basename "$(ls tmp/repo/refs/heads/fedora/x86_64/coreos/*)")" \ - --subject "${buildid} + UKI" \ + --subject "$commit + UKI" \ --sign-type ed25519 \ --sign-from-file="tmp/ostree_signing_key.ed25519" \ --bootable \ From e2e6bb0c439f9da7189af760dcb006e4c222d0d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 20:24:14 +0200 Subject: [PATCH 09/40] w --- src/cmd-build | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index 8c4ab00e9b..4f97534e1d 100755 --- a/src/cmd-build +++ b/src/cmd-build 
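Review bot: `commit=$(jq -r '.["ostree-commit"]' < "${composejson}")` is now executed unconditionally, but the comment a few lines below says rpm-ostree does not write that file when the commit did not change, and the existing `if [ -f "${changed_stamp}" ] && [ -f "${composejson}" ]` guards against exactly that; on an unchanged rebuild the redirect fails (or `commit` is empty) before that guard is reached. Move the UKI/signing block under the same condition, or fall back explicitly: `if [ -f "${composejson}" ]; then commit=$(jq -r '.["ostree-commit"]' < "${composejson}"); else commit="${previous_commit}"; fi`. The second hunk's `--subject "$commit + UKI"` then gets a defined value as well.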
@@ -383,11 +383,11 @@ strip_out_lockfile_digests "$lockfile_out".tmp # TODO Handle UKI & commit signature here commit=$(jq -r '.["ostree-commit"]' < "${composejson}") -kernpath="$(ostree ls --repo tmp/repo "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" +kernpath="$(ostree ls --repo "${tmprepo}" "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" kernver="$(basename "${kernpath}")" -ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz -ostree cat --repo tmp/repo "$commit" "/usr/lib/modules/$kernver/initramfs.img" > initramfs -ostree cat --repo tmp/repo "$commit" "/usr/lib/os-release" > os-release +ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz +ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/initramfs.img" > initramfs +ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/os-release" > os-release ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ @@ -399,20 +399,20 @@ ukify build \ --secureboot-certificate "db.pem" \ --output "uki" \ --measure -mkdir -p "tmp/rootfs/usr/lib/modules/$kernver/" -mv uki "tmp/rootfs/usr/lib/modules/$kernver/uki" -chown 0:0 "tmp/rootfs/usr/lib/modules/$kernver/uki" -chmod 644 "tmp/rootfs/usr/lib/modules/$kernver/uki" +mkdir -p "ukirootfs/usr/lib/modules/$kernver/" +mv uki "ukirootfs/usr/lib/modules/$kernver/uki" +chown 0:0 "ukirootfs/usr/lib/modules/$kernver/uki" +chmod 644 "ukirootfs/usr/lib/modules/$kernver/uki" commit="$(ostree commit \ - --repo tmp/repo \ + --repo "${tmprepo}" \ --base "$commit" \ --branch "fedora/x86_64/coreos/$(basename "$(ls tmp/repo/refs/heads/fedora/x86_64/coreos/*)")" \ --subject "$commit + UKI" \ --sign-type ed25519 \ --sign-from-file="tmp/ostree_signing_key.ed25519" \ --bootable \ - tmp/rootfs)" -rm -rf tmp/rootfs + ukirootfs)" +rm -rf ukirootfs # Very special handling for --write-composejson-to as rpm-ostree doesn't # write it if the commit didn't change. 
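Review bot: `--branch "fedora/x86_64/coreos/$(basename "$(ls tmp/repo/refs/heads/fedora/x86_64/coreos/*)")"` still hard-codes `tmp/repo` while every other line in the hunk was switched to `"${tmprepo}"`, and it hard-codes the `fedora/x86_64` ref prefix, so the UKI commit lands on the wrong or a nonexistent branch for any other architecture or distro. Parsing `ls` output also breaks as soon as that directory holds more than one ref. Derive the branch from the ref the compose already targets if the manifest or compose metadata exposes it; failing that, glob into an array and insist on one entry: `refs=("${tmprepo}"/refs/heads/fedora/x86_64/coreos/*)` then `[ "${#refs[@]}" -eq 1 ] || fatal "expected exactly one ref under ${tmprepo}/refs/heads/fedora/x86_64/coreos"`.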
From 51f70736b4346aa213f710b85d840f5123060aa9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 22:57:09 +0200 Subject: [PATCH 10/40] wip --- src/cmd-build | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cmd-build b/src/cmd-build index 4f97534e1d..093630914f 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -388,6 +388,7 @@ kernver="$(basename "${kernpath}")" ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/initramfs.img" > initramfs ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/os-release" > os-release +cp ../../db.key ../../db.pem . ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ From 948e8427128b2c369f6f44cf1083b63e8e92fbd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 23:20:55 +0200 Subject: [PATCH 11/40] w --- src/cmd-build | 1 - 1 file changed, 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 093630914f..23e83660f5 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -407,7 +407,6 @@ chmod 644 "ukirootfs/usr/lib/modules/$kernver/uki" commit="$(ostree commit \ --repo "${tmprepo}" \ --base "$commit" \ - --branch "fedora/x86_64/coreos/$(basename "$(ls tmp/repo/refs/heads/fedora/x86_64/coreos/*)")" \ --subject "$commit + UKI" \ --sign-type ed25519 \ --sign-from-file="tmp/ostree_signing_key.ed25519" \ From 70329f78e537d63db164a11ee29bd60d8272ac56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 23:44:21 +0200 Subject: [PATCH 12/40] w --- src/cmd-build | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cmd-build b/src/cmd-build index 23e83660f5..9686a48c84 100755 --- a/src/cmd-build +++ b/src/cmd-build 
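Review bot: `cp ../../db.key ../../db.pem .` copies the Secure Boot signing private key into the build's working directory, where it remains after the build and can end up in artifacts or a committed tree, and it assumes a fixed location two levels up. Reference the key where it lives instead (later hunks in this series use `"${workdir}/db.key"` for exactly this) and make its absence an explicit error: `[ -f "${workdir}/db.key" ] || fatal "Secure Boot signing key not found in ${workdir}"`. The block this line sits in starts before the hunk.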
@@ -407,6 +407,7 @@ chmod 644 "ukirootfs/usr/lib/modules/$kernver/uki" commit="$(ostree commit \ --repo "${tmprepo}" \ --base "$commit" \ + --branch "fedora/x86_64/coreos/$(basename "$(ls "${tmprepo}/refs/heads/fedora/x86_64/coreos/"*)")" \ --subject "$commit + UKI" \ --sign-type ed25519 \ --sign-from-file="tmp/ostree_signing_key.ed25519" \ From 495845955af0331f59cc8eef817ac9db8a3035c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 30 Jul 2024 23:59:46 +0200 Subject: [PATCH 13/40] w --- src/cmd-build | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index 9686a48c84..f30cf506fe 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -388,7 +388,6 @@ kernver="$(basename "${kernpath}")" ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/initramfs.img" > initramfs ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/os-release" > os-release -cp ../../db.key ../../db.pem . ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ @@ -396,8 +395,8 @@ ukify build \ --os-release "os-release" \ --uname "$kernver" \ --signtool sbsign \ - --secureboot-private-key "db.key" \ - --secureboot-certificate "db.pem" \ + --secureboot-private-key "${workdir}/db.key" \ + --secureboot-certificate "${workdir}/db.pem" \ --output "uki" \ --measure mkdir -p "ukirootfs/usr/lib/modules/$kernver/" @@ -410,7 +409,7 @@ commit="$(ostree commit \ --branch "fedora/x86_64/coreos/$(basename "$(ls "${tmprepo}/refs/heads/fedora/x86_64/coreos/"*)")" \ --subject "$commit + UKI" \ --sign-type ed25519 \ - --sign-from-file="tmp/ostree_signing_key.ed25519" \ + --sign-from-file="${workdir}/tmp/ostree_signing_key.ed25519" \ --bootable \ ukirootfs)" rm -rf ukirootfs From 6b01d290de202473b0958aa11b08fee5586538ef Mon Sep 17 00:00:00 2001 
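Review bot: `--secureboot-private-key "${workdir}/db.key"` and `--secureboot-certificate "${workdir}/db.pem"` are passed straight to ukify with no check that either file exists, so a missing or misplaced key surfaces only as an ukify/sbsign error after the compose has finished. Check them before starting the UKI build: `[ -f "${workdir}/db.key" ] && [ -f "${workdir}/db.pem" ] || fatal "Secure Boot key/cert not found in ${workdir}"`; the same applies to `"${workdir}/tmp/ostree_signing_key.ed25519"` in the third hunk. Both enclosing command lines continue outside the hunk.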
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Wed, 31 Jul 2024 11:52:00 +0200 Subject: [PATCH 14/40] w --- src/cmd-build | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/cmd-build b/src/cmd-build index f30cf506fe..bc66ca1d2b 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -403,14 +403,22 @@ mkdir -p "ukirootfs/usr/lib/modules/$kernver/" mv uki "ukirootfs/usr/lib/modules/$kernver/uki" chown 0:0 "ukirootfs/usr/lib/modules/$kernver/uki" chmod 644 "ukirootfs/usr/lib/modules/$kernver/uki" + +ostree_keys=() +for key in $(ostree show --repo "${tmprepo}" "$commit" --list-metadata-keys); do + ostree_keys+=("--keep-metadata=$key") +done + commit="$(ostree commit \ --repo "${tmprepo}" \ --base "$commit" \ + --parent "$commit" \ --branch "fedora/x86_64/coreos/$(basename "$(ls "${tmprepo}/refs/heads/fedora/x86_64/coreos/"*)")" \ --subject "$commit + UKI" \ --sign-type ed25519 \ --sign-from-file="${workdir}/tmp/ostree_signing_key.ed25519" \ --bootable \ + "${ostree_keys[@]}" \ ukirootfs)" rm -rf ukirootfs From 0c19f6c5a2b34839fdbd9c72e24c9e428543440e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Wed, 31 Jul 2024 16:48:34 +0200 Subject: [PATCH 15/40] re-generate composefs metadata --- src/cmd-build | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cmd-build b/src/cmd-build index bc66ca1d2b..c5e341be34 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -417,6 +417,7 @@ commit="$(ostree commit \ --subject "$commit + UKI" \ --sign-type ed25519 \ --sign-from-file="${workdir}/tmp/ostree_signing_key.ed25519" \ + --generate-composefs-metadata \ --bootable \ "${ostree_keys[@]}" \ ukirootfs)" From 24fc07540cdf5feb32953d7005f69cd81652e4a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Wed, 31 Jul 2024 17:28:35 +0200 Subject: [PATCH 16/40] wip --- src/cmd-build | 54 +++++++++++++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 27 deletions(-) 
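Review bot: `for key in $(ostree show --repo "${tmprepo}" "$commit" --list-metadata-keys)` relies on word-splitting an unquoted command substitution, and because the substitution sits in a `for` word list its exit status is never examined (even under `set -e`, if this script enables it), so a failing `ostree show` silently yields an empty loop and the new commit loses all of its metadata. Read the keys line by line and fail loudly: `mapfile -t keys < <(ostree show --repo "${tmprepo}" "$commit" --list-metadata-keys)` then `for key in "${keys[@]}"; do ostree_keys+=("--keep-metadata=$key"); done`, adding `[ "${#keys[@]}" -gt 0 ] || fatal "no metadata keys found on ${commit}"` if an empty result is never expected. The `ostree commit` command continues outside the hunk.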
diff --git a/src/cmd-build b/src/cmd-build index c5e341be34..81a0fc90d4 100755 --- a/src/cmd-build +++ b/src/cmd-build 
@@ -397,44 +397,44 @@ ukify build \ --signtool sbsign \ --secureboot-private-key "${workdir}/db.key" \ --secureboot-certificate "${workdir}/db.pem" \ - --output "uki" \ + --output "uki-${kernver}-${commit}" \ --measure -mkdir -p "ukirootfs/usr/lib/modules/$kernver/" -mv uki "ukirootfs/usr/lib/modules/$kernver/uki" -chown 0:0 "ukirootfs/usr/lib/modules/$kernver/uki" -chmod 644 "ukirootfs/usr/lib/modules/$kernver/uki" - -ostree_keys=() -for key in $(ostree show --repo "${tmprepo}" "$commit" --list-metadata-keys); do - ostree_keys+=("--keep-metadata=$key") -done -commit="$(ostree commit \ - --repo "${tmprepo}" \ - --base "$commit" \ - --parent "$commit" \ - --branch "fedora/x86_64/coreos/$(basename "$(ls "${tmprepo}/refs/heads/fedora/x86_64/coreos/"*)")" \ - --subject "$commit + UKI" \ - --sign-type ed25519 \ - --sign-from-file="${workdir}/tmp/ostree_signing_key.ed25519" \ - --generate-composefs-metadata \ - --bootable \ - "${ostree_keys[@]}" \ - ukirootfs)" -rm -rf ukirootfs +ostree sign "$commit" --sign-type ed25519 --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" + +# mkdir -p "ukirootfs/usr/lib/modules/$kernver/" +# mv uki "ukirootfs/usr/lib/modules/$kernver/uki" +# chown 0:0 "ukirootfs/usr/lib/modules/$kernver/uki" +# chmod 644 "ukirootfs/usr/lib/modules/$kernver/uki" + +# ostree_keys=() +# for key in $(ostree show --repo "${tmprepo}" "$commit" --list-metadata-keys); do +# ostree_keys+=("--keep-metadata=$key") +# done + +# commit="$(ostree commit \ +# --repo "${tmprepo}" \ +# --base "$commit" \ +# --parent "$commit" \ +# --branch "fedora/x86_64/coreos/$(basename "$(ls "${tmprepo}/refs/heads/fedora/x86_64/coreos/"*)")" \ +# --subject "$commit + UKI" \ +# --sign-type ed25519 \ +# --sign-from-file="${workdir}/tmp/ostree_signing_key.ed25519" \ +# --generate-composefs-metadata \ +# --bootable \ +# "${ostree_keys[@]}" \ +# ukirootfs)" +# rm -rf ukirootfs # Very special handling for --write-composejson-to as rpm-ostree doesn't # write it if the commit didn't 
change. if [ -f "${changed_stamp}" ] && [ -f "${composejson}" ]; then - # commit=$(jq -r '.["ostree-commit"]' < "${composejson}") + commit=$(jq -r '.["ostree-commit"]' < "${composejson}") # Clean up prior versions rm -f "${workdir}"/tmp/compose-*.json # Save this in case the image build fails cp-reflink "${composejson}" "${workdir}"/tmp/compose-"${commit}".json else - echo "Not supported with composefs" - exit 1 - commit="${previous_commit}" image_input_checksum=$( (echo "${commit}" && echo "${image_config_checksum}") | sha256sum_str) echo "commit: ${commit} image: ${image_input_checksum}" From 1a037abc72d3536e8e73dc15b3d067a77d5af8bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Wed, 31 Jul 2024 17:36:46 +0200 Subject: [PATCH 17/40] wip uki name --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 81a0fc90d4..081bbb6287 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -397,7 +397,7 @@ ukify build \ --signtool sbsign \ --secureboot-private-key "${workdir}/db.key" \ --secureboot-certificate "${workdir}/db.pem" \ - --output "uki-${kernver}-${commit}" \ + --output "${workdir}/tmp/uki" \ --measure ostree sign "$commit" --sign-type ed25519 --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" From 339ad752142faae25ab9727ed9d93a0abdd988e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Wed, 31 Jul 2024 17:59:59 +0200 Subject: [PATCH 18/40] w --- src/cmd-build | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 081bbb6287..6a15b978c5 100755 --- a/src/cmd-build +++ b/src/cmd-build 
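Review bot: The `else` branch at the end of the hunk keeps nothing but deletions, so unless a `fi` follows immediately outside the hunk bash will reject an empty `else` body, and in the unchanged-compose case `commit` now keeps whatever value was assigned earlier in the script instead of `previous_commit` — that should be stated in a comment if it is deliberate. The roughly twenty commented-out lines that replace the `ostree commit` block should be removed rather than kept; git history already holds them, and a commented `rm -rf ukirootfs` is a trap for whoever next uncomments the block. The new `ostree sign "$commit" …` call also passes no `--repo`, so it operates on ostree's default repository rather than `${tmprepo}`.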
@@ -400,7 +400,11 @@ ukify build \ --output "${workdir}/tmp/uki" \ --measure -ostree sign "$commit" --sign-type ed25519 --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" +ostree sign \ + --repo "${tmprepo}" \ + --sign-type ed25519 \ + --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" \ + "$commit" # mkdir -p "ukirootfs/usr/lib/modules/$kernver/" # mv uki "ukirootfs/usr/lib/modules/$kernver/uki" From 22a752a423b980fc02b265e9913ec895f1288827 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Thu, 1 Aug 2024 10:47:18 +0200 Subject: [PATCH 19/40] w --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 6a15b978c5..8c0e51d842 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -391,7 +391,7 @@ ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/os-release" > os-release ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ - --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8" \ + --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs)/0" \ --os-release "os-release" \ --uname "$kernver" \ --signtool sbsign \ From 5d1fb41b0c5030a1dd4f3aac5eec9296be0ca3de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Thu, 1 Aug 2024 11:01:02 +0200 Subject: [PATCH 20/40] w --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 8c0e51d842..475ff5b7dd 100755 --- a/src/cmd-build +++ b/src/cmd-build 
@@ -391,7 +391,7 @@ ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/os-release" > os-release ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ - --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs)/0" \ + --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs | sha256sum)/0" \ --os-release "os-release" \ --uname "$kernver" \ --signtool sbsign \ From 209f3423dde03364d41b62663bf28f2550c73d8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Thu, 1 Aug 2024 12:05:00 +0200 Subject: [PATCH 21/40] w --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 475ff5b7dd..b83d05f588 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -391,7 +391,7 @@ ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/os-release" > os-release ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ - --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs | sha256sum)/0" \ + --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ --os-release "os-release" \ --uname "$kernver" \ --signtool sbsign \ From d2daacf136ac3ed5ba6f473d8b183d7f313ea8ed Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Mon, 26 Aug 2024 12:10:46 +0200 Subject: [PATCH 22/40] enable composeFS integrity on ostree repo config --- src/cmd-build | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/cmd-build b/src/cmd-build index b83d05f588..28afe30a5c 100755 --- a/src/cmd-build +++ b/src/cmd-build 
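Review bot: The `ostree=/ostree/boot.1/fedora-coreos/…/0` argument baked into the signed command line hardcodes the boot slot and deployment index, and the checksum is computed inline over `cat vmlinuz initramfs`; as far as I know ostree generates this argument per deployment at deploy time, so a UKI signed with it boots only the one deployment whose slot and bootcsum match. If that is accepted for the prototype, say so in a comment like `# bootcsum is sha256 over vmlinuz+initramfs; slot/index are pinned to the first deployment` so the limitation is visible. Hoisting the pipeline into `bootcsum=$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')` above the `ukify build` call would also keep it computed once and readable. The `ukify build` invocation this line belongs to starts and ends outside the hunk.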
@@ -368,6 +368,16 @@ if [ ! -f "${workdir}"/builds/builds.json ] && [ ! -f "${fetch_stamp}" ] ; then fatal "Must fetch before building" fi +composefs="$(jq -r .composefs < "${image_json}")" +case "${composefs}" in + false) + ;; + true | signed) + ostree config --repo="${tmprepo}" set ex-integrity.composefs "true" + ;; + *) fatal "Unhandled composefs setting: ${composefs}" ;; +esac + # --cache-only is here since `fetch` is a separate verb # shellcheck disable=SC2086 if test -n "${previous_commit}"; then From e410446f7a486e032645a965d31eec9d3f144c55 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Thu, 29 Aug 2024 12:15:41 +0200 Subject: [PATCH 23/40] print executed commands --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 28afe30a5c..4a5be800ff 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -euo pipefail +set -euxo pipefail dn=$(dirname "$0") # shellcheck source=src/cmdlib.sh From 4dc7fbaab2d8d2057192fc1885361d98dd637883 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Mon, 2 Sep 2024 14:01:05 +0200 Subject: [PATCH 24/40] include composefs in commit metadata --- src/cmd-build | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cmd-build b/src/cmd-build index 4a5be800ff..73cba9f9cc 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -414,6 +414,7 @@ ostree sign \ --repo "${tmprepo}" \ --sign-type ed25519 \ --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" \ + --generate-composefs-metadata \ "$commit" # mkdir -p "ukirootfs/usr/lib/modules/$kernver/" From a4956bca162778db23b3988ef6a08c476626a3a4 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Mon, 2 Sep 2024 15:57:53 +0200 Subject: [PATCH 25/40] create_disk.sh is no longer used, it's now osbuild. --- src/cmd-build | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cmd-build b/src/cmd-build index 73cba9f9cc..c3f0fbe9f1 100755 --- a/src/cmd-build +++ b/src/cmd-build 
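Review bot: `jq -r .composefs` prints the literal string `null` when `image.json` has no `composefs` key, which lands in the `*)` arm and makes every build of a config that predates the setting fatal; if the old default is meant to remain `false`, read it as `composefs="$(jq -r '.composefs // false' < "${image_json}")"`. The `true | signed` arm configures the repo identically for both values, so a short comment noting where `signed` is expected to differ from `true` (presumably at prepare-root verification time, not here) would stop the next reader from looking for a missing branch.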
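Review bot: `set -euxo pipefail` enables xtrace for the entire script, so every command and argument — including the signing-key paths later passed to `ostree sign`, `sbsign` and `ukify` — is written to the build log, and any future step that passes a secret value on argv will leak it into CI output. If the trace is only needed while debugging the composefs/UKI path, gate it, e.g. `[ -z "${COSA_DEBUG:-}" ] || set -x` (variable name constructed), or bracket the section of interest with `set -x` / `set +x` so tracing stays off by default.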
@@ -374,6 +374,7 @@ case "${composefs}" in ;; true | signed) ostree config --repo="${tmprepo}" set ex-integrity.composefs "true" + ostree config --repo=$rootfs/ostree/repo set ex-fsverity.required 'true' ;; *) fatal "Unhandled composefs setting: ${composefs}" ;; esac From 7fe56b66815c9fe33ed891e22d76e98faedec165 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Mon, 2 Sep 2024 16:08:39 +0200 Subject: [PATCH 26/40] wip --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index c3f0fbe9f1..3eebc6a876 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -374,7 +374,7 @@ case "${composefs}" in ;; true | signed) ostree config --repo="${tmprepo}" set ex-integrity.composefs "true" - ostree config --repo=$rootfs/ostree/repo set ex-fsverity.required 'true' + ostree config --repo="${tmprepo}" set ex-fsverity.required 'true' ;; *) fatal "Unhandled composefs setting: ${composefs}" ;; esac From 5abc87462f0e98e13adba502f1275d829765b808 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Mon, 2 Sep 2024 16:40:51 +0200 Subject: [PATCH 27/40] Revert "include composefs in commit metadata" This reverts commit 4dc7fbaab2d8d2057192fc1885361d98dd637883. --- src/cmd-build | 1 - 1 file changed, 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 3eebc6a876..4879da99e2 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -415,7 +415,6 @@ ostree sign \ --repo "${tmprepo}" \ --sign-type ed25519 \ --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" \ - --generate-composefs-metadata \ "$commit" # mkdir -p "ukirootfs/usr/lib/modules/$kernver/" From dcd1c258598e190f38da3d32b3f80b3b77609aea Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Wed, 4 Sep 2024 15:53:49 +0200 Subject: [PATCH 28/40] cmd-build: add a config file for ostree-prepare-root We must inject this config file in the initramfs so ostree-prepare root knows to verify the signature. --- src/cmd-build | 5 +++++ 1 file changed, 5 insertions(+) 
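Review bot: `ostree config --repo="${tmprepo}" set ex-fsverity.required 'true'` makes object writes into the build-side repo fail unless the filesystem under the cache supports fs-verity, as far as I know; a comment recording that requirement, and why it is set on `${tmprepo}` rather than only on the deployed repo, would save the next person a confusing write error. The two adjacent lines also quote their values differently (`"true"` vs `'true'`); pick one form. The enclosing `case` starts outside the hunk.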
diff --git a/src/cmd-build b/src/cmd-build index 4879da99e2..e3a436e639 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -375,6 +375,11 @@ case "${composefs}" in true | signed) ostree config --repo="${tmprepo}" set ex-integrity.composefs "true" ostree config --repo="${tmprepo}" set ex-fsverity.required 'true' + mkdir -p "${workdir}/overrides/initramfs/etc/ostree/" + cat > "${workdir}/overrides/initramfs/etc/ostree/prepare-root.conf" << EOF + [composefs] + enabled=signed + EOF ;; *) fatal "Unhandled composefs setting: ${composefs}" ;; esac From 0d37e96daf73af2391168fde7b4b6139e8a50622 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Wed, 4 Sep 2024 16:14:46 +0200 Subject: [PATCH 29/40] cmd-build print out the composeFS digest --- src/cmd-build | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index e3a436e639..89ad51d1b5 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -379,7 +379,7 @@ case "${composefs}" in cat > "${workdir}/overrides/initramfs/etc/ostree/prepare-root.conf" << EOF [composefs] enabled=signed - EOF +EOF ;; *) fatal "Unhandled composefs setting: ${composefs}" ;; esac 
@@ -396,9 +396,19 @@ RUNVM_NONET=1 runcompose_tree --cache-only ${FORCE} \ strip_out_lockfile_digests "$lockfile_out".tmp /usr/lib/coreos-assembler/finalize-artifact "${lockfile_out}"{.tmp,} -# TODO Handle UKI & commit signature here - commit=$(jq -r '.["ostree-commit"]' < "${composejson}") + +ostree sign \ + --repo "${tmprepo}" \ + --sign-type ed25519 \ + --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" \ + "$commit" + +ostree show "$commit" +cfs_sig=$(ostree show "$commit" --print-metadata-key=ostree.composefs.digest.v0) +cfs_sig=$(echo "$cfs_sig"| sed 's/\[byte //g; s/\]//g; s/,//g; s/0x//g' | tr -d ' ') +echo "composeFS digest: $cfs_sig" + kernpath="$(ostree ls --repo "${tmprepo}" "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" kernver="$(basename "${kernpath}")" ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz @@ -416,12 +426,6 @@ ukify build \ --output "${workdir}/tmp/uki" \ --measure -ostree sign \ - --repo "${tmprepo}" \ - --sign-type ed25519 \ - --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" \ - "$commit" - # mkdir -p "ukirootfs/usr/lib/modules/$kernver/" # mv uki "ukirootfs/usr/lib/modules/$kernver/uki" # chown 0:0 "ukirootfs/usr/lib/modules/$kernver/uki" From 81448fd1755cd6dc46806c56541cfcb94b691ecb Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Wed, 4 Sep 2024 16:30:01 +0200 Subject: [PATCH 30/40] cmd-build add missing --repo to ostree --- src/cmd-build | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index 89ad51d1b5..9f2228cb09 100755 --- a/src/cmd-build +++ b/src/cmd-build 
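Review bot: `cfs_sig=$(ostree show "$commit" --print-metadata-key=ostree.composefs.digest.v0)` runs unconditionally, but the `case "${composefs}"` block above only enables composefs for `true | signed`; for `false` the key is presumably absent, `ostree show` exits non-zero, and as a command substitution in an assignment under `set -e` that aborts the build. The value is a digest rather than a signature, so `cfs_digest` would be a less misleading name, and the `sed`/`tr` chain that unpicks GVariant's `[byte 0x…, …]` pretty-printing is fragile enough to deserve a comment with a sample of the input it expects. The bare `ostree show "$commit"` just above it (no `--repo`, output unused) reads as a leftover debug dump and should either go or gain `--repo "${tmprepo}"`.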
@@ -404,8 +404,8 @@ ostree sign \ --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" \ "$commit" -ostree show "$commit" -cfs_sig=$(ostree show "$commit" --print-metadata-key=ostree.composefs.digest.v0) +ostree show --repo "${tmprepo}" $commit" +cfs_sig=$(ostree show --repo "${tmprepo}" "$commit" --print-metadata-key=ostree.composefs.digest.v0) cfs_sig=$(echo "$cfs_sig"| sed 's/\[byte //g; s/\]//g; s/,//g; s/0x//g' | tr -d ' ') echo "composeFS digest: $cfs_sig" @@ -600,6 +600,8 @@ else --label="coreos-assembler.image-input-checksum=${image_input_checksum}" \ --label="org.opencontainers.image.source=${gitsrc}" \ --label="org.opencontainers.image.revision=${config_gitrev}" \ + --label="ostree.commit=${commit}" \ + --label="ostree.commit.composefs.digest=${cfs_sig}" \ --copymeta-opt=fedora-coreos.stream \ "${last_build_manifest[@]}" \ "${labels[@]}" \ From 5d439425bc37caaff2e0e7d0d0fa981024a49c68 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Wed, 4 Sep 2024 16:52:07 +0200 Subject: [PATCH 31/40] cmd-build : fix missing quote --- src/cmd-build | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index 9f2228cb09..dd39e3fbe6 100755 --- a/src/cmd-build +++ b/src/cmd-build 
@@ -404,16 +404,16 @@ ostree sign \ --keys-file "${workdir}/tmp/ostree_signing_key.ed25519" \ "$commit" -ostree show --repo "${tmprepo}" $commit" +ostree show --repo "${tmprepo}" "${commit}" cfs_sig=$(ostree show --repo "${tmprepo}" "$commit" --print-metadata-key=ostree.composefs.digest.v0) cfs_sig=$(echo "$cfs_sig"| sed 's/\[byte //g; s/\]//g; s/,//g; s/0x//g' | tr -d ' ') echo "composeFS digest: $cfs_sig" kernpath="$(ostree ls --repo "${tmprepo}" "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" kernver="$(basename "${kernpath}")" -ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/vmlinuz" > vmlinuz -ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/modules/$kernver/initramfs.img" > initramfs -ostree cat --repo "${tmprepo}" "$commit" "/usr/lib/os-release" > os-release +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/modules/${kernver}/vmlinuz" > vmlinuz +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/modules/${kernver}/initramfs.img" > initramfs +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/os-release" > os-release ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ From 0955f90b8c4330f996b7f3d01eaf73cdf56de739 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Thu, 5 Sep 2024 11:51:42 +0200 Subject: [PATCH 32/40] Revert "cmd-build: add a config file for ostree-prepare-root" This reverts commit dcd1c258598e190f38da3d32b3f80b3b77609aea. the file should be copied from the rootfs https://github.com/travier/fedora-coreos-uki-devel/blob/testing-devel/overlay.d/08composefs/usr/lib/ostree/prepare-root.conf --- src/cmd-build | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index dd39e3fbe6..a89e2762fd 100755 --- a/src/cmd-build +++ b/src/cmd-build 
@@ -375,11 +375,6 @@ case "${composefs}" in true | signed) ostree config --repo="${tmprepo}" set ex-integrity.composefs "true" ostree config --repo="${tmprepo}" set ex-fsverity.required 'true' - mkdir -p "${workdir}/overrides/initramfs/etc/ostree/" - cat > "${workdir}/overrides/initramfs/etc/ostree/prepare-root.conf" << EOF - [composefs] - enabled=signed -EOF ;; *) fatal "Unhandled composefs setting: ${composefs}" ;; esac From 1998c8774f924bf734f7d1e0f500fcc64684f41c Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Tue, 10 Sep 2024 15:12:41 +0200 Subject: [PATCH 33/40] cmd-build: fix os-release argument The --os-release requires the path to the os-release to be prefixed by @. Otherwise, just the string in insereted as os-release. This causes systemd boot to refuse to load the UKI as it expects to create the menu entry from the os-release information https://github.com/systemd/systemd/blob/f2129f1d8c1a92f4ca98bfc06795d9cb5ed0acd2/src/shared/bootspec.c#L674 https://www.man7.org/linux/man-pages/man1/ukify.1.html --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index a89e2762fd..152b9a735e 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -413,7 +413,7 @@ ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ - --os-release "os-release" \ + --os-release "@os-release" \ --uname "$kernver" \ --signtool sbsign \ --secureboot-private-key "${workdir}/db.key" \ From 900cae7a211ae8c3734d7cc1c9c3ef4c5deb0d10 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Tue, 10 Sep 2024 18:21:35 +0200 Subject: [PATCH 34/40] secureboot: sign systemd-boot efi binary --- src/cmd-build | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 152b9a735e..3b95a947c3 100755 
--- a/src/cmd-build +++ b/src/cmd-build @@ -412,7 +412,7 @@ ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/os-release" > os-release ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ - --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ + --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.0/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ --os-release "@os-release" \ --uname "$kernver" \ --signtool sbsign \ @@ -421,6 +421,11 @@ ukify build \ --output "${workdir}/tmp/uki" \ --measure +# Sign systemd-boot binary +sbsign --key "${workdir}/db.key" --cert "${workdir}/db.pem" \ +/usr/lib/systemd/boot/efi/systemd-bootx64.efi \ + --output "${workdir}/tmp/systemd-bootx64-signed.efi + # mkdir -p "ukirootfs/usr/lib/modules/$kernver/" # mv uki "ukirootfs/usr/lib/modules/$kernver/uki" # chown 0:0 "ukirootfs/usr/lib/modules/$kernver/uki" From 8a59d24df0050845467a509c75b60ad3a51f727d Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Tue, 10 Sep 2024 18:37:34 +0200 Subject: [PATCH 35/40] --amend --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 3b95a947c3..4f1918ea82 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -424,7 +424,7 @@ ukify build \ # Sign systemd-boot binary sbsign --key "${workdir}/db.key" --cert "${workdir}/db.pem" \ /usr/lib/systemd/boot/efi/systemd-bootx64.efi \ - --output "${workdir}/tmp/systemd-bootx64-signed.efi + --output "${workdir}/tmp/systemd-bootx64-signed.efi" # mkdir -p "ukirootfs/usr/lib/modules/$kernver/" # mv uki "ukirootfs/usr/lib/modules/$kernver/uki" From 3cab964718e723ee1966544e1987299bd36400de Mon Sep 17 00:00:00 2001 
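Review bot: The second hunk signs `/usr/lib/systemd/boot/efi/systemd-bootx64.efi` taken from the build environment's own filesystem rather than from the commit being built, so the bootloader that ends up under the Secure Boot db key is whatever systemd the assembler container happens to ship, not the one in `${tmprepo}`; extracting it first with `ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" > systemd-bootx64.efi` keeps the signed artifact tied to the image content. The `--output "${workdir}/tmp/systemd-bootx64-signed.efi` line is also missing its closing quote, so bash will swallow the following lines into that string.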
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Sat, 14 Sep 2024 13:55:07 +0200 Subject: [PATCH 36/40] Get systemd-boot from the ostree commit --- src/cmd-build | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index 4f1918ea82..4bee3f921b 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -422,9 +422,12 @@ ukify build \ --measure # Sign systemd-boot binary -sbsign --key "${workdir}/db.key" --cert "${workdir}/db.pem" \ -/usr/lib/systemd/boot/efi/systemd-bootx64.efi \ - --output "${workdir}/tmp/systemd-bootx64-signed.efi" +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" > systemd-bootx64.efi +sbsign \ + --key "${workdir}/db.key" \ + --cert "${workdir}/db.pem" \ + --output "${workdir}/tmp/systemd-bootx64-signed.efi" + systemd-bootx64.efi # mkdir -p "ukirootfs/usr/lib/modules/$kernver/" # mv uki "ukirootfs/usr/lib/modules/$kernver/uki" From cc3782ad8e98a49ecbf562c8f63afd55496373ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Sat, 14 Sep 2024 13:56:08 +0200 Subject: [PATCH 37/40] temporarily build 2 UKIs --- src/cmd-build | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/cmd-build b/src/cmd-build index 4bee3f921b..e21734340c 100755 --- a/src/cmd-build +++ b/src/cmd-build 
@@ -420,6 +420,17 @@ ukify build \ --secureboot-certificate "${workdir}/db.pem" \ --output "${workdir}/tmp/uki" \ --measure +ukify build \ + --linux "vmlinuz" \ + --initrd "initramfs" \ + --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ + --os-release "@os-release" \ + --uname "$kernver" \ + --signtool sbsign \ + --secureboot-private-key "${workdir}/db.key" \ + --secureboot-certificate "${workdir}/db.pem" \ + --output "${workdir}/tmp/uki.1" \ + --measure # Sign systemd-boot binary ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" > systemd-bootx64.efi From eac72c9045fe6c5d6d1d7b38e90241ab3d5ef27d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Sat, 14 Sep 2024 14:36:45 +0200 Subject: [PATCH 38/40] extract efistub from commit --- src/cmd-build | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/cmd-build b/src/cmd-build index e21734340c..c655ef1a92 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -409,11 +409,13 @@ kernver="$(basename "${kernpath}")" ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/modules/${kernver}/vmlinuz" > vmlinuz ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/modules/${kernver}/initramfs.img" > initramfs ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/os-release" > os-release +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" > linuxx64.efi.stub ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.0/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ --os-release "@os-release" \ + --stub "linuxx64.efi.stub" \ --uname "$kernver" \ --signtool sbsign \ --secureboot-private-key "${workdir}/db.key" \ 
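Review bot: The second `ukify build` duplicates the first invocation line for line, differing only in the `boot.1` slot in `--cmdline` and the `uki.1` output name, so any later change to flags, key paths or the checksum pipeline has to be made twice and the sha256 of `vmlinuz`+`initramfs` is recomputed. Since the commit title calls this temporary, a `# TODO(…): drop the second UKI once <condition>` comment stating the removal condition would help; either way, a small helper taking the slot and output path removes the duplication, as sketched below. The first `ukify build` begins outside the hunk, so the helper would replace both invocations.
```shell
# … unchanged: ostree cat extraction of vmlinuz, initramfs and os-release …
bootcsum=$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')

# Build one signed UKI whose baked-in ostree= argument points at boot slot $1.
# Arguments: $1 - ostree boot slot (0 or 1); $2 - output path
build_uki() {
  local slot=$1 out=$2
  ukify build \
    --linux "vmlinuz" \
    --initrd "initramfs" \
    --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.${slot}/fedora-coreos/${bootcsum}/0" \
    --os-release "@os-release" \
    --uname "$kernver" \
    --signtool sbsign \
    --secureboot-private-key "${workdir}/db.key" \
    --secureboot-certificate "${workdir}/db.pem" \
    --output "$out" \
    --measure
}
build_uki 0 "${workdir}/tmp/uki"
build_uki 1 "${workdir}/tmp/uki.1"
```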
@@ -425,6 +427,7 @@ ukify build \ --initrd "initramfs" \ --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ --os-release "@os-release" \ + --stub "linuxx64.efi.stub" \ --uname "$kernver" \ --signtool sbsign \ --secureboot-private-key "${workdir}/db.key" \ From 8ae1f76a4e9074af5fa6cde68065f02590708cf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Sat, 14 Sep 2024 14:56:25 +0200 Subject: [PATCH 39/40] Copy systemd-boot-unsigned content to host --- src/cmd-build | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/cmd-build b/src/cmd-build index c655ef1a92..009ebdec85 100755 --- a/src/cmd-build +++ b/src/cmd-build 
@@ -406,16 +406,18 @@ echo "composeFS digest: $cfs_sig" kernpath="$(ostree ls --repo "${tmprepo}" "${commit}" /usr/lib/modules | sort -h | tail -1 | awk '{print $5}')" kernver="$(basename "${kernpath}")" -ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/modules/${kernver}/vmlinuz" > vmlinuz +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/modules/${kernver}/vmlinuz" > vmlinuz ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/modules/${kernver}/initramfs.img" > initramfs -ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/os-release" > os-release -ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" > linuxx64.efi.stub +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/os-release" > os-release +mkdir -p "/usr/lib/systemd/boot/efi/" +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/addonx64.efi.stub" > /usr/lib/systemd/boot/efi/addonx64.efi.stub +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" > linuxx64.efi.stub +ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" > /usr/lib/systemd/boot/efi/systemd-bootx64.efi ukify build \ --linux "vmlinuz" \ --initrd "initramfs" \ --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.0/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ --os-release "@os-release" \ - --stub "linuxx64.efi.stub" \ --uname "$kernver" \ --signtool sbsign \ --secureboot-private-key "${workdir}/db.key" \ @@ -427,7 +429,6 @@ ukify build \ --initrd "initramfs" \ --cmdline "rw mitigations=auto,nosmt ignition.platform.id=qemu console=tty0 console=ttyS0,115200n8 ostree=/ostree/boot.1/fedora-coreos/$(cat vmlinuz initramfs | sha256sum | awk '{print $1}')/0" \ --os-release "@os-release" \ - --stub "linuxx64.efi.stub" \ --uname "$kernver" \ --signtool sbsign \ --secureboot-private-key "${workdir}/db.key" \ 
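Review bot: The first hunk runs `mkdir -p "/usr/lib/systemd/boot/efi/"` and redirects `ostree cat` output into that system path, which modifies the assembler's own root filesystem (needs root, is not hermetic, and persists across builds when the container is reused), while the `--stub "linuxx64.efi.stub"` options removed in both `ukify build` calls mean the stub is now resolved from the host's default location even though the commit's copy is still extracted into the working directory and left unused. Nothing visible consumes the extracted `addonx64.efi.stub` either. Extracting the three files into a directory under `${workdir}/tmp` and passing explicit paths keeps the build self-contained, as sketched below; the `sbsign` input in the third hunk would then be `"${efidir}/systemd-bootx64.efi"`. Both `ukify build` invocations start and end outside the first hunk.
```shell
efidir="${workdir}/tmp/efi"
mkdir -p "${efidir}"
for f in addonx64.efi.stub linuxx64.efi.stub systemd-bootx64.efi; do
  ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/${f}" > "${efidir}/${f}"
done
# … unchanged: both ukify invocations, each keeping --stub "${efidir}/linuxx64.efi.stub" …
```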
@@ -441,7 +442,7 @@ sbsign \ --key "${workdir}/db.key" \ --cert "${workdir}/db.pem" \ --output "${workdir}/tmp/systemd-bootx64-signed.efi" - systemd-bootx64.efi + "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" # mkdir -p "ukirootfs/usr/lib/modules/$kernver/" # mv uki "ukirootfs/usr/lib/modules/$kernver/uki" From dc114a3fdc04f315bf0d4f2d5556463d3f497e69 Mon Sep 17 00:00:00 2001 From: jbtrystram Date: Wed, 18 Sep 2024 15:02:12 +0200 Subject: [PATCH 40/40] fix missing escape on sbsign call --- src/cmd-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd-build b/src/cmd-build index 009ebdec85..1bddd9dc33 100755 --- a/src/cmd-build +++ b/src/cmd-build @@ -441,7 +441,7 @@ ostree cat --repo "${tmprepo}" "${commit}" "/usr/lib/systemd/boot/efi/systemd-bo sbsign \ --key "${workdir}/db.key" \ --cert "${workdir}/db.pem" \ - --output "${workdir}/tmp/systemd-bootx64-signed.efi" + --output "${workdir}/tmp/systemd-bootx64-signed.efi" \ "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" # mkdir -p "ukirootfs/usr/lib/modules/$kernver/"