Improve uki iso stuff #1854
Improve uki iso stuff #1854
Conversation
| @@ -495,8 +495,10 @@ uki-artifacts: | |||
| FROM +base-image --BUILD_INITRD=false | |||
| RUN /usr/bin/immucore version | |||
| RUN ln -s /usr/bin/immucore /init | |||
| RUN mkdir -p /oem # be able to mount oem under here if found | |||
There was a problem hiding this comment.
this makes it easier to deal with mounts later
There was a problem hiding this comment.
why does this only apply for UKI artifacts?
There was a problem hiding this comment.
there doesnt seem to be an oem dir on the rootfs when generating the uki artifact so if we want to mount something in there on boot, the path needs to exist before. No ieda why the rootfs doesnt have oem....
There was a problem hiding this comment.
but should we create it at the Dockerfile then?
There was a problem hiding this comment.
No idea, I need to investigate because the isos and images DO have it...so it has to be created somewhere...
| RUN find . \( -path ./sys -prune -o -path ./run -prune -o -path ./dev -prune -o -path ./tmp -prune -o -path ./proc -prune \) -o -print | cpio -R root:root -H newc -o | gzip -2 > /tmp/initramfs.cpio.gz | ||
| RUN echo "console=tty1 console=ttyS0 net.ifnames=1 rd.immucore.debug rd.immucore.uki selinux=0" > /tmp/Cmdline | ||
| RUN echo "console=tty1 console=ttyS0 net.ifnames=1 rd.immucore.oemlabel=COS_OEM rd.immucore.oemtimeout=2 rd.immucore.debug rd.immucore.uki selinux=0" > /tmp/Cmdline |
There was a problem hiding this comment.
was missing the oem config
There was a problem hiding this comment.
when releasing, I guess we don't want to have that immucore debug there ... I wonder if these could be passed in some other way to not have different targets depending on whether it's a release or a normal build
There was a problem hiding this comment.
yes, there is a nice feature of systemd-boot in which you can have a separated efi artifact that contains the comand line only! And that one is also signed so supposedly it works with secureboot and such.
That would allow us to also have an install entry cmdline, a boot entry cmdline and a debug entry cmdline with minimal work.
Unfortunately I had no time to investigate this further but there is some work ongoing and it should be possible (but experimental) to do so: systemd/systemd#27358
| COPY +uki-signed/DB.auth . | ||
| COPY +uki-signed/MokManager.efi . | ||
| # Set the name for kairos manually as otherwise it picks it from the os-release automatically | ||
| RUN printf "title Kairos ${FLAVOR} ${VERSION}\nefi /EFI/kairos/kairos.efi" > kairos.conf |
There was a problem hiding this comment.
cretes the config for systemd-boot to show in the entries
| RUN mcopy -i /build/efi/efiboot.img /build/uki.efi ::EFI/BOOT/BOOTX64.EFI | ||
| RUN xorriso -as mkisofs -V 'EFI_ISO_BOOT' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/ | ||
| RUN mcopy -i /build/efi/efiboot.img /usr/lib/systemd/boot/efi/systemd-bootx64.efi ::EFI/BOOT/BOOTX64.EFI | ||
| RUN xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/ |
There was a problem hiding this comment.
iso name is currently used as to find the source of the install due to how uki works. Basically there is no iso mounted anywhere that we can use as source like with normal isos, and we need to access the efi file directly to copy it over and respect signatures and such so this is a needed hack for now to dev this
Itxaka
force-pushed
the
uki_iso_v2
branch
2 times, most recently
from
6025844
to
900a124
Compare
| # --pcr-public-key public.pem \ | ||
| # --measure \ | ||
| # --output $ISO_NAME.signed.efi | ||
| RUN sbsign --key DB.key --cert DB.crt --output systemd-bootx64.signed.efi /usr/lib/systemd/boot/efi/systemd-bootx64.efi |
There was a problem hiding this comment.
alwasy sign our efi artifacts, makes no sense to test them without signature
Itxaka
force-pushed
the
uki_iso_v2
branch
5 times, most recently
from
d232029
to
ec027c2
Compare
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
- Use test keys for development, easier to test if we always sign with the same key as we only need to insert into the EFI once - Sign systemd-boot - Also copy and create an entry for mokmanager so we can enroll keys using it if needed - Bump packages with uki fixes for layout Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka.garcia@spectrocloud.com>
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
| # Use immmucore master as it has patches not released for uki | ||
| # Use kairos-agent main branch as it has patches not released for uki |
There was a problem hiding this comment.
i guess this will need to be updated once those patches are merged
There was a problem hiding this comment.
yep! Although with the heavy testing, Im guessing this can be left in master for both to keep testing it
| cp tests/go.* . | ||
| go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/ | ||
| - uses: actions/upload-artifact@v3 | ||
| if: failure() |
There was a problem hiding this comment.
I guess this will help debug the issue ... how does one debug from here?
There was a problem hiding this comment.
gathers logs only if it fails.
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #