Improve uki iso stuff #1854
@@ -495,8 +495,10 @@ uki-artifacts: | |||
FROM +base-image --BUILD_INITRD=false | |||
RUN /usr/bin/immucore version | |||
RUN ln -s /usr/bin/immucore /init | |||
RUN mkdir -p /oem # be able to mount oem under here if found |
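Review bot: the `/oem` mount point is created only inside the `uki-artifacts` target (`RUN mkdir -p /oem`), so the UKI initramfs and the regular ISO/image rootfs now disagree about where that directory comes from. Since the thread notes that the ISOs and images do have `/oem`, find where it is created there and create it once in the shared base image instead, or leave a comment on this line stating why the UKI rootfs lacks it, so the workaround does not silently mask a base-image regression.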
This makes it easier to deal with mounts later.
Why does this only apply to UKI artifacts?
There doesn't seem to be an oem dir on the rootfs when generating the UKI artifact, so if we want to mount something in there on boot, the path needs to exist beforehand. No idea why the rootfs doesn't have oem...
But should we create it in the Dockerfile then?
No idea, I need to investigate, because the ISOs and images DO have it... so it has to be created somewhere...
RUN find . \( -path ./sys -prune -o -path ./run -prune -o -path ./dev -prune -o -path ./tmp -prune -o -path ./proc -prune \) -o -print | cpio -R root:root -H newc -o | gzip -2 > /tmp/initramfs.cpio.gz | ||
RUN echo "console=tty1 console=ttyS0 net.ifnames=1 rd.immucore.debug rd.immucore.uki selinux=0" > /tmp/Cmdline | ||
RUN echo "console=tty1 console=ttyS0 net.ifnames=1 rd.immucore.oemlabel=COS_OEM rd.immucore.oemtimeout=2 rd.immucore.debug rd.immucore.uki selinux=0" > /tmp/Cmdline |
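Review bot: the replacement Cmdline still embeds `rd.immucore.debug` and `selinux=0`, and because this string is built into the UKI it becomes part of the signed artifact, so a release image would ship with debug output enabled and SELinux disabled under a valid signature. Gate those two options on a build argument (or a separate debug target) instead of editing this line by hand before a release, keeping `rd.immucore.oemlabel=COS_OEM rd.immucore.oemtimeout=2` as the unconditional part.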
Was missing the oem config.
When releasing, I guess we don't want to have that immucore debug there... I wonder if these could be passed in some other way, to not have different targets depending on whether it's a release or a normal build.
Yes, there is a nice feature of systemd-boot in which you can have a separate EFI artifact that contains the command line only! And that one is also signed, so supposedly it works with Secure Boot and such.
That would allow us to also have an install entry cmdline, a boot entry cmdline and a debug entry cmdline with minimal work.
Unfortunately I had no time to investigate this further but there is some work ongoing and it should be possible (but experimental) to do so: systemd/systemd#27358
COPY +uki-signed/DB.auth . | ||
COPY +uki-signed/MokManager.efi . | ||
# Set the name for kairos manually as otherwise it picks it from the os-release automatically | ||
RUN printf "title Kairos ${FLAVOR} ${VERSION}\nefi /EFI/kairos/kairos.efi" > kairos.conf |
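Review bot: in `RUN printf "title Kairos ${FLAVOR} ${VERSION}\nefi /EFI/kairos/kairos.efi" > kairos.conf` the build variables are expanded inside the printf format string, so a value containing `%` would be parsed as a conversion and corrupt the entry, and the file is written without a trailing newline. Pass the values as arguments instead: `printf 'title Kairos %s %s\nefi /EFI/kairos/kairos.efi\n' "${FLAVOR}" "${VERSION}" > kairos.conf`.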
Creates the config for systemd-boot to show in the entries.
RUN mcopy -i /build/efi/efiboot.img /build/uki.efi ::EFI/BOOT/BOOTX64.EFI | ||
RUN xorriso -as mkisofs -V 'EFI_ISO_BOOT' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/ | ||
RUN mcopy -i /build/efi/efiboot.img /usr/lib/systemd/boot/efi/systemd-bootx64.efi ::EFI/BOOT/BOOTX64.EFI | ||
RUN xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/ |
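Review bot: the ISO volume label `UKI_ISO_INSTALL` is now a discovery key the installer depends on (per the discussion below, the label is how the install source is located because nothing mounts the ISO), but it sits as a bare string literal in the `xorriso` call with no comment saying so. Hoist it into a named Earthfile variable, or at least comment the dependency, so a later rename does not silently break installs; the same comment should note that `BOOTX64.EFI` is now `systemd-bootx64.efi` rather than the UKI itself, so the UKI must be placed at the path the `kairos.conf` entry points to.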
The ISO name is currently used to find the source of the install, due to how UKI works. Basically there is no ISO mounted anywhere that we can use as a source like with normal ISOs, and we need to access the EFI file directly to copy it over and respect signatures and such, so this is a needed hack for now to develop this.
# --pcr-public-key public.pem \ | ||
# --measure \ | ||
# --output $ISO_NAME.signed.efi | ||
RUN sbsign --key DB.key --cert DB.crt --output systemd-bootx64.signed.efi /usr/lib/systemd/boot/efi/systemd-bootx64.efi |
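Review bot: `sbsign --key DB.key --cert DB.crt` now signs systemd-boot unconditionally with the development DB key this PR checks in for testing, and nothing in this target distinguishes a release build, so release artifacts could end up signed by a shared test key. Make the key and cert paths build arguments with the test key as the default, and either drop the commented-out `--pcr-public-key`/`--measure` lines or leave a note on why PCR signing is deferred.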
Always sign our EFI artifacts; it makes no sense to test them without a signature.
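A check that goes with "always sign": the build should fail closed if any EFI binary headed for the ESP is unsigned. The added example below is not code from the Kairos project; it parses the PE headers of an EFI binary and reports whether the Authenticode certificate table (the data directory that `sbsign` populates) is present. It only checks presence, not the chain (use `sbverify --cert DB.crt file.efi` for that), and the sample images it tests against are constructed in memory rather than real binaries.

```python
"""Presence check for Authenticode signatures on PE/EFI binaries.

Added example, not part of the Kairos PR. Reads only the DOS/COFF/optional
headers and the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, which is the
entry sbsign fills in. Malformed input raises ValueError so a CI gate fails
closed instead of passing a garbage file.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # NumberOfRvaAndSizes sits at +108 (PE32+) or +92 (PE32); directories follow it.
    if magic == PE32PLUS_MAGIC:
        rva_count_off = opt + 108
    elif magic == PE32_MAGIC:
        rva_count_off = opt + 92
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_rva = struct.unpack_from("<I", pe, rva_count_off)[0]
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = rva_count_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        raise ValueError("data directory extends past optional header")
    # For the security entry the "VirtualAddress" is a raw file offset.
    addr, size = struct.unpack_from("<II", pe, entry)
    if addr == 0 or size == 0:
        return None
    if addr + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return addr, size


def is_signed(pe: bytes) -> bool:
    return security_directory(pe) is not None


def find_unsigned(artifacts: dict) -> list:
    """Names of artifacts (name -> bytes) that carry no certificate table."""
    return [name for name, data in artifacts.items() if not is_signed(data)]


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections, no code) for testing."""
    num_dirs = 16
    opt_size = 112 + 8 * num_dirs          # PE32+ fixed part + data directories
    headers_len = 0x40 + 4 + 20 + opt_size
    cert_table = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7),
        # followed by a placeholder blob; constructed, not a real signature.
        blob = b"\x30\x00"
        cert_table = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", num_dirs)
    dirs = [(0, 0)] * num_dirs
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert_table))
    dir_bytes = b"".join(struct.pack("<II", a, s) for a, s in dirs)
    return dos + b"PE\0\0" + coff + opt + dir_bytes + cert_table


if __name__ == "__main__":
    # Usage: python check_signed.py /build/efi/EFI/BOOT/BOOTX64.EFI ...
    files = {p: open(p, "rb").read() for p in sys.argv[1:]}
    bad = find_unsigned(files)
    for name in bad:
        print(f"UNSIGNED: {name}")
    sys.exit(1 if bad else 0)
```

Run it over every `.efi` copied into `efiboot.img` before `xorriso` packs the ISO; a non-zero exit stops the target. Because it reads only headers it is cheap enough to run on every build, and it catches the case where a signing step was skipped or a target was re-pointed at an unsigned input.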
Signed-off-by: Itxaka <itxaka@kairos.io>
- Use test keys for development, easier to test if we always sign with the same key as we only need to insert into the EFI once
- Sign systemd-boot
- Also copy and create an entry for mokmanager so we can enroll keys using it if needed
- Bump packages with uki fixes for layout
Signed-off-by: Itxaka <itxaka@kairos.io>
# Use immmucore master as it has patches not released for uki | ||
# Use kairos-agent main branch as it has patches not released for uki |
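Review bot: pinning `immucore` to `master` and `kairos-agent` to `main` makes the build non-reproducible and pulls whatever lands on those branches into the ISO and UKI, including the content that ends up under the EFI signature. Pin both to a specific commit SHA now, keeping the branch comment as the reason, and move to tagged releases once the UKI patches ship; the thread already expects this to be revisited.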
I guess this will need to be updated once those patches are merged.
Yep! Although with the heavy testing, I'm guessing this can be left in master for both to keep testing it.
cp tests/go.* . | ||
go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/ | ||
- uses: actions/upload-artifact@v3 | ||
if: failure() |
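Review bot: `actions/upload-artifact@v3` is referenced by a mutable major tag rather than a commit SHA, and `cp tests/go.* .` copies `tests/go.mod` and `go.sum` over whatever sits at the repository root before `go run`. Pin the action to a full commit SHA (with the version kept in a comment), and run ginkgo from inside the `tests` directory (for example with a `cd tests &&` prefix) instead of copying module files into the root.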
I guess this will help debug the issue ... how does one debug from here?
Gathers logs only if it fails.
lgtm