
mkosi: Package a erofs usr partition with signed verity

Let's start moving towards a more involved partitioning setup to
exercise more of our code when using mkosi.

The root partition is generated on boot with systemd-repart.

CentOS supports neither erofs nor btrfs so we use squashfs and xfs
instead.

We also enable SecureBoot= locally for additional coverage. This
and the use of verity means users need to run `mkosi genkey` once
to generate the keys necessary to do secure boot and verity.
Daan De Meyer 2023-05-08 16:06:41 +02:00
parent 724683c27f
commit 47e5e12866
20 changed files with 88 additions and 18 deletions


@ -84,11 +84,10 @@ jobs:
[Distribution]
Distribution=${{ matrix.distro }}
Release=${{ matrix.release }}
SecureBoot=yes
[Content]
Environment=CI_BUILD=1
DEFAULT_TIMEOUT_SEC=90
DEFAULT_TIMEOUT_SEC=120
SLOW_TESTS=true
[Output]
@ -101,6 +100,15 @@ jobs:
ExtraSearchPaths=!*
EOF
# For erofs, we have to install linux-modules-extra-azure, but that doesn't match the running kernel
# version, so we can't load the erofs module. squashfs is a builtin module so we use that instead.
mkdir -p mkosi.presets/20-final/mkosi.repart/10-usr.conf.d
tee mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
[Partition]
Format=squashfs
EOF
- name: Generate secure boot key
run: mkosi --debug genkey
@ -113,11 +121,5 @@ jobs:
- name: Boot ${{ matrix.distro }} systemd-nspawn
run: sudo mkosi --debug boot
- name: Check ${{ matrix.distro }} systemd-nspawn
run: sudo mkosi --debug shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }"
- name: Boot ${{ matrix.distro }} QEMU
run: timeout -k 30 10m mkosi --debug qemu
- name: Check ${{ matrix.distro }} QEMU
run: sudo mkosi --debug shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }"
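Review bot: The `Generate secure boot key` step in the second hunk (`run: mkosi --debug genkey`) has no comment, although it writes a private key and certificate into the checkout that the build then uses both for Secure Boot signing and, per the commit message, for the usr verity signature. A line above the step such as `# Creates a throwaway key/cert pair in the checkout for Secure Boot and verity signing; it must not be cached or uploaded as an artifact` would make that explicit for whoever next adds a cache or upload step to this job. The rendered view lost its +/- markers, so this assumes the genkey step and the squashfs drop-in written via `tee` are the added lines, as the commit message suggests.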


@ -40,9 +40,11 @@ the [GitHub repository](https://github.com/systemd/mkosi). `mkosi` will build an
image for the host distro by default. Currently, the latest github commit is
required. `mkosi` also requires systemd v253 (unreleased) or newer. If systemd v253
is not available, `mkosi` will automatically use executables from the systemd build
directory if it's executed from the systemd repository root directory. It is
sufficient to type `mkosi` in the systemd project directory to generate a disk image
you can boot either in `systemd-nspawn` or in a UEFI-capable VM:
directory if it's executed from the systemd repository root directory. First, run
`mkosi genkey` to generate a key and certificate to be used for secure boot and
verity signing. After that is done, it is sufficient to type `mkosi` in the systemd
project directory to generate a disk image you can boot either in `systemd-nspawn`
or in a UEFI-capable VM:
```sh
$ sudo mkosi boot # nspawn still needs sudo for now


@ -11,6 +11,11 @@ OutputDirectory=mkosi.output
BuildDirectory=mkosi.builddir
CacheDirectory=mkosi.cache
[Validation]
SecureBoot=yes
# Disabled until systemd-measure can operate without a TPM device.
SignExpectedPcr=no
[Host]
QemuMem=2G
ExtraSearchPaths=build/
@ -29,3 +34,5 @@ KernelCommandLineExtra=systemd.crash_shell
ip=enp0s1:any
# Make sure sulogin works even with a locked root account.
SYSTEMD_SULOGIN_FORCE=1
# Make sure /sysroot is mounted rw in the initrd.
rw
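Review bot: `SecureBoot=yes` in the new `[Validation]` block has no comment, while the neighbouring `SignExpectedPcr=no` does, and enabling it makes every build depend on a key pair that is not in the repository. A line above it such as `# Needs the key and certificate produced by "mkosi genkey"; the same key signs the usr verity partition.` would save the next person a failed build. The verity half of that sentence comes from the commit message rather than from this file, so drop it if the verity signing key is configured elsewhere.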


@ -5,6 +5,7 @@ Distribution=debian ubuntu
[Content]
Packages=
dmsetup
libfdisk1
libfido2-1
libglib2.0-0


@ -6,6 +6,7 @@ Distribution=opensuse
[Content]
# We install gawk, gzip, grep, xz here explicitly so that the busybox versions don't get installed instead.
Packages=
device-mapper
gawk
grep
gzip


@ -6,3 +6,6 @@ Distribution=centos
[Output]
# TODO: Switch to zstd once we stop building CentOS Stream 8.
CompressOutput=xz
[Content]
Packages=xfsprogs


@ -5,3 +5,6 @@ Distribution=arch debian fedora opensuse ubuntu
[Output]
CompressOutput=zst
[Content]
Packages=btrfs-progs


@ -12,6 +12,7 @@ Packages=
iproute
iproute-tc
kernel-core
kernel-modules # For squashfs support
libcap-ng-utils
netcat
openssh-server
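Review bot: `kernel-modules # For squashfs support` puts a trailing comment on a value line inside the `Packages=` list, whereas every other explanatory comment this commit adds to a package list (the openSUSE and Ubuntu files) is a full line above the entry. Unless mkosi's config parser is known to strip inline `#` comments, the trailing text risks being read as part of the package name; writing it as `# For squashfs support` on its own line followed by `kernel-modules` is correct under either parser behaviour and matches the rest of the commit. The `Packages=` list continues outside this hunk.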


@ -0,0 +1,4 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
Distribution=centos


@ -0,0 +1,5 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# CentOS does not support btrfs so we use xfs instead.
[Partition]
Format=xfs


@ -0,0 +1,5 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# CentOS does not support erofs so we use squashfs instead.
[Partition]
Format=squashfs


@ -5,4 +5,6 @@ Distribution=ubuntu
[Content]
Packages=
linux-virtual
# We would like to use linux-image-kvm but it does not have support for dm-verity
# See https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040.
linux-image-generic


@ -0,0 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=root
Format=btrfs
SizeMinBytes=1G
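Review bot: Nothing in this new `Type=root` definition says when it is applied, and the commit message states that the root partition is generated on boot by systemd-repart, which would make this the one partition definition in the commit that runs on the target system rather than at image build time. If that is the case, a header comment such as `# Applied by systemd-repart on first boot; the root partition is not part of the built image.` would stop readers from looking for the root partition in the image, and would also explain why the CentOS xfs drop-in overrides `Format=` here. This is inferred from the commit message, since the file paths are not visible in the rendered diff.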


@ -11,5 +11,3 @@ fi
# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
[[ ! -s /failed-services ]]
: >/testok


@ -4,11 +4,9 @@ Description=Check if any service failed and then shutdown the machine
After=multi-user.target network-online.target
Requires=multi-user.target
Wants=systemd-resolved.service systemd-networkd.service network-online.target
OnFailure=poweroff.target
OnFailureJobMode=replace-irreversibly
SuccessAction=exit
FailureAction=exit
[Service]
Type=oneshot
ExecStartPre=-rm -f /failed-services
ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
ExecStartPost=systemctl poweroff --no-block
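Review bot: The unit shows two shutdown mechanisms side by side, `SuccessAction=exit` / `FailureAction=exit` in `[Unit]` and `OnFailure=poweroff.target` plus `ExecStartPost=systemctl poweroff --no-block` in the old layout, and the rendered diff does not show which of these lines are added and which removed. Whichever set survives on the new side should be the only one, and it deserves a comment because the choice decides how the VM and container runs end; for the `*Action=exit` pair something like `# exit stops the nspawn container; outside a container the system manager falls back to a poweroff` would do, after confirming that fallback against systemd.unit(5). If both `SuccessAction=exit` and the `ExecStartPost=` poweroff remain, one of them is redundant and the comment should say which is authoritative.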


@ -0,0 +1,8 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=esp
Format=vfat
CopyFiles=/efi:/
SizeMinBytes=512M
SizeMaxBytes=512M


@ -0,0 +1,9 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=usr
Format=erofs
CopyFiles=/usr:/
Verity=data
VerityMatchKey=usr
Minimize=yes


@ -0,0 +1,2 @@
[Partition]
Format=squashfs
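Review bot: This new two-line drop-in is the only file added by the commit without the `# SPDX-License-Identifier: LGPL-2.1-or-later` header that every other new `[Partition]` file carries, and unlike the CentOS squashfs drop-in it gives no reason for overriding `Format=` to squashfs. Adding the header and a one-line comment naming the distribution or build this override is for would bring it in line with the rest of the commit.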


@ -0,0 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=usr-verity
Verity=hash
VerityMatchKey=usr
Minimize=yes


@ -0,0 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=usr-verity-sig
Verity=signature
VerityMatchKey=usr