mkosi: Package a erofs usr partition with signed verity
Let's start moving towards a more involved partitioning setup so that more of our code is exercised when using mkosi. The root partition is generated on boot with systemd-repart. CentOS supports neither erofs nor btrfs so we use squashfs and xfs instead. We also enable SecureBoot= locally for additional coverage. This and the use of verity mean users need to run `mkosi genkey` once to generate the keys necessary to do secure boot and verity.
This commit is contained in:
parent
724683c27f
commit
47e5e12866
18
.github/workflows/mkosi.yml
vendored
18
.github/workflows/mkosi.yml
vendored
@ -84,11 +84,10 @@ jobs:
|
||||
[Distribution]
|
||||
Distribution=${{ matrix.distro }}
|
||||
Release=${{ matrix.release }}
|
||||
SecureBoot=yes
|
||||
|
||||
[Content]
|
||||
Environment=CI_BUILD=1
|
||||
DEFAULT_TIMEOUT_SEC=90
|
||||
DEFAULT_TIMEOUT_SEC=120
|
||||
SLOW_TESTS=true
|
||||
|
||||
[Output]
|
||||
@ -101,6 +100,15 @@ jobs:
|
||||
ExtraSearchPaths=!*
|
||||
EOF
|
||||
|
||||
# For erofs, we have to install linux-modules-extra-azure, but that doesn't match the running kernel
|
||||
# version, so we can't load the erofs module. squashfs is a builtin module so we use that instead.
|
||||
|
||||
mkdir -p mkosi.presets/20-final/mkosi.repart/10-usr.conf.d
|
||||
tee mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
|
||||
[Partition]
|
||||
Format=squashfs
|
||||
EOF
|
||||
|
||||
- name: Generate secure boot key
|
||||
run: mkosi --debug genkey
|
||||
|
||||
@ -113,11 +121,5 @@ jobs:
|
||||
- name: Boot ${{ matrix.distro }} systemd-nspawn
|
||||
run: sudo mkosi --debug boot
|
||||
|
||||
- name: Check ${{ matrix.distro }} systemd-nspawn
|
||||
run: sudo mkosi --debug shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }"
|
||||
|
||||
- name: Boot ${{ matrix.distro }} QEMU
|
||||
run: timeout -k 30 10m mkosi --debug qemu
|
||||
|
||||
- name: Check ${{ matrix.distro }} QEMU
|
||||
run: sudo mkosi --debug shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }"
|
||||
|
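Review bot: The new `Generate secure boot key` step runs `mkosi --debug genkey` in every job, so the key that signs the secure boot payload and the usr verity hash in CI exists only for that run. That is the right choice for a test pipeline, but nothing says so, and images produced by these jobs must not be mistaken for release-signed artifacts; a comment on the step such as `# Ephemeral per-run key: CI images are self-signed for testing only and are not trusted outside this job` would make the intent explicit. The heredoc written with `tee ... <<- EOF` relies on `<<-` stripping leading tabs; if the workflow indents with spaces, as the surrounding YAML appears to, the dash has no effect and plain `<< EOF` would be clearer. The enclosing `run:` block starts before the second hunk.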
@ -40,9 +40,11 @@ the [GitHub repository](https://github.com/systemd/mkosi). `mkosi` will build an
|
||||
image for the host distro by default. Currently, the latest github commit is
|
||||
required. `mkosi` also requires systemd v253 (unreleased) or newer. If systemd v253
|
||||
is not available, `mkosi` will automatically use executables from the systemd build
|
||||
directory if it's executed from the systemd repository root directory. It is
|
||||
sufficient to type `mkosi` in the systemd project directory to generate a disk image
|
||||
you can boot either in `systemd-nspawn` or in a UEFI-capable VM:
|
||||
directory if it's executed from the systemd repository root directory. First, run
|
||||
`mkosi genkey` to generate a key and certificate to be used for secure boot and
|
||||
verity signing. After that is done, it is sufficient to type `mkosi` in the systemd
|
||||
project directory to generate a disk image you can boot either in `systemd-nspawn`
|
||||
or in a UEFI-capable VM:
|
||||
|
||||
```sh
|
||||
$ sudo mkosi boot # nspawn still needs sudo for now
|
||||
|
@ -11,6 +11,11 @@ OutputDirectory=mkosi.output
|
||||
BuildDirectory=mkosi.builddir
|
||||
CacheDirectory=mkosi.cache
|
||||
|
||||
[Validation]
|
||||
SecureBoot=yes
|
||||
# Disabled until systemd-measure can operate without a TPM device.
|
||||
SignExpectedPcr=no
|
||||
|
||||
[Host]
|
||||
QemuMem=2G
|
||||
ExtraSearchPaths=build/
|
||||
@ -29,3 +34,5 @@ KernelCommandLineExtra=systemd.crash_shell
|
||||
ip=enp0s1:any
|
||||
# Make sure sulogin works even with a locked root account.
|
||||
SYSTEMD_SULOGIN_FORCE=1
|
||||
# Make sure /sysroot is mounted rw in the initrd.
|
||||
rw
|
||||
|
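Review bot: `SYSTEMD_SULOGIN_FORCE=1` in the second hunk makes the rescue and emergency shells usable with a locked root account, which is a deliberate convenience for a disposable test image but reads as a footgun if this file is ever copied as a template; the comment should state the trade-off, e.g. `# Make sure sulogin works even with a locked root account. Test images only: this hands out an unauthenticated root shell on boot failure.` The same consideration applies to `systemd.crash_shell`, which is already on this `KernelCommandLineExtra=` list outside the hunk. In the first hunk `SignExpectedPcr=no` is explained by its comment; a matching line above `SecureBoot=yes` noting that it depends on the key produced by `mkosi genkey` would keep the `[Validation]` section self-describing.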
@ -5,6 +5,7 @@ Distribution=debian ubuntu
|
||||
|
||||
[Content]
|
||||
Packages=
|
||||
dmsetup
|
||||
libfdisk1
|
||||
libfido2-1
|
||||
libglib2.0-0
|
||||
|
@ -6,6 +6,7 @@ Distribution=opensuse
|
||||
[Content]
|
||||
# We install gawk, gzip, grep, xz here explicitly so that the busybox versions don't get installed instead.
|
||||
Packages=
|
||||
device-mapper
|
||||
gawk
|
||||
grep
|
||||
gzip
|
||||
|
@ -6,3 +6,6 @@ Distribution=centos
|
||||
[Output]
|
||||
# TODO: Switch to zstd once we stop building CentOS Stream 8.
|
||||
CompressOutput=xz
|
||||
|
||||
[Content]
|
||||
Packages=xfsprogs
|
||||
|
@ -5,3 +5,6 @@ Distribution=arch debian fedora opensuse ubuntu
|
||||
|
||||
[Output]
|
||||
CompressOutput=zst
|
||||
|
||||
[Content]
|
||||
Packages=btrfs-progs
|
||||
|
@ -12,6 +12,7 @@ Packages=
|
||||
iproute
|
||||
iproute-tc
|
||||
kernel-core
|
||||
kernel-modules # For squashfs support
|
||||
libcap-ng-utils
|
||||
netcat
|
||||
openssh-server
|
||||
|
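Review bot: `kernel-modules # For squashfs support` is the only entry in this `Packages=` list that carries a trailing comment, and whether the text after `#` is stripped depends on the consuming parser's inline-comment handling; the other hunks in this commit put explanations on their own line above the package (the ubuntu file does this for `linux-image-generic`). Moving the comment to its own line, `# For squashfs support` followed by `kernel-modules`, keeps the package name unambiguous regardless of parser and matches the rest of the commit. The `Packages=` value begins before this hunk.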
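--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos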
@ -0,0 +1,5 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
# CentOS does not support btrfs so we use xfs instead.
|
||||
[Partition]
|
||||
Format=xfs
|
@ -0,0 +1,5 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
# CentOS does not support erofs so we use squashfs instead.
|
||||
[Partition]
|
||||
Format=squashfs
|
@ -5,4 +5,6 @@ Distribution=ubuntu
|
||||
|
||||
[Content]
|
||||
Packages=
|
||||
linux-virtual
|
||||
# We would like to use linux-image-kvm but it does not have support for dm-verity
|
||||
# See https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040.
|
||||
linux-image-generic
|
||||
|
@ -0,0 +1,6 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
[Partition]
|
||||
Type=root
|
||||
Format=btrfs
|
||||
SizeMinBytes=1G
|
@ -11,5 +11,3 @@ fi
|
||||
|
||||
# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
|
||||
[[ ! -s /failed-services ]]
|
||||
|
||||
: >/testok
|
||||
|
@ -4,11 +4,9 @@ Description=Check if any service failed and then shutdown the machine
|
||||
After=multi-user.target network-online.target
|
||||
Requires=multi-user.target
|
||||
Wants=systemd-resolved.service systemd-networkd.service network-online.target
|
||||
OnFailure=poweroff.target
|
||||
OnFailureJobMode=replace-irreversibly
|
||||
SuccessAction=exit
|
||||
FailureAction=exit
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStartPre=-rm -f /failed-services
|
||||
ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
|
||||
ExecStartPost=systemctl poweroff --no-block
|
||||
|
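--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.repart/00-esp.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M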
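--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes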
@ -0,0 +1,2 @@
|
||||
[Partition]
|
||||
Format=squashfs
|
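Review bot: This two-line drop-in omits the `# SPDX-License-Identifier: LGPL-2.1-or-later` header that every other new file in this commit carries; adding it as the first line keeps license tooling consistent across the repart configuration. The file's path is not shown on this page, so the omission should be confirmed against the committed tree.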
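--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.repart/11-usr-verity.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes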
@ -0,0 +1,6 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
[Partition]
|
||||
Type=usr-verity-sig
|
||||
Verity=signature
|
||||
VerityMatchKey=usr
|
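Review bot: This `usr-verity-sig` partition is only as trustworthy as the certificate the booting image trusts, and the commit message says each user produces their own key with `mkosi genkey`, so images built on different machines will not share a trust root. A header comment would save the next reader a trip to the commit log, e.g. `# Signed with the key from 'mkosi genkey'; the verifying initrd must trust the matching certificate.` Whether mkosi installs that certificate into the image's verity trust store is not visible on this page and should be confirmed before relying on the signature for anything beyond local testing.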