diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh
index ad7d57d..c08f0d8 100644
--- a/pkgs/image/mkimage.sh
+++ b/pkgs/image/mkimage.sh
@@ -12,23 +12,6 @@ find rootfs/ -type d -exec chmod 755 {} \;
 # set default target to multi-user
 ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
-# Overlay mount for /etc which makes it read-write in runtime
-cat <<EOF > rootfs/usr/lib/systemd/system/etc.mount
-[Unit]
-Description=Overlay mount for /etc
-Before=local-fs.target
-
-[Mount]
-What=overlay
-Where=/etc
-Type=overlay
-Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work
-
-[Install]
-WantedBy=local-fs.target
-EOF
-ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount
-
 # enable dbus
 ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
 ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
@@ -40,8 +23,9 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar
 # enable default network config
 mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
-#FIXME: generate a temporary machine id (replace with overlay/confext later?)
-$systemd/usr/bin/systemd-machine-id-setup --root=rootfs/
+# enable confext/sysext services
+ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
+ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
 # install sys users
 mkdir creds
diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config
index 0220e23..209e026 100644
--- a/pkgs/kernel/generic.config
+++ b/pkgs/kernel/generic.config
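Review bot: Wiring systemd-sysext.service and systemd-confext.service into sysinit.target.wants means whatever extension images or directories systemd finds in its extension search paths get merged into /usr, /opt and /etc at boot, and nothing in this hunk restricts that to verified images (no image policy, no signature requirement). The same commit sets CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y in generic.config, which suggests signed dm-verity DDIs are the plan, but that intent is not recorded here; a comment next to the two `ln -sf` lines such as `# sysext/confext images are expected to be signed dm-verity DDIs (see generic.config); unsigned extensions must not be accepted` would make the trust boundary explicit for the next reader. If an image policy is meant to enforce that, it presumably belongs in a drop-in for these two units, which this hunk does not add.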
@@ -591,7 +591,8 @@ CONFIG_DM_SWITCH=m
 CONFIG_DM_THIN_PROVISIONING=m
 CONFIG_DM_UNSTRIPED=m
 CONFIG_DM_VDO=m
-CONFIG_DM_VERITY=m
+CONFIG_DM_VERITY=y
+CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
 CONFIG_DM_WRITECACHE=m
 CONFIG_DM_ZERO=y
 CONFIG_DM_ZONED=m
diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix
index dd0e2a7..5ac9c6a 100644
--- a/pkgs/rootfs/default.nix
+++ b/pkgs/rootfs/default.nix
@@ -27,10 +27,12 @@ stdenvNoCC.mkDerivation (finalAttrs: {
 libbpf = pkgs.libbpf.out;
 btrfs = pkgs.btrfs-progs.out;
 tpm2Libs = patosPkgs.tpm2-tss.out;
- tpm2Tools = patosPkgs.tpm2-tools.out;
 kexec = patosPkgs.kexec.out;
 lvm2 = patosPkgs.lvm2.out;
+ # FIXME: remove later:
+ tpm2Tools = patosPkgs.tpm2-tools.out;
 cryptsetup = pkgs.cryptsetup.bin;
+ erofsUtils = pkgs.erofs-utils.out;
 builder = ./mkrootfs.sh;
 })
diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh
index 110b1e4..78d14d3 100644
--- a/pkgs/rootfs/mkrootfs.sh
+++ b/pkgs/rootfs/mkrootfs.sh
@@ -29,8 +29,8 @@ IMAGE_ID=patos
 ID=patos
 IMAGE_VERSION=${version}
 VERSION=${version}
-VERSION_ID={version}
-BUILD_ID={version}
+VERSION_ID=patos
+BUILD_ID=somehash
 EOF
 cat <<EOF > $out/etc/issue
@@ -106,6 +106,9 @@ cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
 cp -Pr ${btrfs}/bin/* $out/usr/bin/
 cp -Pr ${btrfs}/lib/* $out/usr/lib/
+##FIXME(remove later): install mkfs.erofs bin
+cp -P ${erofsUtils}/bin/mkfs.erofs $out/usr/bin/
+
 ### install tpm2 tools
 # For TPM debugging
 # cp -P ${tpm2Tools}/bin/* $out/usr/bin/
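Review bot: CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y only makes dm-verity validate a root-hash signature when the activating table supplies one; on its own it does not refuse unsigned verity targets, so the enforcement point is the `dm_verity.require_signatures=1` kernel command-line parameter (or the userspace that sets up the volumes), neither of which is part of this diff. The signing key must also sit in a keyring the kernel trusts; if the keys are not compiled into the kernel, CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is the option to look at, and it is not set here. A comment above the two changed lines stating which of these the image relies on (`# root-hash signatures enforced via dm_verity.require_signatures=1 on the cmdline; key in builtin keyring`, adjusted to what is actually true) would stop the config from looking stronger than it is.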
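Review bot: The added `# FIXME: remove later:` above tpm2Tools states neither a reason nor a condition, and the only consumer visible in this diff is the commented-out `# cp -P ${tpm2Tools}/bin/* $out/usr/bin/` in mkrootfs.sh, so the attribute currently pulls tpm2-tools into the build inputs without anything using it. Suggest `# FIXME: tpm2Tools is only for TPM debugging (the cp in mkrootfs.sh is commented out); drop once TPM bring-up is done`. The `##FIXME(remove later)` on the mkfs.erofs install in mkrootfs.sh has the same gap: say what "later" waits on, since shipping a filesystem creation tool in the rootfs is otherwise easy to forget.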
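Review bot: `VERSION_ID=patos` and `BUILD_ID=somehash` replace what looks like a missing `$` in `{version}` (the adjacent IMAGE_VERSION and VERSION lines use `${version}`) with constant placeholders rather than fixing the expansion. VERSION_ID also carries weight now that sysext/confext are enabled in the same commit: when an extension image carries no SYSEXT_LEVEL/CONFEXT_LEVEL, systemd matches it against the host's VERSION_ID, so a constant value makes every patos extension image match every patos host version. If that is intended, say so in a comment above the line; otherwise `VERSION_ID=${version}` and a BUILD_ID derived from the actual build would be the expected values.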
@@ -119,11 +122,23 @@ cp -P $kmodBin/bin/* $out/usr/bin
 ### install libbpf
 cp -P $libbpf/lib/libbpf* $out/usr/lib
+# setup default files
+$systemd/usr/bin/systemd-hwdb --root=$out --usr update
+$systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
+cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
+cp $out/usr/share/factory/etc/locale.conf $out/etc/
+cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
+#Ephemeral machine-id until registration
+ln -sf /run/machine-id $out/etc/machine-id
+
+
 # remove pkgconfig
 rm -rf $out/usr/lib/pkgconfig
 ### Find and install all shared libs
-find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/
+find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
+ grep -v util-linux-2 | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \
+ sort -u | xargs -I {} cp {} $out/usr/lib/
 find $out -type f -executable -exec chmod 755 {} \;
 # FIXME: ELF patching. Is there a better way?
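Review bot: `ln -sf /run/machine-id $out/etc/machine-id` leaves a dangling symlink in the image, and whether systemd's first-boot handling writes a transient id through that link or treats the file as uninitialized is not evident from the hunk; confirm it against the systemd build referenced by `$systemd` and record the expectation in the comment, e.g. `# /etc/machine-id -> /run/machine-id: intentionally dangling in the image; systemd provisions a transient id at boot (verified against first-boot semantics)`. In the ldd pipeline, the new `grep -v util-linux-2` joins filters that are unanchored substring matches on store paths, so any library whose path happens to contain one of those words is silently skipped, while ldd output such as "statically linked" or "libfoo.so => not found" yields an empty or non-path `$3` that is handed to `cp`. Selecting only path fields, `awk '$3 ~ /^\// {print $3}'`, and matching the excluded package names against the store-path component rather than anywhere in the line would make both failure modes visible instead of silent.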