parent
1725120a49
commit
a3e2a970f8
11 changed files with 845 additions and 772 deletions
pkgs/image
|
@ -1,16 +1,15 @@
|
|||
{
|
||||
pkgs,
|
||||
stdenvNoCC,
|
||||
patosPkgs,
|
||||
version,
|
||||
runCommand,
|
||||
...
|
||||
}:
|
||||
let
|
||||
pname = "patos-image";
|
||||
in
|
||||
stdenvNoCC.mkDerivation (finalAttrs: {
|
||||
runCommand pname {
|
||||
inherit version;
|
||||
inherit pname;
|
||||
|
||||
buildInputs = with pkgs; [
|
||||
erofs-utils
|
||||
|
@ -27,12 +26,142 @@ stdenvNoCC.mkDerivation (finalAttrs: {
|
|||
SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
|
||||
};
|
||||
|
||||
systemd = patosPkgs.systemd.out;
|
||||
kernel = patosPkgs.kernel;
|
||||
initrd = patosPkgs.initrd.out;
|
||||
rootfs = patosPkgs.rootfs.out;
|
||||
|
||||
kernelCmdLine = "console=ttyS0";
|
||||
}
|
||||
''
|
||||
mkdir -p $out/init.repart.d $out/final.repart.d $out/boot
|
||||
pushd $out
|
||||
|
||||
builder = ./mkimage.sh;
|
||||
})
|
||||
# Don't seem to work just to create a symlink to rootfs derivation?
|
||||
# ln -sf $rootfs rootfs
|
||||
mkdir rootfs
|
||||
cp -prP ${patosPkgs.rootfs}/* rootfs/
|
||||
find rootfs/ -type d -exec chmod 755 {} \;
|
||||
|
||||
# set default target to multi-user
|
||||
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
|
||||
|
||||
# enable dbus
|
||||
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
|
||||
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
|
||||
|
||||
# enable network services
|
||||
ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
|
||||
ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
|
||||
ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
|
||||
# enable default network config
|
||||
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
|
||||
|
||||
# enable confext/sysext services
|
||||
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
|
||||
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
|
||||
|
||||
# Initial partitioning
|
||||
cat <<EOF > init.repart.d/10-root.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
Format=erofs
|
||||
Minimize=best
|
||||
CopyFiles=/rootfs:/
|
||||
Verity=data
|
||||
VerityMatchKey=root
|
||||
SplitName=root
|
||||
EOF
|
||||
|
||||
cat <<EOF > init.repart.d/20-root-verity.conf
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
Verity=hash
|
||||
VerityMatchKey=root
|
||||
Minimize=best
|
||||
SplitName=verity
|
||||
EOF
|
||||
|
||||
#TODO: Add verity signature partition
|
||||
|
||||
${patosPkgs.systemd}/usr/bin/systemd-repart \
|
||||
--no-pager \
|
||||
--empty=create \
|
||||
--size=auto \
|
||||
--definitions=./init.repart.d \
|
||||
--split=true \
|
||||
--json=pretty \
|
||||
--root=$out \
|
||||
patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw
|
||||
|
||||
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
|
||||
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
|
||||
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
|
||||
|
||||
verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
|
||||
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
|
||||
|
||||
${patosPkgs.systemd}/usr/bin/ukify build \
|
||||
--linux ${patosPkgs.kernel}/bzImage \
|
||||
--initrd ${patosPkgs.initrd}/initrd.xz \
|
||||
--os-release @rootfs/etc/os-release \
|
||||
--cmdline "$kernelCmdLine roothash=$roothash" \
|
||||
-o patos_${version}.efi
|
||||
|
||||
# install ESP
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
|
||||
--secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem
|
||||
echo "timeout 2" > rootfs/boot/loader/loader.conf
|
||||
|
||||
# sign EFIs
|
||||
${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
|
||||
rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
|
||||
|
||||
${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
|
||||
patos_${version}.efi --output=patos_${version}.efi
|
||||
|
||||
# install UKI
|
||||
cp patos_${version}.efi rootfs/boot/EFI/Linux
|
||||
|
||||
echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
|
||||
|
||||
# Final partitioning
|
||||
cat <<EOF > final.repart.d/10-esp.conf
|
||||
[Partition]
|
||||
Type=esp
|
||||
Format=vfat
|
||||
SizeMinBytes=160M
|
||||
SizeMaxBytes=160M
|
||||
CopyFiles=/rootfs/boot:/
|
||||
EOF
|
||||
|
||||
cat <<EOF > final.repart.d/20-root.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
Label=root-${version}
|
||||
CopyBlocks=/$rootPart
|
||||
UUID=$rootUuid
|
||||
SizeMinBytes=256M
|
||||
SizeMaxBytes=256M
|
||||
ReadOnly=1
|
||||
EOF
|
||||
|
||||
cat <<EOF > final.repart.d/22-root-verity.conf
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
Label=verity-${version}
|
||||
CopyBlocks=/$verityPart
|
||||
UUID=$verityUuid
|
||||
SizeMinBytes=10M
|
||||
SizeMaxBytes=10M
|
||||
ReadOnly=1
|
||||
EOF
|
||||
|
||||
# finalize image ready for boot
|
||||
${patosPkgs.systemd}/usr/bin/systemd-repart \
|
||||
--no-pager \
|
||||
--empty=create \
|
||||
--size=auto \
|
||||
--definitions=./final.repart.d \
|
||||
--root=$out \
|
||||
patos-$version.raw > final-repart-output.json
|
||||
|
||||
rm -rf rootfs
|
||||
|
||||
popd
|
||||
''
|
||||
|
|
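Review bot: The Secure Boot private key is read straight from a store path, `--private-key=${patosPkgs.cert}/key.pem`, on the bootctl line and on both systemd-sbsign lines; if `patosPkgs.cert` is an ordinary derivation, as the interpolation suggests, that key sits world-readable under /nix/store on every host that builds or substitutes this closure, so the image's signing key is effectively distributed together with the image. Consider supplying the key from outside the store (or moving signing to a step that runs outside the build sandbox) and marking the intent inline, e.g. `# NOTE: key.pem must not be a store path — anything in the store is world-readable and cacheable`. Separately, the roothash/split_path/uuid lookups address the repart JSON by position (`.[0]`, `.[1]`), which silently returns the wrong partition if a definition file is added or reordered ahead of 10-root.conf; selecting entries by their partition type field rather than by index would be sturdier. The `#TODO: Add verity signature partition` is worth tracking as an open item, since until it exists the roothash on the kernel cmdline is protected only by the UKI signature.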