fix: rootfs now with verity and A/B prep

pkgs/image/default.nix

@@ -19,6 +19,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
     dosfstools
     mtools
     e2fsprogs
+    jq
   ];
 
   env = {
@@ -32,8 +33,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   initrd = patosPkgs.initrd.out;
   rootfs = patosPkgs.rootfs.out;
 
-  #FIXME: use roothash instead of device.
-  kernelCmdLine = "root=/dev/sda2 console=ttyS0";
+  kernelCmdLine = "console=ttyS0";
 
   builder = ./mkimage.sh;
 })

pkgs/image/mkimage.sh

@@ -1,6 +1,6 @@
 set -ex -o pipefail
 
-mkdir -p $out/repart.d $out/boot
+mkdir -p $out/init.repart.d $out/final.repart.d $out/boot
 pushd $out
 
 # Don't seem to work just to create a symlink to rootfs derivation?
@@ -34,46 +34,102 @@ CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/sys
 chmod 600 rootfs/etc/shadow
 rm -rf creds
 
+# Initial partitioning
+cat <<EOF > init.repart.d/10-root.conf
+[Partition]
+Type=root
+Format=erofs
+Minimize=best
+CopyFiles=/rootfs:/
+Verity=data
+VerityMatchKey=root
+SplitName=root
+EOF
+
+cat <<EOF > init.repart.d/20-root-verity.conf
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=root
+Minimize=best
+SplitName=verity
+EOF
+
+#TODO: Add verity signature partition
+
+$systemd/usr/bin/systemd-repart \
+  --no-pager \
+  --empty=create \
+  --size=auto \
+  --definitions=./init.repart.d \
+  --split=true \
+  --json=pretty \
+  --root=$out \
+  patos-$version.raw > init-repart-output.json
+rm -f patos-$version.raw
+
+roothash=$(jq -r '.[0].roothash' init-repart-output.json)
+rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
+rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
+
+verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
+verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
+
 $systemd/usr/bin/ukify build \
   --linux $kernel/bzImage \
   --initrd $initrd/initrd.xz \
   --os-release @rootfs/etc/os-release \
-  --cmdline "$kernelCmdLine" \
-  -o boot/patos.efi
+  --cmdline "$kernelCmdLine roothash=$roothash" \
+  -o patos_${version}.efi
+rm -rf rootfs
 
+cp patos_${version}.efi boot/
 cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/
-
 echo "timeout 1" > boot/loader.conf
 
-cat <<EOF > repart.d/10-esp.conf
+# Final partitioning
+cat <<EOF > final.repart.d/10-esp.conf
 [Partition]
 Type=esp
 Format=vfat
 SizeMinBytes=96M
 SizeMaxBytes=96M
 CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI
-CopyFiles=/boot/patos.efi:/EFI/Linux/patos.efi
+CopyFiles=/boot/patos_${version}.efi:/EFI/Linux/patos_${version}.efi
 CopyFiles=/boot/loader.conf:/loader/loader.conf
 EOF
 
-cat <<EOF > repart.d/10-root.conf
+cat <<EOF > final.repart.d/20-root.conf
 [Partition]
 Type=root
-Format=erofs
-Minimize=best
-CopyFiles=/rootfs:/
-SplitName=root
+Label=root-${version}
+CopyBlocks=/${rootPart}
+UUID=${rootUuid}
+SizeMinBytes=256M
+SizeMaxBytes=256M
+ReadOnly=1
 EOF
 
+cat <<EOF > final.repart.d/22-root-verity.conf
+[Partition]
+Type=root-verity
+Label=verity-${version}
+CopyBlocks=/${verityPart}
+UUID=${verityUuid}
+SizeMinBytes=10M
+SizeMaxBytes=10M
+ReadOnly=1
+EOF
+
+# finalize image ready for boot
 $systemd/usr/bin/systemd-repart \
   --no-pager \
   --empty=create \
   --size=auto \
-  --definitions=./repart.d \
+  --definitions=./final.repart.d \
   --root=$out \
-  patos-$version.raw
+  patos-$version.raw > final-repart-output.json
 
-rm -rf rootfs
 rm -rf boot
 
 popd

pkgs/rootfs/mkrootfs.sh

@@ -52,11 +52,38 @@ cat <<EOF > $out/etc/repart.d/10-esp.conf
 [Partition]
 Type=esp
 Format=vfat
+SizeMaxBytes=96M
+SizeMinBytes=96M
 EOF
 
-cat <<EOF > $out/etc/repart.d/22-root.conf
+cat <<EOF > $out/etc/repart.d/20-root-a.conf
 [Partition]
 Type=root
+SizeMaxBytes=256M
+SizeMinBytes=256M
+EOF
+cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf
+[Partition]
+Type=root-verity
+SizeMaxBytes=10M
+SizeMinBytes=10M
+EOF
+
+cat <<EOF > $out/etc/repart.d/30-root-b.conf
+[Partition]
+Type=root
+Label=_empty
+SizeMaxBytes=256M
+SizeMinBytes=256M
+ReadOnly=1
+EOF
+cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf
+[Partition]
+Type=root-verity
+Label=_empty
+SizeMaxBytes=10M
+SizeMinBytes=10M
+ReadOnly=1
 EOF
 
 cat <<EOF > $out/etc/repart.d/40-var.conf