Patagia/patos
Patagia/patos
1
1
Code Issues4 Pull requests6 Activity
patos/pkgs/image/mkimage.sh

160 lines
4.6 KiB
Bash
Raw Blame History

set -ex -o pipefail
mkdir -p $out/init.repart.d $out/final.repart.d $out/boot
pushd $out
# Don't seem to work just to create a symlink to rootfs derivation?
# ln -sf $rootfs rootfs
mkdir rootfs
cp -prP $rootfs/* rootfs/
find rootfs/ -type d -exec chmod 755 {} \;
# set default target to multi-user
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
# enable dbus
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
# enable network services
ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
# enable default network config
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
# enable confext/sysext services
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
# Initial partitioning
cat <<EOF > init.repart.d/10-root.conf
[Partition]
Type=root
Format=erofs
Minimize=best
CopyFiles=/rootfs:/
Verity=data
VerityMatchKey=root
SplitName=root
EOF
cat <<EOF > init.repart.d/20-root-verity.conf
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
Minimize=best
SplitName=verity
EOF
#TODO: Add verity signature partition
$systemd/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./init.repart.d \
--split=true \
--json=pretty \
--root=$out \
patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
$systemd/usr/bin/ukify build \
--linux $kernel/bzImage \
--initrd $initrd/initrd.xz \
--os-release @rootfs/etc/os-release \
--cmdline "$kernelCmdLine roothash=$roothash" \
-o patos_${version}.efi
cat <<EOF > reset-os-release
NAME=PatOS
PRETTY_NAME=PatOS Factory Reset
IMAGE_ID=patos
ID=patos
IMAGE_VERSION=${version}
VERSION=${version}
VERSION_ID=patos
EOF
$systemd/usr/bin/ukify build \
--linux $kernel/bzImage \
--initrd $initrd/initrd.xz \
--os-release @./reset-os-release \
--cmdline "$kernelCmdLine roothash=$roothash systemd.factory_reset=yes" \
-o patos_factory_reset.efi
# Secure boot
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing"
SYSTEMD_RELAX_ESP_CHECKS=1 $systemd/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
--secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem
# install UKIs
cp patos_${version}.efi rootfs/boot/EFI/Linux
cp patos_factory_reset.efi rootfs/boot/EFI/Linux
# sign EFIs
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
rootfs/boot/EFI/Linux/patos_0.0.1.efi --output=rootfs/boot/EFI/Linux/patos_0.0.1.efi
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
rootfs/boot/EFI/Linux/patos_factory_reset.efi --output=rootfs/boot/EFI/Linux/patos_factory_reset.efi
echo "timeout 2" > rootfs/boot/loader/loader.conf
echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
# Final partitioning
cat <<EOF > final.repart.d/10-esp.conf
[Partition]
Type=esp
Format=vfat
SizeMinBytes=160M
SizeMaxBytes=160M
CopyFiles=/rootfs/boot:/
EOF
cat <<EOF > final.repart.d/20-root.conf
[Partition]
Type=root
Label=root-${version}
CopyBlocks=/${rootPart}
UUID=${rootUuid}
SizeMinBytes=256M
SizeMaxBytes=256M
ReadOnly=1
EOF
cat <<EOF > final.repart.d/22-root-verity.conf
[Partition]
Type=root-verity
Label=verity-${version}
CopyBlocks=/${verityPart}
UUID=${verityUuid}
SizeMinBytes=10M
SizeMaxBytes=10M
ReadOnly=1
EOF
# finalize image ready for boot
$systemd/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./final.repart.d \
--root=$out \
patos-$version.raw > final-repart-output.json
rm -rf rootfs
popd
Reference in a new issue View git blame Copy permalink