image: upgrade mkosi to support repart (#1684)

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

image/Makefile

@@ -8,11 +8,13 @@ DEBUGD_BINARY                    ?= $(BASE_PATH)/../build/debugd
 MEASUREMENT_READER_BINARY        ?= $(BASE_PATH)/../build/measurement-reader
 PKI                              ?= $(BASE_PATH)/pki
 MKOSI_EXTRA                      ?= $(BASE_PATH)/mkosi.extra
+EXTRA_SEARCH_PATHS               ?=
 IMAGE_VERSION                    ?= v0.0.0
 DEBUG                            ?= false
 AUTOLOGIN                        ?= false
 AUTOLOGIN_ARGS                   := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
 KERNEL_DEBUG_CMDLNE              := $(if $(filter true,$(DEBUG)),constellation.debug) # set "constellation.debug" if DEBUG is true
+SEARCH_PATHS_PARAM               := $(if $(EXTRA_SEARCH_PATHS),--extra-search-path=$(EXTRA_SEARCH_PATHS))
 export INSTALL_DEBUGD            ?= $(DEBUG)
 export CONSOLE_MOTD = $(AUTOLOGIN)
 -include $(CURDIR)/config.mk
@@ -28,6 +30,8 @@ PREBUILT_RPMS_GCP := $(addprefix prebuilt/rpms/gcp/,$(GCP_FIXED_KERNEL_RPMS))
 
 .PHONY: all clean inject-bins $(csps)
 
+.NOTPARALLEL: mkosi.output.%/fedora~37/image.raw clean-%
+
 all: $(csps)
 
 $(csps): %: mkosi.output.%/fedora~37/image.raw
@@ -50,18 +54,23 @@ prebuilt/rpms/azure/%.rpm:
 	@mkdir -p $(@D)
 	@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.18/200.fc37/x86_64/$*.rpm
 
-mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs
-	mkosi --config mkosi.files/mkosi.$*.conf \
+mkosi.output.%/fedora~37/image.raw: inject-bins inject-certs
+	rm -rf .csp/
+	mkdir -p .csp/
+	touch .csp/$*
+	mkosi \
 		--image-version=$(IMAGE_VERSION) \
 		$(AUTOLOGIN_ARGS) \
 		--environment=INSTALL_DEBUGD \
 		--environment=CONSOLE_MOTD \
 		--kernel-command-line="$(KERNEL_DEBUG_CMDLNE)" \
+		$(SEARCH_PATHS_PARAM) \
 		build
 	secure-boot/signed-shim.sh $@
 	@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
 		chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
 	fi
+	rm -rf .csp/
 	@echo "Image is ready: $@"
 
 inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILT_RPMS_AZURE) $(PREBUILT_RPMS_GCP)
@@ -84,19 +93,16 @@ inject-certs: $(certs)
 	mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto"
 	cp $(PKI)/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto"
 	cp $(PKI)/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto"
-	cp $(PKI)/{PK,KEK,db}.esl "$(MKOSI_EXTRA)/boot/loader/keys/auto"
-	cp $(PKI)/{PK,KEK,db}.auth "$(MKOSI_EXTRA)/boot/loader/keys/auto"
-	# for manual enrollment using sbkeysync
-	mkdir -p $(MKOSI_EXTRA)/etc/secureboot/keys/{db,dbx,KEK,PK}
-	cp $(PKI)/db.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/db/"
-	cp $(PKI)/KEK.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/KEK/"
-	cp $(PKI)/PK.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/PK/"
 
 clean-cache:
 	rm -rf mkosi.cache/*
 
 clean-%:
-	mkosi --config mkosi.files/mkosi.$*.conf clean
+	rm -rf .csp/
+	mkdir -p .csp/
+	touch .csp/$*
+	mkosi clean
+	rm -rf .csp/
 
 clean:
 	rm -rf mkosi.output.*

image/README.md

@@ -6,10 +6,40 @@
     cd /tmp/
     git clone https://github.com/systemd/mkosi
     cd mkosi
+    git checkout d8b32fbf3077b612db0024276e73cec3c2c87577
     tools/generate-zipapp.sh
     cp builddir/mkosi /usr/local/bin/
     ```
 
+- Build systemd tooling (from git):
+
+    Ubuntu and Fedora ship outdated versions of systemd tools, so you need to build them from source:
+
+    ```sh
+    # Ubuntu
+    echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
+    sudo apt-get update
+    sudo apt-get build-dep systemd
+    sudo apt-get install libfdisk-dev
+    # Fedora
+    sudo dnf builddep systemd
+
+    git clone https://github.com/systemd/systemd --depth=1
+    meson systemd/build systemd -Drepart=true -Defi=true -Dbootloader=true
+    BINARIES=(
+        bootctl
+        systemctl
+        systemd-analyze
+        systemd-dissect
+        systemd-nspawn
+        systemd-repart
+        ukify
+    )
+    ninja -C systemd/build ${BINARIES[@]}
+    SYSTEMD_BIN=$(realpath systemd/build)
+    echo installed systemd tools to "${SYSTEMD_BIN}"
+    ```
+
 - Install tools:
 
     <details>
@@ -18,22 +48,27 @@
     ```sh
     sudo apt-get update
     sudo apt-get install --assume-yes --no-install-recommends \
-        dnf \
-        systemd-container \
-        qemu-system-x86 \
-        qemu-utils \
-        ovmf \
-        e2fsprogs \
-        squashfs-tools \
-        efitools \
-        sbsigntool \
+        bubblewrap \
         coreutils \
         curl \
+        dnf \
+        e2fsprogs \
+        efitools \
         jq \
-        util-linux \
-        virt-manager \
+        mtools \
+        ovmf \
         python3-crc32c \
-        rpm
+        python3-pefile \
+        python3-pyelftools \
+        python3-setuptools \
+        qemu-system-x86 \
+        qemu-utils \
+        rpm \
+        sbsigntool \
+        squashfs-tools \
+        systemd-container \
+        util-linux \
+        virt-manager
     ```
 
     </details>
@@ -43,6 +78,7 @@
 
     ```sh
     sudo dnf install -y \
+        bubblewrap \
         edk2-ovmf \
         systemd-container \
         qemu \
@@ -68,13 +104,14 @@ When building your first image, prepare the secure boot PKI (see `secure-boot/ge
 After that, you can build the image with:
 
 ```sh
+# export SYSTEMD_BIN=<path to systemd tools>
 # OPTIONAL: to create a debug image, export the following line
 # export DEBUG=true
 # OPTIONAL: to enable the serial console, export the following line
 # export AUTOLOGIN=true
 # OPTIONAL: symlink custom path to secure boot PKI to ./pki
 # ln -s /path/to/pki/folder ./pki
-sudo make -j $(nproc)
+sudo make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -j $(nproc)
 ```
 
 Raw images will be placed in `mkosi.output.<CSP>/fedora~37/image.raw`.

image/mkosi.conf.d/mkosi.aws.conf

@@ -1,9 +1,11 @@
+[Match]
+PathExists=../.csp/aws
+
 [Output]
 KernelCommandLine=constel.csp=aws constel.attestation-variant=aws-nitro-tpm
 OutputDirectory=mkosi.output.aws
 
 [Content]
-BasePackages=conditional
 Packages=kernel
          kernel-core
          kernel-modules

image/mkosi.conf.d/mkosi.azure.conf

@@ -1,10 +1,12 @@
+[Match]
+PathExists=../.csp/azure
+
 [Output]
 KernelCommandLine=constel.csp=azure constel.attestation-variant=azure-sev-snp
 OutputDirectory=mkosi.output.azure
 
 # replace kernel
 [Content]
-BasePackages=conditional
 Packages=prebuilt/rpms/azure/kernel-6.1.18-200.fc37.x86_64.rpm
          prebuilt/rpms/azure/kernel-core-6.1.18-200.fc37.x86_64.rpm
          prebuilt/rpms/azure/kernel-modules-6.1.18-200.fc37.x86_64.rpm

image/mkosi.conf.d/mkosi.conf

@@ -3,13 +3,10 @@ Distribution=fedora
 Release=37
 
 [Output]
-Format=gpt_squashfs
+Format=disk
 ManifestFormat=json,changelog
 Bootable=yes
-KernelCommandLine=mitigations=auto,nosmt preempt=full rd.shell=0 rd.emergency=reboot loglevel=8
-WithUnifiedKernelImages=yes
-Verity=yes
-CompressFs=zstd
+KernelCommandLine=mitigations=auto,nosmt preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 console=ttyS0
 SplitArtifacts=yes
 # Enable Secure Boot with own PKI
 SecureBoot=yes
@@ -20,19 +17,12 @@ SecureBootCertificate=pki/db.crt
 ImageId=constellation
 Output=image.raw
 
-[Partitions]
-ESPSize=512M
-
 [Content]
-BasePackages=conditional
 Packages=prebuilt/rpms/systemd/systemd-251.11-2.fc37.x86_64.rpm
          prebuilt/rpms/systemd/systemd-libs-251.11-2.fc37.x86_64.rpm
          prebuilt/rpms/systemd/systemd-networkd-251.11-2.fc37.x86_64.rpm
          prebuilt/rpms/systemd/systemd-pam-251.11-2.fc37.x86_64.rpm
          prebuilt/rpms/systemd/systemd-resolved-251.11-2.fc37.x86_64.rpm
          prebuilt/rpms/systemd/systemd-udev-251.11-2.fc37.x86_64.rpm
-         util-linux
          dracut
-
-[Host]
-QemuHeadless=yes
+         util-linux

image/mkosi.conf.d/mkosi.gcp.conf

@@ -1,10 +1,12 @@
+[Match]
+PathExists=../.csp/gcp
+
 [Output]
 KernelCommandLine=constel.csp=gcp constel.attestation-variant=gcp-sev-es
 OutputDirectory=mkosi.output.gcp
 
 # replace kernel
 [Content]
-BasePackages=conditional
 Packages=prebuilt/rpms/gcp/kernel-6.1.18-200.fc37.x86_64.rpm
          prebuilt/rpms/gcp/kernel-core-6.1.18-200.fc37.x86_64.rpm
          prebuilt/rpms/gcp/kernel-modules-6.1.18-200.fc37.x86_64.rpm

image/mkosi.conf.d/mkosi.openstack.conf

@@ -1,3 +1,6 @@
+[Match]
+PathExists=../.csp/openstack
+
 [Output]
 KernelCommandLine=constel.csp=openstack constel.attestation-variant=dummy mem_encrypt=on kvm_amd.sev=1 module_blacklist=qemu_fw_cfg console=tty0 console=ttyS0
 OutputDirectory=mkosi.output.openstack
@@ -5,7 +8,6 @@ OutputDirectory=mkosi.output.openstack
 [Content]
 Autologin=yes
 Environment=CONSOLE_MOTD=true
-BasePackages=conditional
 Packages=kernel
          kernel-core
          kernel-modules

image/mkosi.conf.d/mkosi.qemu.conf

@@ -1,3 +1,6 @@
+[Match]
+PathExists=../.csp/qemu
+
 [Output]
 KernelCommandLine=constel.csp=qemu constel.attestation-variant=qemu-vtpm
 OutputDirectory=mkosi.output.qemu
@@ -5,7 +8,6 @@ OutputDirectory=mkosi.output.qemu
 [Content]
 Autologin=yes
 Environment=CONSOLE_MOTD=true
-BasePackages=conditional
 Packages=kernel
          kernel-core
          kernel-modules

image/mkosi.conf.d/selinux.conf

@@ -1,3 +1,8 @@
 [Output]
 # set selinux to permissive
-KernelCommandLine=!selinux=0 selinux=1 enforcing=0
+KernelCommandLine=!selinux=0 selinux=1 enforcing=0 audit=0
+
+[Content]
+# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
+Packages=selinux-policy,
+         selinux-policy-targeted,

image/mkosi.repart/00-esp.conf

@@ -0,0 +1,6 @@
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+SizeMinBytes=256M
+SizeMaxBytes=512M

image/mkosi.repart/10-root.conf

@@ -0,0 +1,7 @@
+[Partition]
+Type=root
+Format=squashfs
+Verity=data
+VerityMatchKey=root
+CopyFiles=/
+Minimize=guess

image/mkosi.repart/20-root-verity.conf

@@ -0,0 +1,6 @@
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=root
+SizeMinBytes=64M
+SizeMaxBytes=64M

image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh

@@ -6,8 +6,9 @@
 # Note: This script is sourced.
 
 depends() {
-  # expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
-  echo systemd-network-management
+  # systemd-network-management expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
+  echo dracut-systemd systemd-network-management systemd-veritysetup systemd-udevd
+  return 0
 }
 
 install_and_enable_unit() {
@@ -79,4 +80,15 @@ install() {
 
   # backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
   inst_simple "${moddir}/sysusers-dracut.conf" "${systemdsystemunitdir}/systemd-sysusers.service.d/sysusers-dracut.conf"
+  # force systemd-networkd in initrd
+  install_and_enable_unit "systemd-networkd.service" \
+    "basic.target"
+  # shellcheck disable=SC2154
+  inst_multiple -o \
+    "${tmpfilesdir}"/systemd-network.conf \
+    "${systemdnetwork}"/80-6rd-tunnel.network \
+    "${systemdnetwork}"/80-container-vb.network \
+    "${systemdsystemunitdir}"/systemd-networkd-wait-online@.service
+  inst_simple /usr/lib/systemd/resolved.conf.d/fallback_dns.conf \
+    /usr/lib/systemd/resolved.conf.d/fallback_dns.conf
 }

image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf

@@ -0,0 +1,2 @@
+[Resolve]
+FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9

image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset

@@ -4,5 +4,7 @@ enable constellation-bootstrapper.service
 enable containerd.service
 enable kubelet.service
 enable systemd-networkd.service
+enable systemd-networkd.socket
+enable systemd-resolved.service
 enable measurements.service
 enable export_constellation_debug.service