From c58412bcd211b6e024e7cbfe0be964e22d07ad30 Mon Sep 17 00:00:00 2001
From: Malte Poll
Date: Wed, 25 Jan 2023 15:35:48 +0100
Subject: [PATCH] image: migrate mkosi config to systemd-repart

---
image/Makefile | 3 +-
image/README.md | 55 ++++++++++++++-----
image/mkosi.conf.d/mkosi.conf | 5 +-
image/mkosi.conf.d/selinux.conf | 2 +-
image/mkosi.repart/00-resp.conf | 6 ++
image/mkosi.repart/10-root.conf | 7 +++
image/mkosi.repart/20-root-verity.conf | 6 ++
.../system-preset/30-constellation.preset | 1 +
image/packages/Makefile | 5 +-
9 files changed, 67 insertions(+), 23 deletions(-)
create mode 100644 image/mkosi.repart/00-resp.conf
create mode 100644 image/mkosi.repart/10-root.conf
create mode 100644 image/mkosi.repart/20-root-verity.conf

diff --git a/image/Makefile b/image/Makefile
index 64a2aa431..516cb9100 100644
--- a/image/Makefile
+++ b/image/Makefile
@@ -6,6 +6,7 @@ DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
 UPGRADE_AGENT_BINARY ?= $(BASE_PATH)/../build/upgrade-agent
 PKI ?= $(BASE_PATH)/pki
 MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
+EXTRA_SEARCH_PATHS ?=
 IMAGE_VERSION ?= v0.0.0
 AUTOLOGIN ?= false
 AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
@@ -36,7 +37,7 @@ prebuilt/rpms/azure/%.rpm:
 @curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.7/200.fc37/x86_64/$*.rpm
 mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs
- mkosi --config mkosi.files/mkosi.$*.conf --image-version=$(IMAGE_VERSION) $(AUTOLOGIN_ARGS) --environment=CONSOLE_MOTD build
+ mkosi --config mkosi.files/mkosi.$*.conf --image-version=$(IMAGE_VERSION) $(AUTOLOGIN_ARGS) --environment=CONSOLE_MOTD --extra-search-paths "$(EXTRA_SEARCH_PATHS)" build
 secure-boot/signed-shim.sh $@
 @if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
 chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
diff --git a/image/README.md b/image/README.md
index fe86baeb0..966f9b3d7 100644
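Review bot: With `EXTRA_SEARCH_PATHS` left at its empty default from the first hunk, the rewritten `mkosi` recipe passes a literal empty argument, `--extra-search-paths ""`, rather than omitting the option; whether mkosi treats that as "no extra path" is not established by the page, so the plain `make` invocation may now behave differently from before. The file already has the idiom for optional flags in `AUTOLOGIN_ARGS`; mirror it with `EXTRA_SEARCH_PATHS_ARGS := $(if $(strip $(EXTRA_SEARCH_PATHS)),--extra-search-paths "$(EXTRA_SEARCH_PATHS)")` and use `$(EXTRA_SEARCH_PATHS_ARGS)` in the recipe. Because this directory is put in front of mkosi's tool lookup, a comment on the variable such as `# directory of trusted, locally built systemd tools (README: SYSTEMD_BIN); searched before PATH by mkosi` would record the trust assumption; `image/packages/Makefile` gains the same variable, and its consumer lies outside that hunk. Unrelated to the change but in the same recipe, `[ -n $(SUDO_UID) ]` is always true when the variable is empty because the unquoted test collapses to `[ -n ]`; quoting it as `[ -n "$(SUDO_UID)" ] && [ -n "$(SUDO_GID)" ]` restores the intended check. The recipe continues past the end of the hunk.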
--- a/image/README.md
+++ b/image/README.md
@@ -10,6 +10,26 @@
 cp builddir/mkosi /usr/local/bin/
 ```
+- Build systemd tooling (from git):
+
+ Ubuntu and Fedora ship outdated versions of systemd tools, so you need to build them from source:
+
+ ```sh
+ # Ubuntu
+ echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
+ sudo apt-get update
+ sudo apt-get build-dep systemd
+ sudo apt-get install libfdisk-dev
+ # Fedora
+ sudo dnf builddep systemd
+
+ git clone https://github.com/systemd/systemd --depth=1
+ meson systemd/build systemd -Drepart=true -Defi=true
+ ninja -C systemd/build systemd-nspawn systemd-dissect systemd-repart systemd-analyze bootctl ukify
+ SYSTEMD_BIN=$(realpath systemd/build)
+ echo installed systemd tools to "${SYSTEMD_BIN}"
+ ```
+
 - Install tools:
@@ -18,22 +38,24 @@
 ```sh
 sudo apt-get update
 sudo apt-get install --assume-yes --no-install-recommends \
- dnf \
- systemd-container \
- qemu-system-x86 \
- qemu-utils \
- ovmf \
- e2fsprogs \
- squashfs-tools \
- efitools \
- sbsigntool \
 coreutils \
 curl \
+ dnf \
+ e2fsprogs \
+ efitools \
 jq \
- util-linux \
- virt-manager \
+ mtools \
+ ovmf \
 python3-crc32c \
- rpm
+ python3-pefile \
+ qemu-system-x86 \
+ qemu-utils \
+ rpm \
+ sbsigntool \
+ squashfs-tools \
+ systemd-container \
+ util-linux \
+ virt-manager
 ```
@@ -67,20 +89,23 @@ When building your first image, prepare the secure boot PKI (see `secure-boot/ge
 Second, you need to prepare the local RPM repository.
 This is only necessary for the first build, or when you want to update the packages in the repository.
-```sh:
-make -C ./packages pull repo
+`SYSTEMD_BIN` is the path to the systemd tools you built in the previous step.
+
+```sh
+make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -C ./packages pull repo
 ```
 After that, you can build the image with:
 ```sh
+# export SYSTEMD_BIN=
 # OPTIONAL: to create a debug image, export the following line
 # export BOOTSTRAPPER_BINARY=$(realpath ${PWD}/../../build/debugd)
 # OPTIONAL: to enable the serial console, export the following line
 # export AUTOLOGIN=true
 # OPTIONAL: symlink custom path to secure boot PKI to ./pki
 # ln -s /path/to/pki/folder ./pki
-sudo make -j $(nproc)
+sudo make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -j $(nproc)
 ```
 Raw images will be placed in `mkosi.output./fedora~37/image.raw`.
diff --git a/image/mkosi.conf.d/mkosi.conf b/image/mkosi.conf.d/mkosi.conf
index a60b9c468..2e63096c0 100644
--- a/image/mkosi.conf.d/mkosi.conf
+++ b/image/mkosi.conf.d/mkosi.conf
@@ -3,13 +3,10 @@ Distribution=fedora
 Release=37
 [Output]
-Format=gpt_squashfs
+Format=disk
 ManifestFormat=json,changelog
 Bootable=yes
 KernelCommandLine=mitigations=auto,nosmt preempt=full loglevel=8
-WithUnifiedKernelImages=yes
-Verity=yes
-CompressFs=zstd
 SplitArtifacts=yes
 # Enable Secure Boot with own PKI
 SecureBoot=yes
diff --git a/image/mkosi.conf.d/selinux.conf b/image/mkosi.conf.d/selinux.conf
index 2eddf3550..1ee4c741b 100644
--- a/image/mkosi.conf.d/selinux.conf
+++ b/image/mkosi.conf.d/selinux.conf
@@ -1,3 +1,3 @@
 [Output]
 # set selinux to permissive
-KernelCommandLine=!selinux=0 selinux=1 enforcing=0
+KernelCommandLine=!selinux=0 selinux=1 enforcing=0 audit=0
diff --git a/image/mkosi.repart/00-resp.conf b/image/mkosi.repart/00-resp.conf
new file mode 100644
index 000000000..126d27fb0
--- /dev/null
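Review bot: After this hunk `[Output]` in mkosi.conf only states `Format=disk`, and the deleted `Verity=yes`, `CompressFs=zstd` and `WithUnifiedKernelImages=yes` lines leave no trace of where the root-integrity protection now lives; a reader of this file alone cannot tell whether verity was dropped or moved. A comment above `Format=disk`, e.g. `# Partition layout, squashfs root and dm-verity hash partition are defined in ../mkosi.repart/`, keeps the security-relevant intent visible next to the `SecureBoot=yes` comment that the file already has. One thing to confirm on a built image rather than assume: with `Verity=yes` gone, the root hash still has to reach the kernel command line (`roothash=`) of the unified kernel image for dm-verity to be enforced at boot, which presumably mkosi now derives from the repart output.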
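Review bot: The comment on the line above the change in selinux.conf still reads `# set selinux to permissive`, but the new `audit=0` does more than that: it switches off the kernel audit subsystem at boot, so no AVC denials or other audit records are produced at all, and the preset hunk's `mask systemd-journald-audit.socket` additionally removes journald's audit listener. Document the intent and the trade-off next to the key, e.g. `# audit=0: disable the kernel audit subsystem (no AVC/audit records; paired with masking systemd-journald-audit.socket in the preset)`. If the aim was only to silence permissive-mode AVC noise, it is worth stating whether losing the audit trail, a detection and forensics source, is acceptable for production images, since the same line applies to every image built from this config.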
+++ b/image/mkosi.repart/00-resp.conf
@@ -0,0 +1,6 @@
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+SizeMinBytes=256M
+SizeMaxBytes=512M
diff --git a/image/mkosi.repart/10-root.conf b/image/mkosi.repart/10-root.conf
new file mode 100644
index 000000000..10ac90529
--- /dev/null
+++ b/image/mkosi.repart/10-root.conf
@@ -0,0 +1,7 @@
+[Partition]
+Type=root
+Format=squashfs
+Verity=data
+VerityMatchKey=root
+CopyFiles=/
+Minimize=guess
diff --git a/image/mkosi.repart/20-root-verity.conf b/image/mkosi.repart/20-root-verity.conf
new file mode 100644
index 000000000..352c50d55
--- /dev/null
+++ b/image/mkosi.repart/20-root-verity.conf
@@ -0,0 +1,6 @@
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=root
+SizeMinBytes=64M
+SizeMaxBytes=64M
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset b/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
index 5e846e63b..6a45cda35 100644
--- a/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
+++ b/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
@@ -5,3 +5,4 @@ enable containerd.service
 enable kubelet.service
 enable systemd-networkd.service
 enable tpm-pcrs.service
+mask systemd-journald-audit.socket
diff --git a/image/packages/Makefile b/image/packages/Makefile
index e2bf1fc4e..660fcae2e 100644
--- a/image/packages/Makefile
+++ b/image/packages/Makefile
@@ -2,8 +2,9 @@ SHELL = /bin/bash
 SRC_PATH = $(CURDIR)
 BASE_PATH ?= $(SRC_PATH)
 MKOSI_CACHE ?= $(BASE_PATH)/mkosi.cache
-REPODIR ?= $(BASE_PATH)/repo
-ORAS_IMAGE ?= ghcr.io/edgelesssys/constellation-rpms
+REPODIR ?= $(BASE_PATH)/repo
+ORAS_IMAGE ?= ghcr.io/edgelesssys/constellation-rpms
+EXTRA_SEARCH_PATHS ?=
 MKOSI ?= mkosi
 .PHONY: all clean update repo testrepo
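Review bot: The ESP definition is added as `00-resp.conf` while its content says `Type=esp`; this looks like a typo for `00-esp.conf` and is cheapest to rename now, before anything refers to the file name. None of the three new repart files carries a comment, although they encode the image's integrity model together: a header in `10-root.conf` such as `# Root filesystem: squashfs, integrity-protected by the dm-verity hash partition in 20-root-verity.conf (paired via VerityMatchKey=root)`, with the mirror sentence in `20-root-verity.conf`, records why `VerityMatchKey=root` must stay identical in both and why `Verity=data`/`Verity=hash` must not be swapped. `20-root-verity.conf` pins the hash partition to exactly 64M via `SizeMinBytes=64M` and `SizeMaxBytes=64M`; if the root filesystem grows until its hash tree no longer fits, the build must fail loudly rather than emit an image whose verity data is incomplete, which is worth confirming against systemd-repart's behaviour and noting in a comment on those two lines.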