From 1941d0a27d5c805151272ac98bf62733cc59733b Mon Sep 17 00:00:00 2001 From: Ashwin Gopalan Date: Fri, 18 Aug 2023 16:10:45 -0700 Subject: [PATCH 1/2] Arm64 changes built on top of older commit Bootkit can still build on both x86 and arm64 with the changes. However, it needs to be readapted to be compatible with the latest main. Signed-off-by: Ashwin Gopalan --- Makefile | 2 ++ layers/bootkit/stacker.yaml | 12 +++---- layers/build-krd/dracut/bootkit.conf | 6 +++- layers/build-krd/dracut/soci/module-setup.sh | 6 +++- layers/build-krd/stacker.yaml | 8 ++++- layers/mos/stacker.yaml | 11 ++++-- layers/shim/stacker.yaml | 8 ++++- layers/stubby/stacker.yaml | 2 +- layers/uki/stacker.yaml | 2 +- layers/{ovmf => virt-firmware}/stacker.yaml | 37 ++++++++++++++------ subs.mk | 3 ++ 11 files changed, 72 insertions(+), 25 deletions(-) rename layers/{ovmf => virt-firmware}/stacker.yaml (67%) diff --git a/Makefile b/Makefile index 7162fbf..a53ad0a 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,7 @@ NAME := bootkit +ARCH := $(shell uname -m ) + include subs.mk include common.mk diff --git a/layers/bootkit/stacker.yaml b/layers/bootkit/stacker.yaml index 5049179..79e34b0 100644 --- a/layers/bootkit/stacker.yaml +++ b/layers/bootkit/stacker.yaml @@ -3,7 +3,7 @@ config: - ../kernel/stacker.yaml - ../shim/stacker.yaml - ../uki/stacker.yaml - - ../ovmf/stacker.yaml + - ../virt-firmware/stacker.yaml bootkit-assemble: build_only: true @@ -13,7 +13,7 @@ bootkit-assemble: import: - stacker://shim-build/export/shim.tar - stacker://uki-build/export/uki.tar - - stacker://ovmf-build/export/ovmf.tar + - stacker://virt-firmware-build/export/virt-firmware.tar - stacker://kernel-build/export/boot.tar - stacker://kernel-build/export/modules.squashfs run: | @@ -23,15 +23,15 @@ bootkit-assemble: tar -C "$d" -xf /stacker/shim.tar tar -C "$d" -xf /stacker/uki.tar - tar -C "$d" -xf /stacker/ovmf.tar + tar -C "$d" -xf /stacker/virt-firmware.tar prepd="$d/bootkit" mkdir "$prepd" cp "$d/shim/shim.efi" "$prepd/shim.efi" cp "$d/uki/kernel.efi" "$prepd/kernel.efi" - cp "$d/ovmf/ovmf-vars.fd" "$prepd/ovmf-vars.fd" - cp "$d/ovmf/ovmf-vars-empty.fd" "$prepd/ovmf-vars-empty.fd" - cp "$d/ovmf/ovmf-code.fd" "$prepd/ovmf-code.fd" + cp "$d/virt-fw/virt-firmware-vars.fd" "$prepd/virt-firmware-vars.fd" + cp "$d/virt-fw/virt-firmware-vars-empty.fd" "$prepd/virt-firmware-vars-empty.fd" + cp "$d/virt-fw/virt-firmware-code.fd" "$prepd/virt-firmware-code.fd" cp /stacker/boot.tar /stacker/modules.squashfs "$prepd" mkdir /export diff --git a/layers/build-krd/dracut/bootkit.conf b/layers/build-krd/dracut/bootkit.conf index 52511c0..e1ebb3f 100644 --- a/layers/build-krd/dracut/bootkit.conf +++ b/layers/build-krd/dracut/bootkit.conf @@ -1 +1,5 @@ -early_microcode="yes" +if [ "${ARCH}" = "aarch64" ]; then + early_microcode="no" +else + early_microcode="yes" +fi \ No newline at end of file diff --git a/layers/build-krd/dracut/soci/module-setup.sh b/layers/build-krd/dracut/soci/module-setup.sh index 41a44f3..69e89dc 100755 --- a/layers/build-krd/dracut/soci/module-setup.sh +++ b/layers/build-krd/dracut/soci/module-setup.sh @@ -33,7 +33,11 @@ install() { tpm2_nvread tpm2_nvreadpublic tpm2_pcrextend tpm2_pcrread \ tpm2_policyauthorize tpm2_policynv tpm2_policypcr \ tpm2_startauthsession tpm2_verifysignature tpm2_nvwrite - inst /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0 + if [ "$ARCH" = "aarch64" ]; then + inst /usr/lib/aarch64-linux-gnu/libtss2-tcti-device.so.0 + elif [ "$ARCH" = "x86_64" ]; then + inst /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0 + fi inst curl inst git # needed for manifest reading, for now #inst /usr/ib/git-core/git-upload-pack diff --git a/layers/build-krd/stacker.yaml b/layers/build-krd/stacker.yaml index e0c5cb4..1940e53 100644 --- a/layers/build-krd/stacker.yaml +++ b/layers/build-krd/stacker.yaml @@ -9,6 +9,7 @@ build-krd-pkg: tag: minbase run: | #!/bin/bash -ex + ARCH=$(uname -m) pkgs=( ) # packages used for initrd runtime or dracut initrd build. pkgs=( "${pkgs[@]}" @@ -30,7 +31,12 @@ build-krd-pkg: # packages used by build-initrd pkgs=( "${pkgs[@]}" cpio dracut-core fakeroot pigz ) # firmware - pkgs=( "${pkgs[@]}" linux-firmware intel-microcode amd64-microcode ) + if [ "$ARCH" = "x86_64" ]; then + pkgs=( "${pkgs[@]}" linux-firmware intel-microcode amd64-microcode ) + elif [ "$ARCH" = "aarch64" ]; then + pkgs=( "${pkgs[@]}" linux-firmware util-linux ) + fi + # uki tools pkgs=( "${pkgs[@]}" efitools pigz ) diff --git a/layers/mos/stacker.yaml b/layers/mos/stacker.yaml index 4d55e29..49019dd 100644 --- a/layers/mos/stacker.yaml +++ b/layers/mos/stacker.yaml @@ -8,7 +8,8 @@ mos-build: type: built tag: build-krd import: - - ${{MOSCTL_BINARY:https://github.com/project-machine/mos/releases/download/0.0.9/mosctl}} + - ${{MOSCTL_BINARY:https://github.com/project-machine/mos/releases/download/0.0.11/mosctl}} + - ${{ZOT_BINARY:https://github.com/project-zot/zot/releases/download/v1.4.3/zot-linux-arm64-minimal}} - ${{ZOT_BINARY:https://github.com/project-zot/zot/releases/download/v1.4.3/zot-linux-amd64-minimal}} - zot-config.json run: | @@ -23,7 +24,13 @@ mos-build: cp /stacker/zot-config.json "$workd/etc/" mkdir -p "$workd/usr/bin" - for bin in mosctl:mosctl zot-linux-amd64-minimal:zot ; do + ARCH=$(uname -m) + if [ "$ARCH" = "aarch64" ]; then + zotarch=arm64 + else + zotarch=amd64 + fi + for bin in mosctl:mosctl zot-linux-${zotarch}-minimal:zot ; do t=$workd/usr/bin/${bin#*:} cp -v /stacker/${bin%:*} $t chmod 755 $t diff --git a/layers/shim/stacker.yaml b/layers/shim/stacker.yaml index af3b6c9..8d2ee3a 100644 --- a/layers/shim/stacker.yaml +++ b/layers/shim/stacker.yaml @@ -28,6 +28,7 @@ shim-build: d=$(mktemp -d) trap "rm -Rf $d" EXIT + ARCH=$(uname -m) cd $d keydir=$(echo /import/keys/*) [ -d "$keydir" ] @@ -80,7 +81,12 @@ shim-build: sha256sum *.efi mkdir $d/shim - cp $shimd/shimx64.efi $d/shim/shim-unsigned.efi + if [ "$ARCH" = "x86_64" ]; then + cp $shimd/shimx64.efi $d/shim/shim-unsigned.efi + elif [ "$ARCH" = "aarch64" ]; then + cp $shimd/shimaa64.efi $d/shim/shim-unsigned.efi + fi + sbsign \ "--cert=$keydir/uefi-db/cert.pem" \ "--key=$keydir/uefi-db/privkey.pem" \ diff --git a/layers/stubby/stacker.yaml b/layers/stubby/stacker.yaml index 305c553..824dbdb 100644 --- a/layers/stubby/stacker.yaml +++ b/layers/stubby/stacker.yaml @@ -16,7 +16,7 @@ stubby-build: type: built tag: stubby-build-env import: - - "https://github.com/puzzleos/stubby/archive/refs/tags/v1.0.1.tar.gz" + - https://github.com/puzzleos/stubby/archive/refs/tags/v1.0.2.tar.gz run: | #!/bin/bash -ex tarball=$(echo /stacker/v*.tar.gz) diff --git a/layers/uki/stacker.yaml b/layers/uki/stacker.yaml index 74995d1..cc2c1a2 100644 --- a/layers/uki/stacker.yaml +++ b/layers/uki/stacker.yaml @@ -49,7 +49,7 @@ uki-build: tar -C "$d" -xf /stacker/stubby.tar [ -f "$stubefi" ] || { echo "stubby.tar did not have a stubby/stubby.efi"; exit 1; } - + stubefi="/usr/lib/systemd/boot/efi/linuxaa64.efi.stub" keyworkd="$d/keyworkd" mkdir "$keyworkd" cp "$keydir/manifest-ca/cert.pem" "$keyworkd/manifestCA.pem" diff --git a/layers/ovmf/stacker.yaml b/layers/virt-firmware/stacker.yaml similarity index 67% rename from layers/ovmf/stacker.yaml rename to layers/virt-firmware/stacker.yaml index 7ef0654..a62a228 100644 --- a/layers/ovmf/stacker.yaml +++ b/layers/virt-firmware/stacker.yaml @@ -2,20 +2,27 @@ config: prerequisites: - ../minbase/stacker.yaml -ovmf-build-env: +virt-firmware-build-env: build_only: true from: type: built tag: minbase run: | - pkgtool install python3 python3-pip ovmf + pkgtool install python3 python3-pip + ARCH=$(uname -m) + if [ "$ARCH" = "aarch64" ]; then + pkgtool install qemu-system-arm qemu-efi-aarch64 + else + pkgtool install ovmf + fi + pip install virt-firmware -ovmf-build: +virt-firmware-build: build_only: true from: type: built - tag: ovmf-build-env + tag: virt-firmware-build-env import: - path: ${{KEYSET_D}}/ dest: /import/keys/ @@ -23,7 +30,9 @@ ovmf-build: d=$(mktemp -d) trap "rm -Rf $d" EXIT - mkdir "$d/ovmf" + ARCH=$(uname -m) + + mkdir "$d/virt-fw" keydir=$(echo /import/keys/*) [ -d "$keydir" ] @@ -56,10 +65,16 @@ ovmf-build: echo "$guid" "$certf" } - codef=/usr/share/OVMF/OVMF_CODE.secboot.fd - varsf=/usr/share/OVMF/OVMF_VARS.fd - cp "$codef" "$d/ovmf/ovmf-code.fd" - cp "$varsf" "$d/ovmf/ovmf-vars-empty.fd" + if [ "$ARCH" = "aarch64" ]; then + codef=/usr/share/AAVMF/AAVMF_CODE.ms.fd + varsf=/usr/share/AAVMF/AAVMF_VARS.ms.fd + else + codef=/usr/share/OVMF/OVMF_CODE.secboot.fd + varsf=/usr/share/OVMF/OVMF_VARS.fd + fi + + cp "$codef" "$d/virt-fw/virt-firmware-code.fd" + cp "$varsf" "$d/virt-fw/virt-firmware-vars-empty.fd" set +x set -- \ --set-pk $(getGuidCert "$keydir" uefi-pk) \ @@ -70,10 +85,10 @@ ovmf-build: set -x virt-fw-vars \ "--input=$varsf" \ - "--output=$d/ovmf/ovmf-vars.fd" \ + "--output=$d/virt-fw/virt-firmware-vars.fd" \ --secure-boot \ --no-microsoft \ "$@" mkdir /export - tar -C "$d" -cvf /export/ovmf.tar ovmf + tar -C "$d" -cvf /export/virt-firmware.tar virt-fw diff --git a/subs.mk b/subs.mk index 75d99f0..6f0dbf6 100644 --- a/subs.mk +++ b/subs.mk @@ -1,5 +1,8 @@ KEYSET ?= snakeoil DOCKER_BASE ?= docker:// +ifeq (${ARCH},aarch64) +UBUNTU_MIRROR := http://ports.ubuntu.com/ubuntu-ports +endif UBUNTU_MIRROR ?= http://archive.ubuntu.com/ubuntu KEYSET_D ?= $(HOME)/.local/share/machine/trust/keys/$(KEYSET) From 02bfc5262f3b14a52d45cfc97e07d36caa33a07e Mon Sep 17 00:00:00 2001 From: Ashwin Gopalan Date: Fri, 18 Aug 2023 16:13:56 -0700 Subject: [PATCH 2/2] Accidentally used prepackaged stub in layers/uki/stacker In the previous code I set stubefi="/usr/lib/systemd/boot/efi/linuxaa64.efi.stub" for testing purposes. It should, however, stay as stubefi="$d/stubby/stubby.efi" Signed-off-by: Ashwin Gopalan --- layers/uki/stacker.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/layers/uki/stacker.yaml b/layers/uki/stacker.yaml index cc2c1a2..1df2078 100644 --- a/layers/uki/stacker.yaml +++ b/layers/uki/stacker.yaml @@ -49,7 +49,6 @@ uki-build: tar -C "$d" -xf /stacker/stubby.tar [ -f "$stubefi" ] || { echo "stubby.tar did not have a stubby/stubby.efi"; exit 1; } - stubefi="/usr/lib/systemd/boot/efi/linuxaa64.efi.stub" keyworkd="$d/keyworkd" mkdir "$keyworkd" cp "$keydir/manifest-ca/cert.pem" "$keyworkd/manifestCA.pem"