authorDaan De Meyer <daan.j.demeyer@gmail.com>2023-05-08 16:06:41 +0200
committerDaan De Meyer <daan.j.demeyer@gmail.com>2023-05-13 10:49:17 +0200
commit47e5e12866af14112452aeb8bc43a66191c6fbc1 (patch)
treef1f38524a56a3e7a5a3957ed638ba493bbb48650 /mkosi.presets
parent724683c27fd35e4828e35320ccfc62f885ca20bc (diff)
downloadsystemd-47e5e12866af14112452aeb8bc43a66191c6fbc1.tar.gz
mkosi: Package a erofs usr partition with signed verity
Let's start moving towards a more involved partitioning setup to test our stuff more when using mkosi. The root partition is generated on boot with systemd-repart. CentOS supports neither erofs nor btrfs so we use squashfs and xfs instead. We also enable SecureBoot= locally for additional coverage. This and the use of verity mean users need to run `mkosi genkey` once to generate the keys necessary to do secure boot and verity.
Diffstat (limited to 'mkosi.presets')
-rw-r--r--mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf1
-rw-r--r--mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf1
-rw-r--r--mkosi.presets/10-initrd/mkosi.conf.d/10-centos.conf3
-rw-r--r--mkosi.presets/10-initrd/mkosi.conf.d/10-default.conf3
-rw-r--r--mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf1
-rw-r--r--mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.conf4
-rw-r--r--mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf5
-rw-r--r--mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf5
-rw-r--r--mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf4
-rw-r--r--mkosi.presets/20-final/mkosi.extra/usr/lib/repart.d/20-root.conf6
-rwxr-xr-xmkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh2
-rw-r--r--mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service6
-rw-r--r--mkosi.presets/20-final/mkosi.repart/00-esp.conf8
-rw-r--r--mkosi.presets/20-final/mkosi.repart/10-usr.conf9
-rw-r--r--mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf2
-rw-r--r--mkosi.presets/20-final/mkosi.repart/11-usr-verity.conf7
-rw-r--r--mkosi.presets/20-final/mkosi.repart/12-usr-verity-sig.conf6
17 files changed, 66 insertions, 7 deletions
diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf
index f5c3afbef4..920e50e42b 100644
--- a/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf
+++ b/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf
@@ -5,6 +5,7 @@ Distribution=debian ubuntu
[Content]
Packages=
+ dmsetup
libfdisk1
libfido2-1
libglib2.0-0
diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf
index 4ed5f6ff7c..c5c44b8df8 100644
--- a/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf
+++ b/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf
@@ -6,6 +6,7 @@ Distribution=opensuse
[Content]
# We install gawk, gzip, grep, xz here explicitly so that the busybox versions don't get installed instead.
Packages=
+ device-mapper
gawk
grep
gzip
diff --git a/mkosi.presets/10-initrd/mkosi.conf.d/10-centos.conf b/mkosi.presets/10-initrd/mkosi.conf.d/10-centos.conf
index c25a17a030..89a207dc71 100644
--- a/mkosi.presets/10-initrd/mkosi.conf.d/10-centos.conf
+++ b/mkosi.presets/10-initrd/mkosi.conf.d/10-centos.conf
@@ -6,3 +6,6 @@ Distribution=centos
[Output]
# TODO: Switch to zstd once we stop building CentOS Stream 8.
CompressOutput=xz
+
+[Content]
+Packages=xfsprogs
diff --git a/mkosi.presets/10-initrd/mkosi.conf.d/10-default.conf b/mkosi.presets/10-initrd/mkosi.conf.d/10-default.conf
index 98f0b7dffb..a2a9352266 100644
--- a/mkosi.presets/10-initrd/mkosi.conf.d/10-default.conf
+++ b/mkosi.presets/10-initrd/mkosi.conf.d/10-default.conf
@@ -5,3 +5,6 @@ Distribution=arch debian fedora opensuse ubuntu
[Output]
CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf
index d89f827839..02e11d095f 100644
--- a/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf
@@ -12,6 +12,7 @@ Packages=
iproute
iproute-tc
kernel-core
+ kernel-modules # For squashfs support
libcap-ng-utils
netcat
openssh-server
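Review bot: The trailing `# For squashfs support` on the `kernel-modules` entry is an inline comment inside a `Packages=` list, whereas the other rationale comments in this commit (10-ubuntu.conf, 10-opensuse.conf) are placed on their own line. Moving it to its own line, `    # kernel-modules provides the squashfs module`, keeps the style consistent and does not depend on the parser stripping trailing comments from list items. The `Packages=` list continues outside the hunk.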
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.conf
new file mode 100644
index 0000000000..af4862d4b1
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
new file mode 100644
index 0000000000..99b846d3a8
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support btrfs so we use xfs instead.
+[Partition]
+Format=xfs
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
new file mode 100644
index 0000000000..393d5f038c
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support erofs so we use squashfs instead.
+[Partition]
+Format=squashfs
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf
index eb88ca7644..e677797c73 100644
--- a/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf
@@ -5,4 +5,6 @@ Distribution=ubuntu
[Content]
Packages=
- linux-virtual
+ # We would like to use linux-image-kvm but it does not have support for dm-verity
+ # See https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040.
+ linux-image-generic
diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.presets/20-final/mkosi.extra/usr/lib/repart.d/20-root.conf
new file mode 100644
index 0000000000..2f92af248f
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
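Review bot: 20-root.conf has no comment explaining why it lives under mkosi.extra/usr/lib/repart.d rather than next to the mkosi.repart definitions, so a reader cannot tell from the file that it is consumed by systemd-repart at boot to create the root partition (which only the commit message states) or why it sets just `SizeMinBytes=`. A header such as `# Consumed by systemd-repart at boot: the root partition is not part of the built image but created on first boot.` would make that explicit. It would also help to mention that `Format=btrfs` is overridden for CentOS by the `20-root.conf.d/xfs.conf` drop-in added in this commit.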
diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
index b86d2d3e69..e6259c42db 100755
--- a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -11,5 +11,3 @@ fi
# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
[[ ! -s /failed-services ]]
-
-: >/testok
diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
index 6539325108..6e35b6f288 100644
--- a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
+++ b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
@@ -4,11 +4,9 @@ Description=Check if any service failed and then shutdown the machine
After=multi-user.target network-online.target
Requires=multi-user.target
Wants=systemd-resolved.service systemd-networkd.service network-online.target
-OnFailure=poweroff.target
-OnFailureJobMode=replace-irreversibly
+SuccessAction=exit
+FailureAction=exit
[Service]
Type=oneshot
-ExecStartPre=-rm -f /failed-services
ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
-ExecStartPost=systemctl poweroff --no-block
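Review bot: `ExecStartPre=-rm -f /failed-services` is dropped while mkosi-check-and-shutdown.sh (earlier in this diff) still tests `[[ ! -s /failed-services ]]`; if the file is created by the part of the script outside that hunk in append mode, or survives between boots of the same image, a stale non-empty file would report a failure from a previous run. I cannot see how the file is written from here, so this may be fine, but a comment next to `ExecStart=` stating that the script recreates the file itself would settle it. The reason for replacing the explicit poweroff with `SuccessAction=exit`/`FailureAction=exit` is also not recorded; a one-line comment above `SuccessAction=` saying what the exit is meant to propagate (presumably the script's status to whatever launched the VM — to be confirmed) would help the next reader.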
diff --git a/mkosi.presets/20-final/mkosi.repart/00-esp.conf b/mkosi.presets/20-final/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000000..96b292ecb8
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.repart/00-esp.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
diff --git a/mkosi.presets/20-final/mkosi.repart/10-usr.conf b/mkosi.presets/20-final/mkosi.repart/10-usr.conf
new file mode 100644
index 0000000000..343761d097
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf
new file mode 100644
index 0000000000..1e54ee19cf
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf
@@ -0,0 +1,2 @@
+[Partition]
+Format=squashfs
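Review bot: This generic drop-in sets `Format=squashfs` under 20-final/mkosi.repart/10-usr.conf.d/, where it appears to apply to every distribution rather than only CentOS, and would therefore override the `Format=erofs` from 10-usr.conf that the commit title announces; the CentOS-specific copy added under 10-centos/mkosi.repart/10-usr.conf.d/ already covers the squashfs case. Unless mkosi applies these drop-ins in a way not visible here, this file looks like a leftover and should be removed. If it is intentional, it also lacks the `# SPDX-License-Identifier: LGPL-2.1-or-later` header and the explanatory comment that every other new file in this commit carries.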
diff --git a/mkosi.presets/20-final/mkosi.repart/11-usr-verity.conf b/mkosi.presets/20-final/mkosi.repart/11-usr-verity.conf
new file mode 100644
index 0000000000..b4d45dd7ef
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.repart/11-usr-verity.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.presets/20-final/mkosi.repart/12-usr-verity-sig.conf b/mkosi.presets/20-final/mkosi.repart/12-usr-verity-sig.conf
new file mode 100644
index 0000000000..1841d0a6db
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.repart/12-usr-verity-sig.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr
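Review bot: 12-usr-verity-sig.conf does not say where the signature comes from: the commit message notes that `mkosi genkey` must be run to produce the key and certificate, but nothing in the file records that this partition is only meaningful when that key material is present at build time. A header such as `# Signature over the usr-verity root hash; needs the key/certificate generated by 'mkosi genkey'.` would help. It is also worth stating, if known, which side is expected to check the signature at boot, since the presence of the partition alone does not make verity enforced — that depends on the booting system trusting the signing certificate.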