-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[mkinitcpio] Create UEFI executables #53
Conversation
Implement UEFI executable generation in mkinitcpio by utilizing UEFI stubs provided by systemd/gummiboot. This allows us to create a unified boot image we can boot from UEFI with. These are practical for secure boot as we can sign initramfs, kernel cmdline and the kernel all at once. By utilizing the BOOT_LOADER_SPECIFICATION we can also drop new images into the correct patch and have systemd-boot/gummiboot pick up the images. The code does several things and does a fair amount of guessing to figure out all the inputs needed. We use `/etc/kernel/cmdline` to localize the kernel cmdline options we want for the image. This is inherited from the `kernel-install` hook system which might double as some form of standard. We also do a dance to get the correct kernel image. We do a lookup into /lib/modules and /boot for both versioned and unversioned kernels (mainly Arch Linux). There is an attempt to support both 32bit and 64bit lookup paths for the stub images, but only 64bit is tested. Gummiboot is also not tested. https://www.freedesktop.org/software/systemd/man/kernel-install.html https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-images Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Morten Linderud <morten@linderud.pw>
Added a manpage. Missing some '/usr/lib/os-release' fallback but should be'ish fine I think. @grazzolini I think a general ack/nack or changes you want to see would be useful at this point. |
It would be useful to have an Example in the man page, for manual non-preset invocation, |
Signed-off-by: Morten Linderud <morten@linderud.pw>
Manpages has been fixed up. I intend to try expand the preset documentation in another PR. It should preferably explain how it works instead of you having to infer it through examples. |
f98d3b8
to
7ef9130
Compare
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Morten Linderud <morten@linderud.pw>
7ef9130
to
34be8f7
Compare
I think everything should be good. I have built a package people can test if they want to. https://pkgbuild.com/~foxboron/repos/loose-pkgs/ https://github.com/Foxboron/PKGBUILDS/tree/master/mkinitcpio |
I realized #8 is a thing. I hijacked |
I tested this and it works like a dream, good work! :) |
edit: |
I have no clue how I missed the availability of |
I'd be happy to drop all the short options (except for |
First of all, great feature. Just a simple suggestion. Currently the command In my opinion, it makes sense that the command already had an image specified , and it should just make the initramfs in /tmp// and then create the final uefi image it was asked for. |
Frankly I'd prefer if I agree that diff --git a/mkinitcpio b/mkinitcpio
index 0111f80..eda4dca 100755
--- a/mkinitcpio
+++ b/mkinitcpio
@@ -599,6 +599,14 @@ if [[ -n $_d_flag_hooks && -n $_d_flag_install ]]; then
_d_install=${_d_flag_install%:}
fi
+
+# If we specified --uefi but no -g we want to create a temporary initramfs which will be used with the efi executable.
+if [[ $_optuefi && $_optgenimg == "" ]]; then
+ tmpfile=$(mktemp -t mkinitcpio.XXXXXX)
+ trap "rm $tmpfile" EXIT
+ _optgenimg="$tmpfile"
+fi
+
# insist that /proc and /dev be mounted (important for chroots)
# NOTE: avoid using mountpoint for this -- look for the paths that we actually
# use in mkinitcpio. Avoids issues like FS#26344. |
Signed-off-by: Morten Linderud <morten@linderud.pw>
Preferably we shouldn't need to have a dry run when `mkinitcpio -U` is invoked, instead create a temporary initramfs we use for the UEFI executable. Signed-off-by: Morten Linderud <morten@linderud.pw>
I have removed the short options, fixed up the manpage+help text. I also implemented the |
Signed-off-by: Morten Linderud <morten@linderud.pw>
@grazzolini I'm not quite sure why you decided to merge this with 11 fixup commits I intended to squash before finalizing. The idea was to make it easier to review incremental changes. |
I don't mind the fixups, don't worry. I plan on making a new release soon. |
For the unified UEFI image feature archlinux/mkinitcpio#53
Missing stuff for this pull-request.
Implement UEFI executable generation in mkinitcpio by utilizing UEFI
stubs provided by systemd/gummiboot.
This allows us to create a unified boot image we can boot from UEFI
with. These are practical for secure boot as we can sign initramfs,
kernel cmdline and the kernel all at once. By utilizing the
BOOT_LOADER_SPECIFICATION we can also drop new images into the correct
patch and have systemd-boot/gummiboot pick up the images.
The code does several things and does a fair amount of guessing to
figure out all the inputs needed.
We use
/etc/kernel/cmdline
to localize the kernel cmdline options wewant for the image. This is inherited from the
kernel-install
hooksystem which might double as some form of standard.
We also do a dance to get the correct kernel image. We do a lookup into
/lib/modules and /boot for both versioned and unversioned kernels
(mainly Arch Linux).
There is an attempt to support both 32bit and 64bit lookup paths for the
stub images, but only 64bit is tested.
Gummiboot is also not tested.
https://www.freedesktop.org/software/systemd/man/kernel-install.html
https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-images
Signed-off-by: Morten Linderud morten@linderud.pw