From d3f8b754d45036c954869248adc90fd78bb3ac18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 28 Aug 2023 18:20:56 +0300 Subject: [PATCH 1/3] man/ukify: fix synopsis Fixup for 7d481546acc8dbd9be05fe7a901e5598487aec02 and a3f758b3104ee1161d2dbf5a8c1be653340b1672. --- man/ukify.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/man/ukify.xml b/man/ukify.xml index 5755cf8fa49..40544502f12 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -25,8 +25,20 @@ /usr/lib/systemd/ukify OPTIONS build + + + + ukify + OPTIONS genkey + + + ukify + OPTIONS + inspect + FILE + From f65aa477d90ab7fbbc50ba05c55180213d5992e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 28 Aug 2023 18:22:43 +0300 Subject: [PATCH 2/3] ukify: move to /usr/bin and mark as non non-experimental The notice in the man page is removed and the tool is moved into the $PATH. A compat symlink is provided. It is fairly widely used now, and realistically we need to keep backwards compat or people will be very unhappy. --- man/ukify.xml | 13 +++++-------- meson.build | 6 +++++- src/kernel-install/60-ukify.install.in | 2 +- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/man/ukify.xml b/man/ukify.xml index 40544502f12..5a94339e6f0 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -22,7 +22,7 @@ - /usr/lib/systemd/ukify + ukify OPTIONS build @@ -44,9 +44,6 @@ Description - Note: this command is experimental for now. While it is intended to become a regular component of - systemd, it might still change in behaviour and interface. - ukify is a tool whose primary purpose is to combine components (usually a kernel, an initrd, and a UEFI boot stub) to create a Unified Kernel Image (UKI) 
@@ -493,7 +490,7 @@ All the bells and whistles - $ /usr/lib/systemd/ukify build \ + $ ukify build \ --linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \ --initrd=early_cpio \ --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \ @@ -552,7 +549,7 @@ Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready -$ /usr/lib/systemd/ukify -c ukify.conf build \ +$ ukify -c ukify.conf build \ --linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \ --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img @@ -588,7 +585,7 @@ $ /usr/lib/systemd/ukify -c ukify.conf build \ EOF Next, we can generate the certificate and keys: - # /usr/lib/systemd/ukify genkey --config=/etc/kernel/uki.conf + # ukify genkey --config=/etc/kernel/uki.conf Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem Writing SecureBoot certificate to /etc/kernel/secure-boot.cert.pem Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem @@ -601,7 +598,7 @@ Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem to /etc/kernel/.) Subsequent invocations of using the config file - (/usr/lib/systemd/ukify build --config=/etc/kernel/uki.conf) + (ukify build --config=/etc/kernel/uki.conf) will use this certificate and key files. Note that the kernel-install8 plugin 60-ukify.install uses /etc/kernel/uki.conf diff --git a/meson.build b/meson.build index 910e06c7834..d90af73d52f 100644 --- a/meson.build +++ b/meson.build @@ -2417,9 +2417,13 @@ ukify = custom_target( command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'], install : want_ukify, install_mode : 'rwxr-xr-x', - install_dir : libexecdir) + install_dir : bindir) if want_ukify public_programs += ukify + + meson.add_install_script(sh, '-c', + ln_s.format(bindir / 'ukify', + libexecdir / 'ukify')) endif ############################################################ 
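Review bot: The new `meson.add_install_script(...)` call in the `if want_ukify` branch has no comment, so a later reader cannot tell that the link from the old libexecdir path is a deliberate compatibility measure. A line above it such as `# Compat symlink: ukify used to be installed in libexecdir; keep the old path working for existing callers.` would record that. `ln_s` is defined outside this hunk, so the argument order (target first, link path second) is assumed from the commit message rather than visible here.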
diff --git a/src/kernel-install/60-ukify.install.in b/src/kernel-install/60-ukify.install.in index 2ab0305e919..01146467d1a 100755 --- a/src/kernel-install/60-ukify.install.in +++ b/src/kernel-install/60-ukify.install.in @@ -34,7 +34,7 @@ except (KeyError, ValueError): VERBOSE = False # Override location of ukify and the boot stub for testing and debugging. -UKIFY = os.getenv('KERNEL_INSTALL_UKIFY', '/usr/lib/systemd/ukify') +UKIFY = os.getenv('KERNEL_INSTALL_UKIFY', 'ukify') BOOT_STUB = os.getenv('KERNEL_INSTALL_BOOT_STUB') From 594e27b0bc896a84017db02227e45e172186d1a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 28 Aug 2023 18:44:42 +0300 Subject: [PATCH 3/3] ukify: fail if the config file was not read Inspired by https://github.com/systemd/systemd/pull/28997. Noticed by Alvin Alvarado . --- src/ukify/ukify.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py index 10a464bb1a3..b7e21dafed7 100755 --- a/src/ukify/ukify.py +++ b/src/ukify/ukify.py @@ -1413,7 +1413,10 @@ def apply_config(namespace, filename=None): # Do not make keys lowercase cp.optionxform = lambda option: option - cp.read(filename) + # The API is not great. + read = cp.read(filename) + if not read: + raise IOError(f'Failed to read {filename}') for section_name, section in cp.items(): idx = section_name.find(':')
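Review bot: The default for `UKIFY` changes from an absolute path to the bare name `ukify`, so the program this plugin runs now depends on the `PATH` of whatever invoked kernel-install. The plugin presumably runs as root, and the man page hunks in this series show ukify writing and using Secure Boot and PCR signing keys, so the default is safer kept absolute; since this file is a `.in` template, the configured install directory could be substituted at build time instead of relying on lookup. `KERNEL_INSTALL_UKIFY` already provides an explicit override for testing, which is a deliberate opt-in in a way that ambient `PATH` is not. If the bare name stays, a comment such as `# Resolved via PATH; set KERNEL_INSTALL_UKIFY to pin an absolute path.` would make the dependency visible. How `UKIFY` is executed is outside this hunk.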
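Review bot: The new `raise IOError(f'Failed to read {filename}')` discards the reason the file could not be read, because `ConfigParser.read()` skips any file it cannot open and returns only the names it parsed, so a missing file and a permission problem produce the same message. Opening the file explicitly keeps the original error and its errno: `with open(filename) as f:` followed by `cp.read_file(f)`. The comment `# The API is not great.` would say more as `# ConfigParser.read() silently skips unreadable files and returns the list it parsed.` Failing hard here is the right direction, since a config that silently does not load could otherwise produce an image built without the configured signing settings. `apply_config` starts before and continues after this hunk, so how a `filename` of `None` is resolved is not visible here.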