diff --git a/mkosi.conf b/mkosi.conf
index b2e8ba62bac..d6bf53ee46d 100644
--- a/mkosi.conf
+++ b/mkosi.conf
@@ -38,7 +38,6 @@ KernelCommandLine=systemd.crash_shell
 [Host]
 @Incremental=yes
-@RuntimeSize=8G
 @RuntimeBuildSources=yes
 @QemuSmp=2
 ToolsTreePackages=virtiofsd
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
index b124c5c94a7..2f5c8af25b3 100644
--- a/mkosi.images/system/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf
@@ -7,6 +7,7 @@ Dependencies=
 [Output]
 @Format=directory
+RepartDirectories=mkosi.repart
 [Content]
 Autologin=yes
@@ -61,7 +62,3 @@ Packages=
 xfsprogs
 zsh
 zstd
-
-[Validation]
-@SecureBoot=yes
-@SignExpectedPcr=yes
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
index 79622c83f73..524ffa0de5d 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -49,9 +49,6 @@ Packages=
 rpm
 rpm-build
 rpmautospec
- selinux-policy
- selinux-policy-targeted
- setools-console
 squashfs-tools
 util-linux
 vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
new file mode 100644
index 00000000000..3dc1143fc84
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=!particle
+
+[Content]
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+Packages=
+ selinux-policy
+ selinux-policy-targeted
+ setools-console
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 053f11be55c..54f8f1c1bd3 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
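Review bot: The comment in the new 10-selinux.conf justifies the exclusion with "/usr-only images" while the match condition is `Profile=!particle`, so a reader has to know from elsewhere that the particle profile is the /usr-only build. Suggest tying the two together in the comment, e.g. `# The particle profile builds a /usr-only image and libselinux does not work in the slightest with those, so only install the SELinux packages for the other profiles.` The same link is worth stating in mkosi.profiles/particle.conf, whose comment currently says only that the profile exists to be matched on.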
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -3,6 +3,9 @@
 [Match]
 Distribution=centos
+[Output]
+RepartDirectories=mkosi.repart
+
 [Content]
 Packages=
 rpmautospec-rpm-macros
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
deleted file mode 100644
index 99b846d3a80..00000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support btrfs so we use xfs instead.
-[Partition]
-Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf
deleted file mode 100644
index d69ff91cc32..00000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-g root 0
-g bin 1
-g daemon 2
-g sys 3
-g adm 4
-g tty 5
-g disk 6
-g lp 7
-g mem 8
-g kmem 9
-g wheel 10
-g cdrom 11
-g mail 12
-g man 15
-g dialout 18
-g floppy 19
-g games 20
-g tape 33
-g video 39
-g ftp 50
-g lock 54
-g audio 63
-g users 100
-g nobody 65534
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf
deleted file mode 100644
index bea0ab34471..00000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf
+++ /dev/null
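Review bot: The new `RepartDirectories=mkosi.repart` in 10-centos/mkosi.conf is resolved relative to that drop-in's directory, so it only contributes the 10-root.conf.d/xfs.conf override (Format=ext4) for the 10-root.conf partition, and 20-particle/mkosi.conf later resets `RepartDirectories=`, which discards this override for the particle profile. For the particle profile the root is still defined by the renamed 20-root.conf with Format=btrfs, and this commit deletes the 20-root.conf.d/xfs.conf drop-in whose comment said CentOS does not support btrfs, so a CentOS build with the particle profile appears to lose its non-btrfs root; worth confirming that combination is not built, or keeping an equivalent drop-in under 20-particle/. A short comment on the new line, e.g. `# Adds the CentOS-specific drop-ins for the partitions defined in mkosi.images/system/mkosi.repart/.`, would also make the relative path easier to follow.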
@@ -1,13 +0,0 @@
-u root 0:0 "Super User" /root /bin/bash
-u bin 1:1 "bin" /bin -
-u daemon 2:2 "daemon" /sbin -
-u adm 3:4 "adm" /var/adm -
-u lp 4:7 "lp" /var/spool/lpd -
-u sync 5:0 "sync" /sbin /bin/sync
-u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
-u halt 7:0 "halt" /sbin /sbin/halt
-u mail 8:12 "mail" /var/spool/mail -
-u operator 11:0 "operator" /root -
-u games 12:100 "games" /usr/games -
-u ftp 14:50 "FTP User" /var/ftp -
-u nobody 65534:65534 "Kernel Overflow User" - -
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf
new file mode 100644
index 00000000000..a50de68110e
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+# btrfs isn't supported on CentOS. Ideally we'd use xfs instead but we lose xattrs when doing rootless
+# population of xfs which is required for testing SELinux so let's do ext4 instead.
+Format=ext4
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
new file mode 100644
index 00000000000..8c1920b0ce4
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=particle
+
+[Output]
+RepartDirectories=
+RepartDirectories=mkosi.repart
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
+
+[Host]
+@RuntimeSize=8G
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
similarity index 100%
rename from mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
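Review bot: The new drop-in under 10-centos/mkosi.repart/10-root.conf.d/ is named xfs.conf but sets `Format=ext4`, so the file name contradicts its content and will mislead anyone reading the directory listing. Renaming it to something like ext4.conf, or to a purpose-based name such as format.conf that survives the next filesystem change, would avoid that; the explanatory comment inside the file is good and should move with it.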
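Review bot: The empty `RepartDirectories=` before `RepartDirectories=mkosi.repart` in 20-particle/mkosi.conf is doing real work (it clears the directories inherited from mkosi.images/system/mkosi.conf and 10-centos/mkosi.conf so only the particle definitions apply), but nothing says so, and a maintainer removing the apparent duplicate would silently pull the 8G btrfs root from mkosi.images/system/mkosi.repart/10-root.conf into the particle image. Suggest `# Reset the list inherited from the system image and CentOS configs: the particle image is built only from the ESP and /usr definitions in this directory's mkosi.repart/.` The `@RuntimeSize=8G` under [Host] presumably pairs with the fixed 8G root in 10-root.conf that the other profiles get; a one-line comment stating that would help too.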
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
similarity index 66%
rename from mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
index 71eb9e38c49..2f92af248f3 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -4,5 +4,3 @@
 Type=root
 Format=btrfs
 SizeMinBytes=1G
-Subvolumes=/home /var
-MakeDirectories=/home /var
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
similarity index 100%
rename from mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
new file mode 100755
index 00000000000..f5523983d2e
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
@@ -0,0 +1,15 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+ # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+ addons_dir=/efi/loader/addons
+ mkdir -p "$addons_dir"
+ ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+ ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi
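Review bot: `addons_dir=/efi/loader/addons` was carried over verbatim from the mkosi.postinst.chroot block this commit removes, but that block ran inside the image via chroot whereas mkosi.finalize (no `.chroot` suffix) runs outside it, so unless mkosi remaps absolute paths for finalize scripts the `mkdir -p` and the two `ukify build -o` outputs land in the host's /efi rather than the image's ESP. The two lines above it already use the `"$BUILDROOT"` prefix for the factory copy, so the fix is `addons_dir="$BUILDROOT"/efi/loader/addons`; alternatively rename the script to mkosi.finalize.chroot if running inside the image is what is intended. With `set -e` an unwritable host /efi would at least fail the build loudly, but the check the comment describes (signed addon loaded, unsigned addon ignored) would still never be exercised, so it is worth verifying that good.addon.efi ends up in the built image's ESP.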
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
new file mode 100644
index 00000000000..391543d1e78
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=1G
+SizeMaxBytes=1G
diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
similarity index 100%
rename from mkosi.images/system/mkosi.repart/10-usr.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
similarity index 100%
rename from mkosi.images/system/mkosi.repart/11-usr-verity.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
similarity index 100%
rename from mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
rename to mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
deleted file mode 100755
index 6da35e51380..00000000000
--- a/mkosi.images/system/mkosi.finalize
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
-cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 61a8e311e36..43978316fcd 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -65,15 +65,6 @@ fi
 mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
 rm -f /etc/resolv.conf
-# sbsign is not available on CentOS Stream
-if command -v sbsign &>/dev/null; then
- # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
- addons_dir=/efi/loader/addons
- mkdir -p "$addons_dir"
- ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
- ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
-fi
-
 for f in "$BUILDROOT"/usr/share/*.verity.sig; do
 jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
 done
diff --git a/mkosi.images/system/mkosi.repart/10-root.conf b/mkosi.images/system/mkosi.repart/10-root.conf
new file mode 100644
index 00000000000..3c25dbfb14d
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/10-root.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+CopyFiles=/
+SizeMinBytes=8G
+SizeMaxBytes=8G
diff --git a/mkosi.profiles/particle.conf b/mkosi.profiles/particle.conf
new file mode 100644
index 00000000000..5f36d58e4d2
--- /dev/null
+++ b/mkosi.profiles/particle.conf
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# This file exists to create the particle profile which is matched on by other configuration files.
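Review bot: The new mkosi.images/system/mkosi.repart/10-root.conf pins the root to exactly 8G (`SizeMinBytes=8G` and `SizeMaxBytes=8G`) without saying why, while the same commit drops `@RuntimeSize=8G` from the top-level [Host] section and keeps it only for the particle profile; the two presumably express the same size budget in different places, but that link is invisible from this file. If that is the intent, a comment such as `# Fixed at 8G: this partition takes over the role of the RuntimeSize=8G the particle profile still sets in [Host].` would record it, and if the 8G ceiling exists for another reason, a comment explaining why the root may not grow past `SizeMaxBytes=` is still worth adding.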