diff --git a/usr/bin/archboot-aarch64-uki.sh b/usr/bin/archboot-aarch64-uki.sh new file mode 120000 index 000000000..ef0eee51e --- /dev/null +++ b/usr/bin/archboot-aarch64-uki.sh @@ -0,0 +1 @@ +../lib/archboot/run/uki.sh \ No newline at end of file diff --git a/usr/bin/archboot-x86_64-uki.sh b/usr/bin/archboot-x86_64-uki.sh new file mode 120000 index 000000000..ef0eee51e --- /dev/null +++ b/usr/bin/archboot-x86_64-uki.sh @@ -0,0 +1 @@ +../lib/archboot/run/uki.sh \ No newline at end of file diff --git a/usr/lib/archboot/release.sh b/usr/lib/archboot/release.sh index b7c6605b9..4696c1b80 100644 --- a/usr/lib/archboot/release.sh +++ b/usr/lib/archboot/release.sh @@ -128,12 +128,10 @@ _create_iso() { # add INTEL ucode license mkdir -p licenses/intel-ucode cp /usr/share/licenses/intel-ucode/* licenses/intel-ucode/ - _EFISTUB="/usr/lib/systemd/boot/efi/linuxx64.efi.stub" echo "console=ttyS0,115200 console=tty0 audit=0 systemd.show_status=auto" > ${_CMDLINE} fi if [[ "${_ARCH}" == "aarch64" ]]; then echo "nr_cpus=1 console=ttyAMA0,115200 console=tty0 loglevel=4 audit=0 systemd.show_status=auto" > ${_CMDLINE} - _EFISTUB="/usr/lib/systemd/boot/efi/linuxaa64.efi.stub" _INTEL_UCODE="" # replace aarch64 Image.gz with Image kernel for UKI, compressed image is not working at the moment cp "${_W_DIR}/boot/Image" "boot/Image-${_ARCH}" diff --git a/usr/lib/archboot/run/uki.sh b/usr/lib/archboot/run/uki.sh new file mode 100755 index 000000000..f147df20d --- /dev/null +++ b/usr/lib/archboot/run/uki.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: GPL-3.0-or-later +# created by Tobias Powalowski +. /usr/lib/archboot/common.sh +. /usr/lib/archboot/uki.sh +[[ -z "${1}" ]] && _usage +_parameters "$@" +[[ "${_GENERATE}" == "1" ]] || _usage +_root_check +_architecture_check +_config +echo "Starting UKI creation..." +_prepare_kernel_initramfs || exit 1 +_prepare_ucode || exit 1 +_prepare_background || exit 1 +_prepare_osrelease || exit 1 +_reproducibility || exit 1 +_create_cksum || exit 1 +_cleanup_uki || exit 1 +echo "Finished UKI creation." diff --git a/usr/lib/archboot/uki.sh b/usr/lib/archboot/uki.sh new file mode 100644 index 000000000..a6302d0b3 --- /dev/null +++ b/usr/lib/archboot/uki.sh @@ -0,0 +1,113 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: GPL-3.0-or-later +# created by Tobias Powalowski +. /etc/archboot/defaults +_AMD_UCODE="/boot/amd-ucode.img" +_INTEL_UCODE="/boot/intel-ucode.img" +_SPLASH="/usr/share/archboot/uki/archboot-background.bmp" +_OSREL="/usr/share/archboot/base/etc/os-release" +_CONFIG_DIR="/etc/archboot" +_UKIDIR="$(mktemp -d UKIDIR.XXX)" + +_usage () { + echo -e "\e[1m\e[36mArchboot\e[m\e[1m - Create ${_ARCH} UKI Image\e[m" + echo -e "\e[1m--------------------------------------\e[m" + echo "This will create an Archboot UKI image." + echo + echo "Options:" + echo -e " \e[1m-g\e[m Starting generation of image." + echo -e " \e[1m-c=CONFIG\e[m Which CONFIG should be used." + echo " ${_CONFIG_DIR} includes the config files" + echo " default=${_ARCH}.conf" + echo -e " \e[1m-i=IMAGENAME\e[m Your IMAGENAME." + echo + echo -e "Usage: \e[1m${_BASENAME} \e[m" + exit 0 +} + +_parameters() { + while [ $# -gt 0 ]; do + case ${1} in + -g|--g) export _GENERATE="1" ;; + -c=*|--c=*) _CONFIG="$(echo "${1}" | rg -o '=(.*)' -r '$1')" ;; + -i=*|--i=*) _UKI="$(echo "${1}" | rg -o '=(.*)' -r '$1')" ;; + *) _usage ;; + esac + shift + done +} + +_config() { + # set defaults, if nothing given + [[ -z "${_CONFIG}" ]] && _CONFIG="${_ARCH}.conf" + _CONFIG="${_CONFIG_DIR}/${_CONFIG}" + #shellcheck disable=SC1090 + . "${_CONFIG}" + #shellcheck disable=SC2116,2086 + _KERNEL="$(echo ${_KERNEL})" + #shellcheck disable=SC2154 + [[ -z "${_UKI}" ]] && _UKI="archboot-$(date +%Y.%m.%d-%H.%M)-$(_kver "${_KERNEL}")-${_ARCH}".efi +} + +_prepare_kernel_initramfs() { + mkdir -p "${_UKIDIR}" + # needed to hash the kernel for secureboot enabled systems + echo "Preparing kernel..." + install -m644 "${_KERNEL}" "${_UKIDIR}/kernel" + _INITRD="initrd-${_ARCH}.img" + echo "Running archboot-cpio.sh for ${_INITRD}..." + #shellcheck disable=SC2154 + archboot-cpio.sh -c "${_CONFIG}" -k "${_KERNEL}" \ + -g "${_UKIDIR}/${_INITRD}" || exit 1 +} + +_prepare_ucode() { + # only x86_64 + if [[ "${_ARCH}" == "x86_64" ]]; then + echo "Preparing intel-ucode..." + cp "${_INTEL_UCODE}" "${_UKIDIR}/" + fi + echo "Preparing amd-ucode..." + cp "${_AMD_UCODE}" "${_UKIDIR}/" +} + +_prepare_background() { + echo "Preparing UKI splash..." + cp "${_SPLASH}" "${_UKIDIR}/splash.png" +} + +_prepare_osrelease() { + echo "Preparing os-release..." + cp "${_OSREL}" "${_UKIDIR}/os-release" +} + +_reproducibility() { + # Reproducibility: set all timestamps to 0 + fd . "${_UKIDIR}" -u --min-depth 1 -X touch -hcd "@0" +} + +_systemd_ukify() { + echo "Generating ${_ARCH} UKI image..." + cd "${_UKIDIR}" + [[ "${_ARCH}" == "aarch64" ]] && _CMDLINE="console=ttyS0,115200 console=tty0 audit=0 systemd.show_status=auto" + [[ "${_ARCH}" == "aarch64" ]] && _CMDLINE="nr_cpus=1 console=ttyAMA0,115200 console=tty0 loglevel=4 audit=0 systemd.show_status=auto" + [[ -n "${_INTEL_UCODE}" ]] && _INTEL_UCODE="--initrd=intel-ucode" + [[ -n "${_AMD_UCODE}" ]] && _AMD_UCODE="--initrd=amd-ucode" + /usr/lib/systemd/ukify build --linux=kernel \ + ${_INTEL_UCODE} ${_AMD_UCODE} --initrd=${_INITRD} --cmdline=@${_CMDLINE} \ + --os-release=@os-release --splash=splash.png --output=../${_UKI} &>"${_NO_LOG}" || exit 1 + cd .. +} + +_create_cksum() { + ## create b2sums.txt + echo "Generating b2sum..." + [[ -f "b2sums.txt" ]] && rm "b2sums.txt" + [[ "$(echo ./*.iso)" == "./*.efi" ]] || cksum -a blake2b ./*.efi > "b2sums.txt" +} + +_cleanup_uki() { + # cleanup + echo "Removing ${_UKIDIR}..." + [[ -d "${_UKIDIR}" ]] && rm -r "${_UKIDIR}" +}