* [PATCH v6 1/8] uki.bbclass: add class for building Unified Kernel Images (UKI)
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
@ 2024-10-09 11:26 ` Mikko Rapeli
2024-10-09 19:53 ` [OE-core] " Ricardo Salveti
2024-10-09 11:26 ` [PATCH v6 2/8] wic bootimg-efi.py: keep timestamps and add debug prints Mikko Rapeli
` (8 subsequent siblings)
9 siblings, 1 reply; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-09 11:26 UTC (permalink / raw)
To: openembedded-core; +Cc: Michelle Lin, Erik Schilling, Mikko Rapeli
From: Michelle Lin <michelle.linto91@gmail.com>
This class calls systemd ukify tool, which will combine
kernel/initrd/stub components to build the UKI. To sign the UKI
(i.e. SecureBoot), the keys/cert files can be specified
in a configuration file or UEFI binary signing can be done
via separate steps, see qemuarm64-secureboot in meta-arm.
UKIs are loaded by UEFI firmware on target which can improve
security by loading only correctly signed kernel, initrd and kernel
command line.
Using systemd-measure to pre-calculate TPM PCR values and sign them is
not supported since that requires a TPM device on the build host. Thus
"ConditionSecurity=measured-uki" default from systemd 256 does not work
but "ConditionSecurity=tpm2" in combination with secure boot will.
These can be used to boot securely into systemd-boot, kernel, kernel
command line and initrd which then securely mounts a read-only dm-verity
/usr partition and creates a TPM encrypted read-write / rootfs.
Tested via qemuarm64-secureboot in meta-arm with
https://lists.yoctoproject.org/g/meta-arm/topic/patch_v3_02_13/108031399
and a few more changes needed, will be posted separately.
Signed-off-by: Michelle Lin <michelle.linto91@gmail.com>
Acked-by: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
meta/classes-recipe/uki.bbclass | 197 ++++++++++++++++++++++++++++++++
1 file changed, 197 insertions(+)
create mode 100644 meta/classes-recipe/uki.bbclass
diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass
new file mode 100644
index 0000000000..fac50ea8ca
--- /dev/null
+++ b/meta/classes-recipe/uki.bbclass
@@ -0,0 +1,197 @@
+# Unified kernel image (UKI) class
+#
+# This bbclass merges kernel, initrd etc as a UKI standard UEFI binary,
+# to be loaded with UEFI firmware and systemd-boot on target HW.
+# TPM PCR pre-calculation is not supported since systemd-measure tooling
+# is meant to run on target, not in cross compile environment.
+#
+# See:
+# https://www.freedesktop.org/software/systemd/man/latest/ukify.html
+# https://uapi-group.org/specifications/specs/unified_kernel_image/
+#
+# The UKI contains:
+#
+# - UEFI stub
+# The linux kernel can generate a UEFI stub, however the one from systemd-boot can fetch
+# the command line from a separate section of the EFI application, avoiding the need to
+# rebuild the kernel.
+# - kernel
+# - initramfs
+# - kernel command line
+# - uname -r kernel version
+# - /etc/os-release to create a boot menu with version details
+# - optionally secure boot signature(s)
+# - other metadata (e.g. TPM PCR measurements)
+#
+# Usage instructions:
+#
+# - requires UEFI compatible firmware on target, e.g. qemuarm64-secureboot u-boot based
+# from meta-arm or qemux86 ovmf/edk2 based firmware for x86_64
+#
+# - Distro/build config:
+#
+# INIT_MANAGER = "systemd"
+# MACHINE_FEATURES:append = " efi"
+# DISTRO_FEATURES:append = " systemd"
+# DISTRO_FEATURES_NATIVE:append = " systemd"
+# EFI_PROVIDER = "systemd-boot"
+# INITRAMFS_IMAGE = "core-image-minimal-initramfs"
+#
+# - image recipe:
+#
+# inherit uki
+#
+# - qemuboot/runqemu changes in image recipe or build config:
+#
+# # Kernel command line must be inside the signed uki
+# QB_KERNEL_ROOT = ""
+# # kernel is in the uki image, not loaded separately
+# QB_DEFAULT_KERNEL = "none"
+#
+# - for UEFI secure boot, systemd-boot and uki (including kernel) can
+# be signed but require sbsign-tool-native (recipe available from meta-secure-core,
+# see also qemuarm64-secureboot from meta-arm). Set variable
+# UKI_SB_KEY to path of private key and UKI_SB_CERT for certificate.
+# Note that systemd-boot also need to be signed with the same key.
+#
+# - at runtime, UEFI firmware will load and boot systemd-boot which
+# creates a menu from all detected uki binaries. No need to manually
+# setup boot menu entries.
+#
+# - see efi-uki-bootdisk.wks.in how to create ESP partition which hosts systemd-boot,
+# config file(s) for systemd-boot and the UKI binaries.
+#
+
+DEPENDS += "\
+ os-release \
+ systemd-boot \
+ systemd-boot-native \
+ virtual/${TARGET_PREFIX}binutils \
+ virtual/kernel \
+"
+
+inherit image-artifact-names
+require ../conf/image-uefi.conf
+
+INITRAMFS_IMAGE ?= "core-image-minimal-initramfs"
+
+INITRD_ARCHIVE ?= "${INITRAMFS_IMAGE}-${MACHINE}.${INITRAMFS_FSTYPES}"
+
+do_image_complete[depends] += "${INITRAMFS_IMAGE}:do_image_complete"
+
+UKIFY_CMD ?= "ukify build"
+UKI_CONFIG_FILE ?= "${UNPACKDIR}/uki.conf"
+UKI_FILENAME ?= "uki.efi"
+UKI_KERNEL_FILENAME ?= "${KERNEL_IMAGETYPE}"
+UKI_CMDLINE ?= "rootwait root=LABEL=root console=${KERNEL_CONSOLE}"
+# secure boot keys and cert, needs sbsign-tools-native (meta-secure-core)
+#UKI_SB_KEY ?= ""
+#UKI_SB_CERT ?= ""
+
+IMAGE_EFI_BOOT_FILES ?= "${UKI_FILENAME};EFI/Linux/${UKI_FILENAME}"
+
+do_uki[depends] += " \
+ systemd-boot:do_deploy \
+ virtual/kernel:do_deploy \
+ "
+do_uki[depends] += "${@ '${INITRAMFS_IMAGE}:do_image_complete' if d.getVar('INITRAMFS_IMAGE') else ''}"
+
+# ensure that the build directory is empty everytime we generate a newly-created uki
+do_uki[cleandirs] = "${B}"
+# influence the build directory at the start of the builds
+do_uki[dirs] = "${B}"
+
+# we want to allow specifying files in SRC_URI, such as for signing the UKI
+python () {
+ d.delVarFlag("do_fetch","noexec")
+ d.delVarFlag("do_unpack","noexec")
+}
+
+# main task
+python do_uki() {
+ import glob
+ import bb.process
+
+ # base ukify command, can be extended if needed
+ ukify_cmd = d.getVar('UKIFY_CMD')
+
+ deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE')
+
+ # architecture
+ target_arch = d.getVar('EFI_ARCH')
+ if target_arch:
+ ukify_cmd += " --efi-arch %s" % (target_arch)
+
+ # systemd stubs
+ stub = "%s/linux%s.efi.stub" % (d.getVar('DEPLOY_DIR_IMAGE'), target_arch)
+ if not os.path.exists(stub):
+ bb.fatal(f"ERROR: cannot find {stub}.")
+ ukify_cmd += " --stub %s" % (stub)
+
+ # initrd
+ initramfs_image = "%s" % (d.getVar('INITRD_ARCHIVE'))
+ ukify_cmd += " --initrd=%s" % (os.path.join(deploy_dir_image, initramfs_image))
+
+ deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE')
+
+ # kernel
+ kernel_filename = d.getVar('UKI_KERNEL_FILENAME') or None
+ if kernel_filename:
+ kernel = "%s/%s" % (deploy_dir_image, kernel_filename)
+ if not os.path.exists(kernel):
+ bb.fatal(f"ERROR: cannot find %s" % (kernel))
+ ukify_cmd += " --linux=%s" % (kernel)
+ # not always needed, ukify can detect version from kernel binary
+ kernel_version = d.getVar('KERNEL_VERSION')
+ if kernel_version:
+ ukify_cmd += "--uname %s" % (kernel_version)
+ else:
+ bb.fatal("ERROR - UKI_KERNEL_FILENAME not set")
+
+ # command line
+ cmdline = d.getVar('UKI_CMDLINE')
+ if cmdline:
+ ukify_cmd += " --cmdline='%s'" % (cmdline)
+
+ # dtb
+ if d.getVar('KERNEL_DEVICETREE'):
+ for dtb in d.getVar('KERNEL_DEVICETREE').split():
+ dtb_path = "%s/%s" % (deploy_dir_image, dtb)
+ if not os.path.exists(dtb_path):
+ bb.fatal(f"ERROR: cannot find {dtb_path}.")
+ ukify_cmd += " --devicetree %s" % (dtb_path)
+
+ # custom config for ukify
+ if os.path.exists(d.getVar('UKI_CONFIG_FILE')):
+ ukify_cmd += " --config=%s" % (d.getVar('UKI_CONFIG_FILE'))
+
+ # systemd tools
+ ukify_cmd += " --tools=%s%s/lib/systemd/tools" % \
+ (d.getVar("RECIPE_SYSROOT_NATIVE"), d.getVar("prefix"))
+
+ # version
+ ukify_cmd += " --os-release=@%s%s/lib/os-release" % \
+ (d.getVar("RECIPE_SYSROOT"), d.getVar("prefix"))
+
+ # TODO: tpm2 measure for secure boot, depends on systemd-native and TPM tooling
+ # needed in systemd > 254 to fulfill ConditionSecurity=measured-uki
+ # Requires TPM device on build host, thus not supported at build time.
+ #ukify_cmd += " --measure"
+
+ # securebooot signing, also for kernel
+ key = d.getVar('UKI_SB_KEY')
+ if key:
+ ukify_cmd += " --sign-kernel --secureboot-private-key='%s'" % (key)
+ cert = d.getVar('UKI_SB_CERT')
+ if cert:
+ ukify_cmd += " --secureboot-certificate='%s'" % (cert)
+
+ # custom output UKI filename
+ output = " --output=%s/%s" % (d.getVar('DEPLOY_DIR_IMAGE'), d.getVar('UKI_FILENAME'))
+ ukify_cmd += " %s" % (output)
+
+ # Run the ukify command
+ bb.warn("uki: running command: %s" % (ukify_cmd))
+ bb.process.run(ukify_cmd, shell=True)
+}
+addtask uki after do_rootfs before do_deploy do_image_complete do_image_wic
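Review bot: In the kernel block of do_uki, the version option is appended as "--uname %s" with no leading space, so whenever KERNEL_VERSION is set it is glued onto the preceding --linux=<path> argument; it should read " --uname %s". The whole command is also built by string concatenation and passed to bb.process.run with shell=True, with UKI_CMDLINE, UKI_SB_KEY and UKI_SB_CERT wrapped in bare single quotes and the other paths unquoted, so a value containing a quote or whitespace changes what the shell runs; quoting each value with shlex.quote would close that. Smaller points: the stub path is formatted with target_arch even when EFI_ARCH is unset, bb.fatal(f"ERROR: cannot find %s" % (kernel)) mixes an f-string with % formatting, deploy_dir_image is fetched twice, import glob is unused, and bb.warn for the routine command line will show as a warning on every build where bb.note would do.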
--
2.34.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [OE-core] [PATCH v6 1/8] uki.bbclass: add class for building Unified Kernel Images (UKI)
2024-10-09 11:26 ` [PATCH v6 1/8] uki.bbclass: add class for building Unified Kernel Images (UKI) Mikko Rapeli
@ 2024-10-09 19:53 ` Ricardo Salveti
2024-10-10 9:06 ` Mikko Rapeli
0 siblings, 1 reply; 15+ messages in thread
From: Ricardo Salveti @ 2024-10-09 19:53 UTC (permalink / raw)
To: mikko.rapeli; +Cc: openembedded-core, Michelle Lin, Erik Schilling
On Wed, Oct 9, 2024 at 8:27 AM Mikko Rapeli via lists.openembedded.org
<mikko.rapeli=linaro.org@lists.openembedded.org> wrote:
>
> From: Michelle Lin <michelle.linto91@gmail.com>
>
> This class calls systemd ukify tool, which will combine
> kernel/initrd/stub components to build the UKI. To sign the UKI
> (i.e. SecureBoot), the keys/cert files can be specified
> in a configuration file or UEFI binary signing can be done
> via separate steps, see qemuarm64-secureboot in meta-arm.
> UKIs are loaded by UEFI firmware on target which can improve
> security by loading only correctly signed kernel, initrd and kernel
> command line.
>
> Using systemd-measure to pre-calculate TPM PCR values and sign them is
> not supported since that requires a TPM device on the build host. Thus
> "ConditionSecurity=measured-uki" default from systemd 256 does not work
> but "ConditionSecurity=tpm2" in combination with secure boot will.
> These can be used to boot securely into systemd-boot, kernel, kernel
> command line and initrd which then securely mounts a read-only dm-verity
> /usr partition and creates a TPM encrypted read-write / rootfs.
>
> Tested via qemuarm64-secureboot in meta-arm with
> https://lists.yoctoproject.org/g/meta-arm/topic/patch_v3_02_13/108031399
> and a few more changes needed, will be posted separately.
>
> Signed-off-by: Michelle Lin <michelle.linto91@gmail.com>
> Acked-by: Erik Schilling <erik.schilling@linaro.org>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
> meta/classes-recipe/uki.bbclass | 197 ++++++++++++++++++++++++++++++++
> 1 file changed, 197 insertions(+)
> create mode 100644 meta/classes-recipe/uki.bbclass
>
> diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass
> new file mode 100644
> index 0000000000..fac50ea8ca
> --- /dev/null
> +++ b/meta/classes-recipe/uki.bbclass
> @@ -0,0 +1,197 @@
> +# Unified kernel image (UKI) class
> +#
> +# This bbclass merges kernel, initrd etc as a UKI standard UEFI binary,
> +# to be loaded with UEFI firmware and systemd-boot on target HW.
> +# TPM PCR pre-calculation is not supported since systemd-measure tooling
> +# is meant to run on target, not in cross compile environment.
> +#
> +# See:
> +# https://www.freedesktop.org/software/systemd/man/latest/ukify.html
> +# https://uapi-group.org/specifications/specs/unified_kernel_image/
> +#
> +# The UKI contains:
> +#
> +# - UEFI stub
> +# The linux kernel can generate a UEFI stub, however the one from systemd-boot can fetch
> +# the command line from a separate section of the EFI application, avoiding the need to
> +# rebuild the kernel.
> +# - kernel
> +# - initramfs
> +# - kernel command line
> +# - uname -r kernel version
> +# - /etc/os-release to create a boot menu with version details
> +# - optionally secure boot signature(s)
> +# - other metadata (e.g. TPM PCR measurements)
> +#
> +# Usage instructions:
> +#
> +# - requires UEFI compatible firmware on target, e.g. qemuarm64-secureboot u-boot based
> +# from meta-arm or qemux86 ovmf/edk2 based firmware for x86_64
> +#
> +# - Distro/build config:
> +#
> +# INIT_MANAGER = "systemd"
> +# MACHINE_FEATURES:append = " efi"
> +# DISTRO_FEATURES:append = " systemd"
> +# DISTRO_FEATURES_NATIVE:append = " systemd"
> +# EFI_PROVIDER = "systemd-boot"
> +# INITRAMFS_IMAGE = "core-image-minimal-initramfs"
> +#
> +# - image recipe:
> +#
> +# inherit uki
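Review bot: The header comment lists "other metadata (e.g. TPM PCR measurements)" among the UKI contents a few lines after stating that TPM PCR pre-calculation is not supported; noting in that list item that this class does not add PCR measurements would keep the two statements from contradicting each other.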
Wouldn't it be better if this was a kernel class instead, similar to
how it is done with fitimage (via kernel-fitimage.bbclass)?
I see a lot of similarities here, and it is confusing that one is done
as a kernel class and the other is added by including in the image
recipe instead.
Thanks,
--
Ricardo Salveti
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core] [PATCH v6 1/8] uki.bbclass: add class for building Unified Kernel Images (UKI)
2024-10-09 19:53 ` [OE-core] " Ricardo Salveti
@ 2024-10-10 9:06 ` Mikko Rapeli
2024-10-10 15:21 ` Ricardo Salveti
0 siblings, 1 reply; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-10 9:06 UTC (permalink / raw)
To: Ricardo Salveti; +Cc: openembedded-core, Michelle Lin, Erik Schilling
Hi,
On Wed, Oct 09, 2024 at 04:53:58PM -0300, Ricardo Salveti wrote:
> Wouldn't it be better if this was a kernel class instead, similar to
> how it is done with fitimage (via kernel-fitimage.bbclass)?
>
> I see a lot of similarities here, and it is confusing that one is done
> as a kernel class and the other is added by including in the image
> recipe instead.
Interesting idea. I'll have a look. Maybe this could be an improvement
on top of the uki.bbclass. UKI combines kernel, initramfs image etc
so the implementation can be an image class, kernel class or some
magic post processing (e.g. wic) but needs to be generated using
systemd tooling. Thus I think image class it is for now. I agree
that setting this up is not nice. Need to configure initrd, kernel
command line, kernel, systemd-boot etc and all the config switches
are independent. At least the selftests will contain a fully
working example so users can replicate that in their builds.
Cheers,
-Mikko
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [OE-core] [PATCH v6 1/8] uki.bbclass: add class for building Unified Kernel Images (UKI)
2024-10-10 9:06 ` Mikko Rapeli
@ 2024-10-10 15:21 ` Ricardo Salveti
0 siblings, 0 replies; 15+ messages in thread
From: Ricardo Salveti @ 2024-10-10 15:21 UTC (permalink / raw)
To: Mikko Rapeli; +Cc: openembedded-core, Michelle Lin, Erik Schilling
On Thu, Oct 10, 2024 at 6:07 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
>
> Hi,
>
> On Wed, Oct 09, 2024 at 04:53:58PM -0300, Ricardo Salveti wrote:
> > Wouldn't it be better if this was a kernel class instead, similar to
> > how it is done with fitimage (via kernel-fitimage.bbclass)?
> >
> > I see a lot of similarities here, and it is confusing that one is done
> > as a kernel class and the other is added by including in the image
> > recipe instead.
>
> Interesting idea. I'll have a look. Maybe this could be an improvement
> on top of the uki.bbclass.
Yes, the current patch set seems to be quite functional and we can
work based on it.
> UKI combines kernel, initramfs image etc
> so the implementation can be an image class, kernel class or some
> magic post processing (e.g. wic) but needs to be generated using
> systemd tooling. Thus I think image class it is for now. I agree
> that setting this up is not nice. Need to configure initrd, kernel
> command line, kernel, systemd-boot etc and all the config switches
> are independent. At least the selftests will contain a fully
> working example so users can replicate that in their builds.
Right, for fitimage we have a similar build dependency chain, and why
I was wondering if it could be also made available via a kernel-class.
Thanks,
--
Ricardo Salveti
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v6 2/8] wic bootimg-efi.py: keep timestamps and add debug prints
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 1/8] uki.bbclass: add class for building Unified Kernel Images (UKI) Mikko Rapeli
@ 2024-10-09 11:26 ` Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 3/8] wic bootimg-efi.py: change UKI support from wic plugin to uki.bbclass Mikko Rapeli
` (7 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-09 11:26 UTC (permalink / raw)
To: openembedded-core; +Cc: Mikko Rapeli
Keep timestamps etc to help build reproducibility.
Add prints to see what is being copied to ESP partition.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
scripts/lib/wic/plugins/source/bootimg-efi.py | 49 ++++++++++++-------
1 file changed, 30 insertions(+), 19 deletions(-)
diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
index 7cc5131541..d00f5428da 100644
--- a/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -43,16 +43,18 @@ class BootimgEFIPlugin(SourcePlugin):
if initrd:
initrds = initrd.split(';')
for rd in initrds:
- cp_cmd = "cp %s/%s %s" % (bootimg_dir, rd, hdddir)
- exec_cmd(cp_cmd, True)
+ cp_cmd = "cp -v -p %s/%s %s" % (bootimg_dir, rd, hdddir)
+ out = exec_cmd(cp_cmd, True)
+ logger.debug("initrd files:\n%s" % (out))
else:
logger.debug("Ignoring missing initrd")
if dtb:
if ';' in dtb:
raise WicError("Only one DTB supported, exiting")
- cp_cmd = "cp %s/%s %s" % (bootimg_dir, dtb, hdddir)
- exec_cmd(cp_cmd, True)
+ cp_cmd = "cp -v -p %s/%s %s" % (bootimg_dir, dtb, hdddir)
+ out = exec_cmd(cp_cmd, True)
+ logger.debug("dtb files:\n%s" % (out))
@classmethod
def do_configure_grubefi(cls, hdddir, creator, cr_workdir, source_params):
@@ -150,6 +152,7 @@ class BootimgEFIPlugin(SourcePlugin):
"%s/hdd/boot/loader/loader.conf", cr_workdir)
cfg = open("%s/hdd/boot/loader/loader.conf" % cr_workdir, "w")
cfg.write(loader_conf)
+ logger.debug("loader.conf:\n%s" % (loader_conf))
cfg.close()
configfile = creator.ks.bootloader.configfile
@@ -401,30 +404,33 @@ class BootimgEFIPlugin(SourcePlugin):
exec_native_cmd(objcopy_cmd, native_sysroot)
else:
if source_params.get('install-kernel-into-boot-dir') != 'false':
- install_cmd = "install -m 0644 %s/%s %s/%s" % \
+ install_cmd = "install -v -p -m 0644 %s/%s %s/%s" % \
(staging_kernel_dir, kernel, hdddir, kernel)
- exec_cmd(install_cmd)
+ out = exec_cmd(install_cmd)
+ logger.debug("Installed kernel files:\n%s" % out)
if get_bitbake_var("IMAGE_EFI_BOOT_FILES"):
for src_path, dst_path in cls.install_task:
- install_cmd = "install -m 0644 -D %s %s" \
+ install_cmd = "install -v -p -m 0644 -D %s %s" \
% (os.path.join(kernel_dir, src_path),
os.path.join(hdddir, dst_path))
- exec_cmd(install_cmd)
+ out = exec_cmd(install_cmd)
+ logger.debug("Installed IMAGE_EFI_BOOT_FILES:\n%s" % out)
try:
if source_params['loader'] == 'grub-efi':
shutil.copyfile("%s/hdd/boot/EFI/BOOT/grub.cfg" % cr_workdir,
"%s/grub.cfg" % cr_workdir)
for mod in [x for x in os.listdir(kernel_dir) if x.startswith("grub-efi-")]:
- cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (kernel_dir, mod, hdddir, mod[9:])
+ cp_cmd = "cp -v -p %s/%s %s/EFI/BOOT/%s" % (kernel_dir, mod, hdddir, mod[9:])
exec_cmd(cp_cmd, True)
shutil.move("%s/grub.cfg" % cr_workdir,
"%s/hdd/boot/EFI/BOOT/grub.cfg" % cr_workdir)
elif source_params['loader'] == 'systemd-boot':
for mod in [x for x in os.listdir(kernel_dir) if x.startswith("systemd-")]:
- cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (kernel_dir, mod, hdddir, mod[8:])
- exec_cmd(cp_cmd, True)
+ cp_cmd = "cp -v -p %s/%s %s/EFI/BOOT/%s" % (kernel_dir, mod, hdddir, mod[8:])
+ out = exec_cmd(cp_cmd, True)
+ logger.debug("systemd-boot files:\n%s" % out)
elif source_params['loader'] == 'uefi-kernel':
kernel = get_bitbake_var("KERNEL_IMAGETYPE")
if not kernel:
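Review bot: In the grub-efi branch the cp command gains -v -p but the result of exec_cmd(cp_cmd, True) is still discarded, while every other copy touched in this hunk stores it in out and logs it; assign and log it there as well so all loaders get the same debug output.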
@@ -445,8 +451,9 @@ class BootimgEFIPlugin(SourcePlugin):
raise WicError("UEFI stub kernel is incompatible with target %s" % target)
for mod in [x for x in os.listdir(kernel_dir) if x.startswith(kernel)]:
- cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (kernel_dir, mod, hdddir, kernel_efi_image)
- exec_cmd(cp_cmd, True)
+ cp_cmd = "cp -v -p %s/%s %s/EFI/BOOT/%s" % (kernel_dir, mod, hdddir, kernel_efi_image)
+ out = exec_cmd(cp_cmd, True)
+ logger.debug("uefi-kernel files:\n%s" % out)
else:
raise WicError("unrecognized bootimg-efi loader: %s" %
source_params['loader'])
@@ -455,13 +462,15 @@ class BootimgEFIPlugin(SourcePlugin):
startup = os.path.join(kernel_dir, "startup.nsh")
if os.path.exists(startup):
- cp_cmd = "cp %s %s/" % (startup, hdddir)
- exec_cmd(cp_cmd, True)
+ cp_cmd = "cp -v -p %s %s/" % (startup, hdddir)
+ out = exec_cmd(cp_cmd, True)
+ logger.debug("startup files:\n%s" % out)
for paths in part.include_path or []:
for path in paths:
- cp_cmd = "cp -r %s %s/" % (path, hdddir)
+ cp_cmd = "cp -v -p -r %s %s/" % (path, hdddir)
exec_cmd(cp_cmd, True)
+ logger.debug("include_path files:\n%s" % out)
du_cmd = "du -bks %s" % hdddir
out = exec_cmd(du_cmd)
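Review bot: In the include_path loop the result of exec_cmd(cp_cmd, True) is not assigned, so the added logger.debug("include_path files:\n%s" % out) prints whatever an earlier command left in out, or fails if out has not been bound yet; the call should be out = exec_cmd(cp_cmd, True).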
@@ -489,12 +498,14 @@ class BootimgEFIPlugin(SourcePlugin):
label = part.label if part.label else "ESP"
- dosfs_cmd = "mkdosfs -n %s -i %s -C %s %d" % \
+ dosfs_cmd = "mkdosfs -v -n %s -i %s -C %s %d" % \
(label, part.fsuuid, bootimg, blocks)
exec_native_cmd(dosfs_cmd, native_sysroot)
+ logger.debug("mkdosfs:\n%s" % (str(out)))
- mcopy_cmd = "mcopy -i %s -s %s/* ::/" % (bootimg, hdddir)
- exec_native_cmd(mcopy_cmd, native_sysroot)
+ mcopy_cmd = "mcopy -v -p -i %s -s %s/* ::/" % (bootimg, hdddir)
+ out = exec_native_cmd(mcopy_cmd, native_sysroot)
+ logger.debug("mcopy:\n%s" % (str(out)))
chmod_cmd = "chmod 644 %s" % bootimg
exec_cmd(chmod_cmd)
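Review bot: The return value of exec_native_cmd(dosfs_cmd, native_sysroot) is not captured, so logger.debug("mkdosfs:\n%s" % (str(out))) logs a stale out from an earlier command (the previous hunk shows out = exec_cmd(du_cmd)) under the mkdosfs label; assign the result to out first. Also, the commit message says the aim is to keep timestamps, but in mtools mcopy -p preserves file attributes and -m is the option that preserves modification time, so the mcopy line likely wants -m.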
--
2.34.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v6 3/8] wic bootimg-efi.py: change UKI support from wic plugin to uki.bbclass
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 1/8] uki.bbclass: add class for building Unified Kernel Images (UKI) Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 2/8] wic bootimg-efi.py: keep timestamps and add debug prints Mikko Rapeli
@ 2024-10-09 11:26 ` Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 4/8] oeqa selftest uki.py: add tests for uki.bbclass Mikko Rapeli
` (6 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-09 11:26 UTC (permalink / raw)
To: openembedded-core; +Cc: Mikko Rapeli
Remove custom wic plugin implementation and use systemd ukify reference
implementation when generating UKI images. Fail if users still have
create-unified-kernel-image in wic image config. uki.bbclass use is
detected from IMAGE_CLASSES variable ("inherit uki" in image
recipe) so export that to wic plugins.
If UKI is used, then only generate a minimal loader config for
systemd-boot which basically just sets a timeout. Also set 5 second
timeout by default instead of failing if wic bootloader config is
missing. Boot menu is generated at runtime based on UKI binaries
found from ESP partition.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
meta/classes-recipe/image_types_wic.bbclass | 3 +-
scripts/lib/wic/plugins/source/bootimg-efi.py | 140 ++++--------------
2 files changed, 27 insertions(+), 116 deletions(-)
diff --git a/meta/classes-recipe/image_types_wic.bbclass b/meta/classes-recipe/image_types_wic.bbclass
index 1fa016c16e..9a2996658a 100644
--- a/meta/classes-recipe/image_types_wic.bbclass
+++ b/meta/classes-recipe/image_types_wic.bbclass
@@ -15,6 +15,7 @@ WICVARS ?= "\
HOSTTOOLS_DIR \
IMAGE_BASENAME \
IMAGE_BOOT_FILES \
+ IMAGE_CLASSES \
IMAGE_EFI_BOOT_FILES \
IMAGE_LINK_NAME \
IMAGE_ROOTFS \
@@ -113,7 +114,7 @@ WKS_FILE_DEPENDS_DEFAULT += "bmaptool-native cdrtools-native btrfs-tools-native
WKS_FILE_DEPENDS_DEFAULT += "virtual/${TARGET_PREFIX}binutils"
WKS_FILE_DEPENDS_BOOTLOADERS = ""
WKS_FILE_DEPENDS_BOOTLOADERS:x86 = "syslinux grub-efi systemd-boot os-release"
-WKS_FILE_DEPENDS_BOOTLOADERS:x86-64 = "syslinux grub-efi systemd-boot os-release"
+WKS_FILE_DEPENDS_BOOTLOADERS:x86-64 = "syslinux systemd-boot os-release"
WKS_FILE_DEPENDS_BOOTLOADERS:x86-x32 = "syslinux grub-efi"
WKS_FILE_DEPENDS ??= "${WKS_FILE_DEPENDS_DEFAULT} ${WKS_FILE_DEPENDS_BOOTLOADERS}"
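Review bot: WKS_FILE_DEPENDS_BOOTLOADERS:x86-64 drops grub-efi while the x86 and x86-x32 lines keep it, and the commit message does not mention the change; if it is intentional it needs a line of explanation, since x86-64 wks files using the grub-efi loader would lose this dependency, otherwise it should be restored.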
diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
index d00f5428da..c05f38f229 100644
--- a/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -125,8 +125,16 @@ class BootimgEFIPlugin(SourcePlugin):
@classmethod
def do_configure_systemdboot(cls, hdddir, creator, cr_workdir, source_params):
"""
- Create loader-specific systemd-boot/gummiboot config
+ Create loader-specific systemd-boot/gummiboot config. Unified Kernel Image (uki)
+ support is done in image recipe with uki.bbclass and only systemd-boot loader config
+ and ESP partition structure is created here.
"""
+ # detect uki.bbclass usage
+ image_classes = get_bitbake_var("IMAGE_CLASSES").split()
+ unified_image = False
+ if "uki" in image_classes:
+ unified_image = True
+
install_cmd = "install -d %s/loader" % hdddir
exec_cmd(install_cmd)
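Review bot: get_bitbake_var("IMAGE_CLASSES").split() will raise if get_bitbake_var returns nothing for an unset IMAGE_CLASSES; guard it with (get_bitbake_var("IMAGE_CLASSES") or "").split(). The four-line flag setup can then collapse to unified_image = "uki" in image_classes.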
@@ -134,19 +142,10 @@ class BootimgEFIPlugin(SourcePlugin):
exec_cmd(install_cmd)
bootloader = creator.ks.bootloader
-
- unified_image = source_params.get('create-unified-kernel-image') == "true"
-
loader_conf = ""
- if not unified_image:
- loader_conf += "default boot\n"
- loader_conf += "timeout %d\n" % bootloader.timeout
- initrd = source_params.get('initrd')
- dtb = source_params.get('dtb')
-
- if not unified_image:
- cls._copy_additional_files(hdddir, initrd, dtb)
+ # 5 seconds is a sensible default timeout
+ loader_conf += "timeout %d\n" % (bootloader.timeout or 5)
logger.debug("Writing systemd-boot config "
"%s/hdd/boot/loader/loader.conf", cr_workdir)
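Review bot: bootloader.timeout or 5 also replaces an explicitly configured timeout of 0 with 5, since 0 is falsy; test for None instead if a zero timeout should stay possible. The hunk also removes the "default boot" line for the non-UKI case, where it used to be written, which is a behaviour change the commit message does not cover.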
@@ -155,8 +154,14 @@ class BootimgEFIPlugin(SourcePlugin):
logger.debug("loader.conf:\n%s" % (loader_conf))
cfg.close()
+ initrd = source_params.get('initrd')
+ dtb = source_params.get('dtb')
+ if not unified_image:
+ cls._copy_additional_files(hdddir, initrd, dtb)
+
configfile = creator.ks.bootloader.configfile
custom_cfg = None
+ boot_conf = ""
if configfile:
custom_cfg = get_custom_config(configfile)
if custom_cfg:
@@ -167,8 +172,7 @@ class BootimgEFIPlugin(SourcePlugin):
else:
raise WicError("configfile is specified but failed to "
"get it from %s.", configfile)
-
- if not custom_cfg:
+ else:
# Create systemd-boot configuration using parameters from wks file
kernel = get_bitbake_var("KERNEL_IMAGETYPE")
if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1":
@@ -178,7 +182,6 @@ class BootimgEFIPlugin(SourcePlugin):
title = source_params.get('title')
- boot_conf = ""
boot_conf += "title %s\n" % (title if title else "boot")
boot_conf += "linux /%s\n" % kernel
@@ -203,6 +206,7 @@ class BootimgEFIPlugin(SourcePlugin):
"%s/hdd/boot/loader/entries/boot.conf", cr_workdir)
cfg = open("%s/hdd/boot/loader/entries/boot.conf" % cr_workdir, "w")
cfg.write(boot_conf)
+ logger.debug("boot.conf:\n%s" % (boot_conf))
cfg.close()
@@ -307,107 +311,13 @@ class BootimgEFIPlugin(SourcePlugin):
(get_bitbake_var("KERNEL_IMAGETYPE"), get_bitbake_var("INITRAMFS_LINK_NAME"))
if source_params.get('create-unified-kernel-image') == "true":
- initrd = source_params.get('initrd')
- if not initrd:
- raise WicError("initrd= must be specified when create-unified-kernel-image=true, exiting")
-
- deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
- efi_stub = glob("%s/%s" % (deploy_dir, "linux*.efi.stub"))
- if len(efi_stub) == 0:
- raise WicError("Unified Kernel Image EFI stub not found, exiting")
- efi_stub = efi_stub[0]
-
- with tempfile.TemporaryDirectory() as tmp_dir:
- label = source_params.get('label')
- label_conf = "root=%s" % creator.rootdev
- if label:
- label_conf = "LABEL=%s" % label
-
- bootloader = creator.ks.bootloader
- cmdline = open("%s/cmdline" % tmp_dir, "w")
- cmdline.write("%s %s" % (label_conf, bootloader.append))
- cmdline.close()
+ raise WicError("create-unified-kernel-image is no longer supported. Please use uki.bbclass.")
- initrds = initrd.split(';')
- initrd = open("%s/initrd" % tmp_dir, "wb")
- for f in initrds:
- with open("%s/%s" % (deploy_dir, f), 'rb') as in_file:
- shutil.copyfileobj(in_file, initrd)
- initrd.close()
-
- # Searched by systemd-boot:
- # https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-images
- install_cmd = "install -d %s/EFI/Linux" % hdddir
- exec_cmd(install_cmd)
-
- staging_dir_host = get_bitbake_var("STAGING_DIR_HOST")
- target_sys = get_bitbake_var("TARGET_SYS")
-
- objdump_cmd = "%s-objdump" % target_sys
- objdump_cmd += " -p %s" % efi_stub
- objdump_cmd += " | awk '{ if ($1 == \"SectionAlignment\"){print $2} }'"
-
- ret, align_str = exec_native_cmd(objdump_cmd, native_sysroot)
- align = int(align_str, 16)
-
- objdump_cmd = "%s-objdump" % target_sys
- objdump_cmd += " -h %s | tail -2" % efi_stub
- ret, output = exec_native_cmd(objdump_cmd, native_sysroot)
-
- offset = int(output.split()[2], 16) + int(output.split()[3], 16)
-
- osrel_off = offset + align - offset % align
- osrel_path = "%s/usr/lib/os-release" % staging_dir_host
- osrel_sz = os.stat(osrel_path).st_size
-
- cmdline_off = osrel_off + osrel_sz
- cmdline_off = cmdline_off + align - cmdline_off % align
- cmdline_sz = os.stat(cmdline.name).st_size
-
- dtb_off = cmdline_off + cmdline_sz
- dtb_off = dtb_off + align - dtb_off % align
-
- dtb = source_params.get('dtb')
- if dtb:
- if ';' in dtb:
- raise WicError("Only one DTB supported, exiting")
- dtb_path = "%s/%s" % (deploy_dir, dtb)
- dtb_params = '--add-section .dtb=%s --change-section-vma .dtb=0x%x' % \
- (dtb_path, dtb_off)
- linux_off = dtb_off + os.stat(dtb_path).st_size
- linux_off = linux_off + align - linux_off % align
- else:
- dtb_params = ''
- linux_off = dtb_off
-
- linux_path = "%s/%s" % (staging_kernel_dir, kernel)
- linux_sz = os.stat(linux_path).st_size
-
- initrd_off = linux_off + linux_sz
- initrd_off = initrd_off + align - initrd_off % align
-
- # https://www.freedesktop.org/software/systemd/man/systemd-stub.html
- objcopy_cmd = "%s-objcopy" % target_sys
- objcopy_cmd += " --enable-deterministic-archives"
- objcopy_cmd += " --preserve-dates"
- objcopy_cmd += " --add-section .osrel=%s" % osrel_path
- objcopy_cmd += " --change-section-vma .osrel=0x%x" % osrel_off
- objcopy_cmd += " --add-section .cmdline=%s" % cmdline.name
- objcopy_cmd += " --change-section-vma .cmdline=0x%x" % cmdline_off
- objcopy_cmd += dtb_params
- objcopy_cmd += " --add-section .linux=%s" % linux_path
- objcopy_cmd += " --change-section-vma .linux=0x%x" % linux_off
- objcopy_cmd += " --add-section .initrd=%s" % initrd.name
- objcopy_cmd += " --change-section-vma .initrd=0x%x" % initrd_off
- objcopy_cmd += " %s %s/EFI/Linux/linux.efi" % (efi_stub, hdddir)
-
- exec_native_cmd(objcopy_cmd, native_sysroot)
- else:
- if source_params.get('install-kernel-into-boot-dir') != 'false':
- install_cmd = "install -v -p -m 0644 %s/%s %s/%s" % \
- (staging_kernel_dir, kernel, hdddir, kernel)
- out = exec_cmd(install_cmd)
- logger.debug("Installed kernel files:\n%s" % out)
+ if source_params.get('install-kernel-into-boot-dir') != 'false':
+ install_cmd = "install -v -p -m 0644 %s/%s %s/%s" % \
+ (staging_kernel_dir, kernel, hdddir, kernel)
+ out = exec_cmd(install_cmd)
+ logger.debug("Installed kernel files:\n%s" % out)
if get_bitbake_var("IMAGE_EFI_BOOT_FILES"):
for src_path, dst_path in cls.install_task:
--
2.34.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v6 4/8] oeqa selftest uki.py: add tests for uki.bbclass
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
` (2 preceding siblings ...)
2024-10-09 11:26 ` [PATCH v6 3/8] wic bootimg-efi.py: change UKI support from wic plugin to uki.bbclass Mikko Rapeli
@ 2024-10-09 11:26 ` Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 5/8] oeqa selftest efibootpartition.py: add TEST_RUNQEMUPARAMS to runqemu Mikko Rapeli
` (5 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-09 11:26 UTC (permalink / raw)
To: openembedded-core; +Cc: Mikko Rapeli
Tests build and boot qemu into uki binary with systemd and sysvinit.
Due to dependency on x86 specific ovmf UEFI firmware, tests
are specific to x86 currently. UEFI firmware for ARM can be generated
via qemuarm64-secureboot machine in meta-arm and similar tests
on qemu will pass.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
meta/lib/oeqa/selftest/cases/uki.py | 138 ++++++++++++++++++
.../wic/canned-wks/efi-uki-bootdisk.wks.in | 3 +
2 files changed, 141 insertions(+)
create mode 100644 meta/lib/oeqa/selftest/cases/uki.py
create mode 100644 scripts/lib/wic/canned-wks/efi-uki-bootdisk.wks.in
diff --git a/meta/lib/oeqa/selftest/cases/uki.py b/meta/lib/oeqa/selftest/cases/uki.py
new file mode 100644
index 0000000000..b0e6e52d64
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/uki.py
@@ -0,0 +1,138 @@
+# Based on runqemu.py test file
+#
+# Copyright (c) 2017 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, runqemu, get_bb_var
+from oeqa.core.decorator.data import skipIfNotArch
+from oeqa.core.decorator import OETestTag
+import oe.types
+
+class UkiTest(OESelftestTestCase):
+ """Boot Unified Kernel Image (UKI) generated with uki.bbclass on UEFI firmware (omvf/edk2)"""
+
+ @skipIfNotArch(['i586', 'i686', 'x86_64'])
+ @OETestTag("runqemu")
+ def test_uki_boot_systemd(self):
+ """Build and boot into UEFI firmware (omvf/edk2), systemd-boot, initrd without systemd, rootfs with systemd"""
+ image = "core-image-minimal"
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', image) or ""
+ cmd = "runqemu %s nographic serial wic ovmf" % (runqemu_params)
+ if oe.types.qemu_use_kvm(self.td.get('QEMU_USE_KVM', 0), self.td["TARGET_ARCH"]):
+ cmd += " kvm"
+
+ self.write_config("""
+# efi firmware must load systemd-boot, not grub
+EFI_PROVIDER = "systemd-boot"
+
+# image format must be wic, needs esp partition for firmware etc
+IMAGE_FSTYPES:pn-%s:append = " wic"
+WKS_FILE = "efi-uki-bootdisk.wks.in"
+
+# efi, uki and systemd features must be enabled
+INIT_MANAGER = "systemd"
+MACHINE_FEATURES:append = " efi"
+DISTRO_FEATURES:append = " uki"
+DISTRO_FEATURES:append = " systemd"
+DISTRO_FEATURES_NATIVE:append = " systemd"
+IMAGE_CLASSES:append:pn-core-image-minimal = " uki"
+
+# uki embeds also an initrd
+INITRAMFS_IMAGE = "core-image-minimal-initramfs"
+
+# runqemu must not load kernel separately, it's in the uki
+QB_KERNEL_ROOT = ""
+QB_DEFAULT_KERNEL = "none"
+
+# boot command line provided via uki, not via bootloader
+UKI_CMDLINE = "rootwait root=LABEL=root console=${KERNEL_CONSOLE}"
+""" % (image))
+
+ uki_filename = get_bb_var('UKI_FILENAME', image)
+
+ bitbake(image + " ovmf")
+ with runqemu(image, ssh=False, launch_cmd=cmd) as qemu:
+ self.assertTrue(qemu.runner.logged, "Failed: %s" % cmd)
+
+ # Verify from efivars that firmware was:
+ # x86_64, qemux86_64 = edk2
+ # arm, = u-boot
+ cmd = "echo $( cat /sys/firmware/efi/efivars/LoaderFirmwareInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ) | grep 'EDK II'"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
+ # Check that systemd-boot was the loader
+ cmd = "echo $( cat /sys/firmware/efi/efivars/LoaderInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ) | grep systemd-boot"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
+ # Check that systemd-stub was used
+ cmd = "echo $( cat /sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ) | grep systemd-stub"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
+ # Check that the compiled uki file was booted into
+ cmd = "echo $( cat /sys/firmware/efi/efivars/LoaderEntrySelected-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ) | grep '%s'" % (uki_filename)
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
+ @skipIfNotArch(['i586', 'i686', 'x86_64'])
+ @OETestTag("runqemu")
+ def test_uki_sysvinit(self):
+ """Build and boot into UEFI firmware (omvf/edk2), systemd-boot, initrd with sysvinit, rootfs with sysvinit"""
+ config = """
+# efi firmware must load systemd-boot, not grub
+EFI_PROVIDER = "systemd-boot"
+
+# image format must be wic, needs esp partition for firmware etc
+IMAGE_FSTYPES:pn-core-image-base:append = " wic"
+WKS_FILE = "efi-uki-bootdisk.wks.in"
+
+# efi, uki and systemd features must be enabled
+MACHINE_FEATURES:append = " efi"
+DISTRO_FEATURES_NATIVE:append = " systemd"
+IMAGE_CLASSES:append:pn-core-image-base = " uki"
+
+# uki embeds also an initrd, no systemd or udev
+INITRAMFS_IMAGE = "core-image-initramfs-boot"
+
+# runqemu must not load kernel separately, it's in the uki
+QB_KERNEL_ROOT = ""
+QB_DEFAULT_KERNEL = "none"
+
+# boot command line provided via uki, not via bootloader
+UKI_CMDLINE = "rootwait root=LABEL=root console=${KERNEL_CONSOLE}"
+
+"""
+ self.append_config(config)
+ bitbake('core-image-base ovmf')
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'core-image-base') or ""
+ uki_filename = get_bb_var('UKI_FILENAME', 'core-image-base')
+ self.remove_config(config)
+
+ with runqemu('core-image-base', ssh=False,
+ runqemuparams='%s slirp nographic ovmf' % (runqemu_params), image_fstype='wic') as qemu:
+ # Verify from efivars that firmware was:
+ # x86_64, qemux86_64 = edk2
+ # arm, = u-boot
+ cmd = "echo $( cat /sys/firmware/efi/efivars/LoaderFirmwareInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ) | grep 'EDK II'"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
+ # Check that systemd-boot was the loader
+ cmd = "echo $( cat /sys/firmware/efi/efivars/LoaderInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ) | grep systemd-boot"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
+ # Check that systemd-stub was used
+ cmd = "echo $( cat /sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ) | grep systemd-stub"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
+ # Check that the compiled uki file was booted into
+ cmd = "echo $( cat /sys/firmware/efi/efivars/LoaderEntrySelected-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ) | grep '%s'" % (uki_filename)
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
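Review bot: test_uki_sysvinit hard-codes "slirp" in runqemuparams='%s slirp nographic ovmf', while test_uki_boot_systemd takes networking only from TEST_RUNQEMUPARAMS; drop the literal so both tests honour the same setting and a local.conf that already sets "slirp" does not pass it twice. The four efivars checks are repeated verbatim in both tests and would be easier to maintain as one helper taking qemu and uki_filename. In the LoaderEntrySelected check, grep -F would match characters such as "." in the UKI file name literally instead of as regex wildcards. Neither test compares /proc/cmdline with UKI_CMDLINE, so the "boot command line provided via uki, not via bootloader" property stated in the config comments is not asserted. The docstrings spell the firmware "omvf" where the commands use "ovmf".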
diff --git a/scripts/lib/wic/canned-wks/efi-uki-bootdisk.wks.in b/scripts/lib/wic/canned-wks/efi-uki-bootdisk.wks.in
new file mode 100644
index 0000000000..1ea9c8a845
--- /dev/null
+++ b/scripts/lib/wic/canned-wks/efi-uki-bootdisk.wks.in
@@ -0,0 +1,3 @@
+bootloader --ptable gpt --timeout=5
+part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label boot --active --align 1024 --use-uuid --part-name="ESP" --part-type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B --fixed-size 512M
+part / --source rootfs --fstype=ext4 --label root --align 1024 --exclude-path boot/
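Review bot: the new canned wks has no "# short-description:" header, unlike the wks files under meta-selftest/wic touched later in this series; add one. A comment is also needed on the rootfs line saying that "--label root" is what "root=LABEL=root" in UKI_CMDLINE relies on, since the command line is baked into the UKI and the two can otherwise be changed independently without any build-time error.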
--
2.34.1
* [PATCH v6 5/8] oeqa selftest efibootpartition.py: add TEST_RUNQEMUPARAMS to runqemu
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
` (3 preceding siblings ...)
2024-10-09 11:26 ` [PATCH v6 4/8] oeqa selftest uki.py: add tests for uki.bbclass Mikko Rapeli
@ 2024-10-09 11:26 ` Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 6/8] oeqa selftest efibootpartition.py: remove systemd-boot from grub-efi test Mikko Rapeli
` (4 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-09 11:26 UTC (permalink / raw)
To: openembedded-core; +Cc: Mikko Rapeli
TEST_RUNQEMUPARAMS variable is used to add runqemu parameters like
"slirp" networking. Support this also in selftests so that "slirp"
networking can be used instead of the tun/tap devices setup which
is easier to work with on shared build machines.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
meta/lib/oeqa/selftest/cases/efibootpartition.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/efibootpartition.py b/meta/lib/oeqa/selftest/cases/efibootpartition.py
index fa74103dec..e6d6a91a22 100644
--- a/meta/lib/oeqa/selftest/cases/efibootpartition.py
+++ b/meta/lib/oeqa/selftest/cases/efibootpartition.py
@@ -6,7 +6,7 @@
#
from oeqa.selftest.case import OESelftestTestCase
-from oeqa.utils.commands import bitbake, runqemu
+from oeqa.utils.commands import bitbake, runqemu, get_bb_var
from oeqa.core.decorator.data import skipIfNotMachine
import oe.types
@@ -14,10 +14,11 @@ class GenericEFITest(OESelftestTestCase):
"""EFI booting test class"""
@skipIfNotMachine("qemux86-64", "test is qemux86-64 specific currently")
def test_boot_efi(self):
- cmd = "runqemu nographic serial wic ovmf"
+ image = "core-image-minimal"
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', image) or ""
+ cmd = "runqemu %s nographic serial wic ovmf" % (runqemu_params)
if oe.types.qemu_use_kvm(self.td.get('QEMU_USE_KVM', 0), self.td["TARGET_ARCH"]):
cmd += " kvm"
- image = "core-image-minimal"
self.write_config("""
EFI_PROVIDER = "systemd-boot"
--
2.34.1
* [PATCH v6 6/8] oeqa selftest efibootpartition.py: remove systemd-boot from grub-efi test
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
` (4 preceding siblings ...)
2024-10-09 11:26 ` [PATCH v6 5/8] oeqa selftest efibootpartition.py: add TEST_RUNQEMUPARAMS to runqemu Mikko Rapeli
@ 2024-10-09 11:26 ` Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 7/8] oeqa selftest wic.py: add TEST_RUNQEMUPARAMS to runqemu Mikko Rapeli
` (3 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-09 11:26 UTC (permalink / raw)
To: openembedded-core; +Cc: Mikko Rapeli
The test is actually using grub-efi not systemd-boot so
remove it completely. systemd-boot will be tested via uki.py
tests.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
meta/lib/oeqa/selftest/cases/efibootpartition.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/efibootpartition.py b/meta/lib/oeqa/selftest/cases/efibootpartition.py
index e6d6a91a22..fcfcdaf7e4 100644
--- a/meta/lib/oeqa/selftest/cases/efibootpartition.py
+++ b/meta/lib/oeqa/selftest/cases/efibootpartition.py
@@ -21,11 +21,11 @@ class GenericEFITest(OESelftestTestCase):
cmd += " kvm"
self.write_config("""
-EFI_PROVIDER = "systemd-boot"
+EFI_PROVIDER = "grub-efi"
IMAGE_FSTYPES:pn-%s:append = " wic"
MACHINE_FEATURES:append = " efi"
WKS_FILE = "efi-bootdisk.wks.in"
-IMAGE_INSTALL:append = " grub-efi systemd-boot kernel-image-bzimage"
+IMAGE_INSTALL:append = " grub-efi kernel-image-bzimage"
"""
% (image))
--
2.34.1
* [PATCH v6 7/8] oeqa selftest wic.py: add TEST_RUNQEMUPARAMS to runqemu
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
` (5 preceding siblings ...)
2024-10-09 11:26 ` [PATCH v6 6/8] oeqa selftest efibootpartition.py: remove systemd-boot from grub-efi test Mikko Rapeli
@ 2024-10-09 11:26 ` Mikko Rapeli
2024-10-09 11:26 ` [PATCH v6 8/8] oeqa selftest wic.py: support UKIs via uki.bbclass Mikko Rapeli
` (2 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-09 11:26 UTC (permalink / raw)
To: openembedded-core; +Cc: Mikko Rapeli
To support "slirp" networking on shared build machines instead
of tun/tap devices. Users can set
TEST_RUNQEMUPARAMS = "slirp"
in their build/conf/local.conf to run selftests using "slirp"
networking. The same works for testimage.bbclass and oeqa runtime
tests.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
meta/lib/oeqa/selftest/cases/wic.py | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py
index b616759209..f2a46c965b 100644
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -939,7 +939,8 @@ class Wic2(WicTestCase):
bitbake('wic-image-minimal')
self.remove_config(config)
- with runqemu('wic-image-minimal', ssh=False, runqemuparams='nographic') as qemu:
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'wic-image-minimal') or ""
+ with runqemu('wic-image-minimal', ssh=False, runqemuparams='%s nographic' % (runqemu_params)) as qemu:
cmd = "mount | grep '^/dev/' | cut -f1,3 -d ' ' | egrep -c -e '/dev/sda1 /boot' " \
"-e '/dev/root /|/dev/sda2 /' -e '/dev/sda3 /media' -e '/dev/sda4 /mnt'"
status, output = qemu.run_serial(cmd)
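Review bot: the get_bb_var('TEST_RUNQEMUPARAMS', ...) or "" lookup followed by '%s nographic' formatting is repeated in all five hunks of this patch; a small helper on the test class that returns the combined runqemuparams string for an image would keep each call site to one line. It would also avoid the leading space in the parameter string when the variable is unset.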
@@ -959,8 +960,9 @@ class Wic2(WicTestCase):
bitbake('core-image-minimal ovmf')
self.remove_config(config)
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'core-image-minimal') or ""
with runqemu('core-image-minimal', ssh=False,
- runqemuparams='nographic ovmf', image_fstype='wic') as qemu:
+ runqemuparams='%s nographic ovmf' % (runqemu_params), image_fstype='wic') as qemu:
cmd = "grep sda. /proc/partitions |wc -l"
status, output = qemu.run_serial(cmd)
self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
@@ -1154,8 +1156,9 @@ class Wic2(WicTestCase):
bitbake('core-image-minimal-mtdutils')
self.remove_config(config)
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'core-image-minimal-mtdutils') or ""
with runqemu('core-image-minimal-mtdutils', ssh=False,
- runqemuparams='nographic', image_fstype='wic') as qemu:
+ runqemuparams='%s nographic' % (runqemu_params), image_fstype='wic') as qemu:
cmd = "grep sda. /proc/partitions |wc -l"
status, output = qemu.run_serial(cmd)
self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
@@ -1214,8 +1217,9 @@ class Wic2(WicTestCase):
bitbake('core-image-minimal')
self.remove_config(config)
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'core-image-minimal') or ""
with runqemu('core-image-minimal', ssh=False,
- runqemuparams='nographic', image_fstype='wic') as qemu:
+ runqemuparams='%s nographic' % (runqemu_params), image_fstype='wic') as qemu:
# Check that we have ONLY two /dev/sda* partitions (/boot and /)
cmd = "grep sda. /proc/partitions | wc -l"
status, output = qemu.run_serial(cmd)
@@ -1446,8 +1450,8 @@ class Wic2(WicTestCase):
os.rename(image_path, image_path + '.bak')
os.rename(new_image_path, image_path)
- # Check if it boots in qemu
- with runqemu('core-image-minimal', ssh=False, runqemuparams='nographic') as qemu:
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'core-image-minimal') or ""
+ with runqemu('core-image-minimal', ssh=False, runqemuparams='%s nographic' % (runqemu_params)) as qemu:
cmd = "ls /etc/"
status, output = qemu.run_serial('true')
self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
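Review bot: this hunk drops the "# Check if it boots in qemu" comment although the block still exists only for that purpose; keep the comment above the new runqemu_params line. The context lines also show cmd = "ls /etc/" while qemu.run_serial('true') is what actually runs, so the failure message reports a command that was never executed; pass cmd to run_serial or set cmd to 'true' while touching this block.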
--
2.34.1
* [PATCH v6 8/8] oeqa selftest wic.py: support UKIs via uki.bbclass
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
` (6 preceding siblings ...)
2024-10-09 11:26 ` [PATCH v6 7/8] oeqa selftest wic.py: add TEST_RUNQEMUPARAMS to runqemu Mikko Rapeli
@ 2024-10-09 11:26 ` Mikko Rapeli
2024-10-09 17:53 ` [OE-core] [PATCH v6 0/8] systemd uki support Richard Purdie
[not found] ` <17FCDA527F20D203.22523@lists.openembedded.org>
9 siblings, 0 replies; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-09 11:26 UTC (permalink / raw)
To: openembedded-core; +Cc: Mikko Rapeli
Use label to detect rootfs since UKI with kernel command
line is generated before rootfs is generated by wic.
Adapt wic tests to build and boot uki.bbclass generated
UKIs.
Keep one UKI test in wic.py; the rest of the UKI features
are tested with the dedicated uki.py test. Add plain non-UKI
systemd-boot tests to wic suite for aarch64 and x86.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
meta-selftest/wic/test_efi_plugin.wks | 5 +-
.../test_efi_plugin_plain_systemd-boot.wks | 5 +
meta/lib/oeqa/selftest/cases/wic.py | 108 ++++++++++++++++--
3 files changed, 103 insertions(+), 15 deletions(-)
create mode 100644 meta-selftest/wic/test_efi_plugin_plain_systemd-boot.wks
diff --git a/meta-selftest/wic/test_efi_plugin.wks b/meta-selftest/wic/test_efi_plugin.wks
index 1603d6c4bb..e876a4be0e 100644
--- a/meta-selftest/wic/test_efi_plugin.wks
+++ b/meta-selftest/wic/test_efi_plugin.wks
@@ -1,6 +1,5 @@
# short-description: This file is used in oe-selftest wic module to test efi plugin
-
-part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,create-unified-kernel-image=true,initrd=${INITRAMFS_IMAGE}-${MACHINE}.${INITRAMFS_FSTYPES}" --active --align 1024 --use-uuid
-part / --source rootfs --fstype=ext4 --align 1024 --use-uuid
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot" --active --align 1024 --use-uuid
+part / --source rootfs --fstype=ext4 --align 1024 --use-uuid --label root
bootloader --timeout=0 --append="console=ttyS0,115200n8"
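Review bot: the bootloader line kept as context still carries --append="console=ttyS0,115200n8", but the UKI test that uses this file states that the boot command line is provided via the UKI and not via the bootloader; drop the --append or add a comment saying it is not used for UKI boots, so the file does not suggest the console setting comes from here. The rootfs line now has both --use-uuid and --label root; a comment noting that the label is what root=LABEL=root in UKI_CMDLINE matches would explain why both are present.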
diff --git a/meta-selftest/wic/test_efi_plugin_plain_systemd-boot.wks b/meta-selftest/wic/test_efi_plugin_plain_systemd-boot.wks
new file mode 100644
index 0000000000..2745c19e85
--- /dev/null
+++ b/meta-selftest/wic/test_efi_plugin_plain_systemd-boot.wks
@@ -0,0 +1,5 @@
+# short-description: This file is used in oe-selftest wic module to test efi plugin
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=${INITRAMFS_IMAGE}-${MACHINE}.${INITRAMFS_FSTYPES}" --active --align 1024 --use-uuid
+part / --source rootfs --fstype=ext4 --align 1024 --use-uuid
+
+bootloader --timeout=0 --append="console=ttyS0,115200n8"
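Review bot: the "# short-description:" line is copied unchanged from test_efi_plugin.wks, so the two files describe themselves identically; say here that this file tests plain systemd-boot with a separate initrd and no UKI.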
diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py
index f2a46c965b..739682e731 100644
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -1292,24 +1292,46 @@ class Wic2(WicTestCase):
@skipIfNotArch(['i586', 'i686', 'x86_64'])
@OETestTag("runqemu")
def test_efi_plugin_unified_kernel_image_qemu(self):
- """Test efi plugin's Unified Kernel Image feature in qemu"""
- config = 'IMAGE_FSTYPES = "wic"\n'\
- 'INITRAMFS_IMAGE = "core-image-minimal-initramfs"\n'\
- 'WKS_FILE = "test_efi_plugin.wks"\n'\
- 'MACHINE_FEATURES:append = " efi"\n'
+ """Test Unified Kernel Image feature in qemu without systemd in initramfs or rootfs"""
+ config = """
+# efi firmware must load systemd-boot, not grub
+EFI_PROVIDER = "systemd-boot"
+
+# image format must be wic, needs esp partition for firmware etc
+IMAGE_FSTYPES:pn-core-image-base:append = " wic"
+WKS_FILE = "test_efi_plugin.wks"
+
+# efi, uki and systemd features must be enabled
+MACHINE_FEATURES:append = " efi"
+DISTRO_FEATURES_NATIVE:append = " systemd"
+IMAGE_CLASSES:append:pn-core-image-base = " uki"
+
+# uki embeds also an initrd, no systemd or udev
+INITRAMFS_IMAGE = "core-image-initramfs-boot"
+
+# runqemu must not load kernel separately, it's in the uki
+QB_KERNEL_ROOT = ""
+QB_DEFAULT_KERNEL = "none"
+
+# boot command line provided via uki, not via bootloader
+UKI_CMDLINE = "rootwait root=LABEL=root console=${KERNEL_CONSOLE}"
+
+"""
self.append_config(config)
- bitbake('core-image-minimal core-image-minimal-initramfs ovmf')
+ bitbake('core-image-base ovmf')
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'core-image-base') or ""
+ uki_filename = get_bb_var('UKI_FILENAME', 'core-image-base')
self.remove_config(config)
- with runqemu('core-image-minimal', ssh=False,
- runqemuparams='nographic ovmf', image_fstype='wic') as qemu:
- # Check that /boot has EFI bootx64.efi (required for EFI)
- cmd = "ls /boot/EFI/BOOT/bootx64.efi | wc -l"
+ with runqemu('core-image-base', ssh=False,
+ runqemuparams='%s nographic ovmf' % (runqemu_params), image_fstype='wic') as qemu:
+ # Check that /boot has EFI boot*.efi (required for EFI)
+ cmd = "ls /boot/EFI/BOOT/boot*.efi | wc -l"
status, output = qemu.run_serial(cmd)
self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
self.assertEqual(output, '1')
- # Check that /boot has EFI/Linux/linux.efi (required for Unified Kernel Images auto detection)
- cmd = "ls /boot/EFI/Linux/linux.efi | wc -l"
+ # Check that /boot has EFI/Linux/${UKI_FILENAME} (required for Unified Kernel Images auto detection)
+ cmd = "ls /boot/EFI/Linux/%s | wc -l" % (uki_filename)
status, output = qemu.run_serial(cmd)
self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
self.assertEqual(output, '1')
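Review bot: the config comment "# efi, uki and systemd features must be enabled" does not match the lines under it, which append only " efi" to MACHINE_FEATURES and " systemd" to DISTRO_FEATURES_NATIVE, whereas test_uki_boot_systemd in uki.py also appends " uki" and " systemd" to DISTRO_FEATURES. Either add the missing feature lines or reword the comment to say that the class is pulled in through IMAGE_CLASSES alone. The two "ls ... | wc -l" checks only show that the files exist under /boot; reading LoaderEntrySelected as uki.py does would confirm that the UKI is what was booted.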
@@ -1319,6 +1341,68 @@ class Wic2(WicTestCase):
self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
self.assertEqual(output, '0')
+ @skipIfNotArch(['aarch64'])
+ @OETestTag("runqemu")
+ def test_efi_plugin_plain_systemd_boot_qemu_aarch64(self):
+ """Test plain systemd-boot in qemu with systemd"""
+ config = """
+INIT_MANAGER = "systemd"
+EFI_PROVIDER = "systemd-boot"
+
+# image format must be wic, needs esp partition for firmware etc
+IMAGE_FSTYPES:pn-core-image-base:append = " wic"
+WKS_FILE = "test_efi_plugin_plain_systemd-boot.wks"
+
+INITRAMFS_IMAGE = "core-image-initramfs-boot"
+"""
+ self.append_config(config)
+ bitbake('core-image-base u-boot')
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'core-image-base') or ""
+ self.remove_config(config)
+
+ with runqemu('core-image-base', ssh=False,
+ runqemuparams='%s nographic' % (runqemu_params), image_fstype='wic') as qemu:
+ # Check that /boot has EFI boot*.efi (required for EFI)
+ cmd = "ls /boot/EFI/BOOT/boot*.efi | wc -l"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+ self.assertEqual(output, '1')
+ # Check that boot.conf exists
+ cmd = "cat /boot/loader/entries/boot.conf"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
+ @skipIfNotArch(['i586', 'i686', 'x86_64'])
+ @OETestTag("runqemu")
+ def test_efi_plugin_plain_systemd_boot_qemu_x86(self):
+ """Test plain systemd-boot to systemd in qemu"""
+ config = """
+INIT_MANAGER = "systemd"
+EFI_PROVIDER = "systemd-boot"
+
+# image format must be wic, needs esp partition for firmware etc
+IMAGE_FSTYPES:pn-core-image-base:append = " wic"
+WKS_FILE = "test_efi_plugin_plain_systemd-boot.wks"
+
+INITRAMFS_IMAGE = "core-image-initramfs-boot"
+"""
+ self.append_config(config)
+ bitbake('core-image-base ovmf')
+ runqemu_params = get_bb_var('TEST_RUNQEMUPARAMS', 'core-image-base') or ""
+ self.remove_config(config)
+
+ with runqemu('core-image-base', ssh=False,
+ runqemuparams='%s nographic' % (runqemu_params), image_fstype='wic') as qemu:
+ # Check that /boot has EFI boot*.efi (required for EFI)
+ cmd = "ls /boot/EFI/BOOT/boot*.efi | wc -l"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+ self.assertEqual(output, '1')
+ # Check that boot.conf exists
+ cmd = "cat /boot/loader/entries/boot.conf"
+ status, output = qemu.run_serial(cmd)
+ self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
+
def test_fs_types(self):
"""Test filesystem types for empty and not empty partitions"""
img = 'core-image-minimal'
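Review bot: test_efi_plugin_plain_systemd_boot_qemu_x86 builds 'core-image-base ovmf' but starts qemu with runqemuparams='%s nographic', without "ovmf", while test_efi_plugin_unified_kernel_image_qemu in the previous hunk passes '%s nographic ovmf'; add "ovmf" to the x86 variant so the image is booted through the UEFI firmware that was just built. The aarch64 and x86 tests are otherwise identical apart from the firmware recipe, so a shared helper taking the firmware target and runqemu parameters would prevent this kind of drift. "cat /boot/loader/entries/boot.conf" only shows that the file is readable; an assertion on its content would make the plain systemd-boot path testable.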
--
2.34.1
* Re: [OE-core] [PATCH v6 0/8] systemd uki support
2024-10-09 11:26 [PATCH v6 0/8] systemd uki support Mikko Rapeli
` (7 preceding siblings ...)
2024-10-09 11:26 ` [PATCH v6 8/8] oeqa selftest wic.py: support UKIs via uki.bbclass Mikko Rapeli
@ 2024-10-09 17:53 ` Richard Purdie
[not found] ` <17FCDA527F20D203.22523@lists.openembedded.org>
9 siblings, 0 replies; 15+ messages in thread
From: Richard Purdie @ 2024-10-09 17:53 UTC (permalink / raw)
To: mikko.rapeli, openembedded-core
On Wed, 2024-10-09 at 14:26 +0300, Mikko Rapeli via lists.openembedded.org wrote:
> These changes enable building systemd uki images which combine
> kernel, kernel command line, initrd and possibly signatures to
> a single UEFI binary. This binary can be booted with UEFI firmware
> and systemd-boot. No grub is needed and UEFI firmware and/or
> systemd-boot provide possibilities for boot menus.
> The uki binary can also be signed for UEFI secure boot
> so the secure boot extends from firmware to kernel and initrd.
> Binding secure boot to full userspace is then easier since for example
> kernel command line and initrd contain the support needed to mount
> encrypted dm-verity etc partitions, and/or create partitions on demand
> with systemd-repart using device specific TPM devices for encryption.
>
> Tested on qemuarm64-secureboot machine from meta-arm with changes to
> support secure boot. Slightly different configuration tested on
> multiple arm64 System Ready boards with UEFI firmware, real and firmware
> based TPM devices. Tested with ovmf firmware on x86_64 with selftests but
> without secure boot which seems to be harder to setup in ovmf.
>
> Sadly I see two wic selftests, wic.Wic2.test_rawcopy_plugin_qemu and
> wic.Wic2.test_expand_mbr_image, failing when executing all wic selftests
> on a build machine with zfs filesystem. Will investigate this further.
> The issue seems to be in mkfs.ext4 producing broken filesystem, and partially
> in the tests which don't run the correct rootfs file (.ext4 vs .wic).
> Will debug this further and it is IMO unrelated to these changes since
> they reproduce on pure master branch without this series.
>
> v6: fixed wic refactoring botch which broke non-uki systemd-boot usage on
> genericarm64 reported by Ross Burton <Ross.Burton@arm.com>, added
> selftest to cover this wks usage on x86 and aarch64
>
> v5: drop patch "image_types_wic.bbclass: set systemd-boot and os-release
> dependency for all archs" since systemd-boot does not support all
> architectures
>
> v4: handle missing runqemu variable from build config, add
> python3-pefile to fast ptest list
>
> v3: rebased, fixed and added more selftests, removed wic plugin side uki
> support
>
> v2: https://lists.openembedded.org/g/openembedded-core/message/204090
>
This seems to be causing selftest failures unfortunately:
https://valkyrie.yoctoproject.org/#/builders/54/builds/206/steps/14/logs/stdio
Cheers,
Richard
* Re: [OE-core] [PATCH v6 0/8] systemd uki support
[not found] ` <17FCDA527F20D203.22523@lists.openembedded.org>
@ 2024-10-09 22:36 ` Richard Purdie
2024-10-10 7:53 ` Mikko Rapeli
0 siblings, 1 reply; 15+ messages in thread
From: Richard Purdie @ 2024-10-09 22:36 UTC (permalink / raw)
To: mikko.rapeli, openembedded-core
On Wed, 2024-10-09 at 18:53 +0100, Richard Purdie via
lists.openembedded.org wrote:
> On Wed, 2024-10-09 at 14:26 +0300, Mikko Rapeli via
> lists.openembedded.org wrote:
> > These changes enable building systemd uki images which combine
> > kernel, kernel command line, initrd and possibly signatures to
> > a single UEFI binary. This binary can be booted with UEFI firmware
> > and systemd-boot. No grub is needed and UEFI firmware and/or
> > systemd-boot provide possibilities for boot menus.
> > The uki binary can also be signed for UEFI secure boot
> > so the secure boot extends from firmware to kernel and initrd.
> > Binding secure boot to full userspace is then easier since for
> > example
> > kernel command line and initrd contain the support needed to mount
> > encrypted dm-verity etc partitions, and/or create partitions on
> > demand
> > with systemd-repart using device specific TPM devices for
> > encryption.
> >
> > Tested on qemuarm64-secureboot machine from meta-arm with changes
> > to
> > support secure boot. Slightly different configuration tested on
> > multiple arm64 System Ready boards with UEFI firmware, real and
> > firmware
> > based TPM devices. Tested with ovmf firmware on x86_64 with
> > selftests but
> > without secure boot which seems to be harder to set up in ovmf.
> >
> > Sadly I see two wic selftests, wic.Wic2.test_rawcopy_plugin_qemu
> > and
> > wic.Wic2.test_expand_mbr_image, failing when executing all wic
> > selftests
> > on a build machine with zfs filesystem. Will investigate this
> > further.
> > The issue seems to be in mkfs.ext4 producing broken filesystem, and
> > partially
> > in the tests which don't run the correct rootfs file (.ext4 vs
> > .wic).
> > Will debug this further and it is IMO unrelated to these changes
> > since
> > they reproduce on pure master branch without this series.
> >
> > v6: fixed wic refactoring botch which broke non-uki systemd-boot
> > usage on
> > genericarm64 reported by Ross Burton <Ross.Burton@arm.com>,
> > added
> > selftest to cover this wks usage on x86 and aarch64
> >
> > v5: drop patch "image_types_wic.bbclass: set systemd-boot and os-
> > release
> > dependency for all archs" since systemd-boot does not support
> > all
> > architectures
> >
> > v4: handle missing runqemu variable from build config, add
> > python3-pefile to fast ptest list
> >
> > v3: rebased, fixed and added more selftests, removed wic plugin
> > side uki
> > support
> >
> > v2:
> > https://lists.openembedded.org/g/openembedded-core/message/204090
> >
>
> This seems to be causing selftest failures unfortunately:
>
> https://valkyrie.yoctoproject.org/#/builders/54/builds/206/steps/14/logs/stdio
I think something may be broken in master causing that. Not quite sure
what/when yet.
Cheers,
Richard
* Re: [OE-core] [PATCH v6 0/8] systemd uki support
2024-10-09 22:36 ` Richard Purdie
@ 2024-10-10 7:53 ` Mikko Rapeli
0 siblings, 0 replies; 15+ messages in thread
From: Mikko Rapeli @ 2024-10-10 7:53 UTC (permalink / raw)
To: Richard Purdie; +Cc: openembedded-core
Hi,
On Wed, Oct 09, 2024 at 11:36:51PM +0100, Richard Purdie wrote:
> On Wed, 2024-10-09 at 18:53 +0100, Richard Purdie via
> lists.openembedded.org wrote:
> > On Wed, 2024-10-09 at 14:26 +0300, Mikko Rapeli via
> > lists.openembedded.org wrote:
> > > These changes enable building systemd uki images which combine
> > > kernel, kernel command line, initrd and possibly signatures to
> > > a single UEFI binary. This binary can be booted with UEFI firmware
> > > and systemd-boot. No grub is needed and UEFI firmware and/or
> > > systemd-boot provide possibilities for boot menus.
> > > The uki binary can also be signed for UEFI secure boot
> > > so the secure boot extends from firmware to kernel and initrd.
> > > Binding secure boot to full userspace is then easier since for
> > > example
> > > kernel command line and initrd contain the support needed to mount
> > > encrypted dm-verity etc partitions, and/or create partitions on
> > > demand
> > > with systemd-repart using device specific TPM devices for
> > > encryption.
> > >
> > > Tested on qemuarm64-secureboot machine from meta-arm with changes
> > > to
> > > support secure boot. Slightly different configuration tested on
> > > multiple arm64 System Ready boards with UEFI firmware, real and
> > > firmware
> > > based TPM devices. Tested with ovmf firmware on x86_64 with
> > > selftests but
> > > without secure boot which seems to be harder to set up in ovmf.
> > >
> > > Sadly I see two wic selftests, wic.Wic2.test_rawcopy_plugin_qemu
> > > and
> > > wic.Wic2.test_expand_mbr_image, failing when executing all wic
> > > selftests
> > > on a build machine with zfs filesystem. Will investigate this
> > > further.
> > > The issue seems to be in mkfs.ext4 producing broken filesystem, and
> > > partially
> > > in the tests which don't run the correct rootfs file (.ext4 vs
> > > .wic).
> > > Will debug this further and it is IMO unrelated to these changes
> > > since
> > > they reproduce on pure master branch without this series.
> > >
> > > v6: fixed wic refactoring botch which broke non-uki systemd-boot
> > > usage on
> > >     genericarm64 reported by Ross Burton <Ross.Burton@arm.com>,
> > > added
> > >     selftest to cover this wks usage on x86 and aarch64
> > >
> > > v5: drop patch "image_types_wic.bbclass: set systemd-boot and os-
> > > release
> > >     dependency for all archs" since systemd-boot does not support
> > > all
> > >     architectures
> > >
> > > v4: handle missing runqemu variable from build config, add
> > > python3-pefile to fast ptest list
> > >
> > > v3: rebased, fixed and added more selftests, removed wic plugin
> > > side uki
> > > support
> > >
> > > v2:
> > > https://lists.openembedded.org/g/openembedded-core/message/204090
> > >
> >
> > This seems to be causing selftest failures unfortunately:
> >
> > https://valkyrie.yoctoproject.org/#/builders/54/builds/206/steps/14/logs/stdio
>
> I think something may be broken in master causing that. Not quite sure
> what/when yet.
Sorry, this is my bad. x86 test runqemu is missing ovmf argument. I don't know how
this slipped through. Will send a new version.
Cheers,
-Mikko