diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 7ea7b64a97..f8c6734960 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -290,6 +290,7 @@ dev-libs/tree-sitter
 dev-libs/tree-sitter-bash
 dev-libs/userspace-rcu
 dev-libs/xmlsec
+dev-libs/xxhash
 dev-libs/yajl
 dev-perl/Parse-Yapp
@@ -666,6 +667,7 @@ sys-fs/btrfs-progs
 sys-fs/cryptsetup
 sys-fs/dosfstools
 sys-fs/e2fsprogs
+sys-fs/erofs-utils
 sys-fs/fuse
 sys-fs/fuse-common
 sys-fs/fuse-overlayfs
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index d7e77ff3a5..27a6120b4f 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -162,6 +162,10 @@ EOF
 # Remove source locale data, only need to ship the compiled archive.
 sudo rm -rf ${root_fs_dir}/usr/share/i18n/
+ # Inject ephemeral sysext signing certificate
+ sudo mkdir -p "${root_fs_dir}/usr/lib/verity.d"
+ sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d"
+
 # Finish image will move files from /etc to /usr/share/flatcar/etc.
 # Note that image filesystem contents generated by finish_image will not
 # include sysext contents (only the sysext squashfs files themselves).
diff --git a/build_library/sysext_prod_builder b/build_library/sysext_prod_builder
index 8b8f3ddbc2..ab811f2761 100755
--- a/build_library/sysext_prod_builder
+++ b/build_library/sysext_prod_builder
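Review bot: The new `sudo cp` of `sysexts.crt` assumes `SYSEXT_SIGNING_KEY_DIR` is set; in an SDK session whose `.bashrc` predates the key generation (or a non-login invocation that never sourced it) the command becomes `cp /sysexts.crt …` and fails with a message that does not mention the signing key. A guard right before the copy, `: "${SYSEXT_SIGNING_KEY_DIR:?not set; re-enter the SDK so sdk_entry.sh generates the sysext signing key}"`, names the real cause. Because this certificate is the trust anchor the image will use for sysext verity signatures (presumably via `/usr/lib/verity.d`), I would also pin its mode rather than inherit whatever `openssl` and the umask produced: `sudo install -m 0644 "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d/"`. The comment could additionally state that only the certificate is copied and that the private key living in the same directory must stay out of the image.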
@@ -59,7 +59,7 @@ create_prod_sysext() {
 # Pass the build ID extracted from root FS to build_sysext. This prevents common.sh
 # in build_sysext to generate a (timestamp based) build ID during a DEV build of a
 # release tag (which breaks its version check).
- sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
+ sudo -E "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
 --board="${BOARD}" \
 --image_builddir="${workdir}/sysext-build" \
 --squashfs_base="${base_sysext}" \
@@ -94,6 +94,14 @@ sysext_mountdir="${BUILD_DIR}/prod-sysext-work/mounts"
 sysext_base="${sysext_workdir}/base-os.squashfs"
 function cleanup() {
+ IFS=':' read -r -a mounted_sysexts <<< "$sysext_lowerdirs"
+ # skip the rootfs
+ mounted_sysexts=("${mounted_sysexts[@]:1}")
+
+ for sysext in "${mounted_sysexts[@]}"; do
+ sudo systemd-dissect --umount --rmdir "$sysext"
+ done
+
 sudo umount "${sysext_mountdir}"/* || true
 rm -rf "${sysext_workdir}" || true
 }
@@ -111,6 +119,7 @@ sudo mksquashfs "${root_fs_dir}" "${sysext_base}" -noappend -xattrs-exclude '^bt
 # for combined overlay later.
 prev_pkginfo=""
 sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
+mkdir -p "${sysext_mountdir}"
 for sysext in ${sysexts_list//,/ }; do
 # format is ":/"
 name="${sysext%|*}"
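Review bot: `sudo -E` forwards the caller's whole environment into the root-run `build_sysext`, when the only variable the change needs is `SYSEXT_SIGNING_KEY_DIR`, and the same line already shows the narrower idiom of passing a single variable as `VAR=value` before the command. I would keep the environment explicit and drop `-E`: `sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "SYSEXT_SIGNING_KEY_DIR=${SYSEXT_SIGNING_KEY_DIR}" "${SCRIPTS_DIR}/build_sysext" \`. Whether the SDK's sudoers lets `-E` through at all is outside the hunk, but either way the explicit form documents which variable the child depends on. The same `-E` switch is made in `build_library/vm_image_util.sh` inside `install_oem_sysext()`, where `build_sysext_env` is already an array the variable could simply be appended to. `create_prod_sysext()` starts and ends outside the hunk.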
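Review bot: Inside `cleanup()` the new `sudo systemd-dissect --umount --rmdir "$sysext"` has no `|| true`, unlike the `umount` and `rm -rf` lines right below it, so if `cleanup` is an EXIT/ERR trap (the registration and any `set -e` are outside the hunk) a single failed detach can skip the remaining sysexts and the `rm -rf "${sysext_workdir}"`. Every step of a cleanup handler should be best-effort: `sudo systemd-dissect --umount --rmdir "$sysext" || true`. The list comes from `sysext_lowerdirs`, which the later hunk only appends to after both mounts of a sysext succeeded, so an image that mounted while its `_pkginfo` sibling failed is not in the list and is left to the wildcard `umount` below; a comment saying that is the intended fallback would help, or `mounted_sysexts` could be appended to right after each mount call.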
@@ -124,12 +133,21 @@ for sysext in ${sysexts_list//,/ }; do
 "${grp_pkg}" \
 "${prev_pkginfo}"
- mkdir -p "${sysext_mountdir}/${name}" \
- "${sysext_mountdir}/${name}_pkginfo"
- sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}.raw" \
- "${sysext_mountdir}/${name}"
- sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}_pkginfo.raw" \
- "${sysext_mountdir}/${name}_pkginfo"
+ sudo systemd-dissect \
+ --read-only \
+ --mount \
+ --mkdir \
+ --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+ "${sysext_output_dir}/${name}.raw" \
+ "${sysext_mountdir}/${name}"
+
+ sudo systemd-dissect \
+ --read-only \
+ --mount \
+ --mkdir \
+ --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+ "${sysext_output_dir}/${name}_pkginfo.raw" \
+ "${sysext_mountdir}/${name}_pkginfo"
 sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}"
 sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo"
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index dce01f9c05..adf5fac405 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -580,7 +580,7 @@ install_oem_sysext() {
 fi
 mkdir -p "${built_sysext_dir}"
- sudo "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
+ sudo -E "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
 local installed_sysext_oem_dir='/oem/sysext'
 local installed_sysext_file_prefix="${oem_sysext}-${version}"
diff --git a/build_sysext b/build_sysext
index 138d7f8906..44842e8f98 100755
--- a/build_sysext
+++ b/build_sysext
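Review bot: The two `systemd-dissect --mount` calls differ only in the image path and mount point, and the same `--image-policy=` string appears a third time in `build_sysext`, so the policy can drift silently between call sites; a small helper in this script keeps it in one place (sketch below, to be defined before the loop). The policy lists `encrypted`, `unprotected` and `absent` for both `root` and `usr` but neither `verity` nor `signed`, and the hunk gives no hint why those are the accepted states for a DDI that was just signed; a comment next to the policy stating what this build-time mount is and is not checking would spare the next reader a trip through the systemd image-policy documentation. The `for sysext in ${sysexts_list//,/ }` loop starts and ends outside the hunk.
```shell
# Mount a built sysext DDI read-only for the overlay. The image policy is the
# build-time one shared with build_sysext: it accepts encrypted, unprotected or
# absent root/usr partitions and does not require verity or a signature.
function mount_sysext_image() {
  local image="$1" mountpoint="$2"
  sudo systemd-dissect \
    --read-only \
    --mount \
    --mkdir \
    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
    "${image}" \
    "${mountpoint}"
}

# … unchanged: build_sysext invocation for "${name}" …
  mount_sysext_image "${sysext_output_dir}/${name}.raw" "${sysext_mountdir}/${name}"
  mount_sysext_image "${sysext_output_dir}/${name}_pkginfo.raw" "${sysext_mountdir}/${name}_pkginfo"
```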
@@ -301,14 +301,25 @@ if [[ -n "${invalid_files}" ]]; then
 die "Invalid file ownership: ${invalid_files}"
 fi
-mksquashfs "${BUILD_DIR}/install-root" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
- -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
+systemd-repart \
+ --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
+ --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
+ --make-ddi=sysext \
+ --copy-source="${BUILD_DIR}/install-root" \
+ "${BUILD_DIR}/${SYSEXTNAME}.raw"
+
 rm -rf "${BUILD_DIR}"/{fs-root,install-root,workdir}
 # Generate reports
 mkdir "${BUILD_DIR}/img-rootfs"
-mount -rt squashfs -o loop,nodev "${BUILD_DIR}/${SYSEXTNAME}.raw" "${BUILD_DIR}/img-rootfs"
+systemd-dissect --read-only \
+ --mount \
+ --mkdir \
+ --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+ "${BUILD_DIR}/${SYSEXTNAME}.raw" \
+ "${BUILD_DIR}/img-rootfs"
+
 write_contents "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents.txt"
 write_contents_with_technical_details "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents_wtd.txt"
 write_disk_space_usage_in_paths "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_disk_usage.txt"
-umount "${BUILD_DIR}/img-rootfs"
+systemd-dissect --umount --rmdir "${BUILD_DIR}/img-rootfs"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild
index 0d8be10a14..f1c57c78dd 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild
@@ -46,6 +46,7 @@ DEPEND="
 sys-firmware/edk2-bin
 sys-fs/btrfs-progs
 sys-fs/cryptsetup
+ sys-fs/erofs-utils
 dev-perl/Parse-Yapp
 dev-util/pkgcheck
 "
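Review bot: `systemd-repart` is now given `--private-key=` and `--certificate=` paths built from `SYSEXT_SIGNING_KEY_DIR` with no check that the variable is set or the files are readable; when it is unset the command looks for `/sysexts.key` and the resulting error says nothing about the SDK-generated key. A guard before the call, `[[ -r "${SYSEXT_SIGNING_KEY_DIR:-}/sysexts.key" ]] || die "sysext signing key not found (SYSEXT_SIGNING_KEY_DIR=${SYSEXT_SIGNING_KEY_DIR:-unset})"`, gives an actionable error and reuses the `die` already called a few lines up. The removed `mksquashfs` line was the only consumer of `FLAGS_compression` and `FLAGS_mksquashfs_opts` in view; if those flags are still declared earlier in the script they are now accepted and silently ignored, so they should be removed or mapped onto the new tool, which the hunk alone cannot confirm. A comment above the reports' `systemd-dissect --mount` explaining why the relaxed `--image-policy` is acceptable for this mount would also help, since the same string is repeated in `sysext_prod_builder`.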
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults
index b55f758adf..232dcb4910 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults
@@ -1,4 +1,5 @@
 USE="cros_host expat man -pam"
+USE="${USE} cryptsetup"
 # Used by some old goo in profiles/coreos/base/profile.bashrc
 # TODO: clean up that old goo
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords
index 7b5df04972..b5d36edcaa 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords
@@ -1,2 +1,4 @@
 # Temporarily put the SDK version ahead for sd-json support in Dracut.
 =sys-apps/systemd-257.5 ~amd64 ~arm64
+
+=sys-fs/erofs-utils-1.8.4 ~amd64 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.40.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.40.ebuild
index cea1123a3e..00f8d64b5a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.40.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.40.ebuild
@@ -64,6 +64,7 @@ src_prepare() {
 validate_sig_key
 config_update 'CONFIG_INITRAMFS_SOURCE="bootengine.cpio"'
+ config_update "CONFIG_SYSTEM_TRUSTED_KEYS=\"/usr/share/sb_keys/shim.pem\""
 # include all intel and amd microcode files, avoiding the signatures
 local fw_dir="${ESYSROOT}/lib/firmware"
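Review bot: The added `config_update` line uses a double-quoted string with escaped inner quotes where the line above uses single quotes for the same kind of value; `config_update 'CONFIG_SYSTEM_TRUSTED_KEYS="/usr/share/sb_keys/shim.pem"'` is equivalent and consistent. More importantly the line carries no comment, and compiling a certificate into the kernel's builtin trusted keyring is a trust decision that reaches beyond one feature: that keyring also backs module signature checks and, with `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG` enabled elsewhere in this commit, dm-verity root-hash signature checks. A comment such as `# Trust the shim certificate in the builtin keyring so the kernel can verify verity root-hash signatures issued under it` would record the intent, assuming that is the motivation. `src_prepare()` continues outside the hunk.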
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
index 32312c1cba..c9438df8df 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12
@@ -166,6 +166,7 @@ CONFIG_DM_SNAPSHOT=m
 CONFIG_DM_THIN_PROVISIONING=m
 CONFIG_DM_UEVENT=y
 CONFIG_DM_VERITY=m
+CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
 CONFIG_DM_ZERO=m
 CONFIG_DNS_RESOLVER=y
 CONFIG_DRM=m
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/Manifest
new file mode 100644
index 0000000000..1ea2e70343
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/Manifest
@@ -0,0 +1,2 @@
+DIST xxhash-0.8.2.tar.gz 1141188 BLAKE2B 735408256240760778fa516e01bed428f04837eb4e059c512e924f13e4a96db6cacbbefb04dea65a37b0f25b52cf13c4927a6e7870dc8c0d45b1b955d4ba3da1 SHA512 3e3eef21432fe88bc4dd9940ccad0308fdea3537b06fa5ac0e74c1bde53413dff29c8b3fc617a8a42b9ce88fcf213311d338a31b1ce73b3729342c9e68f06c78
+DIST xxhash-0.8.3.tar.gz 1147630 BLAKE2B 75923c7c5df3490062791fa02ccddfb7281b3646e2b3e4b4a0c0d611c339e07c8d9cb656777fd0fcec9cda484f7b33edf080116bb011f70d6b8299cda63afa4e SHA512 8b5c8b9aad4e869f28310b12cc314037feda81d92f26c23eaecdb35dc65042ca2e65f2e9606033e62a31bcc737a9a950500ffcbdb8677d6ab20e820ea14f2b79
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/metadata.xml b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/metadata.xml
new file mode 100644
index 0000000000..63e48a416a
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/metadata.xml
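Review bot: `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y` makes the kernel verify a root-hash signature only when userspace supplies one; a verity target activated without a signature is still accepted unless `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_FORCE` is also set, which this change does not do. That is a reasonable first step, but it is easy to misread as "signing is enforced", so a comment next to the option would help, e.g. `# Verify dm-verity root-hash signatures when one is supplied (not enforced: _FORCE is unset)`, assuming the config-fragment tooling preserves `#` lines. The trusted key the verification needs is provided separately in this commit through `CONFIG_SYSTEM_TRUSTED_KEYS` in the kernel ebuild; a cross-reference in the comment would tie the two together.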
@@ -0,0 +1,12 @@
+
+
+
+
+ amadio@gentoo.org
+ Guilherme Amadio
+
+
+ Cyan4973/xxHash
+ https://github.com/Cyan4973/xxHash/issues
+
+
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.2.ebuild
new file mode 100644
index 0000000000..5cb861b0ad
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.2.ebuild
@@ -0,0 +1,43 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit multilib-minimal toolchain-funcs
+
+DESCRIPTION="Extremely fast non-cryptographic hash algorithm"
+HOMEPAGE="https://xxhash.com/"
+SRC_URI="https://github.com/Cyan4973/xxHash/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+S=${WORKDIR}/xxHash-${PV}
+
+LICENSE="BSD-2 GPL-2+"
+# https://abi-laboratory.pro/tracker/timeline/xxhash
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-macos"
+
+src_prepare() {
+ default
+
+ multilib_copy_sources
+}
+
+multilib_src_compile() {
+ emake AR="$(tc-getAR)" CC="$(tc-getCC)"
+}
+
+multilib_src_test() {
+ emake CC="$(tc-getCC)" check
+}
+
+multilib_src_install() {
+ local emakeargs=(
+ DESTDIR="${D}"
+ PREFIX="${EPREFIX}"/usr
+ LIBDIR="${EPREFIX}"/usr/$(get_libdir)
+ )
+
+ emake "${emakeargs[@]}" install
+ einstalldocs
+
+ rm "${ED}"/usr/$(get_libdir)/libxxhash.a || die
+}
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.3.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.3.ebuild
new file mode 100644
index 0000000000..f37f8df286
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.3.ebuild
@@ -0,0 +1,42 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit multilib-minimal toolchain-funcs
+
+DESCRIPTION="Extremely fast non-cryptographic hash algorithm"
+HOMEPAGE="https://xxhash.com/"
+SRC_URI="https://github.com/Cyan4973/xxHash/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+S=${WORKDIR}/xxHash-${PV}
+
+LICENSE="BSD-2 GPL-2+"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-macos"
+
+src_prepare() {
+ default
+
+ multilib_copy_sources
+}
+
+multilib_src_compile() {
+ emake AR="$(tc-getAR)" CC="$(tc-getCC)"
+}
+
+multilib_src_test() {
+ emake CC="$(tc-getCC)" check
+}
+
+multilib_src_install() {
+ local emakeargs=(
+ DESTDIR="${D}"
+ PREFIX="${EPREFIX}"/usr
+ LIBDIR="${EPREFIX}"/usr/$(get_libdir)
+ )
+
+ emake "${emakeargs[@]}" install
+ einstalldocs
+
+ rm "${ED}"/usr/$(get_libdir)/libxxhash.a || die
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/Manifest b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/Manifest
new file mode 100644
index 0000000000..55cebbc53f
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/Manifest
@@ -0,0 +1 @@
+DIST erofs-utils-1.8.4.tar.gz 187276 BLAKE2B da0d80abbfd9b2d547c30bad7647165a3500f20e5de0b5db4c54efb27ec895fd069be983193b06d35728f5a8e1490e6cd255207c76135d8978d86e1512430755 SHA512 c941b0a2ab6c650a9aa4c9cadeb277ebc87007dc51354ff013c7cb763e6e8c9d44ed9e4791730ed05088faaba8c612198b924e70f5e52019382cfdf6d2e6b677
diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.4.ebuild b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.4.ebuild
new file mode 100644
index 0000000000..56cd91d056
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.4.ebuild
@@ -0,0 +1,63 @@
+# Copyright 2021-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="Userspace tools for EROFS"
+HOMEPAGE="https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git"
+
+SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/xiang/${PN}.git/snapshot/${P}.tar.gz"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~loong"
+
+IUSE="fuse libdeflate +lz4 +lzma selinux static-libs +threads +uuid +zlib +zstd"
+
+RDEPEND="
+ dev-libs/xxhash:0=
+ fuse? ( sys-fs/fuse:0 )
+ lz4? ( app-arch/lz4:0= )
+ lzma? ( >=app-arch/xz-utils-5.4.0:0= )
+ selinux? ( sys-libs/libselinux:0= )
+ uuid? ( sys-apps/util-linux )
+ zlib? (
+ libdeflate? ( app-arch/libdeflate:0= )
+ !libdeflate? ( sys-libs/zlib:0= )
+ )
+ zstd? ( app-arch/zstd:0= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+PATCHES=(
+)
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --disable-werror
+ $(use_enable fuse)
+ $(use_with libdeflate)
+ $(use_enable lz4)
+ $(use_enable lzma)
+ $(use_with selinux)
+ $(use_enable static-libs static-fuse)
+ $(use_enable threads multithreading)
+ $(use_with uuid)
+ $(use_with zlib)
+ $(use_with zstd libzstd)
+ --without-qpl # not packaged
+ # do not use bundled xxhash; also upstream says "expected to be
+ # faster than the internal one"
+ --with-xxhash
+ )
+
+ econf "${myeconfargs[@]}"
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/metadata.xml
new file mode 100644
index 0000000000..eaf0493a83
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/metadata.xml
@@ -0,0 +1,13 @@
+
+
+
+
+ xen0n@gentoo.org
+ WANG Xuerui
+
+
+ Builds erofsfuse (requires sys-fs/fuse).
+ Use app-arch/libdeflate rather than sys-libs/zlib for handling deflate compression.
+ Enables UUID support via sys-apps/util-linux.
+
+
diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh
index 3c7aaeb356..093eb90825 100755
--- a/sdk_lib/sdk_entry.sh
+++ b/sdk_lib/sdk_entry.sh
@@ -63,6 +63,27 @@ grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
 fi
 }
+grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
+ SYSEXT_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
+ if [[ ! "$SYSEXT_SIGNING_KEY_DIR" || ! -d "$SYSEXT_SIGNING_KEY_DIR" ]]; then
+ echo "Failed to create temporary directory for secure boot keys."
+ else
+ echo "export SYSEXT_SIGNING_KEY_DIR='$SYSEXT_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc
+ fi
+ pushd "$SYSEXT_SIGNING_KEY_DIR"
+ build_id=$(source "/mnt/host/source/.repo/manifests/version.txt"; echo "$FLATCAR_BUILD_ID")
+ openssl req -new -nodes -utf8 \
+ -x509 -batch -sha256 \
+ -days 36000 \
+ -outform PEM \
+ -out sysexts.crt \
+ -keyout sysexts.key \
+ -newkey 4096 \
+ -subj "/CN=Flatcar $build_id sysext signing key/" \
+ || echo "Generating module signing key failed"
+ popd
+}
+
 # This is ugly.
 # We need to sudo su - sdk -c so the SDK user gets a fresh login.
 # 'sdk' is member of multiple groups, and plain docker USER only
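Review bot: When `mktemp -d` fails, the block prints a message but then still executes `pushd "$SYSEXT_SIGNING_KEY_DIR"` with an empty value and runs `openssl req`, so a key pair lands in whatever the current directory is instead of being skipped; the `pushd … popd` run (including the `build_id` line) belongs inside the `else` branch, or the failure branch should abort the entry script. Both messages look copied from the module-signing block above: the mktemp one says `secure boot keys` and the openssl one `Generating module signing key failed`; they should read `Failed to create temporary directory for the sysext signing key.` and `Generating sysext signing key failed`, and both should go to stderr with `>&2`. `-nodes` writes `sysexts.key` unencrypted, which an unattended build needs, but the file is created by this script (which appears to run as root, given that `su sdk -c` needs no password handling) inside the sdk user's directory with whatever mode the umask yields; a `chmod 0600 sysexts.key` after generation plus a comment that only `sysexts.crt` is meant to leave this directory would make the intended exposure explicit. The `build_id=$(source …; echo …)` subshell also deserves a one-line comment saying it exists to keep the variables of `version.txt` out of this script.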