mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-12-22 17:52:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

Revert PR #3534 "sysext: Add OS-dependent sysext compression"

Browse Source 
Revert PR #3162 "Signed OS-dependent sysexts"

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
This commit is contained in:
Daniel 2025-12-15 17:21:11 +01:00 committed by Daniel Zatovic
parent 4041e4b21a
commit d28ece4479
7 changed files with 21 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
build_library/prod_image_util.sh
View File

@ -170,10 +170,6 @@ EOF
# Remove source locale data, only need to ship the compiled archive. # Remove source locale data, only need to ship the compiled archive.
sudo rm -rf ${root_fs_dir}/usr/share/i18n/ sudo rm -rf ${root_fs_dir}/usr/share/i18n/
# Inject ephemeral sysext signing certificate
sudo mkdir -p "${root_fs_dir}/usr/lib/verity.d"
sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d"
# Finish image will move files from /etc to /usr/share/flatcar/etc. # Finish image will move files from /etc to /usr/share/flatcar/etc.
# Note that image filesystem contents generated by finish_image will not # Note that image filesystem contents generated by finish_image will not
# include sysext contents (only the sysext squashfs files themselves). # include sysext contents (only the sysext squashfs files themselves).

36
build_library/sysext_prod_builder
View File

@ -63,15 +63,11 @@ create_prod_sysext() {
# The --install_root_basename="${name}-base-sysext-rootfs" flag is # The --install_root_basename="${name}-base-sysext-rootfs" flag is
# important - it sets the name of a rootfs directory, which is used # important - it sets the name of a rootfs directory, which is used
# to determine the package target in coreos/base/profile.bashrc # to determine the package target in coreos/base/profile.bashrc
# sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
# Built-in sysexts are stored in the compressed /usr partition, so we
# disable compression to avoid double-compression.
sudo -E "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
--board="${BOARD}" \ --board="${BOARD}" \
--image_builddir="${workdir}/sysext-build" \ --image_builddir="${workdir}/sysext-build" \
--squashfs_base="${base_sysext}" \ --squashfs_base="${base_sysext}" \
--generate_pkginfo \ --generate_pkginfo \
--compression=none \
--install_root_basename="${name}-base-sysext-rootfs" \ --install_root_basename="${name}-base-sysext-rootfs" \
"${build_sysext_opts[@]}" \ "${build_sysext_opts[@]}" \
"${name}" "${grp_pkg[@]}" "${name}" "${grp_pkg[@]}"
@ -103,14 +99,6 @@ sysext_mountdir="${BUILD_DIR}/prod-sysext-work/mounts"
sysext_base="${sysext_workdir}/base-os.squashfs" sysext_base="${sysext_workdir}/base-os.squashfs"
function cleanup() { function cleanup() {
IFS=':' read -r -a mounted_sysexts <<< "$sysext_lowerdirs"
# skip the rootfs
mounted_sysexts=("${mounted_sysexts[@]:1}")
for sysext in "${mounted_sysexts[@]}"; do
sudo systemd-dissect --umount --rmdir "$sysext"
done
sudo umount "${sysext_mountdir}"/* || true sudo umount "${sysext_mountdir}"/* || true
rm -rf "${sysext_workdir}" || true rm -rf "${sysext_workdir}" || true
} }
@ -128,7 +116,6 @@ sudo mksquashfs "${root_fs_dir}" "${sysext_base}" -noappend -xattrs-exclude '^bt
# for combined overlay later. # for combined overlay later.
prev_pkginfo="" prev_pkginfo=""
sysext_lowerdirs="${sysext_mountdir}/rootfs-lower" sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
mkdir -p "${sysext_mountdir}"
for sysext in ${sysexts_list//,/ }; do for sysext in ${sysexts_list//,/ }; do
# format is "<name>:<group>/<package>" # format is "<name>:<group>/<package>"
name="${sysext%|*}" name="${sysext%|*}"
@ -142,21 +129,12 @@ for sysext in ${sysexts_list//,/ }; do
"${grp_pkg}" \ "${grp_pkg}" \
"${prev_pkginfo}" "${prev_pkginfo}"
sudo systemd-dissect \ mkdir -p "${sysext_mountdir}/${name}" \
--read-only \ "${sysext_mountdir}/${name}_pkginfo"
--mount \ sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}.raw" \
--mkdir \ "${sysext_mountdir}/${name}"
--image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \ sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}_pkginfo.raw" \
"${sysext_output_dir}/${name}.raw" \ "${sysext_mountdir}/${name}_pkginfo"
"${sysext_mountdir}/${name}"
sudo systemd-dissect \
--read-only \
--mount \
--mkdir \
--image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
"${sysext_output_dir}/${name}_pkginfo.raw" \
"${sysext_mountdir}/${name}_pkginfo"
sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}" sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}"
sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo" sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo"

6
build_library/vm_image_util.sh
View File

@ -585,15 +585,11 @@ install_oem_sysext() {
# important - it sets the name of a rootfs directory, which is # important - it sets the name of a rootfs directory, which is
# used to determine the package target in # used to determine the package target in
# coreos/base/profile.bashrc # coreos/base/profile.bashrc
#
# OEM sysexts are stored in the compressed partition, so we disable
# compression to avoid double-compression.
local build_sysext_flags=( local build_sysext_flags=(
--board="${BOARD}" --board="${BOARD}"
--squashfs_base="${VM_SRC_SYSEXT_IMG}" --squashfs_base="${VM_SRC_SYSEXT_IMG}"
--image_builddir="${built_sysext_dir}" --image_builddir="${built_sysext_dir}"
--metapkgs="${metapkg}" --metapkgs="${metapkg}"
--compression=none
--install_root_basename="${VM_IMG_TYPE}-oem-sysext-rootfs" --install_root_basename="${VM_IMG_TYPE}-oem-sysext-rootfs"
) )
local overlay_path mangle_fs local overlay_path mangle_fs
@ -606,7 +602,7 @@ install_oem_sysext() {
fi fi
mkdir -p "${built_sysext_dir}" mkdir -p "${built_sysext_dir}"
sudo -E "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}" sudo "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
local installed_sysext_oem_dir='/oem/sysext' local installed_sysext_oem_dir='/oem/sysext'
local installed_sysext_file_prefix="${oem_sysext}-${version}" local installed_sysext_file_prefix="${oem_sysext}-${version}"

52
build_sysext
View File

@ -35,10 +35,10 @@ DEFINE_boolean generate_pkginfo "${FLAGS_FALSE}" \
"Generate an additional squashfs '<sysext_name>_pkginfo.raw' with portage package meta-information (/var/db ...). Useful for creating sysext dependencies; see 'base_pkginfo' below." "Generate an additional squashfs '<sysext_name>_pkginfo.raw' with portage package meta-information (/var/db ...). Useful for creating sysext dependencies; see 'base_pkginfo' below."
DEFINE_string base_pkginfo "" \ DEFINE_string base_pkginfo "" \
"Colon-separated list of pkginfo squashfs paths / files generated via 'generate_pkginfo' to base this sysext on. The corresponding base sysexts are expected to be merged with the sysext generated." "Colon-separated list of pkginfo squashfs paths / files generated via 'generate_pkginfo' to base this sysext on. The corresponding base sysexts are expected to be merged with the sysext generated."
DEFINE_string compression "lz4hc" \ DEFINE_string compression "zstd" \
"Compression to use for sysext EROFS image. Options: 'lz4', 'lz4hc', 'zstd', or 'none'. Default is 'lz4hc'." "Compression to use for sysext squashfs. One of 'gzip', 'lzo', 'lz4', 'xz', or 'zstd'. Must be supported by the Flatcar squashfs kernel module in order for the sysext to work."
DEFINE_string mkerofs_opts "" \ DEFINE_string mksquashfs_opts "" \
"Additional mkfs.erofs options to pass via SYSTEMD_REPART_MKFS_OPTIONS_EROFS. If not specified, defaults are used based on compression type." "Additional command line options to pass to mksquashfs. See 'man 1 mksquashfs'. If <compression> is 'zstd' (the default), this option defaults to '-Xcompression-level 22 -b 512K'. Otherwise the default is empty."
DEFINE_boolean ignore_version_mismatch "${FLAGS_FALSE}" \ DEFINE_boolean ignore_version_mismatch "${FLAGS_FALSE}" \
"Ignore version mismatch between SDK board packages and base squashfs. DANGEROUS." "Ignore version mismatch between SDK board packages and base squashfs. DANGEROUS."
DEFINE_string install_root_basename "${default_install_root_basename}" \ DEFINE_string install_root_basename "${default_install_root_basename}" \
@ -112,6 +112,10 @@ fi
BUILD_DIR=$(realpath "${FLAGS_image_builddir}") BUILD_DIR=$(realpath "${FLAGS_image_builddir}")
mkdir -p "${BUILD_DIR}" mkdir -p "${BUILD_DIR}"
if [[ "${FLAGS_compression}" = "zstd" && -z "${FLAGS_mksquashfs_opts}" ]] ; then
FLAGS_mksquashfs_opts="-Xcompression-level 22 -b 512k"
fi
source "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1 source "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1
source "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1 source "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
source "${BUILD_LIBRARY_DIR}/reports_util.sh" || exit 1 source "${BUILD_LIBRARY_DIR}/reports_util.sh" || exit 1
@ -244,7 +248,7 @@ if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then
mkdir -p "${BUILD_DIR}/img-pkginfo/var/db" mkdir -p "${BUILD_DIR}/img-pkginfo/var/db"
cp -R "${BUILD_DIR}/${FLAGS_install_root_basename}/var/db/pkg" "${BUILD_DIR}/img-pkginfo/var/db/" cp -R "${BUILD_DIR}/${FLAGS_install_root_basename}/var/db/pkg" "${BUILD_DIR}/img-pkginfo/var/db/"
mksquashfs "${BUILD_DIR}/img-pkginfo" "${BUILD_DIR}/${SYSEXTNAME}_pkginfo.raw" \ mksquashfs "${BUILD_DIR}/img-pkginfo" "${BUILD_DIR}/${SYSEXTNAME}_pkginfo.raw" \
-noappend -xattrs-exclude '^btrfs.' -comp zstd -Xcompression-level 22 -b 512k -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
fi fi
info "Writing ${SYSEXTNAME}_packages.txt" info "Writing ${SYSEXTNAME}_packages.txt"
@ -300,44 +304,14 @@ if [[ -n "${invalid_files}" ]]; then
die "Invalid file ownership: ${invalid_files}" die "Invalid file ownership: ${invalid_files}"
fi fi
# Set up EROFS compression options based on compression type mksquashfs "${BUILD_DIR}/${FLAGS_install_root_basename}" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
if [[ "${FLAGS_compression}" != "none" ]]; then -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="-z${FLAGS_compression}"
if [[ -n "${FLAGS_mkerofs_opts}" ]]; then
# User provided custom options
export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS} ${FLAGS_mkerofs_opts}"
elif [[ "${FLAGS_compression}" = "lz4hc" ]]; then
# Default options for lz4hc
export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS},12 -C65536 -Efragments,ztailpacking"
elif [[ "${FLAGS_compression}" = "zstd" ]]; then
# Default options for zstd
export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS},level=22 -C524288 -Efragments,ztailpacking"
fi
info "Building sysext with ${FLAGS_compression} compression"
else
info "Building sysext without compression (built-in sysexts)"
fi
systemd-repart \
--private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
--certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
--make-ddi=sysext \
--copy-source="${BUILD_DIR}/${FLAGS_install_root_basename}" \
"${BUILD_DIR}/${SYSEXTNAME}.raw"
rm -rf "${BUILD_DIR}"/{fs-root,"${FLAGS_install_root_basename}",workdir} rm -rf "${BUILD_DIR}"/{fs-root,"${FLAGS_install_root_basename}",workdir}
# Generate reports # Generate reports
mkdir "${BUILD_DIR}/img-rootfs" mkdir "${BUILD_DIR}/img-rootfs"
systemd-dissect --read-only \ mount -rt squashfs -o loop,nodev "${BUILD_DIR}/${SYSEXTNAME}.raw" "${BUILD_DIR}/img-rootfs"
--mount \
--mkdir \
--image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
"${BUILD_DIR}/${SYSEXTNAME}.raw" \
"${BUILD_DIR}/img-rootfs"
write_contents "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents.txt" write_contents "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents.txt"
write_contents_with_technical_details "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents_wtd.txt" write_contents_with_technical_details "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents_wtd.txt"
write_disk_space_usage_in_paths "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_disk_usage.txt" write_disk_space_usage_in_paths "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_disk_usage.txt"
systemd-dissect --umount --rmdir "${BUILD_DIR}/img-rootfs" umount "${BUILD_DIR}/img-rootfs"

1
changelog/changes/2025-11-05-signed-os-dependent-sysexts.md
View File

@ -1 +0,0 @@
- OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). ([scripts#3162](https://github.com/flatcar/scripts/pull/3162))

3
sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use vendored
View File

@ -32,6 +32,3 @@ x11-libs/pixman static-libs
# Get latest EDK2 firmware for Secure Boot on arm64. # Get latest EDK2 firmware for Secure Boot on arm64.
app-emulation/qemu -pin-upstream-blobs app-emulation/qemu -pin-upstream-blobs
# Needed for signed sysexts using systemd-repart
sys-apps/systemd cryptsetup

37
sdk_lib/sdk_entry.sh
View File

@ -88,43 +88,6 @@ if ! grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then
fi fi
fi fi
# Ensure sysext signing keys exist; regenerate if directory or files missing
if grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
_existing_sysext_dir=$(source /home/sdk/.bashrc 2>/dev/null; echo "$SYSEXT_SIGNING_KEY_DIR")
if [[ -z "$_existing_sysext_dir" || ! -d "$_existing_sysext_dir" || ! -s "$_existing_sysext_dir/sysexts.key" || ! -s "$_existing_sysext_dir/sysexts.crt" ]]; then
# Drop stale export so block below regenerates
sed -i -e '/export SYSEXT_SIGNING_KEY_DIR=/d' /home/sdk/.bashrc
fi
fi
grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
SYSEXT_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
else
SYSEXT_SIGNING_KEY_DIR="/home/sdk/.sysext-signing-keys"
su sdk -c "mkdir -p ${SYSEXT_SIGNING_KEY_DIR@Q}"
fi
if [[ ! "$SYSEXT_SIGNING_KEY_DIR" || ! -d "$SYSEXT_SIGNING_KEY_DIR" ]]; then
echo "Failed to create directory for sysext signing keys."
else
echo "export SYSEXT_SIGNING_KEY_DIR='$SYSEXT_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc
fi
pushd "$SYSEXT_SIGNING_KEY_DIR" > /dev/null
build_id=$(source "/mnt/host/source/.repo/manifests/version.txt"; echo "$FLATCAR_BUILD_ID")
# Generate sysext signing key only if missing or empty
if [[ ! -s sysexts.key || ! -s sysexts.crt ]]; then
su sdk -c "openssl req -new -nodes -utf8 \
-x509 -batch -sha256 \
-days 36000 \
-outform PEM \
-out sysexts.crt \
-keyout sysexts.key \
-newkey 4096 \
-subj '/CN=Flatcar sysext key/OU=$build_id'" \
|| echo "Generating sysext signing key failed"
fi
popd > /dev/null
}
# This is ugly. # This is ugly.
# We need to sudo su - sdk -c so the SDK user gets a fresh login. # We need to sudo su - sdk -c so the SDK user gets a fresh login.
# 'sdk' is member of multiple groups, and plain docker USER only # 'sdk' is member of multiple groups, and plain docker USER only