It is run early from the initrd, so wait for the sysexts, which may have
additional configuration, before running it again.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

We already have GCE disk rules in coreos-init, but a user has pointed
out that the newer NVMe rules are missing. Let's take the rules directly
from upstream instead. This is loosely based on the ChromiumOS package
of the same name.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

Having a USE flag per OEM is unnecessary when we only really need to
know whether the package will be installed in an OEM sysext or not. The
flag names were also prone to conflicts, e.g. qemu. We don't currently
make use of these flags anyway, although that is about to change.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

It is no longer necessary to include these as they are explicitly built
with --onlydeps in build_sysext_packages().
This new approach allows a package to be installed to both /usr and
sysexts with conflicting USE flags. Portage would normally refuse to do
this because it would "break" what is already installed to the board
root, but --ignore-world forces the breakage. It is safe in this context
because the board root is not used for execution, and affected packages
will be automatically rebuilt as needed, e.g. the next time you run
build_packages.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

It is no longer necessary to build the meta packages from source as they
are now covered by build_packages.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

Update the changelog entry to include information about OEM sysexts
being signed and built during the image phase.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>

Move OEM sysext building from the vms phase to the image phase. This
ensures OEM sysexts are signed with the same ephemeral key as other
sysexts, which is generated during image build and discarded afterward.
- Add create_oem_sysexts() to build all OEM sysexts during image build
- Add oem_sysexts.sh with OEM sysext definitions
- Update install_oem_sysext() to use prebuilt sysexts
- Add OEM sysext download to vms.sh for CI builds
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>

We removed the sysext compression, because double compression is
redundant for sysexts stored in an already compressed BTRFS /usr. However,
OS-dependent sysexts that are downloaded on-demand were now also
uncompressed. This commit brings back the compression via the
SYSTEMD_REPART_MKFS_OPTIONS_EROFS option.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>

Generate an ephemeral sysext signing key that is injected into the
image's sysext root of trust. All OS-dependent sysexts will be signed by
this key, and the private key (stored in /tmp) will be discarded on SDK
container exit.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
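
The ephemeral-key flow described in the commit above, as an added shell illustration that is not the project's own build script: the function names, file names and openssl invocations are assumptions, and the image payload is constructed for the demo.

```shell
#!/bin/sh
# Added example: lifecycle of an ephemeral sysext signing key. Only the
# certificate reaches the image's root of trust; the private key lives in
# a temp dir and is wiped when the shell exits (assumed layout, not the
# project's own).
set -eu

# 1. Generate a throwaway key pair; KEYDIR is a global so the EXIT trap
#    fires in this shell, not in a subshell.
make_ephemeral_key() {
    KEYDIR=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ephemeral-sysext-signer" \
        -keyout "$KEYDIR/sysext.key" -out "$KEYDIR/sysext.crt" 2>/dev/null
    trap 'rm -rf "$KEYDIR"' EXIT   # discard the private key on exit
}

# 2. Inject only the certificate into the image's root of trust and
#    check that no private key was copied alongside it.
install_root_of_trust() {   # $1 = key dir, $2 = image root-of-trust dir
    mkdir -p "$2"
    cp "$1/sysext.crt" "$2/sysext-ephemeral.crt"
    ! ls "$2"/*.key >/dev/null 2>&1
}

# 3. Sign a sysext image with the ephemeral private key (build phase).
sign_sysext() {             # $1 = key dir, $2 = image, $3 = signature out
    openssl dgst -sha256 -sign "$1/sysext.key" -out "$3" "$2"
}

# 4. What the booted system can do: verify using the trusted cert only.
verify_sysext() {           # $1 = trust dir, $2 = image, $3 = signature
    openssl x509 -in "$1/sysext-ephemeral.crt" -pubkey -noout \
        > "$1/pub.pem" 2>/dev/null
    openssl dgst -sha256 -verify "$1/pub.pem" -signature "$3" "$2" \
        >/dev/null 2>&1
}
```

Because the trap runs in the build shell, the key is gone once the image phase ends, which is exactly why OEM sysexts must be signed in that same phase rather than later.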