35 Commits

Author SHA1 Message Date
Michael Brown
027d0fe246 [ci] Include Secure Boot ISO and USB images in release artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-03-02 22:19:52 +00:00
Michael Brown
3680a4ae52 [build] Add support for including a UEFI shim in filesystem images
Add support for loading iPXE via a UEFI shim in ISO and USB images.
Since the iPXE shim's default loader filename is currently "ipxe.efi"
for all CPU architectures, at most one architecture within an image
may use a shim.  (This limitation should be removed in the next signed
release of the iPXE shim.)

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-03-02 16:49:47 +00:00
Michael Brown
7948ffe329 [ci] Remove now-redundant "netboot" job
Use the ipxeboot.tar.gz artifact created by util/gensrvimg in the
"combine" job, and delete the dedicated "netboot" job that currently
creates the same artifact.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-24 15:53:25 +00:00
Michael Brown
9250a9091b [build] Create util/gensrvimg for building network boot server images
In the spirit of util/genfsimg, create a script util/gensrvimg that
can be used to install compiled iPXE binaries to a directory tree
suitable for copying to a TFTP or HTTP server.

The script detects the CPU architecture for each input file and
installs it into the appropriate subdirectory.  Top-level symlinks are
created for each filename, with earlier files taking precedence.

Signed binaries are detected and automatically placed into a Secure
Boot specific subdirectory, thereby allowing the reduced-feature
Secure Boot binaries to coexist with full-feature binaries in a single
installation directory tree.  An iPXE shim may be specified and will
be automatically installed alongside the signed binaries, with the
relevant symlink created for each signed binary.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-24 15:44:15 +00:00
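Added example (not part of the commit above and not code from util/gensrvimg, whose detection method is not shown on this page): one way to sort UEFI binaries by CPU architecture and by whether a signature is attached, using the PE/COFF Machine field and the Certificate Table data directory. The `-sb` subdirectory suffix, the architecture names and the helper `make_sample` are assumptions of this example. An attached certificate table only shows that the image carries a signature; it does not verify it.

```python
import struct

# PE/COFF Machine field values; the architecture names are this example's choice.
MACHINES = {0x014C: "i386", 0x8664: "x86_64", 0x01C2: "arm32", 0xAA64: "arm64",
            0x5032: "riscv32", 0x5064: "riscv64", 0x6264: "loong64"}
SECURITY_DIR = 4  # data directory index of the Certificate Table


def classify_efi(data):
    """Return (arch, signed) for a PE/COFF image, or None if it is not one."""
    try:
        if data[:2] != b"MZ":
            return None
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        (machine,) = struct.unpack_from("<H", data, pe_off + 4)
        opt = pe_off + 4 + 20                  # optional header follows COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        offset = size = 0
        if count > SECURITY_DIR:
            offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError):
        return None                            # truncated, or not PE32/PE32+
    # This directory entry holds a file offset, not an RVA.  A table that
    # runs past the end of the file is treated as "not signed".
    signed = size > 0 and 0 < offset <= len(data) - size
    return MACHINES.get(machine, "unknown"), signed


def dest_subdir(data):
    """Hypothetical layout: '<arch>' for unsigned, '<arch>-sb' for signed."""
    info = classify_efi(data)
    if info is None:
        return None
    return info[0] + "-sb" if info[1] else info[0]


def make_sample(machine, cert_size):
    """Constructed minimal PE32+ header for the example (not a bootable image)."""
    opt = bytearray(240)                       # 112 bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    if cert_size:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 328, cert_size)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0)
    return dos + b"PE\0\0" + coff + bytes(opt) + bytes(cert_size)
```
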
Michael Brown
0854850d02 [ci] Add a job to automatically create releases
Add a job that will automatically create a (draft) release for any
suitable tag, using the build artifacts and release notes already
constructed by earlier jobs.  Minimise the logic within the release
job itself, since by definition it cannot be tested on every commit.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-21 00:29:50 +00:00
Michael Brown
179366d729 [ci] Remove redundant duplicate creation of version.txt
The version.txt file is now created by the "version" job (which also
generates the release name, release title, and release notes).  Remove
the now-redundant generation of version.txt in the BIOS build job.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-20 17:37:00 +00:00
Michael Brown
9e0057a864 [build] Allow for generation of all release information
Allow for automatic generation of the release name, release title, and
release notes (derived from the relevant section of the changelog).

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-20 15:23:05 +00:00
Michael Brown
8fb90cb403 [build] Allow for construction of a text file containing the version
Add a rule to construct bin/version.txt containing the version number,
to allow a GitHub Actions workflow to verify that a tagged release
embeds a version number that matches the tag.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-19 13:00:19 +00:00
Michael Brown
2184bfdb03 [ci] Create a network bootable files archive as a build artifact
Create an archive designed to be extracted to a web server (or TFTP
server) directory, containing the network bootable files such as
undionly.kpxe, ipxe.efi, etc.

Incorporate the iPXE shim binaries, complete with the required
symlinks such as snponly-shim.efi -> shimx64.efi.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-18 22:06:33 +00:00
Michael Brown
d98278a177 [ci] Include latest iPXE shim in build artifacts
Prepare for the possibility of creating ISO and USB disk images that
support UEFI Secure Boot by downloading the Microsoft-signed binaries
from the latest release of the iPXE shim.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-18 18:54:37 +00:00
Michael Brown
80639a6ca8 [ci] Use ipxe-builder-utils container for combined BIOS/UEFI images
We currently use the ipxe-signer container for the step that combines
the BIOS and UEFI build artifacts to produce the multi-architecture
ISO and USB images.

Switch to using the generic architecture-independent utility toolchain
container, thereby allowing the ipxe-signer container to minimise its
attack surface by removing tools that are not required for the signing
operation.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-18 00:27:59 +00:00
Michael Brown
93fc2123c3 [ci] Include CA certificate file alongside signed binaries
Include the relevant CA certificate in the UEFI Secure Boot build
artifacts.  This allows for easy identification of test-signed builds
without having to extract the certificate from the signed binary.

This also eases the process of adding the ephemeral test-signing
certificate to the UEFI trusted certificate list, if a user wants to
test a non-release build with Secure Boot enabled.  (The corresponding
private key is deliberately not preserved, to minimise the attack
surface that this would otherwise open up on the user's system.)

Include the commit hash and build architecture within the ephemeral
test-signing certificate's subject name, to make it obvious that the
scope is limited to signing only that single build.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-17 16:29:20 +00:00
Michael Brown
a956c5feac [ci] Allow for manually triggered workflow runs
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-17 14:15:45 +00:00
Michael Brown
21b5bd8406 [ci] Add support for building UEFI Secure Boot signed binaries
Add a job that takes the bin-x86_64-efi-sb and bin-arm64-efi-sb build
artifacts and signs them for UEFI Secure Boot.

The hardware token containing the trusted signing key is attached to a
dedicated self-hosted GitHub Actions runner.  Only tagged release
versions (and commits on the "sbsign" testing branch) will be signed
on this dedicated runner.  All other commits will be signed on a
standard GitHub hosted runner using an ephemeral test certificate that
is not trusted for UEFI Secure Boot.

No other work is done as part of the signing job.  The iPXE source
code is not even checked out, minimising any opportunity to grant
untrusted code access to the hardware token.

The hardware token password is held as a deployment environment
secret, with the environment being restricted to allow access only for
tagged release versions (and commits on the "sbsign" testing branch)
to provide an additional layer of security.

The signing certificates and intermediate certificates are obtained
from the iPXE Secure Boot CA repository, with the certificate selected
via deployment environment variables.

To minimise hidden state held on the self-hosted runner, the pcscd
service is run via a service container, with the hardware token passed
in via "--devices /dev/bus/usb".

Select the deployment environment name (and hence runner tag) via a
repository variable SBSIGN_ENVIRONMENT, so that forks do not attempt
to start jobs on a non-existent self-hosted runner.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-15 22:50:12 +00:00
Michael Brown
2161e976cd [build] Include USB drivers in the all-drivers build by default
Including USB drivers has some unavoidable side effects.  With a BIOS
firmware, attaching the host controller drivers will necessarily
disable the SMM-based USB legacy support which emulates a PS/2
keyboard.  With a UEFI firmware, loading the host controller drivers
may disconnect some of the less compliant vendor USB device drivers.

We have historically erred on the side of caution and avoided
including any USB drivers in the all-drivers build.  Time has moved
on, USB NICs have become more common (especially for laptops, which
now rarely include physical Ethernet ports), and the UEFI Secure Boot
model makes it prohibitively difficult for users to compile their own
binaries to add support for non-default drivers.

Switch to including USB drivers by default in the all-drivers build.
Provide a fallback build target that matches the existing driver set
(i.e. excluding any USB drivers) and can be built using e.g.:

   make bin/ipxe-legacy.iso

   make bin-x86_64-efi/ipxe-legacy.efi

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-13 18:36:14 +00:00
Michael Brown
7caee4489d [ci] Include Linux userspace build artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 23:24:06 +00:00
Michael Brown
cc4a9df971 [ci] Include Secure Boot build artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 23:14:30 +00:00
Michael Brown
362b704f83 [ci] Include supported network device list in build artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-05 16:49:45 +00:00
Michael Brown
12b279b4c7 [ci] Include error identifier list in build artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-05 12:18:33 +00:00
Michael Brown
aa06a76eb8 [ci] Show rolling release publication URL
Construct and show the URL for the workflow runs that are triggered to
publish the rolling release binaries.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-04 16:23:55 +00:00
Michael Brown
59c67e1110 [ci] Run tests on pull requests
The automated tests that are run in the GitHub Actions workflow are
now as comprehensive as those that are run manually.  Run tests on
pull requests as well as pushes, since the results are now
meaningfully informative.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-03 19:04:38 +00:00
Michael Brown
b05a045b41 [ci] Publish rolling release binaries via https://boot.ipxe.org
The boot.ipxe.org website is now hosted on GitHub Pages and built via
a GitHub Actions workflow.  The rolling release binaries are fetched
from the build artifacts created by this repository.

Remove the rolling release tag mechanism, and instead trigger a
workflow run on the boot.ipxe.org repository to publish the updated
binaries.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-01 23:05:40 +00:00
Michael Brown
74e0551ac2 [ci] Publish rolling release build artifacts with stable URLs
Publish the binaries built from commits on the master branch under
stable URLs such as:

  https://github.com/ipxe/ipxe/releases/download/rolling/bin/undionly.kpxe

Since filenames such as "ipxe.iso" may exist in each of several build
directories, we implement this as one release tag per build directory.
The GitHub Actions workflow automatically moves the tag to the most
recent commit and overwrites the existing release assets.

One downside of this is that running a local "git log" or similar may
show a large number of uninformative tags of the form "rolling/bin",
"rolling/bin-x86_64-efi", "rolling-arm64-efi", etc, all pointing at
the most recent commit.  This clutter may be hidden using:

  git config --local log.excludeDecoration refs/tags/rolling/*

To avoid the unintentional creation of rolling release tags on forks,
we skip the whole publication job unless the environment variable
ROLLING_PREFIX is defined.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-30 00:03:35 +00:00
Michael Brown
e855c4c642 [ci] Produce combined BIOS/UEFI ISO and USB images
Use util/genfsimg to combine the 64-bit BIOS and all UEFI builds into
a single multi-architecture image in both ISO and USB formats.

Include an editable autoexec.ipxe script (that matches the default
iPXE behaviour) in the USB image, so that users can just mount and
edit this file.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-29 14:51:35 +00:00
Michael Brown
8e10974c8c [ci] Upload a selection of build artifacts from each run
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 20:44:04 +00:00
Michael Brown
d0ea2b1bb8 [ci] Use prebuilt containers to build and test iPXE
Use the prebuilt containers from https://github.com/ipxe/ipxe-builder
to build BIOS, SBI, UEFI, and Linux userspace versions of iPXE for all
supported CPU architectures, and to run the Linux userspace test suite
(via valgrind or qemu as applicable).

This reduces the time taken for GitHub CI runs by around 80%, while
increasing the build coverage to include RISC-V SBI, RISC-V UEFI, and
LoongArch64 UEFI, and increasing the test coverage to include running
the Linux userspace test suite on all supported CPU architectures.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-25 15:52:16 +00:00
Michael Brown
faa42c8503 [build] Do not use "git describe" to construct version number
Using "git describe" to automatically construct the version number has
caused more problems than it has solved.  In particular, it causes
errors when building from a shallow clone of the repository, which is
a common scenario in modern automated build environments.

Define the base version number (currently 1.21.1+) as a set of
hardcoded constants within the Makefile, to be updated whenever a
release is made.

It is extremely useful to have the git commit ID present in the
startup banner.  End users tend to provide screenshots of failures,
and having the commit ID printed at startup makes it trivial to
identify which version of the code is in use.  Identify the git
version (if building from a git tree) by directly reading from
.git/HEAD and associated files.  This allows the git commit ID to
potentially be included even if the build environment does not have
the git tools installed.

Use the default shallow clone in the GitHub Actions workflow, since we
no longer require access to the full commit history.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-21 22:44:13 +00:00
Michael Brown
6eab3dbcd2 [ci] Update to ubuntu-24.04 GitHub actions runner
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-17 18:47:22 +00:00
Michael Brown
226531ed36 [ci] Update action versions to silence GitHub warnings
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2024-03-07 23:25:35 +00:00
Michael Brown
d27cd8196d [ci] Work around Ubuntu packaging metadata issues
The libc6-dbg:i386 package has spontaneously started failing to
install from the Azure package repositories used by the GitHub Actions
runners, with the somewhat recalcitrant error message:

 libc6:i386: Depends: libgcc-s1:i386 but it is not going to be installed

Work around this unexplained issue by explicitly requesting
installation of the libgcc-s1:i386 package.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2023-05-15 14:56:28 +01:00
Michael Brown
bfa5262f0e [ci] Cache downloaded packages for GitHub actions
Speed up the "Install packages" step for each CI run by caching the
downloaded packages in /var/cache/apt.

Do not include libc6-dbg:i386 within the cache, since apt seems to
complain if asked to download both gcc-aarch64-linux-gnu and
libc6-dbg:i386 at the same time.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2023-02-06 19:59:04 +00:00
Michael Brown
6c0335adf6 [ci] Update to ubuntu-22.04 GitHub actions runner
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2023-02-03 20:08:16 +00:00
Michael Brown
49c13e81bc [ci] Update to actions/checkout@v3 to silence GitHub warnings
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2023-02-03 00:50:16 +00:00
Michael Brown
f309d7a7b7 [linux] Use host glibc system call wrappers
When building as a Linux userspace application, iPXE currently
implements its own system calls to the host kernel rather than relying
on the host's C library.  The output binary is statically linked and
has no external dependencies.

This matches the general philosophy of other platforms on which iPXE
runs, since there are no external libraries available on either BIOS
or UEFI bare metal.  However, it would be useful for the Linux
userspace application to be able to link against host libraries such
as libslirp.

Modify the build process to perform a two-stage link: first picking
out the requested objects in the usual way from blib.a but with
relocations left present, then linking again with a helper object to
create a standard hosted application.  The helper object provides the
standard main() entry point and wrappers for the Linux system calls
required by the iPXE Linux drivers and interface code.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-02-28 23:28:23 +00:00
Michael Brown
eeca29a1e0 [ci] Add GitHub action for build testing
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-02-04 16:41:55 +00:00