From 19861e4742657e50547fcfe5f07a050ad6575067 Mon Sep 17 00:00:00 2001
From: David Runge
Date: Tue, 29 Jun 2021 21:34:05 +0200
Subject: archiso/mkarchiso: Generalize handling of ucodes
archiso/mkarchiso: Generalize the handling of ucode files (e.g. copying, signing, size calculation) by introducing the global readonly array of expected ucode names instead of hardcoding them in various functions. When making use of ucode files in `_make_boot_on_iso9660()`, `_make_bootmode_uef-x86.systemd-boot.esp()` and `_sign_netboot_artifacts()` create a list of files that is guaranteed to contain existing files. Fixes #132
---
 archiso/mkarchiso | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 6d8c977..7cec3a9 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -37,6 +37,8 @@ airootfs_image_tool_options=()
 cert_list=()
 sign_netboot_artifacts=""
 declare -A file_permissions=()
+# adapted from GRUB_EARLY_INITRD_LINUX_STOCK in https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in
+readonly ucodes=('intel-uc.img' 'intel-ucode.img' 'amd-uc.img' 'amd-ucode.img' 'early_ucode.cpio' 'microcode.cpio')
 # Show an INFO message
@@ -395,7 +397,7 @@ _make_boot_on_iso9660() {
 install -m 0644 -- "${pacstrap_dir}/boot/initramfs-"*".img" "${isofs_dir}/${install_dir}/boot/${arch}/"
 install -m 0644 -- "${pacstrap_dir}/boot/vmlinuz-"* "${isofs_dir}/${install_dir}/boot/${arch}/"
- for ucode_image in {intel-uc.img,intel-ucode.img,amd-uc.img,amd-ucode.img,early_ucode.cpio,microcode.cpio}; do
+ for ucode_image in "${ucodes[@]}"; do
 if [[ -e "${pacstrap_dir}/boot/${ucode_image}" ]]; then
 install -m 0644 -- "${pacstrap_dir}/boot/${ucode_image}" "${isofs_dir}/${install_dir}/boot/"
 if [[ -e "${pacstrap_dir}/usr/share/licenses/${ucode_image%.*}/" ]]; then
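Review bot: The comment above `readonly ucodes=(...)` records where the names came from but not what the array now controls. Going by the other hunks in this patch, the same list decides which microcode images are copied to the ISO and the FAT image, counted in the efiboot.img size, and signed for netboot, and a name missing from it is skipped at each of those steps without a message. A second comment line would make that visible to whoever edits the list: `# names looked up in the boot directory; only files in this list are copied, sized and signed`.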
@@ -494,11 +496,9 @@ _make_boot_on_fat() {
 "::/${install_dir}" "::/${install_dir}/boot" "::/${install_dir}/boot/${arch}"
 mcopy -i "${work_dir}/efiboot.img" "${pacstrap_dir}/boot/vmlinuz-"* \
 "${pacstrap_dir}/boot/initramfs-"*".img" "::/${install_dir}/boot/${arch}/"
- for ucode_image in \
- "${pacstrap_dir}/boot/"{intel-uc.img,intel-ucode.img,amd-uc.img,amd-ucode.img,early_ucode.cpio,microcode.cpio}
- do
- if [[ -e "${ucode_image}" ]]; then
- all_ucode_images+=("${ucode_image}")
+ for ucode_image in "${ucodes[@]}"; do
+ if [[ -e "${pacstrap_dir}/boot/${ucode_image}" ]]; then
+ all_ucode_images+=("${pacstrap_dir}/boot/${ucode_image}")
 fi
 done
 if (( ${#all_ucode_images[@]} )); then
@@ -509,9 +509,15 @@ _make_boot_on_fat() {
 # Prepare efiboot.img::/EFI for EFI boot mode
 _make_bootmode_uefi-x64.systemd-boot.esp() {
- local efiboot_imgsize="0"
+ local _file efiboot_imgsize="0"
+ local _available_ucodes=()
 _msg_info "Setting up systemd-boot for UEFI booting..."
+ for _file in "${ucodes[@]}"; do
+ if [[ -e "${pacstrap_dir}/boot/${_file}" ]]; then
+ _available_ucodes+=("${pacstrap_dir}/boot/${_file}")
+ fi
+ done
 # the required image size in KiB (rounded up to the next full MiB with an additional MiB for reserved sectors)
 efiboot_imgsize="$(du -bc \
 "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
@@ -519,7 +525,7 @@ _make_bootmode_uefi-x64.systemd-boot.esp() {
 "${profile}/efiboot/" \
 "${pacstrap_dir}/boot/vmlinuz-"* \
 "${pacstrap_dir}/boot/initramfs-"*".img" \
- "${pacstrap_dir}/boot/"{intel-uc.img,intel-ucode.img,amd-uc.img,amd-ucode.img,early_ucode.cpio,microcode.cpio} \
+ "${_available_ucodes[@]}" \
 2>/dev/null | awk 'function ceil(x){return int(x)+(x>int(x))}
 function byte_to_kib(x){return x/1024}
 function mib_to_kib(x){return x*1024}
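Review bot: The existence filter added in `_make_boot_on_fat()` is written out again in `_make_bootmode_uefi-x64.systemd-boot.esp()` (the next hunk) and a third time in `_sign_netboot_artifacts()`, differing only in the directory and the target array. Since the commit's aim is to stop repeating the ucode list, one helper that takes the directory and prints the existing paths would keep the three call sites from drifting apart, which matters most for the set of files that ends up signed. The helper below is a sketch; it assumes the paths contain no newlines and that `all_ucode_images` starts out empty, which the hunk does not show.

```shell
# Print the path of every known ucode image that exists in directory $1, one per line
_existing_ucodes() {
    local _dir="${1}" _name
    for _name in "${ucodes[@]}"; do
        if [[ -e "${_dir}/${_name}" ]]; then
            printf '%s\n' "${_dir}/${_name}"
        fi
    done
}

# … unchanged: mcopy of vmlinuz-* and initramfs-*.img in _make_boot_on_fat() …
    mapfile -t all_ucode_images < <(_existing_ucodes "${pacstrap_dir}/boot")
```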
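Review bot: `2>/dev/null` still follows the `du -bc` argument list in `_make_bootmode_uefi-x64.systemd-boot.esp()`, although `"${_available_ucodes[@]}"` now holds only paths that passed the `-e` test. If that redirect was there to hide errors for absent microcode files, it now only hides errors for the remaining arguments, for example an unmatched `vmlinuz-*` pattern, and the image size would then be computed from a partial total without any message. Consider dropping the redirect, or keep it with a comment naming the argument that may legitimately be missing. The `du` pipeline continues past the end of the hunk.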
@@ -670,9 +676,15 @@ _export_netboot_artifacts() {
 # sign build artifacts for netboot
 _sign_netboot_artifacts() {
 local _file _dir
+ local _files_to_sign=()
 _msg_info "Signing netboot artifacts..."
- _dir="${isofs_dir}/${install_dir}/"
- for _file in "${_dir}/boot/"*ucode.img "${_dir}/boot/${arch}/vmlinuz-"* "${_dir}/boot/${arch}/initramfs-"*.img; do
+ _dir="${isofs_dir}/${install_dir}/boot/"
+ for _file in "${ucodes[@]}"; do
+ if [[ -e "${_dir}${_file}" ]]; then
+ _files_to_sign+=("${_dir}${_file}")
+ fi
+ done
+ for _file in "${_files_to_sign[@]}" "${_dir}${arch}/vmlinuz-"* "${_dir}${arch}/initramfs-"*.img; do
 openssl cms \
 -sign \
 -binary \
-- cgit v1.2.3-54-g00ecf
From 97b7aebab8be430f2ce0e7fc307e95fe693f334c Mon Sep 17 00:00:00 2001
From: David Runge
Date: Tue, 29 Jun 2021 21:45:56 +0200
Subject: gitlab-ci: Also build a baseline netboot target
.gitlab-ci.yml: With #132 being fixed, it is possible to properly build the baseline netboot target without failure.
---
 .gitlab-ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 44fd2ca..2d615e7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -44,8 +44,6 @@ build_short:
 extends: .build
 parallel:
 matrix:
- # baseline does not support netboot with codesinging
- # https://gitlab.archlinux.org/archlinux/archiso/-/issues/132
 - BUILD_SCRIPT_ARGS: baseline bootstrap
 - BUILD_SCRIPT_ARGS: releng bootstrap
@@ -56,5 +54,6 @@ build_long:
 parallel:
 matrix:
 - BUILD_SCRIPT_ARGS: baseline iso
+ - BUILD_SCRIPT_ARGS: baseline netboot
 - BUILD_SCRIPT_ARGS: releng iso
 - BUILD_SCRIPT_ARGS: releng netboot
-- cgit v1.2.3-54-g00ecf
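Review bot: In `_sign_netboot_artifacts()` (archiso/mkarchiso) the microcode entries are now checked before signing, but the `vmlinuz-*` and `initramfs-*.img` patterns in the same `for` list are not. Unless nullglob is enabled somewhere outside this hunk, a pattern without a match is handed to `openssl cms` as a literal file name, presumably the same failure the existence check removes for ucodes. If failing the build on a missing kernel or initramfs is intended, say so in a comment such as `# kernel and initramfs are mandatory; an unmatched glob must fail the signing step`. The existence test could also be `-f` rather than `-e`, `if [[ -f "${_dir}${_file}" ]]; then`, so that only regular files reach the signer. The function body continues outside the hunk.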